ProperEscapingFunction: Fix short tag detection

The tracking variable `$in_short_echo` was never reset when checking different files, meaning that the property would carry over and provide the wrong context to the next file. By adding logic to the `process_token()` method of the ProperEscapingFunctionSniff, we can reset the tracking variable at the start of each file by comparing the currently processing file to the last one stored in a static variable. Includes two unit test files, numbered in the order needed to trigger the bug if the fix wasn't present. Fixes #739.
Automattic · Feb 6, 2023 · f1cd93c · f1cd93c
1 parent 3c5a8bb
commit f1cd93c
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php b/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php
@@ -8,6 +8,7 @@
 
 namespace WordPressVIPMinimum\Sniffs\Security;
 
+use PHP_CodeSniffer\Files\File;
 use WordPressVIPMinimum\Sniffs\Sniff;
 use PHP_CodeSniffer\Util\Tokens;
 
@@ -97,6 +98,13 @@ class ProperEscapingFunctionSniff extends Sniff {
 	 */
 	private $in_short_echo = false;
 
+	/**
+	 * Keep track of the current file, so we can reset $in_short_echo for each new file.
+	 *
+	 * @var string Absolute file name of the file being processed. Defaults to an empty string.
+	 */
+	private $current_file = '';
+
 	/**
 	 * Returns an array of tokens this test wants to listen for.
 	 *
@@ -119,6 +127,12 @@ public function register() {
 	 * @return void
 	 */
 	public function process_token( $stackPtr ) {
+		// Reset short echo context tracking variable for a new file.
+		if ( $this->phpcsFile->getFilename() !== $this->current_file ) {
+			$this->in_short_echo = false;
+			$this->current_file  = $this->phpcsFile->getFilename();
+		}
+
 		/*
 		 * Short open echo tags will act as an echo for the first expression and
 		 * allow for passing multiple comma-separated parameters.

diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.2.inc b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.2.inc
@@ -0,0 +1,8 @@
+<?php
+/*
+ * This is part one of a two-part test. It must be in a lower-numbered file
+ * than part two, to trigger the bug in
+ * https://github.com/Automattic/VIP-Coding-Standards/issues/739
+ */
+?>
+<?= esc_attr('short_tag') ?>
diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.3.inc b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.3.inc
@@ -0,0 +1,11 @@
+<?php
+/*
+ * This is part two of a two-part test. It must be in a higher-numbered file
+ * than part one, to trigger the bug in
+ * https://github.com/Automattic/VIP-Coding-Standards/issues/739
+ */
+printf(
+	'<div class="%1$s"><p>%2$s</p></div>',
+	esc_attr($class),
+	wp_kses_post($message)
+);