From 5c348064c180213db1a45b8606b9485000f0ce55 Mon Sep 17 00:00:00 2001
From: gotbadger
Date: Mon, 12 Feb 2024 13:37:34 +0000
Subject: [PATCH] feat(php): improve input sanitizer
---
rules/php/shared/lang/user_input_sanitizer.yml | 1 +
tests/php/lang/raw_html_using_user_input/testdata/ok.php | 2 ++
tests/php/lang/raw_output_using_user_input/testdata/echo.php | 1 +
3 files changed, 4 insertions(+)
diff --git a/rules/php/shared/lang/user_input_sanitizer.yml b/rules/php/shared/lang/user_input_sanitizer.yml
index 3c5f053ee..3b2595190 100644
--- a/rules/php/shared/lang/user_input_sanitizer.yml
+++ b/rules/php/shared/lang/user_input_sanitizer.yml
@@ -2,6 +2,7 @@ type: shared
languages:
- php
patterns:
+ - (int)$<_>
- count($<_>)
- filter_var($$<_>$<...>)
metadata:
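Review bot: The new `(int)$<_>` entry only recognises the `int` spelling of the cast, so the equivalent `(integer)$x` alias and the `intval($x)` call, which produce the same digits-only value and are just as safe in an output context, would still be reported as unsanitised, assuming the entries in this list match PHP source literally the way the existing `count($<_>)` entry does. Consider adding `- (integer)$<_>` and `- intval($<_>)` alongside it, and if the engine treats `(float)`/`(bool)` casts the same way those are candidates too. A one-line comment above the entry such as `# scalar casts: the result can only be a number, so it is safe to emit raw` would record why a cast counts as a sanitiser for future readers of this shared file.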
diff --git a/tests/php/lang/raw_html_using_user_input/testdata/ok.php b/tests/php/lang/raw_html_using_user_input/testdata/ok.php
index c28c37872..3d38c569f 100644
--- a/tests/php/lang/raw_html_using_user_input/testdata/ok.php
+++ b/tests/php/lang/raw_html_using_user_input/testdata/ok.php
@@ -5,3 +5,5 @@
$html = "{$_GET['x'] * $_GET['y']}
";
$html = "{$ok}
";
+$foo = (int)$_GET['x']
+$html = "{$foo}
";
\ No newline at end of file
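Review bot: `$foo = (int)$_GET['x']` is missing its terminating semicolon, so the fixture is no longer valid PHP and the following `$html = …` statement runs into it; whether the parser's error recovery still binds the cast to `$foo` is uncertain, which means the "ok" expectation could be met for the wrong reason. Change the line to `$foo = (int)$_GET['x'];`. The `\ No newline at end of file` marker also shows the fixture still ends without a trailing newline, which is worth fixing while touching the file.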
diff --git a/tests/php/lang/raw_output_using_user_input/testdata/echo.php b/tests/php/lang/raw_output_using_user_input/testdata/echo.php
index c199d1c86..66ad69bac 100644
--- a/tests/php/lang/raw_output_using_user_input/testdata/echo.php
+++ b/tests/php/lang/raw_output_using_user_input/testdata/echo.php
@@ -21,6 +21,7 @@
echo "" . filter_var($_GET["ok"], FILTER_SANITIZE_STRING) . "
";
echo strip_tags($_GET["ok"]);
echo $_GET["x"] + $_GET["y"];
+echo (int)$_GET["x"];
// FIXME: Add support for $this
$this->Oops = $_POST["oops"];