From 3900d240670e7d2ec9c2235c85064230fd6849f5 Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Thu, 29 Jun 2023 14:23:29 +0200
Subject: [PATCH] ContextHelper::$safe_casts: make `private`

Follow up on 2232. This property was previously not made `private` as it is used by the `EscapeOutput` sniff. For consistency with other classes and to better protect the value of the property, I'm proposing to make it `private` now anyway and add a `get_safe_cast_tokens()` method to retrieve the list. This prevents potential problems if external standards would attempt to adjust the list (which they could while the property was `public static`, even though the class is `final`).
---
 WordPress/Helpers/ContextHelper.php | 15 +++++++++++++--
 WordPress/Sniffs/Security/EscapeOutputSniff.php | 2 +-
 WordPress/Tests/Security/EscapeOutputUnitTest.php | 1 +
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/WordPress/Helpers/ContextHelper.php b/WordPress/Helpers/ContextHelper.php
index 757479e46d..280989d48f 100644
--- a/WordPress/Helpers/ContextHelper.php
+++ b/WordPress/Helpers/ContextHelper.php
@@ -34,11 +34,11 @@ final class ContextHelper {
 *
 * @since 1.1.0
 * @since 3.0.0 - Moved from the Sniff class to this class.
- * - The property visibility was changed from `protected` to `public static`.
+ * - The property visibility was changed from `protected` to `private static`.
 *
 * @var array
 */
- public static $safe_casts = array(
+ private static $safe_casts = array(
 \T_INT_CAST => true,
 \T_DOUBLE_CAST => true,
 \T_BOOL_CAST => true,
@@ -306,6 +306,17 @@ public static function is_in_isset_or_empty( File $phpcsFile, $stackPtr ) {
 return false;
 }
+ /**
+ * Retrieve a list of the tokens which are regarded as "safe casts".
+ *
+ * @since 3.0.0
+ *
+ * @return array
+ */
+ public static function get_safe_cast_tokens() {
+ return self::$safe_casts;
+ }
+
 /**
 * Check if something is being casted to a safe value.
 *
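Review bot: The docblock of the new `get_safe_cast_tokens()` method says only `@return array`, while the array it returns (the `$safe_casts` property in the first hunk) is keyed by token constants with `true` as every value, which is exactly the shape callers depend on when they `isset()` into it; documenting it as `@return array<int|string, true> Token constants as keys, true as values.` lets static analysis check those call sites. The `@var array` on the property in the first hunk could carry the same shape. Because PHP arrays are value types, the method hands out a copy, so a caller modifying the result cannot alter the private list — a short sentence saying so in the method description would make the intent of the `private` change explicit and discourage a later by-reference "optimisation".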
diff --git a/WordPress/Sniffs/Security/EscapeOutputSniff.php b/WordPress/Sniffs/Security/EscapeOutputSniff.php
index 4eed80f46d..0f00efcf0c 100644
--- a/WordPress/Sniffs/Security/EscapeOutputSniff.php
+++ b/WordPress/Sniffs/Security/EscapeOutputSniff.php
@@ -340,7 +340,7 @@ public function process_token( $stackPtr ) {
 $watch = false;
 // Allow int/double/bool casted variables.
- if ( isset( ContextHelper::$safe_casts[ $this->tokens[ $i ]['code'] ] ) ) {
+ if ( isset( ContextHelper::get_safe_cast_tokens()[ $this->tokens[ $i ]['code'] ] ) ) {
 $in_cast = true;
 continue;
 }
diff --git a/WordPress/Tests/Security/EscapeOutputUnitTest.php b/WordPress/Tests/Security/EscapeOutputUnitTest.php
index 5468176b4e..4664245d45 100644
--- a/WordPress/Tests/Security/EscapeOutputUnitTest.php
+++ b/WordPress/Tests/Security/EscapeOutputUnitTest.php
@@ -21,6 +21,7 @@
 * @since 1.0.0 This sniff has been moved from the `XSS` category to the `Security` category.
 *
 * @covers \WordPressCS\WordPress\Helpers\ArrayWalkingFunctionsHelper
+ * @covers \WordPressCS\WordPress\Helpers\ContextHelper::get_safe_cast_tokens
 * @covers \WordPressCS\WordPress\Helpers\ConstantsHelper::is_use_of_global_constant
 * @covers \WordPressCS\WordPress\Helpers\EscapingFunctionsTrait
 * @covers \WordPressCS\WordPress\Helpers\PrintingFunctionsTrait
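Review bot: `ContextHelper::get_safe_cast_tokens()` is now called on every iteration of the token loop in `process_token()` (the `continue;` shows this is a loop body; the loop and the method both start and end outside the hunk), where the old line read a static property directly. The list never changes during the run, so fetching it once into a local before the loop, `$safe_casts = ContextHelper::get_safe_cast_tokens();`, and testing `if ( isset( $safe_casts[ $this->tokens[ $i ]['code'] ] ) ) {` reads more plainly and keeps the per-token check free of a method call. Behaviour is the same either way, since the method returns the same array the sniff indexed before.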