Bug Description
The WordPress.Security.ValidatedSanitizedInput.InputNotSanitized error is thrown when a GET parameter is unslashed and then only used in a direct comparison, but it's not thrown when it's only used in a direct comparison.
I would expect the same behavior between those two cases, ideally and more specifically for that error to not appear in both cases.
Minimal Code Snippet
The issue happens when running this command:

phpcs ......

over a file containing this code:

```php
if ( isset( $_GET['foo'] ) && wp_unslash( $_GET['foo'] ) === 'bar' ) {
	//code;
}
```

but not over a file containing this code:

```php
if ( isset( $_GET['foo'] ) && $_GET['foo'] === 'bar' ) {
	//code;
}
```

Error Code

```
ERROR | [ ] Detected usage of a non-sanitized input variable:
      | |   $_GET['foo']
      | |   (WordPress.Security.ValidatedSanitizedInput.InputNotSanitized)
```
It would probably make sense if the error did not appear in either case? 🙂
Environment
| Question | Answer |
|---|---|
| PHP version | 7.4.20 |
| PHP_CodeSniffer version | 3.7.2 |
| WPCS version | 2.3.0 |
| WPCS install type | Composer project local and git clone (haven't tested others) |
Tested Against develop branch?
- I have verified the issue still exists in the `develop` branch of WPCS.