
SanitizingFunctionsTrait: make sure function names are checked case-insensitively

These functions should be self-contained, so they should not presume that the sniff has already lowercased the function name before passing it.

This fixes a bug: in this case the sniffs did not actually lowercase the name before passing it to the Helper class methods, so the sniffs would throw false positives for function calls written in non-lowercase form.

Tested by adjusting some pre-existing tests for the `ValidatedSanitizedInput` sniff.
jrfnl committed Jun 29, 2023
1 parent 53309ac commit 7455b6f
Showing 2 changed files with 4 additions and 4 deletions.
4 changes: 2 additions & 2 deletions WordPress/Helpers/SanitizingFunctionsTrait.php
Expand Up @@ -220,7 +220,7 @@ public function get_sanitizing_and_unslashing_functions() {
* @return bool
*/
public function is_sanitizing_function( $functionName ) {
return isset( $this->get_sanitizing_functions()[ $functionName ] );
return isset( $this->get_sanitizing_functions()[ strtolower( $functionName ) ] );
}

/**
Expand All @@ -233,6 +233,6 @@ public function is_sanitizing_function( $functionName ) {
* @return bool
*/
public function is_sanitizing_and_unslashing_function( $functionName ) {
return isset( $this->get_sanitizing_and_unslashing_functions()[ $functionName ] );
return isset( $this->get_sanitizing_and_unslashing_functions()[ strtolower( $functionName ) ] );
}
}
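Review bot: `strtolower()` on the new line in `is_sanitizing_function()` is locale-dependent on PHP versions before 8.2, whereas PHP itself resolves function names with ASCII-only case folding, so under a locale such as `tr_TR` a name containing `I` could still miss the lookup; the same applies to the new line in `is_sanitizing_and_unslashing_function()`. If the project's minimum PHP version predates 8.2 and the runner does not pin `LC_CTYPE` to `C`, an ASCII-only fold such as `strtr( $functionName, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz' )` matches PHP's own semantics exactly. The docblocks of both methods (their opening lines lie outside the hunk) should also record the new contract, e.g. adding `* Note: the function name is matched case-insensitively.` above the `@param` line. If other lookup methods in this trait or its sibling helper traits take a function name the same way, it is worth checking whether they presume a pre-lowercased name too.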
Expand Up @@ -94,7 +94,7 @@ switch ( do_something( wp_unslash( $_POST['foo'] ) ) ) {} // Bad.

// Sanitization is required even when the value is being escaped.
echo esc_html( wp_unslash( $_POST['foo'] ) ); // Bad.
echo esc_html( sanitize_text_field( wp_unslash( $_POST['foo'] ) ) ); // Ok.
echo esc_html( Sanitize_Text_Field( wp_unslash( $_POST['foo'] ) ) ); // Ok.

$current_tax_slug = isset( $_GET['a'] ) ? sanitize_key( $_GET['a'] ) : false; // Ok.
$current_tax_slug = isset( $_GET['a'] ) ? $_GET['a'] : false; // Bad x 2
Expand All @@ -105,7 +105,7 @@ echo sanitize_text_field( $_POST['foo545'] ); // Error for no validation, unslas
echo array_map( 'sanitize_text_field', $_GET['test'] ); // Bad, no unslashing.
echo Array_Map( 'sanitize_key', $_GET['test'] ); // Ok.

foo( absint( $_GET['foo'] ) ); // Ok.
foo( AbsINT( $_GET['foo'] ) ); // Ok.
$ids = array_map( 'absint', $_GET['test'] ); // Ok.

if ( is_array( $_GET['test'] ) ) {} // Ok.
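Review bot: The recased fixture lines exercise only direct calls (`Sanitize_Text_Field( ... )`, `AbsINT( ... )`); the string-callable form on the line `$ids = array_map( 'absint', $_GET['test'] ); // Ok.` is left lowercase, so if the sniff resolves quoted callable names through the same helper methods, that path is not covered by the fix. Consider recasing one such line as well, e.g. `$ids = array_map( 'AbsInt', $_GET['test'] ); // Ok.`. The fixture file's name and header are not visible in this section.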

0 comments on commit 7455b6f
