ValidatedSanitizedInput.MissingUnslash & ValidatedSanitizedInput.InputNotSanitized

[jcvignoli]

My code:

if ( 0 === stripos( esc_url_raw( wp_unslash( strval( $_SERVER['REQUEST_URI'] ?? '' ) ) ), site_url( '', 'relative' ) . Get_Options::get_popup_url( 'movie_search' ) ) && $sanitized_film !== null ) {

The error:

WARNING	WordPress.Security.ValidatedSanitizedInput.MissingUnslash	$_SERVER['REQUEST_URI'] not unslashed before sanitization. Use wp_unslash() or similar
WARNING	WordPress.Security.ValidatedSanitizedInput.InputNotSanitized	Detected usage of a non-sanitized input variable: $_SERVER['REQUEST_URI']

$_SERVER['REQUEST_URI'] is escaped by both wp_unslash() and esc_url_raw(). I have dozens of similar errors related to sanitization, I'd like to know how I'm supposed to fix it.

[ernilambar]

WPCS expects wp_unslash() to be applied directly to the superglobal before any other processing. Can you please try once removing strval?

[jcvignoli]

Thanks, but if I remove the strval(), I get PHPStan and Psalm errors

IE, with PHPStan:
Parameter #1 $url of function esc_url_raw expects string, array<string>|string given.
If I add an extra check is_string(), Plugin check complains about
Detected usage of a possibly undefined superglobal array index: $_SERVER['REQUEST_URI']. Use isset() or empty() to check the index exists before using it
and I'm again in a loop where I can't make PHPStan and Plugin check work together.

[ernilambar]

Life is hard. We cannot make everyone happy. Make sure code is safe and use ignore appropriately. :-)

[jcvignoli]

@ernilambar This is not about making people "happy". People must use static analytical tools to get a full working and safe WP plugin.
However, they also have to pass the plugin check validation, which has become basically the official entry point for WP plugins.
Your response is not very responsible.

[ernilambar]

I gave you a pointer to potentially fix the issue and I was trying to be humorous. Apologies if you thought otherwise.

Lets go pedantic way then.

For WordPress.org directory, as of now, your plugin will never be rejected with the issue of "WordPress.Security.ValidatedSanitizedInput.MissingUnslash" and "WordPress.Security.ValidatedSanitizedInput.InputNotSanitized". You can see those are WARNINGS. Even for ERRORs, there may be false positives in the checks. So not all ERRORS are blockers. Only ERRORs with severity 7 are considered as blockers. Those issues would be manually reviewed by the reviewer in the review process.

Also plugin reviews are not done in WordPress.org based on tools like "PHPStan" and "Psalm" (as of now).

Those messages are coming from parent repo https://github.com/WordPress/WordPress-Coding-Standards and Plugin Check just points so that plugin author can confirm it and verify it. Yah, there could be false positives and those are being improved gradually in the parent repo. If you can suggest or have an idea to improve then please feel free to open issues in the parent repo.

[davidperezgar]

Yes, that issue could be proposed to WPCS as we are running their check. As Nilambar was mentioning, you will get only warnings.