Improve output escaping, input sanitizing and logging#252
Improve output escaping, input sanitizing and logging#252gudmdharalds wants to merge 49 commits into
Conversation
wpcomvip-vipgoci-bot
left a comment
There was a problem hiding this comment.
phpcs scanning turned up:
🚫 5 errors
This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.
Details
Scan run detail
Software versions
Options file (
|
PHP lint optionsPHP lint files enabled:
Lint modified files only:
Directories not PHP linted:
SVG configurationSVG scanning enabled:
Auto-approval configurationAuto-approvals enabled:
Non-functional changes auto-approved:
Auto-approval DB enabled:
Auto-approved file-types:
|
PHPCS configurationPHPCS scanning enabled:
PHPCS severity level:
Standard(s) used:
Runtime set:
Custom sniffs included:
Custom sniffs excluded:
Directories not PHPCS scanned:
|
… into fix-output-escaping
Dismissing review as all inline comments are obsolete by now
|
No issues were found to report when scanning latest commit (commit-ID: 9c379f4) This bot provides automated PHP linting, PHPCS scanning and Vulnerability and Update Scan. For more information about the bot and available customizations, see our documentation. DetailsScan run detail
|
This pull request aims at improving output escaping, input sanitizing and logging.
TODO:
auto-approval.php:reports.php, such as:github-api.php:vipgoci_github_pr_comments_generic_submit()$dismiss_messageinvipgoci_github_pr_review_dismiss()$label_nameinvipgoci_github_label_add_to_pr()$descriptioninvipgoci_github_status_create()$optionparameters, removing unexpected valueswpscan-scan.php, only keep fields from WPScan API results that are needed. This includes both the general result, such as latest version, and also vulnerability results (i.e.id,title,cvssfields). This logic could be implemented here.github-api.php$stateand$contextinvipgoci_github_status_create()cURLwill not escape by default.vipgoci_output_markdown_escape()so to escape>,<and&correctly. Current escaping will not result in user-friendly output, though it is safe.Starting scanning PRs;)vip-go-ciinreports.phpPHPDoccomments for new or updated functions (main code only; for VIP)