[wp-trac] [WordPress Trac] #44058: Include security sniffs in PHPCS ruleset
WordPress Trac
noreply at wordpress.org
Sat May 12 16:14:39 UTC 2018
#44058: Include security sniffs in PHPCS ruleset
------------------------------+-----------------------------
Reporter: iandunn | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: coding-standards |
------------------------------+-----------------------------
Currently, our custom ruleset includes the sniffs for prepared queries,
but not for XSS or CSRF.
I couldn't find any previous discussions about why they're not included.
The only thing I can think of is that there might be too many false
positives?
In my experience, the XSS sniff works well. The CSRF one sometimes
generates false positives, but I think it'd be better to include it, and
then refine our code and/or the sniff to address those, than it would be
to not use it at all, and take the risk of a vulnerability slipping
through.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44058>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
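As an added illustration of the change the ticket asks for (this is an assumed project ruleset, not WordPress core's actual phpcs.xml.dist), the fragment below keeps the prepared-query sniffs and adds the WordPressCS XSS and CSRF sniffs; it uses the post-1.0 sniff names (WordPress.Security.EscapeOutput and WordPress.Security.NonceVerification, which replaced WordPress.XSS.EscapeOutput and WordPress.CSRF.NonceVerification), and the `myproject_*` helper names are hypothetical.

```xml
<?xml version="1.0"?>
<!-- Assumed project ruleset (added example, not WordPress core's own phpcs.xml.dist). -->
<ruleset name="Project with WPCS security sniffs">
    <description>Prepared-query sniffs plus the XSS and CSRF sniffs from WordPressCS.</description>

    <file>.</file>
    <exclude-pattern>/vendor/*</exclude-pattern>
    <arg name="extensions" value="php"/>
    <arg value="sp"/>

    <!-- Already present per the ticket: SQL must go through $wpdb->prepare() with proper placeholders. -->
    <rule ref="WordPress.DB.PreparedSQL"/>
    <rule ref="WordPress.DB.PreparedSQLPlaceholders"/>

    <!-- XSS: every echoed or printed value must pass through an escaping function. -->
    <rule ref="WordPress.Security.EscapeOutput">
        <properties>
            <!-- Hypothetical project helper that already escapes; listing it avoids a false positive. -->
            <property name="customEscapingFunctions" type="array">
                <element value="myproject_esc_label"/>
            </property>
        </properties>
    </rule>

    <!-- CSRF: use of $_POST / $_GET / $_REQUEST must be guarded by a nonce check. -->
    <rule ref="WordPress.Security.NonceVerification">
        <properties>
            <!-- Hypothetical wrapper around wp_verify_nonce(); listing it keeps the sniff from flagging it. -->
            <property name="customNonceVerificationFunctions" type="array">
                <element value="myproject_verify_request"/>
            </property>
        </properties>
    </rule>

    <!-- Reviewed false-positive class (read-only $_GET in public listings): report as a
         warning rather than an error while the code and the sniff are refined, as the ticket proposes. -->
    <rule ref="WordPress.Security.NonceVerification.Recommended">
        <type>warning</type>
    </rule>
</ruleset>
```

With this in place, `phpcs` reports unescaped output and unchecked superglobal reads alongside the existing prepared-query findings, so the sniff's remaining false positives surface as reviewable warnings instead of being silently absent.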