[wp-trac] [WordPress Trac] #44058: Include security sniffs in PHPCS ruleset
WordPress Trac
noreply at wordpress.org
Sun May 13 02:34:21 UTC 2018
#44058: Include security sniffs in PHPCS ruleset
-------------------------+-------------------------------
Reporter: iandunn | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version:
Severity: normal | Resolution:
Keywords: needs-patch | Focuses: coding-standards
-------------------------+-------------------------------
Comment (by jrf):
There are two reasons why these sniffs are not included in the core
ruleset:
1. The Core CS handbook does not contain any guidelines for this. The core
ruleset follows the handbook, so at this moment, the handbook does not
justify adding these sniffs.
2. Historically core does not escape any translations. Changing this would
IMHO be a positive precedent, but should be discussed more thoroughly.
Also, in my opinion, the nonce verification sniff will need more work
before it is suitable to be added for core.
And to give you some insight into the number of issues which would be
identified:
* Enabling the XSS sniff would at this moment generate 5500+ errors which
would all need to be manually evaluated and, where necessary, fixed.
* Enabling the CSRF sniff would at this moment generate 945+
errors+warnings which would all need to be manually evaluated and, where
necessary, fixed.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44058#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
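The two code patterns the comment's XSS and CSRF sniffs report, each beside its remediated form, as an added illustration that is not code from the ticket or from WordPress core; the `wp_trac_example_` function names, the option name and the `example-textdomain` text domain are assumptions, while the WordPress functions called are the real core APIs.

```php
<?php
// Added illustration, not code from the ticket or WordPress core.
// Assumes the WordPress runtime (the functions called below) is loaded.

// Pattern the XSS (output-escaping) sniff reports: a translated string is
// echoed with no escaping function, which is how core has historically
// written translations.
function wp_trac_example_unescaped_heading() {
    echo '<h2>' . __( 'Settings', 'example-textdomain' ) . '</h2>';
}

// Same heading with the escaping the sniff expects: esc_html__() translates
// and escapes in one call, so the HTML context is covered even if a
// translation file ever carries markup.
function wp_trac_example_escaped_heading() {
    echo '<h2>' . esc_html__( 'Settings', 'example-textdomain' ) . '</h2>';
}

// Pattern the CSRF (nonce verification) sniff reports: a value from the
// $_POST superglobal is acted on with no nonce check anywhere in scope.
function wp_trac_example_save_without_nonce() {
    if ( isset( $_POST['example_option'] ) ) {
        update_option( 'example_option', sanitize_text_field( wp_unslash( $_POST['example_option'] ) ) );
    }
}

// Remediated form: the request is refused unless the nonce emitted by
// wp_nonce_field() validates; check_admin_referer() terminates on failure.
function wp_trac_example_save_with_nonce() {
    if ( ! isset( $_POST['example_option'] ) ) {
        return;
    }
    check_admin_referer( 'example_save_option', 'example_nonce' );
    update_option( 'example_option', sanitize_text_field( wp_unslash( $_POST['example_option'] ) ) );
}

// Form rendering that pairs with the checked handler: the nonce field is
// what check_admin_referer() verifies, and every dynamic value is escaped
// for its context.
function wp_trac_example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_save_option', 'example_nonce' );
    echo '<input type="text" name="example_option" value="' . esc_attr( get_option( 'example_option', '' ) ) . '">';
    echo '<button type="submit">' . esc_html__( 'Save', 'example-textdomain' ) . '</button>';
    echo '</form>';
}
```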