Security/Underscorejs: enhancement - check for print execution statements

Add a new check for the JS native `print` command and the `_p+=` variation, when used without being combined with `_.escape()`.

Includes unit tests.

Author: jrfnl

WordPressVIPMinimum/Sniffs/Security/UnderscorejsSniff.php

@@ -26,6 +26,14 @@ class UnderscorejsSniff extends Sniff {
 	 */
 	const UNESCAPED_INTERPOLATE_REGEX = '`<%=\s*(?:.+?%>|$)`';
 
+	/**
+	 * Regex to match execute notations containing a print command
+	 * and retrieve a code snippet.
+	 *
+	 * @var string
+	 */
+	const UNESCAPED_PRINT_REGEX = '`<%\s*(?:print\s*\(.+?\)\s*;|__p\s*\+=.+?)\s*%>`';
+
 	/**
 	 * Regex to match the "interpolate" keyword when used to overrule the ERB-style delimiters.
 	 *
@@ -112,7 +120,8 @@ public function process_token( $stackPtr ) {
 			return;
 		}
 
-		$content     = $this->strip_quotes( $this->tokens[ $stackPtr ]['content'] );
+		$content = $this->strip_quotes( $this->tokens[ $stackPtr ]['content'] );
+
 		$match_count = preg_match_all( self::UNESCAPED_INTERPOLATE_REGEX, $content, $matches );
 		if ( $match_count > 0 ) {
 			foreach ( $matches[0] as $match ) {
@@ -127,6 +136,20 @@ public function process_token( $stackPtr ) {
 			}
 		}
 
+		$match_count = preg_match_all( self::UNESCAPED_PRINT_REGEX, $content, $matches );
+		if ( $match_count > 0 ) {
+			foreach ( $matches[0] as $match ) {
+				if ( strpos( $match, '_.escape(' ) !== false ) {
+					continue;
+				}
+
+				// Underscore.js unescaped output.
+				$message = 'Found Underscore.js unescaped print execution: "%s".';
+				$data    = [ $match ];
+				$this->phpcsFile->addWarning( $message, $stackPtr, 'PrintExecution', $data );
+			}
+		}
+
 		if ( $this->phpcsFile->tokenizerType !== 'JS'
 			&& preg_match( self::INTERPOLATE_KEYWORD_REGEX, $content ) > 0
 		) {

WordPressVIPMinimum/Tests/Security/UnderscorejsUnitTest.inc

@@ -106,3 +106,15 @@ function display_foo {
 	</script>
 <?php
 }
+
+function print_foo() {
+?>
+	<script id="template" type="text/template">
+		var compiled = _.template("<% print('Hello ' + _.escape(epithet)); %>"); /* OK */
+		var compiled = _.template("<% print('Hello ' + epithet); %>"); /* NOK */
+		var compiled = _.template("<% __p+=o.text %>"); /* NOK */
+
+		compiled({epithet: "stooge"});
+	</script>
+<?php
+}

WordPressVIPMinimum/Tests/Security/UnderscorejsUnitTest.js

@@ -39,3 +39,7 @@ var html = _.template(
 		variable: "o"
 	}
 );
+
+var compiled = _.template("<% print('Hello ' + _.escape(epithet)); %>"); /* OK */
+var compiled = _.template("<% print('Hello ' + epithet); %>"); /* NOK */
+var compiled = _.template("<% __p+=o.text %>"); /* NOK */

WordPressVIPMinimum/Tests/Security/UnderscorejsUnitTest.php

@@ -53,18 +53,20 @@ public function getWarningList( $testFile = '' ) {
 		switch ( $testFile ) {
 			case 'UnderscorejsUnitTest.inc':
 				return [
-					6  => 1,
-					14 => 1,
-					22 => 1,
-					23 => 1,
-					28 => 1,
-					32 => 1,
-					38 => 3,
-					45 => 1,
-					46 => 1,
-					47 => 1,
-					58 => 1,
-					60 => 1,
+					6   => 1,
+					14  => 1,
+					22  => 1,
+					23  => 1,
+					28  => 1,
+					32  => 1,
+					38  => 3,
+					45  => 1,
+					46  => 1,
+					47  => 1,
+					58  => 1,
+					60  => 1,
+					114 => 1,
+					115 => 1,
 				];
 
 			case 'UnderscorejsUnitTest.js':
@@ -74,6 +76,8 @@ public function getWarningList( $testFile = '' ) {
 					7  => 1,
 					9  => 1,
 					12 => 1,
+					44 => 1,
+					45 => 1,
 				];
 
 			default: