Security/Underscorejs: bug fix - don't error when variable is escaped

jrfnl · jrfnl · commit 1ab279496f6e · 2020-11-01T02:14:13.000+01:00
Prevent triggering a warning when the variable being printed is escaped using `_.escape()`.

Includes unit tests.

Fixes 345
diff --git a/WordPressVIPMinimum/Sniffs/Security/UnderscorejsSniff.php b/WordPressVIPMinimum/Sniffs/Security/UnderscorejsSniff.php
@@ -106,6 +106,10 @@ public function process_token( $stackPtr ) {
 		$match_count = preg_match_all( self::UNESCAPED_INTERPOLATE_REGEX, $content, $matches );
 		if ( $match_count > 0 ) {
 			foreach ( $matches[0] as $match ) {
+				if ( strpos( $match, '_.escape(' ) !== false ) {
+					continue;
+				}
+
 				// Underscore.js unescaped output.
 				$message = 'Found Underscore.js unescaped output notation: "%s".';
 				$data    = [ $match ];
diff --git a/WordPressVIPMinimum/Tests/Security/UnderscorejsUnitTest.inc b/WordPressVIPMinimum/Tests/Security/UnderscorejsUnitTest.inc
@@ -73,3 +73,36 @@ function test_interpolate_match_precision() {
 	</script>
 	<?php
 }
+
+// Recognize escaping.
+function dont_trigger_when_escaped() {
+	$script = <<<EOD
+		var html = _.template('<li><%= _.escape(name) %></li>', { name: 'John Smith' }); // OK.
+		
+		var html = _.template(
+			"<pre>The \"<% __p+=_.escape(o.text) %>\" is the same<br />" + // OK.
+				"as the  \"<%= _.escape(o.text) %>\" and the same<br />" + // OK.
+				"as the \"<%- o.text %>\"</pre>", // OK.
+			{
+				text: "<b>some text</b> and \n it's a line break"
+			},
+			{
+				variable: "o"
+			}
+		);
+EOD;
+
+	echo $script;
+}
+
+function display_foo {
+?>
+	<script id="template" type="text/template">
+		<li class="dashboard-post-item" dashboard-id="<%= _.escape( id ) %>"><!-- OK -->
+			<div class="image-wrapper">
+				<img src="<%= _.escape( image_url ) %>" class="dashboard-image"><!-- OK -->
+			</div>
+		</li>
+	</script>
+<?php
+}
diff --git a/WordPressVIPMinimum/Tests/Security/UnderscorejsUnitTest.js b/WordPressVIPMinimum/Tests/Security/UnderscorejsUnitTest.js
@@ -24,3 +24,18 @@ var p = function(f, d) {
 }
 
 y.interpolate.bezier = b; // OK.
+
+// Recognize escaping.
+var html = _.template('<li><%= _.escape(name) %></li>', { name: 'John Smith' }); // OK.
+
+var html = _.template(
+	"<pre>The \"<% __p+=_.escape(o.text) %>\" is the same<br />" + // OK.
+		"as the  \"<%= _.escape(o.text) %>\" and the same<br />" + // OK.
+		"as the \"<%- o.text %>\"</pre>", // OK.
+	{
+		text: "<b>some text</b> and \n it's a line break"
+	},
+	{
+		variable: "o"
+	}
+);
