Improve output escaping, input sanitizing and logging #252
base: trunk
Conversation
phpcs scanning turned up:
🚫 5 errors
This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.
… into fix-output-escaping
Dismissing review as all inline comments are obsolete by now
No issues were found to report when scanning latest commit (commit-ID: 9c379f4). This bot provides automated PHP linting, PHPCS scanning and Vulnerability and Update Scan. For more information about the bot and available customizations, see our documentation.
This pull request aims at improving output escaping, input sanitizing and logging.

TODO:

- `auto-approval.php`
- `reports.php`, such as:
- `github-api.php`: `vipgoci_github_pr_comments_generic_submit()`; `$dismiss_message` in `vipgoci_github_pr_review_dismiss()`; `$label_name` in `vipgoci_github_label_add_to_pr()`; `$description` in `vipgoci_github_status_create()`
- `$option` parameters, removing unexpected values
- `wpscan-scan.php`, only keep fields from WPScan API results that are needed. This includes both the general result, such as latest version, and also vulnerability results (i.e. `id`, `title`, `cvss` fields). This logic could be implemented here.
- `github-api.php`: `$state` and `$context` in `vipgoci_github_status_create()`; `cURL` will not escape by default.
- `vipgoci_output_markdown_escape()` so to escape `>`, `<` and `&` correctly. Current escaping will not result in user-friendly output, though it is safe.
- `Starting scanning PRs;` ) `vip-go-ci` in `reports.php`
- `PHPDoc` comments for new or updated functions (main code only; for VIP)
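As an added example (not code from this pull request or from vip-go-ci), the following PHP sketch illustrates two of the TODO items in the description: an allow-list filter that keeps only the WPScan API result fields the report needs (`id`, `title` and `cvss` for each vulnerability, plus one general field, assumed here to be named `latest_version`), and a Markdown escaping routine that turns `<`, `>` and `&` into HTML entities so the text is shown literally yet stays readable when rendered. The function names `example_filter_wpscan_result` and `example_markdown_escape`, the shape of the sample API result, and the field name `latest_version` are assumptions, not part of the project.

```php
<?php
// Added example, not vip-go-ci's own code. Function names, the field
// 'latest_version' and the sample result below are assumptions.

/**
 * Allow-list filter: keep only the fields of a WPScan API result that the
 * report needs. Everything else in the third-party response is dropped
 * before it can reach log output or a GitHub comment.
 */
function example_filter_wpscan_result( array $api_result ): array {
	$general_fields       = array( 'latest_version' );      // assumed field name
	$vulnerability_fields = array( 'id', 'title', 'cvss' ); // fields named in the TODO

	$filtered = array();
	foreach ( $general_fields as $field ) {
		if ( array_key_exists( $field, $api_result ) ) {
			$filtered[ $field ] = $api_result[ $field ];
		}
	}

	$filtered['vulnerabilities'] = array();
	foreach ( (array) ( $api_result['vulnerabilities'] ?? array() ) as $vuln ) {
		if ( ! is_array( $vuln ) ) {
			continue; // unexpected shape: drop rather than pass through
		}
		$kept = array();
		foreach ( $vulnerability_fields as $field ) {
			if ( array_key_exists( $field, $vuln ) ) {
				$kept[ $field ] = $vuln[ $field ];
			}
		}
		$filtered['vulnerabilities'][] = $kept;
	}

	return $filtered;
}

/**
 * Escape text for inclusion in Markdown so that '<', '>' and '&' are shown
 * literally instead of being interpreted as HTML. '&' is replaced first so
 * the entities inserted for '<' and '>' are not escaped a second time.
 */
function example_markdown_escape( string $text ): string {
	return str_replace(
		array( '&', '<', '>' ),
		array( '&amp;', '&lt;', '&gt;' ),
		$text
	);
}

// Constructed sample input, shaped loosely like an API response; the extra
// keys stand in for data the report does not need.
$sample_result = array(
	'latest_version'  => '1.2.3',
	'internal_notes'  => 'should never be logged',
	'vulnerabilities' => array(
		array(
			'id'         => 'EXAMPLE-ID-0001',
			'title'      => 'Example Plugin < 1.2.3 - Stored XSS via <script> tag',
			'cvss'       => array( 'score' => '6.1' ),
			'references' => array( 'http://example.invalid/advisory' ),
		),
		'not an array',
	),
);

$filtered = example_filter_wpscan_result( $sample_result );
print_r( $filtered );

foreach ( $filtered['vulnerabilities'] as $vuln ) {
	echo '* ' . example_markdown_escape( $vuln['title'] ) . PHP_EOL;
}
```

Run with `php example.php`: the printed array contains only `latest_version` and the three allow-listed vulnerability fields (the string element is skipped), and the rendered bullet reads `Example Plugin &lt; 1.2.3 - Stored XSS via &lt;script&gt; tag`, which GitHub displays with the angle brackets intact. The allow-list is deliberately positive (named fields are copied, everything else ignored) so that new fields added upstream never leak into output without a code change.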