Skip to content

Downgrade Files.IncludingNonPHPFile.IncludingSVGCSSFile to a warning with a more descriptive message #597

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rebeccahum opened this issue Nov 25, 2020 · 3 comments
Closed

Downgrade Files.IncludingNonPHPFile.IncludingSVGCSSFile to a warning with a more descriptive message #597

rebeccahum opened this issue Nov 25, 2020 · 3 comments

Comments

@rebeccahum
Copy link
Contributor

Since SVG files are submitted for review and VIPCS runs on them, I think we can downgrade Files.IncludingNonPHPFile.IncludingSVGCSSFile to a warning level rather than an error. The main reasoning why we recommend file_get_contents() over include() is because we don't want arbitrary code evaluated and it's faster — we should indicate the "why" in the messaging.
@rebeccahum rebeccahum added this to the 2.3.0 milestone Nov 25, 2020
@rebeccahum
Copy link
Contributor Author

rebeccahum commented Nov 25, 2020
edited
Loading

@jrfnl Since CSS files will be slated to be removed in PHPCS (#442), should we separate it out so SVGs are a warning and CSS remain an error? This will be a breaking error code change, however.

@jrfnl
Copy link
Collaborator

jrfnl commented Mar 3, 2021

@rebeccahum Just checking - why was this issue closed ? And why is it (still) in the 2.3.0 milestone, while - as far as I can see - the issue was not addressed ?

The main reasoning why we recommend file_get_contents() over include() is because we don't want arbitrary code evaluated and it's faster — we should indicate the "why" in the messaging.

The first part - "we don't want arbitrary code evaluated" - I can understand. The second part - "it's faster" -, however, is unlikely.

include is a language construct and because of that will generally be faster than file_get_contents(), which is a function call.

Since CSS files will be slated to be removed in PHPCS (#442), should we separate it out so SVGs are a warning and CSS remain an error? This will be a breaking error code change, however.

PHPCS 4.x will no longer have tokenizer support for CSS files. This means that you will no longer be able to pass a .css file to PHPCS for analysis.

This sniff, however, does not target CSS files, but PHP files (containing code which includes css files). So for this sniff, nothing will change with PHPCS 4.x. It will continue to function for both CSS as well as SVG files (and all other types) as before.

It would be different if we were trying to analyse a CSS file doing something like:

@import url("../parenttheme/style.css");

@rebeccahum
Copy link
Contributor Author

@jrfnl Ah, I should have been more transparent as to why I closed this. After an audit, we've decided that we're going to keep this at the error level since we typically do not review SVG/CSS/other non-PHP files. So, it would be good to flag that they are properly being included (and not being executed).

@rebeccahum rebeccahum removed this from the 2.3.0 milestone Mar 8, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jrfnl @rebeccahum