Allow nested array_map()
smileBeda opened this issue · 1 comments
Problem?
Assume $_POST['thing'] holds an array like so:
array(
'https://www.asite.com',
'https://www.bsite.com',
'https://www.csite.com',
)
Assume we want to store the $_POST['thing'] in a $var.
Thus we would naturally do this:
$var = array_map( 'esc_url_raw', array_map( 'wp_unslash', $_POST['thing'] ) );
WPCS Sniff, despite the calls to wp_unslash and esc_url_raw, throws the errors:
3 | ERROR | [ ] $_POST data not unslashed before sanitization. Use
| | wp_unslash() or similar
3 | ERROR | [ ] Detected usage of a non-sanitized input variable:
| | $_POST['thing']
But, as the code shows, we do indeed use wp_unslash and do sanitize.
Note that, if we do the following:
$var = array_map( 'esc_url_raw', $_POST['thing'] );
then only the error about missing wp_unslash is thrown, but sanitization passes fine.
Solution
If possible, the solution would be that WPCS recognises the nested array_map with the unslash and the sanitize callback.
I think it should be clear from the above description that WPCS seems to recognise one-level array_map but not several nested array maps.
Additional context
I first commented on #1679 (comment) because I thought it is related, but it is too old/perhaps less related than I thought.
Sorry if this is somehow wrong in report or expected in behaviour.
FYI, wp_unslash works recursively.
Just this is enough:
array_map( 'sanitize_text_field', wp_unslash( $_POST['thing'] ) )
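
Added example, not part of the issue or the comment above: the single wp_unslash() call applied to the issue's URL list, with the presence and type checks a handler would want before sanitizing. It assumes WordPress is loaded (for instance via `wp eval-file`) and that the caller has already verified a nonce; `example_posted_urls()` is a hypothetical helper name and the sample `$_POST` data is constructed.

```php
<?php
// Added example. Requires WordPress: wp_unslash(), wp_slash() and
// esc_url_raw() are core functions; example_posted_urls() is hypothetical.

/**
 * Read a list of URLs from $_POST[ $key ].
 * Assumption: the caller has already verified a nonce.
 */
function example_posted_urls( $key ) {
	// Validate first: the key must exist and must actually be an array,
	// otherwise array_map() below would be handed a scalar.
	if ( ! isset( $_POST[ $key ] ) || ! is_array( $_POST[ $key ] ) ) {
		return array();
	}

	// wp_unslash() recurses into arrays, so one call covers every element.
	$raw = wp_unslash( $_POST[ $key ] );

	// Keep only string elements; a nested array here is unexpected input.
	$raw = array_filter( $raw, 'is_string' );

	// Sanitize each URL, then drop entries esc_url_raw() emptied out
	// (it returns '' for a protocol that is not allowed).
	$urls = array_filter( array_map( 'esc_url_raw', $raw ) );

	return array_values( $urls );
}

// Constructed sample input. WordPress adds slashes to $_POST on load,
// so wp_slash() is used here to mimic what a real handler receives.
$_POST['thing'] = wp_slash(
	array(
		'https://www.asite.com',
		'https://www.bsite.com/?q=it\'s',
		'javascript:alert(1)',             // disallowed protocol
		array( 'https://nested.example' ), // not a string
	)
);

var_dump( example_posted_urls( 'thing' ) );
```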