Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
False negatives
// Concatenating some symbols is fine.
$x = '(' . t('Test') . ')';
$x = '[' . t('Test') . ']';
$x = '- ' . t('Test') . ' -';
$x = '<' . t('Test') . '>';
The above code should not produce warnings.
False positive
// Concatenating markup with text in it is not fine.
$x = '<p>' . t('Test') . '</p><p>More text.</p>';
This code should produce a warning.
Comment | File | Size | Author |
---|---|---|---|
#7 | improve-2716963-1.patch | 4.37 KB | borisson_ |
Comments
Comment #2
alexpottComment #3
borisson_We have a similar warning in Search API's codebase on using
$this->t('General') . ' » '
, I think«
and»
should be included as allowed special characters as well.Otherwise, this patch looks great.
Comment #4
klausiwait what, eval()??? Does that mean I can write a PHP file that can do arbitrary code execution as soon as it is scanned with PHPCS?
It should be safe to run PHPCS on any third party code base, so I think this is a no-go. Can we do this some other way?
Comment #5
borisson_Tests pass, so this approach should work as well.
Comment #6
klausiPHPCS coding standards: do not use "!", "use === false" instead.
type is missing (string)
Comment should be "The string that is concatenated to a t() call."
Comment is wrong now.
TRUE should be lower case in PHPCS coding standards, make sure to run phpcbf --standard=PHPCS on the sniff file.
Comment #7
borisson_Fixed all remarks made in #6.
Comment #8
alexpottI'm on the go atm. There was a reason I did the eval(). It means that whatever the string was we would treat it correctly - things like \n. There actually was no danger whatsoever unless php' tokeniser is broken. as the only thing being passed in is something between single or double quotes. I'll update the tests to show what I mean.
Comment #9
klausiWhile it seems like you are right I still have a very bad feeling about using eval() - there might be creative ways to trick the PHP tokenizer or whatever that we don't know yet. Let's not risk that.
It seems you only want to remove the quotes, so just trim() them off? I think we don't care if some escaped quotes remain in the string.
Comment #11
klausiAlso added the regression to good.php and committed it, thanks!
Feel free to follow up with further improvements.