Stricter Escape Checks

[Morgy93]

Description

Currently, there is no validation to ensure that the correct escaping methods are used in the right context. This allows incorrect or inconsistent escaping, leading to potential security vulnerabilities.

For example, the following incorrect usages are currently not flagged:

<!-- Incorrect usage: escapeHtml() used inside an attribute -->
<div attr="<?= $escaper->escapeHtml('value') ?>"><?= $escaper->escapeHtmlAttr('text') ?></div>

<!-- Incorrect usage: escapeHtmlAttr() used for a URL -->
<a href="<?= $escaper->escapeHtmlAttr('https://example.com?param=value') ?>">Link</a>

<!-- Incorrect usage: escapeHtml() used inside JavaScript -->
<script>var msg = '<?= $escaper->escapeHtml("alert('XSS')") ?>';</script>

Correct Usage:

<!-- Proper escaping for HTML content and attributes -->
<div attr="<?= $escaper->escapeHtmlAttr('safe-value') ?>"><?= $escaper->escapeHtml('Safe Text') ?></div>

<!-- Proper escaping for URLs -->
<a href="<?= $escaper->escapeUrl('https://example.com?param=value') ?>">Link</a>

<!-- Proper escaping for JavaScript -->
<script>var msg = '<?= $escaper->escapeJs("alert('XSS')") ?>';</script>

Expected Behavior

• The Magento Coding Standard should flag incorrect usage of escaping methods.
• It should recommend the appropriate escaping function based on the context:
  • escapeHtml() → for content inside HTML tags.
  • escapeHtmlAttr() → for attribute values.
  • escapeUrl() → for URLs inside <a href="">, <form action="">, etc.
  • escapeJs() → for escaping JavaScript content inside <script> tags or inline JS handlers (onclick, onmouseover, etc.).
• Developers should be alerted when incorrect escaping is used.

Benefits

• Improves security by reducing the risk of XSS vulnerabilities caused by improper escaping.
• Encourages best practices for secure and consistent code.
• Enhances code quality by enforcing correct escaping usage.

[m2-assistant]

Hi @Morgy93. Thank you for your report.
To speed up processing of this issue, make sure that you provided sufficient information.
Add a comment to assign the issue: @magento I am working on this

---

Join Magento Community Engineering Slack and ask your questions in #github channel.

[hostep]

Would love to see this!

Especially because Magento 2.3.x code is in a much better shape then 2.4.x code in this regards, because they forgot to forward-port magento/magento2@7caf492 from 2.3 to 2.4 branch many years ago (I've already reported it multiple times to their internal devs and security team, but they keep saying it's not important and they don't have time to fix it).

Having coding standards check better against correct usage would solve a lot of wrong usages each time a template is touched.