From 3cd5b64047a67651e81b6ac1712edf5dd86a7863 Mon Sep 17 00:00:00 2001
From: "K. Adam White"
Date: Mon, 22 Jun 2026 22:24:17 -0400
Subject: [PATCH 1/7] PHPCS: Add sanitization around unslashed $_GET property access
---
 src/post-type/render.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/post-type/render.php b/src/post-type/render.php
index 70d43f2..774e771 100644
--- a/src/post-type/render.php
+++ b/src/post-type/render.php
@@ -48,7 +48,7 @@
From ce0175cff7987bc13fe3faeea71b1521165d41c3 Mon Sep 17 00:00:00 2001
From: "K. Adam White"
Date: Mon, 22 Jun 2026 22:30:00 -0400
Subject: [PATCH 2/7] PHPCS: Add sanitization around unslashed $_GET property access
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 src/taxonomy/render.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/taxonomy/render.php b/src/taxonomy/render.php
index 97258b4..362966a 100644
--- a/src/taxonomy/render.php
+++ b/src/taxonomy/render.php
@@ -36,7 +36,7 @@
From 581e62cab01769918913baf9c6b5efeaa4363b6f Mon Sep 17 00:00:00 2001
From: "K. Adam White"
Date: Mon, 22 Jun 2026 22:30:15 -0400
Subject: [PATCH 3/7] PHPCS: Document deliberate manual sanitization of search input
sanitize_key() and sanitize_text_field() are unsuitable for the search value: the former strips spaces and punctuation, the latter trims whitespace. The value is hand-sanitized over the following lines instead.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 inc/namespace.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inc/namespace.php b/inc/namespace.php
index 6457f8f..82b3786 100644
--- a/inc/namespace.php
+++ b/inc/namespace.php
@@ -179,7 +179,7 @@ function render_block_search( string $block_content, array $block, \WP_Block $in
 $action = str_replace( '/page/'. get_query_var( 'paged', 1 ), '', add_query_arg( [ $query_var => '' ] ) );
 // Note sanitize_text_field trims whitespace from start/end of string causing unexpected behaviour.
- $value = wp_unslash( $_GET[ $query_var ] ?? '' );
+ $value = wp_unslash( $_GET[ $query_var ] ?? '' ); // phpcs:ignore HM.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized over the following lines to preserve leading/trailing whitespace.
 $value = urldecode( $value );
 $value = wp_check_invalid_utf8( $value );
 $value = wp_pre_kses_less_than( $value );
From 76500c3bf50f3a56e794a78985a89a9433a06c6d Mon Sep 17 00:00:00 2001
From: "K. Adam White"
Date: Mon, 22 Jun 2026 22:31:11 -0400
Subject: [PATCH 4/7] PHPCS: Keep strip_tags() for whitespace-preserving search sanitization
The suggested wp_strip_all_tags() always trim()s its result, which would defeat the deliberate whitespace preservation noted above.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 inc/namespace.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inc/namespace.php b/inc/namespace.php
index 82b3786..401a3f8 100644
--- a/inc/namespace.php
+++ b/inc/namespace.php
@@ -183,7 +183,7 @@ function render_block_search( string $block_content, array $block, \WP_Block $in
 $value = urldecode( $value );
 $value = wp_check_invalid_utf8( $value );
 $value = wp_pre_kses_less_than( $value );
- $value = strip_tags( $value );
+ $value = strip_tags( $value ); // phpcs:ignore WordPress.WP.AlternativeFunctions.strip_tags_strip_tags -- wp_strip_all_tags() trims whitespace, which this search value intentionally preserves.
 wp_interactivity_state( 'query-filter', [
 'searchValue' => $value,
From 4bf9e0f218dcfbec5fa4877f9b1199e76c4bdf67 Mon Sep 17 00:00:00 2001
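Review bot: The phpcs:ignore added to the `$value = wp_unslash( $_GET[ $query_var ] ?? '' );` line asserts the value is sanitized below, but nothing in the hunk checks its type: a request such as `?{$query_var}[]=x` makes `$_GET[ $query_var ]` an array, `wp_unslash()` returns it unchanged, and `urldecode()` on the next line would then throw a TypeError on PHP 8 unless a check outside the hunk already guarantees a string. A one-line guard closes it: `$value = wp_unslash( $_GET[ $query_var ] ?? '' );` followed by `$value = is_string( $value ) ? $value : '';`. It is also worth confirming that the `urldecode()` on an already-decoded `$_GET` value is intentional, since it decodes a second time (`+` becomes a space, `%25xx` becomes a decoded byte). render_block_search() starts and ends outside the hunk.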
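Review bot: The justification added to the `strip_tags()` line explains why `wp_strip_all_tags()` was rejected but not why the chain is ordered as it is, which is the part a future cleanup is most likely to break: `strip_tags()` discards everything from an unclosed `<` to the end of the string, so a search term like `a <b` survives only because `wp_pre_kses_less_than()` on the preceding line has already turned that bare `<` into `&lt;`. A short comment on the `wp_pre_kses_less_than()` line would record the dependency: `// Must run before strip_tags(): a bare '<' in a search term would otherwise swallow the rest of the string.` render_block_search() starts and ends outside the hunk.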
From: "K. Adam White"
Date: Tue, 23 Jun 2026 09:03:45 -0400
Subject: [PATCH 5/7] PHPCS: Adjust positioning of ignore directives for legibility
---
 inc/namespace.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/inc/namespace.php b/inc/namespace.php
index 401a3f8..ad0ac0c 100644
--- a/inc/namespace.php
+++ b/inc/namespace.php
@@ -179,11 +179,13 @@ function render_block_search( string $block_content, array $block, \WP_Block $in
 $action = str_replace( '/page/'. get_query_var( 'paged', 1 ), '', add_query_arg( [ $query_var => '' ] ) );
 // Note sanitize_text_field trims whitespace from start/end of string causing unexpected behaviour.
- $value = wp_unslash( $_GET[ $query_var ] ?? '' ); // phpcs:ignore HM.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized over the following lines to preserve leading/trailing whitespace.
+ // phpcs:ignore HM.Security.ValidatedSanitizedInput.InputNotSanitized
+ $value = wp_unslash( $_GET[ $query_var ] ?? '' );
 $value = urldecode( $value );
 $value = wp_check_invalid_utf8( $value );
 $value = wp_pre_kses_less_than( $value );
- $value = strip_tags( $value ); // phpcs:ignore WordPress.WP.AlternativeFunctions.strip_tags_strip_tags -- wp_strip_all_tags() trims whitespace, which this search value intentionally preserves.
+ // phpcs:ignore WordPress.WP.AlternativeFunctions.strip_tags_strip_tags -- need to preserve whitespace.
+ $value = strip_tags( $value );
 wp_interactivity_state( 'query-filter', [
 'searchValue' => $value,
From bfcccb0110cd83d9dd3d1ba07d95608c14151b16 Mon Sep 17 00:00:00 2001
From: "K. Adam White"
Date: Tue, 23 Jun 2026 09:26:39 -0400
Subject: [PATCH 6/7] Update HMCS to 2.2.1 to fix false-positive on get_block_wrapper_attributes
---
 composer.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/composer.lock b/composer.lock
index 18989e0..940544f 100644
--- a/composer.lock
+++ b/composer.lock
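Review bot: Moving the `HM.Security.ValidatedSanitizedInput.InputNotSanitized` directive onto its own line drops the `-- reason` text entirely, while the relocated `strip_tags` directive keeps only a terse `need to preserve whitespace.`; a security-sniff suppression with no recorded reason is the kind of line a later audit has to re-investigate from scratch. Keep the rationale on the standalone directive, e.g. `// phpcs:ignore HM.Security.ValidatedSanitizedInput.InputNotSanitized -- sanitized over the following lines, preserving leading/trailing whitespace.`, and restore the specific fact on the other one, e.g. `// phpcs:ignore WordPress.WP.AlternativeFunctions.strip_tags_strip_tags -- wp_strip_all_tags() trims whitespace, which this search value intentionally preserves.`. render_block_search() starts and ends outside the hunk.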
@@ -335,16 +335,16 @@
 },
 {
 "name": "humanmade/coding-standards",
- "version": "v2.2.0",
+ "version": "v2.2.1",
 "source": {
 "type": "git",
 "url": "https://github.com/humanmade/coding-standards.git",
- "reference": "96fb170e1b81307ca4e73dbc22b44a62fe5f8534"
+ "reference": "601ff015e90254a7be77c5b1ce262df6df089fdb"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/humanmade/coding-standards/zipball/96fb170e1b81307ca4e73dbc22b44a62fe5f8534",
- "reference": "96fb170e1b81307ca4e73dbc22b44a62fe5f8534",
+ "url": "https://api.github.com/repos/humanmade/coding-standards/zipball/601ff015e90254a7be77c5b1ce262df6df089fdb",
+ "reference": "601ff015e90254a7be77c5b1ce262df6df089fdb",
 "shasum": ""
 },
 "require": {
@@ -367,9 +367,9 @@
 "description": "Human Made Coding Standards",
 "support": {
 "issues": "https://github.com/humanmade/coding-standards/issues",
- "source": "https://github.com/humanmade/coding-standards/tree/v2.2.0"
+ "source": "https://github.com/humanmade/coding-standards/tree/v2.2.1"
 },
- "time": "2026-06-22T17:25:44+00:00"
+ "time": "2026-06-23T13:24:51+00:00"
 },
 {
 "name": "phpcompatibility/php-compatibility",
From 5a6fb7be22e668a826193b124429effe5195770e Mon Sep 17 00:00:00 2001
From: "K. Adam White"
Date: Tue, 23 Jun 2026 10:26:23 -0400
Subject: [PATCH 7/7] PHPCS: Fix misalignment of comment
---
 inc/namespace.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inc/namespace.php b/inc/namespace.php
index ad0ac0c..63829fe 100644
--- a/inc/namespace.php
+++ b/inc/namespace.php
@@ -179,7 +179,7 @@ function render_block_search( string $block_content, array $block, \WP_Block $in
 $action = str_replace( '/page/'. get_query_var( 'paged', 1 ), '', add_query_arg( [ $query_var => '' ] ) );
 // Note sanitize_text_field trims whitespace from start/end of string causing unexpected behaviour.
- // phpcs:ignore HM.Security.ValidatedSanitizedInput.InputNotSanitized
+ // phpcs:ignore HM.Security.ValidatedSanitizedInput.InputNotSanitized
 $value = wp_unslash( $_GET[ $query_var ] ?? '' );
 $value = urldecode( $value );
 $value = wp_check_invalid_utf8( $value );