From b91fb4f620958e7dd40f55fb6f35b0f2154c5b82 Mon Sep 17 00:00:00 2001
From: Xristopher Anderton <tikifez@users.noreply.github.com>
Date: Tue, 17 Sep 2024 15:20:29 -0700
Subject: [PATCH 1/6] adds documentation for sniff

---
 .../PHP/DiscouragedPHPFunctionsStandard.xml   | 108 ++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml

diff --git a/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
new file mode 100644
index 0000000000..1abafcb40d
--- /dev/null
+++ b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
@@ -0,0 +1,108 @@
+<?xml version="1.0"?>
+<documentation xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://phpcsstandards.github.io/PHPCSDevTools/phpcsdocs.xsd"
+    title="Discouraged PHP Functions"
+    >
+    <standard>
+    <![CDATA[
+Use JSON instead of serialized data, which has known vulnerability problems with object injection.
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Using JSON for serialized data.">
+            <![CDATA[
+$serialized = json_encode( $array );
+$serialized = wp_json_encode( $array );
+$unserialized = json_decode( $array );
+        ]]>
+        </code>
+        <code title="Invalid: Using serialized data strings.">
+            <![CDATA[
+$serialized = serialize( $array );
+$unserialized = unserialize( $array );
+        ]]>
+        </code>
+    </code_comparison>
+    <standard>
+        <![CDATA[
+URLs should now be encoded using rawurlencode(). Only legacy applications should use urlencode().
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Encoding a url using rawurlencode().">
+            <![CDATA[
+rawurlencode( get_site_url() );
+        ]]>
+        </code>
+        <code title="Invalid: Encoding a url using urlencode().">
+            <![CDATA[
+urlencode( get_site_url() );
+        ]]>
+        </code>
+    </code_comparison>
+    <standard>
+    <![CDATA[
+Avoid using functions which change configuration values at runtime.
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Not changing configuration at runtime.">
+            <![CDATA[
+// Configuration not changed at runtime.
+        ]]>
+        </code>
+        <code title="Invalid: Changing configuration at runtime">
+            <![CDATA[
+error_reporting( 0 );
+ini_restore( $option );
+apache_setenv( $variable, $value );
+putenv( $assignment );
+set_include_path( $include_path );
+restore_include_path();
+magic_quotes_runtime( $new_setting );
+set_magic_quotes_runtime( $new_setting );
+dl( $extension_filename );
+        ]]>
+        </code>
+    </code_comparison>
+    <standard>
+    <![CDATA[
+Do not use PHP system calls. They are often disabled by server admins.
+    ]]>
+    </standard>
+<code_comparison>
+<code title="Valid: Not using PHP system calls.">
+    <![CDATA[
+// Avoiding using PHP system calls.
+        ]]>
+</code>
+<code title="Invalid: Using PHP system calls.">
+    <![CDATA[
+exec( $command );
+passthru( $command );
+proc_open( 'php', $desc, $pipes, $cwd, $env );
+shell_exec( $command );
+system( $command );
+popen( $command, $mode );
+        ]]>
+</code>
+</code_comparison>
+    <standard>
+    <![CDATA[
+Functions often used for obfuscating code are strongly discouraged. Make sure the function is used for benign reasons.
+     ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Using functions for benign reasons.">
+        <![CDATA[
+base64_encode($username);
+base64_decode( $expected_md5 );
+        ]]>
+        </code>
+        <code title="Invalid: Using functions to obfuscate code.">
+        <![CDATA[
+eval( base64_decode( $code_str ) );
+        ]]>
+        </code>
+    </code_comparison>
+</documentation>
\ No newline at end of file

From d12e715b64b85d4cc9b2e74f178d792e47ff07a1 Mon Sep 17 00:00:00 2001
From: Jason Kenison <jason.kenison@gmail.com>
Date: Tue, 26 Aug 2025 11:03:56 -0700
Subject: [PATCH 2/6] updated formatting, indentation, add <em> tags

---
 WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
index 1abafcb40d..9c2b18ac45 100644
--- a/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
+++ b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
@@ -105,4 +105,4 @@ eval( base64_decode( $code_str ) );
         ]]>
         </code>
     </code_comparison>
-</documentation>
\ No newline at end of file
+</documentation>

From 46f08e38a3ad861dd21a72c50f785ad2d01e99e7 Mon Sep 17 00:00:00 2001
From: Jason Kenison <jason.kenison@gmail.com>
Date: Tue, 26 Aug 2025 11:09:20 -0700
Subject: [PATCH 3/6] update indentation, add <em>, linebreak end of document

---
 .../PHP/DiscouragedPHPFunctionsStandard.xml   | 48 +++++++++----------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
index 9c2b18ac45..26d5511e49 100644
--- a/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
+++ b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
@@ -10,33 +10,33 @@ Use JSON instead of serialized data, which has known vulnerability problems with
     </standard>
     <code_comparison>
         <code title="Valid: Using JSON for serialized data.">
-            <![CDATA[
-$serialized = json_encode( $array );
-$serialized = wp_json_encode( $array );
-$unserialized = json_decode( $array );
+        <![CDATA[
+$serialized = <em>json_encode</em>( $array );
+$serialized = <em>wp_json_encode</em>( $array );
+$unserialized = <em>json_decode</em>( $array );
         ]]>
         </code>
         <code title="Invalid: Using serialized data strings.">
-            <![CDATA[
-$serialized = serialize( $array );
-$unserialized = unserialize( $array );
+        <![CDATA[
+$serialized = <em>serialize</em>( $array );
+$unserialized = <em>unserialize</em>( $array );
         ]]>
         </code>
     </code_comparison>
     <standard>
-        <![CDATA[
+    <![CDATA[
 URLs should now be encoded using rawurlencode(). Only legacy applications should use urlencode().
     ]]>
     </standard>
     <code_comparison>
         <code title="Valid: Encoding a url using rawurlencode().">
-            <![CDATA[
-rawurlencode( get_site_url() );
+        <![CDATA[
+<em>rawurlencode</em>( get_site_url() );
         ]]>
         </code>
         <code title="Invalid: Encoding a url using urlencode().">
-            <![CDATA[
-urlencode( get_site_url() );
+        <![CDATA[
+<em>urlencode</em>( get_site_url() );
         ]]>
         </code>
     </code_comparison>
@@ -47,12 +47,12 @@ Avoid using functions which change configuration values at runtime.
     </standard>
     <code_comparison>
         <code title="Valid: Not changing configuration at runtime.">
-            <![CDATA[
+        <![CDATA[
 // Configuration not changed at runtime.
         ]]>
         </code>
         <code title="Invalid: Changing configuration at runtime">
-            <![CDATA[
+        <![CDATA[
 error_reporting( 0 );
 ini_restore( $option );
 apache_setenv( $variable, $value );
@@ -70,14 +70,14 @@ dl( $extension_filename );
 Do not use PHP system calls. They are often disabled by server admins.
     ]]>
     </standard>
-<code_comparison>
-<code title="Valid: Not using PHP system calls.">
-    <![CDATA[
+    <code_comparison>
+        <code title="Valid: Not using PHP system calls.">
+        <![CDATA[
 // Avoiding using PHP system calls.
         ]]>
-</code>
-<code title="Invalid: Using PHP system calls.">
-    <![CDATA[
+        </code>
+        <code title="Invalid: Using PHP system calls.">
+        <![CDATA[
 exec( $command );
 passthru( $command );
 proc_open( 'php', $desc, $pipes, $cwd, $env );
@@ -85,12 +85,12 @@ shell_exec( $command );
 system( $command );
 popen( $command, $mode );
         ]]>
-</code>
-</code_comparison>
+        </code>
+    </code_comparison>
     <standard>
     <![CDATA[
 Functions often used for obfuscating code are strongly discouraged. Make sure the function is used for benign reasons.
-     ]]>
+    ]]>
     </standard>
     <code_comparison>
         <code title="Valid: Using functions for benign reasons.">
@@ -101,7 +101,7 @@ base64_decode( $expected_md5 );
         </code>
         <code title="Invalid: Using functions to obfuscate code.">
         <![CDATA[
-eval( base64_decode( $code_str ) );
+<em>eval</em>( base64_decode( $code_str ) );
         ]]>
         </code>
     </code_comparison>

From a8fffd4508871b17ff50cc73c51afd0af0394289 Mon Sep 17 00:00:00 2001
From: Jason Kenison <jason.kenison@gmail.com>
Date: Tue, 26 Aug 2025 14:01:34 -0700
Subject: [PATCH 4/6] include more details in obfuscate code standard

---
 .../Docs/PHP/DiscouragedPHPFunctionsStandard.xml      | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
index 26d5511e49..edbf1ce73f 100644
--- a/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
+++ b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
@@ -95,13 +95,18 @@ Functions often used for obfuscating code are strongly discouraged. Make sure th
     <code_comparison>
         <code title="Valid: Using functions for benign reasons.">
         <![CDATA[
-base64_encode($username);
-base64_decode( $expected_md5 );
+base64_encode( $string );
+base64_decode( $encrypted_string );
+convert_uuencode( $string );
+convert_uudecode( $encrypted_string );
+str_rot13( $string );
         ]]>
         </code>
         <code title="Invalid: Using functions to obfuscate code.">
         <![CDATA[
-<em>eval</em>( base64_decode( $code_str ) );
+<em>eval( </em>base64_decode( $code_str )<em> )</em>;
+<em>eval( </em>convert_uudecode( $uuencoded )<em> )</em>;
+<em>eval( </em>str_rot13( $rot13_encoded )<em> )</em>;
         ]]>
         </code>
     </code_comparison>

From b5a58721e7df297e9ed4bfc81c7832ed0558f955 Mon Sep 17 00:00:00 2001
From: Jason Kenison <jason.kenison@gmail.com>
Date: Sun, 14 Sep 2025 10:39:40 -0700
Subject: [PATCH 5/6] requested changes

---
 .../PHP/DiscouragedPHPFunctionsStandard.xml   | 48 ++++++-------------
 1 file changed, 15 insertions(+), 33 deletions(-)

diff --git a/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
index edbf1ce73f..e1360e9032 100644
--- a/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
+++ b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
@@ -5,27 +5,26 @@
     >
     <standard>
     <![CDATA[
-Use JSON instead of serialized data, which has known vulnerability problems with object injection.
+    Use JSON instead of serialized data, which has known vulnerability problems with object injection.
     ]]>
     </standard>
     <code_comparison>
-        <code title="Valid: Using JSON for serialized data.">
+        <code title="Valid: Using JSON to encode data.">
         <![CDATA[
-$serialized = <em>json_encode</em>( $array );
-$serialized = <em>wp_json_encode</em>( $array );
-$unserialized = <em>json_decode</em>( $array );
+$serialized = <em>wp_json_encode</em>( $my_array );
+$unserialized = <em>json_decode</em>( $my_array );
         ]]>
         </code>
         <code title="Invalid: Using serialized data strings.">
         <![CDATA[
-$serialized = <em>serialize</em>( $array );
-$unserialized = <em>unserialize</em>( $array );
+$serialized = <em>serialize</em>( $my_array );
+$unserialized = <em>unserialize</em>( $my_array );
         ]]>
         </code>
     </code_comparison>
     <standard>
     <![CDATA[
-URLs should now be encoded using rawurlencode(). Only legacy applications should use urlencode().
+    URLs should now be encoded using rawurlencode().
     ]]>
     </standard>
     <code_comparison>
@@ -42,7 +41,7 @@ URLs should now be encoded using rawurlencode(). Only legacy applications should
     </code_comparison>
     <standard>
     <![CDATA[
-Avoid using functions which change configuration values at runtime.
+    Avoid using functions which change configuration values at runtime. Invalid runtime configuration functions include `error_reporting()`, `ini_restore()`, `apache_setenv()`, `putenv()`, `set_include_path()`, `restore_include_path()`, `magic_quotes_runtime()`, `set_magic_quotes_runtime()`, and `dl()`.
     ]]>
     </standard>
     <code_comparison>
@@ -53,21 +52,13 @@ Avoid using functions which change configuration values at runtime.
         </code>
         <code title="Invalid: Changing configuration at runtime">
         <![CDATA[
-error_reporting( 0 );
-ini_restore( $option );
-apache_setenv( $variable, $value );
-putenv( $assignment );
-set_include_path( $include_path );
-restore_include_path();
-magic_quotes_runtime( $new_setting );
-set_magic_quotes_runtime( $new_setting );
-dl( $extension_filename );
+<em>apache_setenv( $variable, $value );</em>
         ]]>
         </code>
     </code_comparison>
     <standard>
     <![CDATA[
-Do not use PHP system calls. They are often disabled by server admins.
+    Do not use PHP system calls. They are often disabled by server admins. Disallowed system call functions include `exec()`, `passthru()`, `proc_open()`, `shell_exec()`, `system()`, and `popen()`.
     ]]>
     </standard>
     <code_comparison>
@@ -78,35 +69,26 @@ Do not use PHP system calls. They are often disabled by server admins.
         </code>
         <code title="Invalid: Using PHP system calls.">
         <![CDATA[
-exec( $command );
-passthru( $command );
-proc_open( 'php', $desc, $pipes, $cwd, $env );
-shell_exec( $command );
-system( $command );
-popen( $command, $mode );
+<em>exec( $my_command );</em>
         ]]>
         </code>
     </code_comparison>
     <standard>
     <![CDATA[
-Functions often used for obfuscating code are strongly discouraged. Make sure the function is used for benign reasons.
+    Functions often used for obfuscating code are strongly discouraged. Make sure the function is used for benign reasons.
     ]]>
     </standard>
     <code_comparison>
         <code title="Valid: Using functions for benign reasons.">
         <![CDATA[
-base64_encode( $string );
-base64_decode( $encrypted_string );
-convert_uuencode( $string );
-convert_uudecode( $encrypted_string );
-str_rot13( $string );
+// It is up to the developer to determine if the functino is used for benign purposes or if they want to keep it.
         ]]>
         </code>
         <code title="Invalid: Using functions to obfuscate code.">
         <![CDATA[
 <em>eval( </em>base64_decode( $code_str )<em> )</em>;
-<em>eval( </em>convert_uudecode( $uuencoded )<em> )</em>;
-<em>eval( </em>str_rot13( $rot13_encoded )<em> )</em>;
+<em>convert_uudecode( $uuencoded )</code>em>;
+<em>str_rot13( $rot13_encoded )</em>;
         ]]>
         </code>
     </code_comparison>

From 013e0d0291b2fd555f099da12d15cc15dd0067ce Mon Sep 17 00:00:00 2001
From: Jason Kenison <jason.kenison@gmail.com>
Date: Sun, 14 Sep 2025 10:44:33 -0700
Subject: [PATCH 6/6] fix spelling error

---
 WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
index e1360e9032..92138d542f 100644
--- a/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
+++ b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
@@ -81,7 +81,7 @@ $unserialized = <em>unserialize</em>( $my_array );
     <code_comparison>
         <code title="Valid: Using functions for benign reasons.">
         <![CDATA[
-// It is up to the developer to determine if the functino is used for benign purposes or if they want to keep it.
+// It is up to the developer to determine if the function is used for benign purposes or if they want to keep it.
         ]]>
         </code>
         <code title="Invalid: Using functions to obfuscate code.">