PPI::Token::HereDoc->heredoc() includes the terminator for quoted terminators #71
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
guillaumeaubert
added a commit
to guillaumeaubert/Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection
that referenced
this pull request
Mar 19, 2014
Due to a bug in PPI::Token::Heredoc, $token->heredoc() does not include the terminator line when the terminator is a simple bareword, but it includes the terminator line in the other cases (single/double quoted , commands, escaped). I wrote a patch to resolve this in PPI (see Perl-Critic/PPI#71), but in the meantime this addresses the inconsistency.
|
My mistake, the closing terminator should not include quotes/backticks/etc, or it will not be detected as a valid closing terminator and be included in the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
While working with @vsespb on guillaumeaubert/Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection#14, I discovered that heredoc blocks with a quoted terminator (such as
<<"HERE"or<<'HERE') include the terminator line in the output of->heredoc(), but unquoted heredoc blocks (such as<<HERE) do not.The issue is the check for the terminator on this line https://github.com/adamkennedy/PPI/blob/master/lib/PPI/Token/HereDoc.pm#L212:
$terminator is the unescaped version of the terminator without surrounding quotes, while the lines that are being compared against will have the escaped version. This also explains why it's not an issue for regular barewords, since for those the escaped and unescaped versions are the same.
I added tests in
t/ppi_token_heredoc.tto cover the five possible cases inlib/PPI/Token/HereDoc.pm, and the tests pass after adding the patch in 0295784. The tests are modeled after tests in other t/ppi_token_* files for consistency.I also opted to add a
_raw_terminatorkey rather than modifying_terminatorin thePPI::Token::HereDocobject, in case this would break code that relies on this behavior (even if the key is prefixed with an underscore to indicate that it's private). But this can easily be changed to reuse_terminatorif it is preferable.Thank you for considering this pull request!