Do wp_unslash() before deep sanitization.

.env.testing

@@ -0,0 +1,57 @@
+# This file will be consumed by both the CI and the tests.
+# Some environment variables might not apply to one but might apply to the other: modify with care.
+
+# What version of WordPress we want to install and test against.
+# This has to be compatible with the `wp core download` command, see https://developer.wordpress.org/cli/commands/core/download/.
+WP_VERSION=latest
+
+# This is where, in the context of the CI, we'll install and configure WordPress.
+# See `.travis.yml` for more information.
+WP_ROOT_FOLDER=/tmp/wordpress
+
+# The WordPress installation will be served from the Docker container.
+# See `dev/docker/ci-compose.yml` for more information.
+WP_URL=http://localhost:8080
+WP_DOMAIN=localhost:8080
+
+# The credentials that will be used to access the site in acceptance tests
+# in methods like `$I->loginAsAdmin();`.
+WP_ADMIN_USERNAME=admin
+WP_ADMIN_PASSWORD=password
+
+WP_DB_PORT=4306
+
+# The databse is served from the Docker `db` container.
+# See `dev/docker/ci-compose.yml` for more information.
+WP_TABLE_PREFIX=wp_
+WP_DB_HOST=127.0.0.1:4306
+WP_DB_NAME=wordpress
+WP_DB_USER=root
+WP_DB_PASSWORD=
+
+# The test databse is served from the Docker `db` container.
+# See `dev/docker/ci-compose.yml` for more information.
+WP_TEST_DB_HOST=127.0.0.1:4306
+WP_TEST_DB_NAME=test
+WP_TEST_DB_USER=root
+WP_TEST_DB_PASSWORD=
+
+# We're using Selenium and Chrome for acceptance testing.
+# In CI context we're starting a Docker container to handle that.
+# See the `dev/docker/ci-compose.yml` file.
+CHROMEDRIVER_HOST=localhost
+CHROMEDRIVER_PORT=4444
+
+# The URL of the WordPress installation from the point of view of the Chromedriver container.
+# Why not just use `wordpress`? While Chrome will accept an `http://wordpress` address WordPress
+# will not, we call the WordPress container with a seemingly looking legit URL and leverage the
+# lines that, in the `wp-config.php` file, will make it so that WordPress will use as its home
+# URL whatever URL we reach it with.
+# See the `dev/docker/wp-config.php` template for more information.
+WP_CHROMEDRIVER_URL="wp.test"
+
+# To run the tests let's force the background-processing lib to run in synchronous (single PHP thread) mode.
+TRIBE_NO_ASYNC=1
+
+# We're using Docker to run the tests.
+USING_CONTAINERS=1

.env.testing.slic

@@ -0,0 +1,57 @@
+# This file will be consumed by both the CI and the tests.
+# Some environment variables might not apply to one but might apply to the other: modify with care.
+
+# What version of WordPress we want to install and test against.
+# This has to be compatible with the `wp core download` command, see https://developer.wordpress.org/cli/commands/core/download/.
+WP_VERSION=latest
+
+# This is where, in the context of the CI, we'll install and configure WordPress.
+# See `.travis.yml` for more information.
+WP_ROOT_FOLDER=/var/www/html
+
+# The WordPress installation will be served from the Docker container.
+# See `dev/docker/ci-compose.yml` for more information.
+WP_URL=http://wordpress.test
+WP_DOMAIN=wordpress.test
+
+# The credentials that will be used to access the site in acceptance tests
+# in methods like `$I->loginAsAdmin();`.
+WP_ADMIN_USERNAME=admin
+WP_ADMIN_PASSWORD=password
+
+WP_DB_PORT=3306
+
+# The databse is served from the Docker `db` container.
+# See `dev/docker/ci-compose.yml` for more information.
+WP_TABLE_PREFIX=wp_
+WP_DB_HOST=db
+WP_DB_NAME=test
+WP_DB_USER=root
+WP_DB_PASSWORD=password
+
+# The test databse is served from the Docker `db` container.
+# See `dev/docker/ci-compose.yml` for more information.
+WP_TEST_DB_HOST=db
+WP_TEST_DB_NAME=test
+WP_TEST_DB_USER=root
+WP_TEST_DB_PASSWORD=password
+
+# We're using Selenium and Chrome for acceptance testing.
+# In CI context we're starting a Docker container to handle that.
+# See the `dev/docker/ci-compose.yml` file.
+CHROMEDRIVER_HOST=chrome
+CHROMEDRIVER_PORT=4444
+
+# The URL of the WordPress installation from the point of view of the Chromedriver container.
+# Why not just use `wordpress`? While Chrome will accept an `http://wordpress` address WordPress
+# will not, we call the WordPress container with a seemingly looking legit URL and leverage the
+# lines that, in the `wp-config.php` file, will make it so that WordPress will use as its home
+# URL whatever URL we reach it with.
+# See the `dev/docker/wp-config.php` template for more information.
+WP_CHROMEDRIVER_URL=http://wordpress.test
+
+# To run the tests let's force the background-processing lib to run in synchronous (single PHP thread) mode.
+TRIBE_NO_ASYNC=1
+
+# We're using Docker to run the tests.
+USING_CONTAINERS=1

.github/workflows/tests-php.yml

@@ -1,25 +1,102 @@
-name: Tests
+name: 'CI'
 on:
   push:
 jobs:
-  tests:
-    name: tests
+  test:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # Update this as WordPress releases new backward patches: https://wordpress.org/download/releases/
+        # Currently supporting two releases back.
+        wordpress:
+          - latest
+
+        php:
+          - '7.4'
+
+    name: "Tests: WP ${{ matrix.wordpress }} / PHP ${{ matrix.php }}"
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Configure PHP environment
-        uses: shivammathur/setup-php@v2
+      - name: Checkout the repository
+        uses: actions/checkout@v4
         with:
-          php-version: '7.4'
-          extensions: mbstring, intl
-          coverage: none
-      - uses: ramsey/composer-install@v2
+          fetch-depth: 1000
+          submodules: recursive
+      # ------------------------------------------------------------------------------
+      # Checkout slic
+      # ------------------------------------------------------------------------------
+      - name: Checkout slic
+        uses: actions/checkout@v4
         with:
-          composer-options: "--ignore-platform-reqs --optimize-autoloader"
-      - name: Setup git
+          repository: stellarwp/slic
+          ref: main
+          path: slic
+          fetch-depth: 1
+      # ------------------------------------------------------------------------------
+      # Prepare our composer cache directory
+      # ------------------------------------------------------------------------------
+      - name: Get Composer Cache Directory
+        id: get-composer-cache-dir
         run: |
-          git config --global user.name "GitHub Actions"
-          git config --global user.email "<>"
-      - name: Run tests
-        run: php vendor/bin/phpunit --bootstrap=tests/bootstrap.php --no-coverage
+          echo "DIR=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+
+      - uses: actions/cache@v4
+        id: composer-cache
+        with:
+          path: ${{ steps.get-composer-cache-dir.outputs.DIR }}
+          key: ${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }}
+          restore-keys: |
+            ${{ matrix.php }}-composer-
+
+      # ------------------------------------------------------------------------------
+      # Initialize slic
+      # ------------------------------------------------------------------------------
+      - name: Set up slic env vars
+        run: |
+          echo "SLIC_BIN=${GITHUB_WORKSPACE}/slic/slic" >> $GITHUB_ENV
+          echo "SLIC_WP_DIR=${GITHUB_WORKSPACE}/slic/_wordpress" >> $GITHUB_ENV
+          echo "SLIC_WORDPRESS_DOCKERFILE=Dockerfile.base" >> $GITHUB_ENV
+
+      - name: Set run context for slic
+        run: echo "SLIC=1" >> $GITHUB_ENV && echo "CI=1" >> $GITHUB_ENV
+
+      - name: Start ssh-agent
+        run: |
+          mkdir -p "${HOME}/.ssh";
+          ssh-agent -a /tmp/ssh_agent.sock;
+
+      - name: Export SSH_AUTH_SOCK env var
+        run: echo "SSH_AUTH_SOCK=/tmp/ssh_agent.sock" >> $GITHUB_ENV
+
+      - name: Set up slic for CI
+        run: |
+          cd ${GITHUB_WORKSPACE}/..
+          ${SLIC_BIN} here
+          ${SLIC_BIN} interactive off
+          ${SLIC_BIN} build-prompt off
+          ${SLIC_BIN} build-subdir off
+          ${SLIC_BIN} xdebug off
+          ${SLIC_BIN} debug on
+          ${SLIC_BIN} php-version set ${{ matrix.php }} --skip-rebuild
+          ${SLIC_BIN} composer-cache set ${{ steps.get-composer-cache-dir.outputs.DIR }}
+          ${SLIC_BIN} info
+          ${SLIC_BIN} config
+
+      - name: Install specific WordPress version ${{ matrix.wordpress }}
+        run: |
+          ${SLIC_BIN} wp core download --version=${{ matrix.wordpress }} --force
+
+      - name: Show WordPress version
+        run: ${SLIC_BIN} wp core version
+
+      - name: Update installed WordPress themes
+        run: ${SLIC_BIN} wp theme update --all
+
+      - name: Set up StellarWP SuperGlobals
+        run: |
+          ${SLIC_BIN} use superglobals
+          ${SLIC_BIN} composer set-version 2
+          ${SLIC_BIN} composer validate
+          ${SLIC_BIN} composer install
+
+      - name: Run wpunit tests
+        run: ${SLIC_BIN} run wpunit --ext DotReporter

codeception.dist.yml

@@ -0,0 +1,14 @@
+actor: Tester
+bootstrap: _bootstrap.php
+paths:
+    tests: tests
+    log: tests/_output
+    data: tests/_data
+    helpers: tests/_support
+    wp_root: "%WP_ROOT_FOLDER%"
+settings:
+    colors: true
+    memory_limit: 1024M
+params:
+  # read dynamic configuration parameters from the .env file
+  - .env.testing

codeception.slic.yml

@@ -0,0 +1,3 @@
+params:
+  # read dynamic configuration parameters from the .env file
+  - .env.testing.slic

composer.json

@@ -3,8 +3,11 @@
   "description": "A library that handles access to superglobals.",
   "type": "library",
   "license": "MIT",
-  "platform": {
-    "php": "7.4"
+  "config": {
+    "platform": {
+      "php": "7.4"
+    },
+    "sort-packages": true
   },
   "autoload": {
     "psr-4": {
@@ -31,7 +34,7 @@
     "stellarwp/arrays": "^1.2"
   },
   "require-dev": {
-    "phpunit/phpunit": "<10.0",
+    "lucatume/wp-browser": "^3.6.5",
     "szepeviktor/phpstan-wordpress": "^1.1",
     "symfony/event-dispatcher-contracts": "^2.5.1",
     "symfony/string": "^5.4"

src/SuperGlobals/SuperGlobals.php

@@ -29,7 +29,7 @@ public static function get_server_var( $var, $default = null ) {
 			return $default;
 		}
 
-		$unsafe = Arr::get_in_any( $data, $var, $default );
+		$unsafe = wp_unslash( Arr::get_in_any( $data, $var, $default ) );
 		return static::sanitize_deep( $unsafe );
 	}
 
@@ -46,7 +46,7 @@ public static function get_server_var( $var, $default = null ) {
 	 * @return mixed
 	 */
 	public static function get_get_var( string $var, $default = null ) {
-		$unsafe = Arr::get( (array) $_GET, $var, $default );
+		$unsafe = wp_unslash( Arr::get( (array) $_GET, $var, $default ) );
 		return static::sanitize_deep( $unsafe );
 	}
 
@@ -63,7 +63,7 @@ public static function get_get_var( string $var, $default = null ) {
 	 * @return mixed
 	 */
 	public static function get_post_var( string $var, $default = null ) {
-		$unsafe = Arr::get( (array) $_POST, $var, $default );
+		$unsafe = wp_unslash( Arr::get( (array) $_POST, $var, $default ) );
 		return static::sanitize_deep( $unsafe );
 	}
 
@@ -80,7 +80,7 @@ public static function get_post_var( string $var, $default = null ) {
 	 * @return mixed
 	 */
 	public static function get_env_var( string $var, $default = null ) {
-		$unsafe = Arr::get( (array) $_ENV, $var, $default );
+		$unsafe = wp_unslash( Arr::get( (array) $_ENV, $var, $default ) );
 		return static::sanitize_deep( $unsafe );
 	}
 
@@ -134,7 +134,7 @@ public static function get_raw_superglobal( string $superglobal ) {
 	 * @return mixed
 	 */
 	public static function get_sanitized_superglobal( string $superglobal ) {
-		$var = static::get_raw_superglobal( $superglobal );
+		$var = wp_unslash( static::get_raw_superglobal( $superglobal ) );
 		return static::sanitize_deep( $var );
 	}
 
@@ -176,7 +176,7 @@ public static function get_var( $var, $default = null ) {
 			return $default;
 		}
 
-		$unsafe = Arr::get_in_any( $requests, $var, $default );
+		$unsafe = wp_unslash( Arr::get_in_any( $requests, $var, $default ) );
 		return static::sanitize_deep( $unsafe );
 	}
 

tests/_support/.gitignore

@@ -0,0 +1 @@
+_generated

tests/_support/WpunitTester.php

@@ -0,0 +1,24 @@
+<?php
+/**
+ * Inherited Methods
+ * @method void wantToTest($text)
+ * @method void wantTo($text)
+ * @method void execute($callable)
+ * @method void expectTo($prediction)
+ * @method void expect($prediction)
+ * @method void amGoingTo($argumentation)
+ * @method void am($role)
+ * @method void lookForwardTo($achieveValue)
+ * @method void comment($description)
+ * @method void pause()
+ *
+ * @SuppressWarnings(PHPMD)
+*/
+class WpunitTester extends \Codeception\Actor
+{
+    use _generated\WpunitTesterActions;
+
+    /**
+     * Define custom actions here
+     */
+}