Ticket #44058: Include security sniffs in PHPCS ruleset

Reporter: iandunn
Type: enhancement
Status: new
Priority: normal
Milestone: Future Release
Component: Security
Severity: normal
Focuses: coding-standards

Description:

Currently, our custom ruleset includes the sniffs for prepared queries, but not for XSS or CSRF. I couldn't find any previous discussions about why they're not included. The only thing I can think of is that there might be too many false positives?

In my experience, the XSS sniff works well. The CSRF one sometimes generates false positives, but I think it'd be better to include it, and then refine our code and/or the sniff to address those, than it would be to not use it at all and take the risk of a vulnerability slipping through.