Automattic / VIP-Coding-Standards

PHP_CodeSniffer ruleset to enforce WordPress VIP coding standards.
https://wpvip.com/documentation/how-to-install-php-code-sniffer-for-wordpress-com-vip/

False positive for notAttrEscAttr in ProperEscapingFunction sniff when printf()/sprintf() used #667

Closed westonruter closed 3 years ago

westonruter commented 3 years ago

Bug Description

When updating from 2.2.0 to 2.3.0 we got a lot of false positives of notAttrEscAttr in the ProperEscapingFunction sniff where printf() or sprintf() are being used. For example:

printf( '<meta name="generator" content="%s">', esc_attr( $content ) );

This code is getting flagged with:

Wrong escaping function, using esc_attr() in a context outside of HTML attributes may not escape properly.

See other such instances in the PR's check annotations: https://github.com/ampproject/amp-wp/pull/6079/files

Minimal Code Snippet

See above.

Error Code

WordPressVIPMinimum.Security.ProperEscapingFunction.notAttrEscAttr

Environment

Use php -v and composer show to get versions.

Question Answer
PHP version 7.4.16
PHP_CodeSniffer version 3.6.0
VIPCS version 2.3.0

Additional Context (optional)

Tested Against master branch?
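The report above boils down to one question the sniff has to answer for printf()/sprintf() calls: does the placeholder that receives the esc_attr() output sit inside an HTML attribute value of the format string, or in element content? The following sketch, added here and not code from VIPCS, PR #668 or the reporter, implements that context check over a raw format string; the function name, the placeholder regex and the "quoted value inside a tag" heuristic are this example's own assumptions, not the sniff's implementation.

```php
<?php
// Added example, not part of VIPCS or the issue discussion. It decides, from the
// printf()/sprintf() format string itself, whether each placeholder lands inside
// a quoted HTML attribute value. Function name, regex and heuristic are assumptions
// made for this example only.

/**
 * For each printf-style placeholder in $format, return true when it appears
 * inside a quoted HTML attribute value and false when it appears in element
 * content. Conversion specs are matched loosely (%s, %d, %1$s, %05.2f, ...).
 */
function placeholders_in_attribute( string $format ): array {
    $result = array();
    $in_tag = false; // between '<' and '>'
    $quote  = null;  // '"' or "'" while inside an attribute value
    $len    = strlen( $format );

    for ( $i = 0; $i < $len; $i++ ) {
        $ch = $format[ $i ];

        if ( '%' === $ch ) {
            if ( $i + 1 < $len && '%' === $format[ $i + 1 ] ) {
                $i++; // literal percent sign, not a placeholder
                continue;
            }
            // Consume the conversion spec: argnum, flags, width, precision, type letter.
            if ( preg_match( '/^%(?:\d+\$)?[-+ 0]*\d*(?:\.\d+)?[bcdeEfFgGosuxX]/', substr( $format, $i ), $m ) ) {
                $result[] = ( $in_tag && null !== $quote );
                $i       += strlen( $m[0] ) - 1;
            }
            continue;
        }

        if ( null !== $quote ) {
            if ( $ch === $quote ) {
                $quote = null; // attribute value closed
            }
            continue;
        }

        if ( $in_tag ) {
            if ( '"' === $ch || "'" === $ch ) {
                $quote = $ch;
            } elseif ( '>' === $ch ) {
                $in_tag = false;
            }
        } elseif ( '<' === $ch ) {
            $in_tag = true;
        }
    }

    return $result;
}

// Constructed inputs mirroring the report. The first is the snippet from the
// issue and must not be flagged; '<p>%s</p>' is the esc_attr()-in-element-content
// case the sniff is meant to catch.
$cases = array(
    '<meta name="generator" content="%s">'   => array( true ),
    '<p>%s</p>'                              => array( false ),
    '<a href="%1$s" title=\'%2$s\'>%3$s</a>' => array( true, true, false ),
    '100%% done: <span class="%s">%d</span>' => array( true, false ),
);

foreach ( $cases as $format => $expected ) {
    $got = placeholders_in_attribute( $format );
    printf( "%-45s %s\n", $format, $got === $expected ? 'ok' : 'MISMATCH' );
}
```

The point of the walk is that the attribute context comes from the format string, not from the token immediately before esc_attr() in the argument list, which is why a sniff that only inspects the escaping call's neighbours misclassifies every printf() case. The heuristic deliberately treats unquoted attribute values and placeholders inside script or style content as element content, so a real sniff would need extra handling there.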

jrfnl commented 3 years ago

@westonruter Good catch and thanks for reporting. We'll get that fixed up over the next few days. Sorry for the noisy messages for the time being.

jrfnl commented 3 years ago

@westonruter PR #668 should fix this. If you have a chance, testing would be appreciated.