Open davidperezgar opened 3 weeks ago
If there are really false positives from PHPCS, then they most likely need to be reported at https://github.com/WordPress/WordPress-Coding-Standards. For example, right now there is a related open issue about nested array_map calls: https://github.com/WordPress/WordPress-Coding-Standards/issues/2009
That said, I cannot reproduce this.
If I do something like this:
$post_types = get_post_types();
echo implode( ' | ', array_map( 'foo_function', array_keys( $post_types ) ) );
Then I'll get the following error:
WordPress.Security.EscapeOutput.OutputNotEscaped
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'foo_function'.
However, if I use esc_html as the callback, like in the provided example, no error is reported in Plugin Check.
When there is an array_map, the scanner is giving a false positive.
guttypress/inc/admin/services/tax.php:378 echo implode( ' | ', array_map( 'esc_html', array_keys( $post_types ) ) );