WordPress / plugin-check

A repository for the new Plugin Check plugin from the WordPress Performance and Plugins Team.
https://wordpress.org/plugins/plugin-check/
GNU General Public License v2.0

False positive for escape in array_map #469

Open davidperezgar opened 3 weeks ago

davidperezgar commented 3 weeks ago

When there is an array_map, the scanner is giving a false positive.

guttypress/inc/admin/services/tax.php:378 echo implode( ' | ', array_map( 'esc_html', array_keys( $post_types ) ) );

swissspidy commented 3 weeks ago

If there are really false positives from PHPCS, then they most likely need to be reported at https://github.com/WordPress/WordPress-Coding-Standards. For example, right now there is a related open issue about nested array_map calls: https://github.com/WordPress/WordPress-Coding-Standards/issues/2009

That said, I cannot reproduce this.

If I do something like this:

$post_types = get_post_types();
echo implode( ' | ', array_map( 'foo_function', array_keys( $post_types ) ) );

Then I'll get the following error:
WordPress.Security.EscapeOutput.OutputNotEscaped
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'foo_function'.

However, if I use esc_html as the callback, like in the provided example, no error is reported in Plugin Check.
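To make the behaviour discussed in this thread concrete, here is an added example (not code from Plugin Check or WPCS) that mimics the sniff's decision in simplified form: an echoed array_map() is reported only when its string-literal callback is not a known escaping function. The escaping-function allowlist is a constructed subset and the check is hypothetical; it does not handle nested array_map() calls or closures.

```python
import re

# Escaping functions accepted as output-escaping callbacks.
# Constructed subset for this example; the real WPCS allowlist is longer.
ESCAPING_FUNCTIONS = {
    "esc_html", "esc_attr", "esc_url", "esc_js", "esc_textarea",
    "wp_kses", "wp_kses_post", "absint", "intval",
}

# Matches an echo whose output goes through array_map() with a
# string-literal callback, e.g.
#   echo implode( ' | ', array_map( 'esc_html', array_keys( $x ) ) );
ECHO_ARRAY_MAP = re.compile(
    r"""echo\b.*?array_map\(\s*['"](?P<callback>\w+)['"]\s*,"""
)


def unescaped_callbacks(php_source: str):
    """Return (line_number, callback) for every echoed array_map() whose
    callback is not a known escaping function.

    Hypothetical simplified check modelled on the sniff message quoted in
    this thread; nested array_map() calls and closures are not handled.
    """
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in ECHO_ARRAY_MAP.finditer(line):
            callback = match.group("callback")
            if callback not in ESCAPING_FUNCTIONS:
                findings.append((lineno, callback))
    return findings


# Constructed sample: line 1 mirrors the reporter's code, line 2 the
# maintainer's reproduction with a non-escaping callback.
SAMPLE = """echo implode( ' | ', array_map( 'esc_html', array_keys( $post_types ) ) );
echo implode( ' | ', array_map( 'foo_function', array_keys( $post_types ) ) );
"""

if __name__ == "__main__":
    for lineno, callback in unescaped_callbacks(SAMPLE):
        print(f"line {lineno}: output not escaped, found '{callback}'")
```

Only the foo_function line is reported, matching what the maintainer observed when running Plugin Check on both variants.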