The theme file scan detects malicious patterns in comments as well, because the current implementation does not distinguish between comment lines and code lines, or even mixed content on one line.
To fix this, the feeding routine has to be extended to detect comments correctly and in a safe way, as there are many false-positive candidates that would break the change (whether intentionally or by mistake).
Some primitive examples that must not be detected incorrectly:
// Single line comment containing /* multiline comment sequence
...
$url = 'https://www.example.com';
...
//* Single line, not multi */ ... still comment
Originally suggested in WP support forums: https://wordpress.org/support/topic/should-not-alert-in-php-comments/
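One way to implement the comment-aware feed, added here as an example and not code from the plugin or from the issue author: instead of hand-written `//` and `/* */` matching, let PHP's own tokenizer (`token_get_all()`) decide what is a comment, what is a string and what is code. Comment tokens are replaced by the newlines they contained so that reported line numbers stay correct, and everything else (including string literals and inline HTML in mixed theme templates) is still scanned. The function names `strip_php_comments` and `scan_for_patterns`, the `eval(base64_decode` regex and the sample input (the three false-positive candidates from above plus one block comment and two real code lines) are constructed for this example.

```php
<?php
// Added example, not the plugin's code: comment-aware feeding for a
// pattern scan, using PHP's tokenizer instead of line-based heuristics.

/**
 * Return $source with every comment token blanked out. Newlines inside a
 * comment are kept so line numbers in the scanned text match the file.
 * token_get_all() does not require the file to parse (no TOKEN_PARSE flag),
 * so syntactically broken theme files are still tokenized.
 */
function strip_php_comments(string $source): string
{
    $out = '';
    foreach (token_get_all($source) as $token) {
        if (is_array($token)) {
            [$id, $text] = $token;
            if ($id === T_COMMENT || $id === T_DOC_COMMENT) {
                // '//', '#', '/* */' and '/** */' all end up here;
                // a '//' comment containing '/*' or starting with '//*' is
                // still a single-line comment to the tokenizer.
                $out .= str_repeat("\n", substr_count($text, "\n"));
                continue;
            }
            // variables, strings (T_CONSTANT_ENCAPSED_STRING), inline HTML,
            // keywords, whitespace: all kept and therefore scanned
            $out .= $text;
        } else {
            // single-character tokens such as ';', '(', '='
            $out .= $token;
        }
    }
    return $out;
}

/**
 * Run the regex patterns over the comment-stripped source, line by line.
 * Returns one entry per (line, pattern) hit.
 */
function scan_for_patterns(string $source, array $patterns): array
{
    $hits = [];
    foreach (explode("\n", strip_php_comments($source)) as $i => $line) {
        foreach ($patterns as $pattern) {
            if (preg_match($pattern, $line)) {
                $hits[] = ['line' => $i + 1, 'pattern' => $pattern];
            }
        }
    }
    return $hits;
}

// Constructed sample input: the false-positive candidates from the issue,
// a suspicious pattern inside a block comment (must not be reported),
// a code line mixing a string that contains '//' with real code and a
// trailing comment (must be reported), and a plain code line (must be reported).
$sample = <<<'PHP'
<?php
// Single line comment containing /* multiline comment sequence
$url = 'https://www.example.com';
//* Single line, not multi */ ... still comment
/* eval(base64_decode($x)); only mentioned in a block comment */
$s = "https://evil.example/?x=1"; eval(base64_decode($s)); // mixed line
eval(base64_decode($payload));
PHP;

// Constructed pattern list for the example; the real scanner has its own.
$patterns = ['/eval\s*\(\s*base64_decode/i'];

foreach (scan_for_patterns($sample, $patterns) as $hit) {
    printf("line %d matches %s\n", $hit['line'], $hit['pattern']);
}
```

Run it with `php scan.php`: only the two code lines are reported, the block comment and the `//` variants are not, and the `//` inside the string literal does not cut the mixed line short. Two caveats for a real scanner: this only understands PHP comment syntax, so theme CSS and JS files would need their own tokenizer, and a pattern split across a comment boundary is reassembled by the stripping, which is usually what you want but should be kept in mind when tuning patterns.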