Original Issue: Automattic/VIP-Coding-Standards#22
```php
<?php echo MY_CLASS()->get_template_part( 'post/feature-title', $vars ); ?>
```

reports an issue with `MY_CLASS` and `$vars`, but should really only report one for `MY_CLASS`.

Another edge case:

```php
<?php echo MY_CLASS()->get_template_part( 'post/feature-meta', array( 'obj' => $obj ) ); ?>
```

Another false positive is being reported on the following code:

```php
<?php echo ( $is_mobile ) ? wp_json_encode( 'true' ) : wp_json_encode( 'false' ); ?>
```

Taking the first example into consideration, I can see the following:

```
$ cat test.php
<?php
echo MY_CLASS()->get_template_part( 'post/feature-title', $vars );
$ phpcs --standard=WordPressVIPMinimum ./test.php -s
FILE: /home/wpcom/public_html/test.php
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
FOUND 2 ERRORS AFFECTING 1 LINE
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
3 | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'MY_CLASS'. (WordPress.XSS.EscapeOutput.OutputNotEscaped)
3 | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$vars'. (WordPress.XSS.EscapeOutput.OutputNotEscaped)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Time: 50ms; Memory: 6Mb
```

To directly answer the question, it's the `WordPress.XSS.EscapeOutput.OutputNotEscaped` sniff :)

Opening as a reminder to investigate.

Note that this sniff got moved to the `WordPress.Security` category for WPCS 1.0.0, so the original bug might have been addressed by now.