Description
Problem?
Assume $_POST['thing'] holds an array like so:
array(
'https://www.asite.com',
'https://www.bsite.com',
'https://www.csite.com',
)
Assume we want to store the $_POST['thing'] in a $var.
Thus we would naturally do this:
$var = array_map( 'esc_url_raw', array_map( 'wp_unslash', $_POST['thing'] ) )
WPCS Sniff, despite the calls to wp_unslash and esc_url_raw, throws the errors:
3 | ERROR | [ ] $_POST data not unslashed before sanitization. Use
| | wp_unslash() or similar
3 | ERROR | [ ] Detected usage of a non-sanitized input variable:
| | $_POST['thing']
But, as the code shows, we do indeed use wp_unslash and do sanitize.
Note that, if we do the following:
$var = array_map( 'esc_url_raw', $_POST['thing'] );
then only the error about missing wp_unslash is thrown, but sanitizitation passes fine
Solution
If possible, the solution would be that WPCS recognises the nested array_map with the unslash and the sanitize callback.
I think it should be clear from the above description that WPCS seems to recognise one-level array_map but not several nested array maps.
Additional context
I first commented on #1679 (comment) because I thought it is related, but it is too old/perhaps less related than I thought.
Sorry if this is somehow wrong in report or expected in behaviour.