Security/Underscorejs: improve check for interpolate in PHP files

Match the `interpolate` property in PHP files with the similar precision as in JS files.

Includes unit tests.

Author: jrfnl

WordPressVIPMinimum/Sniffs/Security/UnderscorejsSniff.php

@@ -26,6 +26,13 @@ class UnderscorejsSniff extends Sniff {
 	 */
 	const UNESCAPED_INTERPOLATE_REGEX = '`<%=\s*(?:.+?%>|$)`';
 
+	/**
+	 * Regex to match the "interpolate" keyword when used to overrule the ERB-style delimiters.
+	 *
+	 * @var string
+	 */
+	const INTERPOLATE_KEYWORD_REGEX = '`(?:templateSettings\.interpolate|\.interpolate\s*=\s*/|interpolate\s*:\s*/)`';
+
 	/**
 	 * A list of tokenizers this sniff supports.
 	 *
@@ -107,7 +114,7 @@ public function process_token( $stackPtr ) {
 		}
 
 		if ( $this->phpcsFile->tokenizerType !== 'JS'
-			&& strpos( $content, 'interpolate' ) !== false
+			&& preg_match( self::INTERPOLATE_KEYWORD_REGEX, $content ) > 0
 		) {
 			// Underscore.js delimiter change.
 			$message = 'Found Underscore.js delimiter change notation.';

WordPressVIPMinimum/Tests/Security/UnderscorejsUnitTest.inc

@@ -50,3 +50,26 @@ EOD;
 
 // Make sure the JS specific check does not trigger on PHP code.
 $obj->interpolate = true;
+
+// Test matching the "interpolate" keyword with higher precision (mirrors same check in JS).
+function test_interpolate_match_precision() {
+	?>
+	<script type="text/javascript">
+	_.templateSettings.interpolate = /\{\{(.+?)\}\}/g; /* NOK */
+
+	options.interpolate=_.templateSettings.interpolate; /* NOK */
+	var interpolate = options.interpolate || reNoMatch, /* Ignore */
+		source = "__p += '";
+
+	// Prevent false positives on "interpolate".
+	var preventMisidentification = 'text interpolate text'; // OK.
+	var interpolate = THREE.CurveUtils.interpolate; // OK.
+
+	var p = function(f, d) {
+		return s.interpolate(m(f), _(d), 0.5, e.color_space) // OK.
+	}
+
+	y.interpolate.bezier = b; // OK.
+	</script>
+	<?php
+}

WordPressVIPMinimum/Tests/Security/UnderscorejsUnitTest.php

@@ -48,6 +48,8 @@ public function getWarningList( $testFile = '' ) {
 					45 => 1,
 					46 => 1,
 					47 => 1,
+					58 => 1,
+					60 => 1,
 				];
 
 			case 'UnderscorejsUnitTest.js':