From 17719330afe1d6ba705d8923aacd90d9ad83a448 Mon Sep 17 00:00:00 2001
From: Brent Wilson <brent@clariio.com>
Date: Tue, 26 Aug 2025 13:18:30 -0700
Subject: [PATCH 1/2] Docs: add documentation for
 WordPress.Security.EscapeOutput

---
 .../Docs/Security/EscapeOutputStandard.xml    | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 WordPress/Docs/Security/EscapeOutputStandard.xml

diff --git a/WordPress/Docs/Security/EscapeOutputStandard.xml b/WordPress/Docs/Security/EscapeOutputStandard.xml
new file mode 100644
index 0000000000..1c82655893
--- /dev/null
+++ b/WordPress/Docs/Security/EscapeOutputStandard.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0"?>
+<documentation title="Escape Output">
+    <standard>
+        <![CDATA[
+Short: Dynamic output must be escaped.
+
+Long: This sniff checks that any dynamic data sent to the browser
+is properly escaped using a WordPress escaping function, such as
+`esc_html()`, `esc_attr()`, or `wp_kses_post()`. Escaping prevents
+cross-site scripting (XSS) vulnerabilities and ensures output is safe.
+        ]]>
+    </standard>
+
+    <code_comparison>
+        <code title="Invalid: unescaped echo" language="php"><![CDATA[
+<?php
+$name = $_GET['name'];
+echo <em>$name</em>; // ❌ Unescaped user input
+        ]]></code>
+        <code title="Valid: escaped echo" language="php"><![CDATA[
+<?php
+$name = $_GET['name'];
+echo <em>esc_html( $name )</em>; // ✅ Safe output
+        ]]></code>
+    </code_comparison>
+
+    <code_comparison>
+        <code title="Invalid: unescaped printf" language="php"><![CDATA[
+<?php
+printf( 'Hello %s', <em>$name</em> ); // ❌ Dangerous
+        ]]></code>
+        <code title="Valid: escaped printf" language="php"><![CDATA[
+<?php
+printf( 'Hello %s', <em>esc_html( $name )</em> ); // ✅ Escaped
+        ]]></code>
+    </code_comparison>
+</documentation>

From 78b67f713aa579e2d51baf152ea5eb796bd58425 Mon Sep 17 00:00:00 2001
From: Brent Wilson <brent@clariio.com>
Date: Tue, 26 Aug 2025 13:43:24 -0700
Subject: [PATCH 2/2] Docs: reformat EscapeOutputStandard.xml to match docs
 style

---
 .../Docs/Security/EscapeOutputStandard.xml    | 47 +++++++++++--------
 1 file changed, 28 insertions(+), 19 deletions(-)

diff --git a/WordPress/Docs/Security/EscapeOutputStandard.xml b/WordPress/Docs/Security/EscapeOutputStandard.xml
index 1c82655893..ffb0cb5a65 100644
--- a/WordPress/Docs/Security/EscapeOutputStandard.xml
+++ b/WordPress/Docs/Security/EscapeOutputStandard.xml
@@ -1,37 +1,46 @@
 <?xml version="1.0"?>
 <documentation title="Escape Output">
     <standard>
-        <![CDATA[
-Short: Dynamic output must be escaped.
+    <![CDATA[
+      Dynamic output must be escaped.
 
-Long: This sniff checks that any dynamic data sent to the browser
-is properly escaped using a WordPress escaping function, such as
-`esc_html()`, `esc_attr()`, or `wp_kses_post()`. Escaping prevents
-cross-site scripting (XSS) vulnerabilities and ensures output is safe.
-        ]]>
+      This sniff checks that any dynamic data sent to the browser
+      is escaped using a WordPress escaping function, such as
+      esc_html(), esc_attr(), or wp_kses_post(). Escaping prevents
+      cross-site scripting (XSS) vulnerabilities and ensures
+      output is safe.
+    ]]>
     </standard>
 
     <code_comparison>
-        <code title="Invalid: unescaped echo" language="php"><![CDATA[
+        <code title="Invalid: unescaped echo">
+        <![CDATA[
 <?php
 $name = $_GET['name'];
-echo <em>$name</em>; // ❌ Unescaped user input
-        ]]></code>
-        <code title="Valid: escaped echo" language="php"><![CDATA[
+echo <em>$name</em>;
+        ]]>
+        </code>
+        <code title="Valid: escaped echo">
+        <![CDATA[
 <?php
 $name = $_GET['name'];
-echo <em>esc_html( $name )</em>; // ✅ Safe output
-        ]]></code>
+echo <em>esc_html( $name )</em>;
+        ]]>
+        </code>
     </code_comparison>
 
     <code_comparison>
-        <code title="Invalid: unescaped printf" language="php"><![CDATA[
+        <code title="Invalid: unescaped printf">
+        <![CDATA[
 <?php
-printf( 'Hello %s', <em>$name</em> ); // ❌ Dangerous
-        ]]></code>
-        <code title="Valid: escaped printf" language="php"><![CDATA[
+printf( 'Hello %s', <em>$name</em> );
+        ]]>
+        </code>
+        <code title="Valid: escaped printf">
+        <![CDATA[
 <?php
-printf( 'Hello %s', <em>esc_html( $name )</em> ); // ✅ Escaped
-        ]]></code>
+printf( 'Hello %s', <em>esc_html( $name )</em> );
+        ]]>
+        </code>
     </code_comparison>
 </documentation>