From 27701fdf8d98f3c69067b41d49d8db986aa6855a Mon Sep 17 00:00:00 2001
From: Rodrigo Primo <rodrigosprimo@gmail.com>
Date: Thu, 21 Aug 2025 16:08:21 -0300
Subject: [PATCH 1/2] Security/EscapeOutput: add tests for namespaced names

---
 .../Tests/Security/EscapeOutputUnitTest.1.inc | 69 ++++++++++++++++++-
 .../Tests/Security/EscapeOutputUnitTest.php   | 29 +++++++-
 2 files changed, 95 insertions(+), 3 deletions(-)

diff --git a/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc b/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc
index 52c3a59976..0f20839189 100644
--- a/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc
+++ b/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc
@@ -258,7 +258,7 @@ echo esc_html_x( $some_nasty_var, 'context' ); // Ok.
 	<input type="hidden" name="some-action" value="<?php echo esc_attr_x( 'none', 'context' ); ?>" /><!-- OK. -->
 <?php
 
-echo PHP_VERSION_ID, PHP_VERSION, PHP_EOL, PHP_EXTRA_VERSION; // OK.
+echo PHP_VERSION_ID, PHP_VERSION, \PHP_EOL, PHP_EXTRA_VERSION; // OK.
 
 trigger_error( 'DEBUG INFO - ' . __METHOD__ . '::internal_domains: domain = ' . $domain ); // Bad.
 Trigger_ERROR( $domain ); // Bad.
@@ -661,7 +661,7 @@ exit( status: esc_html( $foo ) ); // Ok.
 die( status: esc_html( $foo ) ); // Ok.
 
 exit( status: $foo ); // Bad.
-die( status: $foo ); // Bad.
+\die( status: $foo ); // Bad.
 
 /*
  * Issue https://github.com/WordPress/WordPress-Coding-Standards/issues/2552
@@ -687,3 +687,68 @@ _deprecated_function( __METHOD__, 'x.x.x', \ClassName::class ); // OK.
 die( \MyNamespace\ClassName::class . ' has been abandoned' ); // OK.
 echo 'Do not use ' . MyNamespace\ClassName::class; // OK.
 _deprecated_function( __METHOD__, 'x.x.x', namespace\ClassName::class ); // OK.
+
+/*
+ * Safeguard correct handling of all types of namespaced escaping and printing function calls.
+ */
+\printf( 'Hello %s', $foo ); // Bad.
+MyNamespace\wp_die( $message ); // Ok.
+\MyNamespace\vprintf( 'Hello %s', array( $foo ) ); // Ok.
+namespace\wp_dropdown_pages( $args ); // Ok. The sniff should start flagging this once it can resolve relative namespaces.
+namespace\Sub\_deprecated_function( __FUNCTION__, '1.3.0', $another_func ); // Ok.
+\printf( 'Hello %s', \esc_html( $foo ) ); // Ok.
+\wp_die( MyNamespace\number_format( $foo ) ); // Bad.
+\vprintf( 'Hello %s', array( \MyNamespace\sanitize_user_field( $foo ) ) ); // Bad.
+\wp_dropdown_pages( namespace\sanitize_key( $foo ) ); // Bad. The sniff should stop flagging this once it can resolve relative namespaces.
+\_deprecated_function( __FUNCTION__, '1.3.0', namespace\Sub\wp_kses( $another_func ) ); // Bad.
+
+/*
+ * Safeguard correct handling of namespaced auto-escaped functions.
+ */
+echo \bloginfo( $var ); // Ok.
+echo MyNamespace\count( $var ); // Bad.
+echo \MyNamespace\get_archives_link( $url, 'link' ); // Bad.
+echo namespace\get_search_form(); // Bad. The sniff should stop flagging this once it can resolve relative namespaces.
+echo namespace\Sub\the_author(); // Bad.
+
+/*
+ * Safeguard correct handling of namespaced unsafe printing functions.
+ */
+\_e( $text, 'my-domain' ); // Bad.
+MyNamespace\_ex( $text, 'context' ); // Ok.
+\MyNamespace\_e( $text, 'my-domain' ); // Ok.
+namespace\_ex( $text, 'context' ); // Ok. The sniff should start flagging this once it can resolve relative namespaces.
+namespace\Sub\_e( $text, 'my-domain' ); // Ok.
+
+/*
+ * Safeguard correct handling of namespaced formatting functions.
+ */
+echo \sprintf( '%s', $var ); // Bad.
+echo \sprintf( '%s', esc_html( $var ) ); // Ok.
+echo MyNamespace\antispambot( esc_html( $email ) ); // Bad.
+echo \MyNamespace\ent2ncr( esc_html( $_data ) ); // Bad.
+echo namespace\vsprintf( 'Hello %s', array( esc_html( $foo ) ) ); // Bad. The sniff should stop flagging this once it can resolve relative namespaces.
+echo namespace\Sub\wp_sprintf( 'Hello %s', array( esc_html( $foo ) ) ); // Bad.
+
+/*
+ * Safeguard correct handling of get_search_query() as the sniff has special logic to check the $escaped parameter.
+ */
+echo \get_search_query( true ); // Ok.
+echo \get_search_query( false ); // Bad.
+echo MyNamespace\get_search_query( true ); // Bad.
+echo \MyNamespace\get_search_query( true ); // Bad.
+echo namespace\get_search_query( true ); // Bad. The sniff should stop flagging this once it can resolve relative namespaces.
+echo namespace\Sub\get_search_query( true ); // Bad.
+
+/*
+ * Safeguard correct handling of fully qualified and namespace relative functions with special parameter handling.
+ */
+\trigger_error( esc_html( $message ), $second_param_should_be_ignored ); // Ok.
+\User_Error( $message ); // Bad.
+namespace\trigger_error( $message ); // Ok. The sniff should start flagging this once it can resolve relative namespaces.
+namespace\Sub\user_error( $message ); // Ok.
+\_deprecated_file( basename( __FILE__ ), '1.3.0' ); // Ok.
+\_deprecated_file( $file, '1.3.0' ); // Error.
+namespace\_deprecated_file( basename( __FILE__ ), '1.3.0' ); // Ok.
+namespace\_DEPRECATED_FILE( $file, '1.3.0' ); // Ok. The sniff should start flagging this once it can resolve relative namespaces.
+namespace\Sub\_deprecated_file( $file, '1.3.0' ); // Ok.
diff --git a/WordPress/Tests/Security/EscapeOutputUnitTest.php b/WordPress/Tests/Security/EscapeOutputUnitTest.php
index aea521720d..fc5200ccd8 100644
--- a/WordPress/Tests/Security/EscapeOutputUnitTest.php
+++ b/WordPress/Tests/Security/EscapeOutputUnitTest.php
@@ -10,6 +10,7 @@
 namespace WordPressCS\WordPress\Tests\Security;
 
 use PHP_CodeSniffer\Tests\Standards\AbstractSniffUnitTest;
+use PHPCSUtils\BackCompat\Helper;
 
 /**
  * Unit test class for the EscapeOutput sniff.
@@ -37,6 +38,8 @@ final class EscapeOutputUnitTest extends AbstractSniffUnitTest {
 	public function getErrorList( $testFile = '' ) {
 		switch ( $testFile ) {
 			case 'EscapeOutputUnitTest.1.inc':
+				$phpcs_version = Helper::getVersion();
+
 				return array(
 					17  => 1,
 					19  => 1,
@@ -160,10 +163,34 @@ public function getErrorList( $testFile = '' ) {
 					655 => 1,
 					657 => 1,
 					663 => 1,
-					664 => 1,
+					// PHPCS 3.13.3 changed the tokenization of FQN exit/die it impacts directly how this test case
+					// behaves (see https://github.com/PHPCSStandards/PHP_CodeSniffer/issues/1201).
+					664 => version_compare( $phpcs_version, '3.13.3', '>=' ) ? 1 : 0,
 					672 => 1,
 					673 => 1,
 					678 => 1,
+					694 => 1,
+					700 => 1,
+					701 => 1,
+					702 => 1,
+					703 => 1,
+					709 => 1,
+					710 => 1,
+					711 => 1,
+					712 => 1,
+					717 => 1,
+					726 => 1,
+					728 => 1,
+					729 => 1,
+					730 => 1,
+					731 => 1,
+					737 => 1,
+					738 => 1,
+					739 => 1,
+					740 => 1,
+					741 => 1,
+					747 => 1,
+					751 => 1,
 				);
 
 			case 'EscapeOutputUnitTest.6.inc':

From 322829bf6471d4113cd56eb4abe2a381847db224 Mon Sep 17 00:00:00 2001
From: Rodrigo Primo <rodrigosprimo@gmail.com>
Date: Fri, 14 Nov 2025 11:30:00 -0300
Subject: [PATCH 2/2] Security/EscapeOutput: add edge case tests for basename(
 __FILE__ ) pattern

Add tests to ensure the `basename( __FILE__ )` pattern recognition in `_deprecated_file()` only applies to global `basename()` function calls, not to other constructs that might look similar.
---
 .../Tests/Security/EscapeOutputUnitTest.1.inc      | 14 ++++++++++++++
 WordPress/Tests/Security/EscapeOutputUnitTest.php  |  9 +++++++++
 2 files changed, 23 insertions(+)

diff --git a/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc b/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc
index 0f20839189..afb3e51700 100644
--- a/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc
+++ b/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc
@@ -752,3 +752,17 @@ namespace\Sub\user_error( $message ); // Ok.
 namespace\_deprecated_file( basename( __FILE__ ), '1.3.0' ); // Ok.
 namespace\_DEPRECATED_FILE( $file, '1.3.0' ); // Ok. The sniff should start flagging this once it can resolve relative namespaces.
 namespace\Sub\_deprecated_file( $file, '1.3.0' ); // Ok.
+
+/*
+ * Safeguard that the basename( __FILE__ ) pattern recognition in _deprecated_file() only applies to
+ * the global basename() function and not to other constructs.
+ */
+_deprecated_file( $obj->basename( __FILE__ ), '1.3.0' ); // Bad.
+_deprecated_file( $obj?->basename( __FILE__ ), '1.3.0' ); // Bad.
+_deprecated_file( MyClass::basename( __FILE__ ), '1.3.0' ); // Bad.
+_deprecated_file( BASENAME, __FILE__ ); // Bad.
+_deprecated_file( MyNamespace\basename( __FILE__ ), '1.3.0' ); // Bad.
+_deprecated_file( \MyNamespace\basename( __FILE__ ), '1.3.0' ); // Bad.
+_deprecated_file( namespace\basename( __FILE__ ), '1.3.0' ); // Bad. We might want to update the regex so that the sniff stop flagging this once it can resolve relative namespaces.
+_deprecated_file( namespace\Sub\basename( __FILE__ ), '1.3.0' ); // Bad.
+_deprecated_file( basename(...), '1.3.0' ); // Bad.
diff --git a/WordPress/Tests/Security/EscapeOutputUnitTest.php b/WordPress/Tests/Security/EscapeOutputUnitTest.php
index fc5200ccd8..39d0c46a5a 100644
--- a/WordPress/Tests/Security/EscapeOutputUnitTest.php
+++ b/WordPress/Tests/Security/EscapeOutputUnitTest.php
@@ -191,6 +191,15 @@ public function getErrorList( $testFile = '' ) {
 					741 => 1,
 					747 => 1,
 					751 => 1,
+					760 => 1,
+					761 => 1,
+					762 => 1,
+					763 => 1,
+					764 => 1,
+					765 => 1,
+					766 => 1,
+					767 => 1,
+					768 => 1,
 				);
 
 			case 'EscapeOutputUnitTest.6.inc':