Closed
Description
Bug Description
trigger_error is treated as an HTML output method, and hence requires escaping.
Errors are only output as part of the HTML when show_errors is set to true, which is not common in production environments. Error text is not necessarily HTML data, and doesn't require escaping.
Minimal Code Snippet
```php
trigger_error( 'Undefined config option: ' . $key );
```
Error Code
WordPress.Security.EscapeOutput.OutputNotEscaped
Environment
| Question | Answer |
|---|---|
| PHP version | 7.1.32 |
| PHP_CodeSniffer version | 3.5.4 |
| WPCS version | 1.2.1 |
| WPCS install type | Composer project local |
Additional Context (optional)
Problem exists in latest WPCS:
```php
'trigger_error' => true,
```
Given this is environment-dependent, I think the rule makes sense by default, but a way to configure or override it would be good. Currently, it's possible to add additional functions, but not remove the built-in ones in Sniff.php (AFAIK?)
Tested Against develop branch?
- I have verified the issue still exists in the `develop` branch of WPCS.