Security/ValidatedSanitizedInput: update error message to mention array_key_exists() and null coalesce operators #2641

@rodrigoprimo

Description

The WordPress.Security.ValidatedSanitizedInput.InputNotValidated error message currently suggests using isset() or empty() to check that superglobal array indexes exist:

Detected usage of a possibly undefined superglobal array index: %s. Use isset() or empty() to check the index exists before using it

However, the sniff also recognizes additional validation methods that are not mentioned in the error message:

The current error message was written based on discussion in issue #1541. At that time, array_key_exists() support had already been added, but was likely not included due to an oversight. The null coalesce operators were added shortly after.

Proposed change

Update the error message to:

Detected usage of a possibly undefined superglobal array index: %s. Use isset(), empty(), array_key_exists(), or the ?? / ??= operators to ensure the index exists before using it

Notes:

  • I opted to not include key_exists() as it is an array_key_exists() alias.
  • The proposed message changes "check" to "ensure" because while isset(), empty(), array_key_exists(), and ?? check/validate if an index exists, the ??= operator ensures an index exists by assigning a default value. To me, the word "ensure" better covers both cases, but I don't have a strong opinion here.

Should all of these validation methods be included in the error message?
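
The constructs named in the proposed message do not behave identically at runtime, which is the distinction behind the "check" versus "ensure" note above. The following is an added example, not code from WordPressCS or from the issue author; the `$_POST` contents are constructed and `describe_index()` is a hypothetical helper.

```php
<?php
// Constructed request data, standing in for a real POST body when run from the CLI.
$_POST = [
    'qty'  => '0',  // present, but counts as "empty" under PHP's rules
    'name' => '',   // present, empty string
    'note' => null, // present with a null value (only possible if earlier code wrote it)
    // 'token' is intentionally absent
];

/**
 * Report how each checking construct from the proposed message treats one index.
 * Hypothetical helper for this example only.
 */
function describe_index(string $key): array
{
    return [
        // False when the index is missing OR its value is null.
        'isset'            => isset($_POST[$key]),
        // False when the index is missing or the value is falsy ('', '0', null, ...).
        'not_empty'        => !empty($_POST[$key]),
        // True whenever the index is present, even with a null value.
        'array_key_exists' => array_key_exists($key, $_POST),
        // Falls back when the index is missing or null; never raises a notice.
        'coalesce'         => $_POST[$key] ?? 'fallback',
    ];
}

foreach (['qty', 'name', 'note', 'token'] as $key) {
    echo str_pad($key, 6), json_encode(describe_index($key)), PHP_EOL;
}

// The four constructs above only read the array. ??= is different: when the
// index is missing or null it writes the default into the superglobal, so
// every later read of that index is defined.
$before = array_key_exists('token', $_POST);
$_POST['token'] ??= '';
$after = array_key_exists('token', $_POST);

echo 'token present before ??=: ', var_export($before, true), PHP_EOL;
echo 'token present after  ??=: ', var_export($after, true), PHP_EOL;
```

All of these only establish that the index is defined; the value still needs to be unslashed and sanitized before use.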
