Skip to content

Docs: Add documentation for WordPress.Security.EscapeOutput#2585

Open
brentwilson-clariio wants to merge 2 commits intoWordPress:developfrom
brentwilson-clariio:docs/escapeoutput
Open

Docs: Add documentation for WordPress.Security.EscapeOutput#2585
brentwilson-clariio wants to merge 2 commits intoWordPress:developfrom
brentwilson-clariio:docs/escapeoutput

Conversation

@brentwilson-clariio
Copy link
Copy Markdown

@brentwilson-clariio brentwilson-clariio commented Aug 26, 2025

Related to #1722

Adds WordPress/Docs/Security/EscapeOutputStandard.xml with short description and invalid/valid examples (echo, printf).
Tested with:
vendor/bin/phpcs --standard=WordPress --generator=Text --sniffs=WordPress.Security.EscapeOutput

@jrfnl jrfnl mentioned this pull request Aug 26, 2025
Open
61 tasks
rodrigoprimo
rodrigoprimo reviewed Sep 1, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@rodrigoprimo rodrigoprimo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this PR, @brentwilson-clariio!

I haven't done a full review yet of this PR, but I have some initial remarks:

  • Could you please update this PR to apply all the applicable points that were raised in the review of #2591? Since that PR was reviewed first, it might be a good idea to wait until it is finalized before updating this PR, as more points discussed there might be relevant here as well.
  • Per the description in #1722, verifying calls for addError()/addWarning() helps identify what the sniff is checking. There are some exceptions, but typically the documentation will contain one <standard> and one <code_comparison> block per error/warning message. This sniff raises a few errors that are not covered in this PR, and I believe they should. For example:

    WordPress-Coding-Standards/WordPress/Sniffs/Security/EscapeOutputSniff.php

    Lines 662 to 666 in afcb17e

    $this->phpcsFile->addError(
    'All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found interpolation in unescaped heredoc.',
    $current,
    'HeredocOutputNotEscaped'
    );

@rodrigoprimo
Copy link
Copy Markdown
Contributor

rodrigoprimo commented Dec 18, 2025

@brentwilson-clariio, I was just wondering if you'll have a chance to finish this off in the near future. It would be great if this PR could be included in the next WPCS release.

If you haven't got time or lost interest, please let us know and we'll see if we can find someone to take over. Thanks!

@rodrigoprimo
Copy link
Copy Markdown
Contributor

rodrigoprimo commented Mar 30, 2026

@brentwilson-clariio, please let us know within a week if you are still interested in finishing this PR. If we don't hear back from you, we will presume you don't have time, and we will see if we can find someone else to take over and finish it. Thanks for your work so far!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rodrigoprimo rodrigoprimo rodrigoprimo left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Component: Extra Status: Awaiting feedback Type: Documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@brentwilson-clariio @rodrigoprimo