J.D. Grimes
+1 I've thought of this before but never opened an issue for it.
FWIW, I think `esc_html()` and `esc_attr()` are currently equivalent (I would have to double-check though). Also, similar to what @GaryJones pointed out, special consideration should probably be given to the...
What if the value is being passed to `preg_replace()`, and capture patterns are being used? Now you have a vector for inserting arbitrary HTML into a string (or anything else...
> AFAICS that is an output escape issue, not necessarily an input sanitization one.

Well, isn't that true of all input? 😉 But I'd still say that in this case...
In this case, because you are checking that the value is not set, the sniff may be a bit overzealous. However, I wouldn't favor making it ignore all `isset()` and...
There is `esc_url_raw()`, which is more of a sanitization function (it replaced `sanitize_url()`).
It would be possible to detect whether the third parameter was supplied, if anyone would like to work up a patch.
A side note: I think that probably the `filter_input()` function should be flagged by the `WordPress.VIP.SuperGlobalInputUsage` sniff.
The only concern that I have is maintainability. If we can't automatically generate the list of deprecated features, then it won't end up getting maintained. Also, we'd need to discuss...
> On that note, the PHP Doc Parser used by the WordPress.org developer documentation site has an understanding of what code elements are deprecated, so one could possibly use this...