WordPress-Coding-Standards
Sniff to detect proper usage of preg_quote()?
I'd like to suggest adding two new sniffs around the usage of preg_quote().
- Verify the `$regex` parameter of any PCRE function calls to make sure that if the regex is being built up by concatenating parts together, that any `$variable` parts are wrapped in a call to `preg_quote()`.

  ```php
  preg_match( '`http[s]?://[^\s<>\'"()]*' . preg_quote( $match_data[0], '`' ) . '`', $content ); // OK.
  preg_match( '`http[s]?://[^\s<>\'"()]*' . $match_data[0] . '`', $content ); // Warning.
  preg_match( $regex, $content ); // OK, ignore as impossible to check reliably.
  ```
- Verify that the optional second parameter `$delimiter` of `preg_quote()` is always passed. Too often I come across code where it is missing and unless it is passed, the default `/` delimiters are presumed, which is often wrong.
Initially these sniffs would go into Extra, but I'd encourage the WP Core team to consider accepting them into the Core ruleset.
Opinions?
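The two cases the proposed sniffs target, shown side by side as an added example (not code from the issue, WPCS or PHPCSExtra). The helper name `compare_quoting()` and both sample inputs are constructed for illustration; the backtick delimiter follows the issue's own snippet.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: builds the same anchored pattern around $part in three
 * ways and returns what preg_match() gives for $subject with each of them:
 * 1 (match), 0 (no match) or false (the pattern failed to compile).
 */
function compare_quoting( string $part, string $subject ): array {
    $patterns = array(
        // Sniff 1 would warn here: variable part concatenated without quoting.
        'raw concatenation'         => '`^' . $part . '$`',
        // Sniff 2 would flag this: metacharacters are escaped, the delimiter is not.
        'preg_quote( $part )'       => '`^' . preg_quote( $part ) . '$`',
        // Both sniffs pass: metacharacters and the backtick delimiter are escaped.
        'preg_quote( $part, "`" )'  => '`^' . preg_quote( $part, '`' ) . '$`',
    );

    $results = array();
    foreach ( $patterns as $label => $pattern ) {
        // "@" hides the compile warning; the false return value is what matters.
        $results[ $label ] = @preg_match( $pattern, $subject );
    }
    return $results;
}

// Constructed input 1: the variable part contains a regex metacharacter.
// Unquoted, "." is a wildcard, so a subject that is not the literal value
// can still match.
var_export( compare_quoting( 'example.com', 'exampleXcom' ) );
echo PHP_EOL;

// Constructed input 2: the variable part contains the delimiter itself.
// Without the second argument the backtick stays unescaped, the pattern ends
// early and the remainder is parsed as modifiers.
var_export( compare_quoting( 'a`b', 'a`b' ) );
echo PHP_EOL;
```

Run it with the PHP CLI and compare the three results per input: only the variant that passes the delimiter to `preg_quote()` treats the variable part as a literal string in both cases.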
Re-opened as the first bullet point has not been addressed yet.
An issue has been opened in PHPCSExtra for this: https://github.com/PHPCSStandards/PHPCSExtra/issues/190
Once PHPCSExtra has the sniff(s) for this, those should be added to WPCS Extra (and possibly Core).