WordPress-Coding-Standards
EscapeOutput: False positive for _doing_it_wrong with constant
Bug Description
When I replace
_doing_it_wrong( __FUNCTION__, 'My message', '1.0.0' );
with
const MY_MESSAGE = 'My message';
_doing_it_wrong( __FUNCTION__, MY_MESSAGE, '1.0.0' );
I get a WordPress.Security.EscapeOutput.OutputNotEscaped
error. I assume this is a false positive. If the message really should be escaped, the plain string version should result in the same error.
Error Code
WordPress.Security.EscapeOutput.OutputNotEscaped
Environment
- PHP: 7.4.21
- PHPCS: 3.6.0
- WPCS: 2.3.0
Tested Against develop branch?
- [x] I have verified the issue still exists in the develop branch of WPCS.
@mundschenk-at This is not a false positive. As constants can be declared anywhere in the code base and even outside it - like in a dependency - WPCS does not have access to the value of the constant and can't evaluate whether it is safe.
The constant could be a constant declared in a config file by an admin user, or when declared using define() could contain the result of user input like $_GET.
The plain text string used in the first example however is not susceptible to any form of code injection and is therefore not flagged.
Closing as invalid, no action planned.
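The scenario the maintainer describes, as an added example that is not part of the issue thread and not WPCS or WordPress project code: a constant whose value is built from request data in a config file, passed to `_doing_it_wrong()` at a call site where the sniff can only see the constant name. The `esc_html()` and `_doing_it_wrong()` stand-ins are assumptions so the script runs outside WordPress; inside WordPress the real functions are used and the stand-ins are skipped. The `$_GET['msg']` value is constructed.

```php
<?php
/**
 * Added example (not from the WPCS issue or the WPCS project).
 * Shows why WPCS cannot treat a constant as safe: its value may come
 * from somewhere the sniff never sees, such as a config file or a dependency.
 *
 * Stand-ins below exist only so the file runs outside WordPress; they are
 * assumptions, not the real WordPress implementations.
 */
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}
if ( ! function_exists( '_doing_it_wrong' ) ) {
	// Stand-in: emulate the notice being written into page output.
	function _doing_it_wrong( $function, $message, $version ) {
		echo "Notice: {$function} was called incorrectly. {$message} (since {$version})\n";
	}
}

// Constructed request input, standing in for a value a visitor controls.
$_GET['msg'] = '<script>alert(1)</script>';

// Imagine this define() lives in a config file or a dependency. WPCS only
// sees the call sites below and cannot know what the constant holds.
define( 'MY_MESSAGE', 'Invalid value: ' . $_GET['msg'] );

function report_unescaped() {
	// Flagged by WordPress.Security.EscapeOutput.OutputNotEscaped, and in this
	// case correctly: the raw <script> tag reaches the output unchanged.
	_doing_it_wrong( __FUNCTION__, MY_MESSAGE, '1.0.0' );
}

function report_escaped() {
	// Escaping at the call site satisfies the sniff (esc_html is a recognised
	// escaping function) and neutralises the markup whatever the constant holds.
	_doing_it_wrong( __FUNCTION__, esc_html( MY_MESSAGE ), '1.0.0' );
}

function report_literal() {
	// A string literal has no injection surface, so the sniff does not flag it.
	_doing_it_wrong( __FUNCTION__, 'My message', '1.0.0' );
}

report_unescaped();
report_escaped();
report_literal();
```

Run with `php example.php`: the first notice contains the literal `<script>` tag, the second contains `&lt;script&gt;`, and the third is the fixed message. The practical fix for the original report is therefore not to suppress the sniff but to escape at the call site, because the constant name alone tells the static analyser nothing about where the value came from.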