Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive for escape in array_map #469

Closed
davidperezgar opened this issue Jun 7, 2024 · 1 comment
Closed

False positive for escape in array_map #469

davidperezgar opened this issue Jun 7, 2024 · 1 comment

Comments

@davidperezgar
Copy link
Member

When there is a array_map, the scanner is giving false positive.

guttypress/inc/admin/services/tax.php:378 echo implode( ' | ', array_map( 'esc_html', array_keys( $post_types ) ) );
@swissspidy
Copy link
Member

If there are really false positives from PHPCS, then they most likely need to be reported at https://github.com/WordPress/WordPress-Coding-Standards. For example, right now there is a related open issue about nested array_map calls: WordPress/WordPress-Coding-Standards#2009

That said, I cannot reproduce this.

If I do something like this:

$post_types = get_post_types();
echo implode( ' | ', array_map( 'foo_function', array_keys( $post_types ) ) );

Then I'll get the following error:


WordPress.Security.EscapeOutput.OutputNotEscaped
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'foo_function'.

However, if I use esc_html as the callback, like in the provided example, no error is reported in Plugin Check.
@swissspidy swissspidy closed this as not planned Won't fix, can't repro, duplicate, stale Jul 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants
@swissspidy @davidperezgar