Merge pull request #2605 from rodrigoprimo/escape-output-fix-namespaced-class-detection

jrfnl · web-flow · commit 17875ff5f337 · 2025-09-15T15:29:34.000+02:00
Security/EscapeOutput: fix namespaced ::class detection
diff --git a/WordPress/Sniffs/Security/EscapeOutputSniff.php b/WordPress/Sniffs/Security/EscapeOutputSniff.php
@@ -615,8 +615,13 @@ protected function check_code_is_escaped( $start, $end, $code = 'OutputNotEscape
 			if ( \T_STRING === $this->tokens[ $i ]['code']
 				|| \T_VARIABLE === $this->tokens[ $i ]['code']
 				|| isset( Collections::ooHierarchyKeywords()[ $this->tokens[ $i ]['code'] ] )
+				|| \T_NAMESPACE === $this->tokens[ $i ]['code']
 			) {
-				$double_colon = $this->phpcsFile->findNext( Tokens::$emptyTokens, ( $i + 1 ), $end, true );
+				$skip_tokens                    = Tokens::$emptyTokens;
+				$skip_tokens[ \T_STRING ]       = \T_STRING;
+				$skip_tokens[ \T_NS_SEPARATOR ] = \T_NS_SEPARATOR;
+
+				$double_colon = $this->phpcsFile->findNext( $skip_tokens, ( $i + 1 ), $end, true );
 				if ( false !== $double_colon
 					&& \T_DOUBLE_COLON === $this->tokens[ $double_colon ]['code']
 				) {
diff --git a/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc b/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc
@@ -538,7 +538,7 @@ _deprecated_function( __METHOD__, 'x.x.x', ClassName::class ); // OK.
 die( self::CLASS . ' has been abandoned' ); // OK.
 _deprecated_function( __METHOD__, 'x.x.x', parent::Class ); // OK.
 _deprecated_function( __METHOD__, 'x.x.x', static::class ); // OK.
-echo 'Do not use ' . $object::class ); // OK.
+echo 'Do not use ' . $object::class; // OK.
 
 /*
  * Examine the parameters passed for exception creation via throw.
@@ -676,3 +676,14 @@ throw new
 /* some comment */
 #[Attribute2('text', 10)]
 readonly class( $unescaped ) {}; // Bad.
+
+/*
+ * Safeguard correct handling of all types of namespaced function calls when *::class is used.
+ *
+ * Note: using ::class on fully qualified or namespace relative class names doesn't provide
+ * any real value in practice.
+ */
+_deprecated_function( __METHOD__, 'x.x.x', \ClassName::class ); // OK.
+die( \MyNamespace\ClassName::class . ' has been abandoned' ); // OK.
+echo 'Do not use ' . MyNamespace\ClassName::class; // OK.
+_deprecated_function( __METHOD__, 'x.x.x', namespace\ClassName::class ); // OK.
