HTMLExecutingFunctions: Add further test cases

The extra unit test cases:

 - consider if the contents of a function was not a string but a function call (and update the inline comments to reflect that); this case was already correctly handled.
 - consider the case when the object that `appendTo()` (and similar) is being called in is a variable, and not a `$()` call (which we already check to see if it contains a simple string to avoid unnecessary violations) or other function call.

Author: GaryJones

WordPressVIPMinimum/Sniffs/JS/HTMLExecutingFunctionsSniff.php

@@ -88,7 +88,7 @@ public function process_token( $stackPtr ) {
 
 			while ( $nextToken < $parenthesis_closer ) {
 				$nextToken = $this->phpcsFile->findNext( Tokens::$emptyTokens, $nextToken + 1, null, true, null, true );
-				if ( T_STRING === $this->tokens[ $nextToken ]['code'] ) { // Contains a variable.
+				if ( T_STRING === $this->tokens[ $nextToken ]['code'] ) { // Contains a variable, function call or something else dynamic.
 					$message = 'Any HTML passed to `%s` gets executed. Make sure it\'s properly escaped.';
 					$data    = [ $this->tokens[ $stackPtr ]['content'] ];
 					$this->phpcsFile->addWarning( $message, $stackPtr, $this->tokens[ $stackPtr ]['content'], $data );
@@ -106,14 +106,21 @@ public function process_token( $stackPtr ) {
 			$prevPrevToken = $this->phpcsFile->findPrevious( Tokens::$emptyTokens, $prevToken - 1, null, true, null, true );
 
 			if ( T_CLOSE_PARENTHESIS !== $this->tokens[ $prevPrevToken ]['code'] ) {
+				// Not a function call, but may be a variable containing an element reference, so just
+				// flag all remaining instances of these target HTML executing functions.
+				$message = 'Any HTML used with `%s` gets executed. Make sure it\'s properly escaped.';
+				$data    = [ $this->tokens[ $stackPtr ]['content'] ];
+				$this->phpcsFile->addWarning( $message, $stackPtr, $this->tokens[ $stackPtr ]['content'], $data );
+
 				return;
 			}
 
+			// Check if it's a function call (typically $() ) that contains a dynamic part.
 			$parenthesis_opener = $this->tokens[ $prevPrevToken ]['parenthesis_opener'];
 
 			while ( $prevPrevToken > $parenthesis_opener ) {
 				$prevPrevToken = $this->phpcsFile->findPrevious( Tokens::$emptyTokens, $prevPrevToken - 1, null, true, null, true );
-				if ( T_STRING === $this->tokens[ $prevPrevToken ]['code'] ) { // Contains a variable.
+				if ( T_STRING === $this->tokens[ $prevPrevToken ]['code'] ) { // Contains a variable, function call or something else dynamic.
 					$message = 'Any HTML used with `%s` gets executed. Make sure it\'s properly escaped.';
 					$data    = [ $this->tokens[ $stackPtr ]['content'] ];
 					$this->phpcsFile->addWarning( $message, $stackPtr, $this->tokens[ $stackPtr ]['content'], $data );

WordPressVIPMinimum/Tests/JS/HTMLExecutingFunctionsUnitTest.js

@@ -42,3 +42,7 @@
 	$( variable )
 		.		replaceAll( el ); // Warning.
 })();
+
+	$( foo_that_contains_script_element() ).appendTo( el ); // Warning.
+	var $foo = $( '.my-selector' );
+	$foo.appendTo( el ); // Warning.

WordPressVIPMinimum/Tests/JS/HTMLExecutingFunctionsUnitTest.php

@@ -56,6 +56,8 @@ public function getWarningList() {
 			39 => 1,
 			41 => 1,
 			43 => 1,
+			46 => 1,
+			48 => 1,
 		];
 	}