Merge pull request #683 from Automattic/develop

Release 2.3.2

Author: rebeccahum

CHANGELOG.md

@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.3.2] - 2021-04-28
+
+Props: jrfnl
+
+### Fixed
+- [#681](https://github.com/Automattic/VIP-Coding-Standards/pull/681): ProperEscapingFunction: improve attribute matching accuracy for notAttrEscAttr.
+
 ## [2.3.1] - 2021-04-23
 
 Props: jrfnl
@@ -550,6 +557,7 @@ Initial release.
 Props: david-binda, pkevan.
 
 
+[2.3.2]: https://github.com/Automattic/VIP-Coding-Standards/compare/2.3.1...2.3.2
 [2.3.1]: https://github.com/Automattic/VIP-Coding-Standards/compare/2.3.0...2.3.1
 [2.3.0]: https://github.com/Automattic/VIP-Coding-Standards/compare/2.2.0...2.3.0
 [2.2.0]: https://github.com/Automattic/VIP-Coding-Standards/compare/2.1.0...2.2.0

WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php

@@ -23,7 +23,7 @@ class ProperEscapingFunctionSniff extends Sniff {
 	 *
 	 * @var string
 	 */
-	const ATTR_END_REGEX = '`(?<attrname>href|src|url|(^|\s+)action)?=(?:\\\\)?["\']*$`i';
+	const ATTR_END_REGEX = '`(?<attrname>href|src|url|(^|\s+)action)?(?<=[a-z0-9_-])=(?:\\\\)?["\']*$`i';
 
 	/**
 	 * List of escaping functions which are being tested.

WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc

@@ -106,3 +106,10 @@ echo '<a href="',  esc_html($url), '">'; // Error.
 <div>html</div>
 <?= '<h1 class="', esc_attr( $test ), '">'; ?><!-- OK -->
 <div>html</div>
+
+// Issue #680 - only match = when preceeded by something which could be an HTML attribute.
+<option value="<?php echo esc_attr( $i ); ?>" <?php echo ( $filter_importance === $i ) ? 'selected' : ''; ?> >
+	&gt;=<?php echo esc_html( $i ); ?>
+</option>
+
+<A HREF="<?= esc_url($url) ?>" data-num2=<?= esc_attr( $num2 )><?php echo esc_html( $link ); ?><a/>