ProperEscapingFunctionSniff doesn't catch misuse of wp_json_encode #876

@iandunn

Bug Description

ProperEscapingFunctionSniff is a great addition to WPCS. It isn't comprehensive, though.

One specific example that I ran into is that it won't catch improper use of wp_json_encode() like it does with other functions.

Minimal Code Snippet

<!-- correctly flags esc_html as the wrong escaping function in this context -->
<img src=a onerror="<?php echo esc_html( $foo ); ?>" />

<!-- fails to catch that this is the wrong escaping function -->
<img src=a onerror="<?php echo wp_json_encode( $foo ); ?>" />

Error Code

WordPressVIPMinimum.Security.ProperEscapingFunction
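
The gap reported above, as an added example that is not part of the original issue and is not the sniff's own code: a stand-alone PHP check built on `token_get_all()` that reports both `esc_html()` and `wp_json_encode()` when they are echoed inside a quoted HTML attribute. The `WATCHED` list, the `find_attr_misuse()` name, the attribute-detection heuristic and the `esc_attr()` control line are assumptions made for illustration.

```php
<?php
// Added example, not the VIP Coding Standards sniff. Assumption: the two
// functions named in the report are the ones to flag in attribute context.
const WATCHED = [ 'esc_html', 'wp_json_encode' ];

function find_attr_misuse( string $template ): array {
	$findings = [];
	$in_attr  = false;
	$tokens   = token_get_all( $template );

	foreach ( $tokens as $i => $tok ) {
		if ( ! is_array( $tok ) ) {
			continue; // Single-character tokens such as "(" or ";".
		}
		if ( T_INLINE_HTML === $tok[0] ) {
			// Heuristic: the HTML chunk ends inside a quoted attribute value.
			$in_attr = 1 === preg_match( '/=\s*(?:"[^"]*|\'[^\']*)$/', $tok[1] );
			continue;
		}
		if ( ! $in_attr || ! in_array( $tok[0], [ T_ECHO, T_OPEN_TAG_WITH_ECHO ], true ) ) {
			continue;
		}
		// Find the first non-whitespace token after the echo.
		$j = $i + 1;
		while ( isset( $tokens[ $j ] ) && is_array( $tokens[ $j ] ) && T_WHITESPACE === $tokens[ $j ][0] ) {
			$j++;
		}
		$next = $tokens[ $j ] ?? null;
		if ( is_array( $next ) && T_STRING === $next[0] && in_array( $next[1], WATCHED, true ) ) {
			$findings[] = sprintf( 'line %d: %s() output inside an HTML attribute', $next[2], $next[1] );
		}
	}
	return $findings;
}

// Constructed sample: the two lines from the report plus an esc_attr() control.
$sample = <<<'TPL'
<img src=a onerror="<?php echo esc_html( $foo ); ?>" />
<img src=a onerror="<?php echo wp_json_encode( $foo ); ?>" />
<img src=a alt="<?php echo esc_attr( $foo ); ?>" />
TPL;

print_r( find_attr_misuse( $sample ) );
```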
