Security/EscapeOutput: fix false positive for get_search_query() with FQN/mixed-case true

The sniff was incorrectly flagging `get_search_query()` calls as unsafe when the `$escaped` parameter was passed as fully qualified true or as true using a non-standard case.

The comparison `'true' !== $escaped_param['clean']` failed because the parameter value wasn't normalized. This commit fixes this by stripping any leading backslash and converting to lowercase before comparison.

Author: rodrigoprimo

WordPress/Sniffs/Security/EscapeOutputSniff.php

@@ -741,7 +741,7 @@ protected function check_code_is_escaped( $start, $end, $code = 'OutputNotEscape
 					// Special case get_search_query() which is unsafe if $escaped = false.
 					if ( 'get_search_query' === strtolower( $functionName ) ) {
 						$escaped_param = PassedParameters::getParameter( $this->phpcsFile, $ptr, 1, 'escaped' );
-						if ( false !== $escaped_param && 'true' !== $escaped_param['clean'] ) {
+						if ( false !== $escaped_param && 'true' !== strtolower( ltrim( $escaped_param['clean'], '\\' ) ) ) {
 							$this->phpcsFile->addError(
 								'Output from get_search_query() is unsafe due to $escaped parameter being set to "false".',
 								$ptr,

WordPress/Tests/Security/EscapeOutputUnitTest.1.inc

@@ -801,3 +801,13 @@ echo implode( '<br>', MyNamespace\array_map( 'esc_html', $items ) ); // Bad x 2.
 echo implode( '<br>', \MyNamespace\map_deep( $items, 'esc_html' ) ); // Bad.
 echo implode( '<br>', namespace\array_map( 'esc_html', $items ) ); // Bad x 2. The sniff should stop flagging this once it can resolve relative namespaces.
 echo implode( '<br>', namespace\Sub\map_deep( $items, 'esc_html' ) ); // Bad.
+
+/*
+ * Safeguard correct handling of get_search_query() with FQN and non-standard case booleans for the $escaped parameter.
+ */
+echo \get_search_query( TRUE ); // Ok.
+echo \get_search_query( \true ); // Ok.
+echo \get_search_query( \True ); // Ok.
+echo \get_search_query( FaLsE ); // Bad.
+echo \get_search_query( \false ); // Bad.
+echo \get_search_query( \FALSE ); // Bad.

WordPress/Tests/Security/EscapeOutputUnitTest.php

@@ -205,6 +205,9 @@ public function getErrorList( $testFile = '' ) {
 					801 => 1,
 					802 => 2,
 					803 => 1,
+					811 => 1,
+					812 => 1,
+					813 => 1,
 				);
 
 			case 'EscapeOutputUnitTest.6.inc':