Security/EscapeOutput: improve handling of params in formatting functions

Similar to multiple other fixes made before, the parameters passed to a formatting function should be examined individually and not as one big code block.

Fixed now.

Includes tests.

Author: jrfnl

WordPress/Sniffs/Security/EscapeOutputSniff.php

@@ -693,13 +693,20 @@ protected function check_code_is_escaped( $start, $end ) {
 						}
 					}
 
-					// Skip pointer to after the function.
-					// If this is a formatting function we just skip over the opening
-					// parenthesis. Otherwise we skip all the way to the closing.
+					// If this is a formatting function, we examine the parameters individually.
 					if ( $is_formatting_function ) {
-						$i     = ( $function_opener + 1 );
+						$formatting_params = PassedParameters::getParameters( $this->phpcsFile, $i );
+						if ( ! empty( $formatting_params ) ) {
+							foreach ( $formatting_params as $format_param ) {
+								$this->check_code_is_escaped( $format_param['start'], ( $format_param['end'] + 1 ) );
+							}
+						}
+
 						$watch = true;
-					} elseif ( isset( $this->tokens[ $function_opener ]['parenthesis_closer'] ) ) {
+					}
+
+					// Skip pointer to after the function.
+					if ( isset( $this->tokens[ $function_opener ]['parenthesis_closer'] ) ) {
 						$i = $this->tokens[ $function_opener ]['parenthesis_closer'];
 					} else {
 						// Live coding or parse error.

WordPress/Tests/Security/EscapeOutputUnitTest.1.inc

@@ -641,3 +641,10 @@ Some text without interpolation.
 Some text {$with->interpolation}.
 Some text without interpolation.
 EOD;
+
+// Parameters in formatting functions should be examined individually.
+echo sprintf(
+	'<li><a href="#%1$s" class="%2$s"%3$s%4$s>%5$s</a></li>',
+	( '' !== $this->link_title ) ? ' title="' . esc_attr( $this->link_title ) . '"' : '',
+	( '' !== $this->link_aria_label ) ? ' aria-label="' . $this->link_aria_label . '"' : '',
+); // Bad x 1.

WordPress/Tests/Security/EscapeOutputUnitTest.php

@@ -157,6 +157,7 @@ public function getErrorList( $testFile = '' ) {
 					635 => 1,
 					636 => 1,
 					641 => 1,
+					649 => 1,
 				);
 
 			case 'EscapeOutputUnitTest.6.inc':