Security/EscapeOutput: fix false negatives when handling anonymous classes

This commit fixes false negatives when the sniff handles readonly anonymous classes and anonymous classes with attributes that are part of a throw statement.

When stepping over tokens after `T_THROW` to find the `T_OPEN_PARENTHESIS` of the exception creation function call/class instantiation, the sniff was not considering that it might need to step over `T_READONLY` tokens or attribute declarations when dealing with anonymous classes.

Fixes 2552

Author: rodrigoprimo

WordPress/Sniffs/Security/EscapeOutputSniff.php

@@ -216,10 +216,11 @@ public function process_token( $stackPtr ) {
 
 			case \T_THROW:
 				// Find the open parentheses, while stepping over the exception creation tokens.
-				$ignore  = Tokens::$emptyTokens;
-				$ignore += Collections::namespacedNameTokens();
-				$ignore += Collections::functionCallTokens();
-				$ignore += Collections::objectOperators();
+				$ignore               = Tokens::$emptyTokens;
+				$ignore              += Collections::namespacedNameTokens();
+				$ignore              += Collections::functionCallTokens();
+				$ignore              += Collections::objectOperators();
+				$ignore[ T_READONLY ] = T_READONLY;
 
 				$next_relevant = $this->phpcsFile->findNext( $ignore, ( $stackPtr + 1 ), null, true );
 				if ( false === $next_relevant ) {
@@ -233,6 +234,24 @@ public function process_token( $stackPtr ) {
 					}
 				}
 
+				// Skip over attribute declarations when searching for the open parenthesis.
+				if ( \T_ATTRIBUTE === $this->tokens[ $next_relevant ]['code'] ) {
+					if ( isset( $this->tokens[ $next_relevant ]['attribute_closer'] ) === false ) {
+						return;
+					}
+
+					$next_relevant = $this->phpcsFile->findNext(
+						$ignore,
+						( $this->tokens[ $next_relevant ]['attribute_closer'] + 1 ),
+						null,
+						true
+					);
+
+					if ( false === $next_relevant ) {
+						return;
+					}
+				}
+
 				if ( \T_OPEN_PARENTHESIS !== $this->tokens[ $next_relevant ]['code']
 					|| isset( $this->tokens[ $next_relevant ]['parenthesis_closer'] ) === false
 				) {

WordPress/Tests/Security/EscapeOutputUnitTest.1.inc

@@ -655,3 +655,13 @@ echo '<input type="search" value="' . get_search_query( false ) . '">'; // Bad.
 echo '<input type="search" value="' . get_search_query( 0 ) . '">'; // Bad.
 echo '<input type="search" value="' . get_search_query( escape: false ) . '">'; // OK, well not really, typo in param name, but that's not our concern.
 echo '<input type="search" value="' . get_search_query( escaped: false ) . '">'; // Bad.
+
+/*
+ * Issue https://github.com/WordPress/WordPress-Coding-Standards/issues/2552
+ * Ensure that readonly anonymous classes and anonymous classes with attributes are handled
+ * correctly when part of a throw statement.
+ */
+throw new #[MyAttribute] readonly class( esc_html( $message ) ) extends Exception {}; // Good.
+throw new readonly class( $unescaped ) {}; // Bad.
+throw new #[MyAttribute] class( $unescaped ) extends Exception {}; // Bad.
+throw new #[MyAttribute] readonly class( $unescaped ) extends Exception {}; // Bad.

WordPress/Tests/Security/EscapeOutputUnitTest.21.inc

@@ -0,0 +1,8 @@
+<?php
+
+/*
+ * Intentional parse error (nothing after T_ATTRIBUTE).
+ * This should be the only test in this file.
+ */
+
+throw new #[

WordPress/Tests/Security/EscapeOutputUnitTest.22.inc

@@ -0,0 +1,8 @@
+<?php
+
+/*
+ * Intentional parse error (nothing after T_ATTRIBUTE_END).
+ * This should be the only test in this file.
+ */
+
+throw new #[MyAttribute]

WordPress/Tests/Security/EscapeOutputUnitTest.php

@@ -159,6 +159,9 @@ public function getErrorList( $testFile = '' ) {
 					654 => 1,
 					655 => 1,
 					657 => 1,
+					665 => 1,
+					668 => 1,
+					669 => 1,
 				);
 
 			case 'EscapeOutputUnitTest.6.inc':