Security/EscapeOutput: namespaced function calls are incorrectly handled

[rodrigoprimo]

Bug Description

The sniff incorrectly handles namespaced function calls by checking each token individually. This causes a few problems:

1. When the namespace prefix doesn't match a known function, only the prefix is flagged in the error message instead of the full namespaced function name.
2. The array walking function logic is incorrectly applied to namespaced functions that happen to share the same name as a valid global array walking function.
3. When the namespace prefix matches an allowed function name, the sniff treats it as an allowed function.

The sniff should treat namespaced function calls as a single unit:

1. Flag the full namespaced name in error messages.
2. Do not apply special logic to namespaced functions that merely share the same name as global functions.
3. Recognize that MyNamespace\function_name() is not the global function_name().

Minimal Code Snippet

The issue happens when running this command:

phpcs --standard=WordPress --sniffs=WordPress.Security.EscapeOutput test.php

... over a file containing this code:

// Incorrect error message (should flag 'MyNamespace\esc_html')
echo MyNamespace\esc_html( $foo );
// Current: found 'MyNamespace'
// Expected: found 'MyNamespace\esc_html'

// Inconsistent handling - 2 errors for MyNamespace\array_map() and 1 error for MyNamespace\map_deep()
echo implode( '<br>', MyNamespace\array_map( 'esc_html', $items ) );
echo implode( '<br>', MyNamespace\map_deep( $items, 'esc_html' ) ); // Bad.

// Completely missed - no error (should flag 'esc_html\esc_html')
echo esc_html\esc_html( $foo );

Error Code

WordPress.Security.EscapeOutput.OutputNotEscaped

Environment

Question	Answer
PHP version	8.4
PHP_CodeSniffer version	3.13.5
WordPressCS version	develop
PHPCSUtils version	1.2.1
PHPCSExtra version	1.5.0
WordPressCS install type	git clone
IDE (if relevant)	N/A

Additional Context (optional)

It needs to be checked, but those issues probably don't happen when running WPCS with PHPCS 4.0. If that is the case, I would suggest waiting for PHPCS 3.x support to be dropped to close this issue instead of working on a fix, as this is probably low priority.

Tested Against develop Branch?

• I have verified the issue still exists in the develop branch of WordPressCS.

[jrfnl]

I believe for [1], this is a duplicate of pre-existing issue #1507. And probably [3] too.

In my opinion, [2] probably deserves its own issue.

It needs to be checked, but those issues probably don't happen when running WPCS with PHPCS 4.0.

I don't think they will be as the cases described in #1507 would not have a different tokenization in PHPCS 4.0.

May I suggest adding the information related to [1] and [3], including code samples, to issue #1507 to keep things together ?
And then this issue could be dedicated to [2], though for traceability of the discussions, it might actually be better for a new issue to replace this issue, specifically for [2].

[rodrigoprimo]

Closing this issue as I added a comment to #1507 with information related to [1] and [3], and opened #2674 to report [2].