
Flag incorrectly constructed mailto links #556

@GaryJones

Description

What problem would the enhancement address for VIP?

Some developers are not aware that esc_url() supports more than just the http and https protocols. The default list also includes ftp, ftps, mailto, news, irc, gopher, nntp, feed, and telnet as well.

Of those extra ones, the most common is mailto, and a common mistake is to split a URL into a static 'mailto:' and an email address variable/string escaped with something that isn't esc_url().

Describe the solution you'd like

Add a new sniff, or consider improving ProperEscapingFunction, so that we look for a `'mailto:'` string before an escaping function.

What code should be reported as a violation?

```html
<a href="mailto:<?php echo esc_html( $foo ); ?>">Email us</a>

<a href="mailto:<?php echo esc_attr( $foo ); ?>">Email us</a>

<a href="mailto:<?= esc_html( $foo ); ?>">Email us</a>

<a href="mailto:<?= esc_attr( $foo ); ?>">Email us</a>

<a href="<?php echo 'mailto:' . esc_attr( $foo ); ?>">Email us</a>

<a href="<?php echo 'mailto:', esc_attr( $foo ); ?>">Email us</a>
```

There are likely other ways to get a similar output.

What code should not be reported as a violation?

```html
<a href="<?php echo esc_url( 'mailto:' . $foo ); ?>">Email us</a>

<a href="<?php echo esc_url( "mailto:$foo" ); ?>">Email us</a>
```
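As an added illustration of the heuristic the sniff would need (this is not the VIP Coding Standards sniff, and it is a line-based regex approximation in Python rather than a PHP_CodeSniffer token walk), the checker below flags the six violating constructions above and leaves the two `esc_url()` forms alone. The sample markup is constructed from the examples in this issue.

```python
import re

# Escaping functions that only HTML-encode their input and never validate
# a URL scheme, so they must not be used to build a mailto: href.
NON_URL_ESCAPERS = "|".join(("esc_html", "esc_attr"))

# Case 1: literal mailto: in markup directly followed by a PHP echo / short
# echo of a non-URL escaper, e.g.  mailto:<?php echo esc_attr( $foo ); ?>
INLINE = re.compile(
    r"mailto:\s*<\?(?:php\s+echo|=)\s*(?:%s)\s*\(" % NON_URL_ESCAPERS
)

# Case 2: a 'mailto:' string literal joined to a non-URL escaper with
# concatenation (.) or an echo comma (,), e.g.  'mailto:' . esc_attr( $foo )
CONCAT = re.compile(
    r"""(['"])mailto:\1\s*[.,]\s*(?:%s)\s*\(""" % NON_URL_ESCAPERS
)


def find_violations(source: str):
    """Return (line_number, matched_text) for each suspect mailto construction."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern in (INLINE, CONCAT):
            match = pattern.search(line)
            if match:
                hits.append((lineno, match.group(0)))
                break  # one report per line is enough
    return hits


# Constructed sample: lines 1-6 should be reported, lines 7-8 should not.
SAMPLE = "\n".join([
    '<a href="mailto:<?php echo esc_html( $foo ); ?>">Email us</a>',
    '<a href="mailto:<?php echo esc_attr( $foo ); ?>">Email us</a>',
    '<a href="mailto:<?= esc_html( $foo ); ?>">Email us</a>',
    '<a href="mailto:<?= esc_attr( $foo ); ?>">Email us</a>',
    '<a href="<?php echo \'mailto:\' . esc_attr( $foo ); ?>">Email us</a>',
    '<a href="<?php echo \'mailto:\', esc_attr( $foo ); ?>">Email us</a>',
    '<a href="<?php echo esc_url( \'mailto:\' . $foo ); ?>">Email us</a>',
    '<a href="<?php echo esc_url( "mailto:$foo" ); ?>">Email us</a>',
])

if __name__ == "__main__":
    for lineno, text in find_violations(SAMPLE):
        print(f"line {lineno}: mailto link built without esc_url(): {text}")
```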
