Security/EscapeOutput: false negatives when handling anonymous classes #2552
Description
While reviewing #2550, @jrfnl reported false negatives when the WordPress.Security.EscapeOutput sniff handles anonymous classes:
EscapeOutput- code in the case\T_THROWblock will yield false negatives for readonly anonymous classes and anonymous classes with attributes for code likethrow new [...] class( $unescaped ) {};.My approval is for the PR as-is and presumes the missing tests for EscapeOutput will be addressed in a separate PR.
I'm opening this issue to check a few details instead of discussing them on #2550.
I can see how an anonymous class with attributes will yield false negatives. For example, the code snippets below should trigger errors, but that doesn't happen:
throw new #[MyAttribute] class( $unescaped ) extends Exception {};
throw new #[MyAttribute1(FirstParam::CONST, 'another parameter'), MyAttribute2] class( $unescaped ) extends Exception {};I'm unsure about readonly anonymous classes. I can see how something like the snippets below are false negatives:
throw new readonly class( $unescaped ) {};
throw new readonly class( $unescaped ) extends Exception {};But they are also fatal errors. The anonymous class needs to extend Exception or Error, but that is not possible for an anonymous readonly class, as Exception and Error are non-readonly.
@jrfnl, should the sniff trigger an error when handling readonly anonymous classes in a throw statement, even though it is a fatal error? Or is there an example that is not a fatal error that I'm missing?