From e09c47a21722b7233bf0fca63fa9fd235ca2218e Mon Sep 17 00:00:00 2001 From: Rebecca Hum <16962021+rebeccahum@users.noreply.github.com> Date: Mon, 27 Sep 2021 14:18:00 -0600 Subject: [PATCH] Revert "Downgrade htmlAttrNotByEscHTML to a warning" --- WordPress-VIP-Go/ruleset-test.inc | 4 ++-- WordPress-VIP-Go/ruleset-test.php | 4 ++-- WordPress-VIP-Go/ruleset.xml | 4 ++++ .../Security/ProperEscapingFunctionSniff.php | 4 ++-- .../Security/ProperEscapingFunctionUnitTest.inc | 12 ++++++------ .../Security/ProperEscapingFunctionUnitTest.php | 15 +++++++-------- WordPressVIPMinimum/ruleset-test.inc | 2 +- WordPressVIPMinimum/ruleset-test.php | 2 +- 8 files changed, 25 insertions(+), 22 deletions(-) diff --git a/WordPress-VIP-Go/ruleset-test.inc b/WordPress-VIP-Go/ruleset-test.inc index df6e313c..61e56955 100644 --- a/WordPress-VIP-Go/ruleset-test.inc +++ b/WordPress-VIP-Go/ruleset-test.inc @@ -253,10 +253,10 @@ $test = @in_array( $array, $needle, true ); // Error. // WordPressVIPMinimum.Security.ProperEscapingFunction.htmlAttrNotByEscHTML echo ''; // Error. -echo ''; // Warning. +echo ''; // Error. echo ''; // OK. ?>Hello -Hey +Hey 1, 252 => 1, 255 => 1, + 256 => 1, 258 => 1, + 259 => 1, 318 => 1, 329 => 1, 334 => 1, @@ -191,8 +193,6 @@ 245 => 1, 246 => 1, 247 => 1, - 256 => 1, - 259 => 1, 265 => 1, 269 => 1, 273 => 1, diff --git a/WordPress-VIP-Go/ruleset.xml b/WordPress-VIP-Go/ruleset.xml index 58386a58..e4297a51 100644 --- a/WordPress-VIP-Go/ruleset.xml +++ b/WordPress-VIP-Go/ruleset.xml @@ -229,6 +229,10 @@ 1 + + + 3 + 1 diff --git a/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php b/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php index e30af7c3..9b9513f0 100644 --- a/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php +++ b/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php 
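Review bot: The value `3` added in the WordPress-VIP-Go/ruleset.xml hunk is below PHP_CodeSniffer's default reporting threshold of 5, so the rule it applies to is hidden unless the run lowers the minimum severity (for example with `--severity=3`). The markup of the four added lines did not survive on this page. Judging by the ruleset-test changes in the same commit, it is presumably a severity override for `WordPressVIPMinimum.Security.ProperEscapingFunction.htmlAttrNotByEscHTML`, which the sniff raises as an error again. If so, the override should say so next to it, e.g. `<!-- Error in the sniff, but severity 3 here: only reported when the minimum severity is 3 or lower. -->`, so that a clean default run is not read as "no wrong-context escaping found".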
@@ -205,8 +205,8 @@ public function process_token( $stackPtr ) { if ( $escaping_type === 'html' ) { $message = 'Wrong escaping function. HTML attributes should be escaped by `esc_attr()`, not by `%s()`.'; - $this->phpcsFile->addWarning( $message, $stackPtr, 'htmlAttrNotByEscHTML', $data ); - return; // Warning level because sub-optimal due to different filters, but still OK. + $this->phpcsFile->addError( $message, $stackPtr, 'htmlAttrNotByEscHTML', $data ); + return; } } diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc index 35c66e49..af65ab5f 100644 --- a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc +++ b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc @@ -12,15 +12,15 @@ echo ''; // OK. echo ""; // OK. -echo ''; // Warning. +echo ''; // Error. -echo ""; // Warning. +echo ""; // Error. ?> Hello -Hey +Hey @@ -71,9 +71,9 @@ echo "<$tag> " , esc_attr( $test ) , ""; // Error. " . $test . ""; // OK. echo "<{$tag}>" . esc_attr( $tag_content ) . ""; // Error. echo "<$tag" . ' >' . esc_attr( $tag_content ) . ""; // Error. -echo '
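Review bot: The `addError()` call for `htmlAttrNotByEscHTML` is left with no explanation of its severity, because the revert removes the old `// Warning level because sub-optimal due to different filters, but still OK.` remark and puts nothing in its place. A maintainer reading this branch cannot tell why a mismatch the previous comment called "still OK" is now a hard error. I would add a comment above the call such as `// Error: attribute context must use esc_attr(); esc_html() runs different filters. Severity may be tuned per ruleset.` The body of process_token() starts and ends outside this hunk, so `$data` and the conditions leading to this branch are not visible here.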
'; // Warning. -echo "
'; // Warning. -echo "
'; // Warning. +echo '
'; // Error. +echo "
'; // Error. +echo "
'; // Error. echo ''; // Error. echo "'; // Error. echo "
'; // Error. diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php index 1ae08a30..9a4b31c8 100644 --- a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php +++ b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php @@ -27,7 +27,10 @@ public function getErrorList() { return [ 3 => 1, 5 => 1, + 15 => 1, + 17 => 1, 21 => 1, + 23 => 1, 33 => 1, 37 => 1, 41 => 1, @@ -42,6 +45,9 @@ public function getErrorList() { 69 => 1, 72 => 1, 73 => 1, + 74 => 1, + 75 => 1, + 76 => 1, 77 => 1, 78 => 1, 79 => 1, @@ -60,14 +66,7 @@ public function getErrorList() { * @return array => */ public function getWarningList() { - return [ - 15 => 1, - 17 => 1, - 23 => 1, - 74 => 1, - 75 => 1, - 76 => 1, - ]; + return []; } } diff --git a/WordPressVIPMinimum/ruleset-test.inc b/WordPressVIPMinimum/ruleset-test.inc index d1899e0b..803e890f 100644 --- a/WordPressVIPMinimum/ruleset-test.inc +++ b/WordPressVIPMinimum/ruleset-test.inc @@ -548,7 +548,7 @@ echo '{{{data}}}
'; // Warning. // WordPressVIPMinimum.Security.ProperEscapingFunction echo ''; // Error. -echo ''; // Warning. +echo ''; // Error. // WordPressVIPMinimum.Security.StaticStrreplace str_replace( 'foo', array( 'bar', 'foo' ), 'foobar' ); // Error. diff --git a/WordPressVIPMinimum/ruleset-test.php b/WordPressVIPMinimum/ruleset-test.php index 3e71061a..19d74bf1 100644 --- a/WordPressVIPMinimum/ruleset-test.php +++ b/WordPressVIPMinimum/ruleset-test.php @@ -179,6 +179,7 @@ 523 => 1, 525 => 1, 550 => 1, + 551 => 1, 554 => 1, 569 => 1, 570 => 1, @@ -289,7 +290,6 @@ 535 => 1, 538 => 1, 545 => 1, - 551 => 1, 559 => 1, 565 => 1, 589 => 1,