From 387784c8a0ae66887e31b074b775d43525c76ca8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dawid=20Urba=C5=84ski?= Date: Sun, 3 Sep 2023 10:43:53 +0200 Subject: [PATCH 01/10] Docs: Use WordPress.Files.FileName rule instead of WordPress.Files.Filename in the sample phpcs ruleset --- phpcs.xml.dist.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpcs.xml.dist.sample b/phpcs.xml.dist.sample index c20d803f77..b1ddd44803 100644 --- a/phpcs.xml.dist.sample +++ b/phpcs.xml.dist.sample @@ -146,7 +146,7 @@ /path/to/Tests/*Test\.php - + /path/to/Tests/*Test\.php From d7d4de3d96977471611ca108bf0da736d5b32d6c Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sun, 3 Sep 2023 15:49:51 +0200 Subject: [PATCH 02/10] GH Actions: add task to test example ruleset ... to prevent typos like reported in 2375 from entering it. --- .github/workflows/basic-qa.yml | 6 ++++++ Tests/RulesetCheck/example-ruleset-test.inc | 8 ++++++++ 2 files changed, 14 insertions(+) create mode 100644 Tests/RulesetCheck/example-ruleset-test.inc diff --git a/.github/workflows/basic-qa.yml b/.github/workflows/basic-qa.yml index 859cc0566d..94432f31b5 100644 --- a/.github/workflows/basic-qa.yml +++ b/.github/workflows/basic-qa.yml @@ -141,6 +141,12 @@ jobs: - name: Test the WordPress ruleset run: $(pwd)/vendor/bin/phpcs -ps ./Tests/RulesetCheck/class-ruleset-test.inc --standard=WordPress + - name: Rename the example ruleset to one which can be used for a ruleset + run: cp phpcs.xml.dist.sample sample.xml + + - name: Test the example ruleset + run: $(pwd)/vendor/bin/phpcs -ps ./Tests/RulesetCheck/example-ruleset-test.inc --standard=./sample.xml + # Test for fixer conflicts by running the auto-fixers of the complete WPCS over the test case files. # This is not an exhaustive test, but should give an early indication for typical fixer conflicts. # If only fixable errors are found, the exit code will be 1, which can be interpreted as success. 
diff --git a/Tests/RulesetCheck/example-ruleset-test.inc b/Tests/RulesetCheck/example-ruleset-test.inc new file mode 100644 index 0000000000..de3055cb61 --- /dev/null +++ b/Tests/RulesetCheck/example-ruleset-test.inc @@ -0,0 +1,8 @@ + Date: Sun, 3 Sep 2023 11:02:45 -0400 Subject: [PATCH 03/10] Security/EscapeOutputSniff: More modular error codes This splits certain cases out of `OutputNotEscaped` to allow for ignoring certain cases that are looking at error strings at time of generation (where they may eventually be used in both HTML and non-HTML contexts) rather than at time of output. * `ExceptionNotEscaped` for unescaped strings in throws (cf. #2374). * `ErrorNotEscaped` for unescaped strings in `trigger_error` (cf. #1864). --- .../Sniffs/Security/EscapeOutputSniff.php | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/WordPress/Sniffs/Security/EscapeOutputSniff.php b/WordPress/Sniffs/Security/EscapeOutputSniff.php index e356c46ff5..a3a0bd59de 100644 --- a/WordPress/Sniffs/Security/EscapeOutputSniff.php +++ b/WordPress/Sniffs/Security/EscapeOutputSniff.php @@ -263,7 +263,7 @@ public function process_token( $stackPtr ) { // Examine each parameter individually. foreach ( $params as $param ) { - $this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ) ); + $this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ), 'ExceptionNotEscaped' ); } return $end; @@ -344,7 +344,7 @@ public function process_token( $stackPtr ) { break; } - return $this->check_code_is_escaped( $start, $end ); + return $this->check_code_is_escaped( $start, $end, 'OutputNotEscaped' ); } /** @@ -395,7 +395,7 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content continue; } - $this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ) ); + $this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ), 'OutputNotEscaped' ); } return $end; 
@@ -414,7 +414,7 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content return $end; } - return $this->check_code_is_escaped( $message_param['start'], ( $message_param['end'] + 1 ) ); + return $this->check_code_is_escaped( $message_param['start'], ( $message_param['end'] + 1 ), 'ErrorNotEscaped' ); } /* @@ -435,7 +435,7 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content // Examine each parameter individually. foreach ( $params as $param ) { - $this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ) ); + $this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ), 'OutputNotEscaped' ); } return $end; @@ -446,12 +446,13 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content * * @since 3.0.0 Split off from the process_token() method. * - * @param int $start The position to start checking from. - * @param int $end The position to stop the check at. + * @param int $start The position to start checking from. + * @param int $end The position to stop the check at. + * @param string $code Code to use for the PHPCS error. * * @return int Integer stack pointer to skip forward. */ - protected function check_code_is_escaped( $start, $end ) { + protected function check_code_is_escaped( $start, $end, $code ) { /* * Check for a ternary operator. * We only need to do this here if this statement is lacking parenthesis. @@ -532,7 +533,7 @@ protected function check_code_is_escaped( $start, $end ) { // Handle PHP 8.0+ match expressions. if ( \T_MATCH === $this->tokens[ $i ]['code'] ) { - $match_valid = $this->walk_match_expression( $i ); + $match_valid = $this->walk_match_expression( $i, $code ); if ( false === $match_valid ) { // Live coding or parse error. Shouldn't be possible as PHP[CS] will tokenize the keyword as `T_STRING` in that case. break; // @codeCoverageIgnore 
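Review bot: The docblock for check_code_is_escaped in the `@@ -446,12 +446,13 @@` hunk gains `@param string $code` but its `@since` history is not extended, so a reader cannot tell in which release the parameter appeared, even though the file already records such changes in that form (`@since 3.0.0 Split off from the process_token() method.`) and the changelog later in this series files the change under 3.0.1. Add `@since 3.0.1 The $code parameter was added.` directly under the existing `@since` line. The same omission applies to walk_match_expression's docblock in the `@@ -825,11 +826,12 @@` hunk, which also adds `@param string $code` without a matching `@since`. The bodies of both functions continue outside these hunks.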
@@ -553,7 +554,7 @@ protected function check_code_is_escaped( $start, $end ) { $array_items = PassedParameters::getParameters( $this->phpcsFile, $i, 0, true ); if ( ! empty( $array_items ) ) { foreach ( $array_items as $array_item ) { - $this->check_code_is_escaped( $array_item['start'], ( $array_item['end'] + 1 ) ); + $this->check_code_is_escaped( $array_item['start'], ( $array_item['end'] + 1 ), $code ); } } @@ -699,7 +700,7 @@ protected function check_code_is_escaped( $start, $end ) { $formatting_params = PassedParameters::getParameters( $this->phpcsFile, $i ); if ( ! empty( $formatting_params ) ) { foreach ( $formatting_params as $format_param ) { - $this->check_code_is_escaped( $format_param['start'], ( $format_param['end'] + 1 ) ); + $this->check_code_is_escaped( $format_param['start'], ( $format_param['end'] + 1 ), $code ); } } @@ -754,7 +755,7 @@ protected function check_code_is_escaped( $start, $end ) { $this->phpcsFile->addError( "All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '%s'.", $ptr, - 'OutputNotEscaped', + $code, array( $content ) ); } @@ -825,11 +826,12 @@ private function find_long_ternary( $start, $end ) { * * @since 3.0.0 * - * @param int $stackPtr Pointer to a T_MATCH token. + * @param int $stackPtr Pointer to a T_MATCH token. + * @param string $code Code to use for the PHPCS error. * * @return int|false Stack pointer to skip to or FALSE if the match expression contained a parse error. */ - private function walk_match_expression( $stackPtr ) { + private function walk_match_expression( $stackPtr, $code ) { if ( ! isset( $this->tokens[ $stackPtr ]['scope_opener'], $this->tokens[ $stackPtr ]['scope_closer'] ) ) { // Parse error/live coding. Shouldn't be possible as PHP[CS] will tokenize the keyword as `T_STRING` in that case. return false; // @codeCoverageIgnore 
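Review bot: The addError call in the `@@ -754,7 +755,7 @@` hunk now reports under a variable `$code` but keeps the single message "All output should be run through an escaping function ...", so a finding raised as `ExceptionNotEscaped` still tells the user their exception message is "output", which is exactly the distinction the commit description says this split is meant to make. Consider choosing the message by code before the call, e.g. `$message = ( 'ExceptionNotEscaped' === $code ) ? "Exception messages should be escaped before use in an output context, found '%s'." : "All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '%s'.";` and passing `$message` as the first argument, or at least add a comment above the call noting that the wording is shared by all codes. The body of check_code_is_escaped continues on both sides of this hunk.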
@@ -889,7 +891,7 @@ private function walk_match_expression( $stackPtr ) { } // Now check that the value returned by this match "leaf" is correctly escaped. - $this->check_code_is_escaped( $item_start, $item_end ); + $this->check_code_is_escaped( $item_start, $item_end, $code ); // Independently of whether or not the check was succesfull or ran into (parse error) problems, // always skip to the identified end of the item. From 9385487abfc09853c9dcf298f3efe99a99726e79 Mon Sep 17 00:00:00 2001 From: Brad Jorsch Date: Mon, 4 Sep 2023 16:08:32 -0400 Subject: [PATCH 04/10] Keep the old code for `trigger_error` Per https://github.com/WordPress/WordPress-Coding-Standards/issues/2374#issuecomment-1704338167 --- WordPress/Sniffs/Security/EscapeOutputSniff.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WordPress/Sniffs/Security/EscapeOutputSniff.php b/WordPress/Sniffs/Security/EscapeOutputSniff.php index a3a0bd59de..37c38f0a8f 100644 --- a/WordPress/Sniffs/Security/EscapeOutputSniff.php +++ b/WordPress/Sniffs/Security/EscapeOutputSniff.php @@ -414,7 +414,7 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content return $end; } - return $this->check_code_is_escaped( $message_param['start'], ( $message_param['end'] + 1 ), 'ErrorNotEscaped' ); + return $this->check_code_is_escaped( $message_param['start'], ( $message_param['end'] + 1 ), 'OutputNotEscaped' ); } /* From f5590ce7b2d43fa73a7cfff22f481cace830c204 Mon Sep 17 00:00:00 2001 From: Brad Jorsch Date: Tue, 5 Sep 2023 09:40:11 -0400 Subject: [PATCH 05/10] Default `$code` per request --- WordPress/Sniffs/Security/EscapeOutputSniff.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/WordPress/Sniffs/Security/EscapeOutputSniff.php b/WordPress/Sniffs/Security/EscapeOutputSniff.php index 37c38f0a8f..65ee5af3d2 100644 --- a/WordPress/Sniffs/Security/EscapeOutputSniff.php +++ b/WordPress/Sniffs/Security/EscapeOutputSniff.php 
@@ -344,7 +344,7 @@ public function process_token( $stackPtr ) { break; } - return $this->check_code_is_escaped( $start, $end, 'OutputNotEscaped' ); + return $this->check_code_is_escaped( $start, $end ); } /** @@ -395,7 +395,7 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content continue; } - $this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ), 'OutputNotEscaped' ); + $this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ) ); } return $end; @@ -414,7 +414,7 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content return $end; } - return $this->check_code_is_escaped( $message_param['start'], ( $message_param['end'] + 1 ), 'OutputNotEscaped' ); + return $this->check_code_is_escaped( $message_param['start'], ( $message_param['end'] + 1 ) ); } /* @@ -435,7 +435,7 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content // Examine each parameter individually. foreach ( $params as $param ) { - $this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ), 'OutputNotEscaped' ); + $this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ) ); } return $end; @@ -452,7 +452,7 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content * * @return int Integer stack pointer to skip forward. */ - protected function check_code_is_escaped( $start, $end, $code ) { + protected function check_code_is_escaped( $start, $end, $code = 'OutputNotEscaped' ) { /* * Check for a ternary operator. * We only need to do this here if this statement is lacking parenthesis. From fe4fa457552d6618135726506d3877ce330f7d42 Mon Sep 17 00:00:00 2001 
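Review bot: The signature in the `@@ -452,7 +452,7 @@` hunk makes `$code` optional with the default `'OutputNotEscaped'`, but the `@param string $code Code to use for the PHPCS error.` line just above the hunk (added in patch 03/10) still reads as a required argument. Update it to `@param string $code Optional. Code to use for the PHPCS error. Defaults to 'OutputNotEscaped'.` so the default is documented where callers look for it. The four call sites in the earlier hunks of this patch drop the explicit `'OutputNotEscaped'` argument, which is consistent with that default; this patch does not appear to touch walk_match_expression, whose `$code` parameter stays required, and a short comment there saying it always receives the code from check_code_is_escaped would prevent the two signatures from looking inconsistent. The body of check_code_is_escaped continues outside the hunk.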
From: =?UTF-8?q?Denis=20=C5=BDoljom?= Date: Mon, 28 Aug 2023 14:32:20 +0200 Subject: [PATCH 06/10] Update readme of the project Add the funding link and section in the readme. Add the link to the v3 release make post in the readme. Add the FUNDING.yml file so that we can add the funding button in the repo. Co-authored-by: Juliette <663378+jrfnl@users.noreply.github.com> --- .github/FUNDING.yml | 1 + README.md | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000000..f2427b9ed5 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1 @@ +custom: ["https://opencollective.com/thewpcc/contribute/wp-php-63406", WP PHP] diff --git a/README.md b/README.md index 459adb0414..147eb5a18f 100644 --- a/README.md +++ b/README.md @@ -39,13 +39,17 @@ * [Fixing errors or ignoring them](#fixing-errors-or-ignoring-them) + [Tools shipped with WordPressCS](#tools-shipped-with-wordpresscs) * [Contributing](#contributing) +* [Funding](#funding) * [License](#license) +--- ## Introduction This project is a collection of [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) rules (sniffs) to validate code developed for WordPress. It ensures code quality and adherence to coding conventions, especially the official [WordPress Coding Standards](https://make.wordpress.org/core/handbook/best-practices/coding-standards/). +This project needs funding. If you want to donate read [here](#funding) about how you can help. + ## Minimum Requirements The WordPress Coding Standards package requires: 
@@ -62,7 +66,7 @@ For the best results, it is recommended to also ensure the following additional ## Installation -As of WordPressCS 3.0.0, installation via Composer using the below instructions is the only supported type of installation. +As of [WordPressCS 3.0.0](https://make.wordpress.org/core/2023/08/21/wordpresscs-3-0-0-is-now-available/), installation via Composer using the below instructions is the only supported type of installation. [Composer](https://getcomposer.org/) will automatically install the project dependencies and register the rulesets from WordPressCS and other external standards with PHP_CodeSniffer using the [Composer PHPCS plugin](https://github.com/PHPCSStandards/composer-installer). @@ -248,6 +252,10 @@ At this moment, WordPressCS offer the following tools: See [CONTRIBUTING](.github/CONTRIBUTING.md), including information about [unit testing](.github/CONTRIBUTING.md#unit-testing) the standard. +## Funding + +If you want to sponsor the work on WordPressCS, you can do so by donating to the [WP PHP Open Collective](https://opencollective.com//thewpcc/contribute/wp-php-63406). + ## License See [LICENSE](LICENSE) (MIT). From 45cff8da7e06b25b65e4986669b150e896fda7e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denis=20=C5=BDoljom?= Date: Sun, 10 Sep 2023 11:23:25 +0200 Subject: [PATCH 07/10] Update README.md Co-authored-by: Gary Jones --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 147eb5a18f..0175164c96 100644 --- a/README.md +++ b/README.md 
@@ -48,7 +48,7 @@ This project is a collection of [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) rules (sniffs) to validate code developed for WordPress. It ensures code quality and adherence to coding conventions, especially the official [WordPress Coding Standards](https://make.wordpress.org/core/handbook/best-practices/coding-standards/). -This project needs funding. If you want to donate read [here](#funding) about how you can help. +This project needs funding. [Find out how you can help](#funding). ## Minimum Requirements From d3c67d8763f231900aece6a9ee1cc86c5d1d4f21 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Mon, 11 Sep 2023 00:13:39 +0200 Subject: [PATCH 08/10] Funding: fix format This should either be an array of links or a singular link. The `WP PHP` was regarded as an invalid link (not as a link description). Ref: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository --- .github/FUNDING.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml index f2427b9ed5..1c6df73886 100644 --- a/.github/FUNDING.yml +++ b/.github/FUNDING.yml @@ -1 +1 @@ -custom: ["https://opencollective.com/thewpcc/contribute/wp-php-63406", WP PHP] +custom: "https://opencollective.com/thewpcc/contribute/wp-php-63406" From 401e4ece82a102a2eb683325f58ef26dde505e88 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Mon, 11 Sep 2023 16:39:31 +0200 Subject: [PATCH 09/10] Release checklist: add link to monthly dev blog Apparently we have to pro-actively inform the team as they don't appear to watch Make. Ref: https://developer.wordpress.org/news/2023/09/whats-new-for-developers-september-2023/#comment-1611 --- .github/release-checklist.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/release-checklist.md b/.github/release-checklist.md index 3c39e21ed0..df5f91ed48 100644 
--- a/.github/release-checklist.md +++ b/.github/release-checklist.md @@ -62,9 +62,10 @@ PR for tracking changes for the x.x.x release. Target release date: **DOW MONTH - [ ] Tweet, toot, etc about the release. - [ ] Post about it in Slack. - [ ] Submit for ["Month in WordPress"][month-in-wp]. - +- [ ] Submit for the ["Monthy Dev Roundup"][dev-roundup]. [phpcs-releases]: https://github.com/squizlabs/PHP_CodeSniffer/releases [phpcsutils-releases]: https://github.com/PHPCSStandards/PHPCSUtils/releases [phpcsextra-releases]: https://github.com/PHPCSStandards/PHPCSExtra/releases [month-in-wp]: https://make.wordpress.org/community/month-in-wordpress-submissions/ +[dev-roundup]: https://github.com/WordPress/developer-blog-content/issues?q=is%3Aissue+label%3A%22Monthly+Roundup%22 From 9f57f6bddf355a69694b8705693893bab7c41fed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denis=20=C5=BDoljom?= Date: Wed, 13 Sep 2023 10:34:25 +0200 Subject: [PATCH 10/10] Add changelog for v3.0.1 Co-authored-by: Juliette <663378+jrfnl@users.noreply.github.com> Co-authored-by: Gary Jones --- CHANGELOG.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d2e0cb8c58..2e9ca7edb4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,6 +8,23 @@ This projects adheres to [Semantic Versioning](https://semver.org/) and [Keep a _No documentation available about unreleased changes as of yet._ +## [3.0.1] - 2023-09-13 + +### Added + +- In WordPressCS 3.0.0, the functionality of the `WordPress.Security.EscapeOutput` sniff was updated to report unescaped message parameters passed to exceptions created in `throw` statements. This specific violation now has a separate error code: `ExceptionNotEscaped`. This will allow users to ignore or exclude that specific error code. Props [@anomiex]. + The error code(s) for other escaping issues flagged by the sniff remain unchanged. + +### Changed + +- Updated the CI workflow to test the example ruleset for issues. +- Funding files and updates in the Readme about funding the project. + +### Fixed + +- Fixed a sniff name in the `phpcs.xml.dist.sample` file (case-sensitive sniff name). Props [@dawidurbanski]. + + ## [3.0.0] - 2023-08-21 ### Important information about this release: @@ -1556,6 +1573,7 @@ Initial tagged release. [Composer PHPCS plugin]: https://github.com/PHPCSStandards/composer-installer [Unreleased]: https://github.com/WordPress/WordPress-Coding-Standards/compare/main...HEAD +[3.0.1]: https://github.com/WordPress/WordPress-Coding-Standards/compare/3.0.0...3.0.1 [3.0.0]: https://github.com/WordPress/WordPress-Coding-Standards/compare/2.3.0...3.0.0 [2.3.0]: https://github.com/WordPress/WordPress-Coding-Standards/compare/2.2.1...2.3.0 [2.2.1]: https://github.com/WordPress/WordPress-Coding-Standards/compare/2.2.0...2.2.1 
@@ -1585,8 +1603,10 @@ Initial tagged release. [0.3.0]: https://github.com/WordPress/WordPress-Coding-Standards/compare/2013-10-06...0.3.0 [2013-10-06]: https://github.com/WordPress/WordPress-Coding-Standards/compare/2013-06-11...2013-10-06 +[@anomiex]: https://github.com/anomiex [@ckanitz]: https://github.com/ckanitz [@craigfrancis]: https://github.com/craigfrancis +[@dawidurbanski]: https://github.com/dawidurbanski [@desrosj]: https://github.com/desrosj [@grappler]: https://github.com/grappler [@Ipstenu]: https://github.com/Ipstenu