Feature/add pattern library manager#38
Merged
noelsaw1 merged 3 commits intodevelopmentfrom Jan 7, 2026
Merged
Conversation
noelsaw1
added a commit
that referenced
this pull request
Jan 9, 2026
…elds Add new pattern wp-json-html-escape to detect HTML escaping functions (esc_url, esc_attr, esc_html) used in JSON response fields with URL-like names, which causes double-encoding issues breaking redirects in JavaScript. Pattern Details: - ID: wp-json-html-escape - Category: Reliability / Correctness - Severity: MEDIUM (heuristic - needs review) - Type: PHP - Detection: Two-step approach 1. Find JSON response functions (wp_send_json_*, WP_REST_Response, wp_json_encode) 2. Check for esc_* in URL-like keys (url, redirect, link, href, etc.) Problem: Using esc_url() in JSON responses encodes & → & which breaks JavaScript redirects. This is a very common WordPress development mistake where developers over-escape without understanding context. Example: ❌ Bad: wp_send_json_success(['redirect_url' => esc_url($url)]); ✅ Good: wp_send_json_success(['redirect_url' => $url]); Why Heuristic: - Sometimes developers intentionally send HTML fragments in JSON - Escaping may be correct for non-URL fields (e.g., 'message') - Context matters - pattern flags suspicious cases for review Changes: - Added pattern definition: dist/patterns/wp-json-html-escape.json - Integrated detection logic: dist/bin/check-performance.sh (lines 4778-4844) - Created test fixture: dist/bin/fixtures/wp-json-html-escape.php (11 test cases) - Updated CHANGELOG.md with v1.1.2 release notes - Bumped script version to 1.1.2 - Updated pattern library: 29 patterns total (18 PHP, 6 Headless, 4 Node.js, 1 JS) - Heuristic patterns: 10 total (was 9) Test Results: ✅ Detected 11/11 expected cases (8 true positives + 3 edge cases) ✅ Pattern library manager updated successfully ✅ Main scanner integration verified Impact: Helps prevent hard-to-debug redirect failures and double-encoding issues in AJAX/REST API responses. Educational value for teaching context-aware escaping in WordPress development.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pattern Library Manager - Automated pattern registry generation and marketing stats
False Positive Reduction - Mitigation Detection
Memory / OOM Crash Prevention Checks