
feat: Add heuristic pattern for HTML-escaping in JSON response to Development#47

Merged
noelsaw1 merged 1 commit into development from rules/add-double-escape on Jan 9, 2026

Conversation


@noelsaw1 noelsaw1 commented Jan 9, 2026

Add new pattern wp-json-html-escape to detect HTML escaping functions (esc_url, esc_attr, esc_html) used in JSON response fields with URL-like names, which causes double-encoding issues breaking redirects in JavaScript.

Pattern Details:

  • ID: wp-json-html-escape
  • Category: Reliability / Correctness
  • Severity: MEDIUM (heuristic - needs review)
  • Type: PHP
  • Detection: Two-step approach
    1. Find JSON response functions (wp_send_json_*, WP_REST_Response, wp_json_encode)
    2. Check for esc_* in URL-like keys (url, redirect, link, href, etc.)

Problem:
Using esc_url() in JSON responses encodes & → &amp; which breaks JavaScript redirects. This is a very common WordPress development mistake where developers over-escape without understanding context.

Example:
❌ Bad:  wp_send_json_success(['redirect_url' => esc_url($url)]);
✅ Good: wp_send_json_success(['redirect_url' => $url]);

Why Heuristic:

  • Sometimes developers intentionally send HTML fragments in JSON
  • Escaping may be correct for non-URL fields (e.g., 'message')
  • Context matters - pattern flags suspicious cases for review

Changes:

  • Added pattern definition: dist/patterns/wp-json-html-escape.json
  • Integrated detection logic: dist/bin/check-performance.sh (lines 4778-4844)
  • Created test fixture: dist/bin/fixtures/wp-json-html-escape.php (11 test cases)
  • Updated CHANGELOG.md with v1.1.2 release notes
  • Bumped script version to 1.1.2
  • Updated pattern library: 29 patterns total (18 PHP, 6 Headless, 4 Node.js, 1 JS)
  • Heuristic patterns: 10 total (was 9)

Test Results:
✅ Detected 11/11 expected cases (8 true positives + 3 edge cases)
✅ Pattern library manager updated successfully
✅ Main scanner integration verified

Impact:
Helps prevent hard-to-debug redirect failures and double-encoding issues in AJAX/REST API responses. Educational value for teaching context-aware escaping in WordPress development.
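The two-step heuristic described above, as an added illustration that is not the PR's own bash implementation in dist/bin/check-performance.sh: a line-based Python scanner that first looks for a JSON response call and only then checks URL-like keys for esc_url/esc_attr/esc_html. The regexes, the scan() function and the PHP sample are constructed assumptions, not the project's pattern JSON or fixture file.

```python
import re
from typing import List, Tuple

# Constructed PHP sample (not the PR's fixture). esc_url_raw() is WordPress's
# non-HTML variant, so it is deliberately left unflagged.
SAMPLE_PHP = """<?php
wp_send_json_success(['redirect_url' => esc_url($url)]);
wp_send_json_success(['redirect_url' => $url]);
wp_send_json_error(['message' => esc_html($msg)]);
$resp = new WP_REST_Response(['link' => esc_attr($link), 'title' => esc_html($t)]);
echo wp_json_encode(['href' => esc_url_raw($href)]);
echo esc_url($url);
"""

# Step 1: the line must build a JSON response.
JSON_RESPONSE = re.compile(
    r"\b(wp_send_json(?:_success|_error)?|WP_REST_Response|wp_json_encode)\s*\("
)

# Step 2: a URL-like key (url, redirect, link, href) assigned from an
# HTML-escaping function. The trailing "\(" keeps esc_url_raw() from matching.
ESC_IN_URL_KEY = re.compile(
    r"""['"]([A-Za-z0-9_]*(?:url|redirect|link|href)[A-Za-z0-9_]*)['"]"""
    r"""\s*=>\s*(esc_(?:url|attr|html))\s*\(""",
    re.IGNORECASE,
)


def scan(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key, escaping function) for each heuristic hit.

    Like the pattern in the PR this is a review aid, not proof of a bug:
    a key such as 'unlink_count' would also match, and calls split across
    several lines are not seen because matching is per line.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if not JSON_RESPONSE.search(line):
            continue
        for match in ESC_IN_URL_KEY.finditer(line):
            findings.append((lineno, match.group(1), match.group(2)))
    return findings


if __name__ == "__main__":
    for lineno, key, func in scan(SAMPLE_PHP):
        print(f"line {lineno}: '{key}' => {func}() inside a JSON response (review)")
```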


…elds

Add new pattern wp-json-html-escape to detect HTML escaping functions
(esc_url, esc_attr, esc_html) used in JSON response fields with URL-like
names, which causes double-encoding issues breaking redirects in JavaScript.

Pattern Details:
- ID: wp-json-html-escape
- Category: Reliability / Correctness
- Severity: MEDIUM (heuristic - needs review)
- Type: PHP
- Detection: Two-step approach
  1. Find JSON response functions (wp_send_json_*, WP_REST_Response, wp_json_encode)
  2. Check for esc_* in URL-like keys (url, redirect, link, href, etc.)

Problem:
Using esc_url() in JSON responses encodes & → &amp; which breaks
JavaScript redirects. This is a very common WordPress development mistake
where developers over-escape without understanding context.

Example:
❌ Bad:  wp_send_json_success(['redirect_url' => esc_url($url)]);
✅ Good: wp_send_json_success(['redirect_url' => $url]);

Why Heuristic:
- Sometimes developers intentionally send HTML fragments in JSON
- Escaping may be correct for non-URL fields (e.g., 'message')
- Context matters - pattern flags suspicious cases for review

Changes:
- Added pattern definition: dist/patterns/wp-json-html-escape.json
- Integrated detection logic: dist/bin/check-performance.sh (lines 4778-4844)
- Created test fixture: dist/bin/fixtures/wp-json-html-escape.php (11 test cases)
- Updated CHANGELOG.md with v1.1.2 release notes
- Bumped script version to 1.1.2
- Updated pattern library: 29 patterns total (18 PHP, 6 Headless, 4 Node.js, 1 JS)
- Heuristic patterns: 10 total (was 9)

Test Results:
✅ Detected 11/11 expected cases (8 true positives + 3 edge cases)
✅ Pattern library manager updated successfully
✅ Main scanner integration verified

Impact:
Helps prevent hard-to-debug redirect failures and double-encoding issues
in AJAX/REST API responses. Educational value for teaching context-aware
escaping in WordPress development.
@noelsaw1 noelsaw1 merged commit e313e9d into development Jan 9, 2026
1 of 2 checks passed
