ProperEscapingFunction: fine-tune attribute regex

This adds test cases with:
* No space before "action" as it is at the start of the line in a multi-line text string.
* A tab before "action".

... and makes minor adjustments to the regex to safeguard handling these cases correctly.

WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php

@@ -23,7 +23,7 @@ class ProperEscapingFunctionSniff extends Sniff {
 	 *
 	 * @var string
 	 */
-	const ATTR_END_REGEX = '`(?<attrname>href|src|url|\s+action)?=(?:(?:\\\\)?["\'])?$`i';
+	const ATTR_END_REGEX = '`(?<attrname>href|src|url|(^|\s+)action)?=(?:\\\\)?["\']*$`i';
 
 	/**
 	 * List of escaping functions which are being tested.

WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc

@@ -85,3 +85,13 @@ echo 'data-param-url="' . Esc_HTML::static_method( $share_url ) . '"'; // OK.
 
 // Not a target for this sniff (yet).
 printf( '<meta name="generator" content="%s">', esc_attr( $content ) ); // OK.
+?>
+
+// Making sure tabs and new lines before "action" are handled correctly.
+<input class="something something-else something-more"
+	action="<?php echo esc_attr( $my_var ); ?>"><!-- Error. -->
+<?php
+echo '<input class="something something-else something-more"
+	action="', esc_url( $my_var ), '">'; // OK.
+echo '<input class="something something-else something-more"
+action="', esc_attr( $my_var ), '">'; // Error.

WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php

@@ -53,6 +53,8 @@ public function getErrorList() {
 			79 => 1,
 			80 => 1,
 			82 => 1,
+			92 => 1,
+			97 => 1,
 		];
 	}