ProperEscapingFunction: fix overreach

[jrfnl]

As part of the changes made in #624, the T_COMMA token was added to the list of tokens to skip over, to allow for echo statements with multiple arguments passed as a coma-delimited list.

As a side-effect, this caused the sniff to also examine [s]printf()-like function calls where the first parameter is a text string, while the second is often a variable within a call to one of the escaping functions.

The current change fixes this by only adding the T_COMMA token to the "ignore when looking for the previous token"-list when in an echo statement.

Includes unit test.

Fixes #667

Additional notes:

• I've run the sniff over WP Core to verify the fix and have verified that all 23 violations being throw up are correctly detected violations.
• If it would be considered a good idea to also examine, [s]printf()-like function calls for this sniff for proper escaping, I suggest opening a separate, new feature request as that change would need significantly different and quite complex logic and does not fall within the scope of this bug fix.

[westonruter]

It works much better but there are still false positives involving esc_attr_x():

FILE: includes/validation/class-amp-validated-url-post-type.php
----------------------------------------------------------------------
FOUND 5 ERRORS AFFECTING 5 LINES
----------------------------------------------------------------------
 2370 | ERROR | Wrong escaping function, using `esc_attr_x()` in a
      |       | context outside of HTML attributes may not escape
      |       | properly.
      |       | (WordPressVIPMinimum.Security.ProperEscapingFunction.notAttrEscAttr)
 2379 | ERROR | Wrong escaping function, using `esc_attr_x()` in a
      |       | context outside of HTML attributes may not escape
      |       | properly.
      |       | (WordPressVIPMinimum.Security.ProperEscapingFunction.notAttrEscAttr)
 2425 | ERROR | Wrong escaping function, using `esc_attr_x()` in a
      |       | context outside of HTML attributes may not escape
      |       | properly.
      |       | (WordPressVIPMinimum.Security.ProperEscapingFunction.notAttrEscAttr)
 2456 | ERROR | Wrong escaping function, using `esc_attr_x()` in a
      |       | context outside of HTML attributes may not escape
      |       | properly.
      |       | (WordPressVIPMinimum.Security.ProperEscapingFunction.notAttrEscAttr)
 2461 | ERROR | Wrong escaping function, using `esc_attr_x()` in a
      |       | context outside of HTML attributes may not escape
      |       | properly.
      |       | (WordPressVIPMinimum.Security.ProperEscapingFunction.notAttrEscAttr)
----------------------------------------------------------------------

See annotations in PR.

[westonruter]

Sorry, I was mistaken. Our code was using esc_attr_x() when we should have been using esc_html_x(), so the sniff caught a bug! True positive!

[jrfnl]

Thanks for testing @westonruter and glad to hear that this PR fixes the issue.

[rebeccahum]

Tested and works great!

[manooweb]

Hello,
When this fix will be released please?

[rebeccahum]

@manooweb Hi! This will be released with 2.3.1, which we are hoping to within the next few days.

[manooweb]

Ok 👍 thanks