From 330dd4cf6bf630104f6cd6ddefafef8f3367226b Mon Sep 17 00:00:00 2001
From: Gudmundur Haraldsson <gudmundur.haraldsson@automattic.com>
Date: Wed, 16 Jun 2021 13:04:27 +0000
Subject: [PATCH 01/10] Update ruleset.xml to configure VariableAnalysis

---
 WordPress-VIP-Go/ruleset.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/WordPress-VIP-Go/ruleset.xml b/WordPress-VIP-Go/ruleset.xml
index ba9099a2..60e2dc12 100644
--- a/WordPress-VIP-Go/ruleset.xml
+++ b/WordPress-VIP-Go/ruleset.xml
@@ -251,6 +251,16 @@
 	<rule ref="VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable">
 		<severity>0</severity>
 	</rule>
+
+	<!-- Do not report on undefined variables before require nor
+	     in file scope. See discussion here: https://github.com/Automattic/vip-go-ci/issues/120 --> 
+	<rule ref="VariableAnalysis.CodeAnalysis.VariableAnalysis">
+		<properties>
+			<property name="allowUnusedVariablesBeforeRequire" value="true"/>
+			<property name="allowUndefinedVariablesInFileScope" value="true"/>
+		</properties>
+	</rule>
+
 	<rule ref="WordPress.DB.SlowDBQuery.slow_db_query_meta_key">
 		<!-- We are silencing this one because VIP Go has a combined index on meta_key, meta_value-->
 		<severity>0</severity>

From 1d378b2c430c55e22479cfa77ab119061eec692d Mon Sep 17 00:00:00 2001
From: Gudmundur Haraldsson <gudmundur.haraldsson@automattic.com>
Date: Wed, 16 Jun 2021 13:24:07 +0000
Subject: [PATCH 02/10] Fix XML linting issue

---
 WordPress-VIP-Go/ruleset.xml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/WordPress-VIP-Go/ruleset.xml b/WordPress-VIP-Go/ruleset.xml
index 60e2dc12..0b144b3f 100644
--- a/WordPress-VIP-Go/ruleset.xml
+++ b/WordPress-VIP-Go/ruleset.xml
@@ -252,8 +252,7 @@
 		<severity>0</severity>
 	</rule>
 
-	<!-- Do not report on undefined variables before require nor
-	     in file scope. See discussion here: https://github.com/Automattic/vip-go-ci/issues/120 --> 
+	<!-- Do not report on undefined variables before require nor in file scope. -->
 	<rule ref="VariableAnalysis.CodeAnalysis.VariableAnalysis">
 		<properties>
 			<property name="allowUnusedVariablesBeforeRequire" value="true"/>

From 777ca46f5abc6071338e9032584c84a1fb215fe4 Mon Sep 17 00:00:00 2001
From: Rebecca Hum <16962021+rebeccahum@users.noreply.github.com>
Date: Tue, 22 Jun 2021 11:19:21 -0600
Subject: [PATCH 03/10] Bump VA to 2.11.1

---
 composer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/composer.json b/composer.json
index a1d7f0be..5a7ee54b 100644
--- a/composer.json
+++ b/composer.json
@@ -17,7 +17,7 @@
 	"require": {
 		"php": ">=5.4",
 		"dealerdirect/phpcodesniffer-composer-installer": "^0.4.1 || ^0.5 || ^0.6.2 || ^0.7",
-		"sirbrillig/phpcs-variable-analysis": "^2.8.3",
+		"sirbrillig/phpcs-variable-analysis": "^2.11.1",
 		"squizlabs/php_codesniffer": "^3.5.5",
 		"wp-coding-standards/wpcs": "^2.3"
 	},

From 00838aeae726b0b30cb5706ebece005db7821b9f Mon Sep 17 00:00:00 2001
From: Brooke <hi@broo.ke>
Date: Thu, 24 Jun 2021 11:55:16 -0700
Subject: [PATCH 04/10] Remove dbDelta Warning

This removes the dbDelta message which previously stated to contact
WordPress.com VIP support for review. Fixes #479.
---
 .../Sniffs/Functions/RestrictedFunctionsSniff.php          | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/WordPressVIPMinimum/Sniffs/Functions/RestrictedFunctionsSniff.php b/WordPressVIPMinimum/Sniffs/Functions/RestrictedFunctionsSniff.php
index 9893c1b3..8f3bba86 100644
--- a/WordPressVIPMinimum/Sniffs/Functions/RestrictedFunctionsSniff.php
+++ b/WordPressVIPMinimum/Sniffs/Functions/RestrictedFunctionsSniff.php
@@ -74,13 +74,6 @@ public function getGroups() {
 					'attachment_url_to_postid',
 				],
 			],
-			'dbDelta' => [
-				'type'      => 'error',
-				'message'   => 'All database modifications have to approved by the WordPress.com VIP team.',
-				'functions' => [
-					'dbDelta',
-				],
-			],
 			// @link https://docs.wpvip.com/technical-references/code-review/vip-notices/#h-switch_to_blog
 			'switch_to_blog' => [
 				'type'      => 'warning',

From 75ece92d365ffdeceb1227354660cde77f17c2a7 Mon Sep 17 00:00:00 2001
From: Rebecca Hum <16962021+rebeccahum@users.noreply.github.com>
Date: Mon, 28 Jun 2021 15:47:40 -0600
Subject: [PATCH 05/10] Account for dbDelta removal in rulesets and tests

---
 WordPress-VIP-Go/ruleset-test.inc                             | 4 ++--
 WordPress-VIP-Go/ruleset-test.php                             | 1 -
 WordPress-VIP-Go/ruleset.xml                                  | 4 ----
 .../Tests/Functions/RestrictedFunctionsUnitTest.inc           | 4 ++--
 .../Tests/Functions/RestrictedFunctionsUnitTest.php           | 1 -
 WordPressVIPMinimum/ruleset-test.inc                          | 2 +-
 WordPressVIPMinimum/ruleset-test.php                          | 1 -
 7 files changed, 5 insertions(+), 12 deletions(-)

diff --git a/WordPress-VIP-Go/ruleset-test.inc b/WordPress-VIP-Go/ruleset-test.inc
index 876a9c6d..61e56955 100644
--- a/WordPress-VIP-Go/ruleset-test.inc
+++ b/WordPress-VIP-Go/ruleset-test.inc
@@ -111,8 +111,8 @@ filter_var_array( $array, FILTER_SANITIZE_STRING ); // Ok.
 filter_input_array( $array,FILTER_SANITIZE_STRING      ); // Ok.
 filter_input( INPUT_GET, 'foo', FILTER_DEFAULT ); // Warning.
 
-// WordPressVIPMinimum.Functions.RestrictedFunctions.dbDelta_dbdelta
-dbDelta( $query, true ); // Warning.
+
+
 
 // WordPressVIPMinimum.Functions.RestrictedFunctions.wp_mail_wp_mail
 wp_mail(); // Warning.
diff --git a/WordPress-VIP-Go/ruleset-test.php b/WordPress-VIP-Go/ruleset-test.php
index 6bca6c91..af455144 100644
--- a/WordPress-VIP-Go/ruleset-test.php
+++ b/WordPress-VIP-Go/ruleset-test.php
@@ -147,7 +147,6 @@
 		108 => 1,
 		109 => 1,
 		112 => 1,
-		115 => 1,
 		118 => 1,
 		119 => 1,
 		123 => 1,
diff --git a/WordPress-VIP-Go/ruleset.xml b/WordPress-VIP-Go/ruleset.xml
index 0b144b3f..e4297a51 100644
--- a/WordPress-VIP-Go/ruleset.xml
+++ b/WordPress-VIP-Go/ruleset.xml
@@ -132,10 +132,6 @@
 	<rule ref="WordPressVIPMinimum.Security.PHPFilterFunctions">
 		<severity>10</severity>
 	</rule>
-	<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.dbDelta_dbdelta">
-		<type>warning</type>
-		<severity>7</severity>
-	</rule>
 	<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.wp_mail_wp_mail">
 		<severity>7</severity>
 	</rule>
diff --git a/WordPressVIPMinimum/Tests/Functions/RestrictedFunctionsUnitTest.inc b/WordPressVIPMinimum/Tests/Functions/RestrictedFunctionsUnitTest.inc
index fece7131..3e65ae90 100644
--- a/WordPressVIPMinimum/Tests/Functions/RestrictedFunctionsUnitTest.inc
+++ b/WordPressVIPMinimum/Tests/Functions/RestrictedFunctionsUnitTest.inc
@@ -49,8 +49,8 @@ flush_rules(); // Ok - not in global class.
 $wp_write->flush_rules(); // Ok - not in global class $wp_rewrite.
 $wp_rewrite->flush_rules(); // Error.
 
-db_delta(); // Ok - similarly-named function to dbDelta().
-dbDelta(); // Error.
+
+
 
 switch_blog(); // Ok - similarly-named function to switch_to_blog().
 switch_to_blog( $blogid ); // Warning.
diff --git a/WordPressVIPMinimum/Tests/Functions/RestrictedFunctionsUnitTest.php b/WordPressVIPMinimum/Tests/Functions/RestrictedFunctionsUnitTest.php
index e907eae3..877f51b7 100644
--- a/WordPressVIPMinimum/Tests/Functions/RestrictedFunctionsUnitTest.php
+++ b/WordPressVIPMinimum/Tests/Functions/RestrictedFunctionsUnitTest.php
@@ -37,7 +37,6 @@ public function getErrorList() {
 			43  => 1,
 			46  => 1,
 			50  => 1,
-			53  => 1,
 			59  => 1,
 			62  => 1,
 			75  => 1,
diff --git a/WordPressVIPMinimum/ruleset-test.inc b/WordPressVIPMinimum/ruleset-test.inc
index 5c89e02a..803e890f 100644
--- a/WordPressVIPMinimum/ruleset-test.inc
+++ b/WordPressVIPMinimum/ruleset-test.inc
@@ -320,7 +320,7 @@ wpcom_vip_irc(); // Error.
 flush_rewrite_rules(); // Error.
 $wp_rewrite->flush_rules(); // Error.
 attachment_url_to_postid( $url ); // Error.
-dbDelta(); // Error.
+
 switch_to_blog( $blogid ); // Warning.
 get_page_by_title( $page_title ); // Error.
 url_to_postid( $url ); // Error.
diff --git a/WordPressVIPMinimum/ruleset-test.php b/WordPressVIPMinimum/ruleset-test.php
index 8320825c..19d74bf1 100644
--- a/WordPressVIPMinimum/ruleset-test.php
+++ b/WordPressVIPMinimum/ruleset-test.php
@@ -92,7 +92,6 @@
 		320 => 1,
 		321 => 1,
 		322 => 1,
-		323 => 1,
 		325 => 1,
 		326 => 1,
 		327 => 1,

From c3a80f053e9b9ebec53b1d2ce90480a6d5de6c34 Mon Sep 17 00:00:00 2001
From: Rebecca Hum <16962021+rebeccahum@users.noreply.github.com>
Date: Wed, 30 Jun 2021 10:20:39 -0600
Subject: [PATCH 06/10] Downgrade
 WordPressVIPMinimum.Security.ProperEscapingFunction.htmlAttrNotByEscHTML to
 warning

---
 WordPress-VIP-Go/ruleset-test.inc                 |  4 ++--
 WordPress-VIP-Go/ruleset-test.php                 |  4 ++--
 WordPress-VIP-Go/ruleset.xml                      |  4 ----
 .../Security/ProperEscapingFunctionSniff.php      |  4 ++--
 .../Security/ProperEscapingFunctionUnitTest.inc   | 12 ++++++------
 .../Security/ProperEscapingFunctionUnitTest.php   | 15 ++++++++-------
 WordPressVIPMinimum/ruleset-test.inc              |  2 +-
 WordPressVIPMinimum/ruleset-test.php              |  2 +-
 8 files changed, 22 insertions(+), 25 deletions(-)

diff --git a/WordPress-VIP-Go/ruleset-test.inc b/WordPress-VIP-Go/ruleset-test.inc
index 61e56955..df6e313c 100644
--- a/WordPress-VIP-Go/ruleset-test.inc
+++ b/WordPress-VIP-Go/ruleset-test.inc
@@ -253,10 +253,10 @@ $test = @in_array( $array, $needle, true ); // Error.
 
 // WordPressVIPMinimum.Security.ProperEscapingFunction.htmlAttrNotByEscHTML
 echo '<a href="' . esc_attr( $some_var ) . '"></a>'; // Error.
-echo '<a title="' . esc_html( $some_var ) . '"></a>'; // Error.
+echo '<a title="' . esc_html( $some_var ) . '"></a>'; // Warning.
 echo '<a href="' . esc_url( $some_var ) . '"></a>'; // OK.
 ?><a href="<?php echo esc_attr( $some_var ); ?>">Hello</a> <!-- Error. -->
-<a href="" class="<?php echo esc_html( $some_var); ?>">Hey</a> <!-- Error. -->
+<a href="" class="<?php echo esc_html( $some_var); ?>">Hey</a> <!-- Warning. -->
 <a href="<?php esc_url( $url );?>"></a> <!-- Ok. -->
 <a title="<?php esc_attr( $url );?>"></a> <?php // Ok.
 
diff --git a/WordPress-VIP-Go/ruleset-test.php b/WordPress-VIP-Go/ruleset-test.php
index af455144..264eb0ba 100644
--- a/WordPress-VIP-Go/ruleset-test.php
+++ b/WordPress-VIP-Go/ruleset-test.php
@@ -27,9 +27,7 @@
 		188 => 1,
 		252 => 1,
 		255 => 1,
-		256 => 1,
 		258 => 1,
-		259 => 1,
 		318 => 1,
 		329 => 1,
 		334 => 1,
@@ -193,6 +191,8 @@
 		245 => 1,
 		246 => 1,
 		247 => 1,
+		256 => 1,
+		259 => 1,
 		265 => 1,
 		269 => 1,
 		273 => 1,
diff --git a/WordPress-VIP-Go/ruleset.xml b/WordPress-VIP-Go/ruleset.xml
index e4297a51..58386a58 100644
--- a/WordPress-VIP-Go/ruleset.xml
+++ b/WordPress-VIP-Go/ruleset.xml
@@ -229,10 +229,6 @@
 	<rule ref="Generic.PHP.NoSilencedErrors">
 		<severity>1</severity>
 	</rule>
-	<rule ref="WordPressVIPMinimum.Security.ProperEscapingFunction.htmlAttrNotByEscHTML">
-		<!-- This is still safe, just sub-optimal-->
-		<severity>3</severity>
-	</rule>
 	<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.is_multi_author_is_multi_author">
 		<severity>1</severity>
 	</rule>
diff --git a/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php b/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php
index 9b9513f0..e30af7c3 100644
--- a/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php
+++ b/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php
@@ -205,8 +205,8 @@ public function process_token( $stackPtr ) {
 
 		if ( $escaping_type === 'html' ) {
 			$message = 'Wrong escaping function. HTML attributes should be escaped by `esc_attr()`, not by `%s()`.';
-			$this->phpcsFile->addError( $message, $stackPtr, 'htmlAttrNotByEscHTML', $data );
-			return;
+			$this->phpcsFile->addWarning( $message, $stackPtr, 'htmlAttrNotByEscHTML', $data );
+			return; // Warning level because sub-optimal due to different filters, but still OK.
 		}
 	}
 
diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc
index af65ab5f..35c66e49 100644
--- a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc
+++ b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc
@@ -12,15 +12,15 @@ echo '<a title="' . esc_attr( $some_var ) . '"></a>'; // OK.
 
 echo "<a title='" . \esc_attr( $some_var ) . "'></a>"; // OK.
 
-echo '<a title="' . esc_html_x( $some_var ) . '"></a>'; // Error.
+echo '<a title="' . esc_html_x( $some_var ) . '"></a>'; // Warning.
 
-echo "<a title='" . \esc_html( $some_var ) . "'></a>"; // Error.
+echo "<a title='" . \esc_html( $some_var ) . "'></a>"; // Warning.
 
 ?>
 
 <a href="<?php echo esc_attr( $some_var ); ?>">Hello</a> <!-- Error. -->
 
-<a href="" class="<?php esc_html_e( $some_var); ?>">Hey</a> <!-- Error. -->
+<a href="" class="<?php esc_html_e( $some_var); ?>">Hey</a> <!-- Warning. -->
 
 <a href="<?php esc_url( $url );?>"></a> <!-- OK. -->
 
@@ -71,9 +71,9 @@ echo "<$tag>  " , esc_attr( $test ) , "</$tag>"; // Error.
 <?php echo "<div>" . $test . "</div>"; // OK.
 echo "<{$tag}>" . esc_attr( $tag_content ) . "</{$tag}>"; // Error.
 echo "<$tag" . '   >' . esc_attr( $tag_content ) . "</$tag>"; // Error.
-echo '<div class=\'' . esc_html($class) . '\'>'; // Error.
-echo "<div class=\"" . \esc_html__($class) . '">'; // Error.
-echo "<div $someAttribute class=\"" . esc_html($class) . '">'; // Error.
+echo '<div class=\'' . esc_html($class) . '\'>'; // Warning.
+echo "<div class=\"" . \esc_html__($class) . '">'; // Warning.
+echo "<div $someAttribute class=\"" . esc_html($class) . '">'; // Warning.
 echo '<a href=\'' . esc_html($url) . '\'>'; // Error.
 echo "<img src=\"" . esc_html($src) . '"/>'; // Error.
 echo "<div $someAttributeName-url=\"" . esc_html($url) . '">'; // Error.
diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php
index 9a4b31c8..1ae08a30 100644
--- a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php
+++ b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php
@@ -27,10 +27,7 @@ public function getErrorList() {
 		return [
 			3   => 1,
 			5   => 1,
-			15  => 1,
-			17  => 1,
 			21  => 1,
-			23  => 1,
 			33  => 1,
 			37  => 1,
 			41  => 1,
@@ -45,9 +42,6 @@ public function getErrorList() {
 			69  => 1,
 			72  => 1,
 			73  => 1,
-			74  => 1,
-			75  => 1,
-			76  => 1,
 			77  => 1,
 			78  => 1,
 			79  => 1,
@@ -66,7 +60,14 @@ public function getErrorList() {
 	 * @return array <int line number> => <int number of warnings>
 	 */
 	public function getWarningList() {
-		return [];
+		return [
+			15 => 1,
+			17 => 1,
+			23 => 1,
+			74 => 1,
+			75 => 1,
+			76 => 1,
+		];
 	}
 
 }
diff --git a/WordPressVIPMinimum/ruleset-test.inc b/WordPressVIPMinimum/ruleset-test.inc
index 803e890f..d1899e0b 100644
--- a/WordPressVIPMinimum/ruleset-test.inc
+++ b/WordPressVIPMinimum/ruleset-test.inc
@@ -548,7 +548,7 @@ echo '<a href="{{href}}">{{{data}}}</div></a>'; // Warning.
 
 // WordPressVIPMinimum.Security.ProperEscapingFunction
 echo '<a href="' . esc_attr( $some_var ) . '"></a>'; // Error.
-echo '<a title="' . esc_html( $some_var ) . '"></a>'; // Error.
+echo '<a title="' . esc_html( $some_var ) . '"></a>'; // Warning.
 
 // WordPressVIPMinimum.Security.StaticStrreplace
 str_replace( 'foo', array( 'bar', 'foo' ), 'foobar' ); // Error.
diff --git a/WordPressVIPMinimum/ruleset-test.php b/WordPressVIPMinimum/ruleset-test.php
index 19d74bf1..3e71061a 100644
--- a/WordPressVIPMinimum/ruleset-test.php
+++ b/WordPressVIPMinimum/ruleset-test.php
@@ -179,7 +179,6 @@
 		523 => 1,
 		525 => 1,
 		550 => 1,
-		551 => 1,
 		554 => 1,
 		569 => 1,
 		570 => 1,
@@ -290,6 +289,7 @@
 		535 => 1,
 		538 => 1,
 		545 => 1,
+		551 => 1,
 		559 => 1,
 		565 => 1,
 		589 => 1,

From c64d6a7d6f710584d58c055c0b7cf4d5f1d4940e Mon Sep 17 00:00:00 2001
From: jrfnl <jrfnl@users.noreply.github.com>
Date: Wed, 4 Aug 2021 16:24:39 +0200
Subject: [PATCH 07/10] PHPCS: enable caching

... to allow for faster scan results when scanning the VIPCS repo code itself.

The cache will automatically be invalidated when anything which is relevant changes.
---
 .gitignore      | 1 +
 .phpcs.xml.dist | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/.gitignore b/.gitignore
index 1c6a1b2f..4c8e37bd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ composer.lock
 phpcs.xml
 .phpcs.xml
 phpunit.xml
+phpcs.cache
diff --git a/.phpcs.xml.dist b/.phpcs.xml.dist
index 01fc5ff9..424f4095 100644
--- a/.phpcs.xml.dist
+++ b/.phpcs.xml.dist
@@ -13,6 +13,9 @@
 	<arg name="extensions" value="php"/>
 	<arg name="parallel" value="50"/>
 
+	<!-- Cache the results between runs. -->
+	<arg name="cache" value="./phpcs.cache"/>
+
 	<rule ref="WordPress-Extra">
 		<exclude name="WordPress.Files.FileName"/>
 		<exclude name="WordPress.NamingConventions.ValidVariableName"/>

From e09c47a21722b7233bf0fca63fa9fd235ca2218e Mon Sep 17 00:00:00 2001
From: Rebecca Hum <16962021+rebeccahum@users.noreply.github.com>
Date: Mon, 27 Sep 2021 14:18:00 -0600
Subject: [PATCH 08/10] Revert "Downgrade htmlAttrNotByEscHTML to a warning"

---
 WordPress-VIP-Go/ruleset-test.inc                 |  4 ++--
 WordPress-VIP-Go/ruleset-test.php                 |  4 ++--
 WordPress-VIP-Go/ruleset.xml                      |  4 ++++
 .../Security/ProperEscapingFunctionSniff.php      |  4 ++--
 .../Security/ProperEscapingFunctionUnitTest.inc   | 12 ++++++------
 .../Security/ProperEscapingFunctionUnitTest.php   | 15 +++++++--------
 WordPressVIPMinimum/ruleset-test.inc              |  2 +-
 WordPressVIPMinimum/ruleset-test.php              |  2 +-
 8 files changed, 25 insertions(+), 22 deletions(-)

diff --git a/WordPress-VIP-Go/ruleset-test.inc b/WordPress-VIP-Go/ruleset-test.inc
index df6e313c..61e56955 100644
--- a/WordPress-VIP-Go/ruleset-test.inc
+++ b/WordPress-VIP-Go/ruleset-test.inc
@@ -253,10 +253,10 @@ $test = @in_array( $array, $needle, true ); // Error.
 
 // WordPressVIPMinimum.Security.ProperEscapingFunction.htmlAttrNotByEscHTML
 echo '<a href="' . esc_attr( $some_var ) . '"></a>'; // Error.
-echo '<a title="' . esc_html( $some_var ) . '"></a>'; // Warning.
+echo '<a title="' . esc_html( $some_var ) . '"></a>'; // Error.
 echo '<a href="' . esc_url( $some_var ) . '"></a>'; // OK.
 ?><a href="<?php echo esc_attr( $some_var ); ?>">Hello</a> <!-- Error. -->
-<a href="" class="<?php echo esc_html( $some_var); ?>">Hey</a> <!-- Warning. -->
+<a href="" class="<?php echo esc_html( $some_var); ?>">Hey</a> <!-- Error. -->
 <a href="<?php esc_url( $url );?>"></a> <!-- Ok. -->
 <a title="<?php esc_attr( $url );?>"></a> <?php // Ok.
 
diff --git a/WordPress-VIP-Go/ruleset-test.php b/WordPress-VIP-Go/ruleset-test.php
index 264eb0ba..af455144 100644
--- a/WordPress-VIP-Go/ruleset-test.php
+++ b/WordPress-VIP-Go/ruleset-test.php
@@ -27,7 +27,9 @@
 		188 => 1,
 		252 => 1,
 		255 => 1,
+		256 => 1,
 		258 => 1,
+		259 => 1,
 		318 => 1,
 		329 => 1,
 		334 => 1,
@@ -191,8 +193,6 @@
 		245 => 1,
 		246 => 1,
 		247 => 1,
-		256 => 1,
-		259 => 1,
 		265 => 1,
 		269 => 1,
 		273 => 1,
diff --git a/WordPress-VIP-Go/ruleset.xml b/WordPress-VIP-Go/ruleset.xml
index 58386a58..e4297a51 100644
--- a/WordPress-VIP-Go/ruleset.xml
+++ b/WordPress-VIP-Go/ruleset.xml
@@ -229,6 +229,10 @@
 	<rule ref="Generic.PHP.NoSilencedErrors">
 		<severity>1</severity>
 	</rule>
+	<rule ref="WordPressVIPMinimum.Security.ProperEscapingFunction.htmlAttrNotByEscHTML">
+		<!-- This is still safe, just sub-optimal-->
+		<severity>3</severity>
+	</rule>
 	<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.is_multi_author_is_multi_author">
 		<severity>1</severity>
 	</rule>
diff --git a/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php b/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php
index e30af7c3..9b9513f0 100644
--- a/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php
+++ b/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php
@@ -205,8 +205,8 @@ public function process_token( $stackPtr ) {
 
 		if ( $escaping_type === 'html' ) {
 			$message = 'Wrong escaping function. HTML attributes should be escaped by `esc_attr()`, not by `%s()`.';
-			$this->phpcsFile->addWarning( $message, $stackPtr, 'htmlAttrNotByEscHTML', $data );
-			return; // Warning level because sub-optimal due to different filters, but still OK.
+			$this->phpcsFile->addError( $message, $stackPtr, 'htmlAttrNotByEscHTML', $data );
+			return;
 		}
 	}
 
diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc
index 35c66e49..af65ab5f 100644
--- a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc
+++ b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc
@@ -12,15 +12,15 @@ echo '<a title="' . esc_attr( $some_var ) . '"></a>'; // OK.
 
 echo "<a title='" . \esc_attr( $some_var ) . "'></a>"; // OK.
 
-echo '<a title="' . esc_html_x( $some_var ) . '"></a>'; // Warning.
+echo '<a title="' . esc_html_x( $some_var ) . '"></a>'; // Error.
 
-echo "<a title='" . \esc_html( $some_var ) . "'></a>"; // Warning.
+echo "<a title='" . \esc_html( $some_var ) . "'></a>"; // Error.
 
 ?>
 
 <a href="<?php echo esc_attr( $some_var ); ?>">Hello</a> <!-- Error. -->
 
-<a href="" class="<?php esc_html_e( $some_var); ?>">Hey</a> <!-- Warning. -->
+<a href="" class="<?php esc_html_e( $some_var); ?>">Hey</a> <!-- Error. -->
 
 <a href="<?php esc_url( $url );?>"></a> <!-- OK. -->
 
@@ -71,9 +71,9 @@ echo "<$tag>  " , esc_attr( $test ) , "</$tag>"; // Error.
 <?php echo "<div>" . $test . "</div>"; // OK.
 echo "<{$tag}>" . esc_attr( $tag_content ) . "</{$tag}>"; // Error.
 echo "<$tag" . '   >' . esc_attr( $tag_content ) . "</$tag>"; // Error.
-echo '<div class=\'' . esc_html($class) . '\'>'; // Warning.
-echo "<div class=\"" . \esc_html__($class) . '">'; // Warning.
-echo "<div $someAttribute class=\"" . esc_html($class) . '">'; // Warning.
+echo '<div class=\'' . esc_html($class) . '\'>'; // Error.
+echo "<div class=\"" . \esc_html__($class) . '">'; // Error.
+echo "<div $someAttribute class=\"" . esc_html($class) . '">'; // Error.
 echo '<a href=\'' . esc_html($url) . '\'>'; // Error.
 echo "<img src=\"" . esc_html($src) . '"/>'; // Error.
 echo "<div $someAttributeName-url=\"" . esc_html($url) . '">'; // Error.
diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php
index 1ae08a30..9a4b31c8 100644
--- a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php
+++ b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php
@@ -27,7 +27,10 @@ public function getErrorList() {
 		return [
 			3   => 1,
 			5   => 1,
+			15  => 1,
+			17  => 1,
 			21  => 1,
+			23  => 1,
 			33  => 1,
 			37  => 1,
 			41  => 1,
@@ -42,6 +45,9 @@ public function getErrorList() {
 			69  => 1,
 			72  => 1,
 			73  => 1,
+			74  => 1,
+			75  => 1,
+			76  => 1,
 			77  => 1,
 			78  => 1,
 			79  => 1,
@@ -60,14 +66,7 @@ public function getErrorList() {
 	 * @return array <int line number> => <int number of warnings>
 	 */
 	public function getWarningList() {
-		return [
-			15 => 1,
-			17 => 1,
-			23 => 1,
-			74 => 1,
-			75 => 1,
-			76 => 1,
-		];
+		return [];
 	}
 
 }
diff --git a/WordPressVIPMinimum/ruleset-test.inc b/WordPressVIPMinimum/ruleset-test.inc
index d1899e0b..803e890f 100644
--- a/WordPressVIPMinimum/ruleset-test.inc
+++ b/WordPressVIPMinimum/ruleset-test.inc
@@ -548,7 +548,7 @@ echo '<a href="{{href}}">{{{data}}}</div></a>'; // Warning.
 
 // WordPressVIPMinimum.Security.ProperEscapingFunction
 echo '<a href="' . esc_attr( $some_var ) . '"></a>'; // Error.
-echo '<a title="' . esc_html( $some_var ) . '"></a>'; // Warning.
+echo '<a title="' . esc_html( $some_var ) . '"></a>'; // Error.
 
 // WordPressVIPMinimum.Security.StaticStrreplace
 str_replace( 'foo', array( 'bar', 'foo' ), 'foobar' ); // Error.
diff --git a/WordPressVIPMinimum/ruleset-test.php b/WordPressVIPMinimum/ruleset-test.php
index 3e71061a..19d74bf1 100644
--- a/WordPressVIPMinimum/ruleset-test.php
+++ b/WordPressVIPMinimum/ruleset-test.php
@@ -179,6 +179,7 @@
 		523 => 1,
 		525 => 1,
 		550 => 1,
+		551 => 1,
 		554 => 1,
 		569 => 1,
 		570 => 1,
@@ -289,7 +290,6 @@
 		535 => 1,
 		538 => 1,
 		545 => 1,
-		551 => 1,
 		559 => 1,
 		565 => 1,
 		589 => 1,

From 87fd9468d6ef5988c7359a6a667d0c88eb7428c4 Mon Sep 17 00:00:00 2001
From: Rebecca Hum <16962021+rebeccahum@users.noreply.github.com>
Date: Mon, 27 Sep 2021 14:21:18 -0600
Subject: [PATCH 09/10] ProperEscapingFunction: Upgrade htmlAttrNotByEscHTML to
 default severity (5)

---
 WordPress-VIP-Go/ruleset.xml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/WordPress-VIP-Go/ruleset.xml b/WordPress-VIP-Go/ruleset.xml
index e4297a51..58386a58 100644
--- a/WordPress-VIP-Go/ruleset.xml
+++ b/WordPress-VIP-Go/ruleset.xml
@@ -229,10 +229,6 @@
 	<rule ref="Generic.PHP.NoSilencedErrors">
 		<severity>1</severity>
 	</rule>
-	<rule ref="WordPressVIPMinimum.Security.ProperEscapingFunction.htmlAttrNotByEscHTML">
-		<!-- This is still safe, just sub-optimal-->
-		<severity>3</severity>
-	</rule>
 	<rule ref="WordPressVIPMinimum.Functions.RestrictedFunctions.is_multi_author_is_multi_author">
 		<severity>1</severity>
 	</rule>

From e5d1c8147c95f95ea897247a18aa545b33804c35 Mon Sep 17 00:00:00 2001
From: Rebecca Hum <16962021+rebeccahum@users.noreply.github.com>
Date: Tue, 28 Sep 2021 10:34:59 -0600
Subject: [PATCH 10/10] Add changelog for 2.3.3 release

---
 CHANGELOG.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 045ac2da..b3a805c8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,19 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.3.3] - 2021-09-29
+
+Props: gudmdharalds, jrfnl, BrookeDot, rebeccahum
+
+## Changed
+- [#690](https://github.com/Automattic/VIP-Coding-Standards/pull/690): Ruleset: do not flag undefined variables in file scope or unused variables before require statement.
+- [#691](https://github.com/Automattic/VIP-Coding-Standards/pull/691): Composer: use VariableAnalysis 2.11.1.
+- [#694](https://github.com/Automattic/VIP-Coding-Standards/pull/694): PHPCS: enable caching for quicker scanning.
+- [#697](https://github.com/Automattic/VIP-Coding-Standards/pull/697): ProperEscapingFunction: upgrade htmlAttrNotByEscHTML to default severity level.
+
+## Removed
+- [#692](https://github.com/Automattic/VIP-Coding-Standards/pull/692): RestrictedFunctions: remove dbDelta group.
+
 ## [2.3.2] - 2021-04-28
 
 Props: jrfnl
@@ -557,6 +570,7 @@ Initial release.
 Props: david-binda, pkevan.
 
 
+[2.3.3]: https://github.com/Automattic/VIP-Coding-Standards/compare/2.3.2...2.3.3
 [2.3.2]: https://github.com/Automattic/VIP-Coding-Standards/compare/2.3.1...2.3.2
 [2.3.1]: https://github.com/Automattic/VIP-Coding-Standards/compare/2.3.0...2.3.1
 [2.3.0]: https://github.com/Automattic/VIP-Coding-Standards/compare/2.2.0...2.3.0