From baf95127b9f9122f1beb077be2d1e83512ed78f3 Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Thu, 29 Jun 2023 19:55:03 +0200
Subject: [PATCH] EscapingFunctionsTrait: make sure function names are checked
case-insensitively
These functions should be self-contained, so should not presume that the sniff has already lowercased the function name before passing it.
This fixes a bug as, in this case, the sniff didn't actually lowercase the name before passing it to the trait methods, so the sniff would throw false positives for non-lowercase function calls.
Tested by adjusting some pre-existing tests for the `EscapeOutput` sniff.
---
WordPress/Helpers/EscapingFunctionsTrait.php | 4 ++--
WordPress/Tests/Security/EscapeOutputUnitTest.inc | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/WordPress/Helpers/EscapingFunctionsTrait.php b/WordPress/Helpers/EscapingFunctionsTrait.php
index d66ba2992f..d4664775aa 100644
--- a/WordPress/Helpers/EscapingFunctionsTrait.php
+++ b/WordPress/Helpers/EscapingFunctionsTrait.php
@@ -223,7 +223,7 @@ public function is_escaping_function( $functionName ) {
$this->addedCustomEscapingFunctions['escape'] = $this->customEscapingFunctions;
}
- return isset( $this->allEscapingFunctions[ $functionName ] );
+ return isset( $this->allEscapingFunctions[ strtolower( $functionName ) ] );
}
/**
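Review bot: Only the lookup key is lowercased in `is_escaping_function()`; the hunk does not show whether the keys of `$this->allEscapingFunctions` are also lowercased when `customEscapingFunctions` is merged in. If they are not, a custom escaping function listed in a ruleset with capitals would still miss the `isset()` check, and the sniff would keep reporting correctly escaped output as unescaped. The same applies to `$this->allAutoEscapedFunctions` in `is_auto_escaped_function()` in the next hunk. Consider normalising the custom names at merge time and stating the contract in both docblocks, e.g. `@param string $functionName The name of the function to check (matched case-insensitively).` The merge code and the start of both methods lie outside the hunks, so this needs confirming against the full file.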
@@ -247,6 +247,6 @@ public function is_auto_escaped_function( $functionName ) {
$this->addedCustomEscapingFunctions['autoescape'] = $this->customAutoEscapedFunctions;
}
- return isset( $this->allAutoEscapedFunctions[ $functionName ] );
+ return isset( $this->allAutoEscapedFunctions[ strtolower( $functionName ) ] );
}
}
diff --git a/WordPress/Tests/Security/EscapeOutputUnitTest.inc b/WordPress/Tests/Security/EscapeOutputUnitTest.inc
index a08c5675fd..c4e429ac37 100644
--- a/WordPress/Tests/Security/EscapeOutputUnitTest.inc
+++ b/WordPress/Tests/Security/EscapeOutputUnitTest.inc
@@ -15,7 +15,7 @@ while ( have_posts() ) {
?>
-
+
' . sprintf( esc_html__( 'Some text -> %sLink text%s', 'textdomain' ), '', '' ). '
'; // Ok.
+echo '' . sprintf( esc_html__( 'Some text -> %sLink text%s', 'textdomain' ), '', '' ). '
'; // Ok.
echo '
' . sprintf( esc_html__( 'Found %d results', 'textdomain' ), (int) $result_count ) . '
'; // Ok.