Make the Escaped Output sniff smarter

[westonruter]

The sniff needs more logic to determine safe output

echo 'Some Raw String';  //Causes no escaping function warning
_e( $some_nasty_var );  //No warning
echo apply_filters( 'the_content', $post->post_content );  //Causing no escaping function warning

Reported by @c3mdigital

[westonruter]

Updated from @c3mdigital: This commit allows T_CONSTANT_ENCAPSED_STRING to pass the xss test. xwp@3a073b0

[shadyvb]

This should - in general context - output an error about unescaped output:

echo apply_filters( 'the_content', $post->post_content );  //Causing no escaping function warning

However, there is some filters that does escaping for the user, which would include the_content , and although filters can be manipulated ( manipulating should be detected at its source? ), i guess adding a check for existing of these specific filters would be a good idea ?

[westonruter]

I don't think we should rely on knowing that certain filtered values get escaped. Who knows and maybe another high-priority filter is added which does something bad. Also, this would violate the principle of always escaping as close to output as possible.