False positive for notAttrEscAttr in ProperEscapingFunction sniff when printf()/sprintf() used #667

@westonruter

Bug Description

When updating from 2.2.0 to 2.3.0 we got a lot of false positives of notAttrEscAttr in the ProperEscapingFunction sniff where printf() or sprintf() are being used. For example:

printf( '<meta name="generator" content="%s">', esc_attr( $content ) );

This code is getting flagged with:

Wrong escaping function, using esc_attr() in a context outside of HTML attributes may not escape properly.

See other such instances in the PR's check annotations: https://github.com/ampproject/amp-wp/pull/6079/files

Minimal Code Snippet

See above.

Error Code

WordPressVIPMinimum.Security.ProperEscapingFunction.notAttrEscAttr

Environment

Use php -v and composer show to get versions.

Question Answer
PHP version 7.4.16
PHP_CodeSniffer version 3.6.0
VIPCS version 2.3.0

Additional Context (optional)

Tested Against master branch?

  • I have verified the issue still exists in the master branch of VIPCS.
  • I have verified the issue still exists in the develop branch of VIPCS.
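
An added example, not part of the original report and not VIPCS's own code: one way a check could decide whether a printf()/sprintf() argument wrapped in esc_attr() lands inside a quoted attribute value, using the format string from the report. The function name placeholder_contexts() is hypothetical, the second format string is constructed, and the scanner assumes well-formed markup with quoted attribute values rather than parsing HTML fully.

```php
<?php
// Added example (hypothetical helper, not VIPCS code): classify the HTML
// context of every printf()/sprintf() placeholder in a format string.
// Returns argument number (1-based) => 'attribute', 'tag' or 'html'.
function placeholder_contexts( string $format ): array {
	// "%%" is a literal percent sign; anything else is a conversion
	// specification, optionally positional ("%2$s").
	$spec = '/%%|%(?:(\d+)\$)?[-+ 0]*(?:\'.)?\d*(?:\.\d+)?[bcdeEfFgGosuxX]/';
	preg_match_all( $spec, $format, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE );

	$contexts = array();
	$next     = 1;     // Next sequential (non-positional) argument number.
	$in_tag   = false; // Between "<" and ">".
	$quote    = '';    // Open quote character while inside an attribute value.
	$pos      = 0;

	foreach ( $matches as $m ) {
		list( $text, $offset ) = $m[0];
		// Advance the tag/quote state over the literal text before this placeholder.
		for ( ; $pos < $offset; $pos++ ) {
			$c = $format[ $pos ];
			if ( '' !== $quote ) {
				if ( $c === $quote ) {
					$quote = '';
				}
			} elseif ( $in_tag ) {
				if ( '"' === $c || "'" === $c ) {
					$quote = $c;
				} elseif ( '>' === $c ) {
					$in_tag = false;
				}
			} elseif ( '<' === $c ) {
				$in_tag = true;
			}
		}
		$pos = $offset + strlen( $text );
		if ( '%%' === $text ) {
			continue; // Literal percent sign consumes no argument.
		}
		$arg              = ( isset( $m[1] ) && '' !== $m[1][0] ) ? (int) $m[1][0] : $next++;
		$contexts[ $arg ] = '' !== $quote ? 'attribute' : ( $in_tag ? 'tag' : 'html' );
	}
	return $contexts;
}

// Format string from the report: argument 1 sits inside content="...".
print_r( placeholder_contexts( '<meta name="generator" content="%s">' ) );
// Constructed sample: argument 1 is inside href="...", argument 2 is element text.
print_r( placeholder_contexts( '<a href="%1$s">%2$s</a>' ) );
```

An escaping check built on this would accept esc_attr() for arguments classified as 'attribute' and report it only for the others.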