Do not enforce escaping error codes

Author: kadamwhite

HM-Minimum/ruleset.xml

@@ -71,6 +71,17 @@
 				<element value="get_post_gallery" /> <!-- with param 2 set to true, the default -->
 			</property>
 		</properties>
+
+		<!--
+			Exception messages are internal program state, not an output boundary.
+			Escaping belongs at the point of output (catch/render), not at throw.
+			The OutputNotEscaped rule still covers actual HTML output points.
+			See: https://github.com/WordPress/WordPress-Coding-Standards/issues/2374
+
+			To opt back in to this check, add to your ruleset:
+			<rule ref="HM.Security.EscapeOutput.ExceptionNotEscaped" />
+		-->
+		<exclude name="HM.Security.EscapeOutput.ExceptionNotEscaped" />
 	</rule>
 
 	<!-- Disallow use of __FILE__ in menu slugs, which exposes the filesystem's data. -->

HM/Sniffs/Performance/SlowOrderBySniff.php

@@ -3,6 +3,7 @@
 namespace HM\Sniffs\Performance;
 
 use PHPCSUtils\Utils\MessageHelper;
+use PHPCSUtils\Utils\TextStrings;
 use WordPressCS\WordPress\AbstractArrayAssignmentRestrictionsSniff;
 
 /**
@@ -58,6 +59,7 @@ public function process_token( $stackPtr ) {
 	 *                       with custom error message passed to ->process().
 	 */
 	public function callback( $key, $val, $line, $group ) {
+		$val = TextStrings::stripQuotes( $val );
 		switch ( $val ) {
 			case 'rand':
 			case 'meta_value':

HM/Tests/Whitespace/MultipleEmptyLinesUnitTest.fail.fixed

@@ -0,0 +1,23 @@
+<?php
+
+namespace HM\Coding\Standards\Tests;
+
+use \HM\Other;
+use \WP_Post;
+
+function some_function( $some_argument ) {
+    $variable = 'some string';
+
+    return $variable;
+}
+
+class MyTest Class {
+
+    __construct() {
+        do_something();
+    }
+
+    public function another_function() {
+        return null;
+    }
+}

tests/FixtureTests.php

@@ -85,7 +85,13 @@ public static function passing_files() {
 	/**
 	 * Setup our ruleset.
 	 */
-	public function setUp() {
+	public function setUp(): void {
+		// AllSniffs uses ConfigDouble which sets Config::$configData = [] to prevent
+		// reading CodeSniffer.conf. Reset it so Ruleset can resolve installed standards.
+		$configDataProp = new \ReflectionProperty( Config::class, 'configData' );
+		$configDataProp->setAccessible( true );
+		$configDataProp->setValue( null, null );
+
 		$this->config            = new Config();
 		$this->config->cache     = false;
 		$this->config->standards = [ 'HM' ];
@@ -115,6 +121,10 @@ public function setUp() {
 
 		$this->ruleset = new Ruleset( $this->config );
 
+		// ExceptionNotEscaped is excluded in HM-Minimum ruleset.xml, but IN_TESTS mode
+		// with sniff restrictions skips processRuleset(), so apply the exclusion manually.
+		$this->ruleset->ruleset['HM.Security.EscapeOutput.ExceptionNotEscaped'] = [ 'severity' => 0 ];
+
 		// Set configuration as needed too.
 		$this->ruleset->setSniffProperty( 'HM\\Sniffs\\Security\\EscapeOutputSniff', 'customAutoEscapedFunctions', [
 			'scope' => 'sniff',

tests/fixtures/pass/escape-output.php

@@ -6,13 +6,13 @@
 echo esc_html( $var );
 echo esc_attr( $var );
 
-// Triggering errors should be fine too, since they're not sent to the browser.
-trigger_error( $var );
+// Triggering errors: The message parameter must still be escaped in WPCS 3.x.
+trigger_error( esc_html( $var ) );
 error_log( $var );
 
 // Deprecations and doin_it_rong too:
-_deprecated_file( $var );
-_doing_it_wrong( $var );
+_deprecated_file( esc_html( $var ) );
+_doing_it_wrong( esc_html( $var ) );
 
 // Ignoring via HM or WP codes should work.
 // phpcs:ignore HM.Security.EscapeOutput
@@ -33,3 +33,8 @@
 // Custom auto-escaped functions from config (see FixtureTests.php)
 echo my_custom_func();
 echo another_func();
+
+// Exception messages are internal state — escaping belongs at the output
+// boundary (catch/render), not at the throw site.
+throw new \RuntimeException( $var );
+throw new \RuntimeException( sprintf( 'Got: %s', $var ) );