PHPCS - WordPress.Security.EscapeOutput#110

Merged: rkoopmans merged 28 commits into tinify:master from wcreateweb:plugin-check on May 26, 2026

Conversation

@tijmenbruggeman (Collaborator)
PR will remove the excluded ruleset WordPress.Security.EscapeOutput.

More info:

Copilot AI left a comment

Pull request overview

This PR removes the project-level PHPCS exclusion for WordPress.Security.EscapeOutput and updates multiple admin views/classes to explicitly escape output (attributes, HTML text, and limited HTML via KSES) to comply with WordPress security standards.

Changes:

  • Removed the PHPCS ruleset exclusion for WordPress.Security.EscapeOutput.
  • Added/updated escaping across admin-facing views (SVG/CSS attributes, HTML text nodes, and controlled HTML via wp_kses*).
  • Adjusted some settings/admin rendering to use safer output helpers (checked(), esc_attr(), esc_html(), etc.) and added a few view docblocks.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 7 comments.

Summary per file (path, then description):
src/views/optimization-chart.php Escapes chart values used in inline CSS/SVG/HTML output.
src/views/notice-feedback.php Fixes invalid markup and escapes notice strings / review link output.
src/views/dashboard-widget.php Escapes admin color output and user name; sanitizes injected link HTML.
src/views/compress-details.php Escapes numeric and text outputs in compression details UI.
src/views/compress-details-processing.php Adds docblock + escapes data-id attribute.
src/views/bulk-optimization.php Escapes many outputs in the bulk optimization UI and refactors some computed values.
src/views/bulk-optimization-upgrade-notice.php Adds docblock, sanitizes credits and upgrade URL output.
src/views/account-status-create-simple.php Adds docblock and moves to wp_kses_post() for link-containing string.
src/views/account-status-create-advanced.php Moves to wp_kses_post() for link-containing instructional string.
src/views/account-status-connected.php Adds docblock, sanitizes numbers and upgrade link; sanitizes embedded link with wp_kses().
src/class-tiny-settings.php Adds wp_kses() for links, improves escaping, and switches checked logic to booleans + checked().
src/class-tiny-plugin.php Escapes AJAX error output; stops echo-ing a method that prints via includes.
src/class-tiny-notices.php Escapes notice wrapper attributes and uses KSES for notice message HTML.
src/class-tiny-image-size.php Removes an extra blank line.
src/class-tiny-compress.php Escapes exception messages when constructing Tiny_Exception (needs adjustment).
src/class-tiny-compress-fopen.php Disables PHPCS exception-escape sniff at file scope.
src/class-tiny-compress-client.php Disables PHPCS exception-escape sniff at file scope.
phpcs.xml Removes the WordPress.Security.EscapeOutput exclusion.

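To make the escaping pattern the review describes concrete, here is an added example; it is not code from the tinify plugin or from WordPress core. It renders one admin-view fragment twice: first with raw values, the form the EscapeOutput sniff flags, then with esc_attr(), esc_html(), esc_url() and wp_kses() applied at the output site, picking the helper by the context each value lands in (attribute, text node, limited HTML). The stand-in definitions of those four helpers, the allowed-tag list and the three attacker-controlled inputs are assumptions made so the file runs under plain `php` outside WordPress; inside WordPress the function_exists() guards skip the stand-ins and the real helpers are used.

```php
<?php
// Added example, not code from the tinify plugin or from WordPress core.
// Stand-ins for the WordPress escaping helpers (assumption): they approximate
// the real functions closely enough to demonstrate the contexts, and are only
// defined when the real ones are absent, so the file runs under plain `php`.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_url' ) ) {
	function esc_url( $url ) {
		// Reject anything that is not http(s), which blocks javascript: and data: URLs.
		$url = trim( (string) $url );
		if ( ! preg_match( '#^https?://#i', $url ) ) {
			return '';
		}
		return htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}
if ( ! function_exists( 'wp_kses' ) ) {
	function wp_kses( $html, $allowed ) {
		// Keep only allowed elements, then only allowed attributes on them;
		// an href must survive esc_url() or the attribute is dropped.
		$html = strip_tags( (string) $html, '<' . implode( '><', array_keys( $allowed ) ) . '>' );
		return preg_replace_callback(
			'/<([a-z0-9]+)([^>]*)>/i',
			function ( $m ) use ( $allowed ) {
				$tag = strtolower( $m[1] );
				preg_match_all( '/([a-z\-]+)\s*=\s*"([^"]*)"/i', $m[2], $attrs, PREG_SET_ORDER );
				$kept = '';
				foreach ( $attrs as $a ) {
					$name = strtolower( $a[1] );
					if ( empty( $allowed[ $tag ][ $name ] ) ) {
						continue;
					}
					$value = ( 'href' === $name ) ? esc_url( $a[2] ) : esc_attr( $a[2] );
					if ( '' !== $value ) {
						$kept .= ' ' . $name . '="' . $value . '"';
					}
				}
				return '<' . $tag . $kept . '>';
			},
			$html
		);
	}
}

// Constructed inputs (assumption) standing in for values an admin view receives;
// each carries an injection payload for the context it lands in.
function sample_inputs() {
	return array(
		'image_id'  => '42" onmouseover="alert(1)',
		'user_name' => 'Mallory<script>alert(1)</script>',
		'notice'    => 'Credits left: 17. <a href="javascript:alert(1)" onclick="steal()">Upgrade</a>',
	);
}

// The form the sniff flags: raw values in attribute, text and mixed-HTML context.
function render_unescaped( array $in ) {
	return '<div class="tiny-compress-details" data-id="' . $in['image_id'] . '">'
		. '<p>Hello ' . $in['user_name'] . '</p>'
		. '<p>' . $in['notice'] . '</p></div>';
}

// The corrected form: escape at the output site, choosing the helper by context.
// The link-bearing notice keeps its <a> but loses the javascript: href and onclick.
function render_escaped( array $in ) {
	$allowed_link = array( 'a' => array( 'href' => true, 'target' => true ) );
	return '<div class="tiny-compress-details" data-id="' . esc_attr( $in['image_id'] ) . '">'
		. '<p>Hello ' . esc_html( $in['user_name'] ) . '</p>'
		. '<p>' . wp_kses( $in['notice'], $allowed_link ) . '</p></div>';
}

$in = sample_inputs();
echo "Unescaped:\n" . render_unescaped( $in ) . "\n\n";
echo "Escaped:\n" . render_escaped( $in ) . "\n";
```

Run it with `php escape-demo.php`: the first block contains a live onmouseover handler, a script element and a javascript: link; the second reduces them to `data-id="42&quot; onmouseover=&quot;alert(1)"`, an entity-encoded script tag and a bare `<a>Upgrade</a>`. The example escapes where the string is emitted, not where it is produced, which is also why the PR's per-file table ends up escaping the AJAX error output rather than every exception message: an exception's message is data until something renders it, and the right helper depends on where that happens.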

Comment threads:

  • src/views/bulk-optimization.php
  • src/views/bulk-optimization.php
  • src/class-tiny-settings.php
  • src/class-tiny-compress.php
  • src/views/account-status-create-simple.php (outdated)
  • src/views/compress-details-processing.php (outdated)
  • src/class-tiny-settings.php
@rkoopmans rkoopmans merged commit 3f71599 into tinify:master May 26, 2026
9 checks passed

3 participants