fix WordPress.Security.EscapeOutput.OutputNotEscaped errors#776

masteradhoc · 2026-02-01T20:29:52Z

Fixes #775

What?

Fixes WordPress Coding Standards (PHPCS) violations related to unescaped output in class-two-factor-core.php by properly escaping all localized and dynamic output.

Why?

The Two-Factor plugin was triggering WordPress.Security.EscapeOutput.OutputNotEscaped errors when running PHPCS. Several localized strings and formatted values (_n(), number_format_i18n(), human_time_diff(), and __()) were output directly without context-appropriate escaping. This violates WordPress security and coding standards and may block releases or CI checks.

How?

implement the correct escape functions

Testing Instructions

trigger plugin check on newest version of two-factor
apply changes
see if the OutputNotEscaped errors still show up

Changelog Entry

Fixed – Properly escaped localized output to comply with WordPress security and coding standards.

github-actions · 2026-02-01T20:30:01Z

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>
Co-authored-by: kasparsd <kasparsd@git.wordpress.org>
Co-authored-by: sjinks <volodymyrkolesnykov@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

class-two-factor-core.php

kasparsd

It appears that WP core isn't passing these wp_die() strings through esc_html__() and use __() instead.

Should we keep it consistent with core?

masteradhoc · 2026-02-09T19:41:17Z

It appears that WP core isn't passing these wp_die() strings through esc_html__() and use __() instead.

Should we keep it consistent with core?

We use this a few times throughout the plugin. Shall we adjust all of this?

Then we'll probably have to add this as well ahead so we dont get the issues like #775 anymore.
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

class-two-factor-core.php

…e don't trust translation files This make it different from WP core approach which appears to be trusting the core translation strings to not contain anything. Co-authored-by: Volodymyr Kolesnykov <volodymyr@wildwolf.name>

kasparsd · 2026-02-13T08:37:35Z

@masteradhoc After reviewing the core implementation of _default_wp_die_handler() I feel like it is better to escape it and diverge from the core approach which appears to be trusting the translation strings.

fix WordPress.Security.EscapeOutput.OutputNotEscaped

d73217c

kasparsd reviewed Feb 2, 2026

View reviewed changes

class-two-factor-core.php Show resolved Hide resolved

class-two-factor-core.php Show resolved Hide resolved

adjust error message

79894fa

jeffpaul added this to the 0.15.0 milestone Feb 2, 2026

jeffpaul assigned masteradhoc Feb 8, 2026

kasparsd approved these changes Feb 9, 2026

View reviewed changes

Merge branch 'master' into patch-8

a8510d8

kasparsd reviewed Feb 9, 2026

View reviewed changes

Merge branch 'WordPress:master' into patch-8

f96f67a

fix feedback of kasparsd

2244b84

masteradhoc requested review from kasparsd and sjinks February 9, 2026 19:45

sjinks approved these changes Feb 9, 2026

View reviewed changes

sjinks reviewed Feb 9, 2026

View reviewed changes