Travis now offers stages. Using stages we can:
- Run the code style related checks before running any unit tests and stop the build early if any are detected.
- Remove the duplicate unit test runs - i.e. previously we had an extra (third) build against PHP 7.2 (now changed to 7.3) which would run the code style related checks, but would also re-run the unit tests. This extra build will now no longer run the unit tests.

While this does mean that the unit tests will run with a slight delay (the `Sniff` and `Rulesets` stages have to finish before they start), it also means that we:
* Get code style errors reported earlier as it's been moved to be the first stage and the build will just stop if any are found.
* We won't be wasting Travis's resources on builds which will have to be re-run anyway.

Ref: https://docs.travis-ci.com/user/build-stages/

Note that `Allowed failures` is no longer listed as a separate block in the Travis result overview, but is _is_ respected.

For more discussion about this:
* travis-ci/travis-ci#7789
* https://travis-ci.community/t/always-show-allow-failures-allowed-failures-when-build-stages-are-used/217
* https://travis-ci.community/t/work-out-kinks-in-interactions-between-stages-allow-fail-and-fast-finish/1090
* travis-ci/travis-ci#9677

…ges (#1711)

Travis: run the code style related and ruleset checks in separate stages

Co-authored-by: Stephen Edgar <stephen@netweb.com.au>

String array keys for variable array access would also be examined as part of the hook name, while those should be skipped over as they are not part of the _hook_name.

This fixes that.

Includes unit test.

This commit also lowers the nesting level of the loop by continuing early whenever possible.

Ref: https://developer.wordpress.org/reference/functions/wp_sanitize_redirect/

Fixes 1715

…dhookname-bugfix

ValidHookName: bug fix  / skip over array keys

Add RECOVERY_MODE_COOKIE to whitelisted core constants

The repo has moved organization within GitHub.

Composer: Update repo URL references

The "quicktest" stage will only run a CS check, ruleset check, linting and the unit tests against low/high PHP/PHPCS combinations. This should catch most issues.

The more comprehensive complete build against a larger combination of PHP/PHPCS combination will now only be run on PRs and merges to `develop`/`master`.

…d-stage

Travis: add "quicktest" stage for non-PR/merge builds

As this sniff is already included in the WP Core ruleset and the enhancement request is about PHP native functions, this seemed liked a logical sniff to add this to.

I've elected to make this an `error` instead of a `warning` as the code within WP Core has been cleaned up for this issue now and it would be good to prevent new instances of `date()` creeping in.

Fixes 1713

…ctions-add-date

RestrictedPHPFunctions: add error for use of date()

…idden.

…meter Values

The GitHub repository has moved from the dedicated `WordPress-Coding-Standards` organisation to the `WordPress` organisation.

This:
* Updates all links which pointed to the old repo on GH to the new one.
* Updates the badges in the Readme to pick up things up correctly again for the new repo.
* Updated all links to Travis from `.org` to `.com` as the build CI has moved as well.

Add `$plugin` to the list of global variables that shouldn't be overridden

Added remaining plugin load globals

Rulesets are processed top-to-bottom, one rule at the time.

For the `WordPress` ruleset, this means that PHPCS would first load the `WordPress-Core` ruleset and process all rules in that file, then read the `WordPress-Docs` ruleset and lastly, the `WordPress-Extra` ruleset.

As the `WordPress-Extra` ruleset includes `WordPress-Core`, it would re-process the `WordPress-Core` ruleset a second time and then process the additional rules in the `Extra` ruleset.

This means that in effect, the `WordPress-Core` ruleset is processed twice when using the `WordPress` ruleset which is inefficient.

By commenting that rule out, we still document that the `WordPress` ruleset includes `WordPress-Core` without double processing the ruleset.

…-fix

WordPress ruleset: efficiency fix

Adds documentation for the WordPress.WhiteSpace.CastStructureSpacing

Related to #1722

Adds documentation for the WordPress.WhiteSpace.PrecisionAlignmentSniff

Related to #1722

Adds documentation for the WordPress.WhiteSpace.DisallowInlineTabs sniff

Related to #1722

… in combination with a spread operator

Includes updated docs.

Related 1762
Related 1524

This new sniff addresses the new "_The short ternary operator must not be used._" rule which was recently added to the handbook.

The sniff has been added to the `WordPress-Core` ruleset.

Refs:
* https://make.wordpress.org/core/handbook/best-practices/coding-standards/php/#ternary-operator
* https://make.wordpress.org/core/2019/07/12/php-coding-standards-changes/

Includes unit tests.
Includes documentation.

Recently a new section has been added to the handbook which forbids the use of short arrays.

> Using long array syntax ( array( 1, 2, 3 ) ) for declaring arrays is generally more readable than short array syntax ( [ 1, 2, 3 ] ), particularly for those with vision difficulties. Additionally, it’s much more descriptive for beginners.
>
> Arrays must be declared using long array syntax.

https://make.wordpress.org/core/handbook/best-practices/coding-standards/php/#declaring-arrays

This PR add an existing upstream sniff which addresses this.
Includes auto-fixer.

Also see: https://make.wordpress.org/core/2019/07/12/php-coding-standards-changes/

Loosely related to 764

…rays-to-core

Core: Add upstream Generic.Arrays.DisallowShortArraySyntax sniff

…rnary-sniff

New DisallowShortTernary sniff

WPCS is running into two PHP 7.4 issues where we use array access on a non-array value.
This PR fixes both.

Refs:
* https://wiki.php.net/rfc/deprecate_curly_braces_array_access

Build showing the issues:
* https://travis-ci.com/WordPress/WordPress-Coding-Standards/jobs/218025587

…d to be overwritten

WP Core contains the global `$content_width` variable which is intended to be set/overwritten by plugins and themes.

For that reason the variable was previously removed from the `Sniff::$wp_globals` list in WPCS 0.4.0. See 276, 331.

The downside of the variable not being in the list is that the `PrefixAllGlobals` sniff complains about it not being prefixed, as it doesn't realize it is a WP native global variable.

The upside was that the `GlobalVariablesOverride` sniff did not complain about the variable being overwritten.

Adding the variable to the `Sniff::$wp_globals` list would reverse that situation with the `PrefixAllGlobals` sniff staying silent and the `GlobalVariablesOverride` sniff starting to complain.

This PR intends to solve this conundrum.

* The list of WP Core globals in `Sniff::$wp_globals` should be complete and not intentionally miss certain variables without there being any documentation on why there are not listed there.
* To still allow for the `GlobalVariablesOverride` sniff to function correctly, a new `$override_allowed` property has been added to that sniff, as well as logic to handle this.

Unit tests confirming that this fixes the issue have been added to both sniffs.

Additional notes:
* There may be more variables in WP Core which are intended to be overwritten by plugins/themes. I have not verified this.
    If we do come across additional ones, it will now be easy enough to add them to the whitelist anyway.
    For now, only `content_width` and `wp_cockneyreplace` have been added.
    Also see: #924 (comment) and https://core.trac.wordpress.org/browser/trunk/src/wp-includes/formatting.php#L123
* This PR does not address the fact that the `Sniff::$wp_globals` list is grossly out of date. See 924

Fixes 1043

This improved the error message output when array variables are being accessed.

```php
echo $strings['update-available'];
```

**Old output:**
`All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$strings'.`

**New output:**
`All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$strings['update-available']'.`

No unit tests added as the unit tests don't test the message thrown.

The effect can be tested & confirmed though by running the sniff over the above code snippet.

Partially fixes 749

…-error-msg-variables

EscapeOutput: improve the error message for non-escaped variables

…lobals-handle-content-width

GlobalVariablesOverride/PrefixAllGlobals: handle WP variables intended to be overwritten

At times, people will accidentally forget to add the `__` when they intend to use one of the "translate + escape" functions.
I've run into this a number of times now when reviewing/fixing code and found that they aren't that easy to spot visually when you're focussed on other things.

So as it was such an easy sniff to write, I figured I may as well.

AFAICS there are only two escaping functions in core which have direct "translate + escape" sister-functions.
All the same, the sniff has been set up to allow for more similar function-combis to be added.

Includes unit tests.
Includes documentation.

Sniff has been added to the `WordPress-Extra` ruleset.

PHP 7.4 compatibility / defensive coding

…ped-not-translated-sniff

New CodeAnalysis/EscapedNotTranslated sniff

…e of the brackets

For non-string, non-numeric array keys, WPCS demands a space on the inside of the square brackets around the array key.

Up to now, the _size_ of the whitespace on the inside of the square brackets was not checked.

This PR adds that check.

Includes unit tests.
Includes fixer.

If the array key should not be surrounded by spaces and there was more than one whitespace token between a bracket and the array key, the fixer would take several loops to remove the consecutive whitespace tokens.

This has been changed to fixing the whitespace in one go, reducing the chance of fixer conflicts and making the sniff more efficient.

Includes unit tests.

This can be tested by running the sniff with the `-v` option. Without this fix, the sniff takes 4 loops when fixing the unit test cases in this commit, with the fix, it takes 2 loops.

CastStructureSpacing: allow for spread operator

ArrayKeySpacingRestrictions: add space size check & fix errors in one go

The unit tests will fail when a PHP warning/notice/deprecation notice is encountered.

Deprecation notices thrown by already released PHPCS versions won't get fixed anymore (in that version), so failing the unit tests on those is moot and will skew the reliability of the Travis results.

New utility method to determine whether a _short array_ token is in actual fact representing a PHP 7.1+ short list.

This method will be short-lived in WPCS as it will be introduced in WPCS 3.5.0 and can be deprecated once the minimum required PHPCS version goes up.

While we should probably define rules for long/short list constructs, WPCS at this time, does not have a opinion on the formatting of these.

The `Arrays` sniffs, however, would all treat _short lists_ as if they were _short arrays_ and apply the array rules on them.

This PR fixes this by bowing out early if a short array is in actual fact a short list.

Includes unit tests in each of the sniffs in the `Arrays` category affected by this issue.

Fixes 1692

…uld-ignore-short-lists

Array sniffs: ignore short lists

…tion-notices-phpcs-stable

Travis: ignore PHP deprecation notices for stable PHPCS releases

Sister-method to the `find_array_open_close()` utility method to find the opener and closer for `list()` constructs, including short lists.

The bracket opener array key will only be set if there is also a bracket closer.

This adds a new utility method which will retrieve an array with the token pointers to the variables which are being assigned to in a `list()` construct, whether short or long list.

This utility method takes all currently supported list features in PHP into account and handles the following correctly:
* Nested lists
* Empty list items
* Trailing comma's in lists
* Empty lists (no longer allowed as of PHP 7.0.0)
* Short lists (PHP 7.1.0+)
* Keyed lists (PHP 7.1.0+)

Global variables to which an assignment is made via the long/short `list()` construct should also be prefixed.

Includes unit tests.

Related to 1774

…ignments

Global variables to which an assignment is made via the long/short `list()` construct should also be checked to make sure they don't override a WP global variable.

Includes unit tests.

Related to 1774

Various minor doc fixes

…de-prefixallglobals-recognize-list-assignments

PrefixAllGlobals/GlobalVariablesOverride: detect variables being set via list()

Fixes #1733 - Error on short prefixes

The `php` prefix is reserved for PHP itself.

No unit tests added as the logic for this blacklist is already sufficiently unit tested.

Fixes 1728

…-blacklist-php-prefix

PrefixAllGlobals: add "php" to the list of blacklisted prefixes

While intended for code highlighting of PHP code, based on some tests I've run, the output of the PHP native `highlight_string()` function does appear to be safe, so I'm proposing to add this to the list of `$escapingFunctions`.

Note: I'd appreciate some scrutiny of this PR. I wouldn't want to inadvertently add an unsafe function to the list.

Refs:
* https://3v4l.org/mYK5A
* https://www.php.net/manual/en/function.highlight-string.php

`sanitize_key()` only allows for lowercase characters, numbers, underscore and dash characters. So a variable run through `sanitize_key()` can be considered just as safe, if not more so, than a variable run through one of the escaping functions.

Ref:
* https://developer.wordpress.org/reference/functions/sanitize_key/

EscapeOutput: add sanitize_key() to escaping functions

The `Sniff::$safe_casts` token list and the `EscapeOutputSniff::$safe_cast_tokens` were near duplicates.

This removes the duplicate code (which can be safely removed as it is a `private` property) and adds the missing `T_UNSET_CAST` to the `Sniff::$safe_casts` list.

…eanup

EscapeOutput: use Sniff::$safe_casts

EscapeOutput: add highlight_string() to escaping functions

Found this during the work on the twentytwenty theme so I thought I should just make a PR.

Fixed minor grammar issue

Just to be sure this was covered correctly (which it luckily was).

AlternativeFunctions: add extra unit test

Performance: Don't unnecessarily use `array_merge()`.

…efficiency-fix

YodaConditions: minor efficiency fix

The valid example line was a bit too long... oops...

New error handling Deprecated Classes and Functions

Co-authored-by: Juliette <663378+jrfnl@users.noreply.github.com>

DisallowShortTernary: improve docs

Documentation Class Instantiation

Allow for the `test` TLD.

Includes unit test.

…tweak

CapitalPDangit: minor tweak

This new function:
* Tries to find a function docblock, if it exists.
* If found, checks if the docblock contains at least one `@deprecated` tag.

Returns boolean true/false.

Note: this method is `static` to allow the `ValidFunctionName` sniff which extends an upstream sniff to use the method as well.

Check the function docblock for a `@deprecated` tag and if found, bow out.

Includes unit tests.

Fixes 1797

Check the function docblock for a `@deprecated` tag and if found, bow out.

Includes unit tests.

Fixes 1797

Note: the same should probably also be done for classes/interfaces/traits/constants marked as deprecated, but that's for another PR.

…d-functions-for-namechecks

PrefixAllGlobals + ValidFunctionName: ignore deprecated methods by design

Add some more deprecated classes to the list.

Refs:
* https://core.trac.wordpress.org/ticket/42364
* https://core.trac.wordpress.org/ticket/47699

…ate-list

DeprecatedClasses: update the sniff

Adds documentations for the WordPress.Arrays.ArrayIndentation sniff

Related to #1722

…#1737)

Adds documentations for the `WordPress.Arrays.ArrayKeySpacingRestrictions` sniff and the `WordPress.Arrays.MultipleStatementAlignment` sniff.

Related to #1722

... with functions which will be deprecated in WP 5.3.

Not updating the `Sniff::$minimum_supported_version` property yet as WP 5.3 has not yet been released.

Instead of checking whether a `..._deprecated()` function was matched after the function matching, remove the deprecated hook invocation functions from the target function array in `getGroups()`.

This allows the sniff to fail earlier.

Also remove redundant check for `$parameters[1]`. If there are no parameters, the `process_parameters()` function wouldn't be called anyway.

Related to 1722

This introduces a new `WordPress.DateTime.RestrictedFunctions` sniff which initially includes two groups:
* `timezone_change` - moved from the `WordPress.WP.TimezoneChange` sniff
* `date` - moved from the `WordPress.PHP.RestrictedPHPFunctions` sniff (group not yet in a released WPCS version yet)

The `WordPress.WP.TimezoneChange` sniff is now deprecated.
* The sniff is no longer included in the WPCS rulesets.
* If the sniff is explicitly included via a custom ruleset, deprecation notices will be thrown.
* If the `exclude` property is set from with a custom ruleset, a deprecation notice will be thrown.

The new sniff is now included in the `Core` ruleset.

Note: once WP Core upgrades, the one instance of using `date_default_timezone_set()` in WP Core (in `wp-settings.php`) will need to be whitelisted inline.
There are a few more occurrences in the unit tests, but those can be ignored via file based excludes.

Fixes 1805

…ctions-list-wp-5.3

DeprecatedFunctions: update function list

The first parameter passed to `_deprecated_file()` generally is `basename( __FILE__ )` based on the code currently in WP Core.
As the result of that function call is safe, I'm proposing making an exception for that particular code pattern.

Includes unit tests.

Note: the current code does not allow for comments in the first parameter. This would be rare encounter in these function calls anyway and allowance for it can be added later if needs be.

ValidHookName: minor efficiency tweaks

ValidHookName: add documentation

New "DateTime.RestrictedFunctions" sniff

…e-first-param-deprecated-file

EscapeOutput: allow for typical pattern with `_deprecated_file()`

This new sniff adds a check for use of current_time() to retrieve a timestamp.

A (fixable) `error` will be thrown when the `$gmt` parameter is set to `true` or `1`, a `warning` when it is not.

Includes unit tests.
Includes fixer.
Includes documentation.

This new sniff has been added to the `Core` ruleset.

Fixes 1791

* Trim whitespace off the "expected" and "found" values which are used in the error messages.
* Ignore comments and PHPCS annotations when building up the "expected" and "found" values.
* Improve line precision by throwing the error on the line where the hook name starts, not the line containing the function call.

Includes unit test.

The unit test basically only tests part 3 of the change. The error message improvement needs visual inspection as the message content is not tested.

Similar to 1815, but then for the `PrefixAllGlobals` sniff, allowing it to fail earlier for calls to deprecated hooks.

…-error-messages

ValidHookName: improve error messages

…tamp-sniff

New DateTime.CurrentTimeTimestamp sniff

PrefixAllGlobals: minor efficiency tweak

What with the target release date for WPCS 2.2.0 being November 11 and the target release date of WP 5.3 being November 12, updating this property before the release is probably a good idea.

Update WordPress/Docs/WP/CronIntervalStandard.xml

Co-Authored-By: Juliette <663378+jrfnl@users.noreply.github.com>

Update WordPress/Docs/WP/CronIntervalStandard.xml

Co-Authored-By: Juliette <663378+jrfnl@users.noreply.github.com>

Update WordPress/Docs/WP/CronIntervalStandard.xml

Co-Authored-By: Juliette <663378+jrfnl@users.noreply.github.com>

Update WordPress/Docs/WP/CronIntervalStandard.xml

Co-Authored-By: Juliette <663378+jrfnl@users.noreply.github.com>

Update WordPress/Docs/WP/CronIntervalStandard.xml

Co-Authored-By: Juliette <663378+jrfnl@users.noreply.github.com>

Seperates function definition

Adds a new `WordPress.NamingConventions.ValidPostTypeSlug` sniff.

Checks if the first parameter given to a register_post_type() call is actually a valid value.

…sion-property

Update default minimum supported WP version

See #1722.

Adds documentation for WordPress.WP.CronInterval

Docs: Add PostsPerPage XML doc

... picked up along the way.

Various minor documentation fixes

…dResources

Adds documentation for WordPress.WP.EnqueuedResources.

Adds WP.Security.SafeRedirect documentation.

* Release date set at this **Monday November 11th**.
* Includes all currently merged changes.

Changelog for WPCS 2.2.0