False positive: sanitize_html_class() incorrectly flagged for missing unslash #2516

Open
@IanDelMar

Description

Bug Description

When using sanitize_html_class() to sanitize an HTML class, PHP_CodeSniffer reports that the passed variable is not unslashed before sanitization. However, sanitize_html_class() strips the string down to A-Z, a-z, 0-9, _, and - (code reference), and therefore it should be listed as an unslashing sanitizing function, similar to sanitize_key(). Instead, it is currently listed as a general sanitizing function.

Minimal Code Snippet

The issue happens when running this command:

phpcs --standard=WordPress --sniffs=WordPress.Security.ValidatedSanitizedInput test.php

... over a file containing this code:

if (! isset($_GET['html_class']) || ! is_string($_GET['html_class'])) {
	return;
}

$htmlClass = sanitize_html_class($_GET['html_class']);

Error Code

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Environment

Question Answer
PHP version 8.2.4
PHP_CodeSniffer version 3.11.2
WordPressCS version 3.1.0
PHPCSUtils version 1.0.12
PHPCSExtra version 1.2.1
WordPressCS install type Composer project local
IDE (if relevant) N/A

Tested Against develop Branch?

  • I have verified the issue still exists in the develop branch of WordPressCS.
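The reasoning in the report, that a sanitizer which keeps only A-Z, a-z, 0-9, _ and - makes a preceding wp_unslash() redundant, can be checked directly. The script below is an added example and is not code from the issue, from WordPressCS or from WordPress core: sanitize_html_class_minimal() reuses the two preg_replace() patterns from the core function the report links to but drops the fallback argument and the filter hook (assumption: neither affects the comparison), unslash_minimal() stands in for wp_unslash() on a single string by calling stripslashes(), and keeps_backslashes() uses PHP's strip_tags() purely as a stand-in for sanitizers that preserve backslashes, to show why the sniff's unslash requirement does matter for those. The raw input values are constructed; WordPress passes superglobals through addslashes(), so each one is slashed first, which is the form $_GET['html_class'] has when the sniffed code sees it.

```php
<?php
declare(strict_types=1);

// Added example, not code from the issue, WordPressCS or WordPress core.
// It checks the claim in the report: because sanitize_html_class() keeps only
// A-Z, a-z, 0-9, '_' and '-', the backslashes WordPress adds to superglobals
// are removed whether or not wp_unslash() runs first.

/**
 * Minimal stand-in for sanitize_html_class(). The two patterns mirror the core
 * function; the fallback argument and the 'sanitize_html_class' filter are
 * omitted (assumption: they do not change the comparison made below).
 */
function sanitize_html_class_minimal( string $classname ): string {
    // Strip out any percent-encoded characters (%xx).
    $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $classname );
    // Limit to A-Z, a-z, 0-9, '_', '-'.
    return preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
}

/** Stand-in for wp_unslash() on a single string; core uses stripslashes(). */
function unslash_minimal( string $value ): string {
    return stripslashes( $value );
}

/**
 * Contrast: a sanitizer that keeps backslashes. strip_tags() is used only as
 * a stand-in for functions that do not remove slashes; for those the order of
 * unslash and sanitize changes the result.
 */
function keeps_backslashes( string $value ): string {
    return strip_tags( $value );
}

// Constructed raw values as a client might submit them. WordPress applies
// addslashes() to superglobals (wp_magic_quotes()), so the slashed form is
// what $_GET['html_class'] contains when the sniffed code reads it.
$raw_inputs = [
    'btn-primary',
    "foo'bar",
    'say "hi"',
    'back\\slash',   // one literal backslash
    '%41lert',       // %41 is removed as a percent-encoded sequence
    "%'41",          // the quote sits between '%' and the hex digits
    '<b>x</b>',
];

$html_class_mismatches = 0;
$strip_tags_mismatches = 0;

foreach ( $raw_inputs as $raw ) {
    $slashed = addslashes( $raw );

    $sanitized_only    = sanitize_html_class_minimal( $slashed );
    $unslash_sanitized = sanitize_html_class_minimal( unslash_minimal( $slashed ) );
    if ( $sanitized_only !== $unslash_sanitized ) {
        $html_class_mismatches++;
    }

    $stripped_only    = keeps_backslashes( $slashed );
    $unslash_stripped = keeps_backslashes( unslash_minimal( $slashed ) );
    if ( $stripped_only !== $unslash_stripped ) {
        $strip_tags_mismatches++;
    }

    printf(
        "%-12s slashed=%-14s html_class: %s / %s   strip_tags: %s / %s\n",
        $raw,
        $slashed,
        $sanitized_only,
        $unslash_sanitized,
        $stripped_only,
        $unslash_stripped
    );
}

printf( "sanitize_html_class: %d of %d inputs differ with/without unslash\n",
    $html_class_mismatches, count( $raw_inputs ) );
printf( "strip_tags:          %d of %d inputs differ with/without unslash\n",
    $strip_tags_mismatches, count( $raw_inputs ) );
```

Run with `php check_unslash.php`. For every constructed input the sanitize_html_class stand-in returns the same string with or without the unslash step, while the strip_tags stand-in differs for each input containing a quote or a backslash. The reason addslashes() cannot disturb the %xx strip either way is that it only inserts a backslash before ', ", \ and NUL, none of which are hex digits, so no %xx match is created or broken by slashing or unslashing.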
