_escaped, _safe or _clean

[hupe13]

Developer Handbook says:

In situations like this, always escape while creating the string and store the value in a variable that is a postfixed with _escaped, _safe or _clean (e.g., $variable becomes $variable_escaped or $variable_safe).

My code:

			if ( $settings['track'] == 'filename' ) {
				$path_parts = pathinfo( $gpx );
				$switchname_escaped = '"' . $path_parts['filename'] . '"';
			} else {
				$switchname_escaped = 'e.name';
			}
			echo '
			controlElevation.on("eledata_loaded", function(e) {
				switchtrack.addOverlay(e.layer, ' . $switchname_escaped . ');
			});
			';

phpcs says:

886 | ERROR | [ ] All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$switchname_escaped'.

The same is with '$switchname_safe'.

Am I misunderstanding this or is it a bug?

[dingo-d]

No, it's not a bug. We don't do selective escaping based on the name of the variable. PHPCS cannot know if your variable is safe or not (unless it's escaped at the point of output), so it will output the error.

[hupe13]

Thank you for clarification.