phpcs-security.ruleset.xml

<?xml version="1.0"?>
<ruleset name="WordPress Security">

	<!-- Set a description for this ruleset. -->
	<description>A WordPress Ruleset to check application safety.</description>

	<exclude-pattern>assets/*</exclude-pattern>
	<exclude-pattern>node_modules/*</exclude-pattern>
	<exclude-pattern>test/*</exclude-pattern>
	<exclude-pattern>vendor/*</exclude-pattern>
	<exclude-pattern>*.min.js</exclude-pattern>
	<exclude-pattern>js/*.js</exclude-pattern>
	<exclude-pattern>css/*.css</exclude-pattern>

	<arg name="parallel" value="20"/>

	<rule ref="Generic.PHP.Syntax"/>

	<!-- Include the WordPress ruleset, with exclusions. -->
	<rule ref="WordPress.CodeAnalysis">
	</rule>
	<rule ref="WordPress.DB">
	</rule>
	<rule ref="WordPress.NamingConventions.PrefixAllGlobals"/>
	<rule ref="WordPress.PHP">
		<!-- omit non security sniffs -->
		<exclude name="WordPress.PHP.DontExtract"/>
		<exclude name="WordPress.PHP.YodaConditions"/>
	</rule>
	<rule ref="WordPress.Security">
	</rule>
	<rule ref="WordPress.Security.EscapeOutput">
		<properties>
			<property name="customEscapingFunctions" type="array">
				<element value="acf_esc_attr"/>
				<element value="$this->render_input"/>
			</property>
		</properties>
    </rule>
	<rule ref="WordPress.Utils">
	</rule>
	<rule ref="WordPress.WP">
		<exclude name="WordPress.WP.I18n.MixedOrderedPlaceholders"/>
		<exclude name="WordPress.WP.I18n.UnorderedPlaceholders"/>
		<exclude name="WordPress.WP.I18n.NonSingularStringLiteralText"/>
	</rule>
</ruleset>