`CommaSpacingSniff` doesn't escape `vsprintf()` placeholders adequately

[westonruter]

In the wordpress-develop repo, I have a wp-config.php which generated the following secret:

define( 'SECURE_AUTH_SALT',  '!RC{(YmFxo^o4?B=3>D S1cOl<-N?9z3[5I<c^&7%D%DITY$)Kx&O+j$a7312Ez_' );

When I would run npm run grunt lint:php I'd find that I'd get a fatal error:

Fatal error: Uncaught ValueError: Unknown format specifier "D" in ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/File.php on line 1073

Stack Trace

PHP Fatal error:  Uncaught ValueError: Unknown format specifier "D" in ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/File.php:1073
Stack trace:
#0 ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/File.php(1073): vsprintf('Expected %1$s b...', Array)
#1 ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/File.php(685): PHP_CodeSniffer\Files\File->addMessage(true, 'Expected %1$s b...', 58, 27, 'TooMuchSpaceAft...', Array, 0, true)
#2 ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/File.php(793): PHP_CodeSniffer\Files\File->addError('Expected %1$s b...', 296, 'TooMuchSpaceAft...', Array, 0, true)
#3 ~/repos/wordpress-develop/vendor/phpcsstandards/phpcsutils/PHPCSUtils/Fixers/SpacesFixer.php(229): PHP_CodeSniffer\Files\File->addFixableError('Expected %1$s b...', 296, 'TooMuchSpaceAft...', Array, 0)
#4 ~/repos/wordpress-develop/vendor/phpcsstandards/phpcsextra/Universal/Sniffs/WhiteSpace/CommaSpacingSniff.php(285): PHPCSUtils\Fixers\SpacesFixer::checkAndFix(Object(PHP_CodeSniffer\Files\LocalFile), 296, 298, 1, 'Expected %1$s b...', 'TooMuchSpaceAft...', 'error', 0, 'Spaces found af...')
#5 ~/repos/wordpress-develop/vendor/phpcsstandards/phpcsextra/Universal/Sniffs/WhiteSpace/CommaSpacingSniff.php(112): PHPCSExtra\Universal\Sniffs\WhiteSpace\CommaSpacingSniff->processSpacingAfter(Object(PHP_CodeSniffer\Files\LocalFile), 296)
#6 ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/File.php(510): PHPCSExtra\Universal\Sniffs\WhiteSpace\CommaSpacingSniff->process(Object(PHP_CodeSniffer\Files\LocalFile), 296)
#7 ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/LocalFile.php(130): PHP_CodeSniffer\Files\File->process()
#8 ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Runner.php(648): PHP_CodeSniffer\Files\LocalFile->process()
#9 ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Runner.php(520): PHP_CodeSniffer\Runner->processFile(Object(PHP_CodeSniffer\Files\LocalFile))
#10 ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Runner.php(120): PHP_CodeSniffer\Runner->run()
#11 ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/bin/phpcs(14): PHP_CodeSniffer\Runner->runPHPCS()
#12 {main}
thrown in ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/File.php on line 1073

Call Stack

Call Stack:
0.0001     407416   1. {main}() ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/bin/phpcs:0
0.0018    1231944   2. PHP_CodeSniffer\Runner->runPHPCS() ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/bin/phpcs:14
0.0217    6187256   3. PHP_CodeSniffer\Runner->run() ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Runner.php:120
0.3227  116602088   4. PHP_CodeSniffer\Runner->processFile($file = class PHP_CodeSniffer\Files\LocalFile { public $path = '~/repos/wordpress-develop/wp-config.php'; protected $content = '<?php\n/**\n * The base configuration for WordPress\n *\n * The wp-config.php creation script uses this file during the installation.\n * You don\'t have to use the web site, you can copy this file to "wp-config.php"\n * and fill in the values.\n *\n * This file contains the following configurations:\n *\n * * Database settings\n * * Secret keys\n * * Database table prefix\n * * Localized language\n * * ABSPATH\n *\n * @link https://wordpress.org/support/article/editing-wp-config-php/\n *\n * @package WordPress\n */\n\n// ** Dat'...; public $config = class PHP_CodeSniffer\Config { private $settings = [...]; public $dieOnUnknownArg = TRUE; private $cliArgs = [...]; private $validGenerators = [...] }; public $ruleset = class PHP_CodeSniffer\Ruleset { public $name = 'WordPress Coding Standards'; public $paths = [...]; public $ignorePatterns = [...]; public $includePatterns = [...]; public $sniffs = [...]; public $sniffCodes = [...]; public $tokenListeners = [...]; public $ruleset = [...]; protected $rulesetDirs = [...]; private $config = class PHP_CodeSniffer\Config { ... }; private $deprecatedSniffs = [...]; private $msgCache = class PHP_CodeSniffer\Util\MessageCollector { ... } }; public $ignored = FALSE; public $eolChar = '\n'; public $fixer = class PHP_CodeSniffer\Fixer { public $enabled = FALSE; public $loops = 0; private $currentFile = ...; private $tokens = [...]; private $fixedTokens = [...]; private $oldTokenValues = [...]; private $changeset = [...]; private $inChangeset = FALSE; private $inConflict = FALSE; private $numFixes = 0 }; public $tokenizer = class PHP_CodeSniffer\Tokenizers\PHP { protected $config = class PHP_CodeSniffer\Config { ... }; protected $eolChar = '\n'; protected $tokens = [...]; protected $numTokens = 745; public $scopeOpeners = [...]; public $endScopeTokens = [...]; public $knownLengths = [...]; public $ignoredLines = [...]; protected $tstringContexts = [...] }; public $tokenizerType = 'PHP'; public $fromCache = FALSE; public $numTokens = 745; protected $tokens = [0 => [...], 1 => [...], 2 => [...], 3 => [...], 4 => [...], 5 => [...], 6 => [...], 7 => [...], 8 => [...], 9 => [...], 10 => [...], 11 => [...], 12 => [...], 13 => [...], 14 => [...], 15 => [...], 16 => [...], 17 => [...], 18 => [...], 19 => [...], 20 => [...], 21 => [...], 22 => [...], 23 => [...], 24 => [...], 25 => [...], 26 => [...], 27 => [...], 28 => [...], 29 => [...], 30 => [...], 31 => [...], 32 => [...], 33 => [...], 34 => [...], 35 => [...], 36 => [...], 37 => [...], 38 => [...], 39 => [...], 40 => [...], 41 => [...], 42 => [...], 43 => [...], 44 => [...], 45 => [...], 46 => [...], 47 => [...], 48 => [...], 49 => [...], 50 => [...], 51 => [...], 52 => [...], 53 => [...], 54 => [...], 55 => [...], 56 => [...], 57 => [...], 58 => [...], 59 => [...], 60 => [...], 61 => [...], 62 => [...], 63 => [...], 64 => [...], 65 => [...], 66 => [...], 67 => [...], 68 => [...], 69 => [...], 70 => [...], 71 => [...], 72 => [...], 73 => [...], 74 => [...], 75 => [...], 76 => [...], 77 => [...], 78 => [...], 79 => [...], 80 => [...], 81 => [...], 82 => [...], 83 => [...], 84 => [...], 85 => [...], 86 => [...], 87 => [...], 88 => [...], 89 => [...], 90 => [...], 91 => [...], 92 => [...], 93 => [...], 94 => [...], 95 => [...], 96 => [...], 97 => [...], 98 => [...], 99 => [...], 100 => [...], 101 => [...], 102 => [...], 103 => [...], 104 => [...], 105 => [...], 106 => [...], 107 => [...], 108 => [...], 109 => [...], 110 => [...], 111 => [...], 112 => [...], 113 => [...], 114 => [...], 115 => [...], 116 => [...], 117 => [...], 118 => [...], 119 => [...], 120 => [...], 121 => [...], 122 => [...], 123 => [...], 124 => [...], 125 => [...], 126 => [...], 127 => [...], ...]; protected $errors = [104 => [...], 1 => [...], 52 => [...], 53 => [...], 54 => [...], 55 => [...], 56 => [...]]; protected $warnings = []; protected $metrics = ['PHP short open tag used' => [...], 'Line indent' => [...], 'PHP closing tag at end of PHP-only file' => [...], 'PHP open tag case' => [...], 'Number of newlines at EOF' => [...], 'Constant name case' => [...], 'Spaces found before comma in function call' => [...], 'Spaces found after comma in function call' => [...], 'Multiple statements on same line' => [...]]; private ${PHP_CodeSniffer\Files\File}metricTokens = ['PHP short open tag used' => [...], 'Line indent' => [...], 'PHP closing tag at end of PHP-only file' => [...], 'PHP open tag case' => [...], 'Number of newlines at EOF' => [...], 'Constant name case' => [...], 'Spaces found before comma in function call' => [...], 'Spaces found after comma in function call' => [...], 'Multiple statements on same line' => [...]]; protected $errorCount = 9; protected $warningCount = 0; protected $fixableCount = 9; protected $fixedCount = 0; protected $replayingErrors = FALSE; protected $ignoredListeners = ['PHP_CodeSniffer\\Standards\\Generic\\Sniffs\\Functions\\FunctionCallArgumentSpacingSniff' => TRUE]; protected $ignoredCodes = []; protected $listeners = []; protected $activeListener = 'PHPCSExtra\\Universal\\Sniffs\\WhiteSpace\\CommaSpacingSniff'; protected $listenerTimes = []; protected $configCache = ['cache' => TRUE, 'sniffs' => [...], 'exclude' => [...], 'errorSeverity' => 5, 'warningSeverity' => 5, 'recordErrors' => TRUE, 'trackTime' => FALSE, 'ignorePatterns' => [...], 'includePatterns' => [...]] }) ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Runner.php:520
0.3227  116602088   5. PHP_CodeSniffer\Files\LocalFile->process() ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Runner.php:648
0.3228  116602152   6. PHP_CodeSniffer\Files\File->process() ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/LocalFile.php:130
0.3371  118395752   7. PHPCSExtra\Universal\Sniffs\WhiteSpace\CommaSpacingSniff->process($phpcsFile = class PHP_CodeSniffer\Files\LocalFile { public $path = '~/repos/wordpress-develop/wp-config.php'; protected $content = '<?php\n/**\n * The base configuration for WordPress\n *\n * The wp-config.php creation script uses this file during the installation.\n * You don\'t have to use the web site, you can copy this file to "wp-config.php"\n * and fill in the values.\n *\n * This file contains the following configurations:\n *\n * * Database settings\n * * Secret keys\n * * Database table prefix\n * * Localized language\n * * ABSPATH\n *\n * @link https://wordpress.org/support/article/editing-wp-config-php/\n *\n * @package WordPress\n */\n\n// ** Dat'...; public $config = class PHP_CodeSniffer\Config { private $settings = [...]; public $dieOnUnknownArg = TRUE; private $cliArgs = [...]; private $validGenerators = [...] }; public $ruleset = class PHP_CodeSniffer\Ruleset { public $name = 'WordPress Coding Standards'; public $paths = [...]; public $ignorePatterns = [...]; public $includePatterns = [...]; public $sniffs = [...]; public $sniffCodes = [...]; public $tokenListeners = [...]; public $ruleset = [...]; protected $rulesetDirs = [...]; private $config = class PHP_CodeSniffer\Config { ... }; private $deprecatedSniffs = [...]; private $msgCache = class PHP_CodeSniffer\Util\MessageCollector { ... } }; public $ignored = FALSE; public $eolChar = '\n'; public $fixer = class PHP_CodeSniffer\Fixer { public $enabled = FALSE; public $loops = 0; private $currentFile = ...; private $tokens = [...]; private $fixedTokens = [...]; private $oldTokenValues = [...]; private $changeset = [...]; private $inChangeset = FALSE; private $inConflict = FALSE; private $numFixes = 0 }; public $tokenizer = class PHP_CodeSniffer\Tokenizers\PHP { protected $config = class PHP_CodeSniffer\Config { ... }; protected $eolChar = '\n'; protected $tokens = [...]; protected $numTokens = 745; public $scopeOpeners = [...]; public $endScopeTokens = [...]; public $knownLengths = [...]; public $ignoredLines = [...]; protected $tstringContexts = [...] }; public $tokenizerType = 'PHP'; public $fromCache = FALSE; public $numTokens = 745; protected $tokens = [0 => [...], 1 => [...], 2 => [...], 3 => [...], 4 => [...], 5 => [...], 6 => [...], 7 => [...], 8 => [...], 9 => [...], 10 => [...], 11 => [...], 12 => [...], 13 => [...], 14 => [...], 15 => [...], 16 => [...], 17 => [...], 18 => [...], 19 => [...], 20 => [...], 21 => [...], 22 => [...], 23 => [...], 24 => [...], 25 => [...], 26 => [...], 27 => [...], 28 => [...], 29 => [...], 30 => [...], 31 => [...], 32 => [...], 33 => [...], 34 => [...], 35 => [...], 36 => [...], 37 => [...], 38 => [...], 39 => [...], 40 => [...], 41 => [...], 42 => [...], 43 => [...], 44 => [...], 45 => [...], 46 => [...], 47 => [...], 48 => [...], 49 => [...], 50 => [...], 51 => [...], 52 => [...], 53 => [...], 54 => [...], 55 => [...], 56 => [...], 57 => [...], 58 => [...], 59 => [...], 60 => [...], 61 => [...], 62 => [...], 63 => [...], 64 => [...], 65 => [...], 66 => [...], 67 => [...], 68 => [...], 69 => [...], 70 => [...], 71 => [...], 72 => [...], 73 => [...], 74 => [...], 75 => [...], 76 => [...], 77 => [...], 78 => [...], 79 => [...], 80 => [...], 81 => [...], 82 => [...], 83 => [...], 84 => [...], 85 => [...], 86 => [...], 87 => [...], 88 => [...], 89 => [...], 90 => [...], 91 => [...], 92 => [...], 93 => [...], 94 => [...], 95 => [...], 96 => [...], 97 => [...], 98 => [...], 99 => [...], 100 => [...], 101 => [...], 102 => [...], 103 => [...], 104 => [...], 105 => [...], 106 => [...], 107 => [...], 108 => [...], 109 => [...], 110 => [...], 111 => [...], 112 => [...], 113 => [...], 114 => [...], 115 => [...], 116 => [...], 117 => [...], 118 => [...], 119 => [...], 120 => [...], 121 => [...], 122 => [...], 123 => [...], 124 => [...], 125 => [...], 126 => [...], 127 => [...], ...]; protected $errors = [104 => [...], 1 => [...], 52 => [...], 53 => [...], 54 => [...], 55 => [...], 56 => [...]]; protected $warnings = []; protected $metrics = ['PHP short open tag used' => [...], 'Line indent' => [...], 'PHP closing tag at end of PHP-only file' => [...], 'PHP open tag case' => [...], 'Number of newlines at EOF' => [...], 'Constant name case' => [...], 'Spaces found before comma in function call' => [...], 'Spaces found after comma in function call' => [...], 'Multiple statements on same line' => [...]]; private ${PHP_CodeSniffer\Files\File}metricTokens = ['PHP short open tag used' => [...], 'Line indent' => [...], 'PHP closing tag at end of PHP-only file' => [...], 'PHP open tag case' => [...], 'Number of newlines at EOF' => [...], 'Constant name case' => [...], 'Spaces found before comma in function call' => [...], 'Spaces found after comma in function call' => [...], 'Multiple statements on same line' => [...]]; protected $errorCount = 9; protected $warningCount = 0; protected $fixableCount = 9; protected $fixedCount = 0; protected $replayingErrors = FALSE; protected $ignoredListeners = ['PHP_CodeSniffer\\Standards\\Generic\\Sniffs\\Functions\\FunctionCallArgumentSpacingSniff' => TRUE]; protected $ignoredCodes = []; protected $listeners = []; protected $activeListener = 'PHPCSExtra\\Universal\\Sniffs\\WhiteSpace\\CommaSpacingSniff'; protected $listenerTimes = []; protected $configCache = ['cache' => TRUE, 'sniffs' => [...], 'exclude' => [...], 'errorSeverity' => 5, 'warningSeverity' => 5, 'recordErrors' => TRUE, 'trackTime' => FALSE, 'ignorePatterns' => [...], 'includePatterns' => [...]] }, $stackPtr = 296) ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/File.php:510
0.3371  118395752   8. PHPCSExtra\Universal\Sniffs\WhiteSpace\CommaSpacingSniff->processSpacingAfter($phpcsFile = class PHP_CodeSniffer\Files\LocalFile { public $path = '~/repos/wordpress-develop/wp-config.php'; protected $content = '<?php\n/**\n * The base configuration for WordPress\n *\n * The wp-config.php creation script uses this file during the installation.\n * You don\'t have to use the web site, you can copy this file to "wp-config.php"\n * and fill in the values.\n *\n * This file contains the following configurations:\n *\n * * Database settings\n * * Secret keys\n * * Database table prefix\n * * Localized language\n * * ABSPATH\n *\n * @link https://wordpress.org/support/article/editing-wp-config-php/\n *\n * @package WordPress\n */\n\n// ** Dat'...; public $config = class PHP_CodeSniffer\Config { private $settings = [...]; public $dieOnUnknownArg = TRUE; private $cliArgs = [...]; private $validGenerators = [...] }; public $ruleset = class PHP_CodeSniffer\Ruleset { public $name = 'WordPress Coding Standards'; public $paths = [...]; public $ignorePatterns = [...]; public $includePatterns = [...]; public $sniffs = [...]; public $sniffCodes = [...]; public $tokenListeners = [...]; public $ruleset = [...]; protected $rulesetDirs = [...]; private $config = class PHP_CodeSniffer\Config { ... }; private $deprecatedSniffs = [...]; private $msgCache = class PHP_CodeSniffer\Util\MessageCollector { ... } }; public $ignored = FALSE; public $eolChar = '\n'; public $fixer = class PHP_CodeSniffer\Fixer { public $enabled = FALSE; public $loops = 0; private $currentFile = ...; private $tokens = [...]; private $fixedTokens = [...]; private $oldTokenValues = [...]; private $changeset = [...]; private $inChangeset = FALSE; private $inConflict = FALSE; private $numFixes = 0 }; public $tokenizer = class PHP_CodeSniffer\Tokenizers\PHP { protected $config = class PHP_CodeSniffer\Config { ... }; protected $eolChar = '\n'; protected $tokens = [...]; protected $numTokens = 745; public $scopeOpeners = [...]; public $endScopeTokens = [...]; public $knownLengths = [...]; public $ignoredLines = [...]; protected $tstringContexts = [...] }; public $tokenizerType = 'PHP'; public $fromCache = FALSE; public $numTokens = 745; protected $tokens = [0 => [...], 1 => [...], 2 => [...], 3 => [...], 4 => [...], 5 => [...], 6 => [...], 7 => [...], 8 => [...], 9 => [...], 10 => [...], 11 => [...], 12 => [...], 13 => [...], 14 => [...], 15 => [...], 16 => [...], 17 => [...], 18 => [...], 19 => [...], 20 => [...], 21 => [...], 22 => [...], 23 => [...], 24 => [...], 25 => [...], 26 => [...], 27 => [...], 28 => [...], 29 => [...], 30 => [...], 31 => [...], 32 => [...], 33 => [...], 34 => [...], 35 => [...], 36 => [...], 37 => [...], 38 => [...], 39 => [...], 40 => [...], 41 => [...], 42 => [...], 43 => [...], 44 => [...], 45 => [...], 46 => [...], 47 => [...], 48 => [...], 49 => [...], 50 => [...], 51 => [...], 52 => [...], 53 => [...], 54 => [...], 55 => [...], 56 => [...], 57 => [...], 58 => [...], 59 => [...], 60 => [...], 61 => [...], 62 => [...], 63 => [...], 64 => [...], 65 => [...], 66 => [...], 67 => [...], 68 => [...], 69 => [...], 70 => [...], 71 => [...], 72 => [...], 73 => [...], 74 => [...], 75 => [...], 76 => [...], 77 => [...], 78 => [...], 79 => [...], 80 => [...], 81 => [...], 82 => [...], 83 => [...], 84 => [...], 85 => [...], 86 => [...], 87 => [...], 88 => [...], 89 => [...], 90 => [...], 91 => [...], 92 => [...], 93 => [...], 94 => [...], 95 => [...], 96 => [...], 97 => [...], 98 => [...], 99 => [...], 100 => [...], 101 => [...], 102 => [...], 103 => [...], 104 => [...], 105 => [...], 106 => [...], 107 => [...], 108 => [...], 109 => [...], 110 => [...], 111 => [...], 112 => [...], 113 => [...], 114 => [...], 115 => [...], 116 => [...], 117 => [...], 118 => [...], 119 => [...], 120 => [...], 121 => [...], 122 => [...], 123 => [...], 124 => [...], 125 => [...], 126 => [...], 127 => [...], ...]; protected $errors = [104 => [...], 1 => [...], 52 => [...], 53 => [...], 54 => [...], 55 => [...], 56 => [...]]; protected $warnings = []; protected $metrics = ['PHP short open tag used' => [...], 'Line indent' => [...], 'PHP closing tag at end of PHP-only file' => [...], 'PHP open tag case' => [...], 'Number of newlines at EOF' => [...], 'Constant name case' => [...], 'Spaces found before comma in function call' => [...], 'Spaces found after comma in function call' => [...], 'Multiple statements on same line' => [...]]; private ${PHP_CodeSniffer\Files\File}metricTokens = ['PHP short open tag used' => [...], 'Line indent' => [...], 'PHP closing tag at end of PHP-only file' => [...], 'PHP open tag case' => [...], 'Number of newlines at EOF' => [...], 'Constant name case' => [...], 'Spaces found before comma in function call' => [...], 'Spaces found after comma in function call' => [...], 'Multiple statements on same line' => [...]]; protected $errorCount = 9; protected $warningCount = 0; protected $fixableCount = 9; protected $fixedCount = 0; protected $replayingErrors = FALSE; protected $ignoredListeners = ['PHP_CodeSniffer\\Standards\\Generic\\Sniffs\\Functions\\FunctionCallArgumentSpacingSniff' => TRUE]; protected $ignoredCodes = []; protected $listeners = []; protected $activeListener = 'PHPCSExtra\\Universal\\Sniffs\\WhiteSpace\\CommaSpacingSniff'; protected $listenerTimes = []; protected $configCache = ['cache' => TRUE, 'sniffs' => [...], 'exclude' => [...], 'errorSeverity' => 5, 'warningSeverity' => 5, 'recordErrors' => TRUE, 'trackTime' => FALSE, 'ignorePatterns' => [...], 'includePatterns' => [...]] }, $stackPtr = 296) ~/repos/wordpress-develop/vendor/phpcsstandards/phpcsextra/Universal/Sniffs/WhiteSpace/CommaSpacingSniff.php:112
0.3371  118396096   9. PHPCSUtils\Fixers\SpacesFixer::checkAndFix($phpcsFile = class PHP_CodeSniffer\Files\LocalFile { public $path = '~/repos/wordpress-develop/wp-config.php'; protected $content = '<?php\n/**\n * The base configuration for WordPress\n *\n * The wp-config.php creation script uses this file during the installation.\n * You don\'t have to use the web site, you can copy this file to "wp-config.php"\n * and fill in the values.\n *\n * This file contains the following configurations:\n *\n * * Database settings\n * * Secret keys\n * * Database table prefix\n * * Localized language\n * * ABSPATH\n *\n * @link https://wordpress.org/support/article/editing-wp-config-php/\n *\n * @package WordPress\n */\n\n// ** Dat'...; public $config = class PHP_CodeSniffer\Config { private $settings = [...]; public $dieOnUnknownArg = TRUE; private $cliArgs = [...]; private $validGenerators = [...] }; public $ruleset = class PHP_CodeSniffer\Ruleset { public $name = 'WordPress Coding Standards'; public $paths = [...]; public $ignorePatterns = [...]; public $includePatterns = [...]; public $sniffs = [...]; public $sniffCodes = [...]; public $tokenListeners = [...]; public $ruleset = [...]; protected $rulesetDirs = [...]; private $config = class PHP_CodeSniffer\Config { ... }; private $deprecatedSniffs = [...]; private $msgCache = class PHP_CodeSniffer\Util\MessageCollector { ... } }; public $ignored = FALSE; public $eolChar = '\n'; public $fixer = class PHP_CodeSniffer\Fixer { public $enabled = FALSE; public $loops = 0; private $currentFile = ...; private $tokens = [...]; private $fixedTokens = [...]; private $oldTokenValues = [...]; private $changeset = [...]; private $inChangeset = FALSE; private $inConflict = FALSE; private $numFixes = 0 }; public $tokenizer = class PHP_CodeSniffer\Tokenizers\PHP { protected $config = class PHP_CodeSniffer\Config { ... }; protected $eolChar = '\n'; protected $tokens = [...]; protected $numTokens = 745; public $scopeOpeners = [...]; public $endScopeTokens = [...]; public $knownLengths = [...]; public $ignoredLines = [...]; protected $tstringContexts = [...] }; public $tokenizerType = 'PHP'; public $fromCache = FALSE; public $numTokens = 745; protected $tokens = [0 => [...], 1 => [...], 2 => [...], 3 => [...], 4 => [...], 5 => [...], 6 => [...], 7 => [...], 8 => [...], 9 => [...], 10 => [...], 11 => [...], 12 => [...], 13 => [...], 14 => [...], 15 => [...], 16 => [...], 17 => [...], 18 => [...], 19 => [...], 20 => [...], 21 => [...], 22 => [...], 23 => [...], 24 => [...], 25 => [...], 26 => [...], 27 => [...], 28 => [...], 29 => [...], 30 => [...], 31 => [...], 32 => [...], 33 => [...], 34 => [...], 35 => [...], 36 => [...], 37 => [...], 38 => [...], 39 => [...], 40 => [...], 41 => [...], 42 => [...], 43 => [...], 44 => [...], 45 => [...], 46 => [...], 47 => [...], 48 => [...], 49 => [...], 50 => [...], 51 => [...], 52 => [...], 53 => [...], 54 => [...], 55 => [...], 56 => [...], 57 => [...], 58 => [...], 59 => [...], 60 => [...], 61 => [...], 62 => [...], 63 => [...], 64 => [...], 65 => [...], 66 => [...], 67 => [...], 68 => [...], 69 => [...], 70 => [...], 71 => [...], 72 => [...], 73 => [...], 74 => [...], 75 => [...], 76 => [...], 77 => [...], 78 => [...], 79 => [...], 80 => [...], 81 => [...], 82 => [...], 83 => [...], 84 => [...], 85 => [...], 86 => [...], 87 => [...], 88 => [...], 89 => [...], 90 => [...], 91 => [...], 92 => [...], 93 => [...], 94 => [...], 95 => [...], 96 => [...], 97 => [...], 98 => [...], 99 => [...], 100 => [...], 101 => [...], 102 => [...], 103 => [...], 104 => [...], 105 => [...], 106 => [...], 107 => [...], 108 => [...], 109 => [...], 110 => [...], 111 => [...], 112 => [...], 113 => [...], 114 => [...], 115 => [...], 116 => [...], 117 => [...], 118 => [...], 119 => [...], 120 => [...], 121 => [...], 122 => [...], 123 => [...], 124 => [...], 125 => [...], 126 => [...], 127 => [...], ...]; protected $errors = [104 => [...], 1 => [...], 52 => [...], 53 => [...], 54 => [...], 55 => [...], 56 => [...]]; protected $warnings = []; protected $metrics = ['PHP short open tag used' => [...], 'Line indent' => [...], 'PHP closing tag at end of PHP-only file' => [...], 'PHP open tag case' => [...], 'Number of newlines at EOF' => [...], 'Constant name case' => [...], 'Spaces found before comma in function call' => [...], 'Spaces found after comma in function call' => [...], 'Multiple statements on same line' => [...]]; private ${PHP_CodeSniffer\Files\File}metricTokens = ['PHP short open tag used' => [...], 'Line indent' => [...], 'PHP closing tag at end of PHP-only file' => [...], 'PHP open tag case' => [...], 'Number of newlines at EOF' => [...], 'Constant name case' => [...], 'Spaces found before comma in function call' => [...], 'Spaces found after comma in function call' => [...], 'Multiple statements on same line' => [...]]; protected $errorCount = 9; protected $warningCount = 0; protected $fixableCount = 9; protected $fixedCount = 0; protected $replayingErrors = FALSE; protected $ignoredListeners = ['PHP_CodeSniffer\\Standards\\Generic\\Sniffs\\Functions\\FunctionCallArgumentSpacingSniff' => TRUE]; protected $ignoredCodes = []; protected $listeners = []; protected $activeListener = 'PHPCSExtra\\Universal\\Sniffs\\WhiteSpace\\CommaSpacingSniff'; protected $listenerTimes = []; protected $configCache = ['cache' => TRUE, 'sniffs' => [...], 'exclude' => [...], 'errorSeverity' => 5, 'warningSeverity' => 5, 'recordErrors' => TRUE, 'trackTime' => FALSE, 'ignorePatterns' => [...], 'includePatterns' => [...]] }, $stackPtr = 296, $secondPtr = 298, $expectedSpaces = 1, $errorTemplate = 'Expected %1$s between the comma and "\'!RC{(YmFxo^o4?B=3>D S1cOl<-N?9z3[5I<c^&%%%DITY$)Kx&O+j$a7312Ez_\'". Found: %2$s', $errorCode = 'TooMuchSpaceAfterInFunctionCall', $errorType = 'error', $errorSeverity = 0, $metricName = 'Spaces found after comma in function call') ~/repos/wordpress-develop/vendor/phpcsstandards/phpcsextra/Universal/Sniffs/WhiteSpace/CommaSpacingSniff.php:285
0.3371  118396424  10. PHP_CodeSniffer\Files\File->addFixableError($error = 'Expected %1$s between the comma and "\'!RC{(YmFxo^o4?B=3>D S1cOl<-N?9z3[5I<c^&%%%DITY$)Kx&O+j$a7312Ez_\'". Found: %2$s', $stackPtr = 296, $code = 'TooMuchSpaceAfterInFunctionCall', $data = [0 => '1 space', 1 => '2 spaces'], $severity = 0) ~/repos/wordpress-develop/vendor/phpcsstandards/phpcsutils/PHPCSUtils/Fixers/SpacesFixer.php:229
0.3371  118396424  11. PHP_CodeSniffer\Files\File->addError($error = 'Expected %1$s between the comma and "\'!RC{(YmFxo^o4?B=3>D S1cOl<-N?9z3[5I<c^&%%%DITY$)Kx&O+j$a7312Ez_\'". Found: %2$s', $stackPtr = 296, $code = 'TooMuchSpaceAfterInFunctionCall', $data = [0 => '1 space', 1 => '2 spaces'], $severity = 0, $fixable = TRUE) ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/File.php:793
0.3371  118396424  12. PHP_CodeSniffer\Files\File->addMessage($error = TRUE, $message = 'Expected %1$s between the comma and "\'!RC{(YmFxo^o4?B=3>D S1cOl<-N?9z3[5I<c^&%%%DITY$)Kx&O+j$a7312Ez_\'". Found: %2$s', $line = 58, $column = 27, $code = 'TooMuchSpaceAfterInFunctionCall', $data = [0 => '1 space', 1 => '2 spaces'], $severity = 0, $fixable = TRUE) ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/File.php:685
0.3371  118397304  13. vsprintf($format = 'Expected %1$s between the comma and "\'!RC{(YmFxo^o4?B=3>D S1cOl<-N?9z3[5I<c^&%%%DITY$)Kx&O+j$a7312Ez_\'". Found: %2$s', $values = [0 => '1 space', 1 => '2 spaces']) ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/File.php:1073

The last line of the stack trace was telling:

0.3371  118397304  13. vsprintf($format = 'Expected %1$s between the comma and "\'!RC{(YmFxo^o4?B=3>D S1cOl<-N?9z3[5I<c^&%%%DITY$)Kx&O+j$a7312Ez_\'". Found: %2$s', $values = [0 => '1 space', 1 => '2 spaces']) ~/repos/wordpress-develop/vendor/squizlabs/php_codesniffer/src/Files/File.php:1073

It appears that the logic in escapePlaceholders is not adequately escaping the string:

!RC{(YmFxo^o4?B=3>D S1cOl<-N?9z3[5I<c^&7%D%DITY$)Kx&O+j$a7312Ez_

PHPCSExtra/Universal/Sniffs/WhiteSpace/CommaSpacingSniff.php

Lines 321 to 324 in 4eeabc4

	private function escapePlaceholders($text)
	{
	return \preg_replace('`(?:^|[^%])(%)(?:[^%]|$)`', '%%', \trim($text));
	}

[jrfnl]

@westonruter Good catch! Thanks for reporting this. PR #401 should fix this. Testing appreciated.

[jrfnl]

@westonruter I've released the fix: https://github.com/PHPCSStandards/PHPCSExtra/releases/tag/1.4.2