Security/PHPFilterFunctions: prevent some false positives

The `'raw'` key in the parameter arrays returned from the `PassedParameters` class contains - as per the name - the _raw_ contents of the parameter.

Since PHPCSUtils 1.0.0-alpha4, the return array also contain a `'clean'` index, which contains the contents of the parameter cleaned of comments.

By switching to using that key, some false positives get prevented.

Includes unit tests demonstrating the issue and safeguarding the fix.

Author: jrfnl

WordPressVIPMinimum/Sniffs/Security/PHPFilterFunctionsSniff.php

@@ -67,9 +67,9 @@ public function process_parameters( $stackPtr, $group_name, $matched_content, $p
 				$this->phpcsFile->addWarning( $message, $stackPtr, 'MissingThirdParameter', $data );
 			}
 
-			if ( isset( $parameters[3], $this->restricted_filters[ $parameters[3]['raw'] ] ) ) {
+			if ( isset( $parameters[3], $this->restricted_filters[ $parameters[3]['clean'] ] ) ) {
 				$message = 'Please use an appropriate filter to sanitize, as "%s" does no filtering, see: http://php.net/manual/en/filter.filters.sanitize.php.';
-				$data    = [ $parameters[3]['raw'] ];
+				$data    = [ $parameters[3]['clean'] ];
 				$this->phpcsFile->addWarning( $message, $stackPtr, 'RestrictedFilter', $data );
 			}
 		} else {
@@ -79,9 +79,9 @@ public function process_parameters( $stackPtr, $group_name, $matched_content, $p
 				$this->phpcsFile->addWarning( $message, $stackPtr, 'MissingSecondParameter', $data );
 			}
 
-			if ( isset( $parameters[2], $this->restricted_filters[ $parameters[2]['raw'] ] ) ) {
+			if ( isset( $parameters[2], $this->restricted_filters[ $parameters[2]['clean'] ] ) ) {
 				$message = 'Please use an appropriate filter to sanitize, as "%s" does no filtering, see http://php.net/manual/en/filter.filters.sanitize.php.';
-				$data    = [ $parameters[2]['raw'] ];
+				$data    = [ $parameters[2]['clean'] ];
 				$this->phpcsFile->addWarning( $message, $stackPtr, 'RestrictedFilter', $data );
 			}
 		}

WordPressVIPMinimum/Tests/Security/PHPFilterFunctionsUnitTest.inc

@@ -43,7 +43,7 @@ $incorrect_but_ok = filter_input();
  */
 filter_input( INPUT_GET, 'foo' ); // Missing third parameter.
 \filter_input( INPUT_GET, 'foo', FILTER_DEFAULT ); // This filter ID does nothing.
-filter_input( INPUT_GET, "foo", FILTER_UNSAFE_RAW  ,); // This filter ID does nothing.
+filter_input( INPUT_GET, "foo", FILTER_UNSAFE_RAW /* comment */ ,); // This filter ID does nothing.
 
 filter_var( $url ); // Missing second parameter.
 Filter_Var( $url, FILTER_DEFAULT ); // This filter ID does nothing.