XSS: Differentiate between functions and variables.

[grappler]

Split off from #744

With the following example we can be 100% sure that it is a correct error because it is a know WordPress function.
Expected next thing to be an escaping function (see Codex for 'Data Validation'), not 'home_url' (WordPress.XSS.EscapeOutput.OutputNotEscaped)

Another example would be the i18n functions. In WordPress core they are not being escaped. If we wanted to run WPCS on WordPress we would need to disable this sniff.
Expected next thing to be an escaping function (see Codex for 'Data Validation'), not '__' (WordPress.XSS.EscapeOutput.OutputNotEscaped)

This would be useful for the Theme Review Team. At the moment we have changed the notice from Error to Warning because there are too many false positives. There are a few results that we can completely trust and it would help to make those an error.

[GaryJones]

Just because a function is in WP core, doesn't mean it is safe to use unescaped.

[grappler]

Sorry, you misunderstood. If the function is in WordPress then we know if it needs to be escaped or not. So we know for sure that home_url() needs to be escaped but we do not have the same certainty for variable $foo because that could be anything.

[jrfnl]

Adding differentiation based on what was found to the error codes now would be a breaking change and I'm not sure how much value it would add.
Marking this as a candidate for closing.