[SEMGREP] - Prevent Semgrep warnings in add_query vars and in Scripts loader

[puntope]

Changes proposed in this Pull Request:

This PR prevents two issues in SEMGREP to warn in the output:

• Potential Unsafe usage (non escaped) of remove_query_arg() or add_query_arg(), which could lead to XSS
• Argument of a function used in an include/require, could lead to File Inclusion

Detailed test instructions:

1. ⚠️ Verify you can connect to Wordpress.com from the Extension Setup in Step 1.
2. Verify that running SEMGREP against the extension doesn't generate this warnings anymore

Additional details:

For running semgrep:

• Install semgrep
• clone rules --> git clone [email protected]:Automattic/wpscan-semgrep-rules.git
• cd wpscan-semgrep-rules
• download last release google-listings-and-ads zip somewhere and unzip it.
• Run --> semgrep --no-git-ignore --text -c audit {UNZIPPED_GLA_PATH}
• (You can also run it agains your locally cloned repo, but that would include noise in regards vendor files)

Changelog entry

Dev - Fix SEMGREP warnings

[codecov]

Codecov Report

Merging #1950 (97922a0) into develop (ef52b83) will not change coverage.
The diff coverage is 100.0%.

Additional details and impacted files

@@            Coverage Diff            @@
##             develop   #1950   +/-   ##
=========================================
  Coverage       56.8%   56.8%           
  Complexity      4101    4101           
=========================================
  Files            456     456           
  Lines          17620   17620           
=========================================
  Hits           10010   10010           
  Misses          7610    7610           

Flag	Coverage Δ
php-unit-tests	56.8% <100.0%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
src/Assets/ScriptWithBuiltDependenciesAsset.php	0.0% <ø> (ø)
...API/Site/Controllers/Jetpack/AccountController.php	100.0% <100.0%> (ø)

[mikkamp]

Thanks for the changes. I can confirm the Jetpack Connect URL remains the same regardless of adding esc_url. All parts of the URL are already properly escaped so it doesn't really do anything but esc_url is safe to call multiple times, so that's ok.

Just left one comment adding a colon to the ignore comment, it's important to add (in other PR's as well) since without it it disables all rules.

I'll go ahead and approve the PR already because once we add the colon it should all be good.