Skip to content

Releases: WPTT/WPThemeReview

0.2.1

17 Nov 20:08
462e590
Compare
Choose a tag to compare

Changed

  • Added new $in_list parameter to the PrefixAllGlobalsSniff::process_variable_assignment() method, so that the method is compatible with the upstream WPCS method (changed in WPCS 2.2.0).
  • Updated the minimum version requirement for the WordPress Coding Standards dependency to version 2.2.0.
  • Replaced the deprecated WordPress.WP.TimezoneChange with WordPress.DateTime.RestrictedFunctions.timezone_change_date_default_timezone_set
  • Enforce the array short syntax when writing sniffs.
  • Travis: Minor build script tweaks.

0.2.0

18 Jul 07:56
1141d45
Compare
Choose a tag to compare

Added

  • New WPThemeReview.Templates.ReservedFileNamePrefix sniff: checks if the template file is using a prefix which would cause WP to interpret it as a specialized template, meant to apply to only one page on the site.
  • New WPThemeReview.Privacy.ShortenedURLs sniff: detects the usage of shortened URLs. Handbook rule.
  • New WPThemeReview.CoreFunctionality.PostsPerPage sniff: adds a warning when a high pagination limit is detected, or if -1 is used in posts_per_page setting while querying posts, due to detrimental effects it has on the query speed.
  • New WPThemeReview.CoreFunctionality.PrefixAllGlobals sniff, which extends the WordPress.NamingConventions.PrefixAllGlobals. The new sniff overloads the prefix check for variables only and will bow out if the file being scanned has a typical theme template file name. For all other files, it will fall through to the WPCS native sniff.
    Notes:
    • The new sniff adds a public $allowed_folders property to whitelist files in specific folders of a theme as template files.
      The ruleset.xml file sets this property to a limited set of folders whitelisted by default.
    • Similar to the WPCS FileNameSniff, this sniff does not currently allow for mimetype sublevel only theme template file names, such as plain.php.
  • Added two new groups to the restricted functions group: editor-blocks and cron-functionality in the WPThemeReview.PluginTerritory.ForbiddenFunctions sniff, which will check against core editor blocks being registered in the themes, and against the usage of cron functions in the theme respectively.
  • The WordPress.PHP.IniSet rule was added to the ruleset to check against themes setting ini configuration during runtime.
  • The WordPress.WP.DeprecatedParameterValues rule was added to the ruleset about usage of deprecated parameter values in WP functions. The sniff will suggest an alternative based on the parameter passed.

Changed

  • Added XSD schema tags and validated the ruleset against schema (PHPCS 3.2+/3.3.2+).
  • Updated the minimum version requirement for the WordPress Coding Standards dependency to version 2.1.0.
  • Updated the suggested dealerdirect/phpcodesniffer-composer-installer version.
  • Updated the WPThemeReview codebase, where relevant, for compatibility with WPCS 2.0+.
  • Ruleset tweaks: limit PHPCompatibility to PHP files
  • Composer tweaks: improve readability of script section
  • Travis: Run the code style related and ruleset checks in separate stages.
  • Travis: Unit tests are now also run against PHP 7.4 (dev)
  • Travis: Test against high/low WPCS versions due to sniffs that are extending the WPCS native sniffs.
  • Travis: Minor tweaks to the Travis script.

Removed

  • Remove encoding from the ruleset. The default encoding as of PHPCS 3.0.0 is utf-8, so we don't actually need to set this.

Fixed

  • Removal of HTML from error message about adding menu pages in WPThemeReview.PluginTerritory.NoAddAdminPages sniff.
  • Minor grammar changes in the ruleset.

0.1.0

31 Oct 17:05
d9fa0df
Compare
Choose a tag to compare

Added

Native sniffs

  • WPThemeReview.CoreFunctionality.FileInclude: checks if a theme uses include(_once) or require(_once) when get_template_part() should be used. Handbook rule.
  • WPThemeReview.CoreFunctionality.NoDeregisterCoreScript: checks if a theme deregisters core scripts (javascript). Handbook rule.
  • WPThemeReview.CoreFunctionality.NoFavicon: checks if a theme is hard coding favicons instead of using core implementation. Handbook rule.
  • WPThemeReview.CoreFunctionality.NoTitleTag: checks if a theme is using a <title> tag instead of add_theme_support( 'title-tag' ). <svg> tag can use a <title> tag. Handbook rule.
  • WPThemeReview.PluginTerritory.AdminBarRemoval: checks if a theme is removing the WP admin bar. This sniff was originally part of WordPressCS. Handbook rule.
  • WPThemeReview.PluginTerritory.ForbiddenFunctions: checks if a theme is using functions that fall under plugin territory. Handbook rule.
  • WPThemeReview.PluginTerritory.NoAddAdminPages: checks if a theme is using add_..._page() functions, with the exception of add_theme_page(). Handbook rule.
  • WPThemeReview.PluginTerritory.SessionFunctionsUsage: Prevents the usage of the session functions in themes. This sniff was originally part of WordPressCS.
  • WPThemeReview.PluginTerritory.SessionVariableUsage: Prevents the usage of the session variables in themes. This sniff was originally part of WordPressCS.
  • WPThemeReview.Plugins.CorrectTGMPAVersion: verifies that if the TGM Plugin Activation library is included, the correct version is used. Handbook rule.
  • WPThemeReview.ThouShallNotUse.ForbiddenIframe: checks if a theme is using <iframe>. Handbook rule.
  • WPThemeReview.ThouShallNotUse.NoAutoGenerate: checks if a theme has been generated using theme generators.

Other sniffs in the ruleset

  • PHPCompatibilityWP: added as an entire ruleset, checking that the theme is compatible with PHP 5.2 and above.
  • Generic.PHP.DisallowShortOpenTag: prohibits the usage of the PHP short open tags. Handbook rule.
  • Generic.PHP.DisallowAlternativePHPTags: disallows the usage of alternative PHP open tags (<% and similar).
  • Squiz.WhiteSpace.SuperfluousWhitespace.StartFile: files starting with a PHP open tag shouldn't have a whitespace preceding it, to prevent possible headers already sent errors.
  • PSR2.Files.ClosingTag.NotAllowed: files should omit the closing PHP tag at the end of a file, to prevent possible headers already sent errors.
  • Internal.LineEndings.Mixed: mixed line endings are not allowed. Handbook rule.
  • Internal.Tokenizer.Exception: minified scripts or files should have original files included. Handbook rule.
  • Generic.Files.ByteOrderMark: no ByteOrderMark allowed - important to prevent issues with content being sent before headers.
  • Generic.CodeAnalysis.EmptyStatement: prohibits empty statements in the code (empty conditionals for instance).
  • WordPress.CodeAnalysis.EmptyStatement: prohibits empty PHP statements (empty PHP tags with no content or double semi-colons).
  • WordPress.WP.I18n: check that the I18N functions are used correctly. This sniff can also check the text domain, provided it's passed to PHPCS. See the documentation for more details.
  • WordPress.WP.EnqueuedResources: hard coding of scripts and styles is prohibited. They should be enqueued.
  • WordPress.Security.PluginMenuSlug: prevent path disclosure when using add_theme_page().
  • Generic.PHP.NoSilencedErrors: usage of Error Control Operator @ is forbidden in a theme.
  • WordPress.DB.RestrictedClasses: the WP abstraction layer should be used to query database if needed.
  • WordPress.DB.RestrictedFunctions: the WP abstraction layer should be used to query database if needed.
  • WordPress.DB.PreparedSQL: all SQL queries should be prepared as close to the time of querying the database as possible.
  • WordPress.DB.PreparedSQLPlaceholders: verify that placeholders in prepared queries are used correctly.
  • WordPress.Security.ValidatedSanitizedInput: validate and/or sanitize untrusted data before using it.
  • WordPress.Security.EscapeOutput: all untrusted data should be escaped before output - warning, since translations don't have to be escaped.
  • Generic.PHP.BacktickOperator: prohibit the use of the backtick operator.
  • WordPress.WP.GlobalVariablesOverride: prohibit overwriting of WordPress global variables.
  • Squiz.PHP.Eval.Discouraged: prohibit the use of the eval() PHP language construct.
  • Generic.PHP.DiscourageGoto.Found: prohibit the use of the goto PHP language construct.
  • WordPress.WP.DeprecatedClasses: check for use of deprecated WordPress classes.
  • WordPress.WP.DeprecatedFunctions: check for use of deprecated WordPress functions.
  • WordPress.WP.DeprecatedParameters: check for use of deprecated WordPress function parameters.
  • WordPress.WP.DiscouragedConstants: check for deprecated WordPress constants.
  • WordPress.NamingConventions.PrefixAllGlobals: verify that everything in the global namespace is prefixed. Handbook rule. This rule will only work if a prefix is passed. See the documentation for more details.
  • WordPress.WP.CapitalPDangit: check for correct spelling of WordPress. Handbook rule
  • WordPress.WP.TimezoneChange: themes should never touch the timezone.