2.1.0
Version release date: 2019-04-08 18:57:46
Latest release of WordPress/WordPress-Coding-Standards: 3.1.0 (2024-03-26 00:44:32)
Added
- New `WordPress.PHP.IniSet` sniff in the `WordPress-Extra` ruleset. This sniff detects calls to `ini_set()` and `ini_alter()` and warns against their use, as changing configuration values at runtime leads to an unpredictable runtime environment, which can result in conflicts between core, plugins and themes.
  - The sniff will not throw notices about a very limited set of "safe" ini directives.
  - For a number of ini directives for which there are alternative, non-conflicting ways to achieve the same result, the sniff will throw an `error` and advise using the alternative.
- `doubleval()`, `count()` and `sizeof()` to the `Sniff::$unslashingSanitizingFunctions` property. While `count()` and its alias `sizeof()` don't actually unslash or sanitize, the output of these functions is safe to use without unslashing or sanitizing. This affects the `WordPress.Security.ValidatedSanitizedInput` and the `WordPress.Security.NonceVerification` sniffs.
- The new WP 5.1 `WP_UnitTestCase_Base` class to the `Sniff::$test_class_whitelist` property.
- New `Sniff::get_array_access_keys()` utility method to retrieve all array keys for a variable using multi-level array access.
- New `Sniff::is_class_object_call()` and `Sniff::is_token_namespaced()` utility methods. These should make the check of whether a function call is a global function, a method call or a namespaced function call more consistent. This also allows for the `namespace` keyword being used as an operator.
- New `Sniff::is_in_function_call()` utility method to facilitate checking whether a token is (part of) a parameter passed to a specific (set of) function(s).
- New `Sniff::is_in_type_test()` utility method to determine if a variable is being type tested, along with a `Sniff::$typeTestFunctions` property containing the names of the functions this applies to.
- New `Sniff::is_in_array_comparison()` utility method to determine if a variable is (part of) a parameter in an array-value comparison, along with a `Sniff::$arrayCompareFunctions` property containing the names of the relevant functions.
- New `Sniff::$arrayWalkingFunctions` property containing the names of array functions which apply a callback to the array, but don't change the array by reference.
- New `Sniff::$unslashingFunctions` property containing the names of functions which unslash data passed to them and return the unslashed result.
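As an added illustration of what the new `WordPress.PHP.IniSet` sniff reports (this example is mine, not code from the WPCS project or WordPress core): a plugin callback that rewrites PHP configuration at runtime, beside the non-conflicting WordPress/PHP alternatives. The changelog does not list which directives the sniff treats as "safe" or which alternatives it suggests; the `memory_limit` / `max_execution_time` / `display_errors` pairings and the `example_` function names below are my choices for illustration.

```php
<?php
/**
 * Added example, not WPCS project code.
 *
 * Runtime ini changes of the kind the WordPress.PHP.IniSet sniff warns about,
 * beside alternatives that do not silently override configuration that core,
 * other plugins or the theme rely on.
 *
 * Assumption: the directive-to-alternative pairings shown here are the
 * author's illustration; the changelog itself does not list them.
 */

// Flagged: a plugin rewriting global PHP configuration for the whole request.
function example_export_before() {
	// Overrides whatever limit core or another plugin negotiated.
	ini_set( 'memory_limit', '512M' );
	// ini_alter() is an alias of ini_set() and is flagged the same way.
	ini_alter( 'max_execution_time', '300' );
	// If this reaches production it exposes paths and stack traces to visitors.
	ini_set( 'display_errors', '1' );
}

// Preferred: use the purpose-built WordPress/PHP APIs instead.
function example_export_after() {
	// Raises the limit to WP_MAX_MEMORY_LIMIT and lets site owners adjust it
	// via the 'export_memory_limit' filter, instead of a hard-coded override.
	wp_raise_memory_limit( 'export' );

	// Native PHP call for extending the execution time of this request only.
	set_time_limit( 300 );

	// Error display is a deployment decision made in wp-config.php
	// (WP_DEBUG / WP_DEBUG_DISPLAY); plugin code should log, not display.
	if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
		error_log( 'example: export started' );
	}
}
```

Running `phpcs --standard=WordPress-Extra` over a file containing `example_export_before()` reports each of the three calls; `example_export_after()` passes the sniff. Note that the sniff reports against the directive name, so `ini_set( $name, $value )` with a variable name is still warned about, just without a suggested alternative.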
Changed
- Moved the `WordPress.PHP.StrictComparisons`, `WordPress.PHP.StrictInArray` and the `WordPress.CodeAnalysis.AssignmentInCondition` sniffs from the `WordPress-Extra` to the `WordPress-Core` ruleset.
- The `Squiz.Commenting.InlineComment.SpacingAfter` error is no longer included in the `WordPress-Docs` ruleset.
- The default value for `minimum_supported_wp_version`, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to `4.8`.
- The `WordPress.WP.DeprecatedFunctions` sniff will now detect functions deprecated in WP 5.1.
- The `WordPress.Security.NonceVerification` sniff now allows for variable type testing, comparisons, unslashing and sanitization before the nonce check. A nonce check within the same scope, however, is still required.
- The `WordPress.Security.ValidatedSanitizedInput` sniff now allows for using a superglobal in an array-value comparison without sanitization, the same as when the superglobal is used in a scalar value comparison.
- `WordPress.NamingConventions.PrefixAllGlobals`: some of the error messages have been made more explicit.
- The error messages for the `WordPress.Security.ValidatedSanitizedInput` sniff will now contain information on the index keys accessed.
- The error message for `WordPress.Security.ValidatedSanitizedInput.InputNotValidated` has been reworded to make it more obvious what the actual issue being reported is.
- The error message for `WordPress.Security.ValidatedSanitizedInput.MissingUnslash` has been reworded.
- The `Sniff::is_comparison()` method now has a new `$include_coalesce` parameter to allow for toggling whether the null coalesce operator should be seen as a comparison operator. Defaults to `true`.
- All sniffs are now also being tested against PHP 7.4 (unstable) for consistent sniff results.
- The recommended version of the suggested DealerDirect PHPCS Composer plugin is now `^0.5.0`.
- Various minor code tweaks and clean up.
Removed
- `ini_set` and `ini_alter` from the list of functions detected by the `WordPress.PHP.DiscouragedFunctions` sniff. These are now covered via the new `WordPress.PHP.IniSet` sniff.
- `in_array()` and `array_key_exists()` from the list of `Sniff::$sanitizingFunctions`. These are now handled differently.
Fixed
- The `WordPress.NamingConventions.PrefixAllGlobals` sniff would underreport when global functions were autoloaded via a Composer autoload `files` configuration.
- The `WordPress.Security.EscapeOutput` sniff will now recognize `map_deep()` for escaping the values in an array via a callback to an output escaping function. This should prevent false positives.
- The `WordPress.Security.NonceVerification` sniff will no longer inadvertently allow for a variable to be sanitized without a nonce check within the same scope.
- The `WordPress.Security.ValidatedSanitizedInput` sniff will no longer throw errors when a variable is only being type tested.
- The `WordPress.Security.ValidatedSanitizedInput` sniff will now correctly recognize the null coalesce (PHP 7.0) and null coalesce equal (PHP 7.4) operators and will now throw errors for missing unslashing and sanitization where relevant.
- The `WordPress.WP.AlternativeFunctions` sniff will no longer recommend using `WP_Filesystem` when PHP native input streams, like `php://input`, or the PHP input stream constants are being read or written to.
- The `WordPress.WP.AlternativeFunctions` sniff will no longer report on usage of the `curl_version()` function.
- The `WordPress.WP.CronInterval` sniff now has improved function recognition which should lower the chance of false positives.
- The `WordPress.WP.EnqueuedResources` sniff will no longer throw false positives for inline jQuery code trying to access a stylesheet link tag.
- Various bugfixes for the `Sniff::has_nonce_check()` method:
  - The method will no longer incorrectly identify methods/namespaced functions mirroring the name of WP native nonce verification functions as if they were the global functions. This will prevent some false negatives.
  - The method will now skip over nested closed scopes, such as closures and anonymous classes. This should prevent some false negatives for nonce verification being done while not in the correct scope.
  These fixes affect the `WordPress.Security.NonceVerification` sniff.
- The `Sniff::is_in_isset_or_empty()` method now also checks for usage of `array_key_exists()` and `key_exists()` and will regard these as correct ways to validate a variable. This should prevent false positives for the `WordPress.Security.ValidatedSanitizedInput` and the `WordPress.Security.NonceVerification` sniffs.
- Various bugfixes for the `Sniff::is_sanitized()` method:
  - The method presumed the WordPress coding style regarding code layout, which could lead to false positives.
  - The method will no longer incorrectly identify methods/namespaced functions mirroring the name of WP/PHP native unslashing/sanitization functions as if they were the global functions. This will prevent some false negatives.
  - The method will now recognize `map_deep()` for sanitizing an array via a callback to a sanitization function. This should prevent false positives.
  - The method will now recognize `stripslashes_deep()` and `stripslashes_from_strings_only()` as valid unslashing functions. This should prevent false positives.
  All these fixes affect both the `WordPress.Security.ValidatedSanitizedInput` and the `WordPress.Security.NonceVerification` sniffs.
- Various bugfixes for the `Sniff::is_validated()` method:
  - The method did not verify correctly whether a variable being validated was the same variable as the one used later, which could lead to false negatives.
  - The method did not verify correctly whether a variable being validated had the same array index keys as the variable used later, which could lead to both false negatives as well as false positives.
  - The method now also checks for usage of `array_key_exists()` and `key_exists()` and will regard these as correct ways to validate a variable. This should prevent some false positives.
  - The method will now recognize the null coalesce and the null coalesce equal operators as ways to validate a variable. This prevents some false positives.
  The results from the `WordPress.Security.ValidatedSanitizedInput` sniff should be more accurate because of these fixes.
- A potential "Undefined index" notice from the `Sniff::is_assignment()` method.
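To make the nonce and input-handling changes above concrete, here is an added example of my own (not WPCS, WordPress core or any plugin's code) that exercises the patterns 2.1.0 now handles across the `WordPress.Security.NonceVerification`, `WordPress.Security.ValidatedSanitizedInput` and `WordPress.Security.EscapeOutput` sniffs: type tests and array-value comparisons before the nonce check, the null coalesce operator, `map_deep()` with sanitization and escaping callbacks, and the same-scope requirement. The `example_` function names, field names and the nonce action are invented for the illustration.

```php
<?php
/**
 * Added example, not WPCS project code. Field names, the nonce action and the
 * example_ prefix are made up for illustration.
 *
 * Shows the superglobal-handling patterns that the 2.1.0 NonceVerification and
 * ValidatedSanitizedInput sniffs now treat correctly, and one that is still an error.
 */

function example_handle_form() {
	// Validation-only usage is allowed before the nonce check and no longer
	// triggers "missing sanitization": isset()/array_key_exists(), a type test,
	// and an array-value comparison via in_array().
	if ( ! isset( $_POST['example_action'] ) || ! is_string( $_POST['example_action'] ) ) {
		return;
	}
	if ( ! in_array( $_POST['example_action'], array( 'save', 'delete' ), true ) ) {
		return;
	}

	// The nonce check must be in the SAME scope as the reads below. A
	// wp_verify_nonce() call inside a closure or a callback passed elsewhere
	// no longer satisfies the sniff for this function, because
	// Sniff::has_nonce_check() now skips nested closed scopes.
	if ( ! isset( $_POST['example_nonce'] )
		|| ! wp_verify_nonce( sanitize_key( $_POST['example_nonce'] ), 'example_save' ) ) {
		wp_die( 'Nonce check failed.' );
	}

	// Null coalesce now counts as validation, but unslashing and sanitization
	// are still required; `$_POST['example_title'] ?? ''` on its own would
	// now be reported (it was missed before 2.1.0).
	$title = sanitize_text_field( wp_unslash( $_POST['example_title'] ?? '' ) );

	// An array of values: map_deep() with a sanitizing callback is recognized
	// by Sniff::is_sanitized(), and count() is safe to call on the raw array.
	$ids = array();
	if ( isset( $_POST['example_ids'] ) && is_array( $_POST['example_ids'] ) ) {
		if ( count( $_POST['example_ids'] ) > 100 ) {
			wp_die( 'Too many items.' );
		}
		$ids = map_deep( wp_unslash( $_POST['example_ids'] ), 'absint' );
	}

	// Still an error, on purpose: a different key than the one validated above.
	// Sniff::is_validated() now compares index keys, so validating
	// $_POST['example_action'] does not cover $_POST['example_mode'].
	// $mode = $_POST['example_mode'];

	return array(
		'action' => $_POST['example_action'] === 'save' ? 'save' : 'delete',
		'title'  => $title,
		'ids'    => $ids,
	);
}

function example_render_ids( array $ids ) {
	// EscapeOutput now recognizes map_deep() with an escaping callback, so this
	// echo is not reported even though the values are joined by implode().
	echo implode( ', ', map_deep( $ids, 'esc_html' ) );
}
```

With `phpcs --standard=WordPress` the function passes as written; uncommenting the `$mode` line produces an `InputNotValidated` error naming the `example_mode` key, which is the index-key information the reworded messages now carry.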