All notable changes to this project will be documented in this file.
This projects adheres to Semantic Versioning and Keep a CHANGELOG.
Nothing yet.
0.11.0 - 2017-03-20
If you use the WordPress Coding Standards with a custom ruleset, please be aware that some of the checks have been moved between sniffs and that the naming of a number of error codes has changed. If you exclude some sniffs or error codes, you may have to update your custom ruleset to be compatible with WPCS 0.11.0.
Additionally, to make it easier for you to customize your ruleset, two new wiki pages have been published with information on the properties you can adjust from your ruleset:
For more detailed information about the changed sniff names and error codes, please refer to PR #633 and PR #814.
If you maintain or develop sniffs based upon the WordPress Coding Standards, most notably, if you use methods and properties from the WordPress_Sniff class, extend one of the abstract sniff classes WPCS provides or extend other sniffs from WPCS to use their properties, please be aware that this release contains significant changes which will, more likely than not, affect your sniffs.
Please read this changelog carefully to understand how this will affect you. For more detailed information on the most significant changes, please refer to PR #795, PR #833 and PR #841. You are also encouraged to check the file history of any WPCS classes you extend.
WordPress.WP.DeprecatedFunctionssniff to theWordPress-Extraruleset to check for usage of deprecated WP version and show errors/warnings depending on aminimum_supported_versionwhich can be passed to the sniff from a custom ruleset. The default value for theminimum_supported_versionproperty is three versions before the current WP version.WordPress.WP.I18n: ability to check for missing translators comments when a I18n function call contains translatable text strings containing placeholders. This check will also verify that the translators comment is correctly placed in the code and uses the correct comment type for optimal compatibility with the various tools available to create.potfiles.WordPress.WP.I18n: ability to pass thetext_domainto check for from the command line.WordPress.Arrays.ArrayDeclarationSpacing: check + fixer for single line associative arrays. The handbook states that these should always be multi-line.WordPress.Files.FileName: verification that files containing a class reflect this in the file name as per the core guidelines. This particular check can be disabled in a custom ruleset by setting the newstrict_class_file_namesproperty.WordPress.Files.FileName: verification that files in/wp-includes/containing template tags - annotated with@subpackage Templatein the file header - use the-templatesuffix.WordPress.Files.FileName:is_themeproperty which can be set in a custom ruleset. This property can be used to indicate that the project being checked is a theme and will allow for a predefined theme hierarchy based set of exceptions to the file name rules.WordPress.VIP.AdminBarRemoval: check for hiding the admin bar using CSS.WordPress.VIP.AdminBarRemoval: customizableremove_onlyproperty to toggle whether to error of all manipulation of the visibility of the admin bar or to execute more thorough checking for removal only.WordPress.WhiteSpace.ControlStructureSpacing: support for checking the whitespace intry/catchconstructs.WordPress.WhiteSpace.ControlStructureSpacing: check that the space after the open parenthesis and before the closing parenthesis of control structures and functions is exactly one space. Includes auto-fixer.WordPress.WhiteSpace.CastStructureSpacing: ability to automatically fix errors thrown by the sniff.WordPress.VIP.SessionFunctionsUsage: detection of thesession_abort(),session_create_id(),session_gc()andsession_reset()functions.WordPress.CSRF.NonceVerification: ability to pass custom sanitization functions to the sniff.- The
get_the_ID()function to theautoEscapedFunctionslist used by theWordPress.XSS.EscapeOutputsniff. - The
wp_strip_all_tags(),sanitize_hex_color_no_hash()andsanitize_hex_color()functions to thesanitizingFunctionslist used by theWordPress.CSRF.NonceVerification,WordPress.VIP.ValidatedSanitizedInputandWordPress.XSS.EscapeOutputsniffs. - The
floatval()function to theescapingFunctions,sanitizingFunctions,unslashingSanitizingFunctions,SQLEscapingFunctionslists used by theWordPress.CSRF.NonceVerification,WordPress.VIP.ValidatedSanitizedInput,WordPress.XSS.EscapeOutputandWordPress.WP.PreparedSQLsniffs. - The table name based
clean_*_cache()functions to thecacheDeleteFunctionslist used by theWordPress.VIP.DirectDatabaseQuerysniff. - Abstract
AbstractFunctionParameterparent class to allow for examining parameters passed in function calls. - A number of utility functions to the
WordPress_Sniffclass:strip_quotes(),addMessage(),addFixableMessage(),string_to_errorcode(),does_function_call_have_parameters(),get_function_call_parameter_count(),get_function_call_parameters(),get_function_call_parameter(),has_html_open_tag(). Squiz.Commenting.LongConditionClosingComment,Squiz.WhiteSpace.CastSpacing,Generic.Formatting.DisallowMultipleStatementsto theWordPress-Coreruleset.Squiz.PHP.NonExecutableCode,Squiz.Operators.IncrementDecrementUsage,Squiz.Operators.ValidLogicalOperators,Squiz.Functions.FunctionDuplicateArgument,Generic.PHP.BacktickOperator,Squiz.PHP.DisallowSizeFunctionsInLoopsto theWordPress-Extraruleset.- Numerous additional unit tests covering the correct handling of properties overruled via a custom ruleset by various sniffs.
- Instructions on how to use WPCS with Visual Studio to the Readme.
- Section on how to use WPCS with CI Tools to the Readme, initially covering integration with Travis CI.
- Section on considerations when writing sniffs for WPCS to
Contributing.md.
- The minimum required PHP version to 5.2 (was 5.1).
- The minimum required PHP_CodeSniffer version to 2.8.1 (was 2.6).
- Improved support for detecting issues in code using closures (anonymous functions), short array syntax and anonymous classes.
- Improved sniff efficiency and performance for a number of sniffs.
- The discouraged/restricted functions sniffs have been reorganized and made more modular.
- The new
WordPress.PHP.DevelopmentFunctionssniff now contains the checks related to PHP functions typically used during development which are discouraged in production code. - The new
WordPress.PHP.DiscouragedPHPFunctionssniff now contains checks related to various PHP functions, use of which is discouraged for various reasons. - The new
WordPress.WP.AlternativeFunctionssniff contains the checks related to PHP functions for which WP offers an alternative which should be used instead. - The new
WordPress.WP.DiscouragedFunctionssniff contains checks related to various WP functions, use of which is discouraged for various reasons. - A number of checks contained in the
WordPress.VIP.RestrictedFunctionssniff have been moved to other sniffs. - The
WordPress.PHP.DiscouragedFunctionssniff has been deprecated and is no longer used. The checks which were previously contained herein have been moved to other sniffs. - The reorganized sniffs also detect a number of additional functions which were previously ignored by these sniffs. For more detail, please refer to the summary of the PR and to PR #759.
- The new
- The error codes for these sniffs as well as for
WordPress.DB.RestrictedClasses,WordPress.DB.RestrictedFunctions,WordPress.Functions.DontExtract,WordPress.PHP.POSIXFunctionsand a number of theVIPsniffs have changed. They were previously based on function group names and will now be based on function group name in combination with the identified function name. Complete function groups can still be silenced by using theexcludeproperty in a custom ruleset. WordPress.NamingConventions.ValidVariableName: ThecustomVariablesWhitelistproperty which could be passed from the ruleset has been renamed tocustomPropertiesWhitelistas it is only usable to whitelist class properties.WordPress.WP.I18n: now allows for an array of text domain names to be passed to thetext_domainproperty from a custom ruleset.WordPress.WhiteSpace.CastStructureSpacing: the error level for the checks in this sniff has been raised fromwarningtoerror.WordPress.Variables.GlobalVariables: will no longer throw errors if the global variable override is done from within a test method. Whether something is considered a "test method" is based on whether the method is in a class which extends a predefined set of known unit test classes. This list can be enhanced by setting thecustom_test_class_whitelistproperty in your ruleset.- The
WordPress.Arrays.ArrayDeclarationsniff has been split into two sniffs:WordPress.Arrays.ArrayDeclarationandWordPress.Arrays.ArrayDeclarationSpacingfor better compatibility with PHPCS upstream. - The
WordPress.Arrays.ArrayDeclarationsniff has been synced with the PHPCS upstream version to get the benefit of some bug fixes and improvements which had been made upstream since the sniff was originally copied over. - The
WordPress.VIP.FileSystemWritesDisallow,WordPress.VIP.TimezoneChangeandWordPress.VIP.SessionFunctionsUsagesniffs now extend theWordPress_AbstractFunctionRestrictionsSniff. - Property handling of custom properties set via a custom ruleset where the property is expected to be set in array format (
type="array") has been made more lenient and will now also handle properties passed as a comma delimited lists correctly. This affects all customizable properties which expect array format. - Moved
Squiz.PHP.DisallowMultipleAssignmentsfrom theWordPress-Extrato theWordPress-Coreruleset. - Replaced the
WordPress.Classes.ValidClassName,WordPress.PHP.DisallowAlternativePHPTagsand theWordPress.Classes.ClassOpeningStatementsniffs with the existingPEAR.NamingConventions.ValidClassNameand the new upstreamGeneric.PHP.DisallowAlternativePHPTagsandGeneric.Classes.OpeningBraceSameLinesniffs in theWordPress-Coreruleset. - Use the upstream
Squiz.PHP.Evalsniff for detecting the use ofeval()instead of a WPCS native implementation. - Made the
Generic.WhiteSpace.ScopeIndentsniff in theWordPress-Coreruleset more lenient to allow for different indentation in inline HTML, heredoc and nowdoc structures. - Made the
Generic.Strings.UnnecessaryStringConcatsniff in theWordPress-Extraruleset more lenient to allow for multi-line string concatenation. - All sniffs are now also being tested against PHP 7.1 for consistent sniff results.
- The requirements for running the sniffs have been made more explicit in the readme.
- Updated composer installation instructions in the readme.
- Updated information about the rulesets in the readme and moved the information up to make it easier to find.
- Improved the information about running the unit tests in
Contributing.md. - Improved the inline documentation of the rulesets.
- Various other code quality and code consistency improvements under the hood, including refactoring of some of the abstract sniff classes, closer coupling of the child classes to the
WordPress_Sniffparent class and changes to the visibility and staticness of properties for a large number of sniffs.
- Warnings thrown by individual sniffs about parse errors they encounter. This is left up to the
Generic.PHP.Syntaxsniff which is included in theWordPress-Extraruleset. - The
post_class()function from theautoEscapedFunctionslist used by theWordPress.XSS.EscapeOutputsniff. - The
Generic.Files.LowercasedFilenamesniff from theWordPress-Coreruleset in favour of the improvedWordPress.Files.FileNamesniff to prevent duplicate messages being thrown. - Some temporary work-arounds for changes which were pulled and merged into PHPCS upstream.
WordPress.Variables.GlobalVariables: All known bugs have been fixed. If you'd previously disabled the sniff in your custom ruleset because of these bugs, it should be fine to re-enable it now.- Assignments to global variables using other assignment operators than the
=operator were not detected. - If a
global ...;statement was detected, the whole file would be checked for the variables which were made global, not just the code after the global statement. - If a
global ...;statement was detected, the whole file would be checked for the variables which were made global, including code contained within a function/closure/class scope where there is no access to the global variable. - If a
global ...;statement was detected within a function call or closure, the whole file would be checked for the variables which were made global, not just the code within the function or closure. - If a
global ...;statement was detected and an assignment was made to a static class variable using the same name as one of the variables made global, an error would incorrectly be thrown. - An override of a protected global via
$GLOBALSin combination with simple string concatenation obfuscation was not being detected.
- Assignments to global variables using other assignment operators than the
WordPress.WP.I18n: all reported bugs have been fixed.- A superfluous
UnorderedPlaceholderserror was being thrown when%%(a literal % sign) was encountered in a string. - The sniff would sometimes erroneously trigger errors when a literal
%was found in a translatable string without placeholders. - Not all type of placeholders were being recognized.
- No warning was being thrown when encountering a mix of ordered and unordered placeholders.
- The fixer for unordered placeholders was erroneously replacing all placeholders as if they were the first one.
- The fixer for unordered placeholders could cause faulty replacements in double quoted strings.
- Compatibility with PHP nightly / PHP 7.2.
- A superfluous
WordPress.WhiteSpace.ControlStructureSpacing: synced in fixes from the upstream version.- The fixer would bork on control structures which contained only a single empty line.
- The sniff did not check the spacing used for
do {} while ()control structures. - Conditional function declarations could cause an infinite loop when using the fixer.
WordPress.VIP.PluginMenuSlug: the sniff would potentially incorrectly process method calls and namespaced functions with the same function name as the targeted WordPress native functions.WordPress.VIP.CronInterval: the native WP time constants were not recognized leading to false positives.WordPress.VIP.CronInterval: the finding of the referenced function declaration has been made more accurate.WordPress.PHP.YodaConditions: minor clarification of the error message.WordPress.NamingConventions.ValidVariableName: now allows for a predefined list of known mixed case global variables coming from WordPress itself reducing false positives.- The
unslashingSanitizingFunctionslist was not consistently taken into account when verifying whether a variable was sanitized for theWordPress.VIP.ValidatedSanitizedInputandWordPress.CSRF.NonceVerificationsniffs. - The passing of properties via the ruleset was buggy for a number of sniffs - most notably those sniffs using custom properties in array format - and could lead to unintended bleed-through between sniffs.
- Various (potential)
Undefined variable,Undefined indexandUndefined offsetnotices. - An issue with placeholder replacement not taking place in some error messages.
- A (potential) issue which could play up when sniffs examined text strings which contained quotes.
0.10.0 - 2016-08-29
WordPress.WP.I18nsniff to theWordPress-Coreruleset to flag dynamic translatable strings and textdomains.WordPress.PHP.DisallowAlternativePHPTagssniff to theWordPress-Coreruleset to flag - and fix - ASP and<script>PHP open tags.WordPress.Classes.ClassOpeningStatementsniff to theWordPress-Coreruleset to flag - and fix - class opening brace placement.WordPress.NamingConventions.ValidHookNamesniff to theWordPress-Coreruleset to flag filter and action hooks which don't comply with the guideline of lowercase letters and underscores. For maintaining backward-compatibility of hook names anadditionalWordDelimitersproperty can be added via a custom ruleset.WordPress.Functions.DontExtractsniff to theWordPress-Coreruleset to flag usage of theextract()function.WordPress.PHP.POSIXFunctionssniff to theWordPress-Coreruleset to flag usage of regex functions from the POSIX PHP extension which was deprecated since PHP 5.3 and removed in PHP 7.WordPress.DB.RestrictedFunctionsandWordPress.DB.RestrictedClassessniffs to theWordPress-Coreruleset to flag usage of direct database calls using PHP functions and classes rather than the WP functions for the same.- Abstract
AbstractClassRestrictionsparent class to allow for easier sniffing for usage of specific classes. Squiz.Strings.ConcatenationSpacing,PSR2.ControlStructures.ElseIfDeclaration,PSR2.Files.ClosingTag,Generic.NamingConventions.UpperCaseConstantNameto theWordPress-Coreruleset.- Ability to add arbitrary variables to the whitelist via a custom ruleset property for the
WordPress.NamingConventions.ValidVariableNamesniff. - Ability to use a whitelist comment for tax queries for the
WordPress.VIP.SlowDBQuerysniff. - Instructions on how to use WPCS with Atom and SublimeLinter to the Readme.
- Reference to the wiki to the Readme.
- Recommendation to also use the PHPCompatibility ruleset to the Readme.
- The minimum required PHP_CodeSniffer version to 2.6.0.
- Moved the
WordPress.WP.PreparedSQLsniff fromWordPress-ExtratoWordPress-Core. WordPress.PHP.StrictInArraywill now also flag non-strict usage ofarray_keys()andarray_search().- Added
_deprecated_constructor()and_deprecated_hook()to the list of printing functions. - Added numerous additional functions to sniff for to the
WordPress.VIP.RestrictedFunctionssniff as per the VIP guidelines. - Upped the
posts_per_pagelimit from 50 to 100 inWordPress.VIP.PostsPerPagesniff as per the VIP guidelines. - Added
cat_IDto the whitelisted exceptions for theWordPress.NamingConventions.ValidVariableNamesniff. - Added
__debugInfoto the magic method whitelist for class methods starting with double underscore in theWordPress.NamingConventions.ValidFunctionNamesniff. - An error will now also be thrown for non-magic functions using a double underscore prefix -
WordPress.NamingConventions.ValidFunctionNamesniff. - The
WordPress.Arrays.ArrayAssignmentRestrictions,WordPress.Functions.FunctionRestrictions,WordPress.Variables.VariableRestrictionssniffs weren't in actual fact sniffs, but parent classes for child sniffs. These have now all been turned into proper abstract parent classes and moved to the mainWordPressdirectory. - The array provided to
AbstractFunctionRestrictionscan now take awhitelistkey to whitelist select functions when blocking a group of functions by function prefix. - Updated installation instructions in the readme.
- The
WordPress-Coreruleset is now ordered according to the handbook - The WPCS code base itself now complies with the WordPress-Core, -Extra and -Docs coding standards.
- Various other code quality and code consistency improvements under the hood.
Squiz.Functions.FunctionDeclarationArgumentSpacing.SpacingBeforeClosefrom theWordPress-Corestandard (was causing duplicate messages for the same issue).Squiz.Commenting.FunctionComment.ScalarTypeHintMissing,Squiz.Commenting.InlineComment.NotCapitalfrom theWordPress-Docsstandard.- Removed the sniffing for
get_pages()from theWordPress.VIP.RestrictedFunctionssniff as per the VIP guidelines. - Removed the sniffing for
extract()from theWordPress.VIP.RestrictedFunctionssniff as it's now covered in a separate sniff. - Removed the sniffing for the POSIX functions from the
WordPress.PHP.DiscouragedFunctionssniff as it's now covered in a separate sniff.
- Error message precision for the
WordPress.NamingConventions.ValidVariableNamesniff. - Bug in the
WordPress.WhiteSpace.ControlStructureSpacing.BlankLineAfterEndsniff which was incorrectly being triggered on last method of class. - Function name sniffs based on the
AbstractFunctionRestrictionsparent class will now do a case-insensitive function name comparison. - Function name sniffs in the
WordPress.PHP.DiscouragedFunctionssniff will now do a case-insensitive function name comparison. - Whitelist comments directly followed by a PHP closing tag were not being recognized.
- Some PHP Magic constants were not recognized by the
WordPress.XSS.EscapeOutputsniff. - An error message suggesting camel caps rather than the intended snake case format in the
WordPress.NamingConventions.ValidFunctionNamesniff. WordPress.WhiteSpace.ControlStructureSpacingshould no longer throw error notices during live code review.- Errors will be no longer be thrown for methods not complying with the naming conventions when the class extends a parent class or implements an interface -
WordPress.NamingConventions.ValidFunctionNamesniff.
0.9.0 - 2016-02-01
count()to the list of auto-escaped functions.Squiz.PHP.CommentedOutCodesniff toWordPress-VIPruleset.- Support for PHP 5.2.
attachment_url_to_postid()andparse_url()to the restricted functions forWordPress-VIP.WordPress.VIP.OrderByRandsniff.WordPress.PHP.StrictInArraysniff forWordPress-VIPandWordPress-Extra.get_tag_link(),get_category_link(),get_cat_ID(),url_to_post_id(),attachment_url_to_postid()get_posts(),wp_get_recent_posts(),get_pages(),get_children(),wp_get_post_terms()wp_get_post_categories(),wp_get_post_tags(),wp_get_object_terms(),term_exists(),count_user_posts(),wp_old_slug_redirect(),get_adjacent_post(),get_previous_post(),get_next_post()to uncached functions inWordPress.VIP.RestrictedFunctionssniff.wp_handle_upload()andarray_key_exists()to the list of sanitizing functions.- Checking for object properties in
WordPress.PHP.YodaConditionssniff. WordPress.NamingConventions.ValidVariableNamesniff.- Flagging of function calls incorporated into database queries in
WordPress.WP.PreparedSQL. - Recognition of escaping and auto-escaped functions in
WordPress.WP.PreparedSQL. true,false, andnullto the tokens ignored inWordPress.XSS.EscapeOutput.
- Incorrect ternary detection in
WordPress.XSS.EscapeOutputsniff. - False positives when detecting variables interpolated into strings in the
WordPress.WP.PreparedSQLandWordPress.VIP.ValidatedSanitizedInputsniffs. - False positives in
WordPress.PHP.YodaConditionswhen the variable is being casted. $wpdbproperties being flagged inWordPress.WP.PreparedSQLsniff.- False positive in
WordPress.PHP.YodaConditionswhen the a string is on the left side of the comparison.
0.8.0 - 2015-10-02
implode()andjoin()to the list of formatting functions in theWordPress.XSS.EscapeOutputsniff. This is useful when you need to have HTML in the$glueparameter.- Support in the
WordPress.XSS.EscapeOutputsniff for escaping an array of values usingarray_map(). (Otherwise the support forimplode()isn't of much use :) - Docs for running WPCS in Sublime Text.
nl2br()to the list of formatting functions.wp_dropdown_pages()to the list of printing functions.- Error codes to all error/warning messages.
WordPress.WP.PreparedSQLsniff for flagging unprepared SQL queries.
- Sniffing for the number of spaces before a closure's opening parenthesis from the
default configuration of the
WordPress.WhiteSpace.ControlStructureSpacingsniff. It can be re-enabled per-project as desired.
- The
WordPress.XSS.EscapeOutputsniff giving error messages with the closing parenthesis in them instead of the offending function's name.
0.7.1 - 2015-08-31
- The default number of spaces before a closure's opening parenthesis from 1 to 0.
0.7.0 - 2015-08-30
- Automatic error fixing to the
WordPress.Arrays.ArrayKeySpacingRestrictionssniff. - Functions and closures to the control structures checked by the
WordPress.WhiteSpace.ControlStructureSpacingsniff. - Sniffing and fixing for extra spacing in the
WordPress.WhiteSpace.ControlStructureSpacingsniff. (Previously it only checked for insufficient spacing.) .twigfiles to the default ignored files.esc_url_raw()andhash_equals()to the list of sanitizing functions.intval()andboolval()to list of unslashing functions.do_shortcode()to the list of auto-escaped functions.
WordPress.Functions.FunctionDeclarationArgumentSpacingin favor of the upstream sniffSquiz.Functions.FunctionDeclarationArgumentSpacing.
- Reference to incorrect issue in the inline docs of the
WordPress.VIP.SessionVariableUsagesniff. WordPress.XSS.EscapeOutputsniff incorrectly handling ternary conditions inechostatements without parentheses in some cases.
0.6.0 - 2015-06-30
- Support for
wp_cache_add()andwp_cache_delete(), as well as custom cache functions,in theWordPress.VIP.DirectDatabaseQuerysniff.
WordPress.Functions.FunctionRestrictionsandWordPress.Variables.VariableRestrictionsfrom theWordPress-VIPstandard, since they are just parents for other sniffs.
0.5.0 - 2015-06-01
WordPress.CSRF.NonceVerificationsniff to flag form processing without nonce verification.in_array()andis_array()to the list of sanitizing functions.- Support for automatic error fixing to the
WordPress.Arrays.ArrayDeclarationsniff. WordPress.PHP.StrictComparisionsto theWordPress-VIPandWordPress-Extrarulesets.WordPress-Docsruleset to sniff for proper commenting.Generic.PHP.LowerCaseKeyword,Generic.Files.EndFileNewline,Generic.Files.LowercasedFilename,Generic.Formatting.SpaceAfterCast, andGeneric.Functions.OpeningFunctionBraceKernighanRitchieto theWordPress-Coreruleset.Generic.PHP.DeprecatedFunctions,Generic.PHP.ForbiddenFunctions,Generic.Functions.CallTimePassByReference,Generic.Formatting.DisallowMultipleStatements,Generic.CodeAnalysis.EmptyStatement,Generic.CodeAnalysis.ForLoopShouldBeWhileLoop,Generic.CodeAnalysis.ForLoopWithTestFunctionCall,Generic.CodeAnalysis.JumbledIncrementer,Generic.CodeAnalysis.UnconditionalIfStatement,Generic.CodeAnalysis.UnnecessaryFinalModifier,Generic.CodeAnalysis.UselessOverridingMethod,Generic.Classes.DuplicateClassName, andGeneric.Strings.UnnecessaryStringConcatto theWordPress-Extraruleset.- Error for missing use of
wp_unslash()on superglobal data to theWordPress.VIP.ValidatedSanitizedInputsniff.
- The
WordPress.VIP.ValidatedSanitizedInputsniff to require sanitization of input even when it is being directly escaped and output. - The minimum required PHP_CodeSniffer version to 2.2.0.
- The
WordPress.VIP.ValidatedSanitizedInputandWordPress.XSS.EscapeOutputsniffs: the list of escaping functions was split from the list of sanitizing functions. ThecustomSanitizingFunctionsproperty has been moved to theValidatedSanitizedInputsniff, and thecustomEscapingFunctionsproperty should now be used instead for theEscapeOutputsniff. - The
WordPress.Arrays.ArrayDeclarationsniff to give errors forNoSpaceAfterOpenParenthesis,SpaceAfterArrayOpener, andSpaceAfterArrayCloser, instead of warnings. - The
WordPress.NamingConventions.ValidFunctionNamesniff to allow camelCase method names in classes that implement interfaces.
- The
WordPress.VIP.ValidatedSanitizedInputsniff not reporting missing validation when reporting missing sanitization. - The
WordPress.VIP.ValidatedSanitizedInputsniff flagging superglobals as needing sanitization when they were only being used in a comparison usingiforswitch, etc.
0.4.0 - 2015-05-01
- Change log file.
- Handling for string-interpolated input variables in the
WordPress.VIP.ValidatedSanitizedInputsniff. - Errors for using uncached functions when cached equivalents exist.
space_before_colonsetting for theWordPress.WhiteSpace.ControlStructureSpacingsniff, for control structures using alternative syntax. Possible values:'required','optional','forbidden'.- Support for
sanitizationwhitelisting comments for theWordPress.VIP.ValidatedSanitizedInputsniff. - Granular error/warning names for all errors and warnings.
- Handling for ternary conditions in the
WordPress.XSS.EscapeOutputsniff. die,exit,printf,vprintf,wp_die,_deprecated_argument,_deprecated_function,_deprecated_file,_doing_it_wrong,trigger_error, anduser_errorto the list of printing functions in theWordPress.XSS.EscapeOutputsniff.customPrintingFunctionssetting for theWordPress.XSS.EscapeOutputsniff.rawurlencode()andwp_parse_id_list()to the list of "sanitizing" functions in theWordPress.XSS.EscapeOutputsniff.json_encode()to the list of discouraged functions in theWordPress.PHP.DiscouragedFunctionssniff, in favor ofwp_json_encode().vip_powered_wpcom()to the list of auto-escaped functions in theWordPress.XSS.EscapeOutputsniff.debug_print_backtrace()andvar_export()to the list of discouraged functions in theWordPress.PHP.DiscouragedFunctionssniff.- Smart handling for formatting functions (
sprintf()andwp_sprintf()) in theWordPress.XSS.EscapeOutputsniff. WordPress.PHP.StrictComparisonssniff.- Correct handling of
array_map()in theWordPress.VIP.ValidatedSanitizedInputsniff. $_COOKIEand$_FILEto the list of superglobals flagged by theWordPress.VIP.ValidatedSanitizedInputandWordPress.VIP.SuperGlobalInputUsagesniffs.$_SERVERto the list of superglobals flagged by theWordPress.VIP.SuperGlobalInputUsagesniff.Squiz.ControlStructures.ControlSignaturesniff to the rulesets.
WordPress.Arrays.ArrayKeySpacingRestrictionssniff to give errors forNoSpacesAroundArrayKeysandSpacesAroundArrayKeysinstead of just warnings.WordPress.NamingConventions.ValidFunctionNamesniff to allow for camel caps method names in child classes.WordPress.XSS.EscapeOutputsniff to allow for integers (e.g.echo 5andprint( -1 )).
- Errors for mixed key/keyless array elements in the
WordPress.Arrays.ArrayDeclarationsniff. - BOM from
WordPress.WhiteSpace.OperatorSpacingsniff file. $content_widthfrom the list of non-overwritable globals in theWordPress.Variables.GlobalVariablessniff.WordPress.Arrays.ArrayAssignmentRestrictionssniff from theWordPress-VIPruleset.
- Incorrect errors for
elsestatements using alternative syntax. WordPress.VIP.ValidatedSanitizedInputsniff not always treating casting as sanitization.WordPress.XSS.EscapeOutputsniff flagging comments as needing to be escaped.WordPress.XSS.EscapeOutputsniff not sniffing comma-delimitedechoarguments after encountering the first escaping function in the statement.WordPress.PHP.YodaConditionssniff not flagging comparisons to constants or function calls.WordPress.Arrays.ArrayDeclarationsniff not ignoring doc comments.- Link to phpStorm instructions in
README.md. - Poor performance of the
WordPress.Arrays.ArrayAssignmentRestrictionssniff. - Poor performance of the
WordPress.Files.FileNamesniff.
0.3.0 - 2014-12-11
See the comparison for full list.
- Use semantic version tags for releases.
See the comparison for full list.
Initial tagged release.