What options are safe for ini_set() / ini_alter() ?

[GaryJones]

What problem would the enhancement address for VIP?

Now that VIPCS uses sniffs from WPCS 2.0, we can use the IniSet sniff. By default, it comes with a whitelist and blacklist of options that are allowed and not allowed to be amended with ini_set().

We need to work out if these lists are accurate for:

• WordPress.com VIP sites.
• VIP Go sites.

Describe the solution you'd like

A clear list of forbidden and allowed (may be empty) options.

What code should be reported as a violation?

Until now, we've flagged any use of ini_set() and its alias ini_alter(), but we should allow some flexibility if possible, and only report a violation depending on its args.

For any other call that has parameters, a Warning is given. For any call of ini_set() with no parameters, nothing is given (but this can be changed if we want, though the call would be harmless).

What code should not be reported as a violation?

Anything that is allowed to be amended, perhaps like the whitelist in the sniff.

[GaryJones]

Adding to WPCS 2.0 project as well, since without any change here, we won't have any checks, since WordPress.PHP.DiscouragedFunctions removed support for these checks.

[GaryJones]

Taking the WPCS defaults as good for now. Can be adjusted later if needed.