forked from jspellman814/wordpress-composer-managed
News theme template cleanup #78
Merged
This next piece of work will focus on content escaping and other issues flagged by our linting tools.
b2e48d8 to 2dbc7ec
The sprites image ends up being loaded by inc/spotlights.php
- Namespace and file metadata - Adjust a call to DateTime outside the namespace - Ignore one call to mb_substr that is too tricky to escape right now - convert a few translated functions to their escaped equivalents - esc_url a few times
- Namespacing and file metadata - Fixing call to DateTime outside namespace - Content escaping (including removing a double title attribute) - Converting one instance of "or" to "||"
- Content escaping in two lines - Adding the right namespace - Fixing the call to a parent theme function that builds our pagination
- Removing extra empty lines - Removing a non-snake-case variable (rCat) - Simplifying a printf command to remove extra concatenation - Removing an entire block that was confusingly commented out, which we don't use nor need.
- File metadata - escape a PHP variable used in javascript. To test this, look at the script tag on a category index page, and check the Category ID parameter.
- Namespace and file metadata - content escaping content-single tweak content-single.php
- file metadata - remove pageroot / isroot lines that aren't needed
- Namespace and file metadata - content escaping
- Namespace and file metadata
- Namespacing and file metadata - Fixing one call to DateTime - Escaping a number of lines as prompted by PHPCS
- Namespace and file metadata - content escaping - convert a reference to $_SERVER['SCRIPT_URI'] to a WP-specific approach that avoids server variables
- Namespace and file metadata - content escaping
- File metadata - disable PHPCS around a function that is particularly hard to escape
- Namespace and file metadata - Properly namespaced call to DateTime - content escaping
- Namespace and file metadata - removing an extra title attribute - content escaping
- Namespace and file metadata
- Namespace and file metadata
- Namespace and file metadata
- Namespace and file metadata
- Namespace and file metadata - Content escaping - Removing extra whitespace
- Namespace and file metadata
- Namespace and file metadata - Content escaping - Replacing the long string of if statements with a more tightly-scoped switch statement that only sets the relevant value (the class value assigned to the div), which is easier to escape.
- Namespace and file metadata - Disable PHPCS check for the echo on line 104, which is a regex-modified select tag(s)? - Collapse a handful of small php blocks into one coherent set of lines, trying to make this more readable.
- Namespace and file metadata
- Namespace and file metadata
- Namespace and file metadata
- Namespace and file metadata
- Namespace and file metadata
- Content escaping on two lines - Ignoring rule on two other lines which echo a blob of markup. Would need wp_kses() to do properly
- Namespace and file metadata - Better positioned template name - Content escaping - Better input validation / sanitization for limit and offset
- Namespace, template name, and file metadata - Better approach to input validation
- Namespace, template name, and file metadata - Better input validation - Renaming $categoryId to $category_id since this touches most of its lines already
- Namespace, template name, and file metadata - Better input validation for $offset and $limit
- Namespace, template name, and file metadata - Better input validation for $offset and $limit
- Namespace, template name, and file metadata - Better input sanitization for $offset and $limit - Content escaping - Ignoring the standard for retrieving the query_string variable, although this makes me uneasy. The bug is already there, we just don't close it here.
- Namespace, template name, and file metadata - Better input validation for $offset and $limit
JPrevost approved these changes on Mar 31, 2023
I've skimmed this and it seems fine. Stakeholder feedback as we do more thorough testing will be the main way we know if this causes any issues.
This PR focuses on the issues flagged in GitHub Actions from #77. The changes can be grouped into two buckets:
This is the second PR that is part of https://mitlibraries.atlassian.net/browse/LM-143
- @package and @since values in the file metadata
- Mitlib\News namespace
- DateTime or WP_Query to be properly namespaced.
- phpcs:disable to turn off linting - rather than spending the time to thoroughly understand the range of possible markup and using something like wp_kses (which would be ideal, but a lot more work - particularly considering all this code is already in production for us).
- additionalPosts*.php templates have code that reads in values for $offset and $limit from the querystring. These lines were getting flagged for poor code sanitization, which has been corrected. These could still be abstracted to a shared function, but that felt like a step too far for now. Ultimately I'd love to have only one of these templates, rather than a shared function between them.
- $pageRoot and $isRoot. A few of these still remain, though, which will be removed in the next PR.

Notes

- "or" was replaced by "||" in archive.php, and some more intensive changes in author.php like removing a commented-out block of code that was still getting flagged. Shortly after this I realized the scale of what that PR would look like, and so changed course to be more focused.
- page-subscribe.php, test-template.php, and maybe page-last-year.php. Doing this will require consulting with the folks in UX to make sure that we're handing them a theme that supports all the needed features, and that's fundamentally not part of this "make CI happy" work.

Developer
Secrets
Documentation
Accessibility
our guide and
all issues introduced by these changes have been resolved or opened as new
issues (link to those issues in the Pull Request details above)
Stakeholder approval
Dependencies
YES dependencies are updated (new plugin What The File)
Code Reviewer
(not just this pull request message)
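
The PR description mentions tightening how the additionalPosts*.php templates read $offset and $limit from the querystring. The following is an added example, not code from this theme or pull request: a hypothetical `query_int()` helper with an assumed cap (`MAX_LIMIT`) and assumed defaults, run over constructed query arrays that stand in for `$_GET`.

```php
<?php
// Added example: hypothetical helper, not taken from the theme.
declare(strict_types=1);

// Assumed upper bound on posts per request; the real templates may differ.
const MAX_LIMIT = 50;

/**
 * Read one integer parameter from a query array.
 * Anything that is missing, non-scalar, non-numeric or out of range
 * falls back to $default instead of reaching the database query.
 */
function query_int(array $query, string $key, int $default, int $min, int $max): int
{
    if (!array_key_exists($key, $query)) {
        return $default;
    }
    // FILTER_VALIDATE_INT rejects arrays, "10abc", floats and overflowing
    // digit strings, and enforces the range in the same call.
    $value = filter_var($query[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['offset' => '10', 'limit' => '5'],        // well-formed
    ['offset' => '-1', 'limit' => '9999'],     // out of range on both sides
    ['offset' => '10abc', 'limit' => ['5']],   // trailing junk, array value
    ['offset' => '99999999999999999999999'],   // overflow, limit missing
    [],                                        // nothing supplied
];

foreach ($samples as $query) {
    $offset = query_int($query, 'offset', 0, 0, PHP_INT_MAX);
    $limit  = query_int($query, 'limit', 10, 1, MAX_LIMIT);
    // Both values are now plain ints, safe to pass to a query or print with %d.
    printf("offset=%d limit=%d\n", $offset, $limit);
}
```

Inside a WordPress template the same bounds check would normally sit next to the core helper `absint()`, with output still escaped at the point of echo.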