Updated WordPress standards

mikaeljorhult · Jul 22, 2017 · f6cd292 · f6cd292
1 parent bf383e2
commit f6cd292
Show file tree

Hide file tree

Showing 259 changed files with 21,919 additions and 6,571 deletions.
diff --git a/modules/vendor/phpcs/rulesets/WordPress-Core/ruleset.xml b/modules/vendor/phpcs/rulesets/WordPress-Core/ruleset.xml
diff --git a/modules/vendor/phpcs/rulesets/WordPress-Docs/ruleset.xml b/modules/vendor/phpcs/rulesets/WordPress-Docs/ruleset.xml
@@ -2,6 +2,11 @@
 <ruleset name="WordPress Docs">
 	<description>WordPress Coding Standards for Inline Documentation and Comments</description>
 
+	<!--
+		Handbook: PHP Documentation Standards
+		Ref: https://make.wordpress.org/core/handbook/best-practices/inline-documentation-standards/php/
+	-->
+
 	<rule ref="Squiz.Commenting">
 		<!-- Excluded to allow /* translators: ... */ comments -->
 		<exclude name="Squiz.Commenting.BlockComment.SingleLine"/>
@@ -61,6 +66,8 @@
 
 		<!-- Exclude to allow duplicate hooks to be documented -->
 		<exclude name="Squiz.Commenting.InlineComment.DocBlock"/>
+		<!-- Excluded to allow /* translators: ... */ comments -->
+		<exclude name="Squiz.Commenting.InlineComment.NotCapital"/>
 
 		<!-- Not in Inline Docs standard, and a code smell -->
 		<exclude name="Squiz.Commenting.LongConditionClosingComment"/>
@@ -74,6 +81,16 @@
 		<exclude name="Squiz.Commenting.VariableComment.TagNotAllowed"/>
 		<!-- WP prefers @since first -->
 		<exclude name="Squiz.Commenting.VariableComment.VarOrder"/>
+
+		<!-- It is too early for PHP7 features to be required -->
+		<exclude name="Squiz.Commenting.FunctionComment.ScalarTypeHintMissing"/>
+	</rule>
+
+	<!-- Make this sniff less likely to trigger on end comments. -->
+	<rule ref="Squiz.PHP.CommentedOutCode">
+		<properties>
+			<property name="maxPercentage" value="45"/>
+		</properties>
 	</rule>
 
 	<rule ref="Generic.Commenting">

diff --git a/modules/vendor/phpcs/rulesets/WordPress-Extra/ruleset.xml b/modules/vendor/phpcs/rulesets/WordPress-Extra/ruleset.xml
@@ -2,38 +2,116 @@
 <ruleset name="WordPress Extra">
 	<description>Best practices beyond core WordPress Coding Standards</description>
 
+	<!-- Generic PHP best practices.
+		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/pull/382 -->
 	<rule ref="Generic.PHP.DeprecatedFunctions"/>
 	<rule ref="Generic.PHP.ForbiddenFunctions"/>
 	<rule ref="Generic.Functions.CallTimePassByReference"/>
-	<rule ref="Generic.Formatting.DisallowMultipleStatements"/>
-	<rule ref="Generic.CodeAnalysis.EmptyStatement" />
+	<rule ref="Generic.CodeAnalysis.EmptyStatement"/>
 	<rule ref="Generic.CodeAnalysis.ForLoopShouldBeWhileLoop"/>
 	<rule ref="Generic.CodeAnalysis.ForLoopWithTestFunctionCall"/>
 	<rule ref="Generic.CodeAnalysis.JumbledIncrementer"/>
 	<rule ref="Generic.CodeAnalysis.UnconditionalIfStatement"/>
 	<rule ref="Generic.CodeAnalysis.UnnecessaryFinalModifier"/>
 	<rule ref="Generic.CodeAnalysis.UselessOverridingMethod"/>
 	<rule ref="Generic.Classes.DuplicateClassName"/>
-	<rule ref="Generic.Strings.UnnecessaryStringConcat"/>
-
+	<rule ref="Generic.Strings.UnnecessaryStringConcat">
+		<properties>
+			<property name="allowMultiline" value="true"/>
+		</properties>
+	</rule>
+	<rule ref="WordPress.CodeAnalysis.EmptyStatement"/>
+
+	<!-- More generic PHP best practices.
+		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/607 -->
+	<rule ref="Squiz.PHP.NonExecutableCode"/>
+	<rule ref="Squiz.Operators.IncrementDecrementUsage"/>
+	<rule ref="Squiz.Operators.ValidLogicalOperators"/>
+	<rule ref="Squiz.Functions.FunctionDuplicateArgument"/>
+
+	<!-- And even more generic PHP best practices.
+		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/pull/809 -->
+	<rule ref="Squiz.PHP.DisallowSizeFunctionsInLoops"/>
+
 	<!-- This sniff is not refined enough for general use -->
 	<!-- https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/pull/382#discussion_r29970107 -->
 	<!--<rule ref="Generic.Formatting.MultipleStatementAlignment"/>-->
-	
+
 	<!-- Hook callbacks may not use all params -->
 	<!-- https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/pull/382#discussion_r29981655 -->
 	<!--<rule ref="Generic.CodeAnalysis.UnusedFunctionParameter"/>-->
 
 	<rule ref="WordPress-Core"/>
 
+	<!-- Warn against using fully-qualified class names instead of the self keyword. -->
+	<rule ref="Squiz.Classes.SelfMemberReference.NotUsed">
+		<!-- Restore default severity of 5 which WordPress-Core sets to 0. -->
+		<severity>5</severity>
+	</rule>
+
 	<rule ref="WordPress.XSS.EscapeOutput"/>
-	<rule ref="WordPress.CSRF.NonceVerification" />
-	<rule ref="WordPress.PHP.DiscouragedFunctions"/>
+
+	<!-- Verify that a nonce check is done before using values in superglobals.
+		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/73 -->
+	<rule ref="WordPress.CSRF.NonceVerification"/>
+
+	<rule ref="WordPress.PHP.DevelopmentFunctions"/>
+	<rule ref="WordPress.PHP.DiscouragedPHPFunctions">
+		<!-- WP core still supports PHP 5.2+  -->
+		<properties>
+			<property name="exclude" value="create_function"/>
+		</properties>
+	</rule>
+	<rule ref="WordPress.WP.DeprecatedFunctions"/>
+	<rule ref="WordPress.WP.DeprecatedClasses"/>
+	<rule ref="WordPress.WP.DeprecatedParameters"/>
+	<rule ref="WordPress.WP.AlternativeFunctions"/>
+	<rule ref="WordPress.WP.DiscouragedFunctions"/>
+
+	<rule ref="Squiz.PHP.Eval"/>
+	<rule ref="Squiz.PHP.Eval.Discouraged">
+		<type>error</type>
+		<message>eval() is a security risk so not allowed.</message>
+	</rule>
+
+	<!-- Scripts & style should be enqueued.
+		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/35 -->
 	<rule ref="WordPress.WP.EnqueuedResources"/>
-	<rule ref="WordPress.WP.PreparedSQL"/>
+
+	<!-- Warn against overriding WP global variables.
+		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/26 -->
 	<rule ref="WordPress.Variables.GlobalVariables"/>
-	<rule ref="WordPress.PHP.StrictComparisons" />
 
-	<!-- https://vip.wordpress.com/documentation/code-review-what-we-look-for/#using-in_array-without-strict-parameter -->
-	<rule ref="WordPress.PHP.StrictInArray" />
+	<!-- Encourage the use of strict ( === and !== ) comparisons.
+		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/242 -->
+	<rule ref="WordPress.PHP.StrictComparisons"/>
+
+	<!-- Check that in_array() and array_search() use strict comparisons.
+		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/399
+		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/503 -->
+	<rule ref="WordPress.PHP.StrictInArray"/>
+
+	<!-- Discourage use of the backtick operator (execution of shell commands).
+		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/pull/646 -->
+	<rule ref="Generic.PHP.BacktickOperator"/>
+
+	<!-- Check for PHP Parse errors.
+		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/522 -->
+	<rule ref="Generic.PHP.Syntax"/>
+
+	<!-- Make the translators comment check which is included in core stricter. -->
+	<rule ref="WordPress.WP.I18n.MissingTranslatorsComment">
+		<type>error</type>
+	</rule>
+	<rule ref="WordPress.WP.I18n.TranslatorsCommentWrongStyle">
+		<type>error</type>
+	</rule>
+
+	<!-- Verify that everything in the global namespace is prefixed. -->
+	<rule ref="WordPress.NamingConventions.PrefixAllGlobals"/>
+
+	<!-- Check that object instantiations always have braces & are not assigned by reference.
+		 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/919 -->
+	<rule ref="WordPress.Classes.ClassInstantiation"/>
+
 </ruleset>
diff --git a/modules/vendor/phpcs/rulesets/WordPress-VIP/ruleset.xml b/modules/vendor/phpcs/rulesets/WordPress-VIP/ruleset.xml
@@ -4,16 +4,86 @@
 
 	<rule ref="WordPress-Core"/>
 
+	<!-- Covers:
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#removing-the-admin-bar
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#cron-schedules-less-than-15-minutes-or-expensive-events
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#direct-database-queries
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#filesystem-writes
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#order-by-rand
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#using-__file__-for-page-registration
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#uncached-functions
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#flush_rewrite_rules
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#session_start-and-other-session-related-functions
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#functions-that-use-joins-taxonomy-relation-queries-cat-tax-queries-subselects-or-api-calls
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#querying-on-meta_value
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#manipulating-the-timezone-server-side
+		 https://vip.wordpress.com/documentation/code-review-what-we-look-for/#validation-sanitization-and-escaping
+	-->
 	<rule ref="WordPress.VIP"/>
 
+	<!-- https://vip.wordpress.com/documentation/code-review-what-we-look-for/#validation-sanitization-and-escaping -->
+	<!-- https://vip.wordpress.com/documentation/best-practices/security/validating-sanitizing-escaping/ -->
 	<rule ref="WordPress.XSS.EscapeOutput"/>
-	<rule ref="WordPress.CSRF.NonceVerification" />
-	<rule ref="WordPress.PHP.StrictComparisons" />
-	<rule ref="WordPress.WP.PreparedSQL" />
+	<rule ref="WordPress.CSRF.NonceVerification"/>
+
+	<!-- https://vip.wordpress.com/documentation/code-review-what-we-look-for/#using-instead-of -->
+	<rule ref="WordPress.PHP.StrictComparisons"/>
+
+	<!-- https://vip.wordpress.com/documentation/best-practices/database-queries/ -->
+	<rule ref="WordPress.WP.PreparedSQL"/>
 
 	<!-- https://vip.wordpress.com/documentation/code-review-what-we-look-for/#commented-out-code-debug-code-or-output -->
-	<rule ref="Squiz.PHP.CommentedOutCode" />
+	<rule ref="Squiz.PHP.CommentedOutCode">
+		<properties>
+			<property name="maxPercentage" value="45"/>
+		</properties>
+	</rule>
+
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#eval-and-create_function -->
+	<rule ref="Squiz.PHP.Eval"/>
+	<rule ref="Squiz.PHP.Eval.Discouraged">
+		<type>error</type>
+		<message>eval() is a security risk so not allowed.</message>
+	</rule>
+
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#eval-and-create_function -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#serializing-data -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#encoding-values-used-when-creating-a-url-or-passed-to-add_query_arg -->
+	<!-- https://github.com/Automattic/vip-scanner/blob/master/vip-scanner/checks/ForbiddenPHPFunctionsCheck.php -->
+	<rule ref="WordPress.PHP.DiscouragedPHPFunctions">
+		<!-- https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/pull/633#issuecomment-266634811 -->
+		<properties>
+			<property name="exclude" value="obfuscation"/>
+		</properties>
+	</rule>
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#settings-alteration -->
+	<rule ref="WordPress.PHP.DiscouragedPHPFunctions.runtime_configuration">
+		<type>error</type>
+	</rule>
+
+	<!-- https://vip.wordpress.com/documentation/code-review-what-we-look-for/#commented-out-code-debug-code-or-output -->
+	<rule ref="WordPress.PHP.DevelopmentFunctions"/>
+	<rule ref="WordPress.PHP.DevelopmentFunctions.error_log">
+		<type>error</type>
+	</rule>
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#settings-alteration -->
+	<rule ref="WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure">
+		<type>error</type>
+	</rule>
 
 	<!-- https://vip.wordpress.com/documentation/code-review-what-we-look-for/#using-in_array-without-strict-parameter -->
-	<rule ref="WordPress.PHP.StrictInArray" />
+	<rule ref="WordPress.PHP.StrictInArray"/>
+
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#use-wp_parse_url-instead-of-parse_url -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#use-wp_json_encode-over-json_encode -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#filesystem-writes -->
+	<!-- https://vip.wordpress.com/documentation/vip/code-review-what-we-look-for/#remote-calls -->
+	<rule ref="WordPress.WP.AlternativeFunctions"/>
+	<!-- VIP recommends other functions -->
+	<rule ref="WordPress.WP.AlternativeFunctions.curl">
+		<message>Using cURL functions is highly discouraged within VIP context. Check (Fetching Remote Data) on VIP Documentation.</message>
+	</rule>
+	<rule ref="WordPress.WP.AlternativeFunctions.file_get_contents">
+		<message>%s() is highly discouraged, please use vip_safe_wp_remote_get() instead.</message>
+	</rule>
 </ruleset>