Dev Chat Summary, May 17, 2023

The WordPress Developers Chat meeting took place on 2023-05-17 at 20:00 UTC in the core channel of Make WordPress Slack.

Key Links

Announcements

Highlighted Posts

  • Proposal: Retiring Older Default Themes: This post summarizes the current state of bundled themes in WordPress before proposing new support states for bundled themes. It also raises two potential ways to decrease the total number of themes receiving regular updates. Thanks to @desrosj and everyone who contributed to this post.
  • Command Center: Request for feedback: Check it out and give your feedback on the UX and API for this feature.

Release Updates

The next major release is 6.3.

6.2.1 Minor Release Discussion

@audrasjb provided a summary of the recent 6.2.1 release, which included security patches from 4.1.x through 6.2. One fix in particular led to an issue with utilizing shortcodes in templates. The problem was being actively discussed by the Security Editor team, who began plans for a quick follow-up patch to address the issue. See this related ticket: #58333: WordPress 6.2.1 Shortcodes some shortcode no longer works!.

@nekojonez indicated that the issue only happens with FSE themes, confirming that their non-FSE themes were unaffected. @audrasjb agreed that it only affected template blocks [used in FSE themes]. @pbiron added that shortcode blocks used in block theme template parts remained functional.

@nekojonez also mentioned concern that the new issue may cause users and members of the WordPress community to get the impression that shortcodes would no longer be supported, and referenced a discussion in #forums that could be taken out of context in support of this misunderstanding.

@ipstenu provided a link to the discussion, and indicated that this was a breaking change that did not include a notification to users beforehand. She suggested that the release post could have been more clear as to why shortcode support in block templates was removed. @nekojonez expressed agreement about wishing for more clarity in the post.

@nekojonez noted that workarounds existed for the issue, and might be shared with clear “use at your own risk” language. @pbiron explained that one of the options was to move the shortcode block into a template part, and for the template part to replace the original shortcode block used in the template. He added a comment to the ticket explaining this. @webcommsat asked @audrasjb if the post could be updated with information about the workaround.

@azaozz asked if the workarounds “revert” the security fix, and @audrasjb confirmed that yes, they rewrite the logic and re-introduce the security issue.

@psdtohtmlguru indicated that the plugin-based workaround impacted performance on complex templates, and asked for a link to the security fix ticket. @audrasjb shared a link to the commit, but pointed out the ticket was in HackerOne and not visible to the public. @francina also noted that security fixes are not disclosed publicly, and JB provided a supporting link to the Core Handbook’s security FAQ.

@nekojonez expressed worry that not knowing details of the security flaw may put into question the safety of non-FSE theme shortcode use, and asked for more communication on it. @pbiron added that it was strange the vulnerability would affect shortcode usage directly in a template, but not in a template part or post content. @ndiego asked if anyone could share why shortcodes behaved differently between these usages, and @timothyblynjacobs suggested the discussion was getting too deep for now.

@psdtohtmlguru asked for confirmation that shortcodes in templates don’t work, but that shortcodes in post content would continue to work. @nekojonez indicated the need to await further updates from the security and editor teams, suggesting a clarification post in the meantime. @timothyblynjacobs and @audrasjb agreed, with Timothy suggesting the post primarily clarify that the security team is aware of and discussing solutions to the issue.

@azaozz recommended that shortcodes should not be used in templates, due to performance issues on top of the security concerns. Several attendees responded in the thread explaining that shortcodes were beneficial for numerous reasons, and @asafm7 shared their particular use case. [Editor’s Summary: From this long thread the impression is that regardless of security or performance implications, shortcodes are currently a valuable content mechanism that does not yet have a clear replacement for all use cases.]

6.4 Q&A

@francina asked for an informal Q&A session around WordPress 6.4, details of which can be found in this Slack thread. @karmatosed asked if there was a list of questions for the call, to provide preparation time to address them. @estelaris responded with a link to the spreadsheet (see comment) where more questions could be added. Francesca clarified that the Q&A would be informal and occur on Zoom. @jeffpaul asked about the possibility of two sessions to accommodate timezone differences, an idea which was seconded by Tammie. Francesca agreed to make the calls more formal, and to post about it in make/core.

Maintainers: Component Help Requests

wp.zip Domain

@francina proposed that the https://wp.zip domain redirect to the latest WordPress release ZIP file — @sergeybiryukov asked if https://wordpress.org/latest.zip was the suggestion — rather than the WordPress.org homepage where it currently leads. @pbiron suggested opening a ticket in Meta Trac, and proposed that https://wordpress.org/download/ might be preferable to avoid user confusion/concern that might result from a link leading to an automatic download. @webcommsat agreed that avoiding automatic downloads would be better for accessibility.

6.3 Tickets

@oglekler shared two tickets that could be moved into the 6.3 milestone, which had been tested:

@webcommsat called for help testing the patches, and reiterated adding test results to tickets for visibility.

Open Floor

WordCamp Europe 2023

@webcommsat called for updating Core and Core Test information for Contributor Day, thanking @estelaris for gathering the info. Estela emphasized the need to email the info to first-time contributors by Friday, 19 May.

@webcommsat also asked for volunteers to facilitate the Core tables at the event. Both @oglekler and @sergeybiryukov expressed interest.

@webcommsat asked @estelaris if there was to be a table to assist contributors in setting up local environments, noting that a dedicated table has worked well before. Estela confirmed there would be a table, but that emails to first-time contributors could help ensure they are better prepared, particularly with software downloads. @webcommsat also noted the emails could include the date/time for upcoming new contributor meetings.

@webcommsat said they were reviewing Contributor Day info from WC Asia that should be added to the Core Handbook, noting that it was also being added to the Make Teams introduction document (link provided by @estelaris).

@webcommsat asked that Contributor Day attendees share in this post’s comments if they would be able to help at a Core table. @estelaris indicated that there would be approximately six tables dedicated to the Core team, and @desrosj asked which Core focus area had been identified for each table. Estela referred to the introduction document, and noted that nothing in particular had been mentioned. Jonathan would review the document and try to find other teams to collaborate with.

Finally, @webcommsat noted that tickets were still available for both the conference and Contributor Day.

Next Meeting

The next meeting will be on May 24, 2023 at 20:00 UTC.

Are you interested in helping draft Dev Chat summaries? Volunteer at the start of the next meeting on the #core Slack channel.

Props @ironprogrammer for co-authoring and @audrasjb for peer review of this summary.

#6-3, #6-4, #6-2-1, #dev-chat, #meeting, #summary, #wceu