We had a pretty solid meeting and covered a good bit of ground. Thanks to everyone who participated!
Prefixing third-party scripts
The team discussed and voted on “officially” recommending dropping the prefix on script/style handles when it is a third-party script. Note that this is a recommendation, not a requirement at this point. There were 8 votes in favor of this recommendation and 0 against.
jquery-fitvids, for example, is preferable to
However, any custom scripts/styles that are specific to the theme should still be prefixed.
Whitelisting framework textdomains
If your theme framework handles its own textdomain, you need to add it to the list of exceptions. Otherwise, the newer theme check will block any theme that has more than one textdomain.
There were two points discussed on escaping. Both deal directly with a proposed sniff for the new theme check.
1) The escaping sniff requires that all theme translations be escaped before being echoed. There were 0 votes in favor of this and 11 votes against.
2) The escaping sniff requires that all variables be escaped on output. However, this creates many false positives. The way around this is to add an inline comment of // xss ok. There were 0 votes in favor of this and 9 votes against.
Based on the discussion and tallied votes, it seems the team prefers that the tools work for theme authors rather than having theme authors change their code to “work around” or follow some rules to accommodate automation. Our tools should not be dictating how people code. If the sniffs aren’t up to the task, they need more time to be developed into better sniffs.