October 4th Team Meeting Notes

We had a pretty solid meeting and covered a good bit of ground. Thanks to everyone who participated!

Prefixing third-party scripts

The team discussed and voted on “officially” recommending dropping the prefix on script/style handles when it is a third-party script. Note that this is a recommendation, not a requirement at this point. There were 8 votes in favor of this recommendation and 0 against.

jquery-fitvids, for example, is preferable to themeslug-jquery-fitvids.

However, any custom scripts/styles that are specific to the theme, should still be prefixed.

Whitelisting framework textdomains

If your theme framework handles its own textdomain, you need to add it to the list of exceptions. Otherwise, the newer theme check will blockBlock Block is the abstract term used to describe units of markup that, composed together, form the content or layout of a webpage using the WordPress editor. The idea combines concepts of what in the past may have achieved with shortcodes, custom HTML, and embed discovery into a single consistent API and user experience. any theme that has more than one textdomain.

Escaping sniffssniff A module for PHP Code Sniffer that analyzes code for a specific problem. Multiple stiffs are combined to create a PHPCS standard. The term is named because it detects code smells, similar to how a dog would "sniff" out food.

There were two points discussed on escaping. This deals directly with a proposed sniff for the new theme check.

1) The escaping sniffsniff A module for PHP Code Sniffer that analyzes code for a specific problem. Multiple stiffs are combined to create a PHPCS standard. The term is named because it detects code smells, similar to how a dog would "sniff" out food. requires that all theme translations be escaped before being echoed. There were 0 votes in favor of this and 11 votes against.

2) The escaping sniff requires that all variables be escaped on output. However, this creates many false positives. The way around this is to add an inline comment of // xss ok. There were 0 votes in favor of this and 9 votes against.

Based on the discussion and tallied votes, it seems the team prefers that the tools work for theme authors rather than having theme authors changing their code to “work around” or follow some rules to accommodate automation. Our tools should not be dictating how people code. If the sniffs aren’t up to the task, they need more time to be developed into better sniffs.

Ulrich 12:13 am on October 5, 2016

I have updated the recommendation section https://make.wordpress.org/themes/handbook/review/recommended/stylesheets-and-scripts/
Frank Klein 2:28 pm on October 6, 2016
Concerning the decision not to escape translations, one should clarify this quote:

Translations are inherently trusted. The __() family of functions are used thousands of times and they don’t escape output. If we’re not trusting translations then we have a big problem.

This quote refers only to the translations used by WordPress CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress.. There is a software (GlotPress) and a process (translation validators), which are designed to avoid security risks. So unless theme authors use the same process, and review and approve every single translation, then this quote does not apply.

Concerning this snippet:
```
$url = esc_url( $something );

printf( '', $url );
```
You should always escape as late as possible, so:
```
printf( '', esc_url( $url ) );
```
The should be a best practice to follow with or without a sniffing tool.

The problem I have with voting against using the pre-existing sniff is that it’s a no against a working solution, without proposing a different one.

I do think we still need to watch out for unescaped variables, so if escaping every occurrence is not the way to go, what is?
- Justin Tadlock 4:13 pm on October 6, 2016
  
  It’s not a “no” against a working solution. It’s a “no” against making an untested solution on .ORG required until testing shows that the sniffsniff A module for PHP Code Sniffer that analyzes code for a specific problem. Multiple stiffs are combined to create a PHPCS standard. The term is named because it detects code smells, similar to how a dog would "sniff" out food. is good enough to be set to required.
  
  We’re not dropping the sniff altogether. We’re going to use it but not blockBlock Block is the abstract term used to describe units of markup that, composed together, form the content or layout of a webpage using the WordPress editor. The idea combines concepts of what in the past may have achieved with shortcodes, custom HTML, and embed discovery into a single consistent API and user experience. submission based on it just yet. Big difference.
- Ulrich 1:32 am on October 9, 2016
  
  I just realized something from the conversation. So if translations can be trusted because they go through validation process they are secure but that we would mean we cannot allow themes to include their own translations as they have not gone through the same process.
  
  This would have a negative effect of frameworks that include their own translations.
  - Justin Tadlock 3:22 pm on October 9, 2016
    
    I review every translation file included with all my themes. All theme authors should be doing the same.
    - Ulrich 4:41 am on October 15, 2016
      
      We do not have any requirement or check that they are doing so.

Welcome to the Themes team!

Handbooks and review requirements

Coding standards and plugins

Code Packages

Communication

October 4th Team Meeting Notes

Prefixing third-party scripts

Whitelisting framework textdomains

Escaping sniffssniff A module for PHP Code Sniffer that analyzes code for a specific problem. Multiple stiffs are combined to create a PHPCS standard. The term is named because it detects code smells, similar to how a dog would "sniff" out food.

Welcome to the Themes team!

Handbooks and review requirements

Coding standards and plugins

Code Packages

Communication

Prefixing third-party scripts

Whitelisting framework textdomains

Escaping sniffssniff A module for PHP Code Sniffer that analyzes code for a specific problem. Multiple stiffs are combined to create a PHPCS standard. The term is named because it detects code smells, similar to how a dog would "sniff" out food.

Share this: