[wp-trac] [WordPress Trac] #58102: Check PHPcs Coding standard into the wp-includes folder

WordPress Trac noreply at wordpress.org
Wed Oct 2 17:27:51 UTC 2024


#58102: Check PHPcs Coding standard into the wp-includes folder
--------------------------+-------------------------------
 Reporter:  viralsampat   |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  General       |     Version:
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:  coding-standards
--------------------------+-------------------------------

Comment (by sabernhardt):

 This ticket can focus on whether to use `sanitize_text_field()` (or
 similar sanitization) for these items:
 1. `wp-settings-{$user_id}` cookie in `wp_user_settings()` (`option.php`,
 in 58102.diff)
 2. `$_SERVER['HTTP_HOST']` and `$_SERVER['REQUEST_URI']` in
 `wp_admin_bar_customize_menu()` (`admin-bar.php`, part of 58102.2.diff)
 3. `$_SERVER['HTTP_HOST']` and `$_SERVER['REQUEST_URI']` in
 `wp_login_form()` (`general-template.php`, part of
 58102-general-template.diff)

 For the `$_SERVER` variables, #16858 and #53998 are related.

 ----

 Other changes proposed in `wp-includes` patches:
 1. Escaping `$type_attr` in both `wp_admin_bar_header()` and
 `_admin_bar_bump_cb()` was unnecessary because the variable represented a
 specific string (or nothing), and [56682] deprecated and replaced those
 functions.
 2. Both 58102.3.diff and 58102.4.diff proposed escaping the `wp_die()`
 message in `_show_post_preview()` (`revision.php`), but I did not find
 //any// `wp_die()` messages that escape the translatable string.
 3. [56359] already set strict comparison in `revision.php`.
 4. 58102-general-template.diff adds `esc_html()` in `get_search_form()`
 and `wp_register()`, but both functions need to return or output HTML.
 5. [55642] used strict comparison in `get_archive_template()`.
 6. The documentation for `get_page_template()` should keep the parentheses
 for `locate_block_template()`.
 7. The 11 global variables for `locate_template()` are available for use
 in the separate template file that this function requires.

 Let's ignore the bundled theme patches for this ticket.
 - They escape many translations (mostly replacing `_e()` with
 `esc_html_e()`), but #30724 decided against that for bundled themes.
 - They also remove many helpful comments after `endif;` that identify what
 ends there.
 - The `twentysixteen_resource_hints()` function should remain in the theme
 in case a site uses it (though the `// add_filter` line could be removed
 below the resource hints functions in each theme).
 - 58102-twentyfourteen.diff removes `html5.js` (part of #58836) and adds
 `esc_attr()` for header image dimensions (already escaped in [56583]).
 - Patches add `global $post;` at the top of `twentyfourteen/image.php` and
 `twentyeleven/header.php`.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/58102#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
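As an added example (not WordPress core code and not from any patch on this ticket), a standalone PHP sketch of the pattern behind items 2 and 3 above: the "current URL" assembled from `$_SERVER['HTTP_HOST']` and `$_SERVER['REQUEST_URI']`, written raw into an attribute and then with the host allowlisted and the value escaped. The `demo_*` helpers, the `blog.example`/`evil.example` hosts and the sample request are assumptions constructed for this demo.

```php
<?php
// Added example, not WordPress core code: the "current URL" that
// wp_login_form() and wp_admin_bar_customize_menu() derive from
// $_SERVER['HTTP_HOST'] and $_SERVER['REQUEST_URI'], shown raw and hardened.
// demo_* helpers and the sample request are assumptions for this demo.
declare(strict_types=1);

/**
 * Build the current URL, or return null when the Host header is not one of
 * the hosts this site answers for. HTTP_HOST is the client-supplied Host
 * header, so it is allowlisted rather than "cleaned".
 */
function demo_current_url(array $server, array $allowed_hosts): ?string {
    $host = strtolower(trim($server['HTTP_HOST'] ?? ''));
    if (!in_array($host, $allowed_hosts, true)) {
        return null; // unknown host: caller falls back to a known site URL
    }
    // REQUEST_URI is the raw request target: drop control bytes and
    // require a single-slash absolute path so it cannot smuggle a host.
    $uri = preg_replace('/[\x00-\x1F\x7F]/', '', $server['REQUEST_URI'] ?? '/');
    if ($uri === '' || $uri[0] !== '/' || substr($uri, 0, 2) === '//') {
        $uri = '/';
    }
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . '://' . $host . $uri;
}

/** Escape a URL for a double-quoted HTML attribute (esc_url() stand-in). */
function demo_attr_url(string $url): string {
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request: hostile Host header plus an attribute-breakout URI.
$request = [
    'HTTP_HOST'   => 'evil.example',
    'REQUEST_URI' => '/wp-login.php?next="><b>x</b>',
    'HTTPS'       => 'on',
];

// Weak: raw concatenation straight into the attribute (the pattern the ticket questions).
$raw = 'https://' . $request['HTTP_HOST'] . $request['REQUEST_URI'];
echo '<input type="hidden" name="redirect_to" value="' . $raw . '">', "\n";

// Hardened: allowlist the host, fall back when it does not match, escape on output.
$safe = demo_current_url($request, ['blog.example']) ?? 'https://blog.example/';
echo '<input type="hidden" name="redirect_to" value="' . demo_attr_url($safe) . '">', "\n";
```

The first `echo` emits the unescaped `"><b>x</b>` and the attacker-chosen host; the second falls back to the site's own URL because `evil.example` is not allowlisted, and any quotes that did survive would be entity-encoded.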