Vipwpcs Laravel Package

Props: @GaryJones, @jrnfl, @terriann, @rebeccahum

Increases requirements for PHPCS from 3.7.2 to 3.9.2 for improved PHP 8.2 and PHP 8.3 support. Please ensure you run composer update automattic/vipwpcs --with-dependencies to benefit from this.

Removed

• Functions/RestrictedFunctions:
  • #812: Remove restricting term_exists().
  • #814: Remove restricting get_page_by_title().
  • #817: Remove restricting get_page_by_path().

Changed

• #799: Classes/DeclarationCompatibility: Sync signature definitions with WP Core.

Maintenance

• #797: GH: Add initial dependabot config file.
• GH Actions:
  • #798: Bump actions/checkout to 4 from 3.
  • #802: Minor tweaks of updating an incorrect URL and adding names to steps.
  • #803: Builds against PHP 8.3 can no longer fail, but 8.4 can.
  • #818: Add workaround for intermittent apt-get update issue.
• Composer:
  • #805: Raise minimum version for better PHP 8.2 support.
  • #805: Up the minimum PHPCSExtra version to 1.2.1.
  • #821: Up the minimum PHPCSUtils version to 1.0.11.
  • #821: Up the minimum PHPCS version to 3.9.2.
  • #821: Up the minimum WPCS version to 3.1.0.
  • #821: Up the minimum PHPCSVariableAnalysis version to 2.11.18.
• Docs:
  • #805: Update references to PHPCS under PHPCSStandards, as squizlabs version is abandoned.
  • #808: Update Composer installation instructions.
  • #811: Update old URLs.
• #809: Unit tests: Allow for PHPUnit 8 and 9.

Props: @GaryJones, @jrfnl

This release requires WordPressCS 3.0.0. It is not compatible with WordPressCS 2.x. Users should read the WordPressCS 3.0 upgrade guide for end-users.

Increases requirements for PHPCS from 3.7.1 to 3.7.2.

The tagged releases branch is now main instead of master.

Added

• #777: 3.0: start using PHPCSUtils.
• #779: 3.0: support WordPressCS 3.0.

Changed

• #780: Performance/WPQueryParams: defer to the parent sniff.
  • Two error codes changed:
    • WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn is now WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in.
    • WordPressVIPMinimum.Performance.WPQueryParams.SuppressFiltersTrue is now WordPressVIPMinimum.Performance.WPQueryParams.SuppressFilters_suppress_filters.

Removed

• #774: Performance/BatcacheWhitelistedParams: remove the sniff.
• #775: Compatibility/Zoninator: remove the sniff.
• #776: Variables/VariableAnalysis: remove the sniff.

Fixed

• #784: Performance/WPQueryParams: prevent false positives for 'exclude' with get_users().
• #788: Security/Mustache: prevent false positives on block editor templates.

Maintenance

• #778: CS: improve use statements.
• #781: Performance/NoPaging: add extra tests.
• #782: GH Actions: minor tweaks to the composer options used.
• #783: Hooks/AlwaysReturnInFilter: remove redundant condition.
• #785: Docs: remove redundant [@package](https://github.com/package) tags.
• #786: Add PHPStan to QA checks.
• #787: GH Actions: tweak the way the PHPCS/WPCS versions are set.
• #789: Updates related to branch rename from master to main.
• #790: PHPUnit: Use 7.5 schema.
• #791: Docs: Update CONTRIBUTING.md.

Props: kshaner, GaryJones, jrfnl, yolih

Increases requirements for PHPCS from 3.5.5+ to 3.7.1.

Fixed

• #709: Add get_theme_file_path() to list of allowed include functions.
• #762: IncludingFile: allow for more path-returning functions.
• #748: ProperEscapingFunction: Fix short tag detection.
• #760: RestrictedFunctions: remove reference to function which doesn't exist.

Changed

• #768: DeclarationCompatibility: performance improvement.

• Rulesets:

  • #763: Move VariableAnalysis configuration from Go to Minimum.
  • #765: Fix the names.

• Composer:

  • #742: Up the minimum PHPCS version to 3.7.1.
  • #764: Update VariableAnalysis dependency to 2.11.17.
  • #738: Allow for the 1.0.0 version of the Composer PHPCS plugin.
  • #721: Update composer.json keywords.
  • #714: Update PHP Parallel Lint and Console Highlighter.
  • #741: Update script names.
  • #747: Fix script references.
  • #708: Update references to the Composer plugin.

• Tests:

  • #735: Unit tests: Support PHP >= 8.1.
  • #746: Fix checks for PHP 8.1 and above.
  • #737: AdminBarRemovalUnitTest: Ensure final reset is read.

• Coding Standards

  • #733: Fix coding standards of VIPCS sniffs.
  • #756: Remove extra line at end of classes.
  • #758: Simplifications of sniffs extending the WPCS AbstractArrayAssignmentRestrictionsSniff.
  • #761: RegexpCompare: remove redundant condition.
  • #771: QA: fix condition order.

• CI:

  • #705: Various updates.
  • #750: Test Higher PHP versions.
  • #724: Fix use of deprecated set-output.
  • #725: Update the xmllint-problem-matcher.
  • #726: Various tweaks.
  • #728: Bust the cache semi-regularly.
  • #711: Version update for various predefined actions.
  • #712: Fix build failure.
  • #755: Validate the PHPCS installed standards.
  • #757: Test and Quicktest tweaks.
  • #767: Minor simplifications.
  • #769: .gitattributes: readability improvement.

• Docs:

  • #722: Updated Docs link for ORDER BY RAND().
  • #707: README: update requirements listing.
  • #706: README: update for Composer 2.2.
  • #766: Various minor doc fixes.
  • #759: Bug template: make version table more comprehensive.
  • #770: Docs: various tag improvements.

Deprecated

• #612: The WordPressVIPMinimum.Compatibility.Zoninator sniff is (soft) deprecated and will be removed in the 3.0.0 release.
• #613: The WordPressVIPMinimum.Performance.BatcacheWhitelistedParams sniff is (soft) deprecated and will be removed in the 3.0.0 release.

Props: gudmdharalds, jrfnl, BrookeDot, rebeccahum

Props: jrfnl

Fixed

• #681: ProperEscapingFunction: improve attribute matching accuracy for notAttrEscAttr.

Props: jrfnl

Fixed

• #668: ProperEscapingFunction: fix overreach of comma usage in non-echo expressions for notAttrEscAttr.
• #670: ProperEscapingFunction: improve "action" match precision for hrefSrcEscUrl.

Deprecated

• #670: ProperEscapingFunction: private properties $url_attrs and $attr_endings are deprecated along with the public methods is_html_attr() and attr_expects_url().

Props: jrfnl, rebeccahum, kevinfodness, GaryJones.

** There is a minor breaking change in the ProperEscapingFunction sniff from PR #624. The escaping_function property can no longer be overruled via custom rulesets. Please remove any usages of the property in custom rulesets.

** Composer now requires the phpcodesniffer-composer-installer plugin per #583. Note: If you either include it in the "require-dev" of your composer.json, use another Composer PHPCS plugin, or run bash commands to register PHPCS standards, please remove it from those sources to prevent interferences or version constraint conflicts.

Added

• #581: AlwaysReturnInFilter: flag abstract methods for manual inspection.
• #583: Composer: require phpcs-composer-installer plugin.
• #586: IncludingNonPHPFile: recognition of .phar file extensions.
• #589: WPQueryParams: flags 'exclude' array key.
• #595: Underscorejs: checks for additional print syntaxes and now throws an additional error for each occurrence of unescaped notation.
• #624: ProperEscapingFunction: account for additional escaping functions and check for esc_attr() usage in non-HTML attributes.
• #638: IncludingFile: new public property $allowedKeywords for allowing custom partial keywords in constants to reduce false positives.

Changed

• #586: IncludingNonPHPFile: various performance improvements.
• #587: LowExpiryCacheTime: new warning added for manual inspection along with various improvements.
• #592: DynamicCalls: various improvements.
• #595: Underscorejs: various improvements.
• #618: RestrictedFunctions: upgrade setcookie() to error at sniff level and remove Batcache references from messaging.
• #620: Ruleset: silence UnusedVariable from VariableAnalysis to reduce noise.
• #630: VariableAnalysis: fix incompatibility for VariableAnalysis standard with previously deprecated native VIPCS sniff.
• #639: RestrictedFunctions: remove site_option group.
• #644: RestrictedFunctions: remove wp_cache_get_multi group.
• #645: Ruleset: silence WordPress.WP.AlternativeFunctions.file_system_read_readfile.
• #646: Ruleset: silence WordPress.WP.AlternativeFunctions.file_system_read_fclose.
• #647: RestrictedFunctions: remove get_super_admins group.
• #649: RestrictedFunctions: downgrade switch_to_blog() to warning and change messaging.
• #652: RestrictedFunctions/RestrictedVariables: remove usermeta related errors.

Fixed

• #444: ConstantString: only error when a plain constant is passed as constant name parameter.
• #581: AlwaysReturnInFilter: fix runtime failure on abstract methods.
• #584: Performance: more selective sniffing for efficiency.
• #586: IncludingNonPHPFile: various bug fixes such as recognition of interpolated strings and case insensitivity in file extensions.
• #587: LowExpiryCacheTime: allow arithmetic operators, simple floats, numerical strings, zeroes and parentheses in calculations, and FQN time constants.
• #592: DynamicCalls: ignore comments, allow double quotes and remove potential memory leak.
• #595: Underscorejs: fixed false positive for when a variable is _.escape()-ed.
• #624: ProperEscapingFunction: slash escaped quotes and non-quoted strings in HTML attributes are now parsed as expected.

Removed

• #624: ProperEscapingFunction: remove $escaping_functions public property.

Maintenance

• #582: CI: re-try composer install on failure.
• #599: CI: add build against PHP 8.
• #606: Ruleset: remove redundant rule ref.
• #607: Ruleset: remove redundant rule ref.
• #608: Ruleset: remove duplicate rule ref.
• #611: Ruleset: remove redundant notice type declaration.
• #617: Ruleset: remove redundant notice type declaration.
• #619: Docs: Update links to wpvip.com.
• #631: QA: remove unused use statements.
• #632: Docs: various minor improvements (typos, alignment and code examples).
• #633: CI: switch to GitHub Actions.
• #635: Ruleset: remove redundant rule ref.
• #653: CI: use parallel linting of PHP files.
• #655: QA: remove redundant ignore annotations.
• #656: CI: always check that sniffs are feature complete.
• #657: CI: add "quicktest" stage for non-PR/merge builds.
• #658: Release template: add checkbox for dependency check.

Props: GaryJones, jrfnl, rebeccahum.

Technically, there's a breaking change due to the use of the VariableAnalysis package over the previous sniff. If you have WordPressVIPMinimum.Variables.Variables references in your PHPCS config file or in inline ignore comments, then these will need to be updated to VariableAnalysis.CodeAnalysis.VariableAnalysis.

Added

• #494: .gitattributes file.
• #495: CODEOWNERS file.
• #450: VariableAnalysis package.
• #560: Allow checking test code coverage.
• #579: Docs: Add comparisons and props to change log for old versions.

Changed

• #500: Travis: change from "trusty" to "xenial".
• #501: Move and improve CONTRIBUTING.md.
• #502: CS Ruleset: minor tweaks.
• #508: RulesetTest: don't use the system default version of PHP.
• #558: Test bootstrap: various minor tweaks.
• #571: CS: change yoda conditions to non-yoda.
• #573: Composer: Change minimum stability to stable.

Fixed

• #503: RulesetTest, fix compatibility with Windows.
• #504: RulesetTest: fail the build on failing ruleset tests, fix the failing ruleset test, and fix the test script to handle 0 values.
• #505: DeclarationCompatibility: fix incorrect signature check for Walker::walk().
• #509: RulesetTest: Revert #485 and fix one of the three causes properly.
• #559: Variables/RestrictedVariables: fix namespace of unit test file, fix the test.
• #561: Functions/RestrictedFunctions: fix false positive on class instantiation.
• #563: Hooks/AlwaysReturnInFilter: add support for hook-ins using short arrays.
• #564: Hooks/PreGetPosts: add support for hook-ins using short arrays.
• #565: PreGetPosts: improve the isEarlyMainQueryCheck() method.
• #566: RestrictedFunctions: fix false negative - functions in config_settings would never match.
• #569: RestrictedVariables: don't report on "use" in isset().
• #575: ProperEscaping: Fix message for action attribute.
• #576: Docs: Update notes for releasing.

Deprecated

• #450: Deprecate Variables/VariableAnalysisSniff. Will be removed in the next major release.

Bumps requirements to PHPCS 3.5.5+ and WPCS 2.3.0+.

Props: GaryJones, jenkoian, kevinfodness, rebeccahum.

Added

• get_page_by_path() restricted function warning, to suggest wpcom_vip_get_page_by_path() function.
• stats_get_csv() restricted function error, since this is a Jetpack-only function.
• Expanded list of HTMLExecutingFunctions to include after, appendTo, before, insertAfter, insertBefore, prepend, prependTo, replaceAll and replaceWith.
• Support PHP 5.4+ (down from 5.6+).
• PHP 8 nightly testing.

Changed

• Expand message for wp_remote_get() usage.
• Downgrade append() usage violation from Error to Warning for VIP Go, to be consistent with the other HTMLExecutingFunctions.
• Downgrade AdminBarRemoval sniff from Error to Warning for VIP Go.
• Add get_parent_theme_file_path() to safelist of path functions for WordPressVIPMinimum.Files.IncludingFile sniff.
• Allow short array syntax and fix tests within the VIPCS own coding standards.
• Update issue templates.

Fixed

• Use new WordPress.DateTime.RestrictedFunctions sniff instead of deprecated WordPress.WP.TimezoneChange.
• Fixed warnings and information items in Travis.

Removed

• get_super_admins() restricted function rule for VIP Go.
• WordPressVIPMinimum.VersionControl.MergeConflict sniff in favour of Generic.VersionControl.GitMergeConflict.

This release switches from having WPCS 1.* as a dependency, to WPCS 2.*. It is not compatible with WPCS 1.*.

The sniffs in WPCS 2.* are more accurate, so you may see new violations there weren't being reported before, and a reduction in violations for false positives.

Props: GaryJones, hanifn, paulscreiber, rebeccahum, tomjn.

Added

• Switch to using WPCS 2.*.
  • Remove reference to WPCS's PHPAliases.php.
  • Remove WPCS 1.*'s WordPress.VIP references from rulesets.
  • Bump PHPCS minimum required version to 3.3.1.
  • Update the WPCS namespace.
  • Update ruleset and ruleset test to account for WPCS 2's switch to WordPress.PHP.IniSet sniff.
  • Update ruleset test for WPCS security sniffs.
  • Update DiscouragedPHPFunctions group exclusion in WordPressVIPMinimum ruleset.

Changed

• Downgrade use of file operation functions from Error to Warning:
  • delete
  • file_put_contents
  • flock
  • fputcsv
  • fputs
  • fwrite
  • ftruncate
  • is_writable
  • is_writeable
  • link
  • rename
  • symlink
  • tempnam
  • touch
  • unlink
  • fclose
  • fopen
  • file_get_contents
• Simplify Travis config.
• Switch references from vip.wordpress.com to wpvip.com.
• Documentation updates.
• Switch development to a git-flow workflow.

This release contains many breaking changes.

It requires PHP >= 5.6, PHPCS 3.2.3+, and WPCS 1.*. It does not work with WPCS 2.*.

Props: GaryJones, rebeccahum, whyisjake, WPprodigy.

Reorganisation and Renaming

The sniffs in VIPCS have been reorganised into different categories, with new sniff names and new violation codes. The changes are detailed in the table below. If you reference any of the old violations in your custom ruleset (to change severity, type, or message), or with // phpcs:ignore or // phpcs:disable, you will need to updates these references to the new violation codes.

Added

• New violations:
  • WordPressVIPMinimum.Functions.RestrictedFunctions.chmod_chgrp
  • WordPressVIPMinimum.Functions.RestrictedFunctions.chmod_chown
  • WordPressVIPMinimum.Functions.RestrictedFunctions.chmod_chmod
  • WordPressVIPMinimum.Functions.RestrictedFunctions.chmod_lchgrp
  • WordPressVIPMinimum.Functions.RestrictedFunctions.chmod_lchown
  • WordPressVIPMinimum.Functions.RestrictedFunctions.directory_mkdir
  • WordPressVIPMinimum.Functions.RestrictedFunctions.directory_rmdir
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_delete
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_file_put_contents
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_flock
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_fputcsv
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_fputs
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_ftruncate
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_fwrite
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_is_writable
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_is_writeable
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_link
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_rename
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_symlink
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_tempnam
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_touch
  • WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_unlink
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_abort
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_cache_expire
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_cache_limiter
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_commit
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_create_id
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_decode
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_destroy
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_encode
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_gc
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_get_cookie_params
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_id
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_is_registered
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_module_name
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_name
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_regenerate_id
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_register_shutdown
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_register
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_reset
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_save_path
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_set_cookie_params
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_set_save_handler
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_start
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_status
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_unregister
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_unset
  • WordPressVIPMinimum.Functions.RestrictedFunctions.session_session_write_close
  • WordPressVIPMinimum.Functions.RestrictedFunctions.site_option_add_site_option
  • WordPressVIPMinimum.Functions.RestrictedFunctions.site_option_delete_site_option
  • WordPressVIPMinimum.Functions.RestrictedFunctions.site_option_update_site_option
  • WordPressVIPMinimum.Performance.NoPaging.nopaging_nopaging
  • WordPressVIPMinimum.Performance.OrderByRand.orderby_orderby
  • WordPressVIPMinimum.UserExperience.AdminBarRemoval.HidingDetected
  • WordPressVIPMinimum.UserExperience.AdminBarRemoval.RemovalDetected
  • WordPressVIPMinimum.Variables.RestrictedVariables.user_meta__wpdb__users
  • WordPressVIPMinimum.Variables.RestrictedVariables.user_meta__wpdb__usermeta
  • WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___COOKIE
  • WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__HTTP_USER_AGENT__
  • WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___SERVER__REMOTE_ADDR__
  • WordPressVIPMinimum.Variables.RestrictedVariables.session___session
• WordPress-VIP-Go ruleset test.
• docs about ruleset tests.
• XSD reference and ruleset validation.
• phpcodesniffer-composer-installer plugin.
• Copy has_html_open_tag() from WPCS.
• Copy AbstractVariableRestrictionsSniff from WPCS.

Changed

• Switch from PHPCS 2.* class names to PHPCS 3.* namespaced classes.
• Refactor all sniffs to extend VIPCS\Sniff, which is an extension of WordPress\Sniff.
• Tidied up:
  • unused imports
  • unused local variables
  • unused parameters
  • unused private field
  • duplicate array keys
  • redundant self-assignment
  • assignment in conditions
  • not returning void function calls
  • undefined class fields
  • strict comparisons
  • missing scope keywords
  • parentheses to clarify one specific conditional
  • consolidate multiple isset() calls
  • consolidate positive nested if()’s
  • difference in case for function calls
  • simplified return statements
  • switched to __DIR__
  • switched FQCN to import statements
  • use static property
  • use more performant strpos() instead of substr()
  • split or remove else / elseif workflows for lower complexity and more comprehension
  • misuse of array_push()
  • misuse of array_values()
  • misuse of in_array()
  • useless return
  • redundant continue
  • comments that were naming parameters
  • default assignments of null to class properties
  • function parameters that match default arg values
  • redundant parentheses
• Ruleset Test improvements:
  • Move mostly duplicate PHPCS_Ruleset_Test classes into new RulesetTest class.
  • Refactor new class:
    • Accept a ruleset name in the constructor
    • Change public method from run() to passes().
    • Break out logic into smaller private methods to make the logic more self-documenting.
    • Refactor variable names in some methods.
    • Decode JSON into objects, not arrays
    • Fix incorrect reference to local $expected to $this->expected. Somehow, this was still working regardless.
    • Fix bug where it doesn't catch proper number of errors/warnings on a line basis due to order of operations of incrementating after assignment.
    • Add further documentation.
  • Change ruleset test class usage, including adding the name to the "tests passed!" message.
  • Replaced WPCS whitelisting // XSS OK comments in this files with // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped comments.
  • Change naming of tests from "integration test" to "ruleset tests", to make it more intuitive exactly what these are (composer script, Travis, bin filename).
• Improve addError() and addWarning() calls
• Remove Generic.NamingConventions.ConstructorName.OldStyle from WordPress-VIP-Go ruleset
• Travis: Restrict PHPUnit versions to match PHPCS
• Travis: Use 7.4snapshot instead of nightly, switch from Trusty to Xenial, remove sudo: false.
• EscapingVoidReturnFunctions: Fix docs and improve logic
• AlwaysReturnSniff: trigger errors instead of warnings, don't give violation for when callback args is passed by reference
• Change exec() and shell_exec() to be flagged as Error.
• Disallow long array syntax in VIPCS sniff code.
• Remove a WordPress.CodeAnalysis.AssignmentInCondition.FoundInWhileCondition exclusion in the PHPCS config for VIPCS itself.
• Update docs.

Fixed

• Bumped PHPCompatibility testVersion to match PHP requirement.
• Silence Generic.PHP.DisallowShortOpenTag.EchoFound for WordPress-VIP-Go ruleset: <?= is no longer reported.
• Silence WordPress.WP.AlternativeFunctions.file_system_read_fwrite and WordPress.WP.AlternativeFunctions.file_system_read_file_put_contents since we have WordPressVIPMinimum.Functions.RestrictedFunctions.file_ops_*.
• Silence Short Echo tags on WordPress-VIP-Go.

This release contains breaking changes.

Props: GaryJones, nickdaugherty, rebeccahum, tomjn.

Added

• WordPressVIPMinimum.Cache.LowExpiryCacheTime sniff.
• WordPressVIPMinimum.Classes.RestrictedExtendedClasses sniff, for WP_CLI_Command.
• WordPressVIPMinimum.Filters.RestrictedHooks sniff, for upload_mimes, as well as http_request_timeout and http_request_args filters which change timeouts, as we typically don't recommend anything above 3s.
• WordPressVIPMinimum.Functions.StripTags sniff.
• WordPressVIPMinimum.JS.DangerouslySetInnerHTML sniff.
• WordPressVIPMinimum.JS.Window sniff.
• WordPressVIPMinimum.VIP.PHPFilterFunctions sniff.
• GitHub issue templates.
• opcache_*() functions to list of restricted functions.
• ACF templating function to list of restricted functions.
• .editorconfig to repo.
• Generic.PHP.Syntax to WordPressVIPMinimum ruleset.

Changed

• Allow unused $e when catching exceptions.
• Improved accuracy of WordPressVIPMinimum.Files.IncludingFile
• Refactor WordPressVIPMinimum.VIP.RestrictedFunctions sniff.
• Include documentation links directly in error message for WordPressVIPMinimum.VIP.WPQueryParams.post__not_in.
• Composer: Normalized composer.json.
• Composer: Bump to PHPCompatibility ^9.
• Change severity of WordPress.CodeAnalysis.AssignmentInCondition.Found to 1 instead of removing it.
• Increases the PHPCS (3.2.3) and PHP (5.6+) minimum versions to supported and known good values.
• Travis: Remove PHPUnit 6 workaround.
• Travis: updates the PHPCS referenced in the Travis file, and remove the PHP 5.5 and 5.4 checks.
• Travis: Switch to using build stages.
• Travis: Extract shell scripts out of Travis config file.
• Silence WordPressVIPMinimum.Cache.BatcacheWhitelistedParams for VIP Go ruleset.
• Silence variable assignment condition rule.
• Docs: Updated Readme for more accuracy.
• Docs: Updated VIP link references.
• Removed string concatenation for messages for better readability.

Fixed

• Unreplaced placeholders for violation messages in WordPressVIPMinimum.VIP.FetchingRemoteDataSniff.
• WordPressVIPMinimum.Filters.AlwaysReturnSniff not reporting filter callbacks that don't return anywhere inside the function body.
• Incorrect severity level parameters in WordPressVIPMinimum.Variables.VariableAnalysis sniff since they are passed in as a string.
• Detection of double quotes in WordPressVIPMinimum.Variables.ServerVariables, add additional server variables and update unit tests.
• Typo: WordPressVIPMinimum.Files.IncludingNonPHPFile messages, switching get_file_contents to file_get_contents.
• Typo: "returning" in WordPressVIPMinimum.Filters.AlwaysReturn.voidReturn message.
• Typo: WordPressVIPMinimum.VIP.WPQueryParameters.suppressFiltersTrue, switching probihted to prohibited.
• Integration Ruleset tests not running in Travis.

Removed

• BREAKING: WordPressVIPMinimum.SVG.HTMLCodeSniff (SVG support), since it was not working well. You should remove any reference to this in your custom ruleset.
• var_dump from WordPressVIPMinimum ruleset since it should be the same type as var_export
• wpcom_vip_get_page_by_path from WordPressVIPMinimum.VIP.RestrictedFunctions
• Version check for PHP 7 or less in WordPressVIPMinimum.Variables.VariableAnalysis unit test since tests are not failing anymore.

Originally tagged as 0.2.5.

Props: emrikol, GaryJones, gudmdharalds, mikeyarce, nickdaugherty, paulschreiber, rebeccahum, sboisvert, tomjn.

Props: BrookeDot, david-binda, GaryJones, gudmdharalds, rebeccahum, sboisvert, tomjn, uxcitizen.

Props: david-binda, sboisvert, tessneedham, trepmal.

Props: david-binda, jacklenox, pyronaur, sboisvert, trepmal, vaurdan.

Props: david-binda.

Props: david-binda, philipjohn, tomjn.

Props: david-binda.

Initial release.

Props: david-binda, pkevan.

• #692: RestrictedFunctions: remove dbDelta group.

• Fixed CS violations in VIPCS code.

• #690: Ruleset: do not flag undefined variables in file scope or unused variables before require statement.
• #691: Composer: use VariableAnalysis 2.11.1.
• #694: PHPCS: enable caching for quicker scanning.
• #697: ProperEscapingFunction: upgrade htmlAttrNotByEscHTML to default severity level.