172 lines
7.2 KiB
XML
172 lines
7.2 KiB
XML
<?xml version="1.0"?>
|
|
<ruleset xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="WPThemeReview" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
|
|
|
|
<!-- For more information: https://make.wordpress.org/themes/handbook/review/ -->
|
|
<description>Standards any Theme to be published on wordpress.org should comply with.</description>
|
|
|
|
<!-- Themes should be compatible with PHP 5.2 and higher. -->
|
|
<config name="testVersion" value="5.2-"/>
|
|
<rule ref="PHPCompatibilityWP">
|
|
<include-pattern>*\.(php|inc)$</include-pattern>
|
|
</rule>
|
|
|
|
<!-- No PHP short open tags allowed. -->
|
|
<!-- Covers: https://github.com/Otto42/theme-check/blob/master/checks/phpshort.php -->
|
|
<rule ref="Generic.PHP.DisallowShortOpenTag"/>
|
|
|
|
<!-- Alternative PHP open tags not allowed. -->
|
|
<rule ref="Generic.PHP.DisallowAlternativePHPTags"/>
|
|
|
|
<!-- Files which start with a PHP open tag should have no whitespace preceding it. -->
|
|
<rule ref="Squiz.WhiteSpace.SuperfluousWhitespace.StartFile">
|
|
<message>To help prevent PHP "headers already sent" errors, whitespace before the PHP open tag should be removed.</message>
|
|
</rule>
|
|
|
|
<!-- Files should omit the closing PHP tag at the end of a file. -->
|
|
<rule ref="PSR2.Files.ClosingTag.NotAllowed">
|
|
<type>warning</type>
|
|
<message>To help prevent PHP "headers already sent" errors, the PHP closing tag at the end of the file should be removed.</message>
|
|
</rule>
|
|
|
|
<!-- Mixed line endings are not allowed. -->
|
|
<!-- Covers: https://github.com/Otto42/theme-check/blob/master/checks/lineendings.php -->
|
|
<rule ref="Internal.LineEndings.Mixed">
|
|
<type>error</type>
|
|
</rule>
|
|
|
|
<!-- No minification of scripts or files unless you provide original files. -->
|
|
<!-- Covers: https://make.wordpress.org/themes/handbook/review/required/#stylesheets-and-scripts -->
|
|
<rule ref="Internal.Tokenizer.Exception">
|
|
<message>File appears to be minified and cannot be processed. The non-minified file must be included too.</message>
|
|
</rule>
|
|
|
|
<!-- No ByteOrderMark allowed - important to prevent issues with content being sent before headers. -->
|
|
<rule ref="Generic.Files.ByteOrderMark"/>
|
|
|
|
<!-- Control structures which don't do anything are not very useful. -->
|
|
<rule ref="Generic.CodeAnalysis.EmptyStatement"/>
|
|
|
|
<!-- PHP tags without anything between them is just sloppy. -->
|
|
<!-- Internal: this should be replaced with the PHPCS native version of the same sniff
|
|
`Generic.CodeAnalysis.EmptyPHPStatement`, once the minimum required PHPCS version has gone up to 3.4.0. -->
|
|
<rule ref="WordPress.CodeAnalysis.EmptyStatement"/>
|
|
|
|
<!-- No removal of the admin bar allowed -->
|
|
<!-- Covers: https://github.com/wordpress/theme-check/blob/master/checks/adminbar.php -->
|
|
<rule ref="WPThemeReview.PluginTerritory.AdminBarRemoval">
|
|
<properties>
|
|
<property name="remove_only" value="false"/>
|
|
</properties>
|
|
</rule>
|
|
|
|
<!-- Check that the I18N functions are used correctly. -->
|
|
<!-- This sniff can also check the text domain, provided it's passed to PHPCS. -->
|
|
<rule ref="WordPress.WP.I18n"/>
|
|
|
|
<!-- No hard coding of scripts and styles. Everything should be enqueued. -->
|
|
<rule ref="WordPress.WP.EnqueuedResources"/>
|
|
|
|
<!-- Prevent path disclosure when using add_theme_page(). -->
|
|
<rule ref="WordPress.Security.PluginMenuSlug"/>
|
|
|
|
<!-- Do not silence error notices. e.g. Error Control Operator @.. -->
|
|
<rule ref="Generic.PHP.NoSilencedErrors">
|
|
<properties>
|
|
<property name="error" value="true"/>
|
|
</properties>
|
|
</rule>
|
|
|
|
<!-- While most themes shouldn't query the database directly, if they do, it should be done correctly. -->
|
|
<!-- Don't use the PHP database functions and classes, use the WP abstraction layer instead. -->
|
|
<rule ref="WordPress.DB.RestrictedClasses"/>
|
|
<rule ref="WordPress.DB.RestrictedFunctions"/>
|
|
|
|
<!-- All SQL queries should be prepared as close to the time of querying the database as possible. -->
|
|
<rule ref="WordPress.DB.PreparedSQL"/>
|
|
|
|
<!-- Verify that placeholders in prepared queries are used correctly. -->
|
|
<rule ref="WordPress.DB.PreparedSQLPlaceholders"/>
|
|
|
|
<!-- Validate and/or sanitize untrusted data before entering into the database. -->
|
|
<rule ref="WordPress.Security.ValidatedSanitizedInput">
|
|
<type>warning</type>
|
|
</rule>
|
|
|
|
<!-- All untrusted data should be escaped before output. -->
|
|
<rule ref="WordPress.Security.EscapeOutput">
|
|
<type>warning</type>
|
|
</rule>
|
|
|
|
<!-- Prohibit the use of the backtick operator. -->
|
|
<rule ref="Generic.PHP.BacktickOperator"/>
|
|
|
|
<!-- Prohibit overwriting of WordPress global variables. -->
|
|
<rule ref="WordPress.WP.GlobalVariablesOverride"/>
|
|
|
|
<!-- Prohibit the use of the eval() PHP language construct. -->
|
|
<rule ref="Squiz.PHP.Eval.Discouraged">
|
|
<type>error</type>
|
|
<message>eval() is a security risk so not allowed.</message>
|
|
</rule>
|
|
|
|
<!-- Prohibit the use of the `goto` PHP language construct. -->
|
|
<rule ref="Generic.PHP.DiscourageGoto.Found">
|
|
<type>error</type>
|
|
<message>The "goto" language construct should not be used.</message>
|
|
</rule>
|
|
|
|
<!-- Check for use of deprecated WordPress classes, functions and function parameters. -->
|
|
<rule ref="WordPress.WP.DeprecatedClasses"/>
|
|
<rule ref="WordPress.WP.DeprecatedFunctions"/>
|
|
<rule ref="WordPress.WP.DeprecatedParameters"/>
|
|
|
|
<!-- Check for deprecated WordPress constants. -->
|
|
<rule ref="WordPress.WP.DiscouragedConstants">
|
|
<type>error</type>
|
|
</rule>
|
|
|
|
<!-- Check for usage of deprecated parameter values in WP functions and provide alternative based on the parameter passed. -->
|
|
<rule ref="WordPress.WP.DeprecatedParameterValues"/>
|
|
|
|
<!-- Verify that everything in the global namespace is prefixed. -->
|
|
<!-- Covers: https://make.wordpress.org/themes/handbook/review/required/#code - last bullet. -->
|
|
<!-- NOTE: this sniff needs a custom property to be set for it to be activated. -->
|
|
<!-- See: https://github.com/WordPress/WordPress-Coding-Standards/wiki/Customizable-sniff-properties#naming-conventions-prefix-everything-in-the-global-namespace -->
|
|
<rule ref="WPThemeReview.CoreFunctionality.PrefixAllGlobals">
|
|
<properties>
|
|
<property name="allowed_folders" type="array">
|
|
<element value="template-parts"/>
|
|
<element value="templates"/>
|
|
<element value="partials"/>
|
|
<element value="page-templates"/>
|
|
</property>
|
|
</properties>
|
|
</rule>
|
|
|
|
<!-- Check for correct spelling of WordPress. -->
|
|
<!-- Covers: https://make.wordpress.org/themes/handbook/review/required/#naming - third bullet. -->
|
|
<rule ref="WordPress.WP.CapitalPDangit">
|
|
<type>error</type>
|
|
</rule>
|
|
|
|
<!-- If TGMPA is used, verify that the version is up to date. -->
|
|
<rule ref="WPThemeReview.Plugins.CorrectTGMPAVersion">
|
|
<!-- Require that the Custom Generator is used to download & adjust TGMPA. -->
|
|
<properties>
|
|
<property name="required_flavour" value="wporg"/>
|
|
</properties>
|
|
</rule>
|
|
|
|
<!-- Themes should not use the PHP session functions nor access the $_SESSION variable. -->
|
|
<!-- Covered by the WPThemeReview.PluginTerritory.SessionFunctionsUsage and WPThemeReview.PluginTerritory.SessionVariableUsage sniffs. -->
|
|
|
|
<!-- Themes should never touch the timezone. -->
|
|
<rule ref="WordPress.DateTime.RestrictedFunctions.timezone_change_date_default_timezone_set"/>
|
|
|
|
<!-- Themes shouldn't change ini configuration during runtime. -->
|
|
<rule ref="WordPress.PHP.IniSet">
|
|
<type>error</type>
|
|
</rule>
|
|
|
|
</ruleset>
|