Releases: Automattic/VIP-Coding-Standards

1.0.0

24 Apr 21:38
8544a94

This release contains many breaking changes.

It requires PHP >= 5.6, PHPCS 3.2.3+, and WPCS 1.*. It does not work with WPCS 2.*.

Reorganisation and Renaming

The sniffs in VIPCS have been reorganised into different categories, with new sniff names and new violation codes. The changes are detailed in the table below. If you reference any of the old violations in your custom ruleset (to change severity, type, or message), or with // phpcs:ignore or // phpcs:disable, you will need to update these references to the new violation codes.

| Original Violation | New Violation |
| --- | --- |
| WordPressVIPMinimum.Actions.PreGetPostSniff.PreGetPosts | WordPressVIPMinimum.Hooks.PreGetPosts.PreGetPosts |
| WordPressVIPMinimum.Cache.BatcacheWhitelistedParams.strippedGetParam | WordPressVIPMinimum.Performance.BatcacheWhitelistedParams.StrippedGetParam |
| WordPressVIPMinimum.Cache.CacheValueOverride.CacheValueOverride | WordPressVIPMinimum.Performance.CacheValueOverride.CacheValueOverride |
| WordPressVIPMinimum.Cache.LowExpiryCacheTime.LowCacheTime | WordPressVIPMinimum.Performance.LowExpiryCacheTime.LowCacheTime |
| WordPressVIPMinimum.Classes.DeclarationCompatibility.DeclarationCompatibility | No change |
| WordPressVIPMinimum.Classes.RestrictedExtendClasses.wp_cli_wp_cli_command | WordPressVIPMinimum.Classes.RestrictedExtendClasses.wp_cli |
| WordPressVIPMinimum.Constants.ConstantsRestrictions.ConstantRestrictions | WordPressVIPMinimum.Constants.RestrictedConstants.DefiningRestrictedConstant |
| | WordPressVIPMinimum.Constants.RestrictedConstants.UsingRestrictedConstant |
| WordPressVIPMinimum.Constants.ConstantString.NotCheckingConstantName | No change |
| WordPressVIPMinimum.Files.IncludingFile.IncludingFile | WordPressVIPMinimum.Files.IncludingFile.UsingVariable |
| | WordPressVIPMinimum.Files.IncludingFile.UsingCustomConstant |
| | WordPressVIPMinimum.Files.IncludingFile.UsingCustomFunction |
| | WordPressVIPMinimum.Files.IncludingFile.NotAbsolutePath |
| | WordPressVIPMinimum.Files.IncludingFile.ExternalURL |
| | WordPressVIPMinimum.Files.IncludingFile.RestrictedConstant |
| WordPressVIPMinimum.Files.IncludingNonPHPFile.IncludingSVGCSSFile | WordPressVIPMinimum.Files.IncludingNonPHPFile.IncludingSVGCSSFile |
| WordPressVIPMinimum.Files.IncludingNonPHPFile.IncludingNonPHPFile | WordPressVIPMinimum.Files.IncludingNonPHPFile.IncludingNonPHPFile |
| WordPressVIPMinimum.Filters.AlwaysReturn.voidReturn | WordPressVIPMinimum.Hooks.AlwaysReturnInFilter.VoidReturn |
| WordPressVIPMinimum.Filters.AlwaysReturn.missingReturnStatement | WordPressVIPMinimum.Hooks.AlwaysReturnInFilter.MissingReturnStatement |
| WordPressVIPMinimum.Filters.RestrictedHook.UploadMimes | WordPressVIPMinimum.Hooks.RestrictedHooks.upload_mimes_upload_mimes |
| WordPressVIPMinimum.Filters.RestrictedHook.HighTimeout | WordPressVIPMinimum.Hooks.RestrictedHooks.http_request_http_request_args |
| | WordPressVIPMinimum.Hooks.RestrictedHooks.http_request_http_request_timeout |
| WordPressVIPMinimum.Functions.CheckReturnValue.CheckReturnValue | WordPressVIPMinimum.Functions.CheckReturnValue.DirectFunctionCall |
| | WordPressVIPMinimum.Functions.CheckReturnValue.NonCheckedVariable |
| WordPressVIPMinimum.Functions.CreateFunction.CreateFunction | WordPressVIPMinimum.Functions.RestrictedFunctions.create_function_create_function |
| WordPressVIPMinimum.Functions.DynamicCalls.DynamicCalls | No change |
| WordPressVIPMinimum.Functions.StripTags.StripTagsOneParameter | No change |
| WordPressVIPMinimum.Functions.StripTags.StripTagsTwoParameters | No change |
| WordPressVIPMinimum.JS.DangerouslySetInnerHTML.dangerouslySetInnerHTML | WordPressVIPMinimum.JS.DangerouslySetInnerHTML.Found |
| WordPressVIPMinimum.JS.HTMLExecutingFunctions.html | No change |
| WordPressVIPMinimum.JS.HTMLExecutingFunctions.append | No change |
| WordPressVIPMinimum.JS.HTMLExecutingFunctions.write | No change |
| WordPressVIPMinimum.JS.HTMLExecutingFunctions.writeln | No change |
| WordPressVIPMinimum.JS.InnerHTML.innerHTML | WordPressVIPMinimum.JS.InnerHTML.Found |
| WordPressVIPMinimum.JS.StringConcat.StringConcatNext | WordPressVIPMinimum.JS.StringConcat.Found |
| WordPressVIPMinimum.JS.StrippingTags.VulnerableTagStripping | No change |
| WordPressVIPMinimum.JS.Window.VarAssignment | No change |
| WordPressVIPMinimum.JS.Window.location | No change |
| WordPressVIPMinimum.JS.Window.name | No change |
| WordPressVIPMinimum.JS.Window.status | No change |
| WordPressVIPMinimum.Plugins.Zoninator.Zoninator | WordPressVIPMinimum.Compatibility.Zoninator.RequiresRESTAPI |
| WordPressVIPMinimum.TemplatingEngines.UnescapedOutputMustache.{{{ | WordPressVIPMinimum.Security.Mustache.OutputNotation |
| WordPressVIPMinimum.TemplatingEngines.UnescapedOutputMustache.{{& | WordPressVIPMinimum.Security.Mustache.VariableNotation |
| WordPressVIPMinimum.TemplatingEngines.UnescapedOutputMustache.delimeterChange | WordPressVIPMinimum.Security.Mustache.DelimiterChange |
| WordPressVIPMinimum.TemplatingEngines.UnescapedOutputMustache.SafeString | WordPressVIPMinimum.Security.Mustache.SafeString |
| WordPressVIPMinimum.TemplatingEngines.UnescapedOutputTwig.autoescape false | WordPressVIPMinimum.Security.Twig.AutoescapeFalse |
| WordPressVIPMinimum.TemplatingEngines.UnescapedOutputTwig.raw | WordPressVIPMinimum.Security.Twig.RawFound |
| WordPressVIPMinimum.TemplatingEngines.UnescapedOutputUnderscorejs.<%= | WordPressVIPMinimum.Security.Underscorejs.OutputNotation |
| WordPressVIPMinimum.TemplatingEngines.UnescapedOutputUnderscorejs.interpolate | WordPressVIPMinimum.Security.Underscorejs.InterpolateFound |
| WordPressVIPMinimum.TemplatingEngines.UnescapedOutputVuejs.v-html | WordPressVIPMinimum.Security.Vuejs.Found |
| WordPressVIPMinimum.Variables.ServerVariables.BasicAuthentication | No change |
| WordPressVIPMinimum.Variables.ServerVariables.UserControlledHeaders | No change |
| WordPressVIPMinimum.Variables.VariableAnalysis.VariableRedeclaration | No change |
| WordPressVIPMinimum.Variables.VariableAnalysis.UndefinedVariables | WordPressVIPMinimum.Variables.VariableAnalysis.UndefinedVariable |
| WordPressVIPMinimum.Variables.VariableAnalysis.$... | WordPressVIPMinimum.Variables.VariableAnalysis.SelfInsideClosure |
| | WordPressVIPMinimum.Variables.VariableAnalysis.SelfOutsideClass |
| | WordPressVIPMinimum.Variables.VariableAnalysis.StaticInsideClosure |
| | WordPressVIPMinimum.Variables.VariableAnalysis.StaticOutsideClass |
| WordPressVIPMinimum.Variables.VariableAnalysis.UnusedVariable | No change |
| WordPressVIPMinimum.VIP.ErrorControl.ErrorControl | Replaced with Generic.PHP.NoSilencedErrors |
| WordPressVIPMinimum.VIP.EscapingVoidReturnFunctions.escapingVoidReturningFunction | WordPressVIPMinimum.Security.EscapingVoidReturnFunctions.Found |
| WordPressVIPMinimum.VIP.ExitAfterRedirect.NoExitInConditional | WordPressVIPMinimum.Security.ExitAfterRedirect.NoExitInConditional |
| WordPressVIPMinimum.VIP.ExitAfterRedirect.NoExit | WordPressVIPMinimum.Security.ExitAfterRedirect.NoExit |
| WordPressVIPMinimum.VIP.FetchingRemoteData.fileGetContentsUknown | WordPressVIPMinimum.Performance.FetchingRemoteData.FileGetContentsUnknown |
| WordPressVIPMinimum.VIP.FetchingRemoteData.fileGetContentsRemoteFile | WordPressVIPMinimum.Performance.FetchingRemoteData.FileGetContentsRemoteFile |
| WordPressVIPMinimum.VIP.FlushRewriteRules.FlushRewriteRules | Replaced with WordPressVIPMinimum.Functions.RestrictedFunctions.flush_rewrite_rules_flush_rewrite_rules and WordPressVIPMinimum.Functions.RestrictedFunctions.flush_rewrite_rules_flush_rewrite_rules |
| WordPressVIPMinimum.VIP.MergeConflict.HEAD | WordPressVIPMinimum.MergeConflict.MergeConflict.Start |
| WordPressVIPMinimum.VIP.MergeConflict.DELIMITER | WordPressVIPMinimum.MergeConflict.MergeConflict.End |
| | WordPressVIPMinimum.MergeConflict.MergeConflict.Separator |
| WordPressVIPMinimum.VIP.PHPFilterFunctions.MissingThirdParameter | WordPressVIPMinimum.Security.PHPFilterFunctions.MissingThirdParameter |
| WordPressVIPMinimum.VIP.PHPFilterFunctions.RestrictedFilter | WordPressVIPMinimum.Security.PHPFilterFunctions.RestrictedFilter |
| WordPressVIPMinimum.VIP.PHPFilterFunctions.MissingSecondParameter | WordPressVIPMinimum.Security.PHPFilterFunctions.MissingSecondParameter |
| WordPressVIPMinimum.VIP.ProperEscapingFunction.hrefSrcEscUrl | WordPressVIPMinimum.Security.ProperEscapingFunction.hrefSrcEscUrl |
| WordPressVIPMinimum.VIP.ProperEscapingFunction.htmlAttrNotByEscHTML | WordPressVIPMinimum.Security.ProperEscapingFunction.htmlAttrNotByEscHTML |
| WordPressVIPMinimum.VIP.RegexpCompare.compare_compare | WordPressVIPMinimum.Performance.RegexCompare.compare_compare |
| WordPressVIPMinimum.VIP.RegexpCompare.compare_meta_compare | WordPressVIPMinimum.Performance.RegexCompare.compare_meta_compare |
| WordPressVIPMinimum.VIP.RemoteRequestTimeout.timeout_timeout | WordPressVIPMinimum.Performance.RemoteRequestTimeout.timeout_timeout |
| WordPressVIPMinimum.VIP.RestrictedFunctions.wp_cache_get_multi.wp_cache_get_multi | WordPressVIPMinimum.Functions.RestrictedFunctions.wp_cache_get_multi_wp_cache_get_multi |
| WordPressVIPMinimum.VIP.RestrictedFunctions.opcache_opcache_reset | WordPressVIPMinimum.Functions.RestrictedFunctions.opcache_opcache_reset |
| WordPressVIPMinimum.VIP.RestrictedFunctions.opcache_opcache_invalidate | WordPressVIPMinimum.Functions.RestrictedFunctions.opcache_opcache_invalidate |
| WordPressVIPMinimum.VIP.RestrictedFunctions.opcache_opcache_compile_file | WordPressVIPMinimum.Functions.RestrictedFunctions.opcache_opcache_compile_file |
`WordPressVIPMinimum.VIP.RestrictedFunctions.config_settings_opcache_is_scr...
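
An added example, not part of the VIP-Coding-Standards project: a Python helper that rewrites old violation codes in phpcs:ignore / phpcs:disable comments using rows from the table above, and flags ruleset lines where one old code was split into several new ones so they can be duplicated by hand. The RENAMES subset, the migrate_line name and the sample lines are assumptions made for illustration.

```python
import re

# Old code -> new code(s): four rows copied from the table above. Add the rest
# of the table before running this over a real repository.
RENAMES = {
    "WordPressVIPMinimum.Cache.LowExpiryCacheTime.LowCacheTime":
        ["WordPressVIPMinimum.Performance.LowExpiryCacheTime.LowCacheTime"],
    "WordPressVIPMinimum.JS.InnerHTML.innerHTML":
        ["WordPressVIPMinimum.JS.InnerHTML.Found"],
    "WordPressVIPMinimum.VIP.ExitAfterRedirect.NoExit":
        ["WordPressVIPMinimum.Security.ExitAfterRedirect.NoExit"],
    "WordPressVIPMinimum.Functions.CheckReturnValue.CheckReturnValue": [
        "WordPressVIPMinimum.Functions.CheckReturnValue.DirectFunctionCall",
        "WordPressVIPMinimum.Functions.CheckReturnValue.NonCheckedVariable",
    ],
}

# Match whole dotted codes so a short code never rewrites part of a longer one.
CODE = re.compile(r"WordPressVIPMinimum(?:\.\w+)+")
ANNOTATION = re.compile(r"phpcs:(?:ignore|disable|enable)\b")


def migrate_line(line):
    """Return (rewritten_line, needs_manual_review) for one line of text."""
    in_annotation = bool(ANNOTATION.search(line))
    review = False

    def swap(match):
        nonlocal review
        new_codes = RENAMES.get(match.group(0))
        if new_codes is None:
            return match.group(0)        # unchanged code, or not in the map
        if len(new_codes) > 1 and not in_annotation:
            review = True                # ruleset element: duplicate it by hand
            return match.group(0)
        return ", ".join(new_codes)      # annotations accept a comma-separated list

    return CODE.sub(swap, line), review


# Constructed sample lines (not taken from the project).
SAMPLE = [
    "wp_safe_redirect( $url ); // phpcs:ignore WordPressVIPMinimum.VIP.ExitAfterRedirect.NoExit",
    "$t = get_term_by( 'slug', $s, 'category' ); // phpcs:ignore WordPressVIPMinimum.Functions.CheckReturnValue.CheckReturnValue",
    '<rule ref="WordPressVIPMinimum.Functions.CheckReturnValue.CheckReturnValue">',
    "// phpcs:ignore WordPressVIPMinimum.JS.StrippingTags.VulnerableTagStripping",
]

if __name__ == "__main__":
    for text in SAMPLE:
        print(migrate_line(text))
```

Lines returned with the review flag set are left untouched; a ruleset entry for a split code needs one element per new code.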

0.4.0

19 Dec 12:29
423dd6d

This release contains breaking changes.

Added

  • WordPressVIPMinimum.Cache.LowExpiryCacheTime sniff.
  • WordPressVIPMinimum.Classes.RestrictedExtendedClasses sniff, for WP_CLI_Command.
  • WordPressVIPMinimum.Filters.RestrictedHooks sniff, for upload_mimes, as well as http_request_timeout and http_request_args filters which change timeouts, as we typically don't recommend anything above 3s.
  • WordPressVIPMinimum.Functions.StripTags sniff.
  • WordPressVIPMinimum.JS.DangerouslySetInnerHTML sniff.
  • WordPressVIPMinimum.JS.Window sniff.
  • WordPressVIPMinimum.VIP.PHPFilterFunctions sniff.
  • GitHub issue templates.
  • opcache_*() functions to list of restricted functions.
  • ACF templating function to list of restricted functions.
  • .editorconfig to repo.
  • Generic.PHP.Syntax to WordPressVIPMinimum ruleset.

Changed

  • Allow unused $e when catching exceptions.
  • Improved accuracy of WordPressVIPMinimum.Files.IncludingFile
  • Refactor WordPressVIPMinimum.VIP.RestrictedFunctions sniff.
  • Include documentation links directly in error message for WordPressVIPMinimum.VIP.WPQueryParams.post__not_in.
  • Composer: Normalized composer.json.
  • Composer: Bump to PHPCompatibility ^9.
  • Change severity of WordPress.CodeAnalysis.AssignmentInCondition.Found to 1 instead of removing it.
  • Increases the PHPCS (3.2.3) and PHP (5.6+) minimum versions to supported and known good values.
  • Travis: Remove PHPUnit 6 workaround.
  • Travis: updates the PHPCS referenced in the Travis file, and remove the PHP 5.5 and 5.4 checks.
  • Travis: Switch to using build stages.
  • Travis: Extract shell scripts out of Travis config file.
  • Silence WordPressVIPMinimum.Cache.BatcacheWhitelistedParams for VIP Go ruleset.
  • Silence variable assignment condition rule.
  • Docs: Updated Readme for more accuracy.
  • Docs: Updated VIP link references.
  • Removed string concatenation for messages for better readability.

Fixed

  • Unreplaced placeholders for violation messages in WordPressVIPMinimum.VIP.FetchingRemoteDataSniff.
  • WordPressVIPMinimum.Filters.AlwaysReturnSniff not reporting filter callbacks that don't return anywhere inside the function body.
  • Incorrect severity level parameters in WordPressVIPMinimum.Variables.VariableAnalysis sniff since they are passed in as a string.
  • Detection of double quotes in WordPressVIPMinimum.Variables.ServerVariables, add additional server variables and update unit tests.
  • Typo: WordPressVIPMinimum.Files.IncludingNonPHPFile messages, switching get_file_contents to file_get_contents.
  • Typo: "returning" in WordPressVIPMinimum.Filters.AlwaysReturn.voidReturn message.
  • Typo: WordPressVIPMinimum.VIP.WPQueryParameters.suppressFiltersTrue, switching probihted to prohibited.
  • Integration tests not running in Travis.

Removed

  • BREAKING: WordPressVIPMinimum.SVG.HTMLCodeSniff (SVG support), since it was not working well. You should remove any reference to this in your custom ruleset.
  • var_dump from WordPressVIPMinimum ruleset since it should be the same type as var_export
  • wpcom_vip_get_page_by_path from WordPressVIPMinimum.VIP.RestrictedFunctions
  • Version check for PHP 7 or less in WordPressVIPMinimum.Variables.VariableAnalysis unit test since tests are not failing anymore.

0.3.1

07 Dec 13:58
6ee2440
Merge pull request #294 from Automattic/fix/run-integration-tests-in-CI

Run integration tests in CI

0.2.4

19 Jul 12:06
c74e886
Local file description

Improve the description of file_get_contents() to talk about local and remote files.

0.2.3

10 Apr 12:01
5017a12

Includes the new WordPress-VIP-Go ruleset.

0.2.2

31 Jan 16:42
caa574e
Merge pull request #143 from Automattic/fix-120-flag-attempt-to-escape-void-returning-function

Flag attempt to escape function which prints its output

0.2.1

14 Dec 16:40
e91a620
Merge pull request #123 from Automattic/ignore-SuperfluousWhitespace-in-css-and-js

Ignore SuperfluousWhitespace in css and js files.

0.2.0

15 Aug 10:48

PHPCS 3.x and WPCS 0.13.x compatible version of the VIP Coding standards.

0.1.0

15 Aug 10:38

Initial release for making it easy to reference the state of the code before the PHPCS 3.x compatibility branch gets merged.