@Simone thanks for sharing these plugins to test with.
I have removed a couple more rules (the ones relating to style standards), so now when scanning those 2 plugins, you get only non-style related warnings and errors.
I guess, the more plugins we review, the more “styles” we will see and the more we can remove.
Anticipating the question “why do you not just exclude the entire Squiz
or PEAR
or PSR2
?” - the reason is, while many of those rules are just for styling doctrines, some are actually about (at least perceived) security - and there is no pattern to exclude something like /Squiz.PHP.THIS_IS_A_STYLE_RULE.rule
because the rules are indeed named arbitrary and do not have a “prefix” indicating that it is a style, security or else related rule.
Update
some rules are part of subsets and can be excluded in bulk. The XML is updated with this in mind.
The sub-rules that the bulk removal removes, are still in the XML for reference but commented. (since we are experimenting at this stage, it might be wise to keep some sort of log/reference)
So… we can (correct me if wrong) not exclude the entire ruleset, without losing rules that we want to keep (like not using eval, for example, or at least warn about its usage in a codebase).
The changes are in the file I shared earlier, so re-scanning with that new ruleset should remove the leftover “unwanted” warnings and leave only the ones we want.
A word on escaping nonces.
While not entirely related, a while ago WPCS told me to escape third argument of wp_die()
.
And it is actually a valid request. The function is not escaping or sanitising it for us.
Similar, a nonce comes from a form input, even if you put it there, someone can edit the value in the hidden fields in the form.
That value then gets submitted and compared using verify nonce. Verify nonce does not escape or sanitise the input you give it, it just typecasts it to string. Additionally it is seems to be pluggable.
While obviously the nonce would fail, if not matching, and also after typecasting to string there is little (or none?) chance for anything in it to compromise your code even if plugged, it is not escaped neither sanitised explicitly for us.
So the warning is correct.
Whether false alarm or not, is above my level of understanding but I do follow that rule and do unslash and sanitize it (with sanitize_key
).
I prefer to be safe, if I do not fully understand the process (which I often do not), rather than leaving it to Stackoverflow examples (or even WP Doc examples, which in many cases fully miss to notify you about the real need of escaping or sanitising).
Also see this discussion on which I based my decision.
What I learned from that discussion (and many other similar ones I read) is that … even security aspects get personalised and opinionated, and not even very experienced folks do really have the full confidence to say “no” or “yes”
And anyone telling you differently, and claiming to know so well, first has to prove me that they are right by making WPCS Devs actually remove the rule from their ruleset (and that goes with all other such rules that folks often discuss as not-needed, and often are really false alarms).
If it is in WPCS, I follow it. Because, as for example the shared discussion shows, there is reasoning behind it and not even the gurus are confident enough to remove it. So why would I ignore it?
It’s not that I have to work so much more to satisfy that rule. And I can sleep at night, knowing I did the best I could with the little knowledge I have
Of course, folks will disagree with this and have all sorts of deep insight to share. Yet I have to see folks who actually contribute to these things daily to take a stance where they say “no, this is not needed, we remove it”. Then, I will remove it too.
Also, often it gets said that “these functions slow down the application”. While that might be true in a range of milliseconds, I then wonder how the same folks who say that, go and add 10 gazillion lines of “wow JS” to their website, 10 tracking tools, 2 chats, 4000 pixel large images, and complain about a sanitise function slowing down the app
It’s… well, this is a good read on the topic (old but IMO still actual) wp_kses Performance. It mainly is about wp_kses but also shows results of other functions, which should show very nicely that the performance argument is …