2.0.0-RC1

Important information about this release:

This is the first release candidate for WordPressCS 2.0.0.
WordPressCS 2.0.0 contains breaking changes, both for people using custom rulesets as well as for sniff developers who maintain a custom PHPCS standard based on WordPressCS.

Support for PHP_CodeSniffer 2.x has been dropped, the new minimum PHP_CodeSniffer version is 3.3.1.
Also, all previously deprecated sniffs, properties and methods have been removed.

Please read the complete changelog carefully before you upgrade.

If you are a maintainer of an external standard based on WordPressCS and any of your custom sniffs are based on or extend WPCS sniffs, please read the Developers Upgrade Guide to WordPressCS 2.0.0.

Added

• Generic.PHP.DiscourageGoto, Generic.PHP.LowerCaseType, Generic.WhiteSpace.ArbitraryParenthesesSpacing and PSR12.Keywords.ShortFormTypeKeywords to the WordPress-Core ruleset.
• Checking the spacing around the instanceof operator to the WordPress.WhiteSpace.OperatorSpacing sniff.

Changed

• The minimum required PHP_CodeSniffer version to 3.3.1 (was 2.9.0).
• The namespace used by WordPressCS has been changed from WordPress to WordPressCS\WordPress.
  This was not possible while PHP_CodeSniffer 2.x was still supported, but WordPressCS, as a good Open Source citizen, does not want to occupy the WordPress namespace and is releasing its use of it now this is viable.
• The WordPress.DB.PreparedSQL sniff used the same error code for two different errors.
  The NotPrepared error code remains, however an additional InterpolatedNotPrepared error code has been added for the second error.
  If you are referencing the old error code in a ruleset XML file or in inline annotations, you may need to update it.
• The WordPress.NamingConventions.PrefixAllGlobals sniff used the same error code for some errors as well as warnings.
  The NonPrefixedConstantFound error code remains for the related error, but the warning will now use the new VariableConstantNameFound error code.
  The NonPrefixedHooknameFound error code remains for the related error, but the warning will now use the new DynamicHooknameFound error code.
  If you are referencing the old error codes in a ruleset XML file or in inline annotations, you may need to update these to use the new codes instead.
• WordPress.NamingConventions.ValidVariableName: the error messages and error codes used by this sniff have been changed for improved usability and consistency.
  • The error messages will now show a suggestion for a valid alternative name for the variable.
  • The NotSnakeCaseMemberVar error code has been renamed to UsedPropertyNotSnakeCase.
  • The NotSnakeCase error code has been renamed to VariableNotSnakeCase.
  • The MemberNotSnakeCase error code has been renamed to PropertyNotSnakeCase.
  • The StringNotSnakeCase error code has been renamed to InterpolatedVariableNotSnakeCase.
    If you are referencing the old error codes in a ruleset XML file or in inline annotations, you may need to update these to use the new codes instead.
• The WordPress.Security.NonceVerification sniff used the same error code for both an error as well as a warning.
  The old error code NoNonceVerification is no longer used.
  The error now uses the Missing error code, while the warning now uses the Recommended error code.
  If you are referencing the old error code in a ruleset XML file or in inline annotations, please update these to use the new codes instead.
• The WordPress.WP.DiscouragedConstants sniff used to have two error codes UsageFound and DeclarationFound.
  These error codes will now be prefixed by the name of the constant found to allow for more fine-grained excluding/ignoring of warnings generated by this sniff.
  If you are referencing the old error codes in a ruleset XML file or in inline annotations, you may need to update these to use the new codes instead.
• The WordPress.WP.GlobalVariablesOverride.OverrideProhibited error code has been replaced by the WordPress.WP.GlobalVariablesOverride.Prohibited error code.
  If you are referencing the old error code in a ruleset XML file or in inline annotations, you may need to update it.
• WordPress-Extra: Replaced the inclusion of the Generic.Files.OneClassPerFile, Generic.Files.OneInterfacePerFile and the Generic.Files.OneTraitPerFile sniffs with the new Generic.Files.OneObjectStructurePerFile sniff.
• WordPress-Extra: Replaced the inclusion of the Squiz.WhiteSpace.LanguageConstructSpacing sniff with the new Generic.WhiteSpace.LanguageConstructSpacing sniff.
• WordPress-Extra: Replaced the inclusion of the Squiz.Scope.MemberVarScope sniff with the more comprehensive PSR2.Classes.PropertyDeclaration sniff.
• WordPress.NamingConventions.ValidFunctionName: Added a unit test confirming support for interfaces extending multiple interfaces.
• WordPress.NamingConventions.ValidVariableName: Added unit tests confirming support for multi-variable/property declarations.
• The get_name_suggestion() method has been moved from the WordPress.NamingConventions.ValidFunctionName sniff to the base Sniff class, renamed to get_snake_case_name_suggestion() and made static.
• The rulesets are now validated against the PHP_CodeSniffer XSD schema.
• Updated the custom ruleset example to use the recommended ruleset syntax for PHP_CodeSniffer 3.3.1+, including using the new array property format which is now supported.
• Dev: The command to run the unit tests has changed. Please see the updated instructions in the CONTRIBUTING.md file.
  The bin/pre-commit example git hook has been updated to match. Additionally a run-tests script has been added to the composer.json file for your convenience.
  To facilitate this, PHPUnit has been added to require-dev, even though it is strictly speaking a dependency of PHPCS, not of WPCS.
• Dev: The DealerDirect PHPCS Composer plugin has been added to require-dev.
• Various code tweaks and clean up.
• User facing documentation, including the wiki, as well as inline documentation has been updated for all the changes contained in WordPressCS 2.0 and other recommended best practices for PHP_CodeSniffer 3.3.1+.

Deprecated

• The use of the WordPressCS native whitelist comments, which were introduced in WPCS 0.4.0, have been deprecated and support will be removed in WPCS 3.0.0.
  The WordPressCS native whitelist comments will continue to work for now, but a deprecation warning will be thrown when they are encountered.
  You are encouraged to upgrade our whitelist comment to use the PHPCS native selective ignore annotations as introduced in PHP_CodeSniffer 3.2.0, as soon as possible.

Removed

• Support for PHP 5.3. PHP 5.4 is the minimum requirement for PHP_CodeSniffer 3.x.
  Includes removing any and all workarounds which were in place to still support PHP 5.3.
• Support for PHP_CodeSniffer < 3.3.1.
  Includes removing any and all workarounds which were in place for supporting older PHP_CodeSniffer versions.
• The WordPress-VIP standard which was deprecated since WordPressCS 1.0.0.
  For checking a theme/plugin for hosting on the WordPress.com VIP platform, please use the Automattic VIP coding standards instead.
• Support for array properties set in a custom ruleset without the type="array" attribute.
  Support for this was deprecated in WPCS 1.0.0.
  If in doubt about how properties should be set in your custom ruleset, please refer to the Customizable sniff properties wiki page which contains XML code examples for setting each and every WPCS native sniff property.
  As the minimum PHP_CodeSniffer version is now 3.3.1, you can now also use the new format for setting array properties, so this would be a great moment to review and update your custom ruleset.
  Note: the ability to set select properties from the command-line as comma-delimited strings is not affected by this change.
• The following sniffs have been removed outright without deprecation.
  If you are referencing these sniffs in a ruleset XML file or in inline annotations, please update these to reference the replacement sniffs instead.
  • WordPress.Functions.FunctionCallSignatureNoParams - superseded by a bug fix in the upstream PEAR.Functions.FunctionCallSignature sniff.
  • WordPress.PHP.DiscourageGoto - replaced by the same sniff which is now available upstream: Generic.PHP.DiscourageGoto.
  • WordPress.WhiteSpace.SemicolonSpacing - superseded by a bug fix in the upstream Squiz.WhiteSpace.SemicolonSpacing sniff.
  • WordPress.WhiteSpace.ArbitraryParenthesesSpacing - replaced by the same sniff which is now available upstream: Generic.WhiteSpace.ArbitraryParenthesesSpacing.
• The following "base" sniffs which were previously already deprecated and turned into abstract base classes, have been removed:
  • WordPress.Arrays.ArrayAssignmentRestrictions - use the `Abstract...

1.2.1

Note: This will be the last release supporting PHP_CodeSniffer 2.x.

Changed

• The default value for minimum_supported_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 4.7.
• The WordPress.NamingConventions.PrefixAllGlobals sniff will now report the error for hook names and constant names declared with define() on the line containing the parameter for the hook/constant name. Previously, it would report the error on the line containing the function call.
• Various minor housekeeping fixes to inline documentation, rulesets, code.

Removed

• comment_author_email_link(), comment_author_email(), comment_author_IP(), comment_author_link(), comment_author_rss(), comment_author_url_link(), comment_author_url(), comment_author(), comment_date(), comment_excerpt(), comment_form_title(), comment_form(), comment_id_fields(), comment_ID(), comment_reply_link(), comment_text_rss(), comment_text(), comment_time(), comment_type(), comments_link(), comments_number(), comments_popup_link(), comments_popup_script(), comments_rss_link(), delete_get_calendar_cache(), edit_bookmark_link(), edit_comment_link(), edit_post_link(), edit_tag_link(), get_footer(), get_header(), get_sidebar(), get_the_title(), next_comments_link(), next_image_link(), next_post_link(), next_posts_link(), permalink_anchor(), posts_nav_link(), previous_comments_link(), previous_image_link(), previous_post_link(), previous_posts_link(), sticky_class(), the_attachment_link(), the_author_link(), the_author_meta(), the_author_posts_link(), the_author_posts(), the_category_rss(), the_category(), the_content_rss(), the_content(), the_date_xml(), the_excerpt_rss(), the_excerpt(), the_feed_link(), the_ID(), the_meta(), the_modified_author(), the_modified_date(), the_modified_time(), the_permalink(), the_post_thumbnail(), the_search_query(), the_shortlink(), the_tags(), the_taxonomies(), the_terms(), the_time(), the_title_rss(), the_title(), wp_enqueue_script(), wp_meta(), wp_shortlink_header() and wp_shortlink_wp_head() from the list of auto-escaped functions Sniff::$autoEscapedFunctions. This affects the WordPress.Security.EscapeOutput sniff.

Fixed

• The WordPress.WhiteSpace.PrecisionAlignment sniff would loose the value of a custom set ignoreAlignmentTokens property when scanning more than one file.

1.2.0

Added

• New WordPress.PHP.TypeCasts sniff to the WordPress-Core ruleset.
  This new sniff checks that PHP type casts are:
  • lowercase;
  • short form, i.e. (bool) not (boolean);
  • normalized, i.e. (float) not (real).
    Additionally, the new sniff discourages the use of the (unset) and (binary) type casts.
• New WordPress.Utils.I18nTextDomainFixer sniff which can compehensively replace/add text-domains in a plugin or theme.
  Important notes:
  • This sniff is disabled by default and intended as a utility tool.
  • The sniff will fix the text domains in all I18n function calls as well as in a plugin/theme Text Domain: header.
  • Passing the following properties will activate the sniff:
    • old_text_domain: an array with one or more (old) text domains which need to be replaced;
    • new_text_domain: the correct (new) text domain as a string.
• The WordPress.NamingConventions.PrefixAllGlobals sniff will now also verify that namespace names use a valid prefix.
  • The sniff allows for underscores and (other) non-word characters in a passed prefix to be converted to namespace separators when used in a namespace name.
    In other words, if a prefix of my_plugin is passed as a value to the prefixes property, a namespace name of both My\Plugin as well as My_Plugin\\, will be accepted automatically.
  • Passing a prefix property value containing namespace separators will now also be allowed and will no longer trigger a warning.
• WordPress to the prefix blacklist for the WordPress.NamingConventions.PrefixAllGlobals sniff.
  While the prefix cannot be WordPress, a prefix can still start with or contain WordPress.
• Additional unit tests covering a change in the tokenizer which will be included in the upcoming PHP_CodeSniffer 3.4.0 release.
• A variety of issue templates for use on GitHub.

Changed

• The Sniff::valid_direct_scope() method will now return the $stackPtr to the valid scope if a valid direct scope has been detected. Previously, it would return true.
• Minor hardening and efficiency improvements to the WordPress.NamingConventions.PrefixAllGlobals sniff.
• The inline documentation of the WordPress-Core ruleset has been updated to be in line again with the handbook.
• The inline links to documentation about the VIP requirements have been updated.
• Updated the custom ruleset example to recommend using PHPCompatibilityWP rather than PHPCompatibility.
• All sniffs are now also being tested against PHP 7.3 for consistent sniff results.
  Note: PHP 7.3 is only supported in combination with PHPCS 3.3.1 or higher as PHP_CodeSniffer itself has an incompatibility in earlier versions.
• Minor grammar fixes in text strings and documentation.
• Minor consistency improvement for the unit test case files.
• Minor tweaks to the composer.json file.
• Updated the PHPCompatibility dev dependency.

Removed

• The WordPress.WhiteSpace.CastStructureSpacing.NoSpaceAfterCloseParenthesis error code as an error for the same issue was already being thrown by an included upstream sniff.

Fixed

• The WordPress.CodeAnalysis.EmptyStatement would throw a false positive for an empty condition in a for() statement.
• The Sniff::is_class_property() method could, in certain circumstances, incorrectly recognize parameters in a method declaration as class properties. It would also, incorrectly, fail to recognize class properties when the object they are declared in, was nested in parentheses.
  This affected, amongst others, the GlobalVariablesOverride sniff.
• The Sniff::get_declared_namespace_name() method could get confused over whitespace and comments within a namespace name, which could lead to incorrect results (mostly underreporting).
  This affected, amongst others, the GlobalVariablesOverride sniff.
  The return value of the method will now no longer contain any whitespace or comments encountered.
• The Sniff::has_whitelist_comment() method would sometimes incorrectly regard // phpcs:set comments as whitelist comments.

1.1.0

Added

• New WordPress.PHP.NoSilencedErrors sniff. This sniff replaces the Generic.PHP.NoSilencedErrors sniff which was previously used and included in the WordPress-Core ruleset.
  The WordPress specific version of the sniff differs from the PHPCS version in that it:
  • Allows the error control operator @ if it preceeds a function call to a limited list of PHP functions for which no amount of error checking can prevent a PHP warning from being thrown.
  • Allows for a used-defined list of (additional) function names to be passed to the sniff via the custom_whitelist property in a custom ruleset, for which - if the error control operator is detected in front of a function call to one of the functions in this whitelist - no warnings will be thrown.
  • Displays a brief snippet of code in the warning message text to show the context in which the error control operator is being used. The length of the snippet (in tokens) can be customized via the context_length property.
  • Contains a public use_default_whitelist property which can be set from a custom ruleset which regulates whether or not the standard whitelist of PHP functions should be used by the sniff.
    The user-defined whitelist will always be respected.
    By default, this property is set to true for the WordPress-Core ruleset and to false for the WordPress-Extra ruleset (which is stricter regarding these kind of best practices).
• Metrics to the WordPress.NamingConventions.PrefixAllGlobals sniff to aid people in determining the most commonly used prefix in a legacy project.
  For an example of how to use this feature, please see the detailed explanation in the pull request.

Changed

• The PEAR.Functions.FunctionCallSignature sniff, which is part of the WordPress-Core ruleset, used to allow multiple function call parameters per line in multi-line function calls. This will no longer be allowed.
  As of this release, if a function call is multi-line, each parameter should start on a new line and an error will be thrown if the code being analysed does not comply with that rule.
  The sniff behaviour for single-line function calls is not affected by this change.
• Moved the WordPress.CodeAnalysis.EmptyStatement sniff from the WordPress-Extra to the WordPress-Core ruleset.
• Moved the Squiz.PHP.CommentedOutCode sniff from the WordPress-Docs to the WordPress-Extra ruleset and lowered the threshold for determining whether or not a comment is commented out code from 45% to 40%.
• The WordPress.NamingConventions.PrefixAllGlobals sniff now has improved support for recognizing whether or not (non-prefixed) globals are declared in the context of unit tests.
• The is_foreach_as() method has been moved from the GlobalVariablesOverrideSniff class to the WordPress Sniff base class.
• The Sniff::is_token_in_test_method() utility method now has improved support for recognizing test methods in anonymous classes.
• Minor efficiency improvement to the Sniff::is_safe_casted() method.
• CI: Minor tweaks to the Travis script.
• CI: Improved Composer scripts for use by WPCS developers.
• Dev: Removed IDE specific files from .gitignore.
• Readme: Improved the documentation about the project history and the badge display.

Fixed

• The WordPress.Security.ValidatedSanitizedInput sniff will now recognize array keys in superglobals independently of the string quote-style used for the array key.
• The WordPress.WhiteSpace.PrecisionAlignment sniff will no longer throw false positives for DocBlocks for JavaScript functions within inline HTML.
• WordPress.WP.DeprecatedClasses: The error codes for this sniff were unstable as they were based on the code being analysed instead of on fixed values.
• Various bugfixes for the WordPress.WP.GlobalVariablesOverride sniff:
  • Previously, the sniff only checked variables in the global namespace when a global statement would be encountered. As of now, all variable assignments in the global namespace will be checked.
  • Nested functions/closures/classes which don't import the global variable will now be skipped over when encountered within another function, preventing false positives.
  • Parameters in function declarations will no longer throw false positives.
  • The error message for assignments to a subkey of the $GLOBALS superglobal has been improved.
  • Various efficiency improvements.
• The Sniff::is_in_isset_or_empty() method presumed the WordPress coding style regarding code layout, which could lead to incorrect results (mostly underreporting).
  This affected, amongst others, the WordPress.Security.ValidatedSanitizedInput sniff.
• Broken links in the inline developer documentation.

1.0.0

Important information about this release:

If you use the WordPress Coding Standards with a custom ruleset, please be aware that a number of sniffs have been moved between categories and that the old sniff names have been deprecated.
If you selectively include any of these sniffs in your custom ruleset or set custom property values for these sniffs, your custom ruleset will need to be updated.

The WordPress-VIP ruleset has also been deprecated. If you used that ruleset to check your theme/plugin for hosting on the WordPress.com VIP platform, please use the Automattic VIP coding standards instead.
If you used that ruleset for any other reason, you should probably use the WordPress-Extra or WordPress ruleset instead.

These and some related changes have been annotated in detail in the Deprecated section of this changelog.

Please read the complete changelog carefully before you upgrade.

If you are a maintainer of an external standard based on WPCS and any of your custom sniffs are based on or extend WPCS sniffs, the same applies.

Added

• WordPress.PHP.PregQuoteDelimiter sniff to the WordPress-Extra ruleset to warn about calls to preg_quote() which don't pass the $delimiter parameter.
• WordPress.Security.SafeRedirect sniff to the WordPress-Extra ruleset to warn about potential open redirect vulnerabilities.
• WordPress.WP.DeprecatedParameterValues sniff to the WordPress-Extra ruleset to detect deprecated parameter values being passed to select functions.
• WordPress.WP.EnqueuedResourceParameters sniff to the WordPress-Extra ruleset to detect:
  • Calls to the script/style register/enqueue functions which don't pass a $version for the script/style, which can cause issues with browser caching; and/or
  • Calls to the register/enqueue script functions which don't pass the $in_footer parameter, which causes scripts - by default - to be loaded in the HTML header in a layout rendering blocking manner.
• Detection of calls to strip_tags() and various PHP native ..rand() functions to the WordPress.WP.AlternativeFunctions sniff.
• readonly() to the list of auto-escaped functions Sniff::$autoEscapedFunctions. This affects the WordPress.Security.EscapeOutput sniff.
• The WordPress.Security.PluginMenuSlug, WordPress.WP.CronInterval, WordPress.WP.PostsPerPage and WordPress.WP.TimezoneChange sniffs are now included in the WordPress-Extra ruleset. Previously, they were already included in the WordPress and WordPress-VIP rulesets.
• New utility method Sniff::is_use_of_global_constant().
• A rationale to the package suggestion made via composer.json.
• CI: Validation of the composer.json file on each build.
• A wiki page with instructions on how to set up WPCS to run with Eclipse on XAMPP.
• Readme: A link to an external resource with more examples for setting up PHPCS for CI.
• Readme: A badge-based quick overview of the project.

Changed

• The WordPress ruleset no longer includes the WordPress-VIP ruleset, nor does it include any of the (deprecated) VIP sniffs anymore.
• The following sniffs have been moved to a new category:
  • CronInterval from the VIP category to the WP category.
  • DirectDatabaseQuery from the VIP category to the DB category.
  • DontExtract from the Functions category to the PHP category.
  • EscapeOutput from the XSS category to the Security category.
  • GlobalVariables from the Variables category to the WP category.
  • NonceVerification from the CSRF category to the Security category.
  • PluginMenuSlug from the VIP category to the Security category.
  • PreparedSQL from the WP category to the DB category.
  • SlowDBQuery from the VIP category to the DB category.
  • TimezoneChange from the VIP category to the WP category.
  • ValidatedSanitizedInput from the VIP category to the Security category.
• The WordPress.VIP.PostsPerPage sniff has been split into two distinct sniffs:
  • WordPress.WP.PostsPerPage which will check for the use of a high pagination limit and will throw a warning when this is encountered. For the VIP ruleset, the error level remains error.
  • WordPress.VIP.PostsPerPage wich will check for disabling of pagination.
• The default value for minimum_supported_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 4.6.
• The WordPress.WP.AlternativeFunctions sniff will now only throw a warning if/when the recommended alternative function is available in the minimum supported WP version of a project.
  In addition to this, certain alternatives are only valid alternatives in certain circumstances, like when the WP version only supports the first parameter of the PHP function it is trying to replace.
  This will now be taken into account for:
  • wp_strip_all_tags() is only a valid alternative for the PHP native strip_tags() when the second parameter $allowed_tags has not been passed.
  • wp_parse_url() only added support for the second parameter $component of the PHP native parse_url() function in WP 4.7.0.
• The WordPress.WP.DeprecatedFunctions sniff will now detect functions deprecated in WP 4.9.
• The WordPress.WP.GlobalVariablesOverride sniff will now display the name of the variable being overridden in the error message.
• The WordPress.WP.I18n sniff now extends the AbstractFunctionRestrictionSniff.
• Assignments in conditions in ternaries as detected by the WordPress.CodeAnalysis.AssignmentInCondition sniff will now be reported under a separate error code FoundInTernaryCondition.
• The default error level for the notices from the WordPress.DB.DirectDatabaseQuery sniff has been lowered from error to warning. For the VIP ruleset, the error level remains error.
• The default error level for the notices from the WordPress.Security.PluginMenuSlug sniff has been lowered from error to warning. For the VIP ruleset, the error level remains error.
• The default error level for the notices from the WordPress.WP.CronInterval sniff has been lowered from error to warning. For the VIP ruleset, the error level remains error.
• The Sniff::get_function_call_parameters() utility method now has improved handling of closures when passed as function call parameters.
• Rulesets: a number of error codes were previously silenced by explicitly exclude-ing them. Now, they will be silenced by setting the severity to 0 which makes it more easily discoverable for maintainers of custom rulesets how to enable these error codes again.
• Various performance optimizations which should most notably make a difference when running WPCS on PHP 7.
• References to the WordPress.com VIP platform have been clarified.
• Unit Tests: custom properties set in unit test files are reset after use.
• Various improvements to the ruleset used by the WPCS project itself and minor code clean up related to this.
• CI: Each change will now also be tested against the lowest supported PHPCS 3 version.
• CI: Each change will now also be checked for PHP cross-version compatibility.
• CI: The rulesets will now also be tested on each change to ensure no unexpected messages are thrown.
• CI: Minor changes to the script to make the build testing faster.
• Updated the custom ruleset example for the changes contained in this release and to reflect current best practices regarding the PHPCompatibility standard.
• The instructions on how to set up WPCS for various IDEs have been moved from the README to the wiki.
• Updated output examples in README.md and CONTRIBUTING.md and other minor changes to these files.
• Updated references to the PHPCompatibility standard to reflect its new location and recommend using PHPCompatibilityWP.

Deprecated

• The WordPress-VIP ruleset has been deprecated.
  For checking a theme/plugin for hosting on the WordPress.com VIP platform, please use the Automattic VIP coding standards instead.
  If you used the WordPress-VIP ruleset for any other reason, you should probably use the WordPress-Extra or WordPress ruleset instead.
• The following sniffs have been deprecated and will be removed in WPCS 2.0.0:
  • WordPress.CSRF.NonceVerification - use WordPress.Security.NonceVerification instead.
  • WordPress.Functions.DontExtract - use WordPress.PHP.DontExtract instead.
  • WordPress.Variables.GlobalVariables - use WordPress.WP.GlobalVariablesOverride instead.
  • WordPress.VIP.CronInterval - use WordPress.WP.CronInterval instead.
  • WordPress.VIP.DirectDatabaseQuery - use WordPress.DB.DirectDatabaseQuery instead.
  • WordPress.VIP.PluginMenuSlug - use WordPress.Security.PluginMenuSlug instead.
  • WordPress.VIP.SlowDBQuery - use WordPress.DB.SlowDBQuery instead.
  • WordPress.VIP.TimezoneChange - use WordPress.WP.TimezoneChange instead.
  • WordPress.VIP.ValidatedSanitizedInput - use WordPress.Security.ValidatedSanitizedInput instead.
  • WordPress.WP.PreparedSQL - use WordPress.DB.PreparedSQL instead.
  • WordPress.XSS.EscapeOutput - use WordPress.Security.EscapeOutput instead.
  • `WordPress.VIP.AdminBarRemova...

0.14.1

Fixed

• The WordPress.NamingConventions.PrefixAllGlobals sniff contained a bug which could inadvertently trigger class autoloading of the project being sniffed and by extension could cause fatal errors during the PHPCS run.

0.14.0

Added

• WordPress.Arrays.MultipleStatementAlignment sniff to the WordPress-Core ruleset which will align the array assignment operator for multi-item, multi-line associative arrays.
  This new sniff offers four custom properties to customize its behaviour: ignoreNewlines, exact, maxColumn and alignMultilineItems.
• WordPress.DB.PreparedSQLPlaceholders sniff to the WordPress-Core ruleset which will analyse the placeholders passed to $wpdb->prepare() for their validity, check whether queries using IN () and LIKE statements are created correctly and will check whether a correct number of replacements are passed.
  This sniff should help detect queries which are impacted by the security fixes to $wpdb->prepare() which shipped with WP 4.8.2 and 4.8.3.
  The sniff also adds a new "PreparedSQLPlaceholders replacement count" whitelist comment for pertinent replacement count vs placeholder mismatches. Please consider carefully whether something could be a bug when you are tempted to use the whitelist comment and if so, report it.
• WordPress.PHP.DiscourageGoto sniff to the WordPress-Core ruleset.
• WordPress.PHP.RestrictedFunctions sniff to the WordPress-Core ruleset which initially forbids the use of create_function().
  This was previous only discouraged under certain circumstances.
• WordPress.WhiteSpace.ArbitraryParenthesesSpacing sniff to the WordPress-Core ruleset which checks the spacing on the inside of arbitrary parentheses.
• WordPress.WhiteSpace.PrecisionAlignment sniff to the WordPress-Core ruleset which will throw a warning when precision alignment is detected in PHP, JS and CSS files.
• WordPress.WhiteSpace.SemicolonSpacing sniff to the WordPress-Core ruleset which will throw a (fixable) error when whitespace is found before a semi-colon, except for when the semi-colon denotes an empty for() condition.
• WordPress.CodeAnalysis.AssignmentInCondition sniff to the WordPress-Extra ruleset.
• WordPress.WP.DiscouragedConstants sniff to the WordPress-Extra and WordPress-VIP rulesets to detect usage of deprecated WordPress constants, such as STYLESHEETPATH and HEADER_IMAGE.
• Ability to pass the minimum_supported_version to use for the DeprecatedFunctions, DeprecatedClasses and DeprecatedParameters sniff in one go. You can pass a minimum_supported_wp_version runtime variable for this from the command line or pass it using a config directive in a custom ruleset.
• Generic.Formatting.MultipleStatementAlignment - customized to have a maxPadding of 40 -, Generic.Functions.FunctionCallArgumentSpacing and Squiz.WhiteSpace.ObjectOperatorSpacing to the WordPress-Core ruleset.
• Squiz.Scope.MethodScope, Squiz.Scope.MemberVarScope, Squiz.WhiteSpace.ScopeKeywordSpacing, PSR2.Methods.MethodDeclaration, Generic.Files.OneClassPerFile, Generic.Files.OneInterfacePerFile, Generic.Files.OneTraitPerFile, PEAR.Files.IncludingFile, Squiz.WhiteSpace.LanguageConstructSpacing, PSR2.Namespaces.NamespaceDeclaration to the WordPress-Extra ruleset.
• The is_class_constant(), is_class_property and valid_direct_scope() utility methods to the WordPress\Sniff class.

Changed

• When passing an array property via a custom ruleset to PHP_CodeSniffer, spaces around the key/value are taken as intentional and parsed as part of the array key/value. In practice, this leads to confusion and WPCS does not expect any values which could be preceded/followed by a space, so for the WordPress Coding Standard native array properties, like customAutoEscapedFunction, text_domain, prefixes, WPCS will now trim whitespace from the keys/values received before use.
• The WPCS native whitelist comments used to only work when they were put on the end of the line of the code they applied to. As of now, they will also be recognized when they are be put at the end of the statement they apply to.
• The WordPress.Arrays.ArrayDeclarationSpacing sniff used to enforce all associative arrays to be multi-line. The handbook has been updated to only require this for multi-item associative arrays and the sniff has been updated accordingly.
  The original behaviour can still be enforced by setting the new allow_single_item_single_line_associative_arrays property to false in a custom ruleset.
• The WordPress.NamingConventions.PrefixAllGlobals sniff will now allow for a limited list of WP core hooks which are intended to be called by plugins and themes.
• The WordPress.PHP.DiscouragedFunctions sniff used to include create_function. This check has been moved to the new WordPress.PHP.RestrictedFunctions sniff.
• The WordPress.PHP.StrictInArray sniff now has a separate error code FoundNonStrictFalse for when the $strict parameter has been set to false. This allows for excluding the warnings for that particular situation, which will normally be intentional, via a custom ruleset.
• The WordPress.VIP.CronInterval sniff now allows for customizing the minimum allowed cron interval by setting a property in a custom ruleset.
• The WordPress.VIP.RestrictedFunctions sniff used to prohibit the use of certain WP native functions, recommending the use of wpcom_vip_get_term_link(), wpcom_vip_get_term_by() and wpcom_vip_get_category_by_slug() instead, as the WP native functions were not being cached. As the results of the relevant WP native functions are cached as of WP 4.8, the advice has now been reversed i.e. use the WP native functions instead of wpcom... functions.
• The WordPress.VIP.PostsPerPage sniff now allows for customizing the post_per_page limit for which the sniff will trigger by setting a property in a custom ruleset.
• The WordPress.WP.I18n sniff will now allow and actively encourage omitting the text-domain in I18n function calls if the text-domain passed via the text_domain property is default, i.e. the domain used by Core.
  When default is one of several text-domains passed via the text_domain property, the error thrown when the domain is missing has been downgraded to a warning.
• The WordPress.XSS.EscapeOutput sniff now has a separate error code OutputNotEscapedShortEcho and the error message texts have been updated.
• Moved Squiz.PHP.Eval from the WordPress-Extra and WordPress-VIP to the WordPress-Core ruleset.
• Removed two sniffs from the WordPress-VIP ruleset which were already included via the WordPress-Core ruleset.
• The unit test suite is now compatible with PHPCS 3.1.0+ and PHPUnit 6.x.
• Some tidying up of the unit test case files.
• All sniffs are now also being tested against PHP 7.2 for consistent sniff results.
• An attempt is made to detect potential fixer conflicts early via a special build test.
• Various minor documentation fixes.
• Improved the Atom setup instructions in the Readme.
• Updated the unit testing information in Contributing.
• Updated the custom ruleset example for the changes contained in this release and to make it more explicit what is recommended versus example code.
• The minimum recommended version for the suggested DealerDirect/phpcodesniffer-composer-installer Composer plugin has gone up to 0.4.3. This patch version fixes support for PHP 5.3.

Fixed

• The WordPress.Arrays.ArrayIndentation sniff did not correctly handle array items with multi-line strings as a value.
• The WordPress.Arrays.ArrayIndentation sniff did not correctly handle array items directly after an array item with a trailing comment.
• The WordPress.Classes.ClassInstantiation sniff will now correctly handle detection when using new $array['key'] or new $array[0].
• The WordPress.NamingConventions.PrefixAllGlobals sniff did not allow for arbitrary word separators in hook names.
• The WordPress.NamingConventions.PrefixAllGlobals sniff did not correctly recognize namespaced constants as prefixed.
• The WordPress.PHP.StrictInArray sniff would erronously trigger if the true for $strict was passed in uppercase.
• The WordPress.PHP.YodaConditions sniff could get confused over complex ternaries containing assignments. This has been remedied.
• The WordPress.WP.PreparedSQL sniff would erronously throw errors about comments found within a DB function call.
• The WordPress.WP.PreparedSQL sniff would erronously throw erro...

0.13.1

Fixed

• Fatal error when using PHPCS 3.x with the installed_paths config variable set via the ruleset.

0.13.0

Added

• Support for PHP CodeSniffer 3.0.2+. The minimum required PHPCS version (2.9.0) stays the same.
• Support for the PHPCS 3 --ignore-annotations command line option. If you pass this option, both PHPCS native @ignore ... annotations as well as the WPCS specific whitelist flags will be ignored.

Changed

• The minimum required PHP version is now 5.3 when used in combination with PHPCS 2.x and PHP 5.4 when used in combination with PHPCS 3.x.
• The way the unit tests can be run is now slightly different for PHPCS 2.x versus 3.x. For more details, please refer to the updated information in the Contributing Guidelines.
• Release archives will no longer contain the unit tests and other typical development files. You can still get these by using Composer with --prefer-source or by checking out a git clone of the repository.
• Various textual improvements to the Readme.
• Various textual improvements to the Contributing Guidelines.
• Minor internal changes.

Removed

• The WordPress.Arrays.ArrayDeclaration sniff has been deprecated. The last remaining checks this sniff contained have been moved to the WordPress.Arrays.ArrayDeclarationSpacing sniff.
• Work-arounds which were in place to support PHP 5.2.

Fixed

• A minor bug where the auto-fixer could accidentally remove a comment near an array opener.

0.12.0

Added

• A default file encoding setting to the WordPress-Core ruleset. All files sniffed will now be regarded as utf-8 by default.
• WordPress.Arrays.ArrayIndentation sniff to the WordPress-Core ruleset to verify - and auto-fix - the indentation of array items and the array closer for multi-line arrays. This replaces the (partial) indentation fixing contained within the WordPress.Array.ArrayDeclarationSpacing sniff.
• WordPress.Arrays.CommaAfterArrayItem sniff to the WordPress-Core ruleset to enforce that each array item is followed by a comma - except for the last item in a single-line array - and checks the spacing around the comma. This replaces (and improves) the checks which were previously included in the WordPress.Arrays.ArrayDeclaration sniff which were causing incorrect fixes and fixer conflicts.
• WordPress.Functions.FunctionCallSignatureNoParams sniff to the WordPress-Core ruleset to verify that function calls without parameters do not have any whitespace between the parentheses.
• WordPress.WhiteSpace.DisallowInlineTabs to the WordPress-Core ruleset to verify - and auto-fix - that spaces are used for mid-line alignment.
• WordPress.WP.CapitalPDangit sniff to the WordPress-Core ruleset to - where relevant - verify that WordPress is spelled correctly. For misspellings in text strings and comment text, the sniff can auto-fix violations.
• Squiz.Classes.SelfMemberReference whitespace related checks to the WordPress-Core ruleset and the additional check for using self rather than a FQN to the WordPress-Extra ruleset.
• Squiz.PHP.EmbeddedPhp sniff to the WordPress-Core ruleset to check PHP code embedded within HTML blocks.
• PSR2.ControlStructures.SwitchDeclaration to the WordPress-Core ruleset to check for the correct layout of switch control structures.
• WordPress.Classes.ClassInstantion sniff to the WordPress-Extra ruleset to detect - and auto-fix - missing parentheses on object instantiation and superfluous whitespace in PHP and JS files. The sniff will also detect new being assigned by reference.
• WordPress.CodeAnalysis.EmptyStatement sniff to the WordPress-Extra ruleset to detect - and auto-fix - superfluous semi-colons and empty PHP open-close tag combinations.
• WordPress.NamingConventions.PrefixAllGlobals sniff to the WordPress-Extra ruleset to verify that all functions, classes, interfaces, traits, variables, constants and hook names which are declared/defined in the global namespace are prefixed with one of the prefixes provided via a custom property or via the command line.
  To activate this sniff, one or more allowed prefixes should be provided to the sniff. This can be done using a custom ruleset or via the command line.
  PHP superglobals and WP global variables are exempt from variable name prefixing. Deprecated hook names will also be disregarded when non-prefixed. Back-fills for known native PHP functionality is also accounted for.
  For verified exceptions, unprefixed code can be whitelisted.
  Code in unit test files is automatically exempt from this sniff.
• WordPress.WP.DeprecatedClasses sniff to the WordPress-Extra ruleset to detect usage of deprecated WordPress classes.
• WordPress.WP.DeprecatedParameters sniff to the WordPress-Extra ruleset to detect deprecated parameters being passed to WordPress functions with a value other than the expected default.
• The sanitize_textarea_field() function to the sanitizingFunctions list used by the WordPress.CSRF.NonceVerification, WordPress.VIP.ValidatedSanitizedInput and WordPress.XSS.EscapeOutput sniffs.
• The find_array_open_closer() utility method to the WordPress_Sniff class.
• Information about setting installed_paths using a custom ruleset to the Readme.
• Additional support links to the composer.json file.
• Support for Composer PHPCS plugins which sort out the installed_paths setting.
• Linting and code-style check of the XML ruleset files provided by WPCS.

Changed

• The minimum required PHP_CodeSniffer version to 2.9.0 (was 2.8.1). Take note: PHPCS 3.x is not (yet) supported. The next release is expected to fix that.
• Improved support for detecting issues in code using heredoc and/or nowdoc syntax.
• Improved sniff efficiency, precision and performance for a number of sniffs.
• Updated a few sniffs to take advantage of new features and fixes which are included in PHP_CodeSniffer 2.9.0.
• WordPress.Files.Filename: The "file name mirrors the class name prefixed with 'class'" check for PHP files containing a class will no longer be applied to typical unit test classes, i.e. for classes which extend WP_UnitTestCase, PHPUnit_Framework_TestCase and PHPUnit\Framework\TestCase. Additional test case base classes can be passed to the sniff using the new custom_test_class_whitelist property.
• The WordPress.Files.FileName sniff allows now for more theme-specific template hierarchy based file name exceptions.
• The whitelist flag for the WordPress.VIP.SlowQuery sniff was tax_query which was unintuitive. This has now been changed to slow query to be in line with other whitelist flags.
• The WordPress.WhiteSpace.OperatorSpacing sniff will now ignore operator spacing within declare() statements.
• The WordPress.WhiteSpace.OperatorSpacing sniff now extends the upstream Squiz.WhiteSpace.OperatorSpacing sniff for improved results and will now also examine the spacing around ternary operators and logical (&&, ||) operators.
• The WordPress.WP.DeprecatedFunctions sniff will now detect functions deprecated in WP 4.7 and 4.8. Additionally, a number of other deprecated functions which were previously not being detected have been added to the sniff and for a number of functions the "alternative" for the deprecated function has been added/improved.
• The WordPress.XSS.EscapeOutput sniff will now also detect unescaped output when the short open echo tags <?= are used.
• Updated the list of WP globals which is used by both the WordPress.Variables.GlobalVariables and the WordPress.NamingConventions.PrefixAllGlobals sniffs.
• Updated the information on using a custom ruleset and associated naming conventions in the Readme.
• Updated the custom ruleset example to provide a better starting point and renamed the file to follow current PHPCS best practices.
• Various inline documentation improvements.
• Updated the link to the PHPStorm documentation in the Readme.
• Various textual improvements to the Readme.
• Minor improvements to the build script.

Removed

• Squiz.Commenting.LongConditionClosingComment sniff from the WordPress-Core ruleset. This rule has been removed from the WP Coding Standards handbook.
• The exclusion of the Squiz.ControlStructures.ControlSignature.NewlineAfterOpenBrace error from the WordPress-Core ruleset.
• The exclusion of the PEAR.Functions.FunctionCallSignature.ContentAfterOpenBracket and PEAR.Functions.FunctionCallSignature.CloseBracketLine error from the WordPress-Core ruleset when used in combination with the fixer, i.e. phpcbf. The exclusions remain in place for phpcs runs.
• wp_get_post_terms(), wp_get_post_categories(), wp_get_post_tags() and wp_get_object_terms() from the WordPress.VIP.RestrictedFunctions sniff as these functions are now cached natively since WP 4.7.

Fixed

• The WordPress.Array.ArrayDeclarationSpacing could be overeager when fixing associative arrays to be multi-line. Non-associative single-line arrays which contained a nested associative array would also be auto-fixed by the sniff, while only the nested associated array should be fixed.
• The WordPress.Files.FileName sniff did not play nice with IDEs passing a filename to PHPCS via --stdin-path=.
• The WordPress.Files.FileName sniff was being triggered on code passed via stdin where there is no file name to examine.
• The WordPress.PHP.YodaConditions sniff would give a false positive for the result of a condition being assigned to a variable.
• The WordPress.VIP.RestrictedVariables sniff was potentially underreporting issues when the variables being restricted were a combination of variables, object properties and array members.
• The auto-fixer in the WordPress.WhiteSpace.ControlStructureSpacing sniff which deals with "blank line after control structure" issues could cause comments at the end of control structures to be removed.
• The WordPress.WP.DeprecatedFunctions sniff was reporting the wrong WP version for the deprecation of a number of functions.
• The WordPress.WP.EnqueuedResources sniff would potentially underreport issues in certain circumstances.
• The WordPress.XSS.EscapeOutput sniff will no now longer report issues when it encounters a __DIR__, (unset) cast or a floating point number, and will correctly disregard more arithmetic operators when deciding whether to report an issue or not.
• The whitelisting of errors using flags was sometimes a bit too eager and could accidentally whitelist code which was not intended to be whitelisted.
• Various (potential) Undefined variable, Undefined index and Undefined offset notices.
• Grammer in one of the `WordPres...