0.11.0

Important notes for end-users:

If you use the WordPress Coding Standards with a custom ruleset, please be aware that some of the checks have been moved between sniffs and that the naming of a number of error codes has changed.
If you exclude some sniffs or error codes, you may have to update your custom ruleset to be compatible with WPCS 0.11.0.

Additionally, to make it easier for you to customize your ruleset, two new wiki pages have been published with information on the properties you can adjust from your ruleset:

• WPCS customizable sniff properties
• PHPCS customizable sniff properties

For more detailed information about the changed sniff names and error codes, please refer to PR #633 and PR #814.

Important notes for sniff developers:

If you maintain or develop sniffs based upon the WordPress Coding Standards, most notably, if you use methods and properties from the WordPress_Sniff class, extend one of the abstract sniff classes WPCS provides or extend other sniffs from WPCS to use their properties, please be aware that this release contains significant changes which will, more likely than not, affect your sniffs.

Please read this changelog carefully to understand how this will affect you.
For more detailed information on the most significant changes, please refer to PR #795, PR #833 and PR #841.
You are also encouraged to check the file history of any WPCS classes you extend.

Added

• WordPress.WP.DeprecatedFunctions sniff to the WordPress-Extra ruleset to check for usage of deprecated WP version and show errors/warnings depending on a minimum_supported_version which can be passed to the sniff from a custom ruleset. The default value for the minimum_supported_version property is three versions before the current WP version.
• WordPress.WP.I18n: ability to check for missing translators comments when a I18n function call contains translatable text strings containing placeholders. This check will also verify that the translators comment is correctly placed in the code and uses the correct comment type for optimal compatibility with the various tools available to create .pot files.
• WordPress.WP.I18n: ability to pass the text_domain to check for from the command line.
• WordPress.Arrays.ArrayDeclarationSpacing: check + fixer for single line associative arrays. The handbook states that these should always be multi-line.
• WordPress.Files.FileName: verification that files containing a class reflect this in the file name as per the core guidelines. This particular check can be disabled in a custom ruleset by setting the new strict_class_file_names property.
• WordPress.Files.FileName: verification that files in /wp-includes/ containing template tags - annotated with @subpackage Template in the file header - use the -template suffix.
• WordPress.Files.FileName: is_theme property which can be set in a custom ruleset. This property can be used to indicate that the project being checked is a theme and will allow for a predefined theme hierarchy based set of exceptions to the file name rules.
• WordPress.VIP.AdminBarRemoval: check for hiding the admin bar using CSS.
• WordPress.VIP.AdminBarRemoval: customizable remove_only property to toggle whether to error of all manipulation of the visibility of the admin bar or to execute more thorough checking for removal only.
• WordPress.WhiteSpace.ControlStructureSpacing: support for checking the whitespace in try/catch constructs.
• WordPress.WhiteSpace.ControlStructureSpacing: check that the space after the open parenthesis and before the closing parenthesis of control structures and functions is exactly one space. Includes auto-fixer.
• WordPress.WhiteSpace.CastStructureSpacing: ability to automatically fix errors thrown by the sniff.
• WordPress.VIP.SessionFunctionsUsage: detection of the session_abort(), session_create_id(), session_gc() and session_reset() functions.
• WordPress.CSRF.NonceVerification: ability to pass custom sanitization functions to the sniff.
• The get_the_ID() function to the autoEscapedFunctions list used by the WordPress.XSS.EscapeOutput sniff.
• The wp_strip_all_tags(), sanitize_hex_color_no_hash() and sanitize_hex_color() functions to the sanitizingFunctions list used by the WordPress.CSRF.NonceVerification, WordPress.VIP.ValidatedSanitizedInput and WordPress.XSS.EscapeOutput sniffs.
• The floatval() function to the escapingFunctions, sanitizingFunctions, unslashingSanitizingFunctions, SQLEscapingFunctions lists used by the WordPress.CSRF.NonceVerification, WordPress.VIP.ValidatedSanitizedInput, WordPress.XSS.EscapeOutput and WordPress.WP.PreparedSQL sniffs.
• The table name based clean_*_cache() functions to the cacheDeleteFunctions list used by the WordPress.VIP.DirectDatabaseQuery sniff.
• Abstract AbstractFunctionParameter parent class to allow for examining parameters passed in function calls.
• A number of utility functions to the WordPress_Sniff class: strip_quotes(), addMessage(), addFixableMessage(), string_to_errorcode(), does_function_call_have_parameters(), get_function_call_parameter_count(), get_function_call_parameters(), get_function_call_parameter(), has_html_open_tag().
• Squiz.Commenting.LongConditionClosingComment, Squiz.WhiteSpace.CastSpacing, Generic.Formatting.DisallowMultipleStatements to the WordPress-Core ruleset.
• Squiz.PHP.NonExecutableCode, Squiz.Operators.IncrementDecrementUsage, Squiz.Operators.ValidLogicalOperators, Squiz.Functions.FunctionDuplicateArgument, Generic.PHP.BacktickOperator, Squiz.PHP.DisallowSizeFunctionsInLoops to the WordPress-Extra ruleset.
• Numerous additional unit tests covering the correct handling of properties overruled via a custom ruleset by various sniffs.
• Instructions on how to use WPCS with Visual Studio to the Readme.
• Section on how to use WPCS with CI Tools to the Readme, initially covering integration with Travis CI.
• Section on considerations when writing sniffs for WPCS to Contributing.md.

Changed

• The minimum required PHP version to 5.2 (was 5.1).
• The minimum required PHP_CodeSniffer version to 2.8.1 (was 2.6).
• Improved support for detecting issues in code using closures (anonymous functions), short array syntax and anonymous classes.
• Improved sniff efficiency and performance for a number of sniffs.
• The discouraged/restricted functions sniffs have been reorganized and made more modular.
  • The new WordPress.PHP.DevelopmentFunctions sniff now contains the checks related to PHP functions typically used during development which are discouraged in production code.
  • The new WordPress.PHP.DiscouragedPHPFunctions sniff now contains checks related to various PHP functions, use of which is discouraged for various reasons.
  • The new WordPress.WP.AlternativeFunctions sniff contains the checks related to PHP functions for which WP offers an alternative which should be used instead.
  • The new WordPress.WP.DiscouragedFunctions sniff contains checks related to various WP functions, use of which is discouraged for various reasons.
  • A number of checks contained in the WordPress.VIP.RestrictedFunctions sniff have been moved to other sniffs.
  • The WordPress.PHP.DiscouragedFunctions sniff has been deprecated and is no longer used. The checks which were previously contained herein have been moved to other sniffs.
  • The reorganized sniffs also detect a number of additional functions which were previously ignored by these sniffs. For more detail, please refer to the summary of the PR and to PR #759.
• The error codes for these sniffs as well as for WordPress.DB.RestrictedClasses, WordPress.DB.RestrictedFunctions, WordPress.Functions.DontExtract, WordPress.PHP.POSIXFunctions and a number of the VIP sniffs have changed. They were previously based on function group names and will now be based on function group name in combination with the identified function name. Complete function groups can still ...

0.10.0

Added

• WordPress.WP.I18n sniff to the WordPress-Core ruleset to flag dynamic translatable strings and textdomains.
• WordPress.PHP.DisallowAlternativePHPTags sniff to the WordPress-Core ruleset to flag - and fix - ASP and <script> PHP open tags.
• WordPress.Classes.ClassOpeningStatement sniff to the WordPress-Core ruleset to flag - and fix - class opening brace placement.
• WordPress.NamingConventions.ValidHookName sniff to the WordPress-Core ruleset to flag filter and action hooks which don't comply with the guideline of lowercase letters and underscores. For maintaining backward-compatibility of hook names an additionalWordDelimiters property can be added via a custom ruleset.
• WordPress.Functions.DontExtract sniff to the WordPress-Core ruleset to flag usage of the extract() function.
• WordPress.PHP.POSIXFunctions sniff to the WordPress-Core ruleset to flag usage of regex functions from the POSIX PHP extension which was deprecated since PHP 5.3 and removed in PHP 7.
• WordPress.DB.RestrictedFunctions and WordPress.DB.RestrictedClasses sniffs to the WordPress-Core ruleset to flag usage of direct database calls using PHP functions and classes rather than the WP functions for the same.
• Abstract AbstractClassRestrictions parent class to allow for easier sniffing for usage of specific classes.
• Squiz.Strings.ConcatenationSpacing, PSR2.ControlStructures.ElseIfDeclaration, PSR2.Files.ClosingTag, Generic.NamingConventions.UpperCaseConstantName to the WordPress-Core ruleset.
• Ability to add arbitrary variables to the whitelist via a custom ruleset property for the WordPress.NamingConventions.ValidVariableName sniff.
• Ability to use a whitelist comment for tax queries for the WordPress.VIP.SlowDBQuery sniff.
• Instructions on how to use WPCS with Atom and SublimeLinter to the Readme.
• Reference to the wiki to the Readme.
• Recommendation to also use the PHPCompatibility ruleset to the Readme.

Changed

• The minimum required PHP_CodeSniffer version to 2.6.0.
• Moved the WordPress.WP.PreparedSQL sniff from WordPress-Extra to WordPress-Core.
• WordPress.PHP.StrictInArray will now also flag non-strict usage of array_keys() and array_search().
• Added _deprecated_constructor() and _deprecated_hook() to the list of printing functions.
• Added numerous additional functions to sniff for to the WordPress.VIP.RestrictedFunctions sniff as per the VIP guidelines.
• Upped the posts_per_page limit from 50 to 100 in WordPress.VIP.PostsPerPage sniff as per the VIP guidelines.
• Added cat_ID to the whitelisted exceptions for the WordPress.NamingConventions.ValidVariableName sniff.
• Added __debugInfo to the magic method whitelist for class methods starting with double underscore in the WordPress.NamingConventions.ValidFunctionName sniff.
• An error will now also be thrown for non-magic functions using a double underscore prefix - WordPress.NamingConventions.ValidFunctionName sniff.
• The WordPress.Arrays.ArrayAssignmentRestrictions, WordPress.Functions.FunctionRestrictions, WordPress.Variables.VariableRestrictions sniffs weren't in actual fact sniffs, but parent classes for child sniffs. These have now all been turned into proper abstract parent classes and moved to the main WordPress directory.
• The array provided to AbstractFunctionRestrictions can now take a whitelist key to whitelist select functions when blocking a group of functions by function prefix.
• Updated installation instructions in the readme.
• The WordPress-Core ruleset is now ordered according to the handbook
• The WPCS code base itself now complies with the WordPress-Core, -Extra and -Docs coding standards.
• Various other code quality and code consistency improvements under the hood.

Removed

• Squiz.Functions.FunctionDeclarationArgumentSpacing.SpacingBeforeClose from the WordPress-Core standard (was causing duplicate messages for the same issue).
• Squiz.Commenting.FunctionComment.ScalarTypeHintMissing, Squiz.Commenting.InlineComment.NotCapital from the WordPress-Docs standard.
• Removed the sniffing for get_pages() from the WordPress.VIP.RestrictedFunctions sniff as per the VIP guidelines.
• Removed the sniffing for extract() from the WordPress.VIP.RestrictedFunctions sniff as it's now covered in a separate sniff.
• Removed the sniffing for the POSIX functions from the WordPress.PHP.DiscouragedFunctions sniff as it's now covered in a separate sniff.

Fixed

• Error message precision for the WordPress.NamingConventions.ValidVariableName sniff.
• Bug in the WordPress.WhiteSpace.ControlStructureSpacing.BlankLineAfterEnd sniff which was incorrectly being triggered on last method of class.
• Function name sniffs based on the AbstractFunctionRestrictions parent class will now do a case-insensitive function name comparison.
• Function name sniffs in the WordPress.PHP.DiscouragedFunctions sniff will now do a case-insensitive function name comparison.
• Whitelist comments directly followed by a PHP closing tag were not being recognized.
• Some PHP Magic constants were not recognized by the WordPress.XSS.EscapeOutput sniff.
• An error message suggesting camel caps rather than the intended snake case format in the WordPress.NamingConventions.ValidFunctionName sniff.
• WordPress.WhiteSpace.ControlStructureSpacing should no longer throw error notices during live code review.
• Errors will be no longer be thrown for methods not complying with the naming conventions when the class extends a parent class or implements an interface - WordPress.NamingConventions.ValidFunctionName sniff.

0.9.0

See CHANGELOG.md for a list of changes.

0.8.0

See CHANGELOG.md for a list of changes.

0.7.1

See CHANGELOG.md for a list of changes.

0.7.0

See CHANGELOG.md for a list of changes.

0.6.0

See CHANGELOG.md for a list of changes.

0.5.0

See CHANGELOG.md for a list of changes.

0.4.0

See CHANGELOG.md for a list of changes.