[theme-reviewers] Simple-Blue-Dashed 1.0

Gavin Pearce GavinP at tbs.uk.com
Fri Jun 11 17:03:14 UTC 2010


Hi Chip,

That's not a bad idea at all you know ... Maybe we should split each
part of the review of each theme into different groups, and each Theme
review passes from one group to the next.

1st) Theme must pass security team review with no major fails, then
passes onto General;

2nd) Theme must pass functionality team with no major fails, then passes
onto CrossBrowser/HTML/CSS testing;

3rd) Theme must pass browser team browser testing to reasonable levels
(saw Tim Golen mention this a minute ago, personally I think this falls
under "technical" rather than "design" - there are plenty of standards
for this already defined).

4th) If at this point the total number of "advisories/minors" is below
X, the theme gets approved.

If one of the groups finds anything critical along the way the author is
advised once that group's "checking" is complete, and the theme doesn't get
passed onto the next group. This saves everyone in every group testing
everything twice, just because of a security fail.

Then, all the volunteers who've offered here recently can decide what
team their skills best fit into, and be put to best use. I know some
people here would prefer to test cross-browser than security, and
vice-versa of course.

Gav
//gavinpearce.com


-----Original Message-----
From: theme-reviewers-bounces at lists.wordpress.org
[mailto:theme-reviewers-bounces at lists.wordpress.org] On Behalf Of
chip at chipbennett.net
Sent: 11 June 2010 17:50
To: theme-reviewers at lists.wordpress.org
Subject: Re: [theme-reviewers] Simple-Blue-Dashed 1.0

> Security is a big item, themes that misuse any external data ($_GET,
> $_POST, $_REQUEST, $_COOKIE, $_SERVER) must be addressed, no two ways
> about it.  Direct DB queries must properly escape data in the query
> (and if there is a WP function to do the same thing the direct DB
> query should be replaced with the function call).  Those are the
> basic, *minimum* things that every theme needs to address
> security-wise.

For those of us who are less-than-expert in the SQL aspects of theme
reviewing, can those who are more adept create a reasonably
easy-to-follow security checklist?

Or, maybe we should have some security-ninja theme reviewers, who can
focus on the security aspects of themes? If so, we could divvy up the
review work, such that security concerns are handled separately - after
the theme is initially reviewed (and cleaned up, if necessary) based on
the "normal" criteria?

> Sometimes the theme author just isn't aware of specific functions or
> services in WordPress, so some hints and reference URLs for more info
> are helpful there.

Agreed. I tried to add in Codex references, where appropriate, in my
first review.

Speaking of which: the Theme Development Checklist entry in the Codex is
sorely in need of cross-referencing to Codex entries for functions,
template tags, and hooks/filters.
