[theme-reviewers] Formatting functions and parsing

Mario Peshev mario at peshev.net
Thu Aug 11 13:25:49 UTC 2011


I watched this presentation a few weeks ago, but I think it's a bit two
steps above my level, so I will need more practical work to be able to
understand it completely. However, I will start referring to it just as I do
with his post about the $_SERVER variable.

For the addition of scripts and styles I always recommend the wp_enqueue*
functions.

While we are on this, I think it would be great if these tips were part of
the Theme Review section. There is a draft part on the usage of bloginfo
versus home_url, site_url and get_option('siteurl'), which would be good to
clarify: when and why to do and not to do each. I'm taking notes in a document
of mine on reviewing best practices, but as I said it's a bit hardcore for
me at the moment (I will need more time and a few more plugins to write in order
to get the whole picture).

All the best,

Mario Peshev
freelance software developer/trainer
http://www.linkedin.com/in/mpeshev
http://peshev.net/blog



On Thu, Aug 11, 2011 at 4:15 PM, Chip Bennett <chip at chipbennett.net> wrote:

> The $truncate example you give, IMHO, should be replaced entirely with
> get_the_excerpt(). It appears to be purely a reinvention of the post-excerpt
> wheel.
>
> I assume you're going to point out all the issues with the Theme's options
> implementation (the first thing that jumps out is that the Theme is not
> using a single array to store its options)?
>
> I don't think that stripslashes() is sufficient here:
>
> <?php echo stripslashes( get_option('tt_google_analytics') ); ?>
>
> This should be an esc_js() or esc_html() or whatever, as appropriate for
> the data being output.
>
> A data validation/sanitization/escaping blog post is on my to-do list. I
> just haven't had the time yet. I would *strongly* recommend this
> presentation by Mark Jaquith:
> http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
>
> (Any blog post I write will be consistent with what Mark presents - and
> IMHO, if Mark Jaquith presents it as recommended practice, then I would take
> that recommendation as a best practice.)
>
> Chip
>
> On Thu, Aug 11, 2011 at 8:06 AM, Mario Peshev <mario at peshev.net> wrote:
>
>> Hi Chip,
>>
>> The most common example is using stripslashes (sample here:
>> http://themes.svn.wordpress.org/ttblog/1.0.2/header.php); also, the
>> functions.php of the same theme uses:
>>
>> $truncate = preg_replace('@<script[^>]*?>.*?</script>@si', '', $truncate);
>>
>> I think this could also be handled (or maybe not); there are trim,
>> htmlentities and similar functions used in themes. I am interested in
>> functions such as wp_kses -
>> http://codex.wordpress.org/Function_Reference/wp_kses - as they seem
>> multifunctional to me. I was wondering if any of you has posted
>> 'formatting and security best practices and top functions' or something like
>> this, compared to plain PHP solutions.
>>
>> Thanks in advance. :)
>>
>> Mario Peshev
>> freelance software developer/trainer
>> http://www.linkedin.com/in/mpeshev
>> http://peshev.net/blog
>>
>>
>>
>> On Thu, Aug 11, 2011 at 3:57 PM, Chip Bennett <chip at chipbennett.net> wrote:
>>
>>> Mario,
>>>
>>> The only "dummy" question is the one that remains unasked. :)
>>>
>>> Can you provide a more specific example? Perhaps a ticket or something,
>>> that uses the function(s) in question?
>>>
>>> In general, though, IMHO, it is *always* preferable to use a core WP
>>> function for content filtering and/or untrusted data
>>> sanitization/validation.
>>>
>>> Chip
>>>
>>> On Thu, Aug 11, 2011 at 7:53 AM, Mario Peshev <mario at peshev.net> wrote:
>>>
>>>> Hello Reviewers,
>>>>
>>>> I'm not that well acquainted with security in PHP and WP, so it might be
>>>> a bit of a dummy question, but I have a tough time following the parsing and
>>>> formatting practices in WP themes. Since there is a Formatting section in the WP
>>>> function list -
>>>> http://codex.wordpress.org/Function_Reference#Formatting_Functions -
>>>> and some of the functions seem pretty similar to the same function names in
>>>> PHP, what is the rule? Is it required for the WP functions to be used
>>>> instead, and are they always better than plain PHP's?
>>>>
>>>> Mario Peshev
>>>> freelance software developer/trainer
>>>> http://www.linkedin.com/in/mpeshev
>>>> http://peshev.net/blog
>>>>
>>>>
>>>> _______________________________________________
>>>> theme-reviewers mailing list
>>>> theme-reviewers at lists.wordpress.org
>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>
>>>>
>>>
>>
>
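The two plain-PHP patterns discussed in this thread (stripslashes() on the tt_google_analytics option in header.php, and the regex that strips <script> blocks from $truncate in functions.php), put beside a validate-on-save, escape-on-output version. This is an added example, not code from the thread or from the ttblog theme; it is written so it runs from the command line with plain PHP, using stand-ins for esc_js() and wp_strip_all_tags() that only approximate the core functions (inside WordPress the real ones are used). The option name, the inputs and the "tracking ID only" policy are assumptions for the illustration; the escaping function to use depends on the context the value lands in, as Chip says above (esc_js() for a JS string literal, esc_html()/esc_attr() for HTML text or attributes).

```php
<?php
// Added example, not code from the thread or from the ttblog theme it discusses.
// It puts the two plain-PHP patterns quoted above (stripslashes() on a theme
// option, a regex that strips <script> blocks) beside a validate-on-save,
// escape-on-output version. Inside WordPress the real core functions are used;
// the stand-ins below are approximations so the file also runs with plain PHP.

if ( ! function_exists( 'esc_js' ) ) {
    function esc_js( $text ) { // approximation of core esc_js(), assumed close enough here
        $text = htmlspecialchars( (string) $text, ENT_COMPAT, 'UTF-8' );
        return str_replace( array( "\r", "\n" ), array( '', '\\n' ), addslashes( $text ) );
    }
}
if ( ! function_exists( 'wp_strip_all_tags' ) ) {
    function wp_strip_all_tags( $text ) { // approximation of core wp_strip_all_tags()
        $text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', (string) $text );
        return trim( strip_tags( $text ) );
    }
}

/* Case 1: the analytics option echoed by header.php. */

// Pattern from the quoted header.php: backslashes are removed, nothing is escaped,
// so whatever sits in wp_options lands verbatim inside the page's inline script.
function ga_legacy( $option_value ) {
    return "<script>var gaId = '" . stripslashes( $option_value ) . "';</script>";
}

// Hardened, step 1: store only a tracking ID and reject anything else. Meant as
// the sanitize callback for register_setting() on the (assumed) option
// tt_google_analytics, so bad values never reach wp_options at all.
function ga_sanitize( $option_value ) {
    $value = trim( stripslashes( (string) $option_value ) );
    return preg_match( '/^UA-\d{4,10}-\d{1,4}$/', $value ) ? $value : '';
}

// Hardened, step 2: escape for the context the value lands in. Here that is a
// JS string literal, hence esc_js(); in HTML text it would be esc_html().
function ga_output( $option_value ) {
    $id = ga_sanitize( $option_value );
    if ( '' === $id ) {
        return '';
    }
    return "<script>var gaId = '" . esc_js( $id ) . "';</script>";
}

/* Case 2: the $truncate excerpt helper from functions.php. */

// Pattern from the quoted functions.php: only a well-formed <script>...</script>
// pair is removed; every other tag, and every event-handler attribute, survives.
function truncate_legacy( $html, $words = 5 ) {
    $text = preg_replace( '@<script[^>]*?>.*?</script>@si', '', $html );
    return implode( ' ', array_slice( preg_split( '/\s+/', trim( $text ) ), 0, $words ) );
}

// Hardened: strip every tag before trimming. In a theme, get_the_excerpt()
// (or wp_trim_words() on the stripped text) already does this for you.
function truncate_hardened( $html, $words = 5 ) {
    $text = wp_strip_all_tags( $html );
    return implode( ' ', array_slice( preg_split( '/\s+/', $text ), 0, $words ) );
}

/* Constructed inputs for the demonstration (not taken from any real site). */
$bad_option   = "UA-1234-5'; alert(document.cookie); //";
$good_option  = 'UA-1234-5';
$post_content = '<p>Hello world</p><img src=x onerror="alert(1)">'
              . '<script>alert(2)</script><svg onload="alert(3)">';

// The legacy option output breaks out of the JS string; the hardened one
// rejects the bad value on save and passes the well-formed ID through escaped.
echo "legacy option:    ", ga_legacy( $bad_option ), "\n";
echo "hardened (bad):   ", ga_output( $bad_option ), "\n";
echo "hardened (good):  ", ga_output( $good_option ), "\n";
// The legacy excerpt keeps the <img onerror> and <svg onload> payloads; the
// hardened excerpt contains only the text of the paragraph.
echo "legacy excerpt:   ", truncate_legacy( $post_content ), "\n";
echo "hardened excerpt: ", truncate_hardened( $post_content ), "\n";
```

The regex case shows why a hand-rolled blacklist is the wrong shape for this job: it removes exactly one tag name and nothing else, whereas the core helpers either drop all markup (wp_strip_all_tags(), get_the_excerpt()) or reduce it to an allowlist (wp_kses()). The option case shows that stripslashes() is a storage-format fix, not an escaping function, and that validating on save against a strict pattern makes the later escaping a second line of defence rather than the only one.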