I had watched this presentation a few weeks ago, but I think it's two steps above my level, so I will need more practical work to be able to understand it completely. However, I will start referring to it just as I do with his post about the $_SERVER variable.<div>
<br>For the addition of scripts and styles, I always recommend the wp_enqueue* functions. </div><div><br>While we are on this, I think it would be great if these tips were part of the Theme Review section. There is a draft part on the usage of bloginfo versus home_url, site_url and get_option('siteurl'), where it would be good to clarify when and why to do it and not to do it. I'm taking notes in a document of mine on reviewing best practices, but as I said it's a bit hardcore for me at the moment (I will need more time and a few more plugins to write in order to get the whole picture).</div>
<div><br>All the best,<br clear="all"><br>Mario Peshev<br>freelance software developer/trainer<br><a href="http://www.linkedin.com/in/mpeshev">http://www.linkedin.com/in/mpeshev</a><br><a href="http://peshev.net/blog">http://peshev.net/blog</a><br>
<br>
<br><br><div class="gmail_quote">On Thu, Aug 11, 2011 at 4:15 PM, Chip Bennett <span dir="ltr"><<a href="mailto:chip@chipbennett.net">chip@chipbennett.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
The $truncate example you give, IMHO, should be replaced entirely with get_the_excerpt(). It appears to be purely a reinvention of the post-excerpt wheel.<div><br></div><div>I assume you're going to point out all the issues with the Theme's options implementation (the first thing that jumps out is that the Theme is not using a single array to store its options)?</div>
<div><br></div><div>I don't think that stripslashes() is sufficient here:</div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><span style="font-family:'Times New Roman';font-size:medium"><pre style="word-wrap:break-word;white-space:pre-wrap">
<?php echo stripslashes( get_option('tt_google_analytics') ); ?></pre></span></div></blockquote><div>This should be an esc_js() or esc_html() or whatever, as appropriate for the data being output. </div><div>
<br></div><div>A data validation/sanitization/escaping blog post is on my to-do list. I just haven't had the time yet. I would *strongly* recommend this presentation by Mark Jaquith:</div><div><a href="http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/" target="_blank">http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/</a></div>
<div><br></div><div>(Any blog post I write will be consistent with what Mark presents - and IMHO, if Mark Jaquith presents it as recommended practice, then I would take that recommendation as a best practice.)</div><div>
<br>
</div><font color="#888888"><div>Chip</div></font><div><div></div><div class="h5"><div><br><div class="gmail_quote">On Thu, Aug 11, 2011 at 8:06 AM, Mario Peshev <span dir="ltr"><<a href="mailto:mario@peshev.net" target="_blank">mario@peshev.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Chip, <div><br></div><div>The most common example is using stripslashes (sample here <a href="http://themes.svn.wordpress.org/ttblog/1.0.2/header.php" target="_blank">http://themes.svn.wordpress.org/ttblog/1.0.2/header.php</a>), also, the functions.php of the same theme uses:</div>
<div><br></div><div><span style="font-family:'Times New Roman';font-size:medium"><pre style="word-wrap:break-word;white-space:pre-wrap">$truncate = preg_replace('@<script[^>]*?>.*?</script>@si', '', $truncate);</pre>
</span></div><div>I think this could also be handled (or maybe not); there are trim, htmlentities and similar functions used in themes. I am interested in functions such as wp_kses - <a href="http://codex.wordpress.org/Function_Reference/wp_kses" target="_blank">http://codex.wordpress.org/Function_Reference/wp_kses</a> - as they seem multifunctional to me. I was wondering if any of you have posted 'formatting and security best practices and top functions' or something like this compared to plain PHP solutions.<br>
<br>Thanks in advance. :)</div><div><div><br>Mario Peshev<br>freelance software developer/trainer<br><a href="http://www.linkedin.com/in/mpeshev" target="_blank">http://www.linkedin.com/in/mpeshev</a><br><a href="http://peshev.net/blog" target="_blank">http://peshev.net/blog</a><br>
<br>
<br><br></div><div><div></div><div><div class="gmail_quote">On Thu, Aug 11, 2011 at 3:57 PM, Chip Bennett <span dir="ltr"><<a href="mailto:chip@chipbennett.net" target="_blank">chip@chipbennett.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Mario,<div><br></div><div>The only "dummy" question is the one that remains unasked. :)</div><div><br></div><div>Can you provide a more specific example? Perhaps a ticket or something, that uses the function(s) in question?</div>
<div><br></div><div>In general, though, IMHO, it is *always* preferable to use a core WP function for content filtering and/or untrusted data sanitization/validation.</div><div><br></div><div>Chip<br><br><div class="gmail_quote">
<div><div></div><div>
On Thu, Aug 11, 2011 at 7:53 AM, Mario Peshev <span dir="ltr"><<a href="mailto:mario@peshev.net" target="_blank">mario@peshev.net</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div></div><div>
Hello Reviewers,<div><br></div><div>I'm not that well acquainted with security in PHP and WP, so it might be a bit of a dummy question, but I have a tough time following the parsing and formatting practices in WP themes. Since there is a Formatting section in the WP function list - <a href="http://codex.wordpress.org/Function_Reference#Formatting_Functions" target="_blank">http://codex.wordpress.org/Function_Reference#Formatting_Functions</a> - and some of the functions seem pretty similar to the same function names in PHP, what is the rule? Is it required for the WP functions to be used instead, and are they always better than plain PHP ones?<br clear="all">
<font color="#888888">
<br>Mario Peshev<br>freelance software developer/trainer<br><a href="http://www.linkedin.com/in/mpeshev" target="_blank">http://www.linkedin.com/in/mpeshev</a><br><a href="http://peshev.net/blog" target="_blank">http://peshev.net/blog</a><br>
<br>
</font></div>
<br></div></div>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div>
<br></blockquote></div><br></div></div></div>
<br></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br></div>
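Chip's two points in the thread (escape at output time with the esc_* function that fits the context, and let core functions replace the hand-rolled stripslashes()/preg_replace() handling), as an added example that is not from the ttblog theme or from anyone in this thread. It assumes a theme's functions.php running inside WordPress; every tt_example_* name and the property-ID pattern are made up for the illustration.

```php
<?php
/*
 * Added example, not code from the ttblog theme or from anyone in this thread.
 * Assumes it is loaded from a theme's functions.php inside WordPress, so the core
 * functions register_setting, get_option, esc_js and wp_kses are available.
 * 'tt_google_analytics' is the option name from the thread; all tt_example_*
 * names and the UA-... pattern are assumed.
 */
// 1. Sanitize on the way in: register_setting() takes a sanitize callback, so the
//    stored value is already clean and stripslashes() at output time is not needed.
function tt_example_sanitize_tracking_id( $value ) {
    // Only a property ID is expected, so an allowlist pattern is the check:
    // anything that does not match is dropped rather than "fixed".
    $value = trim( (string) $value );
    return preg_match( '/^UA-\d+-\d+$/', $value ) ? $value : '';
}
function tt_example_register_options() {
    register_setting( 'tt_example_options', 'tt_google_analytics',
        'tt_example_sanitize_tracking_id' );
}
add_action( 'admin_init', 'tt_example_register_options' );
// 2. Escape on the way out, for the context the value lands in. The ID sits inside
//    a JavaScript string literal, so esc_js() is the escaper; stripslashes() does
//    no escaping and would echo whatever is stored.
function tt_example_print_tracking_snippet() {
    $id = get_option( 'tt_google_analytics', '' );
    if ( '' === $id ) {
        return;
    }
    ?>
    <script type="text/javascript">
      var _gaq = _gaq || [];
      _gaq.push( [ '_setAccount', '<?php echo esc_js( $id ); ?>' ] );
    </script>
    <?php
}
add_action( 'wp_head', 'tt_example_print_tracking_snippet' );
// 3. The $truncate regex in functions.php is a denylist (remove <script>, keep the
//    rest). wp_kses() is an allowlist: only the listed tags and attributes survive.
//    For a plain-text teaser, get_the_excerpt() in the Loop already strips tags
//    and trims, so no regex is needed at all.
function tt_example_teaser_html( $html ) {
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'em'     => array(),
        'strong' => array(),
    );
    return wp_kses( $html, $allowed );
}
```

The sanitize callback runs whenever the option is saved through the Settings API, so a reviewer can check the input and output paths separately rather than hunting for a single stripslashes() call.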