[theme-reviewers] Formatting functions and parsing

Mario Peshev mario at peshev.net
Thu Aug 11 13:26:54 UTC 2011


P.S. @Chip, sometimes I link to your post instead of Theme_Review WPORG
section as a reference. I hope that's not a problem and I think it could be
continued as well when you have the time and inspiration :)

Mario Peshev
freelance software developer/trainer
http://www.linkedin.com/in/mpeshev
http://peshev.net/blog



On Thu, Aug 11, 2011 at 4:25 PM, Mario Peshev <mario at peshev.net> wrote:

> I had watched this presentation a few weeks ago, but I think it's a bit two
> steps above my level so I will need more practical work to be able to
> understand it completely. However, I will start referring to it just as I do
> with his post about the $_SERVER variable.
>
> For the addition of scripts and styles I always recommend the wp_enqueue*
> functions.
>
> While we are on this, I think it would be great if these tips are part of
> the Theme Review section. There is a draft part for the usage of bloginfo
> versus home_url, site_url and get_option('siteurl') which is good to be
> clarified when and why to do and not to do. I'm taking notes in a document
> of mine for reviewing best practices, but as I said it's a bit hardcore for
> me at the moment (will need more time and a few more plugins to write in order
> to get the whole picture).
>
> All the best,
>
>
> Mario Peshev
> freelance software developer/trainer
> http://www.linkedin.com/in/mpeshev
> http://peshev.net/blog
>
>
>
> On Thu, Aug 11, 2011 at 4:15 PM, Chip Bennett <chip at chipbennett.net> wrote:
>
>> The $truncate example you give, IMHO, should be replaced entirely with
>> get_the_excerpt(). It appears to be purely a reinvention of the post-excerpt
>> wheel.
>>
>> I assume you're going to point out all the issues with the Theme's options
>> implementation (the first thing that jumps out is that the Theme is not
>> using a single array to store its options)?
>>
>> I don't think that stripslashes() is sufficient here:
>>
>> <?php echo stripslashes( get_option('tt_google_analytics') ); ?>
>>
>> This should be an esc_js() or esc_html() or whatever, as appropriate for
>> the data being output.
>>
>> A data validation/sanitization/escaping blog post is on my to-do list. I
>> just haven't had the time yet. I would *strongly* recommend this
>> presentation by Mark Jaquith:
>> http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
>>
>> (Any blog post I write will be consistent with what Mark presents - and
>> IMHO, if Mark Jaquith presents it as recommended practice, then I would take
>> that recommendation as a best practice.)
>>
>> Chip
>>
>> On Thu, Aug 11, 2011 at 8:06 AM, Mario Peshev <mario at peshev.net> wrote:
>>
>>> Hi Chip,
>>>
>>> The most common example is using stripslashes (sample here
>>> http://themes.svn.wordpress.org/ttblog/1.0.2/header.php), also, the
>>> functions.php of the same theme uses:
>>>
>>> $truncate = preg_replace('@<script[^>]*?>.*?</script>@si', '', $truncate);
>>>
>>> I think this could also be handled (or maybe not); there are trim,
>>> htmlentities and similar functions used in themes. I am interested in
>>> functions such as wp_kses -
>>> http://codex.wordpress.org/Function_Reference/wp_kses - as they seem
>>> multifunctional to me. I was wondering if any of you have posted the
>>> 'formatting and security best practices and top functions' or something like
>>> this compared to plain PHP solutions.
>>>
>>> Thanks in advance. :)
>>>
>>> Mario Peshev
>>> freelance software developer/trainer
>>> http://www.linkedin.com/in/mpeshev
>>> http://peshev.net/blog
>>>
>>>
>>>
>>> On Thu, Aug 11, 2011 at 3:57 PM, Chip Bennett <chip at chipbennett.net> wrote:
>>>
>>>> Mario,
>>>>
>>>> The only "dummy" question is the one that remains unasked. :)
>>>>
>>>> Can you provide a more specific example? Perhaps a ticket or something,
>>>> that uses the function(s) in question?
>>>>
>>>> In general, though, IMHO, it is *always* preferable to use a core WP
>>>> function for content filtering and/or untrusted data
>>>> sanitization/validation.
>>>>
>>>> Chip
>>>>
>>>> On Thu, Aug 11, 2011 at 7:53 AM, Mario Peshev <mario at peshev.net> wrote:
>>>>
>>>>> Hello Reviewers,
>>>>>
>>>>> I'm not that well acquainted with security in PHP and WP so it might be
>>>>> a bit of a dummy question, but I have a tough time following the parsing and
>>>>> formatting practices in WP themes. Since there is a Formatting section in the WP
>>>>> function list -
>>>>> http://codex.wordpress.org/Function_Reference#Formatting_Functions ,
>>>>> and some of the functions seem pretty similar to the same function names in
>>>>> PHP, what is the rule and is it required for the WP functions to be used
>>>>> instead? Are they always better than the plain PHP ones?
>>>>>
>>>>> Mario Peshev
>>>>> freelance software developer/trainer
>>>>> http://www.linkedin.com/in/mpeshev
>>>>> http://peshev.net/blog
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> theme-reviewers mailing list
>>>>> theme-reviewers at lists.wordpress.org
>>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>>
>>>>>
>
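The stripslashes() snippet Chip flags, beside a hardened version that sanitizes on save and escapes on output with the context-appropriate core function, as an added example: this is not code from the ttblog theme or from anyone on the list. It assumes it runs inside WordPress (a theme's functions.php), that the tt_google_analytics option named in the thread holds a tracking ID rather than a raw script block, and the tt_* function names, the ID pattern and the allowlist are invented for illustration.

```php
<?php
// Added example, not code from the ttblog theme or from the list posts.
// Assumes WordPress is loaded and that tt_google_analytics stores an ID like
// "UA-12345-1" (assumed; the original theme's storage format is not shown).

// --- Before: the pattern quoted in the thread. stripslashes() only undoes
// magic-quotes backslashes; it does not neutralise HTML or JS, so whatever
// was written into the option is emitted verbatim into the page.
function tt_print_ga_before() {
    echo stripslashes( get_option( 'tt_google_analytics' ) );
}

// --- After, step 1: sanitize on the way in. A whitelist pattern (assumed
// shape of the ID) means a stray "<" or quote never reaches the database.
function tt_sanitize_ga_id( $value ) {
    $value = trim( (string) $value );
    return preg_match( '/^UA-\d{4,10}-\d{1,4}$/', $value ) ? $value : '';
}
function tt_register_settings() {
    // Third argument is the sanitize callback; it runs on every save of the
    // option through the Settings API.
    register_setting( 'tt_options', 'tt_google_analytics', 'tt_sanitize_ga_id' );
}
add_action( 'admin_init', 'tt_register_settings' );

// --- After, step 2: escape on the way out, for the context the value lands
// in. Inside a JS string literal that is esc_js(): it encodes angle brackets
// and quotes and backslash-escapes newlines, so the value cannot close the
// string or the script element. (Escaping is chosen by destination, not by
// where the data came from.)
function tt_print_ga_snippet() {
    $id = get_option( 'tt_google_analytics', '' );
    if ( '' === $id ) {
        return;
    }
    ?>
    <script>
        var _gaq = _gaq || [];
        _gaq.push(['_setAccount', '<?php echo esc_js( $id ); ?>']);
        _gaq.push(['_trackPageview']);
    </script>
    <?php
}
add_action( 'wp_head', 'tt_print_ga_snippet' );

// The same value in two other contexts: text nodes get esc_html(), attribute
// values get esc_attr() (a URL would get esc_url()).
function tt_ga_id_markup() {
    $id = get_option( 'tt_google_analytics', '' );
    return '<span class="ga" data-ga="' . esc_attr( $id ) . '">'
         . esc_html( $id ) . '</span>';
}

// --- For a field that legitimately holds limited HTML, filter against an
// allowlist with wp_kses() rather than blacklisting <script> with a regex:
// anything not on the list is dropped, so there is no tag to miss.
function tt_sanitize_footer_html( $html ) {
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
    return wp_kses( $html, $allowed );
}

// --- Truncation: let core build the excerpt instead of regex-stripping the
// content, which is the replacement Chip suggests for the $truncate code.
function tt_short_text() {
    return get_the_excerpt();
}
```

The split matters for review: the sanitize callback decides what may be stored, and the esc_* call at each echo decides how it is rendered, so a reviewer can check both independently instead of reasoning about what a stripslashes() or a one-off preg_replace() happens to leave behind.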