[theme-reviewers] Embedded theme options frameworks and/or resources

Justin Tadlock justin at justintadlock.com
Mon Oct 20 17:54:03 UTC 2014


I've just been helping with a review of a theme and taking a closer look at
the Options Framework.  It appears that it saves an option to the database
instead of using defaults.  Here's the relevant code, which is run on the
`admin_init` hook:
https://github.com/devinsays/options-framework-plugin/blob/master/includes/class-options-framework.php#L37

We've implemented a requirement of sane defaults and not writing default
options to the database since WP 3.9:
https://make.wordpress.org/themes/2014/07/09/using-sane-defaults-in-themes/

This is going to be problematic for any theme in the directory using the
Options Framework.  I've opened a ticket on GitHub to see if we can get
this changed:
https://github.com/devinsays/options-framework-plugin/issues/200


On Mon, Oct 20, 2014 at 11:15 AM, Edward Caissie <edward.caissie at gmail.com>
wrote:

> I would have concerns with an "approved framework" list as it implies it
> is fully vetted and maintained ... which would be by whom?
>
> Also, the "approved" part should also include the "approved
> implementation" of the framework as well ... again who will be ensuring
> that is kept up to date and accurate?
>
> Granted it is very time-consuming to review a theme *and* any bundled
> frameworks but that is simply the nature of reviewing. Themes are to stand
> on their own merits, which means every time a theme is submitted for review
> it should technically be reviewed in its entirety (although exceptions are
> made for previously approved themes to allow for "diff" reviews; even those
> should be fully checked from time to time to ensure "old" code is still
> correct and up to current standards).
>
> Edward Caissie
> aka Cais.
>
> On Mon, Oct 20, 2014 at 11:39 AM, Ulrich Pogson <grapplerulrich at gmail.com>
> wrote:
>
>> The plugin review is normally done just once when you submit a plugin.
>> The themes are reviewed for each update to make sure the guidelines are
>> followed.
>>
>> If you are having trouble with a review you can always ask for a mentor.
>> The current place to ask for a mentor is here
>> https://make.wordpress.org/themes/2014/10/09/hey-mentors-and-mentees-how-are-things-weve/
>>
>> I think it might be an idea to have a list of approved framework
>> versions.
>> On 20 Oct 2014 17:22, "Venkat Raj" <venkat at webulous.in> wrote:
>>
>>>  It is options framework, but it doesn't matter. I meant to say any
>>> "bundled resource"
>>> Checking everything makes sense and we should.
>>>
>>> My concern is that, say we have 2 embedded resource then 1 theme review
>>> = 1 theme code + 2 plug-in code review?
>>> I think admins can make a rule for this, because
>>> 1) We're already at least 6 weeks behind
>>> 2) Newcomers like me don't have much experience in reviewing plugin
>>> code and security issues.
>>>
>>>
>>> On Monday 20 October 2014 08:34 PM, Emil Uzelac wrote:
>>>
>>>  If you are referring to http://wptheming.com/options-framework-plugin/
>>> I don't think that phoning home is involved.
>>>
>>>  Now, it does not matter if the code was integrated as-is, or has been
>>> modified, we still need to check everything :)
>>>
>>> On Mon, Oct 20, 2014 at 8:59 AM, Jasin S. <jasins at wphoot.com> wrote:
>>>
>>>>  ^ what tskk said.
>>>>
>>>>  A good starting point would be using diff to check if the Options
>>>> framework has been inserted "as-is" in the theme, or if it's a modified
>>>> version (maybe even malicious code)
>>>>
>>>>  I find Sublimerge to be an awesome tool for this (available on Sublime
>>>> Text editor)
>>>>
>>>>  cheers,
>>>>  Jasin S.
>>>>
>>>>> Is that framework included in the theme zip? If it is then you have
>>>>> to review it.
>>>>> Sent from BlackBerry® on Airtel
>>>>>
>>>>> -----Original Message-----
>>>>> From: Venkat Raj <venkat at webulous.in>
>>>>> Sender: "theme-reviewers" <theme-reviewers-bounces at lists.wordpress.org>
>>>>> Date: Mon, 20 Oct 2014 11:55:24
>>>>> To: theme >> Discussion list for WordPress theme reviewers.
>>>>>  <theme-reviewers at lists.wordpress.org>
>>>>> Reply-To: "Discussion list for WordPress theme reviewers."
>>>>>  <theme-reviewers at lists.wordpress.org>
>>>>> Subject: [theme-reviewers] Embedded theme options frameworks and/or
>>>>> resources
>>>>>
>>>>> I'm reviewing a theme which embeds options framework.
>>>>> My question is, since it is bundled resource, I don't need to go
>>>>> through
>>>>> it line by line, right?
>>>>> Plugin reviewer can take care of that. But how can I make sure it is
>>>>> not a modified version of the original
>>>>> and/or not containing any malicious code such as dialling home, which we
>>>>> encountered a few days back!
>>>>>
>>>>> _______________________________________________
>>>>> theme-reviewers mailing list
>>>>> theme-reviewers at lists.wordpress.org
>>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
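
The diff check suggested in the thread (is the bundled Options Framework an unmodified copy of upstream?) can be scripted as below. This is an added example, not part of the original messages or of the Options Framework project; the directory layout and sample file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_bundled(upstream_dir, bundled_dir):
    """Report how the bundled copy differs from the pristine upstream release."""
    up, bundled = tree_hashes(upstream_dir), tree_hashes(bundled_dir)
    return {
        "modified": sorted(f for f in up.keys() & bundled.keys() if up[f] != bundled[f]),
        "added": sorted(bundled.keys() - up.keys()),
        "missing": sorted(up.keys() - bundled.keys()),
    }


def build_sample(base):
    """Constructed sample trees: file names and contents are made up."""
    upstream = {
        "loader.php": "<?php // loader\n",
        "includes/class-options-framework.php": "<?php // core class\n",
        "readme.txt": "Options Framework\n",
    }
    bundled = dict(upstream)
    bundled["includes/class-options-framework.php"] += "// local change\n"
    bundled["includes/extra.php"] = "<?php // not in upstream\n"
    del bundled["readme.txt"]
    for name, files in (("upstream", upstream), ("bundled", bundled)):
        for rel, text in files.items():
            path = Path(base, name, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
    return Path(base, "upstream"), Path(base, "bundled")


def demo():
    """Run the comparison on the constructed sample trees."""
    with tempfile.TemporaryDirectory() as tmp:
        return compare_bundled(*build_sample(tmp))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Compare against the same upstream release the theme claims to bundle; files reported as modified or added are the ones that still need line-by-line review.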