[theme-reviewers] Embedded theme options frameworks and/or resources

Edward Caissie edward.caissie at gmail.com
Mon Oct 20 19:35:36 UTC 2014


Nice catch, Justin!

Edward Caissie
aka Cais.

On Mon, Oct 20, 2014 at 1:54 PM, Justin Tadlock <justin at justintadlock.com>
wrote:

> I've just been helping with a review of a theme and taking a closer look
> at the Options Framework.  It appears that it saves an option to the
> database instead of using defaults.  Here's the relevant code, which is run
> on the `admin_init` hook:
>
> https://github.com/devinsays/options-framework-plugin/blob/master/includes/class-options-framework.php#L37
>
> We've implemented a requirement of sane defaults and not writing default
> options to the database since WP 3.9:
> https://make.wordpress.org/themes/2014/07/09/using-sane-defaults-in-themes/
>
> This is going to be problematic for any theme in the directory using the
> Options Framework.  I've opened a ticket on GitHub to see if we can get
> this changed:
> https://github.com/devinsays/options-framework-plugin/issues/200
>
>
> On Mon, Oct 20, 2014 at 11:15 AM, Edward Caissie <edward.caissie at gmail.com
> > wrote:
>
>> I would have concerns with an "approved framework" list as it implies it
>> is fully vetted and maintained ... which would be by whom?
>>
>> Also, the "approved" part should also include the "approved
>> implementation" of the framework as well ... again who will be ensuring
>> that is kept up to date and accurate?
>>
>> Granted it is very time-consuming to review a theme *and* any bundled
>> frameworks but that is simply the nature of reviewing. Themes are to stand
>> on their own merits, which means every time a theme is submitted for review
>> it should technically be reviewed in its entirety (although exceptions are
>> made for previously approved themes to allow for "diff" reviews even those
>> should be fully checked from time to time to ensure "old" code is still
>> correct and up to current standards).
>>
>> Edward Caissie
>> aka Cais.
>>
>> On Mon, Oct 20, 2014 at 11:39 AM, Ulrich Pogson <grapplerulrich at gmail.com
>> > wrote:
>>
>>> The plugin review is normally done just once when you submit a plugin.
>>> The themes are reviewed for each update to make sure the guidelines are
>>> followed.
>>>
>>> If you are having trouble with a review you can always ask for a mentor.
>>> The current place to ask for a mentor is here
>>> https://make.wordpress.org/themes/2014/10/09/hey-mentors-and-mentees-how-are-things-weve/
>>>
>>> I think it might be an idea to have a list of approved framework
>>> versions.
>>> On 20 Oct 2014 17:22, "Venkat Raj" <venkat at webulous.in> wrote:
>>>
>>>>  It is options framework, but it doesn't matter. I meant to say any
>>>> "bundled resource"
>>>> Checking everything makes sense and we should.
>>>>
>>>> My concern is that, say we have 2 embedded resources, then 1 theme review
>>>> = 1 theme code + 2 plug-in code reviews?
>>>> I think admins can make a rule for this, because
>>>> 1) We're already at least 6 weeks behind
>>>> 2) Newcomers like me don't have much experience in reviewing plugin
>>>> code and security issues.
>>>>
>>>>
>>>> On Monday 20 October 2014 08:34 PM, Emil Uzelac wrote:
>>>>
>>>>  If you are referring to http://wptheming.com/options-framework-plugin/
>>>> I don't think that phoning home is involved.
>>>>
>>>>  Now, it does not matter if the code was integrated as-is, or has been
>>>> modified, we still need to check everything :)
>>>>
>>>> On Mon, Oct 20, 2014 at 8:59 AM, Jasin S. <jasins at wphoot.com> wrote:
>>>>
>>>>>  ^ what tskk said.
>>>>>
>>>>>  A good starting point would be using diff to check if the Options
>>>>> framework has been inserted "as-is" in the theme, or if it's a modified
>>>>> version (maybe even malicious code)
>>>>>
>>>>>  I find Sublimerge to be an awesome tool for this (available on
>>>>> Sublime Text editor)
>>>>>
>>>>>  cheers,
>>>>>  Jasin S.
>>>>>
>>>>>> Is that framework included in the theme zip? If it is then you have
>>>>>> to review it.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Venkat Raj <venkat at webulous.in>
>>>>>> Sender: "theme-reviewers" <
>>>>>> theme-reviewers-bounces at lists.wordpress.org>
>>>>>> Date: Mon, 20 Oct 2014 11:55:24
>>>>>> To: theme >> Discussion list for WordPress theme reviewers.<
>>>>>> theme-reviewers at lists.wordpress.org>
>>>>>> Reply-To: "Discussion list for WordPress theme reviewers."
>>>>>>  <theme-reviewers at lists.wordpress.org>
>>>>>> Subject: [theme-reviewers] Embedded theme options frameworks and/or
>>>>>> resources
>>>>>>
>>>>>> I'm reviewing a theme which embeds options framework.
>>>>>> My question is, since it is bundled resource, I don't need to go
>>>>>> through
>>>>>> it line by line, right?
>>>>>> Plugin reviewer can take care of that. But how can I make sure it is
>>>>>> not a modified version of the original
>>>>>> and/or not containing any malicious code such as dialling home, which
>>>>>> we
>>>>>> encountered a few days back!
>>>>>>
>>>>>> _______________________________________________
>>>>>> theme-reviewers mailing list
>>>>>> theme-reviewers at lists.wordpress.org
>>>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
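
Added example, not part of the thread: one way to carry out the "check whether the framework was bundled as-is" step suggested above, by hashing every file in the bundled copy and in a pristine upstream release of the same version. The directory layout, file names and file contents are constructed for illustration; it assumes the reviewer has already unpacked the matching upstream release next to the theme.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_bundle(upstream_dir, bundled_dir):
    """Classify the bundled copy's files against the pristine upstream release."""
    upstream, bundled = tree_hashes(upstream_dir), tree_hashes(bundled_dir)
    return {
        # Same path, different bytes: these are the files to read line by line.
        "modified": sorted(f for f in upstream.keys() & bundled.keys()
                           if upstream[f] != bundled[f]),
        # Files upstream never shipped: a per-file diff alone can miss these.
        "added": sorted(bundled.keys() - upstream.keys()),
        "removed": sorted(upstream.keys() - bundled.keys()),
    }


def build_sample(base):
    """Write two constructed trees (made-up names and contents) under base."""
    trees = {
        "upstream": {"options-framework.php": "<?php // loader\n",
                     "includes/class-options.php": "<?php // v1\n",
                     "readme.txt": "readme\n"},
        "bundled": {"options-framework.php": "<?php // loader\n",
                    "includes/class-options.php": "<?php // v1, edited\n",
                    "includes/extra.php": "<?php // not in upstream\n"},
    }
    for tree, files in trees.items():
        for rel, text in files.items():
            path = Path(base, tree, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
    return Path(base, "upstream"), Path(base, "bundled")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, files in compare_bundle(*build_sample(tmp)).items():
            print(f"{kind}: {files}")
```

Empty "modified" and "added" lists mean the bundled copy is byte-identical to that upstream release; anything listed still needs a manual diff, since a line-ending or whitespace change also alters the hash.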