[wp-trac] [WordPress Trac] #50413: Enhancement: Update code and comments to use more inclusive language.

WordPress Trac noreply at wordpress.org
Wed Jun 17 19:04:18 UTC 2020


#50413: Enhancement: Update code and comments to use more inclusive language.
-----------------------------+---------------------
 Reporter:  strangerstudios  |       Owner:  (none)
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  5.5
Component:  General          |     Version:
 Severity:  normal           |  Resolution:
 Keywords:                   |     Focuses:
-----------------------------+---------------------
Description changed by SergeyBiryukov:

Old description:

> Specifically, we want to change any use of "blacklist" to "blocklist" and
> any use of "whitelist" to "safelist".
>
> In some cases a different word may be more appropriate or the language
> can be changed to avoid the issue.
>
> I spent some time finding all of the cases of blacklist and whitelist in
> the core WP code and took notes on what actions could be taken.
>
> Sometimes we can just change the words with no downside (that I could
> see). Sometimes the word use is based on a dependency in an included
> library. Sometimes the use is in a default theme. Sometimes we need to do
> more work to deprecate old function and filter names.
>
> Here are my all my notes. I still need to do more research on uses of
> whitelist in particular.
>
> I think we should break things down into smaller chunks. The "easy" cases
> can be separated out. And some of the cases are related around a common
> WP feature.
>
> - START NOTES -
>
> Older trac ticket that updated the language on the front end.
> https://core.trac.wordpress.org/ticket/48900
>
> Here are the instances where the term blacklist shows up in the code.
>
> https://github.com/WordPress/wordpress-
> develop/search?q=blacklist&unscoped_q=blacklist
>
> A) The password-strengh-meter.js file uses blacklist
> https://github.com/WordPress/WordPress/blob/2a0489ec49c449894471a599c1811aaf0fcbbb22
> /wp-admin/js/password-strength-meter.js
>
> The blocklist functionality is only in our WP code. The zxcvbn library
> doesn't have a blocklist.
>
> 1. Change the method and variable names in this file.
>
> 2. This other WP core file uses the old method name:
> https://github.com/WordPress/WordPress/blob/001ffe81fbec4438a9f594f330e18103d21fbcd7
> /wp-admin/js/user-profile.js#L223
>
> 3. We need to check if other plugins are using the specific
> userInputBlacklist method. At least one use here:
> https://github.com/strangerstudios/paid-memberships-
> pro/blob/272b47cf1cf041a45734678dfbf15b3ca699a241/js/pmpro-login.js#L15
>
> 4. We potentially need to keep a version of the old method that is
> deprecated.
>
> 5. Change the use in this unit test: https://github.com/WordPress
> /wordpress-
> develop/blob/98584d6e1191ad7ed62f79c13c343dade456d95d/tests/qunit/wp-
> admin/js/password-strength-meter.js
>
> ---
>
> B) The sodium_compat library uses the term in its code.
> https://github.com/WordPress/WordPress/blob/d4ef90b236ce340591bd284b2ecaa085e4f42ffd
> /wp-includes/sodium_compat/src/Core/Ed25519.php#L380
>
> 1. We should ask the maintainers of that library to consider changing
> their code to use the more inclusive terms. I believe this is the repo
> https://github.com/paragonie/sodium_compat. I didn't find any existing
> issues or PRs that address this. We could create an issue and/or PR for
> them.
>
> ---
>
> C) The twentynineteen npm package.json has a config options for
> rtlccssConfig called blacklist. The blacklist value is set to {}. Based
> on this doc (https://rtlcss.com/learn/usage-guide/options/index.html) the
> default is {} and unlikely to change IMO. There is another option
> "useCalc" that isn't set in our package.json.
>
> 1. We can remove this line
> https://github.com/WordPress/WordPress/blob/9e9be350e2b64d5c680219608b346e606f2223dc
> /wp-content/themes/twentynineteen/package.json#L23 and nothing should
> break.
>
> ---
>
> D) The twentytwenty npm package.json has the same line as above.
>
> 1. We can remove this line
> https://github.com/WordPress/WordPress/blob/9e9be350e2b64d5c680219608b346e606f2223dc
> /wp-content/themes/twentytwenty/package.json#L36 and nothing should
> break.
>
> ---
>
> E) There is a function called wp_blacklist_check() which checks if a
> comment contains blocklisted characters or words.
> https://github.com/WordPress/wordpress-
> develop/blob/3bdf8b7b020be9b3b2308a4fdf6a27d5dde15dc4/src/wp-
> includes/comment.php#L1277
>
> 1. There's also a hook named wp_blacklist_check.
> https://github.com/WordPress/wordpress-
> develop/blob/3bdf8b7b020be9b3b2308a4fdf6a27d5dde15dc4/src/wp-
> includes/comment.php#L1290
>
> We'd have to change the name, change the docs, and keep a deprecated
> version of the hook for some time.
>
> 2. We should check if other plugins are calling the function directly and
> assuming so, create a deprecated version of the whole function.
>
> https://wpdirectory.net/search/01EADC773CDTAXVXRYYGB37NBT
>
> In comment.php, we would also then have to replace the use of blacklist
> in the comment here: https://github.com/WordPress/wordpress-
> develop/blob/3bdf8b7b020be9b3b2308a4fdf6a27d5dde15dc4/src/wp-
> includes/comment.php#L17
>
> and when it's used here: https://github.com/WordPress/wordpress-
> develop/blob/3bdf8b7b020be9b3b2308a4fdf6a27d5dde15dc4/src/wp-
> includes/comment.php#L818
>
> 3. There is one unit test that uses the old function name.
> https://github.com/WordPress/wordpress-
> develop/blob/6b366c6620fdd5960cedcdf80955966a715efa82/tests/phpunit/tests/comment/wpBlacklistCheck.php#L18
>
> After we make all other changes, we should be able to rewrite this test
> to use the new terms.
>
> 4. Using blacklist_keys in the HTML attributes (name, id) of the Comment
> Blocklist field on the Discussion Options page.
>
> https://github.com/WordPress/wordpress-
> develop/blob/8b9823f53621a63d0a47626920f6930f35db160c/src/wp-admin
> /options-discussion.php#L209
>
> Change all blacklist_keys to blocklist_keys.
>
> 5. When we change the name of the textarea, we will also have to change
> the name of the parameter we look for in the server code. That would be
> here https://github.com/WordPress/wordpress-
> develop/blob/50ece6d31c33b056b91fc1f204c618c76368925b/src/wp-
> admin/options.php#L106, and it seems we can just change the name there.
>
> 6. This option is also set up as a default here
> https://github.com/WordPress/wordpress-
> develop/blob/8b9823f53621a63d0a47626920f6930f35db160c/src/wp-
> admin/includes/schema.php#L450. Change the name there.
>
> 7. The formatting rules for this option are here
> https://github.com/WordPress/wordpress-
> develop/blob/b58973554da40b4965458d993a4703ec81e7ad28/src/wp-
> includes/formatting.php#L4881. Change the name there.
>
> 8. On existing sites, the option is stored in the DB as blacklist_keys.
>
> We would want to run a SQL query like this on update.
>
> UPDATE $wpdb->options SET option_name = 'blocklist_keys' WHERE
> option_name = 'blacklist_keys';
>
> Were other plugins accessing the option from the DB directly?
>
> ---
>
> F) Comment in theme.php https://github.com/WordPress/wordpress-
> develop/blob/3bdf8b7b020be9b3b2308a4fdf6a27d5dde15dc4/src/wp-
> includes/theme.php#L2828
>
> We can change Blacklist to Blocklist or reward the comment in general to
> avoid it.
>
> ---
>
> G) This unit test for attachments uses the terms blacklist and whitelist
> in its tests of the mime type filter for uploads.
>
> https://github.com/WordPress/wordpress-
> develop/blob/cfc3b57488458801c64c750cb500c98c1ef635ad/tests/phpunit/tests/post/attachments.php#L496
>
> We can change those terms without breaking anything. The mime type filter
> itself (https://developer.wordpress.org/reference/hooks/upload_mimes/)
> doesn't use block/black/white/safe language anyway. So we can probably
> rename things to make the test even clearer.
>
> ---
>
> H) This unit test for includes/schema.php has the word blacklist in a
> comment.
>
> https://github.com/WordPress/wordpress-
> develop/blob/e72fff9ceffb41d22c48febfc5f97c0cd46f5884/tests/phpunit/tests/admin/includesSchema.php#L162
>
> We can change that to blocklist or someone who understands what is being
> tested can probably rewrite the comment to be more clear.
>
> ---
>
> I) The twentyfourteen theme has the word blacklist in a comment.
>
> https://github.com/WordPress/wordpress-
> develop/blob/8b9823f53621a63d0a47626920f6930f35db160c/src/wp-
> content/themes/twentyfourteen/inc/featured-content.php#L236
>
> We could say "We need to respect post ids already being excluded." or "We
> need to respect post ids already in the array."
>
> ---
>
> J) The wp-admin/options.php file has a variable $whitelist_options that
> is used to make sure only specific options get updated on the options
> pages.
>
> https://github.com/WordPress/wordpress-
> develop/blob/50ece6d31c33b056b91fc1f204c618c76368925b/src/wp-
> admin/options.php
>
> 1. Can change all uses of that variable within this file to
> $safelist_options.
>
> 2. There is a filter whitelist_options as well here
> https://github.com/WordPress/wordpress-
> develop/blob/50ece6d31c33b056b91fc1f204c618c76368925b/src/wp-
> admin/options.php#L209
>
> We can change that to safelist_options. We would need to add a deprecated
> filter for the old use.
>
> We would need to update the documentation.
>
> 3. Update the error message here https://github.com/WordPress/wordpress-
> develop/blob/50ece6d31c33b056b91fc1f204c618c76368925b/src/wp-
> admin/options.php#L224
>
> ---
>
> Here are some instances where whitelist shows up in the code. Many of
> these are related to the above instances of blacklist, many are not. I
> haven't code through all of these yet.
>
> https://github.com/WordPress/wordpress-
> develop/search?q=whitelist&unscoped_q=whitelist
>
> K) In wp-admin/includes/plugin.php there are a couple of related
> functions that have the word whitelist in them. add_option_whitelist()
> and remove_option_whitelist().
>
> https://github.com/WordPress/wordpress-
> develop/blob/3bdf8b7b020be9b3b2308a4fdf6a27d5dde15dc4/src/wp-
> admin/includes/plugin.php#L2139
>
> Also option_update_filter() is a callback for the whitelist_options
> filter and calls those functions.
>
> There are 2 global variables $whitelist_options and
> $new_whitelist_options.
>
> The $new_whitelist_options global seems to only be used by the
> register_setting() function https://github.com/WordPress/wordpress-
> develop/blob/8b9823f53621a63d0a47626920f6930f35db160c/src/wp-
> includes/option.php#L2117
>
> But it's also showing up in 108 or so plugin:
> https://wpdirectory.net/search/01EB1MCARJHZ77593CWHEXWH3C
>
> We could potentially update option_update_filter() function and remove
> the need for the $new_whitelist_options global by just using the
> $wp_registered_settings one and building a one time array in the right
> format for the add_option_whitelist function. The "group" is in the args
> for the options in $wp_registered_settings. We would create arrays out of
> those groups.

New description:

 Specifically, we want to change any use of "blacklist" to "blocklist" and
 any use of "whitelist" to "safelist".

 In some cases a different word may be more appropriate or the language can
 be changed to avoid the issue.

 I spent some time finding all of the cases of blacklist and whitelist in
 the core WP code and took notes on what actions could be taken.

 Sometimes we can just change the words with no downside (that I could
 see). Sometimes the word use is based on a dependency in an included
 library. Sometimes the use is in a default theme. Sometimes we need to do
 more work to deprecate old function and filter names.

 Here are my all my notes. I still need to do more research on uses of
 whitelist in particular.

 I think we should break things down into smaller chunks. The "easy" cases
 can be separated out. And some of the cases are related around a common WP
 feature.

 - START NOTES -

 Older trac ticket that updated the language on the front end: #48900

 Here are the instances where the term blacklist shows up in the code.

 https://github.com/WordPress/wordpress-
 develop/search?q=blacklist&unscoped_q=blacklist

 A) The password-strengh-meter.js file uses blacklist
 https://github.com/WordPress/WordPress/blob/2a0489ec49c449894471a599c1811aaf0fcbbb22
 /wp-admin/js/password-strength-meter.js

 The blocklist functionality is only in our WP code. The zxcvbn library
 doesn't have a blocklist.

 1. Change the method and variable names in this file.

 2. This other WP core file uses the old method name:
 https://github.com/WordPress/WordPress/blob/001ffe81fbec4438a9f594f330e18103d21fbcd7
 /wp-admin/js/user-profile.js#L223

 3. We need to check if other plugins are using the specific
 userInputBlacklist method. At least one use here:
 https://github.com/strangerstudios/paid-memberships-
 pro/blob/272b47cf1cf041a45734678dfbf15b3ca699a241/js/pmpro-login.js#L15

 4. We potentially need to keep a version of the old method that is
 deprecated.

 5. Change the use in this unit test: https://github.com/WordPress
 /wordpress-
 develop/blob/98584d6e1191ad7ed62f79c13c343dade456d95d/tests/qunit/wp-
 admin/js/password-strength-meter.js

 ---

 B) The sodium_compat library uses the term in its code.
 https://github.com/WordPress/WordPress/blob/d4ef90b236ce340591bd284b2ecaa085e4f42ffd
 /wp-includes/sodium_compat/src/Core/Ed25519.php#L380

 1. We should ask the maintainers of that library to consider changing
 their code to use the more inclusive terms. I believe this is the repo
 https://github.com/paragonie/sodium_compat. I didn't find any existing
 issues or PRs that address this. We could create an issue and/or PR for
 them.

 ---

 C) The twentynineteen npm package.json has a config options for
 rtlccssConfig called blacklist. The blacklist value is set to {}. Based on
 this doc (https://rtlcss.com/learn/usage-guide/options/index.html) the
 default is {} and unlikely to change IMO. There is another option
 "useCalc" that isn't set in our package.json.

 1. We can remove this line
 https://github.com/WordPress/WordPress/blob/9e9be350e2b64d5c680219608b346e606f2223dc
 /wp-content/themes/twentynineteen/package.json#L23 and nothing should
 break.

 ---

 D) The twentytwenty npm package.json has the same line as above.

 1. We can remove this line
 https://github.com/WordPress/WordPress/blob/9e9be350e2b64d5c680219608b346e606f2223dc
 /wp-content/themes/twentytwenty/package.json#L36 and nothing should break.

 ---

 E) There is a function called wp_blacklist_check() which checks if a
 comment contains blocklisted characters or words.
 https://github.com/WordPress/wordpress-
 develop/blob/3bdf8b7b020be9b3b2308a4fdf6a27d5dde15dc4/src/wp-
 includes/comment.php#L1277

 1. There's also a hook named wp_blacklist_check.
 https://github.com/WordPress/wordpress-
 develop/blob/3bdf8b7b020be9b3b2308a4fdf6a27d5dde15dc4/src/wp-
 includes/comment.php#L1290

 We'd have to change the name, change the docs, and keep a deprecated
 version of the hook for some time.

 2. We should check if other plugins are calling the function directly and
 assuming so, create a deprecated version of the whole function.

 https://wpdirectory.net/search/01EADC773CDTAXVXRYYGB37NBT

 In comment.php, we would also then have to replace the use of blacklist in
 the comment here: https://github.com/WordPress/wordpress-
 develop/blob/3bdf8b7b020be9b3b2308a4fdf6a27d5dde15dc4/src/wp-
 includes/comment.php#L17

 and when it's used here: https://github.com/WordPress/wordpress-
 develop/blob/3bdf8b7b020be9b3b2308a4fdf6a27d5dde15dc4/src/wp-
 includes/comment.php#L818

 3. There is one unit test that uses the old function name.
 https://github.com/WordPress/wordpress-
 develop/blob/6b366c6620fdd5960cedcdf80955966a715efa82/tests/phpunit/tests/comment/wpBlacklistCheck.php#L18

 After we make all other changes, we should be able to rewrite this test to
 use the new terms.

 4. Using blacklist_keys in the HTML attributes (name, id) of the Comment
 Blocklist field on the Discussion Options page.

 https://github.com/WordPress/wordpress-
 develop/blob/8b9823f53621a63d0a47626920f6930f35db160c/src/wp-admin
 /options-discussion.php#L209

 Change all blacklist_keys to blocklist_keys.

 5. When we change the name of the textarea, we will also have to change
 the name of the parameter we look for in the server code. That would be
 here https://github.com/WordPress/wordpress-
 develop/blob/50ece6d31c33b056b91fc1f204c618c76368925b/src/wp-
 admin/options.php#L106, and it seems we can just change the name there.

 6. This option is also set up as a default here
 https://github.com/WordPress/wordpress-
 develop/blob/8b9823f53621a63d0a47626920f6930f35db160c/src/wp-
 admin/includes/schema.php#L450. Change the name there.

 7. The formatting rules for this option are here
 https://github.com/WordPress/wordpress-
 develop/blob/b58973554da40b4965458d993a4703ec81e7ad28/src/wp-
 includes/formatting.php#L4881. Change the name there.

 8. On existing sites, the option is stored in the DB as blacklist_keys.

 We would want to run a SQL query like this on update.

 UPDATE $wpdb->options SET option_name = 'blocklist_keys' WHERE option_name
 = 'blacklist_keys';

 Were other plugins accessing the option from the DB directly?

 ---

 F) Comment in theme.php https://github.com/WordPress/wordpress-
 develop/blob/3bdf8b7b020be9b3b2308a4fdf6a27d5dde15dc4/src/wp-
 includes/theme.php#L2828

 We can change Blacklist to Blocklist or reward the comment in general to
 avoid it.

 ---

 G) This unit test for attachments uses the terms blacklist and whitelist
 in its tests of the mime type filter for uploads.

 https://github.com/WordPress/wordpress-
 develop/blob/cfc3b57488458801c64c750cb500c98c1ef635ad/tests/phpunit/tests/post/attachments.php#L496

 We can change those terms without breaking anything. The mime type filter
 itself (https://developer.wordpress.org/reference/hooks/upload_mimes/)
 doesn't use block/black/white/safe language anyway. So we can probably
 rename things to make the test even clearer.

 ---

 H) This unit test for includes/schema.php has the word blacklist in a
 comment.

 https://github.com/WordPress/wordpress-
 develop/blob/e72fff9ceffb41d22c48febfc5f97c0cd46f5884/tests/phpunit/tests/admin/includesSchema.php#L162

 We can change that to blocklist or someone who understands what is being
 tested can probably rewrite the comment to be more clear.

 ---

 I) The twentyfourteen theme has the word blacklist in a comment.

 https://github.com/WordPress/wordpress-
 develop/blob/8b9823f53621a63d0a47626920f6930f35db160c/src/wp-
 content/themes/twentyfourteen/inc/featured-content.php#L236

 We could say "We need to respect post ids already being excluded." or "We
 need to respect post ids already in the array."

 ---

 J) The wp-admin/options.php file has a variable $whitelist_options that is
 used to make sure only specific options get updated on the options pages.

 https://github.com/WordPress/wordpress-
 develop/blob/50ece6d31c33b056b91fc1f204c618c76368925b/src/wp-
 admin/options.php

 1. Can change all uses of that variable within this file to
 $safelist_options.

 2. There is a filter whitelist_options as well here
 https://github.com/WordPress/wordpress-
 develop/blob/50ece6d31c33b056b91fc1f204c618c76368925b/src/wp-
 admin/options.php#L209

 We can change that to safelist_options. We would need to add a deprecated
 filter for the old use.

 We would need to update the documentation.

 3. Update the error message here https://github.com/WordPress/wordpress-
 develop/blob/50ece6d31c33b056b91fc1f204c618c76368925b/src/wp-
 admin/options.php#L224

 ---

 Here are some instances where whitelist shows up in the code. Many of
 these are related to the above instances of blacklist, many are not. I
 haven't code through all of these yet.

 https://github.com/WordPress/wordpress-
 develop/search?q=whitelist&unscoped_q=whitelist

 K) In wp-admin/includes/plugin.php there are a couple of related functions
 that have the word whitelist in them. add_option_whitelist() and
 remove_option_whitelist().

 https://github.com/WordPress/wordpress-
 develop/blob/3bdf8b7b020be9b3b2308a4fdf6a27d5dde15dc4/src/wp-
 admin/includes/plugin.php#L2139

 Also option_update_filter() is a callback for the whitelist_options filter
 and calls those functions.

 There are 2 global variables $whitelist_options and
 $new_whitelist_options.

 The $new_whitelist_options global seems to only be used by the
 register_setting() function https://github.com/WordPress/wordpress-
 develop/blob/8b9823f53621a63d0a47626920f6930f35db160c/src/wp-
 includes/option.php#L2117

 But it's also showing up in 108 or so plugin:
 https://wpdirectory.net/search/01EB1MCARJHZ77593CWHEXWH3C

 We could potentially update option_update_filter() function and remove the
 need for the $new_whitelist_options global by just using the
 $wp_registered_settings one and building a one time array in the right
 format for the add_option_whitelist function. The "group" is in the args
 for the options in $wp_registered_settings. We would create arrays out of
 those groups.

--

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50413#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list