-
Notifications
You must be signed in to change notification settings - Fork 4
/
phpcs.xml
355 lines (287 loc) · 12.1 KB
/
phpcs.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
<?xml version="1.0"?>
<ruleset>
<exclude-pattern>node_modules/*</exclude-pattern>
<exclude-pattern>vendor/*</exclude-pattern>
<arg name="extensions" value="php" />
<!-- Check for PHP cross-version compatibility. -->
<rule ref="PHPCompatibilityWP" />
<!--
Rules based on WordPress-Core
-->
<!-- Disallow use of __FILE__ in menu slugs, which exposes the filesystem's data. -->
<rule ref="WordPress.Security.PluginMenuSlug" />
<rule ref="WordPress.Security.PluginMenuSlug.Using__FILE__">
<type>error</type>
</rule>
<!-- Disallow functions where WordPress has an alternative. -->
<rule ref="WordPress.WP.AlternativeFunctions">
<!-- ...but, allow some back in. -->
<properties>
<property name="exclude" type="array">
<element value="file_get_contents" />
<element value="file_system_read" />
<element value="json_encode" />
<element value="json_decode" />
<!-- wp_parse_url() only exists for inconsistency in PHP <5.4 -->
<element value="parse_url" />
</property>
</properties>
</rule>
<rule ref="WordPress.DB.RestrictedFunctions" />
<rule ref="WordPress.DB.RestrictedClasses" />
<!-- Disallow eval(). (From WordPress-Core) -->
<rule ref="Squiz.PHP.Eval"/>
<rule ref="Squiz.PHP.Eval.Discouraged">
<type>error</type>
<message>eval() is a security risk and is not allowed.</message>
</rule>
<!-- Disallow create_function() -->
<rule ref="WordPress.PHP.RestrictedPHPFunctions"/>
<!-- Disallow goto function. -->
<rule ref="Generic.PHP.DiscourageGoto"/>
<rule ref="Generic.PHP.DiscourageGoto.Found">
<type>error</type>
<message>The "goto" language construct should not be used.</message>
</rule>
<!-- Disallow querying more than 100 posts at once. -->
<rule ref="WordPress.WP.PostsPerPage" />
<rule ref="WordPress.WP.PostsPerPage.posts_per_page_numberposts">
<type>error</type>
</rule>
<rule ref="WordPress.WP.PostsPerPage.posts_per_page_posts_per_page">
<type>error</type>
</rule>
<!-- Disallow changing PHP's timezone. -->
<rule ref="WordPress.DateTime.RestrictedFunctions">
<properties>
<!-- Allow other datetime functions, just not timezone. -->
<property name="exclude" type="array">
<element value="date" />
</property>
</properties>
</rule>
<!-- Disallow short PHP tags. (From WordPress-Core) -->
<rule ref="Generic.PHP.DisallowShortOpenTag">
<!-- But, allow short echo, which is now standard. -->
<exclude name="Generic.PHP.DisallowShortOpenTag.EchoFound" />
</rule>
<!-- Disallow old-style PHP tags (e.g. ASP-style) -->
<rule ref="Generic.PHP.DisallowAlternativePHPTags">
<!-- Allow ASP-style tags that aren't tokenised. -->
<exclude name="Generic.PHP.DisallowAlternativePHPTags.MaybeASPShortOpenTagFound" />
<exclude name="Generic.PHP.DisallowAlternativePHPTags.MaybeASPOpenTagFound" />
</rule>
<!-- Require prepared SQL statements. -->
<rule ref="WordPress.DB.PreparedSQL" />
<rule ref="WordPress.DB.PreparedSQLPlaceholders" />
<!-- Disallow BOM, which causes issues with headers being sent. (From WordPress-Core) -->
<rule ref="Generic.Files.ByteOrderMark" />
<!-- Disallow empty statements. -->
<rule ref="Generic.CodeAnalysis.EmptyStatement" />
<!-- Require correct usage of WP's i18n functions. -->
<rule ref="WordPress.WP.I18n">
<!-- Allow empty strings to be translated (e.g. space character) -->
<exclude name="WordPress.WP.I18n.NoEmptyStrings" />
</rule>
<!--
Rules based on WordPress-Extra
-->
<!-- Disallow parts of PHP which may cause compatibility issues. -->
<rule ref="Generic.Functions.CallTimePassByReference" />
<!-- Disallow "development" functions like var_dump/print_r/phpinfo -->
<rule ref="WordPress.PHP.DevelopmentFunctions">
<!-- Allow triggering errors for reporting purposes. -->
<exclude name="WordPress.PHP.DevelopmentFunctions.error_log_error_log" />
<exclude name="WordPress.PHP.DevelopmentFunctions.error_log_trigger_error" />
<!-- Allow overriding the error handler. -->
<exclude name="WordPress.PHP.DevelopmentFunctions.error_log_set_error_handler" />
<!-- Allow changing error level. -->
<exclude name="WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure_error_reporting" />
<!-- Allow backtraces. -->
<exclude name="WordPress.PHP.DevelopmentFunctions.error_log_debug_backtrace" />
<exclude name="WordPress.PHP.DevelopmentFunctions.error_log_wp_debug_backtrace_summary" />
<!-- Set remaining to errors. -->
<type>error</type>
</rule>
<!-- Override message for clarity. -->
<rule ref="WordPress.PHP.DevelopmentFunctions.error_log_var_dump">
<message>%s() found. Errors should be logged via error_log() or trigger_error().</message>
</rule>
<rule ref="WordPress.PHP.DevelopmentFunctions.error_log_var_export">
<message>%s() found. Errors should be logged via error_log() or trigger_error().</message>
</rule>
<rule ref="WordPress.PHP.DevelopmentFunctions.error_log_print_r">
<message>%s() found. Errors should be logged via error_log() or trigger_error().</message>
</rule>
<rule ref="WordPress.PHP.DevelopmentFunctions.error_log_debug_print_backtrace">
<message>%s() found. Use error_log( wp_debug_backtrace_summary() ) instead.</message>
</rule>
<!-- Disallow a bunch of functions which change config. -->
<rule ref="WordPress.PHP.DiscouragedPHPFunctions">
<properties>
<property name="exclude" type="array">
<!-- Allow serializing -->
<element value="serialize" />
<!-- Allow base64 encoding -->
<element value="obfuscation" />
<!-- Allow regular URL encoding -->
<element value="urlencode" />
</property>
</properties>
<!-- Allow changing error level. -->
<exclude name="WordPress.PHP.DiscouragedPHPFunctions.runtime_configuration_error_reporting" />
<!-- Set all to errors. -->
<type>error</type>
</rule>
<!-- Disallow parts of WP which have been deprecated. -->
<rule ref="WordPress.WP.DeprecatedFunctions" />
<rule ref="WordPress.WP.DeprecatedClasses" />
<rule ref="WordPress.WP.DeprecatedParameters" />
<rule ref="WordPress.WP.DeprecatedParameterValues" />
<!-- Disallow parts of WP which have better alternatives. -->
<rule ref="WordPress.WP.DiscouragedConstants" />
<rule ref="WordPress.WP.DiscouragedFunctions">
<properties>
<property name="exclude" type="array">
<!--
wp_reset_query() does a different thing to
wp_reset_postdata() and should not be discouraged.
-->
<element value="wp_reset_query" />
</property>
</properties>
</rule>
<!-- Disallow the backtick operator (which calls out to the system). -->
<rule ref="Generic.PHP.BacktickOperator" />
<!-- Require valid syntax. -->
<rule ref="Generic.PHP.Syntax" />
<!-- Disallow silencing errors. -->
<rule ref="WordPress.PHP.NoSilencedErrors" />
<rule ref="WordPress.PHP.NoSilencedErrors.Discouraged">
<message>Errors should not be silenced. Found: %s</message>
</rule>
<!--
Based on WordPress-VIP
-->
<rule ref="WordPressVIPMinimum" />
<rule ref="WordPress-Core">
<!-- Exclude other conflicting rules. -->
<exclude name="WordPress.Arrays.MultipleStatementAlignment.DoubleArrowNotAligned" />
<exclude name="WordPress.PHP.DevelopmentFunctions.error_log_trigger_error" />
<exclude name="Generic.Formatting.MultipleStatementAlignment.NotSameWarning" />
<!-- We like short arrays and ternaries around here -->
<exclude name="Universal.Arrays.DisallowShortArraySyntax.Found" />
<exclude name="Universal.Operators.DisallowShortTernary" />
<!--
OK, real talk right now. Yoda conditions are ridiculous.
The fundamental problem that Yoda conditions attempts to solve is:
the equality operator is very close to the assignment operator.
It's easy to mess up and accidentally assign to the variable you're
trying to check.
Here's the thing though. Yoda conditions just don't read correctly
in the code flow. They require you to change the way you think
about the control flow.
Rather than forcing every conditional to be backwards, why not ban
assignment from conditionals? You never really *need* to assign in
a conditional.
So, here's where I stand: no to Yoda conditions. Yes to banning
assignment in conditionals.
-->
<exclude name="WordPress.PHP.YodaConditions" />
<!-- Do not warn on function arguments named $resource. -->
<exclude name="Universal.NamingConventions.NoReservedKeywordParameterNames.resourceFound" />
</rule>
<!-- Prefer alignment over line length. -->
<rule ref="WordPress.Arrays.MultipleStatementAlignment">
<properties>
<property name="maxColumn" value="1000" />
</properties>
</rule>
<!-- Allow . in hook names. -->
<rule ref="WordPress.NamingConventions.ValidHookName">
<properties>
<property name="additionalWordDelimiters" value="/" />
</properties>
</rule>
<!-- Ease up on the PHP DOM* objects. -->
<rule ref="WordPress.NamingConventions.ValidVariableName" />
<rule ref="WordPress.Security.PluginMenuSlug" />
<rule ref="WordPress.Security.PluginMenuSlug.Using__FILE__">
<type>error</type>
</rule>
<rule ref="WordPress.WP.CronInterval" />
<rule ref="WordPress.WP.CronInterval.CronSchedulesInterval">
<type>error</type>
<message>Scheduling crons at %s sec ( less than %s minutes ) is prohibited.</message>
</rule>
<!-- Allow for underscores in theme template file names -->
<rule ref="WordPress.Files.FileName">
<properties>
<property name="is_theme" value="true" />
</properties>
</rule>
<!--
Restore the ability to have multiple arguments per line
WPCS disallowed this behavior in 1.1.0, but we'd like to keep it until
there is a reason to disallow multiple arguments.
Ref: https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/commit/bb8a48671e213a5588a6439ea52411eeefab4b0f
-->
<rule ref="PEAR.Functions.FunctionCallSignature">
<properties>
<property name="allowMultipleArguments" value="true"/>
</properties>
</rule>
<rule ref="PEAR.Functions.FunctionCallSignature.ContentAfterOpenBracket">
<severity>0</severity>
</rule>
<rule ref="PEAR.Functions.FunctionCallSignature.CloseBracketLine">
<severity>0</severity>
</rule>
<!-- Disallow long array syntax. -->
<rule ref="Generic.Arrays.DisallowLongArraySyntax" />
<!-- Single statement on same line. -->
<rule ref="Generic.Formatting.DisallowMultipleStatements" />
<!-- Namespacing required for classes. -->
<rule ref="PSR1.Classes.ClassDeclaration" />
<!-- Declare symbols or run code, but not both. -->
<rule ref="PSR1.Files.SideEffects" />
<!-- Namespacing required for functions. -->
<rule ref="PSR2.Namespaces.NamespaceDeclaration" />
<!-- Namespacing of `use` statements. -->
<rule ref="PSR2.Namespaces.UseDeclaration">
<exclude name="PSR2.Namespaces.UseDeclaration.MultipleDeclarations" />
</rule>
<rule ref="PSR2.Namespaces" />
<!-- Our custom empty line rule handles superfluous whitespace better -->
<rule ref="Squiz.WhiteSpace.SuperfluousWhitespace">
<exclude name="Squiz.WhiteSpace.SuperfluousWhitespace.EmptyLines" />
</rule>
<!-- Allow multiple variable assignments, but only outside of conditionals -->
<rule ref="Squiz.PHP.DisallowMultipleAssignments">
<exclude name="Squiz.PHP.DisallowMultipleAssignments.Found" />
</rule>
<!-- declare( strict_types=1 ); is required. -->
<rule ref="Generic.PHP.RequireStrictTypes" />
<!-- Require proper docblocks be used in all PHP files -->
<rule ref="WordPress-Docs">
<exclude name="Squiz.Commenting.FileComment.MissingPackageTag" />
<exclude name="Squiz.Commenting.FunctionComment.ParamCommentFullStop" />
<exclude name="Squiz.Commenting.FunctionComment.ThrowsNoFullStop" />
<exclude name="Squiz.Commenting.FunctionComment.SpacingAfterParamType" />
<!-- Commenting hygiene is nice, but this excludes too many valid comment syntaxes. -->
<exclude name="Squiz.Commenting.InlineComment.InvalidEndChar" />
</rule>
<!-- Turn off rules which feel superfluous or distracting within test files. -->
<rule ref="Squiz.Commenting.FunctionComment.Missing">
<exclude-pattern>tests/*</exclude-pattern>
</rule>
<rule ref="Squiz.Commenting.ClassComment.Missing">
<exclude-pattern>tests/*</exclude-pattern>
</rule>
<rule ref="Squiz.Commenting.FunctionComment.MissingParamTag">
<exclude-pattern>tests/*</exclude-pattern>
</rule>
<rule ref="PSR1.Files.SideEffects.FoundWithSymbols">
<exclude-pattern>tests/bootstrap.php</exclude-pattern>
</rule>
</ruleset>