Check PHPcs Coding standard into the wp-includes folder

[viralsampat]

Hello Team,

I have reviewed the code and found a few errors in some of the below files. Please below files:

Files:

wp-includes/admin-bar.php
wp-includes/option.php

Thanks,

[viralsampat]

I have checked above mentioned issue and I have resolved it and added patch.

[viralsampat]

I have checked above mentioned issue and I have resolved it and added patch.

[viralsampat]

I have found one another file and added patch for the same.

[audrasjb]

There is a small issue in your change on revison.php: __() should not be replaced with esc_html_e() but rather with esc_html__().

[audrasjb]

Also adding esc_attr() to $type_attr in
<style<?php echo $type_attr; ?> media="print">#wpadminbar { display:none; }</style>
looks wrong to me, as $type_attr may contain an attribute + its value (example: type="text/css".

If we want to escape this variable, I think esc_html would be more appropriate here.

[dhrumilk]

@audrasjb Please Verify the diff it OK or does need to change.

[krupalpanchal]

Shouldn't all the changes be in one diff file instead of multiple, like 58102.diff, 58102.2.diff etc. Or is that okay to have multiple diff files?

Because in the 58102.diff, there is a change in the option.php file. In 58102.2.diff, there is a change in admin-bar.php and so on.

[NekoJonez]

Replying to krupalpanchal:

Shouldn't all the changes be in one diff file instead of multiple, like 58102.diff, 58102.2.diff etc. Or is that okay to have multiple diff files?

Because in the 58102.diff, there is a change in the option.php file. In 58102.2.diff, there is a change in admin-bar.php and so on.

I think it's best practice to set them all in one file. Otherwise it looks like we have 4 different versions of one patch...

[audrasjb]

It really depends on the scope of the patch. Sometimes, it's easier to separate things into multiple small scoped patches.
But yes, when adding multiple patches to one ticket, it's probably better to name them after to scope of the change.
Example: 58102-revisions.diff would probably be a better name for 58102.4.diff.

[viralsampat]

I have removed unused variables from above mentioned files and checked phpcs coding standard.

[viralsampat]

I have checked above mentioned issue into the theme section and I have resolved it and added patch.

[viralsampat]

I have checked another file and added my patch

[viralsampat]

I have checked another theme and founds few file. Here, I have added its patch.

[viralsampat]

I have checked another theme and founds few file. Here, I have added its patch.

[viralsampat]

I have checked another theme and founds few file. Here, I have added its patch.

[viralsampat]

I have checked another theme and founds few file. Here, I have added its patch.

[viralsampat]

I have checked above mentioned issue and founds few files. Here, I have added its patch.

[sabernhardt]

This ticket can focus on whether to use sanitize_text_field() (or similar sanitization) for these items:

1. wp-settings-{$user_id} cookie in wp_user_settings() (option.php, in 58102.diff)
2. $_SERVER['HTTP_HOST'] and $_SERVER['REQUEST_URI'] in wp_admin_bar_customize_menu() (admin-bar.php, part of 58102.2.diff)
3. $_SERVER['HTTP_HOST'] and $_SERVER['REQUEST_URI'] in wp_login_form() (general-template.php, part of 58102-general-template.diff)

For the $_SERVER variables, #16858 and #53998 are related.

---

Other changes proposed in wp-includes patches:

1. Escaping $type_attr in both wp_admin_bar_header() and _admin_bar_bump_cb() was unnecessary because the variable represented a specific string (or nothing), and [56682] deprecated and replaced those functions.
2. Both 58102.3.diff and 58102.4.diff proposed escaping the wp_die() message in _show_post_preview() (revision.php), but I did not find any wp_die() messages that escape the translatable string.
3. [56359] already set strict comparison in revision.php.
4. 58102-general-template.diff adds esc_html() in get_search_form() and wp_register(), but both functions need to return or output HTML.
5. [55642] used strict comparison in get_archive_template().
6. The documentation for get_page_template() should keep the parentheses for locate_block_template().
7. The 11 global variables for locate_template() are available for use in the separate template file that this function requires.

Let's ignore the bundled theme patches for this ticket.

• They escape many translations (mostly replacing _e() with esc_html_e()), but #30724 decided against that for bundled themes.
• They also remove many helpful comments after endif; that identify what ends there.
• The twentysixteen_resource_hints() function should remain in the theme in case a site uses it (though the // add_filter line could be removed below the resource hints functions in each theme).
• 58102-twentyfourteen.diff removes html5.js (part of #58836) and adds esc_attr() for header image dimensions (already escaped in [56583]).
• Patches add global $post; at the top of twentyfourteen/image.php and twentyeleven/header.php.