3.3.0

@jrfnl released this 25 Nov 12:15
Immutable release. Only release title and notes can be modified.
7795ec6

Added

  • Support for attributes on anonymous classes (PHP 8.0) and readonly anonymous classes (PHP 8.3) to the WordPress.Security.EscapeOutput sniff. Props @rodrigoprimo. #2559
  • Support for handling "exit as a function call" (PHP 8.4) to the WordPress.Security.EscapeOutput sniff. #2563
  • WordPress-Extra: the following sniffs have been added to the ruleset: Universal.Attributes.BracketSpacing and Universal.Attributes.DisallowAttributeParentheses. #2646

Changed

  • The minimum supported PHP version is now PHP 7.2 (was PHP 5.4). #2614
  • The minimum required PHP_CodeSniffer version is now 3.13.4 (was 3.13.0). #2630
  • The minimum required PHPCSExtra version is now 1.5.0 (was 1.4.0). #2646
  • The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.6. #2656
  • WordPress.DB.DirectDatabaseQuery will now recognize more caching functions, like the wp_cache_*_multiple() functions as added in WordPress 6.0 and the wp_cache_*_salted() functions as added in WordPress 6.9. #2654
  • WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP up to WP 6.9.0. #2652
  • WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP up to WP 6.9.0. #2652
  • WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.9.0. #2652
  • WordPress.WP.DeprecatedParameters now detects parameters deprecated in WordPress up to WP 6.9.0. #2652
  • WordPress.Security.ValidatedSanitizedInput: improved the clarity of the error message for the InputNotValidated error code. Props @rodrigoprimo. #2642
  • README: updated testVersion recommendations for PHPCompatibility. Props @johnjago. #2471
  • Example ruleset: updated the minimum_wp_version and testVersion recommendations. #2608
  • All sniffs are now also being tested against PHP 8.5 for consistent sniff results. #2649
  • Various housekeeping, including documentation and test improvements. Includes contributions by @rodrigoprimo.

Deprecated

  • The WordPress.PHP.POSIXFunctions sniff (as it is no longer relevant). #2616

Removed

  • wp_kses_allowed_html() from the list of escaping functions. #2566
    This affects the WordPress.Security.EscapeOutput sniff.

Fixed

  • WordPress.DB.DirectDatabaseQuery: false positive when a function call to one of the caching functions did not use the canonical function name. Props @rodrigoprimo. #2613
  • WordPress.DB.DirectDatabaseQuery: potential false negative when a class property or constant would mirror the name of one of the caching functions. Props @rodrigoprimo. #2615
  • WordPress.DB.PreparedSQL: false positive for correctly escaped SQL snippets when the function call did not use the canonical function name. Props @rodrigoprimo. #2570
  • WordPress.DB.PreparedSQLPlaceholders: improved handling of fully qualified calls to global functions. Props @rodrigoprimo. #2569
  • WordPress.Security.EscapeOutput: expanded protection against false positives for *::class. Props @rodrigoprimo. #2605
  • WordPress.Security.NonceVerification: false positive when the nonce checking function call did not use the canonical function name. Props @rodrigoprimo. #2572
  • WordPress.WP.EnqueuedResourceParameters: the sniff could cause a PHP 8.5 deprecation notice if the code under scan contained one of the deprecated type casts. #2573
  • WordPress.WP.EnqueuedResourceParameters: improved recognition of non-lowercase and fully qualified true/false/null when passed as the $ver parameter value. Props @rodrigoprimo. #2630