Merge pull request #995 from WordPress/966-ruleset-for-plugins-to-reference

ernilambar · web-flow · commit 72de60dfd098 · 2025-07-07T09:07:35.000+05:45
Improve ruleset files
diff --git a/.github/workflows/behat-test.yml b/.github/workflows/behat-test.yml
@@ -13,6 +13,7 @@ on:
       - 'behat.yml'
       - 'composer.json'
       - 'composer.lock'
+      - 'phpcs-rulesets/*.xml'
   pull_request:
     branches:
       - trunk
@@ -26,6 +27,7 @@ on:
       - 'behat.yml'
       - 'composer.json'
       - 'composer.lock'
+      - 'phpcs-rulesets/*.xml'
     types:
       - opened
       - reopened
diff --git a/.github/workflows/php-test.yml b/.github/workflows/php-test.yml
@@ -12,6 +12,7 @@ on:
       - '.wp-env.json'
       - '**/package.json'
       - 'package-lock.json'
+      - 'phpcs-rulesets/*.xml'
       - 'phpunit.xml.dist'
       - 'composer.json'
       - 'composer.lock'
@@ -27,6 +28,7 @@ on:
       - '.wp-env.json'
       - '**/package.json'
       - 'package-lock.json'
+      - 'phpcs-rulesets/*.xml'
       - 'phpunit.xml.dist'
       - 'composer.json'
       - 'composer.lock'
diff --git a/phpcs-rulesets/plugin-check.ruleset.xml b/phpcs-rulesets/plugin-check.ruleset.xml
@@ -0,0 +1,151 @@
+<?xml version="1.0"?>
+<ruleset xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="WPPluginCheck" xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd">
+
+	<!-- For more information: https://make.wordpress.org/plugins/handbook/review/ -->
+	<description>Standards any plugin to be published on wordpress.org should comply with.</description>
+
+	<!-- All SQL queries should be prepared as close to the time of querying the database as possible. -->
+	<rule ref="WordPress.DB.PreparedSQL"/>
+	<rule ref="WordPress.DB.PreparedSQL.InterpolatedNotPrepared">
+		<!-- Ideally this wouldn't trigger on "safe" items, but it's triggered on any variable in the SQL. -->
+		<type>warning</type>
+	</rule>
+
+	<!-- Verify that placeholders in prepared queries are used correctly. -->
+	<rule ref="WordPress.DB.PreparedSQLPlaceholders"/>
+
+	<!-- Nonces. These are triggered on any GET/POST access items. -->
+	<rule ref="WordPress.Security.NonceVerification">
+		<!-- This is triggered on all GET/POST access, it can't be an error. -->
+		<type>warning</type>
+	</rule>
+
+	<!-- Sanitized Input rules -->
+	<rule ref="WordPress.Security.ValidatedSanitizedInput">
+		<type>warning</type>
+	</rule>
+
+	<!-- Prohibit the use of the backtick operator. -->
+	<rule ref="Generic.PHP.BacktickOperator">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Prohibit the use of HEREDOC or NOWDOC. -->
+	<rule ref="Squiz.PHP.Heredoc">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Prohibit the use of the `goto` PHP language construct. -->
+	<rule ref="Generic.PHP.DiscourageGoto.Found">
+		<type>error</type>
+		<severity>7</severity>
+		<message>The "goto" language construct should not be used.</message>
+	</rule>
+
+	<!-- Check for error logs in plugin -->
+	<rule ref="WordPress.PHP.DevelopmentFunctions">
+		<type>warning</type>
+	</rule>
+
+	<!-- No PHP short open tags allowed. -->
+	<rule ref="Generic.PHP.DisallowShortOpenTag"/>
+	<rule ref="Generic.PHP.DisallowShortOpenTag.Found">
+		<severity>7</severity>
+	</rule>
+	<rule ref="Generic.PHP.DisallowShortOpenTag.EchoFound">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Alternative PHP open tags not allowed. -->
+	<rule ref="Generic.PHP.DisallowAlternativePHPTags">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Prevent path disclosure when using add_theme_page(). -->
+	<rule ref="WordPress.Security.PluginMenuSlug">
+		<severity>6</severity>
+	</rule>
+
+	<!-- While most plugins shouldn't query the database directly, if they do, it should be done correctly. -->
+	<!-- Don't use the PHP database functions and classes, use the WP abstraction layer instead. -->
+	<rule ref="WordPress.DB.RestrictedClasses">
+		<severity>7</severity>
+	</rule>
+
+	<rule ref="WordPress.DB.RestrictedFunctions">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Check for code WP does better -->
+	<rule ref="WordPress.WP.AlternativeFunctions">
+		<type>error</type>
+		<exclude name="WordPress.WP.AlternativeFunctions.json_encode_json_encode"/>
+		<exclude name="WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents"/>
+		<exclude name="WordPress.WP.AlternativeFunctions.file_system_operations_file_put_contents"/>
+	</rule>
+
+	<rule ref="Generic.PHP.ForbiddenFunctions">
+		<properties>
+			<property name="forbiddenFunctions" type="array">
+				<element key="move_uploaded_file" value="null"/>
+				<element key="passthru" value="null"/>
+				<element key="proc_open" value="null"/>
+				<element key="create_function" value="null"/>
+				<element key="eval" value="null"/>
+				<element key="str_rot13" value="null"/>
+			</property>
+		</properties>
+		<type>error</type>
+		<severity>7</severity>
+	</rule>
+
+	<rule ref="Squiz.PHP.DiscouragedFunctions">
+		<properties>
+			<property name="forbiddenFunctions" type="array">
+				<element key="set_time_limit" value="null"/>
+				<element key="ini_set" value="null"/>
+				<element key="ini_alter" value="null"/>
+				<element key="dl" value="null"/>
+			</property>
+		</properties>
+	</rule>
+
+	<!-- Check for use of deprecated WordPress classes, functions and function parameters. -->
+	<rule ref="WordPress.WP.DeprecatedClasses"/>
+	<rule ref="WordPress.WP.DeprecatedFunctions"/>
+	<rule ref="WordPress.WP.DeprecatedParameters"/>
+	<rule ref="WordPress.DateTime.RestrictedFunctions"/>
+
+	<!-- Check for deprecated WordPress constants. -->
+	<rule ref="WordPress.WP.DiscouragedConstants">
+		<type>error</type>
+		<severity>7</severity>
+	</rule>
+
+	<!-- Check for discouraged WordPress functions. -->
+	<rule ref="WordPress.WP.DiscouragedFunctions">
+		<severity>6</severity>
+	</rule>
+
+	<!-- Check for usage of deprecated parameter values in WP functions and provide alternative based on the parameter passed. -->
+	<rule ref="WordPress.WP.DeprecatedParameterValues">
+		<severity>7</severity>
+	</rule>
+
+	<!-- No ByteOrderMark allowed - important to prevent issues with content being sent before headers. -->
+	<rule ref="Generic.Files.ByteOrderMark">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Check for missing required function parameters. -->
+	<rule ref="PluginCheck.CodeAnalysis.RequiredFunctionParameters">
+		<severity>7</severity>
+	</rule>
+
+	<!-- Check for discouraged load_plugin_textdomain() call. -->
+	<rule ref="PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound">
+		<type>error</type>
+		<severity>7</severity>
+	</rule>
+
+</ruleset>
diff --git a/phpcs-rulesets/plugin-review.xml b/phpcs-rulesets/plugin-review.xml
@@ -30,148 +30,6 @@
 	<exclude-pattern>*/composer_directory/*</exclude-pattern>
 	<exclude-pattern>*/node_modules/*</exclude-pattern>
 
-	<!-- All SQL queries should be prepared as close to the time of querying the database as possible. -->
-	<rule ref="WordPress.DB.PreparedSQL"/>
-	<rule ref="WordPress.DB.PreparedSQL.InterpolatedNotPrepared">
-		<!-- Ideally this wouldn't trigger on "safe" items, but it's triggered on any variable in the SQL. -->
-		<type>warning</type>
-	</rule>
-
-	<!-- Verify that placeholders in prepared queries are used correctly. -->
-	<rule ref="WordPress.DB.PreparedSQLPlaceholders"/>
-
-	<!-- Nonces. These are triggered on any GET/POST access items. -->
-	<rule ref="WordPress.Security.NonceVerification">
-		<!-- This is triggered on all GET/POST access, it can't be an error. -->
-		<type>warning</type>
-	</rule>
-
-	<!-- Sanitized Input rules -->
-	<rule ref="WordPress.Security.ValidatedSanitizedInput">
-		<type>warning</type>
-	</rule>
-
-	<!-- Prohibit the use of the backtick operator. -->
-	<rule ref="Generic.PHP.BacktickOperator">
-		<severity>7</severity>
-	</rule>
-
-	<!-- Prohibit the use of HEREDOC or NOWDOC. -->
-	<rule ref="Squiz.PHP.Heredoc">
-		<severity>7</severity>
-	</rule>
-
-	<!-- Prohibit the use of the `goto` PHP language construct. -->
-	<rule ref="Generic.PHP.DiscourageGoto.Found">
-		<type>error</type>
-		<severity>7</severity>
-		<message>The "goto" language construct should not be used.</message>
-	</rule>
-
-	<!-- Check for error logs in plugin -->
-	<rule ref="WordPress.PHP.DevelopmentFunctions">
-		<type>warning</type>
-	</rule>
-
-	<!-- No PHP short open tags allowed. -->
-	<rule ref="Generic.PHP.DisallowShortOpenTag"/>
-	<rule ref="Generic.PHP.DisallowShortOpenTag.Found">
-		<severity>7</severity>
-	</rule>
-	<rule ref="Generic.PHP.DisallowShortOpenTag.EchoFound">
-		<severity>7</severity>
-	</rule>
-
-	<!-- Alternative PHP open tags not allowed. -->
-	<rule ref="Generic.PHP.DisallowAlternativePHPTags">
-		<severity>7</severity>
-	</rule>
-
-	<!-- Prevent path disclosure when using add_theme_page(). -->
-	<rule ref="WordPress.Security.PluginMenuSlug">
-		<severity>6</severity>
-	</rule>
-
-	<!-- While most plugins shouldn't query the database directly, if they do, it should be done correctly. -->
-	<!-- Don't use the PHP database functions and classes, use the WP abstraction layer instead. -->
-	<rule ref="WordPress.DB.RestrictedClasses">
-		<severity>7</severity>
-	</rule>
-
-	<rule ref="WordPress.DB.RestrictedFunctions">
-		<severity>7</severity>
-	</rule>
-
-	<!-- Check for code WP does better -->
-	<rule ref="WordPress.WP.AlternativeFunctions">
-		<type>error</type>
-		<exclude name="WordPress.WP.AlternativeFunctions.json_encode_json_encode"/>
-		<exclude name="WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents"/>
-		<exclude name="WordPress.WP.AlternativeFunctions.file_system_operations_file_put_contents"/>
-	</rule>
-
-	<rule ref="Generic.PHP.ForbiddenFunctions">
-		<properties>
-			<property name="forbiddenFunctions" type="array">
-				<element key="move_uploaded_file" value="null"/>
-				<element key="passthru" value="null"/>
-				<element key="proc_open" value="null"/>
-				<element key="create_function" value="null"/>
-				<element key="eval" value="null"/>
-				<element key="str_rot13" value="null"/>
-			</property>
-		</properties>
-		<type>error</type>
-		<severity>7</severity>
-	</rule>
-
-	<rule ref="Squiz.PHP.DiscouragedFunctions">
-		<properties>
-			<property name="forbiddenFunctions" type="array">
-				<element key="set_time_limit" value="null"/>
-				<element key="ini_set" value="null"/>
-				<element key="ini_alter" value="null"/>
-				<element key="dl" value="null"/>
-			</property>
-		</properties>
-	</rule>
-
-	<!-- Check for use of deprecated WordPress classes, functions and function parameters. -->
-	<rule ref="WordPress.WP.DeprecatedClasses"/>
-	<rule ref="WordPress.WP.DeprecatedFunctions"/>
-	<rule ref="WordPress.WP.DeprecatedParameters"/>
-	<rule ref="WordPress.DateTime.RestrictedFunctions"/>
-
-	<!-- Check for deprecated WordPress constants. -->
-	<rule ref="WordPress.WP.DiscouragedConstants">
-		<type>error</type>
-		<severity>7</severity>
-	</rule>
-
-	<!-- Check for discouraged WordPress functions. -->
-	<rule ref="WordPress.WP.DiscouragedFunctions">
-		<severity>6</severity>
-	</rule>
-
-	<!-- Check for usage of deprecated parameter values in WP functions and provide alternative based on the parameter passed. -->
-	<rule ref="WordPress.WP.DeprecatedParameterValues">
-		<severity>7</severity>
-	</rule>
-
-	<!-- No ByteOrderMark allowed - important to prevent issues with content being sent before headers. -->
-	<rule ref="Generic.Files.ByteOrderMark">
-		<severity>7</severity>
-	</rule>
-
-	<!-- Check for missing required function parameters. -->
-	<rule ref="PluginCheck.CodeAnalysis.RequiredFunctionParameters">
-		<severity>7</severity>
-	</rule>
-
-	<!-- Check for discouraged load_plugin_textdomain() call. -->
-	<rule ref="PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound">
-		<type>error</type>
-		<severity>7</severity>
-	</rule>
+	<rule ref="./plugin-check.ruleset.xml" />
 
 </ruleset>
