<?xml version="1.0"?>
<ruleset name="Bazaar">
    <description>Bazaar WordPress plugin coding standards.</description>

    <!-- Paths scanned: the plugin bootstrap file plus the source and template trees. -->
    <file>bazaar.php</file>
    <file>src/</file>
    <file>templates/</file>

    <!-- Report paths relative to the repository root and only inspect .php files. -->
    <arg name="basepath" value="."/>
    <arg name="extensions" value="php"/>
    <!-- Check up to 8 files concurrently. -->
    <arg name="parallel" value="8"/>
    <!-- s: print the sniff code with each message; p: show progress. -->
    <arg value="sp"/>

    <!--
        PHP 8.2 and later, in line with the "require" entry in composer.json.
        NOTE(review): testVersion is read by the PHPCompatibility standard and
        this ruleset references only WordPress-Extra and WordPress-Docs.
        Confirm PHPCompatibility is loaded elsewhere; otherwise this setting
        has no effect.
    -->
    <config name="testVersion" value="8.2-"/>

    <!-- Text domain the plugin's translatable strings must use. -->
    <config name="text_domain" value="bazaar"/>

    <!-- Oldest WordPress release the plugin supports. -->
    <config name="minimum_wp_version" value="6.6"/>

    <rule ref="WordPress-Extra"/>
    <rule ref="WordPress-Docs"/>

    <!--
        Classes are autoloaded PSR-4 style, so each file carries the exact
        PascalCase name of its class (for example BazaarPage.php). The
        WordPress hyphenated-lowercase filename check is switched off to
        allow that.
    -->
    <rule ref="WordPress.Files.FileName">
        <properties>
            <property name="strict_class_file_names" value="false"/>
        </properties>
        <exclude name="WordPress.Files.FileName.NotHyphenatedLowercase"/>
    </rule>

    <!--
        base64_encode / base64_decode are reported by WordPress as
        "obfuscation" functions. Stated rationale for silencing them: the
        plugin only uses them for cryptographic signatures, URL-safe block
        tokens and SVG data URIs.
        NOTE(review): the exclusion applies to every scanned file, so any
        base64 call added later is accepted without review. base64 is an
        encoding and gives no confidentiality or integrity by itself.
    -->
    <rule ref="WordPress.PHP.DiscouragedPHPFunctions">
        <exclude name="WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode"/>
        <exclude name="WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode"/>
    </rule>

    <!--
        Stated rationale: RuntimeException messages go to WP_CLI::error() or
        to a log and are never written straight into an HTML page; escaping
        them when the exception is built would double-encode the text seen
        on the command line.
        NOTE(review): this exclusion is ruleset-wide and rests on that
        invariant. Any handler that does place an exception message into
        HTML has to escape it at the point of output, because phpcs will no
        longer flag the unescaped message at the throw site.
    -->
    <rule ref="WordPress.Security.EscapeOutput">
        <exclude name="WordPress.Security.EscapeOutput.ExceptionNotEscaped"/>
    </rule>

    <!--
        Stated rationale for the WareServer exemptions: the ware server
        streams authenticated, pre-validated files out of the plugin's own
        content directory. readfile() sends binary assets without buffering
        them in PHP memory, and WP_Filesystem offers no streaming
        counterpart. Processed HTML is echoed on purpose: it was sanitised
        at upload time and escaping it again would corrupt it.
        NOTE(review): the readfile code is excluded under two names,
        presumably to cover different WPCS releases (confirm).
        NOTE(review): an exclude-pattern exempts the whole file, so every
        echo in WareServer.php bypasses the escaping check, not only the
        intended one. The safety of that output depends entirely on the
        upload-time sanitisation and the path validation; a line-level
        "phpcs:ignore" annotation naming the sniff code would keep the
        check active for the rest of the file.
    -->
    <rule ref="WordPress.WP.AlternativeFunctions.file_system_read_readfile">
        <exclude-pattern>src/REST/WareServer.php</exclude-pattern>
    </rule>
    <rule ref="WordPress.WP.AlternativeFunctions.file_system_operations_readfile">
        <exclude-pattern>src/REST/WareServer.php</exclude-pattern>
    </rule>
    <rule ref="WordPress.Security.EscapeOutput.OutputNotEscaped">
        <exclude-pattern>src/REST/WareServer.php</exclude-pattern>
        <!--
            Server-sent events (text/event-stream): the payload is
            JSON-encoded and HTML-escaping it would corrupt the stream.
            NOTE(review): also a whole-file exemption; any other output
            added to StreamController.php goes unchecked.
        -->
        <exclude-pattern>src/REST/StreamController.php</exclude-pattern>
    </rule>

    <!--
        Stated rationale: the ware server adds a Vite HMR <script> tag to a
        proxied HTML document that is returned through the REST API.
        wp_enqueue_script() only applies to pages WordPress renders itself,
        not to content streamed via REST.
        NOTE(review): HMR is normally a development aid; confirm the
        injection is gated to development mode and that the script URL is
        not taken from request input.
    -->
    <rule ref="WordPress.WP.EnqueuedResources.NonEnqueuedScript">
        <exclude-pattern>src/REST/WareServer.php</exclude-pattern>
    </rule>
</ruleset>