Hi Everyone,
I’m using the “Plugin Check” plugin to review the plugin (displayed at https:Manna-network.com/demo) before submitting to the WordPress repo. The checker generated a ton of errors, all related to escaping the plugin’s output to the browser. I’ve gone through and “fixed” about a third of them (using esc_attr()), but it doesn’t “feel” right, and I am asking if I am doing it right. I am seeing that everything that the checker is requiring me to escape is 100% trusted content from my own database. It seems all these calls to the esc_attr function are redundant and unnecessary. Am I missing something? Am I correct but it’s “just the way it is”, etc.?
In the documentation it says: “escaping late makes sure that you’re keeping the future you safe. While today your code may be only outputted hardcoded content, that may not be true in the future. By taking the time to properly escape when you echo, you prevent a mistake in the future from becoming a critical security issue”.
So it acknowledges “outputted hardcoded content” is perfectly safe but holds that we need to escape because “that may not be true in the future”?
That seems nonsensical. Am I missing something?
Thanks.
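What “escape late” buys you, shown as an added example (this is not code from the original post or from the Plugin Check project). It assumes a plugin that shipped with a hardcoded button label and later turned that label into an admin-editable option; the function names and the option name are hypothetical, and the code assumes it runs inside WordPress.

```php
<?php
// Added example, not the poster's code. Assumes it runs inside WordPress.
// The option name 'demo_button_label' and all function names are hypothetical.

// Version 1: the label is hardcoded, so echoing it raw is harmless today.
function demo_render_button_v1() {
	$label = 'Download';
	echo '<button data-label="' . $label . '">' . $label . '</button>';
}

// Version 2, some releases later: the label is now an option that anyone with
// manage_options (or an importer, or another plugin) can write. The echo is
// unchanged, but the data no longer originates in the code. A stored value such as
//   " autofocus onfocus="alert(document.cookie)
// closes the attribute and adds an event handler.
function demo_render_button_v2_unescaped() {
	$label = get_option( 'demo_button_label', 'Download' );
	echo '<button data-label="' . $label . '">' . $label . '</button>';
}

// Escaping at the point of output makes the function correct no matter where
// $label comes from, which is why the sniff looks at the echo and not at the source.
function demo_render_button_v2_escaped() {
	$label = get_option( 'demo_button_label', 'Download' );
	echo '<button data-label="' . esc_attr( $label ) . '">' . esc_html( $label ) . '</button>';
}

// The escaper has to match the output context: esc_attr() inside an attribute value,
// esc_html() in a text node, esc_url() in href/src, and JSON encoding with the HEX
// flags for a value embedded in inline JavaScript (so "</script>" cannot break out).
function demo_render_link( $url, $text, $js_value ) {
	printf(
		'<a href="%s" title="%s">%s</a>',
		esc_url( $url ),
		esc_attr( $text ),
		esc_html( $text )
	);
	printf(
		'<script>var demoValue = %s;</script>',
		wp_json_encode( $js_value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT )
	);
}
```

The database is not a trust boundary: everything written through the admin UI, a CSV import, the REST API or another plugin lands in the same tables, and escaping at output is the one check that does not depend on remembering every write path.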
Hi there,
I’m experiencing this issue with nearly all the files in my plugin, including standard ones like LICENSE, CHANGELOG.md, and readme.txt too. All the files are showing the error “badly_named_files – Badly named files are not permitted” when I run them through Plugin Check. Could you please help me resolve this? I need to release an update for my plugin soon.
Hoping to hear from you soon, and thank you for looking into this issue.
Regards,
Kiran
The notice below is displayed in WP 6.7.0 or earlier.
Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the woocommerce domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6087
WordPress: 6.6.2
Plugin Check: 1.2.0
Wordfence is warning of a malicious or unsafe file.
It looks to be a false positive. Is that correct?
Should the plugin, or Wordfence correct this?
File appears to be malicious or unsafe: wp-content/languages/plugins/theme-check-en_AU.l10n.php
thank you
I get a warning about mismatched_plugin_name in readme.md:
Plugin name “(plugin name english)” is different from the name declared in plugin header “(plugin name german)”.
My website is running in German and the plugin name I translated on Translating WordPress. Is it allowed to translate the plugin name? There are many plugins with translated names.
If it is allowed, the warning is not necessary.
This label seems to be applied to lots of files that are not badly named…
FILE: readme.txt
ERROR badly_named_files
Badly named files are not permitted.
Although I always thought it should have been: youshouldreadmenow.txt
Hi, I didn’t know about this plugin, I think it’s very useful to use while developing a WP plugin.
Please allow me to suggest a feature:
It would be nice to be able to download the full report of errors in a CSV or txt file.
B. Regards.
Hi
Thank you for the plugin.
A question or suggestion: The plugin is of course used during development. But the fact is that some dot files have to be available, especially if you work with a version management system.
For example the .gitignore if you work with Git.
If you then later push the plugin to SVN, these files will of course be removed.
Would it be possible to make an exception for hidden files such as .gitignore and issue a warning instead of an ERROR?
Best regards
Wolfgang
The checker seems to be returning an invalid_license warning for valid licenses. E.g., this line triggers a warning:
Main plugin file
* License: GNU General Public License (GPL) version 3
readme.txt
License: GNU General Public License (GPL) version 3
There is a suggestion to use an SPDX license identifier from here, but the above is valid according to the link.
Interestingly, this passes the checks though it is not present in the link:
Main plugin file
* License: GPLv3 or later
readme.txt
License: GPLv3 or later
When run with the “Plugin Repo” checks, the code throws an incorrect report of WordPress.Security.ValidatedSanitizedInput.InputNotSanitized if the variable is an array that is sanitized via an array_walk in the next step.
Here is some illustrative code:
$post_ids = $_POST['selected_posts']; // Should not sanitize this since it is an array. Will sanitize each of its components in the array_walk.
// array_walk() ignores the callback's return value, so passing 'sanitize_text_field' directly leaves the array unchanged; the callback has to take the element by reference.
array_walk( $post_ids, function ( &$value ) { $value = sanitize_text_field( $value ); } );
A use-case for the above is, if you are doing a search and replace of certain text across selected posts via the WP_List_Table object, you would want to sanitize the individual post ids rather than the array object. To wit, it is incorrect to call sanitize_text_field on an array object.
Is there a way to indicate that this is an array, hence the check should not be done here?
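Sanitizing a posted array of post IDs element by element in a form the sniff recognizes, as an added example (not the poster's code and not from the Plugin Check project). It assumes WordPress is loaded, that the form was rendered with wp_nonce_field( 'demo_bulk_replace', 'demo_nonce' ), and that the checkbox field is named selected_posts[]; the nonce action and function name are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes WordPress is loaded and the form
// carries wp_nonce_field( 'demo_bulk_replace', 'demo_nonce' ); names are hypothetical.

function demo_get_selected_post_ids() {
	// Verify the nonce before reading anything else (WordPress.Security.NonceVerification).
	// sanitize_key() both unslashes and sanitizes, which the sniff accepts for nonce values.
	if ( ! isset( $_POST['demo_nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['demo_nonce'] ), 'demo_bulk_replace' ) ) {
		return array();
	}
	if ( ! isset( $_POST['selected_posts'] ) ) {
		return array();
	}

	// Sanitize each element, never the array as a whole. array_map() with a known
	// sanitizer is recognized by the sniff; array_walk() is not, and it also drops the
	// return value. absint() is the right sanitizer for IDs: sanitize_text_field()
	// would happily keep a value like "12 OR 1=1".
	$ids = array_map( 'absint', (array) wp_unslash( $_POST['selected_posts'] ) );

	// Drop zeros (non-numeric junk) and duplicates.
	$ids = array_values( array_unique( array_filter( $ids ) ) );

	// Sanitization says the value is well-formed; authorization says this user may
	// touch that post. Both are needed before a bulk search-and-replace.
	return array_values(
		array_filter(
			$ids,
			function ( $id ) {
				return current_user_can( 'edit_post', $id );
			}
		)
	);
}
```

If the elements are not IDs but free text, swap absint for sanitize_text_field in the array_map call; the per-element structure stays the same.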
How can this be resolved -> The “Short Description” section is missing. An excerpt was generated from your main plugin description.
Hi,
Please can you clarify for me why the word “plugin” is on the list of trademarked terms, “Lists of trademark terms that are commonly abused on www.ads-software.com”? Which entity claims a trademark on this word?
Thank you,
David
Hello
I am one of the developers working on the LiteSpeed Cache plugin.
When we scan our plugin in any category other than Security, the results are shown.
When scanning the Security category it passes the late_escaping tests and freezes at direct_db_queries for a few seconds, then it redirects to wp-admin/$url (this is the link).
Forgot to mention, I disabled LSC just to make sure there are no compatibility issues.
I’ve been debugging a little bit but it seems there is code (from our plugin) that creates a redirect while running checks.
rest_is_ip_address() seems not to be recognized as a sanitizer:
This code:
// Generate a unique session id
function wppa_get_session_id() {
	global $wppa_version;
	static $session_id;

	// Found already?
	if ( $session_id ) {
		return $session_id;
	}

	// Look for a cookie
	if ( isset( $_COOKIE['wppa_session_id'] ) ) {
		$t = rest_is_ip_address( wp_unslash( $_COOKIE['wppa_session_id'] ) ); // line 30 in the file
		if ( $t ) {
			$session_id = $t;
			return $session_id;
		}
	}
	// The rest of the function (which creates a new id when no valid cookie is present) was not included in the post.
}
generates this error:
30 40 ERROR WordPress.Security.ValidatedSanitizedInput.InputNotSanitized Detected usage of a non-sanitized input variable: $_COOKIE['wppa_session_id']
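One way to keep the validation in rest_is_ip_address() and still satisfy the sniff, as an added example (not the poster's code and not from the Plugin Check project). It assumes WordPress is loaded; the cookie name is the one from the post, and the second function with its 32-hex-character token format is hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes WordPress is loaded.

// The sniff works from a fixed list of sanitizing functions and rest_is_ip_address()
// is not on it. Sanitize with a listed function first, then validate the result.
// rest_is_ip_address() returns the string for a well-formed IPv4/IPv6 address and
// false for anything else, so only an address can reach the caller.
function demo_session_id_from_cookie() {
	if ( ! isset( $_COOKIE['wppa_session_id'] ) ) {
		return '';
	}
	$raw = sanitize_text_field( wp_unslash( $_COOKIE['wppa_session_id'] ) );
	$ip  = rest_is_ip_address( $raw );
	return ( false === $ip ) ? '' : $ip;
}

// Same sanitize-then-validate shape for a session id that is a random token rather
// than an IP address (hypothetical format: exactly 32 lowercase hex characters).
// Matching the exact expected shape rejects everything the format does not allow.
function demo_token_from_cookie( $cookie_name ) {
	if ( ! isset( $_COOKIE[ $cookie_name ] ) ) {
		return '';
	}
	$raw = sanitize_text_field( wp_unslash( $_COOKIE[ $cookie_name ] ) );
	return preg_match( '/^[a-f0-9]{32}$/', $raw ) ? $raw : '';
}
```

The alternative is a line-level `phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- validated by rest_is_ip_address()` annotation, but a reviewer then has to trust the comment; running the value through a listed sanitizer first costs nothing and needs no annotation.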
How do we fix this error message:
Detected usage of a non-sanitized input variable: $_FILES['file_1']
I am getting a “nonce verification needed” warning for every instance of a $_GET or $_REQUEST variable in a conditional when there is no form submission, ajax query or other type of transmission happening. These are not hard to ignore, though a bit annoying. This is also troublesome because I am editing a plugin that was flagged as not secure by the repository review team and I need to clear all errors and warnings using this plugin. If I am wrong on thinking that nonces are not required just because a $_GET or $_REQUEST is used in the code, please let me know. I could be wrong on that point.
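How a $_GET parameter that only selects a view can be read without tripping WordPress.Security.NonceVerification, as an added example (not the poster's code and not from the Plugin Check project). It assumes WordPress is loaded; the admin page slug, the query arguments and the nonce action are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes WordPress is loaded; the page slug,
// query arguments and nonce action are hypothetical.

// Link that applies a status filter. wp_nonce_url() appends the nonce so the reader
// below has something to verify even though the request changes no state.
function demo_filter_link( $status ) {
	$url = add_query_arg(
		array( 'page' => 'demo-list', 'status' => $status ),
		admin_url( 'admin.php' )
	);
	return wp_nonce_url( $url, 'demo_filter', '_demo_nonce' );
}

// Read the filter: nonce first, then sanitize, then validate against an allow-list.
// sanitize_key() is on the sniff's list of functions that both unslash and sanitize.
function demo_current_filter() {
	$allowed = array( 'all', 'draft', 'publish' );
	if ( ! isset( $_GET['status'] ) ) {
		return 'all';
	}
	if ( ! isset( $_GET['_demo_nonce'] ) || ! wp_verify_nonce( sanitize_key( $_GET['_demo_nonce'] ), 'demo_filter' ) ) {
		return 'all';
	}
	$status = sanitize_key( $_GET['status'] );
	return in_array( $status, $allowed, true ) ? $status : 'all';
}

// Where there genuinely is no nonce to check (a plain tab link), the sniff can be
// silenced per line with a stated reason; sanitization and the allow-list still apply.
function demo_current_tab() {
	// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only tab selection, no state change.
	$tab = isset( $_GET['tab'] ) ? sanitize_key( $_GET['tab'] ) : 'general';
	return in_array( $tab, array( 'general', 'advanced' ), true ) ? $tab : 'general';
}
```

A nonce is a CSRF defence and only matters where the request changes state; the sniff cannot tell a filter from a delete action, so it flags both and leaves the decision (verify, or annotate with a reason) to the author.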
I had a message regarding copyright content specifically the use of “WP” but this page states “The abbreviation “WP” is not covered by the WordPress trademarks and you are free to use it in any way you see fit.”
Can I ignore this warning?
I read the FAQ and I understand in general, it has to pass the “Plugin Repo” check to get approved.
However, I’m confused on whether this is actually enforced. I’m getting errors like “Hidden files are not permitted.” because I have a few htaccess files. When I look at other plugins, they also have htaccess files and these same errors. This is just one example of many.
Is this because other plugins were approved before these standards?
Hi, running on a local env I get the fatal error:
[07-Jun-2024 13:04:05 UTC] PHP Fatal error: Uncaught ValueError: Path cannot be empty in wp-content\plugins\plugin-check\vendor\squizlabs\php_codesniffer\src\Reporter.php:160
but the analysis of a plugin still continue (the error is triggered by one of the ajax calls). I don’t know if I missed some configuration or if the xampp env is not ok to use it.
I have an array variable in my PHP code.
$id_arr = fn_get_id_array(); // Returns Array, i.e. [23,24,25]
I need to use this value in my query, like this:
... WHERE ID IN(23,24,25)
If I prepare it using “%s”, this is not working:
... WHERE ID IN('23,24,25')
So, I use this:
$wpdb->query( $wpdb->prepare( "SELECT ... WHERE ID IN(%1s) ", implode(',',$id_arr) ) );
PCP says:
WARNING WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder Complex placeholders used for values in the query string in $wpdb->prepare() will NOT be quoted automagically. Found: %1s.
Should another method be used to prepare the query? I’m waiting for your advice.
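Binding each value of an IN() list separately so that nothing has to be interpolated unquoted, as an added example (not the poster's code and not from the Plugin Check project). It assumes WordPress 6.2 or later (for the %i identifier placeholder) and a hypothetical table named {$wpdb->prefix}demo_items.

```php
<?php
// Added example, not the poster's code. Assumes WordPress 6.2+ (for %i) and a
// hypothetical table {$wpdb->prefix}demo_items with columns id and name.
function demo_get_items_by_ids( array $id_arr ) {
	global $wpdb;

	// Integers only, no zeros, no duplicates, re-indexed from 0.
	$ids = array_values( array_unique( array_filter( array_map( 'absint', $id_arr ) ) ) );
	if ( empty( $ids ) ) {
		return array();
	}

	// One %d per value, e.g. "%d,%d,%d". Every id is then bound as its own argument,
	// so the query string never carries a value, unlike "%1s" with implode() on the list.
	$placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );

	// %i quotes the identifier with backticks; the ids fill the IN list in order.
	$args = array_merge( array( $wpdb->prefix . 'demo_items' ), $ids );
	$sql  = $wpdb->prepare(
		"SELECT id, name FROM %i WHERE id IN ({$placeholders}) ORDER BY id",
		$args
	);

	return $wpdb->get_results( $sql, ARRAY_A );
}
```

This is the placeholder-per-value pattern the $wpdb reference documentation gives for IN lists; for a list of strings use %s in place of %d, and prepare() then quotes each one. The unquoted %1s form works only because the values were already integers, which is exactly what the warning is saying it cannot verify.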
My plugin imports a dataset from a CSV. The data is then sanitised and a new options table row created.
PCP returns this error:
“The use of function move_uploaded_file() is forbidden”
I’m really not sure how to fix this as it’s the standard PHP function for uploading temporary files. There doesn’t appear to be any alternative method of importing a file.
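A CSV import handler that replaces move_uploaded_file() with wp_handle_upload() and sanitizes the $_FILES entry field by field (which also answers the earlier “$_FILES['file_1']” question), as an added example (not the poster's code and not from the Plugin Check project). It assumes WordPress is loaded, that the upload form was rendered with wp_nonce_field( 'demo_import', 'demo_import_nonce' ) and an input named file_1, and that the parsed rows go into a hypothetical option demo_imported_rows.

```php
<?php
// Added example, not the poster's code. Assumes WordPress is loaded, a form with
// wp_nonce_field( 'demo_import', 'demo_import_nonce' ) and <input type="file" name="file_1">.
// Function, option and nonce names are hypothetical.

function demo_handle_csv_import() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return new WP_Error( 'forbidden', 'Insufficient permissions.' );
	}
	if ( ! isset( $_POST['demo_import_nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['demo_import_nonce'] ), 'demo_import' ) ) {
		return new WP_Error( 'bad_nonce', 'Nonce check failed.' );
	}
	if ( empty( $_FILES['file_1'] ) || ! is_array( $_FILES['file_1'] ) ) {
		return new WP_Error( 'no_file', 'No file uploaded.' );
	}

	// Every key of the $_FILES entry is client-supplied except tmp_name; run each through a sanitizer
	// so the sniff sees sanitized reads and the handler never trusts the browser's name or type.
	$file = array(
		'name'     => isset( $_FILES['file_1']['name'] ) ? sanitize_file_name( wp_unslash( $_FILES['file_1']['name'] ) ) : '',
		'type'     => isset( $_FILES['file_1']['type'] ) ? sanitize_mime_type( wp_unslash( $_FILES['file_1']['type'] ) ) : '',
		'tmp_name' => isset( $_FILES['file_1']['tmp_name'] ) ? sanitize_text_field( wp_unslash( $_FILES['file_1']['tmp_name'] ) ) : '',
		'error'    => isset( $_FILES['file_1']['error'] ) ? absint( $_FILES['file_1']['error'] ) : UPLOAD_ERR_NO_FILE,
		'size'     => isset( $_FILES['file_1']['size'] ) ? absint( $_FILES['file_1']['size'] ) : 0,
	);

	// wp_handle_upload() is the WordPress replacement for move_uploaded_file(): it checks
	// is_uploaded_file(), the PHP error code, and the extension/MIME pair against the allowed
	// list, then moves the file into the uploads directory with a unique name.
	$overrides = array(
		'test_form' => false,
		'mimes'     => array( 'csv' => 'text/csv' ),
	);
	$result = wp_handle_upload( $file, $overrides );
	if ( isset( $result['error'] ) ) {
		return new WP_Error( 'upload_failed', $result['error'] );
	}

	$rows = demo_parse_csv( $result['file'] );
	wp_delete_file( $result['file'] ); // The data is in the option now; do not leave the upload behind.
	update_option( 'demo_imported_rows', $rows, false );
	return count( $rows );
}

// Read the CSV row by row and sanitize every cell before it is stored.
function demo_parse_csv( $path ) {
	$rows   = array();
	$handle = fopen( $path, 'r' );
	if ( false === $handle ) {
		return $rows;
	}
	while ( ( $fields = fgetcsv( $handle ) ) !== false ) {
		$rows[] = array_map( 'sanitize_text_field', $fields );
	}
	fclose( $handle );
	return $rows;
}
```

The direct fopen()/fgetcsv() calls in demo_parse_csv() are the kind of filesystem access WordPress.WP.AlternativeFunctions reports as a warning rather than an error; the WP_Filesystem API is the fully compliant route for a plugin that must come through the review with no warnings at all.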
I am having a hard time submitting my plugin for review. Kindly help me where can I upload the file for review and approval. Thank you!
This is my code:
$albums = $wpdb->get_results( "SELECT id, name FROM $wpdb->wppa_albums", ARRAY_A );
It produces 2 warnings:
– Use of a direct database call is discouraged.
– Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
What should I do with these messages? I have no idea how wp_cache_get() can be used here.
Note: My plugin wp-photo-album-plus creates and maintains various own db tables, like wppa_albums
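Wrapping a query against a plugin's own table in the object cache, with invalidation on the write path, as an added example (not the poster's code and not from the Plugin Check project). It assumes WordPress is loaded and that the plugin has set $wpdb->wppa_albums to its table name, as the posted query implies; the function names and cache group are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes WordPress is loaded and that the plugin
// has set $wpdb->wppa_albums to its table name; function names and the cache group are hypothetical.

// Read through the object cache. Without a persistent cache backend this is a per-request
// cache, which still collapses repeated calls on one page load; with Redis or Memcached it
// survives across requests, which is what the NoCaching warning is after.
function demo_get_albums() {
	global $wpdb;

	$cache_key = 'albums_all';
	$albums    = wp_cache_get( $cache_key, 'wppa' );
	if ( false !== $albums ) {
		return $albums;
	}

	// The table belongs to the plugin, so there is no WP API that could replace the query;
	// say so for the DirectQuery sniff instead of leaving the warning unexplained.
	// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery -- plugin-owned table.
	$albums = $wpdb->get_results( "SELECT id, name FROM {$wpdb->wppa_albums}", ARRAY_A );
	if ( null === $albums ) {
		$albums = array();
	}
	wp_cache_set( $cache_key, $albums, 'wppa', HOUR_IN_SECONDS );
	return $albums;
}

// Every write path must invalidate the entry, or readers get stale rows until the TTL expires.
function demo_rename_album( $album_id, $new_name ) {
	global $wpdb;

	// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery -- plugin-owned table.
	$updated = $wpdb->update(
		$wpdb->wppa_albums,
		array( 'name' => sanitize_text_field( $new_name ) ),
		array( 'id' => absint( $album_id ) ),
		array( '%s' ),
		array( '%d' )
	);
	wp_cache_delete( 'albums_all', 'wppa' );
	return $updated;
}
```

The cache key should change whenever the query's inputs change (a per-album lookup would use the id in the key), and every insert, update and delete on the table needs the matching wp_cache_delete(), which is the part that is easy to forget when the cache is bolted on afterwards.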
www.ads-software.com -> Plugin Check – Performance tab: are all the warnings optional or required?
Does anyone have a good suggestion for plugin upload guidelines?
Would be nice to have the option to be able to exclude files and folders when we check the plugins. In my dev env I have stuff I don’t publish when I make a release, e.g. .git, /node_modules etc., and I want it to be skipped when I run the check.
Since this is a developer-specific plugin it makes sense to be able to exclude files and folders when we run the checks, but no biggie, just a suggestion.
Thank you,
Krasen
Hi,
First, thanks for the new layout of the plugin check page.
Have version 1.0.1 installed. For all plugins a wrong warning is returned:
FILE: readme.txt
The plugin readme.txt does not exist.
Guido
What is going on?
Is this you?
Are you creating an admin account!!!
Should I be sending this to security?
on_mail_error : WP_Error Object (
    [errors] => Array (
        [wp_mail_failed] => Array (
            [0] => SMTP Error: Could not authenticate.
        )
    )
    [error_data] => Array (
        [wp_mail_failed] => Array (
            [to] => Array (
                [0] => [email protected]
            )
            [subject] => New WordPress Site
            [message] => Your new WordPress site has been successfully set up at: https://my-web.site You can log in to the administrator account with the following information: Username: plugincheck Password: qwerty123 Log in here: https://my-web.site/wp-login.php We hope you enjoy your new site. Thanks! –The WordPress Team https://www.ads-software.com/
            [headers] => Array ( )
            [attachments] => Array ( )
            [phpmailer_exception_code] => 0
        )
    )
    [additional_data:protected] => Array ( )
)
Hello team,
I am getting a notice from Plugin Check (PCP) version 0.2.2: Notice: Undefined index: argv in …/plugins/plugin-check/inc/class-phpcs-runner.php on line 126.
I replaced $_SERVER['argv']; with isset( $_SERVER['argv'] ) ? $_SERVER['argv'] : '';
Now it is ok.
Every plugin I choose for the check gives these 2 errors…
Failed check_against_phpcs.
Failed check_against_phpcs_review.
Can somebody tell me what this means and what I need to do to resolve it? I certainly feel that even if these error descriptions can’t be made more descriptive here, there needs to be somewhere where this can be detailed to better explain errors such as these.
Hello team,
Firstly, I’d like to extend my gratitude for creating this plugin. It’s an invaluable tool for developers like myself who aim to ensure our plugins adhere to WordPress standards.
However, I’ve come across a potential oversight that I wanted to bring to your attention. While reviewing one of my plugins, “Plugin Review” flagged the use of sanitize_url() as being deprecated since WordPress version 2.8.0, suggesting the use of esc_url_raw() instead.
Here is the full report:
WordPress.WP.DeprecatedFunctions.sanitize_urlFound, line 766 of file classes/index.php.
sanitize_url() has been deprecated since WordPress version 2.8.0. Use esc_url_raw() instead.
Upon checking the official WordPress documentation, I noticed that sanitize_url() was indeed deprecated in version 2.8.0 but was subsequently “Restored (un-deprecated)” in version 5.9.0.
It appears that the plugin might not be recognizing the restoration of this function in its checks. I wanted to share this feedback in the hopes that it might help in refining the plugin’s checks for future updates.
Thank you once again for your hard work on this essential tool. Looking forward to seeing it evolve further!
Warm regards,
Senol