I recently uploaded a plugin, BeePress (one-click import of WeChat official account articles). Since this was my first plugin, I basically wrote it in my usual coding style without following the development guidelines, so being rejected was to be expected. Still, I was surprised to receive such a detailed review; the WordPress reviewers are very conscientious, and I want to thank them here. Below I go through this reply and note the points that need attention, as notes for myself. I hope they help me in the future and serve as a reference for anyone who needs them.

Here is the email:

There are issues with your plugin code.

Please read this ENTIRE email, address all listed issues, and reply to this email with your corrected code attached. It is required for you to read and reply to these emails, and failure to do so will result in significant delays with your plugin being accepted.

Also please remember in addition to code quality, security and functionality, we require all plugins adhere to our guidelines. If you have not yet, please read them:

* https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/

The link above is the plugin development guidelines.

## Generic function (and/or define) names

Naming conventions

All plugins must have unique function names, defines, and classnames. This prevents your plugin from conflicting with other plugins or themes.

Keep names unique to avoid conflicts with other plugins or themes.

For example, if your plugin is called “Easy Custom Post Types”, then you might prefix your functions with ecpt_{your function name here}. Similarly a define of LICENSE would be better done as ECPT_LICENSE. You can use namespaces instead, however make sure that those also are unique. A namespace or class of ‘MyPlugin’ is NOT actually all that unique.

This extends to anything in a define. For example, if you were to use this, it would be a bad idea:

```php
define( 'PLUGIN_PATH', plugins_url( __FILE__ ) );
```

That define is a global, so PLUGIN_PATH could conflict with a number of other things.

Don’t try to use two letter slugs anymore. As of 2016, all the good ones are taken. Instead consider easy_cpts_ (from the first example).

Stop using two-letter prefixes.

Similarly, don’t use __ (double underscores), wp_ , or _ (single underscore) as a prefix. Those are reserved for WordPress itself. You can use them inside your classes, but not as a stand-alone function.

Don't use __ (double underscore), wp_, or _ (single underscore) as a prefix.

Please update your plugin to use more unique function and class names.

Below are the function names in my code that did not follow the convention.

Some examples from your plugin:

```php
function wx_insert_by_url
function downloadImage
```

## Please sanitize, escape, and validate your POST calls

Sanitize (clean), escape (encode), and validate data POSTed by users to avoid security problems.

When you include POST/GET/REQUEST calls in your plugin, it’s important to sanitize, validate, and escape them. The goal here is to prevent a user from accidentally sending trash data through the system, as well as protecting them from potential security issues.

SANITIZE: All instances where generated content is inserted into the database, or into a file, or being otherwise processed by WordPress, the data MUST be properly sanitized for security. By sanitizing your POST data when used to make action calls or URL redirects, you will lessen the possibility of XSS vulnerabilities. You should never have raw data inserted into the database, even by an update function, and even with a prepare() call.

VALIDATE: In addition to sanitization, you should validate all your calls. If a $_POST call should only be a number, ensure it’s an int() before you pass it through anything. Even if you’re sanitizing or using WordPress functions to ensure things are safe, we ask you please validate for sanity’s sake. Any time you are adding data to the database, it should be the right data.

ESCAPE: Similarly, when you’re outputting data, make sure to escape it properly, so it can’t hijack admin screens. There are many esc_*() functions you can use to make sure you don’t show people the wrong data.

In short: never trust data submitted by users.

In all cases, using stripslashes or strip_tags is not enough. You need to use the most appropriate method associated with the type of content you’re processing. Check that a URL is a URL and don’t just be lazy and use sanitize_text please. The ultimate goal is that you should ensure that invalid and unsafe data is NEVER processed or displayed. Clean everything, check everything, escape everything, and never trust the users to always have input sane data.

Please review this document and update your code accordingly: http://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data

Example:

```php
$changePostTime = isset($_REQUEST['change_post_time']) ? $_REQUEST['change_post_time'] : false;
```
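As an added example (not BeePress's code or the reviewers'), here is how the flagged `change_post_time` line and an article-URL field could be handled following the sanitize / validate / escape rule, inside a hypothetical admin form handler; the field names `source_url` and `category_id`, the nonce name and the `beepress_` prefix are assumptions.

```php
<?php
// Hypothetical handler for the plugin's import form (assumed form fields:
// change_post_time, source_url, category_id; nonce field beepress_nonce).
function beepress_handle_import_request() {
    // Authorization: only users allowed to publish may trigger an import.
    if ( ! current_user_can( 'publish_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'beepress' ) );
    }
    // CSRF protection: the form must carry a nonce created with
    // wp_nonce_field( 'beepress_import', 'beepress_nonce' ).
    check_admin_referer( 'beepress_import', 'beepress_nonce' );

    // VALIDATE: a checkbox is either on or off; coerce to a real boolean
    // instead of storing whatever string the request happened to contain.
    $change_post_time = isset( $_POST['change_post_time'] )
        && '1' === sanitize_text_field( wp_unslash( $_POST['change_post_time'] ) );

    // SANITIZE + VALIDATE: the article URL must be a real http(s) URL, not
    // just "text". esc_url_raw() is the variant for database/redirect use;
    // wp_http_validate_url() rejects anything that is not a fetchable URL.
    $source_url = isset( $_POST['source_url'] )
        ? esc_url_raw( wp_unslash( $_POST['source_url'] ) )
        : '';
    if ( '' === $source_url || false === wp_http_validate_url( $source_url ) ) {
        wp_die( esc_html__( 'Please enter a valid article URL.', 'beepress' ) );
    }

    // VALIDATE: a numeric field is forced to a non-negative integer.
    $category_id = isset( $_POST['category_id'] ) ? absint( $_POST['category_id'] ) : 0;

    // ... fetch the article and insert the post here, passing only these cleaned values ...

    // ESCAPE on output: never echo the raw request values back into the admin screen.
    printf(
        '<p>%s <code>%s</code></p>',
        esc_html__( 'Imported from:', 'beepress' ),
        esc_html( $source_url )
    );

    return array(
        'change_post_time' => $change_post_time,
        'source_url'       => $source_url,
        'category_id'      => $category_id,
    );
}
// Route form submissions with action=beepress_import to the handler.
add_action( 'admin_post_beepress_import', 'beepress_handle_import_request' );
```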

## Please use wp_enqueue commands

Front-end styles and JS scripts should be loaded with wp_enqueue rather than written directly into the code as tags.

Your plugin is using `<style>` and/or `<link>` tags to insert CSS/JS

You should be using the built in functions for this:

https://codex.wordpress.org/Function_Reference/wp_enqueue_script
https://codex.wordpress.org/Function_Reference/wp_enqueue_style

If you’re trying to enqueue on the admin pages, you’ll want to use the admin enqueues:

https://codex.wordpress.org/Plugin_API/Action_Reference/admin_enqueue_scripts
https://codex.wordpress.org/Plugin_API/Action_Reference/admin_print_scripts
https://codex.wordpress.org/Plugin_API/Action_Reference/admin_print_styles

## Including (or calling) javascript files included in WP core

WordPress already bundles many common JS libraries, such as jQuery, so there is no need to reference a third-party copy yourself.

Your plugin has included (or called it remotely, probably from Google or jquery.com) your own copy of a javascript file that WordPress already includes.

WordPress includes its own version of many javascript files, which have all been rigorously tested with WP and many of the most common plugins. In order to provide the best compatibility and experience for our users, we ask that you not package your own (especially not an older version) and instead use wp_enqueue_script() to pull in WordPress’s version.

To reiterate:

* DO NOT include your own copy of javascript files that are already included in WordPress Core
* DO NOT make remote calls to javascript files that are already included in WordPress Core

Do not include JS files that already exist inside WordPress, whether as your own copy or called remotely.

Please review the following link to understand how to properly include javascript, learn what files we provide out of the box, and update your plugin accordingly.

https://developer.wordpress.org/reference/functions/wp_enqueue_script/

If the file you’re trying to use isn’t a part of WordPress core, then you should include the missing file(s) -locally- in your plugin, not remotely. Please check first. We have a LOT of JS files 🙂

If your code doesn’t work with the built-in versions of jQuery, it’s most likely a no conflict issue.

You call https://cdn.staticfile.org/jquery/3.1.1/jquery.js

Because I didn't know WordPress already bundles jQuery, and didn't know that external libraries must not be called, I simply referenced it directly for convenience.
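As an added example (not BeePress's code) covering both the wp_enqueue section and the bundled-jQuery section above, this is how the plugin's admin CSS/JS could be registered on the `admin_enqueue_scripts` hook, depending on the core `jquery` handle instead of the CDN copy; the asset file names, the page hook suffix and the `beepress_` prefix are assumptions, and the prefix also follows the naming rule from the first section.

```php
<?php
// Unique, prefixed define instead of a generic PLUGIN_PATH (see the naming section).
if ( ! defined( 'BEEPRESS_PLUGIN_URL' ) ) {
    define( 'BEEPRESS_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
}

function beepress_admin_enqueue_assets( $hook_suffix ) {
    // Only load on the plugin's own admin page (slug assumed), not on every
    // admin screen; admin_enqueue_scripts passes the current page hook.
    if ( 'toplevel_page_beepress' !== $hook_suffix ) {
        return;
    }

    // Replaces a hand-written <link> tag: WordPress prints the tag itself.
    wp_enqueue_style(
        'beepress-admin',
        BEEPRESS_PLUGIN_URL . 'assets/admin.css',
        array(),
        '1.0.0'
    );

    // Replaces the remote https://cdn.staticfile.org/... jQuery plus a
    // <script> tag: declaring the core 'jquery' handle as a dependency makes
    // WordPress load its own tested jQuery before assets/admin.js.
    wp_enqueue_script(
        'beepress-admin',
        BEEPRESS_PLUGIN_URL . 'assets/admin.js',
        array( 'jquery' ),
        '1.0.0',
        true // print in the footer
    );
}
add_action( 'admin_enqueue_scripts', 'beepress_admin_enqueue_assets' );

// assets/admin.js (assumed file) should wrap its code as
//     jQuery( function( $ ) { /* $ is safe to use in here */ } );
// because core jQuery runs in noConflict mode and does not define a global $,
// which is the "no conflict issue" the reviewers mention.
```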

---

Please make sure you’ve addressed ALL issues brought up in this email. When you’ve corrected your code, reply to this email with the updated code attached as a zip, or provide a link to the new code for us to review. If you have questions, concerns, or need clarification, please reply to this email and just ask us.

(While we have tried to make this review as exhaustive as possible we, like you, are humans and may have missed things. As such, we will re-review the ENTIRE plugin when you send it back to us. We appreciate your patience and understanding in this.)

Update

2017-03-28

Rejected again

We missed an issue in your vender folder.

## Including full vendor folders

Your plugin includes the vendor folders (like Bower or Node folders). You really don’t need to do this. The entire library isn’t going to be used by your users, and having all those files included is just extra weight to a plugin. Please remove them and ONLY include the files you need.

If you look in vender/simplehtmldom you have a test case folder, as well as example AND manual. Please delete the code you’re not using, as they can be security holes.

Remove unused files.