Add ruleset for WordPress (#5)

Author: tfirdaus

README.md

@@ -1,10 +1,10 @@
 <div align="center">
   <strong>💅 phpcs-ruleset</strong>
-  <p>PHP Coding Standard applied to Syntatis projects</p>
+  <p>Curated Coding Standards for PHP and WordPress</p>
 
   ![Packagist PHP Version](https://img.shields.io/packagist/dependency-v/syntatis/coding-standard/php)
 </div>
 
 ---
 
-A collection of rulesets to apply standard PHP coding practices across Syntatis projects. The rulesets are based on some established PHP coding standards, such as [PSR-12](https://www.php-fig.org/psr/psr-12/), [Doctrine](https://github.com/doctrine/coding-standard), [Slevomat](https://github.com/slevomat/coding-standard), and are extended with a few additional rules to suit with the specific projects' needs.
+A collection of rulesets to apply standard PHP coding practices. The rulesets are based on some established PHP coding standards, such as [PSR-12](https://www.php-fig.org/psr/psr-12/), [Doctrine](https://github.com/doctrine/coding-standard), [Slevomat](https://github.com/slevomat/coding-standard), and are extended with a few additional rules to suit with the specific projects' needs.

Syntatis/ruleset.xml

@@ -3,43 +3,33 @@
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd"
 	name="Syntatis">
-	<description>PHP Coding Standard</description>
+	<description>Curated Coding Standard for PHP</description>
 
-	<!-- Use colors in output -->
-	<arg name="colors"/>
+	<!--
+		Trigger error if PHPCSUtils cannot be found.
+		PHPCSUtils does not contain any sniffs, so this rule isn't strictly necessary, but
+		by having this here anyway, if PHPCSUtils is missing, the user will get a
+		descriptive error message during the loading of the ruleset instead of
+		a fatal "class not found" error once the sniffs start running.
+	-->
+	<rule ref="PHPCSUtils"/>
 
-	<!-- Show progress of the run -->
-	<arg value="p"/>
-
-	<!-- Show sniff codes in all reports -->
-	<arg value="s"/>
-
-	<!-- Only check files with PHP extension -->
-	<arg name="extensions" value="php"/>
-
-	<!-- Show the warning but exit with 0. The Warning is fine -->
-	<config name="ignore_warnings_on_exit" value="1"/>
-
-	<!-- Include full Doctrine Coding Standard -->
+	<!-- Doctrine and Slevomat rules -->
 	<rule ref="Doctrine">
 		<exclude name="Generic.Formatting.MultipleStatementAlignment"/>
 		<exclude name="Generic.WhiteSpace.DisallowTabIndent"/>
 		<exclude name="SlevomatCodingStandard.Classes.SuperfluousExceptionNaming"/>
 		<exclude name="SlevomatCodingStandard.PHP.RequireExplicitAssertion"/>
 
-		<!-- Some of the projects still require to support PHP 7.4 which does not support the follow features -->
+		<!-- Skip features not in PHP 7.4 -->
 		<exclude name="SlevomatCodingStandard.Classes.RequireConstructorPropertyPromotion"/>
 		<exclude name="SlevomatCodingStandard.Functions.RequireTrailingCommaInDeclaration"/>
 	</rule>
 	<rule ref="SlevomatCodingStandard.Commenting.DocCommentSpacing">
 		<properties>
 			<property name="annotationsGroups" type="array">
 				<element value="@phpcsSuppress"/>
-				<!--
-					Tests annotation
-					@link https://phpunit.readthedocs.io/en/7.0/annotations.html
-					The @author annotation is excluded from the list, use @group or @ticket instead.
-              	-->
+				<!-- PHPUnit annotations (see link) -->
 				<element value="
 					@after,
 					@afterClass,
@@ -68,8 +58,15 @@
 					@ticket,
 					@uses"
 					/>
-				<!-- Psalm annotations essentially overrides PHP docBlocks -->
-				<element value="@phpstan-consistent-constructor, @phpstan-import-type, @phpstan-type, @psalm-consistent-constructor, @psalm-import-type, @phpstan-type"/>
+				<!-- Psalm & PHPStan annotations -->
+				<element value="
+					@phpstan-consistent-constructor,
+					@phpstan-import-type,
+					@phpstan-type,
+					@psalm-consistent-constructor,
+					@psalm-import-type,
+					@psalm-type"
+					/>
 				<element value="@template, @template-implements, @template-extends"/>
 				<element value="@example, @see, @link, @todo"/>
 				<element value="@method, @property"/>
@@ -86,20 +83,121 @@
 		<exclude-pattern>/tests/</exclude-pattern>
 	</rule>
 
-	<!-- Generic -->
-	<rule ref="Generic.Files.LineLength">
-		<properties>
-			<property name="ignoreComments" value="true"/>
-		</properties>
+	<!-- Avoid using the "goto" statement -->
+	<rule ref="Generic.PHP.DiscourageGoto">
+		<type>error</type>
+		<message>The "goto" language construct should not be used.</message>
 	</rule>
+
+	<!-- "eval()" is a security risk, so don't use it -->
+	<rule ref="Squiz.PHP.Eval.Discouraged">
+		<type>error</type>
+		<message>eval() is a security risk so not allowed.</message>
+	</rule>
+
+	<!-- PHP tags for multiline PHP code in HTML should be on their own lines -->
+	<rule ref="Squiz.PHP.EmbeddedPhp"/>
+
+	<!-- Always use full PHP tags, not shorthand -->
+	<rule ref="Generic.PHP.DisallowShortOpenTag"/>
+	<rule ref="Generic.PHP.DisallowAlternativePHPTags"/>
+
+	<!-- Prefer require[_once] for unconditional includes -->
+	<rule ref="PEAR.Files.IncludingFile.UseRequire">
+		<type>warning</type>
+	</rule>
+	<rule ref="PEAR.Files.IncludingFile.UseRequireOnce">
+		<type>warning</type>
+	</rule>
+	<!-- Prevent issues with content before headers -->
+	<rule ref="Generic.Files.ByteOrderMark"/>
+
+	<!-- Magic constants (__*__) should be uppercase -->
+	<rule ref="Universal.Constants.UppercaseMagicConstants"/>
+
+	<!-- The ::class keyword should be lowercase -->
+	<rule ref="Universal.Constants.LowercaseClassResolutionKeyword"/>
+
+	<!-- Only one namespace declaration per file -->
+	<rule ref="Universal.Namespaces.OneDeclarationPerFile"/>
+
+	<!-- Don't use curly brace syntax for namespaces -->
+	<rule ref="Universal.Namespaces.DisallowCurlyBraceSyntax"/>
+
+	<!-- No explicit global namespace declarations -->
+	<rule ref="Universal.Namespaces.DisallowDeclarationWithoutName"/>
+
+	<!-- Prefer __DIR__ over dirname(__FILE__) and use dirname(__DIR__, $levels) over nested dirname() -->
+	<rule ref="Modernize.FunctionCalls.Dirname"/>
+
+	<!-- Avoid ambiguous conditions -->
+	<rule ref="Generic.CodeAnalysis.RequireExplicitBooleanOperatorPrecedence"/>
+
+	<!-- Use real tabs and not spaces. -->
 	<rule ref="Generic.WhiteSpace.DisallowSpaceIndent"/>
-	<rule ref="Generic.WhiteSpace.ScopeIndent">
+	<rule ref="Universal.WhiteSpace.PrecisionAlignment"/>
+
+	<!-- Ensure functions use all passed parameters -->
+	<rule ref="Generic.CodeAnalysis.UnusedFunctionParameter">
+		<!-- Allow for callbacks that may not use all parameters -->
+		<exclude name="Generic.CodeAnalysis.UnusedFunctionParameter.FoundBeforeLastUsed"/>
+		<!-- Allow for extended class/interface functions -->
+		<exclude name="Generic.CodeAnalysis.UnusedFunctionParameter.FoundInExtendedClass"/>
+		<exclude name="Generic.CodeAnalysis.UnusedFunctionParameter.FoundInExtendedClassBeforeLastUsed"/>
+		<exclude name="Generic.CodeAnalysis.UnusedFunctionParameter.FoundInExtendedClassAfterLastUsed"/>
+		<exclude name="Generic.CodeAnalysis.UnusedFunctionParameter.FoundInImplementedInterface"/>
+		<exclude name="Generic.CodeAnalysis.UnusedFunctionParameter.FoundInImplementedInterfaceBeforeLastUsed"/>
+		<exclude name="Generic.CodeAnalysis.UnusedFunctionParameter.FoundInImplementedInterfaceAfterLastUsed"/>
+	</rule>
+
+	<!-- All line endings should be \n. -->
+	<rule ref="Generic.Files.LineEndings">
 		<properties>
-			<property name="indent" value="4" />
-			<property name="tabIndent" value="true" />
+			<property name="eolChar" value="\n"/>
 		</properties>
 	</rule>
-	<rule ref="Generic.Files.LineLength.TooLong">
-		<exclude-pattern>/tests/</exclude-pattern>
+
+	<!-- Don't commit commented-out code -->
+	<rule ref="Squiz.PHP.CommentedOutCode">
+		<properties>
+			<property name="maxPercentage" value="40"/>
+		</properties>
 	</rule>
+
+	<!-- Always have a lowertag PHP open tag. -->
+	<rule ref="Universal.PHP.LowercasePHPTag"/>
+
+	<!-- Check for duplicate array keys -->
+	<rule ref="Universal.Arrays.DuplicateArrayKey"/>
+
+	<!-- No return types for constructors/destructors, or returning values -->
+	<rule ref="Universal.CodeAnalysis.ConstructorDestructorReturn"/>
+
+	<!-- Detect foreach loops using the same variable for key and value -->
+	<rule ref="Universal.CodeAnalysis.ForeachUniqueAssignment"/>
+
+	<!-- Use self instead of static in final classes -->
+	<rule ref="Universal.CodeAnalysis.StaticInFinalClass"/>
+
+	<!-- Avoid if statements as the only statement in an else block -->
+	<rule ref="Universal.ControlStructures.DisallowLonelyIf"/>
+
+	<!-- Separate functions and object-oriented code -->
+	<rule ref="Universal.Files.SeparateFunctionsFromOO"/>
+
+	<!-- Detect useless "echo sprintf(...)" -->
+	<rule ref="Universal.CodeAnalysis.NoEchoSprintf"/>
+
+	<!-- Avoid double negatives "!!" -->
+	<rule ref="Universal.CodeAnalysis.NoDoubleNegative"/>
+
+	<!-- Avoid reserved keywords as function parameter names. -->
+	<rule ref="Universal.NamingConventions.NoReservedKeywordParameterNames"/>
+
+	<!-- General PHP best practices -->
+	<rule ref="Generic.PHP.BacktickOperator"/>
+	<rule ref="Universal.UseStatements.NoUselessAliases"/>
+	<rule ref="Squiz.Functions.FunctionDuplicateArgument"/>
+	<rule ref="Squiz.PHP.DisallowSizeFunctionsInLoops"/>
+	<rule ref="Squiz.Operators.IncrementDecrementUsage"/>
 </ruleset>

SyntatisWP/ruleset.xml

@@ -0,0 +1,112 @@
+<?xml version="1.0"?>
+<ruleset
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/squizlabs/PHP_CodeSniffer/master/phpcs.xsd"
+	name="SyntatisWP"
+	>
+	<description>Curated Coding Standard for WordPress</description>
+
+	<rule ref="Syntatis"/>
+
+	<!-- Use lowercase letters for variable, action/filter, and function names. Separate words with underscores. -->
+	<rule ref="WordPress.NamingConventions.ValidFunctionName"/>
+	<rule ref="WordPress.NamingConventions.ValidHookName"/>
+
+	<!-- Avoid direct database access. -->
+	<rule ref="WordPress.DB.RestrictedFunctions"/>
+	<rule ref="WordPress.DB.RestrictedClasses"/>
+
+	<!-- Escape data as close to the query as possible, ideally using $wpdb->prepare(). -->
+	<rule ref="WordPress.DB.PreparedSQL"/>
+
+	<!-- In $wpdb->prepare, use %s for strings and %d for integers. These placeholders are not quoted! -->
+	<rule ref="WordPress.DB.PreparedSQLPlaceholders"/>
+
+	<!-- create_function() is deprecated in PHP 7.2 and removed in PHP 8.0. Do not use it. -->
+	<rule ref="WordPress.PHP.RestrictedPHPFunctions"/>
+
+	<!-- Use Perl-compatible regular expressions instead of POSIX ones. -->
+	<rule ref="WordPress.PHP.POSIXFunctions"/>
+
+	<!-- Ensure proper use of WordPress internationalization functions. -->
+	<rule ref="WordPress.WP.I18n"/>
+
+	<!-- Ensure correct spelling of "WordPress". -->
+	<rule ref="WordPress.WP.CapitalPDangit"/>
+
+	<!-- Use appropriate DateTime functions. See: https://github.com/WordPress/WordPress-Coding-Standards/issues/1713 -->
+	<rule ref="WordPress.DateTime.RestrictedFunctions"/>
+
+	<!-- Don't use current_time() to get a timestamp. -->
+	<rule ref="WordPress.DateTime.CurrentTimeTimestamp"/>
+
+	<!-- Ensure class name references use the correct case. -->
+	<rule ref="WordPress.WP.ClassNameCase"/>
+
+	<rule ref="WordPress.Security.EscapeOutput"/>
+
+	<!-- Prefer wp_safe_redirect() to avoid open redirect vulnerabilities. See: https://github.com/WordPress/WordPress-Coding-Standards/pull/1264 -->
+	<rule ref="WordPress.Security.SafeRedirect"/>
+
+	<!-- Verify nonce checks before using values in superglobals. See: https://github.com/WordPress/WordPress-Coding-Standards/issues/73 -->
+	<rule ref="WordPress.Security.NonceVerification"/>
+
+	<rule ref="WordPress.PHP.DevelopmentFunctions"/>
+	<rule ref="WordPress.PHP.DiscouragedPHPFunctions"/>
+	<rule ref="WordPress.WP.DeprecatedFunctions"/>
+	<rule ref="WordPress.WP.DeprecatedClasses"/>
+	<rule ref="WordPress.WP.DeprecatedParameters"/>
+	<rule ref="WordPress.WP.DeprecatedParameterValues"/>
+	<rule ref="WordPress.WP.AlternativeFunctions"/>
+	<rule ref="WordPress.WP.DiscouragedConstants"/>
+	<rule ref="WordPress.WP.DiscouragedFunctions"/>
+
+	<!-- Verify correct use of capabilities. -->
+	<rule ref="WordPress.WP.Capabilities"/>
+
+	<!-- Scripts and styles should be enqueued. -->
+	<rule ref="WordPress.WP.EnqueuedResources"/>
+
+	<!-- Warn against overriding WordPress global variables. -->
+	<rule ref="WordPress.WP.GlobalVariablesOverride"/>
+
+	<!-- Detect incorrect or risky use of ini_set(). -->
+	<rule ref="WordPress.PHP.IniSet"/>
+
+	<!-- Ensure styles and scripts have version and in_footer parameters set when enqueuing or registering. -->
+	<rule ref="WordPress.WP.EnqueuedResourceParameters"/>
+
+	<!-- Make translators comment check stricter than the core one. -->
+	<rule ref="WordPress.WP.I18n.MissingTranslatorsComment">
+		<type>error</type>
+	</rule>
+	<rule ref="WordPress.WP.I18n.TranslatorsCommentWrongStyle">
+		<type>error</type>
+	</rule>
+
+	<!-- Ensure everything in the global namespace is prefixed. -->
+	<rule ref="WordPress.NamingConventions.PrefixAllGlobals"/>
+
+	<!-- Ensure post type slugs have valid characters, length, and don't use reserved keywords. -->
+	<rule ref="WordPress.NamingConventions.ValidPostTypeSlug"/>
+
+	<!-- Check for some regex best practices. -->
+	<rule ref="WordPress.PHP.PregQuoteDelimiter"/>
+
+	<!-- The Core ruleset respects the PHP allowed functions list. -->
+	<rule ref="WordPress.PHP.NoSilencedErrors">
+		<properties>
+			<property name="usePHPFunctionsList" value="false"/>
+		</properties>
+	</rule>
+
+	<!-- Prevent common mistakes. -->
+	<rule ref="WordPress.CodeAnalysis.EscapedNotTranslated"/>
+
+	<!-- General best practices -->
+	<rule ref="WordPress.PHP.DontExtract"/>
+	<rule ref="WordPress.PHP.StrictInArray"/>
+	<rule ref="WordPress.Security.PluginMenuSlug"/>
+	<rule ref="WordPress.WP.CronInterval"/>
+	<rule ref="WordPress.WP.PostsPerPage"/>
+</ruleset>

composer.json

@@ -1,7 +1,7 @@
 {
 	"name": "syntatis/coding-standard",
 	"type": "phpcodesniffer-standard",
-	"description": "PHP Coding Standard applied to Syntatis projects",
+	"description": "Curated Coding Standards for PHP and WordPress",
 	"license": "MIT",
 	"keywords": [
 		"php",
@@ -19,7 +19,8 @@
 	"require": {
 		"php": ">=7.4",
 		"dealerdirect/phpcodesniffer-composer-installer": "^1.0",
-		"doctrine/coding-standard": "^12.0"
+		"doctrine/coding-standard": "^12.0",
+		"wp-coding-standards/wpcs": "^3.0"
 	},
 	"config": {
 		"allow-plugins": {