Add a PHPCS configuration and fix or silence all current warnings/errors

The main functional change is that PUC will now use shorter HTTP request timeouts when not running inside a Cron task. This is to comply with the WP VIP coding standard that strongly recommends a maximum timeout of 3 seconds. Prompted by #107
2025-10-04 00:47:33 +08:00 · 2023-05-01 12:28:55 +03:00 · 2023-05-01 12:28:55 +03:00 · 579d537926
commit 579d537926
parent a42e1e7346
9 changed files with 39 additions and 7 deletions
--- a/Puc/v5p0/DebugBar/Panel.php
+++ b/Puc/v5p0/DebugBar/Panel.php
@ -160,11 +160,18 @@ if ( !class_exists(Panel::class, false) && class_exists('Debug_Bar_Panel', false

 		public function row($name, $value) {
 			if ( is_object($value) || is_array($value) ) {
+				//This is specifically for debugging, so print_r() is fine.
+				//phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r
 				$value = '<pre>' . htmlentities(print_r($value, true)) . '</pre>';
 			} else if ($value === null) {
 				$value = '<code>null</code>';
 			}
-			printf('<tr><th scope="row">%1$s</th> <td>%2$s</td></tr>', $name, $value);
+			printf(
+				'<tr><th scope="row">%1$s</th> <td>%2$s</td></tr>',
+				esc_html($name),
+				//phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaped above.
+				$value
+			);
 		}
 	}

--- a/Puc/v5p0/Scheduler.php
+++ b/Puc/v5p0/Scheduler.php
@ -49,6 +49,7 @@ if ( !class_exists(Scheduler::class, false) ):
 				} else {
 					//Use a custom cron schedule.
 					$scheduleName = 'every' . $this->checkPeriod . 'hours';
+					//phpcs:ignore WordPress.WP.CronInterval.ChangeDetected -- WPCS fails to parse the callback.
 					add_filter('cron_schedules', array($this, '_addCustomSchedule'));
 				}

@ -79,6 +80,7 @@ if ( !class_exists(Scheduler::class, false) ):
 				//Like WordPress itself, we check more often on certain pages.
 				/** @see wp_update_plugins */
 				add_action('load-update-core.php', array($this, 'maybeCheckForUpdates'));
+				//phpcs:ignore Squiz.PHP.CommentedOutCode.Found -- Not actually code, just file names.
 				//"load-update.php" and "load-plugins.php" or "load-themes.php".
 				$this->hourlyCheckHooks = array_merge($this->hourlyCheckHooks, $hourlyHooks);
 				foreach($this->hourlyCheckHooks as $hook) {
--- a/Puc/v5p0/UpdateChecker.php
+++ b/Puc/v5p0/UpdateChecker.php
@ -9,7 +9,7 @@ if ( !class_exists(UpdateChecker::class, false) ):
 	abstract class UpdateChecker {
 		protected $filterSuffix = '';
 		protected $updateTransient = '';
-		protected $translationType = ''; //"plugin" or "theme".
+		protected $translationType = ''; //This can be "plugin" or "theme".

 		/**
 		 * Set to TRUE to enable error reporting. Errors are raised using trigger_error()
@ -660,7 +660,7 @@ if ( !class_exists(UpdateChecker::class, false) ):

 			//Various options for the wp_remote_get() call. Plugins can filter these, too.
 			$options = array(
-				'timeout' => 10, //seconds
+				'timeout' => wp_doing_cron() ? 10 : 3,
 				'headers' => array(
 					'Accept' => 'application/json',
 				),
--- a/Puc/v5p0/UpgraderStatus.php
+++ b/Puc/v5p0/UpgraderStatus.php
@ -11,7 +11,7 @@ if ( !class_exists(UpgraderStatus::class, false) ):
 	 * This class uses a few workarounds and heuristics to get the file name.
 	 */
 	class UpgraderStatus {
-		private $currentType = null; //"plugin" or "theme".
+		private $currentType = null; //This must be either "plugin" or "theme".
 		private $currentId = null;   //Plugin basename or theme directory name.

 		public function __construct() {
--- a/Puc/v5p0/Vcs/BitBucketApi.php
+++ b/Puc/v5p0/Vcs/BitBucketApi.php
@ -210,7 +210,7 @@ if ( !class_exists(BitBucketApi::class, false) ):
 				$url = $this->oauth->sign($url,'GET');
 			}

-			$options = array('timeout' => 10);
+			$options = array('timeout' => wp_doing_cron() ? 10 : 3);
 			if ( !empty($this->httpFilterName) ) {
 				$options = apply_filters($this->httpFilterName, $options);
 			}
--- a/Puc/v5p0/Vcs/GitHubApi.php
+++ b/Puc/v5p0/Vcs/GitHubApi.php
@ -248,7 +248,7 @@ if ( !class_exists(GitHubApi::class, false) ):
 			$baseUrl = $url;
 			$url = $this->buildApiUrl($url, $queryParams);

-			$options = array('timeout' => 10);
+			$options = array('timeout' => wp_doing_cron() ? 10 : 3);
 			if ( $this->isAuthenticationEnabled() ) {
 				$options['headers'] = array('Authorization' => $this->getAuthorizationHeader());
 			}
--- a/Puc/v5p0/Vcs/GitLabApi.php
+++ b/Puc/v5p0/Vcs/GitLabApi.php
@ -260,7 +260,7 @@ if ( !class_exists(GitLabApi::class, false) ):
 			$baseUrl = $url;
 			$url = $this->buildApiUrl($url, $queryParams);

-			$options = array('timeout' => 10);
+			$options = array('timeout' => wp_doing_cron() ? 10 : 3);
 			if ( !empty($this->httpFilterName) ) {
 				$options = apply_filters($this->httpFilterName, $options);
 			}
--- a/js/debug-bar.js
+++ b/js/debug-bar.js
@ -14,6 +14,8 @@ jQuery(function($) {
 				_wpnonce: panel.data('nonce')
 			},
 			function(data) {
+				//The response contains HTML that should already be escaped in server-side code.
+				//phpcs:ignore WordPressVIPMinimum.JS.HTMLExecutingFunctions.html
 				responseBox.html(data);
 			},
 			'html'
--- a/phpcs.xml
+++ b/phpcs.xml
@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+<ruleset name="PUC_PHPCS_Settings">
+    <description>PHPCS settings for Plugin Update Checker</description>
+
+    <arg name="basepath" value="."/>
+    <arg name="warning-severity" value="5"/>
+    <arg name="error-severity" value="5"/>
+    <arg value="sp"/>
+    
+    <!-- Check the current directory by default -->
+    <file>./</file>
+    
+    <!-- Include the WordPress-VIP-Go standard -->
+    <rule ref="WordPress-VIP-Go">
+		<!-- This library is not exclusive to WP VIP, so it doesn't use vip_safe_wp_remote_get() and such. -->
+		<exclude name="WordPressVIPMinimum.Functions.RestrictedFunctions.wp_remote_get_wp_remote_get" />
+    </rule>
+    
+    <!-- Exclude external and third-party libraries -->
+    <exclude-pattern type="relative">^vendor/*</exclude-pattern>
+</ruleset>