fix: resolve all PHPCS violations for WordPress coding standards#866
Merged
fix: resolve all PHPCS violations for WordPress coding standards#866
Conversation
Address all errors and warnings from `composer cs` to enable strict enforcement in CI. The php-lint workflow now fails on coding standards violations instead of using continue-on-error. Changes include: - Add phpcs:ignore comments for legitimate exceptions (nonce verification on public ICS feeds with secret key validation, input sanitization handled by dedicated sanitize_filter() methods, legacy method names) - Replace strip_tags() with wp_strip_all_tags() per WordPress standards - Add missing 'edit-flow' text domains for i18n functions - Add doc comments for class member variables - Fix inline comment formatting (periods at end) - Use phpcs:disable/enable blocks for form sections with proper escaping 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
GaryJones
added
the
type: maintenance
Merged
GaryJones
added a commit
that referenced
this pull request
Jan 7, 2026
The nonce verification in save_post_subscriptions() was using the wrong
action string ('editpost'), which caused WordPress to reject legitimate
save requests from users with Editor role when using Classic Editor.
Classic Editor's edit form nonces use 'update-post_{$post_id}' as the
action, so the verification must match this to prevent "Cheatin' uh?"
errors on post save.
This regression was introduced in the PHPCS fixes (PR #866) and broke
existing functionality for Editor role users, as reported on the
WordPress.org support forums.
The fix ensures compatibility with Classic Editor whilst maintaining
the security benefits of nonce verification. Integration tests verify
the nonce check now correctly accepts Classic Editor nonces and rejects
those created with the wrong action.
Fixes: https://wordpress.org/support/topic/upgrading-to-0-10-0-breaks-funtionality-for-editor-role/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
3 tasks
GaryJones
added a commit
that referenced
this pull request
Jan 7, 2026
The nonce verification in save_post_subscriptions() was using the wrong
action string ('editpost'), which caused WordPress to reject legitimate
save requests from users with Editor role when using Classic Editor.
Classic Editor's edit form nonces use 'update-post_{$post_id}' as the
action, so the verification must match this to prevent "Cheatin' uh?"
errors on post save.
This regression was introduced in the PHPCS fixes (PR #866) and broke
existing functionality for Editor role users, as reported on the
WordPress.org support forums.
The fix ensures compatibility with Classic Editor whilst maintaining
the security benefits of nonce verification. Integration tests verify
the nonce check now correctly accepts Classic Editor nonces and rejects
those created with the wrong action.
Fixes: https://wordpress.org/support/topic/upgrading-to-0-10-0-breaks-funtionality-for-editor-role/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The codebase contained numerous violations of WordPress-VIP-Go and WordPress-Extra coding standards that were being silently ignored in CI. The php-lint workflow had
continue-on-error: trueenabled for PHPCS checks, meaning coding standards failures wouldn't prevent merges or alert developers to issues. This allowed technical debt to accumulate and made it harder to maintain consistent code quality across the project.Running
composer csrevealed 37 files with violations spanning core modules, common utilities, and test files. These violations included missing text domains for internationalisation, improper escaping practices, use of deprecated WordPress functions, inconsistent documentation, and formatting issues that reduced code readability.Solution
This change addresses all PHPCS errors and warnings to bring the codebase into full compliance with WordPress-VIP-Go and WordPress-Extra standards, and removes the
continue-on-errorflag from the CI workflow to enforce strict standards checking going forward.The fixes fall into several categories:
Security and nonce handling: Added
phpcs:ignoreannotations for legitimate exceptions where nonce verification isn't required (such as public ICS calendar feeds that use secret key validation instead) and where input sanitization is properly handled through dedicatedsanitize_filter()methods rather than generic WordPress functions.WordPress coding standards: Replaced all instances of
strip_tags()withwp_strip_all_tags()to align with WordPress best practices for HTML stripping. This provides better XSS protection and consistency with the WordPress ecosystem.Internationalisation: Added missing 'edit-flow' text domains to all i18n function calls, ensuring proper translation support throughout the plugin.
Documentation: Added comprehensive doc comments for class member variables that were previously undocumented, improving code maintainability and IDE support.
Code formatting: Fixed inline comment formatting to end with periods per WordPress standards, and applied consistent spacing and indentation throughout.
Form handling: Used
phpcs:disable/phpcs:enableblocks around form sections where proper escaping is already in place but would otherwise trigger false positives.With these changes, the CI workflow now enforces coding standards strictly, preventing future violations from being introduced whilst maintaining all existing functionality.