How to Code Review a WPLib-based Website

This document provides a roadmap for reviewing the code of a WPLib-based website.

Questions? Concerns? Need Help?

If you have any questions whatsoever, please either email team@wplib.org with your questions or for access to wplib.slack.com where we can much more easily discuss your questions and concerns than via email.

If your need is not urgent feel free to post an issue on GitHub instead, although please do reach out and ask to be included in our Slack chatroom too.

Prerequisite

Your prerequisite is to understand the structure of an existing WPLib-based website. Once you've gotten your head around WPLib conventions, you can dive in.

Scope

This document is primarily concerned with the PHP code, MySQL queries and HTML output of a WordPress-based website. We do not attempt to address JavaScript here because WPLib does not currently offer architectural solutions for JavaScript that differ from standard WordPress development practices.

Other Techniques Still Apply

We don't attempt to cover what is needed for a standard WordPress website code review. This document covers only the review steps that are specific to WPLib, i.e. the parts WPLib makes different or easier.

Items to Review

The following are the items you need to review in a manner that is different from how you would review a typically-coded WordPress site.

Auto-Escaped Virtual Output Methods

Any "virtually implemented" output method — i.e. those prefixed with the_ — will be automatically escaped as per their suffix according to this table:

Suffix                  Auto-Escaping Function
_html()                 wp_kses_post()
_link()                 wp_kses_post()
_attr()                 esc_attr()
_url()                  esc_url()
No well-known suffix    esc_html()

This escaping cannot be bypassed using a filter or otherwise, except with the Hardcoded Output Methods covered next.

Hardcoded Output Methods

Any explicitly implemented (hardcoded) method prefixed with the_, whether it is a static method of an App or Module or a method of a View instance, must be written by the backend developer to generate properly escaped output, because such a method does not receive the automatic escaping described above.

Look for these methods during code review and review them for proper output escaping.

Reviewing hardcoded output methods is where 1/2 of your code review effort will likely be.
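As an added example (not WPLib's own code), here is a small Python review helper that applies the suffix table above to explicitly implemented the_ methods: it lists each hardcoded method whose body contains no escaping call, or whose escaper does not match what its suffix implies. The sample PHP module is constructed for the example; the helper is a heuristic that points a reviewer at methods to read, not a substitute for reading them.

```python
import re

# Suffix -> escaper WPLib applies to virtual the_* methods (the table above).
SUFFIX_ESCAPERS = {"_html": "wp_kses_post", "_link": "wp_kses_post",
                   "_attr": "esc_attr", "_url": "esc_url"}
DEFAULT_ESCAPER = "esc_html"  # no well-known suffix

METHOD_RE = re.compile(r"function\s+(the_\w+)\s*\([^)]*\)\s*\{")
ESCAPER_CALL_RE = re.compile(r"\b(wp_kses_post|esc_attr|esc_url|esc_html)\s*\(")


def expected_escaper(method_name):
    """Escaper the suffix convention implies for a the_* method name."""
    for suffix, func in SUFFIX_ESCAPERS.items():
        if method_name.endswith(suffix):
            return func
    return DEFAULT_ESCAPER


def method_bodies(php_source):
    """Yield (name, body) for each hardcoded the_* method by matching braces."""
    for m in METHOD_RE.finditer(php_source):
        depth, i = 1, m.end()
        while i < len(php_source) and depth:
            depth += {"{": 1, "}": -1}.get(php_source[i], 0)
            i += 1
        yield m.group(1), php_source[m.end():i - 1]


def review(php_source):
    """Return (method, note) pairs that need a reviewer's attention."""
    findings = []
    for name, body in method_bodies(php_source):
        expected = expected_escaper(name)
        used = sorted(set(ESCAPER_CALL_RE.findall(body)))
        if not used:
            findings.append((name, "no escaping call found"))
        elif expected not in used:
            findings.append((name, f"uses {', '.join(used)} but suffix implies {expected}"))
    return findings


# Constructed sample of a WPLib-style module; not code from any real site.
SAMPLE_PHP = """
class Example_Module {
    static function the_title_html() { echo wp_kses_post( self::get_title() ); }
    static function the_permalink_url() { echo esc_html( self::get_permalink() ); }
    static function the_tagline() { echo self::get_tagline(); }
}
"""
```

Running review(SAMPLE_PHP) flags the_permalink_url (esc_html used where the _url suffix implies esc_url) and the_tagline (no escaping at all); the_title_html passes.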

Theme Templates

Here are steps to code review theme templates for output escaping:

The key benefits of relying on (auto-escaped) the_-prefixed output methods include:

Ensuring the suffixes are used correctly is where the remaining 1/2 of your code review effort will likely be. But it will be much less effort than reviewing WordPress theme templates that use the normal late-escaping approach.

Runmodes and Debugging Output

WPLib's philosophy is to never leave the developer wondering what they did wrong, so we generate a lot of error messages when it is used incorrectly. However, code that generates this debugging output is often flagged during code review as problematic.

To address this concern WPLib has baked in a Runmode with the default being PRODUCTION. When in production Runmode WPLib never triggers error messages.

To change Runmode you have to explicitly declare it in your /wp-config.php or similar bootstrap file:

define( 'WPLIB_RUNMODE', 'TESTING' );

The point is that without Runmode being explicitly set, WPLib cannot trigger error output, so a production site never will.

That's It!

And that's it. That is all there is that is special to code reviewing a WPLib-based website.