Updated tooling and adjusted to new WPCS sniffs

.editorconfig

@@ -13,9 +13,12 @@ insert_final_newline = true
 trim_trailing_whitespace = true
 indent_style = tab
 
-[{.jshintrc,*.json,*.yml}]
+[*.yml]
 indent_style = space
 indent_size = 2
 
-[{*.txt,wp-config-sample.php}]
-end_of_line = crlf
+[*.md]
+trim_trailing_whitespace = false
+
+[*.txt]
+end_of_line = crlf

composer.json

@@ -1,75 +1,75 @@
 {
-  "name": "beans/beans",
-  "description": "The most innovative theme for WordPress. The real magic is under the hood.",
-  "type": "wordpress-theme",
-  "license": "GPL-2.0+",
-  "homepage": "http://www.getbeans.io/",
-  "support": {
-    "issues": "https://github.com/GetBeans/Beans/issues",
-    "source": "https://github.com/GetBeans/Beans"
-  },
-  "minimum-stability": "dev",
-  "prefer-stable": true,
-  "autoload": {
-    "exclude-from-classmap": [
-      "/tests/"
-    ]
-  },
-  "autoload-dev": {
-    "psr-4": {
-      "Beans\\Framework\\Tests\\Unit\\": "tests/phpunit/unit/",
-      "Beans\\Framework\\Tests\\Integration\\": "tests/phpunit/integration/"
-    }
-  },
-  "repositories": [
-    {
-      "type": "package",
-      "package": {
-      "name": "xwp/wp-dev-lib",
-      "version": "1.0.1",
-        "source": {
-          "url": "https://github.com/xwp/wp-dev-lib.git",
-          "type": "git",
-          "reference": "master"
-        }
-      }
-    }
-  ],
-  "require": {
-    "php": "^5.2|^7",
-    "composer/installers": "^1.4",
-    "roave/security-advisories": "dev-master"
-  },
-  "require-dev": {
-    "php": "^5.6|^7",
-    "brain/monkey": "^2.2",
-    "dealerdirect/phpcodesniffer-composer-installer": "^0.4.4",
-    "mikey179/vfsStream": "^1.6",
-    "phpunit/phpunit": "~5.7.9",
-    "sirbrillig/phpcs-variable-analysis": "^2.0",
-    "squizlabs/php_codesniffer": "^3.2",
-    "wimg/php-compatibility": "^8.0",
-    "wp-coding-standards/wpcs": "^0.14.1",
-    "xwp/wp-dev-lib": "^1.0.1"
-  },
-  "config": {
-    "sort-order": true
-  },
-  "scripts": {
-    "install-codestandards": [
-      "Dealerdirect\\Composer\\Plugin\\Installers\\PHPCodeSniffer\\Plugin::run"
-    ],
-    "phpcs-src": "\"vendor/bin/phpcs\"",
-    "phpcs-tests": "\"vendor/bin/phpcs\" --runtime-set testVersion 5.6 tests/phpunit/",
-    "run-phpcs": [
-      "@phpcs-src",
-      "@phpcs-tests"
-    ],
-    "test-unit": "\"vendor/bin/phpunit\" --testsuite unit --color=always",
-    "test-integration": "\"vendor/bin/phpunit\" --testsuite integration --configuration tests/phpunit/integration/phpunit.xml.dist --color=always",
-    "run-tests": [
-      "@test-unit",
-      "@test-integration"
-    ]
-  }
+	"name": "beans/beans",
+	"description": "The most innovative theme for WordPress. The real magic is under the hood.",
+	"type": "wordpress-theme",
+	"license": "GPL-2.0+",
+	"homepage": "http://www.getbeans.io/",
+	"support": {
+		"issues": "https://github.com/GetBeans/Beans/issues",
+		"source": "https://github.com/GetBeans/Beans"
+	},
+	"minimum-stability": "dev",
+	"prefer-stable": true,
+	"autoload": {
+		"exclude-from-classmap": [
+			"/tests/"
+		]
+	},
+	"autoload-dev": {
+		"psr-4": {
+			"Beans\\Framework\\Tests\\Unit\\": "tests/phpunit/unit/",
+			"Beans\\Framework\\Tests\\Integration\\": "tests/phpunit/integration/"
+		}
+	},
+	"repositories": [
+		{
+			"type": "package",
+			"package": {
+				"name": "xwp/wp-dev-lib",
+				"version": "1.0.1",
+				"source": {
+					"url": "https://github.com/xwp/wp-dev-lib.git",
+					"type": "git",
+					"reference": "master"
+				}
+			}
+		}
+	],
+	"require": {
+		"php": "^5.2|^7",
+		"composer/installers": "^1.4"
+	},
+	"require-dev": {
+		"php": "^5.6|^7",
+		"brain/monkey": "^2.2",
+		"dealerdirect/phpcodesniffer-composer-installer": "^0.4.4",
+		"mikey179/vfsStream": "^1.6",
+		"phpunit/phpunit": "~5.7.9",
+		"roave/security-advisories": "dev-master",
+		"sirbrillig/phpcs-variable-analysis": "^2.0",
+		"squizlabs/php_codesniffer": "^3.3",
+		"wimg/php-compatibility": "^8.0",
+		"wp-coding-standards/wpcs": "^1.0.0",
+		"xwp/wp-dev-lib": "^1.0.1"
+	},
+	"config": {
+		"sort-order": true
+	},
+	"scripts": {
+		"install-codestandards": [
+			"Dealerdirect\\Composer\\Plugin\\Installers\\PHPCodeSniffer\\Plugin::run"
+		],
+		"phpcs-src": "\"vendor/bin/phpcs\" --ignore=*/tests/*",
+		"phpcs-tests": "\"vendor/bin/phpcs\" --runtime-set testVersion 5.6 tests/phpunit/",
+		"run-phpcs": [
+			"@phpcs-src",
+			"@phpcs-tests"
+		],
+		"test-unit": "\"vendor/bin/phpunit\" --testsuite unit --color=always",
+		"test-integration": "\"vendor/bin/phpunit\" --testsuite integration --configuration tests/phpunit/integration/phpunit.xml.dist --color=always",
+		"run-tests": [
+			"@test-unit",
+			"@test-integration"
+		]
+	}
 }

lib/api/actions/class-beans-anonymous-action.php

@@ -51,6 +51,6 @@ public function __construct( $hook, array $callback, $priority = 10, $number_arg
 	 * @return void
 	 */
 	public function callback() {
-		echo call_user_func_array( $this->callback[0], $this->callback[1] ); // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- The callback handles escaping its output, as Beans does not know what HTML or content will be passed back to it.
+		echo call_user_func_array( $this->callback[0], $this->callback[1] ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- The callback handles escaping its output, as Beans does not know what HTML or content will be passed back to it.
 	}
 }

lib/api/compiler/views/localized-content.php

@@ -10,6 +10,6 @@
 
 ?>
 <script type='text/javascript'>
-	<?php echo $localized; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Previously cleaned by WP. ?>
+	<?php echo $localized; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Previously cleaned by WP. ?>
 </script>
 

lib/api/fields/types/field.php

@@ -70,7 +70,7 @@ function beans_field_description( array $field ) {
 
 	beans_open_markup_e( 'beans_field_description[_' . $field['id'] . ']', 'div', array( 'class' => 'bs-field-description' ) );
 
-		echo $description;  // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- To optimize, escaping is handled above.
+		echo $description;  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- To optimize, escaping is handled above.
 
 	if ( isset( $extended ) ) {
 		include dirname( __FILE__ ) . '/views/field-description.php';

lib/api/fields/types/text.php

@@ -26,6 +26,6 @@ function beans_field_text( array $field ) {
 		esc_attr( $field['id'] ),
 		esc_attr( $field['name'] ),
 		esc_attr( $field['value'] ),
-		beans_esc_attributes( $field['attributes'] ) // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function.
+		beans_esc_attributes( $field['attributes'] ) // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function.
 	);
 }

lib/api/fields/types/textarea.php

@@ -25,7 +25,7 @@ function beans_field_textarea( array $field ) {
 	printf( '<textarea id="%s" name="%s" %s>%s</textarea>',
 		esc_attr( $field['id'] ),
 		esc_attr( $field['name'] ),
-		beans_esc_attributes( $field['attributes'] ), // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function.
+		beans_esc_attributes( $field['attributes'] ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function.
 		esc_textarea( $field['value'] )
 	);
 }

lib/api/fields/types/views/activation.php

@@ -11,5 +11,5 @@
 ?>
 
 <input type="hidden" value="0" name="<?php echo esc_attr( $field['name'] ); ?>" />
-<input id="<?php echo esc_html( $field['id'] ); ?>" type="checkbox" name="<?php echo esc_attr( $field['name'] ); ?>" value="1"<?php checked( $field['value'], 1 ); ?> <?php echo beans_esc_attributes( $field['attributes'] ); ?>/><?php // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function. ?>
+<input id="<?php echo esc_html( $field['id'] ); ?>" type="checkbox" name="<?php echo esc_attr( $field['name'] ); ?>" value="1"<?php checked( $field['value'], 1 ); ?> <?php echo beans_esc_attributes( $field['attributes'] ); ?>/><?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function. ?>
 <label for="<?php echo esc_html( $field['id'] ); ?>"><?php echo esc_attr( $field['label'] ); ?></label>

lib/api/fields/types/views/checkbox.php

@@ -12,7 +12,7 @@
 ?>
 
 <input type="hidden" value="0" name="<?php echo esc_attr( $field['name'] ); ?>" />
-<input id="<?php echo esc_html( $field['id'] ); ?>" type="checkbox" name="<?php echo esc_attr( $field['name'] ); ?>" value="1"<?php checked( $field['value'], 1 ); ?> <?php echo beans_esc_attributes( $field['attributes'] ); ?>/><?php // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function. ?>
+<input id="<?php echo esc_html( $field['id'] ); ?>" type="checkbox" name="<?php echo esc_attr( $field['name'] ); ?>" value="1"<?php checked( $field['value'], 1 ); ?> <?php echo beans_esc_attributes( $field['attributes'] ); ?>/><?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function. ?>
 
 <?php if ( $checkbox_label ) : ?>
 <span class="bs-checkbox-label"><?php echo esc_html( $checkbox_label ); ?></span>

lib/api/fields/types/views/field-description.php

@@ -11,4 +11,4 @@
 ?>
 
 <br /><a class="bs-read-more" href="#"><?php esc_html_e( 'More...', 'tm-beans' ); ?></a>
-<div class="bs-extended-content" style="display: none;"><?php echo $extended; ?></div><?php // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- To optimize, escaping is handled in the calling function. ?>
+<div class="bs-extended-content" style="display: none;"><?php echo $extended; ?></div><?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- To optimize, escaping is handled in the calling function. ?>

lib/api/fields/types/views/image.php

@@ -29,7 +29,7 @@
 	$image_alt  = $image_url ? _beans_get_image_alt( $image_id ) : '';
 ?>
 	<div class="bs-image-wrap<?php echo 'placeholder' === $image_id ? ' bs-image-template' : ''; ?>">
-		<input <?php echo beans_esc_attributes( $attributes ); ?> /><?php // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function. ?>
+		<input <?php echo beans_esc_attributes( $attributes ); ?> /><?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function. ?>
 		<img src="<?php echo $image_url ? esc_url( $image_url ) : ''; ?>" alt="<?php echo $image_alt ? esc_attr( $image_alt ) : ''; ?>">
 		<div class="bs-toolbar">
 			<?php

lib/api/fields/types/views/radio.php

@@ -26,18 +26,18 @@
 	$clean_value = esc_attr( $value );
 	$clean_id    = $id_prefix . $clean_value;
 ?>
-		<label class="<?php echo $is_image ? 'bs-has-image' : ''; ?>" for="<?php echo $clean_id; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Escaped above. ?>">
+		<label class="<?php echo $is_image ? 'bs-has-image' : ''; ?>" for="<?php echo $clean_id; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaped above. ?>">
 		<?php
 		if ( $is_image ) :
 			$image = _beans_standardize_radio_image( $value, $radio );
 		?>
 			<span class="screen-reader-text"><?php echo esc_html( $image['screen_reader_text'] ); ?></span>
 			<img src="<?php echo esc_url( $image['src'] ); ?>" alt="<?php echo esc_html( $image['alt'] ); ?>" />
-			<input id="<?php echo $clean_id; ?>" class="screen-reader-text" type="radio" name="<?php echo esc_attr( $field['name'] ); ?>" value="<?php echo $clean_value; ?>"<?php checked( $value, $field['value'], 1 ); ?><?php echo beans_esc_attributes( $field['attributes'] ); ?> /> <?php // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- The variable is escaped above. beans_esc_attributes is escaped by the function. ?>
+			<input id="<?php echo $clean_id; ?>" class="screen-reader-text" type="radio" name="<?php echo esc_attr( $field['name'] ); ?>" value="<?php echo $clean_value; ?>"<?php checked( $value, $field['value'], 1 ); ?><?php echo beans_esc_attributes( $field['attributes'] ); ?> /> <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- The variable is escaped above. beans_esc_attributes is escaped by the function. ?>
 		<?php endif; ?>
 
 <?php if ( ! $is_image ) : ?>
-	<input id="<?php echo $clean_id; ?>" type="radio" name="<?php echo esc_attr( $field['name'] ); ?>" value="<?php echo $clean_value; ?>"<?php checked( $value, $field['value'], 1 ); ?><?php echo beans_esc_attributes( $field['attributes'] ); ?> /> <?php // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- The variable is escaped above. beans_esc_attributes is escaped by the function. ?>
+	<input id="<?php echo $clean_id; ?>" type="radio" name="<?php echo esc_attr( $field['name'] ); ?>" value="<?php echo $clean_value; ?>"<?php checked( $value, $field['value'], 1 ); ?><?php echo beans_esc_attributes( $field['attributes'] ); ?> /> <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- The variable is escaped above. beans_esc_attributes is escaped by the function. ?>
 	<?php
 	echo wp_kses_post( $radio );
 endif;

lib/api/fields/types/views/select.php

@@ -12,7 +12,7 @@
 // phpcs:disable Generic.WhiteSpace.ScopeIndent.Incorrect, Generic.WhiteSpace.ScopeIndent.IncorrectExact -- View file is indented for HTML structure.
 ?>
 
-<select id="<?php echo esc_html( $field['id'] ); ?>" name="<?php echo esc_attr( $field['name'] ); ?>" <?php echo beans_esc_attributes( $field['attributes'] ); ?>><?php // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function. ?>
+<select id="<?php echo esc_html( $field['id'] ); ?>" name="<?php echo esc_attr( $field['name'] ); ?>" <?php echo beans_esc_attributes( $field['attributes'] ); ?>><?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function. ?>
 <?php foreach ( $field['options'] as $value => $label ) : ?>
 	<option value="<?php echo esc_attr( $value ); ?>"<?php selected( $value, $field['value'] ); ?>><?php echo esc_html( $label ); ?></option>
 <?php endforeach; ?>

lib/api/fields/types/views/slider.php

@@ -12,7 +12,7 @@
 ?>
 
 <div class="bs-slider-wrap" slider_min="<?php echo (int) $field['min']; ?>" slider_max="<?php echo (int) $field['max']; ?>" slider_interval="<?php echo (int) $field['interval']; ?>">
-	<input id="<?php echo esc_html( $field['id'] ); ?>" type="text" value="<?php echo esc_attr( $field['value'] ); ?>" name="<?php echo esc_attr( $field['name'] ); ?>" style="display: none;" <?php echo beans_esc_attributes( $field['attributes'] ); ?>/><?php // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function. ?>
+	<input id="<?php echo esc_html( $field['id'] ); ?>" type="text" value="<?php echo esc_attr( $field['value'] ); ?>" name="<?php echo esc_attr( $field['name'] ); ?>" style="display: none;" <?php echo beans_esc_attributes( $field['attributes'] ); ?>/><?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaping is handled in the function. ?>
 </div>
 <span class="bs-slider-value"><?php echo esc_html( $field['value'] ); ?></span>
 

lib/api/html/functions.php

@@ -58,7 +58,7 @@ function beans_output( $id, $output ) {
  */
 function beans_output_e( $id, $output ) {
 	$args = func_get_args();
-	echo call_user_func_array( 'beans_output', $args ); // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Escaped in beans_output.
+	echo call_user_func_array( 'beans_output', $args ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaped in beans_output.
 }
 
 /**
@@ -164,7 +164,7 @@ function beans_open_markup( $id, $tag, $attributes = array() ) {
  */
 function beans_open_markup_e( $id, $tag, $attributes = array() ) {
 	$args = func_get_args();
-	echo call_user_func_array( 'beans_open_markup', $args ); // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Escaped in beans_open_markup().
+	echo call_user_func_array( 'beans_open_markup', $args ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaped in beans_open_markup().
 }
 
 /**
@@ -220,7 +220,7 @@ function beans_selfclose_markup( $id, $tag, $attributes = array() ) {
  */
 function beans_selfclose_markup_e( $id, $tag, $attributes = array() ) {
 	$args = func_get_args();
-	echo call_user_func_array( 'beans_selfclose_markup', $args ); // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Escaped in beans_open_markup().
+	echo call_user_func_array( 'beans_selfclose_markup', $args ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaped in beans_open_markup().
 }
 
 /**
@@ -285,7 +285,7 @@ function beans_close_markup( $id, $tag ) {
  */
 function beans_close_markup_e( $id, $tag ) {
 	$args = func_get_args();
-	echo call_user_func_array( 'beans_close_markup', $args ); // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped -- Escaped in beans_close_markup().
+	echo call_user_func_array( 'beans_close_markup', $args ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Escaped in beans_close_markup().
 }
 
 /**

lib/api/image/functions.php

@@ -56,7 +56,7 @@ function beans_get_post_attachment( $post_id, $size = 'full' ) {
 	$obj->src         = $src[0];
 	$obj->width       = $src[1];
 	$obj->height      = $src[2];
-	$obj->alt         = trim( strip_tags( get_post_meta( $id, '_wp_attachment_image_alt', true ) ) );
+	$obj->alt         = trim( strip_tags( get_post_meta( $id, '_wp_attachment_image_alt', true ) ) ); //phpcs:ignore WordPress.WP.AlternativeFunctions.strip_tags_strip_tags -- We want to strip the tags and keep the content.
 	$obj->title       = $post->post_title;
 	$obj->caption     = $post->post_excerpt;
 	$obj->description = $post->post_content;

lib/api/post-meta/functions-admin.php

@@ -117,7 +117,7 @@ function _beans_is_post_meta_conditions( $conditions ) {
 	}
 
 	// Check if it is a new post and treat it as such.
-	if ( false !== stripos( $_SERVER['REQUEST_URI'], 'post-new.php' ) ) {
+	if ( false !== stripos( $_SERVER['REQUEST_URI'], 'post-new.php' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput -- We are checking if the request path includes a certain sting in an admin request. No other processing is done.
 		$current_post_type = beans_get( 'post_type' );
 
 		if ( ! $current_post_type ) {

lib/api/term-meta/class-beans-term-meta.php

@@ -128,7 +128,7 @@ public function save( $term_id ) {
 	public function delete( $term_id ) {
 		global $wpdb;
 
-		$wpdb->query(
+		$wpdb->query( // phpcs:ignore WordPress.DB.DirectDatabaseQuery -- Pending update to term meta handling.
 			$wpdb->prepare(
 				"DELETE FROM $wpdb->options WHERE option_name LIKE %s",
 				"beans_term_{$term_id}_%"

lib/api/utilities/functions.php

@@ -184,6 +184,8 @@ function beans_str_starts_with( $haystack, $needles ) {
  * @param bool   $force_rebuild Optional. Forces the rebuild of the root url and path.
  *
  * @return string Url.
+ *
+ * phpcs:disable WordPress.PHP.PregQuoteDelimiter.Missing -- We are using `#` as delimiter.
  */
 function beans_path_to_url( $path, $force_rebuild = false ) {
 	static $root_path, $root_url;
@@ -374,7 +376,7 @@ function beans_sanitize_path( $path ) {
 function beans_get( $needle, $haystack = false, $default = null ) {
 
 	if ( false === $haystack ) {
-		$haystack = $_GET; // phpcs:ignore WordPress.CSRF.NonceVerification.NoNonceVerification -- The nonce verification check should be at the form processing level.
+		$haystack = $_GET; // phpcs:ignore WordPress.Security.NonceVerification.NoNonceVerification -- The nonce verification check should be at the form processing level.
 	}
 
 	$haystack = (array) $haystack;
@@ -397,7 +399,7 @@ function beans_get( $needle, $haystack = false, $default = null ) {
  * @return string Returns the value if found; else $default is returned.
  */
 function beans_post( $needle, $default = null ) {
-	return beans_get( $needle, $_POST, $default ); // phpcs:ignore WordPress.CSRF.NonceVerification.NoNonceVerification -- The nonce verification check should be at the form processing level.
+	return beans_get( $needle, $_POST, $default ); // phpcs:ignore WordPress.Security.NonceVerification.NoNonceVerification -- The nonce verification check should be at the form processing level.
 }
 
 /**