3.2.0

Added

• New WordPress.WP.GetMetaSingle sniff to the WordPress-Extra ruleset. Props @rodrigoprimo! #2465
  This sniff warns when get_*_meta() and get_metadata*() functions are used with the $meta_key/$key param, but without the $single parameter as this could lead to unexpected behavior due to the different return types.
• WordPress-Extra: the following additional sniffs have been added to the ruleset: Generic.Strings.UnnecessaryHeredoc and Generic.WhiteSpace.HereNowdocIdentifierSpacing. #2534
• The rest_sanitize_boolean() functions to the list of known "sanitizing" functions. Props @westonruter. #2530
• End-user documentation to the following existing sniffs: WordPress.DB.PreparedSQL (props @jaymcp, #2454), WordPress.NamingConventions.ValidFunctionName (props @richardkorthuis and @rodrigoprimo, #2452, #2531), WordPress.NamingConventions.ValidVariableName (props @richardkorthuis, #2457), WordPress.PHP.DontExtract (props @aiolachiara #2456).
  This documentation can be exposed via the PHP_CodeSniffer --generator=... command-line argument.

Changed

• The minimum required PHP_CodeSniffer version to 3.13.0 (was 3.9.0). #2532
• The minimum required PHPCSUtils version to 1.1.0 (was 1.0.10). #2532
• The minimum required PHPCSExtra version to 1.4.0 (was 1.2.1). #2532
• Sniffs based on the AbstractFunctionParameterSniff will now call a dedicated process_first_class_callable() method for PHP 8.1+ first class callables. Props @rodrigoprimo, @jrfnl. #2518, #2544
  By default, the method won't do anything, but individual sniffs extending the AbstractFunctionParameterSniff class can choose to implement the method to handle first class callables.
  Previously, first class callables were treated as a function call without parameters and would trigger the process_no_parameters() method.
• The minimum required prefix length for the WordPress.NamingConventions.PrefixAllGlobals sniff has been changed from 3 to 4 characters. Props @davidperezgar. #2479
• The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.5. #2553
• WordPress.NamingConventions.ValidVariableName now allows for PHP 8.4 properties in interfaces. #2532
• WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP up to WP 6.8.1. #2537
• WordPress.WP.Capabilities has been updated to recognize new capabilities introduced in WP up to WP 6.8.1. #2537
• WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP up to WP 6.8.1. #2537
• WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.8.1. #2537
• WordPress.WP.DeprecatedParameters now detects parameters deprecated in WordPress up to WP 6.8.1. #2537
• WordPress.WP.DeprecatedParameterValues now detects parameter values deprecated in WordPress up to WP 6.8.1. #2537
• Minor performance improvements.
• Developer happiness: prevent creating a composer.lock file. Thanks @fredden! #2443
• Various housekeeping, including documentation and test improvements. Includes contributions by @rodrigoprimo and @szepeviktor.
• All sniffs are now also being tested against PHP 8.4 for consistent sniff results. #2511

Deprecated

Removed

• The Generic.Functions.CallTimePassByReference has been removed from the WordPress-Extra ruleset. Props @rodrigoprimo. #2536
  This sniff was dated anyway and deprecated in PHP_CodeSniffer. If you need to check if your code is PHP cross-version compatible, use the [PHPCompatibility] standard instead.

Fixed

• Sniffs based on the AbstractClassRestrictionsSniff could previously run into a PHPCS Internal.Exception, leading to fixes not being made. #2500
• Sniffs based on the AbstractFunctionParameterSniff will now bow out more often when it is sure the code under scan is not calling the target function and during live coding, preventing false positives. Props @rodrigoprimo. #2518

3.1.0

Added

• WordPress-Core ruleset: now includes the Universal.PHP.LowercasePHPTag sniff.
• WordPress-Extra ruleset: now includes the Generic.CodeAnalysis.RequireExplicitBooleanOperatorPrecedence and the Universal.CodeAnalysis.NoDoubleNegative sniffs.
• The sanitize_locale_name() function to the list of known "escaping" functions. Props @Chouby
• The sanitize_locale_name() function to the list of known "sanitize & unslash" functions. Props @Chouby

Changed

• The minimum required PHP_CodeSniffer version to 3.9.0 (was 3.7.2).
• The minimum required PHPCSUtils version to 1.0.10 (was 1.0.8).
• The minimum required PHPCSExtra version to 1.2.1 (was 1.1.0).
  Please ensure you run composer update wp-coding-standards/wpcs --with-dependencies to benefit from these updates.
• Core ruleset: the spacing after the use keyword for closure use statements will now consistently be checked. Props @westonruter for reporting.
• The default value for minimum_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 6.2.
• WordPress.NamingConventions.PrefixAllGlobals has been updated to recognize pluggable functions introduced in WP 6.4 and 6.5.
• WordPress.NamingConventions.ValidPostTypeSlug has been updated to recognize reserved post types introduced in WP 6.4 and 6.5.
• WordPress.WP.ClassNameCase has been updated to recognize classes introduced in WP 6.4 and 6.5.
• WordPress.WP.DeprecatedClasses now detects classes deprecated in WordPress up to WP 6.5.
• WordPress.WP.DeprecatedFunctions now detects functions deprecated in WordPress up to WP 6.5.
• The IsUnitTestTrait will now recognize classes which extend the new WP Core WP_Font_Face_UnitTestCase class as test classes.
• The test suite can now run on PHPUnit 4.x - 9.x (was 4.x - 7.x), which should make contributing more straight forward.
• Various housekeeping, includes a contribution from @rodrigoprimo.

Fixed

• WordPress.WP.PostsPerPage could potentially result in an Internal.Exception when encountering a query string which doesn't include the value for posts_per_page in the query string. Props @anomiex for reporting.

3.0.1

Added

• In WordPressCS 3.0.0, the functionality of the WordPress.Security.EscapeOutput sniff was updated to report unescaped message parameters passed to exceptions created in throw statements. This specific violation now has a separate error code: ExceptionNotEscaped. This will allow users to ignore or exclude that specific error code. Props @anomiex.
  The error code(s) for other escaping issues flagged by the sniff remain unchanged.

Changed

• Updated the CI workflow to test the example ruleset for issues.
• Funding files and updates in the Readme about funding the project.

Fixed

• Fixed a sniff name in the phpcs.xml.dist.sample file (case-sensitive sniff name). Props @dawidurbanski.

3.0.0

Important information about this release:

At long last... WordPressCS 3.0.0 is here.

This is an important release which makes significant changes to improve the accuracy, performance, stability and maintainability of all sniffs, as well as making WordPressCS much better at handling modern PHP.

WordPressCS 3.0.0 contains breaking changes, both for people using ignore annotations, people maintaining custom rulesets, as well as for sniff developers who maintain a custom PHPCS standard based on WordPressCS.

If you are an end-user or maintain a custom WordPressCS based ruleset, please start by reading the Upgrade Guide to WordPressCS 3.0.0 for ruleset maintainers which lists the most important changes and contains a step by step guide for upgrading.

If you are a maintainer of an external standard based on WordPressCS and any of your custom sniffs are based on or extend WordPressCS sniffs, please read the Upgrade Guide to WordPressCS 3.0.0 for Developers.

In all cases, please read the complete changelog carefully before you upgrade.

Added

• Dependencies on the following packages: PHPCSUtils, PHPCSExtra and the [Composer PHPCS plugin].
• A best effort has been made to add support for the new PHP syntaxes/features to all WordPressCS native sniffs and utility functions (or to verify/improve existing support).
  While support in external sniffs used by WordPressCS has not be exhaustively verified, a lot of work has been done to try and add support for new PHP syntaxes to those as well.
  WordPressCS native sniffs and utilities have received fixes for the following syntaxes:
  • PHP 7.2
    • Keyed lists.
  • PHP 7.3
    • Flexible heredoc/nowdoc (providing the PHPCS scan is run on PHP 7.3 or higher).
    • Trailing commas in function calls.
  • PHP 7.4
    • Arrow functions.
    • Array unpacking in array expressions.
    • Numeric literals with underscores.
    • Typed properties.
    • Null coalesce equals operator.
  • PHP 8.0
    • Nullsafe object operators.
    • Match expressions.
    • Named arguments in function calls.
    • Attributes.
    • Union types // including supporting the false and null types.
    • Constructor property promotion.
    • $object::class
    • Throw as an expression.
  • PHP 8.1
    • Enumerations.
    • Explicit octal notation.
    • Final class constants
    • First class callables.
    • Intersection types.
  • PHP 8.2
    • Constants in traits.
• New WordPress.CodeAnalysis.AssignmentInTernaryCondition sniff to the WordPress-Core ruleset which partially replaces the removed WordPress.CodeAnalysis.AssignmentInCondition sniff.
• New WordPress.WhiteSpace.ObjectOperatorSpacing sniff which replaces the use of the Squiz.WhiteSpace.ObjectOperatorSpacing sniff in the WordPress-Core ruleset.
• New WordPress.WP.ClassNameCase sniff to the WordPress-Core ruleset, to check that any class name references to WP native classes and classes from external dependencies use the case of the class as per the class declaration.
• New WordPress.WP.Capabilities sniff to the WordPress-Extra ruleset. This sniff checks that valid capabilities are used, not roles or user levels. Props, amongst others, to [@grappler] and [@khacoder].
  Custom capabilities can be added to the sniff via a custom_capabilities ruleset property.
  The sniff also supports the minimum_wp_version property to allow the sniff to accurately determine how the use of deprecated capabilities should be flagged.
• The WordPress.WP.CapitalPDangit sniff contains a new check to verify the correct spelling of WordPress in namespace names.
• The WordPress.WP.I18n sniff contains a new EmptyTextDomain error code for an empty text string being passed as the text domain, which overrules the default value of the parameter and renders a text untranslatable.
• The WordPress.DB.PreparedSQLPlaceholders sniff has been expanded with additional checks for the correct use of the %i placeholder, which was introduced in WP 6.2. Props [@craigfrancis].
  The sniff now also supports the minimum_wp_version ruleset property to determine whether the %i placeholder can be used.
• WordPress-Core: the following additional sniffs (or select error codes from these sniffs) have been added to the ruleset: Generic.CodeAnalysis.AssignmentInCondition, Generic.CodeAnalysis.EmptyPHPStatement (replaces the WordPressCS native sniff), Generic.VersionControl.GitMergeConflict, Generic.WhiteSpace.IncrementDecrementSpacing, Generic.WhiteSpace.LanguageConstructSpacing, Generic.WhiteSpace.SpreadOperatorSpacingAfter, PSR2.Classes.ClassDeclaration, PSR2.Methods.FunctionClosingBrace, PSR12.Classes.ClassInstantiation, PSR12.Files.FileHeader (select error codes only), PSR12.Functions.NullableTypeDeclaration, PSR12.Functions.ReturnTypeDeclaration, PSR12.Traits.UseDeclaration, Squiz.Functions.MultiLineFunctionDeclaration (replaces part of the WordPress.WhiteSpace.ControlStructureSpacing sniff), Modernize.FunctionCalls.Dirname, NormalizedArrays.Arrays.ArrayBraceSpacing (replaces part of the WordPress.Arrays.ArrayDeclarationSpacing sniff), NormalizedArrays.Arrays.CommaAfterLast (replaces the WordPressCS native sniff), Universal.Classes.ModifierKeywordOrder, Universal.Classes.RequireAnonClassParentheses, Universal.Constants.LowercaseClassResolutionKeyword, Universal.Constants.ModifierKeywordOrder, Universal.Constants.UppercaseMagicConstants, Universal.Namespaces.DisallowCurlyBraceSyntax, Universal.Namespaces.DisallowDeclarationWithoutName, Universal.Namespaces.OneDeclarationPerFile, Universal.NamingConventions.NoReservedKeywordParameterNames, Universal.Operators.DisallowShortTernary (replaces the WordPressCS native sniff), Universal.Operators.DisallowStandalonePostIncrementDecrement, Universal.Operators.StrictComparisons (replaces the WordPressCS native sniff), Universal.Operators.TypeSeparatorSpacing, Universal.UseStatements.DisallowMixedGroupUse, Universal.UseStatements.KeywordSpacing, Universal.UseStatements.LowercaseFunctionConst, Universal.UseStatements.NoLeadingBackslash, Universal.UseStatements.NoUselessAliases, Universal.WhiteSpace.CommaSpacing, Universal.WhiteSpace.DisallowInlineTabs (replaces the WordPressCS native sniff), Universal.WhiteSpace.PrecisionAlignment (replaces the WordPressCS native sniff), Universal.WhiteSpace.AnonClassKeywordSpacing.
• WordPress-Extra: the following additional sniffs have been added to the ruleset: Generic.CodeAnalysis.UnusedFunctionParameter, Universal.Arrays.DuplicateArrayKey, Universal.CodeAnalysis.ConstructorDestructorReturn, Universal.CodeAnalysis.ForeachUniqueAssignment, Universal.CodeAnalysis.NoEchoSprintf, Universal.CodeAnalysis.StaticInFinalClass, Universal.ControlStructures.DisallowLonelyIf, Universal.Files.SeparateFunctionsFromOO.
• WordPress.Utils.I18nTextDomainFixer: the load_script_textdomain() function to the functions the sniff looks for.
• WordPress.WP.AlternativeFunctions: the following PHP native functions have been added to the sniff and will now be flagged when used: unlink() (in a new unlink group) , rename() (in a new rename group), chgrp(), chmod(), chown(), is_writable() is_writeable(), mkdir(), rmdir(), touch(), fputs() (in the existing file_system_operations group, which was previously named file_system_read). Props [@sandeshjangam] and [@JDGrimes].
• The PHPUnit_Adapter_TestCase class to the list of "known test (case) classes".
• The antispambot() function to the list of known "formatting" functions.
• The esc_xml() and wp_kses_one_attr() functions to the list of known "escaping" functions.
• The wp_timezone_choice() and wp_readonly() functions to the list of known "auto escaping" functions.
• The sanitize_url() and wp_kses_one_attr() functions to the list of known "sanitizing" functions.
• Metrics for blank lines at the start/end of a control structure body to the WordPress.WhiteSpace.ControlStructureSpacing sniff. These can be displayed using --report=info when the blank_line_check property has been set to true.
• End-user documentation to the following new and pre-existing sniffs: WordPress.DateTime.RestrictedFunctions, WordPress.NamingConventions.PrefixAllGlobals (props [@Ipstenu]), WordPress.PHP.StrictInArray (props [@marconmartins]), WordPress.PHP.YodaConditions (props [@Ipstenu]), WordPress.WhiteSpace.ControlStructureSpacing (props [@ckanitz]), WordPress.WhiteSpace.ObjectOperatorSpacing, WordPress.WhiteSpace.OperatorSpacing (props [@ckanitz]), WordPress.WP.CapitalPDangit (props [@NielsdeBlaauw]), WordPress.WP.Capabilities, WordPress.WP.ClassNameCase, WordPress.WP.EnqueueResourceParameters (props [@NielsdeBlaauw]).
  This documentation can be exposed via the PHP_CodeSniffer --generator=... command-line argument.
  Note: all sniffs which have been added from PHPCSExtra (Universal, Modernize, NormalizedArrays sniffs) are also fully documented.

Added (internal/dev-only)

• New Helper classes:
  • ArrayWalkingFunctionsHelper
  • ConstantsHelper *
  • ContextHelper *
  • DeprecationHelper *
  • FormattingFunctionsHelper
  • ListHelper *
  • RulesetPropertyHelper *
  • SnakeCaseHelper *
  • UnslashingFunctionsHelper
  • ValidationHelper
  • VariableHelper *
    ...

2.3.0

Added

• The WordPress.WP.I18n sniff contains a new check for translatable text strings which are wrapped in HTML tags, like <h1>Translate me</h1>. Those tags should be moved out of the translatable string.
  Note: Translatable strings wrapped in <a href..> tags where the URL is intended to be localized will not trigger this check.

Changed

• The default value for minimum_supported_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 5.1.
• The WordPress.WP.DeprecatedFunctions sniff will now detect functions deprecated in WP 5.4.
• Improved grammar of an error message in the WordPress.WP.DiscouragedFunctions sniff.
• CI: The codebase is now - preliminary - being tested against the PHPCS 4.x development branch.

Fixed

• All function call detection sniffs: fixed a bug where constants with the same name as one of the targeted functions could inadvertently be recognized as if they were a called function.
• WordPress.DB.PreparedSQL: fixed a bug where the sniff would trigger on the namespace separator character \\.
• WordPress.Security.EscapeOutput: fixed a bug with the variable replacement in one of the error messages.

2.2.1

Added

• Metrics to the WordPress.Arrays.CommaAfterArrayItem sniff. These can be displayed using --report=info.
• The sanitize_hex_color() and the sanitize_hex_color_no_hash() functions to the escapingFunctions list used by the WordPress.Security.EscapeOutput sniff.

Changed

• The recommended version of the suggested DealerDirect PHPCS Composer plugin is now ^0.6.

Fixed

• WordPress.PHP.NoSilencedErrors: depending on the custom properties set, the metrics would be different.
• WordPress.WhiteSpace.ControlStructureSpacing: fixed undefined index notice for closures with use.
• WordPress.WP.GlobalVariablesOverride: fixed undefined offset notice when the treat_files_as_scoped property would be set to true.
• WordPress.WP.I18n: fixed a Trying to access array offset on value of type null error when the sniff was run on PHP 7.4 and would encounter a translation function expecting singular and plural texts for which one of these arguments was missing.

2.2.0

Note: The repository has moved. The new URL is https://github.com/WordPress/WordPress-Coding-Standards.
The move does not affect the package name for Packagist. This remains the same: wp-coding-standards/wpcs.

Added

• New WordPress.DateTime.CurrentTimeTimestamp sniff to the WordPress-Core ruleset, which checks against the use of the WP native current_time() function to retrieve a timestamp as this won't be a real timestamp. Includes an auto-fixer.
• New WordPress.DateTime.RestrictedFunctions sniff to the WordPress-Core ruleset, which checks for the use of certain date/time related functions. Initially this sniff forbids the use of the PHP native date_default_timezone_set() and date() functions.
• New WordPress.PHP.DisallowShortTernary sniff to the WordPress-Core ruleset, which, as the name implies, disallows the use of short ternaries.
• New WordPress.CodeAnalysis.EscapedNotTranslated sniff to the WordPress-Extra ruleset which will warn when a text string is escaped for output, but not being translated, while the arguments passed to the function call give the impression that translation is intended.
• New WordPress.NamingConventions.ValidPostTypeSlug sniff to the WordPress-Extra ruleset which will examine calls to register_post_type() and throw errors when an invalid post type slug is used.
• Generic.Arrays.DisallowShortArraySyntax to the WordPress-Core ruleset.
• WordPress.NamingConventions.PrefixAllGlobals: the PHP prefix has been added to the prefix blacklist as it is reserved by PHP itself.
• The wp_sanitize_redirect() function to the sanitizingFunctions list used by the WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput and WordPress.Security.EscapeOutput sniffs.
• The sanitize_key() and the highlight_string() functions to the escapingFunctions list used by the WordPress.Security.EscapeOutput sniff.
• The RECOVERY_MODE_COOKIE constant to the list of WP Core constants which may be defined by plugins and themes and therefore don't need to be prefixed (WordPress.NamingConventions.PrefixAllGlobals).
• $content_width, $plugin, $mu_plugin and $network_plugin to the list of WP globals which is used by both the WordPress.Variables.GlobalVariables and the WordPress.NamingConventions.PrefixAllGlobals sniffs.
• Sniff::is_short_list() utility method to determine whether a short array open/close token actually represents a PHP 7.1+ short list.
• Sniff::find_list_open_close() utility method to find the opener and closer for list() constructs, including short lists.
• Sniff::get_list_variables() utility method which will retrieve an array with the token pointers to the variables which are being assigned to in a list() construct. Includes support for short lists.
• Sniff::is_function_deprecated() static utility method to determine whether a declared function has been marked as deprecated in the function DocBlock.
• End-user documentation to the following existing sniffs: WordPress.Arrays.ArrayIndentation, WordPress.Arrays.ArrayKeySpacingRestrictions, WordPress.Arrays.MultipleStatementAlignment, WordPress.Classes.ClassInstantiation, WordPress.NamingConventions.ValidHookName, WordPress.PHP.IniSet, WordPress.Security.SafeRedirect, WordPress.WhiteSpace.CastStructureSpacing, WordPress.WhiteSpace.DisallowInlineTabs, WordPress.WhiteSpace.PrecisionAlignment, WordPress.WP.CronInterval, WordPress.WP.DeprecatedClasses, WordPress.WP.DeprecatedFunctions, WordPress.WP.DeprecatedParameters, WordPress.WP.DeprecatedParameterValues, WordPress.WP.EnqueuedResources, WordPress.WP.PostsPerPage.
  This documentation can be exposed via the PHP_CodeSniffer --generator=... command-line argument.

Changed

• The default value for minimum_supported_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 5.0.
• The WordPress.Arrays.ArrayKeySpacingRestrictions sniff has two new error codes: TooMuchSpaceBeforeKey and TooMuchSpaceAfterKey. Both auto-fixable.
  The sniff will now check that there is exactly one space on the inside of the square brackets around the array key for non-string, non-numeric array keys. Previously, it only checked that there was whitespace, not how much whitespace.
• WordPress.Arrays.ArrayKeySpacingRestrictions: the fixers have been made more efficient and less fixer-conflict prone.
• WordPress.NamingConventions.PrefixAllGlobals: plugin/theme prefixes should be at least three characters long. A new ShortPrefixPassed error has been added for when the prefix passed does not comply with this rule.
• WordPress.WhiteSpace.CastStructureSpacing now allows for no whitespace before a cast when the cast is preceded by the spread ... operator. This pre-empts a fixer conflict for when the spacing around the spread operator will start to get checked.
• The WordPress.WP.DeprecatedClasses sniff will now detect classes deprecated in WP 4.9 and WP 5.3.
• The WordPress.WP.DeprecatedFunctions sniff will now detect functions deprecated in WP 5.3.
• WordPress.NamingConventions.ValidHookName now has "cleaner" error messages and higher precision for the line on which an error is thrown.
• WordPress.Security.EscapeOutput: if an error refers to array access via a variable, the array index key will now be included in the error message.
• The processing of the WordPress ruleset by PHP_CodeSniffer will now be faster.
• Various minor code tweaks and clean up.
• Various minor documentation fixes.
• Documentation: updated the repo URL in all relevant places.

Deprecated

• The WordPress.WP.TimezoneChange sniff. Use the WordPress.DateTime.RestrictedFunctions instead.
  The deprecated sniff will be removed in WPCS 3.0.0.

Fixed

• All sniffs in the WordPress.Arrays category will no longer treat short lists as if they were a short array.
• The WordPress.NamingConventions.ValidFunctionName and the WordPress.NamingConventions.PrefixAllGlobals sniff will now ignore functions marked as @deprecated.
• Both the WordPress.NamingConventions.PrefixAllGlobals sniff as well as the WordPress.WP.GlobalVariablesOverride sniff have been updated to recognize variables being declared via (long/short) list() constructs and handle them correctly.
• Both the WordPress.NamingConventions.PrefixAllGlobals sniff as well as the WordPress.WP.GlobalVariablesOverride sniff will now take a limited list of WP global variables which are intended to be overwritten by plugins/themes into account.
  Initially this list contains the $content_width and the $wp_cockneyreplace variables.
• WordPress.NamingConventions.ValidHookName: will no longer examine a string array access index key as if it were a part of the hook name.
• WordPress.Security.EscapeOutput: will no longer trigger on the typical basename( __FILE__ ) pattern if found as the first parameter passed to a call to _deprecated_file().
• WordPress.WP.CapitalPDangit: now allows for the .test TLD in URLs.
• WPCS is now fully compatible with PHP 7.4.
  Note: PHP_CodeSniffer itself is only compatible with PHP 7.4 from PHPCS 3.5.0 onwards.

2.1.1

Changed

• The WordPress.WP.CapitalPDangit will now ignore misspelled instances of WordPress within constant declarations.
  This covers both constants declared using defined() as well as constants declared using the const keyword.
• The default value for minimum_supported_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 4.9.

Removed

• paginate_comments_links() from the list of auto-escaped functions Sniff::$autoEscapedFunctions.
  This affects the WordPress.Security.EscapeOutput sniff.

Fixed

• The $current_blog and $tag_ID variables have been added to the list of WordPress global variables.
  This fixes some false positives from the WordPress.NamingConventions.PrefixAllGlobals and the WordPress.WP.GlobalVariablesOverride sniffs.
• The generic TestCase class name has been added to the $test_class_whitelist.
  This fixes some false positives from the WordPress.NamingConventions.FileName, WordPress.NamingConventions.PrefixAllGlobals and the WordPress.WP.GlobalVariablesOverride sniffs.
• The WordPress.NamingConventions.ValidVariableName sniff will now correctly recognize $tag_ID as a WordPress native, mixed-case variable.
• The WordPress.Security.NonceVerification sniff will now correctly recognize nonce verification within a nested closure or anonymous class.

2.1.0

Added

• New WordPress.PHP.IniSet sniff to the WordPress-Extra ruleset.
  This sniff will detect calls to ini_set() and ini_alter() and warn against their use as changing configuration values at runtime leads to an unpredictable runtime environment, which can result in conflicts between core/plugins/themes.
  • The sniff will not throw notices about a very limited set of "safe" ini directives.
  • For a number of ini directives for which there are alternative, non-conflicting ways to achieve the same available, the sniff will throw an error and advise using the alternative.
• doubleval(), count() and sizeof() to Sniff::$unslashingSanitizingFunctions property.
  While count() and its alias sizeof(), don't actually unslash or sanitize, the output of these functions is safe to use without unslashing or sanitizing.
  This affects the WordPress.Security.ValidatedSanitizedInput and the WordPress.Security.NonceVerification sniffs.
• The new WP 5.1 WP_UnitTestCase_Base class to the Sniff::$test_class_whitelist property.
• New Sniff::get_array_access_keys() utility method to retrieve all array keys for a variable using multi-level array access.
• New Sniff::is_class_object_call(), Sniff::is_token_namespaced() utility methods.
  These should help make the checking of whether or not a function call is a global function, method call or a namespaced function call more consistent.
  This also implements allowing for the namespace keyword being used as an operator.
• New Sniff::is_in_function_call() utility method to facilitate checking whether a token is (part of) a parameter passed to a specific (set of) function(s).
• New Sniff::is_in_type_test() utility method to determine if a variable is being type tested, along with a Sniff::$typeTestFunctions property containing the names of the functions this applies to.
• New Sniff::is_in_array_comparison() utility method to determine if a variable is (part of) a parameter in an array-value comparison, along with a Sniff::$arrayCompareFunctions property containing the names of the relevant functions.
• New Sniff::$arrayWalkingFunctions property containing the names of array functions which apply a callback to the array, but don't change the array by reference.
• New Sniff::$unslashingFunctions property containing the names of functions which unslash data passed to them and return the unslashed result.

Changed

• Moved the WordPress.PHP.StrictComparisons, WordPress.PHP.StrictInArray and the WordPress.CodeAnalysis.AssignmentInCondition sniff from the WordPress-Extra to the WordPress-Core ruleset.
• The Squiz.Commenting.InlineComment.SpacingAfter error is no longer included in the WordPress-Docs ruleset.
• The default value for minimum_supported_wp_version, as used by a number of sniffs detecting usage of deprecated WP features, has been updated to 4.8.
• The WordPress.WP.DeprecatedFunctions sniff will now detect functions deprecated in WP 5.1.
• The WordPress.Security.NonceVerification sniff now allows for variable type testing, comparisons, unslashing and sanitization before the nonce check. A nonce check within the same scope, however, is still required.
• The WordPress.Security.ValidatedSanitizedInput sniff now allows for using a superglobal in an array-value comparison without sanitization, same as when the superglobal is used in a scalar value comparison.
• WordPress.NamingConventions.PrefixAllGlobals: some of the error messages have been made more explicit.
• The error messages for the WordPress.Security.ValidatedSanitizedInput sniff will now contain information on the index keys accessed.
• The error message for the WordPress.Security.ValidatedSanitizedInput.InputNotValidated has been reworded to make it more obvious what the actual issue being reported is.
• The error message for the WordPress.Security.ValidatedSanitizedInput.MissingUnslash has been reworded.
• The Sniff::is_comparison() method now has a new $include_coalesce parameter to allow for toggling whether the null coalesce operator should be seen as a comparison operator. Defaults to true.
• All sniffs are now also being tested against PHP 7.4 (unstable) for consistent sniff results.
• The recommended version of the suggested DealerDirect PHPCS Composer plugin is now ^0.5.0.
• Various minor code tweaks and clean up.

Removed

• ini_set and ini_alter from the list of functions detected by the WordPress.PHP.DiscouragedFunctions sniff.
  These are now covered via the new WordPress.PHP.IniSet sniff.
• in_array() and array_key_exists() from the list of Sniff::$sanitizingFunctions. These are now handled differently.

Fixed

• The WordPress.NamingConventions.PrefixAllGlobals sniff would underreport when global functions would be autoloaded via a Composer autoload files configuration.
• The WordPress.Security.EscapeOutput sniff will now recognize map_deep() for escaping the values in an array via a callback to an output escaping function. This should prevent false positives.
• The WordPress.Security.NonceVerification sniff will no longer inadvertently allow for a variable to be sanitized without a nonce check within the same scope.
• The WordPress.Security.ValidatedSanitizedInput sniff will no longer throw errors when a variable is only being type tested.
• The WordPress.Security.ValidatedSanitizedInput sniff will now correctly recognize the null coalesce (PHP 7.0) and null coalesce equal (PHP 7.4) operators and will now throw errors for missing unslashing and sanitization where relevant.
• The WordPress.WP.AlternativeFunctions sniff will no longer recommend using the WP_FileSystem when PHP native input streams, like php://input, or the PHP input stream constants are being read or written to.
• The WordPress.WP.AlternativeFunctions sniff will no longer report on usage of the curl_version() function.
• The WordPress.WP.CronInterval sniff now has improved function recognition which should lower the chance of false positives.
• The WordPress.WP.EnqueuedResources sniff will no longer throw false positives for inline jQuery code trying to access a stylesheet link tag.
• Various bugfixes for the Sniff::has_nonce_check() method:
  • The method will no longer incorrectly identify methods/namespaced functions mirroring the name of WP native nonce verification functions as if they were the global functions.
    This will prevent some false negatives.
  • The method will now skip over nested closed scopes, such as closures and anonymous classes. This should prevent some false negatives for nonce verification being done while not in the correct scope.
    These fixes affect the WordPress.Security.NonceVerification sniff.
• The Sniff::is_in_isset_or_empty() method now also checks for usage of array_key_exist() and key_exists() and will regard these as correct ways to validate a variable.
  This should prevent false positives for the WordPress.Security.ValidatedSanitizedInput and the WordPress.Security.NonceVerification sniffs.
• Various bugfixes for the Sniff::is_sanitized() method:
  • The method presumed the WordPress coding style regarding code layout, which could lead to false positives.
  • The method will no longer incorrectly identify methods/namespaced functions mirroring the name of WP/PHP native unslashing/sanitization functions as if they were the global functions.
    This will prevent some false negatives.
  • The method will now recognize map_deep() for sanitizing an array via a callback to a sanitization function. This should prevent false positives.
  • The method will now recognize stripslashes_deep() and stripslashes_from_strings_only() as valid unslashing functions. This should prevent false positives.
    All these fixes affect both the WordPress.Security.ValidatedSanitizedInput and the WordPress.Security.NonceVerification sniff.
• Various bugfixes for the Sniff::is_validated() method:
  • The method did not verify correctly whether a variable being validated was the same variable as later used which could lead to false negatives.
  • The method did not verify correctly whether a variable being validated had the same array index keys as the variable as later used which could lead to both false negatives as well as false positives.
  • The method now also checks for usage of array_key_exist() and key_exists() and will regard these as correct ways to validate a variable. This should prevent some false positives.
  • The methods will now recognize the null coalesce and the null coalesce equal operators as ways to validate a variable. This prevents some false positives.
    The results from the WordPress.Security.ValidatedSanitizedInput sniff should be more accurate because of these fixes.
• A potential "Undefined index" notice from the Sniff::is_assignment() method.

2.0.0

Important information about this release:

WordPressCS 2.0.0 contains breaking changes, both for people using custom rulesets as well as for sniff developers who maintain a custom PHPCS standard based on WordPressCS.

Support for PHP_CodeSniffer 2.x has been dropped, the new minimum PHP_CodeSniffer version is 3.3.1.
Also, all previously deprecated sniffs, properties and methods have been removed.

Please read the complete changelog carefully before you upgrade.

If you are a maintainer of an external standard based on WordPressCS and any of your custom sniffs are based on or extend WPCS sniffs, please read the Developers Upgrade Guide to WordPressCS 2.0.0.

Changes since 2.0.0-RC1

Fixed

• WordPress-Extra: Reverted back to including the Squiz.WhiteSpace.LanguageConstructSpacing sniff instead of the new Generic.WhiteSpace.LanguageConstructSpacing sniff as the new sniff is not (yet) available when the PEAR install of PHPCS is used.

Changes since 1.2.1

For a full list of changes from the 1.2.1 version, please review the following changelog:

• https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/releases/tag/2.0.0-RC1