
envato-theme-check's Introduction

Envato Theme Check

Plugin Name: Envato Theme Check

Author: Scott Parry

Author URI: https://scottparry.co/

Plugin URI: https://github.com/envato/Envato-Theme-Check

License: GPLv2

License URI: https://www.gnu.org/licenses/gpl-2.0.html

Description

The Envato Theme Check is a modified fork of the original Theme Check by Otto42 with additional Envato specific WordPress checks.

It is an easy way to test your theme and make sure it's up-to-date with the latest Envato review standards. With it, you can run all the same automated testing tools on your theme that Envato Reviewers use for WordPress theme submissions.

The tests are run through a simple admin menu and all results are displayed at once. This is very handy for theme developers, or anybody looking to make sure that their theme supports the latest WordPress theme standards and practices.

Frequently Asked Questions

Do I need to address WARNINGS and INFO notices?

It is strongly recommended that WARNING, RECOMMENDED and INFO notices be resolved if possible. Some may be the result of an issue that is cause for rejection (Reviewers make this decision).

What do I do if I find a bug, or think something is wrong with the plugin?

You can submit an issue directly here: https://github.com/envato/envato-theme-check/issues

envato-theme-check's People

Contributors

dedalx, ivorpad, josephgabito, nyordanov, scottparry, simpson-ross, stephen-cronin, sungraizfaryad, viraptor


envato-theme-check's Issues

How do I use this? Not available in the plugin directory of WordPress.

This may be a silly question. However, I cannot find a way to install and use Envato Theme Check.

I searched for Envato theme check in the WordPress plugin directory. Could not find an entry for it.

The readme section in the GitHub repo did not contain any details either.

How do I do this? I only have the default "Theme Check" from WordPress installed at the moment. I am not sure what else to do. Please help.

Found add_meta_boxes in the theme.

WARNING: Found add_meta_box in the file framework/page-options/general.php. Custom meta box functions are allowed for design only. Ensure this is a valid use case.

I get this warning after checking my theme using the Envato Theme Check plugin, but I cannot resolve this issue. Please tell me about this warning and help me to resolve it.

false positive on mkdir

Hi Guys,

What is wrong with using $wp_filesystem->mkdir? I get a false positive on that and the advice to use wp_mkdir_p(), but that does not have the ability to parse $chmod (the permissions as an octal number), which I need to create a directory and set the permissions! It is definitely not PHP's mkdir! It is from the WordPress filesystem. It can't be wrong to use that.

Please advise!

Check unescaped translations

This is not an issue, but a suggestion - I noticed that reviewers also check translation escaping, but this plugin doesn't detect this. I guess now reviewers search for " __(", ".__(" etc. manually, it would be great if plugin showed the REQUIRED error for any __( or _e( occurrence without preceding "esc_html", "esc_attr" and other WordPress escaping prefixes. Thanks.

Text domain check failed inside _n() function with array value used

PHP:

echo esc_html( sprintf( _n( '%s comment', '%s comments', $args['comments_number'], 'my_domain' ), $args['comments_number'] ) );

The parser thinks comments_number is the text domain.

More than one text-domain is being used in this theme. This means the theme will not be compatible with WordPress.org language packs.
The domains found are my_domain, comments_number

This one works fine:

$comments_number = $args['comments_number'];

echo esc_html( sprintf( _n( '%s comment', '%s comments', $comments_number , 'my_domain' ), $comments_number  ) );

Plugin is not reporting all problems

Hi,

I'm using this plugin for a compatibility badge on Envato. However, I noticed some issues.

I sent a theme to be checked with no problems on my end. I used the latest version from GitHub. The person who reviewed the code sent me a screenshot with a bunch of issues (all are about escaping a print $variable).

I deleted the plugin, reinstalled it, and now I see those errors. I fixed the new problems, but during a code review I spotted some issues that should be reported by the plugin (again, all are about escaping variables).

Here is a piece of code with "problems"

<div class="floor_title">'.$plan_name.'</div>
<div class="floor_light_desc">'.$plan_desc.'</div>
<div class="floor_details">'.$plan_size.'</div>
<div class="floor_details">'.$plan_rooms.'</div>
<div class="floor_details">'.$plan_bath.'</div>

Again, the above code is in my current theme and no warning is triggered. Is this a known issue, and is there something I can do to make sure I get all the errors reported?

Thank you

add_menu_page() should be allowed

The following errors exist:

REQUIRED: Themes should use add_theme_page() for adding admin pages.
Line 15: add_menu_page(

REQUIRED: Themes should use add_theme_page() for adding admin pages.
Line 26: add_submenu_page(
Line 32: add_submenu_page(

but add_theme_page() adds menu items under "Appearance" menu only which is usually not desirable as theme options are usually a mix of "appearance" options and other options.

Suggested fix:
Remove this requirement altogether. (If not, then this would qualify for info label rather than recommended or required.)

Multiple Domain Found Issue

Hi,
There is a bug in the plugin. When it checks the domains, the array_unique function just removes the duplicate values, not the empty ones. So it is causing the issue and displaying a false warning. Here is the full array before array_unique is applied: https://jmp.sh/4oMlQx5 So please add a check which also removes the empty values. You can use array_filter after array_unique, as I implemented here: https://jmp.sh/VZTJNLA
Thanks
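A worked illustration of the two text-domain reports above ("Text domain check failed inside _n() function with array value used" and "Multiple Domain Found Issue"). This is an added example, not code from the plugin or from either reporter: the string-counting heuristic is an assumed reconstruction of the symptom (not the plugin's actual regex), and the function table, sample theme code and names are constructed.

```python
import re

# Translation functions -> (number of leading message strings, index of the text-domain argument).
I18N_FUNCS = {"__": (1, 1), "_e": (1, 1), "esc_html__": (1, 1), "esc_html_e": (1, 1),
              "esc_attr__": (1, 1), "esc_attr_e": (1, 1), "_n": (2, 3)}
CALL_RE = re.compile(r"(?<!\w)(" + "|".join(sorted(map(re.escape, I18N_FUNCS), key=len, reverse=True)) + r")\s*\(")
STRING_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")

def call_arguments(src, open_paren):
    """Split the argument list starting at `open_paren` on top-level commas, skipping nested brackets and strings."""
    args, buf, depth, i = [], [], 0, open_paren + 1
    while i < len(src):
        c = src[i]
        if c in "'\"":                      # copy a quoted literal whole, so commas/brackets inside it are ignored
            s = STRING_RE.match(src, i)
            end = s.end() if s else i + 1
            buf.append(src[i:end]); i = end; continue
        if c in "([": depth += 1
        elif c in ")]":
            if depth == 0: break            # closing paren of the call itself
            depth -= 1
        if c == "," and depth == 0:
            args.append("".join(buf).strip()); buf = []
        else:
            buf.append(c)
        i += 1
    args.append("".join(buf).strip())
    return args

def literal(arg):
    """Contents of `arg` if it is exactly one quoted string literal, else None."""
    m = STRING_RE.fullmatch(arg)
    return None if m is None else (m.group(1) if m.group(1) is not None else m.group(2))

def domains_naive(src):
    """Reconstruction of the reported symptom (assumed, not the plugin's code): count quoted strings instead of
    arguments, so every string after the message strings is taken as a domain ('comments_number' comes from
    $args['comments_number']) and a call without one contributes '' - the empty entry array_unique() alone keeps."""
    found = []
    for m in CALL_RE.finditer(src):
        n_messages, _ = I18N_FUNCS[m.group(1)]
        strings = [a or b for a, b in STRING_RE.findall(" ".join(call_arguments(src, m.end() - 1)))]
        found.extend(strings[n_messages:] or [""])
    return found

def domains_by_argument(src):
    """Only the argument in the domain slot counts, and only when it is a non-empty string literal."""
    found = set()
    for m in CALL_RE.finditer(src):
        _, domain_idx = I18N_FUNCS[m.group(1)]
        args = call_arguments(src, m.end() - 1)
        dom = literal(args[domain_idx]) if domain_idx < len(args) else None
        if dom:
            found.add(dom)
    return found

# Constructed sample: the _n() call from the issue plus one normal and one domain-less call.
SAMPLE = """<?php
echo esc_html( __( 'Hello', 'my_domain' ) );
echo esc_html( sprintf( _n( '%s comment', '%s comments', $args['comments_number'], 'my_domain' ), $args['comments_number'] ) );
echo esc_html( __( 'Untranslated' ) );
"""
```

On SAMPLE the naive list holds three distinct values (my_domain, comments_number and an empty string), which is exactly the "more than one text-domain" condition, while the argument-aware version reports only my_domain.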

TGMPA warning issue

Hi there,
It's important to use TGMPA for plugin installation, but when I add it within a theme directory this theme check fork always gives an error. What should I do in that case? We're getting products rejected for this issue as well. You should update the script for that too.

Line number of the errors will be an added advantage.

The plugin checks for all errors etc.; however, it would be useful to know the exact line where the error has occurred. For example, the plugin plainly reports the multiple text domain usage with just the text strings that are in question. It would be great if it could also show the filename and line number.

It can be useful if a verification method is integrated to check only unsafe and/or unreliable global variables

Hello,

Please provide detailed information about how we can remove this error with Theme Check and WPCS.

  • It can be useful if a verification method is integrated to check only unsafe and/or unreliable global variables.

WARNING: Found $_SERVER in the file base-functions.php. PHP Global Variable found. Ensure the context is safe and reliable.
Line 693: $protocol = ( ! empty( $_SERVER['HTTPS'] ) && 'off' !== $_SERVER['HTTPS'] || isset( $_SERVER['SERV

https://i.imgur.com/lmEKnSm.png

Thanks

echo $output; WPBakery templates

WARNING: Found echo $ in the file vc_templates/vc_custom_heading.php. Possible data validation issues found. All dynamic data must be correctly escaped for the context where it is rendered.
Line 77: echo $output;

Is escaping needed in functions and vc_templates files? These are not theme files, but they are included in theme folders.

Thanks

Pass Theme Check plugin but not pass Envato Theme Check plugin

Our theme has been published for over 2 years on ThemeForest and now we are submitting an updated version. We checked with the Theme Check plugin (latest version, released 4 weeks ago); it works well, with no WARNING and no RECOMMENDED notices: https://prnt.sc/oy5u1n. But your review team just rejected our theme update with so many errors: https://envato.d.pr/lljD7e
I see your plugin's last commit was 7 months ago. Could you please update your plugin to follow the new version of the plugin: https://wordpress.org/plugins/theme-check/

Thanks

False positive for mail function checks

Hi guys,

This plugin has many false positives when checking the theme. The example for this ticket is the following warning:

"WARNING: Found mail in the file theme-functions.php. Mail functions are plugin territory."

This rule should check if the actual mail function is used instead of searching for every "mail" word in the theme.

In our latest theme, we are using the mail word in various locations:

"User email" , form inputs that have the "mail" type, etc.

Can you restrict this check to only search for actual mail() functions instead of the generic mail word?

"file_get_contents" needed for WordPress installation using FTP

$wp_filesystem should not be used for every single bit of file operation.

For writing it's definitely OK, but when the filesystem method isn't "direct" (like when using FTP), getting the content of a file (loading a list of Google Web Fonts and all their variants from a .json file in the dashboard, for instance) using $wp_filesystem->get_contents() will not work unless you ask for the hostname/username/password (show WP's filesystem form) on every single page load that relies on the content of a file, even if there is no need to modify it.

This also makes reading the content of a file impossible when a page of the front end is viewed by an anonymous visitor ( still on an installation using FTP ).

Customizer Check

Hi. I have a problem with theme check. It throws me the following error: "Found a Customizer setting that did not have a sanitization callback function. Every call to the add_setting() method needs to have a sanitization callback function passed.". I use the following framework to work with the Customizer API (https://github.com/smartcatdev/Acid-WordPress-Customizer-Framework). The error is triggered on line 124 of this file https://github.com/smartcatdev/Acid-WordPress-Customizer-Framework/blob/master/includes/AcidOption.php because the theme check searches for the "sanitize_callback" array key and value, and this framework loads this array item automatically when a customizer control is rendered. Thank you.

textdomain check missing file name

Please change the text domain check PHP so we get information about the file where an issue has been found. See image. Otherwise one has to spend hours searching for the correct file!

False positive for echo ( $var

Hello,

Here is warning:
WARNING: Found echo ( $ in the file...Possible data validation issues found. All dynamic data must be correctly escaped for the context where it is rendered.

Here is code:

<article id="comment-<?php comment_ID(); ?>" class="uk-comment <?php echo ( $comment->user_id > 0 ) ? 'uk-comment-primary' : ''; ?>">

As you can see, here we have a false positive because of the short "if" syntax.

cli - Text domain always fails

As reported by @Stephen-Cronin on Slack

If I run Theme Check via WP-CLI on Twenty Seventeen, it fails on the text domain with the "This theme's correct slug and text-domain is ." message. If I run it via the WP backend it's fine.

Ignore .git folder

A lot of developers use GitHub for theme development, and oftentimes the .git folder prevents the theme check from running due to memory limit issues. It would be good to have a list of excluded folders that aren't checked, with a filter we can hook into if we want to include sass folders and anything else that is removed when we run our gulp build.

Thanks!

Errors

WARNING: Found remove_filter( in the file theme-init.php. Themes should not remove core filters. Ensure this is a valid use case.
Line 243: remove_filter( 'the_excerpt', 'wpautop' );
Line 258: remove_filter( 'get_search_form', 'cursornt_header_search_form_new' );

WARNING: Found remove_filter( in the file tgm.php. Themes should not remove core filters. Ensure this is a valid use case.
Line 898: remove_filter( 'upgrader_source_selection', array( $this, 'maybe_adjust_sou
Line 2984: remove_filter( 'upgrader_source_selection', array( $this->tgmpa, 'maybe_adj
Line 3418: /* [TGMPA - ] remove_filter('upgrader_clear_destination', array($this, 'delete_old_plugin
Line 3421: remove_filter( 'upgrader_post_install', array( $this, 'auto_activate' ), 10
Line 3446: remove_filter( 'upgrader_post_install', array( $this, 'auto_activate' ), 10

WARNING: Found remove_filter( in the file aq_resizer.php. Themes should not remove core filters. Ensure this is a valid use case.
Line 118: if ( true === $upscale ) remove_filter( 'image_resize_dimensions', array( $this, 'aq_upscale' ) );

REQUIRED: Found is_plugin_active( in the file theme-init.php. is_plugin_active() is not reliable. Use function_exists() or class_exists() instead.
Line 532: if ( is_plugin_active('easy_installer/init.php') ) {
Line 540: if ( is_plugin_active('wordpress-importer/wordpress-importer.php') ) { ?>

REQUIRED: Found is_plugin_active( in the file tgm.php. is_plugin_active() is not reliable. Use function_exists() or class_exists() instead.
Line 905: if ( $this->is_automatic && ! $this->is_plugin_active( $slug ) ) {
Line 1065: } elseif ( $this->is_plugin_active( $slug ) ) {
Line 1126: if ( $this->is_plugin_active( $slug ) && false === $this->does_plugin_have_update( $slu
Line 1144: if ( ! $this->is_plugin_active( $slug ) && $this->can_plugin_activate( $slug ) ) {
Line 1800: if ( ! $this->is_plugin_active( $slug ) || false !== $this->does_plugin_have_update( $slu
Line 1831: public function is_plugin_active( $slug ) {
Line 1832: return ( ( ! empty( $this->plugins[ $slug ]['is_callable'] ) && is_callable( $this->plugins[ $slug ]['is_callable'] ) ) || is_plugin_active( $this->plugins[ $slug ]['file_path'] ) );
Line 1887: return ( ! $this->is_plugin_active( $slug ) && ! $this->does_plugin_require_update( $slug ) )
Line 2050: if ( true === $plugin['force_deactivation'] && is_plugin_active( $plugin['file_path'] ) ) {
Line 2316: if ( $this->tgmpa->is_plugin_active( $slug ) && false === $this->tgmpa->does_plugin_have_updat
Line 2407: if ( ! $this->tgmpa->is_plugin_active( $slug ) ) {
Line 3335: $maintenance = $maintenance || ( is_plugin_active( $plugin ) && isset( $current->response[ $plugin] ) );
Line 3364: $this->skin->plugin_active = is_plugin_active($plugin);
Line 3471: if ( ! is_plugin_active( $plugin_info ) ) {

False positives

  1. I got a warning and the ID is not referenced anywhere in my stylesheets.
WARNING: The theme is using `#wpadminbar`. Hiding the admin bar is not allowed.
  2. REQUIRED: The <title> tags can only contain a call to wp_title(). Use the wp_title filter to modify the output

I'm not adding anything extra to <title> tags, so this requirement shouldn't be displayed.

function theme_prefix_display_the_title() {
  ?>
    <title><?php wp_title( '|', true, 'right' ); ?></title>
  <?php
}
add_action( 'wp_head', 'theme_prefix_display_the_title' );
  3. I've also received a lot of warnings like these, and phpcs is in another directory and not part of the theme:
WARNING: fclose was found in the file wpcs/vendor/squizlabs/php_codesniffer/CodeSniffer/Reports/Gitblame.php File operations should use the WP_Filesystem methods instead of direct PHP filesystem calls.
Line 95: fclose($handle);
WARNING: fclose was found in the file wpcs/vendor/squizlabs/php_codesniffer/CodeSniffer/Reporting.php File operations should use the WP_Filesystem methods instead of direct PHP filesystem calls.
Line 245: fclose($this->_tmpFiles[$report]);
WARNING: fclose was found in the file wpcs/vendor/squizlabs/php_codesniffer/CodeSniffer/Fixer.php File operations should use the WP_Filesystem methods instead of direct PHP filesystem calls.
Line 274: fclose($fixedFile);

Theme supports

Hi,

I add theme supports using an array, to avoid duplicating the add_theme_support(...) function. The plugin doesn't recognize this; it searches for add_theme_support('exact name') instead, so this code is not recognized:

$supports=array('automatic-feed-links', 'post-thumbnails');

foreach($supports as $support) {
    add_theme_support($support);
}

It would be great if it just searched for "automatic-feed-links" and "title-tag" strings in the whole theme code, in the same way as it does for "comment-reply" string instead of searching for wp_enqueue_script('comment-reply').

Filesystem API requirement should exclude file_get_contents

The Filesystem API should be used for write operations.

Any theme or plugin that needs to write files locally should do so using the WP_Filesystem family of classes.

As stated on https://developer.wordpress.org/apis/handbook/filesystem/ .

The problem

I only need to read a file's contents. By calling WP_Filesystem() the method returned will resolve to ftpsocket if the filesystem isn't directly writeable by the PHP process. ftpsocket cannot be used without calling for request_filesystem_credentials.

This makes no sense. I only need to read a read-only file. I do not want to ask the user for any FS credentials because I do not need write permissions. The end result is that I'm annoying users with bad UX at best or introducing security holes at worst if the user feels like making the installation writeable by PHP.

The solution

Exclude file_get_contents from the checks.

Ternary operators ?: warning

We got warnings on lines like these:

echo $check ? 'yep' : 'nope';
echo ( $check ? 'yep' : 'nope' );
...

WARNING: Found echo ($ in the file ... Possible data validation issues found. All dynamic data must be correctly escaped for the context where it is rendered.
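An added example, not code from the plugin or from any of the reporters: a small statement-level checker in Python that illustrates the three escaping reports above ("Plugin is not reporting all problems", "False positive for echo ( $var" and the ternary warning here). It shows why a substring match on `echo $` both misses the `'.$plan_name.'` concatenation and over-reports ternaries whose variable only appears in the condition; the ESCAPERS allow-list, the helper names and the sample theme code are assumptions.

```python
import re

VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
STRING_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
ESCAPERS = re.compile(r"^(esc_\w+|wp_kses\w*|absint|intval)$")   # assumed allow-list of output wrappers

def echo_statements(src):
    """Yield (line_no, expression) per echo/print, cut at the first ';' outside brackets and strings."""
    for m in re.finditer(r"\b(echo|print)\b", src):
        i, depth, parts = m.end(), 0, []
        while i < len(src):
            c = src[i]
            if c in "'\"":                       # copy a quoted literal whole
                s = STRING_RE.match(src, i)
                end = s.end() if s else i + 1
                parts.append(src[i:end]); i = end; continue
            if c in "([": depth += 1
            elif c in ")]": depth -= 1
            if c == ";" and depth == 0: break
            parts.append(c); i += 1
        yield src.count("\n", 0, m.start()) + 1, "".join(parts).strip()

def blank_strings(expr):
    """Replace single-quoted literals with '' and double-quoted ones with the variables they interpolate."""
    return STRING_RE.sub(lambda s: " ".join(VAR_RE.findall(s.group(0))) if s.group(0)[0] == '"' else "''", expr)

def strip_conditions(expr):
    """Remove the condition of every `cond ? a : b` (from the start of its bracket group up to the '?')."""
    while True:
        q = re.search(r"\?(?![?>])", expr)
        if not q: return expr
        i, depth = q.start() - 1, 0
        while i >= 0:
            if expr[i] == ")": depth += 1
            elif expr[i] == "(":
                if depth == 0: break
                depth -= 1
            i -= 1
        expr = expr[:i + 1] + expr[q.end():]

def is_escaped(expr, pos):
    """True if the variable at `pos` sits inside a call to one of ESCAPERS, at any nesting depth."""
    i, depth = pos - 1, 0
    while i >= 0:
        if expr[i] == ")": depth += 1
        elif expr[i] == "(":
            if depth == 0:
                name = re.search(r"(\w+)\s*$", expr[:i])
                if name and ESCAPERS.match(name.group(1)): return True
            else: depth -= 1
        i -= 1
    return False

def find_unescaped_echo(src):
    """Return [(line_no, variable)] for variables that reach output without an escaping wrapper."""
    findings = []
    for line_no, expr in echo_statements(src):
        expr = strip_conditions(blank_strings(expr))
        for v in VAR_RE.finditer(expr):
            if not is_escaped(expr, v.start()):
                findings.append((line_no, v.group(0)))
    return findings

# Constructed sample built from the snippets quoted in the three issues.
SAMPLE = """<?php
echo $output;
echo '<div class="floor_title">'.$plan_name.'</div>';
echo $check ? 'yep' : 'nope';
echo ( $check ? 'yep' : 'nope' );
?>
<article class="uk-comment <?php echo ( $comment->user_id > 0 ) ? 'uk-comment-primary' : ''; ?>">
<?php echo esc_html( sprintf( __( '%s comments', 'my_domain' ), $count ) ); ?>
<?php echo sprintf( esc_html__( 'Hello %s', 'my_domain' ), $name ); ?>
"""
```

On SAMPLE it reports $output (line 2), $plan_name (line 3) and $name (line 9, where only the translated format string is escaped), and stays silent on both ternary lines and the fully wrapped sprintf on line 8.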

False Positive for title=""

REQUIRED: Found title="" in the file variant_templates/subscribe-video-1.php. Do not leave attributes empty.
Line 26: <div class='variant-shortcode vru' data-shortcode-name='contact-form-7' data-param-title='' data-param-id='none'>

We have a data attribute called data-param-title that is intentionally left blank for JS to handle; the plugin picks up the title="" part, creating a false positive.

admin_bar_menu replacement?

Like 99% of the themes, we use admin_bar_menu to add a menu for theme related pages and theme options.

If we cannot use it, what is the alternative?

Shouldn't 'wp_calculate_image_srcset' requirement only target the hook, not the function call?

When we run the Envato Theme Check with one of our themes, we get the following error:

REQUIRED: Found wp_calculate_image_srcset in the file inc/template-functions.php. Do not remove core functionality.

Line 251: $srcset = wp_calculate_image_srcset( $size_array, $image_url, $image_meta, $image_id

As far as I can tell, this check exists to prevent developers from disabling 'srcset'. For example, by doing something like:

add_filter( 'wp_calculate_image_srcset', '__return_false', 9999 );

But in our case, we don't override the hook, we just want to use the core wp_calculate_image_srcset function for some of our custom images.

Is it possible to change this check to allow function calls? For example to:

/wp_calculate_image_srcset(?!\s?\()/

Here is how this regex matches against a few basic test cases.

glue warning

Please fix the deprecation message:

Deprecated: implode(): Passing glue string after array is deprecated. Swap the parameters in /var/docs/server.tst/public/wp-content/plugins/envato-theme-check/checks/filenames.php on line 43

The readme needs some love

I think it's formatted to use the WordPress.org readme styles; it would be good to

  • Format for GitHub?
  • Add a changelog?

Multisite

It seems not to be working on a Multisite setup.

Thanks.

Escaped translation strings

Hi, I have a little problem. I get this: "All translatable strings must be escaped to prevent malicious code injection from a translation.", even if I use esc_html__(), esc_html_e(), esc_attr__() or esc_html( __() ). How should I escape them correctly?

Screenshot: https://prnt.sc/k9vb4c

$_SERVER not allowed? Isn't it safe?

I got an issue while checking the theme with this plugin.

WARNING: Found $_SERVER in the file template-success.php. PHP Global Variable found. Ensure the context is safe and reliable.
Line 109: $storeup_bk_user_ip = isset( sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) )
Line 110: ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'N/A';

Same with another file..

WARNING: Found $_SERVER in the file admin-interface.php. PHP Global Variable found. Ensure the context is safe and reliable.
Line 225: <form action='<?php echo esc_attr( $_SERVER['REQUEST_URI'] ) ?>' method='post' style='display:inline' id='atpf

How do I sanitize the above code?

Get a permanent error with PHP 7.4 - implode(): Passing glue string after array is deprecated. Swap the parameters

The plugin causes these errors in PHP 7.4.8 (maybe newer).
Theme testing result: REQUIRED: error_log PHP error log found.

error log:

Deprecated | implode(): Passing glue string after array is deprecated. Swap the parameters | wp-content/plugins/envato-theme-check-master/checks/filenames.php:43

Deprecated | implode(): Passing glue string after array is deprecated. Swap the parameters | wp-content/plugins/envato-theme-check-master/main.php:58

Warning (Suppressed) | opendir(/home/p316069/www/adkox.com/wp-content/plugins/Envato-Theme-Check): failed to open dir: No such file or directory | wp-admin/includes/plugin.php:296

Can you please fix it?

False positive for echo

I have code like this in my loop.php:
[screenshot: loop.php, 2018-12-11]

and the plugin sends me a WARNING like this:
WARNING: Found echo $ in the file sloop.php. Possible data validation issues found. All dynamic data must be correctly escaped for the context where it is rendered. Line 49: echo $output;

There is no chance of escaping the full content. Do I have to do something about this, or are warnings not as important as REQUIRED messages? I mean, can I pass with this type of wrong warning?

Warning issues are in framework's code

Some warning issues are in the framework's code, I think; these are secure. Without these we have a couple of issues, such as $args['before_widget'] & $args['after_widget']: if we escape those, then it stops working.

How do we solve the framework & WP core variable warnings? Could you please provide a good solution?

The plugin does not check the theme's CORE plugin

Hello,
what if my theme uses a CORE PLUGIN with a framework, and all core theme features are implemented in the framework plugin but not in the theme?
For example, I have an error: REQUIRED: Could not find comment_form
But in fact the framework plugin uses comment_form, and the theme uses the framework plugin to render it.

How can I resolve the issue?
