Posts by bitfade

2017 posts
  • Has referred 50+ members
  • Has sold $750,000+ on Envato Market
  • Has collected 10+ items on Envato Market
  • Elite Author: Sold more than $75,000 on Envato Market
+8 more
bitfade
says

A good example is how WordPress handles the default text widget (wp-includes/default-widgets.php):

stripslashes( wp_filter_post_kses( addslashes($new_instance['text']) ) );

That happens when the widget text field is updated and not when rendered, so there’s no late escaping. According to TF rules, it should be soft rejected because of its code:

echo $args['before_widget'];
if ( ! empty( $title ) ) {
    echo $args['before_title'] . $title . $args['after_title'];
} ?>
<div class="textwidget"><?php echo !empty( $instance['filter'] ) ? wpautop( $text ) : $text; ?></div>
<?php
echo $args['after_widget'];
Please perform a global search for “echo $” and you will see several issues.
bitfade
says

Since the above is a common soft rejection rule for WordPress themes, I’d like to know how to deal with HTML content. For instance, a page builder HTML editor block or a textarea field in a mbox/custom widget.

Do I really need to “late escape” everything? Always? Even core WordPress functions?

.... while the original author of a particular piece of code may know exactly where they’ve already escaped their output and/or it’s convenient to trust a WordPress core function’s escaping, it’s much, much faster and more reliable for our reviewers to check for “late escaping”.
Fair enough for simple escaping like URLs/attributes. However, when it comes to HTML content, one would use wp_kses functions but

Note that the kses system can be resource-intensive, and should therefore not be run as an output sanitization filter directly, but as a filter to data after it has been input and processed, before it is saved in the database. WordPress runs kses on the pre_comment_content filter, for example, to filter the HTML before saving the comment.
So which one of the two?
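
The two approaches weighed in the posts above, shown side by side in one widget: HTML filtered with kses when the settings are saved, and every value escaped again where it is echoed. This is an added example, not code from the original posts or from WordPress core; the class name Example_Html_Widget and its field names are hypothetical.

```php
<?php
// Added example. Example_Html_Widget and its field names are hypothetical.
class Example_Html_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'example_html_widget', 'Example HTML Widget' );
    }

    // Input side: the HTML is filtered once, before it is stored.
    public function update( $new_instance, $old_instance ) {
        $instance          = $old_instance;
        $instance['title'] = sanitize_text_field( $new_instance['title'] );
        $instance['text']  = wp_kses_post( $new_instance['text'] );
        return $instance;
    }

    // Output side: every dynamic value is escaped where it is echoed.
    public function widget( $args, $instance ) {
        $title = isset( $instance['title'] ) ? $instance['title'] : '';
        $text  = isset( $instance['text'] ) ? $instance['text'] : '';
        echo $args['before_widget']; // sidebar markup from register_sidebar()
        if ( '' !== $title ) {
            echo $args['before_title'] . esc_html( $title ) . $args['after_title'];
        }
        // HTML content cannot go through esc_html() without losing its markup,
        // so the late-escaped form runs kses again on every render. This is the
        // per-request cost the quoted documentation note refers to.
        echo '<div class="textwidget">' . wp_kses_post( $text ) . '</div>';
        echo $args['after_widget'];
    }

    // Admin form: attribute and textarea contexts each get their own escaper.
    public function form( $instance ) {
        $title = isset( $instance['title'] ) ? $instance['title'] : '';
        $text  = isset( $instance['text'] ) ? $instance['text'] : '';
        printf(
            '<p><input class="widefat" name="%s" type="text" value="%s"></p>',
            esc_attr( $this->get_field_name( 'title' ) ),
            esc_attr( $title )
        );
        printf(
            '<p><textarea class="widefat" rows="8" name="%s">%s</textarea></p>',
            esc_attr( $this->get_field_name( 'text' ) ),
            esc_textarea( $text )
        );
    }
}
add_action( 'widgets_init', function () { register_widget( 'Example_Html_Widget' ); } );
```
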
bitfade
says

The first thing I do before submitting a theme is to eliminate those warnings. I’m not judging anyone, I know that sometimes we can miss some requirements or think that something is not required. But for me that rule is clear and I’m not including any CPT in a theme since the first announcement.
Rules are not open to interpretation: you either comply or not and every theme that doesn’t must be rejected.

The Plugin_Territory class was added to the theme check plugin around 5 months ago and themes failing those checks have been approved in the meantime. That was because phase 2 was put on hold and there was no official announcement stating the opposite.

bitfade
says

Yes it’s there.
The check you mention is included in the original plugin used for wp.org themes and has never been a hard requirement until now.

Phase 2 was supposed to add CPT rules, the last official info about it (11 months ago):


Phase 2 requirements is currently on hold while we bring additional resources into the team. We will notify the community once a proper plan is in place. Thanks!

I didn’t see any announcement.

bitfade
says

It almost has no documentation although the rest of WordPress codes / files are quite well documented.
True, that’s why I decided to share the code. The only way to figure out how the thing works is by digging into the source JavaScript files, which can be quite tedious and time consuming.
bitfade
says

This was a recent pain in the a.. so decided to share some code in case somebody else had the misfortune of trying to do the same….

Goal was to use the native WordPress media uploader code to create a custom dialog that would be used for adding multiple images to a metabox (or page builder) field

Here’s a video showing what I’m blabbing about

Relevant javascript code

bitfade
says

Just realized from February the Envato APIs changed how the “amount” field works (“statement” call)

Example here

The problem is that you cannot compute how much you earned from a sale anymore because there’s no way to link a “Sale” record to its “Author Fee” record (date can be off by 1s and won’t be reliable anyway since you could have 2 different items sold at the very same time)

To solve that, APIs should include an “Order ID” field for each record (“IVIPXXXXX” value). I really hope this gets fixed ASAP (the “Order ID” field is present in the CSV) because this change made it impossible to compute earnings using APIs.

bitfade
says

The big issue is that 10% of buyers are abusing the support, the “ask first, read docs / try to do it yourself later” attitude. We have users with hundreds of posts in our support forum up to the point we had to do something about it.

So we introduced a rule: “1 question per thread” and have a queue which takes into account the threads count first and the post date last: the more you ask, the less priority you get.

And it works because abusers are penalized by the system by getting longer and longer response times up to the point their questions will not be answered anymore.

bitfade
says

After looking at all of the data, it seems Envato’s original support plan (6 months, 3 day response time) was right on the mark.
Sure it’s a great plan to switch from the current “support not included” where 70% of the buyers think it is and 36% feel authors should answer as many questions as they need to a “6 months mandatory support” + paid support packages where (some) buyers will want us to do everything because “I paid (insert a ridiculously low amount here) for it”.
bitfade
says

36% of TF buyers (highest value) right now expect a fair amount of support queries to be “as many as I need”. Now, think for a moment what will happen with mandatory/paid support.

Then I saw when the Lamb broke one of the seven seals, and I heard one of the four living creatures saying as with a voice of thunder, “Come.” I looked, and behold, a white horse, and he who sat on it had a bow; and a crown was given to him, and he went out conquering and to conquer.