facetwp / use-child-theme Goto Github PK

Disclaimer: super, super nitpicky detail – I understand if it's not worth bothering with

I was initially confused because the screencast shows the notice appearing on Appearance —> Themes, but in reality the notice only shows on Appearance —> Editor.

Hi,

I just want to check if this project is still on. I haven't received any answer to my previous suggestions, that's why I'm asking.

Thanks and regards,

Oliver

I would recommend escaping the following in: https://github.com/FacetWP/use-child-theme/blob/master/use-child-theme.php#L52-L78

More details:

• http://security.stackexchange.com/a/11989
• http://www.acunetix.com/websitesecurity/cross-site-scripting/
• https://vip.wordpress.com/2015/03/25/preventing-xss-in-javascript/

There's also another method as well: https://github.com/Automattic/theme-tools/blob/master/jetpack-dependency-script/plugin-enhancements.php#L234-L269

P.S. I had bit more time today :)

Right now, the script uses file_put_contents(). This would fail the WordPress.org Theme Check. I imagine it'll fail ThemeForest's check too. If the intention is to add this to themes, you'd want to make sure the code would pass at those two places.

Here's a link to the WP Filesystem API: https://codex.wordpress.org/Filesystem_API

FWIW as a WordPress theme review admin, I doubt we'd allow this type of script within themes in the directory. It'd probably fall under what we consider "plugin territory". However, if you want to make a case for allowing it in themes, you'll want to make sure it's using the Filesystem API.

As far as I know, there should be only 1 text domain used in a WordPress theme.

So, I suggest renaming the text domain in the script from use-child-theme to parent-theme-slug (or similar) and making a note in description that theme developer should change this text domain to match the (parent) theme (where this script is included) slug.

What do you say?

PS: I'm not really a fan of modifying scripts included in the theme, but this is the only way we can resolve this issue I think.

This isn't a recommended usage:

include( dirname( __FILE__ ) . '/use-child-theme.php' );

Option A:
include get_template_directory() . '/use-child-theme.php';

Option B:
require get_template_directory() . '/use-child-theme.php';

I haven't looked through all the code yet but I do see it moves over the theme_mods - great! That's something a lot of the child theme generators miss. Nice work ;)

Hi Matt,

I created a blank wp install. Uploaded the plugin into the plugins folder and activated it. I guess it then should work and give me the option in the themes area.

But nothing shows. What am i missing here?

The file (plugin) is loaded.

Best regards,
BackuPs

For themes that enqeue the parent theme style, this code added to functions.php means that the parent theme's style.css file will be loaded twice:

function child_enqueue_styles() {
    wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );
}
add_action( 'wp_enqueue_scripts', 'child_enqueue_styles' );

I'm not sure how you account for different methods that themes use to load styles though, so I don't have any brilliant ideas on how to best handle this.

When using this class inside a theme, theme authors will want to localize the strings with their text domain to provide unified translations.

I suggest providing a filter that will allow theme authors to override the text domain without hacking into this class.