Make WordPress Themes

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#5904 closed theme (not-approved)

THEME: Clear Line - 1.1.0

Reported by: vatuma Owned by: greenshady
Priority: Keywords: theme-clear-line
Cc: vatuma@…

Description

Clear Line - 1.1.0

Clear Line is a clear and very lightweight theme. It's also highly customizable: fixed or flexible width, 8 sidebar layouts, columnar post display, 14 widget areas, an advanced options page with option inheritance and tons of options, a helpful 404 error page, and SEO-optimized markup. It natively supports SEO and pagination plugins and WordPress 3 features: header images, menus, backgrounds, post thumbnails, etc. WordPress 3+ is required. Changelog - http://vatuma.com/wordpress-themes/clear-line/change-log

Theme URL - http://vatuma.com/wordpress-themes/clear-line
Author URL - http://vatuma.com

SVN - http://themes.svn.wordpress.org/clear-line/1.1.0
ZIP - http://wordpress.org/extend/themes/download/clear-line.1.1.0.zip?nostats=1

Diff with previous version: http://themes.trac.wordpress.org/changeset?old_path=/clear-line/1.0.8&new_path=/clear-line/1.1.0

All previous tickets for this theme: http://themes.trac.wordpress.org/query?col=id&col=summary&col=keywords&col=owner&col=status&col=resolution&keywords=~theme-clear-line&order=id

https://themes.svn.wordpress.org/clear-line/1.1.0/screenshot.png

Change History (5)

comment:1 greenshady, 2 years ago

  • Owner set to greenshady
  • Status changed from new to assigned

comment:2 greenshady, 2 years ago

Textdomain

Don't use constants for the theme textdomain. Use a string instead. In a month, this will be a requirement. Read this for more info:
http://markjaquith.wordpress.com/2011/10/06/translating-wordpress-plugins-and-themes-dont-get-clever/

On that note, if you're going to load translation files, make sure the entire theme is internationalized.

Sidebars

Here's a guide on appropriately registering sidebars. It will explain everything you've done wrong.
http://justintadlock.com/archives/2010/11/08/sidebars-in-wordpress

Wrong posts showing

Don't create custom queries to overwrite the posts showing in the theme templates. The home page, using the index.php template, is not loading the correct posts in the correct. Just get rid of this and run the normal loop with no custom query. If you want to add custom queries to templates, do it within a page template.

get_template_part()

get_template_part() is not meant for including templates in sub-folders. For this, use locate_template(). Read:
http://justintadlock.com/archives/2010/11/17/how-to-load-files-within-wordpress-themes

Function names

Prefix all custom function names with something unique to your theme. For example, some_function() should be named clear_line_some_function(). This goes for global variables and constants as well.

Use wp_head

All of that extra stuff like meta and inline CSS should be hooked to wp_head rather than added to header.php.

Backwards Compatibility

There's no need for backwards compatibility checks such as function_exists('register_sidebar') and function_exists('dynamic_sidebar') since the rest of your theme isn't backwards compatible.

The theme should either be fully backwards compatible or not at all, preferably not at all so as not to encourage users to use old, insecure versions of WordPress.

CSS

<table>, <h5>, and <h6> are nearly unreadable. I suggest a larger font size.

Posts with no title

Posts with no title have no way of getting to the single view from an archive view because there's no permalink shown.

Theme Options

The theme options page doesn't even appear for me. Nevertheless, I reviewed the code and can tell you it's not up-to-par yet.

The theme options page has too many security vulnerabilities to approve this theme.

None of the options are validated or sanitized before entering data into the database nor are options escaped on output in the form elements. Theme author should read up on data validation:
http://codex.wordpress.org/Data_Validation

The settings page does no nonce checking:
http://codex.wordpress.org/WordPress_Nonces

It is also highly recommended that the theme use the Settings API, which is easier to use, more secure, and takes care of a lot of the hard work of settings pages:
http://codex.wordpress.org/Settings_API

For a good tutorial on using the Settings API, see:
http://planetozh.com/blog/2009/05/handling-plugins-options-in-wordpress-28-with-register_setting/

If you want to check out a theme with a secure and solidly-coded theme settings page, check out this theme:
http://wordpress.org/extend/themes/coraline

Drop this into any text input box and you can see an example of what a malicious script could do (don't worry, this specific script is harmless):

"<script>alert('XSS');</script>"

Review

If you have any questions about the review, please check the Theme Review guidelines or ask in the form below. I'll be happy to help out.
http://codex.wordpress.org/Theme_Review

Note that this is not a complete review. Other theme reviewers may find other issues. Please follow all the notes in the Theme Review guidelines.
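As an added illustration, not code from the Clear Line theme or from the reviewer, here is the shape of an options page that addresses the three findings in this comment: the option is registered through the Settings API with a sanitize callback, the form gets its nonce from settings_fields(), and every stored value is escaped on output. The option name, field names and the clear_line_ prefix are assumptions chosen to match the review.

```php
<?php
// Added example, not code from the Clear Line theme. Option and field names
// and the clear_line_ prefix are assumptions chosen to match the review.

// Register the option with a sanitize callback. The Settings API runs the
// callback before update_option(), so nothing reaches the database unchecked.
function clear_line_register_settings() {
    register_setting( 'clear_line_group', 'clear_line_options', 'clear_line_sanitize_options' );
}
add_action( 'admin_init', 'clear_line_register_settings' );

function clear_line_sanitize_options( $input ) {
    $clean = array();
    // Free text: strip tags and stray angle brackets, trim whitespace.
    $clean['tagline'] = isset( $input['tagline'] ) ? sanitize_text_field( $input['tagline'] ) : '';
    // Category ID for the "featured" query: force a non-negative integer.
    $clean['featured_cat'] = isset( $input['featured_cat'] ) ? absint( $input['featured_cat'] ) : 0;
    // Layout: accept only values the theme knows, fall back otherwise.
    $clean['width'] = ( isset( $input['width'] ) && in_array( $input['width'], array( 'fixed', 'flexible' ), true ) )
        ? $input['width'] : 'fixed';
    return $clean;
}

// Render the form. settings_fields() prints the nonce and hidden fields that
// options.php checks with check_admin_referer() before saving, which blocks a
// forged cross-site POST. Every stored value is escaped on output, so the
// review's <script>alert('XSS');</script> test string renders as inert text.
function clear_line_options_page() {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( __( 'You do not have permission to access this page.', 'clear-line' ) );
    }
    $defaults = array( 'tagline' => '', 'featured_cat' => 0, 'width' => 'fixed' );
    $opts     = wp_parse_args( get_option( 'clear_line_options', array() ), $defaults );
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'clear_line_group' ); ?>
        <input type="text" name="clear_line_options[tagline]"
               value="<?php echo esc_attr( $opts['tagline'] ); ?>" />
        <input type="text" name="clear_line_options[featured_cat]"
               value="<?php echo esc_attr( $opts['featured_cat'] ); ?>" />
        <select name="clear_line_options[width]">
            <option value="fixed" <?php selected( $opts['width'], 'fixed' ); ?>>Fixed</option>
            <option value="flexible" <?php selected( $opts['width'], 'flexible' ); ?>>Flexible</option>
        </select>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Registering the page in the admin menu (for example with add_theme_page() on the admin_menu hook, using a plain-string textdomain) is left out here; the point is the sanitize, nonce and escape path.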

comment:3 greenshady, 2 years ago

  • Resolution set to not-approved
  • Status changed from assigned to closed

comment:4 follow-up: vatuma, 2 years ago

Firstly I kindly ask you to insert *Required* and *Recommended* in future reviews. Also, when you write *Required*, please provide a link to the requirements on wordpress.org, not to an external URL.

Textdomain

This is not a requirement. When (and if) it becomes a requirement, the naming requirements that are missing now should most probably appear here.

Sidebars

Please explain what's wrong and why the previous versions were "right".

Wrong posts showing
Don't create custom queries...

Please link to such requirements.
I cannot get rid of custom queries because the theme is designed to show posts from a category set in options first (like featured posts).
If something is showing wrong, please point out what exactly is showing wrong.

get_template_part()

Please link to such requirements. Previous reviewers advised to use get_template_part.

Function names

Ok, but it is still not a requirement.

wp_head

Is it a requirement? Please link to it.

Backwards Compatibility

Not a requirement

CSS

Not a requirement

Posts with no title

not a requirement

Theme Options

The theme options page doesn't even appear for me

Could you please provide some details? Nothing was changed in the mechanics of displaying the options. Could you please try the version of the clear-line theme that is live now?

The theme options page has too many security vulnerabilities to approve this theme

I'll check this out. But it is quite strange that an admin would want to hack his own site.

The settings page does no nonce checking:

Ok. Is it a requirement?

It is also highly recommended that the theme use the Settings API

It's too poor. My "Settings API" has much more possibilities.

comment:5 in reply to: ↑ 4 greenshady, 2 years ago

Firstly I kindly ask you to insert *Required* and *Recommended* in future reviews. Also, when you write *Required*, please provide a link to the requirements on wordpress.org, not to an external URL.

No. I will provide you with the best review possible and will do so in a manner I deem best to help you make a better theme. Sometimes, this even means linking to an external URL. This advice is provided to educate you in the proper ways to creating safe, secure, and usable WordPress themes.

Sidebars

Please explain what's wrong and why the previous versions were "right".

Read the post I linked to, which describes these issues in full detail. Previous versions of your theme were just as incorrect as this version.

Here's that link again (in particular, scroll down and see the section labeled "bad sidebar code"):
http://justintadlock.com/archives/2010/11/08/sidebars-in-wordpress

get_template_part()

Please link to such requirements. Previous reviewers advised to use get_template_part.

Previous reviewers were incorrect. get_template_part() is not meant to get templates within sub-folders. Use locate_template() for this.
http://codex.wordpress.org/Theme_Review#Including_Files

That page links to:
http://justintadlock.com/archives/2010/11/17/how-to-load-files-within-wordpress-themes

Function names

Ok, but it is still not a requirement.

Yes, it is.
http://codex.wordpress.org/Theme_Review#Theme_Settings_and_Data_Security

wp_head

Is it a requirement? Please link to it.

No, not all of it is a requirement. It's just correct.

As for CSS, you must properly hook it in:
http://codex.wordpress.org/Theme_Review#Including_Stylesheets_and_Scripts

Backwards Compatibility

Not a requirement

It will soon be. Nevertheless, it's just bad coding practice to make parts of your theme backwards compatible but not other parts. It's useless and serves no purpose. So, who cares if it's a requirement? Do you actually care if you have a good theme?

CSS

Not a requirement

Properly displaying data from the unit tests is a requirement. This is handled via CSS.
http://codex.wordpress.org/Theme_Review#Theme_Unit_Tests

Posts with no title

not a requirement

Yes, it is. It's part of the theme unit tests:
http://codex.wordpress.org/Theme_Review#Theme_Unit_Tests

Theme Options

The theme options page doesn't even appear for me

Could you please provide some details? Nothing was changed in the mechanics of displaying the options. Could you please try the version of the clear-line theme that is live now?

The version of the theme that's live now is irrelevant. I'm reviewing the version of the theme you submitted.

Details: The theme options page doesn't show in the admin menu at all for me, so it is inaccessible. I didn't dig around enough to figure out the issue.

The settings page does no nonce checking:

Ok. Is it a requirement?

Yes.
http://codex.wordpress.org/Theme_Review#Theme_Settings_and_Data_Security

It is also highly recommended that the theme use the Settings API

It's too poor. My "Settings API" has much more possibilities.

Possibilities for being hacked? To think that your custom settings have more possibilities just shows a lack of understanding of properly coding a settings page. At your current level of knowledge, you're not prepared for such advanced code techniques. Please read all the links I provided to you on this subject. It will help you learn everything you need to know so that you may build a safe and secure settings page in the future.

If, after reading the links I gave you, you decide to build a custom settings page without the Settings API, you must do so in a secure manner.
http://codex.wordpress.org/Theme_Review#Theme_Settings_and_Data_Security
