There was a point in my life as a web developer when I pushed for strict HTML coding standards. It would peeve me to death to know that a popular website did not pass W3C coding standards. So six years ago, I released a plugin called “Validated” which would check every page and post URL on your site against the W3C Validator tool. It was handy for the stricter developers out there. In fact, it was downloaded over 4,000 times.
But although the plugin was handy, it had many issues; so many that as I look at the code today, I become flushed with embarrassment.
So what was wrong with it?
- Direct database queries without limits – Instead of using the get_permalink() function, I queried the freakin’ database directly and retrieved the GUID! If a site had thousands or even millions of posts/pages, it would be doomed. (Allan silently sobs.)
- The URL sent to the file in the plugins folder was neither sanitized nor validated – This opened the door wide to cross-site scripting vulnerabilities. (Allan bangs head on desk… hard.)
- The plugin page would send every page/post GUID URL to the W3C Validator, all at once.
- The checking functionality used raw cURL calls instead of the WP HTTP API.
- None of the echoed output was escaped.
Thankfully, last night I had a chance to redeem myself!
Knowing everything that was wrong with the plugin, I took an hour and completely redid it. The plugin now uses the correct WordPress functions and APIs, nonces and output escaping, and follows the WordPress Coding Standards.
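To make the difference concrete, here is an added example (written for this post, not code from the Validated plugin itself) that puts the old pattern next to the fixed one in WordPress PHP: an unbounded raw query returning GUIDs and an unsanitized, unescaped request parameter on one side; get_permalink(), a bounded get_posts() batch, a capability check and nonce, esc_url_raw()/wp_http_validate_url() on the input, wp_remote_get() instead of cURL, and esc_html()/esc_url() on every echo on the other. The function names, the text domain, the nonce action name and the validator endpoint and query parameter names are assumptions for illustration; check the endpoint details against the validator's current documentation before relying on them.

```php
<?php
/**
 * Added example, not the Validated plugin's own code.
 * All names below (validated_example_*, the text domain, the nonce action,
 * the validator endpoint and its parameter names) are assumptions.
 */

// BEFORE: the anti-patterns described in the post.
function validated_example_before() {
    global $wpdb;
    // Unbounded raw query, and the GUID is not guaranteed to be a usable URL.
    $rows = $wpdb->get_results( "SELECT guid FROM {$wpdb->posts} WHERE post_status = 'publish'" );
    foreach ( $rows as $row ) {
        echo '<a href="' . $row->guid . '">' . $row->guid . '</a><br />'; // unescaped
    }
    // Reflected XSS: the request parameter lands in the page untouched.
    echo 'Checking: ' . $_GET['url'];
}

// Form for the hardened version; wp_nonce_field() emits the nonce that
// validated_example_after() verifies.
function validated_example_form() {
    echo '<form method="get" action="">';
    wp_nonce_field( 'validated_example_check', 'validated_example_nonce' );
    echo '<input type="url" name="url" value="" />';
    echo '<button type="submit">' . esc_html__( 'Validate', 'validated-example' ) . '</button>';
    echo '</form>';
}

// AFTER: WordPress APIs, nonce, sanitized input, WP HTTP API, escaped output.
function validated_example_after() {
    // 1. Only privileged users, and only with a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'validated-example' ) );
    }
    check_admin_referer( 'validated_example_check', 'validated_example_nonce' );

    // 2. Bounded retrieval through the API instead of raw SQL; page in batches.
    $post_ids = get_posts( array(
        'post_type'      => array( 'post', 'page' ),
        'post_status'    => 'publish',
        'posts_per_page' => 50,
        'fields'         => 'ids',
    ) );
    foreach ( $post_ids as $post_id ) {
        $permalink = get_permalink( $post_id ); // the real URL, not the GUID
        echo '<a href="' . esc_url( $permalink ) . '">' . esc_html( $permalink ) . '</a><br />';
    }

    // 3. Sanitize and validate the submitted URL before using it anywhere.
    $url = isset( $_GET['url'] ) ? esc_url_raw( wp_unslash( $_GET['url'] ) ) : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_die( esc_html__( 'Invalid URL.', 'validated-example' ) );
    }

    // 4. WP HTTP API instead of raw cURL. Endpoint and parameter names are
    //    assumptions; verify them against the validator's documentation.
    $endpoint = add_query_arg(
        array( 'doc' => $url, 'out' => 'json' ),
        'https://validator.w3.org/nu/'
    );
    $response = wp_remote_get( $endpoint, array( 'timeout' => 15 ) );
    if ( is_wp_error( $response ) ) {
        echo '<p>' . esc_html( $response->get_error_message() ) . '</p>';
        return;
    }

    // 5. Escape everything that is echoed, including the remote response.
    $code = (int) wp_remote_retrieve_response_code( $response );
    $body = wp_remote_retrieve_body( $response );
    echo '<p>' . esc_html( sprintf( 'Validator responded with HTTP %d for %s', $code, $url ) ) . '</p>';
    echo '<pre>' . esc_html( $body ) . '</pre>';
}
```

Hooking validated_example_form() and validated_example_after() into an admin page with add_menu_page() is left out for brevity. The two points worth noting for a reviewer are that check_admin_referer() and current_user_can() run before any query or remote call, so a forged or unauthenticated request never reaches the validator, and that the validator's response body is treated as untrusted and escaped like any other output.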
So if you are strict about your HTML, please download the Validated Plugin today.
(Disclaimer: You may have noticed that this blog does not pass W3C validation. This is due to the Jetpack plugin and the social sharing options that come with it.)