#7065 closed enhancement (fixed)
Add additional notice to the Plugin Submission form
| Reported by: | lukecarbis | Owned by: | dd32 |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Component: | Plugin Directory | Keywords: | |
| Cc: | | | |
Description
Currently the plugin submission form includes a notice that shows how many plugins are awaiting review, and the current wait time.
Given that our wait times are currently very long, I propose adding a secondary notice to this page, with text along these lines:
We are currently experiencing long delays in plugin review times. To help us approve your plugin sooner, please ensure that you have read the Security chapter of the Plugin Handbook.
Our three most common reasons for not approving a plugin are:
- The plugin contains unescaped output: Learn about Escaping Data
- The plugin accepts unsanitized data: Learn about Sanitising Data
- The plugin processes form data without a nonce: Learn about Nonces
If the code in your plugin falls into one of the above categories, your plugin will not be approved. The plugin review team will refer you back to these Handbook pages, adding further delay to the review process.
It's my hope that this type of notice will reduce the number of submissions that require multiple reviews.
Attachments (1)
Change History (8)
This ticket was mentioned in Slack in #meta by courtneyengle.
16 months ago
#2
16 months ago
- Component changed from General to Plugin Directory
- Type changed from feature request to enhancement
#3
16 months ago
Part of me thinks this won't actually help, as all submitters say they've read the handbook, and well, obviously they haven't fully grokked it if they have (based on reviewing the code that's often submitted).
For many developers, simply telling them to verify it isn't good enough, unless you specifically point out the code in question of theirs that is lacking it.
Even the best developers will miss some best practices sometimes; that's half the point of reviews.
Most developers are also submitting their plugin after developing it, not during. As a result, reminding them at submission time doesn't seem like it'll be hitting them at the right time, unless you can tell them "you're doing it wrong!" right then and there.
While I'm not against adding such a notice, I question if it'll achieve the intended goals. In my opinion, encouraging testing using https://github.com/WordPress/plugin-check would be a better way forward, although we currently don't suggest it because it's not yet "released".
#4
16 months ago
Given the cost of implementing such a notice versus the potential benefit of at least jogging a few into action, then I feel that it should be tried. Then measured if there is an impact (if possible).
My idea is to add a few checkboxes (maybe mandatory radio boxes default to not set) so there is some interaction, with some common issues, e.g.:
Yes No
() () I have checked all user input is sanitized at first possible time (link to article on how to use PHPCS)
() () I have checked all output is escaped at the point of output (link to article on how to use PHPCS)
() () I have checked that form processes have had nonce verification (link to nonce)
() () I have written a detailed readme, including links to a public repository or and code that gets compiled (link to sample readme.txt)
() () I have checked that I am not potentially tracking user data without prior user consent
() () Some other common Gotcha
#5
5 months ago
- Owner set to dd32
- Resolution set to fixed
- Status changed from new to closed
In 13730:
#6
5 months ago
Although it's almost a year later, and the queue is almost under control, I've added an explicit FAQ callout on expediting plugin reviews (since I've seen enough emails asking for their review to skip the queue).
This is not as front-and-center as the proposed banner in this ticket, but if a plugin developer is going to read the text on the page, I figure there's as much chance of reading this as they are the alert box.
Mockup of the notice