Hi everyone,
I just did my update and everything worked fine, the new code review / execution / signature is a good thing.
I watched the tutorial video and read the changelog, yet I dont know why I do have non-existing functions, and how to deal with them.
Can someone explain this step in more detail, so that I can safely update all of my sites? I know where I have to add this function (in the functions.php), but I dont know if I sould add them at all, when they dont exist.
Thank you 
I suppose that you have used these not existing functions (âhoverâ âget_related_postâ) somewhere in your site with the echo tag without having the underlining function defined php âŠ
Are you able to find where you used them with the select at the top of the Code Review section?
If you are able to find where you used theme you can then decide what to do
âŠ
I may be wrong , I watched the video but im on 1.9.6
same question, also wp_is_mobile natine function is neccesary add it??
Regarding the get_related_post echo it finds a template.
I think this could be connected to my Metabox Relationship Query, but I am not 100% sure.
I dont know if and why I need to add this non existing function to my functions.php.
I did click the button to add my code signatures, and the Metabox Relationship Query works without adding said filter to the functions.php
I dont find any echo function called âhoverâ - so I am not sure about that one either.
If I understood correctly since 1.9.7 custom PHP function are disabled by default, so you cannot invoke them in the â{echo:___}â if the desired function is not in the whitelist defined in bricks/code/echo_function_names.
I f this is correct the mental model from now on became:
// in funtions.php I define the custom function
function say_hello() {
return "Hello!!";
}
// in functions.php I add the function to the whitelist of the {echo} tag
add_filter( "bricks/code/echo_function_names", function () {
return [
"say_hello",
];
} );
// in the Bricks builder, now I can use it!!
{echo:say_hello}We need maintainers to provide some guidance hereâŠ
Bricks scans all your site code for those echo uses, and you have one somewhere that is echoing a function called âhoverâ. But Bricks doesnât detect that such a function is defined, therefor it marks it as âfunction does not existâ.
Part of the reason for this entire functionality is because people would be able to see if any hacks or bad code were entered in the site.
Perhaps hover was used in a page that doesnât exist, trashed, or a revision copy, or a template you donât use, etc. Or perhaps the actual hover() function was once defined in a custom plugin or plugin you no longer use.
The thing to do is try to find where that echo function is used on the site. This could be difficult if you have a ton of pages and templates. For this, I would download the database and try to text search through it to discover the page.
I donât believe Bricks could somehow have a false positive where it just makes up that it found something called âhoverâ. Thatâs not an accident, it exists somewhere in the Bricks page/template code. If you donât need it, then find and remove. If you do need it, then you have to implement the actual PHP function again.
Thanks, this is a great explanation. I get it now 
Since âhoverâ is not showing up as part of the elements, it was most likely used in a class, page settings, or template settings.
and with native functions as is_mobile() is necesary add_filter ??
@vigilante I understand that these new code review options / settings are on by default.
But are these code review settings mandatory, as in this cannot be turned off?
You donât have to use code review at all, itâs there for your convenience so you can see all the locations on the site where code is output. Very handy for quickly scanning to see if any bad content/code was added. Or if any functions are not found.
The second purpose of review is so Bricks will auto-generate the filter needed to whitelist the echo functions. Thatâs just for security because with echo you can really execute almost any command possible, itâs very powerful, so whitelisting helps secure it.
You donât have to do code signatures right now, there is a filter to bypass it, but the filter will be removed in future versions, you will have to sign code eventually.
None of this is needed if you donât use code snippets, you can leave code execution turned off entirely.
This is just how it works when we use page builders and need to use code within the builder. In the old days we would build themes directly in PHP templates so these things were never an issue. With page builders, people with access to WP, maybe even less priviledged users, can edit content or edit DB values to inject code. Much harder for malware to inject code directly in your PHP templates.
At the end of the day, if malware has admin access, they can do what they want and trash the site if they want. If malware gets access to files over FTP or file editing hackware, they can do what they want. So these measures to protect builders seem a bit too âextraâ. Itâs like putting a lock on your refrigerator so that if anyone breaks into your house they canât steal your food. But if someone has already broken into your house, you got bigger issues than your stash of artisan cheeses.
Regardless, this hack allowed people to do some serious trickery and get Bricks to execute their code, even without âlogging inâ. So I guess in this analogy, the thief was able to use a long grabby arm to stick through your kitchen window and open your fridge and take your cheese. So the window had to be closed.
I understand all of that, I just need to know one thing⊠can all of this code review be turned off? If you know for sure.
I have API calls that manipulate pages, CPT data and components with echo I built myself. Some of these calls add / edit functions⊠how am I suppose to get passed this manual code review?
This is a problemâŠ
As far as I know, itâs just a convenience feature, you donât have to review anything. It doesnât make you do it.
There are a few mandatory actions though.
Explicitly turn on code execution as leaving this off is the new default.
Sign the code. You only do this once after the new update, and then again any time the WordPress salts are changed.
You need to whitelist the function names used within Bricks echo calls.
This is the not the same âechoâ that is PHPâs echo function. This is the echo function built-in to Bricks. See Dynamic Data â Bricks Academy
Since whitelisting function names is just a matter of using the filter, you could always code this into your custom code or plugin. Track the list of function names you use in an array or something, then whitelist them as part of your custom plugin/code bootstrap.
So the answer is no, you arenât required to âreviewâ. You are only required to whitelist functions used withing Bricks echo tag.
I cant go into Bricks backend and manually pre whitelist functions that arenât there yetâŠ
think Iâll have to contact support about this. thanks for your insight @vigilante
You donât whitelist them from the backend, you do it with the PHP filter. You can do that from your plugin code, child theme, snippets plugin, whatever.
The Bricks backend is only there to show people functions already being used, since this is a new feature, it helps us see functions we were already using before the update. It even generates the PHP filter code for us so we can copy it to our preferred code location.
Btw @BGdev & @vigilante, feel free to share your feedback on our proposed solutions here: WIP: Better solution for echo function name filter - #12 by MattHias