I used the sociable plugin (like/tweet/+1 buttons). Out of extremism I tested under elinks, saw some weird empty ul/li hanging around, inspected the plugin config and then went into the code. The latest release at the time was barely beta code, large spans of dead code, copy/pasted pages-long loops that were 90% similar. Wordpress plugin pages quote millions of downloads for this plugin. Who needs quality?
This is what I love about PHP devs. Imagine how much effort it was to write that. The author may not have the chops to refactor that into something elegant, but he wanted it done and was perfectly willing to just do it the hard way and FUCKING SHIP IT, warts and all. It's easy to laugh at code after the fact, but you can't argue that a ton of people aren't finding the author's work valuable.
I think there's a false logic present in arguing that "lots of people use it, so it's ok even if it's shit." Apply this same argument to one of several poorly coded plugins that have introduced basic security vulnerabilities and had widespread adoption. I think this is even worse when there's no commitment to improving it.
I find it curious we don't necessarily aspire to quality; and I think we should. I'm not happy just FUCKING SHIPPING IT.
Since there are always bugs, all code is an opportunity for security vulnerabilities. Users take their site security into their own hands whenever they have to trust others' code, as well as trusting their own coding skills (if applicable).
But with web programming, if you're not good at it, but you have the perseverance to bash on code until it's "good enough that it works" (which is admirable, don't get me wrong), there's a very high chance it's got some major holes.
This is a real consideration to me, because I'm working to teach kids technical computer skills, including programming. If I'd teach them PHP, I'd have to wall off the server, because many of their projects are bound to be full of holes, and we can't take the chance that one of those would affect our organisation's website. It's volunteer-based, so there might not be money to get a separate hosting package. Same if I were to give them all their own WP install: some of the projects are going to be forgotten, and I'm not going to be the one making sure they're all being kept up-to-date and secure for the rest of their lifetime.
And that's a cool article you linked. I already knew it, but for those who don't: it's worth reading, check it out!
Sure, can't refute that. However it's the same mentality that allows the same, basic vulnerabilities to persist throughout the years. The code basically works so sod it, who cares.
Of course, I fall short of offering a solution, because there is none that doesn't imply writing bug-free code (impossible if it's not trivial); spending inordinate amounts of our spare time vetting this code; or otherwise stopping people from learning in the first place. The other one is to tell people not to use these plugins, or to be more careful, but they need to know what's currently 'safe' and what isn't.
I just don't like the mindset that 'shipping' code is the be-all and end-all when as masters of our craft (hyperbolic?) we should at least aspire to more than 'good enough' or 'working', even if it's unattainable.
I'm reminded of one of my favourite programming blog posts ever, "Slumming with the BASIC programmers" [http://prog21.dadgum.com/21.html]. I reread it every so often, just so that I keep that perspective in mind.