Hello,
we are in the process of uploading a new theme and have received a new type of soft reject:
fopen, file_put_contents, file_get_contents, fclose, curl_exec, curl_init, base64_encode, etc. are no longer allowed.
The reason being: security. While we do understand, some features do require those functions. Example being the Vimeo API, which requires the use of file_get_contents to get the video images.
We also used base64_decode because we used the textarea_raw_html element of Visual Composer. That means we cannot use the functionality of the most popular plugin on CodeCanyon, which seems a bit funny.
One solution the reviewer mentioned is to move everything to a plugin. But is that really a solution? That does not seem to make it any more secure.
What do you guys think? Do you have any other solutions or do you still use the above PHP functions?
Migrating code which has security issues into a plugin is not a solution for the end user. You must develop both theme and plugins hack-proof. Only for base64 you should create a function in a plugin and use it in the theme.