User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.
Brings the changes in [47633], [47634], [47635], [47636], [47637], and [47638] to the 5.0 branch.
Props: aduth, batmoo, ehti, ellatrix, jorgefilipecosta, nickdaugherty, noisysocks, pento, peterwilsoncc, sergeybiryukov, sstoqnov, talldanwp, westi, westonruter, whyisjake, xknown.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@47647 602fd350-edb4-49c9-b593-d223f7449a82
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize `&colon;` on URI attributes.
wp_kses_bad_protocol() makes sure to validate that URI attributes don't contain invalid or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon HTML5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
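The message above describes an entity-encoded colon slipping past a scheme allowlist. The following is an added illustration, not WordPress's own `wp_kses_bad_protocol()` implementation: the hypothetical `example_check_uri_protocol()` decodes HTML entities (including HTML5 named ones such as `&colon;`) and strips whitespace before it looks for the scheme, and the constructed samples at the bottom show why that order matters.

```php
<?php
// Added example; not WordPress's own code. Shows why a protocol allowlist must
// decode HTML entities (numeric, hex and HTML5 named ones such as &colon;)
// before it locates the scheme of a URI attribute.

/**
 * Returns $uri unchanged if it is relative or its scheme is in $allowed,
 * or an empty string if the scheme is not allowed.
 */
function example_check_uri_protocol( string $uri, array $allowed ): string {
    // Decode until stable: a double-encoded value decodes to a single-encoded
    // one first, and ENT_HTML5 is what makes &colon; (and &Tab;, &NewLine;) decode.
    $decoded = $uri;
    for ( $i = 0; $i < 5; $i++ ) {
        $next = html_entity_decode( $decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
        if ( $next === $decoded ) {
            break;
        }
        $decoded = $next;
    }
    // Browsers ignore control characters and whitespace inside a scheme; drop them.
    $stripped = preg_replace( '/[\x00-\x20\x7f]+/', '', $decoded );
    // No colon at all means a relative URL: nothing to check.
    $pos = strpos( $stripped, ':' );
    if ( false === $pos ) {
        return $uri;
    }
    $scheme = strtolower( substr( $stripped, 0, $pos ) );
    // A scheme is an RFC 3986 token; a colon inside a path ("/docs/time:12")
    // does not make a scheme, so such values are relative URLs too.
    if ( ! preg_match( '/^[a-z][a-z0-9+.\-]*$/', $scheme ) ) {
        return $uri;
    }
    return in_array( $scheme, $allowed, true ) ? $uri : '';
}

// Constructed sample inputs: value => whether it should survive the check.
$allowed = array( 'http', 'https', 'mailto' );
$samples = array(
    'https://example.com/page'      => true,  // allowed scheme
    'mailto:user@example.com'       => true,  // allowed scheme
    '/docs/time:12'                 => true,  // relative URL, colon in path
    'javascript:alert(1)'           => false, // disallowed scheme
    'javascript&colon;alert(1)'     => false, // HTML5 named entity for ':'
    'java&#115;cript&#x3A;alert(1)' => false, // numeric and hex entities
    "java\tscript:alert(1)"         => false, // whitespace inside the scheme
);
foreach ( $samples as $input => $expected_kept ) {
    $kept = '' !== example_check_uri_protocol( $input, $allowed );
    printf( "%-36s %s\n", $input, $kept === $expected_kept ? 'ok' : 'MISMATCH' );
}
```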
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters from becoming unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@46915 602fd350-edb4-49c9-b593-d223f7449a82
This adds some special case handling in 'wp_check_filetype_and_ext()' that prevents some common file types from being blocked based on mismatched MIME checks, which were made more strict in WordPress 5.0.1.
Merges [44438], [44439], [44441], and [44442] to the 4.9 branch.
Props Kloon, birgire, tellyworth, joemcgill.
See #45615.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@44443 602fd350-edb4-49c9-b593-d223f7449a82
A static variable contains an integer that is incremented with each call. This number is returned with the optional prefix.
As such the returned value is not universally unique, but it is unique across the life of the PHP process.
Props westonruter, dlh.
Merges [43658] and [44406] to the 5.0 branch.
See #44883.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@44407 602fd350-edb4-49c9-b593-d223f7449a82
The inline JavaScript added by `WP_Scripts::print_translations()` should check whether `locale_data.$text_domain` exists and fall back to `locale_data.messages` otherwise.
Merge of [44403] to the 5.0 branch.
Props swissspidy.
Fixes #45441.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@44404 602fd350-edb4-49c9-b593-d223f7449a82
Fixes the `load_script_textdomain` function not resolving the md5 hash based on the relative path for WordPress installations in a subdirectory. Also adds a filter to allow sites using CDNs or other alternative asset locations to filter the relative path resolution.
Props akirk, fierevere, swissspidy, mypacecreator, babaevan, tmatsuur, ocean90.
Fixes #45528.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@44209 602fd350-edb4-49c9-b593-d223f7449a82
`wpdb::get_col()` iterates over `$wpdb->last_result`, which can be a non-countable value, should the preceding query have failed.
Props spacedmonkey, desrosj.
See #45299.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43934 602fd350-edb4-49c9-b593-d223f7449a82
Removes filters adding `rel="noopener"` to links targeting `_blank`.
Previous implementation could introduce blank `rel` attributes and could corrupt JSON data when saving via the customizer.
See #43187.
Reverts [43732] and [43733] from the 5.0 branch.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43930 602fd350-edb4-49c9-b593-d223f7449a82
* Skips validation where there is no attribute definition, but keeps the attribute value. Previously, the attribute would be omitted from the attributes passed to `render_callback`. Notably, this resolves an issue where `render_callback` cannot receive a block's `align` and `customClassName` attribute values, since these are defined as a client-side filter.
* Validates `null` as a proper value in its own right. Previously, a client implementation of a block could track `{"attribute":null}` as an explicitly empty value, and the server would wrongly initiate defaulting behavior. The new behavior will now only populate a default value if the attribute is not defined at all, including when unset in its being invalid per the attribute schema.
Props aduth, noisysocks, youknowriad.
See #45145 for the patch, #45098 for the original ticket.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43918 602fd350-edb4-49c9-b593-d223f7449a82
Demarcations for reusable blocks are always expected to be accessible by clients.
Props noisysocks, youknowriad.
See #45145 for the patch, #45098 for the original ticket.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43917 602fd350-edb4-49c9-b593-d223f7449a82
In [43736], we prevented rendering fields when not present in `?_fields=`. However, because `get_fields_for_response()` is dependent on `get_item_schema()`, any custom fields registered with a null schema would be incorrectly excluded from the response. Because the REST API permits a null schema for `register_rest_field()`, those fields should be included in the available fields for a response.
Fixes #45220.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43908 602fd350-edb4-49c9-b593-d223f7449a82
When switching themes, `wp_map_nav_menu_locations()` is used to ensure nav menus are placed in the relevant menu location. Occasionally, menus are registered to locations with numeric slugs, rather than strings. `wp_map_nav_menu_locations()` assumed it would be the latter, and ran `stripos()` on those numeric slugs. This behaviour is deprecated in PHP 7.3.
As this is the last known PHP 7.3 incompatibility, this commit also removes PHP 7.3 from Travis' `allowed_failures` list.
Props desrosj, jorbin.
See #45018.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43899 602fd350-edb4-49c9-b593-d223f7449a82
Fixes an undefined index PHP warning in the load_script_textdomain function and a non-interrupting JS error when registering a domain which has no translations.
Props omarreiss, ocean90, georgestephanis.
Fixes #45256.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43898 602fd350-edb4-49c9-b593-d223f7449a82
When 'parent' is set as the path argument name, it gets passed down through to the `create_item()` method and can erroneously reset the 'parent' value on the post itself. Instead, we rename the argument to 'id' and replicate the revision controller's `get_items_permissions_check()` to instead reference 'id'.
Also ensures revision query params (of which there are many) aren't exposed as the query params for autosaves (of which there are two).
Props TimothyBlynJacobs.
See #43316.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43897 602fd350-edb4-49c9-b593-d223f7449a82
Changes of note:
- Includes the new Annotations API package.
- `wp-polyfill-ecmascript.js` is renamed to `wp-polyfill.js`.
- `strip_dynamic_blocks()` has been removed in favour of `excerpt_remove_blocks()`.
- The PHP block parser is now syncing from the `block-serialization-default-parser` package.
- `do_blocks()` uses the new parser.
- The `do_block` filter has been removed from `do_blocks()`, in favour of a `render_block` filter in `render_block()`.
See #45145, #45190, #45264, #45282.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43884 602fd350-edb4-49c9-b593-d223f7449a82
As `do_blocks()` is run before `wpautop()` in `the_content` filter, we can remove in a Just In Time fashion, before that filter is run.
After `wpautop()`'s original priority has passed, we can re-add it in a Just Too Late fashion, to ensure it's available if `the_content` filter is run multiple times on a page load.
Props pento, nerrad.
Fixes #45290.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43879 602fd350-edb4-49c9-b593-d223f7449a82
Calls `wp_set_script_translations` for all packages' scripts that have translations. Also correctly sets the domain on the translations.
Props omarreiss, pento, ocean90.
Fixes #45161.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43878 602fd350-edb4-49c9-b593-d223f7449a82
Improves upon [43825] by adding unit tests to cover additional use-cases and changes loading translations to only occur when outputting the script to allow setting translations on dependencies.
Props atimmer, omarreiss, nerrad, swissspidy, ocean90.
Fixes #45103.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43859 602fd350-edb4-49c9-b593-d223f7449a82
Also introduces a `block_editor_preload_paths` filter for plugins and themes to preload additional data.
Props imath, mattheu.
Fixes #45194.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43833 602fd350-edb4-49c9-b593-d223f7449a82
Adds the `wp_set_script_translations` function which registers translations for a JavaScript file. This function takes a handle, domain and optionally a path and ensures JavaScript translation files are loaded if they exist.
Props atimmer, omarreiss, nerrad, swissspidy, ocean90.
Fixes #45103.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43825 602fd350-edb4-49c9-b593-d223f7449a82
In PHP 7.3, the compact() function has been changed to issue an E_NOTICE level error if a passed string refers to an unset variable. In previous versions of PHP, this notice was silently skipped. The full RFC can be viewed here: https://wiki.php.net/rfc/compact
This fixes all unit tested code that uses compact.
Props desrosj.
Fixes #44416.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43819 602fd350-edb4-49c9-b593-d223f7449a82
To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.
Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
See #44724.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43813 602fd350-edb4-49c9-b593-d223f7449a82
Blocks are able to register styles that are used in the editor and the frontend, or only in the editor. These functions ensure the correct styles are loaded in the correct place.
See #45065.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43812 602fd350-edb4-49c9-b593-d223f7449a82
Because the REST API allows meta keys to have empty values, the Custom Fields meta box should permit the same behavior.
Props charlestonsw, soulseekah.
Fixes #43559.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43811 602fd350-edb4-49c9-b593-d223f7449a82
Adapts the response from `WP_oEmbed_Controller::get_proxy_item()` so that the response is correctly filtered and embeds work properly in JavaScript editors. Introduces new `get_oembed_response_data_for_url()` function for preparing internal oEmbed responses.
Props danielbachhuber, imath, swissspidy.
Fixes #45142.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43810 602fd350-edb4-49c9-b593-d223f7449a82
After [43808], we can now make twentynineteen the default theme. Twentyseventeen has been a great default, but 5.0 and twentynineteen is guten.
Fixes #45152.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43809 602fd350-edb4-49c9-b593-d223f7449a82
The `@wordpress/editor` wasn't upgraded to the correct version in [43789].
This commit includes changes from the `@wordpress/block-library` upgrade in [43789], that weren't copied to the correct location in core.
This also regenerates the `package-lock.json` in Linux, which the build server requires.
See #45145.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43801 602fd350-edb4-49c9-b593-d223f7449a82
Responsive embeds is a way for a theme to opt in to WordPress dynamically scaling the width/height of an embed. When a theme supports responsive embeds, a `wp-embed-responsive` class is added to the `<body>` tag. This information is also presented through the REST API for clients to respect.
Props desrosj.
Fixes #45125.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43790 602fd350-edb4-49c9-b593-d223f7449a82
The cover image block uses the `url()` function in its inline CSS, to show the cover image. KSES didn't allow this, causing the block to not save correctly for Author and Contributor users. As KSES does already check each attribute name against an allowed list, we're able to add an extra check for certain attributes to be able to use the `url()` function, too.
Props peterwilsoncc, azaozz, pento, dd32.
See #45067.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43781 602fd350-edb4-49c9-b593-d223f7449a82
PHPUnit 3.6.x requires `exclude` and `file` paths to be relative to the checkout root.
PHPUnit 4.0.0+ requires the paths to be relative to the configuration file.
See #45131.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43774 602fd350-edb4-49c9-b593-d223f7449a82
When constructing the request URL, ensure that `?` is replaced with `&` when the API root already contains a `?`. Fixes an issue where requests were broken when sites had permalinks set to plain.
Props aduth.
Merges [42965] to the 5.0 branch.
Fixes #42382.
git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43771 602fd350-edb4-49c9-b593-d223f7449a82