956 Commits

Author SHA1 Message Date
Jake Spurlock
ef4b6d35ed Backporting several bug fixes.
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory traversals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
- Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.3 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.3@46499 602fd350-edb4-49c9-b593-d223f7449a82
2019-10-14 19:11:50 +00:00
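The folder-creation item in the list above names the check but not its shape. As an added example that is not WordPress's own code: a helper that lexically resolves a requested folder name under a fixed base directory and refuses anything that could escape it, then confirms the nearest existing ancestor still lives inside the base (which also catches symlinks pointing out of the tree). The helper name, the temporary base directory and the sample inputs are assumptions made for this demo.

```php
<?php
// Added example, not WordPress code. Assumption: $base is an existing directory.
function safe_child_dir(string $base, string $requested): ?string {
    // NUL and other control characters can truncate or confuse the underlying
    // filesystem call, so reject them outright instead of trying to clean them.
    if (preg_match('/[\x00-\x1f\x7f]/', $requested)) {
        return null;
    }
    // Normalise separators; absolute paths and drive letters are never allowed.
    $requested = str_replace('\\', '/', $requested);
    if ($requested === '' || $requested[0] === '/' || preg_match('/^[A-Za-z]:/', $requested)) {
        return null;
    }
    $parts = [];
    foreach (explode('/', $requested) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;      // empty and current-dir segments carry no meaning
        }
        if ($seg === '..') {
            return null;   // any parent reference is rejected, even one that would not escape
        }
        $parts[] = $seg;
    }
    if (!$parts) {
        return null;
    }
    $base = rtrim(realpath($base) ?: '', '/');
    if ($base === '') {
        return null;
    }
    $target = $base . '/' . implode('/', $parts);

    // The lexical check above is not enough on its own: walk up to the nearest
    // ancestor that exists and make sure its real path is still inside $base.
    $ancestor = $target;
    while (!is_dir($ancestor)) {
        $ancestor = dirname($ancestor);
    }
    $real = realpath($ancestor);
    if ($real !== $base && strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo inputs against a throwaway base directory.
$base = sys_get_temp_dir() . '/uploads-demo';
@mkdir($base, 0700, true);
foreach (['2024/10', '../etc', "x\0y", '/abs', 'ok/../../up'] as $name) {
    $dir = safe_child_dir($base, $name);
    printf("%-20s => %s\n", var_export($name, true), $dir === null ? 'REJECTED' : 'mkdir ' . $dir);
    if ($dir !== null) {
        mkdir($dir, 0700, true);
    }
}
```

Only the first input is created; the parent reference, the NUL byte, the absolute path and the "ok/../../up" form are all rejected before any filesystem call. Rejecting every ".." segment rather than resolving them is deliberate: a path that merely happens to stay inside the base after resolution is still a request nobody legitimate makes.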
Jonathan Desrosiers
c49ecfb258 Fix for URL sanitization in wp_kses_bad_protocol_once().
Merges [45997] to the 4.3 branch.

Props irsdl, sstoqnov, whyisjake.

git-svn-id: https://develop.svn.wordpress.org/branches/4.3@46011 602fd350-edb4-49c9-b593-d223f7449a82
2019-09-04 18:30:31 +00:00
Jake Spurlock
2dadc8cf79 Remove _convert_urlencoded_to_entities() from the get_the_content() callback.
Merges [45937] to the 4.3 branch.

Props vortfu, whyisjake, peterwilsoncc


git-svn-id: https://develop.svn.wordpress.org/branches/4.3@45959 602fd350-edb4-49c9-b593-d223f7449a82
2019-09-04 16:40:17 +00:00
John Blackbourn
c4d712b498 General: Remove the version number from the readme file in the 4.3 branch.
See #42386


git-svn-id: https://develop.svn.wordpress.org/branches/4.3@42093 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-31 17:43:17 +00:00
Gary Pendergast
df74cf1a48 Database: Restore numbered placeholders in wpdb::prepare().
[41496] removed support for numbered placeholders in queries sent through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

Merges [41662], [42056] to the 4.3 branch.
See #41925.



git-svn-id: https://develop.svn.wordpress.org/branches/4.3@42062 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-31 12:48:20 +00:00
Aaron D. Campbell
a9693ba63b Database: Hardening to bring wpdb::prepare() inline with documentation.
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.

Merges [41496] to 4.3 branch.



git-svn-id: https://develop.svn.wordpress.org/branches/4.3@41502 602fd350-edb4-49c9-b593-d223f7449a82
2017-09-19 18:27:47 +00:00
Aaron D. Campbell
2fe5bc9cb3 Database: Hardening for wpdb::prepare()
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 4.3 branch.



git-svn-id: https://develop.svn.wordpress.org/branches/4.3@41476 602fd350-edb4-49c9-b593-d223f7449a82
2017-09-19 15:00:59 +00:00
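The three `wpdb::prepare()` commits above describe a set of rules without showing them together: only `%s`, `%d` and `%F` are placeholders, numbered forms such as `%2$s` and a subset of width/precision formatting are honoured, any other `%` is a literal, and the number of arguments must match the number of placeholders. As an added example that is not wpdb's own code, here is a minimal prepare() that applies those rules in one pass. It assumes PHP 7.4+, a caller-supplied `$quote` callback standing in for the driver's real string escaping (the `addslashes` stand-in below is for the demo only), and that count mismatches throw rather than log.

```php
<?php
// Added example, not wpdb::prepare(). Assumptions: $quote is the driver's
// escaping routine; argument-count mismatches throw.
function mini_prepare(string $query, array $args, callable $quote): string {
    // Alternatives are tried left to right: an escaped "%%", a real placeholder
    // (%s, %d, %F, optionally numbered like %2$s, with optional width/precision),
    // and finally any other stray "%", which is kept as a literal.
    $pattern = '/%%|%(?:(\d+)\$)?(\d*(?:\.\d+)?)([sdF])|%/';

    $auto   = 0;   // next index handed to an unnumbered placeholder
    $needed = 0;   // highest argument index referenced, plus one
    $out = preg_replace_callback($pattern, function (array $m) use (&$auto, &$needed, $args, $quote): string {
        if ($m[0] === '%%' || $m[0] === '%') {
            return '%';   // literal percent (e.g. inside a LIKE pattern); never a placeholder
        }
        $index  = ($m[1] !== '') ? ((int) $m[1]) - 1 : $auto++;
        $needed = max($needed, $index + 1);
        if (!array_key_exists($index, $args)) {
            throw new InvalidArgumentException('placeholder refers to missing argument #' . ($index + 1));
        }
        $value = $args[$index];
        switch ($m[3]) {
            case 'd':
                return sprintf('%' . $m[2] . 'd', (int) $value);
            case 'F':
                return sprintf('%' . $m[2] . 'F', (float) $value);   // %F is locale-independent
            default:   // 's': escape, then quote, so callers must not add their own quotes
                return "'" . $quote(sprintf('%' . $m[2] . 's', (string) $value)) . "'";
        }
    }, $query);

    // Too few arguments is caught above; too many is just as suspicious.
    if ($needed !== count($args)) {
        throw new InvalidArgumentException(sprintf('query needs %d argument(s), %d given', $needed, count($args)));
    }
    return $out;
}

// Stand-in escaper for the demo; use the driver's own (e.g. mysqli::real_escape_string).
$quote = fn(string $s) => addslashes($s);

// A hostile value is escaped and quoted; the "%s" inside it is data, not a placeholder.
$attacker = "x' OR 1=1 -- %s";
echo mini_prepare("SELECT * FROM wp_posts WHERE post_name = %s AND ID = %d", [$attacker, '7abc'], $quote), "\n";
// SELECT * FROM wp_posts WHERE post_name = 'x\' OR 1=1 -- %s' AND ID = 7

// Numbered placeholders can reuse an argument; a literal percent is written as %%.
echo mini_prepare("SELECT * FROM wp_posts WHERE post_title LIKE %s AND post_author = %2\$d AND ID > %2\$d AND guid LIKE 'a%%'", ['50%', 3], $quote), "\n";
// SELECT * FROM wp_posts WHERE post_title LIKE '50%' AND post_author = 3 AND ID > 3 AND guid LIKE 'a%'

foreach ([[], [1, 2]] as $bad) {
    try {
        mini_prepare("SELECT * FROM wp_users WHERE ID = %d", $bad, $quote);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The two points worth taking from this: values are substituted exactly once and never re-parsed, so a `%s` or a quote inside an argument cannot become a placeholder, and the query template itself must be a fixed string written by the developer, never something assembled from request data.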
Weston Ruter
ff4f97ce12 Customize: Fix phpunit tests after [40704] due to logic inversion error.
Merge of [40716] to the 4.3 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.3@40721 602fd350-edb4-49c9-b593-d223f7449a82
2017-05-16 14:43:48 +00:00
John Blackbourn
00b1aadc8e Build/Test tools: In Travis, skip some tests when not on trunk.
This skips time sensitive tests (copyright year and PHP/MySQL version requirements) when tests are run on branches on Travis.

Props netweb, jorbin

Fixes #39486

Merges [40241] to the 4.3 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.3@40244 602fd350-edb4-49c9-b593-d223f7449a82
2017-03-08 00:38:38 +00:00
Aaron D. Campbell
29c97cb0bc Strip control characters before validating redirect.
Merges [40183] to 4.3 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.3@40188 602fd350-edb4-49c9-b593-d223f7449a82
2017-03-06 13:42:01 +00:00
Joe McGill
5b17a560e6 Media: Improved media titles when created from filename.
Preserves spaces and generally creates more accurate, cleaner titles from filenames of uploaded media.

Merge of [38615] to the 4.3 branch.

Fixes #37989.


git-svn-id: https://develop.svn.wordpress.org/branches/4.3@39713 602fd350-edb4-49c9-b593-d223f7449a82
2017-01-05 16:15:58 +00:00
Gary Pendergast
3160dee761 Database: dbDelta() will no longer try to downgrade the size of TEXT and BLOB columns.
When upgrading to `utf8mb4`, `TEXT` fields will be upgraded to `MEDIUMTEXT` (and likewise for all other `*TEXT` and `*BLOB` fields). This is to allow for the additional space requirements of `utf8mb4`.

On the subsequent upgrade, `dbDelta()` would try and downgrade the fields to their original size again. At best, this is a waste of time, at worst, this could truncate any data larger than the original size. There's no harm in leaving them at their new size, so let's do that.

The `FULLTEXT` indexes are removed from the tests, as `dbDelta()`'s `FULLTEXT` support was added in WordPress 4.4.

This also fixes a typo in the `dbDelta()` tests.

Merge of [37525] to the 4.3 branch.
Partial merge of [36552] to the 4.3 branch.

See #36748.



git-svn-id: https://develop.svn.wordpress.org/branches/4.3@37938 602fd350-edb4-49c9-b593-d223f7449a82
2016-07-01 11:41:57 +00:00
Joe McGill
e28a288f57 Media: Improve handling of extensionless filenames.
Merge of [37756] to the 4.3 branch.

See #37111.

git-svn-id: https://develop.svn.wordpress.org/branches/4.3@37814 602fd350-edb4-49c9-b593-d223f7449a82
2016-06-21 14:54:36 +00:00
Dominik Schilling (ocean90)
cb876e2ea2 Better validation of the URL used in HTTP redirects.
Merges [36444] to the 4.3 branch.

git-svn-id: https://develop.svn.wordpress.org/branches/4.3@36448 602fd350-edb4-49c9-b593-d223f7449a82
2016-02-02 16:59:00 +00:00
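Two commits in this branch concern the same function family: [36444] ("Better validation of the URL used in HTTP redirects") and [40183] ("Strip control characters before validating redirect"). The second is easy to underrate, so as an added example that is not WordPress's `wp_validate_redirect()`, here is a redirect validator that strips ASCII control characters before doing anything else, then checks relative paths, scheme, userinfo and host explicitly. The allowed-host list, the fallback location and the sample inputs are assumptions made for this demo.

```php
<?php
// Added example, not wp_validate_redirect(). Assumptions: $allowed_hosts is the
// site's own host list; anything rejected falls back to a fixed safe path.
function validate_redirect(string $location, array $allowed_hosts, string $fallback = '/'): string {
    // 1. Strip control characters first. Browsers drop tab, CR and LF from URLs,
    //    so a check done on the raw string can pass something the browser will
    //    later read differently (e.g. "/\t/evil.example" becomes "//evil.example").
    $location = trim(preg_replace('/[\x00-\x1f\x7f]/', '', $location));
    if ($location === '') {
        return $fallback;
    }

    // 2. Site-relative paths are allowed, but "//host" and "/\host" are
    //    scheme-relative absolute URLs and must be treated as external.
    if ($location[0] === '/') {
        if (isset($location[1]) && ($location[1] === '/' || $location[1] === '\\')) {
            return $fallback;
        }
        return $location;
    }

    // 3. Absolute URLs: parse_url() is lenient, so check every piece explicitly.
    $parts = parse_url($location);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $fallback;          // no scheme/host, or an unparsable string
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;          // javascript:, data:, and friends
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;          // "http://good.example@evil.example" style confusion
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return $fallback;
    }
    return $location;
}

// Hypothetical allow-list and constructed inputs.
$allowed = ['good.example', 'www.good.example'];
$cases = [
    '/wp-admin/',
    "/\t/evil.example",                   // tab: browsers strip it -> "//evil.example"
    '//evil.example/',
    'https://www.good.example/x',
    'http://good.example@evil.example/',
    "java\tscript:alert(1)",
    'https://evil.example/?r=good.example',
];
foreach ($cases as $c) {
    printf("%-42s => %s\n", json_encode($c), validate_redirect($c, $allowed));
}
```

Only `/wp-admin/` and `https://www.good.example/x` are returned as given; every other input falls back to `/`. Note the order: if the control-character strip ran after the leading-slash check instead of before it, the tab case would have been accepted as a site-relative path.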
Dominik Schilling (ocean90)
09dccfb925 Passwords: Deprecate second parameter of wp_new_user_notification().
The second parameter `$plaintext_pass` was removed in [33023] and restored as `$notify` in [33620] with a different behavior. If you have a plugin overriding `wp_new_user_notification()` which hasn't been updated you would get a notification with your username and the password "both".
To prevent this the second parameter is now deprecated and reintroduced as the third parameter.

Adds unit tests.

Merge of [34116] to the 4.3 branch.

Props kraftbj, adamsilverstein, welcher, ocean90.
See #33654.

git-svn-id: https://develop.svn.wordpress.org/branches/4.3@34118 602fd350-edb4-49c9-b593-d223f7449a82
2015-09-14 13:02:03 +00:00
Boone Gorges
2d22aabae7 Move wp_delete_user() tests to their own file.
See #33800.


git-svn-id: https://develop.svn.wordpress.org/branches/4.3@34031 602fd350-edb4-49c9-b593-d223f7449a82
2015-09-11 01:39:52 +00:00
Gary Pendergast
cf5fc77f6e WPDB: get_table_from_query() didn't find table names with hyphens in them.
Merge of [33718] to the 4.3 branch.

Props dustinbolton, pento.

See #33470.



git-svn-id: https://develop.svn.wordpress.org/branches/4.3@33991 602fd350-edb4-49c9-b593-d223f7449a82
2015-09-10 06:54:13 +00:00
Boone Gorges
404942c442 In Walker_CategoryDropdown::start_el(), cast values to strings before deciding whether to append 'selected' attribute.
As of [32484], `wp_dropdown_categories()` uses the `$value_field` value to
decide whether a given `<option>` should be 'selected'. However, `$value_field`
can refer to a value that is a string, such as a category's slug. This causes
problems when doing a loose comparison (`==`) with the value of the 'selected'
parameter, which defaults to `0`, because when doing a loose comparison
between an integer and a string, PHP will cast the string to an integer. This
creates false matches, resulting in `<option>` elements getting a 'selected'
attribute incorrectly.

We address the issue by casting the comparison values to strings, and then
using the strict comparison operator `===`.

Merges [33681] to the 4.3 branch.

Fixes #33452 for 4.3.1.


git-svn-id: https://develop.svn.wordpress.org/branches/4.3@33949 602fd350-edb4-49c9-b593-d223f7449a82
2015-09-08 19:03:17 +00:00
Boone Gorges
48beba441b When generating a fallback post_name using the post ID, wp_insert_post() should clear the post cache immediately.
If the post cache is not cleared at this point, the cache can become stale
for operations performed before the cache is cleared later in the function.
Specifically, the generation of a `guid` for new posts can use stale data,
resulting in non-unique values. [33262] introduced a call to `get_post()`
that introduced just such an invalidation problem.

Fixes #5305.

git-svn-id: https://develop.svn.wordpress.org/trunk@33630 602fd350-edb4-49c9-b593-d223f7449a82
2015-08-18 02:50:23 +00:00
Andrew Ozz
b30fcd7597 Fix creation of extra <br /> tags in both PHP and JS variants of wpautop(). Add PHP tests to catch similar problems in the future.
Props valendesigns, azaozz. Fixes #33377.

git-svn-id: https://develop.svn.wordpress.org/trunk@33624 602fd350-edb4-49c9-b593-d223f7449a82
2015-08-17 17:35:58 +00:00
Boone Gorges
6d5da327f5 Remove unit test related to pre-4.1 term splitting during wp_update_term().
After [33615], `wp_update_term()` no longer checks `$wp_db_version` before
attempting a split. This is because pre-4.1 versions of WordPress must be
allowed to update to 4.3+.

See #30261.

git-svn-id: https://develop.svn.wordpress.org/trunk@33616 602fd350-edb4-49c9-b593-d223f7449a82
2015-08-14 04:15:34 +00:00
Dominik Schilling (ocean90)
23eaa36145 Capabilities: Fall back to the edit_posts capability for orphaned comments.
Also avoid PHP notices because of orphaned comments in the comments list table.
Includes unit test.

props pento, dd32.
fixes #33154.

git-svn-id: https://develop.svn.wordpress.org/trunk@33614 602fd350-edb4-49c9-b593-d223f7449a82
2015-08-13 22:30:26 +00:00
Scott Taylor
df480edb24 After [33325], supply a missing post_type in ->mw_editPost().
Add unit test.

Props ocean90.
Fixes #20662.


git-svn-id: https://develop.svn.wordpress.org/trunk@33612 602fd350-edb4-49c9-b593-d223f7449a82
2015-08-13 15:27:57 +00:00
Boone Gorges
ee67bd08f9 When splitting a shared 'nav_menu' term, ensure that nav items and theme locations are retained.
Props boonebgorges, dd32.
Fixes #33187.

git-svn-id: https://develop.svn.wordpress.org/trunk@33611 602fd350-edb4-49c9-b593-d223f7449a82
2015-08-12 14:06:21 +00:00
Konstantin Obenland
018cd0819e Tests: Update Site Icon tests to account for changes in [33605].
H/t jorbin.

Fixes #33325.



git-svn-id: https://develop.svn.wordpress.org/trunk@33607 602fd350-edb4-49c9-b593-d223f7449a82
2015-08-11 18:41:01 +00:00
ocean90
239759914f Shortcodes: Trim whitespace after sanitizing the shortcode output.
props Ankit K Gupta, obenland, miqrogroove.
fixes #33259.

git-svn-id: https://develop.svn.wordpress.org/trunk@33600 602fd350-edb4-49c9-b593-d223f7449a82
2015-08-09 20:48:02 +00:00
Dion Hulse
7a35bff916 Fix do_shortcode('<[shortcode]') edge case.
Props miqrogroove.
Merges [33499] trunk.
See #33116.


git-svn-id: https://develop.svn.wordpress.org/trunk@33594 602fd350-edb4-49c9-b593-d223f7449a82
2015-08-07 02:49:31 +00:00
Sergey Biryukov
0d51c50057 Customizer: Fix failing tests on PHP 5.2 after [33488].
`assertNotFalse()` is not included in PHPUnit 3.6.12, use `assertInternalType( 'int' )` instead.

fixes #32814.

git-svn-id: https://develop.svn.wordpress.org/trunk@33526 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-31 13:01:16 +00:00
Helen Hou-Sandi
3fd1376418 Menu customizer: More clearly separate search results from available items.
Available items now fade from view while you're searching, and there is an explicit way to clear search results. No results gives a better message, though still brief this time around.

props valendesigns, designsimply, DH-Shredder, helen.
fixes #32710.


git-svn-id: https://develop.svn.wordpress.org/trunk@33511 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-29 23:39:54 +00:00
Helen Hou-Sandi
1768c8c85a Fix a unit test failure after [33489].
see #33179.


git-svn-id: https://develop.svn.wordpress.org/trunk@33506 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-29 22:14:33 +00:00
Weston Ruter
dbcb95c022 Customizer: Ensure that all existing menus are shown in the Custom Menu widget's dropdown.
* Ensure that a Custom Menu widget selecting a newly-inserted menu gets updated to use the new menu ID upon Save & Publish.
* Dynamically update the visibility of the Custom Menu widget's "no menus" message when the number of menus changes between 0 and 1+.
* Send all dirty Customized settings in `update-widget` Ajax request and `preview()` them so that the widget update/form callbacks have access to any data dependencies in the current Customizer session (such as newly created unsaved menus).
* Update link in Custom Menu widget to point to Menus panel as opposed to Menus admin page, when in the Customizer.
* Fix an issue with extra space at top immediately after creating new menu.
* Fix doubled `update-widget` Ajax requests when changing select dropdown; prevent initial from being aborted.
* Add missing `wp_get_nav_menus()` hooks to preview Customizer updates/inserts for `nav_menu` settings; includes tests.
* Update `wp_get_nav_menu_object()` to allow a menu object to be passed in (and thus passed through).

Props westonruter, adamsilverstein.
Fixes #32814.


git-svn-id: https://develop.svn.wordpress.org/trunk@33488 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-29 16:02:08 +00:00
Andrew Ozz
35acd9abf8 Use the embed_maybe_make_link filter to test WP_Embed::autoembed().
See #33106.

git-svn-id: https://develop.svn.wordpress.org/trunk@33470 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-29 00:01:22 +00:00
Scott Taylor
4f814ec9ae Protect newlines inside of CDATA. This was breaking things, notably inline JS that used comments for HTML standards compat.
* Tokenize newlines in `WP_Embed::autoembed()` before running `->autoembed_callback()`
* Tokenize newlines with placeholders in `wpautop()` 
* Introduce `wp_html_split()` to DRY the RegEx from `wp_replace_in_html_tags()` and `do_shortcodes_in_html_tags()`

Adds unit tests.

Props miqrogroove, kitchin, azaozz.
Fixes #33106.


git-svn-id: https://develop.svn.wordpress.org/trunk@33469 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-28 23:02:04 +00:00
Sergey Biryukov
16cc16da9e Remove svn:executable from test files.
git-svn-id: https://develop.svn.wordpress.org/trunk@33425 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-26 09:40:58 +00:00
Sergey Biryukov
4ed7d2d05e Update Test_WP_Customize_Nav_Menus::test_available_items_template() after [33413].
fixes #32715.

git-svn-id: https://develop.svn.wordpress.org/trunk@33424 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-26 09:14:06 +00:00
Gary Pendergast
2e74ecfc1c Tests: Add a new test file missed in [33359].
git-svn-id: https://develop.svn.wordpress.org/trunk@33391 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-23 05:17:19 +00:00
Weston Ruter
9e383a560a Customizer: Introduce customize_nav_menu_available_item_types and customize_nav_menu_available_items filters.
Allows for new available menu item types/objects to be registered in addition to filtering the available items that are returned for each menu item type/object.

Props valendesigns, imath, westonruter.
See #32832.
Fixes #32708.


git-svn-id: https://develop.svn.wordpress.org/trunk@33366 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-22 20:28:03 +00:00
Gary Pendergast
7b41adf712 Shortcodes: Improve the reliability of shortcodes inside HTML tags.
Props miqrogroove.

See #15694.



git-svn-id: https://develop.svn.wordpress.org/trunk@33359 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-22 05:14:50 +00:00
Gary Pendergast
7439dd7354 Capabilities: When creating an auto-draft, ensure that the current user still has permission to do so.
git-svn-id: https://develop.svn.wordpress.org/trunk@33357 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-22 04:01:53 +00:00
Konstantin Obenland
358ab7b010 Tests: Remove test for delete_site_icon().
Removed in [33329].
H/t wonderboymusic.

See #16434.


git-svn-id: https://develop.svn.wordpress.org/trunk@33335 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-20 20:52:39 +00:00
Weston Ruter
5c76979fb8 Customizer: Finish unit tests for nav menus.
Removes object_type restriction to allow for future extensibility. Refactors some methods to improve testability. Includes new tests for Ajax requests.

Fixes #32687.
Props valendesigns, welcher, westonruter.


git-svn-id: https://develop.svn.wordpress.org/trunk@33322 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-18 23:19:33 +00:00
Gary Pendergast
7217a4f6e5 WPDB: ::strip_text_from_query() doesn't pass a length to ::strip_invalid_text(), which was causing queries to fail when they contained characters that needed to be sanity checked by MySQL.
Props dd32, mdawaffe, pento.

Fixes #32279.



git-svn-id: https://develop.svn.wordpress.org/trunk@33310 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-17 07:06:33 +00:00
Gary Pendergast
bea2bf1502 WPDB: Remove some of the complexities in ::strip_invalid_text() associated with switching character sets between queries. Instead of trying to dynamically change connection character sets, we now rely on the value of ::charset. This also fixes the case where queries were being blocked when DB_CHARSET was utf8, but the column character set was non-utf8.
Fixes #32165.



git-svn-id: https://develop.svn.wordpress.org/trunk@33308 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-17 06:33:36 +00:00
Scott Taylor
3d1f8f292a After [33148]:
Don't nest `esc_attr()` and `htmlspecialchars()` when escaping the post title on the edit post screen.

Unrevert parts of [32851] and [32850].

Adds/alters unit tests.

Props miqrogroove.
Fixes #17780.


git-svn-id: https://develop.svn.wordpress.org/trunk@33271 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-14 17:55:07 +00:00
Boone Gorges
ce4b40d794 In wp_unique_post_slug(), only prevent date archive conflicts when the slug is being changed.
This prevents existing posts with numeric slugs from having their permalinks
changed on update.

Fixes #5305.

git-svn-id: https://develop.svn.wordpress.org/trunk@33262 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-14 12:27:11 +00:00
Boone Gorges
c718849baa When creating a new post with an empty post_name and post_title, don't generate a post_name that conflicts with a date archive permalink.
See #5305.

git-svn-id: https://develop.svn.wordpress.org/trunk@33261 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-14 12:27:03 +00:00
Gary Pendergast
7711b72639 WPDB: When extracting the table name from a query, we had a 1000 character limit on the SQL string that would be searched. This was a hangover from when the code was imported from HyperDB, and isn't appropriate for Core, where a wider range of queries are likely to be run.
Fixes #32763



git-svn-id: https://develop.svn.wordpress.org/trunk@33259 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-14 10:18:57 +00:00
Jeremy Felt
33be338e9f Tests: Use a data provider when testing site flags in update_blog_details().
See #32988.


git-svn-id: https://develop.svn.wordpress.org/trunk@33255 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-14 06:38:19 +00:00
Jeremy Felt
76ef07903d Tests: Use a data provider when testing path slashing in update_blog_details().
Trims down 11 tests to 1 clean area of testing and makes for a much saner read.

See #32988.


git-svn-id: https://develop.svn.wordpress.org/trunk@33254 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-14 05:51:05 +00:00
Jeremy Felt
e3e828c608 Tests: Move update_blog_details() tests to their own file.
Reduce some of the clutter in `tests/multisite/site.php` and introduce `tests/multisite/updateBlogDetails.php`. Tests moved over are verbatim at this point.

See #32988.


git-svn-id: https://develop.svn.wordpress.org/trunk@33253 602fd350-edb4-49c9-b593-d223f7449a82
2015-07-14 05:49:28 +00:00