General: Backport several commits for release.

- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option. 

Merges [47948-47951] to the 5.2 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/5.2@47960


git-svn-id: http://core.svn.wordpress.org/branches/5.2@47732 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
desrosj 2020-06-10 18:12:52 +00:00
parent ff95ac1af3
commit 0d6541c100
10 changed files with 208 additions and 136 deletions

View File

@ -3057,7 +3057,7 @@ function edit_form_image_editor( $post ) {
}
?>
</label>
<?php wp_editor( $post->post_content, 'attachment_content', $editor_args ); ?>
<?php wp_editor( format_to_edit( $post->post_content ), 'attachment_content', $editor_args ); ?>
</div>
<?php

View File

@ -639,6 +639,7 @@ function set_screen_options() {
}
break;
default:
if ( '_page' === substr( $option, -5 ) || 'layout_columns' === $option ) {
/**
* Filters a screen option value before it is set.
*
@ -648,14 +649,36 @@ function set_screen_options() {
* Returning false to the filter will skip saving the current option.
*
* @since 2.8.0
* @since 5.4.2 Only applied to options ending with '_page',
* or the 'layout_columns' option.
*
* @see set_screen_options()
*
* @param bool $keep Whether to save or skip saving the screen option value. Default false.
* @param bool $keep Whether to save or skip saving the screen option value.
* Default false.
* @param string $option The option name.
* @param int $value The number of rows to use.
*/
$value = apply_filters( 'set-screen-option', false, $option, $value );
$value = apply_filters( 'set-screen-option', false, $option, $value ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
}
/**
* Filters a screen option value before it is set.
*
* The dynamic portion of the hook, `$option`, refers to the option name.
*
* Returning false to the filter will skip saving the current option.
*
* @since 5.4.2
*
* @see set_screen_options()
*
* @param bool $keep Whether to save or skip saving the screen option value.
* Default false.
* @param string $option The option name.
* @param int $value The number of rows to use.
*/
$value = apply_filters( "set_screen_option_{$option}", false, $option, $value );
if ( false === $value ) {
return;

View File

@ -396,7 +396,7 @@ if ( ! is_multisite() && current_user_can( 'edit_themes' ) && $broken_themes = w
</tr>
<?php foreach ( $broken_themes as $broken_theme ) : ?>
<tr>
<td><?php echo $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : $broken_theme->get_stylesheet(); ?></td>
<td><?php echo $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : esc_html( $broken_theme->get_stylesheet() ); ?></td>
<td><?php echo $broken_theme->errors()->get_error_message(); ?></td>
<?php
if ( $can_resume ) {

View File

@ -80,7 +80,7 @@ function render_block_core_rss( $attributes ) {
}
$classes = 'grid' === $attributes['blockLayout'] ? ' is-grid columns-' . $attributes['columns'] : '';
$list_items_markup = "<ul class='wp-block-rss{$classes}'>{$list_items}</ul>";
$list_items_markup = sprintf( "<ul class='%s'>%s</ul>", esc_attr( $class ), $list_items );
// PHP 5.2 compatibility. See: http://simplepie.org/wiki/faq/i_m_getting_memory_leaks.
$rss->__destruct();

View File

@ -46,7 +46,7 @@ function render_block_core_search( $attributes ) {
return sprintf(
'<form class="%s" role="search" method="get" action="%s">%s</form>',
$class,
esc_attr( $class ),
esc_url( home_url( '/' ) ),
$label_markup . $input_markup . $button_markup
);

View File

@ -573,8 +573,8 @@ add_filter( 'the_excerpt_embed', 'wpautop' );
add_filter( 'the_excerpt_embed', 'shortcode_unautop' );
add_filter( 'the_excerpt_embed', 'wp_embed_excerpt_attachment' );
add_filter( 'oembed_dataparse', 'wp_filter_oembed_iframe_title_attribute', 5, 3 );
add_filter( 'oembed_dataparse', 'wp_filter_oembed_result', 10, 3 );
add_filter( 'oembed_dataparse', 'wp_filter_oembed_iframe_title_attribute', 20, 3 );
add_filter( 'oembed_response_data', 'get_oembed_response_data_rich', 10, 4 );
add_filter( 'pre_oembed_result', 'wp_filter_pre_oembed_result', 10, 3 );

View File

@ -797,11 +797,24 @@ function wp_filter_oembed_iframe_title_attribute( $result, $data, $url ) {
$title = ! empty( $data->title ) ? $data->title : '';
$pattern = '`<iframe[^>]*?title=(\\\\\'|\\\\"|[\'"])([^>]*?)\1`i';
$has_title_attr = preg_match( $pattern, $result, $matches );
$pattern = '`<iframe([^>]*)>`i';
if ( preg_match( $pattern, $result, $matches ) ) {
$attrs = wp_kses_hair( $matches[1], wp_allowed_protocols() );
if ( $has_title_attr && ! empty( $matches[2] ) ) {
$title = $matches[2];
foreach ( $attrs as $attr => $item ) {
$lower_attr = strtolower( $attr );
if ( $lower_attr === $attr ) {
continue;
}
if ( ! isset( $attrs[ $lower_attr ] ) ) {
$attrs[ $lower_attr ] = $item;
unset( $attrs[ $attr ] );
}
}
}
if ( ! empty( $attrs['title']['value'] ) ) {
$title = $attrs['title']['value'];
}
/**
@ -820,11 +833,11 @@ function wp_filter_oembed_iframe_title_attribute( $result, $data, $url ) {
return $result;
}
if ( $has_title_attr ) {
// Remove the old title, $matches[1]: quote, $matches[2]: title attribute value.
$result = str_replace( ' title=' . $matches[1] . $matches[2] . $matches[1], '', $result );
if ( isset( $attrs['title'] ) ) {
unset( $attrs['title'] );
$attr_string = join( ' ', wp_list_pluck( $attrs, 'whole' ) );
$result = str_replace( $matches[0], '<iframe ' . trim( $attr_string ) . '>', $result );
}
return str_ireplace( '<iframe ', sprintf( '<iframe title="%s" ', esc_attr( $title ) ), $result );
}

View File

@ -90,157 +90,182 @@ this["wp"] = this["wp"] || {}; this["wp"]["i18n"] =
/***/ 137:
/***/ (function(module, exports, __webpack_require__) {
(function(window) {
var __WEBPACK_AMD_DEFINE_RESULT__;/* global window, exports, define */
!function() {
'use strict'
var re = {
not_string: /[^s]/,
not_bool: /[^t]/,
not_type: /[^T]/,
not_primitive: /[^v]/,
number: /[diefg]/,
numeric_arg: /[bcdiefguxX]/,
json: /[j]/,
not_json: /[^j]/,
text: /^[^\x25]+/,
modulo: /^\x25{2}/,
placeholder: /^\x25(?:([1-9]\d*)\$|\(([^\)]+)\))?(\+)?(0|'[^$])?(-)?(\d+)?(?:\.(\d+))?([b-gijosuxX])/,
placeholder: /^\x25(?:([1-9]\d*)\$|\(([^)]+)\))?(\+)?(0|'[^$])?(-)?(\d+)?(?:\.(\d+))?([b-gijostTuvxX])/,
key: /^([a-z_][a-z_\d]*)/i,
key_access: /^\.([a-z_][a-z_\d]*)/i,
index_access: /^\[(\d+)\]/,
sign: /^[\+\-]/
sign: /^[+-]/
}
function sprintf() {
var key = arguments[0], cache = sprintf.cache
if (!(cache[key] && cache.hasOwnProperty(key))) {
cache[key] = sprintf.parse(key)
}
return sprintf.format.call(null, cache[key], arguments)
function sprintf(key) {
// `arguments` is not an array, but should be fine for this call
return sprintf_format(sprintf_parse(key), arguments)
}
sprintf.format = function(parse_tree, argv) {
var cursor = 1, tree_length = parse_tree.length, node_type = "", arg, output = [], i, k, match, pad, pad_character, pad_length, is_positive = true, sign = ""
function vsprintf(fmt, argv) {
return sprintf.apply(null, [fmt].concat(argv || []))
}
function sprintf_format(parse_tree, argv) {
var cursor = 1, tree_length = parse_tree.length, arg, output = '', i, k, ph, pad, pad_character, pad_length, is_positive, sign
for (i = 0; i < tree_length; i++) {
node_type = get_type(parse_tree[i])
if (node_type === "string") {
output[output.length] = parse_tree[i]
if (typeof parse_tree[i] === 'string') {
output += parse_tree[i]
}
else if (node_type === "array") {
match = parse_tree[i] // convenience purposes only
if (match[2]) { // keyword argument
else if (typeof parse_tree[i] === 'object') {
ph = parse_tree[i] // convenience purposes only
if (ph.keys) { // keyword argument
arg = argv[cursor]
for (k = 0; k < match[2].length; k++) {
if (!arg.hasOwnProperty(match[2][k])) {
throw new Error(sprintf("[sprintf] property '%s' does not exist", match[2][k]))
for (k = 0; k < ph.keys.length; k++) {
if (arg == undefined) {
throw new Error(sprintf('[sprintf] Cannot access property "%s" of undefined value "%s"', ph.keys[k], ph.keys[k-1]))
}
arg = arg[match[2][k]]
arg = arg[ph.keys[k]]
}
}
else if (match[1]) { // positional argument (explicit)
arg = argv[match[1]]
else if (ph.param_no) { // positional argument (explicit)
arg = argv[ph.param_no]
}
else { // positional argument (implicit)
arg = argv[cursor++]
}
if (get_type(arg) == "function") {
if (re.not_type.test(ph.type) && re.not_primitive.test(ph.type) && arg instanceof Function) {
arg = arg()
}
if (re.not_string.test(match[8]) && re.not_json.test(match[8]) && (get_type(arg) != "number" && isNaN(arg))) {
throw new TypeError(sprintf("[sprintf] expecting number but found %s", get_type(arg)))
if (re.numeric_arg.test(ph.type) && (typeof arg !== 'number' && isNaN(arg))) {
throw new TypeError(sprintf('[sprintf] expecting number but found %T', arg))
}
if (re.number.test(match[8])) {
if (re.number.test(ph.type)) {
is_positive = arg >= 0
}
switch (match[8]) {
case "b":
arg = arg.toString(2)
switch (ph.type) {
case 'b':
arg = parseInt(arg, 10).toString(2)
break
case "c":
arg = String.fromCharCode(arg)
case 'c':
arg = String.fromCharCode(parseInt(arg, 10))
break
case "d":
case "i":
case 'd':
case 'i':
arg = parseInt(arg, 10)
break
case "j":
arg = JSON.stringify(arg, null, match[6] ? parseInt(match[6]) : 0)
case 'j':
arg = JSON.stringify(arg, null, ph.width ? parseInt(ph.width) : 0)
break
case "e":
arg = match[7] ? arg.toExponential(match[7]) : arg.toExponential()
case 'e':
arg = ph.precision ? parseFloat(arg).toExponential(ph.precision) : parseFloat(arg).toExponential()
break
case "f":
arg = match[7] ? parseFloat(arg).toFixed(match[7]) : parseFloat(arg)
case 'f':
arg = ph.precision ? parseFloat(arg).toFixed(ph.precision) : parseFloat(arg)
break
case "g":
arg = match[7] ? parseFloat(arg).toPrecision(match[7]) : parseFloat(arg)
case 'g':
arg = ph.precision ? String(Number(arg.toPrecision(ph.precision))) : parseFloat(arg)
break
case "o":
arg = arg.toString(8)
case 'o':
arg = (parseInt(arg, 10) >>> 0).toString(8)
break
case "s":
arg = ((arg = String(arg)) && match[7] ? arg.substring(0, match[7]) : arg)
case 's':
arg = String(arg)
arg = (ph.precision ? arg.substring(0, ph.precision) : arg)
break
case "u":
arg = arg >>> 0
case 't':
arg = String(!!arg)
arg = (ph.precision ? arg.substring(0, ph.precision) : arg)
break
case "x":
arg = arg.toString(16)
case 'T':
arg = Object.prototype.toString.call(arg).slice(8, -1).toLowerCase()
arg = (ph.precision ? arg.substring(0, ph.precision) : arg)
break
case "X":
arg = arg.toString(16).toUpperCase()
case 'u':
arg = parseInt(arg, 10) >>> 0
break
case 'v':
arg = arg.valueOf()
arg = (ph.precision ? arg.substring(0, ph.precision) : arg)
break
case 'x':
arg = (parseInt(arg, 10) >>> 0).toString(16)
break
case 'X':
arg = (parseInt(arg, 10) >>> 0).toString(16).toUpperCase()
break
}
if (re.json.test(match[8])) {
output[output.length] = arg
if (re.json.test(ph.type)) {
output += arg
}
else {
if (re.number.test(match[8]) && (!is_positive || match[3])) {
sign = is_positive ? "+" : "-"
arg = arg.toString().replace(re.sign, "")
if (re.number.test(ph.type) && (!is_positive || ph.sign)) {
sign = is_positive ? '+' : '-'
arg = arg.toString().replace(re.sign, '')
}
else {
sign = ""
sign = ''
}
pad_character = match[4] ? match[4] === "0" ? "0" : match[4].charAt(1) : " "
pad_length = match[6] - (sign + arg).length
pad = match[6] ? (pad_length > 0 ? str_repeat(pad_character, pad_length) : "") : ""
output[output.length] = match[5] ? sign + arg + pad : (pad_character === "0" ? sign + pad + arg : pad + sign + arg)
pad_character = ph.pad_char ? ph.pad_char === '0' ? '0' : ph.pad_char.charAt(1) : ' '
pad_length = ph.width - (sign + arg).length
pad = ph.width ? (pad_length > 0 ? pad_character.repeat(pad_length) : '') : ''
output += ph.align ? sign + arg + pad : (pad_character === '0' ? sign + pad + arg : pad + sign + arg)
}
}
}
return output.join("")
return output
}
sprintf.cache = {}
var sprintf_cache = Object.create(null)
sprintf.parse = function(fmt) {
var _fmt = fmt, match = [], parse_tree = [], arg_names = 0
function sprintf_parse(fmt) {
if (sprintf_cache[fmt]) {
return sprintf_cache[fmt]
}
var _fmt = fmt, match, parse_tree = [], arg_names = 0
while (_fmt) {
if ((match = re.text.exec(_fmt)) !== null) {
parse_tree[parse_tree.length] = match[0]
parse_tree.push(match[0])
}
else if ((match = re.modulo.exec(_fmt)) !== null) {
parse_tree[parse_tree.length] = "%"
parse_tree.push('%')
}
else if ((match = re.placeholder.exec(_fmt)) !== null) {
if (match[2]) {
arg_names |= 1
var field_list = [], replacement_field = match[2], field_match = []
if ((field_match = re.key.exec(replacement_field)) !== null) {
field_list[field_list.length] = field_match[1]
while ((replacement_field = replacement_field.substring(field_match[0].length)) !== "") {
field_list.push(field_match[1])
while ((replacement_field = replacement_field.substring(field_match[0].length)) !== '') {
if ((field_match = re.key_access.exec(replacement_field)) !== null) {
field_list[field_list.length] = field_match[1]
field_list.push(field_match[1])
}
else if ((field_match = re.index_access.exec(replacement_field)) !== null) {
field_list[field_list.length] = field_match[1]
field_list.push(field_match[1])
}
else {
throw new SyntaxError("[sprintf] failed to parse named argument key")
throw new SyntaxError('[sprintf] failed to parse named argument key')
}
}
}
else {
throw new SyntaxError("[sprintf] failed to parse named argument key")
throw new SyntaxError('[sprintf] failed to parse named argument key')
}
match[2] = field_list
}
@ -248,44 +273,55 @@ this["wp"] = this["wp"] || {}; this["wp"]["i18n"] =
arg_names |= 2
}
if (arg_names === 3) {
throw new Error("[sprintf] mixing positional and named placeholders is not (yet) supported")
throw new Error('[sprintf] mixing positional and named placeholders is not (yet) supported')
}
parse_tree[parse_tree.length] = match
parse_tree.push(
{
placeholder: match[0],
param_no: match[1],
keys: match[2],
sign: match[3],
pad_char: match[4],
align: match[5],
width: match[6],
precision: match[7],
type: match[8]
}
)
}
else {
throw new SyntaxError("[sprintf] unexpected placeholder")
throw new SyntaxError('[sprintf] unexpected placeholder')
}
_fmt = _fmt.substring(match[0].length)
}
return parse_tree
}
var vsprintf = function(fmt, argv, _argv) {
_argv = (argv || []).slice(0)
_argv.splice(0, 0, fmt)
return sprintf.apply(null, _argv)
}
/**
* helpers
*/
function get_type(variable) {
return Object.prototype.toString.call(variable).slice(8, -1).toLowerCase()
}
function str_repeat(input, multiplier) {
return Array(multiplier + 1).join(input)
return sprintf_cache[fmt] = parse_tree
}
/**
* export to either browser or node.js
*/
/* eslint-disable quote-props */
if (true) {
exports.sprintf = sprintf
exports.vsprintf = vsprintf
exports['sprintf'] = sprintf
exports['vsprintf'] = vsprintf
}
else {}
})(typeof window === "undefined" ? this : window);
if (typeof window !== 'undefined') {
window['sprintf'] = sprintf
window['vsprintf'] = vsprintf
if (true) {
!(__WEBPACK_AMD_DEFINE_RESULT__ = (function() {
return {
'sprintf': sprintf,
'vsprintf': vsprintf
}
}).call(exports, __webpack_require__, exports, module),
__WEBPACK_AMD_DEFINE_RESULT__ !== undefined && (module.exports = __WEBPACK_AMD_DEFINE_RESULT__))
}
}
/* eslint-enable quote-props */
}(); // eslint-disable-line
/***/ }),
@ -767,7 +803,7 @@ Tannin.prototype.dcnpgettext = function( domain, context, singular, plural, n )
var memize = __webpack_require__(41);
var memize_default = /*#__PURE__*/__webpack_require__.n(memize);
// EXTERNAL MODULE: ./node_modules/sprintf-js/src/sprintf.js
// EXTERNAL MODULE: ./node_modules/@wordpress/i18n/node_modules/sprintf-js/src/sprintf.js
var sprintf = __webpack_require__(137);
var sprintf_default = /*#__PURE__*/__webpack_require__.n(sprintf);

File diff suppressed because one or more lines are too long

View File

@ -1374,9 +1374,9 @@ if ( ! function_exists( 'wp_validate_redirect' ) ) :
* @return string redirect-sanitized URL
*/
function wp_validate_redirect( $location, $default = '' ) {
$location = trim( $location, " \t\n\r\0\x08\x0B" );
// browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
if ( substr( $location, 0, 2 ) == '//' ) {
$location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) );
// Browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'.
if ( '//' === substr( $location, 0, 2 ) ) {
$location = 'http:' . $location;
}