General: WordPress updates
* XML-RPC: Improve error messages for unprivileged users. * External Libraries: Disable deserialization in Requests_Utility_FilteredIterator * Embeds: Disable embeds on deactivated Multisite sites. * Coding standards: Modify escaping functions to avoid potential false positives. * XML-RPC: Return error message if attachment ID is incorrect. * Upgrade/install: Improve logic check when determining installation status. * Meta: Sanitize meta key before checking protection status. * Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page. Brings the changes from [49380,49382-49388] to the 5.2 branch. Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32. Built from https://develop.svn.wordpress.org/branches/5.2@49394 git-svn-id: http://core.svn.wordpress.org/branches/5.2@49153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
94cd77983b
commit
505afcd180
|
@ -82,13 +82,13 @@ wp_enqueue_script( 'svg-painter' );
|
|||
$admin_body_class = preg_replace( '/[^a-z0-9_-]+/i', '-', $hook_suffix );
|
||||
?>
|
||||
<script type="text/javascript">
|
||||
addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
|
||||
var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
|
||||
pagenow = '<?php echo $current_screen->id; ?>',
|
||||
typenow = '<?php echo $current_screen->post_type; ?>',
|
||||
adminpage = '<?php echo $admin_body_class; ?>',
|
||||
thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
|
||||
decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
|
||||
addLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
|
||||
var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
|
||||
pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
|
||||
typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
|
||||
adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
|
||||
thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
|
||||
decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
|
||||
isRtl = <?php echo (int) is_rtl(); ?>;
|
||||
</script>
|
||||
<meta name="viewport" content="width=device-width,initial-scale=1.0">
|
||||
|
|
|
@ -574,6 +574,8 @@ class Custom_Background {
|
|||
* @deprecated 3.5.0
|
||||
*/
|
||||
public function wp_set_background_image() {
|
||||
check_ajax_referer( 'custom-background' );
|
||||
|
||||
if ( ! current_user_can( 'edit_theme_options' ) || ! isset( $_POST['attachment_id'] ) ) {
|
||||
exit;
|
||||
}
|
||||
|
|
|
@ -338,7 +338,7 @@ class Custom_Image_Header {
|
|||
?>
|
||||
<script type="text/javascript">
|
||||
(function($){
|
||||
var default_color = '<?php echo $default_color; ?>',
|
||||
var default_color = '<?php echo esc_js( $default_color ); ?>',
|
||||
header_text_fields;
|
||||
|
||||
function pickColor(color) {
|
||||
|
|
|
@ -500,7 +500,7 @@ function wp_iframe( $content_func /* ... */ ) {
|
|||
?>
|
||||
<script type="text/javascript">
|
||||
addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
|
||||
var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
|
||||
var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
|
||||
isRtl = <?php echo (int) is_rtl(); ?>;
|
||||
</script>
|
||||
<?php
|
||||
|
|
|
@ -885,7 +885,7 @@ function can_edit_network( $network_id ) {
|
|||
function _thickbox_path_admin_subfolder() {
|
||||
?>
|
||||
<script type="text/javascript">
|
||||
var tb_pathToImage = "<?php echo includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ); ?>";
|
||||
var tb_pathToImage = "<?php echo esc_js( includes_url( 'js/thickbox/loadingAnimation.gif', 'relative' ) ); ?>";
|
||||
</script>
|
||||
<?php
|
||||
}
|
||||
|
|
|
@ -1916,12 +1916,12 @@ function iframe_header( $title = '', $deprecated = false ) {
|
|||
<script type="text/javascript">
|
||||
addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
|
||||
function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_remove();}
|
||||
var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
|
||||
pagenow = '<?php echo $current_screen->id; ?>',
|
||||
typenow = '<?php echo $current_screen->post_type; ?>',
|
||||
adminpage = '<?php echo $admin_body_class; ?>',
|
||||
thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
|
||||
decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
|
||||
var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
|
||||
pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
|
||||
typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
|
||||
adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
|
||||
thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
|
||||
decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
|
||||
isRtl = <?php echo (int) is_rtl(); ?>;
|
||||
</script>
|
||||
<?php
|
||||
|
|
|
@ -126,11 +126,13 @@
|
|||
frame.on( 'select', function() {
|
||||
// Grab the selected attachment.
|
||||
var attachment = frame.state().get('selection').first();
|
||||
var nonceValue = $( '#_wpnonce' ).val() || '';
|
||||
|
||||
// Run an AJAX request to set the background image.
|
||||
$.post( ajaxurl, {
|
||||
action: 'set-background-image',
|
||||
attachment_id: attachment.id,
|
||||
_ajax_nonce: nonceValue,
|
||||
size: 'full'
|
||||
}).done( function() {
|
||||
// When the request completes, reload the window.
|
||||
|
|
|
@ -1 +1 @@
|
|||
!function(a){a(document).ready(function(){var b,c=a("#custom-background-image");a("#background-color").wpColorPicker({change:function(a,b){c.css("background-color",b.color.toString())},clear:function(){c.css("background-color","")}}),a('select[name="background-size"]').change(function(){c.css("background-size",a(this).val())}),a('input[name="background-position"]').change(function(){c.css("background-position",a(this).val())}),a('input[name="background-repeat"]').change(function(){c.css("background-repeat",a(this).is(":checked")?"repeat":"no-repeat")}),a('input[name="background-attachment"]').change(function(){c.css("background-attachment",a(this).is(":checked")?"scroll":"fixed")}),a("#choose-from-library-link").click(function(c){var d=a(this);return c.preventDefault(),b?void b.open():(b=wp.media.frames.customBackground=wp.media({title:d.data("choose"),library:{type:"image"},button:{text:d.data("update"),close:!1}}),b.on("select",function(){var c=b.state().get("selection").first();a.post(ajaxurl,{action:"set-background-image",attachment_id:c.id,size:"full"}).done(function(){window.location.reload()})}),void b.open())})})}(jQuery);
|
||||
!function(a){a(document).ready(function(){var b,c=a("#custom-background-image");a("#background-color").wpColorPicker({change:function(a,b){c.css("background-color",b.color.toString())},clear:function(){c.css("background-color","")}}),a('select[name="background-size"]').change(function(){c.css("background-size",a(this).val())}),a('input[name="background-position"]').change(function(){c.css("background-position",a(this).val())}),a('input[name="background-repeat"]').change(function(){c.css("background-repeat",a(this).is(":checked")?"repeat":"no-repeat")}),a('input[name="background-attachment"]').change(function(){c.css("background-attachment",a(this).is(":checked")?"scroll":"fixed")}),a("#choose-from-library-link").click(function(c){var d=a(this);return c.preventDefault(),b?void b.open():(b=wp.media.frames.customBackground=wp.media({title:d.data("choose"),library:{type:"image"},button:{text:d.data("update"),close:!1}}),b.on("select",function(){var c=b.state().get("selection").first(),d=a("#_wpnonce").val()||"";a.post(ajaxurl,{action:"set-background-image",attachment_id:c.id,_ajax_nonce:d,size:"full"}).done(function(){window.location.reload()})}),void b.open())})})}(jQuery);
|
|
@ -11,7 +11,7 @@ jQuery(function($) {
|
|||
* Adds a click event handler to the element with a 'wp-gallery' class.
|
||||
*/
|
||||
$( 'body' ).bind( 'click.wp-gallery', function(e) {
|
||||
var target = $( e.target ), id, img_size;
|
||||
var target = $( e.target ), id, img_size, nonceValue;
|
||||
|
||||
if ( target.hasClass( 'wp-set-header' ) ) {
|
||||
// Opens the image to preview it full size.
|
||||
|
@ -21,6 +21,7 @@ jQuery(function($) {
|
|||
// Sets the image as background of the theme.
|
||||
id = target.data( 'attachment-id' );
|
||||
img_size = $( 'input[name="attachments[' + id + '][image-size]"]:checked').val();
|
||||
nonceValue = $( '#_wpnonce' ).val() && '';
|
||||
|
||||
/**
|
||||
* This AJAX action has been deprecated since 3.5.0, see custom-background.php
|
||||
|
@ -28,6 +29,7 @@ jQuery(function($) {
|
|||
jQuery.post(ajaxurl, {
|
||||
action: 'set-background-image',
|
||||
attachment_id: id,
|
||||
_ajax_nonce: nonceValue,
|
||||
size: img_size
|
||||
}, function() {
|
||||
var win = window.dialogArguments || opener || parent || top;
|
||||
|
|
|
@ -1 +1 @@
|
|||
jQuery(function(a){a("body").bind("click.wp-gallery",function(b){var c,d,e=a(b.target);e.hasClass("wp-set-header")?((window.dialogArguments||opener||parent||top).location.href=e.data("location"),b.preventDefault()):e.hasClass("wp-set-background")&&(c=e.data("attachment-id"),d=a('input[name="attachments['+c+'][image-size]"]:checked').val(),jQuery.post(ajaxurl,{action:"set-background-image",attachment_id:c,size:d},function(){var a=window.dialogArguments||opener||parent||top;a.tb_remove(),a.location.reload()}),b.preventDefault())})});
|
||||
jQuery(function(a){a("body").bind("click.wp-gallery",function(b){var c,d,e,f=a(b.target);f.hasClass("wp-set-header")?((window.dialogArguments||opener||parent||top).location.href=f.data("location"),b.preventDefault()):f.hasClass("wp-set-background")&&(c=f.data("attachment-id"),d=a('input[name="attachments['+c+'][image-size]"]:checked').val(),e=a("#_wpnonce").val()&&"",jQuery.post(ajaxurl,{action:"set-background-image",attachment_id:c,_ajax_nonce:e,size:d},function(){var a=window.dialogArguments||opener||parent||top;a.tb_remove(),a.location.reload()}),b.preventDefault())})});
|
|
@ -77,9 +77,9 @@ if ( get_user_setting( 'uploader' ) || isset( $_GET['browser-uploader'] ) ) {
|
|||
<?php media_upload_form(); ?>
|
||||
|
||||
<script type="text/javascript">
|
||||
var post_id = <?php echo $post_id; ?>, shortform = 3;
|
||||
var post_id = <?php echo absint( $post_id ); ?>, shortform = 3;
|
||||
</script>
|
||||
<input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
|
||||
<input type="hidden" name="post_id" id="post_id" value="<?php echo absint( $post_id ); ?>" />
|
||||
<?php wp_nonce_field( 'media-form' ); ?>
|
||||
<div id="media-items" class="hide-if-no-js"></div>
|
||||
</form>
|
||||
|
|
|
@ -217,7 +217,7 @@ if ( ! wp_is_large_network( 'users' ) && apply_filters( 'show_network_site_users
|
|||
require( ABSPATH . 'wp-admin/admin-header.php' ); ?>
|
||||
|
||||
<script type="text/javascript">
|
||||
var current_site_id = <?php echo $id; ?>;
|
||||
var current_site_id = <?php echo absint( $id ); ?>;
|
||||
</script>
|
||||
|
||||
|
||||
|
|
|
@ -42,4 +42,17 @@ class Requests_Utility_FilteredIterator extends ArrayIterator {
|
|||
$value = call_user_func($this->callback, $value);
|
||||
return $value;
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function unserialize( $serialized ) {
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function __unserialize( $serialized ) { // phpcs:ignore PHPCompatibility.FunctionNameRestrictions.ReservedFunctionNames.MethodDoubleUnderscore,PHPCompatibility.FunctionNameRestrictions.NewMagicMethods.__unserializeFound
|
||||
$this->unserialize( $serialized );
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3829,6 +3829,21 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
return new IXR_Error( 403, __( 'Comment is required.' ) );
|
||||
}
|
||||
|
||||
if (
|
||||
'publish' === get_post_status( $post_id ) &&
|
||||
! current_user_can( 'edit_post', $post_id ) &&
|
||||
post_password_required( $post_id )
|
||||
) {
|
||||
return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
|
||||
}
|
||||
|
||||
if (
|
||||
'private' === get_post_status( $post_id ) &&
|
||||
! current_user_can( 'read_post', $post_id )
|
||||
) {
|
||||
return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
|
||||
}
|
||||
|
||||
$comment = array(
|
||||
'comment_post_ID' => $post_id,
|
||||
'comment_content' => $content_struct['content'],
|
||||
|
@ -4233,7 +4248,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
|
||||
do_action( 'xmlrpc_call', 'wp.getMediaItem' );
|
||||
|
||||
if ( ! $attachment = get_post( $attachment_id ) ) {
|
||||
$attachment = get_post( $attachment_id );
|
||||
if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
|
||||
return new IXR_Error( 404, __( 'Invalid attachment ID.' ) );
|
||||
}
|
||||
|
||||
|
|
|
@ -604,7 +604,12 @@ function get_oembed_response_data_for_url( $url, $args ) {
|
|||
$sites = get_sites( $qv );
|
||||
$site = reset( $sites );
|
||||
|
||||
if ( $site && (int) $site->blog_id !== get_current_blog_id() ) {
|
||||
// Do not allow embeds for deleted/archived/spam sites.
|
||||
if ( ! empty( $site->deleted ) || ! empty( $site->spam ) || ! empty( $site->archived ) ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ( $site && get_current_blog_id() !== (int) $site->blog_id ) {
|
||||
switch_to_blog( $site->blog_id );
|
||||
$switched_blog = true;
|
||||
}
|
||||
|
|
|
@ -1566,7 +1566,8 @@ function is_blog_installed() {
|
|||
continue;
|
||||
}
|
||||
|
||||
if ( ! $wpdb->get_results( "DESCRIBE $table;" ) ) {
|
||||
$described_table = $wpdb->get_results( "DESCRIBE $table;" );
|
||||
if ( is_array( $described_table ) && count( $described_table ) === 0 ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
|
|
|
@ -1030,8 +1030,9 @@ function _get_meta_table( $type ) {
|
|||
* @param string|null $meta_type Optional. Type of object metadata is for (e.g., comment, post, term, or user).
|
||||
* @return bool Whether the meta key is considered protected.
|
||||
*/
|
||||
function is_protected_meta( $meta_key, $meta_type = null ) {
|
||||
$protected = ( '_' == $meta_key[0] );
|
||||
function is_protected_meta( $meta_key, $meta_type = '' ) {
|
||||
$sanitized_key = preg_replace( "/[^\x20-\x7E\p{L}]/", '', $meta_key );
|
||||
$protected = strlen( $sanitized_key ) > 0 && ( '_' === $sanitized_key[0] );
|
||||
|
||||
/**
|
||||
* Filters whether a meta key is considered protected.
|
||||
|
|
Loading…
Reference in New Issue