diff --git a/wp-admin/about.php b/wp-admin/about.php index ea84efc56b..0e8c6bc1c4 100644 --- a/wp-admin/about.php +++ b/wp-admin/about.php @@ -40,6 +40,26 @@ include( ABSPATH . 'wp-admin/admin-header.php' );

+

+ Version %s addressed some security issues.' ), + '4.5.29' + ); + ?> + the release notes.' ), + sprintf( + /* translators: %s: WordPress version */ + esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), + sanitize_title( '4.5.29' ) + ) + ); + ?> +

"; diff --git a/wp-includes/js/wp-embed.js b/wp-includes/js/wp-embed.js index 966a41f74a..966ea49d97 100644 --- a/wp-includes/js/wp-embed.js +++ b/wp-includes/js/wp-embed.js @@ -37,6 +37,7 @@ var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ), blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ), + allowedProtocols = new RegExp( '^https?:$', 'i' ), i, source, height, sourceURL, targetURL; for ( i = 0; i < blockquotes.length; i++ ) { @@ -72,6 +73,11 @@ sourceURL.href = source.getAttribute( 'src' ); targetURL.href = data.value; + /* Only follow link if the protocol is in the allow list. */ + if ( ! allowedProtocols.test( targetURL.protocol ) ) { + continue; + } + /* Only continue if link hostname matches iframe's hostname. */ if ( targetURL.host === sourceURL.host ) { if ( document.activeElement === source ) { diff --git a/wp-includes/js/wp-embed.min.js b/wp-includes/js/wp-embed.min.js index 904b15eece..b1ddb1656b 100644 --- a/wp-includes/js/wp-embed.min.js +++ b/wp-includes/js/wp-embed.min.js @@ -1 +1 @@ -!function(c,d){"use strict";var e=!1,n=!1;if(d.querySelector)if(c.addEventListener)e=!0;if(c.wp=c.wp||{},!c.wp.receiveEmbedMessage)if(c.wp.receiveEmbedMessage=function(e){var t=e.data;if(t.secret||t.message||t.value)if(!/[^a-zA-Z0-9]/.test(t.secret)){for(var r,a,i,s=d.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),n=d.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),o=0;o ! apply_filters( 'disable_captions', '' ), 'nonce' => array( - 'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ), + 'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ), + 'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ), ), 'post' => array( 'id' => 0, diff --git a/wp-includes/version.php b/wp-includes/version.php index 3792c2353c..fefd73b573 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.5.28'; +$wp_version = '4.5.29'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.