General: Backport several commits for release.

- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.
Merges [47947-47951] to the 3.9 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.

Built from https://develop.svn.wordpress.org/branches/3.9@47966


git-svn-id: http://core.svn.wordpress.org/branches/3.9@47737 1a063a9b-81f0-0310-95a4-ce76da25c4cd
whyisjake 2020-06-10 18:52:30 +00:00
parent c623e36b53
commit 6965572495
4 changed files with 37 additions and 12 deletions


@ -2687,8 +2687,11 @@ function edit_form_image_editor( $post ) {
<label for="content"><strong><?php _e( 'Description' ); ?></strong><?php <label for="content"><strong><?php _e( 'Description' ); ?></strong><?php
if ( preg_match( '#^(audio|video)/#', $post->post_mime_type ) ) { if ( preg_match( '#^(audio|video)/#', $post->post_mime_type ) ) {
echo ': ' . __( 'Displayed on attachment pages.' ); echo ': ' . __( 'Displayed on attachment pages.' );
} ?></label> }
<?php wp_editor( $post->post_content, 'attachment_content', $editor_args ); ?>
?>
</label>
<?php wp_editor( format_to_edit( $post->post_content ), 'attachment_content', $editor_args ); ?>
</div> </div>
<?php <?php
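Review bot: The new `format_to_edit( $post->post_content )` argument on the wp_editor() line carries no explanation of why the raw `post_content` was wrong here, which is the security-relevant part of this hunk and the first thing a maintainer will be tempted to revert when the description looks "double escaped". A one-line comment above the call would pin the intent, e.g. `// Run the stored description through format_to_edit() so wp_editor() receives textarea-safe content instead of HTML-decoding raw post_content.` I cannot confirm from this hunk how format_to_edit() treats the rich-editor (TinyMCE) path in 3.9, so verify that path does not escape twice before relying on the comment. edit_form_image_editor() begins before this hunk and `$editor_args` is built outside it.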


@ -403,24 +403,46 @@ function set_screen_options() {
return; return;
break; break;
default: default:
if ( '_page' === substr( $option, -5 ) || 'layout_columns' === $option ) {
/**
* Filters a screen option value before it is set.
*
* The filter can also be used to modify non-standard [items]_per_page
* settings. See the parent function for a full list of standard options.
*
* Returning false to the filter will skip saving the current option.
*
* @since 2.8.0
* @since 5.4.2 Only applied to options ending with '_page',
* or the 'layout_columns' option.
*
* @see set_screen_options()
*
* @param bool $keep Whether to save or skip saving the screen option value.
* Default false.
* @param string $option The option name.
* @param int $value The number of rows to use.
*/
$value = apply_filters( 'set-screen-option', false, $option, $value ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
}
/** /**
* Filter a screen option value before it is set. * Filter a screen option value before it is set.
* *
* The filter can also be used to modify non-standard [items]_per_page * The dynamic portion of the hook, `$option`, refers to the option name.
* settings. See the parent function for a full list of standard options.
* *
* Returning false to the filter will skip saving the current option. * Returning false to the filter will skip saving the current option.
* *
* @since 2.8.0 * @since 5.4.2
* *
* @see set_screen_options() * @see set_screen_options()
* *
* @param bool|int $value Screen option value. Default false to skip. * @param bool $keep Whether to save or skip saving the screen option value.
* @param string $option The option name. * Default false.
* @param int $value The number of rows to use. * @param string $option The option name.
* @param int $value The number of rows to use.
*/ */
$value = apply_filters( 'set-screen-option', false, $option, $value ); $value = apply_filters( "set_screen_option_{$option}", false, $option, $value );
if ( false === $value ) if ( false === $value )
return; return;
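Review bot: The result of the legacy `set-screen-option` filter is discarded: L61 stores it in `$value`, and the dynamic `set_screen_option_{$option}` filter on the new side of L80 starts from `false` again while receiving that already-filtered `$value` as its third argument, so a plugin that only hooks the legacy filter has its return value replaced by `false` at L81 and the option is never saved. For a `_page` option with no legacy callbacks the damage is worse, since `$value` itself becomes `false` before the dynamic filter runs and the submitted number is gone. Thread a separate accumulator through both filters and only assign it back to `$value` once it is not `false`, as sketched below; the docblocks stay as they are. The `switch` and the rest of set_screen_options() continue outside this hunk.
```php
				$screen_option = false;

				if ( '_page' === substr( $option, -5 ) || 'layout_columns' === $option ) {
					// … unchanged: docblock for the legacy 'set-screen-option' filter …
					$screen_option = apply_filters( 'set-screen-option', $screen_option, $option, $value ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
				}

				// … unchanged: docblock for the dynamic filter …
				$screen_option = apply_filters( "set_screen_option_{$option}", $screen_option, $option, $value );

				if ( false === $screen_option )
					return;

				$value = $screen_option;
```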


@ -251,7 +251,7 @@ if ( ! is_multisite() && current_user_can('edit_themes') && $broken_themes = wp_
foreach ( $broken_themes as $broken_theme ) { foreach ( $broken_themes as $broken_theme ) {
echo " echo "
<tr> <tr>
<td>" . ( $broken_theme->get( 'Name' ) ? $broken_theme->get( 'Name' ) : $broken_theme->get_stylesheet() ) . "</td> <td><?php echo $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : esc_html( $broken_theme->get_stylesheet() ); ?></td>
<td>" . $broken_theme->errors()->get_error_message() . "</td> <td>" . $broken_theme->errors()->get_error_message() . "</td>
</tr>"; </tr>";
} }
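Review bot: The new `<td>` line on L90 sits inside the double-quoted string opened by `echo "` on L88 and closed by `</tr>";` on L92, so its `<?php echo … ?>` tags are never executed: the literal tags are written into the page, PHP's simple string interpolation expands `$broken_theme->get` and `$broken_theme->display` as property reads and leaves `( 'Name' )` as text, and neither `display( 'Name' )` nor `esc_html()` ever runs, which defeats the escaping this backport is meant to add. Keep the concatenation form of the removed line: `<td>" . ( $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : esc_html( $broken_theme->get_stylesheet() ) ) . "</td>`. The `get_error_message()` cell on L91 is untouched by this commit and still goes out unescaped; its text presumably comes from theme headers rather than request input, but it deserves the same `esc_html()` treatment. The enclosing `if` starts before this hunk.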


@ -1138,7 +1138,7 @@ if ( !function_exists('wp_sanitize_redirect') ) :
* @return string redirect-sanitized URL * @return string redirect-sanitized URL
**/ **/
function wp_sanitize_redirect($location) { function wp_sanitize_redirect($location) {
$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!]|i', '', $location); $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!@]|i', '', $location);
$location = wp_kses_no_null($location); $location = wp_kses_no_null($location);
// remove %0d and %0a from location // remove %0d and %0a from location
@ -1194,7 +1194,7 @@ if ( !function_exists('wp_validate_redirect') ) :
* @return string redirect-sanitized URL * @return string redirect-sanitized URL
**/ **/
function wp_validate_redirect($location, $default = '') { function wp_validate_redirect($location, $default = '') {
$location = trim( $location, " \t\n\r\0\x08\x0B" ); $location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) );
// browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//' // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
if ( substr($location, 0, 2) == '//' ) if ( substr($location, 0, 2) == '//' )
$location = 'http:' . $location; $location = 'http:' . $location;
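Review bot: wp_validate_redirect() now routes its input through wp_sanitize_redirect() before the `//` check on L110, and the `function_exists` guard on L97 shows that sanitizer is pluggable, so the strength of the host validation that follows now depends on whatever a plugin may have substituted; a comment on the new L108 would make that coupling explicit, e.g. `// Sanitize first so the URL we validate is the one that will actually be sent; note wp_sanitize_redirect() is pluggable.` With `@` added to the allowed set on L101, a location such as `http://allowed.example@attacker.example` is no longer rewritten into a different string, so the host comparison later in this function must take the host from the part after `@`; that check is outside the hunk, so confirm it parses the authority the same way a browser will. wp_validate_redirect()'s body continues past L111.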