WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

General: Backport several commits for release. 

- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that `wp_validate_redirect()` sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend `set-screen-option`.

Merges [47948-47951] to the 5.3 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/5.3@47959


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47731 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
desrosj 2020-06-10 18:00:01 +00:00
parent 66d6663227
commit b454439e6f
9 changed files with 66 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
wp-admin/includes/media.php
View File

@ -3212,7 +3212,7 @@ function edit_form_image_editor( $post ) {
?>
</label>
<?php wp_editor( $post->post_content, 'attachment_content', $editor_args ); ?>
<?php wp_editor( format_to_edit( $post->post_content ), 'attachment_content', $editor_args ); ?>
</div>
<?php

37
wp-admin/includes/misc.php
View File

@ -679,23 +679,46 @@ function set_screen_options() {
}
break;
default:
if ( '_page' === substr( $option, -5 ) || 'layout_columns' === $option ) {
/**
* Filters a screen option value before it is set.
*
* The filter can also be used to modify non-standard [items]_per_page
* settings. See the parent function for a full list of standard options.
*
* Returning false to the filter will skip saving the current option.
*
* @since 2.8.0
* @since 5.4.2 Only applied to options ending with '_page',
* or the 'layout_columns' option.
*
* @see set_screen_options()
*
* @param bool $keep Whether to save or skip saving the screen option value.
* Default false.
* @param string $option The option name.
* @param int $value The number of rows to use.
*/
$value = apply_filters( 'set-screen-option', false, $option, $value ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
}
/**
* Filters a screen option value before it is set.
*
* The filter can also be used to modify non-standard [items]_per_page
* settings. See the parent function for a full list of standard options.
* The dynamic portion of the hook, `$option`, refers to the option name.
*
* Returning false to the filter will skip saving the current option.
*
* @since 2.8.0
* @since 5.4.2
*
* @see set_screen_options()
*
* @param bool $keep Whether to save or skip saving the screen option value. Default false.
* @param string $option The option name.
* @param int $value The number of rows to use.
* @param bool $keep Whether to save or skip saving the screen option value.
* Default false.
* @param string $option The option name.
* @param int $value The number of rows to use.
*/
$value = apply_filters( 'set-screen-option', false, $option, $value ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
$value = apply_filters( "set_screen_option_{$option}", false, $option, $value );
if ( false === $value ) {
return;

2
wp-admin/themes.php
View File

@ -408,7 +408,7 @@ if ( ! is_multisite() && current_user_can( 'edit_themes' ) && $broken_themes ) {
</tr>
<?php foreach ( $broken_themes as $broken_theme ) : ?>
<tr>
<td><?php echo $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : $broken_theme->get_stylesheet(); ?></td>
<td><?php echo $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : esc_html( $broken_theme->get_stylesheet() ); ?></td>
<td><?php echo $broken_theme->errors()->get_error_message(); ?></td>
<?php
if ( $can_resume ) {

2
wp-includes/blocks/rss.php
View File

@ -96,7 +96,7 @@ function render_block_core_rss( $attributes ) {
$class .= ' ' . $attributes['className'];
}
$list_items_markup = "<ul class='{$class}'>{$list_items}</ul>";
$list_items_markup = sprintf( "<ul class='%s'>%s</ul>", esc_attr( $class ), $list_items );
// PHP 5.2 compatibility. See: http://simplepie.org/wiki/faq/i_m_getting_memory_leaks.
$rss->__destruct();

2
wp-includes/blocks/search.php
View File

@ -52,7 +52,7 @@ function render_block_core_search( $attributes ) {
return sprintf(
'<form class="%s" role="search" method="get" action="%s">%s</form>',
$class,
esc_attr( $class ),
esc_url( home_url( '/' ) ),
$label_markup . $input_markup . $button_markup
);

9
wp-includes/comment-template.php
View File

@ -593,8 +593,13 @@ function comment_date( $d = '', $comment_ID = 0 ) {
* @return string The possibly truncated comment excerpt.
*/
function get_comment_excerpt( $comment_ID = 0 ) {
$comment = get_comment( $comment_ID );
$comment_text = strip_tags( str_replace( array( "\n", "\r" ), ' ', $comment->comment_content ) );
$comment = get_comment( $comment_ID );
if ( ! post_password_required( $comment->comment_post_ID ) ) {
$comment_text = strip_tags( str_replace( array( "\n", "\r" ), ' ', $comment->comment_content ) );
} else {
$comment_text = __( 'Password protected' );
}
/* translators: Maximum number of words used in a comment excerpt. */
$comment_excerpt_length = intval( _x( '20', 'comment_excerpt_length' ) );

2
wp-includes/default-filters.php
View File

@ -574,8 +574,8 @@ add_filter( 'the_excerpt_embed', 'wpautop' );
add_filter( 'the_excerpt_embed', 'shortcode_unautop' );
add_filter( 'the_excerpt_embed', 'wp_embed_excerpt_attachment' );
add_filter( 'oembed_dataparse', 'wp_filter_oembed_iframe_title_attribute', 5, 3 );
add_filter( 'oembed_dataparse', 'wp_filter_oembed_result', 10, 3 );
add_filter( 'oembed_dataparse', 'wp_filter_oembed_iframe_title_attribute', 20, 3 );
add_filter( 'oembed_response_data', 'get_oembed_response_data_rich', 10, 4 );
add_filter( 'pre_oembed_result', 'wp_filter_pre_oembed_result', 10, 3 );

29
wp-includes/embed.php
View File

@ -797,11 +797,24 @@ function wp_filter_oembed_iframe_title_attribute( $result, $data, $url ) {
$title = ! empty( $data->title ) ? $data->title : '';
$pattern = '`<iframe[^>]*?title=(\\\\\'|\\\\"|[\'"])([^>]*?)\1`i';
$has_title_attr = preg_match( $pattern, $result, $matches );
$pattern = '`<iframe([^>]*)>`i';
if ( preg_match( $pattern, $result, $matches ) ) {
$attrs = wp_kses_hair( $matches[1], wp_allowed_protocols() );
if ( $has_title_attr && ! empty( $matches[2] ) ) {
$title = $matches[2];
foreach ( $attrs as $attr => $item ) {
$lower_attr = strtolower( $attr );
if ( $lower_attr === $attr ) {
continue;
}
if ( ! isset( $attrs[ $lower_attr ] ) ) {
$attrs[ $lower_attr ] = $item;
unset( $attrs[ $attr ] );
}
}
}
if ( ! empty( $attrs['title']['value'] ) ) {
$title = $attrs['title']['value'];
}
/**
@ -820,11 +833,11 @@ function wp_filter_oembed_iframe_title_attribute( $result, $data, $url ) {
return $result;
}
if ( $has_title_attr ) {
// Remove the old title, $matches[1]: quote, $matches[2]: title attribute value.
$result = str_replace( ' title=' . $matches[1] . $matches[2] . $matches[1], '', $result );
if ( isset( $attrs['title'] ) ) {
unset( $attrs['title'] );
$attr_string = join( ' ', wp_list_pluck( $attrs, 'whole' ) );
$result = str_replace( $matches[0], '<iframe ' . trim( $attr_string ) . '>', $result );
}
return str_ireplace( '<iframe ', sprintf( '<iframe title="%s" ', esc_attr( $title ) ), $result );
}

6
wp-includes/pluggable.php
View File

@ -1391,9 +1391,9 @@ if ( ! function_exists( 'wp_validate_redirect' ) ) :
* @return string redirect-sanitized URL
*/
function wp_validate_redirect( $location, $default = '' ) {
$location = trim( $location, " \t\n\r\0\x08\x0B" );
// browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
if ( substr( $location, 0, 2 ) == '//' ) {
$location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) );
// Browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'.
if ( '//' === substr( $location, 0, 2 ) ) {
$location = 'http:' . $location;
}