davidbaumwald
69e59764eb
Grouped backports to the 4.6 branch.
...
- Comments: Prevent users who can not see a post from seeing comments on it.
- Shortcodes: Restrict media shortcode ajax to certain type.
- REST API: Ensure no-cache headers are sent when methods are overridden.
- Prevent unintended behavior when certain objects are unserialized.
Merges [56834], [56835], [56836], and [56838] to the 4.6 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/4.6@56859
git-svn-id: http://core.svn.wordpress.org/branches/4.6@56370 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-10-12 18:10:52 +00:00
Dominik Schilling
97bf32c66a
Text Changes: Unify/merge two more permission error messages.
...
Props ramiy.
Fixes #34521.
Built from https://develop.svn.wordpress.org/trunk@38037
git-svn-id: http://core.svn.wordpress.org/trunk@37978 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-12 11:45:29 +00:00
Rachel Baker
e5fcbb3514
REST API: Reverse order of setting sanitization/validation, validating prior to sanitizing.
...
Fixes mistake in the current behavior, where the sanitization callback ran before the validation callback. Now the validation callback will run before the sanitization.
Props schlessera, rachelbaker.
See #37247.
Fixes #37192.
Built from https://develop.svn.wordpress.org/trunk@37943
git-svn-id: http://core.svn.wordpress.org/trunk@37884 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-02 23:03:27 +00:00
Rachel Baker
a475d0a161
REST API: Include auto-discovery Link header when serving API requests.
...
The Link header allows clients to verify if a site has made the REST API available, as well as indicating how to access it.
Props danielbachhuber.
Fixes #35580.
Built from https://develop.svn.wordpress.org/trunk@37903
git-svn-id: http://core.svn.wordpress.org/trunk@37844 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-29 01:57:55 +00:00
Rachel Baker
228c60a222
REST API: Include X-Robots-Tag: noindex header in REST API responses to prevent endpoints from being indexed by search engines.
...
Prevent duplicate content issues with search engines and REST API endpoint response data.
Fixes #36390.
Props m_uysl for the initial patch.
Built from https://develop.svn.wordpress.org/trunk@37726
git-svn-id: http://core.svn.wordpress.org/trunk@37692 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-16 14:59:28 +00:00
Peter Wilson
47d26cd9fb
DOCS: Replace HTTP links with HTTPS.
...
Replaces unsecure links in documentation and translator comments with their secure versions.
Props johnpgreen, netweb
Fixes #36993
Built from https://develop.svn.wordpress.org/trunk@37674
git-svn-id: http://core.svn.wordpress.org/trunk@37640 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-10 04:50:33 +00:00
Rachel Baker
99cca27041
REST API: Create the general `wp_check_jsonp_callback()` function for validating JSONP callback functions.
...
Move the REST API JSONP callback validation check into a separate function named `wp_check_jsonp_callback()`. This allows plugins to use the built-in validation when handling JSONP callbacks.
Extremely Important Note: If you send JSONP in your custom response, make sure you prefix the response with `/**/`. This will mitigate the Rosetta Flash exploit. You should also send the `X-Content-Type-Options:nosniff` header, or even better, use the REST API infrastructure.
Props rmccue.
Fixes #28523.
Built from https://develop.svn.wordpress.org/trunk@37646
git-svn-id: http://core.svn.wordpress.org/trunk@37612 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-06 21:34:28 +00:00
Drew Jaynes
f03eef071e
Docs: Standardize hook docs in wp-includes/rest-api/* to use third-person singular verbs per the inline documentation standards for PHP.
...
See #36913.
Built from https://develop.svn.wordpress.org/trunk@37490
git-svn-id: http://core.svn.wordpress.org/trunk@37458 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 18:08:29 +00:00
Drew Jaynes
b1804afeaf
Docs: Standardize on 'backward compatibility/compatible' nomenclature in core inline docs.
...
Also use 'back-compat' in some inline comments where backward compatibility is the subject and shorthand feels more natural.
Note: 'backwards compatibility/compatible' can also be considered correct, though it's primarily seen in regular use in British English.
Props ocean90.
Fixes #36835.
Built from https://develop.svn.wordpress.org/trunk@37431
git-svn-id: http://core.svn.wordpress.org/trunk@37397 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-13 18:41:31 +00:00
Drew Jaynes
fe3b007fdd
Docs: Remove inline `@see` tags from function, class, and method references in inline docs.
...
Known functions, classes, and methods are now auto-linked in Code Reference pages following #meta1483.
Note: Hook references are still linked via inline `@see` tags due to the unlikelihood of reliably matching for known hooks based on a RegEx pattern.
See #32246.
Built from https://develop.svn.wordpress.org/trunk@37342
git-svn-id: http://core.svn.wordpress.org/trunk@37308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-02 04:00:28 +00:00
Mark Jaquith
31152de134
REST API: Deliver parameters unadulterated instead of slashed.
...
We goofed, and parameters accessed through the REST API's methods
were slashed (inconsistently, even). This unslashes the data, so
you get the un-messed-with data that was sent.
Props joehoyle.
Fixes #36419.
Built from https://develop.svn.wordpress.org/trunk@37163
git-svn-id: http://core.svn.wordpress.org/trunk@37130 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-04-06 21:02:28 +00:00
Joe Hoyle
a07988c1c5
REST API: Provide better method for generating CURIEs
...
In [36533] CURIEs were added to the API responses for the link relation URIs, this makes
it a lot easier for clients to look up links by relation. That patch was functional, but
broke on edge cases such as embedded responses and collection items with links in the items.
This patch instead takes a less obtrusive approach by creating a new `get_compact_response_links`
to complement `get_response_links` making both old and new functionality available.
Also the regex for curie relations has been relaxed to `.+` as rel names can have any uri-valid character in it.
Fixes #34729.
Built from https://develop.svn.wordpress.org/trunk@37041
git-svn-id: http://core.svn.wordpress.org/trunk@37008 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-22 00:16:27 +00:00
Rachel Baker
6edbcc88ff
REST API: Add `home_url` to API index to avoid confusion with `site_url`.
...
Confusion abound, the API index is the generic term `url` to display the `site_url`. New `home` key will display the `home_url` in the index as well.
Fixes #35647.
Built from https://develop.svn.wordpress.org/trunk@37031
git-svn-id: http://core.svn.wordpress.org/trunk@36998 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-17 19:16:29 +00:00
Rachel Baker
76d14c1d24
REST API: Remove unused variable `$api_root` from WP_Rest_Server->embed_links() method.
...
After [r36674] the variable `$api_root` is no longer used in this method and should be removed.
See #35803.
Built from https://develop.svn.wordpress.org/trunk@37021
git-svn-id: http://core.svn.wordpress.org/trunk@36988 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-16 21:41:28 +00:00
Drew Jaynes
a65c79b3d2
Docs: Use a third-person singular verb in the DocBlock summary for `WP_REST_Response::get_curies()`, introduced in [36533].
...
Also adds a missing return description.
See #34729. See #35986.
Built from https://develop.svn.wordpress.org/trunk@37015
git-svn-id: http://core.svn.wordpress.org/trunk@36982 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-16 16:54:26 +00:00
Drew Jaynes
ddf7375217
Docs: Improve parameter description syntax in the hook doc for the `rest_request_from_url` filter, introduced in [36673].
...
See #35803. See #35986.
Built from https://develop.svn.wordpress.org/trunk@37014
git-svn-id: http://core.svn.wordpress.org/trunk@36981 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-16 16:52:27 +00:00
Drew Jaynes
408da605e4
Docs: Improve the DocBlock for `WP_REST_Request::from_url()`, introduced in [36673].
...
See #35803. See #35986.
Built from https://develop.svn.wordpress.org/trunk@37013
git-svn-id: http://core.svn.wordpress.org/trunk@36980 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-16 16:50:27 +00:00
Ryan McCue
937b0c3241
REST API: Use WP_REST_Request::from_url() when embedding.
...
See #35803.
Built from https://develop.svn.wordpress.org/trunk@36674
git-svn-id: http://core.svn.wordpress.org/trunk@36641 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-24 04:20:25 +00:00
Ryan McCue
0b7e133054
REST API: Add WP_REST_Request::from_url()
...
Allows converting a REST URL into a Request object.
Props danielbachhuber.
Fixes #35803.
Built from https://develop.svn.wordpress.org/trunk@36673
git-svn-id: http://core.svn.wordpress.org/trunk@36640 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-24 04:01:26 +00:00
Drew Jaynes
a0aa608970
Docs: Improve documentation for `WP_REST_Request` to highlight a caveat of ArrayAccess when it comes to passing similar arguments for multiple request methods.
...
Props danielbachhuber, DrewAPicture.
Fixes #35799.
Built from https://develop.svn.wordpress.org/trunk@36636
git-svn-id: http://core.svn.wordpress.org/trunk@36603 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-23 16:57:26 +00:00
Rachel Baker
9fdb970ceb
Docs: Add missing @since and @access tags to `get_curies` method and filter from r36533
...
See #34729, #32246.
Built from https://develop.svn.wordpress.org/trunk@36593
git-svn-id: http://core.svn.wordpress.org/trunk@36560 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-19 23:42:27 +00:00
Drew Jaynes
e020ccd081
Docs: Add formatting to a changelog entry in the hook doc for the `rest_dispatch_request` filter.
...
See [36534]. See #32246.
Built from https://develop.svn.wordpress.org/trunk@36576
git-svn-id: http://core.svn.wordpress.org/trunk@36543 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-18 18:18:25 +00:00
Ryan McCue
3e65236aa7
REST API: Apply rest_post_dispatch to embedded responses.
...
Fixes #35628.
Props @danielbachhuber.
Built from https://develop.svn.wordpress.org/trunk@36536
git-svn-id: http://core.svn.wordpress.org/trunk@36503 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-16 06:06:27 +00:00
Ryan McCue
03ba67a0b7
REST API: Allow explicit HEAD callbacks.
...
HEAD callbacks can now be registered independently, with the GET
callback still used as a fallback.
Fixes #34841.
Built from https://develop.svn.wordpress.org/trunk@36535
git-svn-id: http://core.svn.wordpress.org/trunk@36502 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-16 05:51:26 +00:00
Ryan McCue
0438795671
REST API: Add routing args to rest_dispatch_request filter.
...
This allows requests to be hijacked via the filter more easily.
Fixes #35507.
Built from https://develop.svn.wordpress.org/trunk@36534
git-svn-id: http://core.svn.wordpress.org/trunk@36501 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-16 04:40:26 +00:00
Ryan McCue
47bee5157b
REST API: Add support for CURIEs.
...
CURIEs are Compact URIs, which provide a more usable way to use
custom relations in the API. The `wp` CURIE is registered by default
for `https://api.w.org/` URI relations.
Fixes #34729.
Props joehoyle.
Built from https://develop.svn.wordpress.org/trunk@36533
git-svn-id: http://core.svn.wordpress.org/trunk@36500 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-16 02:19:27 +00:00
Joe Hoyle
ee94a28953
REST API: Improve formatting of failed validation errors.
...
If a validation_callback returns a WP_Error it should give the same response format as if it returned `false`. This makes programmatically reading the validation errors better.
Props bradyvercher for initial patch.
Fixes #35028.
Built from https://develop.svn.wordpress.org/trunk@35890
git-svn-id: http://core.svn.wordpress.org/trunk@35854 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-12 18:23:28 +00:00
Scott Taylor
4ae83ec7ec
REST API: Core typically sends nocache headers on all auth'ed responses, as in `wp`, `admin-ajax`, etc. Because the REST API infrastructure is hooked in pre-wp, we should be setting this ourselves.
...
Adds unit tests.
Props joehoyle.
Fixes #34832.
Built from https://develop.svn.wordpress.org/trunk@35773
git-svn-id: http://core.svn.wordpress.org/trunk@35737 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 23:36:25 +00:00
Mark Jaquith
6cc98e6fcd
Route HEAD API requests through the GET callback method
...
fixes #34837
props danielbachhuber
Built from https://develop.svn.wordpress.org/trunk@35758
git-svn-id: http://core.svn.wordpress.org/trunk@35722 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-03 16:34:25 +00:00
Ryan McCue
d1436af513
REST API: Unabbreviate error string.
...
Props daniel-koskinen.
Fixes #34818.
Built from https://develop.svn.wordpress.org/trunk@35750
git-svn-id: http://core.svn.wordpress.org/trunk@35714 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-30 09:51:27 +00:00
Ryan McCue
7ce9772866
REST API: Mark WP_REST_Server::get_raw_data as static.
...
This is just a utility function for getting the request body, not
tied to the server class.
Fixes #34768.
Built from https://develop.svn.wordpress.org/trunk@35741
git-svn-id: http://core.svn.wordpress.org/trunk@35705 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-25 22:22:25 +00:00
Andrew Nacin
1579e45d41
Simplify the include graph after work to split out classes.
...
see #33413. More details there.
Built from https://develop.svn.wordpress.org/trunk@35718
git-svn-id: http://core.svn.wordpress.org/trunk@35682 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-20 07:24:30 +00:00
John Blackbourn
16502d03f2
Remove `register_api_field()` from core. This is the only core function that utilises the `$wp_rest_additional_fields` global, and doesn't belong as part of the infrastructure.
...
See https://github.com/WP-API/WP-API/pull/1748
Fixes #34730
Built from https://develop.svn.wordpress.org/trunk@35687
git-svn-id: http://core.svn.wordpress.org/trunk@35651 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-18 20:39:26 +00:00
John Blackbourn
407f641cf3
Update `WP_REST_Response::as_error()` to handle the new format error responses introduced in [35653].
...
Props danielbachhuber
Fixes #34551
Built from https://develop.svn.wordpress.org/trunk@35671
git-svn-id: http://core.svn.wordpress.org/trunk@35635 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-18 18:29:26 +00:00
Ryan McCue
0801acbdd8
REST API: Remove redundant "0" parameter.
...
This is just an artifact of how we parse the URL, and is already available
via $request->get_route()
Props danielbachhuber.
Fixes #34647.
Built from https://develop.svn.wordpress.org/trunk@35659
git-svn-id: http://core.svn.wordpress.org/trunk@35623 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-18 07:24:28 +00:00
Ryan McCue
81ffd2492c
REST API: Optimise for singular error instances.
...
Previously, the API returned a list of errors, as WP_Error can hold multiple
error codes internally. This isn't a particularly common use case, and it
makes handling errors on the client side more complex than it needs to be.
Fixes #34551.
Built from https://develop.svn.wordpress.org/trunk@35653
git-svn-id: http://core.svn.wordpress.org/trunk@35617 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-17 04:12:26 +00:00
Ryan McCue
9524ebb38e
REST API: Include enum and description in help data.
...
Props lcherpit.
Fixes #34543.
Built from https://develop.svn.wordpress.org/trunk@35652
git-svn-id: http://core.svn.wordpress.org/trunk@35616 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-17 02:49:28 +00:00
Ryan McCue
b03e036e94
REST API: Require namespace when registering routes.
...
Props danielbachhuber.
Fixes #34416.
Built from https://develop.svn.wordpress.org/trunk@35651
git-svn-id: http://core.svn.wordpress.org/trunk@35615 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-17 02:39:30 +00:00
Ryan McCue
b0ee5efef2
REST API: Change link relations to api.w.org
...
Fixes #34303.
Built from https://develop.svn.wordpress.org/trunk@35650
git-svn-id: http://core.svn.wordpress.org/trunk@35614 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-17 02:24:27 +00:00
Dominik Schilling
5403b62a6a
REST API: Use correct `@access` tag for `WP_REST_Request->get_parameter_order()`.
...
Props Frozzare.
Fixes #34624.
Built from https://develop.svn.wordpress.org/trunk@35612
git-svn-id: http://core.svn.wordpress.org/trunk@35576 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-11 19:39:25 +00:00
Scott Taylor
16637eeee4
REST API: in `WP_REST_Server::dispatch()`, move `preg_match()` out of its current loop, which doesn't affect the context passed to it.
...
Props TobiasBg.
Fixes #34488.
Built from https://develop.svn.wordpress.org/trunk@35514
git-svn-id: http://core.svn.wordpress.org/trunk@35478 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-04 21:23:25 +00:00
Scott Taylor
a36900c076
REST API: remove the `@internal` annotation from `rest_api_default_filters()`.
...
Props swissspidy, rachelbaker.
Fixes #34219.
Built from https://develop.svn.wordpress.org/trunk@35474
git-svn-id: http://core.svn.wordpress.org/trunk@35438 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-31 20:08:25 +00:00
John Blackbourn
37c2054778
Remove trailing whitespace introduced in [35351].
...
Props rachelbaker
Unprops johnbillion
Fixes #34512
Built from https://develop.svn.wordpress.org/trunk@35462
git-svn-id: http://core.svn.wordpress.org/trunk@35426 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-30 21:39:25 +00:00
Sergey Biryukov
5d9dc4b8bf
REST API: Use correct version in `_doing_it_wrong()` call.
...
Props TobiasBg.
Fixes #34490.
Built from https://develop.svn.wordpress.org/trunk@35434
git-svn-id: http://core.svn.wordpress.org/trunk@35398 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-29 20:12:24 +00:00
Sergey Biryukov
e7082e31dd
REST API: Add missing translator comments for deprecated function and argument strings.
...
Props akirk.
Fixes #34486.
Built from https://develop.svn.wordpress.org/trunk@35433
git-svn-id: http://core.svn.wordpress.org/trunk@35397 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-29 19:04:26 +00:00
Scott Taylor
31e0b06125
REST API: don't load `wp-admin/includes/admin.php` on every request.
...
Props swissspidy.
Fixes #34395.
Built from https://develop.svn.wordpress.org/trunk@35353
git-svn-id: http://core.svn.wordpress.org/trunk@35319 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-22 16:29:28 +00:00
John Blackbourn
7757d04ce3
Force the REST API URL to use `https` for its scheme when the current request is served over HTTPS and the host name matches that of the REST API URL.
...
This allows sites to use an admin area over HTTPS with the front end over HTTP, and not end up with a cross-protocol problem when using the REST API URL in the admin area.
Fixes #34299
Built from https://develop.svn.wordpress.org/trunk@35351
git-svn-id: http://core.svn.wordpress.org/trunk@35317 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-22 00:08:26 +00:00
John Blackbourn
e552b77739
Revert [34352], pending investigation.
...
See #34299
Built from https://develop.svn.wordpress.org/trunk@35349
git-svn-id: http://core.svn.wordpress.org/trunk@35315 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-21 23:06:30 +00:00
John Blackbourn
f7f5b64a7e
Force the REST API URL to use `https` for its scheme when the current request is served over HTTPS and the host name matches that of the REST API URL.
...
This allows sites to use an admin area over HTTPS with the front end over HTTP, and not end up with a cross-protocol problem when using the REST API URL in the admin area.
Fixes #34299
Built from https://develop.svn.wordpress.org/trunk@35342
git-svn-id: http://core.svn.wordpress.org/trunk@35308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-21 20:38:50 +00:00
Drew Jaynes
6a51505a23
Docs: Improve the return description in the DocBlock for `rest_send_allow_header()`.
...
Props danielbachhuber.
Fixes #34374.
Built from https://develop.svn.wordpress.org/trunk@35324
git-svn-id: http://core.svn.wordpress.org/trunk@35290 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-21 13:48:27 +00:00