* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator.
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 4.8 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
Built from https://develop.svn.wordpress.org/branches/4.8@49398
git-svn-id: http://core.svn.wordpress.org/branches/4.8@49157 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When themes register default headers, they can use sprintf style placeholder
strings in place of the template directory URI, which WordPress transforms
in several places by running the value of
`get_theme_support( 'custom-header', 'default-image' )` through `sprintf()`.
This fixes a few places where WordPress skipped the `sprintf()` step and
referenced the `get_theme_support()` value directly.
Props bradyvercher for initial patch.
See #38557.
Built from https://develop.svn.wordpress.org/trunk@39123
git-svn-id: http://core.svn.wordpress.org/trunk@39063 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduces some consistency in the usage of the button CSS classes, fixes the
focus style for accessibility and responsiveness of the buttons.
- Adds the `button` class to all primary buttons to make them responsive
- Removes all `secondary-button` classes and replaces them with button when needed. `button-secondary` shouldn't be used and exists just for backward compatibility reasons
- Replaces classes inside `submit_button()` with a shorthand for some buttons, and uses an empty string for the default `button` class. Passing `button` is unnecessary
- Adjusts `get_submit_button()` to remove empty items
Props iseulde, dimchik, chris_d2d, mhowell, afercia.
Fixes #27314, #37138, #37448.
Built from https://develop.svn.wordpress.org/trunk@38672
git-svn-id: http://core.svn.wordpress.org/trunk@38615 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The new format looks like "Sorry, you are not allowed to <action>.". This provides a consistent experience for all error messages related to missing permissions. It also reduces the number of similar strings and allows translators to provide a consistent style in their language.
Props ramiy, Presskopp.
Fixes #34521.
Built from https://develop.svn.wordpress.org/trunk@37914
git-svn-id: http://core.svn.wordpress.org/trunk@37855 1a063a9b-81f0-0310-95a4-ce76da25c4cd
First step towards restoring a good heading structure in wp-admin.
The previous `<h1>` contained the site title and a link to the front page and was removed with the toolbar refactoring in 3.2.
Props joedolson, afercia.
Fixes #31650.
Built from https://develop.svn.wordpress.org/trunk@32974
git-svn-id: http://core.svn.wordpress.org/trunk@32945 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* In [28481], `$admin_header_callback` and `$admin_image_div_callback` were set to `private` based on their erroneous `@param` values
* `$admin_header_callback` and `$admin_image_div_callback` are used as hook callbacks - as such, they must be `public`
* In [28521] and [28524], magic methods were added for back-compat
* Currently, there are 4 properties marked `private`: `$uploaded_headers`, `$default_headers`, `$page`, and `$updated` - `$page` and `$uploaded_headers` are never used and `$updated` was added by me in [30187] during 4.1. `$default_headers` does not necessarily need to be `private`
Set `$admin_header_callback` and `$admin_image_div_callback` to `public`.
Remove the `$page` property - it duplicated the `$page` local var and is referenced/used nowhere.
Remove the `$uploaded_headers` property - it is used nowhere and is dead code.
Set `$default_headers` to `public`.
Remove the magic methods - they were beyond overkill and rendered moot by the above changes.
See #30891.
Built from https://develop.svn.wordpress.org/trunk@31134
git-svn-id: http://core.svn.wordpress.org/trunk@31115 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* In `->init()`, don't check `current_user_can()` since `add_theme_page()` will return `false` immediately if the cap check fails.
* Bail if `add_theme_page()` returns `false`
* `wp_check_filetype_and_ext()` doesn't need a 3rd param, it already defaults to `null`. Passing `false` would fail a strict check.
See #30799.
Built from https://develop.svn.wordpress.org/trunk@31116
git-svn-id: http://core.svn.wordpress.org/trunk@31097 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Replace links in admin menu and toolbar to Custom Background/Header screen with deep-links to the Customizer section.
On the Widgets screen display a link to the Customizer widgets panel.
props topher1kenobe, rzen, celloexpressions, westonruter
fixes #25569, #25571, #28032.
Built from https://develop.svn.wordpress.org/trunk@30459
git-svn-id: http://core.svn.wordpress.org/trunk@30450 1a063a9b-81f0-0310-95a4-ce76da25c4cd