Commit Graph

43 Commits

Author SHA1 Message Date
Sergey Biryukov cc0aa4e659 Grouped backports to the 5.0 branch.
- Media: Prevent CSRF setting attachment thumbnails.
- Embeds: Add protocol validation for WordPress Embed code.
- I18N: Introduce sanitization function for locale.
- Editor: Ensure block comments are of a valid form.

Merges [55760-55764] to the 5.0 branch
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.
Built from https://develop.svn.wordpress.org/branches/5.0@55791


git-svn-id: http://core.svn.wordpress.org/branches/5.0@55303 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-05-16 16:03:44 +00:00
desrosj 28683975c9 Build/Test Tools: Support NodeJS 14.x in the 5.0 branch.
This updates the 5.0 branch to support the latest LTS version of NodeJS (currently 14.x), allowing the same version to be used across all WordPress branches that receive security updates as a courtesy.

In addition to backporting the package updates that happened after branching 5.0, dependencies that were removed in future releases have also been updated to their latest versions.

Props desrosj, dd32, netweb, jorbin.
Merges [44233,44728,45321,45765,45826,46403-46404,46408,46409,47404,47867-47869,47872-47873,48705,49636,49933,49937,49939,49940,49983,49989,50017,50126,50176,50185,50192] to the 5.0 branch.
See #52341.
Built from https://develop.svn.wordpress.org/branches/5.0@50201


git-svn-id: http://core.svn.wordpress.org/branches/5.0@49875 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-05 04:05:04 +00:00
whyisjake 8428d1077f General: WordPress updates
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 5.0 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Built from https://develop.svn.wordpress.org/branches/5.0@49396


git-svn-id: http://core.svn.wordpress.org/branches/5.0@49155 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 18:51:46 +00:00
danielbachhuber 9cd179146c Embeds: Filter HTML response in oEmbed proxy controller.
Adapts the response from `WP_oEmbed_Controller::get_proxy_item()` so that the response is correctly filtered and embeds work properly in JavaSccript editors. Introduces new `get_oembed_response_data_for_url()` function for preparing internal oEmbed responses.

Props danielbachhuber, imath, swissspidy.
Fixes #45142. 

Built from https://develop.svn.wordpress.org/branches/5.0@43810


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43639 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-23 17:48:39 +00:00
Gary Pendergast ce66f73e68 Build: Updated CSS vendor prefixes following [43684].
`autoprefixer` was updated, which included some vendor prefix changes. Those changes are now applied.

Props netweb.
See #45080.


Built from https://develop.svn.wordpress.org/branches/5.0@43784


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43613 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-22 05:04:40 +00:00
Sergey Biryukov 4af0279f2a Embeds: Avoid a JS error in `wp.receiveEmbedMessage` if `data` parameter is not set.
Props dsifford, kadamwhite.
Merges [43593] and [43597] to the 5.0 branch.
Fixes #44832.
Built from https://develop.svn.wordpress.org/branches/5.0@43704


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43533 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-11 04:00:23 +00:00
Aaron Jorbin dda1111bdf Build/Test Tools: Revert grunt-contrib-uglify update
Follow up to [43684].
See #45064.

Built from https://develop.svn.wordpress.org/branches/5.0@43686


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43515 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-10 04:11:25 +00:00
Aaron Jorbin a870c7e8f3 Build/Test: Update dependencies for 5.0
Updates package dependencies to more modern versions, also adds .nvmrc and package-lock.json as followups to [43683] and [43571].

See #44600.
Fixes #45064.


Built from https://develop.svn.wordpress.org/branches/5.0@43684


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43513 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-09 02:52:45 +00:00
Weston Ruter 76f590b99b Customize: Introduce a new experience for discovering, installing, and previewing themes within the customizer.
Unify the theme-browsing and theme-customization experiences by introducing a comprehensive theme browser and installer directly accessible in the customizer. Replaces the customizer theme switcher with a full-screen panel for discovering/browsing and installing themes available on WordPress.org. Themes can now be installed and previewed directly in the customizer without entering the wp-admin context. Also includes an extensible framework for browsing and installing themes from other sources.

Also includes CSS auto-prefixing added via `grunt precommit:css`.

For details, see: https://make.wordpress.org/core/2016/10/03/feature-proposal-a-new-experience-for-discovering-installing-and-previewing-themes-in-the-customizer/

Previously [38813] but reverted in [39140].
Fixes #37661, #34843, #38666.
Props celloexpressions, folletto, westonruter, karmatosed, melchoyce, afercia.

Built from https://develop.svn.wordpress.org/trunk@41648


git-svn-id: http://core.svn.wordpress.org/trunk@41482 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-29 20:13:50 +00:00
Dominik Schilling 9e097490af Embeds: In switched state, restore previous state if no post ID is found.
Fixes #40673.
Built from https://develop.svn.wordpress.org/trunk@41634


git-svn-id: http://core.svn.wordpress.org/trunk@41469 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-28 16:29:45 +00:00
Andrea Fercia c65fe27ba1 Accessibility: Update and standardize the admin `screen-reader-text` CSS class.
Given the new WordPress browsers support policy, the `screen-reader-text` css
class used in the admin can be updated to use modern CSS and correct syntax. See
https://github.com/wpaccessibility/a11ythemepatterns/blob/master/read-more-links/style.css

Worth noting the `clip` property is deprecated and kept for IE11 and Edge.

- uses `clip-path` for modern browsers
- keeps `clip` for old browsers and update its value to a correct syntax
- resets `clip-path` to `none` where the class is used to dynamically reveal elements
- removes an old rule that made `screen-reader-text` completely invisible in the help tabs `#screen-meta`
- standardizes the rule across CSS files

Fixes #40970.

Built from https://develop.svn.wordpress.org/trunk@41622


git-svn-id: http://core.svn.wordpress.org/trunk@41457 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-27 17:27:45 +00:00
Pascal Birchler 81a8f1cffe Embeds: Maintain switched state when embedding a post on Multisite.
Props bor0.
Fixes #40673.

Built from https://develop.svn.wordpress.org/trunk@41606


git-svn-id: http://core.svn.wordpress.org/trunk@41441 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-27 08:36:48 +00:00
Pascal Birchler 742fc18cca Embeds: Improve performance when embedding a post on Multisite.
After [37798], this fixes embeds coming from a different site in the network.

Props imath.
Fixes #40673. See #36767. 

Built from https://develop.svn.wordpress.org/trunk@41600


git-svn-id: http://core.svn.wordpress.org/trunk@41435 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-26 08:40:47 +00:00
Aaron Campbell 1115a36cda oEmbed: Add extra hardening around allowed HTML for improved sandboxing.
Built from https://develop.svn.wordpress.org/trunk@41448


git-svn-id: http://core.svn.wordpress.org/trunk@41281 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 13:43:05 +00:00
Aaron Jorbin 50cb2c5e28 Update autoprefixer browser support matrix
WordPress no longer supports many old old browsers: https://make.wordpress.org/core/2017/04/23/target-browser-coverage/

This also removes alot of no longer necessary CSS. It served us well, but we are never getting back together with IE8,9,10.

So, in the (paraphrased) words of Taylor Swift:

I remember when we dropped support  the first time
Saying, "This is it, I've had enough, " 'cause like
We hadn't seen many users in a month
When you said you needed flexbox. (What?)
Then you postMessage again and say
"IE8, I miss you and I swear I'm gonna change, trust me."
Remember how that lasted for a day?
I say, "I hate the box model, " we break up, you call me, "I love css-grids."
Ooh, we called it off again last night
But ooh, this time I'm telling you, I'm telling you

We are never ever ever supporting IE 8,9,10,
We are never ever ever supporting IE 8,9,10,
You go talk to EDGE, talk to my FIREFOX, talk to CHROME
But we are never ever ever ever getting back together
Like, ever...

Fixes #37651.
Props stunnedbeast, netweb, jorbin.



Built from https://develop.svn.wordpress.org/trunk@41062


git-svn-id: http://core.svn.wordpress.org/trunk@40912 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-07-16 01:15:46 +00:00
Drew Jaynes 30719312fb Docs: Add a clarification to the description about what the `$output` parameter in the `embed_html` filter doc represents.
Props musus.
Fixes #37752.

Built from https://develop.svn.wordpress.org/trunk@40945


git-svn-id: http://core.svn.wordpress.org/trunk@40795 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-06-25 21:46:39 +00:00
Dominik Schilling 419c8d97ce Embeds: URL encode YouTube video IDs for broader compatibility.
Built from https://develop.svn.wordpress.org/trunk@40160


git-svn-id: http://core.svn.wordpress.org/trunk@40099 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 11:42:40 +00:00
Pascal Birchler 98e8bf7ba2 Embeds: Correctly remove security attribute from iframes in IE 10 and IE 11.
This was originally added in 4.4, but presumably broke with [35708], which prevented these browsers from actually reaching the relevant code section.
Let's make embeds work again in IE 10 and IE 11.

Fixes #38694.
Built from https://develop.svn.wordpress.org/trunk@39347


git-svn-id: http://core.svn.wordpress.org/trunk@39287 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-11-23 13:38:33 +00:00
Aaron Jorbin 32be6f7bb7 Bump grunt-contrib-uglify from 1.0.1 to 2.0.0
Sets `screwIE8` to false as it is now enabled by default

Files Changed:
build/wp-admin/js/customize-nav-menus.min.js
build/wp-admin/js/customize-widgets.min.js
build/wp-includes/js/customize-loader.min.js

Changelog:
2016-07-19   v2.0.0   Update uglify-js to v2.7.0. screwIE8 is enabled by default.
2016-07-19   v1.0.2   Update grunt to ^1.0.0. Fix beautify when passed as an object. Fix docs about report values.

See #38199.


Built from https://develop.svn.wordpress.org/trunk@39117


git-svn-id: http://core.svn.wordpress.org/trunk@39059 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-11-03 05:40:34 +00:00
Scott Taylor ff59281441 OEmbed: move `_wp_oembed_get_object()` to `embed.php`, where all of the other embed functions live. `WP_oEmbed` is then in a file by itself. Load `class-oembed.php` in `wp-settings.php` and remove extraneous include calls.
See #37827.

Built from https://develop.svn.wordpress.org/trunk@38361


git-svn-id: http://core.svn.wordpress.org/trunk@38302 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-26 09:49:28 +00:00
Sergey Biryukov c86199ddb2 Embeds: In `get_oembed_endpoint_url()`, avoid inadvertent stomping of the `$format` parameter passed to `oembed_endpoint_url` filter.
Props danhgilmore.
Fixes #37751.
Built from https://develop.svn.wordpress.org/trunk@38321


git-svn-id: http://core.svn.wordpress.org/trunk@38262 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-23 00:05:30 +00:00
Dominik Schilling 51579c49a8 Embeds: After [37745], check if a featured image exists before attaching an event listener.
Props swissspidy.
Fixes #35657.
Built from https://develop.svn.wordpress.org/trunk@37977


git-svn-id: http://core.svn.wordpress.org/trunk@37918 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-05 16:16:57 +00:00
Pascal Birchler e176835791 Embeds: Improve height calculation for slow loading images.
When the featured image takes longer to load, the browser might not know its exact dimensions yet and therefore sends an incorrect document height to the embedding site.

By sending the document's height again after the featured image has been loaded, we ensure that the iframe doesn't get cut off.

Fixes #35657.
Built from https://develop.svn.wordpress.org/trunk@37745


git-svn-id: http://core.svn.wordpress.org/trunk@37710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-18 10:00:29 +00:00
Pascal Birchler ae56f468e3 Embeds: Remove support for Google Video.
While the service has been retired for years, it now has completely stopped working. Thus there is no reason to keep it.

Props Viper007Bond.
Fixes #36304.
Built from https://develop.svn.wordpress.org/trunk@37744


git-svn-id: http://core.svn.wordpress.org/trunk@37709 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-18 09:47:29 +00:00
Helen Hou-Sandí 8776694a33 Use numeric font weights instead of keywords.
When Open Sans was in use, the `300`, `400`, and `600` weights were loaded. `400` is the equivalent of `normal`; however, `bold` is equivalent to `700`, not `600`. With the move to system fonts, we need to be specific rather than relying on the lack of a `700` weight. Not all system fonts include a `600` weight; in those instances, they will use the `bold`/`700` weight.

The WordPress CSS Coding Standards have been updated accordingly.

props coderste.
see #36753.

Built from https://develop.svn.wordpress.org/trunk@37740


git-svn-id: http://core.svn.wordpress.org/trunk@37705 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-17 18:37:28 +00:00
Pascal Birchler bf3fdc35b3 Embeds: Enforce a valid post ID when embedding a post from the current site.
Otherwise `wp_filter_pre_oembed_result()` could erroneously return the HTML of the current post instead of the intended result.

Props kraftbj.
See #36767.
Built from https://develop.svn.wordpress.org/trunk@37729


git-svn-id: http://core.svn.wordpress.org/trunk@37695 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-16 17:18:28 +00:00
Pascal Birchler 629b43769b Embeds: Improve performance when embedding a post from the current site.
When the post being embedded is from the same site, there's no reason to do an HTTP request for it. The data can be fetched directly using `get_oembed_response_data()`.

Fixes #36767 for trunk.
Built from https://develop.svn.wordpress.org/trunk@37708


git-svn-id: http://core.svn.wordpress.org/trunk@37674 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-15 11:23:28 +00:00
Gary Pendergast 733ccfe08a Embeds: Ensure embed widths are integers.
This prevents a warning in PHP trunk when a non-integer width is passed.

See #36435.


Built from https://develop.svn.wordpress.org/trunk@37549


git-svn-id: http://core.svn.wordpress.org/trunk@37517 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-24 06:15:28 +00:00
Drew Jaynes d28f1a08ef Docs: Apply inline `@see` tags to hooks referenced in DocBlocks in a variety of wp-includes/* files.
Applying these specially-crafted `@see` tags allows the Code Reference parser to recognize and link these elements as actions and filters.

See #36921.

Built from https://develop.svn.wordpress.org/trunk@37543


git-svn-id: http://core.svn.wordpress.org/trunk@37511 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-23 19:01:27 +00:00
Drew Jaynes abbd18dbb7 Docs: Standardize filter docs in wp-includes/embed.php to use third-person singular verbs per the inline documentation standards for PHP.
See #36913.

Built from https://develop.svn.wordpress.org/trunk@37513


git-svn-id: http://core.svn.wordpress.org/trunk@37481 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 18:42:27 +00:00
Helen Hou-Sandí 848501711a System font: The stack does not work with the `font` shorthand property.
see #36753.

Built from https://develop.svn.wordpress.org/trunk@37442


git-svn-id: http://core.svn.wordpress.org/trunk@37410 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-17 01:45:27 +00:00
Helen Hou-Sandí a800cf654b Drop Open Sans in the admin in favor of system fonts.
Rejoice, for your admins will feel more native to your surrounding computing environment and likely load faster, especially when offline, as they no longer have to talk to The Google Overlord.

At the time of introduction in 3.8, there were not good system fonts common to all platforms at the time. In the years since, Windows, Android, OS X, iOS, Firefox OS, and various flavors of Linux have all gotten their own (good) system UI fonts.

There will definitely be visual bugs, mainly around alignment and spacing; these should be documented and reported on the ticket and fixed more atomically so that our current and future selves have a better understanding of what happened and why.

The style remains registered, as it is almost certainly in use by themes and plugins.

props mattmiklic.
see #36753.

Built from https://develop.svn.wordpress.org/trunk@37361


git-svn-id: http://core.svn.wordpress.org/trunk@37327 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-04 22:07:37 +00:00
Aaron Jorbin 1972aa2a2a Add grunt prerelease task
An unintended consequence of improving the precommit task is that when it's time to run a release, more tasks need to get run to verify things. This adds a prerelease task to help fix that situation. grunt prerelease should include tasks that verify the code base is ready to be released to the wild and find all the tears on the mausoleum floor and help Blood stain the Colosseum doors.

See #35557

Built from https://develop.svn.wordpress.org/trunk@36930


git-svn-id: http://core.svn.wordpress.org/trunk@36898 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-10 05:37:27 +00:00
Pascal Birchler 5d6513f0bc Embeds: Adjust the iframe title attribute for improved accessibility.
Changes the title attribute from `Embedded WordPress Post` to `"Post name" — site title`.

Props ramiy.
Fixes #35804.
Built from https://develop.svn.wordpress.org/trunk@36873


git-svn-id: http://core.svn.wordpress.org/trunk@36840 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-07 10:00:29 +00:00
Pascal Birchler 0425e01d21 Embeds: Use a more accessible way to initially hide the iframe.
This fixes a bug in Firefox where assets inside the iframe aren't being displayed because they have no computed style.

See #35894.
Built from https://develop.svn.wordpress.org/trunk@36708


git-svn-id: http://core.svn.wordpress.org/trunk@36675 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-25 10:23:27 +00:00
Drew Jaynes 0fc00feec3 Embeds: Introduce embed templates into the template hierarchy via theme-compat.
Splits wp-includes/embed-template.php, introduced in 4.4, into five new templates that can be individually overridden by themes:

* embed.php
* embed-404.php
* embed-content.php
* header-embed.php
* footer-embed.php

Also introduces a new template tag for outputting the site title, `the_embed_site_title()`.

The five new templates live in theme-compat, allowing for graceful fallbacks should themes prefer not to override any or all of them.

Props swissspidy, imath, ocean90, DrewAPicture.
See #34561.

Built from https://develop.svn.wordpress.org/trunk@36693


git-svn-id: http://core.svn.wordpress.org/trunk@36660 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-24 20:57:26 +00:00
Pascal Birchler 383c422527 Embeds: Only display an iframe when it was successfully loaded.
This prevents showing a blank iframe by first checking if a message was successfully received from it.

Fixes #35894.
Built from https://develop.svn.wordpress.org/trunk@36648


git-svn-id: http://core.svn.wordpress.org/trunk@36615 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-23 20:23:25 +00:00
Pascal Birchler 0c242d0666 Embeds: Make the click event handler work for dynamically added links.
Props JamesDiGioia.
Fixes #35630.
Built from https://develop.svn.wordpress.org/trunk@36637


git-svn-id: http://core.svn.wordpress.org/trunk@36604 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-23 17:16:26 +00:00
Pascal Birchler b0b13aff2f Embeds: Allow embedding static front pages and pages having a child page with an `embed` slug.
This makes `embed` a special slug that can't be used for new pages/posts. When `https://example.com/foo/embed/` is an existing page, embeds fall back to `https://example.com/foo/?embed=true`.
Adds unit tests.

Fixes #34971.
Built from https://develop.svn.wordpress.org/trunk@36307


git-svn-id: http://core.svn.wordpress.org/trunk@36274 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-15 07:56:26 +00:00
Gary Pendergast 324cbf5d7e Embeds: Don't show embed discovery link on a static front page.
There's currently no iframe content being generated for a static front page. Giving out a link to that isn't an ideal user experience.

Props peterwilsoncc.

Fixes #35194 for trunk.


Built from https://develop.svn.wordpress.org/trunk@36059


git-svn-id: http://core.svn.wordpress.org/trunk@36024 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-22 10:50:31 +00:00
Scott Taylor 8cf8e2c66d WP oEmbed: validate the `secret` send via `postMessage` in `wp.receiveEmbedMessage`. Also, compare `window` instances.
In the data sent to us from the embedded iframe by postMessage(), the secret value is being used directly in a document.querySelectorAll() call without first being validated or escaped.

In theory, this could lead to some broken embeds.

Props mdawaffe.
Fixes #34831.

Built from https://develop.svn.wordpress.org/trunk@35761


git-svn-id: http://core.svn.wordpress.org/trunk@35725 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-03 20:17:25 +00:00
Dominik Schilling 22fe87c3b3 Build: Update source for `includes:embed` after [35718].
See #33413.
Built from https://develop.svn.wordpress.org/trunk@35720


git-svn-id: http://core.svn.wordpress.org/trunk@35684 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-20 15:37:26 +00:00
Andrew Nacin 1579e45d41 Simplify the include graph after work to split out classes.
see #33413. More details there.

Built from https://develop.svn.wordpress.org/trunk@35718


git-svn-id: http://core.svn.wordpress.org/trunk@35682 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-20 07:24:30 +00:00