Commit Graph

22155 Commits

Author SHA1 Message Date
desrosj 0211c38565 Build/Test Tools: Support NodeJS 14.x in the 4.6 branch.
This updates the 4.6 branch to support the latest LTS version of NodeJS (currently 14.x), allowing the same version to be used across all WordPress branches that receive security updates as a courtesy.

This also replaces the `npm-shrinkwrap.json` with a `package-lock.json` file. Lock files were not supported in earlier versions of NPM, but can now be used.

In addition to backporting the package updates that happened after branching 4.6, dependencies that were removed in future releases have also been updated to their latest versions.

Props desrosj, dd32, netweb, jorbin.
Merges [42460-42461,42463,42887,43320,43323,43977,44219,44233,44728,45321,45765,46404,46408-46409,47404,47867-47869,47872-47873,48705,49636,49933,49937,49939,50017,50126,50176,50185] to the 4.6 branch.
See #52341.

Built from https://develop.svn.wordpress.org/branches/4.6@50206


git-svn-id: http://core.svn.wordpress.org/branches/4.6@49879 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-05 04:17:44 +00:00
desrosj 1bacd1446a WordPress 4.6.20.
Built from https://develop.svn.wordpress.org/branches/4.6@49418


git-svn-id: http://core.svn.wordpress.org/branches/4.6@49177 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 19:40:16 +00:00
whyisjake abc5355d75 General: WordPress updates
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 4.6 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Built from https://develop.svn.wordpress.org/branches/4.6@49400


git-svn-id: http://core.svn.wordpress.org/branches/4.6@49159 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 19:00:24 +00:00
desrosj d7a3ab3937 WordPress 4.6.19.
Built from https://develop.svn.wordpress.org/branches/4.6@47997


git-svn-id: http://core.svn.wordpress.org/branches/4.6@47765 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 21:38:12 +00:00
whyisjake fea2ba3cd6 General: Backport several commits for release.
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.
Merges [47947-47951] to the 4.6 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.

Built from https://develop.svn.wordpress.org/branches/4.6@47974


git-svn-id: http://core.svn.wordpress.org/branches/4.6@47744 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 18:55:16 +00:00
desrosj 1c099d1604 WordPress 4.6.18
Built from https://develop.svn.wordpress.org/branches/4.6@47674


git-svn-id: http://core.svn.wordpress.org/branches/4.6@47451 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 18:02:05 +00:00
whyisjake e0fa795d49 Cache API: Ensure proper escaping around the stats method in the cache API.
Brings the changes in [47637] to the 4.6 branch.

Props: nickdaugherty, batmoo, whyisjake, westi.

Built from https://develop.svn.wordpress.org/branches/4.6@47655


git-svn-id: http://core.svn.wordpress.org/branches/4.6@47432 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 16:45:22 +00:00
whyisjake 6ebc722218 User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.

Brings the changes in [47634], [47635], [47637], and [47638] to the 4.6 branch.

Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, whyisjake, whyisjake, xknown.


Built from https://develop.svn.wordpress.org/branches/4.6@47651


git-svn-id: http://core.svn.wordpress.org/branches/4.6@47426 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 16:25:25 +00:00
Sergey Biryukov 5ca57c3ba6 WordPress 4.6.17
Built from https://develop.svn.wordpress.org/branches/4.6@46927


git-svn-id: http://core.svn.wordpress.org/branches/4.6@46727 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 20:29:22 +00:00
Sergey Biryukov 138f753da7 Update `wp_kses_bad_protocol()` to recognize `:` on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 4.6 branch.

Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.6@46914


git-svn-id: http://core.svn.wordpress.org/branches/4.6@46714 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:46:23 +00:00
desrosj 251c570d28 WordPress 4.6.16.
Built from https://develop.svn.wordpress.org/branches/4.6@46514


git-svn-id: http://core.svn.wordpress.org/branches/4.6@46311 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 20:10:39 +00:00
whyisjake 51d665a4a5 Backporting several bug fixes.
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@46496


git-svn-id: http://core.svn.wordpress.org/branches/4.6@46293 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 19:02:25 +00:00
desrosj c17ad2c252 WordPress 4.6.15.
Built from https://develop.svn.wordpress.org/branches/4.6@46040


git-svn-id: http://core.svn.wordpress.org/branches/4.6@45852 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 22:04:44 +00:00
Andrew Ozz 94e8b0b76b jQuery: Backport the patch from jQuery 3.4.0.
Merges [45342] to the 4.6 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.
Built from https://develop.svn.wordpress.org/branches/4.6@46026


git-svn-id: http://core.svn.wordpress.org/branches/4.6@45836 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 21:48:30 +00:00
desrosj c33acf1903 Fix for URL sanitization in `wp_kses_bad_protocol_once()`.
Merges [45997] to the 4.6 branch.

Props irsdl, sstoqnov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/4.6@46008


git-svn-id: http://core.svn.wordpress.org/branches/4.6@45819 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 21:40:13 +00:00
Sergey Biryukov ef17e2b3b8 Improve handling the existing `rel` attribute in `wp_rel_nofollow_callback()`.
Merges [45990] to the 4.6 branch.
Props xknown, sstoqnov.
Built from https://develop.svn.wordpress.org/branches/4.6@45998


git-svn-id: http://core.svn.wordpress.org/branches/4.6@45809 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:53:19 +00:00
Sergey Biryukov f08a1c1302 Improve URL validation in `wp_validate_redirect()`.
Merges [45971] to the 4.6 branch.
Props vortfu, whyisjake, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.6@45978


git-svn-id: http://core.svn.wordpress.org/branches/4.6@45789 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:12:24 +00:00
whyisjake ed63f9e30d Remove _convert_urlencoded_to_entities() from the get_the_content() callback.
Merges [45937] to the 4.6 branch.

Props vortfu, whyisjake, peterwilsoncc

Built from https://develop.svn.wordpress.org/branches/4.6@45956


git-svn-id: http://core.svn.wordpress.org/branches/4.6@45767 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 16:40:03 +00:00
Gary Pendergast 5db18ede70 WordPress 4.6.14
Built from https://develop.svn.wordpress.org/branches/4.6@44874


git-svn-id: http://core.svn.wordpress.org/branches/4.6@44705 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-13 01:18:21 +00:00
Sergey Biryukov 1ff333ca3b Comments: Improve comment content filtering.
Merges [44842] to the 4.6 branch.
Built from https://develop.svn.wordpress.org/branches/4.6@44848


git-svn-id: http://core.svn.wordpress.org/branches/4.6@44680 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:37:22 +00:00
Sergey Biryukov f2daa0b4e6 Formatting: Improve `rel="nofollow"` handling in comments.
Merges [44833] to the 4.6 branch.
Built from https://develop.svn.wordpress.org/branches/4.6@44839


git-svn-id: http://core.svn.wordpress.org/branches/4.6@44671 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:23:22 +00:00
Jeremy Felt c046ee1abd Bump 4.6 branch to version 4.6.13.
Built from https://develop.svn.wordpress.org/branches/4.6@44081


git-svn-id: http://core.svn.wordpress.org/branches/4.6@43911 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 02:14:04 +00:00
Peter Wilson 41a7a8e581 Multisite: Validate activation links.
Merges [44048] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@44057


git-svn-id: http://core.svn.wordpress.org/branches/4.6@43887 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:42:20 +00:00
iandunn c54c0ddbf4 KSES: Make the URI attributes DRY.
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.

Merges [44014] and [44017] to the `4.6` branch.

Built from https://develop.svn.wordpress.org/branches/4.6@44031


git-svn-id: http://core.svn.wordpress.org/branches/4.6@43861 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:52:22 +00:00
Peter Wilson 8c5cdf2b39 Multisite: Improve messaging for previously activated users.
Ensure activation of a site is not attempted multiple times and users are shown the correct message if they follow the link a second time.

Merges [44021] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@44028


git-svn-id: http://core.svn.wordpress.org/branches/4.6@43858 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:45:21 +00:00
Gary Pendergast 6e7503eedc KSES: Conditionally remove the `<form>` element from `$allowedposttags`.
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.

Merges [43994] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@44001


git-svn-id: http://core.svn.wordpress.org/branches/4.6@43833 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:27:21 +00:00
Jeremy Felt bcbb4f7808 Media: Improve verification of MIME file types.
Merges [43988] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@43992


git-svn-id: http://core.svn.wordpress.org/branches/4.6@43824 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:08:22 +00:00
Aaron Campbell 4f99911c22 Bump 4.6 branch to version 4.6.12
Built from https://develop.svn.wordpress.org/branches/4.6@43410


git-svn-id: http://core.svn.wordpress.org/branches/4.6@43238 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 16:12:07 +00:00
John Blackbourn c656a7d373 Media: Limit thumbnail file deletions to the same directory as the original file.
Merges [43393] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@43396


git-svn-id: http://core.svn.wordpress.org/branches/4.6@43224 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 14:53:26 +00:00
Aaron Campbell 5798a9e9ae Bump 4.6 branch to version 4.6.11
Built from https://develop.svn.wordpress.org/branches/4.6@42936


git-svn-id: http://core.svn.wordpress.org/branches/4.6@42766 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 20:28:04 +00:00
Dominik Schilling 1a13b0102b Template: Make sure the version string is correctly escaped for use in attributes.
Merge of [42893] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@42920


git-svn-id: http://core.svn.wordpress.org/branches/4.6@42750 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 16:07:40 +00:00
Dominik Schilling c1af867a7c Meta: Simplify the delete all meta query in `delete_metadata()`.
Merge of [42913] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@42915


git-svn-id: http://core.svn.wordpress.org/branches/4.6@42745 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 15:42:32 +00:00
Dominik Schilling 5a4e8a9b94 HTTP: Don't treat `localhost` as same host by default.
Merge of [42894] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@42911


git-svn-id: http://core.svn.wordpress.org/branches/4.6@42741 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 15:37:22 +00:00
Dion Hulse daf7cc8b30 Bump the 4.6 branch to 4.6.10.
Built from https://develop.svn.wordpress.org/branches/4.6@42497


git-svn-id: http://core.svn.wordpress.org/branches/4.6@42326 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 21:41:36 +00:00
Dion Hulse ce6ffb6d25 External Libraries: Remove unnecessary / obsoleted MediaElement.js files.
Merges [42478] to the 4.6 branch.
Fixes #42720 for 4.6.

Built from https://develop.svn.wordpress.org/branches/4.6@42480


git-svn-id: http://core.svn.wordpress.org/branches/4.6@42309 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 08:06:35 +00:00
John Blackbourn 8b0e75a650 Bump 4.6 branch to version 4.6.9.
Built from https://develop.svn.wordpress.org/branches/4.6@42319


git-svn-id: http://core.svn.wordpress.org/branches/4.6@42148 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 18:59:35 +00:00
John Blackbourn 969ac61dc4 Hardening: Remove the ability to upload JavaScript files for users who do not have the `unfiltered_html` capability.
Merges [42261] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@42279


git-svn-id: http://core.svn.wordpress.org/branches/4.6@42108 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:24:34 +00:00
John Blackbourn ed0c328547 Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
Merges [42260] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@42278


git-svn-id: http://core.svn.wordpress.org/branches/4.6@42107 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:23:06 +00:00
John Blackbourn 22068f006c Hardening: Add escaping to the language attributes used on `html` elements.
Merges [42259] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@42277


git-svn-id: http://core.svn.wordpress.org/branches/4.6@42106 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:22:33 +00:00
Dion Hulse 551d27db59 WPDB: Check that `AUTH_SALT` is not empty, Fix a PHP notice when `AUTH_SALT` is undefined.
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.6 branch.
Fixes #42431 and #42401 for 4.6.

Built from https://develop.svn.wordpress.org/branches/4.6@42232


git-svn-id: http://core.svn.wordpress.org/branches/4.6@42061 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:09:36 +00:00
Gary Pendergast 9c29274681 Bump 4.6 branch to version 4.6.8.
Built from https://develop.svn.wordpress.org/branches/4.6@42071


git-svn-id: http://core.svn.wordpress.org/branches/4.6@41900 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:15:33 +00:00
Gary Pendergast e8617fb3a5 Database: Restore numbered placeholders in `wpdb::prepare()`.
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

Merges [41662], [42056] to the 4.6 branch.
See #41925.


Built from https://develop.svn.wordpress.org/branches/4.6@42059


git-svn-id: http://core.svn.wordpress.org/branches/4.6@41888 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:41:33 +00:00
Dominik Schilling 8d5d807270 Bump 4.6 branch to version 4.6.7.
Built from https://develop.svn.wordpress.org/branches/4.6@41512


git-svn-id: http://core.svn.wordpress.org/branches/4.6@41345 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 19:59:33 +00:00
Aaron Campbell 2fabb6d0e2 Database: Hardening to bring `wpdb::prepare()` inline with documentation.
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.

Merges [41496] to 4.6 branch.


Built from https://develop.svn.wordpress.org/branches/4.6@41499


git-svn-id: http://core.svn.wordpress.org/branches/4.6@41332 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 18:13:34 +00:00
Aaron Campbell ce78b2a4fb Database: Don’t trigger `_doing_it_wrong()` for null values in `wpdb::prepare()`.
While `wpdb::prepare()` does not support null values (see #12819) they still appear in the wild like in the WordPress Importer and other plugins.

Merges [41483] to 4.6 branch.


Built from https://develop.svn.wordpress.org/branches/4.6@41486


git-svn-id: http://core.svn.wordpress.org/branches/4.6@41319 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 16:21:34 +00:00
Aaron Campbell 22f3d4e600 Database: Hardening for `wpdb::prepare()`
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 4.6 branch.


Built from https://develop.svn.wordpress.org/branches/4.6@41473


git-svn-id: http://core.svn.wordpress.org/branches/4.6@41306 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 15:00:35 +00:00
Aaron Campbell 77b60a60a0 oEmbed: Add extra hardening around allowed HTML for improved sandboxing.
Merges [41448] to 4.6 branch.



Built from https://develop.svn.wordpress.org/branches/4.6@41453


git-svn-id: http://core.svn.wordpress.org/branches/4.6@41286 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 13:49:46 +00:00
Dominik Schilling 441a970ecd TinyMCE: Improve the previews for shortcodes.
Merge of [41395] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@41437


git-svn-id: http://core.svn.wordpress.org/branches/4.6@41270 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 12:42:38 +00:00
Dominik Schilling e684cc66cd Customize: Ensure valid themes in the preview.
Merge of [41397] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@41431


git-svn-id: http://core.svn.wordpress.org/branches/4.6@41264 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 11:51:38 +00:00
Dominik Schilling 7e0de7a0e3 Editor: Prevent adding `javascript:` and `data:` URLs through the inline link dialog.
Merge of [41393] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@41402


git-svn-id: http://core.svn.wordpress.org/branches/4.6@41235 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 10:16:42 +00:00