Commit Graph

36771 Commits

Author SHA1 Message Date
desrosj 03c2d89d0a WordPress 4.8.15.
Built from https://develop.svn.wordpress.org/branches/4.8@49416


git-svn-id: http://core.svn.wordpress.org/branches/4.8@49175 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 19:39:27 +00:00
whyisjake 2544e89df4 General: WordPress updates
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 4.8 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Built from https://develop.svn.wordpress.org/branches/4.8@49398


git-svn-id: http://core.svn.wordpress.org/branches/4.8@49157 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 18:55:23 +00:00
Sergey Biryukov f175cf83a7 Administration: Pass the result of `set-screen-option` filter to the new `set_screen_option_{$option}` filter to ensure backward compatibility.
Rename the `$keep` parameter of both filters to `$screen_option` for clarity, update the documentation to better reflect its purpose.

Follow-up to [47951].

Props Chouby, sswells, SergeyBiryukov.
Merges [48241] to the 4.8 branch.
Fixes #50392.
Built from https://develop.svn.wordpress.org/branches/4.8@48250


git-svn-id: http://core.svn.wordpress.org/branches/4.8@48019 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-01 09:50:46 +00:00
desrosj 499c907011 WordPress 4.8.14.
Built from https://develop.svn.wordpress.org/branches/4.8@47995


git-svn-id: http://core.svn.wordpress.org/branches/4.8@47763 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 21:37:26 +00:00
whyisjake 27f0839d04 General: Backport several commits for release.
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.

Merges [47947-47951] to the 4.8 branch.

Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.

Built from https://develop.svn.wordpress.org/branches/4.8@47980


git-svn-id: http://core.svn.wordpress.org/branches/4.8@47749 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 18:56:52 +00:00
Sergey Biryukov f501f7d79b Update the About page for WordPress 4.8.13
Built from https://develop.svn.wordpress.org/branches/4.8@47698


git-svn-id: http://core.svn.wordpress.org/branches/4.8@47475 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 18:35:07 +00:00
desrosj 049d99e977 WordPress 4.8.13
Built from https://develop.svn.wordpress.org/branches/4.8@47672


git-svn-id: http://core.svn.wordpress.org/branches/4.8@47449 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 18:01:18 +00:00
whyisjake 166492f860 Customize: Add additional filters to Customizer to prevent JSON corruption.
User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.

Brings the changes in [47633], [47634], [47635], [47637], and [47638] to the 4.8 branch.

Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, westonruter, whyisjake, whyisjake, xknown.

Built from https://develop.svn.wordpress.org/branches/4.8@47649


git-svn-id: http://core.svn.wordpress.org/branches/4.8@47424 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 16:19:21 +00:00
Sergey Biryukov 9548cae7ec WordPress 4.8.12
Built from https://develop.svn.wordpress.org/branches/4.8@46925


git-svn-id: http://core.svn.wordpress.org/branches/4.8@46725 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 20:28:21 +00:00
Sergey Biryukov b12e78ee0b Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.

Brings r46893 to the 4.8 branch.

Update `wp_kses_bad_protocol()` to recognize `:` on uri attributes,

`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 4.8 branch.

Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.8@46917


git-svn-id: http://core.svn.wordpress.org/branches/4.8@46717 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:54:21 +00:00
desrosj c359dde932 WordPress 4.8.11.
Built from https://develop.svn.wordpress.org/branches/4.8@46512


git-svn-id: http://core.svn.wordpress.org/branches/4.8@46309 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 20:09:50 +00:00
whyisjake 20821b59c0 Backporting several bug fixes.
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@46494


git-svn-id: http://core.svn.wordpress.org/branches/4.8@46291 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 18:45:23 +00:00
desrosj 0f9e4ca0a2 WordPress 4.8.10.
Built from https://develop.svn.wordpress.org/branches/4.8@46042


git-svn-id: http://core.svn.wordpress.org/branches/4.8@45854 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 22:05:29 +00:00
Andrew Ozz 8c59b4a3c2 jQuery: Backport the patch from jQuery 3.4.0.
Merges [45342] to the 4.8 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.
Built from https://develop.svn.wordpress.org/branches/4.8@46021


git-svn-id: http://core.svn.wordpress.org/branches/4.8@45832 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 21:45:54 +00:00
desrosj fdc41b55e7 Fix for URL sanitization in `wp_kses_bad_protocol_once()`.
Merges [45997] to the 4.8 branch.

Props irsdl, sstoqnov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/4.8@46006


git-svn-id: http://core.svn.wordpress.org/branches/4.8@45817 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 21:39:27 +00:00
Sergey Biryukov f76869ca2f Improve handling the existing `rel` attribute in `wp_rel_nofollow_callback()`.
Merges [45990] to the 4.8 branch.
Props xknown, sstoqnov.
Built from https://develop.svn.wordpress.org/branches/4.8@45995


git-svn-id: http://core.svn.wordpress.org/branches/4.8@45806 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:48:46 +00:00
Sergey Biryukov 7b4f9a5118 Improve URL validation in `wp_validate_redirect()`.
Merges [45971] to the 4.8 branch.
Props vortfu, whyisjake, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.8@45976


git-svn-id: http://core.svn.wordpress.org/branches/4.8@45787 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:11:21 +00:00
whyisjake 1242539c0e Remove _convert_urlencoded_to_entities() from the get_the_content() callback.
Merges [45937] to the 4.8 branch.

Props vortfu, whyisjake, peterwilsoncc

Built from https://develop.svn.wordpress.org/branches/4.8@45949


git-svn-id: http://core.svn.wordpress.org/branches/4.8@45760 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 16:36:45 +00:00
Sergey Biryukov 33f4539c6e Escape the output in `wp_ajax_upload_attachment()`.
Merges [45936] to the 4.8 branch.
Props whyisjake, sstoqnov.
Built from https://develop.svn.wordpress.org/branches/4.8@45944


git-svn-id: http://core.svn.wordpress.org/branches/4.8@45755 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 16:31:23 +00:00
Gary Pendergast b3a9479bd3 WordPress 4.8.9
Built from https://develop.svn.wordpress.org/branches/4.8@44870


git-svn-id: http://core.svn.wordpress.org/branches/4.8@44701 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-13 01:05:20 +00:00
Sergey Biryukov a32075cd83 Comments: Improve comment content filtering.
Merges [44842] to the 4.8 branch.
Built from https://develop.svn.wordpress.org/branches/4.8@44846


git-svn-id: http://core.svn.wordpress.org/branches/4.8@44678 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:35:20 +00:00
Sergey Biryukov 010a30cf09 Formatting: Improve `rel="nofollow"` handling in comments.
Merges [44833] to the 4.8 branch.
Built from https://develop.svn.wordpress.org/branches/4.8@44837


git-svn-id: http://core.svn.wordpress.org/branches/4.8@44669 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:21:23 +00:00
Jeremy Felt d86c7ad402 Bump 4.8 branch to version 4.8.8.
Built from https://develop.svn.wordpress.org/branches/4.8@44079


git-svn-id: http://core.svn.wordpress.org/branches/4.8@43909 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 02:13:20 +00:00
Gary Pendergast 7bd776bdb3 Editor: Remove unwanted fields before saving posts.
The `meta_input`, `file`, and `guid` fields are not intended to be updated through user input.

Merges [44047] to the 4.8 branch.


Built from https://develop.svn.wordpress.org/branches/4.8@44055


git-svn-id: http://core.svn.wordpress.org/branches/4.8@43885 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:40:21 +00:00
Peter Wilson dfc71aee34 Multisite: Validate activation links.
Merges [44048] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@44052


git-svn-id: http://core.svn.wordpress.org/branches/4.8@43882 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:35:21 +00:00
Peter Wilson a5be721238 Multisite: Improve messaging for previously activated users.
Ensure activation of a site is not attempted multiple times and users are shown the correct message if they follow the link a second time.

Merges [44021] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@44025


git-svn-id: http://core.svn.wordpress.org/branches/4.8@43855 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:37:22 +00:00
iandunn 1bb4687f0b KSES: Make the URI attributes DRY.
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.

Merges [44014] and [44017] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@44023


git-svn-id: http://core.svn.wordpress.org/branches/4.8@43853 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:33:20 +00:00
Gary Pendergast e00499f8df KSES: Conditionally remove the `<form>` element from `$allowedposttags`.
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.

Merges [43994] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@43999


git-svn-id: http://core.svn.wordpress.org/branches/4.8@43831 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:20:23 +00:00
Jeremy Felt b20bad3d40 Media: Improve verification of MIME file types.
Merges [43988] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@43990


git-svn-id: http://core.svn.wordpress.org/branches/4.8@43822 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:04:22 +00:00
Aaron Campbell ad514185cd Bump 4.8 branch to version 4.8.7
Built from https://develop.svn.wordpress.org/branches/4.8@43408


git-svn-id: http://core.svn.wordpress.org/branches/4.8@43236 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 16:11:22 +00:00
John Blackbourn dc4313f798 Media: Limit thumbnail file deletions to the same directory as the original file.
Merges [43393] into the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@43394


git-svn-id: http://core.svn.wordpress.org/branches/4.8@43222 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 14:48:23 +00:00
Aaron Campbell b9381e6229 Bump 4.8 branch to version 4.8.6
Built from https://develop.svn.wordpress.org/branches/4.8@42934


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42764 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 20:23:31 +00:00
Dominik Schilling ae68925e49 Template: Make sure the version string is correctly escaped for use in attributes.
Merge of [42893] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@42918


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42748 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 16:06:33 +00:00
Dominik Schilling 62ccb52bbc Meta: Simplify the delete all meta query in `delete_metadata()`.
Built from https://develop.svn.wordpress.org/branches/4.8@42913


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42743 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 15:40:32 +00:00
Dominik Schilling 54e04cd70e HTTP: Don't treat `localhost` as same host by default.
Merge of [42894] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@42909


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42739 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 15:36:15 +00:00
Dominik Schilling 4f2919a7ef Login: Use `wp_safe_redirect()` when redirecting the login page if forced to use HTTPS.
Merge of [42892] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@42896


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42726 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 15:29:34 +00:00
Sergey Biryukov 86c462ab7e General: Update copyright year to 2018 in license.txt.
Props rachelbaker.
Merges [42424] to the 4.8 branch.
Fixes #43007.
Built from https://develop.svn.wordpress.org/branches/4.8@42553


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42382 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-23 11:25:33 +00:00
Dion Hulse d75574cd84 Bump the 4.8 branch to 4.8.5.
Built from https://develop.svn.wordpress.org/branches/4.8@42495


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42324 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 21:39:32 +00:00
Dion Hulse 726b806eab External Libraries: Remove unnecessary / obsoleted MediaElement.js files.
Fixes #42720 for 4.8.

Built from https://develop.svn.wordpress.org/branches/4.8@42478


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42307 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 08:02:34 +00:00
Dion Hulse 53c05552f3 Upgrade: When deleting old files, if deletion fails attempt to empty the file instead.
Props joemcgill, dd32.
Merges [42434] to the 4.8 branch.
Fixes #42963 for 4.8.

Built from https://develop.svn.wordpress.org/branches/4.8@42466


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42295 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 06:53:33 +00:00
John Blackbourn 9222292ccb Bump 4.8 branch to version 4.8.4.
Built from https://develop.svn.wordpress.org/branches/4.8@42317


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42146 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 18:57:33 +00:00
John Blackbourn 47c076a77b Hardening: Remove the ability to upload JavaScript files for users who do not have the `unfiltered_html` capability.
Merges [42261] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@42271


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42100 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:16:05 +00:00
John Blackbourn 3995f1e60f Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
Merges [42260] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@42270


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42099 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:15:34 +00:00
John Blackbourn c5713fc570 Hardening: Add escaping to the language attributes used on `html` elements.
Merges [42259] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@42269


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42098 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:14:07 +00:00
John Blackbourn 2aba074c5b Hardening: Use a properly generated hash for the `newbloguser` key instead of a determinate substring.
Merges [42258] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@42268


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42097 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:13:35 +00:00
John Blackbourn 8101b2aa4d Users: Correct the value of the `lang` attribute in the admin area.
This corrects the value when the user's language is set to `English (United States)` but the site language is not.

Props ocean90, afercia

See #42242

Merges [42220] to the 4.8 branch.

Built from https://develop.svn.wordpress.org/branches/4.8@42262


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42091 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:05:34 +00:00
Dion Hulse 9eb5084390 WPDB: Check that `AUTH_SALT` is not empty, Fix a PHP notice when `AUTH_SALT` is undefined.
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.8 branch.
Fixes #42431 and #42401 for 4.8.

Built from https://develop.svn.wordpress.org/branches/4.8@42230


git-svn-id: http://core.svn.wordpress.org/branches/4.8@42059 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:07:34 +00:00
Dion Hulse 5f52157d46 Bump Akismet external to 4.0.1.
git-svn-id: http://core.svn.wordpress.org/branches/4.8@41951 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-07 03:10:32 +00:00
Gary Pendergast 3fdaf059b9 Bump 4.8 branch to version 4.8.3.
Built from https://develop.svn.wordpress.org/branches/4.8@42069


git-svn-id: http://core.svn.wordpress.org/branches/4.8@41898 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:07:32 +00:00
Gary Pendergast a59f4bc10f Database: Restore numbered placeholders in `wpdb::prepare()`.
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

Merges [41662], [42056] to the 4.8 branch.
See #41925.


Built from https://develop.svn.wordpress.org/branches/4.8@42057


git-svn-id: http://core.svn.wordpress.org/branches/4.8@41886 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:23:33 +00:00