When WordPress sends out a password-reset or new-user email, it generates
a link for someone to follow in order to take them to the reset page. If
the user login name ends in a period, however, that generated URL will
end in a period and many email clients will confuse it with a
sentence-ending period instead of being part of the query arguments.
In this patch, the generated URL's query argument are rearranged so that
the link will never end in a period. Alternative ideas were explored to
create a new function to escape URL-ending periods, but this patch resolves
the reported problem without raising any further architectural questions.
Developed in https://github.com/WordPress/wordpress-develop/pull/6834
Discussed in https://core.trac.wordpress.org/ticket/42957
Props audrasjb, costdev, daveagp, dmsnell, hellofromTonya, markparnell, mukesh27, nhrrob, obrienlabs, paulcline.
Fixes#42957.
Built from https://develop.svn.wordpress.org/trunk@58674
git-svn-id: http://core.svn.wordpress.org/trunk@58076 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While technically only `null`, `WP_User`, or `WP_Error` should be returned from the `authenticate` filter, a plugin might return boolean `false` instead, which would trigger the `authentication_failed` error prior to [57882].
This commit aims to preserve that behavior in case `false` is returned.
Follow-up to [57882].
Props johnbillion.
See #60700.
Built from https://develop.svn.wordpress.org/trunk@57990
git-svn-id: http://core.svn.wordpress.org/trunk@57476 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `$x_redirect_by` parameter is supported by `wp_redirect()` and `wp_safe_redirect()` to set the `X-Redirect-By` header.
It can be modified via the `x_redirect_by` filter.
This updates the docblock to clarify that `false` can be passed to disable sending the header, which was previously undocumented behavior.
Props kkmuffme, swissspidy.
Fixes#60209.
Built from https://develop.svn.wordpress.org/trunk@57693
git-svn-id: http://core.svn.wordpress.org/trunk@57194 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Includes:
* Expanding and synchronizing documentation for the `default` and `rating` arguments.
* Adding `@since` entries for the `loading`, `fetchpriority`, and `decoding` arguments.
* Wrapping long lines as per the documentation standards.
* Fixing a typo in the `identicon` value.
* Minor formatting edits for consistency.
Follow-up to [31107], [45632], [47554], [53480], [56037].
See #58833.
Built from https://develop.svn.wordpress.org/trunk@56767
git-svn-id: http://core.svn.wordpress.org/trunk@56279 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `wp_get_loading_optimization_attributes()` function was introduced in 6.3, as a single centralized place to control loading optimization attributes for various tags, most importantly images.
This changeset consolidates the `decoding="async"` optimization, which was added in 6.1, to occur solely as part of `wp_get_loading_optimization_attributes()`, removing duplicate code and allowing centralized filtering based on [56651].
As part of the change, the `wp_img_tag_add_decoding_attr()` function has been deprecated. The filter of the same name continues to be maintained for backward compatibility, as before covering only images that are part of a content blob such as post content (`the_content`).
Props pereirinha, mukesh27, joemcgill, flixos90.
Fixes#58892.
See #53232.
Built from https://develop.svn.wordpress.org/trunk@56690
git-svn-id: http://core.svn.wordpress.org/trunk@56202 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).
WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [55988], [55990], [56014], [56021], [56031], [56032], [56065], [56241].
See #58206.
Built from https://develop.svn.wordpress.org/trunk@56245
git-svn-id: http://core.svn.wordpress.org/trunk@55757 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset adds support for the `fetchpriority` attribute, which is typically added to a single image in each HTML response with a value of "high". This enhances load time performance (also Largest Contentful Paint, or LCP) by telling the browser to prioritize this image for downloading even before the layout of the page has been computed. In lab tests, this has shown to improve LCP performance by ~10% on average.
Specifically, `fetchpriority="high"` is added to the first image that satisfies all of the following conditions:
* The image is not lazy-loaded, i.e. does not have `loading="lazy"`.
* The image does not already have a (conflicting) `fetchpriority` attribute.
* The size of of the image (i.e. width * height) is greater than 50,000 squarepixels.
While these heuristics are based on several field analyses, there will always be room for optimization. Sites can customize the squarepixel threshold using a new filter `wp_min_priority_img_pixels` which should return an integer for the value.
Since the logic for adding `fetchpriority="high"` is heavily intertwined with the logic for adding `loading="lazy"`, yet the features should work decoupled from each other, the majority of code changes in this changeset is refactoring of the existing lazy-loading logic to be reusable. For this purpose, a new function `wp_get_loading_optimization_attributes()` has been introduced which returns an associative array of performance-relevant attributes for a given HTML element. This function replaces `wp_get_loading_attr_default()`, which has been deprecated. As another result of that change, a new function `wp_img_tag_add_loading_optimization_attrs()` replaces the more specific `wp_img_tag_add_loading_attr()`, which has been deprecated as well.
See https://make.wordpress.org/core/2023/05/02/proposal-for-enhancing-lcp-image-performance-with-fetchpriority/ for the original proposal and additional context.
Props thekt12, joemcgill, spacedmonkey, mukesh27, costdev, 10upsimon.
Fixes#58235.
Built from https://develop.svn.wordpress.org/trunk@56037
git-svn-id: http://core.svn.wordpress.org/trunk@55549 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_starts_with()` and `str_ends_with()` were introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins or ends with the given substring (needle).
WordPress core includes a polyfill for these functions on PHP < 8.0 as of WordPress 5.9.
This commit uses `str_starts_with()` and `str_ends_with()` in core files where appropriate:
* `$needle === substr( $string, 0, $length )`, where `$length` is the length of `$needle`, is replaced with `str_starts_with( $haystack, $needle )`.
* `$needle === substr( $string, $offset )`, where `$offset` is negative and the absolute value of `$offset` is the length of `$needle`, is replaced with `str_ends_with( $haystack, $needle )`.
This aims to make the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987], [55988].
Props Soean, spacedmonkey, Clorith, ocean90, azaozz, sabernhardt, SergeyBiryukov.
Fixes#58220.
Built from https://develop.svn.wordpress.org/trunk@55990
git-svn-id: http://core.svn.wordpress.org/trunk@55502 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).
WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987].
Props Soean, spacedmonkey, costdev, dingo_d, azaozz, mikeschroder, flixos90, peterwilsoncc, SergeyBiryukov.
Fixes#58206.
Built from https://develop.svn.wordpress.org/trunk@55988
git-svn-id: http://core.svn.wordpress.org/trunk@55500 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_starts_with()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins with the given substring (needle).
WordPress core includes a polyfill for `str_starts_with()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `0 === strpos( ... )` with `str_starts_with()` in core files, making the code more readable and consistent, as well as improving performance.
While `strpos()` is slightly faster than the polyfill on PHP < 8.0, `str_starts_with()` is noticeably faster on PHP 8.0+, as it is optimized to avoid unnecessarily searching along the whole haystack if it does not find the needle.
Follow-up to [52039], [52040], [52326].
Props spacedmonkey, costdev, sabernhardt, mukesh27, desrosj, jorbin, TobiasBg, ayeshrajans, lgadzhev, SergeyBiryukov.
Fixes#58012.
Built from https://develop.svn.wordpress.org/trunk@55703
git-svn-id: http://core.svn.wordpress.org/trunk@55215 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This avoids an endless loop if `get_current_user_id()` is used in a callback attached to the `gettext` filter.
With the translated phrase moved into a separate assignment, the function succeeds in setting the static `$duplicated_keys` array once and no longer goes into this code section on subsequent calls.
Follow-up to [54249].
Props adityaarora010196, SergeyBiryukov.
Fixes#57121.
Built from https://develop.svn.wordpress.org/trunk@55433
git-svn-id: http://core.svn.wordpress.org/trunk@54966 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This resolves 80+ WPCS warnings in core:
{{{
Variable "$comment_ID" is not in valid snake_case format
}}}
While matching the database field of the same name, the `$comment_ID` variable did not follow the WordPress coding standards, and is now renamed to address that.
This affects:
* Function parameters in:
* `get_comment_author()`
* `comment_author()`
* `get_comment_author_email()`
* `comment_author_email()`
* `get_comment_author_link()`
* `comment_author_link()`
* `get_comment_author_IP()`
* `comment_author_IP()`
* `get_comment_author_rl()`
* `comment_author_url()`
* `get_comment_date()`
* `comment_date()`
* `get_comment_excerpt()`
* `comment_excerpt()`
* `get_comment_text()`
* `comment_text()`
* `get_comment_time()`
* `comment_time()`
* `get_comment_type()`
* `get_page_of_comment()`
* `wp_new_comment_notify_moderator()`
* `wp_new_comment_notify_postauthor()`
* `get_commentdata()`
* Internal variables in:
* `get_comment_ID()`
* `wp_new_comment()`
* `wp_xmlrpc_server::wp_deleteComment()`
* `wp_xmlrpc_server::wp_editComment()`
* `wp_xmlrpc_server::wp_newComment()`
* `wp_xmlrpc_server::pingback_ping()`
* Hook parameters in:
* `get_comment_author`
* `comment_author`
* `get_comment_author_email`
* `author_email`
* `get_comment_author_link`
* `get_comment_author_IP`
* `get_comment_author_url`
* `comment_url`
* `get_comment_excerpt`
* `comment_excerpt`
* `get_comment_ID`
* `get_comment_type`
* `get_page_of_comment`
* `comment_{$new_status}_{$comment->comment_type}`
* `comment_post`
* `notify_moderator`
* `notify_post_author`
* `commentrss2_item`
* `xmlrpc_call_success_wp_deleteComment`
* `xmlrpc_call_success_wp_editComment`
* `xmlrpc_call_success_wp_newComment`
* `pingback_post`
Note: The name change only affects variable names and DocBlocks.
The change does not affect:
* `comment_ID` as the `$orderby` value in `WP_Comment_Query::__construct()`
* `comment_ID` as the `$orderby` value in `WP_Comment::get_children()`
* `comment_ID` as part of `$commentarr` parameter in `wp_update_comment()`
The associated array keys still match the database field.
Follow-up to [53723].
Props krunal265, costdev, SergeyBiryukov.
Fixes#57671. See #56791.
Built from https://develop.svn.wordpress.org/trunk@55308
git-svn-id: http://core.svn.wordpress.org/trunk@54841 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset improves the consistency in capitalization of fetching and outputting of request headers. It also updates occurrences found in some docblocks.
Props johnjamesjacoby, costdev, audrasjb, petitphp, mhkuu, SergeyBiryukov.
Fixes#54225.
Built from https://develop.svn.wordpress.org/trunk@55210
git-svn-id: http://core.svn.wordpress.org/trunk@54743 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset adds `$user_id`, `$expire`, `$expiration` and `$token` parameters to provide context to `send_auth_cookies` hook, which allows the filter to skip sending auth cookies.
Props dd32, mukesh27, costdev, peterwilsoncc, audrasjb.
Fixes#56971.
See #39367.
Built from https://develop.svn.wordpress.org/trunk@55164
git-svn-id: http://core.svn.wordpress.org/trunk@54697 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This new function makes it easier to switch to a specific user’s locale by reducing duplicate code and storing the user’s ID as additional context for plugins to consume. Existing usage of `switch_to_locale()` in core has been replaced with `switch_to_user_locale()` where appropriate.
Also, this change ensures `WP_Locale_Switcher` properly filters `determine_locale` so that anyyone using the `determine_locale()` function will get the correct locale information when switching is in effect.
Props costdev.
Fixes#57123.
See #26511.
Built from https://develop.svn.wordpress.org/trunk@55161
git-svn-id: http://core.svn.wordpress.org/trunk@54694 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset introduces the `wp_set_password` action hook, triggered after a password is set for a given user. As several plugins are calling `wp_set_password()` directly, adding an action to the end of the function will help plugin authors to catch all instances of password setting.
Props tanner-m, audrasjb.
Fixes#57436.
Built from https://develop.svn.wordpress.org/trunk@55056
git-svn-id: http://core.svn.wordpress.org/trunk@54589 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previous to this change, attachment filenames in outgoing emails could only ever be derived from their paths (passed in as a numerically indexed array of `$attachments`).
This changeset adds support for passing an associative `$attachments` array, where the key strings will be used as filenames instead.
Includes 2 new unit tests to ensure both array formats continue to work as intended.
Props johnjamesjacoby, ritteshpatel, swissspidy, syntaxart.
Fixes#28407.
Built from https://develop.svn.wordpress.org/trunk@55030
git-svn-id: http://core.svn.wordpress.org/trunk@54563 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While using reserved PHP keywords as parameter name labels is allowed, in the context of function calls using named parameters in PHP 8.0+, this will easily lead to confusion. To avoid that, it is recommended not to use reserved keywords as function parameter names.
This commit:
* Renames the `$die` parameter to `$stop` in `check_ajax_referer()`.
* Renames the `$default` parameter to `$fallback_url` in `wp_validate_redirect()`.
* Renames the `$default` parameter to `$default_value` in `get_avatar()`.
Follow-up to [52946], [52996], [52997], [52998], [53003], [53014], [53029], [53039], [53116], [53117], [53137], [53174], [53184], [53185], [53192], [53193], [53198], [53203], [53207], [53215], [53216], [53220], [53230], [53232], [53236], [53239], [53240], [53242], [53243], [53245], [53246], [53257], [53269], [53270], [53271], [53272], [53273], [53274], [53275], [53276], [53277], [53281], [53283], [53284], [53285], [53287], [53364], [53365], [54927], [54929], [54930], [54931], [54932], [54933], [54938], [54943], [54944], [54945], [54946], [54947], [54948], [54950], [54951].
Props jrf, aristath, poena, justinahinon, SergeyBiryukov.
See #56788.
Built from https://develop.svn.wordpress.org/trunk@54952
git-svn-id: http://core.svn.wordpress.org/trunk@54504 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes the currently flagged `WordPress.PHP.StrictInArray.MissingTrueStrict` issues:
* `Not using strict comparison for in_array; supply true for third argument.`
These all do comparisons with strings, so all the more reason why it is imperative that a strict comparison is used.
Follow-up to [47550], [47557], [54155], [53480].
Props jrf.
See #56791.
Built from https://develop.svn.wordpress.org/trunk@54895
git-svn-id: http://core.svn.wordpress.org/trunk@54447 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In `wp_salt()` WordPress pre-populates the check for duplicate salt values with the default put your unique phrase here. As the `wp-config.php file` for non-en_US can be translated in downloaded packages, a translated version of this phrase ought to be in the pre-populated duplicate values array too.
Props peterwilsoncc, SergeyBiryukov, whaze, costdev, audrasjb.
Fixes#55937.
Built from https://develop.svn.wordpress.org/trunk@54249
git-svn-id: http://core.svn.wordpress.org/trunk@53808 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset contextualizes the usage of `nonce_life` filter by passing the `$action` parameter. It allows to alterate the default lifespan of nonces on a case by case basis.
Props giuseppemazzapica, dwainm, DrewAPicture, jorbin, audrasjb, SergeyBiryukov, costdev, antonvlasenko.
Fixes#35188.
Built from https://develop.svn.wordpress.org/trunk@54218
git-svn-id: http://core.svn.wordpress.org/trunk@53777 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When extracting the email and name from a “From” header, the last character of the name is incorrectly trimmed when a space is not included between the name and the opening `<`.
Though the space is required for the header to be compliant with RFC5322 (see https://www.rfc-editor.org/rfc/rfc5322#section-3.4), the absence of a space can be ignored here. PHPMailer accepts the name and email as separate parameters and constructs the header correctly later on.
Props hakanca, mikehansenme, SergeyBiryukov, kovshenin, mattyrob, drewapicture, desrosj.
Fixes#19847.
Built from https://develop.svn.wordpress.org/trunk@53900
git-svn-id: http://core.svn.wordpress.org/trunk@53459 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Make the descriptions for `update_post_author_caches()` and `update_post_caches()` more specific.
* Move the unit test into its own file, for consistency with `update_post_cache()` tests. This also allows for using shared fixtures in case more tests are added in the future.
Follow-up to [53482].
See #55716.
Built from https://develop.svn.wordpress.org/trunk@53483
git-svn-id: http://core.svn.wordpress.org/trunk@53072 1a063a9b-81f0-0310-95a4-ce76da25c4cd
For a call to `WP_Query` or a post REST API request that contains posts from multiple authors, call the `cache_users` function, to ensure that all user data for post authors is primed in
a single database query. This results in far fewer database queries on multiple author sites.
Props spacedmonkey, timothyblynjacobs, peterwilsoncc.
Fixes#55716.
Built from https://develop.svn.wordpress.org/trunk@53482
git-svn-id: http://core.svn.wordpress.org/trunk@53071 1a063a9b-81f0-0310-95a4-ce76da25c4cd