- Comments: Prevent users who can not see a post from seeing comments on it.
- Shortcodes: Restrict media shortcode ajax to certain type.
- REST API: Ensure no-cache headers are sent when methods are overridden.
- REST API: Limit `search_columns` for users without `list_users`.
- Prevent unintended behavior when certain objects are unserialized.
Merges [56833], [56834], [56835], [56836], and [56838] to the 5.1 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/5.1@56873
git-svn-id: http://core.svn.wordpress.org/branches/5.1@56384 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add strings for use in future maintenance/security releases to indicate the security support status of the version of WordPress.
Two strings are introduced:
* indicating the version of WordPress is not receiving security updates, and,
* indicating the version of WordPress will shortly stop receiving security updates.
This change does not make use of the strings, the purpose is to make them available to translators prior to dropping support of selected versions of WordPress.
Props costdev, chesio, robinwpdeveloper, desrosj, rudlinkon, mukesh27, sumitbagthariya16.
Merges [54322] to the 5.1 branch.
See #56532.
Built from https://develop.svn.wordpress.org/branches/5.1@54439
git-svn-id: http://core.svn.wordpress.org/branches/5.1@53998 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Update `lodash` to the latest version `4.17.21`.
- Disable some attributes for rich text.
- Use hashed/deterministic moduleIDs in webpack config.
Props ellatrix, peterwilsoncc, get_dave, mcsf, talldanwp, youknowriad, desrosj, nerrad, gziolo.
Merges [50940-50941,50984-50985,51426] to the 5.1 branch.
Built from https://develop.svn.wordpress.org/branches/5.1@51757
git-svn-id: http://core.svn.wordpress.org/branches/5.1@51364 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This backports several build and test tool improvements to the 5.1 branch. Most notably, this includes:
- The changes required to allow each workflow to be triggered by the `workflow_dispatch` event so that tests can be run on a schedule [50590].
- Splitting single site and multisite tests into parallel jobs [50379].
- Split slow tests into separate, parallel jobs for PHP <= 5.6 [50444].
- Better branch and path scoping for GitHub Action workflows when running on `pull_request` [50432,50479].
- Several `devDependency` updates.
Merges [45317,50267,50379,50387,50413,50416,50432,50435-50436,50444,50446,50473-50474,50476,50479,50485-50487,50545,50579,50590,50598] to the 5.1 branch.
See #50401, #51801, #51802, #52548, #52608, #52612, #52624, #52625, #52645, #52653, #52658, #52660, #52667.
Built from https://develop.svn.wordpress.org/branches/5.1@50622
git-svn-id: http://core.svn.wordpress.org/branches/5.1@50235 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates the 5.1 branch to support the latest LTS version of NodeJS (currently 14.x), allowing the same version to be used across all WordPress branches that receive security updates as a courtesy.
In addition to backporting the package updates that happened after branching 5.1, dependencies that were removed in future releases have also been updated to their latest versions.
Props desrosj, dd32, netweb, jorbin.
Merges [44233,44728,45321,45765,45826,46403-46404,46408-46409,47404,47867-47869,47872-47873,48705,49636,49933,49937,49939,49940,49983,49989,50017,50126,50176,50185] to the 5.1 branch.
See #52341.
Built from https://develop.svn.wordpress.org/branches/5.1@50199
git-svn-id: http://core.svn.wordpress.org/branches/5.1@49874 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates the `dealerdirect/phpcodesniffer-composer-installer` package to allow installing version `0.7.0` which supports Composer 2.0.
It also includes several minor spacing/alignment coding standards fixes that are made as a result of the package update.
Props itowhid06, jrf.
Merges [49306] to the 5.1 branch.
See #51624, #48301.
Built from https://develop.svn.wordpress.org/branches/5.1@49516
git-svn-id: http://core.svn.wordpress.org/branches/5.1@49271 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit brings the changes in [49452] to the 5.1 branch.
If reinstalling WordPress, there is a condition where tables would exist in the database. Ensures that$
Fixes#51676.
Props xknown, garubi, mukesh27, desrosj, johnbillion, metalandcoffee, davidbaumwald, whyisjake.
Built from https://develop.svn.wordpress.org/branches/5.1@49457
git-svn-id: http://core.svn.wordpress.org/branches/5.1@49216 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 5.1 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
Built from https://develop.svn.wordpress.org/branches/5.1@49395
git-svn-id: http://core.svn.wordpress.org/branches/5.1@49154 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.
Merges [47947-47951] to the 5.1 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/5.1@47963
git-svn-id: http://core.svn.wordpress.org/branches/5.1@47734 1a063a9b-81f0-0310-95a4-ce76da25c4cd
After a comment is submitted, only allow a brief window where the comment is live on the site.
Props jonkolbert, ayeshrajans, Asif2BD, peterwilsoncc, imath, audrasjb, jonoaldersonwp, whyisjake, SergeyBiryukov.
Merges [47887] and [47889] to the 5.1 branch.
Fixes#49956.
Built from https://develop.svn.wordpress.org/branches/5.1@47918
git-svn-id: http://core.svn.wordpress.org/branches/5.1@47692 1a063a9b-81f0-0310-95a4-ce76da25c4cd
User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Block Editor: Coding standards, properly escape class names.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.
Brings the changes in [47633], [47634], [47635], [47636], [47637], and [47638] to the 5.1 branch.
Props: aduth, batmoo, ehti, ellatrix, jorgefilipecosta, nickdaugherty, noisysocks, pento, peterwilsoncc, sergeybiryukov, sstoqnov, talldanwp, westi, westonruter, whyisjake, whyisjake, xknown.
Built from https://develop.svn.wordpress.org/branches/5.1@47646
git-svn-id: http://core.svn.wordpress.org/branches/5.1@47421 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize : on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.
Built from https://develop.svn.wordpress.org/branches/5.1@46907
git-svn-id: http://core.svn.wordpress.org/branches/5.1@46707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 5.1 branch.
Built from https://develop.svn.wordpress.org/branches/5.1@46490
git-svn-id: http://core.svn.wordpress.org/branches/5.1@46288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The Site Health tool serves two purposes:
- Provide site owners with information to improve the performance, reliability, and security of their site.
- Collect comprehensive debug information about the site.
By encouraging site owners to maintain their site and adhere to modern best practices, we ultimately improve the software hygeine of both the WordPress ecosystem, and the open internet as a whole.
Props Clorith, hedgefield, melchoyce, xkon, karmatosed, jordesign, earnjam, ianbelanger, wpscholar, desrosj, pedromendonca, peterbooker, jcastaneda, garyj, soean, pento, timothyblynjacobs, zodiac1978, dgroddick, garrett-eclipse, netweb, tobifjellner, pixolin, afercia, joedolson, birgire.
See #46573.
Built from https://develop.svn.wordpress.org/branches/5.1@44984
git-svn-id: http://core.svn.wordpress.org/branches/5.1@44815 1a063a9b-81f0-0310-95a4-ce76da25c4cd