Commit Graph

170 Commits

Author SHA1 Message Date
Sergey Biryukov e782caa1e7 Comments: Escape permalink values on edit screen to prevent XSS.
There doesn't appear to be any way for an attacker to introduce malicious input into the URL, unless a plugin is filtering the URL to add it, but it's better to be safe than sorry.

Props 1naveengiri, joyously.
Merges [43290] to the 4.9 branch.
Fixes #44115.
Built from https://develop.svn.wordpress.org/branches/4.9@43301


git-svn-id: http://core.svn.wordpress.org/branches/4.9@43130 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-05-21 12:40:26 +00:00
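Added example, not WordPress core code and not part of the commit above: why the comment permalink should be escaped for its output context even though core itself never places request data in that URL. The commit's own caveat is that a plugin filtering the link can introduce whatever it likes, so escaping at output is the defence-in-depth step. The escaping function, the filter helpers and the misbehaving plugin below are stand-ins written for this example; core's esc_url()/esc_attr() do more than htmlspecialchars() (assumption: their exact behaviour is not described on this page).

```php
<?php
// Added example, not WordPress core code. Stand-ins for WordPress APIs so the
// script runs without WordPress; core's esc_attr()/esc_url() are stricter
// (assumption).
function esc_attr_stub(string $text): string {
    // Escape for an HTML attribute (and text) context.
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Minimal filter chain, mimicking how a plugin can alter a generated URL.
$filters = [];
function add_filter_stub(string $hook, callable $cb): void {
    global $filters;
    $filters[$hook][] = $cb;
}
function apply_filters_stub(string $hook, string $value): string {
    global $filters;
    foreach ($filters[$hook] ?? [] as $cb) {
        $value = $cb($value);
    }
    return $value;
}

// Constructed scenario: a careless plugin appends an unsanitised request
// parameter to the comment link. This is the "unless a plugin is filtering
// the URL" case from the commit message.
$_GET['ref'] = '"><script>alert(1)</script>';
add_filter_stub('get_comment_link', function (string $url): string {
    return $url . '?ref=' . $_GET['ref'];
});

$permalink = apply_filters_stub('get_comment_link', 'https://example.com/post/#comment-7');

// Before the fix: raw value inside href and link text; the attribute is
// broken out of and the script tag lands in the page.
function render_unsafe(string $url): string {
    return '<a href="' . $url . '">' . $url . '</a>';
}

// After the fix: the value is escaped for the attribute and text contexts,
// so the payload is rendered as inert text.
function render_safe(string $url): string {
    return '<a href="' . esc_attr_stub($url) . '">' . esc_attr_stub($url) . '</a>';
}

echo "unsafe: ", render_unsafe($permalink), "\n";
echo "safe:   ", render_safe($permalink), "\n";
```

Run with `php example.php`; the unsafe line contains a literal `<script>` element, the safe line contains `&lt;script&gt;` and the quote that closed the attribute becomes `&quot;`.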
Andrea Fercia 576bdf9f8c Accessibility: Standardize the remove/delete/cancel links in the Menus screen and Publish meta boxes.
The `submitdelete` CSS class is used in various places across the admin for some
"red" action links. It is worth simplifying this rule for further improvements
related to color contrast.

- simplifies a non-standard styling for the "Remove/Cancel" links in the Menus screen
- underlines all the "Move to trash/Delete" red links in all the Publish meta boxes
- fixes CSS classes usage for all the Publish meta boxes primary buttons
- fixes broken layout for the old Link Manager publish meta box

Props karmatosed, hugobaeta, monikarao, afercia.
Fixes #37969, #37018. See #37448, #37138, #27314.

Built from https://develop.svn.wordpress.org/trunk@38616


git-svn-id: http://core.svn.wordpress.org/trunk@38559 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-17 15:39:30 +00:00
Peter Wilson 47d26cd9fb DOCS: Replace HTTP links with HTTPS.
Replaces insecure links in documentation and translator comments with their secure versions.

Props johnpgreen, netweb

Fixes #36993

Built from https://develop.svn.wordpress.org/trunk@37674


git-svn-id: http://core.svn.wordpress.org/trunk@37640 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-10 04:50:33 +00:00
Andrea Fercia bf3b51adaf Accessibility: improve the color contrast in the Edit Comment "Status" box.
The current orange and red used for the radio button labels in the Edit Comment
"Status" box don't have a sufficient color contrast ratio with the background.
Removing the colors improves accessibility and consistency.

See #35659, #35622.
Fixes #36967.
Built from https://develop.svn.wordpress.org/trunk@37611


git-svn-id: http://core.svn.wordpress.org/trunk@37579 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-01 17:51:27 +00:00
Drew Jaynes c3055cc190 Docs: Standardize hook docs in wp-admin/* to use third-person singular verbs per the inline documentation standards for PHP.
See #36913.

Built from https://develop.svn.wordpress.org/trunk@37488


git-svn-id: http://core.svn.wordpress.org/trunk@37456 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 18:01:30 +00:00
Rachel Baker a6e66c0cfc Comments: On the Edit Comment screen do not show the permalink for unapproved comments.
Fixes #36161.
Built from https://develop.svn.wordpress.org/trunk@36958


git-svn-id: http://core.svn.wordpress.org/trunk@36926 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-10 21:18:27 +00:00
Sergey Biryukov fe131bacd1 I18N: Use better context for comment statuses.
See #35054.
Built from https://develop.svn.wordpress.org/trunk@35902


git-svn-id: http://core.svn.wordpress.org/trunk@35866 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-13 19:11:26 +00:00
Andrea Fercia f1787056de Bump the "Status" H3 heading to H2 on the Edit Comment screen for better accessibility.
Fixes #34286.
Built from https://develop.svn.wordpress.org/trunk@35160


git-svn-id: http://core.svn.wordpress.org/trunk@35126 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-14 17:44:24 +00:00
Sergey Biryukov 8e353f294c Add missing translator comment after [34295].
See #31853.
Built from https://develop.svn.wordpress.org/trunk@34301


git-svn-id: http://core.svn.wordpress.org/trunk@34265 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-18 18:50:24 +00:00
Scott Taylor 20a42701f4 Don't use `<code>` in translation strings in `edit-form-comment.php`.
Props ramiy.
Fixes #31853.

Built from https://develop.svn.wordpress.org/trunk@34295


git-svn-id: http://core.svn.wordpress.org/trunk@34259 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-18 18:28:26 +00:00
Scott Taylor 4dbaf63b67 Edit Comment screen: remove the "View Comment" button (actually a link) from the publish meta box. Mimic the "Edit URL/Permalink" UI from the Edit Post screen to show the comment link below the screen title, but make it an actual link, not a button.
Props ocean90, DrewAPicture, wonderboymusic.
Fixes #19168.

Built from https://develop.svn.wordpress.org/trunk@34072


git-svn-id: http://core.svn.wordpress.org/trunk@34040 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-12 03:20:24 +00:00
Scott Taylor db4f22bfb5 After [33961], pass `$comment` to `get_comment_link()` where possible to avoid extra cache/db lookups.
See #33638.

Built from https://develop.svn.wordpress.org/trunk@34042


git-svn-id: http://core.svn.wordpress.org/trunk@34010 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-11 06:21:25 +00:00
Scott Taylor fc328f5484 After [33961], pass `$comment` to `get_comment_author_link()` where possible to avoid extra cache/db lookups.
See #33638.

Built from https://develop.svn.wordpress.org/trunk@34039


git-svn-id: http://core.svn.wordpress.org/trunk@34007 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-11 06:05:24 +00:00
Scott Taylor 98acab10ea Comments/PHP Notices: check that a parent comment exists before displaying an orphan's link to it in the admin.
Props rachelbaker.
Fixes #33710.

Built from https://develop.svn.wordpress.org/trunk@34015


git-svn-id: http://core.svn.wordpress.org/trunk@33984 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-10 20:51:23 +00:00
Scott Taylor e73ee5ac98 Introduce `WP_Comment` class to model/strongly-type rows from the comments database table. Inclusion of this class is a pre-req for some more general comment cleanup and sanity.
* Takes inspiration from `WP_Post` and adds sanity to comment caching. 
* Clarifies when the current global value for `$comment` is returned. The current implementation in `get_comment()` introduces side effects and an occasional stale global value for `$comment` when comment caches are cleaned.
* Strongly-types `@param` docs
* This class is marked `final` for now

Props wonderboymusic, nacin.

See #32619.

Built from https://develop.svn.wordpress.org/trunk@33891


git-svn-id: http://core.svn.wordpress.org/trunk@33860 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-03 18:17:24 +00:00
Helen Hou-Sandí 1f500055a6 Drop the hyphen from e-mail and standardize on email.
The AP Stylebook changed this in 2011, and we're woefully inconsistent, so let's go with the standard.

props morganestes, voldemortensen, niallkennedy (for patching on the previous AP style).
fixes #26156.

Built from https://develop.svn.wordpress.org/trunk@33774


git-svn-id: http://core.svn.wordpress.org/trunk@33742 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-28 03:17:21 +00:00
Dominik Schilling 96a6f0ac1f Pinking shears.
Built from https://develop.svn.wordpress.org/trunk@33627


git-svn-id: http://core.svn.wordpress.org/trunk@33594 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-17 21:39:25 +00:00
Drew Jaynes c333809c0e Fix the summary and add a missing variable in the hook docs for the `edit_comment_misc_actions` filter.
See [32929]. See #32891.

Built from https://develop.svn.wordpress.org/trunk@33177


git-svn-id: http://core.svn.wordpress.org/trunk@33149 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-12 18:29:23 +00:00
Konstantin Obenland 7dc1d06e64 Proper heading for admin screens.
First step towards restoring a good heading structure in wp-admin.
The previous `<h1>` contained the site title and a link to the front page and was removed with the toolbar refactoring in 3.2.

Props joedolson, afercia.
Fixes #31650.


Built from https://develop.svn.wordpress.org/trunk@32974


git-svn-id: http://core.svn.wordpress.org/trunk@32945 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-27 15:41:25 +00:00
Scott Taylor 587c570efa After [32796], improve the accessibility and markup for instances of `touch_time()`.
Props rianrietveld, afercia.
Fixes #31714.

Built from https://develop.svn.wordpress.org/trunk@32945


git-svn-id: http://core.svn.wordpress.org/trunk@32916 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-25 19:30:25 +00:00
Scott Taylor f23199caaa Remove the `whois.arin.net` link from `wp_notify_postauthor()` and `wp_notify_moderator()`.
Also, remove from `edit-form-comment.php` and add a new filter: `edit_comment_misc_actions`. 

Props ozh, joedolson, rachelbaker.
Fixes #15281.

Built from https://develop.svn.wordpress.org/trunk@32929


git-svn-id: http://core.svn.wordpress.org/trunk@32900 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-24 20:56:27 +00:00
Scott Taylor 45d5037a10 Avoid using HTML in translation strings in `edit-form-comment.php`.
Fixes #31847.

Built from https://develop.svn.wordpress.org/trunk@32801


git-svn-id: http://core.svn.wordpress.org/trunk@32772 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-16 20:08:24 +00:00
Helen Hou-Sandí 457456ef25 Comments: Better markup for the edit screen.
Previously there were no labels, and since labels can't contain links and the links were of dubious value, we've removed those.

props afercia, DrewAPicture.
fixes #31326.

Built from https://develop.svn.wordpress.org/trunk@32796


git-svn-id: http://core.svn.wordpress.org/trunk@32767 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-16 18:54:26 +00:00
Dion Hulse cc903c3422 Remove ambiguity in the time display format in core, switches to using 24hr notation where am/pm isn't specified.
* `H:i - 09:54`
* `g:i a - 9:54 am`
* `F j, Y - January 3, 2015`

These shouldn't be used without a/A (am/AM)
* `h:i - 01:23`
* `G:i - 1:23`

Props iseulde. Fixes #31121

Built from https://develop.svn.wordpress.org/trunk@31862


git-svn-id: http://core.svn.wordpress.org/trunk@31841 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-03-23 02:14:27 +00:00
Sergey Biryukov bc54c02021 Remove hidden `user_id` input from Edit Comment screen.
Since [31172], it caused the comment's `user_id` field to be unexpectedly changed to the user who edits the comment.

fixes #30307.
Built from https://develop.svn.wordpress.org/trunk@31776


git-svn-id: http://core.svn.wordpress.org/trunk@31756 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-03-14 00:53:27 +00:00
Scott Taylor 0ec87e4584 There are a few functions that have the ability to return `false` instead of a string, so the return value should be checked before being passed to functions that expect string.
These are trivial, but they clear out some Scrutinizer issues.

See #30799.

Built from https://develop.svn.wordpress.org/trunk@31681


git-svn-id: http://core.svn.wordpress.org/trunk@31662 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-03-09 02:11:28 +00:00
Helen Hou-Sandí 7ce4256d4d Comments: Show more identifying information for moderation and editing.
Attempting to moderate comments without context about the post is more difficult than necessary. The comment moderation screen you are sent to via email link was also in need of some better visual treatment.

props thaicloud, seanchayes, adamsilverstein.
see #23988.

Built from https://develop.svn.wordpress.org/trunk@31641


git-svn-id: http://core.svn.wordpress.org/trunk@31622 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-03-06 14:06:24 +00:00
Sergey Biryukov 1541bc1537 Pass comment author name and comment ID to 'get_comment_author_link' filter on Edit Comment screen, for consistency with [30092].
props tyxla.
fixes #30894.
Built from https://develop.svn.wordpress.org/trunk@31053


git-svn-id: http://core.svn.wordpress.org/trunk@31034 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-05 19:10:23 +00:00
Andrew Ozz 7cc113ab66 Do not autofocus text fields on page load on mobile devices. This is currently broken in many mobile browsers:
- iOS Safari opens the keyboard and auto-scrolls on the first tap anywhere on the screen triggering the click at an unexpected place. That makes it impossible to follow links or press buttons.
- Chrome on iOS opens the keyboard on load and may scroll the focused field off screen.
- The Android 4.4 browser only highlights the field, the user has to tap it to open the keyboard and type.
See #30703.
Built from https://develop.svn.wordpress.org/trunk@30842


git-svn-id: http://core.svn.wordpress.org/trunk@30832 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-13 22:08:23 +00:00
Scott Taylor 130771a383 `hackificator` doesn't like mixed quote styles in some generated HTML. The switch from single to double allows these files to be parsed.
See #27881.

Built from https://develop.svn.wordpress.org/trunk@28497


git-svn-id: http://core.svn.wordpress.org/trunk@28323 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-19 01:59:15 +00:00
Sergey Biryukov 5f0f676199 Use a consistent format for translator comments.
props GaryJ.
fixes #27228.
Built from https://develop.svn.wordpress.org/trunk@27325


git-svn-id: http://core.svn.wordpress.org/trunk@27177 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-02-28 08:09:13 +00:00
Andrew Ozz eb1d21d782 Remove all "valign" attributes from tables in wp-admin, props MikeHansenMe, Marventus. Fixes #22712.
Built from https://develop.svn.wordpress.org/trunk@27029


git-svn-id: http://core.svn.wordpress.org/trunk@26905 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-01-24 19:06:15 +00:00
Andrew Ozz 8d6059b383 Remove all screen_icon() calls and deprecate the functions, props TobiasBg, fixes #26119
Built from https://develop.svn.wordpress.org/trunk@26518


git-svn-id: http://core.svn.wordpress.org/trunk@26411 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-12-02 03:53:11 +00:00
Andrew Nacin d0cfa40983 Add jshintrc to qunit.
props jorbin.
see #25187.

Built from https://develop.svn.wordpress.org/trunk@25992


git-svn-id: http://core.svn.wordpress.org/trunk@25925 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-30 14:39:10 +00:00
Helen Hou-Sandí 399a2f2ac2 Show the IP address, if available, in the comment edit screen submit meta box. props leewillis77. fixes #24638.
Built from https://develop.svn.wordpress.org/trunk@25314


git-svn-id: http://core.svn.wordpress.org/trunk@25276 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-10 14:41:11 +00:00
Helen Hou-Sandí eb44516e48 Add more descriptive classes to submit meta box sections. props nofearinc. fixes #22333.
Built from https://develop.svn.wordpress.org/trunk@25083


git-svn-id: http://core.svn.wordpress.org/trunk@25068 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-22 15:24:10 +00:00
Andrew Nacin 00b7fa589a Remove ancient 'lookup' quicktag from the text editor. This had called up answers.com.
props mboynes, jonbishop, SergeyBiryukov.
fixes #23322.



git-svn-id: http://core.svn.wordpress.org/trunk@24052 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-04-22 20:17:25 +00:00
Helen Hou-Sandí bf12a91981 Add `.edit-form-section` class to the comment edit form for correct spacing. fixes #23240.
git-svn-id: http://core.svn.wordpress.org/trunk@23955 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-04-10 19:20:13 +00:00
Andrew Nacin 7b47322e22 Ensure the referer functions operate completely on unslashed data: wp_referer_field(), wp_original_referer_field(), wp_get_referer(), wp_get_original_referer().
Use wp_slash() instead of addslashes().

see #21767.



git-svn-id: http://core.svn.wordpress.org/trunk@23578 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 17:58:43 +00:00
Ryan Boren 5f809d1d22 Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23563 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 17:00:25 +00:00
Ryan Boren 43a7e695e9 Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 16:28:40 +00:00
Ryan Boren cc5ed3a485 Change all core API to expect unslashed rather than slashed arguments.
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_update_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes is no longer necessary.

Introduce wp_unslash() and use it to remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-14 22:51:06 +00:00
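Added example, not WordPress core code and not part of the commit messages above: the slashing contract that [23416] and the follow-up referer commits describe, shown with small stand-ins for wp_slash() and wp_unslash() so the script runs without WordPress. It demonstrates the failure mode the commit warns about: request (GPCS) data arrives slashed, and a handler that passes it straight to a core function that now expects unslashed input stores stray backslashes. Assumptions: the stand-ins use addslashes()/stripslashes() recursively, which matches the described behaviour but not necessarily every detail of core's implementation, and store_comment_stub() is an invented placeholder for a core API such as wp_update_comment().

```php
<?php
// Added example, not WordPress core code. Stand-ins for wp_slash()/wp_unslash()
// (assumption: core's versions recurse into arrays the same way).
function wp_slash_stub($value) {
    if (is_array($value)) {
        return array_map('wp_slash_stub', $value);
    }
    return is_string($value) ? addslashes($value) : $value;
}

function wp_unslash_stub($value) {
    if (is_array($value)) {
        return array_map('wp_unslash_stub', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Placeholder for a core API that, after this change, expects UNSLASHED data
// (invented name; think of wp_update_comment()). It stores the string as given.
function store_comment_stub(array $data): string {
    return $data['comment_content'];
}

// Constructed request: the value the user actually typed.
$typed = ['comment_content' => "It's 5 o'clock \\ here"];

// WordPress has historically exposed $_POST with magic-quotes style slashes
// added; emulate that so the example behaves like a real request.
$_POST = wp_slash_stub($typed);

// Wrong (pre-3.6 habit): the handler hands slashed GPCS data straight to core,
// so the stored value gains literal backslashes: It\'s 5 o\'clock \\ here
function handle_wrong(array $post): string {
    return store_comment_stub($post);
}

// Right: strip the request slashing once, at the boundary, before calling core.
function handle_right(array $post): string {
    return store_comment_stub(wp_unslash_stub($post));
}

// Round trip used by unit tests (the commit's stated main use of wp_slash()):
// slashing unslashed data and unslashing it again must give the original back.
function round_trip(string $s): bool {
    return wp_unslash_stub(wp_slash_stub($s)) === $s;
}

echo "typed:  ", $typed['comment_content'], "\n";
echo "wrong:  ", handle_wrong($_POST), "\n";
echo "right:  ", handle_right($_POST), "\n";
echo "round trip ok: ", round_trip($typed['comment_content']) ? 'yes' : 'no', "\n";
```

The same boundary rule applies to wp_get_referer() and wp_get_original_referer(): once they return unslashed data, a caller must not run stripslashes() on the result a second time, because stripping slashes from an already-unslashed string silently drops legitimate backslashes.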
azaozz 34535097b7 Remove nearly all tabindex attributes from the admin, leaving them only where absolutely necessary (for now that's only the toolbar).
Add tabindex="-1" for the menu images links to avoid double tab stops there when the menu is expanded.

Fix/add auto-focus on the first input fields on the Add/Edit Post, all taxonomy, all edit taxonomy, Log In and Edit Comment screens.

See #21340.

git-svn-id: http://core.svn.wordpress.org/trunk@21311 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-07-24 00:15:15 +00:00
azaozz bba9c91990 Responsive columns on the dashboard and write screens, first run, see #20015
git-svn-id: http://svn.automattic.com/wordpress/trunk@20272 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-03-23 21:41:00 +00:00
nacin 8c841df86d Revert type="email" (HTML5) as some browsers that do validation on these fields do not work for IDN domains yet. Core does not support these well either, but server-side validation can at least be dealt with by a plugin. see #17863.
git-svn-id: http://svn.automattic.com/wordpress/trunk@20196 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-03-15 18:09:14 +00:00
azaozz f3b63e4537 Set proper HTML5 input types in the admin, props georgestephanis, fixes #17863
git-svn-id: http://svn.automattic.com/wordpress/trunk@20168 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-03-10 01:23:48 +00:00
nacin 13be6d8fb9 In miscellaneous publishing actions, use :last-child instead of a separate misc-pub-section-last class to control borders. Allows for sane use of the post_submitbox_misc_actions hook. (Actually uses :first-child for browser compat reasons.) fixes #19604.
git-svn-id: http://svn.automattic.com/wordpress/trunk@20077 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-03-02 19:52:23 +00:00
westi a1d2e646ab Make sure to echo out the comment_post_ID when building the edit comment form otherwise the post comment counts will get out of sync. Fixes #20108 props dllh.
git-svn-id: http://svn.automattic.com/wordpress/trunk@19981 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-02-23 18:16:46 +00:00
duck_ f17cb006cf Remove extraneous single quote. Props garyc40. Fixes #19801.
git-svn-id: http://svn.automattic.com/wordpress/trunk@19731 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-01-11 23:35:35 +00:00
nacin d39a1d4b1b Remove dead variables and strings from edit-form-comment. props ocean90, fixes #19481.
git-svn-id: http://svn.automattic.com/wordpress/trunk@19612 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-12-20 21:39:46 +00:00