* Code editor is integrated into the Theme/Plugin Editor, Additional CSS in Customizer, and Custom HTML widget. Code editor is not yet integrated into the post editor, and it may not be until accessibility concerns are addressed.
* The CodeMirror component in the Custom HTML widget is integrated in a similar way to TinyMCE being integrated into the Text widget, adopting the same approach for integrating dynamic JavaScript-initialized fields.
* Linting is performed for JS, CSS, HTML, and JSON via JSHint, CSSLint, HTMLHint, and JSONLint respectively. Linting is not yet supported for PHP.
* When user lacks `unfiltered_html` the capability, the Custom HTML widget will report any Kses-invalid elements and attributes as errors via a custom Kses rule for HTMLHint.
* When linting errors are detected, the user will be prevented from saving the code until the errors are fixed, reducing instances of broken websites.
* The placeholder value is removed from Custom CSS in favor of a fleshed-out section description which now auto-expands when the CSS field is empty. See #39892.
* The CodeMirror library is included as `wp.CodeMirror` to prevent conflicts with any existing `CodeMirror` global.
* An `wp.codeEditor.initialize()` API in JS is provided to convert a `textarea` into CodeMirror, with a `wp_enqueue_code_editor()` function in PHP to manage enqueueing the assets and settings needed to edit a given type of code.
* A user preference is added to manage whether or not "syntax highlighting" is enabled. The feature is opt-out, being enabled by default.
* Allowed file extensions in the theme and plugin editors have been updated to include formats which CodeMirror has modes for: `conf`, `css`, `diff`, `patch`, `html`, `htm`, `http`, `js`, `json`, `jsx`, `less`, `md`, `php`, `phtml`, `php3`, `php4`, `php5`, `php7`, `phps`, `scss`, `sass`, `sh`, `bash`, `sql`, `svg`, `xml`, `yml`, `yaml`, `txt`.
Props westonruter, georgestephanis, obenland, melchoyce, pixolin, mizejewski, michelleweber, afercia, grahamarmfield, samikeijonen, rianrietveld, iseulde.
See #38707.
Fixes#12423, #39892.
Built from https://develop.svn.wordpress.org/trunk@41376
git-svn-id: http://core.svn.wordpress.org/trunk@41209 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds this previously Multisite-only functionality to single site installations too. This change prevents accidental or erroneous email address changes from potentially locking users out of their account.
Props rodrigosprimo, tharsheblows, johnbillion
Fixes#16470
Built from https://develop.svn.wordpress.org/trunk@41163
git-svn-id: http://core.svn.wordpress.org/trunk@41003 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously there was no way to remove the user locale setting again, even though that might be desirable.
This adds a new 'Site Default' option to the user-specific language setting by introducing a new `show_site_locale_default` argument to `wp_dropdown_languages()`.
Props ocean90.
See #29783.
Fixes#38632.
Built from https://develop.svn.wordpress.org/trunk@39169
git-svn-id: http://core.svn.wordpress.org/trunk@39109 1a063a9b-81f0-0310-95a4-ce76da25c4cd
By enabling the user to select their preferred locale when editing the profile, we allow for greater personalization of the WordPress admin and therefore a better user experience.
The back end will be displayed in the user's individual locale while the locale used on the front end equals the one set for the whole site. If the user didn't specify a locale, the site's locale will be used as a fallback. The new `locale` property of the `WP_User` class can be used to retrieve the user's locale setting.
Props ocean90, ipm-frommen, swissspidy.
Fixes#29783.
Built from https://develop.svn.wordpress.org/trunk@38705
git-svn-id: http://core.svn.wordpress.org/trunk@38648 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduces some consistency in the usage of the button CSS classes, fixes the
focus style for accessibility and responsiveness of the buttons.
- Adds the `button` class to all primary buttons make them responsive
- Removes all `secondary-button` classes and replaces it with button when needed. `button-secondary` shouldn't be used and exists just for backward compatibility reasons
- Replaces classes inside `submit_button()` with a shorthand for some buttons, and use an empty string for the default `button` class. Passing `button` is unnecessary
- Adjusts `get_submit_button()` to remove empty items
Props iseulde, dimchik, chris_d2d, mhowell, afercia.
Fixes#27314, #37138, #37448.
Built from https://develop.svn.wordpress.org/trunk@38672
git-svn-id: http://core.svn.wordpress.org/trunk@38615 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Prevents JavaScript errors by checking zxcvbn is defined before calling.
Changes `wp.passwordStrength.meter()` to return `-1` if the strength of the password is unknown.
On the user profile screen, `generatePassword()` checks if the user has entered the password before setting the value of the password input box.
Props peterwilsoncc, adamsilverstein.
Fixes#34905.
Built from https://develop.svn.wordpress.org/trunk@37940
git-svn-id: http://core.svn.wordpress.org/trunk@37881 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The new format looks like "Sorry, you are not allowed to <action>.". This provides a consistent experience for all error messages related to missing permissions. It also reduces the number of similar strings and allows translators to provide a consistent style in their language.
Props ramiy, Presskopp.
Fixes#34521.
Built from https://develop.svn.wordpress.org/trunk@37914
git-svn-id: http://core.svn.wordpress.org/trunk@37855 1a063a9b-81f0-0310-95a4-ce76da25c4cd
To prevent inconsistent data across sites in a network the new email address is now stored in usermeta. Adds visual feedback for the case when an update has failed.
All existing options will be removed on a database upgrade.
Props MikeHansenMe, kovshenin, jeremyfelt, ocean90.
Fixes#23358.
Built from https://develop.svn.wordpress.org/trunk@36679
git-svn-id: http://core.svn.wordpress.org/trunk@36646 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `_network_option()` parameter order will be changing to accept `$network_id` first. The `_site_option()` functions will remain in use throughout core as our way of retrieving a network option for the current network.
See #28290.
Built from https://develop.svn.wordpress.org/trunk@34912
git-svn-id: http://core.svn.wordpress.org/trunk@34877 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Ongoing effort to restore a good headings hierarchy in the admin screens after the reintroduction of the missing main `<h1>` in [32974].
Fix a typo in the DocBlock for the `additional_capabilities_display` filter.
Props metodiew.
Fixes#33606. See #31650.
Built from https://develop.svn.wordpress.org/trunk@33909
git-svn-id: http://core.svn.wordpress.org/trunk@33878 1a063a9b-81f0-0310-95a4-ce76da25c4cd
First step towards restoring a good heading structure in wp-admin.
The previous `<h1>` contained the site title and a link to the front page and was removed with the toolbar refactoring in 3.2.
Props joedolson, afercia.
Fixes#31650.
Built from https://develop.svn.wordpress.org/trunk@32974
git-svn-id: http://core.svn.wordpress.org/trunk@32945 1a063a9b-81f0-0310-95a4-ce76da25c4cd
These no longer return upon refreshing the page when JS is on and working, so users should be able to dismiss them. This is particularly important on the post edit screen when DFW is triggered, but pretty much all notices can be dismissed if needed. A post on Make/Core will follow with information on how this can be leveraged in plugins.
props valendesigns, afercia, paulwilde, adamsilverstein, helen.
fixes#31233. see #23367.
Built from https://develop.svn.wordpress.org/trunk@31973
git-svn-id: http://core.svn.wordpress.org/trunk@31952 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, if “No role on this site” was assigned to a user AND that user did not have an empty role array stored for the site, the `$blog_prefix . ‘capabilities’` meta for that user would be deleted completely after changes to the user were saved. Any custom capabilities stored (i.e. `$user->add_role()`) would be removed as well.
This removes the code controlling the old WPMU handling of “no role” and allows custom stored capabilities to remain. Users with no role and custom capabilities will now appear in the users list table with “None” as the role.
In the process we’re able to better clarify the multisite specific pieces that do occur.
Props PeteMall, jeremyfelt.
Fixes#18934.
Built from https://develop.svn.wordpress.org/trunk@31516
git-svn-id: http://core.svn.wordpress.org/trunk@31497 1a063a9b-81f0-0310-95a4-ce76da25c4cd
By not setting this attribute, the buttons default to submit and as the first
submit button on the page, it causes pressing the enter key to log you out of
all sessions. This change restores the pre 4.1 behavior where pressing enter
while focused on a form field submits the form.
props ocean90
fixes#30871 for trunk
Built from https://develop.svn.wordpress.org/trunk@31010
git-svn-id: http://core.svn.wordpress.org/trunk@30991 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Chrome now ignores `autocomplete="off"` in <input>, so this hack uses
a hidden, non-named, non-empty input, right before the password field.
see #24364. props azaozz, nacin, bobbingwide, aaroncampbell.
git-svn-id: http://core.svn.wordpress.org/trunk@24552 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.
Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.
Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.
Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.
Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.
Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.
Plugins should use wp_unslash() on data being passed to core API.
Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.
Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.
Remove many no longer necessary calls to $wpdb->escape() and esc_sql().
In wp_get_referer() and wp_get_original_referer(), return unslashed data.
Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.
Switch several queries over to prepare().
Expect something to break.
Props alexkingorg
see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
"selected" role passed into it on the user-edit screen is editable.
props johnjamesjacoby. see #22361.
git-svn-id: http://core.svn.wordpress.org/trunk@22687 1a063a9b-81f0-0310-95a4-ce76da25c4cd