Commit Graph

250 Commits

Author SHA1 Message Date
Gary Pendergast 2c3205bb84 KSES: Add options for restricting tags based upon their attributes.
This change adds two now attribute-related config options to KSES:
- An array of allowed values can be defined for attributes. If the attribute value doesn't fall into the list, the attribute will be removed from the tag.
- Attributes can be marked as required. If a required attribute is not present, KSES will remove all attributes from the tag. As KSES doesn't match opening and closing tags, it's not possible to safely remove the tag itself, the safest fallback is to strip all attributes from the tag, instead.

Included with this change is an implementation of these options, allowing the `<object>` tag to be stored in posts, but only when it has a `type` attribute set to `application/pdf`.

Props pento, swissspidy, peterwilsoncc, dd32, jorbin.
Fixes #54261.


Built from https://develop.svn.wordpress.org/trunk@51963


git-svn-id: http://core.svn.wordpress.org/trunk@51552 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-01 02:13:56 +00:00
Sergey Biryukov 15e552e105 Docs: Move `@since` notes from the `safe_style_css` filter to the `safecss_filter_attr()` function.
The filter allows to modify the list of allowed CSS attributes, however support for specific CSS attributes is added to the function rather than the filter.

Follow-up to [37931], [38121], [42880], [44136], [44531], [45242], [45363], [46235], [46793], [50634], [50923].

Props tmatsuur, muhammadfaizanhaidar, sabernhardt.
Fixes #53731.
Built from https://develop.svn.wordpress.org/trunk@51729


git-svn-id: http://core.svn.wordpress.org/trunk@51335 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-09-03 01:37:57 +00:00
John Blackbourn 52d6bd3529 Security: Correct the inline docs for the `wp_kses_allowed_html` filter.
Props peterwilsoncc

Fixes #53597

Built from https://develop.svn.wordpress.org/trunk@51675


git-svn-id: http://core.svn.wordpress.org/trunk@51281 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-26 19:28:57 +00:00
Sergey Biryukov 72acd346a2 Coding Standards: Fix incorrect comment indent in `safecss_filter_attr()`.
Props jrf.
See #53359.
Built from https://develop.svn.wordpress.org/trunk@51550


git-svn-id: http://core.svn.wordpress.org/trunk@51161 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-05 12:59:58 +00:00
John Blackbourn ea60cd8191 Docs: Descriptive improvements and corrections for various docblocks.
See #53399

Built from https://develop.svn.wordpress.org/trunk@51300


git-svn-id: http://core.svn.wordpress.org/trunk@50909 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-07-01 21:12:58 +00:00
desrosj 836b5ad7c7 Coding Standards: Apply some minor coding standards adjustments.
Follow up to [50977], [50987], and [50995].

See #41683, #53156, #53175.
Built from https://develop.svn.wordpress.org/trunk@51007


git-svn-id: http://core.svn.wordpress.org/trunk@50616 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-25 17:43:57 +00:00
Aaron Jorbin b6b98b8e2d Formatting: Add 'main' tag to kses
`main` is a valid HTML element that is especially valuable for KSES to support in light of full site editing.

Related: https://github.com/WordPress/gutenberg/pull/28576 for the addition of `main` to the group block.

Fixes #53156.
Props glendaviesnz.


Built from https://develop.svn.wordpress.org/trunk@50987


git-svn-id: http://core.svn.wordpress.org/trunk@50596 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-25 01:43:55 +00:00
Sergey Biryukov b8487747b8 KSES: Allow `calc()` and `var()` values to be used in inline CSS.
Props aristath, displaynone, joyously, olafklejnstrupjensen, sabernhardt, jamesbonham, poena.
Fixes #46197, #46498.
Built from https://develop.svn.wordpress.org/trunk@50923


git-svn-id: http://core.svn.wordpress.org/trunk@50532 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-17 21:04:59 +00:00
Sergey Biryukov ac943f171a KSES: Remove duplicate `object-position` property.
As part of some recent changes, the property was added to the list of safe CSS properties twice.

Follow-up to [50634], [50761].

See #52991.
Built from https://develop.svn.wordpress.org/trunk@50922


git-svn-id: http://core.svn.wordpress.org/trunk@50531 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-17 20:48:01 +00:00
gziolo ad48a15387 Editor: Update WordPress packages to use with WordPress 5.8
In the response to the discussion during the Dev Chat, I'm doing a first pass to keep WordPress packages up to date in the WordPress 5.8 release cycle.

See https://github.com/WordPress/wordpress-develop/pull/1176 for more details.

Props youknowriad, aristath, andraganescu.
See #52991.


Built from https://develop.svn.wordpress.org/trunk@50761


git-svn-id: http://core.svn.wordpress.org/trunk@50370 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-04-15 15:19:43 +00:00
Sergey Biryukov 526dfa8b12 KSES: Add `object-position` to the list of safe CSS properties.
This resolves an issue with the Cover block, where the `object-position` property is removed from the content when a non-admin user saves the post, leading to block recovery loop.

Props Mamaduka, aristath.
Fixes #52961.
Built from https://develop.svn.wordpress.org/trunk@50634


git-svn-id: http://core.svn.wordpress.org/trunk@50246 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-04-02 12:41:09 +00:00
John Blackbourn dfe1f9b322 Docs: Promote many `bool` types to `true` or `false` where only that value is used.
See #51800

Built from https://develop.svn.wordpress.org/trunk@49927


git-svn-id: http://core.svn.wordpress.org/trunk@49626 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-03 22:04:04 +00:00
Sergey Biryukov 5770b676b0 Docs: Correct an example in `wp_kses_normalize_entities()` description.
Props ediamin.
Fixes #51620.
Built from https://develop.svn.wordpress.org/trunk@49304


git-svn-id: http://core.svn.wordpress.org/trunk@49066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-25 00:14:05 +00:00
John Blackbourn 1fbcdb2213 Docs: Various corrections to inline docblocks.
See #49572
Built from https://develop.svn.wordpress.org/trunk@48573


git-svn-id: http://core.svn.wordpress.org/trunk@48335 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-23 00:48:06 +00:00
whyisjake daace832e3 Media: Add "loading" as an allowed kses image attribute
With loading="lazy" being added to all images in [47554], let's ensure that it passes kses attributes too.

Fixes #50731.
Props TimothyBlynJacobs, peterwilsoncc, azaozz. 


Built from https://develop.svn.wordpress.org/trunk@48572


git-svn-id: http://core.svn.wordpress.org/trunk@48334 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-23 00:44:04 +00:00
Sergey Biryukov 0ce2ddce47 Docs: Synchronize description for the `$allowed_html` parameter of various KSES functions.
Follow-up to [43016].

Props Christian1012, jdgrimes, markparnell.
Fixes #39542. See #33801.
Built from https://develop.svn.wordpress.org/trunk@48478


git-svn-id: http://core.svn.wordpress.org/trunk@48247 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-14 12:41:03 +00:00
Sergey Biryukov 3336009e34 Docs: Replace "html" and "xhtml" instances in DocBlocks and comments with "HTML" and "XHTML".
This ensures consistent capitalization where appropriate.

Props navidos, desrosj.
Fixes #50473.
Built from https://develop.svn.wordpress.org/trunk@48199


git-svn-id: http://core.svn.wordpress.org/trunk@47968 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-28 14:02:06 +00:00
Sergey Biryukov c892c420b7 Docs: Miscellaneous DocBlock corrections.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@48198


git-svn-id: http://core.svn.wordpress.org/trunk@47967 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-28 11:53:04 +00:00
Sergey Biryukov 5e7dfff3a0 Docs: Use sentence case for comments in `tests/kses.php`, per the documentation standards.
Follow-up to [48132].

See #49464, #49572.
Built from https://develop.svn.wordpress.org/trunk@48139


git-svn-id: http://core.svn.wordpress.org/trunk@47908 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-23 11:11:10 +00:00
whyisjake 446d06c45d Formatting: Extend `wp_kses_hair` and `wp_kses_hair_parse` to allow digits and underscores.
Fixes a lot of issues around parsing XML/HTML attributes.

Fixes #49464.

See #34406, #48608.

Props codeforest, zodiac1978, johnpgreen, dlh, ayeshrajans, johnpgreen, rilwis, travisnorthcutt, miqrogroove, chriscct7, whyisjake.

Built from https://develop.svn.wordpress.org/trunk@48132


git-svn-id: http://core.svn.wordpress.org/trunk@47901 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-23 05:07:11 +00:00
desrosj 4b60af1a6a General: Remove “whitelist” and “blacklist” in favor of more clear and inclusive language.
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”

With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).

Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.

Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.

Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes #50413.
Built from https://develop.svn.wordpress.org/trunk@48121


git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-22 17:26:13 +00:00
Sergey Biryukov e13c363b17 Docs: Capitalize "ID", when referring to a post ID, term ID, etc. in a more consistent way.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@48104


git-svn-id: http://core.svn.wordpress.org/trunk@47873 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-20 12:02:12 +00:00
Adam Silverstein 810e9c3c2b Formatting: new filter `safecss_filter_attr_allow_css` on css parts.
Enables developers to determine whether a section of CSS should be allowed or discarded. By default, the value will be false if the part contains \ ( & } = or comments. Returning true allows the CSS part to be included in the output.

Replaces the `safe_style_disallowed_chars` filter introduced in r47891.

Props azaozz.
Fixes #37134.


Built from https://develop.svn.wordpress.org/trunk@48086


git-svn-id: http://core.svn.wordpress.org/trunk@47853 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-18 21:01:11 +00:00
Pascal Birchler 609dd1d14f Sitemaps: Add XML sitemaps functionality to WordPress.
While web crawlers are able to discover pages from links within the site and from other sites, XML sitemaps supplement this approach by allowing crawlers to quickly and comprehensively identify all URLs included in the sitemap and learn other signals about those URLs using the associated metadata.

See https://make.wordpress.org/core/2020/06/10/merge-announcement-extensible-core-sitemaps/ for more details.

This feature exposes the sitemap index via `/wp-sitemap.xml` and exposes a variety of new filters and hooks for developers to modify the behavior. Users can disable sitemaps completely by turning off search engine visibility in WordPress admin.

This change also introduces a new `esc_xml()` function to escape strings for output in XML, as well as XML support to `wp_kses_normalize_entities()`.

Props Adrian McShane, afragen, adamsilverstein, casiepa, flixos90, garrett-eclipse, joemcgill, kburgoine, kraftbj, milana_cap, pacifika, pbiron, pfefferle, Ruxandra Gradina, swissspidy, szepeviktor, tangrufus, tweetythierry.
Fixes #50117.
See #3670. See #19998.

Built from https://develop.svn.wordpress.org/trunk@48072


git-svn-id: http://core.svn.wordpress.org/trunk@47839 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-17 15:24:07 +00:00
Sergey Biryukov 72b5018aa3 Docs: Miscellaneous DocBlock corrections.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@47892


git-svn-id: http://core.svn.wordpress.org/trunk@47666 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-03 10:02:13 +00:00
Adam Silverstein 86b50870ec Formatting: add a new 'safe_style_disallowed_chars' filter.
Enable developers to change the regex used in `safecss_filter_attr` to limit characters in the parsed CSS.

Props paulschreiber, swissspidy, rmccue, bartekcholewa, miinasikk.
Fixes #37134.


Built from https://develop.svn.wordpress.org/trunk@47891


git-svn-id: http://core.svn.wordpress.org/trunk@47665 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-02 23:46:11 +00:00
Peter Wilson 39babb4dfb KSES: Support the `video` element's `playsinline` attribute.
Allow users without the `unfiltered_html` capability to use the `playsinline` attribute when embedding videos.

Additionally this adds unit tests for passing the video element through kses.

Fixes #50167. See #29826.

Built from https://develop.svn.wordpress.org/trunk@47837


git-svn-id: http://core.svn.wordpress.org/trunk@47613 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-05-21 04:54:11 +00:00
Sergey Biryukov 7932193708 Coding Standards: Use strict comparison where static strings are involved.
This reduces the number of `WordPress.PHP.StrictComparisons.LooseComparison` issues in half, from 1897 to 890.

Includes minor code layout fixes for better readability.

See #49542.
Built from https://develop.svn.wordpress.org/trunk@47808


git-svn-id: http://core.svn.wordpress.org/trunk@47584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-05-16 18:42:12 +00:00
Sergey Biryukov 38676936ba Coding Standards: Use strict type check for `in_array()` and `array_search()` where strings are involved.
This reduces the number of `WordPress.PHP.StrictInArray.MissingTrueStrict` issues from 486 to 50.

Includes minor code layout fixes for better readability.

See #49542.
Built from https://develop.svn.wordpress.org/trunk@47550


git-svn-id: http://core.svn.wordpress.org/trunk@47325 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-05 03:02:11 +00:00
Sergey Biryukov 641c632b0c Coding Standards: Use Yoda conditions where appropriate.
See #49222.
Built from https://develop.svn.wordpress.org/trunk@47219


git-svn-id: http://core.svn.wordpress.org/trunk@47019 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-02-09 16:55:09 +00:00
Sergey Biryukov 001ffe81fb Docs: Improve inline comments per the documentation standards.
Includes minor code layout fixes for better readability.

See #48303.
Built from https://develop.svn.wordpress.org/trunk@47122


git-svn-id: http://core.svn.wordpress.org/trunk@46922 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-29 00:45:18 +00:00
Sergey Biryukov 1b675c6e4a Formatting: Return early from `wp_kses_attr_check()` if the element is not in the list of allowed elements and attributes.
Props krynes, tristanleboss.
Fixes #48549.
Built from https://develop.svn.wordpress.org/trunk@46959


git-svn-id: http://core.svn.wordpress.org/trunk@46759 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-14 15:53:06 +00:00
whyisjake 84e4c8531a Update `wp_kses_bad_protocol()` to recognize `&colon;` on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Props: xknown, nickdaugherty, peterwilsoncc.

Built from https://develop.svn.wordpress.org/trunk@46895


git-svn-id: http://core.svn.wordpress.org/trunk@46695 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 17:55:05 +00:00
Sergey Biryukov 7acfab22b8 KSES: Add support for gradient backgrounds.
Props jorgefilipecosta.
Fixes #48376.
Built from https://develop.svn.wordpress.org/trunk@46793


git-svn-id: http://core.svn.wordpress.org/trunk@46593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-11-28 00:29:02 +00:00
John Blackbourn f545bb3f63 Docs: Improve documentation of known return types, plus other docs fixes.
See #48303

Built from https://develop.svn.wordpress.org/trunk@46660


git-svn-id: http://core.svn.wordpress.org/trunk@46460 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-11-05 21:23:02 +00:00
Peter Wilson 428600fb93 KSES: Add support for modern layout techniques in `style` attribute.
Adds support for `flex`, `grid` and `column` layout techniques to the list of CSS attributes considered safe for inline CSS. The `\` character and CSS functions, eg `minmax()` are not yet supported.

Extends support of `border` properties to include `border-radius` and individual `background` properties to include all those implicitly supported by the shorthand attribute.

Props mrahmadawais, marybaum, birgire, peterwilsoncc, azaozz.
Fixes #37248.
See #47367.

Built from https://develop.svn.wordpress.org/trunk@46235


git-svn-id: http://core.svn.wordpress.org/trunk@46047 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-22 22:17:57 +00:00
desrosj 30ac675795 Fix for URL sanitization that can lead to cross-site scripting (XSS) attacks.
Props irsdl, sstoqnov, whyisjake.
Built from https://develop.svn.wordpress.org/trunk@45997


git-svn-id: http://core.svn.wordpress.org/trunk@45808 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:52:56 +00:00
Gary Pendergast 4803fc405e Coding Standards: Fix the `Squiz.PHP.DisallowMultipleAssignments` violations in `wp-includes`.
See #47632.


Built from https://develop.svn.wordpress.org/trunk@45590


git-svn-id: http://core.svn.wordpress.org/trunk@45401 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-07-02 23:42:58 +00:00
Peter Wilson 460e256026 KSES: Add `flex` and related long form properties to safe CSS.
Allow `flex`, `flex-grow`, `flex-shrink` and `flex-basis` to be used in inline CSS. As of WordPress 5.3 the block editor is expected to use `flex-basis` inline to set the width in the column block.

Props aduth.
Fixes #47281.
See #37248.


Built from https://develop.svn.wordpress.org/trunk@45363


git-svn-id: http://core.svn.wordpress.org/trunk@45174 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-05-18 04:34:52 +00:00
Gary Pendergast 4325de4629 KSES: Add `background-position` and `grid-template-columns` as safe CSS properties.
Props aduth.
Fixes #46597.


Built from https://develop.svn.wordpress.org/trunk@45242


git-svn-id: http://core.svn.wordpress.org/trunk@45051 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-04-18 05:56:51 +00:00
desrosj 72098048c6 Docs: Update `since` annotation for `text-transform` support in `safecss_filter_attr()`.
Introduced in [42880].

Fixes #42729.
Built from https://develop.svn.wordpress.org/trunk@44531


git-svn-id: http://core.svn.wordpress.org/trunk@44362 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-01-10 01:43:49 +00:00
desrosj 8cb7058273 PHPCS: Fix alignment issues.
This fixes some array alignment issues introduced in [44293].
Built from https://develop.svn.wordpress.org/trunk@44294


git-svn-id: http://core.svn.wordpress.org/trunk@44124 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-18 16:58:48 +00:00
desrosj 164452f942 KSES: Conditionally remove the `<form>` element from `$allowedposttags`.
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.

Merges [43994] to trunk.
Built from https://develop.svn.wordpress.org/trunk@44293


git-svn-id: http://core.svn.wordpress.org/trunk@44123 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-18 16:46:48 +00:00
iandunn 614df6b5cc KSES: Make the URI attributes DRY.
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.

Merges [44014] and [44017] to `trunk`.

Built from https://develop.svn.wordpress.org/trunk@44207


git-svn-id: http://core.svn.wordpress.org/trunk@44037 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-15 11:18:25 +00:00
Gary Pendergast e740c695e6 KSES: Allow the `download` attribute on `<a>` tags.
To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.

Merges [43813] from the 5.0 branch to trunk.

Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
Fixes #44724.


Built from https://develop.svn.wordpress.org/trunk@44156


git-svn-id: http://core.svn.wordpress.org/trunk@43986 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-14 03:28:38 +00:00
Gary Pendergast 1947e4424a KSES: Allow `url()` to be used in inline CSS.
The cover image block uses the `url()` function in its inline CSS, to show the cover image. KSES didn't allow this, causing the block to not save correctly for Author and Contributor users. As KSES does already check each attribute name against an allowed list, we're able to add an extra check for certain attributes to be able to use the `url()` function, too.

Merges [43781] from the 5.0 branch to core.

Props peterwilsoncc, azaozz, pento, dd32.
Fixes #45067.


Built from https://develop.svn.wordpress.org/trunk@44136


git-svn-id: http://core.svn.wordpress.org/trunk@43966 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-14 01:41:36 +00:00
Jeremy Felt 32e9dea3ea KSES: Add selected ARIA attributes support.
Allow low-privileged users to use the ARIA attributes `aria-describedby`, `aria-details`, `aria-label`, `aria-labelledby` and `aria-hidden`.

Merges [43731] to trunk.

Props mattheu, swissspidy, rianrietveld, afercia, GaryJ.
See #30421.

Built from https://develop.svn.wordpress.org/trunk@43984


git-svn-id: http://core.svn.wordpress.org/trunk@43816 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 03:15:24 +00:00
Jeremy Felt a0309e80b6 KSES: Allow HTML data-* attributes.
Add global support for HTML attributes prefixed `data-` for authors and contributors, as required by the new editor.

Merges [43727] to trunk.

Props azaozz, peterwilsoncc.
Fixes #33121.

Built from https://develop.svn.wordpress.org/trunk@43981


git-svn-id: http://core.svn.wordpress.org/trunk@43813 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 02:39:25 +00:00
Gary Pendergast 56c162fbc9 Coding Standards: Upgrade WPCS to 1.0.0
WPCS 1.0.0 includes a bunch of new auto-fixers, which drops the number of coding standards issues across WordPress significantly. Prior to running the auto-fixers, there were 15,312 issues detected. With this commit, we now drop to 4,769 issues.

This change includes three notable additions:
- Multiline function calls must now put each parameter on a new line.
- Auto-formatting files is now part of the `grunt precommit` script. 
- Auto-fixable coding standards issues will now cause Travis failures.

Fixes #44600.


Built from https://develop.svn.wordpress.org/trunk@43571


git-svn-id: http://core.svn.wordpress.org/trunk@43400 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-08-17 01:51:36 +00:00
John Blackbourn 4ccca7a835 Formatting: Begin the process of improving the docs for KSES related functions.
See #33801

Built from https://develop.svn.wordpress.org/trunk@43016


git-svn-id: http://core.svn.wordpress.org/trunk@42845 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-28 13:58:21 +00:00
Sergey Biryukov 0e9549d424 Formatting: Permit use of `text-transform` in `safecss_filter_attr()`.
Add unit tests for `safecss_filter_attr()`.

Props birgire, juiiee8487, danielbachhuber.
Fixes #42729.
Built from https://develop.svn.wordpress.org/trunk@42880


git-svn-id: http://core.svn.wordpress.org/trunk@42710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-03-27 00:54:34 +00:00
Sergey Biryukov 8a701e5b3f Formatting: Avoid a PHP 7.2 warning in `wp_kses_attr()` when one of `$allowedtags` elements is an uncountable value.
Props andrei0x309, soulseekah, SergeyBiryukov.
Fixes #43312.
Built from https://develop.svn.wordpress.org/trunk@42860


git-svn-id: http://core.svn.wordpress.org/trunk@42690 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-03-20 21:35:31 +00:00
Sergey Biryukov 5d1e06f939 Docs: Move inline comments in `wp_kses_split2()` before the blocks they apply to.
See #42505.
Built from https://develop.svn.wordpress.org/trunk@42712


git-svn-id: http://core.svn.wordpress.org/trunk@42540 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-02-14 11:46:33 +00:00
Gary Pendergast aaf99e6913 Code is Poetry.
WordPress' code just... wasn't.
This is now dealt with.

Props jrf, pento, netweb, GaryJ, jdgrimes, westonruter, Greg Sherwood from PHPCS, and everyone who's ever contributed to WPCS and PHPCS.
Fixes #41057.


Built from https://develop.svn.wordpress.org/trunk@42343


git-svn-id: http://core.svn.wordpress.org/trunk@42172 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-30 23:11:00 +00:00
Gary Pendergast 882db52bdd General: Add inline PHPCS options to leave regex indentation.
We have a handful of super long regexen that are written over multiple lines, as a collection of strings concatenated together. Each string is indented appropriately for the regex, but PHPCS doesn't recognised this, so defaults to removing the extra whitespace.

Disabling the `Squiz.Strings.ConcatenationSpacing.PaddingFound` rule for these blocks stops the extra whitespace from being removed.

See #41057.


Built from https://develop.svn.wordpress.org/trunk@42249


git-svn-id: http://core.svn.wordpress.org/trunk@42078 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-28 04:24:57 +00:00
Gary Pendergast c90cfa3b50 General: Fix some precision alignment formatting warnings.
The WPCS `WordPress.WhiteSpace.PrecisionAlignment` rule throws warnings for a bunch of code that will likely cause issues for `wpcbf`. Fixing these manually beforehand gives us better auto-fixed results later.

See #41057.


Built from https://develop.svn.wordpress.org/trunk@42228


git-svn-id: http://core.svn.wordpress.org/trunk@42057 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-26 23:57:55 +00:00
Drew Jaynes 474711aac1 Docs: Adjust notation for the `$context` parameter in the DocBlocks for the `wp_kses_allowed_html()` function and its associated `wp_kses_allowed_html` filter.
`$context|$allowedtags` can be either a string or array.

Props bor0.
Fixes #40575.

Built from https://develop.svn.wordpress.org/trunk@40950


git-svn-id: http://core.svn.wordpress.org/trunk@40800 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-06-25 22:16:40 +00:00
Dominik Schilling 77858f4b92 KSES: Support `'tag' => true` as a shorthand for `'tag' => array()` in `wp_kses_attr()`.
`Automatic_Upgrader_Skin::feedback()` had always assumed that this is already the case, now it is.

See #20017.
Fixes #40680.
Built from https://develop.svn.wordpress.org/trunk@40637


git-svn-id: http://core.svn.wordpress.org/trunk@40498 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-11 19:23:43 +00:00
John Blackbourn d327c92e4b Docs: Add and correct `@since` docs for a variety of functions and methods.
Props keesiemeijer, chris_dev
Fixes #39343, #39357, #39344
See #39130

Built from https://develop.svn.wordpress.org/trunk@39638


git-svn-id: http://core.svn.wordpress.org/trunk@39578 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-12-27 09:21:44 +00:00
Gary Pendergast 456f8015b7 KSES: Deprecate `wp_kses_js_entities()`.
This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.


Built from https://develop.svn.wordpress.org/trunk@38785


git-svn-id: http://core.svn.wordpress.org/trunk@38728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-13 22:25:31 +00:00
Aaron Jorbin dd983343d3 Formatting: Allow KSES custom elements with hyphens
The W3C Custom Elements spec (http://www.w3.org/TR/custom-elements/#concepts) allows you to use your own custom DOM elements/tags. One of the main requirements is that the tag name "must contain a U+002D HYPHEN-MINUS character". This adjusts KSES to allow it.

Fixes #34105.
Props batmoo.


Built from https://develop.svn.wordpress.org/trunk@38511


git-svn-id: http://core.svn.wordpress.org/trunk@38452 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-02 04:16:28 +00:00
Drew Jaynes 6cc13f0c54 Docs: Fix formatting, tense, verb conjugation, and other syntax for wp-includes/* elements introduced or changed in 4.6.
Part 1/2.

See #37318.

Built from https://develop.svn.wordpress.org/trunk@38121


git-svn-id: http://core.svn.wordpress.org/trunk@38062 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-20 16:57:32 +00:00
Drew Jaynes 5e467a2774 Docs: Add changelog entries to the hook doc for the `safe_style_css` filter denoting recent CSS attribute additions.
* `min-height`, `max-height`, `min-width`, and `max-width` were added in 4.4, see [33739].
* `list-style-type` was added in 4.6, see [37898].

See #35877. See #32246.

Built from https://develop.svn.wordpress.org/trunk@37931


git-svn-id: http://core.svn.wordpress.org/trunk@37872 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-30 17:02:30 +00:00
Jeremy Felt 571f70c60a KSES: Add `list-style-type` to the list of allowed CSS attributes.
Props azaozz.
Fixes #35877.

Built from https://develop.svn.wordpress.org/trunk@37898


git-svn-id: http://core.svn.wordpress.org/trunk@37839 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-28 22:10:31 +00:00
Jeremy Felt d9d7e5fa63 KSES: Adjust the list of safecss attributes for readability.
Props azaozz.
See #35877.

Built from https://develop.svn.wordpress.org/trunk@37897


git-svn-id: http://core.svn.wordpress.org/trunk@37838 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-28 22:06:31 +00:00
Drew Jaynes d28f1a08ef Docs: Apply inline `@see` tags to hooks referenced in DocBlocks in a variety of wp-includes/* files.
Applying these specially-crafted `@see` tags allows the Code Reference parser to recognize and link these elements as actions and filters.

See #36921.

Built from https://develop.svn.wordpress.org/trunk@37543


git-svn-id: http://core.svn.wordpress.org/trunk@37511 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-23 19:01:27 +00:00
Drew Jaynes 9cb5247392 Docs: Standardize filter docs in remaining wp-includes/* files to use third-person singular verbs per the inline documentation standards for PHP.
See #36913.

Built from https://develop.svn.wordpress.org/trunk@37518


git-svn-id: http://core.svn.wordpress.org/trunk@37486 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 18:50:28 +00:00
Drew Jaynes fe3b007fdd Docs: Remove inline `@see` tags from function, class, and method references in inline docs.
Known functions, classes, and methods are now auto-linked in Code Reference pages following #meta1483.

Note: Hook references are still linked via inline `@see` tags due to the unlikelihood of reliably matching for known hooks based on a RegEx pattern.

See #32246.

Built from https://develop.svn.wordpress.org/trunk@37342


git-svn-id: http://core.svn.wordpress.org/trunk@37308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-02 04:00:28 +00:00
Drew Jaynes 6a94d3e2e3 Docs: Use the correct parameter name in the DocBlock for `wp_kses_post_deep()`, introduced in [36429].
Props sebastianpisula.
Fixes #35700. See #35316.

Built from https://develop.svn.wordpress.org/trunk@36489


git-svn-id: http://core.svn.wordpress.org/trunk@36456 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-07 00:18:26 +00:00
Dominik Schilling cd892b86b4 Media: In `wp_read_image_metadata()` make sure that IPTC keywords are UTF8 encoded.
Prevents missing `_wp_attachment_metadata` when an image contains keywords with latin extended characters.

Fixes #35316.
Built from https://develop.svn.wordpress.org/trunk@36429


git-svn-id: http://core.svn.wordpress.org/trunk@36396 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-01 14:53:27 +00:00
John Blackbourn a5d44337b2 Docs: `@param` fixes for a variety of docblocks.
See #32246

Built from https://develop.svn.wordpress.org/trunk@36232


git-svn-id: http://core.svn.wordpress.org/trunk@36199 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-09 01:45:26 +00:00
Sergey Biryukov ae37057114 KSES: Allow the `reversed` attribute for `<ol>`.
Props lancewillett.
Fixes #35079.
Built from https://develop.svn.wordpress.org/trunk@35960


git-svn-id: http://core.svn.wordpress.org/trunk@35924 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-16 09:54:26 +00:00
Scott Taylor 55e16aa98a KSES: have you ever heard of the `<bdo>` HTML tag? Same. http://www.w3schools.com/tags/tag_bdo.asp
Adds unit test.

Props iandunn.
Fixes #34063.

Built from https://develop.svn.wordpress.org/trunk@35141


git-svn-id: http://core.svn.wordpress.org/trunk@35106 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-13 17:18:25 +00:00
Scott Taylor 8d27055b0c Allow these CSS properties in KSES: `min-height', 'max-height', 'min-width', 'max-width'`
Props MikeHansenMe.
Fixes #31949.

Built from https://develop.svn.wordpress.org/trunk@33739


git-svn-id: http://core.svn.wordpress.org/trunk@33707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-25 21:46:20 +00:00
Gary Pendergast c3e0ed7e03 Shortcodes: Improve the reliablity of shortcodes inside HTML tags.
Props miqrogroove.

See #15694.


Built from https://develop.svn.wordpress.org/trunk@33359


git-svn-id: http://core.svn.wordpress.org/trunk@33331 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-22 05:15:25 +00:00
Scott Taylor 32dabc1f90 Don't strip `\0` (backslash+zero) from post content for users without "unfiltered_html"
Adds unit tests.

Props miqrogroove.
Fixes #28699.

Built from https://develop.svn.wordpress.org/trunk@32860


git-svn-id: http://core.svn.wordpress.org/trunk@32831 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-19 18:47:27 +00:00
Scott Taylor f888767c73 `$status` shouldn't be loosely compared to `true` in `wp_xmlrpc_server::wp_deleteComment()`.
`$initial` shouldn't be loosely compared to `true` in `get_calendar()`.
`current_user_can()` shouldn't be loosely compared to `false` in `kses_init()`
`$get_all` shouldn't be loosely compared to `true` in `get_blog_details()`.
`is_array()` and `in_array()` shouldn't be loosely compared in `wpmu_validate_user_signup()`.
`$result` should by strictly compared in `check_ajax_referer()`.
`wp_verify_nonce()` should by strictly compared in `_show_post_preview()`.
`is_user_logged_in()` should not be loosly compared against `false` in `wp-signup.php`.

See #32444.

Built from https://develop.svn.wordpress.org/trunk@32733


git-svn-id: http://core.svn.wordpress.org/trunk@32704 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-12 17:48:26 +00:00
Scott Taylor 4b24007353 Add missing doc blocks to `kses.php` - also fix some unfortunate whitespace issues in related funcs.
See #32444.

Built from https://develop.svn.wordpress.org/trunk@32603


git-svn-id: http://core.svn.wordpress.org/trunk@32573 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-26 18:06:24 +00:00
Scott Taylor 86f29795a4 Add `<s>` to `$allowedtags` in KSES.
From https://developer.mozilla.org/en-US/docs/Web/HTML/Element/s :
"The <strike> element, alter ego of the <s> element is obsolete and should not be used on Web sites any more."

`<strike>` shall remain for BC, but `<s>` should not be stripped from the author (et al) role's HTML input.

Props paulschreiber.
Fixes #30954.

Built from https://develop.svn.wordpress.org/trunk@31205


git-svn-id: http://core.svn.wordpress.org/trunk@31186 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-16 16:07:23 +00:00
Scott Taylor fc843ce4d0 There are some random `add_action()` and `add_filter()` calls littered around some files in `wp-includes/`. These should be moved to `wp-includes/default-filters.php` with the rest of the registered hooks. It seems like this was the best practice for awhile and then we randomly stopped. This file loads way before any of the includes, so the hooks will be registered for any request that loads WordPress, even `SHORTINIT` - a lot of the hooks registered won't run anyways (that's already the case).
See #30947.

Built from https://develop.svn.wordpress.org/trunk@31168


git-svn-id: http://core.svn.wordpress.org/trunk@31149 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-12 16:40:23 +00:00
Scott Taylor 4a1ad9acec Jump statements should not be followed by other statements (there were 5 lingering).
See #30799.

Built from https://develop.svn.wordpress.org/trunk@31100


git-svn-id: http://core.svn.wordpress.org/trunk@31081 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 21:15:22 +00:00
Scott Taylor ac4e67b82e Perl-style comments should not be used
See #30799.

Built from https://develop.svn.wordpress.org/trunk@31079


git-svn-id: http://core.svn.wordpress.org/trunk@31060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 05:52:24 +00:00
Drew Jaynes ad1ecf88c5 Only backtick-escape individual HTML entities in the DocBlock for `wp_kses_normalize_entities()`.
Props TobiasBg.
Fixes #30473.

Built from https://develop.svn.wordpress.org/trunk@30726


git-svn-id: http://core.svn.wordpress.org/trunk@30716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 11:47:23 +00:00
Drew Jaynes 3d77f9a816 Remove some now-unnecessary double quotes around HTML entities used in DocBlock comments.
See #30473.

Built from https://develop.svn.wordpress.org/trunk@30721


git-svn-id: http://core.svn.wordpress.org/trunk@30711 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 08:49:23 +00:00
Drew Jaynes 8e5543da53 Backtick-escape three sets of HTML entities used in DocBlock descriptions in wp-includes/kses.php.
Without the escaping, the Code Reference/browser may inadvertently attempt to convert and display entities.

Fixes #30473.

Built from https://develop.svn.wordpress.org/trunk@30720


git-svn-id: http://core.svn.wordpress.org/trunk@30710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 08:47:22 +00:00
Andrew Nacin e7614d6c45 Fix typo in style filter. props miqrogroove
Built from https://develop.svn.wordpress.org/trunk@30425


git-svn-id: http://core.svn.wordpress.org/trunk@30420 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-20 13:15:24 +00:00
Drew Jaynes f8657d5890 Remove redundant and erroneous `@uses` tag from most core inline documentation.
Per our inline documentation standards, no further use of the `@uses` tag is recommended as used and used-by relationships can be derived through other means. This removes most uses of the tag in core documentation, with remaining tags to be converted to `@global` or `@see` as they apply.

Fixes #30191.

Built from https://develop.svn.wordpress.org/trunk@30105


git-svn-id: http://core.svn.wordpress.org/trunk@30105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-30 01:05:24 +00:00
Scott Taylor 2ad420dddf Add `audio`, `video`, and `track` to `$allowedposttags` (KSES).
Props jwenerd, wonderboymusic. 
Fixes #29826.

Built from https://develop.svn.wordpress.org/trunk@30064


git-svn-id: http://core.svn.wordpress.org/trunk@30064 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-28 19:36:23 +00:00
Andrew Nacin ae21b1884d kses: Add colgroup.
props collinsinternet.
fixes #29433.

Built from https://develop.svn.wordpress.org/trunk@29740


git-svn-id: http://core.svn.wordpress.org/trunk@29514 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-09-12 05:51:17 +00:00
Sergey Biryukov 788597141a Make wp_kses_no_null() remove any invalid control characters in a string.
props mauteri, miqrogroove.
fixes #28506.
Built from https://develop.svn.wordpress.org/trunk@28942


git-svn-id: http://core.svn.wordpress.org/trunk@28740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-01 18:01:17 +00:00
Scott Taylor 38e39c93ea In `kses.php`, ensure that `$allowedposttags`, `$allowedtags`, and `$allowedentitynames` are added to the global namespace.
Props Jaza613.
Fixes #28582.


Built from https://develop.svn.wordpress.org/trunk@28845


git-svn-id: http://core.svn.wordpress.org/trunk@28649 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-26 02:14:15 +00:00
Andrew Nacin fbbc31f3c5 Inline documentation for hooks in wp-includes/kses.php.
props siobhyb, DrewAPicture.
fixes #25800.

Built from https://develop.svn.wordpress.org/trunk@27739


git-svn-id: http://core.svn.wordpress.org/trunk@27576 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-26 14:57:15 +00:00
Andrew Nacin f9fd129f28 Allow XML attributes with colons to be read by kses.
The attribute would still need to be whitelisted to get through the filters.

props jorbin.
fixes #17847.

Built from https://develop.svn.wordpress.org/trunk@27707


git-svn-id: http://core.svn.wordpress.org/trunk@27546 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-25 12:53:16 +00:00
Andrew Nacin 5fd175300c Allow the role attribute in kses for all elements.
props mikecorkum.
fixes #24098.

Built from https://develop.svn.wordpress.org/trunk@27388


git-svn-id: http://core.svn.wordpress.org/trunk@27236 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-04 02:11:16 +00:00
Andrew Nacin 8ec592f244 Add dfn, mark, and samp to kses.
props kraftbj.
fixes #24950.

Built from https://develop.svn.wordpress.org/trunk@26973


git-svn-id: http://core.svn.wordpress.org/trunk@26852 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-01-17 08:38:09 +00:00
Peter Westwood e1e79ddf64 KSES: Extend support in wp_kses_normalize_entities to named entities with up to two numbers on the end of the name so as to support a wider list of valid entities.
Fixes â#26290

Built from https://develop.svn.wordpress.org/trunk@26440


git-svn-id: http://core.svn.wordpress.org/trunk@26338 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-27 22:32:09 +00:00
Andrew Nacin d362dc1e49 Allow the value attribute for list items processed by kses.
props kraftbj.
fixes #24293.

Built from https://develop.svn.wordpress.org/trunk@25460


git-svn-id: http://core.svn.wordpress.org/trunk@25381 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-16 20:49:10 +00:00
Ryan Boren 43a7e695e9 Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 16:28:40 +00:00
Ryan Boren cc5ed3a485 Change all core API to expect unslashed rather than slashed arguments.
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.

Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-14 22:51:06 +00:00
Andrew Nacin 40543db45f Recommend the wp_kses_allowed_html filter over CUSTOM_TAGS. Soft deprecate CUSTOM_TAGS. see #17977, #20210.
git-svn-id: http://core.svn.wordpress.org/trunk@21796 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-10 18:00:41 +00:00