Commit Graph

26888 Commits

Author SHA1 Message Date
audrasjb 505b7c55f5 WordPress 5.2.21.
Built from https://develop.svn.wordpress.org/branches/5.2@58516


git-svn-id: http://core.svn.wordpress.org/branches/5.2@57964 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-24 16:29:38 +00:00
audrasjb 0ce3117702 Editor: Fix Path Traversal issue on Windows in Template-Part Block.
Merges [58470] to the 5.2 branch.
Props xknown, jorbin.



Built from https://develop.svn.wordpress.org/branches/5.2@58490


git-svn-id: http://core.svn.wordpress.org/branches/5.2@57939 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-24 15:40:48 +00:00
Aaron Jorbin 2848c103ab General: Backport polyfills for `str_ends_with()` and `str_starts_with()`.
Merges [52040], [56016], and [56015] to 5.2 branch.

Props ocean90, SergeyBiryukov, desrosj, joemcgill, jorbin, mukesh27.

Built from https://develop.svn.wordpress.org/branches/5.2@57461


git-svn-id: http://core.svn.wordpress.org/branches/5.2@56962 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-01-30 18:29:47 +00:00
Joe McGill 433521e44b WordPress 5.2.20.
Built from https://develop.svn.wordpress.org/branches/5.2@57426


git-svn-id: http://core.svn.wordpress.org/branches/5.2@56932 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-01-30 16:23:46 +00:00
audrasjb 60e90ad7c6 WordPress 5.2.19.
Built from https://develop.svn.wordpress.org/branches/5.2@56881


git-svn-id: http://core.svn.wordpress.org/branches/5.2@56392 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-10-12 18:27:43 +00:00
davidbaumwald ab61d84ae4 Grouped backports to the 5.2 branch.
- Comments: Prevent users who can not see a post from seeing comments on it.
- Shortcodes: Restrict media shortcode ajax to certain type.
- REST API: Ensure no-cache headers are sent when methods are overridden.
- REST API: Limit `search_columns` for users without `list_users`.
- Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], and [56838] to the 5.2 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/5.2@56876


git-svn-id: http://core.svn.wordpress.org/branches/5.2@56387 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-10-12 18:23:19 +00:00
audrasjb 72431d4111 Grouped backports to the 5.2 branch.
- Media: Prevent CSRF setting attachment thumbnails.
- Embeds: Add protocol validation for WordPress Embed code.
- I18N: Introduce sanitization function for locale.
- Editor: Ensure block comments are of a valid form.

Merges [55760-55764] to the 5.2 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.


Built from https://develop.svn.wordpress.org/branches/5.2@55789


git-svn-id: http://core.svn.wordpress.org/branches/5.2@55301 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-05-16 16:00:52 +00:00
audrasjb ee7c7b71f5 WordPress 5.2.17.
Built from https://develop.svn.wordpress.org/branches/5.2@54591


git-svn-id: http://core.svn.wordpress.org/branches/5.2@54145 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-10-17 19:53:21 +00:00
desrosj 33101d0a78 Editor: Bump `@wordpress` packages for 5.2.17.
Package updates for bug fixes:

* @wordpress/block-library: 2.4.13
* @wordpress/edit-post: 3.3.13
Built from https://develop.svn.wordpress.org/branches/5.2@54572


git-svn-id: http://core.svn.wordpress.org/branches/5.2@54126 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-10-17 18:17:44 +00:00
audrasjb 006c1baf95 Grouped backports to the 5.2 branch.
- Editor: Bump @wordpress packages for the branch,
- Media: Refactor search by filename within the admin,
- REST API: Lockdown post parameter of the terms endpoint,
- Customize: Escape blogname option in underscores templates,
- Query: Validate relation in `WP_Date_Query`,
- Posts, Post types: Apply KSES to post-by-email content,
- General: Validate host on "Are you sure?" screen,
- Posts, Post types: Remove emails from post-by-email logs,
- Pings/trackbacks: Apply KSES to all trackbacks,
- Mail: Reset PHPMailer properties between use,
- Comments: Apply kses when editing comments,
- Widgets: Escape RSS error messages for display.

Merges [54521-54530] to the 5.2 branch.
Props audrasjb, costdev, cu121, dd32, davidbaumwald, ehtis, johnbillion, johnjamesjacoby, martinkrcho, matveb, oztaser, paulkevan, peterwilsoncc, ravipatel, SergeyBiryukov, talldanwp, timothyblynjacobs, tykoted, voldemortensen, vortfu, xknown.

Built from https://develop.svn.wordpress.org/branches/5.2@54563


git-svn-id: http://core.svn.wordpress.org/branches/5.2@54118 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-10-17 18:08:45 +00:00
desrosj a0464a56a7 WordPress 5.2.16.
Built from https://develop.svn.wordpress.org/branches/5.2@53995


git-svn-id: http://core.svn.wordpress.org/branches/5.2@53554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-08-30 17:33:40 +00:00
Sergey Biryukov aa4f24179e Grouped backports to the 5.2 branch.
- Posts, Post Types: Escape output within `the_meta()`.
- General: Ensure bookmark query limits are numeric.
- Plugins: Escape output in error messages.
- Build/Test Tools: Allow the PHPCS plugin in Composer configuration.

Merges [52412,53958-53960] to the 5.2 branch.
Props tykoted, martinkrcho, xknown, dd32, peterwilsoncc, paulkevan, timothyblynjacobs.

Built from https://develop.svn.wordpress.org/branches/5.2@53971


git-svn-id: http://core.svn.wordpress.org/branches/5.2@53530 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-08-30 15:39:45 +00:00
davidbaumwald 65e7638ee8 WordPress 5.2.15.
Built from https://develop.svn.wordpress.org/branches/5.2@52875


git-svn-id: http://core.svn.wordpress.org/branches/5.2@52464 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-03-10 22:03:45 +00:00
Sergey Biryukov 84645e0cb9 External Libraries: Update jQuery.query to version 2.2.3.
This updates the "jquery-query" library from version 2.1.7 to 2.2.3.

Props jorbin, peterwilsoncc, xknown, audrasjb, jorgefilipecosta.
Merges [52844] to the 5.2 branch.
Built from https://develop.svn.wordpress.org/branches/5.2@52854


git-svn-id: http://core.svn.wordpress.org/branches/5.2@52443 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-03-10 21:19:47 +00:00
desrosj e888732769 WordPress 5.2.14.
Built from https://develop.svn.wordpress.org/branches/5.2@52493


git-svn-id: http://core.svn.wordpress.org/branches/5.2@52085 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-01-06 18:51:31 +00:00
desrosj e3221c7d25 Grouped backports to the 5.2 branch.
- Query: Improve sanitization within `WP_Tax_Query`.
- Query: Improve sanitization within `WP_Meta_Query`.
- Upgrade/Install: Avoid using `unserialize()` unnecessarily.
- Formatting: Correctly encode ASCII characters in post slugs.

Merges [52454-52457] to the 5.2 branch.
Props vortfu, dd32, ehtis, zieladam, whyisjake, xknown, peterwilsoncc, desrosj, iandunn.
Built from https://develop.svn.wordpress.org/branches/5.2@52471


git-svn-id: http://core.svn.wordpress.org/branches/5.2@52063 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-01-06 18:13:36 +00:00
desrosj 0ebcbe65d6 WordPress 5.2.13.
Built from https://develop.svn.wordpress.org/branches/5.2@52119


git-svn-id: http://core.svn.wordpress.org/branches/5.2@51711 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-10 17:11:42 +00:00
desrosj 432a1065cd Script Loader: Sync default package script versions in 5.2 branch.
Follow up to [47946], [50074] and [51756].

Fixes #54413.
Built from https://develop.svn.wordpress.org/branches/5.2@52105


git-svn-id: http://core.svn.wordpress.org/branches/5.2@51697 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-10 13:37:44 +00:00
desrosj 2c03ecf9b1 HTTP: Remove the DST Root CA X3 certificate expired on September 30, 2021.
> The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.
> 
> Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.
> 
> Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.

References:
* [https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2]
* [https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ DST Root CA X3 Expiration (September 2021)]

Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].

Props bradleyt, fierevere, SergeyBiryukov, peterwilsoncc.
Merges [51883] to the 5.2 branch.
Fixes #54207. See #50828.
Built from https://develop.svn.wordpress.org/branches/5.2@52102


git-svn-id: http://core.svn.wordpress.org/branches/5.2@51694 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-10 02:18:44 +00:00
desrosj 7c0a526276 WordPress 5.2.12.
Built from https://develop.svn.wordpress.org/branches/5.2@51764


git-svn-id: http://core.svn.wordpress.org/branches/5.2@51371 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-09-08 21:37:42 +00:00
desrosj 5a4b00a618 Grouped merges for 5.2.12.
- Update `lodash` to the latest version `4.17.21`.
- Disable some attributes for rich text.
- Use hashed/deterministic moduleIDs in webpack config.

Props ellatrix, peterwilsoncc, get_dave, mcsf, talldanwp, youknowriad, desrosj, nerrad, gziolo.
Merges [50940-50941,50984-50985,51426] to the 5.2 branch.
Built from https://develop.svn.wordpress.org/branches/5.2@51756


git-svn-id: http://core.svn.wordpress.org/branches/5.2@51363 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-09-08 21:22:54 +00:00
Sergey Biryukov 5702452f4b General: Only use `_jsonp_wp_die_handler()` for JSONP REST API requests.
Props mdawaffe, peterwilsoncc.
Merges [51740] to the 5.2 branch.
Built from https://develop.svn.wordpress.org/branches/5.2@51747


git-svn-id: http://core.svn.wordpress.org/branches/5.2@51355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-09-08 17:28:31 +00:00
Peter Wilson 504360c3e0 WordPress 5.2.11.
Built from https://develop.svn.wordpress.org/branches/5.2@50874


git-svn-id: http://core.svn.wordpress.org/branches/5.2@50483 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-12 23:16:42 +00:00
Peter Wilson 433a1c9f31 External libraries: Improve attachment handling in PHPMailer
Props: audrasjb, ayeshrajans, desrosj, peterwilsoncc, xknown.
Partially merges [50799] to the 5.2 branch.


Built from https://develop.svn.wordpress.org/branches/5.2@50852


git-svn-id: http://core.svn.wordpress.org/branches/5.2@50461 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-12 22:29:44 +00:00
Peter Wilson ffd641f40a Version bump for 5.2.10.
Built from https://develop.svn.wordpress.org/branches/5.2@50741


git-svn-id: http://core.svn.wordpress.org/branches/5.2@50350 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-04-15 01:38:32 +00:00
desrosj 8043803e2e Grouped merges for 5.2.10.
* REST API: Allow authors to read their own password protected posts.
* About page update

Merges [50717] to the 5.2 branch.

Built from https://develop.svn.wordpress.org/branches/5.2@50729


git-svn-id: http://core.svn.wordpress.org/branches/5.2@50338 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-04-15 01:11:37 +00:00
desrosj 36cc3aab1a Build/Test Tools: Backport GitHub Action and build improvements to the 5.2 branch.
This backports several build and test tool improvements to the 5.2 branch. Most notably, this includes:

- The changes required to allow each workflow to be triggered by the `workflow_dispatch` event so that tests can be run on a schedule [50590].
- The ability to run PHPUnit tests from `src` instead of `build` [50441-50443].
- Splitting single site and multisite tests into parallel jobs [50379].
- Split slow tests into separate, parallel jobs for PHP 5.6 [50444].
- Better branch and path scoping for GitHub Action workflows when running on `pull_request` [50432,50479].
- Several `devDependency` updates.

Merges [50267,50299,50379,50387,50413,50416,50432,50435-50436,50441-50444,50446,50473-50474,50476,50479,50485-50487,50545,50579,50590,50598] to the 5.2 branch.
See #50401, #51734, #51801, #51802, #52548, #52608, #52612, #52623, #52624, #52625, #52645, #52653, #52658, #52660, #52667.
Built from https://develop.svn.wordpress.org/branches/5.2@50606


git-svn-id: http://core.svn.wordpress.org/branches/5.2@50219 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-03-26 20:03:48 +00:00
desrosj cf023b82bd Build/Test Tools: Support NodeJS 14.x in the 5.2 branch.
This updates the 5.2 branch to support the latest LTS version of NodeJS (currently 14.x), allowing the same version to be used across all WordPress branches that receive security updates as a courtesy.

In addition to backporting the package updates that happened after branching 5.2, dependencies that were removed in future releases have also been updated to their latest versions.

Props desrosj, dd32, netweb, jorbin, whyisjake.
Merges [45321,45765,45826,45875,46403-46404,46408-46409,47404,47867,47872-47873,48213,48705,49636,49933,49937,49939-49940,49983,49989,50017,50126,50176,50185] to the 5.2 branch.
See #52341.
Built from https://develop.svn.wordpress.org/branches/5.2@50191


git-svn-id: http://core.svn.wordpress.org/branches/5.2@49869 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-05 03:20:06 +00:00
Sergey Biryukov 3f4fe8f059 Tests: Skip `test_readme()` if the HTTP request to `secure.php.net` or `dev.mysql.com` failed on timeout.
Move `skipTestOnTimeout()` to `WP_UnitTestCase_Base` to avoid duplication.

Merges [46682] and [46996] to the 5.2 branch.
See #51669.
Built from https://develop.svn.wordpress.org/branches/5.2@50093


git-svn-id: http://core.svn.wordpress.org/branches/5.2@49787 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-30 13:03:47 +00:00
desrosj 4c0fc42454 Build Tools: One additional coding standards fix now detected after [49514].
See #51624, #48301.
Built from https://develop.svn.wordpress.org/branches/5.2@49515


git-svn-id: http://core.svn.wordpress.org/branches/5.2@49270 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-11-06 16:38:52 +00:00
desrosj b4da91521f Build Tools: Fix running installing Composer dependencies using Composer 2.0.
This updates the `dealerdirect/phpcodesniffer-composer-installer` package to allow installing version `0.7.0` which supports Composer 2.0.

It also includes several minor spacing/alignment coding standards fixes that are made as a result of the package update.

Props itowhid06, jrf.
Merges [49306] to the 5.2 branch.
See #51624, #48301.
Built from https://develop.svn.wordpress.org/branches/5.2@49514


git-svn-id: http://core.svn.wordpress.org/branches/5.2@49269 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-11-06 16:29:54 +00:00
Sergey Biryukov 130b6904f3 WordPress 5.2.9.
Built from https://develop.svn.wordpress.org/branches/5.2@49461


git-svn-id: http://core.svn.wordpress.org/branches/5.2@49220 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-30 19:50:57 +00:00
whyisjake 0cf9faf171 Upgrade/Install: During the install process, add additional checking for existing tables.
This commit brings the changes in [49452] to the 5.2 branch.

If reinstalling WordPress, there is a condition where tables would exist in the database. Ensures that$

Fixes #51676.

Props xknown, garubi, mukesh27, desrosj, johnbillion, metalandcoffee, davidbaumwald, whyisjake.

Built from https://develop.svn.wordpress.org/branches/5.2@49456


git-svn-id: http://core.svn.wordpress.org/branches/5.2@49215 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-30 18:30:03 +00:00
desrosj 8dd5c0cdec WordPress 5.2.8.
Built from https://develop.svn.wordpress.org/branches/5.2@49412


git-svn-id: http://core.svn.wordpress.org/branches/5.2@49171 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 19:37:05 +00:00
whyisjake 505afcd180 General: WordPress updates
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 5.2 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Built from https://develop.svn.wordpress.org/branches/5.2@49394


git-svn-id: http://core.svn.wordpress.org/branches/5.2@49153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 18:45:55 +00:00
desrosj 8b8aef2834 WordPress 5.2.7.
Built from https://develop.svn.wordpress.org/branches/5.2@47991


git-svn-id: http://core.svn.wordpress.org/branches/5.2@47759 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 21:34:59 +00:00
whyisjake 8e6550737f Editor: Ensure latest comments can only be viewed from public posts.
This brings the changes from [47984] to the 5.2 branch.
Props: poena, xknown.

Built from https://develop.svn.wordpress.org/branches/5.2@47986


git-svn-id: http://core.svn.wordpress.org/branches/5.2@47754 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 19:26:53 +00:00
desrosj 0d6541c100 General: Backport several commits for release.
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option. 

Merges [47948-47951] to the 5.2 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/5.2@47960


git-svn-id: http://core.svn.wordpress.org/branches/5.2@47732 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 18:12:52 +00:00
Sergey Biryukov ff95ac1af3 Editor: Bump `package-lock.json` on the 5.2 branch.
Follow-up to [47946].

See #50094.
Built from https://develop.svn.wordpress.org/branches/5.2@47958


git-svn-id: http://core.svn.wordpress.org/branches/5.2@47730 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 17:51:12 +00:00
Sergey Biryukov 4f0367ef88 Comments: Ensure that unmoderated comments won't be search indexed.
After a comment is submitted, only allow a brief window where the comment is live on the site.

Props jonkolbert, ayeshrajans, Asif2BD, peterwilsoncc, imath, audrasjb, jonoaldersonwp, whyisjake, SergeyBiryukov.
Merges [47887] and [47889] to the 5.2 branch.
See #49956.
Built from https://develop.svn.wordpress.org/branches/5.2@47917


git-svn-id: http://core.svn.wordpress.org/branches/5.2@47691 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-06 09:59:56 +00:00
desrosj c9886c5357 WordPress 5.2.6
Built from https://develop.svn.wordpress.org/branches/5.2@47668


git-svn-id: http://core.svn.wordpress.org/branches/5.2@47445 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 17:58:51 +00:00
whyisjake bf5d4c15cc Customize: Add additional filters to Customizer to prevent JSON corruption.
User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Block Editor: Coding standards, properly escape class names.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.

Brings the changes in [47633], [47634], [47635], [47636], [47637], and [47638] to the 5.2 branch.

Props: aduth, batmoo, ehti, ellatrix, jorgefilipecosta, nickdaugherty, noisysocks, pento, peterwilsoncc, sergeybiryukov, sstoqnov, talldanwp, westi, westonruter, whyisjake, whyisjake, xknown.

Built from https://develop.svn.wordpress.org/branches/5.2@47645


git-svn-id: http://core.svn.wordpress.org/branches/5.2@47420 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 16:07:54 +00:00
Sergey Biryukov 7d171684bc WordPress 5.2.5
Built from https://develop.svn.wordpress.org/branches/5.2@46921


git-svn-id: http://core.svn.wordpress.org/branches/5.2@46721 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 20:24:58 +00:00
whyisjake da95cca74c Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.

Prevent stored XSS through wp_targeted_link_rel().

Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.

Update `wp_kses_bad_protocol()` to recognize `:` on URI attributes.

`wp_kses_bad_protocol()` makes sure to validate that URI attributes don’t contain invalid or disallowed protocols. While this works fine in most cases, there’s a risk that by using the colon HTML5 named entity, one is able to bypass this function.

Brings r46895 to the 5.3 branch.

Props: xknown, nickdaugherty, peterwilsoncc.

Prevent stored XSS in the block editor.

Brings r46896 to the 5.3 branch.

Prevent escaped Unicode characters from becoming unescaped in unsafe HTML during JSON decoding.

Props: aduth, epiqueras.

Built from https://develop.svn.wordpress.org/branches/5.2@46901


git-svn-id: http://core.svn.wordpress.org/branches/5.2@46701 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:18:54 +00:00
whyisjake 42a430a0a9 REST API: Allow for multiple Vary: Origin headers in GET responses.
Simple fix: we pass false as the second parameter to the header function.

This is something that we added downstream of the 5.2.4 release, but we missed in 5.2/trunk.

Fixes #48309, see also [46544].
Props xknown, whyisjake.

Built from https://develop.svn.wordpress.org/branches/5.2@46545


git-svn-id: http://core.svn.wordpress.org/branches/5.2@46342 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-15 15:54:53 +00:00
desrosj d60f90873c Post WordPress 5.2.4 version bump. The 5.2 branch is now 5.2.5-alpha.
Built from https://develop.svn.wordpress.org/branches/5.2@46540


git-svn-id: http://core.svn.wordpress.org/branches/5.2@46337 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 22:02:53 +00:00
desrosj 9380cf2995 WordPress 5.2.4.
Built from https://develop.svn.wordpress.org/branches/5.2@46508


git-svn-id: http://core.svn.wordpress.org/branches/5.2@46305 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 20:06:55 +00:00
whyisjake e9ecfd078e REST API: Send a Vary: Origin header on GET requests.
Add this header on all GET requests to prevent cached requests.

Fixes some code duplication from [46484] and backports the changes from [46484] to the 5.2 branch.
Props darthhexx, davidbinda, nickdaugherty, whyisjake.

Built from https://develop.svn.wordpress.org/branches/5.2@46487


git-svn-id: http://core.svn.wordpress.org/branches/5.2@46285 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 17:44:54 +00:00
whyisjake 0ca56956ae Administration: Ensure that admin referer nonce is valid.
Coding standards: ensure that the nonce is valid with the identical, rather than the equal, operator.

Backports [46477] to the 5.2 branch.
Props vortfu, xknown, whyisjake.

Built from https://develop.svn.wordpress.org/branches/5.2@46486


git-svn-id: http://core.svn.wordpress.org/branches/5.2@46284 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 17:34:53 +00:00
whyisjake cbc773dcbb Filesystem API: Prevent directory traversals when creating new folders.
Reject file paths that contain sub-directory paths.

Props iandunn, xknown, sstoqnov, whyisjake.

Built from https://develop.svn.wordpress.org/branches/5.2@46484


git-svn-id: http://core.svn.wordpress.org/branches/5.2@46282 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 16:34:53 +00:00