* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 4.5 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
Built from https://develop.svn.wordpress.org/branches/4.5@49401
git-svn-id: http://core.svn.wordpress.org/branches/4.5@49160 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Introduces `customize-selective-refresh-widgets` theme support feature and adds to themes.
* Introduces `customize_selective_refresh` arg for `WP_Widget::$widget_options` and adds to all core widgets.
* Remove `selective_refresh` from being a component that can be removed via `customize_loaded_components` filter.
* Add `WP_Customize_Widgets::get_selective_refreshable_widgets()` and `WP_Customize_Widgets::is_widget_selective_refreshable()`.
* Fix default `selector` for `Partial` instances.
* Implement and improve Masronry sidebar refresh logic in Twenty Thirteen and Twenty Fourteen, including preservation of initial widget position after refresh.
* Re-initialize ME.js when refreshing `Twenty_Fourteen_Ephemera_Widget`.
See #27355.
Fixes#35855.
Built from https://develop.svn.wordpress.org/trunk@37040
git-svn-id: http://core.svn.wordpress.org/trunk@37007 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The plugin details modal can be invoked from several screens. There's now a new
`.open-plugin-details-modal` CSS class to be used in combination with the
`.thickbox` CSS class that adds everything needed for accessibility.
- Adds an ARIA role `dialog` and an `aria-label` attribute to the modal
- Adds a `title` attribute to the iframe inside the modal
- Constrains tabbing within the modal
- Restores focus back in a proper place when closing the modal
Also, improves a bit the native Thickbox implementation: it should probably be
replaced with some more modern tool but at least keyboard focus should be moved
inside the modal.
Fixes#33305.
Built from https://develop.svn.wordpress.org/trunk@36964
git-svn-id: http://core.svn.wordpress.org/trunk@36932 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Eliminates need to click more than one checkbox to have preferences saved.
* Adds debouncing to saving user-selected menu item properties.
* Also removes discrepancies between available nav menu item properties on admin page vs Customizer.
Fixes#35273.
Props afercia, westonruter.
Built from https://develop.svn.wordpress.org/trunk@36908
git-svn-id: http://core.svn.wordpress.org/trunk@36876 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Removes double `margin-bottom` from all the media controls.
* All media controls now send `{settingId}-attachment-data` messages to the preview when a media setting is updated so that the preview has access to the attachment data.
* Fixes receiving of `attachment-data` message for `custom_logo` which resulted in instant JS-applied preview not working. See #36096.
See #33755.
Fixes#35941.
Built from https://develop.svn.wordpress.org/trunk@36851
git-svn-id: http://core.svn.wordpress.org/trunk@36818 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Removes overly-zealous filtering of autofocus panels, sections, and controls which are unrecognized or for which the user doesn't have the capability to focus (in which case it would no-op anyway). Also defers autofocus logic until instances are created, even after initial `ready` event. This ensures that autofocus can apply for any panels, sections, or controls that get created via the loaded preview.
See #28650.
Fixes#36018.
Built from https://develop.svn.wordpress.org/trunk@36796
git-svn-id: http://core.svn.wordpress.org/trunk@36763 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Improves parity between partials and controls. A partial or control can be settingless if instantiated with `settings` param as empty array (otherwise, if null, then the partial/control ID is used).
* Eliminate need to create dummy settings that serve no purpose except to place a control in the UI.
* Removes dummy settings for `create_new_menu` and `new_menu_name`.
* Introduces `WP_Customize_Control::$capability` and `WP_Customize_Partial::$capability`, and if set checks them in the respective `check_capabilities()` methods.
* Prevents PHP fatal error from happening when non-existing settings are provided to control: "Call to a member function `check_capabilities()` on a non-object".
* Fixes issue where nav menu items and widgets were no longer working with selective refresh because cap check was failing.
See #27355.
Fixes#35926.
Built from https://develop.svn.wordpress.org/trunk@36689
git-svn-id: http://core.svn.wordpress.org/trunk@36656 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Correct several incorrect uses of `_.union`. Since Underscore 1.7.0 `_.union` supports only arrays and not variadic args.
* Use a namespaced event `themes:update`. Backbone 1.2 added a built in `update` event that triggers after any amount of models are added or removed from a collection.
Props adamsilverstein.
See #34350.
Built from https://develop.svn.wordpress.org/trunk@36580
git-svn-id: http://core.svn.wordpress.org/trunk@36547 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Backbone, from 1.1.2 to 1.2.3. Underscore, from 1.6.0 to 1.8.3.
The new versions of Backbone and Underscore offer numerous small bug fixes and some optimizations and other improvements. Check the [http://backbonejs.org/#changelog Backbone changelog] and [http://underscorejs.org/#changelog Underscore changelog] for the full details.
The new versions include some significant changes that may break existing code. Plugins or themes that rely on the bundled Backbone and/or Underscore libraries should carefully check functionality with the latest versions and run any available unit tests to ensure compatibility.
Some changes of note that were addressed in core as part of this upgrade:
* `_.flatten` no longer works with objects since Underscore.js 1.7. `_.flatten()` working with objects was an unintended side-affect of the implementation, see [https://github.com/jashkenas/underscore/issues/1904#issuecomment-60241576 underscore#1904]. Check any `_flatten` usage and only flatten arrays.
* As of Backbone 1.2.0, you can no longer modify the `events` hash or your view's `el` property in `initialize`, so don't try to modify them there.
* Since Underscore 1.7, Underscore templates no longer accept an initial data object. `_.template` always returns a function now so make sure you use it that way.
Props adamsilverstein.
Fixes#34350.
Built from https://develop.svn.wordpress.org/trunk@36546
git-svn-id: http://core.svn.wordpress.org/trunk@36513 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduces `WP_Customize_Manager::get_previewable_devices()` with a `customize_previewable_devices` filter to change the default device and which devices are available for previewing. This is a feature that was first pioneered on WordPress.com.
Props celloexpressions, folletto, valendesigns, westonruter, welcher, adamsilverstein, michaelarestad, Fab1en.
Fixes#31195.
Built from https://develop.svn.wordpress.org/trunk@36532
git-svn-id: http://core.svn.wordpress.org/trunk@36499 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In the Edit Menu screen, each menu item creates 11 form input elements. In menus with more than 71 menu items, often items after the 71st weren't saved. This was because PHP's runtime configuration `max_input_vars` default value is 1000. Large menus exceed this, so PHP didn't populate the `$_POST` superglobal for the latter menu items.
The entire form is now JSON-encoded into a single input which populates `$_POST` manually on form submission.
This was attempted previously in [36506] which was reverted in [36507]. Some form fields were not being slurped into the form's JSON representation, and it did not scale for a site with many posts. This approach fixes those problems.
Props ocean90, afercia.
See #14134.
Built from https://develop.svn.wordpress.org/trunk@36510
git-svn-id: http://core.svn.wordpress.org/trunk@36477 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In the Edit Menu screen, each menu item creates 11 form input elements. In menus with more than 71 menu items, often items after the 71st weren't saved. This was because PHP's runtime configuration `max_input_vars` default value is 1000. Large menus exceed this, so PHP didn't populate the `$_POST` superglobal for the latter menu items.
The entire form is now JSON-encoded into a single input which populates `$_POST` manually on form submission.
See #14134.
Built from https://develop.svn.wordpress.org/trunk@36506
git-svn-id: http://core.svn.wordpress.org/trunk@36473 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fixes regression introduced in [36414] where the nonce for listing available nav menu items was updated to use the new centralized location at `wp.customize.settings.nonce`, but the nonce for search did not get updated.
See #35617.
Built from https://develop.svn.wordpress.org/trunk@36432
git-svn-id: http://core.svn.wordpress.org/trunk@36399 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Introduce `WP_Customize_Manager::get_nonces()` to consolidate logic for retrieving nonces.
* Export nonces centrally in `wp.customize.settings.nonce` with each request and update nav menus preview to utilize.
* Send updated nonces to preview upon `nonce-refresh`.
* Request full preview refresh if Nav Menu selective refresh request fails (e.g. due to bad nonce).
* Update nav menus and widgets in Customizer to utilize `customize_refresh_nonces` for exporting nonces and keeping them up to date.
See #27355.
Fixes#35617.
Built from https://develop.svn.wordpress.org/trunk@36414
git-svn-id: http://core.svn.wordpress.org/trunk@36381 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Ensure that Setting `Value` objects in preview get initial `_dirty` flag set if values among POST data.
* Upon `saved` event, send `saved` message to preview with the `response` to trigger `saved` event there.
* Reset `_dirty` flag for all setting `Value` objects in preview upon `saved`.
* Continue to create settings synced from pane even after initial bootstrap, and create them as dirty.
* Ensure that `id` property is set for setting `Value` objects in preview.
See #27355.
Fixes#35616.
Built from https://develop.svn.wordpress.org/trunk@36407
git-svn-id: http://core.svn.wordpress.org/trunk@36374 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fixes a layout issue in the Customizer UI. Also de-duplicate title display logic, outputting "Loading..." as site title in PHP with actual title being set upon Customizer `ready`. Also update the site title in response to a `blogname` setting change as opposed to `input` DOM events on the control.
Fixes#35579.
Built from https://develop.svn.wordpress.org/trunk@36388
git-svn-id: http://core.svn.wordpress.org/trunk@36355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add missing `params.completeCallback` to `MenuItemControl.focus()` for parity with `Control.focus()`. Also adds `params` to `MenuItemControl.expandForm`, `MenuItemControl.collapseForm()`, and `MenuItemControl.toggleForm()`.
Props MattGeri, westonruter.
Fixes#32681.
Built from https://develop.svn.wordpress.org/trunk@36383
git-svn-id: http://core.svn.wordpress.org/trunk@36350 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Also, adds missing labels and improves the existing ones.
Updates the "custom links" labels and inputs in the Customizer too.
Introduces a generic, reusable, `.wp-initial-focus` CSS class to be used for
the sole purpose of setting the initial focus.
"Quick Search": uniform the attached events and avoids new AJAX requests to
be triggered when the pressed key doesn't change the searched term.
Fixes#35374.
Built from https://develop.svn.wordpress.org/trunk@36379
git-svn-id: http://core.svn.wordpress.org/trunk@36346 1a063a9b-81f0-0310-95a4-ce76da25c4cd