* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 4.5 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
Built from https://develop.svn.wordpress.org/branches/4.5@49401
git-svn-id: http://core.svn.wordpress.org/branches/4.5@49160 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.
Brings the changes in [47634], [47635], [47637], and [47638] to the 4.7 branch.
Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, whyisjake, whyisjake, xknown.
Built from https://develop.svn.wordpress.org/branches/4.5@47652
git-svn-id: http://core.svn.wordpress.org/branches/4.5@47427 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[37028] missed some logic to capture the base emoji skin tone, to compare to the modified emoji skin tone. This caused all browsers to report that they supported skin tone modifiers, regardless of whether they actually did.
Merge of [37256] to the 4.5 branch.
Fixes#36604.
Built from https://develop.svn.wordpress.org/branches/4.5@37257
git-svn-id: http://core.svn.wordpress.org/branches/4.5@37223 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When the browser test for diversity emoji was added in [36160], it included a workaround for Chrome not being able to compare `Uint8ClampedArray` objects directly, by converting them to a string. Unfortunately, Safari doesn't support the `Uint8ClampedArray.toString()` method correctly, so the test was incorrectly failing in Safari.
Fixes#36266 for trunk.
Built from https://develop.svn.wordpress.org/trunk@37028
git-svn-id: http://core.svn.wordpress.org/trunk@36995 1a063a9b-81f0-0310-95a4-ce76da25c4cd
As new sets of emoji are added to Unicode, and browsers add support for them at random intervals, we'll inevitably need to add new tests to the emoji loader. This change makes it much easier to add new tests as they're needed.
Fixes#35300.
Built from https://develop.svn.wordpress.org/trunk@36816
git-svn-id: http://core.svn.wordpress.org/trunk@36783 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[35709] was overly broad, and stopped transforming `&` characters within tag attributes. So that sites aren't generating invalid HTML, we need to restore this functionality, while continuing to not transform `&` within blocked tags.
Fixes#35008 for trunk.
Built from https://develop.svn.wordpress.org/trunk@36036
git-svn-id: http://core.svn.wordpress.org/trunk@36001 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Twelve years later, after no fewer than three themes have intentionally implemented popup comments in their functionality, before being abandoned for at least the last six years, we've reached a time where we can put this era behind us. A time when we can remove comment popup functionality from WordPress.
If this breaks the internet, I'll eat my hat.
Fixes#28617
Built from https://develop.svn.wordpress.org/trunk@35848
git-svn-id: http://core.svn.wordpress.org/trunk@35812 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The whole string is escaped with `esc_html()` anyway, so we don't
need to `wp_kses_post()`. This is a better experience for users who
want to use angle brackets in their site title or description.
Does not allow any HTML, adds unit tests.
props BandonRandon, pauldewouters.
fixes#27942.
Built from https://develop.svn.wordpress.org/trunk@35788
git-svn-id: http://core.svn.wordpress.org/trunk@35752 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, `&` would be converted everywhere, which caused problems when it was converted within a `<script>`, for example.
`convert_chars()` is now removed from the `the_content` filter, as it was doing the same job as `wptexturize()`.
KSES correctly handles converting `&` within HTML attributes, so there's no need for `wptexturize()` and `convert_chars()` to do the same job.
Fixes#34698.
Built from https://develop.svn.wordpress.org/trunk@35709
git-svn-id: http://core.svn.wordpress.org/trunk@35673 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Updates `rawurlencode_deep()`, `urlencode_deep()`, and `stripslashes_deep()` to use `map_deep()`. Introduces `urldecode_deep()` for completeness.
Props wpmuguru, nbachiyski, boonebgorges, MikeHansenMe, chriscct7, realloc, johnbillion
Fixes#22300
Built from https://develop.svn.wordpress.org/trunk@35252
git-svn-id: http://core.svn.wordpress.org/trunk@35218 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Move pattern from `wptexturize()` into a separate function.
* Move pattern from `wp_html_split()` into a separate function.
* Beautify code for `wp_html_split()`.
* Remove unnecessary instances of `/s` modifier in patterns that don't use dots.
* Add `tests/phpunit/data/formatting/whole-posts.php` for testing larger strings.
* Add function `benchmark_pcre_backtracking()`.
* Add tests for `wp_html_split()`.
* Add tests for `wptexturize()`.
* Add tests for `get_shortcode_regex()`.
Props miqrogroove.
Fixes#34121.
Built from https://develop.svn.wordpress.org/trunk@34761
git-svn-id: http://core.svn.wordpress.org/trunk@34726 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, it was necessary to explain in a double-negative that `$richedit` being false would prevent `$content` from being passed through `esc_textarea()`. The updated `$rich_edit` name and documentation now better reflects the intent of the parameter.
Fixes#21613.
Built from https://develop.svn.wordpress.org/trunk@34727
git-svn-id: http://core.svn.wordpress.org/trunk@34691 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Square brackets must be encoded in the path, path parameters, query parameters, and fragment, but must not be encoded in anything up to the domain and port.
Adds a bunch of tests, including square brackets in query parameters, IPv6 URLs, and several other permutations.
See #16859
Built from https://develop.svn.wordpress.org/trunk@34674
git-svn-id: http://core.svn.wordpress.org/trunk@34638 1a063a9b-81f0-0310-95a4-ce76da25c4cd