- Don't use <base> tag to set target="_blank". It can break form submission. Instead, set target only on links with JS.
- Fix same domain comparison in wp_auth_check_html() when FORCE_SSL_LOGIN == true.
- Properly show/hide the "Close" button when the dialog is shown multiple times.
See #23295
git-svn-id: http://core.svn.wordpress.org/trunk@24208 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* get_tag_regex() altered based on Unit Tests.
* Changes to post-formats.js to provide size and link context during image selection.
* Captions are now output in the_post_format_image() when present.
* The meta value for url is respected for the image post format when the HTML in the image meta doesn't include a link
props wonderboymusic. fixes#23965, #23964. see #24147, #24046.
git-svn-id: http://core.svn.wordpress.org/trunk@24066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- The login page has "X-Frame-Options: DENY" header.
- Cross-domain when displaying on the front-end on multisite with domain mapping.
- The site forces ssl login but not ssl admin.
Add onbeforeunload prompt to counter (frame-busting) JS redirects. Move the JS and CSS into separate files. See #23295.
git-svn-id: http://core.svn.wordpress.org/trunk@23805 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.
Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.
Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.
Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.
Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.
Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.
Plugins should use wp_unslash() on data being passed to core API.
Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.
Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.
Remove many no longer necessary calls to $wpdb->escape() and esc_sql().
In wp_get_referer() and wp_get_original_referer(), return unslashed data.
Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.
Switch several queries over to prepare().
Expect something to break.
Props alexkingorg
see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* In 3.4.x, both $url and UPLOADS had trailing slashes
* Due to refactoring, $url is no longer expected to have a trailing slash
* Because of the mismatch, the str_replace() was not working, resulting in an incorrectly verbose upload dir URL
git-svn-id: http://core.svn.wordpress.org/trunk@22736 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Prevents wp_upload_dir() from obeying the UPLOADS constant when ms-files rewriting is enabled and a blog is switched.
Reverts [22106] thanks to [22108].
see #19235.
git-svn-id: http://core.svn.wordpress.org/trunk@22222 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Introduce a wp_checkdate() function with a single filter to centralise the code that validates dates.
* Improve the error message
* Correctly handle the return value of wp_insert_post which is not always a WP_Error on failure
Fixes#17180
git-svn-id: http://core.svn.wordpress.org/trunk@21922 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Will be replaced with http://wordpress.org/extend/plugins/atom-publishing-protocol/.
* Introduces an action, xmlrpc_rsd_apis, to add APIs to xmlrpc.php?rsd.
* Introduces support for 'error' being 403 and 50x in class-wp.php.
* Removes 'Remote Publishing' from Writing Settings (see [21804]). Keeps the remote_publishing settings section.
DB version is bumped to generate the new wp-app rewrite rule and remove the old enable_app option.
props wonderboymusic.
fixes#21509.
git-svn-id: http://core.svn.wordpress.org/trunk@21818 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduce wp_send_json_success() and wp_send_json_error(), which will allow us to fire appropriate done() or fail() callbacks in JS.
props koopersmith. see #21390.
git-svn-id: http://core.svn.wordpress.org/trunk@21679 1a063a9b-81f0-0310-95a4-ce76da25c4cd
wp-includes/admin-bar.php:
* Replace get_admin_url() and get_home_url() with admin_url() and home_url() and place them inside a switch/restore. Likewise replace current_user_can_for_blog() with current_user_can(). This avoids doing multiple switch restores.
wp-includes/ms-blogs.php:
* Deprecate the $validate argument to switch_to_blog(). This avoids a not very necessary call to get_blog_details(), possibly saving a few queries.
* Use $_wp_switched and $_wp_switched_stack instead of $switched and $switched_stack to make it less likely these globals will be stomped.
* Use GLOBALS to access blog_id and other globals. I've preferred this style lately since it makes it obvious a global is being used and avoids global blog_id being stomped by a local variable.
* Lose some is_object() checks. wp_get_current_user() always returns an object, for example.
* Call the new WP_Roles::reinit() method.
wp-includes/class-wp-xmlrpc-server.php:
* Replace current_user_can_for_blog() with current_user_can() and move it inside the switch/restore pair. This eliminates a switch/restore.
wp-includes/capabilities.php:
* Use array_keys() instead of $role => $data since $data is unused. I *think* this is a bit faster.
* Introduce WP_Roles::reinit(). This reinitializes WP_Roles and is used after switch_to_blog() has already update the blog ID in the wpdb object. If a global roles array is being used instead of the db, reinit is skipped.
* current_user_can_for_blog() now does a switch/restore. It didn't before meaning it could be reinitializing the user with the wrong role information for the current blog.
wp-includes/ms-settings.php:
* Define $_wp_switched_stack and $_wp_switched. This way switch_to_blog() and restore_current_blog() can rely on it being set.
wp-settings.php:
* Instantiate the WP_Roles global. This was it is always defined during init. To remove the WP_Roles checks from WP_Role and WP_User this would probably have to move before plugins are loaded, which might not be a good thing.
wp-includes/functions.php:
* Update wp_upload_dir() to reference _wp_switched.
git-svn-id: http://core.svn.wordpress.org/trunk@21485 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* logIO() and the global $xmlrpc_logging in XML-RPC.
* log_app() and the global $app_logging in APP.
* debug_fwrite(), debug_fopen(), debug_fclose(), and $debug.
see #20051.
git-svn-id: http://svn.automattic.com/wordpress/trunk@19935 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Allows unit testing of core ajax actions.
* wp_die() now has separate filters to choose a handler depending on the context (ajax, XML-RPC, else).
* wp_die) in ajax context does not need to be called with a string. Conversion takes place before die().
props kurtpayne, see #15327.
git-svn-id: http://svn.automattic.com/wordpress/trunk@19801 1a063a9b-81f0-0310-95a4-ce76da25c4cd