John Blackbourn
63cc2673a1
Hardening: Add escaping to the language attributes used on `html` elements.
...
Merges [42259] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@42293
git-svn-id: http://core.svn.wordpress.org/branches/4.2@42122 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:33:54 +00:00
Dion Hulse
9dadfcb012
WPDB: Check that `AUTH_SALT` is not empty, Fix a PHP notice when `AUTH_SALT` is undefined.
...
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.2 branch.
Fixes #42431 and #42401 for 4.2.
Built from https://develop.svn.wordpress.org/branches/4.2@42236
git-svn-id: http://core.svn.wordpress.org/branches/4.2@42065 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:12:56 +00:00
Gary Pendergast
eb5a635d04
Bump 4.2 branch to version 4.3.17.
...
Built from https://develop.svn.wordpress.org/branches/4.2@42075
git-svn-id: http://core.svn.wordpress.org/branches/4.2@41904 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:42:30 +00:00
Gary Pendergast
86acf8b033
Database: Restore numbered placeholders in `wpdb::prepare()`.
...
[41496] removed support for numbered placeholders in queries sent through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.
This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.
Merges [41662], [42056] to the 4.2 branch.
See #41925.
Built from https://develop.svn.wordpress.org/branches/4.2@42063
git-svn-id: http://core.svn.wordpress.org/branches/4.2@41892 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:51:31 +00:00
Dominik Schilling
c4fb8dfbf1
Bump 4.2 branch to version 4.2.16.
...
Built from https://develop.svn.wordpress.org/branches/4.2@41516
git-svn-id: http://core.svn.wordpress.org/branches/4.2@41349 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 20:03:31 +00:00
Aaron Campbell
a964c2ba2e
Database: Hardening to bring `wpdb::prepare()` in line with documentation.
...
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.
Merges [41496] to 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@41503
git-svn-id: http://core.svn.wordpress.org/branches/4.2@41336 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 18:31:29 +00:00
Aaron Campbell
79e0bb13d4
Database: Don’t trigger `_doing_it_wrong()` for null values in `wpdb::prepare()`.
...
While `wpdb::prepare()` does not support null values (see #12819) they still appear in the wild like in the WordPress Importer and other plugins.
Merges [41483] to 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@41490
git-svn-id: http://core.svn.wordpress.org/branches/4.2@41323 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 16:25:54 +00:00
Aaron Campbell
be9edc6bc3
Database: Hardening for `wpdb::prepare()`
...
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.
Merges [41470] to 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@41477
git-svn-id: http://core.svn.wordpress.org/branches/4.2@41310 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 15:03:30 +00:00
Dominik Schilling
74df39530d
TinyMCE: Improve the previews for shortcodes.
...
Merge of [41395] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@41441
git-svn-id: http://core.svn.wordpress.org/branches/4.2@41274 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 12:44:31 +00:00
Dominik Schilling
ecf502b597
Editor: Prevent adding `javascript:` and `data:` URLs through the inline link dialog.
...
Merge of [41393] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@41406
git-svn-id: http://core.svn.wordpress.org/branches/4.2@41239 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 10:19:28 +00:00
Aaron Campbell
a01117bf0d
Bump 4.2 branch to version 4.2.15.
...
Built from https://develop.svn.wordpress.org/branches/4.2@40753
git-svn-id: http://core.svn.wordpress.org/branches/4.2@40611 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 21:52:23 +00:00
Pascal Birchler
7f8136dfd7
Media: Simplify upload error message construction.
...
Merges [40736] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@40742
git-svn-id: http://core.svn.wordpress.org/branches/4.2@40600 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 18:03:56 +00:00
Dominik Schilling
8f47014af6
Customize: Ignore invalid customization sessions.
...
Merge of [40704] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@40710
git-svn-id: http://core.svn.wordpress.org/branches/4.2@40573 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 12:19:29 +00:00
Pascal Birchler
92f3fdb956
Adjust post meta checks
...
Merges [40692] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@40698
git-svn-id: http://core.svn.wordpress.org/branches/4.2@40561 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:52:55 +00:00
Pascal Birchler
7fc612abfb
Whitelist post arguments in XML-RPC
...
Merges [40677] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@40683
git-svn-id: http://core.svn.wordpress.org/branches/4.2@40546 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:24:31 +00:00
Pascal Birchler
5565b98dde
Bump 4.2 branch to version 4.2.14.
...
Built from https://develop.svn.wordpress.org/branches/4.2@40492
git-svn-id: http://core.svn.wordpress.org/branches/4.2@40368 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-20 16:26:30 +00:00
James Nylen
b9a98e7562
Bump 4.2 branch to version 4.2.13.
...
Built from https://develop.svn.wordpress.org/branches/4.2@40207
git-svn-id: http://core.svn.wordpress.org/branches/4.2@40146 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 16:32:30 +00:00
Aaron Campbell
db266e95e1
Strip control characters before validating redirect.
...
Merges [40183] to 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@40189
git-svn-id: http://core.svn.wordpress.org/branches/4.2@40128 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 13:44:24 +00:00
Dominik Schilling
462631b8cc
Embeds: URL encode YouTube video IDs for broader compatibility.
...
Merge of [40160] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@40166
git-svn-id: http://core.svn.wordpress.org/branches/4.2@40105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 12:07:35 +00:00
Aaron Campbell
f449b0a0ce
Bump 4.2 branch to version 4.2.12.
...
Built from https://develop.svn.wordpress.org/branches/4.2@40001
git-svn-id: http://core.svn.wordpress.org/branches/4.2@39938 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 18:25:29 +00:00
Dominik Schilling
b7509648b8
Query: Ensure that queries work correctly with post type names with special characters.
...
Merge of [39952] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@39961
git-svn-id: http://core.svn.wordpress.org/branches/4.2@39898 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 13:52:00 +00:00
Aaron Campbell
ab64033700
Bump 4.2 branch to version 4.2.11.
...
Built from https://develop.svn.wordpress.org/branches/4.2@39865
git-svn-id: http://core.svn.wordpress.org/branches/4.2@39802 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:58:29 +00:00
Joe McGill
073c7e6092
Media: Fix exif_imagetype check in wp_get_image_mime
...
This is a follow up to [39831].
Merges [39850] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@39856
git-svn-id: http://core.svn.wordpress.org/branches/4.2@39793 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:43:32 +00:00
Joe McGill
99f9d45c10
Media: Improve image filetype checking.
...
This adds a new function `wp_get_image_mime()` which is used by
`wp_check_filetype_and_ext()` to validate image files using
`exif_imagetype()` if available instead of `getimagesize()`.
`getimagesize()` is less performant than `exif_imagetype()` and is
dependent on GD. If `exif_imagetype()` is not available, it falls back to
`getimagesize()` as before.
If `wp_check_filetype_and_ext()` can't validate the filetype, we now return
`false` for ext/MIME values.
Merges [39831] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@39837
git-svn-id: http://core.svn.wordpress.org/branches/4.2@39775 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 13:18:29 +00:00
Dominik Schilling
76d93255d6
Themes: Fix markup for theme name fallbacks.
...
Merge of [39807] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@39814
git-svn-id: http://core.svn.wordpress.org/branches/4.2@39752 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 11:11:56 +00:00
Jeremy Felt
ed1586d7ff
Multisite: Use `wp_rand()` in signup key creation.
...
Merges [39795] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@39801
git-svn-id: http://core.svn.wordpress.org/branches/4.2@39739 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 05:34:56 +00:00
Dion Hulse
4873f1b139
Update PHPMailer to 5.2.22.
...
The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22
Merges [39759] to the 4.2 branch.
Fixes #37210 for 4.2.
Built from https://develop.svn.wordpress.org/branches/4.2@39789
git-svn-id: http://core.svn.wordpress.org/branches/4.2@39727 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 05:25:28 +00:00
Dion Hulse
755a765d49
Mail: Upgrade PHPMailer to 5.2.21.
...
Merges [39645], [36083], [33142], [33124] to the 4.2 branch.
See #37210.
Built from https://develop.svn.wordpress.org/branches/4.2@39726
git-svn-id: http://core.svn.wordpress.org/branches/4.2@39666 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-06 22:06:00 +00:00
Jeremy Felt
e57416e1d7
Bump 4.2 branch to 4.2.10.
...
Built from https://develop.svn.wordpress.org/branches/4.2@38553
git-svn-id: http://core.svn.wordpress.org/branches/4.2@38496 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-07 15:00:32 +00:00
Boone Gorges
3042245749
Bump 4.2 branch to 4.2.9.
...
Built from https://develop.svn.wordpress.org/branches/4.2@37831
git-svn-id: http://core.svn.wordpress.org/branches/4.2@37796 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 16:36:27 +00:00
Joe McGill
754a809bfb
Media: Improve handling of extensionless filenames.
...
Merge of [37756] to the 4.2 branch.
See #37111.
Built from https://develop.svn.wordpress.org/branches/4.2@37816
git-svn-id: http://core.svn.wordpress.org/branches/4.2@37781 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:56:48 +00:00
Nikolay Bachiyski
437f727e8f
Admin: Escape attachment name in case it contains special characters
...
Merge of [37774] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@37789
git-svn-id: http://core.svn.wordpress.org/branches/4.2@37754 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:26:11 +00:00
Jeremy Felt
0ba49c4a4c
Admin: Allow for the consistent filtering of `auth_redirect_scheme`
...
Merge of [37651] to the 4.2 branch.
See #37047.
Built from https://develop.svn.wordpress.org/branches/4.2@37761
git-svn-id: http://core.svn.wordpress.org/branches/4.2@37726 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:12:47 +00:00
Dominik Schilling
94306911e2
Bump 4.2 branch to 4.2.8.
...
Built from https://develop.svn.wordpress.org/branches/4.2@37387
git-svn-id: http://core.svn.wordpress.org/branches/4.2@37353 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-06 18:13:27 +00:00
Nikolay Bachiyski
96731bcfb4
External Libraries: Update plupload from upstream
...
Built from https://develop.svn.wordpress.org/branches/4.2@37379
git-svn-id: http://core.svn.wordpress.org/branches/4.2@37345 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-06 17:59:26 +00:00
Dominik Schilling
e35259b0bc
External Libraries: Update MediaElement.js from upstream.
...
Merge of [37370] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@37375
git-svn-id: http://core.svn.wordpress.org/branches/4.2@37341 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-06 17:55:00 +00:00
Nikolay Bachiyski
0986b209ea
Taxonomies: make sure taxonomy functions work correctly with taxonomy names with special characters
...
The codex says that taxonomy names "should only contain lowercase letters and the underscore character", but that's not enforced. It's too late to enforce it, since some plugins haven't been following it and the official phpdoc doesn't mention this restriction.
Merge of [37133] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@37137
git-svn-id: http://core.svn.wordpress.org/branches/4.2@37104 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 17:29:28 +00:00
Dominik Schilling
a60f6eea61
HTTP: Improve detection of valid IP addresses.
...
Merge of [37115] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@37118
git-svn-id: http://core.svn.wordpress.org/branches/4.2@37085 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 15:52:12 +00:00
Nikolay Bachiyski
080ef55551
Snoopy: use escapeshellarg instead of escapeshellcmd
...
We are escaping arguments, not commands, so we'd better use the semantically correct function, even though they are similar.
Merges [37094] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@37097
git-svn-id: http://core.svn.wordpress.org/branches/4.2@37064 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 14:08:28 +00:00
Dominik Schilling
666b9f8558
Bump 4.2 branch to 4.2.7.
...
Built from https://develop.svn.wordpress.org/branches/4.2@36457
git-svn-id: http://core.svn.wordpress.org/branches/4.2@36424 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 17:28:49 +00:00
Dominik Schilling
c1769766f6
Better validation of the URL used in HTTP redirects.
...
Merges [36444] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@36449
git-svn-id: http://core.svn.wordpress.org/branches/4.2@36416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 17:00:28 +00:00
Dominik Schilling
c30865a6b5
HTTP: `0.1.2.3` is not a valid IP.
...
Merges [36435] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@36438
git-svn-id: http://core.svn.wordpress.org/branches/4.2@36405 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 13:04:20 +00:00
Dominik Schilling
c897bed043
Bump 4.2 branch to 4.2.6.
...
Built from https://develop.svn.wordpress.org/branches/4.2@36198
git-svn-id: http://core.svn.wordpress.org/branches/4.2@36165 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-06 18:49:27 +00:00
Aaron Jorbin
f26900d209
Theme: Escape error messages
...
[36185] for 4.2 branch
Built from https://develop.svn.wordpress.org/branches/4.2@36188
git-svn-id: http://core.svn.wordpress.org/branches/4.2@36155 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-06 17:26:28 +00:00
Dion Hulse
5686506414
Background Updates: Remove the 7am/7pm background update check.
...
This changeset is a more basic version of [36180], clearing the extra now redundant schedule.
As the functionality for this was introduced in 3.9, [28129] has been backported to 3.7/3.8, allowing the API TTL to be respected by those versions.
See #27772.
Fixes #35323.
Built from https://develop.svn.wordpress.org/trunk@36184
git-svn-id: http://core.svn.wordpress.org/branches/4.2@36151 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-06 13:24:33 +00:00
Helen Hou-Sandí
ca39e38e59
Finish bumping the 4.2 branch to 4.2.5.
...
Built from https://develop.svn.wordpress.org/branches/4.2@34190
git-svn-id: http://core.svn.wordpress.org/branches/4.2@34158 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-15 14:50:07 +00:00
Dominik Schilling
ec4db723d2
XMLRPC: Don't allow private posts to be sticky.
...
Merge of [33325], [33612], and [34135] to the 4.2 branch.
See #20662.
Built from https://develop.svn.wordpress.org/branches/4.2@34152
git-svn-id: http://core.svn.wordpress.org/branches/4.2@34120 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 22:51:28 +00:00
Nikolay Bachiyski
a4dba03383
Shortcodes: don't allow unclosed HTML elements in attributes
...
Merges [34134] for 4.2 branch
Built from https://develop.svn.wordpress.org/branches/4.2@34145
git-svn-id: http://core.svn.wordpress.org/branches/4.2@34113 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 22:48:27 +00:00
Gary Pendergast
56b1ceaf04
WPDB: `get_table_from_query()` didn't find table names with hyphens in them.
...
Merge of [33718] to the 4.2 branch.
Props dustinbolton, pento.
See #33470.
Built from https://develop.svn.wordpress.org/branches/4.2@33992
git-svn-id: http://core.svn.wordpress.org/branches/4.2@33961 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-10 06:57:28 +00:00
Gary Pendergast
6b2df3479c
Capabilities: Fall back to the `edit_posts` capability for orphaned comments.
...
Merge of the `capabilities.php` part of [33614] to the 4.2 branch.
Props pento, dd32.
See #33154.
Built from https://develop.svn.wordpress.org/branches/4.2@33972
git-svn-id: http://core.svn.wordpress.org/branches/4.2@33941 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-09 06:01:28 +00:00