The Interactivity API has been rendering client data in a SCRIPT element with the
type `application/json` so that it's not executed as a script, but is available
to one. The data runs through `wp_json_encode()` and is encoded with some flags
to ensure that potentially-dangerous characters are escaped.
However, this can lead to some challenges. Eagerly escaping when not necessary
can make the data difficult to comprehend when reading the output HTML. For example,
all non-ASCII Unicode characters are escaped with their code point equivalent.
This results in `\ud83c\udd70` instead of `🅰`.
In this patch, the flags for JSON encoding are refined to ensure what's necessary
while relaxing other rules (leaving in those Unicode characters if the blog charset
is UTF-8). This makes for Interactivity API data that's quicker as a human reader
to decipher and diagnose.
In summary:
- This data is JSON encoded and printed in a `<script type="application/json">` tag.
- If we ensure that `<` is never printed inside the data, it should be impossible to
break out of the script tag and the browser treats everything as the element's `textContent`.
- All other escaping becomes unnecessary at that point, including unicode escaping
if the page uses the UTF-8 charset (the same encoding as JSON).
See https://github.com/WordPress/wordpress-develop/pull/6433#pullrequestreview-2043218338
Developed in https://github.com/WordPress/wordpress-develop/pull/6520
Discussed in https://core.trac.wordpress.org/ticket/61170Fixes: #61170
Follow-up to: [57563].
Props: bjorsch, dmsnell, jonsurrell, sabernhardt, westonruter.
Built from https://develop.svn.wordpress.org/trunk@58159
git-svn-id: http://core.svn.wordpress.org/trunk@57622 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `version` property throws a warning when working with the local Docker environment. According to the Docker Compose spec, the property only remains for backward compatibility and should be removed.
Props narenin, mukesh27, swissspidy.
Fixes#61101.
Built from https://develop.svn.wordpress.org/trunk@58157
git-svn-id: http://core.svn.wordpress.org/trunk@57620 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This ensures that not only the return values match the expected results, but also that their type is the same.
Going forward, stricter type checking by using `assertSame()` should generally be preferred to `assertEquals()` where appropriate, to make the tests more reliable.
Includes correcting a few erroneously duplicated test cases to match their intended purpose.
Follow-up to [57724].
See #60706.
Built from https://develop.svn.wordpress.org/trunk@58150
git-svn-id: http://core.svn.wordpress.org/trunk@57615 1a063a9b-81f0-0310-95a4-ce76da25c4cd
There are several exist places in Core that attempt to detect if a blog charset
is UTF-8. Each place attempts to perform the same check, except the logic is
spread throughout and there's no single method provided to make this
determination in a consistent way. The `_canonical_charset()` method exists,
but is marked private for use.
In this patch the new `unicode` module provides `is_utf8_charset()` as a method
taking an optional charset slug and indicating if it represents UTF-8,
examining all of the allowable variants of that slug. Associated code is
updated to use this new function, including `_canonical_charset()`. If no slug
is provided, it will look up the current `get_option( 'blog_charset' )`.
Finally, the test functions governing `_canonical_charset()` have been
rewritten as a single test with a data provider instead of as separate test
functions.
Developed in https://github.com/WordPress/wordpress-develop/pull/6535
Discussed in https://core.trac.wordpress.org/ticket/61182Fixes#61182.
Props dmsnell, jonsurrell.
Built from https://develop.svn.wordpress.org/trunk@58147
git-svn-id: http://core.svn.wordpress.org/trunk@57612 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add visible labels to inputs that are using placeholder attributes as a substitute for visible labeling.
Labels added or made visible on the customizer theme search, customizer widget search, customizer menu item search, customizer new page UI, the search plugins screens, the media search screens, and the classic editor link inserter.
Props afercia, joedolson, rcreators, sabernhardt.
See #40331.
Built from https://develop.svn.wordpress.org/trunk@58146
git-svn-id: http://core.svn.wordpress.org/trunk@57611 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When generating a human readable code coverage report in HTML format, the Codecov action used to fail silently. An error is now being returned, resulting in a workflow failure.
This adds a skip condition to the appropriate steps so the coverage report is only uploaded when a `clover` format is generated.
See #60733.
Built from https://develop.svn.wordpress.org/trunk@58144
git-svn-id: http://core.svn.wordpress.org/trunk@57609 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Chrome unreliably loads a lazy-loaded iframe when it is hidden using `clip: rect(1px, 1px, 1px, 1px)`. Instead of using `clip`, a lazy-loaded iframe can also be hidden with `visibility:hidden` which results in it loading not only in Chrome but all other browsers. With this change applied, the hard-coded check to prevent lazy-loading post embeds is now removed. An added benefit to using `visibility:hidden` is that the entire iframe in this case is not interactable, meaning that users navigating the document with the keyboard will not unexpectedly encounter tab stops inside of the hidden iframe, as can happen now with `clip` when the JS fails to reveal the loaded iframe. Note also that the `clip` property is deprecated.
Lastly, when such a post embed iframe is rendered in an RSS feed, the `style` attribute is now removed using the HTML Tag Processor as opposed to using string replacement.
Fixes#58773.
Props westonruter, joemcgill, swissspidy, joedolson, adamsilverstein.
Built from https://develop.svn.wordpress.org/trunk@58143
git-svn-id: http://core.svn.wordpress.org/trunk@57608 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The primary menu was disappearing at 481px. This adjusts to resolve this. It was shown when adjust the browser window not in responsive design mode.
Props stephenbrook, audrasjb, mukesh27, sabernhardt, poena, kristenfisher427, siliconforks, jwgoedert, joedolson.
Fixes#52354.
Built from https://develop.svn.wordpress.org/trunk@58142
git-svn-id: http://core.svn.wordpress.org/trunk@57607 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The link is a part of the deprecation notice displayed when saving an unregistered setting.
Follow-up to [13646], [13785], [14070], [32116], [34315], [45674].
Props timse201, sabernhardt, amitraj2203, khokansardar, SergeyBiryukov.
Fixes#61199.
Built from https://develop.svn.wordpress.org/trunk@58140
git-svn-id: http://core.svn.wordpress.org/trunk@57605 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add a confirmation dialog when users navigate away from the user profile screen if they have unsaved changes to prevent data loss.
Props ashokrane, karlijnbk, diedeexterkate, jwgoedert, joedolson, swissspidy, afercia.
Fixes#40493.
Built from https://develop.svn.wordpress.org/trunk@58137
git-svn-id: http://core.svn.wordpress.org/trunk@57602 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The heading image had quality issues on iOS Safari in portrait and landscape modes. This resolves it through adding 200cv for smaller screens so less than full size.
Props poena, richardevs, laurelfulford, davidakennedy, joemcgill, SergeyBiryukov, ianbelanger, sabernhardt, shailu25, robertghetau.
Fixes#39253.
Built from https://develop.svn.wordpress.org/trunk@58135
git-svn-id: http://core.svn.wordpress.org/trunk@57600 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Reduce the number of queries getting and setting transients on sites without a persistent cache.
Transients are stored in two options: one each for the transient value and timeout. Priming the cache reduces the database queries for getting a transient from two to one.
Props peterwilsoncc, swissspidy.
Fixes#61193.
Built from https://develop.svn.wordpress.org/trunk@58134
git-svn-id: http://core.svn.wordpress.org/trunk@57599 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Based on the current browser support policies and expectations, this is no longer needed. There are almost no browsers in use where this is still in use. The same fix was removed from core themes in #54421.
Props joedolson, sabernhardt, shailu25.
Fixes#60479.
Built from https://develop.svn.wordpress.org/trunk@58133
git-svn-id: http://core.svn.wordpress.org/trunk@57598 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If organizing uploads into month- and year-based folders, uploading an attachment to an existing post should store the file in `wp-content/uploads/<year>/<month>` based on the post's publish date. This is in line with the behavior in classic editor / the media modal.
Props swissspidy, adamsilverstein, timothyblynjacobs, skithund, sergeybiryukov, patricia70.
Fixes#61189.
Built from https://develop.svn.wordpress.org/trunk@58130
git-svn-id: http://core.svn.wordpress.org/trunk@57595 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This builds on the temporary backup system introduced in 6.3 to allow automatic updates to benefit from fatal error protection. A loopback request is performed to the home page of the site and the plugin is rolled back to its backed up version if a fatal error is observed.
For debugging and observability during beta, this change includes several calls to `error_log()` during the upgrade and rollback stages. These calls can be removed or placed behind a flag once we're ready for RC1.
Props costdev, johnbillion, mukesh27, afragen, audrasjb, justlevine, kirasong, peterwilsoncc
Fixes#58281
Built from https://develop.svn.wordpress.org/trunk@58128
git-svn-id: http://core.svn.wordpress.org/trunk@57593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Interactivity API has hooks that run on the frontend, but not in wp-admin. This means that interactivity data was not printed to the HTML and the interactivity Script Modules were not registered.
Fixes#61087.
Props jonsurrell, cbravobernal, gziolo.
Built from https://develop.svn.wordpress.org/trunk@58127
git-svn-id: http://core.svn.wordpress.org/trunk@57592 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Script Modules cannot be used in wp-admin. The necessary hooks are registered on wp_head or wp_footer, but should also be registered for the admin variants so that modules can be used from wp-admin.
Fixes#61086.
Props jonsurrell, cbravobernal, gziolo.
Built from https://develop.svn.wordpress.org/trunk@58126
git-svn-id: http://core.svn.wordpress.org/trunk@57591 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This results in the prevention of an installation running on a port on localhost (for example `localhost:8889`) being converted to a subdomain Multisite installation, whereas previously it was incorrectly allowed.
Props spacedmonkey
See #21077
Built from https://develop.svn.wordpress.org/trunk@58125
git-svn-id: http://core.svn.wordpress.org/trunk@57590 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Includes correcting a conditional in `_wp_menu_item_classes_by_context()` where `$parent_item->object`, which contains a string like `page`, was erroneously compared to the queried object's ID. The correct property to compare is `$parent_item->object_id`.
Follow-up to [14876], [14923], [14942], [15302], [16731], [16742], [22302], [47550], [47557], [47808].
Props aristath, poena, afercia, SergeyBiryukov.
See #60700.
Built from https://develop.svn.wordpress.org/trunk@58124
git-svn-id: http://core.svn.wordpress.org/trunk@57589 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Query caching in `WP_Query` was added in [53941]. When this functionality was added to the `WP_Query` class, a number of edge cases were missed that would result in redundant duplicate queries. It was possible to pass parameters to `WP_Query` that would be different but would result in the same database query being generated. As the cache key is generated from a mixture of query arguments and the SQL query, this resulted in different cache keys for the same database query, resulting in unnecessary duplicate queries. In this change, the logic in the `generate_cache_key` method has been improved to ensure reuse of existing caches. The following edge cases have been considered:
- Passing `post_type` as an empty string.
- Passing `post_type` as the string `any`.
- Passing `post_type` as array vs. string.
- Passing `post_type` as an array in a different order.
- Not passing `orderby`.
- Passing `post_status` as an array vs. string.
- Passing `post_status` as an array in a different order.
This change also fixes an issue where the old SQL query would not match, as the queries had different whitespaces.
Props spacedmonkey, joemcgill, pbearne, peterwilsoncc, rajinsharwar, mukesh27, thekt12, huzaifaalmesbah, rodionov201.
Fixes#59442.
Built from https://develop.svn.wordpress.org/trunk@58122
git-svn-id: http://core.svn.wordpress.org/trunk@57587 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `check-latest` setting is used to ensure the latest version of Node.js is always installed in GitHub Action workflows.
This input was added and turned on in [57212] when the minimum required version of Node.js was bumped to `20.10.0`. Because GitHub Action runner image updates are deployed on a rolling basis over the course of several days, a version of Node.js that met this new requirement was not always present (especially on Windows runners). Using this input was a temporary fix to ensure stability for Core’s test workflows.
The `check-latest` input does have some side effects. Two examples are:
- An additional request is performed to check the latest version every time `setup-node` is used with this option enabled. More requests are made to download and install a newer version of Node.js when one is available.
- When new versions of Node.js are released, the Core workflows immediately switch to the new version, which could potentially have undiscovered bugs or regressions.
The latter has surfaced today due to a regression in Node.js 20.13.0 on Windows (see https://github.com/nodejs/node/issues/52884).
A bit of time has passed and a version >=20.10.0 is now reliably available on all GitHub Action runners. Running the very latest release Node.js is also not important for Core’s testing setup, so `check-version` can safely be removed to address both side effects detailed above.
Props johnbillion.
Fixes#60129.
Built from https://develop.svn.wordpress.org/trunk@58120
git-svn-id: http://core.svn.wordpress.org/trunk@57585 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset adds a `wp-admin/user/contribute.php` file to allow the "Get Involved" link to work on User Admin.
This changeset prevents an unintended 404 that occurs when a logged-in user clicks the "Get Involved" link (located in the menu-bar) from inside of the multisite-specific User Dashboard.
Related: r56220, r56309, #23348.
Props ignatiusjeroe, audrasjb, tobiasbg.
Fixes#61122.
Built from https://develop.svn.wordpress.org/trunk@58118
git-svn-id: http://core.svn.wordpress.org/trunk@57583 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This prevents a fatal error in `wp_apply_custom_classname_support()`, which expects an array data type for block attributes, and makes sure the block editor can still load if there is a mistake in the attributes of a block.
Follow-up to [54498].
Props caercam.
Fixes#61151.
Built from https://develop.svn.wordpress.org/trunk@58112
git-svn-id: http://core.svn.wordpress.org/trunk@57577 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds descriptions to multiple bundled themes. All patterns without the "Inserter" parameter set to "false" or "no", should use the description parameter (These patterns are hidden in the block inserter and do not use the descriptions).
Props poena, StringPiggy, oglekler, audrasjb, huzaifaalmesbah, swisspidy.
Fixes#59688.
Built from https://develop.svn.wordpress.org/trunk@58111
git-svn-id: http://core.svn.wordpress.org/trunk@57576 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates the docblock attributes for `wp_get_attachment_image()` to account for attribute values that are being determined by `wp_get_loading_optimization_attributes()`. Updates docs for `$attr['loading']` and adds docs for `$attr['fetchpriority']`.
Props joemcgill, dmsnell.
Fixes#59550.
Built from https://develop.svn.wordpress.org/trunk@58110
git-svn-id: http://core.svn.wordpress.org/trunk@57575 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The FAQ pattern uses multiple details blocks in a row. This ends up with it behaving as an accordion and opens to issues. In ticket discussion this was decided to be removed to set a good example of how to build.
Props poena, alh0319, abditsori, richtabor, joedolson, huzaifaalmesbah, krupajnanda, luminuu, shailu25, swisspidy.
Fixes#60335.
Built from https://develop.svn.wordpress.org/trunk@58106
git-svn-id: http://core.svn.wordpress.org/trunk@57571 1a063a9b-81f0-0310-95a4-ce76da25c4cd