The HTML4 Plupload handler uses a hidden iframe to POST the upload form,
Unfortunately Internet Explorer 9 doesn't support the `application/json`
content-type which `wp_send_json_success()` and requires `text/html` instead.
This partially reverts [30354], keeping the better error messages.
Fixes#31037 for trunk.
Built from https://develop.svn.wordpress.org/trunk@31429
git-svn-id: http://core.svn.wordpress.org/trunk@31410 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The UI for these taxonomies was hidden in [31308], but it remained possible to
send a direct POST request to the `inline-edit` endpoint to bypass the
restriction. The current changeset fixes this.
Props meloniq.
Fixes#26948.
Built from https://develop.svn.wordpress.org/trunk@31313
git-svn-id: http://core.svn.wordpress.org/trunk@31294 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Bump MediaElement script loader versions to 2.16.2 - missed in [30634], oops!
* Add `Froogaloop` to `js/mediaelement` scripts for Vimeo
* Check for Vimeo in the same locations that YouTube is checked
* Dynamically load Froogaloop script in admin when editing a TinyMCE view
* Edit MediaElement to call `mejs.$.extend` instead of `$.extend` in `mejs.HtmlMediaElementShim.createPlugin()`, since `$` is not available via WP's jQuery (I will report this upstream):
6f9a78e008/src/js/me-shim.js (L631)Fixes#29267.
Built from https://develop.svn.wordpress.org/trunk@31016
git-svn-id: http://core.svn.wordpress.org/trunk@30997 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If the token is set (`$keep` is a string), this means the user is viewing their own profile-editing screen and destroying their own sessions (except the current one). If it isn't set (`$keep` is null), the user is editing another user's profile and destroying all of their sessions with no exceptions.
See #30264, #30469
Built from https://develop.svn.wordpress.org/trunk@30595
git-svn-id: http://core.svn.wordpress.org/trunk@30585 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Variables in DocBlocks should be backtick-escaped
* Parameter and return types should be as specific as possible
* `@param` types and variables should align with each other, but not intentionally with the `@return` description
See #30230.
Built from https://develop.svn.wordpress.org/trunk@30284
git-svn-id: http://core.svn.wordpress.org/trunk@30284 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Use a `MutationObserver` to listen to the `body` class of the parent editor frame.
* In `wpview_media_sandbox_styles()`, only return the MEjs stylesheets.
* In `wp_ajax_parse_media_shortcode()` and `wp_ajax_parse_embed()`, return an object instead of an HTML blob to allow passing `body` and `head` separately
Props avryl, azaozz.
Fixes#29048.
Built from https://develop.svn.wordpress.org/trunk@29615
git-svn-id: http://core.svn.wordpress.org/trunk@29389 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Add a setting to `_wpMediaViewsL10n.settings`: `mediaTrash`
* In the attachment edit modal, properly toggle between Trash/Untrash
* In `media.view.Attachment`, add a method for `untrashAttachment`
* When creating the grid toolbar, switch the setting order of subviews so that `media.view.DeleteSelectedButton` can listen to the instance of `media.view.AttachmentFilters.All` to update the text in its UI.
* Add a new filter to `media.view.AttachmentFilters.All`, `trash`, when `settings.mediaTrash` is true
* Allow the cached queries in `Query.get()` to be flushed when race conditions exist and collections need to be refreshed. This is currently only being used when `MEDIA_TRASH` is set, to refresh the filtered/mirrored collections related to `all`, `trash`, and any already queried filter.
* Cleanup the bootstrapping of `media.view.MediaFrame.Manage`
* Allow `wp_ajax_query_attachments()` to return items from the trash when `MEDIA_TRASH` is `true`
* Allow `wp_ajax_save_attachment()` to set `post_status` when `MEDIA_TRASH` is `true`. It allows `wp_delete_post()` to be called, which will trash the attachment instead of deleting when the flag is set.
Props koop for the knowledge sharing and thought partnership.
See #29145.
Built from https://develop.svn.wordpress.org/trunk@29490
git-svn-id: http://core.svn.wordpress.org/trunk@29268 1a063a9b-81f0-0310-95a4-ce76da25c4cd
We will no longer replace previously valid oEmbed responses with an `{{unknown}}` cache value. When this happens due to reaching a rate limit or a service going down, it is data loss, and is not acceptable. This means that oEmbed caches for a post are no longer deleted indiscriminately every time that post is saved.
oEmbed continues to be cached in post meta, with the addition of a separate meta key containing the timestamp of the last retrieval, which is used to avoid re-requesting a recently cached oEmbed response. By default, we consider a valued cached in the past day to be fresh. This can greatly reduce the number of outbound requests, especially in cases where a post containing multiple embeds is saved frequently.
The TTL used to determine whether or not to request a response can be filtered using `oembed_ttl`, thus allowing for the possibility of respecting the optional oEmbed response parameter `cache_age` or altering the period of time a cached value is considered to be fresh.
Now that oEmbeds are previewed in the visual editor as well as the media modal, oEmbed caches are often populated before a post is saved or published. By pre-populating and avoiding having to re-request that response, we also greatly reduce the chances of a stampede happening when a published post is visible before oEmbed caching is complete.
As it previously stood, a stampede was extremely likely to happen, as the AJAX caching was only triggered when `$_GET['message']` was 1. The published message is 6. We now trigger the caching every time `$_GET['message']` is present on the edit screen, as we are able to avoid triggering so many HTTP requests overall.
props markjaquith. fixes#14759. see #17210.
Built from https://develop.svn.wordpress.org/trunk@28972
git-svn-id: http://core.svn.wordpress.org/trunk@28761 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* In `wp_ajax_add_tag()`, `$post_type` is set and never used.
* In `wp_ajax_hidden_columns()`, `$hidden` is set twice, but only checks for the existence of `$_POST['hidden']` the first time. The two lines can be combined and work together.
* In `wp_ajax_inline_save()`, `$mode` is set and never used.
* In `wp_ajax_find_posts()`, `$searchand = $search = '';` is leftover cruft, neither variable is used. `$wpdb` does not need to be imported, it is never used.
* In `wp_ajax_wp_fullscreen_save_post()`, `$post_type` is set and never used.
* In `wp_ajax_save_attachment_order()`, `$post` is set and never used.
* In `wp_ajax_send_attachment_to_editor()`, `$title` is set and never used.
See #27882.
Built from https://develop.svn.wordpress.org/trunk@28292
git-svn-id: http://core.svn.wordpress.org/trunk@28120 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Removes wp-tinymce-schema.js and mark-loaded.js, no longer needed.
- Removes the inlinepopups and most of the wpdialogs plugins; wpdialog.js is moved to wp-includes/js.
- Adds charmap, compat3x, image, link and textcolor plugins, previously contained in /themes/advanced.
- Updates the wordpress, wpeditimage, wpfullscreen, wpgallery and wplink plugins.
- Updates DFW, wp-admin/js/wp-fullscreen.js.
See #24067.
Built from https://develop.svn.wordpress.org/trunk@26876
git-svn-id: http://core.svn.wordpress.org/trunk@26759 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Update about page, there's now 8.
* Display them four wide, not three, and ensure adequate spacing.
* Use a dedicated nonce.
* Push Light to the front in addition to Default.
* Use user-profile.js on about.php. A few extra things are initialized but they are harmless.
see #26468, #26387.
Built from https://develop.svn.wordpress.org/trunk@26776
git-svn-id: http://core.svn.wordpress.org/trunk@26663 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Use wp_add_dashboard_widget() rather than add_meta_box().
* Use original functions like wp_dashboard_primary(), wp_dashboard_right_now(), wp_dashboard_quick_press() (where possible).
* Only include plugins section of the news widget when appropriate, which necessitates the set_current_screen() via the ajax action.
* Remove some debug cruft that was preventing caching and invalidation.
* Simplify lots of things where possible.
see #25824.
Built from https://develop.svn.wordpress.org/trunk@26220
git-svn-id: http://core.svn.wordpress.org/trunk@26128 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Color scheme selection on your own profile page gives you a preview and autosaves the selection.
Also introduces the usage of a preprocessor for core files, namely Sass. For 3.8, we will not expand its implementation past the color schemes. This does require Ruby as well as Sass 3.3.0+ due to the usage of the sourcemap option.
Note that only the default color scheme is available when running out of src. Use build to test the rest as well as the color picker.
props ryelle, melchoyce, tillkruess, drw158, littlethingsstudio, helen. see #25858, #22862.
Built from https://develop.svn.wordpress.org/trunk@26137
git-svn-id: http://core.svn.wordpress.org/trunk@26048 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* `wp_ajax_get_comments()` relies on the `$post_id` global - even though `$_POST['p']` is passed to every action in the test methods. If `$post_id` is still lingering in between tests and doesn't match `p` in the request, the cap check might pass while the queries for comments will blow up. I added `unset( $GLOBALS['post_id'] )` to `Tests_Ajax_GetComments::setUp()`.
* If the global `$post_id` is empty, but `$_REQUEST['p']` is not, `$post_id` is now set to `absint( $_REQUEST['p'] )` and sanity-checked in `wp_ajax_get_comments()`.
* `map_meta_cap()` always assumes that `get_comment()` succeeds when checking for the `edit_comment` cap. It doesn't. I added sanity checks in a few places where it will break early if `get_post()` or `get_comment()` are empty.
* `wp_update_comment()` always assumes `get_comment()` succeeds. It doesn't. I added a check for empty.
All AJAX unit tests run and pass in debug mode. All general unit tests pass against these changes.
Fixes#25282.
Built from https://develop.svn.wordpress.org/trunk@25438
git-svn-id: http://core.svn.wordpress.org/trunk@25360 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* There are several places where a `$_POST` index was unchecked before setting a variable
* In `wp_notify_postauthor()`, `$comment` was being returned null, but its properties were being accessed.
* In `check_ajax_referer()`, 3 different values can be checked for nonce on `$_REQUEST`, but only 1 had an `isset()`
See #25282.
Built from https://develop.svn.wordpress.org/trunk@25433
git-svn-id: http://core.svn.wordpress.org/trunk@25355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Eliminates the bloated Revisions meta box in favor of 'Revisions: #' in the publish box.
* Adds ability to compare autosave to current post, when revisions are disabled.
* Makes autosaves stand out visually, including "Restore This Autosave".
Also:
* Adds missing capability check for restoring a revision.
* When no revision matches the post's current modified time, avoid marking an autosave as 'current'.
* Fixes wp_get_post_autosave() to return an autosave even when revisions are disabled.
* Add 'check_enabled' arg to wp_get_post_revisions(); false avoids the wp_revisions_enabled() check.
* Adds a responsive slider that is narrower for fewer versions. props markjaquith.
see #24804.
git-svn-id: http://core.svn.wordpress.org/trunk@24790 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Loading indicator when the user is waiting for a trip to the server.
* Bug fixes for diff priming.
* Fix the date display.
* Forget about local comparator, instead order by `modified` on the server.
* Initialize the frame model before the view (this was the source of a LOT of heartache).
git-svn-id: http://core.svn.wordpress.org/trunk@24667 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Update the heartbeat nonce when refreshing nonces on the Edit Post screen.
- After a user logs in from the auth-check dialog, speed up heatrbeat to check/refresh nonces on the Edit Post screen.
- Speeding up heartbeat: bring back the setting how long it should last (how many ticks).
- Add 'heartbeat-nonces-expired' jQuery event when nonces have expired and the user is logged in.
See #23295, see #23216.
git-svn-id: http://core.svn.wordpress.org/trunk@24528 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Much simpler PHP API
* Cleaner and more Backbone-y JS API
* Consequently, does batch queries; this now scales up to hundreds of revisions
Currently missing, but much easier considering the cleaned up base:
* Compare two mode
* RTL
props koopersmith, nacin, adamsilverstein, ocean90. see #24425
git-svn-id: http://core.svn.wordpress.org/trunk@24520 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Move nonces refreshing from autosave to lock checking.
- Do autosave only when there is something to save.
See #23295
git-svn-id: http://core.svn.wordpress.org/trunk@24209 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Refines the UI to make it clearer and easier to use
* Introduces weighted tickmarks
* Fixes comparison bugs.
See #23497 props adamsilverstein
git-svn-id: http://core.svn.wordpress.org/trunk@23769 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Various Updates including:
* i18n fixes
* Added tracking of what revision ID was restored
* async fetching of diffs so that slider works sooner even with many revisions
See #23497 props adamsilverstein, ethitter
git-svn-id: http://core.svn.wordpress.org/trunk@23639 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This implements a new revisions ui using Backbone and preserves all the old methods of "integration" so the change should be transparent to plugins using revisi
ons with CPTs.
This is the first pass and so there are a number of things still to be resolved, more details in the ticket. Feedback welcomed.
git-svn-id: http://core.svn.wordpress.org/trunk@23506 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.
Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.
Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.
Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.
Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.
Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.
Plugins should use wp_unslash() on data being passed to core API.
Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.
Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.
Remove many no longer necessary calls to $wpdb->escape() and esc_sql().
In wp_get_referer() and wp_get_original_referer(), return unslashed data.
Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.
Switch several queries over to prepare().
Expect something to break.
Props alexkingorg
see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
We tried in vain -- a noble but ultimately failed effort -- to reduce the number of fields for attachments from four (title, caption, alt, description) to one (caption for images, title otherwise). Alternative text needed to stay for accessibility reasons, of course.
Eventually title returned due to heavy plugin reliance. Description is too used by too many plugins (often times incorrectly -- the caption is more likely the proper field), hence its less-than-triumphant return today.
Version 3.5 has tried to streamline media in a number of ways. Removing fields may have been too much at once, as it forced not only a user interface change, but a paradigm change as well.
Finally, on upload we populate the description field with IPTC/EXIF captions, rather than the caption field. See #22768, this should be fixed. For now, Description stays.
This commit also restores 'Title' attribute editing to the main tab of the Edit Image dialog. The "Title" field no longer populates title attributes for <img> tags by design (for accessibility and other purposes, see #18984). So, here is a more obvious 'workaround' for the tooltip community.
Finally, this:
* Cleans up the post.php attachment editor, including by showing a prettier form of the mime type.
* Enables plugins to specifically hide attachment_fields_to_edit from either post.php (where you can create meta boxes) or the modal (which you may not want to clutter), for compatibility reasons.
* Hides the 'Describe this file...' placeholder when a field is read-only in the modal.
props nacin, helenyhou.
fixes#22759.
git-svn-id: http://core.svn.wordpress.org/trunk@23083 1a063a9b-81f0-0310-95a4-ce76da25c4cd