40663 Commits

Author SHA1 Message Date
desrosj 7c466f7c74 Build/Test Tools: Support NodeJS 14.x in the 5.3 branch.
This updates the 5.3 branch to support the latest LTS version of NodeJS (currently 14.x), allowing the same version to be used across all WordPress branches that receive security updates as a courtesy.

In addition to backporting the package updates that happened after branching 5.3, dependencies that were removed in future releases have also been updated to their latest versions.

Props desrosj, dd32, netweb, jorbin.
Merges [47404,47867,47872-47873,48213,48705,49636,49933,49937,49939,49940,49983,49989,50017,50126,50176,50185] to the 5.3 branch.
See #52341.

Built from https://develop.svn.wordpress.org/branches/5.3@50190


git-svn-id: http://core.svn.wordpress.org/branches/5.3@49868 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-05 03:16:11 +00:00
Sergey Biryukov 31270d4511 WordPress 5.3.6.
Built from https://develop.svn.wordpress.org/branches/5.3@49460


git-svn-id: http://core.svn.wordpress.org/branches/5.3@49219 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-30 19:49:08 +00:00
whyisjake 22149ac868 Upgrade/Install: During the install process, add additional checking for existing tables.
This commit brings the changes in [49452] to the 5.3 branch.

If reinstalling WordPress, there is a condition where tables would exist in the database. Ensures that$

Fixes #51676.

Props xknown, garubi, mukesh27, desrosj, johnbillion, metalandcoffee, davidbaumwald, whyisjake.

Built from https://develop.svn.wordpress.org/branches/5.3@49455


git-svn-id: http://core.svn.wordpress.org/branches/5.3@49214 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-30 18:29:07 +00:00
desrosj 98b1bc6752 WordPress 5.3.5.
Built from https://develop.svn.wordpress.org/branches/5.3@49411


git-svn-id: http://core.svn.wordpress.org/branches/5.3@49170 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 19:36:14 +00:00
whyisjake 9138d6e6ca General: WordPress updates
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 5.3 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Built from https://develop.svn.wordpress.org/branches/5.3@49393


git-svn-id: http://core.svn.wordpress.org/branches/5.3@49152 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 18:44:12 +00:00
desrosj 669c5eacf1 Build/Test Tools: Explicitly specify a version number in the `.nvmrc` file for the 5.3 branch.
This ensures the ability to run NodeJS related tasks when using `nvm install` or `nvm use` will continue to be usable as new versions of NodeJS are moved into LTS.

The alias `lts/*` currently resolves to NodeJS 12.x (which is the highest version of NodeJS supported in the 5.3 branch). However, `lts/*` will point to newer versions in the near future.

This also removes the explicit version when running `nvm install` during automated testing. The command will now fall back to the version in the `.nvmrc` file.

See #51603.
Built from https://develop.svn.wordpress.org/branches/5.3@49279


git-svn-id: http://core.svn.wordpress.org/branches/5.3@49039 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-22 18:10:51 +00:00
Sergey Biryukov 4b84596f68 Administration: Pass the result of `set-screen-option` filter to the new `set_screen_option_{$option}` filter to ensure backward compatibility.
Rename the `$keep` parameter of both filters to `$screen_option` for clarity, update the documentation to better reflect its purpose.

Follow-up to [47951].

Props Chouby, sswells, SergeyBiryukov.
Merges [48241] to the 5.3 branch.
Fixes #50392.
Built from https://develop.svn.wordpress.org/branches/5.3@48245


git-svn-id: http://core.svn.wordpress.org/branches/5.3@48014 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-01 09:47:03 +00:00
desrosj 1a89f620f9 WordPress 5.3.4.
Built from https://develop.svn.wordpress.org/branches/5.3@47990


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47758 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 21:34:05 +00:00
desrosj b454439e6f General: Backport several commits for release.
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that `wp_validate_redirect()` sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend `set-screen-option`.

Merges [47948-47951] to the 5.3 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/5.3@47959


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47731 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 18:00:01 +00:00
whyisjake 66d6663227 Editor: Bump dependencies for WordPress 5.4.1 release.
Changes:
 - @wordpress/block-library: 2.9.6 => 2.9.7
 - @wordpress/edit-post: 3.8.6 => 3.8.7

Fixes #50094.
Props talldanwp, whyisjake.

Built from https://develop.svn.wordpress.org/branches/5.3@47945


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47718 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 15:48:08 +00:00
Sergey Biryukov 7a55e4aa60 Comments: Ensure that unmoderated comments won't be search indexed.
After a comment is submitted, only allow a brief window where the comment is live on the site.

Props jonkolbert, ayeshrajans, Asif2BD, peterwilsoncc, imath, audrasjb, jonoaldersonwp, whyisjake, SergeyBiryukov.
Merges [47887] and [47889] to the 5.3 branch.
See #49956.
Built from https://develop.svn.wordpress.org/branches/5.3@47916


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47690 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-06 09:53:04 +00:00
Sergey Biryukov 85e65c746a Themes: Add "Block Editor Styles" and "Wide Blocks" to the list of WordPress theme features.
These were added to Theme Directory API in anticipation of being committed to core for WordPress 5.2+, which has not happened until now.

Follow-up to [meta8273].

Merges [47790] to the 5.3 branch.
See #46272.
Built from https://develop.svn.wordpress.org/branches/5.3@47792


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47568 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-05-14 09:23:12 +00:00
Sergey Biryukov 5cb06dca4f Help/About: WordPress 5.3.3 included 10 bug fixes in addition to security fixes.
Built from https://develop.svn.wordpress.org/branches/5.3@47726


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47503 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 22:13:06 +00:00
Sergey Biryukov d99c518d40 Update the About page for WordPress 5.3.3
Built from https://develop.svn.wordpress.org/branches/5.3@47705


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47482 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 18:43:02 +00:00
desrosj 9e08f12e0d Actually, WordPress 5.3.3 comes first.
Built from https://develop.svn.wordpress.org/branches/5.3@47684


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47461 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 18:06:02 +00:00
desrosj 644cb5fc24 WordPress 5.3.4
Built from https://develop.svn.wordpress.org/branches/5.3@47667


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47444 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 17:57:14 +00:00
whyisjake bb6a2aa182 Customize: Add additional filters to Customizer to prevent JSON corruption.
User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Block Editor: Coding standards, properly escape class names.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.

Brings the changes in [47633], [47634], [47635], [47636], [47637], and [47638] to the 5.4 branch.

Props: aduth, batmoo, ehti, ellatrix, jorgefilipecosta, nickdaugherty, noisysocks, pento, peterwilsoncc, sergeybiryukov, sstoqnov, talldanwp, westi, westonruter, whyisjake, whyisjake, xknown.

Built from https://develop.svn.wordpress.org/branches/5.3@47644


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47419 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 16:06:08 +00:00
whyisjake 676e70c5c7 Bundled Themes: Update copyright year in readme.txt. - Revert [47629]
Reverts [47629] as the tests will be updated, rather than the themes.

Props peterwilsoncc, whyisjake.
Fixes #48566.

Built from https://develop.svn.wordpress.org/branches/5.3@47630


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47405 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-28 03:07:03 +00:00
whyisjake 5dee0c5fa4 Bundled Themes: Update copyright year in `readme.txt`.
Add a unit test to ensure the year stays up to date.

Extends [46721] to 2020 and the 5.3 branch.

Fixes #48566.


Built from https://develop.svn.wordpress.org/branches/5.3@47629


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47404 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-28 02:19:06 +00:00
Sergey Biryukov b3d7e737ab Media: Improve the appearance of image editor on small and medium screens.
This prevents the main area of Edit Media screen from being pushed down too far.

Props sabernhardt, afercia, fierevere, sathyapulse, mikeschroder, johnbillion.
Merges [47418] to the 5.3 branch.
Fixes #48780. See #47136.
Built from https://develop.svn.wordpress.org/branches/5.3@47419


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47206 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-03-03 17:25:02 +00:00
Sergey Biryukov 511f7cb751 Privacy: Fix the URLs and legacy redirects for the personal data export and erasure screens.
Props Jurgen Oldenburg, garrett-eclipse.
Merges [47412] to the 5.3 branch.
Fixes #49476.
Built from https://develop.svn.wordpress.org/branches/5.3@47417


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47204 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-03-03 17:09:04 +00:00
Sergey Biryukov 0d0a870240 Tests: Correct assertions in `test_site_dates_are_gmt()`.
`assertSame()` doesn't have the `$delta` parameter, only `assertEquals()` does.

Follow-up to [47313].

Merges [47318] to the 5.3 branch.
See #40364.
Built from https://develop.svn.wordpress.org/branches/5.3@47319


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47117 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-02-19 05:14:03 +00:00
Sergey Biryukov cd6ac02117 Tests: Use delta comparison in `test_site_dates_are_gmt()` to avoid race conditions.
Merges [47313] to the 5.3 branch.
See #40364.
Built from https://develop.svn.wordpress.org/branches/5.3@47314


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47114 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-02-19 02:56:04 +00:00
Sergey Biryukov 77512de0c2 Administration: Correct alignment of form controls inside custom meta boxes.
Props audrasjb, dontdream, valentinbora.
Merges [47289] to the 5.3 branch.
Fixes #49013.
Built from https://develop.svn.wordpress.org/branches/5.3@47290


git-svn-id: http://core.svn.wordpress.org/branches/5.3@47090 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-02-14 00:55:03 +00:00
Sergey Biryukov 4e55b9a259 Twenty Nineteen: Standardize the Required PHP and Tested Up To headers.
* Remove `WordPress` from `Requires at least` headers.
* Ensure the `Requires at least` and `Requires PHP` headers are present in the `style.css` file.

Follow-up to [46676], which updated `style-rtl.css`, but not `style.scss` or `style.css`.

Merges [47136] to the 5.3 branch.
See #48517.
Built from https://develop.svn.wordpress.org/branches/5.3@47137


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46937 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-30 20:08:04 +00:00
Sergey Biryukov 449c2e21f1 Media: Make sure `attachment_url_to_postid()` performs a case-sensitive search for the uploaded file name.
Previously, the first available match was returned, regardless of the case, which was not always the expected result.

Props archon810, ben.greeley, tristangemus, vsamoletov, SergeyBiryukov.
Merges [47010] to the 5.3 branch.
Fixes #39768.
Built from https://develop.svn.wordpress.org/branches/5.3@47132


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46932 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-29 16:36:03 +00:00
Sergey Biryukov e6d839b936 Editor: Add unit tests for v5.3.1 block serialization functions.
[46896] was intended to have included unit tests for the block serialization functions added as part of the changeset.

Props aduth.
Merges [46997] to the 5.3 branch.
Fixes #49048.
Built from https://develop.svn.wordpress.org/branches/5.3@47131


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46931 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-29 16:21:05 +00:00
Sergey Biryukov 22b941b16e Upgrade/Install: Correct vertical alignment for "Continue" button on language selection during the install process.
Props garrett-eclipse, audrasjb.
Merges [47070] to the 5.3 branch.
Fixes #49018.
Built from https://develop.svn.wordpress.org/branches/5.3@47130


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46930 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-29 16:19:00 +00:00
Sergey Biryukov 3fc8c7687d Editor: Correct vertical alignment for "Published on" month dropdown in Classic Editor.
Props pratik-jain, justinahinon, audrasjb.
Merges [47072] to the 5.3 branch.
Fixes #49115.
Built from https://develop.svn.wordpress.org/branches/5.3@47129


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46929 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-29 16:17:02 +00:00
Sergey Biryukov f5a8d325ee File Editor: Remove extra padding on submit button for "Select plugin/theme to edit" dropdown on smaller screens.
Props passoniate.
Merges [47071] to the 5.3 branch.
Fixes #49197.
Built from https://develop.svn.wordpress.org/branches/5.3@47128


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46928 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-29 16:14:04 +00:00
Sergey Biryukov c7963618ca Date/Time: Use `wp_date()` to display the correct time of the next DST transition in Timezone setting on General Settings screen.
Props Rarst, autotutorial.
Merges [47073] to the 5.3 branch.
Fixes #49038.
Built from https://develop.svn.wordpress.org/branches/5.3@47127


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46927 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-29 16:12:04 +00:00
Sergey Biryukov b1e2b6174d Media: After [46375], enable JavaScript translations for the `media-views` script.
Props ocean90, audrasjb.
Merges [47040] to the 5.3 branch.
Fixes #49134.
Built from https://develop.svn.wordpress.org/branches/5.3@47126


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46926 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-29 16:10:02 +00:00
Sergey Biryukov dd4a67807a Build/Test Tools: Pass the `TRAVIS_BRANCH` and `TRAVIS_PULL_REQUEST` environment variables along to the Docker container.
This ensures that `WP_UnitTestCase::skipOnAutomatedBranches()` has access to these variables.

Correct the check for pull requests in `WP_UnitTestCase_Base::skipOnAutomatedBranches()`.

Merges [46999], [47000], and [47001] to the 5.3 branch.
Fixes #49050.
Built from https://develop.svn.wordpress.org/branches/5.3@47125


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46925 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-29 15:22:05 +00:00
Sergey Biryukov 5ae97a43f1 Post WordPress 5.3.2 version bump.
Built from https://develop.svn.wordpress.org/branches/5.3@46995


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46795 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-18 22:49:03 +00:00
Sergey Biryukov 6abeb15791 WordPress 5.3.2
Built from https://develop.svn.wordpress.org/branches/5.3@46993


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46793 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-18 22:12:02 +00:00
Sergey Biryukov 9525d1c9f7 Help/About: Update the About page for 5.3.2.
Props audrasjb.
Fixes #49019.
Built from https://develop.svn.wordpress.org/branches/5.3@46992


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46792 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-18 16:02:03 +00:00
Sergey Biryukov 6f6975efde Post WordPress 5.3.2 RC1 version bump
Built from https://develop.svn.wordpress.org/branches/5.3@46984


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46784 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-17 22:25:03 +00:00
Sergey Biryukov 3aee1ab019 WordPress 5.3.2 RC1
Built from https://develop.svn.wordpress.org/branches/5.3@46983


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46783 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-17 22:11:02 +00:00
Sergey Biryukov f1bcfd66d2 Tests: Use delta comparison in test_should_fall_back_to_last_post_modified() to avoid race conditions.
Merges [46981] to the 5.3 branch.
See #48957.
Built from https://develop.svn.wordpress.org/branches/5.3@46982


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46782 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-17 21:35:03 +00:00
Andrew Ozz 99c691c8e2 Upload: Fix the final file name collision test in `wp_unique_filename()` when uploading a file with upper case extension and limit it to run for each file in the directory + 1. Add a unit test to catch that in the future.
Props pbiron, azaozz.
Merges [46966] and [46976] to the 5.3 branch.
Fixes #48975.

Built from https://develop.svn.wordpress.org/branches/5.3@46980


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46780 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-17 21:20:03 +00:00
Andrew Ozz fd030a496f Upload:
- Fix PHP warnings in `wp_unique_filename()` when the destination directory is unreadable.
- Run the final name collision test only for files that are saved to the uploads directory.
- Update the unit tests to match.

Props eden159, audrasjb, azaozz.
Merges [46965] to the 5.3 branch.
Fixes #48960.
Built from https://develop.svn.wordpress.org/branches/5.3@46979


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46779 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-17 21:12:03 +00:00
Sergey Biryukov 7b21983b01 Administration: Fix the colors in all color schemes for the `.active` class for buttons.
Props ryelle, audrasjb.
Merges [46967] to the 5.3 branch.
Fixes #49003.
Built from https://develop.svn.wordpress.org/branches/5.3@46978


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46778 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-17 21:03:02 +00:00
Sergey Biryukov cd10cf0c79 Date/Time: Ensure that `get_feed_build_date()` correctly handles a modified post object with invalid date.
* Clarify in the documentation that the function returns `false` on failure.
* Consistently pass the return value through the `get_feed_build_date` filter.

Props Rarst, dd32, azaozz, tellyworth.
Merges [46974] and [46973] to the 5.3 branch.
Fixes #48957.
Built from https://develop.svn.wordpress.org/branches/5.3@46977


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46777 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-17 20:54:03 +00:00
Sergey Biryukov 6d7dca07b0 Date/Time: In `wp_insert_post()`, when checking the post date to set `future` or `publish` status, use a proper delta comparison.
[3525] allowed a difference up to 59 seconds between the post date/time and the current time to consider the post published instead of scheduled, but that didn't take start of a new minute into account.

Rapidly creating post fixtures in unit tests could encounter a one-second discrepancy between `current_time( 'mysql' )` and `gmdate( 'Y-m-d H:i:s' )`, returning values like `2019-12-16 23:43:00` vs. `2019-12-16 23:42:59`, respectively, and setting the post to a `future` status instead of `publish`.

[45851], while working as intended, made the issue somewhat more likely to occur.

This caused all sorts of occasional random failures in various tests on Travis, mostly on PHP 7.1.

Merges [46968] and [46969] to the 5.3 branch.
Fixes #48145.
Built from https://develop.svn.wordpress.org/branches/5.3@46975


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46775 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-17 20:47:06 +00:00
Sergey Biryukov 2c9cdc0550 Post WordPress 5.3.1 version bump.
Built from https://develop.svn.wordpress.org/branches/5.3@46956


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46755 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-13 00:17:03 +00:00
Sergey Biryukov 5bbd15d57f WordPress 5.3.1
Built from https://develop.svn.wordpress.org/branches/5.3@46920


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46720 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 20:24:04 +00:00
Sergey Biryukov 6b07ab9913 Bundled Themes: Bump version number and update changelog in Twenty Twenty for WordPress 5.3.1.
This bumps the Twenty Twenty version number to `1.1` and updates the `readme.txt` changelog.

Props audrasjb, sinatrateam, SergeyBiryukov, ianbelanger.
Merges [46902] to the 5.3 branch.
Fixes #48944.
Built from https://develop.svn.wordpress.org/branches/5.3@46905


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46705 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:31:04 +00:00
whyisjake 20740afc8f Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.

Prevent escaped unicode characters from becoming unescaped in unsafe HTML during JSON decoding.


Built from https://develop.svn.wordpress.org/branches/5.3@46900


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46700 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:14:06 +00:00
whyisjake 58f8f500d3 Update `wp_kses_bad_protocol()` to recognize `&colon;` on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 5.3 branch.

Props: xknown, nickdaugherty, peterwilsoncc.

Built from https://develop.svn.wordpress.org/branches/5.3@46899


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46699 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:13:03 +00:00
whyisjake 8221d6d320 Prevent stored XSS through wp_targeted_link_rel().
Brings r46894 to the 5.3 branch.

Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.

Built from https://develop.svn.wordpress.org/branches/5.3@46898


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46698 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:11:01 +00:00