Commit Graph

211 Commits

Author SHA1 Message Date
audrasjb 22c9355e2d Docs: Fix an error in `wp_kses_attr()` docblock.
Props kebbet.
See #54729.

Built from https://develop.svn.wordpress.org/trunk@52693


git-svn-id: http://core.svn.wordpress.org/trunk@52282 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-02-08 16:25:01 +00:00
Sergey Biryukov 6329aacac8 Docs: Correct `@global` tag in `wp_kses_xml_named_entities()`.
This updates the variable name in the DocBlock to the correct one.

Follow-up to [48072], [52229].

Props david.binda.
Fixes #54899.
Built from https://develop.svn.wordpress.org/trunk@52639


git-svn-id: http://core.svn.wordpress.org/trunk@52228 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-01-25 11:16:05 +00:00
Sergey Biryukov 18d741be37 KSES: Use the polyfilled PHP 8 string functions in `_wp_kses_allow_pdf_objects()`:
* `str_contains()`
* `str_ends_with()`
* `str_starts_with()`

Additionally, include a test for a PDF file in an `<object>` tag with an unsupported protocol.

Follow-up to [51963], [52039], [52040], [52304], [52309].

Props TobiasBg, ramonopoly.
See #54261.
Built from https://develop.svn.wordpress.org/trunk@52326


git-svn-id: http://core.svn.wordpress.org/trunk@51918 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-12-06 11:08:01 +00:00
Peter Wilson 37180741b4 KSES: Accept port number in PDF upload paths.
Improves the URL validation in `_wp_kses_allow_pdf_objects()` to account for sites using an upload path that contains a port, for example wp.org:8080.

Follow up to [51963], [52304].

Props ocean90, ramonopoly, talldanwp.
See #54261.


Built from https://develop.svn.wordpress.org/trunk@52309


git-svn-id: http://core.svn.wordpress.org/trunk@51901 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-12-03 02:44:00 +00:00
Peter Wilson 2d944ca1d9 KSES: Allow attributes to be restricted via callbacks.
Add callback validation to HTML tag attributes for increased flexibility over an array of values only.

In `object` tags, validate the `data` attribute via a callback to ensure it is a PDF and matches the `type` attribute. This prevents mime type mismatches in browsers.

Follow up to [51963].

Props Pento, dd32, swissspidy, xknown, peterwilsoncc.
Fixes #54261.


Built from https://develop.svn.wordpress.org/trunk@52304


git-svn-id: http://core.svn.wordpress.org/trunk@51896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-12-02 00:56:01 +00:00
Sergey Biryukov 86cd872c29 Docs: Add a `@since` note and description to `wp_kses_attr()` for new attribute-related KSES options:
* Support for an array of allowed values for attributes.
* Support for required attributes.

Follow-up to [51963].

See #54261.
Built from https://develop.svn.wordpress.org/trunk@52234


git-svn-id: http://core.svn.wordpress.org/trunk@51826 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-23 18:39:00 +00:00
Sergey Biryukov 1d1581b660 KSES: Use correct global in `wp_kses_xml_named_entities()`.
This fixes a discrepancy where the the global name used in the function did not match the one declared at the beginning of `kses.php`, and ensures that the function gets the correct array of allowed XML entity names.

Includes unit tests.

Follow-up to [48072].

Props ovidiul, costdev, peterwilsoncc, SergeyBiryukov.
Fixes #54060.
Built from https://develop.svn.wordpress.org/trunk@52229


git-svn-id: http://core.svn.wordpress.org/trunk@51821 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-21 17:17:02 +00:00
desrosj d77367a962 General: Minor fixes to Global Style related code.
Follow up to [52041,52049-52052,52054,52106,52108-52110].

Props swisspidy, TobiasBg, spacedmonkey, kebbet, oandregal.
See #54336.
Built from https://develop.svn.wordpress.org/trunk@52128


git-svn-id: http://core.svn.wordpress.org/trunk@51720 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-10 19:56:00 +00:00
noisysocks c421e9b34a Add Site Editor and PHP changes from Gutenberg 10.1 - 11.9
- First pass at adding the site editor from the Gutenberg plugin to
  wp-admin/site-editor.php.
- Adds miscellaneous PHP changes from Gutenberg 10.1 - 11.9.

Follows [52042].
See #54337.
Props youknowriad, aristath, hellofromtonya, gziolo.

Built from https://develop.svn.wordpress.org/trunk@52069


git-svn-id: http://core.svn.wordpress.org/trunk@51661 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-09 02:17:17 +00:00
jorgefilipecosta d8da1f0ac9 Add: Global styles user content escaping.
This commit adds global styles user content escaping. In addition, it ports the logic on the Gutenberg plugin implemented on WordPress/gutenberg#28061 to the core.
The logic tries to follow what was done for standard post content.

See #54336.
Props oandregal.
Built from https://develop.svn.wordpress.org/trunk@52052


git-svn-id: http://core.svn.wordpress.org/trunk@51644 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-08 21:24:59 +00:00
jorgefilipecosta 065c639a2a Update theme.json classes for WordPress 5.9.
This commit ports to core the changes to the classes that deal with theme.json code.

See #54336.
Props oandregal, spacedmonkey, noisysocks, hellofromtonya, youknowriad.
Built from https://develop.svn.wordpress.org/trunk@52049


git-svn-id: http://core.svn.wordpress.org/trunk@51641 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-08 19:19:58 +00:00
Gary Pendergast 2c3205bb84 KSES: Add options for restricting tags based upon their attributes.
This change adds two now attribute-related config options to KSES:
- An array of allowed values can be defined for attributes. If the attribute value doesn't fall into the list, the attribute will be removed from the tag.
- Attributes can be marked as required. If a required attribute is not present, KSES will remove all attributes from the tag. As KSES doesn't match opening and closing tags, it's not possible to safely remove the tag itself, the safest fallback is to strip all attributes from the tag, instead.

Included with this change is an implementation of these options, allowing the `<object>` tag to be stored in posts, but only when it has a `type` attribute set to `application/pdf`.

Props pento, swissspidy, peterwilsoncc, dd32, jorbin.
Fixes #54261.


Built from https://develop.svn.wordpress.org/trunk@51963


git-svn-id: http://core.svn.wordpress.org/trunk@51552 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-01 02:13:56 +00:00
Sergey Biryukov 15e552e105 Docs: Move `@since` notes from the `safe_style_css` filter to the `safecss_filter_attr()` function.
The filter allows to modify the list of allowed CSS attributes, however support for specific CSS attributes is added to the function rather than the filter.

Follow-up to [37931], [38121], [42880], [44136], [44531], [45242], [45363], [46235], [46793], [50634], [50923].

Props tmatsuur, muhammadfaizanhaidar, sabernhardt.
Fixes #53731.
Built from https://develop.svn.wordpress.org/trunk@51729


git-svn-id: http://core.svn.wordpress.org/trunk@51335 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-09-03 01:37:57 +00:00
John Blackbourn 52d6bd3529 Security: Correct the inline docs for the `wp_kses_allowed_html` filter.
Props peterwilsoncc

Fixes #53597

Built from https://develop.svn.wordpress.org/trunk@51675


git-svn-id: http://core.svn.wordpress.org/trunk@51281 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-26 19:28:57 +00:00
Sergey Biryukov 72acd346a2 Coding Standards: Fix incorrect comment indent in `safecss_filter_attr()`.
Props jrf.
See #53359.
Built from https://develop.svn.wordpress.org/trunk@51550


git-svn-id: http://core.svn.wordpress.org/trunk@51161 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-05 12:59:58 +00:00
John Blackbourn ea60cd8191 Docs: Descriptive improvements and corrections for various docblocks.
See #53399

Built from https://develop.svn.wordpress.org/trunk@51300


git-svn-id: http://core.svn.wordpress.org/trunk@50909 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-07-01 21:12:58 +00:00
desrosj 836b5ad7c7 Coding Standards: Apply some minor coding standards adjustments.
Follow up to [50977], [50987], and [50995].

See #41683, #53156, #53175.
Built from https://develop.svn.wordpress.org/trunk@51007


git-svn-id: http://core.svn.wordpress.org/trunk@50616 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-25 17:43:57 +00:00
Aaron Jorbin b6b98b8e2d Formatting: Add 'main' tag to kses
`main` is a valid HTML element that is especially valuable for KSES to support in light of full site editing.

Related: https://github.com/WordPress/gutenberg/pull/28576 for the addition of `main` to the group block.

Fixes #53156.
Props glendaviesnz.


Built from https://develop.svn.wordpress.org/trunk@50987


git-svn-id: http://core.svn.wordpress.org/trunk@50596 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-25 01:43:55 +00:00
Sergey Biryukov b8487747b8 KSES: Allow `calc()` and `var()` values to be used in inline CSS.
Props aristath, displaynone, joyously, olafklejnstrupjensen, sabernhardt, jamesbonham, poena.
Fixes #46197, #46498.
Built from https://develop.svn.wordpress.org/trunk@50923


git-svn-id: http://core.svn.wordpress.org/trunk@50532 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-17 21:04:59 +00:00
Sergey Biryukov ac943f171a KSES: Remove duplicate `object-position` property.
As part of some recent changes, the property was added to the list of safe CSS properties twice.

Follow-up to [50634], [50761].

See #52991.
Built from https://develop.svn.wordpress.org/trunk@50922


git-svn-id: http://core.svn.wordpress.org/trunk@50531 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-17 20:48:01 +00:00
gziolo ad48a15387 Editor: Update WordPress packages to use with WordPress 5.8
In the response to the discussion during the Dev Chat, I'm doing a first pass to keep WordPress packages up to date in the WordPress 5.8 release cycle.

See https://github.com/WordPress/wordpress-develop/pull/1176 for more details.

Props youknowriad, aristath, andraganescu.
See #52991.


Built from https://develop.svn.wordpress.org/trunk@50761


git-svn-id: http://core.svn.wordpress.org/trunk@50370 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-04-15 15:19:43 +00:00
Sergey Biryukov 526dfa8b12 KSES: Add `object-position` to the list of safe CSS properties.
This resolves an issue with the Cover block, where the `object-position` property is removed from the content when a non-admin user saves the post, leading to block recovery loop.

Props Mamaduka, aristath.
Fixes #52961.
Built from https://develop.svn.wordpress.org/trunk@50634


git-svn-id: http://core.svn.wordpress.org/trunk@50246 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-04-02 12:41:09 +00:00
John Blackbourn dfe1f9b322 Docs: Promote many `bool` types to `true` or `false` where only that value is used.
See #51800

Built from https://develop.svn.wordpress.org/trunk@49927


git-svn-id: http://core.svn.wordpress.org/trunk@49626 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-03 22:04:04 +00:00
Sergey Biryukov 5770b676b0 Docs: Correct an example in `wp_kses_normalize_entities()` description.
Props ediamin.
Fixes #51620.
Built from https://develop.svn.wordpress.org/trunk@49304


git-svn-id: http://core.svn.wordpress.org/trunk@49066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-25 00:14:05 +00:00
John Blackbourn 1fbcdb2213 Docs: Various corrections to inline docblocks.
See #49572
Built from https://develop.svn.wordpress.org/trunk@48573


git-svn-id: http://core.svn.wordpress.org/trunk@48335 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-23 00:48:06 +00:00
whyisjake daace832e3 Media: Add "loading" as an allowed kses image attribute
With loading="lazy" being added to all images in [47554], let's ensure that it passes kses attributes too.

Fixes #50731.
Props TimothyBlynJacobs, peterwilsoncc, azaozz. 


Built from https://develop.svn.wordpress.org/trunk@48572


git-svn-id: http://core.svn.wordpress.org/trunk@48334 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-23 00:44:04 +00:00
Sergey Biryukov 0ce2ddce47 Docs: Synchronize description for the `$allowed_html` parameter of various KSES functions.
Follow-up to [43016].

Props Christian1012, jdgrimes, markparnell.
Fixes #39542. See #33801.
Built from https://develop.svn.wordpress.org/trunk@48478


git-svn-id: http://core.svn.wordpress.org/trunk@48247 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-14 12:41:03 +00:00
Sergey Biryukov 3336009e34 Docs: Replace "html" and "xhtml" instances in DocBlocks and comments with "HTML" and "XHTML".
This ensures consistent capitalization where appropriate.

Props navidos, desrosj.
Fixes #50473.
Built from https://develop.svn.wordpress.org/trunk@48199


git-svn-id: http://core.svn.wordpress.org/trunk@47968 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-28 14:02:06 +00:00
Sergey Biryukov c892c420b7 Docs: Miscellaneous DocBlock corrections.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@48198


git-svn-id: http://core.svn.wordpress.org/trunk@47967 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-28 11:53:04 +00:00
Sergey Biryukov 5e7dfff3a0 Docs: Use sentence case for comments in `tests/kses.php`, per the documentation standards.
Follow-up to [48132].

See #49464, #49572.
Built from https://develop.svn.wordpress.org/trunk@48139


git-svn-id: http://core.svn.wordpress.org/trunk@47908 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-23 11:11:10 +00:00
whyisjake 446d06c45d Formatting: Extend `wp_kses_hair` and `wp_kses_hair_parse` to allow digits and underscores.
Fixes a lot of issues around parsing XML/HTML attributes.

Fixes #49464.

See #34406, #48608.

Props codeforest, zodiac1978, johnpgreen, dlh, ayeshrajans, johnpgreen, rilwis, travisnorthcutt, miqrogroove, chriscct7, whyisjake.

Built from https://develop.svn.wordpress.org/trunk@48132


git-svn-id: http://core.svn.wordpress.org/trunk@47901 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-23 05:07:11 +00:00
desrosj 4b60af1a6a General: Remove “whitelist” and “blacklist” in favor of more clear and inclusive language.
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”

With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).

Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.

Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.

Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes #50413.
Built from https://develop.svn.wordpress.org/trunk@48121


git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-22 17:26:13 +00:00
Sergey Biryukov e13c363b17 Docs: Capitalize "ID", when referring to a post ID, term ID, etc. in a more consistent way.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@48104


git-svn-id: http://core.svn.wordpress.org/trunk@47873 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-20 12:02:12 +00:00
Adam Silverstein 810e9c3c2b Formatting: new filter `safecss_filter_attr_allow_css` on css parts.
Enables developers to determine whether a section of CSS should be allowed or discarded. By default, the value will be false if the part contains \ ( & } = or comments. Returning true allows the CSS part to be included in the output.

Replaces the `safe_style_disallowed_chars` filter introduced in r47891.

Props azaozz.
Fixes #37134.


Built from https://develop.svn.wordpress.org/trunk@48086


git-svn-id: http://core.svn.wordpress.org/trunk@47853 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-18 21:01:11 +00:00
Pascal Birchler 609dd1d14f Sitemaps: Add XML sitemaps functionality to WordPress.
While web crawlers are able to discover pages from links within the site and from other sites, XML sitemaps supplement this approach by allowing crawlers to quickly and comprehensively identify all URLs included in the sitemap and learn other signals about those URLs using the associated metadata.

See https://make.wordpress.org/core/2020/06/10/merge-announcement-extensible-core-sitemaps/ for more details.

This feature exposes the sitemap index via `/wp-sitemap.xml` and exposes a variety of new filters and hooks for developers to modify the behavior. Users can disable sitemaps completely by turning off search engine visibility in WordPress admin.

This change also introduces a new `esc_xml()` function to escape strings for output in XML, as well as XML support to `wp_kses_normalize_entities()`.

Props Adrian McShane, afragen, adamsilverstein, casiepa, flixos90, garrett-eclipse, joemcgill, kburgoine, kraftbj, milana_cap, pacifika, pbiron, pfefferle, Ruxandra Gradina, swissspidy, szepeviktor, tangrufus, tweetythierry.
Fixes #50117.
See #3670. See #19998.

Built from https://develop.svn.wordpress.org/trunk@48072


git-svn-id: http://core.svn.wordpress.org/trunk@47839 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-17 15:24:07 +00:00
Sergey Biryukov 72b5018aa3 Docs: Miscellaneous DocBlock corrections.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@47892


git-svn-id: http://core.svn.wordpress.org/trunk@47666 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-03 10:02:13 +00:00
Adam Silverstein 86b50870ec Formatting: add a new 'safe_style_disallowed_chars' filter.
Enable developers to change the regex used in `safecss_filter_attr` to limit characters in the parsed CSS.

Props paulschreiber, swissspidy, rmccue, bartekcholewa, miinasikk.
Fixes #37134.


Built from https://develop.svn.wordpress.org/trunk@47891


git-svn-id: http://core.svn.wordpress.org/trunk@47665 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-02 23:46:11 +00:00
Peter Wilson 39babb4dfb KSES: Support the `video` element's `playsinline` attribute.
Allow users without the `unfiltered_html` capability to use the `playsinline` attribute when embedding videos.

Additionally this adds unit tests for passing the video element through kses.

Fixes #50167. See #29826.

Built from https://develop.svn.wordpress.org/trunk@47837


git-svn-id: http://core.svn.wordpress.org/trunk@47613 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-05-21 04:54:11 +00:00
Sergey Biryukov 7932193708 Coding Standards: Use strict comparison where static strings are involved.
This reduces the number of `WordPress.PHP.StrictComparisons.LooseComparison` issues in half, from 1897 to 890.

Includes minor code layout fixes for better readability.

See #49542.
Built from https://develop.svn.wordpress.org/trunk@47808


git-svn-id: http://core.svn.wordpress.org/trunk@47584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-05-16 18:42:12 +00:00
Sergey Biryukov 38676936ba Coding Standards: Use strict type check for `in_array()` and `array_search()` where strings are involved.
This reduces the number of `WordPress.PHP.StrictInArray.MissingTrueStrict` issues from 486 to 50.

Includes minor code layout fixes for better readability.

See #49542.
Built from https://develop.svn.wordpress.org/trunk@47550


git-svn-id: http://core.svn.wordpress.org/trunk@47325 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-05 03:02:11 +00:00
Sergey Biryukov 641c632b0c Coding Standards: Use Yoda conditions where appropriate.
See #49222.
Built from https://develop.svn.wordpress.org/trunk@47219


git-svn-id: http://core.svn.wordpress.org/trunk@47019 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-02-09 16:55:09 +00:00
Sergey Biryukov 001ffe81fb Docs: Improve inline comments per the documentation standards.
Includes minor code layout fixes for better readability.

See #48303.
Built from https://develop.svn.wordpress.org/trunk@47122


git-svn-id: http://core.svn.wordpress.org/trunk@46922 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-29 00:45:18 +00:00
Sergey Biryukov 1b675c6e4a Formatting: Return early from `wp_kses_attr_check()` if the element is not in the list of allowed elements and attributes.
Props krynes, tristanleboss.
Fixes #48549.
Built from https://develop.svn.wordpress.org/trunk@46959


git-svn-id: http://core.svn.wordpress.org/trunk@46759 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-14 15:53:06 +00:00
whyisjake 84e4c8531a Update `wp_kses_bad_protocol()` to recognize `&colon;` on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Props: xknown, nickdaugherty, peterwilsoncc.

Built from https://develop.svn.wordpress.org/trunk@46895


git-svn-id: http://core.svn.wordpress.org/trunk@46695 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 17:55:05 +00:00
Sergey Biryukov 7acfab22b8 KSES: Add support for gradient backgrounds.
Props jorgefilipecosta.
Fixes #48376.
Built from https://develop.svn.wordpress.org/trunk@46793


git-svn-id: http://core.svn.wordpress.org/trunk@46593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-11-28 00:29:02 +00:00
John Blackbourn f545bb3f63 Docs: Improve documentation of known return types, plus other docs fixes.
See #48303

Built from https://develop.svn.wordpress.org/trunk@46660


git-svn-id: http://core.svn.wordpress.org/trunk@46460 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-11-05 21:23:02 +00:00
Peter Wilson 428600fb93 KSES: Add support for modern layout techniques in `style` attribute.
Adds support for `flex`, `grid` and `column` layout techniques to the list of CSS attributes considered safe for inline CSS. The `\` character and CSS functions, eg `minmax()` are not yet supported.

Extends support of `border` properties to include `border-radius` and individual `background` properties to include all those implicitly supported by the shorthand attribute.

Props mrahmadawais, marybaum, birgire, peterwilsoncc, azaozz.
Fixes #37248.
See #47367.

Built from https://develop.svn.wordpress.org/trunk@46235


git-svn-id: http://core.svn.wordpress.org/trunk@46047 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-22 22:17:57 +00:00
desrosj 30ac675795 Fix for URL sanitization that can lead to cross-site scripting (XSS) attacks.
Props irsdl, sstoqnov, whyisjake.
Built from https://develop.svn.wordpress.org/trunk@45997


git-svn-id: http://core.svn.wordpress.org/trunk@45808 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:52:56 +00:00
Gary Pendergast 4803fc405e Coding Standards: Fix the `Squiz.PHP.DisallowMultipleAssignments` violations in `wp-includes`.
See #47632.


Built from https://develop.svn.wordpress.org/trunk@45590


git-svn-id: http://core.svn.wordpress.org/trunk@45401 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-07-02 23:42:58 +00:00
Peter Wilson 460e256026 KSES: Add `flex` and related long form properties to safe CSS.
Allow `flex`, `flex-grow`, `flex-shrink` and `flex-basis` to be used in inline CSS. As of WordPress 5.3 the block editor is expected to use `flex-basis` inline to set the width in the column block.

Props aduth.
Fixes #47281.
See #37248.


Built from https://develop.svn.wordpress.org/trunk@45363


git-svn-id: http://core.svn.wordpress.org/trunk@45174 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-05-18 04:34:52 +00:00