whyisjake
9b67830c05
General: WordPress updates
...
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 4.7 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
Built from https://develop.svn.wordpress.org/branches/4.7@49399
git-svn-id: http://core.svn.wordpress.org/branches/4.7@49158 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 18:57:24 +00:00
Sergey Biryukov
2353b610e9
Administration: Pass the result of `set-screen-option` filter to the new `set_screen_option_{$option}` filter to ensure backward compatibility.
...
Rename the `$keep` parameter of both filters to `$screen_option` for clarity, update the documentation to better reflect its purpose.
Follow-up to [47951].
Props Chouby, sswells, SergeyBiryukov.
Merges [48241] to the 4.7 branch.
Fixes #50392 .
Built from https://develop.svn.wordpress.org/branches/4.7@48251
git-svn-id: http://core.svn.wordpress.org/branches/4.7@48020 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-01 09:51:10 +00:00
desrosj
62593e3f73
WordPress 4.7.18.
...
Built from https://develop.svn.wordpress.org/branches/4.7@47996
git-svn-id: http://core.svn.wordpress.org/branches/4.7@47764 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 21:37:49 +00:00
whyisjake
e8b6c5c329
General: Backport several commits for release.
...
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.
Merges [47947-47951] to the 4.7 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/4.7@47978
git-svn-id: http://core.svn.wordpress.org/branches/4.7@47747 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 18:56:20 +00:00
Sergey Biryukov
31561a4a82
Update the About page for WordPress 4.7.17
...
Built from https://develop.svn.wordpress.org/branches/4.7@47697
git-svn-id: http://core.svn.wordpress.org/branches/4.7@47474 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 18:34:45 +00:00
desrosj
4ab5fa91c5
WordPress 4.7.17
...
Built from https://develop.svn.wordpress.org/branches/4.7@47673
git-svn-id: http://core.svn.wordpress.org/branches/4.7@47450 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 18:01:41 +00:00
whyisjake
ea6d1132c0
Customize: Add additional filters to Customizer to prevent JSON corruption.
...
User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.
Brings the changes in [47633], [47634], [47635], [47637], and [47638] to the 4.7 branch.
Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, westonruter, whyisjake, whyisjake, xknown.
Built from https://develop.svn.wordpress.org/branches/4.7@47650
git-svn-id: http://core.svn.wordpress.org/branches/4.7@47425 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 16:23:25 +00:00
Sergey Biryukov
f2b4026b21
WordPress 4.7.16
...
Built from https://develop.svn.wordpress.org/branches/4.7@46926
git-svn-id: http://core.svn.wordpress.org/branches/4.7@46726 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 20:28:44 +00:00
Sergey Biryukov
950fa8df85
Ensure that a user can publish_posts before making a post sticky.
...
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Brings r46893 to the 4.7 branch.
Update `wp_kses_bad_protocol()` to recognize `:` on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 4.7 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.7@46916
git-svn-id: http://core.svn.wordpress.org/branches/4.7@46716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:53:12 +00:00
desrosj
eb11d89736
WordPress 4.7.15.
...
Built from https://develop.svn.wordpress.org/branches/4.7@46513
git-svn-id: http://core.svn.wordpress.org/branches/4.7@46310 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 20:10:15 +00:00
whyisjake
8e914c079d
Backporting several bug fixes.
...
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@46495
git-svn-id: http://core.svn.wordpress.org/branches/4.7@46292 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 18:50:26 +00:00
desrosj
1f06c6044e
WordPress 4.7.14.
...
Built from https://develop.svn.wordpress.org/branches/4.7@46041
git-svn-id: http://core.svn.wordpress.org/branches/4.7@45853 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 22:05:08 +00:00
Andrew Ozz
780518b8cd
jQuery: Backport the patch from jQuery 3.4.0.
...
Merges [45342] to the 4.7 branch.
Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020 .
Built from https://develop.svn.wordpress.org/branches/4.7@46025
git-svn-id: http://core.svn.wordpress.org/branches/4.7@45835 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 21:48:07 +00:00
desrosj
24d6999662
Fix for URL sanitization in `wp_kses_bad_protocol_once()`.
...
Merges [45997] to the 4.7 branch.
Props irsdl, sstoqnov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/4.7@46007
git-svn-id: http://core.svn.wordpress.org/branches/4.7@45818 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 21:39:51 +00:00
Sergey Biryukov
b75e1d43ea
Improve handling the existing `rel` attribute in `wp_rel_nofollow_callback()`.
...
Merges [45990] to the 4.7 branch.
Props xknown, sstoqnov.
Built from https://develop.svn.wordpress.org/branches/4.7@45996
git-svn-id: http://core.svn.wordpress.org/branches/4.7@45807 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:49:11 +00:00
Sergey Biryukov
8dcb0cce77
Improve URL validation in `wp_validate_redirect()`.
...
Merges [45971] to the 4.7 branch.
Props vortfu, whyisjake, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.7@45977
git-svn-id: http://core.svn.wordpress.org/branches/4.7@45788 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:11:44 +00:00
whyisjake
1009c60fc2
Remove _convert_urlencoded_to_entities() from the get_the_content() callback.
...
Merges [45937] to the 4.7 branch.
Props vortfu, whyisjake, peterwilsoncc
Built from https://develop.svn.wordpress.org/branches/4.7@45954
git-svn-id: http://core.svn.wordpress.org/branches/4.7@45765 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 16:39:24 +00:00
Sergey Biryukov
ac5e918526
Escape the output in `wp_ajax_upload_attachment()`.
...
Merges [45936] to the 4.7 branch.
Props whyisjake, sstoqnov.
Built from https://develop.svn.wordpress.org/branches/4.7@45947
git-svn-id: http://core.svn.wordpress.org/branches/4.7@45758 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 16:35:47 +00:00
Gary Pendergast
c1d8f3c319
WordPress 4.7.13
...
Built from https://develop.svn.wordpress.org/branches/4.7@44872
git-svn-id: http://core.svn.wordpress.org/branches/4.7@44703 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-13 01:13:22 +00:00
Sergey Biryukov
c088a3b025
Comments: Improve comment content filtering.
...
Merges [44842] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@44847
git-svn-id: http://core.svn.wordpress.org/branches/4.7@44679 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:36:22 +00:00
Sergey Biryukov
a3c0162465
Formatting: Improve `rel="nofollow"` handling in comments.
...
Merges [44833] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@44838
git-svn-id: http://core.svn.wordpress.org/branches/4.7@44670 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:22:24 +00:00
Jeremy Felt
f646b1a559
Bump 4.7 branch to version 4.7.12.
...
Built from https://develop.svn.wordpress.org/branches/4.7@44080
git-svn-id: http://core.svn.wordpress.org/branches/4.7@43910 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 02:13:42 +00:00
Gary Pendergast
6f9a887644
Editor: Remove unwanted fields before saving posts.
...
The `meta_input`, `file`, and `guid` fields are not intended to be updated through user input.
Merges [44047] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@44056
git-svn-id: http://core.svn.wordpress.org/branches/4.7@43886 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:41:22 +00:00
Peter Wilson
51631c8f07
Multisite: Validate activation links.
...
Merges [44048] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@44054
git-svn-id: http://core.svn.wordpress.org/branches/4.7@43884 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:39:22 +00:00
iandunn
fd88de7653
KSES: Make the URI attributes DRY.
...
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.
Merges [44014] and [44017] to the `4.7` branch.
Built from https://develop.svn.wordpress.org/branches/4.7@44027
git-svn-id: http://core.svn.wordpress.org/branches/4.7@43857 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:44:22 +00:00
Peter Wilson
b6b16c2c8e
Multisite: Improve messaging for previously activated users.
...
Ensure activation of a site is not attempted multiple times and users are shown the correct message if they follow the link a second time.
Merges [44021] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@44026
git-svn-id: http://core.svn.wordpress.org/branches/4.7@43856 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:40:23 +00:00
Gary Pendergast
aa242921e2
KSES: Conditionally remove the `<form>` element from `$allowedposttags`.
...
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.
Merges [43994] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@44000
git-svn-id: http://core.svn.wordpress.org/branches/4.7@43832 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:25:24 +00:00
Jeremy Felt
a124bbcf14
Media: Improve verification of MIME file types.
...
Merges [43988] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@43991
git-svn-id: http://core.svn.wordpress.org/branches/4.7@43823 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:05:23 +00:00
Aaron Campbell
c7498304f3
Bump 4.7 branch to version 4.7.11
...
Built from https://develop.svn.wordpress.org/branches/4.7@43409
git-svn-id: http://core.svn.wordpress.org/branches/4.7@43237 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 16:11:43 +00:00
John Blackbourn
82649117f3
Media: Limit thumbnail file deletions to the same directory as the original file.
...
Merges [43393] into the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@43395
git-svn-id: http://core.svn.wordpress.org/branches/4.7@43223 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 14:51:26 +00:00
Aaron Campbell
cf0f4c6d2c
Bump 4.7 branch to version 4.7.10
...
Built from https://develop.svn.wordpress.org/branches/4.7@42935
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42765 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 20:27:32 +00:00
Dominik Schilling
e6f4baa9b7
Template: Make sure the version string is correctly escaped for use in attributes.
...
Merge of [42893] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@42919
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42749 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 16:07:07 +00:00
Dominik Schilling
f016a8555a
Meta: Simplify the delete all meta query in `delete_metadata()`.
...
Merge of [42913] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@42914
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42744 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 15:41:36 +00:00
Dominik Schilling
67bcd5bbc0
HTTP: Don't treat `localhost` as same host by default.
...
Merge of [42894] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@42910
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 15:36:49 +00:00
Dominik Schilling
d7640f2536
Login: Use `wp_safe_redirect()` when redirecting the login page if forced to use HTTPS.
...
Merge of [42892] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@42897
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42727 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 15:30:06 +00:00
Sergey Biryukov
f89000d2b4
General: Update copyright year to 2018 in license.txt.
...
Props rachelbaker.
Merges [42424] to the 4.7 branch.
Fixes #43007 .
Built from https://develop.svn.wordpress.org/branches/4.7@42554
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42383 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-23 11:26:37 +00:00
Dion Hulse
b631c9a667
Bump the 4.7 branch to 4.7.9.
...
Built from https://develop.svn.wordpress.org/branches/4.7@42496
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42325 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 21:40:05 +00:00
Dion Hulse
7949731503
External Libraries: Remove unnecessary / obsoleted MediaElement.js files.
...
Merges [42478] to the 4.7 branch.
Fixes #42720 for 4.7.
Built from https://develop.svn.wordpress.org/branches/4.7@42479
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 08:05:38 +00:00
Dion Hulse
5c6ad6022c
Upgrade: When deleting old files, if deletion fails attempt to empty the file instead.
...
Props joemcgill, dd32.
Merges [42434] to the 4.7 branch.
Fixes #42963 for 4.7.
Built from https://develop.svn.wordpress.org/branches/4.7@42467
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42296 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 06:54:06 +00:00
John Blackbourn
5abbd8a7b5
Bump 4.7 branch to 4.7.8.
...
Built from https://develop.svn.wordpress.org/branches/4.7@42318
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42147 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 18:58:34 +00:00
John Blackbourn
ce44be8623
Hardening: Remove the ability to upload JavaScript files for users who do not have the `unfiltered_html` capability.
...
Merges [42261] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@42275
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42104 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:20:35 +00:00
John Blackbourn
6ad95824d6
Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
...
Merges [42260] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@42274
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42103 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:19:34 +00:00
John Blackbourn
e951da4039
Hardening: Add escaping to the language attributes used on `html` elements.
...
Merges [42259] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@42273
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42102 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:18:35 +00:00
John Blackbourn
547fd42bfe
Hardening: Use a properly generated hash for the `newbloguser` key instead of a determinate substring.
...
Merges [42258] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@42272
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42101 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:17:35 +00:00
John Blackbourn
7b76bf79e7
Users: Correct the value of the `lang` attribute in the admin area.
...
This corrects the value when the user's language is set to `English (United States)` but the site language is not.
Props ocean90, afercia
See #42242
Merges [42220] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@42263
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42092 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:06:34 +00:00
Dion Hulse
2bb8ddb13f
WPDB: Check that `AUTH_SALT` is not empty, Fix a PHP notice when `AUTH_SALT` is undefined.
...
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.7 branch.
Fixes #42431 and #42401 for 4.7.
Built from https://develop.svn.wordpress.org/branches/4.7@42231
git-svn-id: http://core.svn.wordpress.org/branches/4.7@42060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:08:36 +00:00
John Blackbourn
ccc801963c
General: Remove the version number from the readme file in the 4.7 branch.
...
See #42386
Built from https://develop.svn.wordpress.org/branches/4.7@42100
git-svn-id: http://core.svn.wordpress.org/branches/4.7@41929 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 18:06:45 +00:00
Gary Pendergast
b14e1b3d42
Bump 4.7 branch to version 4.7.7.
...
Built from https://develop.svn.wordpress.org/branches/4.7@42070
git-svn-id: http://core.svn.wordpress.org/branches/4.7@41899 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:13:33 +00:00
Gary Pendergast
cf1f0311c8
Database: Restore numbered placeholders in `wpdb::prepare()`.
...
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.
This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.
Merges [41662], [42056] to the 4.7 branch.
See #41925 .
Built from https://develop.svn.wordpress.org/branches/4.7@42058
git-svn-id: http://core.svn.wordpress.org/branches/4.7@41887 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:34:34 +00:00
Dominik Schilling
0a70974b31
Taxonomy/Users: Use correct escaping function for URLs.
...
Merge of [41522] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@41524
git-svn-id: http://core.svn.wordpress.org/branches/4.7@41357 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 21:21:35 +00:00