Introduces client- and server-side validation to ensure the `replytocom` query string parameter cannot be exploited to reply to an unapproved comment or display the name of an unapproved commenter.
This only affects commenting via the front end of the site. Comment replies via the dashboard continue their current behaviour of logging the reply and approving the parent comment.
Introduces the `$post` parameter, defaulting to the current global post, to `get_cancel_comment_reply_link()` and `comment_form_title()`.
Introduces `_get_comment_reply_id()` for determining the comment reply ID based on the `replytocom` query string parameter.
Renames the parameter `$post_id` to `$post` in `get_comment_id_fields()` and `comment_id_fields()` to accept either a post ID or `WP_Post` object.
Adds a new `WP_Error` return state to `wp_handle_comment_submission()` to prevent replies to unapproved comments. The error code is `comment_reply_to_unapproved_comment` with the message `Sorry, replies to unapproved comments are not allowed.`.
Props costdev, jrf, hellofromtonya, fasuto, boniu91, milana_cap.
Fixes #53962.
Built from https://develop.svn.wordpress.org/trunk@55369
git-svn-id: http://core.svn.wordpress.org/trunk@54902 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fixes the conditions for when to enqueue the opinionated block styles (i.e. `'wp-block-library-theme'` stylesheet):
* the theme adds `'wp-block-styles'` theme support;
* and no editor styles are declared.
This resolves an issue with themes that do not add the `'wp-block-styles'` theme support while not impacting themes that do.
Follow-up to [53419], [52069], [50761], [44157].
Props mikachan, costdev, glendaviesnz, hellofromTonya, jffng, mamaduka, ndiego, poena, sannevndrmeulen, scruffian.
Fixes #57561.
Built from https://develop.svn.wordpress.org/trunk@55368
git-svn-id: http://core.svn.wordpress.org/trunk@54901 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This resolves a fatal error and displays an actionable message if the `mysqli` PHP extension is missing.
Previously, `wp_check_php_mysql_versions()` performed an early check whether `mysql`, `mysqli`, or `mysqlnd` extensions are loaded, but that did not work if the `mysqlnd` extension is the only one present.
Checking specifically for `mysqli_connect()` or `mysql_connect()` functions should be a more reliable approach and more closely mirrors the existing checks in the `wpdb` class.
Follow-up to [1955], [4489], [7234], [12732], [19760], [27257], [36434].
Props bgin, desrosj, dimadin, ipajen, hellofromTonya, sc0ttkclark, azaozz, SergeyBiryukov.
Fixes #51988.
Built from https://develop.svn.wordpress.org/trunk@55367
git-svn-id: http://core.svn.wordpress.org/trunk@54900 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `$post_ID` variable is [546f59c678/WordPress/Sniffs/NamingConventions/ValidVariableNameSniff.php (L54) technically allowed in WPCS], as there is a global of the same name that needs to remain for backward compatibility. However, this name is mostly a remnant of legacy code, and switching to `$post_id` where appropriate brings more consistency with the rest of core.
Additionally, this commit resolves a few WPCS warnings in core:
{{{
Variable "$post_IDs" is not in valid snake_case format
}}}
This affects:
* Function parameters in:
  * `add_meta()`
  * `post_preview()`
  * `WP_Embed::delete_oembed_caches()`
  * `WP_Embed::cache_oembed()`
  * `wp_get_post_cats()`
  * `wp_set_post_cats()`
  * `wp_unique_post_slug()`
  * `wp_set_post_categories()`
  * `wp_check_post_hierarchy_for_loops()`
  * `wp_add_trashed_suffix_to_post_name_for_trashed_posts()`
  * `wp_filter_wp_template_unique_post_slug()`
  * `wp_xmlrpc_server::add_enclosure_if_new()`
  * `wp_xmlrpc_server::attach_uploads()`
  * `wp_xmlrpc_server::mt_getTrackbackPings()`
* Internal variables in:
  * `wp_ajax_inline_save()`
  * `wp_ajax_set_post_thumbnail()`
  * `wp_ajax_get_post_thumbnail_html()`
  * `edit_post()`
  * `bulk_edit_posts()`
  * `wp_write_post()`
  * `WP_Embed::shortcode()`
  * `wp_insert_post()`
  * `wp_xmlrpc_server::_insert_post()`
  * `wp_xmlrpc_server::blogger_getPost()`
  * `wp_xmlrpc_server::blogger_newPost()`
  * `wp_xmlrpc_server::blogger_editPost()`
  * `wp_xmlrpc_server::blogger_deletePost()`
  * `wp_xmlrpc_server::mw_getPost()`
  * `wp_xmlrpc_server::mw_newPost()`
  * `wp_xmlrpc_server::mw_editPost()`
  * `wp_xmlrpc_server::mt_getPostCategories()`
  * `wp_xmlrpc_server::mt_setPostCategories()`
  * `wp_xmlrpc_server::mt_publishPost()`
  * `wp_xmlrpc_server::pingback_ping()`
* Hook parameters in:
  * `oembed_ttl`
  * `embed_oembed_html`
  * `wp_insert_post_parent`
  * `add_trashed_suffix_to_trashed_posts`
  * `pre_post_update`
  * `edit_attachment`
  * `attachment_updated`
  * `add_attachment`
  * `edit_post_{$post->post_type}`
  * `edit_post`
  * `post_updated`
  * `save_post_{$post->post_type}`
  * `save_post`
  * `wp_insert_post`
  * `pre_wp_unique_post_slug`
  * `wp_unique_post_slug`
  * `xmlrpc_call_success_blogger_newPost`
  * `xmlrpc_call_success_blogger_editPost`
  * `xmlrpc_call_success_blogger_deletePost`
  * `xmlrpc_call_success_mw_newPost`
  * `xmlrpc_call_success_mw_editPost`
Note: The name change only affects variable names and DocBlocks.
The change does not affect the `$post_ID` global still used in a few places.
Follow-up to [51399], [52958], [53723], [53729], [55190], [55308], [55334].
Props mahekkalola, tanjimtc71, SergeyBiryukov.
Fixes #57692.
Built from https://develop.svn.wordpress.org/trunk@55365
git-svn-id: http://core.svn.wordpress.org/trunk@54898 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit renames a few internal variables for better clarity and consistency:
* `$nextpage` to `$next_page` in:
  * `get_next_posts_page_link()`
  * `get_next_posts_link()`
  * `get_next_comments_link()`
* `$nextpage` to `$previous_page` in:
  * `get_previous_posts_page_link()`
* `$prevpage` to `$previous_page` in:
  * `get_previous_comments_link()`
Includes minor code layout fixes for better readability.
Follow-up to [5045], [8502], [8961], [28111].
Props dalirajab, SergeyBiryukov.
Fixes #57746.
Built from https://develop.svn.wordpress.org/trunk@55364
git-svn-id: http://core.svn.wordpress.org/trunk@54897 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, the `rest_pre_dispatch` filter could be used to return a `WP_Error` instance. This would cause a fatal error for `rest_post_dispatch` filters that were rightly expecting a `WP_REST_Response` object to be passed instead.
Props DaveFX, felipeelia.
Fixes #56566.
Built from https://develop.svn.wordpress.org/trunk@55361
git-svn-id: http://core.svn.wordpress.org/trunk@54894 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset fixes an issue where the available theme updates count was not updated after a theme is deleted.
Props nazmulhasan103, riccardodicurti, sabernhardt, ironprogrammer, costdev, robinwpdeveloper, rahmantasnia.
Fixes #57183.
Built from https://develop.svn.wordpress.org/trunk@55359
git-svn-id: http://core.svn.wordpress.org/trunk@54892 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This now runs in local Docker as well. Sets the executable propset to explicitly identify `install-tool.sh` and `setup.sh` as executable. Unclear if this will sync via the Git mirror; ideally it would as otherwise the two files show as modified in a Git clone even in a fresh container.
Props samruddhikhandale.
See #57187.
Built from https://develop.svn.wordpress.org/trunk@55353
git-svn-id: http://core.svn.wordpress.org/trunk@54886 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This avoids a fatal error if these functions are called in a mu-plugin before `$wp_locale` is set:
* `wp_get_list_item_separator()`
* `wp_get_word_count_type()`
Follow-up to [52929], [52933], [55279], [55295].
Props kraftbj.
Fixes #56698.
Built from https://develop.svn.wordpress.org/trunk@55351
git-svn-id: http://core.svn.wordpress.org/trunk@54884 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to clarify a few inline comments related to removing percent-encoded characters and HTML entities.
Affected functions:
* `sanitize_user()`
* `sanitize_title_with_dashes()`
* `sanitize_html_class()`
* `_sanitize_text_fields()`
* `get_comments_number_text()`
Follow-up to [465], [3454], [11433], [12503], [37987].
Props ace100, tanjimtc71, codemonksuvro, SergeyBiryukov.
Fixes #57712.
Built from https://develop.svn.wordpress.org/trunk@55346
git-svn-id: http://core.svn.wordpress.org/trunk@54879 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Layout style properties are stored using indirect values, rather than direct CSS properties.
Allow users without the `unfiltered_html` capability to modify global styles using the indirect block spacing properties `contentSize`, `wideSize`, and `blockGap`, using a mapping of the eventual CSS property to the indirect property stored in `theme.json`. The mapped CSS property is then used for CSS validation.
Props andrewserong, costdev, hellofromtonya, mamaduka, mmtr86.
Fixes #57321.
Built from https://develop.svn.wordpress.org/trunk@55345
git-svn-id: http://core.svn.wordpress.org/trunk@54878 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Sets the `styles` block setting to an empty array in the `REST_Block_Type_Controller_Test::test_get_item_invalid()` test to resolve:
{{{
Warning: foreach() argument must be of type array|object, string given in wp-includes/class-wp-theme-json.php on line 835
}}}
Previously the test set the `styles` setting to a string value, which is incompatible. The problem surfaced after [55172] added a `foreach` to iterate the `styles`. The root cause was due to this test passing a string instead of an array.
Why?
`WP_Block_Type` `styles` property is documented as only accepting an array data type. At the time of this changeset, it does not validate before setting the property.
Code interacting with the property expects it to be an array data type. The PHP Warning alerts of a "doing it wrong" when the incorrect data type is registered for the block type.
Follow-up to [55172], [48173].
Props tanjimtc71, hellofromTonya, kapilpaul.
Fixes #57706.
Built from https://develop.svn.wordpress.org/trunk@55342
git-svn-id: http://core.svn.wordpress.org/trunk@54875 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The call stack for `WP_UnitTestCase_Base::set_up()` includes a call to `WP_List_Util::pluck()`, which creates an inaccurate coverage report for this method.
To resolve, `parent::set_up()` is removed from `Tests_Functions_wpListPluck::set_up()`.
To ensure that deprecation and incorrect usage notices continue to be detectable, `$this->expectDeprecated()` is added in the test's `set_up()` fixture.
Follow-up to [51663], [28900].
Props costdev, jrf, SergeyBiryukov, audrasjb.
Fixes #56706.
Built from https://develop.svn.wordpress.org/trunk@55341
git-svn-id: http://core.svn.wordpress.org/trunk@54874 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Per the [https://developer.wordpress.org/coding-standards/inline-documentation-standards/php/#6-file-headers documentation standards], whenever possible, all WordPress files should contain a header DocBlock, regardless of the file’s contents – this includes files containing classes.
However, this recommendation makes less sense for unit test classes if not applied consistently, and the duplicate tags cause some confusion.
This commit aims to reduce confusion and avoid repeating information by combining the DocBlocks.
Follow-up to [40607], [43183], [43291], [43292], [43499], [43568], [44502], [44535], [44628], [44786], [44824], [44906], [44909], [46175].
Props wojtekn, antonvlasenko, arafatjamil01, hztyfoon, mukesh27, costdev, jamilbd07, robinwpdeveloper, SergeyBiryukov.
Fixes #57099.
Built from https://develop.svn.wordpress.org/trunk@55337
git-svn-id: http://core.svn.wordpress.org/trunk@54870 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Although `add_action` and `add_filter` are internally the same, `pre_get_posts` is an action hook. This change updates the hook type to match what developers would expect when evaluating the code.
Follow-up to [52316].
Props swissspidy, riccardodicurti.
Fixes #57097.
Built from https://develop.svn.wordpress.org/trunk@55335
git-svn-id: http://core.svn.wordpress.org/trunk@54868 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This resolves a few WPCS warnings:
{{{
Variable "$cat_ID" is not in valid snake_case format, try "$cat_i_d"
}}}
Affected functions:
* `wp_delete_category()`
* `get_category_rss_link()`
* `get_catname()`
Follow-up to [836], [2068], [2551], [2695], [6365], [10959], [52958], [55190].
Fixes #56754.
Built from https://develop.svn.wordpress.org/trunk@55334
git-svn-id: http://core.svn.wordpress.org/trunk@54867 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Updates the `@wordpress` packages to include the following changes:
- Add missing period in keyboard shortcut descriptions
- Site Editor: Append template type and name to the site editor page title
- Specify active color state for template navigation button
- Global Styles: Move more link about custom CSS to part of description
- ToolsPanel: Display optional items when values are updated externally
- File block: Re-add editor styles for classic themes
- Enable undo after creating a new menu
- Style Book: Exclude blocks that are not allowed to insert
- Add basic tsconfig.json validation
- Fix Experiments native variant breakage
- Update moment and moment-timezone packages to fix timezone issues
- NavigatorButton: Reuse Button types
- ToolsPanel: Ensure display of optional items when panel id is null
- ColorPalette: Ensure text label contrast checking works with CSS variables
- Components: Add support for named arguments in the navigator components
- Rename experiments package to private-apis
- Cherry-pick CLI: Fix the default label to match the documentation
- Handle block metadata attribute and related experimental APIs
- Fix: Remove browser default border for iframe in the editor
- [Layout]: Fix align controls for hybrid themes
- Visual Regression tests: use default playwright utils
- SelectControl: Fix multiple prop styling
- Fix clicking on the toggle button not closing the block inserter
- Update deps for the useEffect that creates navigation menus
- Minor updates in Private APIs docs
- Site Editor: Fix custom Template Parts rename action
- [Block Library - Cover]: Ensure url is not malformed due to sanitization through wp_kses
- Revert "Prevent the image from being resized larger than its container"
- Lodash: Remove from @wordpress/keycodes package
- Distraction free mode: Fix keyboard shortcut not working
- Popover: lock the __experimentalPopoverPositionToPlacement function
- Rename the "experiments" export to "privateApis"
- Add an aria label to the site save dialog
- Navigator: add more pattern matching tests, refine existing tests
- Add parent navigation support for the navigator component
- Add back link to Design heading in site editor navigation to return to Dashboard
- Add a nested level when selecting templates or template parts
- Move site editor 6.2 specific code to the right file
- Fix site editor navigation
References:
* [1bf01c01a8 Gutenberg's commit for publishing the packages]
Follow-up to [55257].
Props ntsekouras.
See #57471.
Built from https://develop.svn.wordpress.org/trunk@55333
git-svn-id: http://core.svn.wordpress.org/trunk@54866 1a063a9b-81f0-0310-95a4-ce76da25c4cd
As menus are re-arranged, it's possible a menu item was created prior to its parent.
This introduces a test to ensure the order in which menu items are created relevant to their parents does not trigger errors.
Props costdev, peterwilsoncc.
Fixes #57122.
Built from https://develop.svn.wordpress.org/trunk@55328
git-svn-id: http://core.svn.wordpress.org/trunk@54861 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Users should not have to reach the admin menu toggle in order to close the menu. This can be a problem for one-handed mobile use, users with small hands, and numerous other situational usages.
Close the admin menu when focus moves anywhere other than the menu or the menu toggle and the current document is active.
Props kaneva, sabernhardt, costdev, ryokuhi, hellofromtonya, dhusakovic, thelovekesh, joedolson.
Fixes #53587.
Built from https://develop.svn.wordpress.org/trunk@55326
git-svn-id: http://core.svn.wordpress.org/trunk@54859 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Removes the `WP_Error` code for `'Invalid user ID.'`. Why?
tl;dr
This branch will never be entered as the `$user` will never be falsey.
Longer reasoning:
[39954] introduced `WP_REST_Users_Controller::get_user()` method to encapsulate getting the user and handling the `'Invalid user ID.'` `WP_Error`. It replaced `get_userdata()` in `WP_REST_Users_Controller::update_item()` but left the existing `'Invalid user ID.'` `WP_Error` introduced in [38832].
The code removed in this changeset will never be reached because `$user` will never be falsey. Rather, `WP_REST_Users_Controller::get_user()` will always return an instance of `WP_Error` or `WP_User`.
Could the user's ID be falsey?
No. Why? `WP_REST_Users_Controller::get_user()` checks that the user exists, which checks if the ID is falsey.
Therefore, the code can safely be removed.
Follow-up to [39954], [38832].
Props jrf, costdev, hellofromTonya, SergeyBiryukov.
Fixes #56662.
Built from https://develop.svn.wordpress.org/trunk@55325
git-svn-id: http://core.svn.wordpress.org/trunk@54858 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This ensures that `get_comments()` is called with the correct parameter name in:
* `wp_comments_personal_data_exporter()`
* `wp_comments_personal_data_eraser()`
Follow-up to [42888], [42994].
Props smeunus, kapilpaul, SergeyBiryukov.
Fixes #57700.
Built from https://develop.svn.wordpress.org/trunk@55324
git-svn-id: http://core.svn.wordpress.org/trunk@54857 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds styles into `wp-includes/css/classic-themes.css` to restore file block button element styling for classic themes.
Why?
In [54257] and [54118], button element styles were moved from each block to `theme.json`. For the file block, the download button styles were removed from the block's stylesheet. These changes impacted themes without a `theme.json` file (i.e. classic themes).
This changeset restores the styles for backwards-compatibility.
References:
* [https://github.com/WordPress/gutenberg/pull/47686 Gutenberg PR 47686]
Follow-up to [54257], [54118].
Props wildworks, scruffian, mamaduka, ntsekouras.
Fixes #57688.
Built from https://develop.svn.wordpress.org/trunk@55323
git-svn-id: http://core.svn.wordpress.org/trunk@54856 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[52065] originally introduced the logic to guess the LCP image based on certain heuristics and to not lazy-load that image. However, with the introduction of block themes, that logic was not functioning correctly, resulting in all featured images being lazy-loaded, regardless of whether it was the LCP image or not.
Together with an update to the `core/post-featured-image` block included in [55079], this changeset fixes the logic to correctly handle featured images in block themes as well.
Additionally, in combination with an update to the `core/template-part` block from [55246], this changeset includes an enhancement which uses the benefits of block template parts to avoid lazy-loading images in the `header` block template part, making the lazy-loading heuristics even more accurate for sites using a block theme.
Props flixos90, adamsilverstein, mamaduka, antonvlasenko, shahidul95, reduanmasud, costdev, mukesh27, ironprogrammer, manfcarlo, robinwpdeveloper, spacedmonkey.
Fixes #56930.
Built from https://develop.svn.wordpress.org/trunk@55318
git-svn-id: http://core.svn.wordpress.org/trunk@54851 1a063a9b-81f0-0310-95a4-ce76da25c4cd