- Editor: Fix Path Traversal issue on Windows in Template-Part Block.
- Editor: Sanitize Template Part HTML tag on save.
- HTML API: Run URL attributes through `esc_url()`.
Merges [58470], [58471], [58472] and [58473] to the 6.2 branch.
Props xknown, peterwilsoncc, jorbin, bernhard-reiter, azaozz, dmsnell, gziolo.
Built from https://develop.svn.wordpress.org/branches/6.2@58479
git-svn-id: http://core.svn.wordpress.org/branches/6.2@57928 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Install: When populating options, maybe_serialize instead of always serialize.
- Uploads: Check for and verify ZIP archives.
Merges [57388] and [57389] to the 6.2 branch.
Props costdev, peterwilsoncc, azaozz, tykoted, johnbillion, desrosj, afragen, jorbin, xknown.
Built from https://develop.svn.wordpress.org/branches/6.2@57393
git-svn-id: http://core.svn.wordpress.org/branches/6.2@56899 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- REST API: Limit `search_columns` for users without `list_users`.
- Comments: Prevent users who can not see a post from seeing comments on it.
- Application Passwords: Prevent the use of some pseudo protocols in application passwords.
- Restrict media shortcode ajax to certain type
- REST API: Ensure no-cache headers are sent when methods are overridden.
- Prevent unintended behavior when certain objects are unserialized.
Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 6.2 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/6.2@56895
git-svn-id: http://core.svn.wordpress.org/branches/6.2@56406 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In PHPUnit 10.3.5, 9.6.13 and 8.5.34, the child processes used for process isolation now use temporary files to communicate their result to the parent process.
This caused a failure in some tests that set the `open_basedir` PHP directive to a value that did not include `sys_get_temp_dir()`.
This adds `sys_get_temp_dir()` to the `open_basedir` value set by the tests to ensure that permission is still granted for the temporary directory.
PHPUnit uses `sys_get_temp_dir()`. To ensure the result is the same, Core's `get_temp_dir()` function is not used.
References:
- https://github.com/sebastianbergmann/phpunit/issues/5356
Props desrosj, mukesh27, SergeyBiryukov, costdev.
Merges [56622] to the 6.2 branch.
See #59394.
Built from https://develop.svn.wordpress.org/branches/6.2@56625
git-svn-id: http://core.svn.wordpress.org/branches/6.2@56137 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates the block editor related npm dependencies to their latest patch versions ahead of WordPress 6.2.1 RC1.
Updated packages:
- @wordpress/annotations@2.26.4
- @wordpress/block-directory@4.3.12
- @wordpress/block-editor@11.3.10
- @wordpress/block-library@8.3.12
- @wordpress/components@23.3.7
- @wordpress/customize-widgets@4.3.12
- @wordpress/edit-post@7.3.12
- @wordpress/edit-site@5.3.12
- @wordpress/edit-widgets@5.3.12
- @wordpress/editor@13.3.10
- @wordpress/format-library@4.3.10
- @wordpress/interface@5.3.8
- @wordpress/list-reusable-blocks@4.3.7
- @wordpress/preferences@3.3.7
- @wordpress/reusable-blocks@4.3.10
- @wordpress/rich-text@6.3.4
- @wordpress/server-side-render@4.3.7
- @wordpress/widgets@3.3.10
This changeset includes the following fixes:
- i18n: Add context to labels related to CSS position properties gutenberg#49135
- Comments: Fix 'sprintf requires more than 1 params' error gutenberg#49054
- Fix the site editor loading in multi-site installs gutenberg#49861
- Fix quick inserter going off-screen in some situations gutenberg#49881
- Site Editor: Decode the site title properly gutenberg#49685
- Firefox: fix input rules (React async state issue) gutenberg#48210
- Only show alignment info when parent layout is constrained. gutenberg#49703
- [Inserter]: Fix onHover error on patterns tab in mobile gutenberg#49450
- Fix site editor redirection after creating new template or template part gutenberg#49364
Props mamaduka, audrasjb, wildworks, ocean90, aristath, costdev, hellofromtonya, youknowriad, mdxfr, oandregal, mattwiebe, bph, ndiego, talldanwp, joen, ellatrix, kevin940726, isabel_brison, andrewserong, ntsekouras, welcher.
Merges [55737] to branch 6.2.
Fixes #58274.
Built from https://develop.svn.wordpress.org/branches/6.2@55738
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55250 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Replace `preg_match_all()` and its secondary `str_replace()` call with `preg_replace_callback()`.
- Fix case where paths beginning with `http` and `https` (but not `http:` and `https:`) were erroneously not counted as relative.
- Improve code style and readability by consolidating conditions and returning once.
- Use `str_starts_with()` consistently instead of `strpos()`.
Follow-up to [52036], [52695], and [52754].
Props westonruter, adamsilverstein, azaozz.
Merges [55658] and [55669] to the 6.2 branch.
Fixes #58069.
See #54243.
Built from https://develop.svn.wordpress.org/branches/6.2@55736
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55248 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset removes the `aligncenter` class from `h2` and `is-subheading` items in the WordPress 6.2 About Page, for more consistent alignment. Also, future minor releases will add more left-aligned paragraphs under the "Maintenance Releases" section.
Props shagors, sabernhardt, mukesh27, amin7, costdev, pavanpatil1, audrasjb.
Merges [55716] to the 6.2 branch.
Fixes #57387.
Built from https://develop.svn.wordpress.org/branches/6.2@55731
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55243 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This moves a reference link in `::get_attribute_names_with_prefix()` below the code example, so that it is correctly displayed in the Developer Resources.
Includes updating some other `@see` tags for consistency as per the documentation standards.
Additionally, the example code for `WP_HTML_Tag_Processor::get_tag()` is updated to show lowercase tag names in the input HTML, so that it does not convey the wrong impression that the uppercase output from `::get_tag()` depends on the case of the input HTML.
Follow-up to [55203].
Props dmsnell, johnbillion, audrasjb, SergeyBiryukov.
Merges [55724] to the 6.2 branch.
Fixes #58254.
Built from https://develop.svn.wordpress.org/branches/6.2@55728
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55240 1a063a9b-81f0-0310-95a4-ce76da25c4cd
A bug was discovered where the parser wasn't returning to the
start of the affected tag after making some updates.
In few words, the Tag Processor has not been treating its own internal
pointer `bytes_already_parsed` the same way it treats its bookmarks.
That is, when updates are applied to the input document and then
`get_updated_html()` is called, the internal pointer transfers to
the newly-updated content as if no updates had been applied since
the previous call to `get_updated_html()`.
In this patch we're creating a new "shift accumulator" to account for
all of the updates that accrue before calling `get_updated_html()`.
This accumulated shift will be applied when swapping the input document
with the output buffer, which should result in the pointer pointing to
the same logical spot in the document it did before the update.
In effect this patch adds a single workaround for treating the
internal pointer like a bookmark, plus a temporary pointer which points
to the beginning of the current tag when calling `get_updated_html()`.
This will preserve the assumption that updating a document doesn't
move that pointer, or shift which tag is currently matched.
Props dmsnell, zieladam.
Merges [55706] to the 6.2 branch.
Fixes #58179.
Built from https://develop.svn.wordpress.org/branches/6.2@55708
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55220 1a063a9b-81f0-0310-95a4-ce76da25c4cd
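The pointer problem described in the commit message above, as an added toy model (not code from the commit or from `WP_HTML_Tag_Processor`): queued edits change the document length, so a byte offset taken before the edits is only valid afterwards if the accumulated shift is applied. The function name, update format and sample HTML are constructed for this example.

```php
<?php
// Toy model added for illustration; this is not WP_HTML_Tag_Processor.
// An update replaces bytes [start, end) of the input with 'text'.

/**
 * Applies queued updates and returns array( new_html, new_pointer ).
 * With $accumulate false the pointer is carried over unchanged (the bug).
 */
function apply_updates( string $html, array $updates, int $pointer, bool $accumulate ): array {
	usort( $updates, fn( $a, $b ) => $a['start'] <=> $b['start'] );

	$out   = '';
	$at    = 0;
	$shift = 0; // Net length change of every edit that precedes the pointer.

	foreach ( $updates as $u ) {
		$out .= substr( $html, $at, $u['start'] - $at ) . $u['text'];
		$at   = $u['end'];
		if ( $u['end'] <= $pointer ) {
			$shift += strlen( $u['text'] ) - ( $u['end'] - $u['start'] );
		}
	}
	$out .= substr( $html, $at );

	return array( $out, $accumulate ? $pointer + $shift : $pointer );
}

// Constructed input: the parser has consumed the IMG tag and sits at "<p>".
$html    = '<img src="a.png"><p>next</p>';
$pointer = strpos( $html, '<p>' );
$updates = array(
	array( 'start' => 4, 'end' => 4, 'text' => ' class="wide"' ), // before the pointer
	array( 'start' => 20, 'end' => 24, 'text' => 'following' ),    // after the pointer
);

foreach ( array( 'stale pointer' => false, 'shifted pointer' => true ) as $label => $accumulate ) {
	list( $out, $p ) = apply_updates( $html, $updates, $pointer, $accumulate );
	printf( "%-16s offset %2d resumes at: %s\n", $label, $p, substr( $out, $p ) );
}
```

With the stale offset the model resumes inside the IMG tag it had already processed; with the shift applied it resumes at the same logical position, the opening `<p>`.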
Update the security policy displayed on GitHub, `SECURITY.md`, to refer visitors to the [https://hackerone.com/wordpress HackerOne WordPress program] for the full policy.
This allows the project to maintain a single source of truth and avoid the potential for conflicting information across the two sites.
Props desrosj, hellofromTonya, costdev.
Merges [55670] to the 6.2 branch.
Fixes #57937.
Built from https://develop.svn.wordpress.org/branches/6.2@55679
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55191 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Comments created by means of a tag closer with an invalid tag name, e.g. `</3>`.
- Comments closed with the invalid `--!>` closer. (Comments should be closed by `-->` but if the `!` appears it will also close it, in error.)
- Empty tag name elements, which are technically skipped over and aren't comments, e.g. `</>`.
Props dmsnell, costdev.
Merges [55667] to the 6.2 branch.
Fixes #58007.
Built from https://develop.svn.wordpress.org/branches/6.2@55668
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55180 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When setting a new value for an attribute multiple times and providing
multiple case variations of the attribute name the Tag Processor has
been appending multiple copies of the attribute into the updated HTML.
This means that only the first attribute set determines the value in
the final output, plus the output will //appear// wrong.
In this patch we're adding a test to catch the situation and resolving it
by using the appropriate comparable attribute name as a key for storing
the updates as we go. Previously we stored updates to the attribute by
its given `$name`, but when a new update of the same name with a
case variant was queued, it would not override the previously-enqueued
value as it ought to have.
Props dmsnell, zieladam.
Merges [55659] to the 6.2 branch.
Fixes #58146.
Built from https://develop.svn.wordpress.org/branches/6.2@55662
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55174 1a063a9b-81f0-0310-95a4-ce76da25c4cd
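The duplicate-attribute behaviour described in the commit message above, as an added toy model (not code from the commit or from WordPress): keying queued updates by the name as given lets a case variant add a second copy, and because HTML attribute names compare case-insensitively and the first duplicate wins, the later value never takes effect. All function names and the sample attribute are constructed for this example.

```php
<?php
// Toy model added for illustration; function names are hypothetical.

/** Queues an attribute update, keyed by the given or the case-folded name. */
function queue_update( array &$queue, string $name, string $value, bool $fold_case ): void {
	$key           = $fold_case ? strtolower( $name ) : $name;
	$queue[ $key ] = sprintf( '%s="%s"', $name, htmlspecialchars( $value, ENT_QUOTES ) );
}

/** Serializes the queued attributes onto a tag. */
function render_tag( string $tag, array $queue ): string {
	return '<' . $tag . ' ' . implode( ' ', $queue ) . '>';
}

/** Returns the attributes an HTML parser would keep: first duplicate wins. */
function effective_attributes( string $tag_html ): array {
	preg_match_all( '/([^\s=<>"\']+)="([^"]*)"/', $tag_html, $matches, PREG_SET_ORDER );
	$seen = array();
	foreach ( $matches as $pair ) {
		$name = strtolower( $pair[1] );
		if ( ! array_key_exists( $name, $seen ) ) {
			$seen[ $name ] = $pair[2];
		}
	}
	return $seen;
}

// Constructed scenario: the same attribute is set twice with different casing.
foreach ( array( 'by given name' => false, 'by folded name' => true ) as $label => $fold_case ) {
	$queue = array();
	queue_update( $queue, 'data-enabled', 'yes', $fold_case );
	queue_update( $queue, 'DATA-ENABLED', 'no', $fold_case ); // The later call should win.
	$html = render_tag( 'div', $queue );
	printf( "%-15s %s => %s\n", $label, $html, json_encode( effective_attributes( $html ) ) );
}
```

This matters for any code that rewrites an attribute as a filtering step: with the by-name key, the value written last is present in the markup but is not the one a parser honours.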
This brings more consistency with other screens and avoids a PHP warning in `get_plugin_page_hookname()`:
{{{
preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated
}}}
Follow-up to [13257], [13366], [55263].
Props nendeb55, costdev, SergeyBiryukov.
Merges [55552] to the 6.2 branch.
Fixes #57918.
Built from https://develop.svn.wordpress.org/branches/6.2@55639
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55151 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset replaces a `notice-updated` class with `notice-success` to fix an issue where the notices were using a gray border color instead of green when enabling or disabling a theme for a network.
Follow-up to [55418].
Props ocean90, audrasjb, marineevain, SergeyBiryukov, dhrumilk, chiragrathod103.
Merges [55584] to the 6.2 branch.
Fixes #58096.
Built from https://develop.svn.wordpress.org/branches/6.2@55638
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55150 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes a few WPCS warnings along the lines of:
* Array double arrow not aligned correctly
* Equals sign not aligned with surrounding statements
* Usage of ELSE IF is discouraged; use ELSEIF instead
Follow-up to [55099], [55192], [55194], [55271].
Props davidbaumwald, jrf, SergeyBiryukov.
Merges [55606] to the 6.2 branch.
Fixes #57994.
Built from https://develop.svn.wordpress.org/branches/6.2@55636
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55148 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If `SCRIPT_DEBUG` is disabled, `register_block_style_handle()` loads core blocks' styles with the `.min` suffix, while non-core ones never use the minified files, but the suffix was still mistakenly included in the `-rtl` file lookup.
This commit updates the logic to match the style path set earlier in the function, ensuring that RTL stylesheets are loaded properly for both core and non-core blocks, with or without `SCRIPT_DEBUG`.
Follow-up to [49982], [50836], [54330], [55486].
Props david.binda.
Merges [55544] and [55547] to the 6.2 branch.
Fixes #57903.
Built from https://develop.svn.wordpress.org/branches/6.2@55635
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55147 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In a recent change, `comment_time()` was updated to accept a `$comment_id` parameter for consistency with `comment_date()`, following a similar change for `get_comment_time()`.
However, the new parameter was not correctly passed to `get_comment_time()` inside the function. It should be passed as the fourth parameter after `$format`, `$gmt` and `$translate`, not the second.
This commit adds the missing arguments and a few unit tests to confirm the correct behavior.
Follow-up to [55284], [55287], [55308].
Props costdev, tmatsuur, ugyensupport, johnbillion.
Merges [55632] to the 6.2 branch.
Fixes #58064.
Built from https://develop.svn.wordpress.org/branches/6.2@55634
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55146 1a063a9b-81f0-0310-95a4-ce76da25c4cd
On the About page, wraps the Field Guide's link in `__()` to provide a localized field guide, when available.
Follow-up to [55600].
Props davidbaumwald, sergeybiryukov, desrosj, javiercasares, oglekler, mukesh27, clorith, eboxnet, costdev, ocean90.
Reviewed by sergeybiryukov.
Merges [55601] to the 6.2 branch.
Fixes #57477.
Built from https://develop.svn.wordpress.org/branches/6.2@55603
git-svn-id: http://core.svn.wordpress.org/branches/6.2@55115 1a063a9b-81f0-0310-95a4-ce76da25c4cd