Commit Graph

36156 Commits

Author SHA1 Message Date
John Blackbourn ce44be8623 Hardening: Remove the ability to upload JavaScript files for users who do not have the `unfiltered_html` capability.
Merges [42261] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@42275


git-svn-id: http://core.svn.wordpress.org/branches/4.7@42104 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:20:35 +00:00
John Blackbourn 6ad95824d6 Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
Merges [42260] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@42274


git-svn-id: http://core.svn.wordpress.org/branches/4.7@42103 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:19:34 +00:00
John Blackbourn e951da4039 Hardening: Add escaping to the language attributes used on `html` elements.
Merges [42259] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@42273


git-svn-id: http://core.svn.wordpress.org/branches/4.7@42102 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:18:35 +00:00
John Blackbourn 547fd42bfe Hardening: Use a properly generated hash for the `newbloguser` key instead of a determinate substring.
Merges [42258] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@42272


git-svn-id: http://core.svn.wordpress.org/branches/4.7@42101 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:17:35 +00:00
John Blackbourn 7b76bf79e7 Users: Correct the value of the `lang` attribute in the admin area.
This corrects the value when the user's language is set to `English (United States)` but the site language is not.

Props ocean90, afercia

See #42242

Merges [42220] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@42263


git-svn-id: http://core.svn.wordpress.org/branches/4.7@42092 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:06:34 +00:00
Dion Hulse 2bb8ddb13f WPDB: Check that `AUTH_SALT` is not empty, Fix a PHP notice when `AUTH_SALT` is undefined.
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.7 branch.
Fixes #42431 and #42401 for 4.7.

Built from https://develop.svn.wordpress.org/branches/4.7@42231


git-svn-id: http://core.svn.wordpress.org/branches/4.7@42060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:08:36 +00:00
John Blackbourn ccc801963c General: Remove the version number from the readme file in the 4.7 branch.
See #42386

Built from https://develop.svn.wordpress.org/branches/4.7@42100


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41929 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 18:06:45 +00:00
Gary Pendergast b14e1b3d42 Bump 4.7 branch to version 4.7.7.
Built from https://develop.svn.wordpress.org/branches/4.7@42070


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41899 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:13:33 +00:00
Gary Pendergast cf1f0311c8 Database: Restore numbered placeholders in `wpdb::prepare()`.
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

Merges [41662], [42056] to the 4.7 branch.
See #41925.


Built from https://develop.svn.wordpress.org/branches/4.7@42058


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41887 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:34:34 +00:00
Dominik Schilling 0a70974b31 Taxonomy/Users: Use correct escaping function for URLs.
Merge of [41522] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@41524


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41357 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 21:21:35 +00:00
Dominik Schilling f920f99c1c Bump 4.7 branch to version 4.7.6.
Built from https://develop.svn.wordpress.org/branches/4.7@41511


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41344 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 19:56:36 +00:00
Dominik Schilling ec72da84f3 Bump 4.7 branch to version 4.7.3.
Built from https://develop.svn.wordpress.org/branches/4.7@41510


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41343 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 19:51:32 +00:00
Aaron Campbell 727aa4586a Database: Hardening to bring `wpdb::prepare()` inline with documentation.
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.

Merges [41496] to 4.7 branch.


Built from https://develop.svn.wordpress.org/branches/4.7@41498


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41331 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 18:12:33 +00:00
Aaron Campbell 8e19eed411 Database: Don’t trigger `_doing_it_wrong()` for null values in `wpdb::prepare()`.
While `wpdb::prepare()` does not support null values (see #12819) they still appear in the wild like in the WordPress Importer and other plugins.

Merges [41483] to 4.7 branch.


Built from https://develop.svn.wordpress.org/branches/4.7@41485


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41318 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 16:20:06 +00:00
Aaron Campbell 5b685405be Database: Hardening for `wpdb::prepare()`
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 4.7 branch.


Built from https://develop.svn.wordpress.org/branches/4.7@41472


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41305 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 14:59:36 +00:00
John Blackbourn 2915a1c876 Filesystem API: Ensure filenames are valid before attempting to unzip them to ensure malformed file paths don't cause issues.
Merges [41457] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@41459


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41292 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 14:38:34 +00:00
Aaron Campbell 2a7026d88f oEmbed: Add extra hardening around allowed HTML for improved sandboxing.
Merges [41448] to 4.7 branch.



Built from https://develop.svn.wordpress.org/branches/4.7@41451


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41284 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 13:48:35 +00:00
Dominik Schilling af0877f0db TinyMCE: Improve the previews for shortcodes.
Merge of [41395] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@41436


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41269 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 12:42:05 +00:00
Dominik Schilling c259dff63c Customize: Ensure valid themes in the preview.
Merge of [41397] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@41430


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41263 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 11:51:06 +00:00
Dominik Schilling a0af012ed0 Taxonomy/Users: Provide a fallback for incorrect HTTP referrers.
Merge of [41398] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@41418


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41251 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 11:12:08 +00:00
John Blackbourn 7c8fbd2966 General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.
Merges [41412] to the 4.7 branch

See #13377

Built from https://develop.svn.wordpress.org/branches/4.7@41413


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41246 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 10:21:48 +00:00
Dominik Schilling 1e45c3e2fe Editor: Prevent adding `javascript:` and `data:` URLs through the inline link dialog.
Merge of [41393] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@41401


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41234 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 10:16:08 +00:00
John Blackbourn fae164a240 Build/Test tools: Trim the test matrix on Travis in order to speed up the 4.7 branch build.
This removes the PHP 7.0, 5.5, 5.4, 5.3, and nightly jobs.

Fixes #41707

Built from https://develop.svn.wordpress.org/branches/4.7@41307


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41138 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-08-22 21:41:32 +00:00
John Blackbourn f8663be50e Build/Test Tools: Remove ancient UT ticket handling for the 4.7 branch.
See #40533

Merges [40523] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@41305


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41137 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-08-22 19:59:36 +00:00
John Blackbourn 9cc990bb3e Build/Test tools: Use the latest in the 4.x and 6.x branches of PHPUnit when running tests on Travis for the 4.7 branch.
See #41472

Merges [41294] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@41296


git-svn-id: http://core.svn.wordpress.org/branches/4.7@41136 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-08-22 17:11:09 +00:00
John Blackbourn b98a29c182 Build: Switch PHP 5.2 and 5.3 to Travis' Ubuntu `precise` image
Starting today, Travis will begin switching the default image to `trusty`, which does not support PHP 5.2 or 5.3.

This is not a full fix, because Travis will be dropping `precise` support entirely in September (https://github.com/travis-ci/travis-ci/issues/8072).  However, it buys us some time until then.

See #41292

Merges [41072] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@41074


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40925 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-07-18 13:06:34 +00:00
John Blackbourn 61af9be9c6 Build/Test Tools: Fix PHP 5.2 compatibility for grandchild methods which expect exceptions to be raised.
This is due to `is_callable( 'parent::setExpectedException' )` not being supported on PHP 5.2 when the method being checked only exists on the grandparent class.

See #39822

Merges [40872] and [40873] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@40876


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40726 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-06-05 10:42:38 +00:00
Konstantin Obenland 7783f8a29b Import Twenty Sixteen for the 4.7 branch.
See #36497.

Built from https://develop.svn.wordpress.org/branches/4.7@40855


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40706 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-30 22:57:36 +00:00
John Blackbourn 1802c0b26d Build/Test Tools: Add a missing class to the PHPUnit 6 back compat.
See #39822

Merges [40853] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@40854


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40705 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-30 22:08:35 +00:00
Aaron Campbell 819af82764 Post-4.7.5 version bump for 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@40770


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40628 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 23:01:32 +00:00
Aaron Campbell 9fad803761 Bump 4.7 branch to version 4.7.5.
Built from https://develop.svn.wordpress.org/branches/4.7@40748


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40606 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 21:48:33 +00:00
Pascal Birchler 314556b55c Media: Simplify upload error message construction.
Merges [40736] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@40737


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40595 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 18:00:35 +00:00
Pascal Birchler 79988bff38 REST API: JS Client - Enable connecting to multiple endpoints.
Enable connecting to multiple wp-api `endpoints`. Calling `wp.api.init` with a new `apiRoot` will parse the new endpoint's schema and store a new set of models and collections. A collection of 
connected endpoints is stored in `wp.api.endpoints`.

Props lucasstark.
Fixes #39683.

Merges [40364] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@40735


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 16:35:33 +00:00
Aaron Campbell a86f61290e Add nonce for updating file system credentials.
Merges [40723] to 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@40724


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40582 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 14:51:35 +00:00
Weston Ruter 58075bfc88 Customize: Fix phpunit tests after [40704] due to logic inversion error.
Merge of [40716] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@40717


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40580 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 14:37:35 +00:00
Dominik Schilling 2d7fa9d0dc Customize: Ignore invalid customization sessions.
Merge of [40704] to the 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@40705


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40568 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 12:14:35 +00:00
Pascal Birchler 0f3180de02 Adjust post meta checks
Merges [40692] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@40693


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40556 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:48:34 +00:00
Pascal Birchler 8ef530d469 Improve redirect handling
Merges[40689] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@40690


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40553 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:40:36 +00:00
Pascal Birchler 031cbb0548 Whitelist post arguments in XML-RPC
Merges [40677] to the 4.7 branch.

Built from https://develop.svn.wordpress.org/branches/4.7@40678


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40541 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:17:34 +00:00
Dion Hulse 22f5836c8c Bump Akismet external to 3.3.2
See #40002


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40508 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-12 04:08:46 +00:00
Aaron Jorbin d2a0e52c43 Build/Test: Post Travis results to Slack from WordPress/wordpress-develop
Backports [40604] to 4.7

Now that the WordPress/wordpress-develop GitHub repo is syncing correctly, we can use it for Travis integration.

Props jorbin for getting the ball rolling so long ago, unprops jorbin because his Travis build can finally be retired. Props Pento.

Fixes #40712.

Built from https://develop.svn.wordpress.org/branches/4.7@40616


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40486 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-11 00:31:33 +00:00
Dion Hulse 7b810872a1 Bump Akismet external to 3.3.1
See #40002


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40437 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-02 23:36:14 +00:00
John Blackbourn 799bdcec00 Build/Test Tools: Backport various recent changes to the 4.7 branch.
* Add support for PHPUnit 6+.
* Add Composer files to the cache on Travis.
* Remove HHVM from the test infrastructure on Travis.

Merges [40536], [40538], [40539], and [40546] to the 4.7 branch.

See #40539
Fixes #39822, #40548

Built from https://develop.svn.wordpress.org/branches/4.7@40547


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40423 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-24 00:38:35 +00:00
Boone Gorges 820070e588 Restore support for taxonomy 'args' override when querying object terms.
[7520] introduced an undocumented feature whereby developers could
register a custom taxonomy with an 'args' parameter, consisting of
an array of config params that, when present, override corresponding
params in the `$args` array passed to `wp_get_object_terms()` when
using that function to query for terms in the specified taxonomy.

The `wp_get_object_terms()` refactor in [38667] failed to respect
this secret covenant, and the current changeset atones for the
transgression.

Ports [40513] to the 4.7 branch.

Props danielbachhuber.
Fixes #40496.

Built from https://develop.svn.wordpress.org/branches/4.7@40514


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40390 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-21 19:18:36 +00:00
Dion Hulse 0516c67beb List Tables: After [38703], [38706], and [40118], adjust the jQuery selector to make the selection of a range of checkboxes work again.
Unprop afercia.
Merges [40268] to the 4.7 branch.
Fixes #40056.

Built from https://develop.svn.wordpress.org/branches/4.7@40512


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40388 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-21 07:36:37 +00:00
Pascal Birchler 75de3e9c44 Post-4.7.4 version bump for 4.7 branch.
Built from https://develop.svn.wordpress.org/branches/4.7@40509


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40385 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-20 18:54:36 +00:00
Pascal Birchler 8cf8ada93d Bump 4.7 branch to version 4.7.4.
Built from https://develop.svn.wordpress.org/branches/4.7@40487


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40363 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-20 16:21:36 +00:00
Andrew Ozz 84387613b6 TinyMCE: Fix cursor position after updating a wpview node. Fix hiding the inline toolbar on editor blur.
Props iseulde, azaozz.

Merges [40481] to the 4.7 branch.
Fixes #40480.

Built from https://develop.svn.wordpress.org/branches/4.7@40482


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40358 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-19 22:18:36 +00:00
Pascal Birchler 9e791361e1 Bump 4.7 branch to 4.7.4-RC1.
Built from https://develop.svn.wordpress.org/branches/4.7@40475


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40351 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-18 17:06:37 +00:00
Pascal Birchler 8e0e34aa23 4.7.4-RC
Built from https://develop.svn.wordpress.org/branches/4.7@40474


git-svn-id: http://core.svn.wordpress.org/branches/4.7@40350 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-18 15:52:36 +00:00