For error detection and rollback functions WordPress also starts a loopback request to the homepage. This loopback request is made with special parameters that, when they don't match, generate an error. This hardens that flow by exiting out of the check if the nonce or key is missing or the nonce is not saved in the DB. It further hardens it by not caching the failures and asking search engines not to index the URL with the failures.
Props georgwordpress, swissspidy, jorbin.
Fixes #62105.
Built from https://develop.svn.wordpress.org/trunk@59171
git-svn-id: http://core.svn.wordpress.org/trunk@58566 1a063a9b-81f0-0310-95a4-ce76da25c4cd
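The fail-closed check described in the commit message above, as an added stand-alone PHP model that is not WordPress core code. The function name, the `scrape_key` and `scrape_nonce` parameter names, the in-memory store standing in for the DB and the exact header values are all assumptions made for illustration.

```php
<?php
// Added illustration; not WordPress core code. Parameter names and the
// in-memory store are hypothetical stand-ins for the request and the DB.

/**
 * Decide whether a loopback error-check request may proceed.
 *
 * @param array $request Request parameters (for example $_REQUEST).
 * @param array $stored  Map of key => nonce saved before the loopback was sent.
 * @return array{allowed: bool, headers: string[]}
 */
function check_loopback_request( array $request, array $stored ): array {
	// Returned on every rejection: failures must not be cached or indexed.
	$deny = array(
		'allowed' => false,
		'headers' => array(
			'Cache-Control: no-store, no-cache, must-revalidate, max-age=0',
			'X-Robots-Tag: noindex',
		),
	);

	$key   = $request['scrape_key'] ?? null;
	$nonce = $request['scrape_nonce'] ?? null;

	// 1. Missing, empty or non-string parameters: exit before any lookup.
	if ( ! is_string( $key ) || ! is_string( $nonce ) || '' === $key || '' === $nonce ) {
		return $deny;
	}

	// 2. No nonce was saved for this key: there is nothing to compare against.
	if ( ! isset( $stored[ $key ] ) || ! is_string( $stored[ $key ] ) ) {
		return $deny;
	}

	// 3. Constant-time comparison of the saved nonce with the supplied one.
	if ( ! hash_equals( $stored[ $key ], $nonce ) ) {
		return $deny;
	}

	return array( 'allowed' => true, 'headers' => array() );
}

// Constructed sample data.
$stored = array( 'k1' => 'n-4f2a' );
$cases  = array(
	'valid'         => array( 'scrape_key' => 'k1', 'scrape_nonce' => 'n-4f2a' ),
	'missing nonce' => array( 'scrape_key' => 'k1' ),
	'unknown key'   => array( 'scrape_key' => 'k2', 'scrape_nonce' => 'n-4f2a' ),
	'wrong nonce'   => array( 'scrape_key' => 'k1', 'scrape_nonce' => 'guess' ),
	'array input'   => array( 'scrape_key' => array( 'k1' ), 'scrape_nonce' => 'n-4f2a' ),
);
foreach ( $cases as $label => $request ) {
	$result = check_loopback_request( $request, $stored );
	printf( "%-13s => %s\n", $label, $result['allowed'] ? 'proceed' : 'reject' );
}
```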
This originally broke in [58165] and unfortunately went unnoticed for a while because the failing request to send the data did not cause the GitHub workflows to fail. This changeset resolves the underlying access problem, which was happening because reusable GitHub workflows do not automatically receive secrets from the calling workflow. More concretely, the relevant `CODEVITALS_PROJECT_TOKEN` was not being explicitly passed to the reusable workflow.
The changeset also includes a change so that in the future a failing request would cause the workflow to fail, which ensures a similar problem further down the road wouldn't go unnoticed.
Props joemcgill, flixos90, swissspidy, mukesh27, sergeybiryukov
Fixes #62153.
See #61213.
Built from https://develop.svn.wordpress.org/trunk@59170
git-svn-id: http://core.svn.wordpress.org/trunk@58565 1a063a9b-81f0-0310-95a4-ce76da25c4cd
There’s now a number of automated comments left on pull requests to help contributors that a PR can easily be overridden with activity.
Some of the comments are only relevant until a specific action is taken. One such comment is for informing the PR author that a link to a Trac ticket is a requirement for considering any suggested changes.
This updates the pull request comment workflow to remove the comment once a link to a Trac ticket is properly included.
Props debarghyabanerjee.
Fixes #61567.
Built from https://develop.svn.wordpress.org/trunk@59169
git-svn-id: http://core.svn.wordpress.org/trunk@58564 1a063a9b-81f0-0310-95a4-ce76da25c4cd
With PHP 8.4 due out in November later this year, contributors have been working on ensuring WordPress 6.7 is as compatible as possible. Enough progress has been made during this release cycle where PHPUnit tests now run successfully with no failures reported.
This change enables PHP 8.4 testing throughout Core’s GitHub Action workflows to ensure no new problems are introduced going forward.
There are two exceptions to this:
- The Importer plugin has some compatibility issues that produce test failures. There is an open pull request upstream, but these problematic tests have been marked skipped when running on PHP 8.4 until that PR is merged.
- Since no stable versions of xDebug with PHP 8.4 support have been published, these tests are also skipped for now.
Props jrf, desrosj.
See #62061.
Built from https://develop.svn.wordpress.org/trunk@59168
git-svn-id: http://core.svn.wordpress.org/trunk@58563 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In most cases, running the installation testing workflow in forked repositories is unnecessary and wasteful. This adds conditions to that workflow to prevent the tests from running on forks unless a pull request is being made back to that fork.
This pattern is already used across other workflows.
Props jrf.
See #61564.
Built from https://develop.svn.wordpress.org/trunk@59167
git-svn-id: http://core.svn.wordpress.org/trunk@58562 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Includes:
* Correcting the test class name as per the naming conventions.
* Documenting data provider values using hash notation.
* Passing the `$attrs` parameter to the function if not `null`.
Follow-up to [26328], [55563], [59162].
See #61530.
Built from https://develop.svn.wordpress.org/trunk@59163
git-svn-id: http://core.svn.wordpress.org/trunk@58558 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [56515], the default value of `Add New` was changed to "Add New Post / Add New Page". This caused problems with post types where `add_new` was not declared.
Change core usage to reference the `add_new_item` value and revert the default value of `add_new` back to "Add New / Add New". This retains the accessibility advantages without creating counterintuitive usage of the `add_new` key.
With this change, post types registered with no `add_new` key will be unimpacted in core, and post types registered with no `add_new_item` key will use the default "Add New Post", which is not a change from the current state.
Props smerriman, afercia, rcreators, joedolson, eclev91, johnbillion.
Fixes #60045.
Built from https://develop.svn.wordpress.org/trunk@59161
git-svn-id: http://core.svn.wordpress.org/trunk@58556 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fix several settings groups in the discussion options that were written in a compound/sentence structure format. These formats are difficult to parse for screen reader users and have significant layout problems in mobile viewports.
Change settings to use independent labeling.
Props Cheffheid, anthakkar08, DrewAPicture, afercia, jwgoedert, sannevndrmeulen, sudipatel007, tirth03, joedolson.
See #31354.
Built from https://develop.svn.wordpress.org/trunk@59160
git-svn-id: http://core.svn.wordpress.org/trunk@58555 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Expands the use of `wp_get_wp_version()` to get an unmodified value of the current WordPress version in various locations in which it would be unhelpful if a plugin has modified the global `$wp_version`.
This includes:
* Theme and plugin compatibility tests
* During the upgrade process of WP Core
* Debug and site health data reports of the current version
* Version number display in the dashboard
* Block theme export and caching utilities
* The `WPDB` class
Props peterwilsoncc, hellofromtonya.
See #61627.
Built from https://develop.svn.wordpress.org/trunk@59159
git-svn-id: http://core.svn.wordpress.org/trunk@58554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Inline comments must end in full stops, exclamation marks, or question marks.
* There must be exactly one blank line after the file comment.
Follow-up to [24832], [25023], [25088], [25090], [25213], [51045].
Props pitamdey, dhruvang21, aristath.
Fixes #62098.
Built from https://develop.svn.wordpress.org/trunk@59158
git-svn-id: http://core.svn.wordpress.org/trunk@58553 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [59127], `_doing_it_wrong` warnings were added if plugins or themes load translations too early, either through a manual function call or just-in-time loading.
Because many plugins and themes still manually call `load_plugin_textdomain()`, `load_theme_textdomain()` or `load_muplugin_textdomain()`, even though they don't have to anymore, that caused a lot of warnings.
With this new approach, these functions merely register the translations path in the existing `WP_Textdomain_Registry` and do not immediately try to load the translations anymore. The loading is all handled by the just-in-time functionality.
This way, warnings will only be emitted if triggering the just-in-time loading too early, greatly improving the developer experience and to a degree also performance.
Props swissspidy, sergeybiryukov, mukesh27.
See #44937.
Built from https://develop.svn.wordpress.org/trunk@59157
git-svn-id: http://core.svn.wordpress.org/trunk@58552 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Includes:
* Simplifying the logic and bringing some consistency to how the values are checked and displayed.
* Correcting the debug value for `DB_COLLATE`. This should be the actual contents of the constant, and empty if it is indeed empty, as the debug data that's copied and shared should represent the raw value, and does not need to be in a user-readable format.
Follow-up to [45782], [52021], [54239], [59147].
Props Clorith, SergeyBiryukov.
See #58265.
Built from https://develop.svn.wordpress.org/trunk@59155
git-svn-id: http://core.svn.wordpress.org/trunk@58550 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[59083] introduced an issue where Script Modules registered src does not correctly respect the includes path.
Before that change, script modules were registered using includes_url. The patch used a hard-coded path which breaks when sites are not served from the root, e.g. the site root is https://example.com/wp instead of https://example.com/.
Follow-up to [59083].
Props nendeb55, jonsurrell, cbravobernal.
Fixes #62146.
Built from https://develop.svn.wordpress.org/trunk@59154
git-svn-id: http://core.svn.wordpress.org/trunk@58549 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Right now, for example if DB_COLLATE is defined as '', the value will not be shown in the WordPress Constants list, there's just an empty space. This adds a message so it's clearer when the constant is empty.
Props Presskopp, brobken, Clorith.
Fixes #58265.
Built from https://develop.svn.wordpress.org/trunk@59147
git-svn-id: http://core.svn.wordpress.org/trunk@58543 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds tracking of the JPEG XL image type support alongside WebP, HEIC, and AVIF image types when requesting an upgrade from WordPress.org.
This will check for JPEG XL support in both ImageMagick and GD, even though GD technically does not yet have support for JPEG XL.
Props deepakrohilla, swissspidy, dd32, ayeshrajans, samiamnot, joemcgill.
Fixes #62050.
Built from https://develop.svn.wordpress.org/trunk@59140
git-svn-id: http://core.svn.wordpress.org/trunk@58536 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Check whether the media frame menu has action items. If not, hide the sidebar. Prevents showing a sidebar that looks interactive but contains no controls that are interactive. When in Create Gallery mode, the only action available is 'Create Gallery', and it is always active.
Props ukdrahul, ababir, ruchirj, nhrrob, joedolson, shailu25, mukesh27, sudipatel007, dhrumilk.
Fixes #60666.
Built from https://develop.svn.wordpress.org/trunk@59139
git-svn-id: http://core.svn.wordpress.org/trunk@58535 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add an `h1` heading with the existing `login_header()` text string on each view of the login screen. Mark the existing `h1`, used to wrap the WordPress logo, with `role="presentation"`, to remove it from the headings hierarchy.
Props roytanck, joedolson, ryokuhi, sabernhardt, pamprn, nagpai, mukesh27.
Fixes #51786.
Built from https://develop.svn.wordpress.org/trunk@59138
git-svn-id: http://core.svn.wordpress.org/trunk@58534 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates several `devDependencies` to their latest versions:
- `autoprefixer` (`10.4.20`)
- `cssnano` (`7.0.6`)
- `grunt-contrib-qunit` (`10.1.1`)
- `grunt-webpack` (`7.0.0`)
- `postcss` (`8.4.47`)
- `qunit` (`2.22.0`)
- `sass` (`1.79.4`)
- `uuid` (`10.0.0`)
- `wait-on` (`18.0.1`)
Also included are two minor updates to bundled dependencies:
- `json2php` (`0.0.9`)
- `wicg-inert` (`3.1.3`).
After applying these updates, `npm audit fix` and `grunt precommit:css` were run.
See #62137.
Built from https://develop.svn.wordpress.org/trunk@59135
git-svn-id: http://core.svn.wordpress.org/trunk@58531 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add an error notice if a user attempts to apply bulk edits with no items selected. Applies to post lists, comments, taxonomies, and plugins screens.
Props garrett-eclipse, nrqsnchz, sumitsingh, nihar007, royho, sabernhardt, oglekler, quadthemes, ankit-k-gupta, fnpen, ukdrahul, joedolson.
Fixes #45006, #58479.
Built from https://develop.svn.wordpress.org/trunk@59134
git-svn-id: http://core.svn.wordpress.org/trunk@58530 1a063a9b-81f0-0310-95a4-ce76da25c4cd
r59091 introduced a backward compatibility (BC) break for a static homepage that includes a shortcode or block with paginated content that uses the `'paged'` query var, e.g. bbPress.
In this use case, attempting to navigate the shortcode / block's pagination causes a canonical redirect, rather than navigating to the next page of content within that shortcode or block.
Follow-up to [59091].
Props davidbinda, jjj.
See #50163, #meta5184.
Built from https://develop.svn.wordpress.org/trunk@59133
git-svn-id: http://core.svn.wordpress.org/trunk@58529 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Typically, when registering a new block type, its metadata is read from the provided `block.json` file. The more block types are registered on a site, the more costly becomes this process, as it involves filesystem reads and parsing JSON.
WordPress Core's built-in blocks have in the past worked around that by having an auto-generated PHP manifest file that includes the already parsed JSON data for all blocks. This changeset effectively allows plugins to do the same, by introducing a new API function `wp_register_block_metadata_collection()`. The WordPress Core block manifest is now handled using this API as well, rather than custom logic baked into `register_block_type_from_metadata()`.
The `wp_register_block_metadata_collection()` function requires two parameters:
* `$path`: The base path in which block files for the collection reside.
* `$manifest`: The path to the manifest file for the collection.
Every `block.json` file that is supposed to be part of the collection must reside within the provided `$path`, within its own block-specific directory matching the block name (without the block namespace). For example, for a collection `$path` of `/wp-content/plugins/test-plugin` and a block `test-plugin/testimonial`, the block file could be `/wp-content/plugins/test-plugins/blocks/testimonial/block.json`.
It is recommended that plugins use the new API function for enhanced performance, especially if they register several block types. However, the use of the function is entirely optional. Not using it will not result in any difference in user-facing behavior.
Props mreishus, flixos90, gziolo, spacedmonkey, azaozz, mukesh27.
Fixes #62002.
Built from https://develop.svn.wordpress.org/trunk@59132
git-svn-id: http://core.svn.wordpress.org/trunk@58528 1a063a9b-81f0-0310-95a4-ce76da25c4cd
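One way a plugin build step could produce the manifest that the commit message above refers to, as an added example that is not code from WordPress or from this changeset. It assumes the manifest is a PHP file returning an array of parsed `block.json` data keyed by each block's directory name; the helper names `build_block_manifest()` and `write_block_manifest()` and the file name `blocks-manifest.php` are hypothetical.

```php
<?php
// Added illustration; not part of WordPress. Assumes the manifest is a PHP
// file returning an array keyed by each block's directory name.

/**
 * Collect the parsed block.json data for every block directory under $path.
 */
function build_block_manifest( string $path ): array {
	$root = realpath( $path );
	if ( false === $root || ! is_dir( $root ) ) {
		throw new InvalidArgumentException( "Not a directory: $path" );
	}

	$manifest = array();
	$iterator = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
	);
	foreach ( $iterator as $file ) {
		if ( 'block.json' !== $file->getFilename() ) {
			continue;
		}
		// The block-specific directory name is the manifest key.
		$dir  = basename( $file->getPath() );
		$data = json_decode( file_get_contents( $file->getPathname() ), true );
		if ( ! is_array( $data ) ) {
			throw new RuntimeException( 'Invalid JSON: ' . $file->getPathname() );
		}
		// Two directories with the same name would silently shadow each other.
		if ( isset( $manifest[ $dir ] ) ) {
			throw new RuntimeException( "Duplicate block directory name: $dir" );
		}
		$manifest[ $dir ] = $data;
	}
	ksort( $manifest );
	return $manifest;
}

/**
 * Write the manifest as a PHP file that returns the collected array.
 */
function write_block_manifest( string $path, string $manifest_file ): void {
	$php = "<?php\n// Generated file; do not edit.\nreturn "
		. var_export( build_block_manifest( $path ), true ) . ";\n";
	file_put_contents( $manifest_file, $php, LOCK_EX );
}

// Constructed demo: one block in a temporary directory.
$base = sys_get_temp_dir() . '/test-plugin-' . bin2hex( random_bytes( 4 ) );
mkdir( "$base/testimonial", 0700, true );
file_put_contents(
	"$base/testimonial/block.json",
	json_encode( array( 'name' => 'test-plugin/testimonial', 'title' => 'Testimonial' ) )
);
write_block_manifest( $base, "$base/blocks-manifest.php" );
$manifest = require "$base/blocks-manifest.php";
echo $manifest['testimonial']['name'], "\n";

// In a plugin, the two paths would then be passed to the new API function:
// wp_register_block_metadata_collection( $path, $manifest_file );
```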
Introduces the `wp_interactivity_get_element()` function to the Interactivity API, analogous to the `getElement()` function in the `@wordpress/interactivity` JavaScript module. This function allows access to the current element being processed during directive processing.
The function returns an array containing the `attributes` property, which includes only the originally defined attributes present on the element. Attributes added or modified by directive processing are not included. This is intended for use in derived state properties inside `wp_interactivity_state()`, similar to how `wp_interactivity_get_context()` is used.
Example usage:
```php
wp_interactivity_state( 'myPlugin', array(
	'buttonText' => function() {
		$context = wp_interactivity_get_context();
		$element = wp_interactivity_get_element();
		return isset( $context['buttonText'] )
			? $context['buttonText']
			: $element['attributes']['data-default-button-text'];
	},
) );
```
Includes unit tests to cover the new functionality.
Props darerodz, swissspidy, cbravobernal, czapla.
Fixes #62136.
Built from https://develop.svn.wordpress.org/trunk@59131
git-svn-id: http://core.svn.wordpress.org/trunk@58527 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Moves the 'loading' and 'loaded' i18n strings for the `interactivity-router` to the script module data via the `script_module_data_@wordpress/interactivity-router` filter.
Key changes:
- Add the `filter_script_module_interactivity_router_data()` method, hooked into the `script_module_data_@wordpress/interactivity-router` filter, to set the `i18n` data with the 'loading' and 'loaded' messages.
- Rename the `print_router_loading_and_screen_reader_markup()` method to `print_router_markup()` and remove the screen reader markup from it because it's no longer needed.
- Deprecate the `print_router_loading_and_screen_reader_markup()` method.
- Remove the `loading` and `loaded` strings from the `core/router` store state because they're no longer needed.
- Initialize the `core/router` store with a minimal navigation object to prevent errors in the interactivity-router script module when the store is not properly initialized.
- Update corresponding unit tests to reflect these changes.
This change ensures that the `interactivity-router` i18n messages are localized in a single place and removes the need to initialize them in the `core/router` store state.
Props jonsurrell, swissspidy, czapla, gziolo.
See #60647.
Built from https://develop.svn.wordpress.org/trunk@59130
git-svn-id: http://core.svn.wordpress.org/trunk@58526 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If sending an email to the site administrator's email address, look up if a user with the same email exists and switch to that user's locale.
If not, falls back to the site locale as usual.
Props benniledl, swissspidy, mukesh27.
Fixes #61518.
Built from https://develop.svn.wordpress.org/trunk@59128
git-svn-id: http://core.svn.wordpress.org/trunk@58524 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Some plugins and themes load translations too early, before the current user is known.
This happens either explicitly or through just-in-time translation loading.
If the current user (and thus their locale) is not known, WordPress might attempt to load translations in the wrong locale.
This change adds `_doing_it_wrong` messages to warn about such cases. It also helps avoid accidentally trying to load translations twice (once just-in-time and once manually).
Projects triggering such a message are encouraged to load translations no earlier than the `after_setup_theme` hook.
Props garrett-eclipse, Kau-Boy, swissspidy, johnbillion, alanfuller, rodelgc.
Fixes #44937.
Built from https://develop.svn.wordpress.org/trunk@59127
git-svn-id: http://core.svn.wordpress.org/trunk@58523 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Remove hardcoded path added in [57922] which ignored the fact that themes can also use script translations.
They should not be affected even if plugins are installed outside the typical `wp-content/plugins` location.
Props itapress, swissspidy.
Fixes #62016.
Built from https://develop.svn.wordpress.org/trunk@59126
git-svn-id: http://core.svn.wordpress.org/trunk@58522 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If a prospective hooked block has its `multiple` block-supports field set to `false` (thus allowing only one instance of the block to be present), ensure that:
1. Only one instance of the block will be inserted if it's not yet present in the current context.
2. The block will not be inserted at all if an instance of it is already present in the current context.
As always in Block Hooks parlance, "context" denotes the containing template, template part, pattern, or navigation post that a hooked block is supposed to be inserted into.
The markup of a webpage that uses a Block Theme typically comprises a number of such contexts -- one template and any number of template parts, patterns, and navigation posts. Note that the limitation imposed by this changeset only applies on a per-context basis, so it's still possible that the resulting page contains more than one instance of a hooked block with `"multiple": false` set, as each context could contribute up to one such instance.
Props bernhard-reiter, jonsurrell, gziolo.
Fixes #61902.
Built from https://develop.svn.wordpress.org/trunk@59124
git-svn-id: http://core.svn.wordpress.org/trunk@58520 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds a `canUpdateBlockBindings` editor setting that allows to decide if the user is able to create and modify bindings through the UI. By default, only admin users can do it, but it can be overridden with `block_editor_settings_all` filter.
Props santosguillamot, gziolo, jorbin, noisysocks, matveb, cbravobernal, youknowriad, mamaduka, timothyblynjacobs, peterwilsoncc, drivingralle.
Fixes #61945.
Built from https://develop.svn.wordpress.org/trunk@59122
git-svn-id: http://core.svn.wordpress.org/trunk@58518 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Removes the automatic addition of `rel="noopener noreferrer"` from links targeting a new tab or window, `target='_blank'`. Since this was introduced, supported browsers have changed their security policies and no longer allow the opened link to have JavaScript access to the previous tab.
Deprecates:
* `wp_targeted_link_rel()`
* `wp_targeted_link_rel_callback()`
* `wp_init_targeted_link_rel_filters()`: converted to a noop function
* `wp_remove_targeted_link_rel_filters()`: converted to a noop function
The deprecated functions are retained in `formatting.php` as in `SHORTINIT` mode the file is included while `deprecated.php` is not.
This also removes the `noopener` from links hard coded within the WordPress dashboard linking to documentation and other resources.
Props audrasjb, azaozz, dhruval04, dorzki, neo2k23, presskopp, sabernhardt, swissspidy, tobiasbg.
Fixes #53843.
Built from https://develop.svn.wordpress.org/trunk@59120
git-svn-id: http://core.svn.wordpress.org/trunk@58516 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduces the filter `pre_attachment_url_to_postid` to allow developers to short-circuit the function `attachment_url_to_postid()`.
The return values are expected to be an attachment ID, zero (`0`) to indicate no attachment was found or `null` to indicate the function should proceed as usual.
The function performs an expensive database query so developers making use of the function frequently may wish to use a custom table with appropriate indexes to reduce the load on their database server.
Props antpb, apermo, audrasjb, joedolson.
Fixes #61383.
Built from https://develop.svn.wordpress.org/trunk@59118
git-svn-id: http://core.svn.wordpress.org/trunk@58514 1a063a9b-81f0-0310-95a4-ce76da25c4cd