WordPress does not currently provide an explicit method for escaping SQL table and column names. This leads to potential security vulnerabilities, and makes reviewing code for security unnecessarily difficult. Also, static analysis tools also flag the queries as having unescaped SQL input.
Tables and column names in queries are usually in-the-raw, since using the existing `%s` will straight quote the value, making the query invalid.
This change introduces a new `%i` placeholder in `$wpdb->prepare` to properly quote table and column names using backticks.
Props tellyworth, iandunn, craigfrancis, peterwilsoncc, johnbillion, apokalyptik.
Fixes#52506.
Built from https://develop.svn.wordpress.org/trunk@53575
git-svn-id: http://core.svn.wordpress.org/trunk@53164 1a063a9b-81f0-0310-95a4-ce76da25c4cd
One of these was previously renamed to mention `update_metadata_by_mid()`.
While `update_metadata_by_mid()` is indeed called in `wp_ajax_add_meta()` to update an existing meta value, the functionality change that the test intended to verify was in the latter function.
Follow-up to [44153], [53561].
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53572
git-svn-id: http://core.svn.wordpress.org/trunk@53161 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[https://github.com/WordPress/gutenberg/issues/38719 In 5.9 these utility classnames were removed], which removed the ability for theme/plugin authors to assign their own custom CSS related to specific layout selections. This was mostly related to the Button block.
This commit adds these classes dynamically based on attributes, rather than saving them to the serialized content.
Original PR from Gutenberg repository:
* [https://github.com/WordPress/gutenberg/pull/41487#41487 Add utility classnames back to blocks that have layout attributes specified]
Props glendaviesnz, peterwilsoncc, andrewserong, zieladam, matveb, samikeijonen.
See #56058.
Built from https://develop.svn.wordpress.org/trunk@53568
git-svn-id: http://core.svn.wordpress.org/trunk@53157 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`use_block_editor_for_post_type` and `use_block_editor_for_post` can be very useful in more contexts than wp-admin, especially when a site is in transition. For example, you may want to do things on init that are different.
Neither function depends on other functions that are available only in wp-admin (other than use_block_editor_for_post() relying on use_block_editor_for_post_type() and an admin-referrer check that's historically gated by a query variable and now also gated by is_admin), therefore moving them to wp-includes seems both feasible and beneficial
Props ethitter, jorbin.
Fixes#51819.
Built from https://develop.svn.wordpress.org/trunk@53559
git-svn-id: http://core.svn.wordpress.org/trunk@53148 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Dynamic (non-explicitly declared) properties are deprecated as of PHP 8.2 and are expected to become a fatal error in PHP 9.0.
In this particular case, the test class contains a `set_up()` method that sets a group of properties, which are ''used'' by the tests, but never ''changed'' by the tests.
In other words, setting these properties in the `set_up()` is an unnecessary overhead and the properties should be changed to class constants.
Notes:
* As the `$img_html` property, which was previously being set, is not actually used in any of the tests, that property has not been converted to a constant.
* The values which were previously being set using a heredoc, now use a nowdoc (supported since PHP 5.3), as they don't contain any interpolation.
* The use of constant scalar expressions (`IMG_URL`) and constant arrays (`IMG_META`) in class constants is supported since PHP 5.6.
Follow-up to [711/tests], [1260/tests], [34855], [41724], [53557].
Props jrf.
See #56033.
Built from https://develop.svn.wordpress.org/trunk@53558
git-svn-id: http://core.svn.wordpress.org/trunk@53147 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Dynamic (non-explicitly declared) properties are deprecated as of PHP 8.2 and are expected to become a fatal error in PHP 9.0.
In this particular case, the test classes contain a `set_up()` method that sets a group of properties, which are ''used'' by the tests, but the values of these properties are never ''changed'' by the tests.
In other words, setting these properties in the `set_up()` is an unnecessary overhead and the properties should be changed to class constants.
Follow-up to [1041/tests], [1071/tests].
Props jrf.
See #56033.
Built from https://develop.svn.wordpress.org/trunk@53557
git-svn-id: http://core.svn.wordpress.org/trunk@53146 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Give the test method a most descriptive name.
* Use a single assertion for the URL list instead of a `foreach` loop to provide more context in case of failure.
* Add a failure message to each assertion, as there are multiple assertions used in the test.
Follow-up to [53548].
See #55633.
Built from https://develop.svn.wordpress.org/trunk@53556
git-svn-id: http://core.svn.wordpress.org/trunk@53145 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`true` is now passed to the `fail_ci_if_error` input when the `codecov/codecov-action` action is used.
When uploading a code coverage report is unsuccessful, the action will now fail and return an error. This will help avoid situations like #56022 where the report was suddenly failing to upload even though the workflow itself appeared to be successful.
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53554
git-svn-id: http://core.svn.wordpress.org/trunk@53143 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds the `pull_request` event to the Code Coverage Report workflow, allowing changes to be verified in a pull request before being committed.
The `branches` and `paths` filters are used to limit when the workflow runs to pull requests with:
- A base branch of `trunk`.
- Changing specific files that can potentially affect the way a coverage report is generated.
Reports generated on `pull_request` events are for testing purposes only and are not submitted to Codecov.
The `docker-compose.yml` file has also been added to the `paths` filter for both `push` and `pull_request` events. Changes to this file could potentially affect the environment used to generate the report (such as the ones in [53552]).
Props afragen, johnbillion, desrosj.
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53553
git-svn-id: http://core.svn.wordpress.org/trunk@53142 1a063a9b-81f0-0310-95a4-ce76da25c4cd
One change in the update from Xdebug version 2.x to 3.x was a shift from enabling features to switching into modes.
When the version of Xdebug installed in the PHP 7.4 Docker container was updated from 2.x to 3.x, the code coverage reporting workflow stopped generating reports due to a lack of available coverage drivers.
This change adds the `XDEBUG_MODE` environment variable to the local Docker environment configuration to allow the active modes to be changed. This environment variable takes precedence over the `xdebug.mode` setting, but will not change the value of the `xdebug.mode` setting.
The `LOCAL_PHP_XDEBUG_MODE` environment variable has been added to the `.env` file and can be used to change the modes enabled in the Docker container. The code coverage reporting workflow uses this variable to enable the `coverage` mode, which is required for generating a test coverage report.
By default, `debug` and `debug modes are active, which enables the more commonly used features of Xdebug: development helpers and step debugging.
Props afragen, johnbillion, desrosj.
Fixes#56022.
Built from https://develop.svn.wordpress.org/trunk@53552
git-svn-id: http://core.svn.wordpress.org/trunk@53141 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Cache result of database queries in `_find_post_by_old_slug` and `_find_post_by_old_date` functions. This means that repeated requests to a url where the page is not found, will result in hitting a cache for sites running persistent object caching.
Props Spacedmonkey, dd32, mukesh27, pbearne, flixos90.
Fixes#36723.
Built from https://develop.svn.wordpress.org/trunk@53549
git-svn-id: http://core.svn.wordpress.org/trunk@53138 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Includes:
* Documenting the returned array using hash notation.
* Adding a `@since` note for the `$filesize` value being included in the returned array.
This affects:
* `wp_generate_attachment_metadata()`
* `wp_get_attachment_metadata()`
* `WP_Image_Editor::save()`
* `WP_Image_Editor_GD::save()` and `::_save()`
* `WP_Image_Editor_Imagick::save()` and `::_save()`
Follow-up to [22094], [22619], [52837], [53546].
See #55646.
Built from https://develop.svn.wordpress.org/trunk@53547
git-svn-id: http://core.svn.wordpress.org/trunk@53136 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Since WordPress 3.5, `wp_save_image_file()` uses `WP_Image_Editor` classes under the hood to save the images.
While the `save()` method in those instances returns `array|WP_Error` and is documented as such, the return type of the `wp_save_image_file()` function was still left as `bool`.
A better solution would be to adjust the function to return the documented boolean type. However, doing that after 20+ major WP releases would be a backward compatibility break, so the documentation is now updated instead.
Includes:
* Documenting the returned array using hash notation.
* Adding a `@since` note for the `$image` parameter expecting a `WP_Image_Editor` instance.
* Adding a `@since` note for the `$filesize` value being included in the returned array.
Follow-up to [22094], [22619], [52837].
Props jrf, SergeyBiryukov.
See #55646.
Built from https://develop.svn.wordpress.org/trunk@53546
git-svn-id: http://core.svn.wordpress.org/trunk@53135 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Move logic to generate link to global styles to the `prepare_links` method in theme REST API controller. This way all logic to generate links is within the `prepare_links` method, bringing this controller inline with other REST API controllers.
Props SergeyBiryukov, Spacedmonkey.
Fixes#56018.
Built from https://develop.svn.wordpress.org/trunk@53544
git-svn-id: http://core.svn.wordpress.org/trunk@53133 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Includes:
* Making the test method names more specific.
* Converting one-off helper methods to static closures.
* Adding a failure message to each assertion when multiple assertions are used in the test.
Follow-up to [1126/tests], [1201/tests], [53292], [53495], [53522], [53538].
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53541
git-svn-id: http://core.svn.wordpress.org/trunk@53130 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset removes Meetup as an oEmbed source, since Meetup.com have deprecated their oEmbed endpoint. The block has already been removed from the editor, see GB#35085.
Props peterwilsoncc, audrasjb, swissspidy.
Fixes#55997.
Built from https://develop.svn.wordpress.org/trunk@53540
git-svn-id: http://core.svn.wordpress.org/trunk@53129 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Includes:
* Adding `@covers` annotations.
* Adding a failure message to each assertion when multiple assertions are used in the test.
Follow-up to [1126/tests], [53495], [53497], [53521], [53523], [53524], [53525], [53526], [53529], [53530], [53531], [53537].
Props jrf.
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53538
git-svn-id: http://core.svn.wordpress.org/trunk@53127 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This one test was testing three different situations. When one assertion fails, the rest of the test would not be executed, so this leads to hiding one error behind another.
Splitting the test into three distinct test methods still allows for testing each situation, but tests each one in isolation and won't hide errors.
The third part of the test, dealing with image editor engine classes, will also now use a data provider.
Using a data provider has a number of advantages:
1. If the first test case fails, it won't prevent the other test cases from being tested.
2. The output from PHPUnit will be more descriptive in case of failure when using a data provider.
3. Using named test cases in the data provider will also make the `--testdox` output much more descriptive and informative.
The actual cases being tested, or the test itself have not been changed.
Includes:
* Adding `@covers` annotations.
* Adding a failure message to each assertion when multiple assertions are used in the test.
* Reusing an existing data provider with the available image editor engine classes.
Follow-up to [1061/tests], [53495], [53497], [53521], [53523], [53524], [53525], [53526], [53529], [53530], [53531].
Props jrf.
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53537
git-svn-id: http://core.svn.wordpress.org/trunk@53126 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, in case of failure, `WP_UnitTestCase_Base::assertNotWPError()` displayed the actual error message from the passed `WP_Error` object, but only if the `$message` parameter was empty.
This made the assertion less helpful, as the actual error message was lost in case there was a non-empty `$message` parameter passed to the method, as per the [https://make.wordpress.org/core/handbook/testing/automated-testing/writing-phpunit-tests/#using-assertions Writing PHP Tests] guidelines:
> All PHPUnit assertions, as well as all WordPress custom assertions, allow for a `$message` parameter to be passed. This message will be displayed when the assertion fails and can help immensely when debugging a test. This parameter should always be used if more than one assertion is used in a test method.
This commit ensures that the actual error message is always displayed, in addition to the passed `$message` parameter.
The same applies to `WP_UnitTestCase_Base::assertNotIXRError()`.
Follow-up to [34638], [40417].
Props jrf, SergeyBiryukov.
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53536
git-svn-id: http://core.svn.wordpress.org/trunk@53125 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adjusts the logic used to determine the outcome of the previous workflow run of the current one to account for `schedule` and `workflow_dispatch` events.
In the current state, only workflows triggered by `push` events are examined. This is causing failures when trying to post Slack notifications for the Test Coverage workflow, and inconsistent results for `workflow_dispatch` events when testing older branches on a schedule.
Follow up to [53466] and [53468].
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53534
git-svn-id: http://core.svn.wordpress.org/trunk@53123 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Using a data provider has a number of advantages:
1. If the first test case fails, it won't prevent the other test cases from being tested.
2. The output from PHPUnit will be more descriptive in case of failure when using a data provider.
3. Using named test cases in the data provider will also make the `--testdox` output much more descriptive and informative.
The actual cases being tested, or the test itself have not been changed.
Includes:
* Adding a `@covers` annotation.
* Adding a failure message to each assertion.
* Adding a skip annotation for unsupported mime types.
* Making the test method name more specific.
Follow-up to [1061/tests], [53495], [53497], [53521], [53523], [53524], [53525], [53526], [53529], [53530].
Props jrf.
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53531
git-svn-id: http://core.svn.wordpress.org/trunk@53120 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Using a data provider has a number of advantages:
1. If the first test case fails, it won't prevent the other test cases from being tested.
2. The output from PHPUnit will be more descriptive in case of failure when using a data provider.
3. Using named test cases in the data provider will also make the `--testdox` output much more descriptive and informative.
The actual cases being tested, or the test itself have not been changed.
Includes:
* Adding a `@covers` annotation.
* Adding a failure message to each assertion.
* Making the test method name more specific.
Follow-up to [1061/tests], [53495], [53497], [53521], [53523], [53524], [53525], [53526], [53529].
Props jrf.
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53530
git-svn-id: http://core.svn.wordpress.org/trunk@53119 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Using a data provider has a number of advantages:
1. If the first test case fails, it won't prevent the other test cases from being tested.
2. The output from PHPUnit will be more descriptive in case of failure when using a data provider.
3. Using named test cases in the data provider will also make the `--testdox` output much more descriptive and informative.
The actual cases being tested, or the test itself have not been changed.
Includes:
* Adding a `@covers` annotation.
* Adding a skip annotation for unsupported mime types.
* Adding a failure message to each assertion.
Follow-up to [1061/tests], [53495], [53497], [53521], [53523], [53524], [53525], [53526].
Props jrf.
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53529
git-svn-id: http://core.svn.wordpress.org/trunk@53118 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Using a data provider has a number of advantages:
1. If the first test case fails, it won't prevent the other test cases from being tested.
2. While the assertion used in this test method ''does'' have a "failure message" (👍), the output from PHPUnit itself will already be more descriptive in case of failure when using a data provider.
3. Using named test cases in the data provider will also make the `--testdox` output much more descriptive and informative.
The actual cases being tested, or the test itself have not been changed.
Includes:
* Adding a `@covers` annotation.
Follow-up to [184/tests], [53495], [53497], [53521], [53523], [53524], [53525].
Props jrf.
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53526
git-svn-id: http://core.svn.wordpress.org/trunk@53115 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Using a data provider has a number of advantages:
1. If the first test case fails, it won't prevent the other test cases from being tested.
2. While the assertion used in this test method ''does'' have a "failure message" (👍), the output from PHPUnit itself will already be more descriptive in case of failure when using a data provider.
3. Using named test cases in the data provider will also make the `--testdox` output much more descriptive and informative.
The actual cases being tested, or the test itself have not been changed.
Includes:
* Changing the conditional addition of the `.ico` file type to be unconditional, it was only needed for PHP < 5.3.
* Adding a `@covers` annotation.
Follow-up to [184/tests], [42780], [53495], [53497], [53521], [53523], [53524].
Props jrf.
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53525
git-svn-id: http://core.svn.wordpress.org/trunk@53114 1a063a9b-81f0-0310-95a4-ce76da25c4cd