John Blackbourn
f3529cb89d
Bump 4.1 branch to version 4.1.21.
...
Built from https://develop.svn.wordpress.org/branches/4.1@42324
git-svn-id: http://core.svn.wordpress.org/branches/4.1@42153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 19:02:55 +00:00
John Blackbourn
7f0c6cb620
Hardening: Remove the ability to upload JavaScript files for users who do not have the `unfiltered_html` capability.
...
Merges [42261] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@42299
git-svn-id: http://core.svn.wordpress.org/branches/4.1@42128 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:38:28 +00:00
John Blackbourn
348148eee2
Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
...
Merges [42260] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@42298
git-svn-id: http://core.svn.wordpress.org/branches/4.1@42127 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:37:18 +00:00
John Blackbourn
e16db41a65
Hardening: Add escaping to the language attributes used on `html` elements.
...
Merges [42259] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@42297
git-svn-id: http://core.svn.wordpress.org/branches/4.1@42126 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:36:53 +00:00
Dion Hulse
3c4befe52b
WPDB: Check that `AUTH_SALT` is not empty, Fix a PHP notice when `AUTH_SALT` is undefined.
...
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.1 branch.
Fixes #42431 and #42401 for 4.1.
Built from https://develop.svn.wordpress.org/branches/4.1@42237
git-svn-id: http://core.svn.wordpress.org/branches/4.1@42066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:13:21 +00:00
Gary Pendergast
1466683d48
Bump 4.1 branch to version 4.1.20.
...
Built from https://develop.svn.wordpress.org/branches/4.1@42076
git-svn-id: http://core.svn.wordpress.org/branches/4.1@41905 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:43:26 +00:00
Gary Pendergast
16391a9641
Database: Restore numbered placeholders in `wpdb::prepare()`.
...
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.
This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.
Merges [41662], [42056] to the 4.2 branch.
See #41925 .
Built from https://develop.svn.wordpress.org/branches/4.1@42064
git-svn-id: http://core.svn.wordpress.org/branches/4.1@41893 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:53:27 +00:00
Aaron Campbell
6b3afa9678
Bump 4.1 branch to version 4.1.19.
...
Built from https://develop.svn.wordpress.org/branches/4.1@41517
git-svn-id: http://core.svn.wordpress.org/branches/4.1@41350 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 20:07:25 +00:00
Aaron Campbell
89333247c9
Database: Hardening to bring `wpdb::prepare()` inline with documentation.
...
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.
Merges [41496] to 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@41504
git-svn-id: http://core.svn.wordpress.org/branches/4.1@41337 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 18:33:25 +00:00
Aaron Campbell
68b9288c14
Database: Don’t trigger `_doing_it_wrong()` for null values in `wpdb::prepare()`.
...
While `wpdb::prepare()` does not support null values (see #12819 ) they still appear in the wild like in the WordPress Importer and other plugins.
Merges [41483] to 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@41491
git-svn-id: http://core.svn.wordpress.org/branches/4.1@41324 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 16:26:18 +00:00
Aaron Campbell
688d186ddd
Database: Hardening for `wpdb::prepare()`
...
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.
Merges [41470] to 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@41478
git-svn-id: http://core.svn.wordpress.org/branches/4.1@41311 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 15:03:53 +00:00
Dominik Schilling
acc424ed10
TinyMCE: Improve the previews for shortcodes.
...
Merge of [41395] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@41442
git-svn-id: http://core.svn.wordpress.org/branches/4.1@41275 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 12:44:54 +00:00
Dominik Schilling
900cd482a4
Editor: Prevent adding `javascript:` and `data:` URLs through the inline link dialog.
...
Merge of [41393] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@41407
git-svn-id: http://core.svn.wordpress.org/branches/4.1@41240 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 10:19:51 +00:00
Aaron Campbell
9eb95c11ff
Bump 4.1 branch to version 4.1.18.
...
Built from https://develop.svn.wordpress.org/branches/4.1@40754
git-svn-id: http://core.svn.wordpress.org/branches/4.1@40612 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 21:53:24 +00:00
Pascal Birchler
f4aa87318c
Media: Simplify upload error message construction.
...
Merges [40736] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@40743
git-svn-id: http://core.svn.wordpress.org/branches/4.1@40601 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 18:04:19 +00:00
Dominik Schilling
f1dd14eb48
Customize: Ignore invalid customization sessions.
...
Merge of [40704] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@40711
git-svn-id: http://core.svn.wordpress.org/branches/4.1@40574 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 12:20:25 +00:00
Pascal Birchler
03ff944f46
Adjust post meta checks
...
Merges [40692] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@40699
git-svn-id: http://core.svn.wordpress.org/branches/4.1@40562 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:53:19 +00:00
Pascal Birchler
c17688406b
Whitelist post arguments in XML-RPC
...
Merges [40677] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@40684
git-svn-id: http://core.svn.wordpress.org/branches/4.1@40547 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:26:26 +00:00
Pascal Birchler
d4a45dc58d
Bump 4.1 branch to version 4.1.17.
...
Built from https://develop.svn.wordpress.org/branches/4.1@40493
git-svn-id: http://core.svn.wordpress.org/branches/4.1@40369 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-20 16:27:26 +00:00
James Nylen
d19df5f1e4
Bump 4.1 branch to version 4.1.16.
...
Built from https://develop.svn.wordpress.org/branches/4.1@40208
git-svn-id: http://core.svn.wordpress.org/branches/4.1@40147 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 16:35:25 +00:00
Aaron Campbell
0d1be6d9ca
Strip control characters before validating redirect.
...
Merges [40183] to 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@40190
git-svn-id: http://core.svn.wordpress.org/branches/4.1@40129 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 13:45:27 +00:00
Dominik Schilling
c5c1dce809
Embeds: URL encode YouTube video IDs for broader compatibility.
...
Merge of [40160] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@40167
git-svn-id: http://core.svn.wordpress.org/branches/4.1@40106 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 12:08:26 +00:00
Aaron Campbell
c0abe8d804
Bump 4.1 branch to version 4.1.15.
...
Built from https://develop.svn.wordpress.org/branches/4.1@40002
git-svn-id: http://core.svn.wordpress.org/branches/4.1@39939 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 18:26:25 +00:00
Dominik Schilling
0a69a201ad
Query: Ensure that queries work correctly with post type names with special characters.
...
Merge of [39952] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@39962
git-svn-id: http://core.svn.wordpress.org/branches/4.1@39899 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 13:52:26 +00:00
Aaron Campbell
edd582c69e
Bump 4.1 branch to version 4.1.14.
...
Built from https://develop.svn.wordpress.org/branches/4.1@39866
git-svn-id: http://core.svn.wordpress.org/branches/4.1@39803 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:58:53 +00:00
Joe McGill
8dd8485f19
Media: Fix exif_imagetype check in wp_get_image_mime
...
This is a follow up to [39831].
Merges [39850] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@39857
git-svn-id: http://core.svn.wordpress.org/branches/4.1@39794 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:44:24 +00:00
Joe McGill
6fd71daf13
Media: Improve image filetype checking.
...
This adds a new function `wp_get_image_mime()` which is used by
`wp_check_filetype_and_ext()` to validate image files using
`exif_imagetype()` if available instead of `getimagesize()`.
`getimagesize()` is less performant than `exif_imagetype()` and is
dependent on GD. If `exif_imagetype()` is not available, it falls back to
`getimagesize()` as before.
If `wp_check_filetype_and_ext()` can't validate the filetype, we now return
`false` for ext/MIME values.
Merges [39831] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@39838
git-svn-id: http://core.svn.wordpress.org/branches/4.1@39776 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 13:18:53 +00:00
Dominik Schilling
cf41259781
Themes: Fix markup for theme name fallbacks.
...
Merge of [39807] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@39815
git-svn-id: http://core.svn.wordpress.org/branches/4.1@39753 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 11:12:20 +00:00
Jeremy Felt
335301e8f6
Multisite: Use `wp_rand()` in signup key creation.
...
Merges [39795] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@39802
git-svn-id: http://core.svn.wordpress.org/branches/4.1@39740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 05:35:19 +00:00
Dion Hulse
e68653dd45
Update PHPMailer to 5.2.22.
...
The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.21...v5.2.22
Merges [39759] to the 4.1 branch.
Fixes #37210 for 4.1.
Built from https://develop.svn.wordpress.org/branches/4.1@39790
git-svn-id: http://core.svn.wordpress.org/branches/4.1@39728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 05:25:51 +00:00
Dion Hulse
e754067ae9
Mail: Upgrade PHPMailer to 5.2.21.
...
Merges [39645], [36083], [33142], [33124] to the 4.1 branch.
See #37210 .
Built from https://develop.svn.wordpress.org/branches/4.1@39727
git-svn-id: http://core.svn.wordpress.org/branches/4.1@39667 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-06 22:06:24 +00:00
Jeremy Felt
9a9ecd5c32
Bump 4.1 branch to 4.1.13.
...
Built from https://develop.svn.wordpress.org/branches/4.1@38554
git-svn-id: http://core.svn.wordpress.org/branches/4.1@38497 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-07 15:00:58 +00:00
Boone Gorges
3d28255a66
Bump 4.1 branch to 4.1.12.
...
Built from https://develop.svn.wordpress.org/branches/4.1@37832
git-svn-id: http://core.svn.wordpress.org/branches/4.1@37797 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 16:39:24 +00:00
Joe McGill
8bb91d40a2
Media: Improve handling of extensionless filenames.
...
Merge of [37756] to the 4.1 branch.
See #37111 .
Built from https://develop.svn.wordpress.org/branches/4.1@37818
git-svn-id: http://core.svn.wordpress.org/branches/4.1@37783 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:57:40 +00:00
Nikolay Bachiyski
25df9d65a8
Admin: Escape attachment name in case it contains special characters
...
Merge of [37774] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@37790
git-svn-id: http://core.svn.wordpress.org/branches/4.1@37755 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:26:33 +00:00
Jeremy Felt
8d2141b7ee
Admin: Allow for the consistent filtering of `auth_redirect_scheme`
...
Merge of [37651] to the 4.1 branch.
See #37047 .
Built from https://develop.svn.wordpress.org/branches/4.1@37762
git-svn-id: http://core.svn.wordpress.org/branches/4.1@37727 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:13:23 +00:00
Dominik Schilling
2dbd645312
Bump 4.1 branch to 4.1.11.
...
Built from https://develop.svn.wordpress.org/branches/4.1@37388
git-svn-id: http://core.svn.wordpress.org/branches/4.1@37354 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-06 18:14:22 +00:00
Nikolay Bachiyski
58a1804e9c
External Libraries: Update plupload from upstream
...
Built from https://develop.svn.wordpress.org/branches/4.1@37378
git-svn-id: http://core.svn.wordpress.org/branches/4.1@37344 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-06 17:57:22 +00:00
Nikolay Bachiyski
38154c01ce
Taxonomies: make sure taxonomy functions work correctly with taxonomy names with special characters
...
The codex says that taxonomy names "should only contain lowercase letters and the underscore character", but that's not enforced. It's too late to enforce it, since some plugins haven't been following it and the official phpdoc doesn't mention this restriction.
Merge of [37133] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@37138
git-svn-id: http://core.svn.wordpress.org/branches/4.1@37105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 17:32:22 +00:00
Dominik Schilling
e73593c805
HTTP: Improve detection of valid IP addresses.
...
Merge of [37115] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@37119
git-svn-id: http://core.svn.wordpress.org/branches/4.1@37086 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 15:52:33 +00:00
Nikolay Bachiyski
63bde8f97e
Snoopy: use escapeshellarg instead of escapeshellcmd
...
We are escaping arguments, not commands, so we'd better use the semantically correct function, even though they are similar.
Merges [37094] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@37098
git-svn-id: http://core.svn.wordpress.org/branches/4.1@37065 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 14:10:23 +00:00
Dominik Schilling
7df345b1cc
Bump 4.1 branch to 4.1.10.
...
Built from https://develop.svn.wordpress.org/branches/4.1@36458
git-svn-id: http://core.svn.wordpress.org/branches/4.1@36425 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 17:29:22 +00:00
Dominik Schilling
5b076e981c
Better validation of the URL used in HTTP redirects.
...
Merges [36444] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@36450
git-svn-id: http://core.svn.wordpress.org/branches/4.1@36417 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 17:00:50 +00:00
Dominik Schilling
ac434506e1
HTTP: `0.1.2.3` is not a valid IP.
...
Merges [36435] to the 4.1 branch.
Built from https://develop.svn.wordpress.org/branches/4.1@36439
git-svn-id: http://core.svn.wordpress.org/branches/4.1@36406 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 13:04:42 +00:00
Dominik Schilling
197d5128b2
Bump 4.1 branch to 4.1.9.
...
Built from https://develop.svn.wordpress.org/branches/4.1@36199
git-svn-id: http://core.svn.wordpress.org/branches/4.1@36166 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-06 18:50:23 +00:00
Aaron Jorbin
e253e4e3d6
Theme: Escape error messages
...
[36185] for 4.1 branch
Built from https://develop.svn.wordpress.org/branches/4.1@36189
git-svn-id: http://core.svn.wordpress.org/branches/4.1@36156 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-06 17:26:50 +00:00
Dion Hulse
3ff8fa5386
Background Updates: Remove the 7am/7pm background update check.
...
This changeset is a more basic version of [36180], clearing the extra now redundant schedule.
As the functionality for this was introduced in 3.9, [28129] has been backported to 3.7/3.8, allowing the API TTL to be respected by those versions.
See #27772 .
Fixes #35323 .
Built from https://develop.svn.wordpress.org/trunk@36184
git-svn-id: http://core.svn.wordpress.org/branches/4.1@36151 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-06 13:24:33 +00:00
Helen Hou-Sandí
a39030c223
Finish bumping the 4.1 branch to 4.1.8.
...
Built from https://develop.svn.wordpress.org/branches/4.1@34192
git-svn-id: http://core.svn.wordpress.org/branches/4.1@34160 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-15 14:51:36 +00:00
Dominik Schilling
d38d60223d
XMLRPC: Don't allow private posts to be sticky.
...
Merge of [33325], [33612], and [34135] to the 4.1 branch.
See #20662 .
Built from https://develop.svn.wordpress.org/branches/4.1@34153
git-svn-id: http://core.svn.wordpress.org/branches/4.1@34121 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 23:01:22 +00:00
Nikolay Bachiyski
76e13dd238
Shortcodes: don't allow unclosed HTML elements in attributes
...
Merges [34134] for 4.1 branch
Built from https://develop.svn.wordpress.org/branches/4.1@34146
git-svn-id: http://core.svn.wordpress.org/branches/4.1@34114 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 22:48:48 +00:00