This changeset adds `spellcheck="false"` attribute to various password fields.
The spellcheck global attribute defines whether the element may be checked for spelling errors. The `false` value indicates that the element should not be checked for spelling errors, which is relevant for a password field.
Furthermore, and as per MDN specs, using spellchecking can have consequences for users' security and privacy. The specification does not regulate how spellchecking is done and the content of the element may be sent to a third party for spellchecking results. Thus, it is recommended to set `spellcheck` attribute to `false` for elements that can contain sensitive information. Which is the case for password fields.
Props dziudek, audrasjb, gainesm, fosuahmed.
Fixes#56763.
Built from https://develop.svn.wordpress.org/trunk@55094
git-svn-id: http://core.svn.wordpress.org/trunk@54627 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While using reserved PHP keywords as parameter name labels is allowed, in the context of function calls using named parameters in PHP 8.0+, this will easily lead to confusion. To avoid that, it is recommended not to use reserved keywords as function parameter names.
This commit:
* Renames the `$echo` parameter to `$display` in:
* `wp_loginout()`
* `wp_register()`
* `get_calendar()`
* `the_date()`
* `the_modified_date()`
* `checked()`
* `selected()`
* `disabled()`
* `wp_readonly()`
* `__checked_selected_helper()`
* Renames the `$readonly` parameter to `$readonly_value` in `wp_readonly()`.
Follow-up to [52946], [52996], [52997], [52998], [53003], [53014], [53029], [53039], [53116], [53117], [53137], [53174], [53184], [53185], [53192], [53193], [53198], [53203], [53207], [53215], [53216], [53220], [53230], [53232], [53236], [53239], [53240], [53242], [53243], [53245], [53246], [53257], [53269], [53270], [53271], [53272], [53273], [53274], [53275], [53276], [53277], [53281], [53283], [53284], [53285], [53287], [53364], [53365], [54927], [54929], [54930], [54931].
Props jrf, aristath, poena, justinahinon, SergeyBiryukov.
See #56788.
Built from https://develop.svn.wordpress.org/trunk@54932
git-svn-id: http://core.svn.wordpress.org/trunk@54484 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This affects:
* The `wp_lostpassword_url()` function.
* The `lost_password_html_link` filter.
The filter description was copied from the function, which appears to be not quite accurate, as the lost password can only be reset, not retrieved.
Follow-up to [11448], [54206].
See #55646.
Built from https://develop.svn.wordpress.org/trunk@54224
git-svn-id: http://core.svn.wordpress.org/trunk@53783 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The previously available set of filters in the `feed_links()` function to enable or disable display of various feed links was quite limited:
* `feed_links_show_posts_feed` to control the main feed
* `feed_links_show_comments_feed` to control both the global comments feed and the comment feed for singular posts.
In order to disable the other feeds (post type archive, category, tag, custom taxonomy, author archive, search results), one would have to unhook `feed_links_extra()` from `wp_head`, but that would completely remove all of those feeds, as well as the single post comments feed.
To allow for more flexibility, this commit introduces a full set of filters in the `feed_links_extra()` function to control each one of the feeds independently, including a way to enable/disable the single post comments feed when the global comments feed is disabled/enabled:
* `feed_links_extra_show_post_comments_feed`
* `feed_links_extra_show_post_type_archive_feed`
* `feed_links_extra_show_category_feed`
* `feed_links_extra_show_tag_feed`
* `feed_links_extra_show_tax_feed`
* `feed_links_extra_show_author_feed`
* `feed_links_extra_show_search_feed`
All of them default to `true`, except for `feed_links_extra_show_post_comments_feed` which defaults to the result of `feed_links_show_comments_feed` to ensure backward compatibility.
Follow-up to [33838], [33839], [53125].
Props lopo, mukesh27, audrasjb, SergeyBiryukov.
Fixes#55904.
Built from https://develop.svn.wordpress.org/trunk@54161
git-svn-id: http://core.svn.wordpress.org/trunk@53720 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset introduces two new hooks:
- `wp_required_field_indicator` allows developers to filter the HTML output of the `wp_required_field_indicator()` function.
- `wp_required_field_message` does the same for the `wp_required_field_message()` function.
The changeset also adds new phpunit tests for these filters.
Follow-up to [53888], [54136].
Props kebbet, audrasjb, sabernhardt, costdev, mukesh27.
Fixes#56389.
See #54394.
Built from https://develop.svn.wordpress.org/trunk@54137
git-svn-id: http://core.svn.wordpress.org/trunk@53696 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset removes `aria-hidden="true"` attribute used for required fields in comments template, for better accessibility. It removes the attribute from both `wp_required_field_indicator()` and `wp_required_field_message()` patterns.
Follow-up to [53888].
Props juliemoynat, audrasjb, joedolson, sabernhardt, afercia, costdev.
Fixes#55717.
Built from https://develop.svn.wordpress.org/trunk@54136
git-svn-id: http://core.svn.wordpress.org/trunk@53695 1a063a9b-81f0-0310-95a4-ce76da25c4cd
A default DNS prefetch entry for s.w.org was previously included to save a few ms in case an emoji is used that is not supported by the browser. It appears this use case doesn't justify a prefetch to s.w.org on every WordPress website.
This changesets removes `emoji_svg_url` prefetch from `wp_resource_hints()`. It also updates unit tests in `Tests_General_wpResourceHints` by removing `test_should_have_defaults_on_frontend()` entirely and removing s.w.org prefetch from expected output of ten other test functions.
Plugin authors can use the `wp_resource_hints` filter if they need to re-add the DNS prefetch entry for s.w.org.
Follow-up to [37920], [38122].
Props joelhardi, superpoincare, jhabdas, garrett-eclipse, sabernhardt, SergeyBiryukov.
Fixes#40426.
See #37387.
Built from https://develop.svn.wordpress.org/trunk@53904
git-svn-id: http://core.svn.wordpress.org/trunk@53463 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset introduces new `wp_required_field_indicator()` and `wp_required_field_message()` helper functions to generate reusable and consistent required field indicator and message. It also implements these functions in various admin screens.
Props sabernhardt, ryokuhi, joedolson, audrasjb, SergeyBiryukov.
Fixes#54394.
Built from https://develop.svn.wordpress.org/trunk@53888
git-svn-id: http://core.svn.wordpress.org/trunk@53447 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add a `wp_preload_resources` filter that developers can use to add resource preloading.
Preloading helps the browser discover and prioritize important resources earlier during the page load. This ensures that they are available earlier and are less likely to block the page's render.
Props nico23, swissspidy, igrigorik, westonruter, azaozz, furi3r, aristath, spacedmonkey, peterwilsoncc, mihai2u, gziolo.
Fixes#42438.
Built from https://develop.svn.wordpress.org/trunk@53846
git-svn-id: http://core.svn.wordpress.org/trunk@53405 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, it was used in core and older bundled themes to display the list of allowed tags in the comment form.
Follow-up to [709], [2009], [2012], [2032], [2040], [13030], [14365], [32858], [34316], [34351].
See #55646.
Built from https://develop.svn.wordpress.org/trunk@53703
git-svn-id: http://core.svn.wordpress.org/trunk@53262 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage.
Follow-up to [11383], [13096], [51597], [53452].
Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes#55852.
Built from https://develop.svn.wordpress.org/trunk@53455
git-svn-id: http://core.svn.wordpress.org/trunk@53044 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Remove the `link[rel=alternate]` element from the HTML header when the comment feeds are disabled. Previously the HTML element was output with an empty `href` attribute.
The element is removed if `get_post_comments_feed_link()` returns an empty string or the feed is disabled via the `feed_links_show_comments_feed` filter.
Props barryceelen, audrasjb, costdev, rachelbaker, Boniu91.
Fixes#54703.
Built from https://develop.svn.wordpress.org/trunk@53125
git-svn-id: http://core.svn.wordpress.org/trunk@52714 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Set valid autocomplete attributes for registration and login fields for username, email, and current password. Autocomplete values are required in WCAG 2.1 at level AA for login forms.
Props johnjamesjacoby, dhanendran, rianrietveld, joedolson, peterwilsoncc.
Fixes#41136.
Built from https://develop.svn.wordpress.org/trunk@53041
git-svn-id: http://core.svn.wordpress.org/trunk@52630 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[52232] relocated the Theme Editor menu item from Appearance to Tools for block themes. This commit relocates the Plugin Editor menu item from Plugins to Tools for block themes for a consistent workflow.
Both the Theme Editor and Plugin Editor menu items are renamed to "Theme File Editor" and "Plugin File Editor" respectively. Why? To better identify their purpose, i.e. to directly edit the code in the theme or plugin files. The rename is not limited to only block themes.
Follow-up to [52232].
Props poena, annezazu, audrasjb, clorith, courane01, costdev, dryanpress, desrosj, hellofromTonya, ipstenu, jameskoster, joen, johnbillion, joyously, manfcarlo, marybaum, pbiron, SergeyBiryukov, walbo, youknowriad.
Fixes#54382.
Built from https://develop.svn.wordpress.org/trunk@52406
git-svn-id: http://core.svn.wordpress.org/trunk@51998 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When `m` query_tag has a valid year, i.e. `?m=2021`, and there are posts for that year, `substr()` returns a `false` on PHP 5.6 and an empty string on PHP 7.0+. Passing either of those values to `$wp_locale->get_month()` results in a PHP notice on PHP 5.6 to PHP 7.4 and a PHP Warning on PHP 8.0+.
Why? The `$month` lookup table has zeroized keys from '01' to '12'. A empty value is passed to `zeroise()` returns `'00'` which is directly passed as a key in the month property. That key does not exist.
While `$wp_locale->get_month()` would benefit from guarding/validation, this fix ensures a falsey value is not passed as a month.
Tests are added including a test that fails with this fix not applied.
Follow-up to [801], [35294], [35624].
Props antpb, audrasjb, costdev, davidmosterd, drewapicture, herregroen, hellofromTonya, michelwppi, sergeybiryukov.
Fixes#31521.
Built from https://develop.svn.wordpress.org/trunk@52136
git-svn-id: http://core.svn.wordpress.org/trunk@51728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Split long concatenated lines using `sprintf()`. This aims to improve readability and avoid multiple `esc_attr()` calls for the same value.
* Escape the form `name` and `id` attributes.
Follow-up to [12696], [18444], [19033].
Props sabbirshouvo, mukesh27, audrasjb, henry.wright, SergeyBiryukov.
Fixes#54279.
Built from https://develop.svn.wordpress.org/trunk@51926
git-svn-id: http://core.svn.wordpress.org/trunk@51519 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Since PHP 8.1, `readonly` is a reserved keyword and cannot be used as a function name.
In order to avoid PHP parser errors, the `readonly()` function was extracted to a separate file and is now only included conditionally on PHP < 8.1.
This commit also:
* Moves the tests for the `__checked_selected_helper()` function and all the related functions to their own file.
* Switches to named data providers. This makes the output when using the `--testdox` option more descriptive and is helpful when trying to debug which data set from a data provider failed the test.
* Improves the tests in question to make them feature-complete and expand test coverage.
Props jrf, ayeshrajans, haosun, knutsp, swissspidy, SergeyBiryukov.
Fixes#53858.
Built from https://develop.svn.wordpress.org/trunk@51586
git-svn-id: http://core.svn.wordpress.org/trunk@51197 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Clarify that as of WordPress 4.7, the `$urls` parameter can accept arrays of specific HTML attributes as its child elements, in addition to URLs.
Follow-up to [37920], [38826].
Props vanyukov, Rahmohn, desrosj, peterwilsoncc, SergeyBiryukov.
Fixes#52842.
Built from https://develop.svn.wordpress.org/trunk@51048
git-svn-id: http://core.svn.wordpress.org/trunk@50657 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In `wp_get_document_title(), the returned value is currently passed directly through `wptexturize()`, `convert_chars()`, and `capital_P_dangit()`, and is done so after the `document_title_parts` filter is run.
This makes it impossible to fully control the output of `wp_get_document_title()` and is inconsistent with how other similar text is processed with these functions.
This commit introduces the `document_title` filter, which is run immediately before returning the results of the `wp_get_document_title()` function and moves the three formatting functions mentioned above to the new filter hook. This allows developers to further modify the title after being prepared by WordPress, or to modify the functions hooked to this filter as they wish.
Props dragunoff, jeremyfelt, paaggeli, audrasjb.
Fixes#51643.
Built from https://develop.svn.wordpress.org/trunk@51019
git-svn-id: http://core.svn.wordpress.org/trunk@50628 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This is part of a larger project in cleaning up core's admin CSS. This collapses all colors used in the CSS to one of 12 blues, greens, reds, and yellows, 13 grays, pure black, and pure white. The colors are perceptually uniform from light to dark, half of each range has a 4.5 or higher contrast against white, the other half has a 4.5 or higher contrast against black.
Standardizing on this set of colors will help contributors make consistent, accessible design decisions. The full color palette can be seen here: https://codepen.io/ryelle/full/WNGVEjw
Props notlaura, danfarrow, kburgoine, drw158, audrasjb, Joen, hedgefield, ibdz, melchoyce.
See #49999.
Built from https://develop.svn.wordpress.org/trunk@50025
git-svn-id: http://core.svn.wordpress.org/trunk@49726 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset introduces a filter-based Robots API, providing central control over the `robots` meta tag.
* Introduces `wp_robots()` function which should be called anywhere a `robots` meta tag should be included.
* Introduces `wp_robots` filter which allows adding or modifying directives for the `robots` meta tag. The `wp_robots()` function is entirely filter-based, i.e. if no filter is added to `wp_robots`, no directives will be present, and therefore the entire `robots` meta tag will be omitted.
* Introduces the following `wp_robots` filter functions which replace similar existing functions that were manually rendering a `robots` meta tag:
* `wp_robots_noindex()` replaces `noindex()`, which has been deprecated.
* `wp_robots_no_robots()` replaces `wp_no_robots()`, which has been deprecated.
* `wp_robots_sensitive_page()` replaces `wp_sensitive_page_meta()`, which has been deprecated. Its rendering of the `referrer` meta tag has been moved to another new function `wp_strict_cross_origin_referrer()`.
Migration to the new functions is straightforward. For example, a call to `add_action( 'wp_head', 'wp_no_robots' )` should be replaced with `add_filter( 'wp_robots', 'wp_robots_no_robots' )`.
Plugins and themes that render their own `robots` meta tags are encouraged to switch to rely on the `wp_robots` filter in order to use the central management layer now provided by WordPress core.
Props adamsilverstein, flixos90, timothyblynjacobs, westonruter.
See #51511.
Built from https://develop.svn.wordpress.org/trunk@49992
git-svn-id: http://core.svn.wordpress.org/trunk@49693 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Per accessibility best practices, it is recommended that all HTML `<img>` elements have an `alt` attribute. Any decorative images should have an empty `alt` attribute (`alt=""`).
Props laxman-prajapati, sabernhardt, audrasjb.
Fixes#51846.
Built from https://develop.svn.wordpress.org/trunk@49949
git-svn-id: http://core.svn.wordpress.org/trunk@49648 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Using the canonical function name for PHP functions is strongly recommended, as aliases may be deprecated or removed without (much) warning.
This replaces all uses of the following:
* `join()` with `implode()`
* `sizeof()` with `count()`
* `is_writeable()` with `is_writable()`
* `doubleval()` with a `(float)` cast
In part, this is a follow-up to #47746.
Props jrf.
See #50767.
Built from https://develop.svn.wordpress.org/trunk@49193
git-svn-id: http://core.svn.wordpress.org/trunk@48955 1a063a9b-81f0-0310-95a4-ce76da25c4cd