WordPress/wp-includes
Sergey Biryukov 22450a0f8b Update `wp_kses_bad_protocol()` to recognize `&colon;` on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 4.5 branch.

Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.5@46913


git-svn-id: http://core.svn.wordpress.org/branches/4.5@46713 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:45:22 +00:00
ID3
SimplePie Feeds: add `CEST` to `$timezone` in `SimplePie_Parse_Date`. 2015-10-20 05:57:24 +00:00
Text Fix the `@author` doc param encoding in `Text/Diff/Engine/string` so the file is recognized as UTF-8, not ISO-8859-1. 2015-10-24 22:45:25 +00:00
certificates HTTP API: Certificate bundle: Attempt to move a certificate lower in the file to allow older OpenSSL versions to parse it & communicate with WordPress.org securely again. 2016-02-18 08:21:28 +00:00
css TinyMCE, inline link: Make styles for the autocomplete results available on front end. 2016-04-11 15:12:29 +00:00
customize Customize: Separate preview and actions in the site icon control. 2016-06-16 09:53:28 +00:00
fonts Dashicons: Fix incorrect ID in SVG version of font. 2016-03-18 20:43:26 +00:00
images Embeds: Load the default site icon from the `wp-includes` directory. 2016-02-23 16:55:27 +00:00
js jQuery: Backport the patch from jQuery 3.4.0. 2019-09-04 21:48:52 +00:00
pomo Merge the changes to GlotPress's POMO from upstream to WordPress's copy. 2015-11-20 04:34:25 +00:00
random_compat Update Random_Compat from 1.1.6 to 1.2.1. 2016-03-08 17:15:27 +00:00
rest-api REST API: Deliver parameters unadulterated instead of slashed. 2016-04-06 21:02:28 +00:00
theme-compat Embeds: Change attachment metadata condition to prevent a warning in the embeds template. 2016-05-17 20:38:32 +00:00
widgets Customize: Require opt-in for selective refresh of widgets. 2016-03-21 21:59:29 +00:00
admin-bar.php Add grunt prerelease task 2016-03-10 05:37:27 +00:00
atomlib.php
author-template.php Networks and sites: Replace "blog" usage with "site" in docs. 2016-01-28 03:51:26 +00:00
bookmark-template.php
bookmark.php Docs: Add a missing notation for the `$bookmark_id` parameter in the DocBlock for `clean_bookmark_cache()`. 2015-12-18 23:01:28 +00:00
cache.php Spelling: Standardize on "front end"/"back end" (noun) and "front-end"/"back-end" (adjective). 2016-02-25 12:53:27 +00:00
canonical.php Canonical: Generate the correct canonical url for paged posts/pages when they're used as the page_on_front. 2016-01-09 07:33:27 +00:00
capabilities.php Docs: Add a note to the DocBlock for `current_user_can()` to explain that it will always return true for super admins, unless specifically denied. 2016-02-07 01:27:26 +00:00
category-template.php Taxonomy: Correct the accepted types for the `taxonomy` element in the arguments passed to `wp_dropdown_categories()`. 2016-01-13 20:16:29 +00:00
category.php Improve error handling in `get_categories()`. 2016-03-14 13:53:28 +00:00
class-IXR.php XMLRPC: Revert [35509] which caused a change of behaviour in at least one XMLRPC client. 2015-12-31 04:06:26 +00:00
class-feed.php Docs: Add missing `@param` and `@return` notations to the DocBlock for `WP_Feed_Cache_Transient::save()`. 2016-02-26 09:27:26 +00:00
class-http.php HTTP API: Add the missing `1xx` HTTP response codes as constants of the `WP_Http` class, and add tests to ensure all available response codes are covered. 2016-02-28 01:46:26 +00:00
class-json.php The the Docs: Fix the the dittography 2015-12-06 21:23:25 +00:00
class-oembed.php General: Backport PHP 7.1 fixes to the 4.5 branch to avoid fatal errors and warnings. 2017-07-24 22:25:32 +00:00
class-phpass.php Remove closing PHP tag from `wp-includes/class-phpass.php`. 2015-10-06 23:45:25 +00:00
class-phpmailer.php Update PHPMailer to 5.2.22. 2017-01-11 05:23:31 +00:00
class-pop3.php
class-simplepie.php
class-smtp.php Update PHPMailer to 5.2.22. 2017-01-11 05:23:31 +00:00
class-snoopy.php Snoopy: use escapeshellarg instead of escapeshellcmd 2016-03-30 13:58:28 +00:00
class-walker-category-dropdown.php Docs: Improve inline documentation in property and method DocBlocks for `Walker_CategoryDropdown`. 2016-03-22 17:22:29 +00:00
class-walker-category.php Docs: Mark optional parameters in `Walker_Category` methods as such. 2016-03-22 17:30:26 +00:00
class-walker-comment.php Docs: Normalize `Walker_Comment` method parameter docs spacing following [37051]. 2016-03-22 17:46:27 +00:00
class-walker-page-dropdown.php Docs: The page object type in use in `Walker_PageDropdown` is `WP_Post`. 2016-03-22 17:53:27 +00:00
class-walker-page.php Docs: Mark optional method parameters as such in `Walker_Page`. 2016-03-22 18:07:27 +00:00
class-wp-admin-bar.php Docs: Improve the DocBlock summary and add a missing initial `@since` version for `WP_Admin_Bar::add_node()`. 2016-03-03 15:58:27 +00:00
class-wp-ajax-response.php Docs: Document default `WP_Ajax_Response::add()` arguments as a hash notation. 2016-03-18 11:59:27 +00:00
class-wp-comment-query.php Docs: Standardize the changelog entry for the new `$author_url` argument, introduced in [36224]. 2016-03-03 16:02:27 +00:00
class-wp-comment.php Comments: Correct description of `comment_author` property in WP_Comment class. 2016-01-17 15:00:27 +00:00
class-wp-customize-control.php Customize: Allow controls to be registered without any associated settings. 2016-02-24 18:28:28 +00:00
class-wp-customize-manager.php Customize: Ensure valid themes in the preview. 2017-09-19 11:52:08 +00:00
class-wp-customize-nav-menus.php Customize: Require opt-in for selective refresh of widgets. 2016-03-21 21:59:29 +00:00
class-wp-customize-panel.php Customizer: Merge two translator comments. 2016-03-02 23:10:26 +00:00
class-wp-customize-section.php Customize: move `WP_Customize_Section` subclasses to `wp-includes/customize`, they load in the exact same place. 2015-10-24 18:21:25 +00:00
class-wp-customize-setting.php Customize: Harden assignment of Customizer settings transports for selective refreshable widgets 2016-04-07 20:59:29 +00:00
class-wp-customize-widgets.php Customize: Handle filtering `sidebars_widgets` when the underlying option is non-existent. 2016-05-17 20:34:30 +00:00
class-wp-editor.php Accessibility: improvements for the Editor wpLink modal form fields. 2016-04-05 22:24:27 +00:00
class-wp-embed.php Docs: Correct grammar when referring to "a URL" vs "an URL" in several places. 2016-03-12 12:39:27 +00:00
class-wp-error.php
class-wp-http-cookie.php
class-wp-http-curl.php Docs: Correct grammar when referring to "a URL" vs "an URL" in several places. 2016-03-12 12:39:27 +00:00
class-wp-http-encoding.php
class-wp-http-ixr-client.php
class-wp-http-proxy.php Networks and sites: Replace "blog" usage with "site" in docs. 2016-01-28 03:35:27 +00:00
class-wp-http-response.php HTTP/REST API: move `WP_HTTP_Response` to `wp-includes/` with the rest (ha!) of the HTTP classes. This is PHP 5.2, so this class is global, and as per @rmccue, unrelated to REST specifically. 2015-10-08 19:27:28 +00:00
class-wp-http-streams.php Docs: Add missing parameter documentation for the `$args` parameter in the DocBlock for `WP_Http_Streams::test()`. 2015-12-14 23:54:26 +00:00
class-wp-image-editor-gd.php Media: add a new image size, `medium_large`. Bumps db version to add new options. 2015-10-31 20:50:25 +00:00
class-wp-image-editor-imagick.php Media: Resolve fatal error on resize with ImageMagick < 6.4.6 2016-04-19 20:46:30 +00:00
class-wp-image-editor.php Media: Reduce default image compression quality to '82'. 2016-02-22 22:19:26 +00:00
class-wp-meta-query.php Docs: Correctly document parameters in the hook doc for the `get_meta_sql` filter as individual parameters rather than an array. 2016-02-26 17:10:26 +00:00
class-wp-metadata-lazyloader.php Docs: Standardize file header summary for wp-includes/class-wp-metadata-lazyloader.php. 2016-03-09 16:59:27 +00:00
class-wp-network.php Docs: Fix type documentation for `WP_Network` properties. 2016-01-18 02:59:27 +00:00
class-wp-oembed-controller.php oEmbed: Drop the trailing slash from the namespace. 2015-11-17 11:27:29 +00:00
class-wp-post.php Docs: Add missing descriptions for the `$wpdb` global in DocBlocks all the places. 2015-10-14 23:44:25 +00:00
class-wp-rewrite.php Rewrite Rules: Allow rewrite rules to work in nested WordPress installations on IIS. 2016-03-10 20:01:28 +00:00
class-wp-role.php Docs: Clarify documentation for `WP_Role::has_cap()` to more clearly indicate that the method checks for capabilities against the role rather than the user. 2015-12-14 20:05:27 +00:00
class-wp-roles.php Networks and sites: Replace "blog" usage with "site" in docs. 2016-01-28 03:35:27 +00:00
class-wp-site.php Docs: Make some minor improvements to inline docs for `WP_Site`, introduced in [36393]. 2016-02-07 02:13:26 +00:00
class-wp-tax-query.php Correct some `@param` doc names in the `WP_Tax_Query` and `WP_User_Query` classes. 2015-12-14 02:50:27 +00:00
class-wp-term.php Docs: Various docblock corrections. 2016-01-10 01:26:25 +00:00
class-wp-theme.php Themes: Fix markup for theme name fallbacks. 2017-01-11 11:10:05 +00:00
class-wp-user-query.php Networks and sites: Replace "blog" usage with "site" in docs. 2016-01-28 03:51:26 +00:00
class-wp-user.php Networks and sites: Replace "blog" usage with "site" in docs. 2016-01-28 03:51:26 +00:00
class-wp-walker.php Avoid a PHP notice when trying to access the `post_parent` property of hierarchical post type nav menu items. 2015-12-12 01:06:29 +00:00
class-wp-widget-factory.php Docs: Use third-person singular verbs for method summaries in `WP_Widget_Factory`. 2016-03-23 04:51:26 +00:00
class-wp-widget.php Docs: Improve inline documentation syntax throughout `WP_Widget`. 2016-03-23 05:32:27 +00:00
class-wp-xmlrpc-server.php Adjust post meta checks 2017-05-16 08:50:31 +00:00
class-wp.php Backporting several bug fixes. 2019-10-14 19:07:24 +00:00
class.wp-dependencies.php Docs: Re-add a `@param` that went missing in [36993]. 2016-03-14 22:39:26 +00:00
class.wp-scripts.php Ensure consistent dependency order when using `wp_add_inline_script()` 2016-04-10 03:33:26 +00:00
class.wp-styles.php Dependencies: Improve group processing of script dependencies. 2016-03-06 19:50:27 +00:00
comment-template.php Add grunt prerelease task 2016-03-10 05:37:27 +00:00
comment.php Comments: Improve comment content filtering. 2019-03-12 22:38:19 +00:00
compat.php Docs: Fix one line of the DocBlock for the `JsonSerializable` compat interface to use a tab instead of spaces. 2016-02-07 01:18:27 +00:00
cron.php Docs: Adjust formatting for an added-parameter changelog entry in the hook doc for the `cron_request` filter. 2016-01-14 17:30:28 +00:00
date.php Docs: Remove some more dittography. 2015-12-06 21:50:25 +00:00
default-constants.php Revert [35804]. This change has unintended side effects, notably that media URLs in the admin area now unexpectedly use the `https` scheme. A more comprehensive approach will be taken in 4.5. 2015-12-22 13:02:29 +00:00
default-filters.php Embeds: Improve performance when embedding a post of the current site. 2016-06-15 11:32:29 +00:00
default-widgets.php
deprecated.php Docs: Ignore `_wp_upload_dir_baseurl()` from parsing for the Code Reference. 2016-03-30 15:29:26 +00:00
embed-template.php Docs: Update the `@deprecated` tag comment for wp-includes/embed-template.php to reference the correct file path following [36693]. 2016-02-27 21:22:25 +00:00
embed.php oEmbed: Add extra hardening around allowed HTML for improved sandboxing. 2017-09-19 13:50:32 +00:00
feed-atom-comments.php Themes: Improve document title output. 2015-10-20 16:21:25 +00:00
feed-atom.php Feeds: `<comments>` is optional in RSS2, so don't include it when comments aren't present or open. Same for `<wfw:commentRss>` and `<slash:comments>` 2015-11-04 17:47:25 +00:00
feed-rdf.php Themes: Improve document title output. 2015-10-20 16:21:25 +00:00
feed-rss.php Themes: Improve document title output. 2015-10-20 16:21:25 +00:00
feed-rss2-comments.php Themes: Improve document title output. 2015-10-20 16:21:25 +00:00
feed-rss2.php Feeds: `<comments>` is optional in RSS2, so don't include it when comments aren't present or open. Same for `<wfw:commentRss>` and `<slash:comments>` 2015-11-04 17:47:25 +00:00
feed.php Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds. 2017-11-29 16:27:01 +00:00
formatting.php Improve handling the existing `rel` attribute in `wp_rel_nofollow_callback()`. 2019-09-04 17:54:21 +00:00
functions.php Backporting several bug fixes. 2019-10-14 19:07:24 +00:00
functions.wp-scripts.php Docs: Improvements and corrections for the `$ver` parameter of the dependencies API functions. 2016-03-14 22:37:26 +00:00
functions.wp-styles.php Docs: Improvements and corrections for the `$ver` parameter of the dependencies API functions. 2016-03-14 22:37:26 +00:00
general-template.php Multisite: Improve messaging for previously activated users. 2018-12-13 00:47:20 +00:00
http.php Backporting several bug fixes. 2019-10-14 19:07:24 +00:00
kses.php Update `wp_kses_bad_protocol()` to recognize `&colon;` on uri attributes, 2019-12-12 18:45:22 +00:00
l10n.php Docs: Correct `_n_noop()` and `_nx_noop()` descriptions to use third-person singular verbs. 2016-02-28 20:43:26 +00:00
link-template.php Docs: Improve the usefulness of the DocBlock summary for `get_edit_term_link()`. 2016-03-10 17:48:26 +00:00
load.php Bootstrap/Load: Silence `ini_set()` in `wp_debug_mode()`. 2016-05-17 20:31:29 +00:00
locale.php Docs: Add a missing summary to the DocBlock for `WP_Locale::rtl_src_admin_notice()`. 2015-12-16 18:08:26 +00:00
media-template.php Accessibility: add missing `alt` attributes to a gaggle of `<img>`s. 2015-11-07 16:12:27 +00:00
media.php Responsive Images: the `src` of the image has to be first in the `srcset`, because of a bug in iOS8. Update the unit tests to reflect the changes. 2016-03-18 19:45:26 +00:00
meta.php Meta: Simplify the delete all meta query in `delete_metadata()`. 2018-04-03 15:43:03 +00:00
ms-blogs.php Docs: Update param/return types for `WP_Site` in `ms-blogs.php` 2016-03-09 07:42:26 +00:00
ms-default-constants.php I18N: Remove `<code>` tags from translatable string in `wp-admin/network/site-new.php`. 2016-02-29 03:17:26 +00:00
ms-default-filters.php
ms-deprecated.php Multisite: Validate activation links. 2018-12-13 01:44:20 +00:00
ms-files.php
ms-functions.php Multisite: Use `wp_rand()` in signup key creation. 2017-01-11 05:33:32 +00:00
ms-load.php I18N: Move translatable Codex URLs to separate strings in `wp-includes/ms-load.php`. 2015-11-18 17:42:26 +00:00
ms-settings.php Multisite: Introduce the WP_Site class. 2016-01-25 21:51:26 +00:00
nav-menu-template.php Menus: Bring back line break between menu items. 2015-12-24 00:21:27 +00:00
nav-menu.php Menus: Avoid a notice when outputting a description for an existing archive menu item for a post type that doesn't. 2016-03-08 18:25:26 +00:00
option.php Clarify return types in `get_option()` documentation. 2016-01-09 03:12:26 +00:00
pluggable-deprecated.php Users: Introduce `_wp_get_current_user()` for improved backward compatibility. 2016-02-23 22:26:28 +00:00
pluggable.php Backporting several bug fixes. 2019-10-14 19:07:24 +00:00
plugin.php Docs: Fix indentation in `add_filter()` example. 2016-01-25 18:58:27 +00:00
post-formats.php
post-template.php Remove _convert_urlencoded_to_entities() from the get_the_content() callback. 2019-09-04 16:41:21 +00:00
post-thumbnail-template.php Docs: Adjust documentation for the `$size` parameter in `the_post_thumbnail_url()` to clarify the required order of width and height values when passing an array. 2015-10-12 17:00:26 +00:00
post.php Media: Limit thumbnail file deletions to the same directory as the original file. 2018-07-05 14:55:23 +00:00
query.php Backporting several bug fixes. 2019-10-14 19:07:24 +00:00
registration-functions.php
registration.php
rest-api.php Backporting several bug fixes. 2019-10-14 19:07:24 +00:00
revision.php Revisions: Clean up `_wp_post_revision_fields()`: 2016-02-24 00:44:59 +00:00
rewrite.php Docs: Correct grammar when referring to "a URL" vs "an URL" in several places. 2016-03-12 12:39:27 +00:00
rss-functions.php
rss.php
script-loader.php TinyMCE: Improve the previews for shortcodes. 2017-09-19 12:43:08 +00:00
session.php Docs: `@param` fixes for a variety of docblocks. 2016-01-09 01:45:26 +00:00
shortcodes.php Shortcodes: `=` is a reserved character in shortcode names, mark it as such. 2015-12-26 04:46:28 +00:00
taxonomy.php Taxonomies: make sure taxonomy functions work correctly with taxonomy names with special characters 2016-03-30 17:13:28 +00:00
template-loader.php Embeds: Add support for embeds in the theme template hierarchy. 2016-03-07 19:33:26 +00:00
template.php Docs: Correct a typo in the DocBlock summary for `get_embed_template()`, introduced in [36963]. 2016-03-10 22:45:26 +00:00
theme.php Prevent PHP Warnings when using Custom Logo with no params 2016-03-30 02:22:26 +00:00
update.php Docs: Add a couple of spaces before hook docs for filters introduced in 4.5. 2016-03-16 16:15:28 +00:00
user.php General: Backport PHP 7.1 fixes to the 4.5 branch to avoid fatal errors and warnings. 2017-07-24 22:25:32 +00:00
vars.php Uploads: Remove an unnecessary static var from `wp_is_mobile()` to allow its direct and indirect use within unit tests. The static `$is_m 2016-03-03 03:25:26 +00:00
version.php WordPress 4.5.19. 2019-10-14 20:11:21 +00:00
widgets.php Spelling: Standardize on "front end"/"back end" (noun) and "front-end"/"back-end" (adjective). 2016-02-25 12:53:27 +00:00
wlwmanifest.xml
wp-db.php WPDB: Check that `AUTH_SALT` is not empty, Fix a PHP notice when `AUTH_SALT` is undefined. 2017-11-27 01:10:32 +00:00
wp-diff.php