WordPress/wp-includes
Scott Taylor 8cf8e2c66d WP oEmbed: validate the `secret` sent via `postMessage` in `wp.receiveEmbedMessage`. Also, compare `window` instances.
In the data sent to us from the embedded iframe by postMessage(), the secret value is being used directly in a document.querySelectorAll() call without first being validated or escaped.

In theory, this could lead to some broken embeds.

Props mdawaffe.
Fixes #34831.

Built from https://develop.svn.wordpress.org/trunk@35761


git-svn-id: http://core.svn.wordpress.org/trunk@35725 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-03 20:17:25 +00:00
ID3 Update getID3 to 1.9.9 2015-06-28 00:17:25 +00:00
SimplePie Feeds: add `CEST` to `$timezone` in `SimplePie_Parse_Date`. 2015-10-20 05:57:24 +00:00
Text Fix the `@author` doc param encoding in `Text/Diff/Engine/string` so the file is recognized as UTF-8, not ISO-8859-1. 2015-10-24 22:45:25 +00:00
certificates HTTP: Update the Root Certificate bundle. 2015-09-18 08:43:26 +00:00
css Media: Reset box-sizing for input elements in the entire media modal. 2015-11-18 23:36:28 +00:00
customize Customize: Ensure that a setting (especially a multidimensional one) can still be previewed when the post value to preview is set after `preview()` is invoked. 2015-11-21 02:52:27 +00:00
fonts Dashicons: Fix font ID in SVG file. 2015-07-23 10:03:24 +00:00
images Embeds: Revert [35083], as the PNG files ended up not being used in [35466]. 2015-10-31 04:42:25 +00:00
js WP oEmbed: validate the `secret` sent via `postMessage` in `wp.receiveEmbedMessage`. Also, compare `window` instances. 2015-12-03 20:17:25 +00:00
pomo Merge the changes to GlotPress's POMO from upstream to WordPress's copy. 2015-11-20 04:34:25 +00:00
random_compat Update random_compat to master. 2015-11-10 12:00:30 +00:00
rest-api Route HEAD API requests through the GET callback method 2015-12-03 16:34:25 +00:00
theme-compat Don't use `<a>` in translatable strings in `theme-compat/sidebar.php`. 2015-10-30 10:40:26 +00:00
widgets Widgets: Fix typo in `WP_Widget_Tag_Cloud::form()`. 2015-11-08 20:35:27 +00:00
admin-bar.php Do not pass FALSE as second parameter in variable class_exists() checks 2015-11-30 04:15:27 +00:00
atomlib.php Deprecate php4 style constructors 2015-06-28 15:27:24 +00:00
author-template.php Remove `<code>` tag from translatable string in `the_author()`. 2015-11-05 23:38:27 +00:00
bookmark-template.php Sanitize the class passed to `wp_list_bookmarks()` and allow passing an array. 2015-06-22 20:55:28 +00:00
bookmark.php After [35718], update the location of some files in `This filter is documented in` docs. 2015-11-22 03:51:28 +00:00
cache.php Filesystem: Following the introduction of the `KB|MB|GB|TB_IN_BYTES` constants in [35286], use them in various places in core. 2015-10-21 14:03:25 +00:00
canonical.php Canonical: when `/%post_id%/` is the permalink structure, don't redirect IDs that match Auto Drafts. 2015-10-31 20:54:25 +00:00
capabilities.php When a post is scheduled for publication, treat it the same as a published post when calculating the capabilities required to edit or delete it. 2015-11-29 02:27:18 +00:00
category-template.php In `wp_list_categories()`, rewrite a long condition for clarity. 2015-10-20 16:13:26 +00:00
category.php Simplify the include graph after work to split out classes. 2015-11-20 07:24:30 +00:00
class-IXR.php XMLRPC: ensure that empty strings are not passed as `null`, which will then fail `isset()` 2015-11-04 18:08:25 +00:00
class-feed.php Pass `false` as the 2nd argument to `class_exists()` to disable autoloading and to not cause problems for those who define `__autoload()`. 2015-09-20 03:52:25 +00:00
class-http.php Docs: Syntax fixes for deprecating `WP_Http::parse_url()`. 2015-10-23 15:43:24 +00:00
class-json.php Docs: Put "it's" in its place (again). 2015-09-16 12:46:28 +00:00
class-oembed.php Add support for oEmbeds from Speaker Deck. 2015-11-18 22:05:25 +00:00
class-phpass.php Remove closing PHP tag from `wp-includes/class-phpass.php`. 2015-10-06 23:45:25 +00:00
class-phpmailer.php Remove debug cruft from [33124]. 2015-07-09 07:56:24 +00:00
class-pop3.php Docs: Put "it's" in its place (again). 2015-09-16 12:46:28 +00:00
class-simplepie.php Pass `false` as the 2nd argument to `class_exists()` to disable autoloading and to not cause problems for those who define `__autoload()`. 2015-09-20 03:52:25 +00:00
class-smtp.php Update PHPMailer to 5.2.10 from 5.2.7. 2015-07-08 17:16:25 +00:00
class-snoopy.php Pass `false` as the 2nd argument to `class_exists()` to disable autoloading and to not cause problems for those who define `__autoload()`. 2015-09-20 03:52:25 +00:00
class-walker-category-dropdown.php Docs: Clarify the file header for wp-includes/class-walker-category-dropdown.php, introduced in [34110]. 2015-09-22 14:03:25 +00:00
class-walker-category.php Taxonomy: in `wp_list_categories()`, add an arg: `separator`, to allow the overriding of `<br/>`. 2015-10-13 17:02:25 +00:00
class-walker-comment.php Docs: some `@global object` vernaculars should be converted to the actual object type. 2015-10-10 15:45:25 +00:00
class-walker-page-dropdown.php Docs: Clarify the file header subpackage for wp-includes/class-walker-page-dropdown.php, introduced in [34109]. 2015-09-22 13:58:24 +00:00
class-walker-page.php Docs: Actually, the subpackage for `Walker_Page` should be Template. 2015-09-22 15:09:24 +00:00
class-wp-admin-bar.php Docs: Add missing file headers to two Toolbar API files: wp-includes/admin-bar.php and wp-includes/class-wp-admin-bar.php. 2015-10-14 17:27:25 +00:00
class-wp-ajax-response.php
class-wp-comment-query.php Ensure that order is specified when querying for comment descendants. 2015-12-03 15:50:27 +00:00
class-wp-comment.php Prevent extra db queries in `WP_Comment::get_children()`. 2015-10-01 03:58:23 +00:00
class-wp-customize-control.php Customize: move `WP_Customize_Control` subclasses to `wp-includes/customize`, they load in the exact same place. 2015-10-24 18:57:25 +00:00
class-wp-customize-manager.php Customize: Ensure that a setting (especially a multidimensional one) can still be previewed when the post value to preview is set after `preview()` is invoked. 2015-11-21 02:52:27 +00:00
class-wp-customize-nav-menus.php Customizer: Use correct context and translator comments for menu location strings. 2015-11-20 17:46:25 +00:00
class-wp-customize-panel.php Customize: move `WP_Customize_Panel` subclass to `wp-includes/customize`, it loads in the exact same place. 2015-10-24 18:25:24 +00:00
class-wp-customize-section.php Customize: move `WP_Customize_Section` subclasses to `wp-includes/customize`, they load in the exact same place. 2015-10-24 18:21:25 +00:00
class-wp-customize-setting.php Customize: Ensure that a setting (especially a multidimensional one) can still be previewed when the post value to preview is set after `preview()` is invoked. 2015-11-21 02:52:27 +00:00
class-wp-customize-widgets.php Customize: Ensure that a setting (especially a multidimensional one) can still be previewed when the post value to preview is set after `preview()` is invoked. 2015-11-21 02:52:27 +00:00
class-wp-editor.php Correct the parameter type for the `$stylesheet` parameter in the `mce_css` filter documentation. 2015-11-18 17:07:37 +00:00
class-wp-embed.php Embeds: Remove the `allow_insecure_embeds` filter. 2015-11-19 05:02:27 +00:00
class-wp-error.php Use `void` instead of `null` where appropriate when pipe-delimiting `@return` types. If a `@return` only contains `void`, remove it. 2015-05-24 05:40:25 +00:00
class-wp-http-cookie.php Docs: object != class 2015-09-26 07:04:28 +00:00
class-wp-http-curl.php Don't set `CURLOPT_CAINFO` when `sslverify` is false when sending HTTP API requests through cURL. This avoids sending redundant information to cURL, and avoids a bug in Apple's SecureTransport library which causes a request to fail when a CA bundle is set but certificate verification is disabled. 2015-09-27 21:37:24 +00:00
class-wp-http-encoding.php Docs: Add a missing file header for wp-includes/class-wp-http-encoding.php, introduced in [33748]. 2015-09-03 03:28:21 +00:00
class-wp-http-ixr-client.php Docs: Update the hook doc summary for the `wp_http_ixr_client_headers` filter, introduced in [34164]. 2015-09-15 16:16:43 +00:00
class-wp-http-proxy.php Docs: Add a missing file header to wp-includes/class-wp-http-proxy.php, introduced in [33748]. 2015-09-03 03:30:21 +00:00
class-wp-http-response.php HTTP/REST API: move `WP_HTTP_Response` to `wp-includes/` with the rest (ha!) of the HTTP classes. This is PHP 5.2, so this class is global, and as per @rmccue, unrelated to REST specifically. 2015-10-08 19:27:28 +00:00
class-wp-http-streams.php Docs: object != class 2015-09-26 07:04:28 +00:00
class-wp-image-editor-gd.php Media: add a new image size, `medium_large`. Bumps db version to add new options. 2015-10-31 20:50:25 +00:00
class-wp-image-editor-imagick.php Media: add a new image size, `medium_large`. Bumps db version to add new options. 2015-10-31 20:50:25 +00:00
class-wp-image-editor.php `foreach` is a statement, not a function. 2015-08-25 20:28:22 +00:00
class-wp-meta-query.php Docs: Add missing descriptions for the `$wpdb` global in DocBlocks all the places. 2015-10-14 23:44:25 +00:00
class-wp-network.php Multisite: Clarify documentation for `WP_Network::get_by_path()`. 2015-11-08 02:25:25 +00:00
class-wp-oembed-controller.php oEmbed: Drop the trailing slash from the namespace. 2015-11-17 11:27:29 +00:00
class-wp-post.php Docs: Add missing descriptions for the `$wpdb` global in DocBlocks all the places. 2015-10-14 23:44:25 +00:00
class-wp-rewrite.php Docs: Add a couple of strategically-placed spaces in `WP_Rewrite`. 2015-10-08 22:07:24 +00:00
class-wp-role.php Docs: The Users subpackage is plural. 2015-09-22 13:46:25 +00:00
class-wp-roles.php Docs: Add missing descriptions for the `$wpdb` global in DocBlocks all the places. 2015-10-14 23:44:25 +00:00
class-wp-tax-query.php Docs: Add a file header to wp-includes/class-wp-tax-query.php, introduced in [33760]. 2015-09-22 13:16:30 +00:00
class-wp-term.php Make `get_term()` behave more consistently in the context of shared terms. 2015-11-05 16:45:25 +00:00
class-wp-theme.php Upgrade: New themes are not automatically installed on upgrade. This can still be explicitly asked for by defining `CORE_UPGRADE_SKIP_NEW_BUNDLED` as `false`. 2015-11-25 21:45:25 +00:00
class-wp-user-query.php Correct documentation for 'fields' param of `WP_User_Query`. 2015-11-16 19:04:55 +00:00
class-wp-user.php Docs: Move an inline comment that was preventing the hook docs for the `user_has_cap` filter from being parsed. 2015-11-10 06:45:25 +00:00
class-wp-walker.php Docs: Add missing parameter and return descriptions for `Walker::get_number_of_root_elements()`. 2015-09-14 15:33:27 +00:00
class-wp-widget-factory.php Docs: The Widgets subpackage is plural. 2015-09-22 13:48:25 +00:00
class-wp-widget.php Widgets: when getting settings, and none exist, set them to empty to avoid extraneous database queries on subsequent requests. 2015-10-13 01:13:24 +00:00
class-wp-xmlrpc-server.php Media: add a new image size, `medium_large`. Bumps db version to add new options. 2015-10-31 20:50:25 +00:00
class-wp.php Embeds: Who put this REST API infrastructure in my WordPress? 2015-10-29 22:51:24 +00:00
class.wp-dependencies.php `foreach` is a statement, not a function. 2015-08-25 20:28:22 +00:00
class.wp-scripts.php Scripts: in `WP_Scripts::set_group()`, the `args` prop of the `_WP_Dependency` instance defaults to `null` - check that it is set before comparing. 2015-10-06 13:54:25 +00:00
class.wp-styles.php Add a missing `$html` parameter variable in the hook docs for the `style_loader_tag` filter. 2015-07-13 21:03:24 +00:00
comment-template.php In a similar vein to [34133], escape the email address and IP address of comment authors to increase defence in depth. 2015-11-29 02:43:24 +00:00
comment.php Ensure the correct error message is returned when a user attempts to comment on a post to which they do not have access. 2015-11-28 18:29:32 +00:00
compat.php Use PHP7's `random_int()` CSPRNG functionality in `wp_rand()` with a fallback to the `random_compat` library for PHP 5.x. 2015-10-09 04:28:24 +00:00
cron.php Cron: In `spawn_cron()`, when using `ALTERNATE_WP_CRON`, return early for any non-`GET`, instead of naively checking `! empty( $_POST )`. 2015-09-26 04:51:26 +00:00
date.php Ensure that `WP_Date_Query` accepts a value of `0` for 'hour'. 2015-10-09 16:33:25 +00:00
default-constants.php Set Twenty Sixteen as the default theme. 2015-11-25 21:52:26 +00:00
default-filters.php Users: Allow to create users without sending an email to the new user. 2015-11-25 22:38:29 +00:00
default-widgets.php Docs: Clarify the file header summary for wp-includes/default-widgets.php, the top-level file for bringing in the core widget classes. 2015-09-22 13:36:25 +00:00
deprecated.php Template: Un-deprecate `wp_title()`. 2015-11-11 23:50:25 +00:00
embed-template.php Embeds: Introduce `print_embed_comments_button()`, `print_embed_sharing_button()`, and `print_embed_sharing_dialog()`, which respectively output the comments button, sharing buttons, and sharing dialog elements in the embed template. 2015-11-18 20:51:26 +00:00
embed.php WP oEmbed: validate the `secret` sent via `postMessage` in `wp.receiveEmbedMessage`. Also, compare `window` instances. 2015-12-03 20:17:25 +00:00
feed-atom-comments.php Themes: Improve document title output. 2015-10-20 16:21:25 +00:00
feed-atom.php Feeds: `<comments>` is optional in RSS2, so don't include it when comments aren't present or open. Same for `<wfw:commentRss>` and `<slash:comments>` 2015-11-04 17:47:25 +00:00
feed-rdf.php Themes: Improve document title output. 2015-10-20 16:21:25 +00:00
feed-rss.php Themes: Improve document title output. 2015-10-20 16:21:25 +00:00
feed-rss2-comments.php Themes: Improve document title output. 2015-10-20 16:21:25 +00:00
feed-rss2.php Feeds: `<comments>` is optional in RSS2, so don't include it when comments aren't present or open. Same for `<wfw:commentRss>` and `<slash:comments>` 2015-11-04 17:47:25 +00:00
feed.php Use correct placeholders for translator comments added in [35303]. 2015-10-24 18:50:24 +00:00
formatting.php Texturize: Only convert `&` to `&#038;` within text nodes. 2015-11-19 23:31:26 +00:00
functions.php I18N: Move translatable Codex URLs to separate strings in `wp-includes/functions.php`. 2015-11-18 17:41:27 +00:00
functions.wp-scripts.php After [32596] and [32597], ensure that `wp_scripts|styles()` is called to ensure an instance is created of `WP_Scripts|Styles()` before calling `->do_items()`. 2015-06-12 16:54:24 +00:00
functions.wp-styles.php After [32596] and [32597], ensure that `wp_scripts|styles()` is called to ensure an instance is created of `WP_Scripts|Styles()` before calling `->do_items()`. 2015-06-12 16:54:24 +00:00
general-template.php Template: Use `template-loader.php` as canonical source of truth for conditional ordering. 2015-11-19 17:09:26 +00:00
http.php Simplify the include graph after work to split out classes. 2015-11-20 07:24:30 +00:00
kses.php KSES: have you ever heard of the `<bdo>` HTML tag? Same. http://www.w3schools.com/tags/tag_bdo.asp 2015-10-13 17:18:25 +00:00
l10n.php Revert [34778], continue using `_site_option()` for the current network. 2015-10-07 17:11:25 +00:00
link-template.php Move the `show_ui` logic into the `get_edit_post_link()` and `get_edit_term_link()` functions to facilitate post types and terms which specify `show_ui` as false but provide a custom editing UI via the `get_edit_post_link` and `get_edit_term_link` filters. 2015-11-19 16:25:26 +00:00
load.php Revert [34291] bringing back my-hacks 2015-11-18 20:49:26 +00:00
locale.php Revert [35336] and [35337]. 2015-11-18 20:30:25 +00:00
media-template.php Accessibility: add missing `alt` attributes to a gaggle of `<img>`s. 2015-11-07 16:12:27 +00:00
media.php Responsive Images: Currently images are included in the `srcset` if the aspect ratio difference is smaller than `0.01`. This number is too high, set it to `0.002` 2015-12-01 20:58:24 +00:00
meta.php After [35718], update the location of some files in `This filter is documented in` docs. 2015-11-22 03:51:28 +00:00
ms-blogs.php Ensure that the scheme used in the URL returned by `get_blogaddress_by_id()` always reflects the blog's URL, instead of using `http`. 2015-10-30 02:02:24 +00:00
ms-default-constants.php Docs: Add missing descriptions for the `$wpdb` global in DocBlocks all the places. 2015-10-14 23:44:25 +00:00
ms-default-filters.php Move new user notification emails to `add_action()` callbacks. 2015-09-16 22:19:24 +00:00
ms-deprecated.php Docs: Add missing descriptions for the `$wpdb` global in DocBlocks all the places. 2015-10-14 23:44:25 +00:00
ms-files.php `if` is a statement, not a function. 2015-06-16 20:01:25 +00:00
ms-functions.php After [35718], update the location of some files in `This filter is documented in` docs. 2015-11-22 03:51:28 +00:00
ms-load.php I18N: Move translatable Codex URLs to separate strings in `wp-includes/ms-load.php`. 2015-11-18 17:42:26 +00:00
ms-settings.php Use `wp_installing()` instead of `WP_INSTALLING` constant. 2015-10-05 15:06:28 +00:00
nav-menu-template.php Nav Menus: show custom post type Archive item at the top of the `View All` tab for the post type on the legacy Nav Menu screen. 2015-10-24 17:46:25 +00:00
nav-menu.php Don't use `<strong>` in translatable string in `wp-includes/nav-menu.php`. 2015-10-30 08:57:26 +00:00
option.php Rename internal variable in `set_transient()`. 2015-10-29 11:52:28 +00:00
pluggable-deprecated.php Pass `false` as the 2nd argument to `class_exists()` to disable autoloading and to not cause problems for those who define `__autoload()`. 2015-09-20 03:52:25 +00:00
pluggable.php Passwords: Support the pre-4.3 behavior of `wp_new_user_notification()`. 2015-11-24 23:07:26 +00:00
plugin.php `callback` is not a valid type in PHP, PSR-5, or phpDocumentor. `callable` should be used instead. 2015-09-25 23:58:25 +00:00
post-formats.php `foreach` is a statement, not a function. 2015-08-25 20:28:22 +00:00
post-template.php Template: Defining a default value for `show_home` breaks back compat. 2015-11-25 18:55:26 +00:00
post-thumbnail-template.php Docs: Adjust documentation for the `$size` parameter in `the_post_thumbnail_url()` to clarify the required order of width and height values when passing an array. 2015-10-12 17:00:26 +00:00
post.php After [35718], update the location of some files in `This filter is documented in` docs. 2015-11-22 03:51:28 +00:00
query.php In `WP_Query`, set `is_home` to `false` during REST requests. 2015-11-18 21:18:26 +00:00
registration-functions.php
registration.php
rest-api.php Simplify the include graph after work to split out classes. 2015-11-20 07:24:30 +00:00
revision.php Docs: Correct description for `_wp_post_revision_fields()` arguments. 2015-10-22 12:17:28 +00:00
rewrite.php Simplify the include graph after work to split out classes. 2015-11-20 07:24:30 +00:00
rss-functions.php
rss.php `foreach` is a statement, not a function. 2015-08-25 20:28:22 +00:00
script-loader.php Bump the version of MediaElement in script-loader.php to match what we're shipping with. 2015-11-20 03:32:26 +00:00
session.php Fix some internal types that are passed to functions to avoid changing the acceptable types passed as arguments to those functions: 2015-01-16 22:51:21 +00:00
shortcodes.php Use correct placeholders in translator comments added in [35542]. 2015-11-05 21:05:25 +00:00
taxonomy.php After [35718], update the location of some files in `This filter is documented in` docs. 2015-11-22 03:51:28 +00:00
template-loader.php Embeds: Add oEmbed provider support. 2015-10-07 10:36:25 +00:00
template.php List the possible values for the dynamic portion of the `{type}_template` hook. 2015-10-28 14:06:27 +00:00
theme.php Upgrade: New themes are not automatically installed on upgrade. This can still be explicitly asked for by defining `CORE_UPGRADE_SKIP_NEW_BUNDLED` as `false`. 2015-11-25 21:45:25 +00:00
update.php Use `wp_installing()` instead of `WP_INSTALLING` constant. 2015-10-05 15:06:28 +00:00
user.php Users: Allow to create users without sending an email to the new user. 2015-11-25 22:38:29 +00:00
vars.php Introduce a new `$is_edge` global for the Microsoft Edge browser. 2015-09-05 22:33:23 +00:00
version.php WP oEmbed: validate the `secret` sent via `postMessage` in `wp.receiveEmbedMessage`. Also, compare `window` instances. 2015-12-03 20:17:25 +00:00
widgets.php After [35718], update the location of some files in `This filter is documented in` docs. 2015-11-22 03:51:28 +00:00
wlwmanifest.xml
wp-db.php WPDB: Fall back to the connection charset when sanity checking strings. 2015-11-17 06:13:26 +00:00
wp-diff.php Pass `false` as the 2nd argument to `class_exists()` to disable autoloading and to not cause problems for those who define `__autoload()`. 2015-09-20 03:52:25 +00:00