WordPress/wp-includes
Boone Gorges f345a72c58 Prevent terms in a show_in_quick_edit=false taxonomy from being updated by a faked AJAX request.
The UI for these taxonomies was hidden in [31308], but it remained possible to
send a direct POST request to the `inline-edit` endpoint to bypass the
restriction. The current changeset fixes this.

Props meloniq.
Fixes #26948.
Built from https://develop.svn.wordpress.org/trunk@31313


git-svn-id: http://core.svn.wordpress.org/trunk@31294 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-31 19:38:24 +00:00
ID3
SimplePie
Text
certificates WP_HTTP: Revert r30491 which updated the bundled root certificates. There's a report that this is breaking under certain PHP/OpenSSL versions (which we've encountered before), and we're safer with a slightly out of date CA bundle than breaking HTTPS communication on affected sites. 2014-12-07 03:13:22 +00:00
css Media: Prevent filter selects from jiggling when the spinner shows. 2015-01-16 03:00:23 +00:00
fonts Dashicons: Update to the latest files. 2014-12-09 19:34:23 +00:00
images TwentyFifteen: 2014-11-25 06:12:22 +00:00
js TinyMCE: fix vertical positioning of the image toolbar when there are several instances of the editor. Props avryl, fixes #31028. 2015-01-18 17:56:23 +00:00
pomo Add missing `@param`s to `src/wp-includes/pomo` files. 2014-11-30 21:41:22 +00:00
theme-compat Improve various hook and filter docs so they are correctly parsed for the code reference. 2014-12-06 21:32:24 +00:00
admin-bar.php Customizer: Use deep-link for Widgets in toolbar on front-end. 2015-01-13 07:45:22 +00:00
atomlib.php
author-template.php There are some random `add_action()` and `add_filter()` calls littered around some files in `wp-includes/`. These should be moved to `wp-includes/default-filters.php` with the rest of the registered hooks. It seems like this was the best practice for awhile and then we randomly stopped. This file loads way before any of the includes, so the hooks will be registered for any request that loads WordPress, even `SHORTINIT` - a lot of the hooks registered won't run anyways (that's already the case). 2015-01-12 16:40:23 +00:00
bookmark-template.php Ensure inline code is markdown-escaped as such, and that code snippets in descriptions are properly indented. 2014-11-24 04:42:22 +00:00
bookmark.php The keyword `elseif` should be used instead of `else if` so that all control keywords look like single words. 2015-01-08 07:05:25 +00:00
cache.php Adding a `@return` annotation to constructors is generally not recommended as a constructor does not have a meaningful return value. Constructors do not have meaningful return values, anything that is returned from here is discarded. 2015-01-10 06:54:23 +00:00
canonical.php There are some random `add_action()` and `add_filter()` calls littered around some files in `wp-includes/`. These should be moved to `wp-includes/default-filters.php` with the rest of the registered hooks. It seems like this was the best practice for awhile and then we randomly stopped. This file loads way before any of the includes, so the hooks will be registered for any request that loads WordPress, even `SHORTINIT` - a lot of the hooks registered won't run anyways (that's already the case). 2015-01-12 16:40:23 +00:00
capabilities.php [31210] broke Supportflow on dotorg, which declares these methods as `protected`. Switch to `protected` for the noop methods. The subclasses can make them more visible using `public`. 2015-01-16 18:37:24 +00:00
category-template.php In PHP 5.0.0, `is_a()` became deprecated in favour of the `instanceof` operator. Calling `is_a()` would result in an `E_STRICT` warning. 2015-01-16 01:06:24 +00:00
category.php Add inline `@see` tags to the docs for the `get_categories_taxonomy` hook. 2014-11-17 17:37:23 +00:00
class-IXR.php XML-RPC: Send 405 Method Not Allowed for GET requests. 2014-12-30 20:41:23 +00:00
class-feed.php In PHP 5.0.0, `is_a()` became deprecated in favour of the `instanceof` operator. Calling `is_a()` would result in an `E_STRICT` warning. 2015-01-16 01:06:24 +00:00
class-http.php HTTP API: Fix an issue where the `limit_response_size` parameter wasn't working properly with large documents and the cURL transport. 2015-01-29 03:58:23 +00:00
class-json.php
class-oembed.php In `WP_oEmbed`, only allow `__call()` to run against a whitelist of methods, `$compat_methods`. 2015-01-11 22:27:23 +00:00
class-phpass.php Prevent high resource usage when hashing large passwords. props mdawaffe, pento 2014-11-20 16:03:24 +00:00
class-phpmailer.php
class-pop3.php
class-simplepie.php
class-smtp.php
class-snoopy.php
class-wp-admin-bar.php
class-wp-ajax-response.php `WP_Ajax_Response` has one property only, `$responses`. It was public until [28508], when it became `private` in name only. Is it worth 4 magic methods to pretend that this property is `private`? It is not. 2015-01-11 00:13:23 +00:00
class-wp-customize-control.php Overriding methods should do more than simply call the same method in the super class. 2015-01-08 21:20:22 +00:00
class-wp-customize-manager.php Customizer: Replicate behavior from options-reading.php and hide front page options if there are no pages. 2015-01-18 06:01:24 +00:00
class-wp-customize-panel.php Adding a `@return` annotation to constructors is generally not recommended as a constructor does not have a meaningful return value. Constructors do not have meaningful return values, anything that is returned from here is discarded. 2015-01-10 06:54:23 +00:00
class-wp-customize-section.php Adding a `@return` annotation to constructors is generally not recommended as a constructor does not have a meaningful return value. Constructors do not have meaningful return values, anything that is returned from here is discarded. 2015-01-10 06:54:23 +00:00
class-wp-customize-setting.php Adding a `@return` annotation to constructors is generally not recommended as a constructor does not have a meaningful return value. Constructors do not have meaningful return values, anything that is returned from here is discarded. 2015-01-10 06:54:23 +00:00
class-wp-customize-widgets.php Customizer: Fix form tag replacement in WP_Customize_Widgets::get_widget_control() after [31200]. 2015-01-17 13:11:23 +00:00
class-wp-editor.php TinyMCE: add breaking out of blockquotes by pressing Enter twice. Toggling blockquote on|off with the button and the shortcut is unchanged. Props avryl, fixes #23110. 2015-01-16 23:36:22 +00:00
class-wp-embed.php Don't force newlines around URLs in WP_Embed::autoembed(). 2015-01-07 07:51:22 +00:00
class-wp-error.php In PHP 5.0.0, `is_a()` became deprecated in favour of the `instanceof` operator. Calling `is_a()` would result in an `E_STRICT` warning. 2015-01-16 01:06:24 +00:00
class-wp-http-ixr-client.php Improve various `@param` docs for `src/wp-includes/*`. 2014-12-01 01:34:24 +00:00
class-wp-image-editor-gd.php Preserve alpha transparency when rotating a PNG while GD is the active image editor. 2015-01-03 22:02:24 +00:00
class-wp-image-editor-imagick.php Fix some `@param` docs that have chars too close to them. 2015-01-10 06:57:22 +00:00
class-wp-image-editor.php Fix some `@param` docs that have chars too close to them. 2015-01-10 06:57:22 +00:00
class-wp-theme.php In PHP 5.0.0, `is_a()` became deprecated in favour of the `instanceof` operator. Calling `is_a()` would result in an `E_STRICT` warning. 2015-01-16 01:06:24 +00:00
class-wp-walker.php `Walker::$has_children` should be public for backward compatibility. 2015-01-11 01:56:22 +00:00
class-wp-xmlrpc-server.php Fix a typo in [30138]. 2015-01-25 09:48:21 +00:00
class-wp.php [31210] broke Supportflow on dotorg, which declares these methods as `protected`. Switch to `protected` for the noop methods. The subclasses can make them more visible using `public`. 2015-01-16 18:37:24 +00:00
class.wp-dependencies.php Ensure inline code is markdown-escaped as such, and that code snippets in descriptions are properly indented. 2014-11-24 04:58:22 +00:00
class.wp-scripts.php Add support for IE conditional comments for WP_Scripts to match the functionality of WP_Styles, including unit tests. Props filosofo, aaroncampbell, ethitter, georgestephanis, valendesigns. Fixes #16024. 2015-01-17 01:37:22 +00:00
class.wp-styles.php Ensure that inline styles attached to conditional stylesheets are also conditional. 2015-01-03 04:10:21 +00:00
comment-template.php In `comment_form()`, add the HTML5 `required` attribute next to `aria-required` in fields that utilize it. 2015-01-16 15:56:23 +00:00
comment.php Comments: When a comment fails to insert, remove invalid characters from the email and URL fields, too. 2015-01-21 23:18:22 +00:00
compat.php In PHP 5.0.0, `is_a()` became deprecated in favour of the `instanceof` operator. Calling `is_a()` would result in an `E_STRICT` warning. 2015-01-16 01:06:24 +00:00
cron.php Improve various `@param` docs for `src/wp-includes/*`. 2014-12-01 01:34:24 +00:00
date.php `WP_Date_Query` date validation should not fail for hour = 0. 2015-01-20 19:13:22 +00:00
default-constants.php Remove obsolete inline comment. 2015-01-06 01:57:22 +00:00
default-filters.php There are some random `add_action()` and `add_filter()` calls littered around some files in `wp-includes/`. These should be moved to `wp-includes/default-filters.php` with the rest of the registered hooks. It seems like this was the best practice for awhile and then we randomly stopped. This file loads way before any of the includes, so the hooks will be registered for any request that loads WordPress, even `SHORTINIT` - a lot of the hooks registered won't run anyways (that's already the case). 2015-01-12 16:40:23 +00:00
default-widgets.php Display correct title in Archives widget if the type of archive was changed using the 'widget_archives_dropdown_args' filter. 2015-01-19 08:26:24 +00:00
deprecated.php `@param` cleanup: 2015-01-16 19:03:23 +00:00
feed-atom-comments.php
feed-atom.php
feed-rdf.php Improve various hook and filter docs so they are correctly parsed for the code reference. 2014-12-06 21:32:24 +00:00
feed-rss.php
feed-rss2-comments.php Improve various hook and filter docs so they are correctly parsed for the code reference. 2014-12-06 21:32:24 +00:00
feed-rss2.php Improve various hook and filter docs so they are correctly parsed for the code reference. 2014-12-06 21:32:24 +00:00
feed.php Improve various `@param` docs for `src/wp-includes/*`. 2014-12-01 01:34:24 +00:00
formatting.php Texturize: Add "em" as a cockney term, so that "'em" is texturized with an apostrophe, instead of an open quote. 2015-01-20 18:44:26 +00:00
functions.php `@param` cleanup: 2015-01-16 19:03:23 +00:00
functions.wp-scripts.php Add support for IE conditional comments for WP_Scripts to match the functionality of WP_Styles, including unit tests. Props filosofo, aaroncampbell, ethitter, georgestephanis, valendesigns. Fixes #16024. 2015-01-17 01:37:22 +00:00
functions.wp-styles.php Make `_wp_scripts_maybe_doing_it_wrong( $function )` "private". 2015-01-16 02:42:22 +00:00
general-template.php Add a changelog entry for the new parameter added in [31228]. 2015-01-17 17:31:23 +00:00
http.php Improve various `@param` docs. 2014-11-30 23:24:25 +00:00
kses.php Add `<s>` to `$allowedtags` in KSES. 2015-01-16 16:07:23 +00:00
l10n.php The keyword `elseif` should be used instead of `else if` so that all control keywords look like single words. 2015-01-08 07:05:25 +00:00
link-template.php In `get_adjacent_post()`, return private post if the current user has the capacity to read it. 2015-01-30 02:20:23 +00:00
load.php Use `PHP_SAPI` constant instead of `php_sapi_name()` in `iis7_supports_permalinks()`, `wp_fix_server_vars()`, and `wp_redirect()`. 2015-01-10 04:59:22 +00:00
locale.php Adding a `@return` annotation to constructors is generally not recommended as a constructor does not have a meaningful return value. Constructors do not have meaningful return values, anything that is returned from here is discarded. 2015-01-10 06:54:23 +00:00
media-template.php Support chromeless Vimeo via MEjs: 2014-12-31 20:41:24 +00:00
media.php Add changelog entries to the `post_gallery` and `post_playlist` hook docs for the `$instance` variable that was added in [31304]. 2015-01-31 00:33:22 +00:00
meta.php Improve support for ordering `WP_Query` results by postmeta. 2015-01-31 15:48:24 +00:00
ms-blogs.php Don't overcheck the expected return from `get_blog_details()` in `get_blogaddress_by_id()` 2015-01-14 05:33:25 +00:00
ms-default-constants.php
ms-default-filters.php There are some random `add_action()` and `add_filter()` calls littered around some files in `wp-includes/`. These should be moved to `wp-includes/default-filters.php` with the rest of the registered hooks. It seems like this was the best practice for awhile and then we randomly stopped. This file loads way before any of the includes, so the hooks will be registered for any request that loads WordPress, even `SHORTINIT` - a lot of the hooks registered won't run anyways (that's already the case). 2015-01-12 16:40:23 +00:00
ms-deprecated.php [31210] broke Supportflow on dotorg, which declares these methods as `protected`. Switch to `protected` for the noop methods. The subclasses can make them more visible using `public`. 2015-01-16 18:37:24 +00:00
ms-files.php
ms-functions.php Fix an inaccurate summary and description in the DocBlock for `wpmu_validate_user_signup()`. 2015-01-29 11:46:22 +00:00
ms-load.php For clarity, initialize some arrays that previously were only assigned via short circuit in loops. 2014-12-20 22:47:22 +00:00
ms-settings.php
nav-menu-template.php There are some random `add_action()` and `add_filter()` calls littered around some files in `wp-includes/`. These should be moved to `wp-includes/default-filters.php` with the rest of the registered hooks. It seems like this was the best practice for awhile and then we randomly stopped. This file loads way before any of the includes, so the hooks will be registered for any request that loads WordPress, even `SHORTINIT` - a lot of the hooks registered won't run anyways (that's already the case). 2015-01-12 16:40:23 +00:00
nav-menu.php The keyword `elseif` should be used instead of `else if` so that all control keywords look like single words. 2015-01-08 07:05:25 +00:00
option.php Allow $autoload in add_option() to receive false. 2015-01-25 07:51:23 +00:00
pluggable-deprecated.php Improve the `@param` docs for `src/wp-includes/pluggable*`. 2014-11-30 22:19:25 +00:00
pluggable.php In PHP 5.0.0, `is_a()` became deprecated in favour of the `instanceof` operator. Calling `is_a()` would result in an `E_STRICT` warning. 2015-01-16 01:06:24 +00:00
plugin.php The keyword `elseif` should be used instead of `else if` so that all control keywords look like single words. 2015-01-08 07:05:25 +00:00
post-formats.php There are some random `add_action()` and `add_filter()` calls littered around some files in `wp-includes/`. These should be moved to `wp-includes/default-filters.php` with the rest of the registered hooks. It seems like this was the best practice for awhile and then we randomly stopped. This file loads way before any of the includes, so the hooks will be registered for any request that loads WordPress, even `SHORTINIT` - a lot of the hooks registered won't run anyways (that's already the case). 2015-01-12 16:40:23 +00:00
post-template.php Add classes for custom taxonomy terms in `get_post_class()`. 2015-01-23 15:41:22 +00:00
post-thumbnail-template.php A couple more tweaks to the post-thumbnail-template.php description. 2015-01-04 23:10:21 +00:00
post.php In PHP 5.0.0, `is_a()` became deprecated in favour of the `instanceof` operator. Calling `is_a()` would result in an `E_STRICT` warning. 2015-01-16 01:06:24 +00:00
query.php Improve support for ordering `WP_Query` results by postmeta. 2015-01-31 15:48:24 +00:00
registration-functions.php
registration.php
revision.php Improve various `@param` docs. 2014-11-30 22:56:25 +00:00
rewrite.php Adding a `@return` annotation to constructors is generally not recommended as a constructor does not have a meaningful return value. Constructors do not have meaningful return values, anything that is returned from here is discarded. 2015-01-10 06:54:23 +00:00
rss-functions.php
rss.php Fill in the `@param` types for the args for functions missing them in `wp-admin/includes/deprecated.php` (pour one out). 2014-11-03 06:08:22 +00:00
script-loader.php jQuery UI: Add missing dependencies for puff and scale effects. 2015-01-23 22:39:23 +00:00
session.php Fix some internal types that are passed to functions to avoid changing the acceptable types passed as arguments to those functions: 2015-01-16 22:51:21 +00:00
shortcodes.php Remove a stray period introduced in [31242]. 2015-01-19 08:47:24 +00:00
taxonomy.php Introduce 'show_in_quick_edit' parameter for `register_taxonomy()`. 2015-01-30 19:18:23 +00:00
template-loader.php
template.php In PHP 5.0.0, `is_a()` became deprecated in favour of the `instanceof` operator. Calling `is_a()` would result in an `E_STRICT` warning. 2015-01-16 01:06:24 +00:00
theme.php Introduce has_header_image() to check whether a header image is set. 2015-01-17 06:34:23 +00:00
update.php There are some random `add_action()` and `add_filter()` calls littered around some files in `wp-includes/`. These should be moved to `wp-includes/default-filters.php` with the rest of the registered hooks. It seems like this was the best practice for awhile and then we randomly stopped. This file loads way before any of the includes, so the hooks will be registered for any request that loads WordPress, even `SHORTINIT` - a lot of the hooks registered won't run anyways (that's already the case). 2015-01-12 16:40:23 +00:00
user.php In wp_update_user(), make sure $userdata['ID'] is set before using it. 2015-01-22 14:46:23 +00:00
vars.php
version.php Prevent terms in a show_in_quick_edit=false taxonomy from being updated by a faked AJAX request. 2015-01-31 19:38:24 +00:00
widgets.php In PHP 5.0.0, `is_a()` became deprecated in favour of the `instanceof` operator. Calling `is_a()` would result in an `E_STRICT` warning. 2015-01-16 01:06:24 +00:00
wlwmanifest.xml
wp-db.php Add missing descriptions to the `$blogid` and `$siteid` property DocBlocks in the `wpdb` class. 2015-01-29 11:35:22 +00:00
wp-diff.php Add a missing description for the `$_diff_threshold` property in the `WP_Text_Diff_Renderer_Table` class. 2015-01-29 11:36:22 +00:00