diff --git a/wp-includes/comment.php b/wp-includes/comment.php
index 871351f47e..99f5a84000 100644
--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -1989,6 +1989,15 @@ function wp_update_comment($commentarr) {
return 0;
}
+ $filter_comment = false;
+ if ( ! has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) {
+ $filter_comment = ! user_can( isset( $comment['user_id'] ) ? $comment['user_id'] : 0, 'unfiltered_html' );
+ }
+
+ if ( $filter_comment ) {
+ add_filter( 'pre_comment_content', 'wp_filter_kses' );
+ }
+
// Escape data pulled from DB.
$comment = wp_slash($comment);
@@ -1999,6 +2008,10 @@ function wp_update_comment($commentarr) {
$commentarr = wp_filter_comment( $commentarr );
+ if ( $filter_comment ) {
+ remove_filter( 'pre_comment_content', 'wp_filter_kses' );
+ }
+
// Now extract the merged array.
$data = wp_unslash( $commentarr );
diff --git a/wp-includes/customize/class-wp-customize-header-image-control.php b/wp-includes/customize/class-wp-customize-header-image-control.php
index 9852de6ddc..42f40e331e 100644
--- a/wp-includes/customize/class-wp-customize-header-image-control.php
+++ b/wp-includes/customize/class-wp-customize-header-image-control.php
@@ -107,10 +107,10 @@ class WP_Customize_Header_Image_Control extends WP_Customize_Image_Control {
<# } #>
<# } #>
diff --git a/wp-includes/customize/class-wp-customize-site-icon-control.php b/wp-includes/customize/class-wp-customize-site-icon-control.php
index 58fea53757..bfb505a3c9 100644
--- a/wp-includes/customize/class-wp-customize-site-icon-control.php
+++ b/wp-includes/customize/class-wp-customize-site-icon-control.php
@@ -69,7 +69,7 @@ class WP_Customize_Site_Icon_Control extends WP_Customize_Cropped_Image_Control
-
+
diff --git a/wp-includes/date.php b/wp-includes/date.php
index d1f85f8c0d..d136a44f4e 100644
--- a/wp-includes/date.php
+++ b/wp-includes/date.php
@@ -152,8 +152,8 @@ class WP_Date_Query {
*/
public function __construct( $date_query, $default_column = 'post_date' ) {
- if ( isset( $date_query['relation'] ) && 'OR' === strtoupper( $date_query['relation'] ) ) {
- $this->relation = 'OR';
+ if ( isset( $date_query['relation'] ) ) {
+ $this->relation = $this->sanitize_relation( $date_query['relation'] );
} else {
$this->relation = 'AND';
}
@@ -233,6 +233,9 @@ class WP_Date_Query {
$this->validate_date_values( $queries );
}
+ // Sanitize the relation parameter.
+ $queries['relation'] = $this->sanitize_relation( $queries['relation'] );
+
foreach ( $queries as $key => $q ) {
if ( ! is_array( $q ) || in_array( $key, $this->time_keys, true ) ) {
// This is a first-order query. Trust the values and sanitize when building SQL.
@@ -1015,4 +1018,20 @@ class WP_Date_Query {
return $wpdb->prepare( "DATE_FORMAT( $column, %s ) $compare %f", $format, $time );
}
+
+ /**
+ * Sanitizes a 'relation' operator.
+ *
+ * @since 6.0.3
+ *
+ * @param string $relation Raw relation key from the query argument.
+ * @return string Sanitized relation ('AND' or 'OR').
+ */
+ public function sanitize_relation( $relation ) {
+ if ( 'OR' === strtoupper( $relation ) ) {
+ return 'OR';
+ } else {
+ return 'AND';
+ }
+ }
}
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 1456e18fe9..35068ed5b6 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -2627,8 +2627,16 @@ function wp_nonce_ays( $action ) {
$html .= sprintf( __( "Do you really want to log out?"), wp_logout_url( $redirect_to ) );
} else {
$html = __( 'Are you sure you want to do this?' );
- if ( wp_get_referer() )
- $html .= "" . __( 'Please try again.' ) . "";
+ if ( wp_get_referer() ) {
+ $wp_http_referer = remove_query_arg( 'updated', wp_get_referer() );
+ $wp_http_referer = wp_validate_redirect( esc_url_raw( $wp_http_referer ) );
+ $html .= '
';
+ $html .= sprintf(
+ '%s',
+ esc_url( $wp_http_referer ),
+ __( 'Please try again.' )
+ );
+ }
}
wp_die( $html, __( 'WordPress Failure Notice' ), 403 );
diff --git a/wp-includes/media-template.php b/wp-includes/media-template.php
index 7d2d2bf48b..84e8b4a168 100644
--- a/wp-includes/media-template.php
+++ b/wp-includes/media-template.php
@@ -1245,7 +1245,7 @@ function wp_print_media_templates() {
-
+
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index a210c401a8..422580fdae 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -308,6 +308,8 @@ function wp_mail( $to, $subject, $message, $headers = '', $attachments = array()
$phpmailer->ClearAttachments();
$phpmailer->ClearCustomHeaders();
$phpmailer->ClearReplyTos();
+ $phpmailer->Body = '';
+ $phpmailer->AltBody = '';
// From email and name
// If we don't have a name from the input headers
diff --git a/wp-includes/widgets.php b/wp-includes/widgets.php
index 3540be9b30..4b6b0442be 100644
--- a/wp-includes/widgets.php
+++ b/wp-includes/widgets.php
@@ -1233,7 +1233,7 @@ function wp_widget_rss_output( $rss, $args = array() ) {
if ( is_wp_error($rss) ) {
if ( is_admin() || current_user_can('manage_options') )
- echo '' . sprintf( __('RSS Error: %s'), $rss->get_error_message() ) . '
';
+ echo '' . sprintf( __('RSS Error: %s'), esc_html( $rss->get_error_message() ) ) . '
';
return;
}
@@ -1342,7 +1342,7 @@ function wp_widget_rss_form( $args, $inputs = null ) {
$args['show_date'] = isset( $args['show_date'] ) ? (int) $args['show_date'] : (int) $inputs['show_date'];
if ( ! empty( $args['error'] ) ) {
- echo '' . sprintf( __( 'RSS Error: %s' ), $args['error'] ) . '
';
+ echo '' . sprintf( __( 'RSS Error: %s' ), esc_html( $args['error'] ) ) . '
';
}
$esc_number = esc_attr( $args['number'] );
diff --git a/wp-mail.php b/wp-mail.php
index b5af05abf9..72bf3e8eee 100644
--- a/wp-mail.php
+++ b/wp-mail.php
@@ -60,6 +60,9 @@ if( 0 === $count ) {
wp_die( __('There doesn’t seem to be any new mail.') );
}
+// Always run as an unauthenticated user.
+wp_set_current_user( 0 );
+
for ( $i = 1; $i <= $count; $i++ ) {
$message = $pop3->get($i);
@@ -124,7 +127,6 @@ for ( $i = 1; $i <= $count; $i++ ) {
$author = trim($line);
$author = sanitize_email($author);
if ( is_email($author) ) {
- echo '' . sprintf(__('Author is %s'), $author) . '
';
$userdata = get_user_by('email', $author);
if ( ! empty( $userdata ) ) {
$post_author = $userdata->ID;
diff --git a/wp-trackback.php b/wp-trackback.php
index 3d211043eb..8fe5b087be 100644
--- a/wp-trackback.php
+++ b/wp-trackback.php
@@ -13,6 +13,9 @@ if (empty($wp)) {
wp( array( 'tb' => '1' ) );
}
+// Always run as an unauthenticated user.
+wp_set_current_user( 0 );
+
/**
* Response to a trackback.
*