Upstream
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
30,924 Commits 48 Branches 719 Tags 912 MiB
Commit Graph

410 Commits

Author SHA1 Message Date
Sergey Biryukov 3296fa0099 Grouped backports to the 4.3 branch. 
- Posts, Post types: Apply KSES to post-by-email content,
- General: Validate host on "Are you sure?" screen,
- Posts, Post types: Remove emails from post-by-email logs,
- Pings/trackbacks: Apply KSES to all trackbacks,
- Comments: Apply kses when editing comments,
- Customize: Escape blogname option in underscores templates,
- Mail: Reset PHPMailer properties between use,
- Query: Validate relation in `WP_Date_Query`,
- Widgets: Escape RSS error messages for display.

Merges [54521], [54522], [54523], [54525], [54526], [54527], [54529], [54530], [54541] to the 4.3 branch.
Props voldemortensen, johnbillion, paulkevan, peterwilsoncc, xknown, dd32, audrasjb, martinkrcho, davidbaumwald, tykoted, johnjamesjacoby, ehtis, matveb, talldanwp.

Built from https://develop.svn.wordpress.org/branches/4.3@54557


git-svn-id: http://core.svn.wordpress.org/branches/4.3@54112 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2022-10-17 18:00:20 +00:00
whyisjake 1bb15bafa8 General: Backport several commits for release. 
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.

Merges [47947-47951] to the 4.3 branch.

Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.

Built from https://develop.svn.wordpress.org/branches/4.3@47982


git-svn-id: http://core.svn.wordpress.org/branches/4.3@47751 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2020-06-10 19:04:18 +00:00
whyisjake ee4a39e150 Backporting several bug fixes. 
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
- Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.3 branch.

Built from https://develop.svn.wordpress.org/branches/4.3@46499


git-svn-id: http://core.svn.wordpress.org/branches/4.3@46296 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2019-10-14 19:12:19 +00:00
Sergey Biryukov 96c871a4f9 Improve URL validation in `wp_validate_redirect()`. 
Merges [45971] to the 4.3 branch.
Props vortfu, whyisjake, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.3@45982


git-svn-id: http://core.svn.wordpress.org/branches/4.3@45793 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2019-09-04 17:14:37 +00:00
Aaron Campbell 6751b328d9 Strip control characters before validating redirect. 
Merges [40183] to 4.3 branch.

Built from https://develop.svn.wordpress.org/branches/4.3@40188


git-svn-id: http://core.svn.wordpress.org/branches/4.3@40127 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2017-03-06 13:43:55 +00:00
Jeremy Felt a939b84057 Admin: Allow for the consistent filtering of `auth_redirect_scheme` 
Merge of [37651] to the 4.3 branch.

See #37047.

Built from https://develop.svn.wordpress.org/branches/4.3@37760


git-svn-id: http://core.svn.wordpress.org/branches/4.3@37725 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2016-06-21 14:12:19 +00:00
Dominik Schilling eb0bd01048 Better validation of the URL used in HTTP redirects. 
Merges [36444] to the 4.3 branch.
Built from https://develop.svn.wordpress.org/branches/4.3@36448


git-svn-id: http://core.svn.wordpress.org/branches/4.3@36415 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2016-02-02 16:59:51 +00:00
Dominik Schilling cca265971e Passwords: Deprecate second parameter of `wp_new_user_notification()`. 
The second parameter `$plaintext_pass` was removed in [33023] and restored as `$notify` in [33620] with a different behavior. If you have a plugin overriding `wp_new_user_notification()` which hasn't been updated you would get a notification with your username and the password "both".
To prevent this the second parameter is now deprecated and reintroduced as the third parameter.

Adds unit tests.

Merge of [34116] to the 4.3 branch.

Props kraftbj, adamsilverstein, welcher, ocean90.
See #33654.
Built from https://develop.svn.wordpress.org/branches/4.3@34118


git-svn-id: http://core.svn.wordpress.org/branches/4.3@34086 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-09-14 13:03:24 +00:00
Dominik Schilling e52a25130a Users: Import the global var `$wp_hasher` in `wp_new_user_notification()`. 
Adds `@global` entries to the DocBlock.

Merge of [34052] to the 4.3 branch.

See #33826.
Built from https://develop.svn.wordpress.org/branches/4.3@34053


git-svn-id: http://core.svn.wordpress.org/branches/4.3@34021 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-09-11 19:18:23 +00:00
Dion Hulse 7f29687a55 Revert [33845] 
git-svn-id: http://core.svn.wordpress.org/branches/4.3@33847 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-09-03 03:33:24 +00:00
Dion Hulse f0706a0895 Term Splitting: Switch to a faster cron unschedule process to benefit sites with thousands of affected jobs. Fix the cron hook name in the failsafe rescheduler. 
Merges [33727] to the 4.3 branch
Props Otto42, dd32, peterwilsoncc
Fixes #33423 for trunk

Built from https://develop.svn.wordpress.org/branches/4.3@33877


git-svn-id: http://core.svn.wordpress.org/branches/4.3@33845 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-09-03 03:31:17 +00:00
Dion Hulse 7cfe2d293f Revert [33688] which removed all branches/4.3 files due to a sync script error. 
git-svn-id: http://core.svn.wordpress.org/branches/4.3@33692 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-08-24 22:14:43 +00:00
Weston Ruter 4e96fc9fd7 Widgets: Switch back to using `array_key_exists()` instead of `isset()` for widget instance existence check. 
Reverts unnecessary change in [32602] since `array_key_exists()` does actually work with `ArrayIterator` objects.

Merges [33696] to the 4.3 branch.
See #32474.
Fixes #33442 for the 4.3 branch.

Built from https://develop.svn.wordpress.org/branches/4.3@33721


git-svn-id: http://core.svn.wordpress.org/branches/4.3@33688 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-08-24 19:31:16 +00:00
Dion Hulse 0b648f198b Revert [33614] which removed all branches/4.3 files due to a sync script error. 
git-svn-id: http://core.svn.wordpress.org/branches/4.3@33616 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-08-19 13:24:10 +00:00
Dion Hulse 7f86f37642 Term Splitting: Fix a reversal of parameters to wp_schedule_single_event() introduced in [33621]. 
The existing invalid cron entries will not be purged automatically (as the 'timestamp' is never matched) so we do this ourselves.

Merges [33646] to the 4.3 branch.
Props mechter for noticing!
See #30261.
Fixes #33423 for the 4.3 branch.

Built from https://develop.svn.wordpress.org/branches/4.3@33647


git-svn-id: http://core.svn.wordpress.org/branches/4.3@33614 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-08-19 11:37:14 +00:00
Konstantin Obenland e6bc6242ad Passwords: Restore second parameter for `wp_new_user_notification()`. 
After [33023] users would always be notified, this restores previous behavior.

Props markjaquith, ocean90.
Fixes #33358.


Built from https://develop.svn.wordpress.org/trunk@33620


git-svn-id: http://core.svn.wordpress.org/trunk@33587 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-08-17 14:25:27 +00:00
Konstantin Obenland 7e3f0cf45e Passwords: New UI for install screen. 
Also synchronises the use of `pw_weak` as an input name and removes trailing
periods from checkbox labels.

Props MikeHansenMe, adamsilverstein, obenland.
See #32589.


Built from https://develop.svn.wordpress.org/trunk@33246


git-svn-id: http://core.svn.wordpress.org/trunk@33218 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-07-13 22:22:24 +00:00
Drew Jaynes 92d342f0d2 Fix the parameter description syntax in the hook docs for the `wp_safe_redirect_fallback` filter, added in 4.3. 
See #32891.

Built from https://develop.svn.wordpress.org/trunk@33233


git-svn-id: http://core.svn.wordpress.org/trunk@33205 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-07-13 21:46:25 +00:00
Mark Jaquith 423a1a7ca4 New password change/set UI. 
* Generate the password for the user
* More tightly integrate password strength meter
* Warn on weak passwords

see #32589

props MikeHansenMe, adamsilverstein, binarykitten
Built from https://develop.svn.wordpress.org/trunk@33023


git-svn-id: http://core.svn.wordpress.org/trunk@32994 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-07-01 14:48:24 +00:00
Helen Hou-Sandí 275bff1895 Fire the `check_admin_referer` action on failure as well as success. 
This enables things like logging nonce failures in the admin.

props markjaquith.
fixes #32207.

Built from https://develop.svn.wordpress.org/trunk@33017


git-svn-id: http://core.svn.wordpress.org/trunk@32988 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-07-01 03:37:23 +00:00
Sergey Biryukov 74c7f59bb2 Revert [32702]. The URL may not have an `s` parameter as there are filters in place so that a plugin can return a URL with a completely different structure. 
see #32572.
Built from https://develop.svn.wordpress.org/trunk@32969


git-svn-id: http://core.svn.wordpress.org/trunk@32940 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-27 08:35:24 +00:00
Scott Taylor f23199caaa Remove the `whois.arin.net` link from `wp_notify_postauthor()` and `wp_notify_moderator()`. 
Also, remove from `edit-form-comment.php` and add a new filter: `edit_comment_misc_actions`. 

Props ozh, joedolson, rachelbaker.
Fixes #15281.

Built from https://develop.svn.wordpress.org/trunk@32929


git-svn-id: http://core.svn.wordpress.org/trunk@32900 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-24 20:56:27 +00:00
Scott Taylor 5c6b63d3a6 `if` is a statment, not a function. 
See #32444.

Built from https://develop.svn.wordpress.org/trunk@32800


git-svn-id: http://core.svn.wordpress.org/trunk@32771 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-16 20:01:25 +00:00
Dion Hulse 2b2368d68f Add a filter to wp_safe_redirect() for the fallback URL. 
Props anubisthejackle. Fixes #22612

Built from https://develop.svn.wordpress.org/trunk@32793


git-svn-id: http://core.svn.wordpress.org/trunk@32764 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-16 05:26:26 +00:00
Scott Taylor f888767c73 `$status` shouldn't be loosely compared to `true` in `wp_xmlrpc_server::wp_deleteComment()`. 
`$initial` shouldn't be loosely compared to `true` in `get_calendar()`.
`current_user_can()` shouldn't be loosely compared to `false` in `kses_init()`
`$get_all` shouldn't be loosely compared to `true` in `get_blog_details()`.
`is_array()` and `in_array()` shouldn't be loosely compared in `wpmu_validate_user_signup()`.
`$result` should by strictly compared in `check_ajax_referer()`.
`wp_verify_nonce()` should by strictly compared in `_show_post_preview()`.
`is_user_logged_in()` should not be loosly compared against `false` in `wp-signup.php`.

See #32444.

Built from https://develop.svn.wordpress.org/trunk@32733


git-svn-id: http://core.svn.wordpress.org/trunk@32704 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-12 17:48:26 +00:00
Sergey Biryukov c9dd28908a In `get_avatar()`, avoid a second `get_avatar_data()` call to get the 2x URL. 
props ravinderk.
fixes #32572.
Built from https://develop.svn.wordpress.org/trunk@32702


git-svn-id: http://core.svn.wordpress.org/trunk@32672 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-07 14:58:26 +00:00
Boone Gorges f88996bed7 In `wp_notify_moderator()`, don't throw notice when comment belongs to a post with no author. 
Props Oxymoron.
Fixes #32566.
Built from https://develop.svn.wordpress.org/trunk@32692


git-svn-id: http://core.svn.wordpress.org/trunk@32662 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-04 17:29:25 +00:00
Scott Taylor 26554549c7 Add missing doc blocks for `pluggable.php`. 
Correct some `@return` values.
`is_user_logged_in()` can simply return the `->exists()` call instead of if/else'ing true/false.

See #32444.

Built from https://develop.svn.wordpress.org/trunk@32614


git-svn-id: http://core.svn.wordpress.org/trunk@32584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-05-27 15:32:26 +00:00
John Blackbourn bb02256966 Introduce a `$token` argument to `wp_set_auth_cookie()` so session tokens can be reused by custom authentication implementations. 
Props rmccue

Fixes 30247

Built from https://develop.svn.wordpress.org/trunk@32465


git-svn-id: http://core.svn.wordpress.org/trunk@32435 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-05-09 00:28:27 +00:00
Gary Pendergast 7ca423d449 The UTF-8 regex can occasionally fail on very low memory machines. Reduce the amount of memory it uses. 
See #32204.


Built from https://develop.svn.wordpress.org/trunk@32375


git-svn-id: http://core.svn.wordpress.org/trunk@32345 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-05-06 06:58:24 +00:00
Sergey Biryukov eef2dcfccd Merge two different translator comments for the same string. 
props pavelevap.
fixes #31999.
Built from https://develop.svn.wordpress.org/trunk@32210


git-svn-id: http://core.svn.wordpress.org/trunk@32183 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-04-20 15:36:26 +00:00
Boone Gorges 5b629644f9 Improve handling of incomplete From and Content-Type headers in `wp_mail()`. 
When an incomplete header is provided (eg, 'From' with an email address but no
name), ensure that the WP defaults are filled in properly.

Props valendesigns.
Fixes #30266.
Built from https://develop.svn.wordpress.org/trunk@32070


git-svn-id: http://core.svn.wordpress.org/trunk@32049 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-04-07 20:10:26 +00:00
Drew Jaynes 46cf634c90 Various inline documentation syntactical fixes in wp-includes/pluggable.php for 4.2 changes. 
See #31888.

Built from https://develop.svn.wordpress.org/trunk@32045


git-svn-id: http://core.svn.wordpress.org/trunk@32024 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-04-05 16:46:26 +00:00
Sergey Biryukov a1fb0a378c Restore line breaks before comment text in comment notification emails. 
fixes #31508.
Built from https://develop.svn.wordpress.org/trunk@31770


git-svn-id: http://core.svn.wordpress.org/trunk@31750 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-03-13 18:29:27 +00:00
Helen Hou-Sandí 0b3170fc7d Gravatars: Remove redundant 1x srcset. 
props miqrogroove.
see #22329.

Built from https://develop.svn.wordpress.org/trunk@31722


git-svn-id: http://core.svn.wordpress.org/trunk@31703 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-03-11 16:56:27 +00:00
Helen Hou-Sandí 0bf35836c3 Gravatars: Enable HiDPI versions for browsers that support srcset. 
props iseulde.
see #22329.

Built from https://develop.svn.wordpress.org/trunk@31721


git-svn-id: http://core.svn.wordpress.org/trunk@31702 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-03-11 16:32:26 +00:00
Drew Jaynes 33d9dd8066 Adjust the description for the `$extra_attr` argument in the DocBlocks for `get_avatar_data()` and `get_avatar()`. 
See [31561]. See #31469.

Built from https://develop.svn.wordpress.org/trunk@31591


git-svn-id: http://core.svn.wordpress.org/trunk@31572 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-03-01 07:19:24 +00:00
Gary Pendergast 18bb886b22 When sanitizing a URL to redirect to, UTF-8 characters can be URL encoded, instead of being removed. 
While RFC 3986 does not specify which character sets are allowed in URIs, Section 2.5 states that octects matching UTF-8 character encoding should be percent-encoded, then unreserved octets outside of the UTF-8 range should be percent-encoded. As browsers tend to only implement support for UTF-8 in URLs, this change only implements the UTF-8 encoding part. We may revisit the second part if it becomes an issue.

Fixes #31486


Built from https://develop.svn.wordpress.org/trunk@31587


git-svn-id: http://core.svn.wordpress.org/trunk@31568 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-02-28 02:21:26 +00:00
Scott Taylor e899c370a4 In `get_avatar_data()` and `get_avatar()`, allow `height` and `width` to be specified separately (both default to `size`). Also allow arbitrary attributes on the `<img>` via the `extra_attr` arg. 
Props miqrogroove.
See #31469.

Built from https://develop.svn.wordpress.org/trunk@31561


git-svn-id: http://core.svn.wordpress.org/trunk@31542 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-02-26 21:17:24 +00:00
Sergey Biryukov add5f9bdf2 Remove `src` from duplicate hook comments for `get_avatar` and `get_avatar_data`. 
see #21195.
Built from https://develop.svn.wordpress.org/trunk@31480


git-svn-id: http://core.svn.wordpress.org/trunk@31461 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-02-19 14:59:26 +00:00
Sergey Biryukov 01bb8478ff Fix a typo in duplicate hook comment. 
see [31107], #21195.
Built from https://develop.svn.wordpress.org/trunk@31479


git-svn-id: http://core.svn.wordpress.org/trunk@31460 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-02-19 14:56:28 +00:00
Drew Jaynes 947d04f323 Improve return and parameter documentation for `check_admin_referer()`, `check_ajax_referer()`, and `wp_verify_nonce()`. 
Also update and clarify docsfor the `check_admin_referer` and `check_ajax_referer` hooks.

Props johnbillion, DrewAPicture.
Fixes #31055.

Built from https://develop.svn.wordpress.org/trunk@31381


git-svn-id: http://core.svn.wordpress.org/trunk@31362 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-02-09 04:57:27 +00:00
Scott Taylor fe6b5983df In PHP 5.0.0, `is_a()` became deprecated in favour of the `instanceof` operator. Calling `is_a()` would result in an `E_STRICT` warning. 
In PHP 5.3.0, `is_a()` is no longer deprecated, and will therefore no longer throw `E_STRICT` warnings.

To avoid warnings in PHP < 5.3.0, convert all `is_a()` calls to `$var instanceof WP_Class` calls.

`instanceof` does not throw any error if the variable being tested is not an object, it simply returns `false`.

Props markoheijnen, wonderboymusic.
Fixes #25672.

Built from https://develop.svn.wordpress.org/trunk@31188


git-svn-id: http://core.svn.wordpress.org/trunk@31169 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-01-16 01:06:24 +00:00
Gary Pendergast 4bc89fef32 In `get_avatar()`, revert the `<img>` tag attributes to using single quotes, instead of double quotes. This behaviour was changed in [31107], but caused problems for code that attempted to parse the `<img>` tag. 
See #21195


Built from https://develop.svn.wordpress.org/trunk@31152


git-svn-id: http://core.svn.wordpress.org/trunk@31133 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-01-12 00:03:24 +00:00
Scott Taylor ac654632fe Use `PHP_SAPI` constant instead of `php_sapi_name()` in `iis7_supports_permalinks()`, `wp_fix_server_vars()`, and `wp_redirect()`. 
See #30799.

Built from https://develop.svn.wordpress.org/trunk@31120


git-svn-id: http://core.svn.wordpress.org/trunk@31101 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-01-10 04:59:22 +00:00
Gary Pendergast 5ee3ff435d Add `get_avatar_url()`, for retrieving just the URL of an avatar, rather than the entire `<img>` tag that `get_avatar()` produces. 
Unlike `get_avatar()`, `get_avatar_url()` is not pluggable. It can be extended/or modified through the new filters included.

Fixes #21195.

Props mdawaffe, pento, pathawks, DrewAPicture


Built from https://develop.svn.wordpress.org/trunk@31107


git-svn-id: http://core.svn.wordpress.org/trunk@31088 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-01-09 04:43:23 +00:00
Sergey Biryukov e253251ef4 Remove space before comma in wp_notify_postauthor() and wp_notify_moderator(). 
see #30930.
Built from https://develop.svn.wordpress.org/trunk@31060


git-svn-id: http://core.svn.wordpress.org/trunk@31041 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-01-06 17:17:21 +00:00
Sergey Biryukov 71d255fde1 Remove padding from the comment notification emails in wp_notify_moderator(). 
See [30015] for wp_notify_postauthor().

props pavelevap.
fixes #30930.
Built from https://develop.svn.wordpress.org/trunk@31059


git-svn-id: http://core.svn.wordpress.org/trunk@31040 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-01-06 17:10:35 +00:00
John Blackbourn d614abe3a2 Allow brackets in a URL when it's sanitised for a redirect. Brackets are valid in query parameters. 
Fixes #30308
Props voldemortensen

Built from https://develop.svn.wordpress.org/trunk@30684


git-svn-id: http://core.svn.wordpress.org/trunk@30674 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2014-12-01 03:21:22 +00:00
John Blackbourn 17ddc06287 Allow square brackets in a URL when it's sanitised for a redirect. Square brackets are valid in query parameters and IPv6 addresses. 
Fixes #17052
Props voldemortensen

Built from https://develop.svn.wordpress.org/trunk@30683


git-svn-id: http://core.svn.wordpress.org/trunk@30673 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2014-12-01 03:16:22 +00:00