Upstream/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2024-06-25 06:14:58 +02:00
Code Issues Projects Releases Wiki Activity
30,926 Commits 48 Branches 744 Tags 923 MiB
4.3-branch
Commit Graph

410 Commits

Author SHA1 Message Date
Sergey Biryukov
3296fa0099 Grouped backports to the 4.3 branch. 
- Posts, Post types: Apply KSES to post-by-email content,
- General: Validate host on "Are you sure?" screen,
- Posts, Post types: Remove emails from post-by-email logs,
- Pings/trackbacks: Apply KSES to all trackbacks,
- Comments: Apply kses when editing comments,
- Customize: Escape blogname option in underscores templates,
- Mail: Reset PHPMailer properties between use,
- Query: Validate relation in `WP_Date_Query`,
- Widgets: Escape RSS error messages for display.

Merges [54521], [54522], [54523], [54525], [54526], [54527], [54529], [54530], [54541] to the 4.3 branch.
Props voldemortensen, johnbillion, paulkevan, peterwilsoncc, xknown, dd32, audrasjb, martinkrcho, davidbaumwald, tykoted, johnjamesjacoby, ehtis, matveb, talldanwp.

Built from https://develop.svn.wordpress.org/branches/4.3@54557


git-svn-id: http://core.svn.wordpress.org/branches/4.3@54112 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2022-10-17 18:00:20 +00:00
whyisjake
1bb15bafa8 General: Backport several commits for release. 
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.

Merges [47947-47951] to the 4.3 branch.

Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.

Built from https://develop.svn.wordpress.org/branches/4.3@47982


git-svn-id: http://core.svn.wordpress.org/branches/4.3@47751 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2020-06-10 19:04:18 +00:00
whyisjake
ee4a39e150 Backporting several bug fixes. 
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
- Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.3 branch.

Built from https://develop.svn.wordpress.org/branches/4.3@46499


git-svn-id: http://core.svn.wordpress.org/branches/4.3@46296 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2019-10-14 19:12:19 +00:00
Sergey Biryukov
96c871a4f9 Improve URL validation in wp_validate_redirect(). 
Merges [45971] to the 4.3 branch.
Props vortfu, whyisjake, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.3@45982


git-svn-id: http://core.svn.wordpress.org/branches/4.3@45793 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2019-09-04 17:14:37 +00:00
Aaron Campbell
6751b328d9 Strip control characters before validating redirect. 
Merges [40183] to 4.3 branch.

Built from https://develop.svn.wordpress.org/branches/4.3@40188


git-svn-id: http://core.svn.wordpress.org/branches/4.3@40127 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2017-03-06 13:43:55 +00:00
Jeremy Felt
a939b84057 Admin: Allow for the consistent filtering of auth_redirect_scheme 
Merge of [37651] to the 4.3 branch.

See #37047.

Built from https://develop.svn.wordpress.org/branches/4.3@37760


git-svn-id: http://core.svn.wordpress.org/branches/4.3@37725 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2016-06-21 14:12:19 +00:00
Dominik Schilling
eb0bd01048 Better validation of the URL used in HTTP redirects. 
Merges [36444] to the 4.3 branch.
Built from https://develop.svn.wordpress.org/branches/4.3@36448


git-svn-id: http://core.svn.wordpress.org/branches/4.3@36415 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2016-02-02 16:59:51 +00:00
Dominik Schilling
cca265971e Passwords: Deprecate second parameter of wp_new_user_notification(). 
The second parameter `$plaintext_pass` was removed in [33023] and restored as `$notify` in [33620] with a different behavior. If you have a plugin overriding `wp_new_user_notification()` which hasn't been updated you would get a notification with your username and the password "both".
To prevent this the second parameter is now deprecated and reintroduced as the third parameter.

Adds unit tests.

Merge of [34116] to the 4.3 branch.

Props kraftbj, adamsilverstein, welcher, ocean90.
See #33654.
Built from https://develop.svn.wordpress.org/branches/4.3@34118


git-svn-id: http://core.svn.wordpress.org/branches/4.3@34086 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-09-14 13:03:24 +00:00
Dominik Schilling
e52a25130a Users: Import the global var $wp_hasher in wp_new_user_notification(). 
Adds `@global` entries to the DocBlock.

Merge of [34052] to the 4.3 branch.

See #33826.
Built from https://develop.svn.wordpress.org/branches/4.3@34053


git-svn-id: http://core.svn.wordpress.org/branches/4.3@34021 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-09-11 19:18:23 +00:00
Dion Hulse
7f29687a55 Revert [33845] 
git-svn-id: http://core.svn.wordpress.org/branches/4.3@33847 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-09-03 03:33:24 +00:00
Dion Hulse
f0706a0895 Term Splitting: Switch to a faster cron unschedule process to benefit sites with thousands of affected jobs. Fix the cron hook name in the failsafe rescheduler. 
Merges [33727] to the 4.3 branch
Props Otto42, dd32, peterwilsoncc
Fixes #33423 for trunk

Built from https://develop.svn.wordpress.org/branches/4.3@33877


git-svn-id: http://core.svn.wordpress.org/branches/4.3@33845 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-09-03 03:31:17 +00:00
Dion Hulse
7cfe2d293f Revert [33688] which removed all branches/4.3 files due to a sync script error. 
git-svn-id: http://core.svn.wordpress.org/branches/4.3@33692 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-08-24 22:14:43 +00:00
Weston Ruter
4e96fc9fd7 Widgets: Switch back to using array_key_exists() instead of isset() for widget instance existence check. 
Reverts unnecessary change in [32602] since `array_key_exists()` does actually work with `ArrayIterator` objects.

Merges [33696] to the 4.3 branch.
See #32474.
Fixes #33442 for the 4.3 branch.

Built from https://develop.svn.wordpress.org/branches/4.3@33721


git-svn-id: http://core.svn.wordpress.org/branches/4.3@33688 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-08-24 19:31:16 +00:00
Dion Hulse
0b648f198b Revert [33614] which removed all branches/4.3 files due to a sync script error. 
git-svn-id: http://core.svn.wordpress.org/branches/4.3@33616 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-08-19 13:24:10 +00:00
Dion Hulse
7f86f37642 Term Splitting: Fix a reversal of parameters to wp_schedule_single_event() introduced in [33621]. 
The existing invalid cron entries will not be purged automatically (as the 'timestamp' is never matched) so we do this ourselves.

Merges [33646] to the 4.3 branch.
Props mechter for noticing!
See #30261.
Fixes #33423 for the 4.3 branch.

Built from https://develop.svn.wordpress.org/branches/4.3@33647


git-svn-id: http://core.svn.wordpress.org/branches/4.3@33614 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-08-19 11:37:14 +00:00
Konstantin Obenland
e6bc6242ad Passwords: Restore second parameter for wp_new_user_notification(). 
After [33023] users would always be notified, this restores previous behavior.

Props markjaquith, ocean90.
Fixes #33358.


Built from https://develop.svn.wordpress.org/trunk@33620


git-svn-id: http://core.svn.wordpress.org/trunk@33587 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-08-17 14:25:27 +00:00
Konstantin Obenland
7e3f0cf45e Passwords: New UI for install screen. 
Also synchronises the use of `pw_weak` as an input name and removes trailing
periods from checkbox labels.

Props MikeHansenMe, adamsilverstein, obenland.
See #32589.


Built from https://develop.svn.wordpress.org/trunk@33246


git-svn-id: http://core.svn.wordpress.org/trunk@33218 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-07-13 22:22:24 +00:00
Drew Jaynes
92d342f0d2 Fix the parameter description syntax in the hook docs for the wp_safe_redirect_fallback filter, added in 4.3. 
See #32891.

Built from https://develop.svn.wordpress.org/trunk@33233


git-svn-id: http://core.svn.wordpress.org/trunk@33205 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-07-13 21:46:25 +00:00
Mark Jaquith
423a1a7ca4 New password change/set UI. 
* Generate the password for the user
* More tightly integrate password strength meter
* Warn on weak passwords

see #32589

props MikeHansenMe, adamsilverstein, binarykitten
Built from https://develop.svn.wordpress.org/trunk@33023


git-svn-id: http://core.svn.wordpress.org/trunk@32994 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-07-01 14:48:24 +00:00
Helen Hou-Sandí
275bff1895 Fire the check_admin_referer action on failure as well as success. 
This enables things like logging nonce failures in the admin.

props markjaquith.
fixes #32207.

Built from https://develop.svn.wordpress.org/trunk@33017


git-svn-id: http://core.svn.wordpress.org/trunk@32988 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-07-01 03:37:23 +00:00
Sergey Biryukov
74c7f59bb2 Revert [32702]. The URL may not have an s parameter as there are filters in place so that a plugin can return a URL with a completely different structure. 
see #32572.
Built from https://develop.svn.wordpress.org/trunk@32969


git-svn-id: http://core.svn.wordpress.org/trunk@32940 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-27 08:35:24 +00:00
Scott Taylor
f23199caaa Remove the whois.arin.net link from wp_notify_postauthor() and wp_notify_moderator(). 
Also, remove from `edit-form-comment.php` and add a new filter: `edit_comment_misc_actions`. 

Props ozh, joedolson, rachelbaker.
Fixes #15281.

Built from https://develop.svn.wordpress.org/trunk@32929


git-svn-id: http://core.svn.wordpress.org/trunk@32900 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-24 20:56:27 +00:00
Scott Taylor
5c6b63d3a6 if is a statment, not a function. 
See #32444.

Built from https://develop.svn.wordpress.org/trunk@32800


git-svn-id: http://core.svn.wordpress.org/trunk@32771 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-16 20:01:25 +00:00
Dion Hulse
2b2368d68f Add a filter to wp_safe_redirect() for the fallback URL. 
Props anubisthejackle. Fixes #22612

Built from https://develop.svn.wordpress.org/trunk@32793


git-svn-id: http://core.svn.wordpress.org/trunk@32764 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-16 05:26:26 +00:00
Scott Taylor
f888767c73 $status shouldn't be loosely compared to true in wp_xmlrpc_server::wp_deleteComment(). 
`$initial` shouldn't be loosely compared to `true` in `get_calendar()`.
`current_user_can()` shouldn't be loosely compared to `false` in `kses_init()`
`$get_all` shouldn't be loosely compared to `true` in `get_blog_details()`.
`is_array()` and `in_array()` shouldn't be loosely compared in `wpmu_validate_user_signup()`.
`$result` should by strictly compared in `check_ajax_referer()`.
`wp_verify_nonce()` should by strictly compared in `_show_post_preview()`.
`is_user_logged_in()` should not be loosly compared against `false` in `wp-signup.php`.

See #32444.

Built from https://develop.svn.wordpress.org/trunk@32733


git-svn-id: http://core.svn.wordpress.org/trunk@32704 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-12 17:48:26 +00:00
Sergey Biryukov
c9dd28908a In get_avatar(), avoid a second get_avatar_data() call to get the 2x URL. 
props ravinderk.
fixes #32572.
Built from https://develop.svn.wordpress.org/trunk@32702


git-svn-id: http://core.svn.wordpress.org/trunk@32672 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-07 14:58:26 +00:00
Boone Gorges
f88996bed7 In wp_notify_moderator(), don't throw notice when comment belongs to a post with no author. 
Props Oxymoron.
Fixes #32566.
Built from https://develop.svn.wordpress.org/trunk@32692


git-svn-id: http://core.svn.wordpress.org/trunk@32662 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-06-04 17:29:25 +00:00
Scott Taylor
26554549c7 Add missing doc blocks for pluggable.php. 
Correct some `@return` values.
`is_user_logged_in()` can simply return the `->exists()` call instead of if/else'ing true/false.

See #32444.

Built from https://develop.svn.wordpress.org/trunk@32614


git-svn-id: http://core.svn.wordpress.org/trunk@32584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-05-27 15:32:26 +00:00
John Blackbourn
bb02256966 Introduce a $token argument to wp_set_auth_cookie() so session tokens can be reused by custom authentication implementations. 
Props rmccue

Fixes 30247

Built from https://develop.svn.wordpress.org/trunk@32465


git-svn-id: http://core.svn.wordpress.org/trunk@32435 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-05-09 00:28:27 +00:00
Gary Pendergast
7ca423d449 The UTF-8 regex can occasionally fail on very low memory machines. Reduce the amount of memory it uses. 
See #32204.


Built from https://develop.svn.wordpress.org/trunk@32375


git-svn-id: http://core.svn.wordpress.org/trunk@32345 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-05-06 06:58:24 +00:00
Sergey Biryukov
eef2dcfccd Merge two different translator comments for the same string. 
props pavelevap.
fixes #31999.
Built from https://develop.svn.wordpress.org/trunk@32210


git-svn-id: http://core.svn.wordpress.org/trunk@32183 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-04-20 15:36:26 +00:00
Boone Gorges
5b629644f9 Improve handling of incomplete From and Content-Type headers in wp_mail(). 
When an incomplete header is provided (eg, 'From' with an email address but no
name), ensure that the WP defaults are filled in properly.

Props valendesigns.
Fixes #30266.
Built from https://develop.svn.wordpress.org/trunk@32070


git-svn-id: http://core.svn.wordpress.org/trunk@32049 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-04-07 20:10:26 +00:00
Drew Jaynes
46cf634c90 Various inline documentation syntactical fixes in wp-includes/pluggable.php for 4.2 changes. 
See #31888.

Built from https://develop.svn.wordpress.org/trunk@32045


git-svn-id: http://core.svn.wordpress.org/trunk@32024 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-04-05 16:46:26 +00:00
Sergey Biryukov
a1fb0a378c Restore line breaks before comment text in comment notification emails. 
fixes #31508.
Built from https://develop.svn.wordpress.org/trunk@31770


git-svn-id: http://core.svn.wordpress.org/trunk@31750 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-03-13 18:29:27 +00:00
Helen Hou-Sandí
0b3170fc7d Gravatars: Remove redundant 1x srcset. 
props miqrogroove.
see #22329.

Built from https://develop.svn.wordpress.org/trunk@31722


git-svn-id: http://core.svn.wordpress.org/trunk@31703 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-03-11 16:56:27 +00:00
Helen Hou-Sandí
0bf35836c3 Gravatars: Enable HiDPI versions for browsers that support srcset. 
props iseulde.
see #22329.

Built from https://develop.svn.wordpress.org/trunk@31721


git-svn-id: http://core.svn.wordpress.org/trunk@31702 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-03-11 16:32:26 +00:00
Drew Jaynes
33d9dd8066 Adjust the description for the $extra_attr argument in the DocBlocks for get_avatar_data() and get_avatar(). 
See [31561]. See #31469.

Built from https://develop.svn.wordpress.org/trunk@31591


git-svn-id: http://core.svn.wordpress.org/trunk@31572 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-03-01 07:19:24 +00:00
Gary Pendergast
18bb886b22 When sanitizing a URL to redirect to, UTF-8 characters can be URL encoded, instead of being removed. 
While RFC 3986 does not specify which character sets are allowed in URIs, Section 2.5 states that octects matching UTF-8 character encoding should be percent-encoded, then unreserved octets outside of the UTF-8 range should be percent-encoded. As browsers tend to only implement support for UTF-8 in URLs, this change only implements the UTF-8 encoding part. We may revisit the second part if it becomes an issue.

Fixes #31486


Built from https://develop.svn.wordpress.org/trunk@31587


git-svn-id: http://core.svn.wordpress.org/trunk@31568 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-02-28 02:21:26 +00:00
Scott Taylor
e899c370a4 In get_avatar_data() and get_avatar(), allow height and width to be specified separately (both default to size). Also allow arbitrary attributes on the <img> via the extra_attr arg. 
Props miqrogroove.
See #31469.

Built from https://develop.svn.wordpress.org/trunk@31561


git-svn-id: http://core.svn.wordpress.org/trunk@31542 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-02-26 21:17:24 +00:00
Sergey Biryukov
add5f9bdf2 Remove src from duplicate hook comments for get_avatar and get_avatar_data. 
see #21195.
Built from https://develop.svn.wordpress.org/trunk@31480


git-svn-id: http://core.svn.wordpress.org/trunk@31461 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-02-19 14:59:26 +00:00
Sergey Biryukov
01bb8478ff Fix a typo in duplicate hook comment. 
see [31107], #21195.
Built from https://develop.svn.wordpress.org/trunk@31479


git-svn-id: http://core.svn.wordpress.org/trunk@31460 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-02-19 14:56:28 +00:00
Drew Jaynes
947d04f323 Improve return and parameter documentation for check_admin_referer(), check_ajax_referer(), and wp_verify_nonce(). 
Also update and clarify docsfor the `check_admin_referer` and `check_ajax_referer` hooks.

Props johnbillion, DrewAPicture.
Fixes #31055.

Built from https://develop.svn.wordpress.org/trunk@31381


git-svn-id: http://core.svn.wordpress.org/trunk@31362 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-02-09 04:57:27 +00:00
Scott Taylor
fe6b5983df In PHP 5.0.0, is_a() became deprecated in favour of the instanceof operator. Calling is_a() would result in an E_STRICT warning. 
In PHP 5.3.0, `is_a()` is no longer deprecated, and will therefore no longer throw `E_STRICT` warnings.

To avoid warnings in PHP < 5.3.0, convert all `is_a()` calls to `$var instanceof WP_Class` calls.

`instanceof` does not throw any error if the variable being tested is not an object, it simply returns `false`.

Props markoheijnen, wonderboymusic.
Fixes #25672.

Built from https://develop.svn.wordpress.org/trunk@31188


git-svn-id: http://core.svn.wordpress.org/trunk@31169 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-01-16 01:06:24 +00:00
Gary Pendergast
4bc89fef32 In get_avatar(), revert the <img> tag attributes to using single quotes, instead of double quotes. This behaviour was changed in [31107], but caused problems for code that attempted to parse the <img> tag. 
See #21195


Built from https://develop.svn.wordpress.org/trunk@31152


git-svn-id: http://core.svn.wordpress.org/trunk@31133 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-01-12 00:03:24 +00:00
Scott Taylor
ac654632fe Use PHP_SAPI constant instead of php_sapi_name() in iis7_supports_permalinks(), wp_fix_server_vars(), and wp_redirect(). 
See #30799.

Built from https://develop.svn.wordpress.org/trunk@31120


git-svn-id: http://core.svn.wordpress.org/trunk@31101 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-01-10 04:59:22 +00:00
Gary Pendergast
5ee3ff435d Add get_avatar_url(), for retrieving just the URL of an avatar, rather than the entire <img> tag that get_avatar() produces. 
Unlike `get_avatar()`, `get_avatar_url()` is not pluggable. It can be extended/or modified through the new filters included.

Fixes #21195.

Props mdawaffe, pento, pathawks, DrewAPicture


Built from https://develop.svn.wordpress.org/trunk@31107


git-svn-id: http://core.svn.wordpress.org/trunk@31088 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-01-09 04:43:23 +00:00
Sergey Biryukov
e253251ef4 Remove space before comma in wp_notify_postauthor() and wp_notify_moderator(). 
see #30930.
Built from https://develop.svn.wordpress.org/trunk@31060


git-svn-id: http://core.svn.wordpress.org/trunk@31041 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-01-06 17:17:21 +00:00
Sergey Biryukov
71d255fde1 Remove padding from the comment notification emails in wp_notify_moderator(). 
See [30015] for wp_notify_postauthor().

props pavelevap.
fixes #30930.
Built from https://develop.svn.wordpress.org/trunk@31059


git-svn-id: http://core.svn.wordpress.org/trunk@31040 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2015-01-06 17:10:35 +00:00
John Blackbourn
d614abe3a2 Allow brackets in a URL when it's sanitised for a redirect. Brackets are valid in query parameters. 
Fixes #30308
Props voldemortensen

Built from https://develop.svn.wordpress.org/trunk@30684


git-svn-id: http://core.svn.wordpress.org/trunk@30674 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2014-12-01 03:21:22 +00:00
John Blackbourn
17ddc06287 Allow square brackets in a URL when it's sanitised for a redirect. Square brackets are valid in query parameters and IPv6 addresses. 
Fixes #17052
Props voldemortensen

Built from https://develop.svn.wordpress.org/trunk@30683


git-svn-id: http://core.svn.wordpress.org/trunk@30673 1a063a9b-81f0-0310-95a4-ce76da25c4cd
 2014-12-01 03:16:22 +00:00