This updates the 5.1 branch to support the latest LTS version of NodeJS (currently 14.x), allowing the same version to be used across all WordPress branches that receive security updates as a courtesy.
In addition to backporting the package updates that happened after branching 5.1, dependencies that were removed in future releases have also been updated to their latest versions.
Props desrosj, dd32, netweb, jorbin.
Merges [44233,44728,45321,45765,45826,46403-46404,46408-46409,47404,47867-47869,47872-47873,48705,49636,49933,49937,49939,49940,49983,49989,50017,50126,50176,50185] to the 5.1 branch.
See #52341.
Built from https://develop.svn.wordpress.org/branches/5.1@50199
git-svn-id: http://core.svn.wordpress.org/branches/5.1@49874 1a063a9b-81f0-0310-95a4-ce76da25c4cd
User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Block Editor: Coding standards, properly escape class names.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.
Brings the changes in [47633], [47634], [47635], [47636], [47637], and [47638] to the 5.1 branch.
Props: aduth, batmoo, ehti, ellatrix, jorgefilipecosta, nickdaugherty, noisysocks, pento, peterwilsoncc, sergeybiryukov, sstoqnov, talldanwp, westi, westonruter, whyisjake, whyisjake, xknown.
Built from https://develop.svn.wordpress.org/branches/5.1@47646
git-svn-id: http://core.svn.wordpress.org/branches/5.1@47421 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize : on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.
Built from https://develop.svn.wordpress.org/branches/5.1@46907
git-svn-id: http://core.svn.wordpress.org/branches/5.1@46707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[44618] added strict type checking to `_sanitize_text_fields()`, which has caused some compat issues with plugins.
We can loosen the type checking to only reject objects and arrays, and cast other types to string.
Props Nick_theGeek, pento.
Fixes#41450.
Built from https://develop.svn.wordpress.org/trunk@44731
git-svn-id: http://core.svn.wordpress.org/trunk@44562 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The pre-save filters added to links in [43732] could invalidate JSON data when saving Customizer change-sets.
This removes the filters when saving and publishing change-sets.
Props peterwilsoncc, nikeo for testing.
See #45292.
Built from https://develop.svn.wordpress.org/trunk@44714
git-svn-id: http://core.svn.wordpress.org/trunk@44545 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Both `wp_encode_emoji()` and `wp_staticize_emoji()` perform a PHP version check when deciding how to apply their behaviour, but this check only needs to happen once, rather than every time in their internal looks.
Moving the check outside of the loop reduces processing time by 50%.
Props johnbillion.
Fixes#45930.
Built from https://develop.svn.wordpress.org/trunk@44554
git-svn-id: http://core.svn.wordpress.org/trunk@44385 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Changes of note:
- Includes the new Annotations API package.
- `wp-polyfill-ecmascript.js` is renamed to `wp-polyfill.js`.
- `strip_dynamic_blocks()` has been removed in favor of `excerpt_remove_blocks()`.
- The PHP block parser is now syncing from the `block-serialization-default-parser` package.
- `do_blocks()` uses the new parser.
- The `do_block` filter has been removed from `do_blocks()`, in favor of a `render_block` filter in `render_block()`.
Also, a little cleanup to `render_block()`. Always normalize `$block['attrs’]` to array in `’render_block’` filter.
Props pento, azaozz.
Merges [43884] and [43888] to trunk.
See #45145, #45190, #45264, #45282.
Built from https://develop.svn.wordpress.org/trunk@44261
git-svn-id: http://core.svn.wordpress.org/trunk@44091 1a063a9b-81f0-0310-95a4-ce76da25c4cd
As `do_blocks()` is run before `wpautop()` in the_content filter, we can remove in a Just In Time fashion, before that filter is run.
After `wpautop()`s original priority has passed, we can re-add it in a Just Too Late fashion, to ensure it's available if `the_content` filter is run multiple times on a page load.
Merges [43879] and [43881] from the 5.0 branch to trunk.
Props pento, nerrad.
Fixes#45290.
Built from https://develop.svn.wordpress.org/trunk@44226
git-svn-id: http://core.svn.wordpress.org/trunk@44056 1a063a9b-81f0-0310-95a4-ce76da25c4cd
WPCS 1.0.0 includes a bunch of new auto-fixers, which drops the number of coding standards issues across WordPress significantly. Prior to running the auto-fixers, there were 15,312 issues detected. With this commit, we now drop to 4,769 issues.
This change includes three notable additions:
- Multiline function calls must now put each parameter on a new line.
- Auto-formatting files is now part of the `grunt precommit` script.
- Auto-fixable coding standards issues will now cause Travis failures.
Fixes#44600.
Built from https://develop.svn.wordpress.org/trunk@43571
git-svn-id: http://core.svn.wordpress.org/trunk@43400 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Unfortunately, in my overzealous desire to fix all the un-capitalised Ps, [42343] capitalled some Ps that intentionally should not be capitals.
This commit fixes the incorrectly capitalling of Ps, as well as including unit tests and PHPCS instructions to ensure we never capitulate to capitalisationing them again.
Props superdav42.
Fixes#43040.
Fixes#43041.
Built from https://develop.svn.wordpress.org/trunk@42429
git-svn-id: http://core.svn.wordpress.org/trunk@42259 1a063a9b-81f0-0310-95a4-ce76da25c4cd
We have a handful of super long regexen that are written over multiple lines, as a collection of strings concatenated together. Each string is indented appropriately for the regex, but PHPCS doesn't recognised this, so defaults to removing the extra whitespace.
Disabling the `Squiz.Strings.ConcatenationSpacing.PaddingFound` rule for these blocks stops the extra whitespace from being removed.
See #41057.
Built from https://develop.svn.wordpress.org/trunk@42249
git-svn-id: http://core.svn.wordpress.org/trunk@42078 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The WPCS `WordPress.WhiteSpace.PrecisionAlignment` rule throws warnings for a bunch of code that will likely cause issues for `wpcbf`. Fixing these manually beforehand gives us better auto-fixed results later.
See #41057.
Built from https://develop.svn.wordpress.org/trunk@42228
git-svn-id: http://core.svn.wordpress.org/trunk@42057 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.
This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.
See #41925.
Built from https://develop.svn.wordpress.org/trunk@42056
git-svn-id: http://core.svn.wordpress.org/trunk@41885 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This was previously attempted in [41043], which unfortunately had severe performance issues, the regex it used was fatally slow on long posts.
This version now uses an array of all emoji that Twemoji supports, which maintains the accuracy of [41043], while being the same speed or only a few ms slower than the code prior to [41043].
As with [41043], the `grunt precommit:emoji` task detects when `twemoji.js` has changed, and regenerates the array.
Props jmdodd for feedback, suggestions, and insults where appropriate.
Fixes#35293. 🤞🏻
Built from https://develop.svn.wordpress.org/trunk@41701
git-svn-id: http://core.svn.wordpress.org/trunk@41535 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Moves the repeated code in the emoji browser support test to a function to reduced the potential for errors and follow DRY principles.
Renames the "emoji4" test "emoji" as unicode version specific tests were removed in [38869].
Props peterwilsoncc, pento for code review.
Fixes#41156.
Built from https://develop.svn.wordpress.org/trunk@41669
git-svn-id: http://core.svn.wordpress.org/trunk@41503 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, these filters were being run once per post, but the changes in [41043] caused them to be run once per emoji found.
We will not stand idly by while this kind of unfair performance penalty is placed on the emoji literate. The filters are now run once only, emoji aficionados everywhere can rest easy, knowing their posts will be just as performant as their emoji-less cousins.
Props ocean90 for noticing this severe oversight.
See #35293.
Built from https://develop.svn.wordpress.org/trunk@41046
git-svn-id: http://core.svn.wordpress.org/trunk@40896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, `wp_encode_emoji()` and `wp_staticize_emoji()` used inaccurate regular expressions to find emoji, and transform then into HTML entities or `<img>`s, respectively. This would result in emoji not being correctly transformed, or occasionally, non-emoji being incorrectly transformed.
This commit adds a new `grunt` task - `grunt precommit:emoji`. It finds the regex in `twemoji.js`, transforms it into a PHP-friendly version, and adds it to `formatting.php`. This task is also automatically run by `grunt precommit`, when it detects that `twemoji.js` has changed.
The new regex requires features introduced in PCRE 8.32, which was introduced in PHP 5.4.14, though it was also backported to later releases of the PHP 5.3 series. For versions of PHP that don't support this, it will fall back to an updated version of the loose-matching regex.
For short posts, the performance difference between the old and new regex is negligible. As the posts get longer, however, the new method is exponentially faster.
Fixes#35293.
Built from https://develop.svn.wordpress.org/trunk@41043
git-svn-id: http://core.svn.wordpress.org/trunk@40893 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fixes the UN flag not being correctly compared to itself, introduced in [40837].
Replaces the bearded person check with a male fairy. Emoji 5 does not have gendered bearded people, so we needed to switch it out to use the ZWJ check for a broken render.
Props peterwilsoncc for the code and commit message.
Fixes#40858.
Built from https://develop.svn.wordpress.org/trunk@40850
git-svn-id: http://core.svn.wordpress.org/trunk@40701 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Updates Twemoji to 2.3.0 to include Emoji 5 support.
The pride flag test is replaced with a test for the English flag, a five character sub-devision locale. The UN flag test is retained as the most recent two character locale.
An Emoji 5 "bearded person" replaces both Emoji 4 tests.
Fixes#40858.
Built from https://develop.svn.wordpress.org/trunk@40837
git-svn-id: http://core.svn.wordpress.org/trunk@40688 1a063a9b-81f0-0310-95a4-ce76da25c4cd
audrasjb
desrosj
whyisjake
Sergey Biryukov
Gary Pendergast
Peter Wilson
Jeremy Felt
Andrew Ozz
Pascal Birchler