- Install: When populating options, maybe_serialize instead of always serialize.
- Uploads: Check for and verify ZIP archives.
Merges [57388] and [57389] to the 5.2 branch.
Props costdev, peterwilsoncc, azaozz, tykoted, johnbillion, desrosj, afragen, jorbin, xknown.
Built from https://develop.svn.wordpress.org/branches/5.2@57403
git-svn-id: http://core.svn.wordpress.org/branches/5.2@56909 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Comments: Prevent users who can not see a post from seeing comments on it.
- Shortcodes: Restrict media shortcode ajax to certain type.
- REST API: Ensure no-cache headers are sent when methods are overridden.
- REST API: Limit `search_columns` for users without `list_users`.
- Prevent unintended behavior when certain objects are unserialized.
Merges [56833], [56834], [56835], [56836], and [56838] to the 5.2 branch.
Props xknown, jorbin, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/5.2@56876
git-svn-id: http://core.svn.wordpress.org/branches/5.2@56387 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates the `dealerdirect/phpcodesniffer-composer-installer` package to allow installing version `0.7.0` which supports Composer 2.0.
It also includes several minor spacing/alignment coding standards fixes that are made as a result of the package update.
Props itowhid06, jrf.
Merges [49306] to the 5.2 branch.
See #51624, #48301.
Built from https://develop.svn.wordpress.org/branches/5.2@49514
git-svn-id: http://core.svn.wordpress.org/branches/5.2@49269 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 5.2 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
Built from https://develop.svn.wordpress.org/branches/5.2@49394
git-svn-id: http://core.svn.wordpress.org/branches/5.2@49153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.
Merges [47948-47951] to the 5.2 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/5.2@47960
git-svn-id: http://core.svn.wordpress.org/branches/5.2@47732 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- adds `role="presentation"` to the edit comment table
- removes a few pointless `<fieldset>` elements
- adds a few missing `<label>` elements
- adds the CSS class `class="td-full"` to table rows spanning to multiple cells
- adds explicit `scope="row"` attribute to the table headers in `options-permalink.php`: this table is better communicated as data table
- uses consistent label association in the "Privacy Settings" page
- in the installation page "Set up your database connection": associates descriptions to their inout fields using `aria-describedby`
- improves the link to gravatar.com in the `user-edit.php` page
Props afercia.
Merges [45416] to the 5.2 branch.
See #46899.
Fixes#47390.
Built from https://develop.svn.wordpress.org/branches/5.2@45835
git-svn-id: http://core.svn.wordpress.org/branches/5.2@45646 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds `role="presentation"` to the `<table>` elements used for layout purposes.
Ideally, HTML tables should be used for tabular data. When tables are used for layout purposes, it's important to remove any native semantics so that assistive technologies can correctly announce the table content in a linearized fashion.
Props greatislander, afercia.
Merges [45403] to the 5.2 branch.
See #46899.
Built from https://develop.svn.wordpress.org/branches/5.2@45834
git-svn-id: http://core.svn.wordpress.org/branches/5.2@45645 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When adding a Custom Link and leaving the "Link Text" field empty, WordPress used to set a default fallback text: "Menu Item".
The changes in [36379] broke this behavior making the fallback text: `(Pending)`, with a leading space.
Pending major refactoring of the Menus page (which is going to use a block-based user interface) this change just restores the original behavior by adding the fallback text to the related AJAX response.
Props christophherr, Fencer04, thakkarhardik, backermann1978, audrasjb.
Merges [45727] to the 5.2 branch.
Fixes#38415.
Built from https://develop.svn.wordpress.org/branches/5.2@45828
git-svn-id: http://core.svn.wordpress.org/branches/5.2@45639 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduces the faux primitive capability `view_site_health_checks` available to single site admins and multisite super-admin to view the site health page within the admin.
The capability is mapped to the `install_plugins` capability without being dependent on the file system being writable. This fixes a bug where the feature couldn't be used by sites unable to write to the file system or managed through version control.
The capability is granted on the `user_has_cap` filter.
Props birgire, Clorith, palmiak, peterwilsoncc, spacedmonkey.
Merges [45507] to the 5.2 branch.
Fixes#46957 for 5.2.2.
Built from https://develop.svn.wordpress.org/branches/5.2@45508
git-svn-id: http://core.svn.wordpress.org/branches/5.2@45319 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`wp-admin/includes/update-core.php` runs in the context of the previous WordPress version. Any calls to newly introduced functions there need to be checked via `function_exists()`.
Reviewed by desrosj, earnjam, SergeyBiryukov.
Props dd32, imath.
Merges [45365] to the 5.2 branch.
Fixes#47323.
Built from https://develop.svn.wordpress.org/branches/5.2@45366
git-svn-id: http://core.svn.wordpress.org/branches/5.2@45177 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `sodium_compat` library can be very slow for certain operations on 32-bit architectures, which can lead to web server timeouts while attempting to verify an update. This adds a runtime speed check to skip signature verification on systems that would otherwise time out. Includes simple unit tests.
Merges [45345] to the 5.2 branch.
Props dd32, paragoninitiativeenterprises, tellyworth.
Fixes#47186.
Built from https://develop.svn.wordpress.org/branches/5.2@45356
git-svn-id: http://core.svn.wordpress.org/branches/5.2@45167 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change removes redundant CSS properties for different health check statuses in favor of utilizing the `.dashicons` class already in Core to define them more consistently. This also fixes the vertical alignment issues.
Merges [45309] to the 5.2 branch.
Props chetan200891, Clorith, desrosj.
Fixes#46940.
Built from https://develop.svn.wordpress.org/branches/5.2@45314
git-svn-id: http://core.svn.wordpress.org/branches/5.2@45125 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When viewing Site Health for a multisite install, there are a few recommendations that are not appropriate and could have negative implications for other sites on the install if the administrator follows the advice provided.
For example, Site Health recommends that inactive plugins and themes for a site should be removed. On a single site install, this is a great recommendation. However, on a multisite install, inactive plugins and themes for one site should not be removed because they could be active for other sites on the network.
This change also disables the `test_wp_version_check_attached()` test for multisite. This test checks for the presence of the `wp_version_check()` function on the `wp_version_check` hook, which is not present for every site on multisite.
Reviewed by jeremyfelt and desrosj.
Props iandunn, Clorith, azaozz, jeremyfelt.
Fixes#47084.
Built from https://develop.svn.wordpress.org/trunk@45275
git-svn-id: http://core.svn.wordpress.org/trunk@45084 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes several bugs in the signature verification code:
Disables signature checks on certain incompatible PHP versions that cause math errors when opcache is enabled;
Prevents a spurious URL and subsequent error when downloading a zip file with query arguments;
Prevents errors triggered by third-party upgrade scripts as per #46615;
Disables signature tests for Plugins, Themes, and Translations, leaving only core updates.
At the 5.2 release the API servers will only provide signatures for core update packages, which is why messages are suppressed for plugins and other package types. Signatures for those other items will become available later.
Props dd32.
See #39309, #46615
Built from https://develop.svn.wordpress.org/trunk@45262
git-svn-id: http://core.svn.wordpress.org/trunk@45071 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Currently, there are a number of scenarios where `is_block_editor()` (and `WP_Screen::is_block_editor`) would incorrectly indicate block editor support at different points of the loading process. Most notably, checking `is_block_editor` when hooking into the `current_screen` action will always result in `false`, even when the block editor is being loaded. This is because `is_block_editor` is not set to `true` until `edit-form-blocks.php` is included.
This change adds logic to `WP_Screen` to ensure the accuracy of `is_block_editor` on block editor pages earlier in the load process.
While edit screens will now be accurate 100% of the time from `current_screen` on, there are still a few edge cases where `is_block_editor` could contain an incorrect value when creating a new post.
Because a `WP_Post` object is a required parameter for the `replace_editor` filter and `use_block_editor_for_post()` function, `WP_Screen` will fall back to the value returned by `use_block_editor_for_post_type()` for the post being created. To eliminate these edge cases, the `use_block_editor_for_post_type` filter can be used to return the appropriate boolean value to indicate support.
Props Chouby, desrosj, aduth, johnbillion.
Fixes#46195.
Built from https://develop.svn.wordpress.org/trunk@45224
git-svn-id: http://core.svn.wordpress.org/trunk@45033 1a063a9b-81f0-0310-95a4-ce76da25c4cd
