- REST API: Limit `search_columns` for users without `list_users`.
- Comments: Prevent users who cannot see a post from seeing comments on it.
- Application Passwords: Prevent the use of some pseudo protocols in application passwords.
- Restrict media shortcode ajax to certain type
- REST API: Ensure no-cache headers are sent when methods are overridden.
- Prevent unintended behavior when certain objects are unserialized.
Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 5.8 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/5.8@56884
git-svn-id: http://core.svn.wordpress.org/branches/5.8@56395 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Editor: Bump @wordpress packages for the 5.9 branch,
- Media: Refactor search by filename within the admin,
- REST API: Lockdown post parameter of the terms endpoint,
- Customize: Escape blogname option in underscores templates,
- Query: Validate relation in `WP_Date_Query`,
- Users: Revert use of shared objects for current user,
- Posts, Post types: Apply KSES to post-by-email content,
- General: Validate host on "Are you sure?" screen,
- Posts, Post types: Remove emails from post-by-email logs,
- Pings/trackbacks: Apply KSES to all trackbacks,
- Mail: Reset PHPMailer properties between use,
- Comments: Apply kses when editing comments,
- Widgets: Escape RSS error messages for display.
Merges [54521-54530] to the 5.8 branch.
Props audrasjb, costdev, cu121, dd32, davidbaumwald, ehtis, johnbillion, johnjamesjacoby, martinkrcho, matveb, oztaser, paulkevan, peterwilsoncc, ravipatel, SergeyBiryukov, talldanwp, timothyblynjacobs, tykoted, voldemortensen, vortfu, xknown.
Built from https://develop.svn.wordpress.org/branches/5.8@54548
git-svn-id: http://core.svn.wordpress.org/branches/5.8@54103 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Patterns on the [https://wordpress.org/patterns/ Pattern Directory] can have keywords for better discoverability while searching. The way these are stored [69548ff1f0 was changed from a taxonomy to meta value], but the `/wp/v2/pattern-directory/patterns` endpoint was still pulling from that old value.
The correct property to use for this field is `meta.wpop_keywords`, which returns a single string with comma-separated keywords.
Follow-up to [51021].
Props ryelle, TimothyBlynJacobs.
Merges [53665] to the 5.8 branch.
See #56126.
Built from https://develop.svn.wordpress.org/branches/5.8@53675
git-svn-id: http://core.svn.wordpress.org/branches/5.8@53234 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes a bug where widgets are unintentionally moved to the `wp_inactive_widgets` sidebar when batch updates occur through the REST API.
When batch requests are processed, only `$_wp_sidebars_widgets` is updated by previous calls to `WP_REST_Widgets_Controller::create_item()`. `$sidebars_widgets` is not aware of the new widget’s intended location, and `retrieve_widgets()` mistakenly flags the widget as inactive.
Calling `wp_get_sidebars_widgets()` before `retrieve_widgets()` ensures both global variables match and is intended as a temporary fix until the root cause of the problem can be fixed.
Props zieladam, htmgarcia, timothyblynjacobs.
Merges [51432] to the 5.8 branch.
Fixes #53657.
Built from https://develop.svn.wordpress.org/branches/5.8@51439
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51050 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This switches `WP_REST_Sidebars_Controller` to use `wp_sidebar_description()` for retrieving the description of a given sidebar instead of referencing the value in the `$wp_registered_sidebars` global variable directly.
`wp_sidebar_description()` uses `wp_kses()` to only allow the default list of `$allowed_tags` to be present in a sidebar’s description.
Props timothyblynjacobs, desrosj, SergeyBiryukov.
Merges [51408] to the 5.8 branch.
Fixes #53646.
Built from https://develop.svn.wordpress.org/branches/5.8@51412
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51023 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When a widget is removed from a sidebar, if it was removed from the middle of the list, the widgets property would become an object with numeric keys.
The sidebars controller now forces the widgets property to be a list.
Props walbo, timothyblynjacobs.
Merges [51377] to the 5.8 branch.
Fixes #53612.
Built from https://develop.svn.wordpress.org/branches/5.8@51385
git-svn-id: http://core.svn.wordpress.org/branches/5.8@50996 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds the `$request` parameter to the `permissions_check()` methods within `WP_REST_Widgets_Controller` and adds `$request` as an allowed parameter to the `permissions_check()` method within `WP_REST_Templates_Controller`.
Even when this parameter is not used by default, it should be implemented to support the class being extended and the method overridden.
Props johnbillion, timothyblynjacobs.
Merges [51349] to the 5.8 branch.
Fixes #53593.
Built from https://develop.svn.wordpress.org/branches/5.8@51350
git-svn-id: http://core.svn.wordpress.org/branches/5.8@50959 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Registered widgets that do not extend WP_Widget should appear in the
wp_inactive_widgets sidebar by default. Having the widgets REST API call
retrieve_widgets() before serving any request ensures that this will happen.
This is a similar fix to [51235].
Fixes #53534.
Props zieladam, timothyblynjacobs.
Built from https://develop.svn.wordpress.org/trunk@51248
git-svn-id: http://core.svn.wordpress.org/trunk@50857 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes issues where sidebars would be unexpectedly missing from the new widgets screen. Running retrieve_widgets syncs sidebars that were registered after the last theme switch.
Props walbo, hellofromTonya, noisysocks.
Fixes #53489.
Built from https://develop.svn.wordpress.org/trunk@51235
git-svn-id: http://core.svn.wordpress.org/trunk@50844 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The register_widget function can be called with a class name or a class
instance. Once called with a class instance, the class instance is converted to
a hash that is used as the key in the array.
Props spacedmonkey, zieladam.
Built from https://develop.svn.wordpress.org/trunk@51216
git-svn-id: http://core.svn.wordpress.org/trunk@50825 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The class has been heavily modified from the original source, so the copyright can be modified to simply reference the original author’s work. The carry forward of the copyright and original code is implied.
Follow up to [50993-50995,51007,51020,51029].
Props SergeyBiryukov, cbringmann, chanthaboune, desrosj.
Fixes #41683.
Built from https://develop.svn.wordpress.org/trunk@51210
git-svn-id: http://core.svn.wordpress.org/trunk@50819 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds new hooks (rest_save_sidebar, rest_delete_widget, rest_after_save_widget)
to the widgets REST API and uses them to delete the fresh_site option when
updating widgets via the REST API. This ensures that starter content isn't
loaded in the Customizer after a user makes changes.
Fixes #53317.
Props kevin940726, garrett-eclipse, andraganescu, hellofromtonya.
Built from https://develop.svn.wordpress.org/trunk@51068
git-svn-id: http://core.svn.wordpress.org/trunk@50677 1a063a9b-81f0-0310-95a4-ce76da25c4cd
By default, a post must contain any of the requested terms to be included in the response. This commit adds a new `operator` property that can be set to `AND` to require a post to contain all of the requested terms.
For example, `/wp/v2/posts?tags[terms]=1,2,3&tags[operator]=AND` will return posts that have tags with the ids of 1, 2, and 3.
Props dlh, earnjam, Clorith, jnylen0, sebbb.
Fixes #41287.
Built from https://develop.svn.wordpress.org/trunk@51026
git-svn-id: http://core.svn.wordpress.org/trunk@50635 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add an endpoint for fetching block patterns from WordPress.org, and load the block patterns from this new API. Remove the block patterns that have already been moved to WordPress.org/patterns.
Props ryelle, iandunn, youknowriad, timothyblynjacobs.
Fixes #53246.
Built from https://develop.svn.wordpress.org/trunk@51021
git-svn-id: http://core.svn.wordpress.org/trunk@50630 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add support for uploading, editing and saving WebP images when supported by the server.
Add 'image/webp' to supported mime types. Correctly identify WebP images and sizes even when PHP doesn't support WebP. Resize uploaded WebP files (when supported) and use for front end markup.
Props markoheijne, blobfolio, Clorith, joemcgill, atjn, desrosj, spacedmonkey, marylauc, mikeschroder, hellofromtonya, flixos90.
Fixes #35725.
Built from https://develop.svn.wordpress.org/trunk@50810
git-svn-id: http://core.svn.wordpress.org/trunk@50419 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Allow authenticated users to read the contents of password protected posts if they have the `edit_post` meta capability for the post.
Props xknown, zieladam, peterwilsoncc, swissspidy, timothyblynjacobs.
Built from https://develop.svn.wordpress.org/trunk@50717
git-svn-id: http://core.svn.wordpress.org/trunk@50326 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add a check to `WP_REST_Meta_Fields::delete_meta_value()` ensuring meta data is set before attempting to delete it from the database. If the data does not exist, the delete is considered successful as the data matches the desired state.
Props BrechtVds, goaroundagain, TimothyBlynJacobs.
Fixes #52787.
Built from https://develop.svn.wordpress.org/trunk@50567
git-svn-id: http://core.svn.wordpress.org/trunk@50180 1a063a9b-81f0-0310-95a4-ce76da25c4cd