In this commit, enhancements have been made by replacing manually constructed style tags with calls to `wp_add_inline_style`. Previously, numerous style tags were generated and output directly in the header, resulting in redundant code and bypassing the core's style enqueueing system. This approach made it challenging for third-party developers to manage and control the output of these style tags.
To ensure backward compatibility, the following functions have been deprecated and replaced:
- print_embed_styles
- print_emoji_styles
- wp_admin_bar_header
- _admin_bar_bump_cb
Backward compatibility shims have also been added, ensuring that if these functions were previously unhooked from there actions, they will continue to not output a style tag.
However, for the following functions, conversion to use inline styles was not feasible due to the potential disruption it might cause by changing the style tag IDs, potentially breaking JavaScript functionality for a number of plugins in the repository:
- custom-background
- wp-custom
These changes improve code maintainability and enhance the flexibility and control available to developers when managing style outputs within WordPress core.
Props spacedmonkey, hlunter, westonruter, flixos90.
Fixes#58775.
Built from https://develop.svn.wordpress.org/trunk@56682
git-svn-id: http://core.svn.wordpress.org/trunk@56194 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introducing Font Face, a server-side `@font-face` styles generator and printer.
tl;dr:
* Introduces Font Face.
* Deprecates `_wp_theme_json_webfonts_handler()`.
**Introduce Font Face**
From an array of fonts (i.e. each font-family and its font variations to be processed), it:
1. Validates each `font-face` declaration, i.e. the CSS property and value pairing. If validation fails, processing stops with no font-face styles printed.
3. Generates the `@font-face` CSS for each font-family.
4. Prints the CSS within a `<style id="wp-fonts-local">` element.
The entry point into Font Face is through a new global function called `wp_print_font_faces()`, which is automatically called:
* when the `'wp_head'` hook runs (for the front-end).
* when the `'admin_print_styles'` hook runs (for the back-end).
* when `_wp_get_iframed_editor_assets()` runs to inject the `@font-face` styles into the iframed editor.
Once called, it gets the fonts from Theme_JSON merged data layer, which includes theme defined fonts and user activated fonts (once the Font Library #59166 is introduced into Core).
For classic sites, themes and plugins can directly call `wp_print_font_faces()` and pass their fonts array to it for processing.
**Deprecates `_wp_theme_json_webfonts_handler()`.**
As Font Face is a direct replacement, the stopgap code in `_wp_theme_json_webfonts_handler()` (introduced in 6.0.0 via [53282]) is deprecated and unused in Core.
**Props note:**
There's a long multiple year history baked into Font Face, which dates back to the early versions of a web font API (see #46370 and [https://github.com/WordPress/gutenberg/issues/41479 roadmap]. The props list includes those who contributed from those early versions up to this commit.
**References:**
* #46370 original (Web)Fonts API proposal for registering and enqueuing web fonts.
* [https://github.com/WordPress/gutenberg/issues/41479 Gutenberg tracking issue] which includes the evolution from Webfonts API to Fonts API to Font Face.
* [53282] / #55567 Added the stopgap code `_wp_theme_json_webfonts_handler()` in 6.0.
* [https://developer.mozilla.org/en-US/docs/Web/CSS/@font-face @font-face on mdn web docs]
* #59166 Font Library: Font manager for WordPress
Follow-up to [53282].
Props aristath, jonoaldersonwp, hellofromTonya, andraganescu, annezazu, antonvlasenko, arena, askdesign, azaozz, bph, bradley2083, colorful-tones, costdev, davidbaumwald, desrosj, dingo_d, djcowan, domainsupport, dryanpress, elmastudio, flixos90, francina, garrett-eclipse, gigitux, grantmkin, grapplerulrich, gziolo, ironprogrammer, jb510, jeffpaul, jeremyyip, jffng, joostdevalk, jorgefilipecosta, juanmaguitar, mamaduka, matveb, mburridge, mitogh, ndiego, ntsekouras, oandregal, ocean90, oglekler, paaljoachim, pagelab, peterwilsoncc, poena, priethor, scruffian, SergeyBiryukov, shiloey, simison, skorasaurus, soean, westonruter, wildworks, zaguiini.
Fixes#59165.
Built from https://develop.svn.wordpress.org/trunk@56500
git-svn-id: http://core.svn.wordpress.org/trunk@56012 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds a nonce so that activation works for block theme previews. Temporary fix until there is a REST API endpoint for activating themes.
Props scruffian, peterwilsoncc, nithins53, nithi22, jomonthomaslobo1, poena, syamraj24, vivekawsm, mrinal013.
Fixes#58712.
Built from https://develop.svn.wordpress.org/trunk@56199
git-svn-id: http://core.svn.wordpress.org/trunk@55711 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While the `image_editor_output_format` filter is primarily used in WP Admin, it can also be executed in frontend scope, as the related `WP_Image_Editor` class and `wp_unique_filename()` function are being loaded in that scope.
Follow up to [54086].
See #55443, #56526.
Built from https://develop.svn.wordpress.org/trunk@54094
git-svn-id: http://core.svn.wordpress.org/trunk@53653 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Uploaded JPEGs will automatically be converted to WebP sub-sizes instead of JPEG, saving space and making sites faster.
The original JPEG upload is always retained and can be accessed by calling `wp_get_original_image_url`.
Props azaozz, flixos90.
Fixes#55443.
Built from https://develop.svn.wordpress.org/trunk@54086
git-svn-id: http://core.svn.wordpress.org/trunk@53645 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change moves some administration related hooks from `default-filters.php` to `admin-filters.php`. It also updates the `default-filters.php` docblock to indicate that contextualized hooks should be located in the most appropriate place.
Props dlh, hellofromTonya, antonvlasenko, audrasjb, azaozz.
Fixes#54795.
Built from https://develop.svn.wordpress.org/trunk@53266
git-svn-id: http://core.svn.wordpress.org/trunk@52855 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This filter prevented removing attachment titles. This changeset removes the filter and deprecates the related function since it is no longer used.
Props dromero20, desrosj, Junaidkbr, francina, antpb, audrasjb, aadilali, etaproducto, azouamauriac, Boniu91, SergeyBiryukov.
Fixes#39108.
Built from https://develop.svn.wordpress.org/trunk@53228
git-svn-id: http://core.svn.wordpress.org/trunk@52817 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds a one-off notice to the dashboard in the event WordPress has automatically deactivated a plugin due to incompatibility with the new version of WordPress.
Introduces the new private function `deactivated_plugins_notice()` to display the notice in the dashboard. Introduces the new auto-loaded option `wp_force_deactivated_plugins` to store a list of automatically deactivated plugins; the option is used on both a site and network level.
Follow up to [51180].
Props desrosj, jorbin, azaozz, SergeyBiryukov, peterwilsoncc.
See #53432.
Built from https://develop.svn.wordpress.org/trunk@51266
git-svn-id: http://core.svn.wordpress.org/trunk@50875 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In addition, add the `wp_admin_viewport_meta()` function, paired to the `admin_viewport_meta` filter to control attributes of the meta tag.
Fixes#47369.
Props BettyJJ, mukesh27, SergeyBiryukov, ajayghaghretiya1, msaggiorato, talldanwp, davidbaumwald, donmhico, audrasjb.
Built from https://develop.svn.wordpress.org/trunk@48412
git-svn-id: http://core.svn.wordpress.org/trunk@48181 1a063a9b-81f0-0310-95a4-ce76da25c4cd
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”
With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).
Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.
Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.
Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes#50413.
Built from https://develop.svn.wordpress.org/trunk@48121
git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset introduces several changes around usability when recovery mode is active:
* Display a notice in the admin clarifying that the user is in recovery mode.
* Use a highlight color for the admin bar link to exit recovery mode.
* Exit recovery mode automatically when logging out.
* Include a recovery mode indicator in the title tag.
Props aandrewdixon, azaozz, dhanukanuwan, flixos90, henrywright, karmatosed, mapk, melchoyce, spacedmonkey, TimothyBlynJacobs, tinkerbelly.
See #46608.
Built from https://develop.svn.wordpress.org/trunk@45117
git-svn-id: http://core.svn.wordpress.org/trunk@44926 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Using the new fatal handler introduced in [44962], an email is sent to the admin when a fatal error occurs. This email includes a secret link to enter recovery mode. When clicked, the link will be validated and on success a cookie will be placed on the client, enabling recovery mode for that user. This functionality is executed early before plugins and themes are loaded, in order to be unaffected by potential fatal errors these might be causing.
When in recovery mode, broken plugins and themes will be paused for that client, so that they are able to access the admin backend despite of these errors. They are notified about the broken extensions and the errors caused, and can then decide whether they would like to temporarily deactivate the extension or fix the problem and resume the extension.
A link in the admin bar allows the client to exit recovery mode.
Props timothyblynjacobs, afragen, flixos90, nerrad, miss_jwo, schlessera, spacedmonkey, swissspidy.
Fixes#46130, #44458.
Built from https://develop.svn.wordpress.org/trunk@44973
git-svn-id: http://core.svn.wordpress.org/trunk@44804 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Due to the high number of follow-up tickets and associated security concerns, it was decided to reschedule the fatal error recovery feature for WordPress 5.2, in order to address these issues properly. The feature will continue to be developed, with iterations being merged into trunk early in the 5.2 release cycle.
Fixes#46141. See #44458, #45932, #45940, #46038, #46047, #46068.
Built from https://develop.svn.wordpress.org/trunk@44717
git-svn-id: http://core.svn.wordpress.org/trunk@44548 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset introduces a `WP_Shutdown_Handler` class that detects fatal errors and which extension (plugin or theme) causes them. Such an error is then recorded, and an error message is displayed. Subsequently, in certain protected areas, for example the admin, the broken extension will be paused, ensuring that the website is still usable in the respective area. The major benefit is that this mechanism allows site owners to still log in to their website, to fix the problem by either disabling the extension or solving the bug and then resuming the extension.
Extensions are only paused in certain designated areas. The frontend for example stays unaffected, as it is impossible to know what pausing the extension would cause to be missing, so it might be preferrable to clearly see that the website is temporarily not accessible instead.
The fatal error recovery is especially important in scope of encouraging the switch to a maintained PHP version, as not necessarily every WordPress extension is compatible with all PHP versions. If problems occur now, non-technical site owners that do not have immediate access to the codebase are not locked out of their site and can at least temporarily solve the problem quickly.
Websites that have custom requirements in that regard can implement their own shutdown handler by adding a `shutdown-handler.php` drop-in that returns the handler instance to use, which must be based on a class that inherits `WP_Shutdown_Handler`. That handler will then be used in place of the default one.
Websites that would like to modify specifically the error template displayed in the frontend can add a `php-error.php` drop-in that works similarly to the existing `db-error.php` drop-in.
Props afragen, bradleyt, flixos90, ocean90, schlessera, SergeyBiryukov, spacedmonkey.
Fixes#44458.
Built from https://develop.svn.wordpress.org/trunk@44524
git-svn-id: http://core.svn.wordpress.org/trunk@44355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, when a plugin updated its suggested privacy policy text, an admin notice was shown on all screens in the Administration Panels. That was done in order to make sure that administrators were aware of it, so that they could update their policy if needed. That was a very heavy-handed and intrusive approach, though, which leads to a poor user experience, and notice fatigue.
An alternative approach is to use bubble notifications in the menu, similar to when plugins have updates that need to be installed. That still makes it obvious that something needs the administrator's attention, but is not as distracting as a notice.
The notice will still appear on the Privacy page, though, since it is relevant to that screen, and provides an explanation of why the bubble is appearing.
Props azaozz, xkon, iandunn.
Fixes#43954. See #43953.
Built from https://develop.svn.wordpress.org/trunk@43223
git-svn-id: http://core.svn.wordpress.org/trunk@43052 1a063a9b-81f0-0310-95a4-ce76da25c4cd
r42986 introduced the beginnings of an Ajax handler for processing requests to erase personal data. At the time, a method for marking requests as completed was planned, but had not yet been created. This commit introduces that mechanism, bringing the erasure process closer to completion.
Props coreymckrill, allendav.
Fixes#43922.
Built from https://develop.svn.wordpress.org/trunk@43185
git-svn-id: http://core.svn.wordpress.org/trunk@43014 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The personal data export and erasure tools allow plugins to register their own callbacks, in order to add additional data to the export and erasure processes. Previously, these were registered without specifying a constant identifier in the array of callbacks. Using mutable integers makes it difficult for plugins to modify the callbacks of other plugins, though.
Using associative array keys instead provides a covenient and reliable way to identify and interact with another plugin's callbacks.
Props desrosj, allendav, ocean90.
Fixes#43931.
Built from https://develop.svn.wordpress.org/trunk@43154
git-svn-id: http://core.svn.wordpress.org/trunk@42983 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This sets a referrer policy of `same-origin` which adds hardening by preventing a referrer being sent from the admin area or login screens to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within URLs.
This change introduces a new filter, `admin_referrer_policy`, for filtering the referrer policy header value. The header can be disabled if necessary by removing the `wp_admin_headers` action from the `admin_init` and `login_init` hooks.
Props joostdevalk
Fixes#42036
Built from https://develop.svn.wordpress.org/trunk@41741
git-svn-id: http://core.svn.wordpress.org/trunk@41575 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds this previously Multisite-only functionality to single site installations too. This change prevents accidental or erroneous email address changes from potentially locking users out of their site.
Props MatheusGimenez, johnbillion
Fixes#39118
Built from https://develop.svn.wordpress.org/trunk@41254
git-svn-id: http://core.svn.wordpress.org/trunk@41094 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This reduces the chances of a site compromise going unnoticed, in the same way that the same notifications for user account email address changes reduces the chances of a user account compromise going unnoticed.
Props MatheusGimenez, johnbillion
Fixes#39117
Built from https://develop.svn.wordpress.org/trunk@41164
git-svn-id: http://core.svn.wordpress.org/trunk@41004 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds this previously Multisite-only functionality to single site installations too. This change prevents accidental or erroneous email address changes from potentially locking users out of their account.
Props rodrigosprimo, tharsheblows, johnbillion
Fixes#16470
Built from https://develop.svn.wordpress.org/trunk@41163
git-svn-id: http://core.svn.wordpress.org/trunk@41003 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Since [37221] the upload form is added to every plugin install screen via `install_plugins_upload()`. Previously the form was added through the `install_plugins_upload` (alias of `install_plugins_$tab`) action which allowed plugin authors to replace the form. This restores the previous behaviour.
* Add the form only to non-upload plugin install screens.
* Replace `install_plugins_upload()` with the `install_plugins_upload` and `install_plugins_pre_upload` actions.
* Remove `$upload_tab_class` and add a CSS class for the current tab to `.wrap`
* Adjust CSS selectors and toggle the whole container to support upload without an `upload-plugin` class.
Props DavidAnderson, ocean90.
Fixes#37495.
Built from https://develop.svn.wordpress.org/trunk@38172
git-svn-id: http://core.svn.wordpress.org/trunk@38113 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`wp_plugin_update_rows()` and `wp_theme_update_rows()` are using the site transients `update_plugins` and `update_themes` which are set by `wp_update_plugins()` and `wp_update_themes()`. Both functions are hooked into `load-plugins.php` and `load-themes.php`. Therefore the update rows need to be registered after the transients were populated.
See #13071.
Built from https://develop.svn.wordpress.org/trunk@37978
git-svn-id: http://core.svn.wordpress.org/trunk@37919 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Resource hints allow browsers to prefetch specific pages or render them in the background to perform DNS lookups or to begin the connection handshake (DNS, TCP, TLS) in the background.
By default, `wp_resource_hints()` prints hints for "s.w.org" (the WordPress.org CDN) and for all scripts and styles which are enqueued from external hosts.
Use the `wp_resource_hints` filter to add custom domains and URLs for `dns-prefetch`, `preconnect`, `prefetch` or `prerender`.
Props voldemortensen, swissspidy.
Fixes#34292.
Built from https://develop.svn.wordpress.org/trunk@37920
git-svn-id: http://core.svn.wordpress.org/trunk@37861 1a063a9b-81f0-0310-95a4-ce76da25c4cd
spacedmonkey
hellofromTonya
isabel_brison
Joe McGill
Felix Arntz
Adam Silverstein
Sergey Biryukov
audrasjb
Peter Wilson
whyisjake
Andrew Ozz
desrosj
Gary Pendergast
iandunn
John Blackbourn
Dominik Schilling
Andrea Fercia
Drew Jaynes
Mark Jaquith
Konstantin Obenland