Commit Graph

840 Commits

Author SHA1 Message Date
audrasjb
b6fad3a241 Docs: Remove an obsolete function description in addslashes_gpc().
- Usage of `get_magic_quotes_gpc()` was removed from `addslashes_gpc()` in [46105] / #47783.
- A similar description fragment was removed from `wp_parse_str()` in that changeset, but this one was missed.
- The `get_magic_quotes_gpc()` function itself was deprecated in PHP 7.4 and removed in PHP 8.0.

Props mitweka, audrasjb, SergeyBiryukov.
Fixes #56233.
See #55646.

Built from https://develop.svn.wordpress.org/trunk@53776


git-svn-id: http://core.svn.wordpress.org/trunk@53335 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-07-25 17:28:09 +00:00
audrasjb
83da7ca360 Docs: Refine @return docblock mentions for esc_sql(), wp_slash() and wp_unslash().
Props malthert, SergeyBiryukov, johnbillion, desrosj, byohann6.
Fixes #53946.
See #55646.

Built from https://develop.svn.wordpress.org/trunk@53775


git-svn-id: http://core.svn.wordpress.org/trunk@53334 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-07-25 15:43:09 +00:00
audrasjb
f7921555ca Formatting: Normalize to Unicode NFC encoding before converting accent characters in remove_accents().
This changeset adds Unicode sequence normalization from NFD to NFC, via the `normalizer_normalize()` PHP function which is available with the recommended `intl` PHP extension.

This fixes an issue where NFD characters were not properly sanitized. It also provides a unit test for NFD sequences (alternate Unicode representations of the same characters).

Props NumidWasNotAvailable, targz, nacin, nunomorgadinho, p_enrique, gitlost, SergeyBiryukov, markoheijnen, mikeschroder, ocean90, pento, helen, rodrigosevero, zodiac1978, ironprogrammer, audrasjb, azaozz, laboiteare, nuryko, virgar, dxd5001, onnimonni, johnbillion.
Fixes #24661, #47763, #35951.
See #30130, #52654.

Built from https://develop.svn.wordpress.org/trunk@53754


git-svn-id: http://core.svn.wordpress.org/trunk@53313 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-07-21 21:11:12 +00:00
Sergey Biryukov
01d172b581 General: Replace all esc_url_raw() calls in core with sanitize_url().
This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage.

Follow-up to [11383], [13096], [51597], [53452].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes #55852.
Built from https://develop.svn.wordpress.org/trunk@53455


git-svn-id: http://core.svn.wordpress.org/trunk@53044 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-06-01 18:14:10 +00:00
Sergey Biryukov
d0712f35d4 Formatting: Make sanitize_url() the recommended function for sanitizing a URL.
A general security rule is "Sanitize when you save, escape when you echo".

In WordPress 5.9, `sanitize_url()` was un-deprecated in order to better align with the naming of other sanitizing functions, while still being an alias for `esc_url_raw()`.

This commit reverses the order and turns `esc_url_raw()` into a wrapper for `sanitize_url()`, making the latter the canonical function call and aiming to improve performance by reducing the number of function calls required when using the recommended technique.

Follow-up to [11383], [13096], [51597].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
See #55852.
Built from https://develop.svn.wordpress.org/trunk@53452


git-svn-id: http://core.svn.wordpress.org/trunk@53041 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-05-31 15:17:14 +00:00
audrasjb
eca9278a10 Docs: Update a link to the Custom Elements spec in force_balance_tags() docblock.
This changeset replaces a link to the outdated W3C specs on Custom Elements with a link to the corresponding WhatWG specification.

See #54729.

Built from https://develop.svn.wordpress.org/trunk@53204


git-svn-id: http://core.svn.wordpress.org/trunk@52793 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-04-18 14:35:07 +00:00
Peter Wilson
b53f7ce56f Emoji: Update the Twemoji to version 14.0.2.
This version introduces support for the latest Emoji added in Emoji 14. 

"Insert witty comment newly supported emoji."

Props kraftbj, desrosj, dd32, milana_cap.
Fixes #55395.



Built from https://develop.svn.wordpress.org/trunk@53150


git-svn-id: http://core.svn.wordpress.org/trunk@52739 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-04-12 05:56:23 +00:00
audrasjb
70dea8e3c2 Formatting: Avoid escaping valid XML values in esc_xml().
This change improves the `esc_xml()` function by replacing two `empty()` checks with `isset()` to cover values that are not equal to `''` but still returning `true` when checked with `empty()`, like `'0'`, `0` or `false`. It also updates the related unit tests accordingly.

Props rumpel2116, pbiron.
Fixes #55399.

Built from https://develop.svn.wordpress.org/trunk@53144


git-svn-id: http://core.svn.wordpress.org/trunk@52733 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-04-11 20:00:09 +00:00
Sergey Biryukov
521db02647 Docs: Further remove HTML markup from various function summaries.
Per the [https://developer.wordpress.org/coding-standards/inline-documentation-standards/php/#summary-formerly-short-description WordPress PHP documentation standards], no HTML markup or Markdown of any kind should be used in the summary. This ensures that the summary is displayed correctly in the [https://developer.wordpress.org/reference/ WordPress Code Reference].

This commit also improves formatting of HTML special characters in descriptions in `wp-includes/formatting.php`.

Follow-up to [53048].

Props johnbillion, mukesh27.
Fixes #55506.
Built from https://develop.svn.wordpress.org/trunk@53053


git-svn-id: http://core.svn.wordpress.org/trunk@52642 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-04-02 13:55:11 +00:00
Sergey Biryukov
c17ccc5490 Docs: Add inline comments for non-visible characters in sanitize_title_with_dashes().
This aims to clarify the list of characters that are stripped from URLs or converted to a hyphen.

Follow-up to [51984].

See #47912, #54729.
Built from https://develop.svn.wordpress.org/trunk@52821


git-svn-id: http://core.svn.wordpress.org/trunk@52410 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-03-04 14:11:02 +00:00
Sergey Biryukov
e32e1750fd Docs: Use third-person singular verbs for function descriptions in wp-includes/formatting.php, per the documentation standards.
See #54729.
Built from https://develop.svn.wordpress.org/trunk@52810


git-svn-id: http://core.svn.wordpress.org/trunk@52399 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-02-28 16:03:00 +00:00
Sergey Biryukov
d0fb86dafb I18N: Add a $locale parameter for remove_accents().
This highlights the fact that `remove_accents()` is locale-aware and makes it easier to utilize the function with different locales without having to use `switch_to_locale()` or the `locale` filter.

Additionally, this commit relaxes the check for character replacements in German locales to include formal and informal variants of any `de_*` locale, even if WordPress does not have a native translation for some of them yet.

Props malthert, johnbillion, knutsp, ocean90, SergeyBiryukov.
Fixes #54415.
Built from https://develop.svn.wordpress.org/trunk@52809


git-svn-id: http://core.svn.wordpress.org/trunk@52398 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-02-28 15:42:05 +00:00
hellofromTonya
1f56c94459 Formatting: Make terms in wpautop() and shortcode_unautop() more welcoming and inclusive.
The developer facing humor in these functions was from a different era of WordPress. Tolerance for in-jokes and other developer facing humor has decreased over the years. Terms like "pee" and "tinkle" may make some folks chuckle while for others it makes them uncomfortable.

Terminology of the past is being (or has been) re-evaluated to transform words into a language that are inclusive and welcome for all. This commit is part of that effort as it replaces.

Follow-up [13], [9255].

Props ricomoorman, tzipporahwitty, ironprogrammer, peterwilsoncc, jeremyfelt, Viper007Bond, rmccue, SergeyBiryukov, hellofromTonya.
Fixes #25615.
Built from https://develop.svn.wordpress.org/trunk@52789


git-svn-id: http://core.svn.wordpress.org/trunk@52378 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-02-23 20:03:09 +00:00
Sergey Biryukov
2eaeae58ff Docs: Update spelling for inline comments in a few files.
Per the [https://make.wordpress.org/core/handbook/best-practices/spelling/ spelling] and [https://make.wordpress.org/docs/style-guide/language-grammar/word-choice/ word choice] documentation guidelines, American (US) spelling should be preferred.

Props mohadeseghasemi, subrataemfluence, rehanali, SergeyBiryukov.
Fixes #46837.
Built from https://develop.svn.wordpress.org/trunk@52640


git-svn-id: http://core.svn.wordpress.org/trunk@52229 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-01-25 13:55:05 +00:00
desrosj
77a972838c Formatting: Correctly encode ASCII characters in post slugs.
Props zieladam, whyisjake, xknown, peterwilsoncc, desrosj, iandunn.
Built from https://develop.svn.wordpress.org/trunk@52457


git-svn-id: http://core.svn.wordpress.org/trunk@52049 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-01-06 17:10:00 +00:00
hellofromTonya
dfef2c917f Formatting: Use is_scalar() in sanitize_key().
This is a follow-up to [52292] which introduced `is_string()` to check the given key is a string to be sanitized, else the key is set to an empty string. 

`sanitize_key()` is clearly identified (in the documentation) to only work with ''string'' keys. However, it had a bug in it that allowed non-strings to pass through it:
* A non-scalar "key" would throw a PHP Warning (which was resolved in [52292]).
* A non-string scalar "key" was handled by the PHP native `strtolower()` which converted it into a string.

While `is_string()` is valid, non-string scalar types passed as the key to be sanitized were being set to an empty string. Given that `strtolower()` handles these without error or deprecation as of PHP 8.1, `is_scalar()` protects the website from issues while retaining the past behavior of converting integer keys (for example) into a string.

Changes include:
* Using `is_scalar()` instead of `is_string()`
* Refactor for readability and less code
* More tests

Please note, this does not change the behavior of the function, nor redefine it to now accept non-string scalars.

References:
* https://developer.wordpress.org/reference/functions/sanitize_key/
* https://www.php.net/manual/en/function.strtolower.php

Follow-up [52292].

Props wppunk, hellofromTonya, costdev, jrf.
Fixes #54160.
Built from https://develop.svn.wordpress.org/trunk@52370


git-svn-id: http://core.svn.wordpress.org/trunk@51962 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-12-14 15:01:03 +00:00
John Blackbourn
39bff93b6b Docs: Various inline documentation corrections and improvements.
See #53399

Built from https://develop.svn.wordpress.org/trunk@52332


git-svn-id: http://core.svn.wordpress.org/trunk@51924 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-12-07 12:20:02 +00:00
Sergey Biryukov
a9edd7ba88 Build/Test Tools: Remove the replace:emoji-banner-text Grunt task.
The task was previously used to ensure that `/*! This file is auto-generated */` comment is not included on front end as part of the inline emoji detection script.

As the `wp-emoji-loader.js` script is now included via `file_get_contents()` and `wp_print_inline_script_tag()` instead of `grunt-include` to simplify the logic, the task does not find anything to replace and is no longer necessary.

Additionally, include a line break before the `wp-emoji-loader.js` script content for better line wrapping.

Follow-up to [48096], [50651], [52132].

See #44632, #44306, #53363.
Built from https://develop.svn.wordpress.org/trunk@52325


git-svn-id: http://core.svn.wordpress.org/trunk@51917 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-12-06 10:14:06 +00:00
Sergey Biryukov
566d5d2170 Options, Meta APIs: Improve error handling in sanitize_option().
To prevent potential false negatives, set `$error` to `null` initially, so we can better tell if it was ever changed during the sanitization and be able to better react if an empty string is added to it.

Additionally, and mainly for the sake of the Settings API at this point, add error messages to some `WP_Error` objects returned from `wpdb` methods that were previously causing the issues here.

Follow-up to [32791].

Props iCaleb, audrasjb, hellofromTonya, SergeyBiryukov.
Fixes #53986.
Built from https://develop.svn.wordpress.org/trunk@52294


git-svn-id: http://core.svn.wordpress.org/trunk@51886 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-30 21:03:00 +00:00
hellofromTonya
9ede1fe55b Formatting: Handle non-scalar types passed to sanitize_key().
`sanitize_key()` expects a string type for the given `key`. Passing any other data type to `strtolower()` can result in `E_WARNING: strtolower() expects parameter 1 to be string, array given`.

A check is added that if the key is not a string, the key is set to an empty string. For performance, the additional string processing is skipped if the key is an empty string.

This change maintains backwards-compatibility for valid string keys while fixing the bug of non-string keys.

Props costdev, dd32. 
Fixes #54160.
Built from https://develop.svn.wordpress.org/trunk@52292


git-svn-id: http://core.svn.wordpress.org/trunk@51884 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-30 20:11:02 +00:00
hellofromTonya
8d5af49e49 Formatting: Add additional support for single and nestable tags in force_balance_tags().
Adds `track` and `wbr` support for single tags.

Adds `article`, `aside`, `details`, `figure`, and `section` for nestable tags.

Updates tests.

Follow-up to [5805], [21828], [45929].

Props glendaviesnz, costdev, talldanwp, ramonopoly, sergeybiryukov.
Fixes #50225.
Built from https://develop.svn.wordpress.org/trunk@52188


git-svn-id: http://core.svn.wordpress.org/trunk@51780 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-16 19:42:01 +00:00
Weston Ruter
9038612705 Embeds: Conditionally enqueue wp-embed only if needed and send ready message in case script loads after post embed windows.
* Prevent loading `wp-embed` script unconditionally on every page in favor of conditionally enqueueing when a post embed is detected. The `wp-embed` script is also explicitly marked as being in the footer group. Sites which currently disable post embed scripts from being enqueued via `remove_action( 'wp_head', 'wp_oembed_add_host_js' )` will continue to do so.
* Send a `ready` message from the host page to each post embed window in case the `iframe` loads before the `wp-embed` script does. When the `ready` message is received by the post embed window, it sends the same `height` message as it sends when it loads.
* Eliminate use of `grunt-include` to inject emoji script and the post embed script. Instead obtain the script contents via `file_get_contents()` (as is done elsewhere in core) and utilize `wp_print_inline_script_tag()`/`wp_get_inline_script_tag()` to construct out the script. This simplifies the logic and allows the running of src without `SCRIPT_DEBUG` enabled.
* For the embed code that users are provided to copy for embedding outside of WP, add the `secret` on the `blockquote` and `iframe`. This ensures the `blockquote` will be hidden when the `iframe` loads. The embed code in question is accessed here via `get_post_embed_html()`.

Props westonruter, swissspidy, pento, flixos90, ocean90.
Fixes #44632, #44306.

Built from https://develop.svn.wordpress.org/trunk@52132


git-svn-id: http://core.svn.wordpress.org/trunk@51724 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-11 02:49:18 +00:00
John Blackbourn
2a3ad7c430 Docs: Various docblock improvements and corrections.
See #53399

Built from https://develop.svn.wordpress.org/trunk@52035


git-svn-id: http://core.svn.wordpress.org/trunk@51627 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-08 10:48:59 +00:00
johnjamesjacoby
43644069ea Permalinks: Sanitize non-visible characters inside sanitize_title_with_dashes().
This change prevents non-visible characters in titles from creating encoded values in permalinks, opting instead for the following replacement strategy:

* Non-visible non-zero-width characters are replaced with hyphens
* Non-visible zero-width characters are removed entirely

Included with this change are 64 additional PHPUnit assertions to confirm that only the targeted non-visible characters are sanitized as intended.

Before this change, URLs would unintentionally contain encoded values where these non-visible characters were. After this change, URLs intentionally strip out or hyphenate these non-visible characters.

Props costdev, dhanendran, hellofromtonya, paaljoachim, peterwilsoncc, poena, sergeybiryukov.

Fixes #47912.
Built from https://develop.svn.wordpress.org/trunk@51984


git-svn-id: http://core.svn.wordpress.org/trunk@51573 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-02 18:47:57 +00:00
John Blackbourn
6babc3833b Docs: Miscellaneous docblock improvements.
See #53399

Built from https://develop.svn.wordpress.org/trunk@51955


git-svn-id: http://core.svn.wordpress.org/trunk@51544 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-10-29 23:13:05 +00:00
Sergey Biryukov
a60032feec Coding Standards: Add a leading zero in the CSS declarations printed by the print_emoji_styles() function.
Follow-up to [31733], [31786].

Props audrasjb, sabernhardt.
Fixes #54284.
Built from https://develop.svn.wordpress.org/trunk@51918


git-svn-id: http://core.svn.wordpress.org/trunk@51511 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-10-18 16:53:57 +00:00
hellofromTonya
c7d3e267b8 Coding Standards: Use static closures when not using $this.
When a closure does not use `$this`, it can be made `static` for improved performance.

Static closures are supported in PHP since PHP 5.4.

Props jrf, hellofromTonya, swissspidy, SergeyBiryukov.
See #53359.
Built from https://develop.svn.wordpress.org/trunk@51657


git-svn-id: http://core.svn.wordpress.org/trunk@51263 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-26 12:59:02 +00:00
Sergey Biryukov
8a98b96f36 Code Modernization: Correct handling of null in wp_parse_str().
This fixes `parse_str(): Passing null to parameter #1 ($string) of type string is deprecated` notices on PHP 8.1, without change in behaviour.

Impact: 311 of the pre-existing tests are affected by this issue.

The PHP native `parse_str()` function expects a string, however, based on the failing tests, it is clear there are functions in WordPress which pass a non-string – including `null` – value to the `wp_parse_str()` function, which would subsequently pass it onto the PHP native function without further input validation.

Most notable offender is the `wp_parse_args()` function which special cases arrays and objects, but passes everything else off to `wp_parse_str()`.

Several ways to fix this issue have been explored, including checking the received value with `is_string()` or `is_scalar()` before passing it off to the PHP native `parse_str()` function.

In the end it was decided against these in favor of a string cast as:
* `is_string()` would significantly change the behavior for anything non-string.
* `is_scalar()` up to a point as well, as it does not take objects with a `__toString()` method into account.

Executing a string cast on the received value before passing it on maintains the pre-existing behavior while still preventing the deprecation notice coming from PHP 8.1.

Reference: [https://www.php.net/manual/en/function.parse-str.php PHP Manual: parse_str()]

Follow-up to [5709].

Props jrf, hellofromTonya, lucatume, SergeyBiryukov.
See #53635.
Built from https://develop.svn.wordpress.org/trunk@51624


git-svn-id: http://core.svn.wordpress.org/trunk@51230 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-16 22:18:02 +00:00
Sergey Biryukov
6b144ab46a Docs: Correct @since version for the wp_parse_str filter.
The filter was introduced along with the `wp_parse_str()` function in WordPress 2.2.1.

Follow-up to [5709], [8662], [26485].

See #53399.
Built from https://develop.svn.wordpress.org/trunk@51609


git-svn-id: http://core.svn.wordpress.org/trunk@51220 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-13 15:50:58 +00:00
Sergey Biryukov
d8413a32e1 General: Restore (un-deprecate) the sanitize_url() function.
A general security rule is "Sanitize when you save, escape when you echo", and for the most part WordPress has well-named functions like `sanitize_email()` and others, with `esc_url_raw()` being a single exception that does not follow the naming.

This commit restores the previously deprecated `sanitize_url()` function as a valid alias of `esc_url_raw()`.

This better aligns with the naming with other `sanitize_*()` functions:

* `sanitize_bookmark()`
* `sanitize_bookmark_field()`
* `sanitize_category()`
* `sanitize_category_field()`
* `sanitize_comment_cookies()`
* `sanitize_email()`
* `sanitize_file_name()`
* `sanitize_hex_color()`
* `sanitize_hex_color_no_hash()`
* `sanitize_html_class()`
* `sanitize_key()`
* `sanitize_meta()`
* `sanitize_mime_type()`
* `sanitize_option()`
* `sanitize_post()`
* `sanitize_post_field()`
* `sanitize_sql_orderby()`
* `sanitize_term()`
* `sanitize_term_field()`
* `sanitize_text_field()`
* `sanitize_textarea_field()`
* `sanitize_title()`
* `sanitize_title_for_query()`
* `sanitize_title_with_dashes()`
* `sanitize_trackback_urls()`
* `sanitize_user()`
* `sanitize_user_field()`

Follow-up to [11383], [13096].

Props Ipstenu, aadilali.
Fixes #53876.
Built from https://develop.svn.wordpress.org/trunk@51597


git-svn-id: http://core.svn.wordpress.org/trunk@51208 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-10 19:44:59 +00:00
Sergey Biryukov
31c5fc58f2 Docs: Add a @see reference to the wp_mail_content_type filter in wp_staticize_emoji_for_email().
Follow-up to [31860].

See #53399.
Built from https://develop.svn.wordpress.org/trunk@51589


git-svn-id: http://core.svn.wordpress.org/trunk@51200 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-10 12:53:59 +00:00
Sergey Biryukov
815e31f611 Coding Standards: Remove redundant semicolons after closing curly brackets.
Props jrf.
See #53359.
Built from https://develop.svn.wordpress.org/trunk@51552


git-svn-id: http://core.svn.wordpress.org/trunk@51163 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-08-05 13:15:55 +00:00
desrosj
b60a512de4 Emoji: Update the Twemoji library to version 13.1.0.
This version introduces support for the latest Emoji added in version Emoji 13.1, which includes “face in clouds”, “face exhaling”, and of course, “face with spiral eyes”.

A new corresponding folder has been pushed to WordPress.org in [dotorg:17419].

Rages deep within, ❤️‍🔥.

Props kraftbj., desrosj.
Fixes #52852.
Built from https://develop.svn.wordpress.org/trunk@51113


git-svn-id: http://core.svn.wordpress.org/trunk@50722 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-06-08 22:15:12 +00:00
Adam Silverstein
524030edfa Images: enable WebP support.
Add support for uploading, editing and saving WebP images when supported by the server.

Add 'image/webp' to supported mime types. Correctly identify WebP images and sizes even when PHP doesn't support WebP. Resize uploaded WebP files (when supported) and use for front end markup.

Props markoheijne, blobfolio, Clorith, joemcgill, atjn, desrosj, spacedmonkey, marylauc, mikeschroder, hellofromtonya, flixos90.
Fixes #35725.


Built from https://develop.svn.wordpress.org/trunk@50810


git-svn-id: http://core.svn.wordpress.org/trunk@50419 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-05-04 14:44:58 +00:00
Sergey Biryukov
ed240e087e Docs: Correct description for wp_slash() and wp_unslash().
The array received or returned by these functions is not always an array of strings, for example when slashing or unslashing an array of arrays.

Follow-up to [47400], [48441], [49926].

Props johnbillion.
See #51800.
Built from https://develop.svn.wordpress.org/trunk@49968


git-svn-id: http://core.svn.wordpress.org/trunk@49669 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-17 16:38:06 +00:00
Dominik Schilling
87b092dc30 I18N: Add support for German (Austria) locale in remove_accents().
Props patopaiar, nonverbla.
Fixes #52110.
Built from https://develop.svn.wordpress.org/trunk@49967


git-svn-id: http://core.svn.wordpress.org/trunk@49668 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-17 15:46:08 +00:00
desrosj
05f174acf6 Build/Test Tools: Update UglifyJS to the latest version.
This updates the `uglify-js` package from version `3.6.0` to `3.12.4`.

See #51801.
Built from https://develop.svn.wordpress.org/trunk@49940


git-svn-id: http://core.svn.wordpress.org/trunk@49639 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-06 15:29:24 +00:00
John Blackbourn
dfe1f9b322 Docs: Promote many bool types to true or false where only that value is used.
See #51800

Built from https://develop.svn.wordpress.org/trunk@49927


git-svn-id: http://core.svn.wordpress.org/trunk@49626 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-03 22:04:04 +00:00
John Blackbourn
53da9208dd Docs: Various docblock corrections particularly relating to boolean types.
See #51800

Built from https://develop.svn.wordpress.org/trunk@49926


git-svn-id: http://core.svn.wordpress.org/trunk@49625 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-03 21:57:09 +00:00
Sergey Biryukov
5550b5fd6a Docs: Move sanitize_file_name filter documentation to the canonical place.
See #51800.
Built from https://develop.svn.wordpress.org/trunk@49858


git-svn-id: http://core.svn.wordpress.org/trunk@49577 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-12-21 18:25:05 +00:00
Sergey Biryukov
af95efdd34 Docs: Add a @see reference to esc_url() from esc_url_raw().
Follow-up to [49512].

See #50585.
Built from https://develop.svn.wordpress.org/trunk@49513


git-svn-id: http://core.svn.wordpress.org/trunk@49268 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-11-06 14:16:07 +00:00
Sergey Biryukov
6dd28116a1 Docs: Improve return value description for esc_url().
Add a reference to `esc_url()` from `esc_url_raw()` return value description.

Props stevenlinx, audrasjb, helen.
Fixes #50585.
Built from https://develop.svn.wordpress.org/trunk@49512


git-svn-id: http://core.svn.wordpress.org/trunk@49267 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-11-06 14:03:06 +00:00
Sergey Biryukov
1543954adc Docs: Update description for the $context parameter of sanitize_title() and sanitize_title_with_dashes().
This brings some consistency between the two DocBlocks and adjusts the latter one per the documentation standards.

Follow-up to [49482].

See #50569.
Built from https://develop.svn.wordpress.org/trunk@49484


git-svn-id: http://core.svn.wordpress.org/trunk@49243 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-11-02 20:20:07 +00:00
Helen Hou-Sandí
f2875b6f7c Formatting: Update docs for $context in sanitize_title_with_dashes().
Props stevenlinx, audrasjb.
Fixes #50569.

Built from https://develop.svn.wordpress.org/trunk@49482


git-svn-id: http://core.svn.wordpress.org/trunk@49241 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-11-02 20:12:06 +00:00
desrosj
8f7975cbea Emoji: Update Twemoji to version 13.0.1.
This release fixes minor issues with 8 different Emoji and revises the person/woman/man kneeling Emoji to be in a more obvious kneeling position.

🧎

These updates were pushed to a new, `13.0.1` folder on the CDN in [dotorg:16573].

For a full list of changes in this update, see https://github.com/twitter/twemoji/compare/v13.0.0...v13.0.1.

Props hareesh-pillai, otto42, desrosj.
Fixes #51356.
Built from https://develop.svn.wordpress.org/trunk@49239


git-svn-id: http://core.svn.wordpress.org/trunk@49001 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-20 16:55:23 +00:00
Sergey Biryukov
651f426b3a General: Remove noreferrer from wp_targeted_link_rel() and other uses.
When `noopener noreferrer` was originally added in #37941 and related tickets, the `noreferrer` bit was specifically included due to Firefox not supporting `noopener` at the time.

Since `noopener` has been supported by all major browsers for a while, it should now be safe to remove the `noreferrer` attribute from core.

Props Mista-Flo, audrasjb, joostdevalk, jonoaldersonwp, peterwilsoncc, elgameel.
Fixes #49558.
Built from https://develop.svn.wordpress.org/trunk@49215


git-svn-id: http://core.svn.wordpress.org/trunk@48977 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-19 23:39:04 +00:00
Sergey Biryukov
0e3147c40e Coding Standards: Replace alias PHP functions with the canonical names.
Using the canonical function name for PHP functions is strongly recommended, as aliases may be deprecated or removed without (much) warning.

This replaces all uses of the following:
* `join()` with `implode()`
* `sizeof()` with `count()`
* `is_writeable()` with `is_writable()`
* `doubleval()` with a `(float)` cast

In part, this is a follow-up to #47746.

Props jrf.
See #50767.
Built from https://develop.svn.wordpress.org/trunk@49193


git-svn-id: http://core.svn.wordpress.org/trunk@48955 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-18 17:27:06 +00:00
Sergey Biryukov
120291367a Formatting: Deprecate wp_slash_strings_only() in favor of wp_slash().
The reason for introducing `wp_slash_strings_only()` in [46454] was to keep non-string values untouched.

Later, `wp_slash()` itself was updated in [48433] to prevent changing non-string values.

To avoid confusion, `wp_slash_strings_only()` is now deprecated.

Props ayeshrajans, ocean90.
Fixes #50635.
Built from https://develop.svn.wordpress.org/trunk@49188


git-svn-id: http://core.svn.wordpress.org/trunk@48950 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-18 06:57:04 +00:00
Sergey Biryukov
897f004a9c General: Replace older-style PHP type conversion functions with type casts.
This improves performance, readability, and consistency throughout core.

* `intval()` → `(int)`
* `strval()` → `(string)`
* `floatval()` → `(float)`

Props ayeshrajans.
Fixes #42918.
Built from https://develop.svn.wordpress.org/trunk@49108


git-svn-id: http://core.svn.wordpress.org/trunk@48870 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-08 21:15:13 +00:00
Sergey Biryukov
ac00862f44 Formatting: Make sure links_add_target() adds the target attribute to the correct tag.
Previously, the attribute could unintentionally be added to a tag that starts with the same characters, e.g. `<aside>` instead of `<a>`.

Props antonlukin.
Fixes #51313.
Built from https://develop.svn.wordpress.org/trunk@48983


git-svn-id: http://core.svn.wordpress.org/trunk@48745 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-09-17 10:14:07 +00:00
Sergey Biryukov
13647464a5 Formatting: Make the check for empty text in wp_trim_excerpt() more resilient.
This addresses a regression in [47808], which caused excerpts to be generated from post content if an empty string is passed, but not for other values considered empty, e.g. `null` or `false`.

Props riaanlom, laxman-prajapati, SergeyBiryukov.
Fixes #51042.
Built from https://develop.svn.wordpress.org/trunk@48817


git-svn-id: http://core.svn.wordpress.org/trunk@48579 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-08-18 15:10:04 +00:00
Sergey Biryukov
101d00601e Media: Remove accents in sanitize_file_name().
This brings some consistency with `sanitize_title()` and `sanitize_user()`.

Props tar.gz, NumidWasNotAvailable, juliobox, p_enrique, cristovaov, zodiac1978, mikeschroder, markoheijnen, chriscct7, swissspidy, DrProtocols, pento, gitlost, joemcgill, dustinbolton, programmin, Vayu, MaximeCulea, lucasbustamante, nilovelez, RavanH, audrasjb, SergeyBiryukov.
See #22363.
Built from https://develop.svn.wordpress.org/trunk@48603


git-svn-id: http://core.svn.wordpress.org/trunk@48365 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-24 18:03:02 +00:00
Sergey Biryukov
544fbefffa Media: Filter out a few more special characters in sanitize_file_name().
Props audrasjb.
Fixes #50231.
Built from https://develop.svn.wordpress.org/trunk@48596


git-svn-id: http://core.svn.wordpress.org/trunk@48358 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-24 00:59:07 +00:00
Sergey Biryukov
e1830a8182 Formatting: Filter out the bullet character in sanitize_title_with_dashes().
Props roytanck, deepaklalwani, veromary.
Fixes #49791.
Built from https://develop.svn.wordpress.org/trunk@48593


git-svn-id: http://core.svn.wordpress.org/trunk@48355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-24 00:03:05 +00:00
John Blackbourn
9bc7d0a776 Docs: Another pass at some inline docs fixes mostly made by PHPCBF.
See #49572, #50744
Built from https://develop.svn.wordpress.org/trunk@48590


git-svn-id: http://core.svn.wordpress.org/trunk@48352 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-23 21:11:05 +00:00
Aaron Jorbin
6cab8cce22 General: Update code for readability and inclusion
There are two pieces in here:

1) The update to change blacklist to blocklist is moved to disallowed_list. "Block" has a meaning in our code, and there could be ambiguity between this code and code related to blocks.

2) This improves backwards compatibility for code that was accessing the now deprecated code.

Previously: [48477], [48405], [48400], [48121], [48122], [48124], [48142], [48566]

Props: desrosj, SergeyBiryukov, johnjamesjacoby
Fixes: #50413


Built from https://develop.svn.wordpress.org/trunk@48575


git-svn-id: http://core.svn.wordpress.org/trunk@48337 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-23 03:14:06 +00:00
Sergey Biryukov
81a001117c Docs: Improve documentation for sanitize_user(), sanitize_title(), sanitize_title_with_dashes().
See #49572.
Built from https://develop.svn.wordpress.org/trunk@48444


git-svn-id: http://core.svn.wordpress.org/trunk@48213 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-12 01:13:02 +00:00
Sergey Biryukov
c38f99df9a Docs: Synchronize @since notes for add_magic_quotes() and wp_slash().
Follow-up to [48205], [48433].

See #49572.
Built from https://develop.svn.wordpress.org/trunk@48441


git-svn-id: http://core.svn.wordpress.org/trunk@48210 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-11 22:48:07 +00:00
whyisjake
7448ce4839 Formatting: Prevent wp_slash from returning non-strings as strings.
If a bool/float/int is passed into wp_slash it will be coerced into a string.

This changes the behavior to only slash strings. At the same time, handles recursion a little nicer by calling array_map for arrays.

Fixes #42195, #24106.

Props johnbillion, andizer, jrf, ryotasakamoto, SergeyBiryukov, donmhico, TobiasBg, markoheijnen, ryan, nacin, devesine, whyisjake.


Built from https://develop.svn.wordpress.org/trunk@48433


git-svn-id: http://core.svn.wordpress.org/trunk@48202 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-11 00:13:04 +00:00
whyisjake
919729508c Formatting: Improve the docblock for sanitize_title().
Since sanitize title is largely used for html attributes, or post slugs, make note that accents will be removed and that the string will be limited to alphanumeric characters, underscores, and dashes.

Fixes #33756.
Props ericlewis, swissspidy, wonderboymusic, psdtohtmlguru, DrewAPicture, SergeyBiryukov, sjmur, gma992, shulard, ebinnion, whyisjake.


Built from https://develop.svn.wordpress.org/trunk@48432


git-svn-id: http://core.svn.wordpress.org/trunk@48201 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-10 23:28:04 +00:00
Sergey Biryukov
3336009e34 Docs: Replace "html" and "xhtml" instances in DocBlocks and comments with "HTML" and "XHTML".
This ensures consistent capitalization where appropriate.

Props navidos, desrosj.
Fixes #50473.
Built from https://develop.svn.wordpress.org/trunk@48199


git-svn-id: http://core.svn.wordpress.org/trunk@47968 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-28 14:02:06 +00:00
Sergey Biryukov
40c389c95e Docs: Standardize on "Returning a value from the filter" vs. "Passing a value to the filter".
The filter is the callback function added with `add_filter()`, therefore the hook passes a value to the filter, and the filter returns a value to change its behaviour.

The documentation is referring to the latter.

Props johnbillion.
See #49572, #16557.
Built from https://develop.svn.wordpress.org/trunk@48185


git-svn-id: http://core.svn.wordpress.org/trunk@47954 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-26 18:49:09 +00:00
Sergey Biryukov
a55c84380a Docs: Spell "line breaks" in a consistent way.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@48175


git-svn-id: http://core.svn.wordpress.org/trunk@47944 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-26 09:30:11 +00:00
Sergey Biryukov
a659c36414 Docs: Add a note that the $br parameter of wpautop() does not affect line breaks within <script>, <style>, and <svg> tags.
Props stevenlinx.
Fixes #50477.
Built from https://develop.svn.wordpress.org/trunk@48174


git-svn-id: http://core.svn.wordpress.org/trunk@47943 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-26 09:20:11 +00:00
desrosj
4b60af1a6a General: Remove “whitelist” and “blacklist” in favor of more clear and inclusive language.
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”

With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).

Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.

Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.

Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes #50413.
Built from https://develop.svn.wordpress.org/trunk@48121


git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-22 17:26:13 +00:00
Sergey Biryukov
b16368c268 Docs: Remove @staticvar tags from core.
The tag was supported in phpDocumentor 1.x, but is no longer supported in 2.x and 3.x.

Usage of static variables is considered an internal implementation detail and has no information value for someone reading the docs.

Props alishanvr, jrf.
Fixes #50426.
Built from https://develop.svn.wordpress.org/trunk@48109


git-svn-id: http://core.svn.wordpress.org/trunk@47878 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-20 12:40:12 +00:00
John Blackbourn
1a77bb81d8 Docs: Remove unnecessary variable names from @return tags.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@48100


git-svn-id: http://core.svn.wordpress.org/trunk@47869 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-19 22:55:12 +00:00
John Blackbourn
37234874a5 Docs: Misc improvements to inline docs.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@48099


git-svn-id: http://core.svn.wordpress.org/trunk@47868 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-19 22:28:13 +00:00
Sergey Biryukov
99d49a0cc3 Build/Test Tools: Replace the banner text from wp-emoji-loader.min.js in formatting.php during build process.
This ensures that `/*! This file is auto-generated */` comment is not included on front end as part of the inline Emoji detection script.

Follow-up to [41271], [46589].

Props superpoincare, SergeyBiryukov.
Fixes #49861.
Built from https://develop.svn.wordpress.org/trunk@48096


git-svn-id: http://core.svn.wordpress.org/trunk@47865 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-19 22:08:08 +00:00
Pascal Birchler
609dd1d14f Sitemaps: Add XML sitemaps functionality to WordPress.
While web crawlers are able to discover pages from links within the site and from other sites, XML sitemaps supplement this approach by allowing crawlers to quickly and comprehensively identify all URLs included in the sitemap and learn other signals about those URLs using the associated metadata.

See https://make.wordpress.org/core/2020/06/10/merge-announcement-extensible-core-sitemaps/ for more details.

This feature exposes the sitemap index via `/wp-sitemap.xml` and exposes a variety of new filters and hooks for developers to modify the behavior. Users can disable sitemaps completely by turning off search engine visibility in WordPress admin.

This change also introduces a new `esc_xml()` function to escape strings for output in XML, as well as XML support to `wp_kses_normalize_entities()`.

Props Adrian McShane, afragen, adamsilverstein, casiepa, flixos90, garrett-eclipse, joemcgill, kburgoine, kraftbj, milana_cap, pacifika, pbiron, pfefferle, Ruxandra Gradina, swissspidy, szepeviktor, tangrufus, tweetythierry.
Fixes #50117.
See #3670. See #19998.

Built from https://develop.svn.wordpress.org/trunk@48072


git-svn-id: http://core.svn.wordpress.org/trunk@47839 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-17 15:24:07 +00:00
desrosj
4cdd79af25 Emoji: Upgrade Twemoji to version 13.0.0.
🥸

Props kraftbj, desrosj, otto42.
Fixes #50148.
Built from https://develop.svn.wordpress.org/trunk@48048


git-svn-id: http://core.svn.wordpress.org/trunk@47815 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-15 18:04:26 +00:00
Sergey Biryukov
b9751d4efe Coding Standards: Use strict comparison for count() calls.
See #49542.
Built from https://develop.svn.wordpress.org/trunk@47848


git-svn-id: http://core.svn.wordpress.org/trunk@47624 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-05-23 11:38:08 +00:00
Sergey Biryukov
7932193708 Coding Standards: Use strict comparison where static strings are involved.
This reduces the number of `WordPress.PHP.StrictComparisons.LooseComparison` issues in half, from 1897 to 890.

Includes minor code layout fixes for better readability.

See #49542.
Built from https://develop.svn.wordpress.org/trunk@47808


git-svn-id: http://core.svn.wordpress.org/trunk@47584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-05-16 18:42:12 +00:00
Sergey Biryukov
2517abb4bd Docs: Add a note that the $protocols parameter of esc_url_raw() defaults to return value of wp_allowed_protocols().
This complements the already existing note in `esc_url()`.

Props audrasjb.
Fixes #50147.
Built from https://develop.svn.wordpress.org/trunk@47783


git-svn-id: http://core.svn.wordpress.org/trunk@47559 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-05-11 20:34:13 +00:00
whyisjake
fd21a9346c Formatting: Expand sanitize_file_name to have better support for utf8 characters.
Props: xknown, peterwilsoncc.

Built from https://develop.svn.wordpress.org/trunk@47638


git-svn-id: http://core.svn.wordpress.org/trunk@47413 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 15:40:07 +00:00
Sergey Biryukov
38676936ba Coding Standards: Use strict type check for in_array() and array_search() where strings are involved.
This reduces the number of `WordPress.PHP.StrictInArray.MissingTrueStrict` issues from 486 to 50.

Includes minor code layout fixes for better readability.

See #49542.
Built from https://develop.svn.wordpress.org/trunk@47550


git-svn-id: http://core.svn.wordpress.org/trunk@47325 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-05 03:02:11 +00:00
John Blackbourn
7004afe4f4 Docs: Various docblock corrections and improvements.
See #49572
Built from https://develop.svn.wordpress.org/trunk@47461


git-svn-id: http://core.svn.wordpress.org/trunk@47248 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-03-16 18:40:07 +00:00
Sergey Biryukov
f82fd2c436 Docs: Use more specific type in parameter description for wp_unslash().
Props marekdedic.
See #48303.
Built from https://develop.svn.wordpress.org/trunk@47400


git-svn-id: http://core.svn.wordpress.org/trunk@47187 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-03-01 16:26:05 +00:00
Sergey Biryukov
641c632b0c Coding Standards: Use Yoda conditions where appropriate.
See #49222.
Built from https://develop.svn.wordpress.org/trunk@47219


git-svn-id: http://core.svn.wordpress.org/trunk@47019 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-02-09 16:55:09 +00:00
Sergey Biryukov
001ffe81fb Docs: Improve inline comments per the documentation standards.
Includes minor code layout fixes for better readability.

See #48303.
Built from https://develop.svn.wordpress.org/trunk@47122


git-svn-id: http://core.svn.wordpress.org/trunk@46922 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-29 00:45:18 +00:00
Sergey Biryukov
2900bb8ea7 Docs: Update links to https://secure.php.net/, they now redirect to https://www.php.net/.
See #48303.
Built from https://develop.svn.wordpress.org/trunk@47088


git-svn-id: http://core.svn.wordpress.org/trunk@46888 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-20 03:14:06 +00:00
Sergey Biryukov
8260786e64 Docs: Clarify descriptions for get_gmt_from_date() and get_date_from_gmt().
Props johnbillion, Rarst.
Fixes #48650.
Built from https://develop.svn.wordpress.org/trunk@46958


git-svn-id: http://core.svn.wordpress.org/trunk@46757 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-13 21:45:02 +00:00
whyisjake
317465e2fe Prevent stored XSS in the block editor.
Prevent escaped Unicode characters from becoming unescaped in unsafe HTML during JSON decoding.

Props: aduth, epiqueras, 

Built from https://develop.svn.wordpress.org/trunk@46896


git-svn-id: http://core.svn.wordpress.org/trunk@46696 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:02:03 +00:00
whyisjake
80eab318eb Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.


Built from https://develop.svn.wordpress.org/trunk@46894


git-svn-id: http://core.svn.wordpress.org/trunk@46694 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 17:54:02 +00:00
John Blackbourn
f545bb3f63 Docs: Improve documentation of known return types, plus other docs fixes.
See #48303

Built from https://develop.svn.wordpress.org/trunk@46660


git-svn-id: http://core.svn.wordpress.org/trunk@46460 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-11-05 21:23:02 +00:00
John Blackbourn
c8f91f77ac Docs: Correct invalid hook docblocks.
See #48303

Built from https://develop.svn.wordpress.org/trunk@46603


git-svn-id: http://core.svn.wordpress.org/trunk@46400 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-27 19:11:02 +00:00
John Blackbourn
3caaa40fc6 Docs: Switch more docs over to typed array notation, plus some fixes.
See #48303, #41756

Built from https://develop.svn.wordpress.org/trunk@46596


git-svn-id: http://core.svn.wordpress.org/trunk@46393 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-26 21:09:04 +00:00
Sergey Biryukov
ac3ff7eb1a Docs: Improve documentation for wptexturize().
Props atachibana.
Fixes #48397.
Built from https://develop.svn.wordpress.org/trunk@46592


git-svn-id: http://core.svn.wordpress.org/trunk@46389 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-26 00:58:04 +00:00
Sergey Biryukov
49007e52bc Build/Test Tools: Add banner to RTL CSS and minified JS files.
Patches occasionally come in on generated files. We should be kind to new contributors and give them a hint that these files are auto-generated.

This is a follow-up to [41271], which added the banner to minified CSS files.

Fixes #48424. See #30666.
Built from https://develop.svn.wordpress.org/trunk@46589


git-svn-id: http://core.svn.wordpress.org/trunk@46386 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-26 00:17:07 +00:00
Sergey Biryukov
654c413990 Comments: Add rel="nofollow ugc" attribute when converting plain URLs to <a> tags in comments via make_clickable().
Introduce `make_clickable_rel` filter for the `rel` value that is added to URL matches converted to links.

This is a follow-up to [46349], which added the `rel="nofollow ugc"` attribute to existing `<a>` tags in comments via `wp_rel_ugc()`.

UGC stands for User Generated Content, and the `ugc` attribute value is recommended for links within user generated content, such as comments and forum posts.

See https://webmasters.googleblog.com/2019/09/evolving-nofollow-new-ways-to-identify.html.

Props blogginglife, SergeyBiryukov.
Reviewed by desrosj, audrasjb.
Fixes #48022.
Built from https://develop.svn.wordpress.org/trunk@46564


git-svn-id: http://core.svn.wordpress.org/trunk@46361 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-21 20:41:04 +00:00
Peter Wilson
5d6cd13597 Docs: Correct documentation typo in print_emoji_detection_script().
Props itowhid06.
Fixes #48298. See #47110.

Built from https://develop.svn.wordpress.org/trunk@46470


git-svn-id: http://core.svn.wordpress.org/trunk@46268 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-13 02:48:01 +00:00
K. Adam White
55560a708f REST API: Do not addslash when receiving meta arrays of non-string values.
Slashing non-string data caused PUT requests containing unmodified meta arrays of integers to fail the check against the existing stored meta value, causing a 500 when posting an unmodified response body back to the server.

Props TimothyBlynJacobs, augustuswm.
Fixes #48264.

Built from https://develop.svn.wordpress.org/trunk@46454


git-svn-id: http://core.svn.wordpress.org/trunk@46252 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-09 17:36:01 +00:00
Sergey Biryukov
8d1e51e9c7 Docs: Add a @since note about new parameters with the spread operator added to function signatures.
Props jrf.
See #47678.
Built from https://develop.svn.wordpress.org/trunk@46451


git-svn-id: http://core.svn.wordpress.org/trunk@46249 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-09 04:28:02 +00:00
Aaron Jorbin
0e21d32900 Build/Test: Bump devDependencies for WordPress 5.3
This upgrades a number of devDependencies. Some of these include changes to how the tasks are configured.

Uglify: There are deprecated options from 2.x to 4.x, see: https://github.com/gruntjs/grunt-contrib-uglify#options

Autoprefixer: Browserslist now warns when passing in the browser list, so that is put into package.json

As with most changes to uglify, this changes every minified JS file.

Fixes #48203.



Built from https://develop.svn.wordpress.org/trunk@46408


git-svn-id: http://core.svn.wordpress.org/trunk@46206 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-05 19:49:10 +00:00
Sergey Biryukov
f1e54593f0 Comments: Remove a one-time variable in wp_rel_nofollow() and wp_rel_ugc().
See #48022.
Built from https://develop.svn.wordpress.org/trunk@46396


git-svn-id: http://core.svn.wordpress.org/trunk@46195 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-05 00:56:57 +00:00
Sergey Biryukov
2afdc64723 Comments: Add rel="nofollow ugc" attribute to links in comments.
UGC stands for User Generated Content, and the `ugc` attribute value is recommended for links within user generated content, such as comments and forum posts.

See https://webmasters.googleblog.com/2019/09/evolving-nofollow-new-ways-to-identify.html.

Props audrasjb, joostdevalk, dkarfa, SergeyBiryukov.
Fixes #48022.
Built from https://develop.svn.wordpress.org/trunk@46349


git-svn-id: http://core.svn.wordpress.org/trunk@46148 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-30 01:30:58 +00:00
John Blackbourn
e36d1bcbd8 Docs: Docblock corrections and improvements, mostly related to various pre_* filters.
See #47110

Built from https://develop.svn.wordpress.org/trunk@46232


git-svn-id: http://core.svn.wordpress.org/trunk@46044 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-21 17:41:57 +00:00
Sergey Biryukov
eb3f420848 Code Modernization: Remove all code using a version_compare() with a PHP version older than PHP 5.6.
Props jrf.
Fixes #48074.
Built from https://develop.svn.wordpress.org/trunk@46214


git-svn-id: http://core.svn.wordpress.org/trunk@46026 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-20 22:02:57 +00:00
Sergey Biryukov
252628652e Script Loader: Introduce HTML5 support for scripts and styles.
When a theme declares HTML5 support for script and styles via `add_theme_support( 'html5', array( 'script', 'style' ) )`, the `type="text/javascript"` and `type="text/css"` attributes are omitted.

These attributes are unnecessary in HTML5 and cause warnings in the W3C Markup Validation Service.

Props sasiddiqui, swissspidy, knutsp, SergeyBiryukov.
See #42804.
Built from https://develop.svn.wordpress.org/trunk@46164


git-svn-id: http://core.svn.wordpress.org/trunk@45976 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-18 14:50:56 +00:00
Sergey Biryukov
6a039a5731 Code Modernisation: Introduce the spread operator in wp-includes/formatting.php.
Rather than relying on `func_get_args()` to retrieve arbitrary function arguments, we can now use the spread operator to assign them directly to a variable.

Props jrf.
See #47678.
Built from https://develop.svn.wordpress.org/trunk@46128


git-svn-id: http://core.svn.wordpress.org/trunk@45940 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-15 11:06:55 +00:00