- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.
Merges [47947-47951] to the 4.8 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/4.8@47980
git-svn-id: http://core.svn.wordpress.org/branches/4.8@47749 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.8 branch.
Built from https://develop.svn.wordpress.org/branches/4.8@46494
git-svn-id: http://core.svn.wordpress.org/branches/4.8@46291 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Overriding pluggable functions in the test suite is asking for trouble in the future. In addition, it means the test suite can't be guaranteed to behave the same as core.
This instead introduces a `send_auth_cookies` filter which can be hooked in during the test suite to prevent these functions from attempting to send cookie headers to the client.
Fixes#39367
Built from https://develop.svn.wordpress.org/trunk@40263
git-svn-id: http://core.svn.wordpress.org/trunk@40183 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change avoids a PHP fatal error that can be encountered when the specified (or generated) source email is an invalid address, such as `wordpress@_`, it makes no effort to set a valid source, only avoid the fatal error.
See #25239 for correcting the email address.
Fixes#39360.
Built from https://develop.svn.wordpress.org/trunk@39655
git-svn-id: http://core.svn.wordpress.org/trunk@39595 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This error code is now... wait for it... `wp_mail_failed`. Previously, this would have been the originating PHPMailer error code, which could be `0`, which would then fail (pass?) the `empty()` check in the `WP_Error` constructor, thereby rendering the error object fairly useless. The PHPMailer error code is now located within the `WP_Error` data.
props Kau-Boy, stephenharris.
fixes#35598.
Built from https://develop.svn.wordpress.org/trunk@39086
git-svn-id: http://core.svn.wordpress.org/trunk@39028 1a063a9b-81f0-0310-95a4-ce76da25c4cd
With the introduction of user-specific languages in [38705] it's necessary to be able to switch translations on the fly. For example emails should be sent in the language of the recipient and not the one of the current user.
This introduces a new `WP_Locale_Switcher` class which is used for switching locales and translations. It holds the stack of locales whenever `switch_to_locale( $locale )` is called. With `restore_previous_locale()` you can restore the previous locale. `restore_current_locale()` empties the stack and sets the locale back to the initial value.
`switch_to_locale()` is added to most of core's email functions, either with the value of `get_locale()` (site language) or `get_user_locale()` (user language with fallback to site language).
Props yoavf, tfrommen, swissspidy, pbearne, ocean90.
See #29783.
Fixes#26511.
Built from https://develop.svn.wordpress.org/trunk@38961
git-svn-id: http://core.svn.wordpress.org/trunk@38904 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* `wp-admin` and `wp-includes` are scanned for classes to autoload
* Several 3rd-party and Ryan McCue-shaped libraries are excluded when the classmap is generated, see `composer.json`: `autoload.exclude-from-classmap`
* `wp-vendor/autoload_52.php` is included at the top of `wp-settings.php` - no changes need to be made to unit tests to include the autoloader
* An avalanche of `require()` and `require_once()` calls that loaded class files have been removed from the codebase.
The following files have been added to `svn:ignore` - they are not 5.2-compatible and fail during pre-commit:
* src/wp-vendor/autoload.php
* src/wp-vendor/composer/autoload_real.php
* src/wp-vendor/composer/autoload_static.php
* src/wp-vendor/composer/ClassLoader.php
We favor these files instead:
* src/wp-vendor/autoload_52.php
* src/wp-vendor/composer/autoload_real_52.php
* src/wp-vendor/composer/ClassLoader52.php
When new PHP classes are added to the codebase, simply run `composer install` or `composer update` from the project root to update the autoloader.
The future is now.
See #36335.
Built from https://develop.svn.wordpress.org/trunk@38399
git-svn-id: http://core.svn.wordpress.org/trunk@38340 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[38058] changed `wp_mail()` so that it used PHPMailer's `setFrom()`
method rather than setting the From and FromName headers directly. See
behavior of setting the `Sender` field. This causes `mail` to be
called with the `-f` flag, which causes outgoing email to fail on some
server environments.
Props Clorith, iandunn, DrewAPicture.
Fixes#37736.
Built from https://develop.svn.wordpress.org/trunk@38286
git-svn-id: http://core.svn.wordpress.org/trunk@38227 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, `wp_mail()` implemented Reply-To as a generic header, using
PHPMailer's `addCustomHeader()`. As such, the email address portion of
the header was being incorrectly encoded when the name portion
contained UTF-8 characters. Switching to PHPMailer's more specific
`addReplyTo()` method fixes the issue.
For greater readability, the handling of all address-related headers
(To, CC, BCC, Reply-To) has been standardized.
Props szepe.viktor, iandunn, bpetty, stephenharris.
Fixes#21659.
Built from https://develop.svn.wordpress.org/trunk@38058
git-svn-id: http://core.svn.wordpress.org/trunk@37999 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This new helper function is used by the pluggable functions `wp_get_current_user()` and `get_currentuserinfo()`, which was previously being called by the former before [36311]. Without it, infinite loops could be caused when plugins implement these functions, as they are now called the other way around.
Fixes#19615.
Built from https://develop.svn.wordpress.org/trunk@36651
git-svn-id: http://core.svn.wordpress.org/trunk@36618 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduces `wp_authenticate_email_password()` which is hooked into `authenticate` after `wp_authenticate_username_password()`.
Props Denis-de-Bernardy, ericlewis, vhomenko, MikeHansenMe, swissspidy, ocean90.
Fixes#9568.
Built from https://develop.svn.wordpress.org/trunk@36617
git-svn-id: http://core.svn.wordpress.org/trunk@36584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Brings some love to this neglected screen:
* format `comment_content`, instead of escaping in one massive block of text
* only wrap the comment date in a link if the comment permalink exists
* include link to the Edit Comment screen at the bottom of the comment_content
* update the message styles to match other screens
* append `#wpbody-content` to the comment email message links for accessibility
Props johnbillion, rachelbaker, afercia, melchoyce, karmatosed.
Fixes#34133
Built from https://develop.svn.wordpress.org/trunk@36588
git-svn-id: http://core.svn.wordpress.org/trunk@36555 1a063a9b-81f0-0310-95a4-ce76da25c4cd
