* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 5.0 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
Built from https://develop.svn.wordpress.org/branches/5.0@49396
git-svn-id: http://core.svn.wordpress.org/branches/5.0@49155 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that `wp_validate_redirect()` sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.
Merges [47947-47951] to the 5.0 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/5.0@47964
git-svn-id: http://core.svn.wordpress.org/branches/5.0@47735 1a063a9b-81f0-0310-95a4-ce76da25c4cd
User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.
Brings the changes in [47633], [47634], [47635], [47636], [47637], and [47638] to the 5.0 branch.
Props: aduth, batmoo, ehti, ellatrix, jorgefilipecosta, nickdaugherty, noisysocks, pento, peterwilsoncc, sergeybiryukov, sstoqnov, talldanwp, westi, westonruter, whyisjake, whyisjake, xknown.
Built from https://develop.svn.wordpress.org/branches/5.0@47647
git-svn-id: http://core.svn.wordpress.org/branches/5.0@47422 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize : on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.
Built from https://develop.svn.wordpress.org/branches/5.0@46915
git-svn-id: http://core.svn.wordpress.org/branches/5.0@46715 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 5.0 branch.
Built from https://develop.svn.wordpress.org/branches/5.0@46492
git-svn-id: http://core.svn.wordpress.org/branches/5.0@46289 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds some special case handling in 'wp_check_filetype_and_ext()' that prevents some common file types from being blocked based on mismatched MIME checks, which were made more strict in WordPress 5.0.1.
Merges [44438], [44439], [44441], and [44442] to the 4.9 branch.
Props Kloon, birgire, tellyworth, joemcgill.
See #45615.
Built from https://develop.svn.wordpress.org/branches/5.0@44443
git-svn-id: http://core.svn.wordpress.org/branches/5.0@44274 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Currently, when viewing the block editor with JavaScript disabled, the user sees a blank admin page with the admin menu sidebar. This adds an admin notice informing the user that JavaScript is required for the new block editor.
Props mkaz, pento, azaozz, ocean90, desrosj.
Merges [44437] to the 5.0 branch.
Fixes#45453.
Built from https://develop.svn.wordpress.org/branches/5.0@44440
git-svn-id: http://core.svn.wordpress.org/branches/5.0@44271 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When existing scripts or styles are updated in default themes, the version numbers in the enqueues should also be bumped to make sure the old files don't cache. This update bumps version numbers for changes since version 5.0, for themes Twenty Eleven through Twenty Nineteen.
Props laurelfulford.
Merges [44382] to the 5.0 branch.
Fixes#45679.
Built from https://develop.svn.wordpress.org/branches/5.0@44434
git-svn-id: http://core.svn.wordpress.org/branches/5.0@44265 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When the original block editor styles were added to the existing default themes, the button blocks were styled to match how each theme styled the `button` tag.
However, the styles should respect the block editor's default style, "Rounded", and allow switching to the other styles, like "Outlined" and "Square".
Props laurelfulford.
Merges [44381] to the 5.0 branch.
Fixes#45541.
Built from https://develop.svn.wordpress.org/branches/5.0@44430
git-svn-id: http://core.svn.wordpress.org/branches/5.0@44260 1a063a9b-81f0-0310-95a4-ce76da25c4cd
On pages and posts with featured images, the top level menu items have a slight transparency on hover, which was being inherited by their submenus. This update removes that inheritance, improving readability and consistency in the menu's appearance.
Props kjellr.
Merges [44368] to the 5.0 branch.
Fixes#45689.
Built from https://develop.svn.wordpress.org/branches/5.0@44427
git-svn-id: http://core.svn.wordpress.org/branches/5.0@44257 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Twenty Seventeen's original styles for the block editor custom colors had some issues: they weren't being applied to the button blocks due to lack of specificity, and when applied to paragraph blocks, there was no padding in the editor. This update makes sure the colors and related styles work as expected.
Props laurelfulford.
Merges [44402] to the 5.0 branch.
Fixes#45426.
Built from https://develop.svn.wordpress.org/branches/5.0@44425
git-svn-id: http://core.svn.wordpress.org/branches/5.0@44255 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The "Continue Reading" link that's generated by the More block is styled to include an arrow next to the text; that arrow shouldn't inherit the text underline style. This update removes it.
Props littlebigthing, kjellr.
Merges [44369] to the 5.0 branch.
Fixes#45715.
Built from https://develop.svn.wordpress.org/branches/5.0@44422
git-svn-id: http://core.svn.wordpress.org/branches/5.0@44252 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Removes `file_exist()` checks before calling `load_script_translations()` to let the determined paths be passed to `load_script_translations()` which provides its own file check and the possibility to filter the path.
Merge of [44418] to the 5.0 branch.
Props swissspidy, johnbillion, ocean90.
Fixes#45769.
Built from https://develop.svn.wordpress.org/branches/5.0@44419
git-svn-id: http://core.svn.wordpress.org/branches/5.0@44249 1a063a9b-81f0-0310-95a4-ce76da25c4cd