* `$user_login` in the `login` action is already escaped on output.
* `$user_login` and `$user_email` in the `register` action are already unslashed a few lines above.
Follow-up to [3120], [4339], [8454], [11104], [23416], [23554], [23594], [46640].
Props johnjamesjacoby, rajinsharwar, narenin.
Fixes #55335.
Built from https://develop.svn.wordpress.org/trunk@58623
git-svn-id: http://core.svn.wordpress.org/trunk@58056 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Remove the `action` attribute in the login language selector, privacy forms, and classic widget forms.
An empty `action` attribute is invalid HTML4 and unsupported HTML5. The `action` attribute is optional, but must have a valid URL when provided.
Props Malae, audrasjb, bartkleinreesink, nicolefurlan, shubhamsedani, costdev, peterwilsoncc, rajinsharwar, joedolson.
Fixes #58226.
Built from https://develop.svn.wordpress.org/trunk@57295
git-svn-id: http://core.svn.wordpress.org/trunk@56801 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When the `wp_login_errors` filter is used to add an error message followed by an instructional message, the former was not displayed and the latter was erroneously displayed twice above the login form.
This commit ensures that the error message is displayed as expected.
Follow-up to [56654].
Props mapumba.
Fixes #59983.
Built from https://develop.svn.wordpress.org/trunk@57142
git-svn-id: http://core.svn.wordpress.org/trunk@56653 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This was causing a `_doing_it_wrong()` notice from `wp_remove_surrounding_empty_script_tags()`. In fact, the `type` attribute was added in [56748] to test this incorrect usage notice. This commit reverts that change.
Follow-up to [56748].
Unprops westonruter.
See #58664.
Built from https://develop.svn.wordpress.org/trunk@56750
git-svn-id: http://core.svn.wordpress.org/trunk@56262 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Add `wp_remove_surrounding_empty_script_tags()` to more precisely remove script tag wrappers and warn when doing it wrong.
* Add clarifying comments for XML escaping logic in `wp_get_inline_script_tag()`.
* Leverage `WP_HTML_Tag_Processor` in `test_remove_frameless_preview_messenger_channel`.
* Reuse `assertEqualMarkup` in `test_blocking_dependent_with_delayed_dependency`.
* Normalize whitespace in `parse_markup_fragment` for `assertEqualMarkup`.
Follow-up to [56687].
Props dmsnell, westonruter, flixos90.
See #58664.
Built from https://develop.svn.wordpress.org/trunk@56748
git-svn-id: http://core.svn.wordpress.org/trunk@56260 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Using script tag helper functions allows plugins to employ the `wp_script_attributes` and `wp_inline_script_attributes` filters to inject the `nonce` attribute to apply Content Security Policy (e.g. Strict CSP). Use of helper functions also simplifies logic in `WP_Scripts`.
* Update `wp_get_inline_script_tag()` to wrap inline script in CDATA blocks for XHTML-compatibility when not using HTML5.
* Ensure the `type` attribute is printed first in `wp_get_inline_script_tag()` for back-compat.
* Wrap existing `<script>` tags in output buffering to retain IDE support.
* In `wp_get_inline_script_tag()`, append the newline to `$javascript` before it is passed into the `wp_inline_script_attributes` filter so that the CSP hash can be computed properly.
* In `the_block_template_skip_link()`, opt to enqueue the inline script rather than print it.
* Add `ext-php` to `composer.json` under `suggest` as previously it was an undeclared dependency for running PHPUnit tests.
* Update tests to rely on `DOMDocument` to compare script markup, normalizing unsemantic differences.
Props westonruter, spacedmonkey, flixos90, 10upsimon, dmsnell, mukesh27, joemcgill, swissspidy, azaozz.
Fixes #58664.
See #39941.
Built from https://develop.svn.wordpress.org/trunk@56687
git-svn-id: http://core.svn.wordpress.org/trunk@56199 1a063a9b-81f0-0310-95a4-ce76da25c4cd
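The nonce injection this commit message describes, shown as an added example from a plugin's point of view (not code from the changeset or from WordPress core). The plugin header, the `example_csp_*` function names, the choice of the `login_init` hook and the policy string are assumptions made for illustration; the policy is sent in report-only mode so that scripts printed without the helper functions are reported rather than blocked.

```php
<?php
/**
 * Plugin Name: Example CSP Nonce (constructed example, not part of WordPress core)
 */

/**
 * Hypothetical helper: returns one random nonce per request.
 * The same value must appear in the header and on every script tag.
 */
function example_csp_nonce() {
	static $nonce = null;
	if ( null === $nonce ) {
		// 18 random bytes encode to 24 base64 characters with no padding.
		$nonce = base64_encode( random_bytes( 18 ) );
	}
	return $nonce;
}

/**
 * Adds the nonce attribute to script tags built by the helper functions.
 * Registered on both filters named in the commit message.
 */
function example_csp_add_nonce( $attributes ) {
	if ( ! isset( $attributes['nonce'] ) ) {
		$attributes['nonce'] = example_csp_nonce();
	}
	return $attributes;
}
add_filter( 'wp_script_attributes', 'example_csp_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'example_csp_add_nonce' );

/**
 * Sends the matching policy before wp-login.php prints any markup.
 * Report-only: violations are reported in the browser, nothing is blocked.
 */
function example_csp_send_header() {
	if ( headers_sent() ) {
		return;
	}
	header(
		sprintf(
			"Content-Security-Policy-Report-Only: script-src 'nonce-%s' 'strict-dynamic'; object-src 'none'; base-uri 'none'",
			example_csp_nonce()
		)
	);
}
add_action( 'login_init', 'example_csp_send_header' );
```

Any `<script>` tag that is echoed directly instead of going through the helper functions never passes these filters and will show up as a violation in the browser console.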
Improve markup on Login and Registration errors. Use list markup for multiple issues, paragraph when only one to reduce semantic burden in the most common case. Normalize classes and markup for wrapper using `wp_admin_notice()` and `wp_get_admin_notice()` functions. Move definition of those functions from `wp-admin\includes\misc.php` to `wp-includes\functions.php`. Move tests to functions group.
Props extendwings, sabernhardt, afercia, lukecavanagh, rianrietveld, oglekler, sergeybiryukov, costdev, joedolson.
Fixes #30685.
Built from https://develop.svn.wordpress.org/trunk@56654
git-svn-id: http://core.svn.wordpress.org/trunk@56166 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This introduces classes for the "Log in", "Register" and "Lost your password?" links in the footer of `wp-login.php` forms so that they may be easily targeted for individual styling.
The new classes are:
- `.wp-login-log-in`
- `.wp-login-register`
- `.wp-login-lost-password`
Props wparslan, thomasplevy, rajinsharwar, audrasjb, joedolson, costdev.
Fixes #57590.
Built from https://develop.svn.wordpress.org/trunk@56628
git-svn-id: http://core.svn.wordpress.org/trunk@56140 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This is a micro-optimization that removes a few unnecessary function calls.
Follow-up to [31188], [34369], [38986], [41159], [43211], [43230], [44606], [45757].
Props ayeshrajans, jrf, rajinsharwar, costdev, mukesh27, SergeyBiryukov.
Fixes #58943.
Built from https://develop.svn.wordpress.org/trunk@56352
git-svn-id: http://core.svn.wordpress.org/trunk@55864 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).
WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [55988], [55990], [56014], [56021], [56031], [56032], [56065], [56241].
See #58206.
Built from https://develop.svn.wordpress.org/trunk@56245
git-svn-id: http://core.svn.wordpress.org/trunk@55757 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).
WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987].
Props Soean, spacedmonkey, costdev, dingo_d, azaozz, mikeschroder, flixos90, peterwilsoncc, SergeyBiryukov.
Fixes #58206.
Built from https://develop.svn.wordpress.org/trunk@55988
git-svn-id: http://core.svn.wordpress.org/trunk@55500 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_starts_with()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins with the given substring (needle).
WordPress core includes a polyfill for `str_starts_with()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `0 === strpos( ... )` with `str_starts_with()` in core files, making the code more readable and consistent, as well as improving performance.
While `strpos()` is slightly faster than the polyfill on PHP < 8.0, `str_starts_with()` is noticeably faster on PHP 8.0+, as it is optimized to avoid unnecessarily searching along the whole haystack if it does not find the needle.
Follow-up to [52039], [52040], [52326].
Props spacedmonkey, costdev, sabernhardt, mukesh27, desrosj, jorbin, TobiasBg, ayeshrajans, lgadzhev, SergeyBiryukov.
Fixes #58012.
Built from https://develop.svn.wordpress.org/trunk@55703
git-svn-id: http://core.svn.wordpress.org/trunk@55215 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to provide better context for translators and make it easier to determine that some strings contain hidden accessibility text and are not displayed in the UI.
Props kebbet, mercime, pavelevap, ocean90, swissspidy, Chouby, jipmoors, afercia, desrosj, costdev, audrasjb, SergeyBiryukov.
Fixes #29748.
Built from https://develop.svn.wordpress.org/trunk@55276
git-svn-id: http://core.svn.wordpress.org/trunk@54809 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset adds the `spellcheck="false"` attribute to various password fields.
The spellcheck global attribute defines whether the element may be checked for spelling errors. The `false` value indicates that the element should not be checked for spelling errors, which is relevant for a password field.
Furthermore, and as per MDN specs, using spellchecking can have consequences for users' security and privacy. The specification does not regulate how spellchecking is done and the content of the element may be sent to a third party for spellchecking results. Thus, it is recommended to set the `spellcheck` attribute to `false` for elements that can contain sensitive information, which is the case for password fields.
Props dziudek, audrasjb, gainesm, fosuahmed.
Fixes #56763.
Built from https://develop.svn.wordpress.org/trunk@55094
git-svn-id: http://core.svn.wordpress.org/trunk@54627 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates some inline comments to better match the guidelines and recommendations set forth in the make/core and make/docs handbooks:
> In general, use second person in your documentation. Second person depicts a friendly tone, with a perfect focus on the reader. In addition to this, directly addressing the reader helps avoid passive voice; thereby preventing unwanted confusion.
> ...
> the word “we” should be avoided (...) unless it's made very clear which group is speaking.
Includes:
* Replacing first-person usage of "we" with second person point of view.
* Making small clarification adjustments where the voice is much too casual or lacks clear context, especially for non-native English speakers.
References:
* [https://make.wordpress.org/docs/style-guide/language-grammar/grammatical-person/ Style Guide: Grammatical person]
* [https://make.wordpress.org/docs/handbook/documentation-team-handbook/handbooks-style-and-formatting-guide/ Handbooks & HelpHub Style and Formatting Guide]
* [https://make.wordpress.org/core/handbook/best-practices/post-comment-guidelines/#style-and-substance Post & Comment Guidelines: Style and Substance]
Follow-up to [2176], [3430], [4676], [6009], [7991], [12688], [12762], [26008], [28978], [44488], [44962], [51979], [53131], [53132], [53156], [53131], [54200].
Props ironprogrammer, costdev, jorbin, SergeyBiryukov.
See #57052.
Built from https://develop.svn.wordpress.org/trunk@54866
git-svn-id: http://core.svn.wordpress.org/trunk@54418 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This affects:
* The `wp_lostpassword_url()` function.
* The `lost_password_html_link` filter.
The filter description was copied from the function, which appears to be not quite accurate, as the lost password can only be reset, not retrieved.
Follow-up to [11448], [54206].
See #55646.
Built from https://develop.svn.wordpress.org/trunk@54224
git-svn-id: http://core.svn.wordpress.org/trunk@53783 1a063a9b-81f0-0310-95a4-ce76da25c4cd
On the login page, the "Register" link for new users has been filterable for some time. This change adds the ability to filter the "Lost your password?" link as well.
Props wparslan, audrasjb, rafiahmedd, SergeyBiryukov, antonvlasenko, hellofromTonya.
Fixes #55388.
Built from https://develop.svn.wordpress.org/trunk@54206
git-svn-id: http://core.svn.wordpress.org/trunk@53765 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage.
Follow-up to [11383], [13096], [51597], [53452].
Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes #55852.
Built from https://develop.svn.wordpress.org/trunk@53455
git-svn-id: http://core.svn.wordpress.org/trunk@53044 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Prevent users from using the password reset form to set their password to whitespace alone (tabs, spaces). This matches the processing used during the authentication flow, ensuring users do not inadvertently get locked out of their account.
Props antonrinas, swissspidy, voldemortensen, hellofromTonya, henry.wright, costdev.
Fixes #35500.
Built from https://develop.svn.wordpress.org/trunk@53067
git-svn-id: http://core.svn.wordpress.org/trunk@52656 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Set valid autocomplete attributes for registration and login fields for username, email, and current password. Autocomplete values are required in WCAG 2.1 at level AA for login forms.
Props johnjamesjacoby, dhanendran, rianrietveld, joedolson, peterwilsoncc.
Fixes #41136.
Built from https://develop.svn.wordpress.org/trunk@53041
git-svn-id: http://core.svn.wordpress.org/trunk@52630 1a063a9b-81f0-0310-95a4-ce76da25c4cd
During password resets, the "Generate Password" button has an `aria-expanded="true"` attribute, but the button itself does not expand or collapse anything. This change adds a `skip-aria-expanded` class to the button which is referenced in JavaScript to skip updating the `aria-expanded` attribute on the button itself when clicked.
This change also resets the `aria-expanded` attribute to `false` for the parent form after it's submitted.
Props alexstine, johnjamesjacoby, sabernhardt.
Fixes #54538.
Built from https://develop.svn.wordpress.org/trunk@52450
git-svn-id: http://core.svn.wordpress.org/trunk@52042 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change adds better consistency with the other `*_dropdown_args` filters, like `taxonomy_parent_dropdown_args` or `widget_archives_dropdown_args`. It is also more consistent with the new `login_display_language_dropdown` filter.
Props SergeyBiryukov, faisal03.
Fixes #54696.
Built from https://develop.svn.wordpress.org/trunk@52435
git-svn-id: http://core.svn.wordpress.org/trunk@52027 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change renames two filters introduced in the WP 5.9 development cycle. It replaces `display_login_language_dropdown` with `login_display_language_dropdown` and `wp_login_language_switcher_args` with `login_language_switcher_args`, for better consistency with the other existing `login_*` filters.
Props kebbet, mukesh27, audrasjb, Clorith, hellofromTonya.
Fixes #54696.
Built from https://develop.svn.wordpress.org/trunk@52432
git-svn-id: http://core.svn.wordpress.org/trunk@52024 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change introduces the `display_login_language_dropdown` filter, which allows disabling the Login screen language dropdown.
Follow-up to [52058].
Props rickcurran, audrasjb, ocean90, hellofromtonya, costdev, johnbillion.
Fixes #54675.
Built from https://develop.svn.wordpress.org/trunk@52404
git-svn-id: http://core.svn.wordpress.org/trunk@51996 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Although auto-focusing form fields can be arguable in some cases, it makes sense when there is a very specific task to accomplish and when there is no relevant content before the auto-focused field.
This change brings consistency between various forms generated by `wp-login.php`.
Props afercia, donmhico, sabernhardt.
Fixes #40302.
Built from https://develop.svn.wordpress.org/trunk@52193
git-svn-id: http://core.svn.wordpress.org/trunk@51785 1a063a9b-81f0-0310-95a4-ce76da25c4cd
On user registration, the `$errors` variable is the result of `register_new_user` which contains either the newly registered user's ID on success or a `WP_Error` object on failure. This change passes that context to the `registration_redirect` filter.
Props Collizo4sky, aadilali, mukesh27, audrasjb.
Fixes #53992.
Built from https://develop.svn.wordpress.org/trunk@52091
git-svn-id: http://core.svn.wordpress.org/trunk@51683 1a063a9b-81f0-0310-95a4-ce76da25c4cd