- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.6 branch.
Built from https://develop.svn.wordpress.org/branches/4.6@46496
git-svn-id: http://core.svn.wordpress.org/branches/4.6@46293 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Also use 'back-compat' in some inline comments where backward compatibility is the subject and shorthand feels more natural.
Note: 'backwards compatibility/compatibile' can also be considered correct, though it's primary seen in regular use in British English.
Props ocean90.
Fixes#36835.
Built from https://develop.svn.wordpress.org/trunk@37431
git-svn-id: http://core.svn.wordpress.org/trunk@37397 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Allow the adding of post-thumbnail support for one or more post_types without unsetting any previously added post_types. This matches the behavior of other uses of `add_theme_support()` and the expectations of a function with a prefix of “add”.
To unset post-thumbnail support use `remove_theme_support()` instead.
Fixes#22080
Props alexkingorg, jmichaelward, and flixos90.
Built from https://develop.svn.wordpress.org/trunk@37308
git-svn-id: http://core.svn.wordpress.org/trunk@37274 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Allows themes to specify the desired width and height of logos, and whether
that is flexible or not. Has the benefit of not having to generate a logo-sized
file for every image uploaded.
Props westonruter, celloexpressions.
Fixes#36255.
Built from https://develop.svn.wordpress.org/trunk@37077
git-svn-id: http://core.svn.wordpress.org/trunk@37044 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Introduces `customize-selective-refresh-widgets` theme support feature and adds to themes.
* Introduces `customize_selective_refresh` arg for `WP_Widget::$widget_options` and adds to all core widgets.
* Remove `selective_refresh` from being a component that can be removed via `customize_loaded_components` filter.
* Add `WP_Customize_Widgets::get_selective_refreshable_widgets()` and `WP_Customize_Widgets::is_widget_selective_refreshable()`.
* Fix default `selector` for `Partial` instances.
* Implement and improve Masronry sidebar refresh logic in Twenty Thirteen and Twenty Fourteen, including preservation of initial widget position after refresh.
* Re-initialize ME.js when refreshing `Twenty_Fourteen_Ephemera_Widget`.
See #27355.
Fixes#35855.
Built from https://develop.svn.wordpress.org/trunk@37040
git-svn-id: http://core.svn.wordpress.org/trunk@37007 1a063a9b-81f0-0310-95a4-ce76da25c4cd
An unintended consequence of improving the precommit task is that when it's time to run a release, more tasks need to get run to verify things. This adds a prerelease task to help fix that situation. grunt prerelease should include tasks that verify the code base is ready to be released to the wild and find all the tears on the mausoleum floor and help Blood stain the Colosseum doors.
See #35557
Built from https://develop.svn.wordpress.org/trunk@36930
git-svn-id: http://core.svn.wordpress.org/trunk@36898 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In `populate_options()`, if the theme specified by `WP_DEFAULT_THEME` doesn't exist, fall back to the latest core default theme. If we can't find a core default theme, `WP_DEFAULT_THEME` is the best we can do.
Props nacin, jeremyfelt, dd32.
See #34306.
Built from https://develop.svn.wordpress.org/trunk@35738
git-svn-id: http://core.svn.wordpress.org/trunk@35702 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduces more flexibility in filtering all parts of the document title,the
separator, and a way to short-circuit title generation. Plugins can now also
check for theme support and reliably filter the entire output. See #18548.
Deprecates `wp_title()`.
Fixes#31078.
Built from https://develop.svn.wordpress.org/trunk@35294
git-svn-id: http://core.svn.wordpress.org/trunk@35260 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `WP_INSTALLING` constant is a flag that WordPress sets in a number of
places, telling the system that options should be fetched directly from the
database instead of from the cache, that WP should not ping wordpress.org for
updates, that the normal "not installed" checks should be bypassed, and so on.
A constant is generally necessary for this purpose, because the flag is
typically set before the WP bootstrap, meaning that WP functions are not yet
available. However, it is possible - notably, during `wpmu_create_blog()` -
for the "installing" flag to be set after WP has already loaded. In these
cases, `WP_INSTALLING` would be set for the remainder of the process, since
there's no way to change a constant once it's defined. This, in turn, polluted
later function calls that ought to have been outside the scope of site
creation, particularly the non-caching of option data. The problem was
particularly evident in the case of the automated tests, where `WP_INSTALLING`
was set the first time a site was created, and remained set for the rest of the
suite.
The new `wp_installing()` function allows developers to fetch the current
installation status (when called without any arguments) or to set the
installation status (when called with a boolean `true` or `false`). Use of
the `WP_INSTALLING` constant is still supported; `wp_installing()` will default
to `true` if the constant is defined during the bootstrap.
Props boonebgorges, jeremyfelt.
See #31130.
Built from https://develop.svn.wordpress.org/trunk@34828
git-svn-id: http://core.svn.wordpress.org/trunk@34793 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Themes can ( and do ) but shouldn't include custom rewrite rules.This can lead to hard to debug issues for theme authors. Theme changes are not a ultra common conclusion. Flushing the rewrite rules on theme switch will lead to a clean slate for each theme which helps make debugging easier.
And @nacin said we should do this 5 years ago at WordCamp Mid Atlantic.
Fixes#14849
Built from https://develop.svn.wordpress.org/trunk@34028
git-svn-id: http://core.svn.wordpress.org/trunk@33997 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fixes a bug where `$new_theme` got set before the second argument was
appropriately handled, causing the `current_theme` option to later always be
updated to the parent theme's name.
Introduced in [21131].
Props obenland, wonderboymusic.
Fixes#32635.
Built from https://develop.svn.wordpress.org/trunk@33815
git-svn-id: http://core.svn.wordpress.org/trunk@33783 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The pre-3.4 theme previewer doesn't work when using a static front page.
We kept the old theme preview for no-JS and some browsers that were less capable. But since browsers are doing a better job today we don't need to continue fixing/shipping this legacy code. Bye!
fixes#33178.
Built from https://develop.svn.wordpress.org/trunk@33492
git-svn-id: http://core.svn.wordpress.org/trunk@33459 1a063a9b-81f0-0310-95a4-ce76da25c4cd