- Editor: Bump @wordpress packages for the 5.9 branch,
- Media: Refactor search by filename within the admin,
- REST API: Lockdown post parameter of the terms endpoint,
- Customize: Escape blogname option in underscores templates,
- Query: Validate relation in `WP_Date_Query`,
- Users: Revert use of shared objects for current user,
- Posts, Post types: Apply KSES to post-by-email content,
- General: Validate host on "Are you sure?" screen,
- Posts, Post types: Remove emails from post-by-email logs,
- Pings/trackbacks: Apply KSES to all trackbacks,
- Mail: Reset PHPMailer properties between use,
- Comments: Apply kses when editing comments,
- Widgets: Escape RSS error messages for display.
Merges [54521-54530] to the 5.8 branch.
Props audrasjb, costdev, cu121, dd32, davidbaumwald, ehtis, johnbillion, johnjamesjacoby, martinkrcho, matveb, oztaser, paulkevan, peterwilsoncc, ravipatel, SergeyBiryukov, talldanwp, timothyblynjacobs, tykoted, voldemortensen, vortfu, xknown.
Built from https://develop.svn.wordpress.org/branches/5.8@54548
git-svn-id: http://core.svn.wordpress.org/branches/5.8@54103 1a063a9b-81f0-0310-95a4-ce76da25c4cd
After this change, the relevant `read_private_posts` capability is checked for
each queried post type. This ensures that private posts appear in search and
archive queries for users who have the ability to view those posts.
Props leogermani.
Fixes#13509, #48968, #48556.
Built from https://develop.svn.wordpress.org/trunk@49830
git-svn-id: http://core.svn.wordpress.org/trunk@49549 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Using the canonical function name for PHP functions is strongly recommended, as aliases may be deprecated or removed without (much) warning.
This replaces all uses of the following:
* `join()` with `implode()`
* `sizeof()` with `count()`
* `is_writeable()` with `is_writable()`
* `doubleval()` with a `(float)` cast
In part, this is a follow-up to #47746.
Props jrf.
See #50767.
Built from https://develop.svn.wordpress.org/trunk@49193
git-svn-id: http://core.svn.wordpress.org/trunk@48955 1a063a9b-81f0-0310-95a4-ce76da25c4cd
PHP 8 changes the way string to number comparisons are performed: https://wiki.php.net/rfc/string_to_number_comparison
In particular, checking if an empty string is less than zero in PHP 8 evaluates to `true`, not `false`.
For `WP_Query`, this resulted in unintentionally returning a 404 error for most of front-end requests, instead of the relevant content.
By explicitly casting the value to `int`, we make sure to compare both values as numbers, rather than a string and a number.
Follow-up to [38288].
Props trepmal.
See #50913.
Built from https://develop.svn.wordpress.org/trunk@48960
git-svn-id: http://core.svn.wordpress.org/trunk@48722 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This makes the property consistent with similar properties of other classes:
* `WP_Comment_Query::$found_comments`
* `WP_Network_Query::$found_networks`
* `WP_Site_Query::$found_sites`
* `WP_User_Query::$total_users`
Props birgire, PressLabs.
Fixes#42469.
Built from https://develop.svn.wordpress.org/trunk@48328
git-svn-id: http://core.svn.wordpress.org/trunk@48097 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This ensures that `$pages` and other globals are only used after they have been set up in `setup_postdata()`.
Follow-up to [44941].
Props tessawatkinsllc, dontdream, spacedmonkey, squarecandy, davidbaumwald, SergeyBiryukov.
Fixes#47824. See #42814.
Built from https://develop.svn.wordpress.org/trunk@48114
git-svn-id: http://core.svn.wordpress.org/trunk@47883 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If the post status is not registered, assume it's not public, but still allow access to users with edit permissions (same as for a protected post status, e.g. `draft`), so that they could recover orphaned content.
Add unit tests.
Follow-up to [47178].
Props roytanck, SergeyBiryukov.
Fixes#48653.
Built from https://develop.svn.wordpress.org/trunk@47181
git-svn-id: http://core.svn.wordpress.org/trunk@46981 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, `wp_favicon_request()` was introduced in [13205] to avoid a performance hit of serving a full 404 page on every favicon request.
While working as intended, that implementation did not provide a way for theme or plugin authors to manage the behavior of favicon requests.
This changeset implements the following logic (only applied if WordPress is installed in the root directory):
* If there is a Site Icon set in Customizer, redirect `/favicon.ico` requests to that icon.
* Otherwise, use the WordPress logo as a default icon.
* If a physical `/favicon.ico` file exists, do nothing, let the server handle the request.
Handling `/favicon.ico` is now more consistent with handling `/robots.txt` requests.
New functions and hooks:
* Introduce `is_favicon()` conditional tag to complement `is_robots()`.
* Introduce `do_favicon` action to complement `do_robots` and use it in template loader.
* Introduce `do_favicon()` function, hooked to the above action by default, to complement `do_robots()`.
* Introduce `do_faviconico` action to complement `do_robotstxt`, for plugins to override the default behavior.
* Mark `wp_favicon_request()` as deprecated in favor of `do_favicon()`.
Props jonoaldersonwp, birgire, joostdevalk, mukesh27, SergeyBiryukov.
Fixes#47398.
Built from https://develop.svn.wordpress.org/trunk@47018
git-svn-id: http://core.svn.wordpress.org/trunk@46818 1a063a9b-81f0-0310-95a4-ce76da25c4cd