Update the security policy displayed on GitHub, `SECURITY.md`, to refer visitors to the [https://hackerone.com/wordpress HackerOne WordPress program] for the full policy.
This allows the project to maintain a single source of truth and avoid the potential for conflicting information across the two sites.
Props desrosj, hellofromTonya, costdev.
Fixes #57937.
Built from https://develop.svn.wordpress.org/trunk@55670
git-svn-id: http://core.svn.wordpress.org/trunk@55182 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Comments created by means of a tag closer with an invalid tag name, e.g. `</3>`.
- Comments closed with the invalid `--!>` closer. (Comments should be closed by `-->` but if the `!` appears it will also close it, in error.)
- Empty tag name elements, which are technically skipped over and aren't comments, e.g. `</>`.
Props dmsnell, costdev.
Fixes #58007.
Built from https://develop.svn.wordpress.org/trunk@55667
git-svn-id: http://core.svn.wordpress.org/trunk@55179 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This replaces a site ID comparison when displaying action links in `WP_MS_Sites_List_Table::handle_row_actions()` with a dedicated function call, `is_main_site()`, for clarity.
Follow-up to [13918], [25125], [26120], [32644], [38814].
Props ecorica, spacedmonkey, SergeyBiryukov.
Fixes #58150.
Built from https://develop.svn.wordpress.org/trunk@55666
git-svn-id: http://core.svn.wordpress.org/trunk@55178 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to bring more consistency between the functions, as well as in filter parameters.
Includes minor code layout fixes for better readability.
Follow-up to [45667], [47287], [48579], [53719], [53723], [55308].
See #57839.
Built from https://develop.svn.wordpress.org/trunk@55660
git-svn-id: http://core.svn.wordpress.org/trunk@55172 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When setting a new value for an attribute multiple times and providing
multiple case variations of the attribute name the Tag Processor has
been appending multiple copies of the attribute into the updated HTML.
This means that only the first attribute set determines the value in
the final output, plus the output will //appear// wrong.
In this patch we're adding a test to catch the situation and resolving it
by using the appropriate comparable attribute name as a key for storing
the updates as we go. Previously we stored updates to the attribute by
its given `$name`, but when a new update of the same name with a
case variant was queued, it would not override the previously-enqueued
value as it ought to have.
Props dmsnell, zieladam.
Fixes #58146.
Built from https://develop.svn.wordpress.org/trunk@55659
git-svn-id: http://core.svn.wordpress.org/trunk@55171 1a063a9b-81f0-0310-95a4-ce76da25c4cd
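The failure mode described in the commit message above, as an added example that is not WordPress core code: a simplified model of an attribute-update queue, keyed first by the given `$name` and then by a comparable (lowercased) name. The class `Attribute_Update_Queue` and its methods are hypothetical, and `htmlspecialchars()` stands in for the Tag Processor's own escaping.

```php
<?php
// Added illustration: a simplified model, not WP_HTML_Tag_Processor.
// Class and method names are hypothetical.

final class Attribute_Update_Queue {
    /** @var array<string, string> Queue key => serialized attribute. */
    private array $updates = array();

    private bool $use_comparable_key;

    public function __construct( bool $use_comparable_key ) {
        $this->use_comparable_key = $use_comparable_key;
    }

    public function set_attribute( string $name, string $value ): void {
        // HTML attribute names are ASCII case-insensitive, so "data-enabled"
        // and "DATA-enabled" name the same attribute and must share one key.
        $key = $this->use_comparable_key ? strtolower( $name ) : $name;

        $this->updates[ $key ] = sprintf(
            '%s="%s"',
            $name,
            htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' )
        );
    }

    public function render( string $tag_name ): string {
        return '<' . $tag_name . ' ' . implode( ' ', $this->updates ) . '>';
    }
}

// Constructed input: the same attribute set twice with a case variation.
foreach ( array( false, true ) as $use_comparable_key ) {
    $queue = new Attribute_Update_Queue( $use_comparable_key );
    $queue->set_attribute( 'data-enabled', 'no' );
    $queue->set_attribute( 'DATA-enabled', 'yes' );

    printf(
        "%-26s %s\n",
        $use_comparable_key ? 'keyed by comparable name:' : 'keyed by given name:',
        $queue->render( 'div' )
    );
}
```

With the given-name key both copies are emitted, and an HTML parser keeps only the first duplicate attribute, so the later update never takes effect. With the comparable key the second call replaces the first.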
* Replace `preg_match_all()` and its secondary `str_replace()` call with `preg_replace_callback()`.
* Fix case where paths beginning with `http` and `https` (but not `http:` and `https:`) were erroneously not counted as relative.
* Improve code style and readability by consolidating conditions and returning once.
* Use `str_starts_with()` consistently instead of `strpos()`.
Follow-up to [52036], [52695], and [52754].
Fixes #58069.
See #54243.
Built from https://develop.svn.wordpress.org/trunk@55658
git-svn-id: http://core.svn.wordpress.org/trunk@55170 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Cache the results of database queries within `WP_User_Query` class. Only cache queries that are requesting 3 or fewer fields so that caches are not storing full user objects. Cache results are stored in a new global cache group named `users-queries`. Add a new parameter to `WP_User_Query` called `cache_results` to allow developers to opt out of receiving cached results. `cache_results` parameter defaults to true. Also add a new helper function called `wp_cache_set_users_last_changed`, similar to `wp_cache_set_posts_last_changed`, that increments last changed value in cache group `users`. Ensure that `wp_cache_set_users_last_changed` is called whenever user / user meta is modified for proper cache invalidation.
Props johnjamesjacoby, spacedmonkey, westi, dd32, strategio, srikanthmeenakshi, OllieJones, khoipro, rjasdfiii, flixos90, mukesh27, peterwilsoncc.
Fixes #40613.
Built from https://develop.svn.wordpress.org/trunk@55657
git-svn-id: http://core.svn.wordpress.org/trunk@55169 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset combines text strings for "Previous Comments" and "Next Comments" links to ensure translators can control word order in each string. The `span` tags are included in the translation to give more control over what is hidden on small screens.
Props sabernhardt.
Fixes #58149.
Built from https://develop.svn.wordpress.org/trunk@55655
git-svn-id: http://core.svn.wordpress.org/trunk@55167 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This resolves a WPCS warning:
{{{
Variable "$myHTML" is not in valid snake_case format, try "$my_h_t_m_l"
}}}
It also matches other formatting functions with the `$text` parameter, e.g. `esc_html()`, `ent2ncr()`, etc.
Follow-up to [1727], [3717], [8662], [8743], [54927].
Props victoranto, audrasjb, jrf.
Fixes #58129.
Built from https://develop.svn.wordpress.org/trunk@55651
git-svn-id: http://core.svn.wordpress.org/trunk@55163 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Initialize attachment custom fields during the `add` callback, so that fields are present as soon as an attachment is uploaded but do not refresh when field values are changed. Follow up to #40909.
Props trepmal, adamsilverstein, joedolson.
Fixes #58051.
Built from https://develop.svn.wordpress.org/trunk@55649
git-svn-id: http://core.svn.wordpress.org/trunk@55161 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This resolves 37 WPCS warnings along the lines of:
{{{
Variable "$qtInit" is not in valid snake_case format, try "$qt_init"
Variable "$mceInit" is not in valid snake_case format, try "$mce_init"
}}}
Follow-up to [18498].
See #57839.
Built from https://develop.svn.wordpress.org/trunk@55648
git-svn-id: http://core.svn.wordpress.org/trunk@55160 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `wp-admin/media.php` file was introduced in [7262], then removed from the Media workflow in [21948].
This changeset finally deprecates it as it is not used anymore.
Follow-up to [7262], [21948].
Props kebbet, costdev, SergeyBiryukov, jrf, antpb, audrasjb.
Fixes #57612.
See #6181, #21391, #57608.
Built from https://develop.svn.wordpress.org/trunk@55647
git-svn-id: http://core.svn.wordpress.org/trunk@55159 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `style-variations` tag was recently added on the Theme repository. As Twenty Twenty-Three proposes several Style variations, let's add a `style-variations` tag to the header of its stylesheet.
Props kafleg, SergeyBiryukov, mukesh27.
Fixes #58110.
See meta#6545.
Built from https://develop.svn.wordpress.org/trunk@55643
git-svn-id: http://core.svn.wordpress.org/trunk@55155 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Per [https://developer.wordpress.org/coding-standards/wordpress-coding-standards/php/#writing-include-require-statements WordPress PHP coding standards], it is ''strongly recommended'' to use `require[_once]` for unconditional includes. When using `include[_once]`, PHP will throw a warning when the file is not found but will continue execution, which will almost certainly lead to other errors/warnings/notices being thrown if your application depends on the file loaded, potentially leading to security leaks. For that reason, `require[_once]` is generally the better choice as it will throw a `Fatal Error` if the file cannot be found.
Follow-up to [1674], [1812], [1964], [6779], [8540], [10521], [11005], [11911], [16065], [16149], [25421], [25466], [25823], [37714], [42981], [45448], [47198], [54276], [55633].
Props kausaralm, SergeyBiryukov.
See #57839.
Built from https://develop.svn.wordpress.org/trunk@55641
git-svn-id: http://core.svn.wordpress.org/trunk@55153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset replaces a `notice-updated` class with `notice-success` to fix an issue where the notices were using a gray border color instead of green when enabling or disabling a theme for a network.
Follow-up to [55418].
Props ocean90, audrasjb, marineevain, SergeyBiryukov, dhrumilk, chiragrathod103.
Fixes #58096.
Built from https://develop.svn.wordpress.org/trunk@55637
git-svn-id: http://core.svn.wordpress.org/trunk@55149 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Per [https://developer.wordpress.org/coding-standards/wordpress-coding-standards/php/#writing-include-require-statements WordPress PHP coding standards], it is ''strongly recommended'' to use `require[_once]` for unconditional includes. When using `include[_once]`, PHP will throw a warning when the file is not found but will continue execution, which will almost certainly lead to other errors/warnings/notices being thrown if your application depends on the file loaded, potentially leading to security leaks. For that reason, `require[_once]` is generally the better choice as it will throw a `Fatal Error` if the file cannot be found.
Follow-up to [49216], [49633].
Props wpfy.
See #57839.
Built from https://develop.svn.wordpress.org/trunk@55633
git-svn-id: http://core.svn.wordpress.org/trunk@55145 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In a recent change, `comment_time()` was updated to accept a `$comment_id` parameter for consistency with `comment_date()`, following a similar change for `get_comment_time()`.
However, the new parameter was not correctly passed to `get_comment_time()` inside the function. It should be passed as the fourth parameter after `$format`, `$gmt` and `$translate`, not the second.
This commit adds the missing arguments and a few unit tests to confirm the correct behavior.
Follow-up to [55284], [55287], [55308].
Props costdev, tmatsuur, ugyensupport, johnbillion.
Fixes #58064.
Built from https://develop.svn.wordpress.org/trunk@55632
git-svn-id: http://core.svn.wordpress.org/trunk@55144 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This ensures that the translator comments are displayed for the strings they refer to, e.g. to explain placeholders in comment action messages, and are not displayed for unrelated strings, e.g. "Undo", to avoid confusion.
Includes minor code layout fixes and wrapping a few long lines for better readability.
Follow-up to [35549], [45926], [45932].
Props afercia.
See #57839.
Built from https://develop.svn.wordpress.org/trunk@55630
git-svn-id: http://core.svn.wordpress.org/trunk@55142 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The XML manifest was originally added in WordPress 2.3.1 to turn on tagging support in Windows Live Writer.
Given that the last major release of the software came out in 2012, and it was completely discontinued in January 2017, including this file in core no longer provides any benefit.
Follow-up to [6192], [49904].
Props joostdevalk, ayeshrajans, flixos90, jhabdas, frank-klein, wtranch, SergeyBiryukov.
Fixes #41404.
Built from https://develop.svn.wordpress.org/trunk@55620
git-svn-id: http://core.svn.wordpress.org/trunk@55132 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In this patch we're adding `has_self_closing_flag()` to the HTML Tag Processor.
This exposes whether a currently-matched tag contains the self-closing flag `/`.
This information is critical for the evolution of the HTML API in order
to track and parse HTML structure, specifically, knowing whether an
HTML foreign element is self-closing or not.
Props dmsnell, zieladam.
Fixes #58009.
Built from https://develop.svn.wordpress.org/trunk@55619
git-svn-id: http://core.svn.wordpress.org/trunk@55131 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds the missing mentions of default value for the `$file` and `$parent_post_id` parameters.
Follow-up to [2921], [3092], [3303], [3851], [6155], [6379], [8669], [15590], [28788], [38408], [49936], [55021].
Props wpfy.
Fixes #58043.
Built from https://develop.svn.wordpress.org/trunk@55617
git-svn-id: http://core.svn.wordpress.org/trunk@55129 1a063a9b-81f0-0310-95a4-ce76da25c4cd
It is best to always escape the complete value of an attribute, not a partial value, as otherwise the escaping could be (partially) undone when the values are joined together.
While the hardcoded prefix/suffix values in this case don't necessarily create that risk, those may change to values which could be problematic, so making it a habit to escape the value in one go is best practice.
Includes:
* Moving a few `esc_url()` calls closer to the actual output and escaping the hash parts too.
* Wrapping a few long lines for better readability.
Follow-up to [14248], [23707], [42217], [55615].
Props jrf, SergeyBiryukov.
Fixes #57110.
Built from https://develop.svn.wordpress.org/trunk@55616
git-svn-id: http://core.svn.wordpress.org/trunk@55128 1a063a9b-81f0-0310-95a4-ce76da25c4cd
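Why the commit message above prefers escaping the complete attribute value, as an added example that is not WordPress core code: it compares escaping only the dynamic part with escaping the joined value, then decodes both the way an HTML parser would. `htmlspecialchars()` stands in for `esc_attr()`; the function names, the prefix and the value are hypothetical, constructed inputs.

```php
<?php
// Added illustration, not WordPress core code. htmlspecialchars() stands in
// for esc_attr(); function names and sample values are hypothetical.

/** Escapes only the dynamic part and joins it to an unescaped hardcoded prefix. */
function attr_partial( string $prefix, string $value ): string {
    return $prefix . htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' );
}

/** Joins first, then escapes the complete attribute value in one go. */
function attr_whole( string $prefix, string $value ): string {
    return htmlspecialchars( $prefix . $value, ENT_QUOTES, 'UTF-8' );
}

/** The value an HTML parser hands back after decoding character references. */
function as_parsed( string $attribute_value ): string {
    return html_entity_decode( $attribute_value, ENT_QUOTES, 'UTF-8' );
}

// Constructed input: a hardcoded prefix that was later changed to end in "&",
// and a dynamic value containing nothing the escaper needs to touch.
$prefix   = 'tab&';
$value    = 'quot;-panel';
$intended = $prefix . $value; // The literal text the attribute should carry.

foreach ( array( 'attr_partial', 'attr_whole' ) as $build ) {
    $markup = $build( $prefix, $value );
    $parsed = as_parsed( $markup );

    printf(
        "%-12s markup=%-22s parsed=%-16s %s\n",
        $build,
        $markup,
        $parsed,
        $parsed === $intended ? 'round-trips' : 'CHANGED at the join'
    );
}
```

In the partial case the unescaped `&` from the prefix and the untouched `quot;` from the value combine into a character reference that neither piece contained on its own, so the parsed value no longer matches the intended text.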
This ensures that post type or taxonomy name is consistently escaped in:
* `wp_nav_menu_item_post_type_meta_box()`
* `wp_nav_menu_item_taxonomy_meta_box()`
Follow-up to [14248], [23707].
Props zenaulislam, SergeyBiryukov.
Fixes #57110.
Built from https://develop.svn.wordpress.org/trunk@55615
git-svn-id: http://core.svn.wordpress.org/trunk@55127 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Check to see if the theme.json file exists before processing the rest of the code in `_wp_theme_json_webfonts_handler`. This improves performance by not trying to parse the theme.json, early in the bootstrap process.
Props spacedmonkey, hellofromTonya, flixos90.
Fixes #57814.
Built from https://develop.svn.wordpress.org/trunk@55612
git-svn-id: http://core.svn.wordpress.org/trunk@55124 1a063a9b-81f0-0310-95a4-ce76da25c4cd