Values passed to parameters with this attribute will be redacted if present in a stack trace when using PHP 8.2 or later. This reduces the chance that passwords and security keys get accidentally exposed in debug logs and bug reports.
Props petitphp, TobiasBg, jrf, johnbillion.
Fixes #57304
Built from https://develop.svn.wordpress.org/trunk@59754
git-svn-id: http://core.svn.wordpress.org/trunk@59096 1a063a9b-81f0-0310-95a4-ce76da25c4cd
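The redaction described in the commit above, as an added example that is not WordPress core code. It compares what an exception trace records for a parameter with and without PHP's `#[\SensitiveParameter]` attribute. The function names and the password value are constructed for illustration, and PHP 8.2 or later is assumed.

```php
<?php
// Added example (not from WordPress core). Requires PHP 8.2+.
// check_login_plain(), check_login_redacted() and logged_args() are hypothetical names.

// Traces only carry arguments when this setting is off. Many production php.ini
// files turn it on, which drops every argument regardless of the attribute.
ini_set( 'zend.exception_ignore_args', '0' );

// Without the attribute, the raw password is stored in the trace frame.
function check_login_plain( string $user, string $password ): void {
	throw new RuntimeException( 'Database unavailable' );
}

// With the attribute, PHP stores a SensitiveParameterValue wrapper in the trace frame.
function check_login_redacted( string $user, #[\SensitiveParameter] string $password ): void {
	throw new RuntimeException( 'Database unavailable' );
}

/**
 * Calls $fn with a constructed username and password, then returns the arguments
 * recorded for the innermost trace frame, as a debug log or bug report would see them.
 * Objects are reduced to their class name so the result is safe to print.
 */
function logged_args( callable $fn ): array {
	try {
		$fn( 'admin', 'constructed-sample-pass' );
	} catch ( RuntimeException $e ) {
		return array_map(
			static fn ( $arg ) => is_object( $arg ) ? get_class( $arg ) : $arg,
			$e->getTrace()[0]['args'] ?? array()
		);
	}
	return array();
}

print_r( logged_args( 'check_login_plain' ) );
print_r( logged_args( 'check_login_redacted' ) );
```

The attribute only affects what stack traces record. Code that logs the variable directly still writes the real value.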
This allows the subsequent redirect to behave as expected if a site is using a strict referrer policy on the front end which prevents the full referrer from being sent.
Props zodiac1978, yogeshbhutkar, hbhalodia, mukesh27.
Fixes #62881
Built from https://develop.svn.wordpress.org/trunk@59753
git-svn-id: http://core.svn.wordpress.org/trunk@59095 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change introduces a job matrix for the "current", "before", and "base" performance tests to replace the current behaviour of running them sequentially in a single job. This speeds up the overall performance testing workflow and also reduces the chance of any given test interfering with another, for example by making a change to data in the database that affects a subsequent test.
Props johnbillion, swissspidy, dmsnell, joemcgill.
See #62221
Built from https://develop.svn.wordpress.org/trunk@59749
git-svn-id: http://core.svn.wordpress.org/trunk@59091 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When originally committed, this code was targeting 6.7.1. However, it was not backported and included in 6.7.1. Will this be followed up by another version change? You'll need to stay tuned to next week's episode of "As the WordPress Turns" to find out!
Follow-up to [59285] and [59364].
See #62270.
Built from https://develop.svn.wordpress.org/trunk@59747
git-svn-id: http://core.svn.wordpress.org/trunk@59089 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Custom post types may contain underscores, however block template registration has been using a regular expression that disallows underscores. Since the block template name for certain templates is directly associated with which post type it applies to, this regular expression was causing unexpected failures. This changeset adjusts the regular expression to allow block template names with underscore characters, effectively allowing block templates to be registered for any custom post type.
Props alexandrebuffet, ankitkumarshah, gaambo, jorbin, karthickmurugan, oglekler, poena, sukhendu2002.
Fixes #62523.
Built from https://develop.svn.wordpress.org/trunk@59742
git-svn-id: http://core.svn.wordpress.org/trunk@59084 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations. To date, updates have only been merged into Core when problems arise using a highly manual process.
This introduces the `certificates:upgrade` Grunt task to automate the process of updating the included bundle with upstream changes using Composer to manage versioning.
The legacy 1024-bit certificates included for backwards compatibility are now maintained in a separate file that is prepended to the built version of the bundle during the relevant Grunt tasks. Some expired certificates from this list have been removed:
- Cybertrust Global Root (expired 2021-12-15)
- Thawte Server CA (expired 2020-12-31)
- Thawte Premium Server CA (expired 2020-12-31)
The Dependabot configuration has also been updated to open pull requests when new releases occur upstream. Going forward, the recommendation is to create a task ticket for updating these certificates with each release when an update is published. See #62811 for an example of this.
Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
Fixes #62812. See #62811, 50828.
Built from https://develop.svn.wordpress.org/trunk@59740
git-svn-id: http://core.svn.wordpress.org/trunk@59082 1a063a9b-81f0-0310-95a4-ce76da25c4cd
On some instances of Windows, the assertions seem to find additional nodes. As this test is just about verifying that the handlers get called, not about testing the functionality of the handlers, we can adjust the assertion to look for a minimum number of nodes rather than an exact number.
Follow-up to [59062].
Props yogeshbhutkar, hellofromTonya, SergeyBiryukov, coquardcyr, jrf, benniledl, desrosj, jorbin.
Fixes #62110. See #62061.
Built from https://develop.svn.wordpress.org/trunk@59739
git-svn-id: http://core.svn.wordpress.org/trunk@59081 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Display a message notifying the user of an incorrect password when submitting the post password form. Improve the accessibility of the form by adding a required attribute for consistent identification.
Props henry.wright, jonnyauk, kreppar, tommusrhodus, joedolson, audrasjb, jdahir0789, parthvataliya, dhruvang21.
Fixes #37332.
Built from https://develop.svn.wordpress.org/trunk@59736
git-svn-id: http://core.svn.wordpress.org/trunk@59078 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Deprecate the actions `setted_transient` and `setted_site_transient` in favour of `set_transient` and `set_site_transient` respectively.
This serves two purposes: to make the name consistent with the transient-specific actions `set_(site_)_transient_{$transient}`, and to make the names grammatically correct.
Props sukhendu2002, swissspidy, johnbillion, peterwilsoncc.
Fixes #62849.
Built from https://develop.svn.wordpress.org/trunk@59735
git-svn-id: http://core.svn.wordpress.org/trunk@59077 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset replaces plugin sanitized names with an auto increment integer to fix an issue with accordions displaying privacy policies for plugins with special characters in their names.
Follow-up to [50161].
Props ecgan, sabernhardt, audrasjb.
Fixes #62713.
Built from https://develop.svn.wordpress.org/trunk@59732
git-svn-id: http://core.svn.wordpress.org/trunk@59074 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset allows for block metadata collections to be registered for almost any source, such as MU plugins, themes, or custom directories with e.g. symlinked plugins or symlinked themes. Prior to the change, block metadata collections could only be registered for plugins and WordPress Core.
There are still safeguards in place to prevent registration of collections in locations that would cause conflicts. For example, it is not possible to register a collection for the entire `wp-content/plugins` directory or the entire `wp-content/themes` directory, since such a collection would conflict with any specific plugin's or theme's collection. In case developers would like to enable this safeguard for their own custom directories, they can use the new `wp_allowed_block_metadata_collection_roots` filter.
Props assassinateur, bowedk, desrosj, dougwollison, flixos90, glynnquelch, gziolo, jorbin, mreishus, swissspidy.
Fixes #62140.
Built from https://develop.svn.wordpress.org/trunk@59730
git-svn-id: http://core.svn.wordpress.org/trunk@59072 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While the `skipTestOnTimeout()` method will catch a timeout and prevent it from causing a test to fail, other errors such as a failed DNS lookup or HTTPS handshake can still cause a test to unnecessarily fail. This introduces a simple retry mechanism that will hopefully further reduce the flakiness of tests that perform HTTP API requests.
Fixes #62830
Built from https://develop.svn.wordpress.org/trunk@59729
git-svn-id: http://core.svn.wordpress.org/trunk@59071 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fix an issue introduced in [59134] that prevented manual entry of a page number in the pagination input field from navigating pages. Requiring validation of the bulk actions input also impacted other inputs nested in the same form.
Also fixes a pre-existing bug where it was not possible to navigate to page 1 using the input field.
Props ffffelix, im3dabasia1, apermo, rishavdutta, joedolson, swissspidy, jorbin, joedolson.
Fixes #62534.
Built from https://develop.svn.wordpress.org/trunk@59727
git-svn-id: http://core.svn.wordpress.org/trunk@59069 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The intention of these headers is to prevent any form of caching, whether that's in the browser or in an intermediate cache such as a proxy server. These directives instruct an intermediate cache to not store the response in their cache for any user – not just for logged-in users.
This does not affect the caching behaviour of assets within a page such as images, CSS, and JavaScript files.
Props kkmuffme, devansh2002, johnbillion.
Fixes #61942
Built from https://develop.svn.wordpress.org/trunk@59724
git-svn-id: http://core.svn.wordpress.org/trunk@59066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Because the build process test workflow accepts an input for runner image, older workflows still use `ubuntu-latest`. This adjusts a conditional check to be more broad, allowing any `ubuntu-` image to match.
Follow up to [59720].
See #62221.
Built from https://develop.svn.wordpress.org/trunk@59722
git-svn-id: http://core.svn.wordpress.org/trunk@59064 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While using the `ubuntu-latest`, `macos-latest`, and `windows-latest` runner image tags is convenient, it has proven to be problematic in a number of instances as the runners are slowly updated (see #62808 and #62843).
This switches all workflows to using specific version tags representing the latest non-preview versions, which currently are as follows:
- `ubuntu-24.04`
- `windows-2022`
- `macos-14`
Props swissspidy, johnbillion.
See #62221.
Built from https://develop.svn.wordpress.org/trunk@59720
git-svn-id: http://core.svn.wordpress.org/trunk@59062 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The menu, menu item, and menu location endpoints were added to the REST API in [52079]. In that commit, menu data was treated as private and restricted to logged-in users with the edit_theme_options capability. However, in many cases, this data can be considered public. Previously, there was no simple way for developers to allow this data to be exposed via the REST API.
This commit introduces the rest_menu_read_access filter, enabling developers to control read access to menus, menu items, and menu locations in the REST API. The same filter is applied across all three REST API classes, simplifying the process of opting into exposing this data.
Each instance of the filter provides the current request and the relevant class instance as context, allowing developers to selectively or globally enable access to the data.
Props spacedmonkey, antonvlasenko, kadamwhite, julianmar, masteradhoc.
Fixes #54304.
Built from https://develop.svn.wordpress.org/trunk@59718
git-svn-id: http://core.svn.wordpress.org/trunk@59060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
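One way a site could use the `rest_menu_read_access` filter from the commit above while keeping exposure narrow, as an added example that is not WordPress core code. It assumes the callback receives the current access decision followed by the request and the controller instance, as the commit message describes. The choice to open only menu locations is an illustrative policy.

```php
<?php
/**
 * Added example (not from WordPress core), intended for a site plugin or mu-plugin.
 * Grants anonymous read access to menu locations only; menus and menu items stay
 * restricted to users with the edit_theme_options capability.
 *
 * Assumption: the filter passes ( $read_access, $request, $controller ).
 */
add_filter(
	'rest_menu_read_access',
	static function ( $read_access, $request, $controller ) {
		// Respect an earlier callback that has already granted access.
		if ( $read_access ) {
			return true;
		}

		// Only the menu locations endpoints are opened up. The same filter also
		// runs for WP_REST_Menus_Controller and WP_REST_Menu_Items_Controller,
		// which keep their default restriction here.
		if ( ! $controller instanceof WP_REST_Menu_Locations_Controller ) {
			return $read_access;
		}

		// Defensive check: only plain read requests qualify.
		if ( 'GET' !== $request->get_method() ) {
			return $read_access;
		}

		return true;
	},
	10,
	3
);
```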
This updates the following GitHub Actions to their latest versions:
- `actions/cache`
- `actions/checkout`
- `actions/setup-node`
- `actions/upload-artifact`
- `codecov/codecov-action`
- `shivammathur/setup-php`
See #62221.
Built from https://develop.svn.wordpress.org/trunk@59716
git-svn-id: http://core.svn.wordpress.org/trunk@59058 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Replaced the raw SQL query in the `wp_get_post_autosave` function with a `WP_Query` call. This change improves code maintainability and replaces the raw SQL query with a cacheable query via `WP_Query`.
Props narenin, swissspidy, mukesh27, spacedmonkey, im3dabasia1.
Fixes #62658.
Built from https://develop.svn.wordpress.org/trunk@59715
git-svn-id: http://core.svn.wordpress.org/trunk@59057 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This sets the same referrer policy of `strict-origin-when-cross-origin` that's used in the admin area to prevent a referrer being sent to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within the URL.
The header can be disabled if necessary by removing the `wp_admin_headers` action from the `login_init` hook.
Props kkmuffme, sagarlakhani, albatross10
Fixes #62273
See #42036
Built from https://develop.svn.wordpress.org/trunk@59712
git-svn-id: http://core.svn.wordpress.org/trunk@59054 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset lowers the font-weight value from `600` to `400` for labels located in the Settings screens.
This is an initial implementation of the WordPress design system, aligning with the broader goal of achieving a more consistent and unified design across the administration.
Props karmatosed, audrasjb.
Fixes #62865.
Built from https://develop.svn.wordpress.org/trunk@59709
git-svn-id: http://core.svn.wordpress.org/trunk@59051 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset fixes a UI issue where the theme count in the "Add Themes" screen touches the top border on small screens.
Props sukhendu2002, diliphingarajiya, dilipbheda, ankitkumarshah, dhruvang21, im3dabasia1.
Fixes #62499.
Built from https://develop.svn.wordpress.org/trunk@59708
git-svn-id: http://core.svn.wordpress.org/trunk@59050 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset fixes a margin issue in the search input box on the Add New Plugins screen, which was previously breaking below 1138px. Specifically, the top margin was set to 0px, and the overall appearance of the search box was inconsistent between 1000px and 1138px. Now, the margin is consistent across all breakpoints.
Props jomonthomaslobo1, narenin, iflairwebtechnologies, peterwilsoncc, audrasjb, shailu25.
Fixes #61785.
Built from https://develop.svn.wordpress.org/trunk@59706
git-svn-id: http://core.svn.wordpress.org/trunk@59048 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset replaces the light grey background color with the white color defined in the Editor Storybook. This change also impacts admin color schemes that previously utilized the default admin background color.
This is an initial implementation of the WordPress design system, aligning with the broader goal of achieving a more consistent and unified design across the administration.
Props karmatosed, audrasjb.
Fixes #62831.
Built from https://develop.svn.wordpress.org/trunk@59705
git-svn-id: http://core.svn.wordpress.org/trunk@59047 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Since [13683], `the_shortlink()` has included a `title` attribute. By default, that gives the sanitized post title, and it does not sanitize custom text. Given the low value of this attribute, this changeset removes it.
Props sabernhardt, audrasjb, joedolson.
Fixes #62838.
See #24766.
Built from https://develop.svn.wordpress.org/trunk@59703
git-svn-id: http://core.svn.wordpress.org/trunk@59045 1a063a9b-81f0-0310-95a4-ce76da25c4cd