Commit Graph

33016 Commits

Author SHA1 Message Date
desrosj
87bf09100d WordPress 4.4.22
Built from https://develop.svn.wordpress.org/branches/4.4@47676


git-svn-id: http://core.svn.wordpress.org/branches/4.4@47453 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 18:02:47 +00:00
whyisjake
bb6d812c70 User: Invalidate user_activation_key on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.

Brings the changes in [47634], [47635], [47637], and [47638] to the 4.4 branch.

Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, whyisjake, whyisjake, xknown.

Built from https://develop.svn.wordpress.org/branches/4.4@47653


git-svn-id: http://core.svn.wordpress.org/branches/4.4@47430 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 16:39:23 +00:00
Sergey Biryukov
0983cf671d WordPress 4.4.21
Built from https://develop.svn.wordpress.org/branches/4.4@46929


git-svn-id: http://core.svn.wordpress.org/branches/4.4@46729 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 20:31:20 +00:00
Sergey Biryukov
23ac697ad8 Update wp_kses_bad_protocol() to recognize : on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 4.4 branch.

Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.4@46912


git-svn-id: http://core.svn.wordpress.org/branches/4.4@46712 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:44:21 +00:00
desrosj
25a94707d9 WordPress 4.4.20.
Built from https://develop.svn.wordpress.org/branches/4.4@46516


git-svn-id: http://core.svn.wordpress.org/branches/4.4@46313 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 20:12:20 +00:00
whyisjake
9a0b89f7a8 Backporting several bug fixes.
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
- Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@46498


git-svn-id: http://core.svn.wordpress.org/branches/4.4@46295 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 19:09:23 +00:00
desrosj
d1cc3f64da WordPress 4.4.19.
Built from https://develop.svn.wordpress.org/branches/4.4@46038


git-svn-id: http://core.svn.wordpress.org/branches/4.4@45850 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 22:04:00 +00:00
desrosj
feda17a63c Fix for URL sanitization in wp_kses_bad_protocol_once().
Merges [45997] to the 4.4 branch.

Props irsdl, sstoqnov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/4.4@46010


git-svn-id: http://core.svn.wordpress.org/branches/4.4@45821 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 21:40:56 +00:00
Sergey Biryukov
7f160a4160 Improve handling the existing rel attribute in wp_rel_nofollow_callback().
Merges [45990] to the 4.4 branch.
Props xknown, sstoqnov.
Built from https://develop.svn.wordpress.org/branches/4.4@46001


git-svn-id: http://core.svn.wordpress.org/branches/4.4@45812 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:58:13 +00:00
Sergey Biryukov
16195095b8 Improve URL validation in wp_validate_redirect().
Merges [45971] to the 4.4 branch.
Props vortfu, whyisjake, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.4@45981


git-svn-id: http://core.svn.wordpress.org/branches/4.4@45792 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:14:19 +00:00
whyisjake
7bb2a5a110 Remove _convert_urlencoded_to_entities() from the get_the_content() callback.
Merges [45937] to the 4.4 branch.

Props vortfu, whyisjake, peterwilsoncc

Built from https://develop.svn.wordpress.org/branches/4.4@45958


git-svn-id: http://core.svn.wordpress.org/branches/4.4@45769 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 16:41:42 +00:00
Sergey Biryukov
51be1d635c Escape the output in wp_ajax_upload_attachment().
Merges [45936] to the 4.4 branch.
Props whyisjake, sstoqnov.
Built from https://develop.svn.wordpress.org/branches/4.4@45951


git-svn-id: http://core.svn.wordpress.org/branches/4.4@45762 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 16:38:22 +00:00
Gary Pendergast
b82d7057c6 WordPress 4.4.18
Built from https://develop.svn.wordpress.org/branches/4.4@44878


git-svn-id: http://core.svn.wordpress.org/branches/4.4@44709 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-13 01:31:20 +00:00
Sergey Biryukov
f797452514 Comments: Improve comment content filtering.
Merges [44842] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@44850


git-svn-id: http://core.svn.wordpress.org/branches/4.4@44682 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:40:20 +00:00
Sergey Biryukov
ab80be3ffa Formatting: Improve rel="nofollow" handling in comments.
Merges [44833] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@44841


git-svn-id: http://core.svn.wordpress.org/branches/4.4@44673 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:27:20 +00:00
Jeremy Felt
d79c34ca3a Bump 4.4 branch to version 4.4.17.
Built from https://develop.svn.wordpress.org/branches/4.4@44083


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43913 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 02:14:45 +00:00
Gary Pendergast
b9154e3211 Editor: Remove unwanted fields before saving posts.
The `meta_input`, `file`, and `guid` fields are not intended to be updated through user input.

Merges [44047] to the 4.4 branch.


Built from https://develop.svn.wordpress.org/branches/4.4@44062


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43892 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:49:19 +00:00
Peter Wilson
7da4f3910f Multisite: Validate activation links.
Merges [44048] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@44061


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43891 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:47:21 +00:00
iandunn
0fc5160483 KSES: Make the URI attributes DRY.
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.

Merges [44014] and [44017] to the `4.4` branch.

Built from https://develop.svn.wordpress.org/branches/4.4@44035


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43865 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:59:19 +00:00
Peter Wilson
18e6420dff Multisite: Improve messaging for previously activated users.
Ensure activation of a site is not attempted multiple times and users are shown the correct message if they follow the link a second time.

Merges [44021] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@44030


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43860 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:50:20 +00:00
Gary Pendergast
9d99fdce47 KSES: Conditionally remove the <form> element from $allowedposttags.
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.

Merges [43994] to the 4.4 branch.


Built from https://develop.svn.wordpress.org/branches/4.4@44003


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43835 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:36:20 +00:00
Jeremy Felt
60dacc5deb Media: Improve verification of MIME file types.
Merges [43988] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@43995


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43827 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:14:21 +00:00
Aaron Campbell
40f9e10d03 Bump 4.4 branch to version 4.4.16
Built from https://develop.svn.wordpress.org/branches/4.4@43412


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43240 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 16:12:48 +00:00
John Blackbourn
82dc7df085 Media: Limit thumbnail file deletions to the same directory as the original file.
Merges [43393] into the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@43398


git-svn-id: http://core.svn.wordpress.org/branches/4.4@43226 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 14:57:24 +00:00
Aaron Campbell
77061065b4 Bump 4.4 branch to version 4.4.15
Built from https://develop.svn.wordpress.org/branches/4.4@42938


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42768 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 20:30:01 +00:00
Dominik Schilling
1816f1c364 Template: Make sure the version string is correctly escaped for use in attributes.
Merge of [42893] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@42922


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42752 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 16:08:38 +00:00
Dominik Schilling
a45fc95823 Login: Use wp_safe_redirect() when redirecting the login page if forced to use HTTPS.
Merge of [42892] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@42900


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42730 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 15:31:42 +00:00
Sergey Biryukov
26948373b7 General: Update copyright year to 2018 in license.txt.
Props rachelbaker.
Merges [42424] to the 4.4 branch.
Fixes #43007.
Built from https://develop.svn.wordpress.org/branches/4.4@42557


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42386 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-23 11:28:17 +00:00
Dion Hulse
fbefbce5ea Bump the 4.4 branch to 4.4.14.
Built from https://develop.svn.wordpress.org/branches/4.4@42499


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42328 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 21:42:38 +00:00
Dion Hulse
e462191652 External Libraries: Remove unnecessary / obsoleted MediaElement.js files.
Merges [42478] to the 4.4 branch.
Fixes #42720 for 4.4.

Built from https://develop.svn.wordpress.org/branches/4.4@42482


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42311 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 08:09:32 +00:00
Dion Hulse
3b20d41071 Upgrade: When deleting old files, if deletion fails attempt to empty the file instead.
Props joemcgill, dd32.
Merges [42434] to the 4.4 branch.
Fixes #42963 for 4.4.

Built from https://develop.svn.wordpress.org/branches/4.4@42470


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42299 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 06:56:35 +00:00
John Blackbourn
448ccd4397 Bump 4.4 branch to version 4.4.13.
Built from https://develop.svn.wordpress.org/branches/4.4@42321


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42150 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 19:01:31 +00:00
John Blackbourn
4fac456d88 Hardening: Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.
Merges [42261] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@42287


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42116 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:30:31 +00:00
John Blackbourn
94ed06c3c0 Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
Merges [42260] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@42286


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42115 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:29:31 +00:00
John Blackbourn
5f6f29f00a Hardening: Add escaping to the language attributes used on html elements.
Merges [42259] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@42285


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42114 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:29:00 +00:00
John Blackbourn
9352de38ba Hardening: Use a properly generated hash for the newbloguser key instead of a determinate substring.
Merges [42258] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@42284


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42113 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:28:31 +00:00
Dion Hulse
5da6b7c200 WPDB: Check that AUTH_SALT is not empty, Fix a PHP notice when AUTH_SALT is undefined.
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.4 branch.
Fixes #42431 and #42401 for 4.4.

Built from https://develop.svn.wordpress.org/branches/4.4@42234


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42063 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:11:03 +00:00
John Blackbourn
fa59d4b446 General: Remove the version number from the readme file in the 4.4 branch.
See #42386

Built from https://develop.svn.wordpress.org/branches/4.4@42103


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41932 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 18:09:31 +00:00
Gary Pendergast
2f96a03e6c Bump 4.4 branch to version 4.4.12.
Built from https://develop.svn.wordpress.org/branches/4.4@42073


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41902 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:26:30 +00:00
Gary Pendergast
aec6946594 Database: Restore numbered placeholders in wpdb::prepare().
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

Merges [41662], [42056] to the 4.4 branch.
See #41925.


Built from https://develop.svn.wordpress.org/branches/4.4@42061


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:46:31 +00:00
Dominik Schilling
905b95c1e7 Taxonomy/Users: Use correct escaping function for URLs.
Merge of [41522] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@41527


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41360 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 21:33:30 +00:00
Dominik Schilling
a80bb4a686 Bump 4.4 branch to version 4.4.11.
Built from https://develop.svn.wordpress.org/branches/4.4@41514


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41347 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 20:02:00 +00:00
Aaron Campbell
a89b23a75a Database: Hardening to bring wpdb::prepare() inline with documentation.
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.

Merges [41496] to 4.4 branch.


Built from https://develop.svn.wordpress.org/branches/4.4@41501


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41334 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 18:15:37 +00:00
Aaron Campbell
5a0f95b6cf Database: Don’t trigger _doing_it_wrong() for null values in wpdb::prepare().
While `wpdb::prepare()` does not support null values (see #12819) they still appear in the wild like in the WordPress Importer and other plugins.

Merges [41483] to 4.4 branch.


Built from https://develop.svn.wordpress.org/branches/4.4@41488


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41321 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 16:24:03 +00:00
Aaron Campbell
45280bda66 Database: Hardening for wpdb::prepare()
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 4.4 branch.


Built from https://develop.svn.wordpress.org/branches/4.4@41475


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 15:02:30 +00:00
John Blackbourn
5e87d63b30 Filesystem API: Ensure filenames are valid before attempting to unzip them to ensure malformed file paths don't cause issues.
Merges [41457] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@41462


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41295 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 14:42:01 +00:00
Aaron Campbell
78462a6178 oEmbed: Add extra hardening around allowed HTML for improved sandboxing.
Merges [41448] to 4.4 branch.


Built from https://develop.svn.wordpress.org/branches/4.4@41455


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 13:51:01 +00:00
Dominik Schilling
2603a8b4d6 TinyMCE: Improve the previews for shortcodes.
Merge of [41395] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@41439


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41272 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 12:43:37 +00:00
John Blackbourn
07d70c3944 General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.
Merges [41415] and [41416] into the 4.4 branch.

See #13377

Built from https://develop.svn.wordpress.org/branches/4.4@41434


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41267 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 12:13:31 +00:00
Dominik Schilling
c448e53286 Customize: Ensure valid themes in the preview.
Merge of [41397] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@41433


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41266 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 11:52:37 +00:00