desrosj
87bf09100d
WordPress 4.4.22
...
Built from https://develop.svn.wordpress.org/branches/4.4@47676
git-svn-id: http://core.svn.wordpress.org/branches/4.4@47453 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 18:02:47 +00:00
whyisjake
bb6d812c70
User: Invalidate user_activation_key
on password update.
...
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.
Brings the changes in [47634], [47635], [47637], and [47638] to the 4.4 branch.
Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, whyisjake, whyisjake, xknown.
Built from https://develop.svn.wordpress.org/branches/4.4@47653
git-svn-id: http://core.svn.wordpress.org/branches/4.4@47430 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 16:39:23 +00:00
Sergey Biryukov
0983cf671d
WordPress 4.4.21
...
Built from https://develop.svn.wordpress.org/branches/4.4@46929
git-svn-id: http://core.svn.wordpress.org/branches/4.4@46729 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 20:31:20 +00:00
Sergey Biryukov
23ac697ad8
Update wp_kses_bad_protocol()
to recognize :
on uri attributes,
...
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 4.4 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.4@46912
git-svn-id: http://core.svn.wordpress.org/branches/4.4@46712 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:44:21 +00:00
desrosj
25a94707d9
WordPress 4.4.20.
...
Built from https://develop.svn.wordpress.org/branches/4.4@46516
git-svn-id: http://core.svn.wordpress.org/branches/4.4@46313 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 20:12:20 +00:00
whyisjake
9a0b89f7a8
Backporting several bug fixes.
...
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
- Customizer: Properly sanitize background images.
Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@46498
git-svn-id: http://core.svn.wordpress.org/branches/4.4@46295 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 19:09:23 +00:00
desrosj
d1cc3f64da
WordPress 4.4.19.
...
Built from https://develop.svn.wordpress.org/branches/4.4@46038
git-svn-id: http://core.svn.wordpress.org/branches/4.4@45850 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 22:04:00 +00:00
desrosj
feda17a63c
Fix for URL sanitization in wp_kses_bad_protocol_once()
.
...
Merges [45997] to the 4.4 branch.
Props irsdl, sstoqnov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/4.4@46010
git-svn-id: http://core.svn.wordpress.org/branches/4.4@45821 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 21:40:56 +00:00
Sergey Biryukov
7f160a4160
Improve handling the existing rel
attribute in wp_rel_nofollow_callback()
.
...
Merges [45990] to the 4.4 branch.
Props xknown, sstoqnov.
Built from https://develop.svn.wordpress.org/branches/4.4@46001
git-svn-id: http://core.svn.wordpress.org/branches/4.4@45812 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:58:13 +00:00
Sergey Biryukov
16195095b8
Improve URL validation in wp_validate_redirect()
.
...
Merges [45971] to the 4.4 branch.
Props vortfu, whyisjake, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.4@45981
git-svn-id: http://core.svn.wordpress.org/branches/4.4@45792 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:14:19 +00:00
whyisjake
7bb2a5a110
Remove _convert_urlencoded_to_entities() from the get_the_content() callback.
...
Merges [45937] to the 4.4 branch.
Props vortfu, whyisjake, peterwilsoncc
Built from https://develop.svn.wordpress.org/branches/4.4@45958
git-svn-id: http://core.svn.wordpress.org/branches/4.4@45769 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 16:41:42 +00:00
Sergey Biryukov
51be1d635c
Escape the output in wp_ajax_upload_attachment()
.
...
Merges [45936] to the 4.4 branch.
Props whyisjake, sstoqnov.
Built from https://develop.svn.wordpress.org/branches/4.4@45951
git-svn-id: http://core.svn.wordpress.org/branches/4.4@45762 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 16:38:22 +00:00
Gary Pendergast
b82d7057c6
WordPress 4.4.18
...
Built from https://develop.svn.wordpress.org/branches/4.4@44878
git-svn-id: http://core.svn.wordpress.org/branches/4.4@44709 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-13 01:31:20 +00:00
Sergey Biryukov
f797452514
Comments: Improve comment content filtering.
...
Merges [44842] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@44850
git-svn-id: http://core.svn.wordpress.org/branches/4.4@44682 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:40:20 +00:00
Sergey Biryukov
ab80be3ffa
Formatting: Improve rel="nofollow"
handling in comments.
...
Merges [44833] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@44841
git-svn-id: http://core.svn.wordpress.org/branches/4.4@44673 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-12 22:27:20 +00:00
Jeremy Felt
d79c34ca3a
Bump 4.4 branch to version 4.4.17.
...
Built from https://develop.svn.wordpress.org/branches/4.4@44083
git-svn-id: http://core.svn.wordpress.org/branches/4.4@43913 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 02:14:45 +00:00
Gary Pendergast
b9154e3211
Editor: Remove unwanted fields before saving posts.
...
The `meta_input`, `file`, and `guid` fields are not intended to be updated through user input.
Merges [44047] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@44062
git-svn-id: http://core.svn.wordpress.org/branches/4.4@43892 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:49:19 +00:00
Peter Wilson
7da4f3910f
Multisite: Validate activation links.
...
Merges [44048] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@44061
git-svn-id: http://core.svn.wordpress.org/branches/4.4@43891 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:47:21 +00:00
iandunn
0fc5160483
KSES: Make the URI attributes DRY.
...
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.
Merges [44014] and [44017] to the `4.4` branch.
Built from https://develop.svn.wordpress.org/branches/4.4@44035
git-svn-id: http://core.svn.wordpress.org/branches/4.4@43865 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:59:19 +00:00
Peter Wilson
18e6420dff
Multisite: Improve messaging for previously activated users.
...
Ensure activation of a site is not attempted multiple times and users are shown the correct message if they follow the link a second time.
Merges [44021] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@44030
git-svn-id: http://core.svn.wordpress.org/branches/4.4@43860 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:50:20 +00:00
Gary Pendergast
9d99fdce47
KSES: Conditionally remove the <form>
element from $allowedposttags
.
...
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.
Merges [43994] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@44003
git-svn-id: http://core.svn.wordpress.org/branches/4.4@43835 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:36:20 +00:00
Jeremy Felt
60dacc5deb
Media: Improve verification of MIME file types.
...
Merges [43988] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@43995
git-svn-id: http://core.svn.wordpress.org/branches/4.4@43827 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:14:21 +00:00
Aaron Campbell
40f9e10d03
Bump 4.4 branch to version 4.4.16
...
Built from https://develop.svn.wordpress.org/branches/4.4@43412
git-svn-id: http://core.svn.wordpress.org/branches/4.4@43240 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 16:12:48 +00:00
John Blackbourn
82dc7df085
Media: Limit thumbnail file deletions to the same directory as the original file.
...
Merges [43393] into the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@43398
git-svn-id: http://core.svn.wordpress.org/branches/4.4@43226 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 14:57:24 +00:00
Aaron Campbell
77061065b4
Bump 4.4 branch to version 4.4.15
...
Built from https://develop.svn.wordpress.org/branches/4.4@42938
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42768 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 20:30:01 +00:00
Dominik Schilling
1816f1c364
Template: Make sure the version string is correctly escaped for use in attributes.
...
Merge of [42893] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@42922
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42752 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 16:08:38 +00:00
Dominik Schilling
a45fc95823
Login: Use wp_safe_redirect()
when redirecting the login page if forced to use HTTPS.
...
Merge of [42892] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@42900
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42730 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 15:31:42 +00:00
Sergey Biryukov
26948373b7
General: Update copyright year to 2018 in license.txt.
...
Props rachelbaker.
Merges [42424] to the 4.4 branch.
Fixes #43007 .
Built from https://develop.svn.wordpress.org/branches/4.4@42557
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42386 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-23 11:28:17 +00:00
Dion Hulse
fbefbce5ea
Bump the 4.4 branch to 4.4.14.
...
Built from https://develop.svn.wordpress.org/branches/4.4@42499
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42328 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 21:42:38 +00:00
Dion Hulse
e462191652
External Libraries: Remove unnecessary / obsoleted MediaElement.js files.
...
Merges [42478] to the 4.4 branch.
Fixes #42720 for 4.4.
Built from https://develop.svn.wordpress.org/branches/4.4@42482
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42311 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 08:09:32 +00:00
Dion Hulse
3b20d41071
Upgrade: When deleting old files, if deletion fails attempt to empty the file instead.
...
Props joemcgill, dd32.
Merges [42434] to the 4.4 branch.
Fixes #42963 for 4.4.
Built from https://develop.svn.wordpress.org/branches/4.4@42470
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42299 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 06:56:35 +00:00
John Blackbourn
448ccd4397
Bump 4.4 branch to version 4.4.13.
...
Built from https://develop.svn.wordpress.org/branches/4.4@42321
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42150 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 19:01:31 +00:00
John Blackbourn
4fac456d88
Hardening: Remove the ability to upload JavaScript files for users who do not have the unfiltered_html
capability.
...
Merges [42261] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@42287
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42116 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:30:31 +00:00
John Blackbourn
94ed06c3c0
Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
...
Merges [42260] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@42286
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42115 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:29:31 +00:00
John Blackbourn
5f6f29f00a
Hardening: Add escaping to the language attributes used on html
elements.
...
Merges [42259] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@42285
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42114 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:29:00 +00:00
John Blackbourn
9352de38ba
Hardening: Use a properly generated hash for the newbloguser
key instead of a determinate substring.
...
Merges [42258] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@42284
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42113 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:28:31 +00:00
Dion Hulse
5da6b7c200
WPDB: Check that AUTH_SALT
is not empty, Fix a PHP notice when AUTH_SALT
is undefined.
...
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.4 branch.
Fixes #42431 and #42401 for 4.4.
Built from https://develop.svn.wordpress.org/branches/4.4@42234
git-svn-id: http://core.svn.wordpress.org/branches/4.4@42063 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:11:03 +00:00
John Blackbourn
fa59d4b446
General: Remove the version number from the readme file in the 4.4 branch.
...
See #42386
Built from https://develop.svn.wordpress.org/branches/4.4@42103
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41932 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 18:09:31 +00:00
Gary Pendergast
2f96a03e6c
Bump 4.4 branch to version 4.4.12.
...
Built from https://develop.svn.wordpress.org/branches/4.4@42073
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41902 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:26:30 +00:00
Gary Pendergast
aec6946594
Database: Restore numbered placeholders in wpdb::prepare()
.
...
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.
This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.
Merges [41662], [42056] to the 4.4 branch.
See #41925 .
Built from https://develop.svn.wordpress.org/branches/4.4@42061
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:46:31 +00:00
Dominik Schilling
905b95c1e7
Taxonomy/Users: Use correct escaping function for URLs.
...
Merge of [41522] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@41527
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41360 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 21:33:30 +00:00
Dominik Schilling
a80bb4a686
Bump 4.4 branch to version 4.4.11.
...
Built from https://develop.svn.wordpress.org/branches/4.4@41514
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41347 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 20:02:00 +00:00
Aaron Campbell
a89b23a75a
Database: Hardening to bring wpdb::prepare()
inline with documentation.
...
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.
Merges [41496] to 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@41501
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41334 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 18:15:37 +00:00
Aaron Campbell
5a0f95b6cf
Database: Don’t trigger _doing_it_wrong()
for null values in wpdb::prepare()
.
...
While `wpdb::prepare()` does not support null values (see #12819 ) they still appear in the wild like in the WordPress Importer and other plugins.
Merges [41483] to 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@41488
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41321 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 16:24:03 +00:00
Aaron Campbell
45280bda66
Database: Hardening for wpdb::prepare()
...
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.
Merges [41470] to 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@41475
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 15:02:30 +00:00
John Blackbourn
5e87d63b30
Filesystem API: Ensure filenames are valid before attempting to unzip them to ensure malformed file paths don't cause issues.
...
Merges [41457] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@41462
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41295 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 14:42:01 +00:00
Aaron Campbell
78462a6178
oEmbed: Add extra hardening around allowed HTML for improved sandboxing.
...
Merges [41448] to 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@41455
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 13:51:01 +00:00
Dominik Schilling
2603a8b4d6
TinyMCE: Improve the previews for shortcodes.
...
Merge of [41395] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@41439
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41272 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 12:43:37 +00:00
John Blackbourn
07d70c3944
General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.
...
Merges [41415] and [41416] into the 4.4 branch.
See #13377
Built from https://develop.svn.wordpress.org/branches/4.4@41434
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41267 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 12:13:31 +00:00
Dominik Schilling
c448e53286
Customize: Ensure valid themes in the preview.
...
Merge of [41397] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@41433
git-svn-id: http://core.svn.wordpress.org/branches/4.4@41266 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 11:52:37 +00:00