11 Commits

Author SHA1 Message Date
whyisjake
ee92e93f79 Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize `&colon;` on uri attributes.
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters from becoming unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.


Built from https://develop.svn.wordpress.org/branches/5.0@46915


git-svn-id: http://core.svn.wordpress.org/branches/5.0@46715 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:52:47 +00:00
youknowriad
c749dc382f Block Editor: Clarify PHP Docs of the block_version function.
Clarify the return value.

Props desrosj, mukesh27.
Fixes #45342.

Built from https://develop.svn.wordpress.org/branches/5.0@43924


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43756 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-11-21 19:39:49 +00:00
Andrew Ozz
ca2055af34 Block Editor: A little cleanup to render_block(). Always normalize $block['attrs'] to array in 'render_block' filter.
See #45145.
Built from https://develop.svn.wordpress.org/branches/5.0@43888


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43717 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-11-12 10:03:48 +00:00
Gary Pendergast
54368e50b6 Block Editor: Update @wordpress dependencies to the latest version.
Changes of note:
- Includes the new Annotations API package.
- `wp-polyfill-ecmascript.js` is renamed to `wp-polyfill.js`.
- `strip_dynamic_blocks()` has been removed in favour of `excerpt_remove_blocks()`.
- The PHP block parser is now syncing from the `block-serialization-default-parser` package.
- `do_blocks()` uses the new parser.
- The `do_block` filter has been removed from `do_blocks()`, in favour of a `render_block` filter in `render_block()`.

See #45145, #45190, #45264, #45282.


Built from https://develop.svn.wordpress.org/branches/5.0@43884


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43713 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-11-12 02:27:57 +00:00
Gary Pendergast
fdf428e44f Tests: Fix tests broken in PHP 5.x after [43879].
See #45290.


Built from https://develop.svn.wordpress.org/branches/5.0@43883


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43712 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-11-09 09:44:49 +00:00
Gary Pendergast
7c19654f33 Formatting: Ensure wpautop() isn't run on content generated from blocks.
As `do_blocks()` is run before `wpautop()` in `the_content` filter, we can remove in a Just In Time fashion, before that filter is run.

After `wpautop()`s original priority has passed, we can re-add it in a Just Too Late fashion, to ensure it's available if `the_content` filter is run multiple times on a page load.

Props pento, nerrad.
Fixes #45290.


Built from https://develop.svn.wordpress.org/branches/5.0@43879


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43708 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-11-09 08:29:47 +00:00
danielbachhuber
58ea8c82e4 REST API: Include block_version on Post content object.
The `block_version` denotes which version of Blocks the `post_content` contains. Introduces new `block_version()` function for versioning Blocks.

Props danielbachhuber, birgire.
Fixes #43887.

Built from https://develop.svn.wordpress.org/branches/5.0@43770


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43599 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-19 17:58:39 +00:00
Gary Pendergast
798c2581b1 Blocks: Parse blocks when displaying posts.
Posts containing blocks are now correctly handled when displaying on the front end, including dynamic blocks and nested blocks.

See #45109.


Built from https://develop.svn.wordpress.org/branches/5.0@43752


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43581 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-18 11:54:26 +00:00
Gary Pendergast
f7d01b4e70 Blocks: Introduce the block parser.
The `WP_Block_Parser` class, and the accompanying `parse_blocks()` helper function, can be used to parse an array of blocks out of a content string.

`WP_Block_Parser` is copied from the `@wordpress/block-serialization-default-parser` package. To ensure it stays in sync with the JavaScript parser, changes should be implemented in the package first, then the package version should be upgraded to include the changes.

See #45109.


Built from https://develop.svn.wordpress.org/branches/5.0@43751


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43580 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-18 04:40:27 +00:00
Gary Pendergast
28310289bd Blocks: Introduce register_block_type(), unregister_block_type(), and get_dynamic_blocks() functions.
These helper functions allow easy access to the global block registry.

See #45109.


Built from https://develop.svn.wordpress.org/branches/5.0@43743


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43572 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-18 01:53:26 +00:00
Gary Pendergast
22840639e8 Blocks: Introduce WP_Block_Type and WP_Block_Type_Registry classes.
These are the foundational classes allowing blocks to be registered and used throughout WordPress.

This commit also includes the `has_block()` and `has_blocks()` functions, which are required for unit testing these classes.

Props adamsilverstein, danielbachhuber, desrosj.
See #45097, #45109.


Built from https://develop.svn.wordpress.org/branches/5.0@43742


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43571 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-18 01:31:26 +00:00