* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in `Requests_Utility_FilteredIterator`.
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 5.3 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
Built from https://develop.svn.wordpress.org/branches/5.3@49393
git-svn-id: http://core.svn.wordpress.org/branches/5.3@49152 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This ensures the ability to run NodeJS related tasks when using `nvm install` or `nvm use` will continue to be usable as new versions of NodeJS are moved into LTS.
The alias `lts/*` currently resolves to NodeJS 12.x (which is the highest version of NodeJS supported in the 5.3 branch). However, `lts/*` will point to newer versions in the near future.
This also removes the explicit version when running `nvm install` during automated testing. The command will now fall back to the version in the `.nvmrc` file.
See #51603.
Built from https://develop.svn.wordpress.org/branches/5.3@49279
git-svn-id: http://core.svn.wordpress.org/branches/5.3@49039 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding by setting the proper editor context.
- Formatting: Ensure that `wp_validate_redirect()` sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend `set-screen-option`.
Merges [47948-47951] to the 5.3 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/5.3@47959
git-svn-id: http://core.svn.wordpress.org/branches/5.3@47731 1a063a9b-81f0-0310-95a4-ce76da25c4cd
After a comment is submitted, only allow a brief window where the comment is live on the site.
Props jonkolbert, ayeshrajans, Asif2BD, peterwilsoncc, imath, audrasjb, jonoaldersonwp, whyisjake, SergeyBiryukov.
Merges [47887] and [47889] to the 5.3 branch.
See #49956.
Built from https://develop.svn.wordpress.org/branches/5.3@47916
git-svn-id: http://core.svn.wordpress.org/branches/5.3@47690 1a063a9b-81f0-0310-95a4-ce76da25c4cd
User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Block Editor: Coding standards, properly escape class names.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.
Brings the changes in [47633], [47634], [47635], [47636], [47637], and [47638] to the 5.4 branch.
Props: aduth, batmoo, ehti, ellatrix, jorgefilipecosta, nickdaugherty, noisysocks, pento, peterwilsoncc, sergeybiryukov, sstoqnov, talldanwp, westi, westonruter, whyisjake, whyisjake, xknown.
Built from https://develop.svn.wordpress.org/branches/5.3@47644
git-svn-id: http://core.svn.wordpress.org/branches/5.3@47419 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Remove `WordPress` from `Requires at least` headers.
* Ensure the `Requires at least` and `Requires PHP` headers are present in the `style.css` file.
Follow-up to [46676], which updated `style-rtl.css`, but not `style.scss` or `style.css`.
Merges [47136] to the 5.3 branch.
See #48517.
Built from https://develop.svn.wordpress.org/branches/5.3@47137
git-svn-id: http://core.svn.wordpress.org/branches/5.3@46937 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Fix PHP warnings in `wp_unique_filename()` when the destination directory is unreadable.
- Run the final name collision test only for files that are saved to the uploads directory.
- Update the unit tests to match.
Props eden159, audrasjb, azaozz.
Merges [46965] to the 5.3 branch.
Fixes #48960.
Built from https://develop.svn.wordpress.org/branches/5.3@46979
git-svn-id: http://core.svn.wordpress.org/branches/5.3@46779 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[3525] allowed a difference up to 59 seconds between the post date/time and the current time to consider the post published instead of scheduled, but that didn't take the start of a new minute into account.
Rapidly creating post fixtures in unit tests could encounter a one-second discrepancy between `current_time( 'mysql' )` and `gmdate( 'Y-m-d H:i:s' )`, returning values like `2019-12-16 23:43:00` vs. `2019-12-16 23:42:59`, respectively, and setting the post to a `future` status instead of `publish`.
[45851], while working as intended, made the issue somewhat more likely to occur.
This caused all sorts of occasional random failures in various tests on Travis, mostly on PHP 7.1.
Merges [46968] and [46969] to the 5.3 branch.
Fixes #48145.
Built from https://develop.svn.wordpress.org/branches/5.3@46975
git-svn-id: http://core.svn.wordpress.org/branches/5.3@46775 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`wp_kses_bad_protocol()` makes sure to validate that URI attributes don't contain invalid or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon HTML5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/5.3@46899
git-svn-id: http://core.svn.wordpress.org/branches/5.3@46699 1a063a9b-81f0-0310-95a4-ce76da25c4cd
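The protocol check described in the last commit message above, as an added PHP example that is not WordPress core code: it puts a scheme extractor that recognises only the literal and numeric forms of the colon beside one that also recognises `&colon;`. The function names, the allowlist and the sample URIs are constructed for illustration.

```php
<?php
// Added illustration, not taken from WordPress core.
// ALLOWED_PROTOCOLS, the function names and the sample URIs are assumptions.

const ALLOWED_PROTOCOLS = ['http', 'https', 'mailto'];

// Weak form: only ":" and its numeric character references end the scheme,
// so a value using the named entity looks like it has no scheme at all.
function scheme_naive(string $uri): ?string {
    $parts = preg_split('/:|&#0*58;|&#x0*3a;/i', $uri, 2);
    return isset($parts[1]) ? strtolower(trim($parts[0])) : null;
}

// Corrected form: the HTML5 named entity &colon; is treated as a colon too.
function scheme_hardened(string $uri): ?string {
    $parts = preg_split('/:|&#0*58;|&#x0*3a;|&colon;/i', $uri, 2);
    return isset($parts[1]) ? strtolower(trim($parts[0])) : null;
}

// A value with no scheme is a relative URL and is left alone;
// anything else must be on the allowlist.
function is_allowed(?string $scheme): bool {
    return $scheme === null || in_array($scheme, ALLOWED_PROTOCOLS, true);
}

// Constructed sample attribute values.
$samples = [
    'https://example.org/',
    '/relative/path',
    'javascript:void(0)',
    'javascript&#58;void(0)',
    'javascript&colon;void(0)',
];

foreach ($samples as $uri) {
    printf(
        "%-26s naive=%-5s hardened=%s\n",
        $uri,
        is_allowed(scheme_naive($uri)) ? 'allow' : 'strip',
        is_allowed(scheme_hardened($uri)) ? 'allow' : 'strip'
    );
}
```

Only the last sample differs between the two columns: the weak extractor finds no separator and treats the value as a relative URL, while the corrected one sees the `javascript` scheme and rejects it.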