User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Block Editor: Coding standards, properly escape class names.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.
Brings the changes in [47633], [47634], [47635], [47636], [47637], and [47638] to the 5.4 branch.
Props: aduth, batmoo, ehti, ellatrix, jorgefilipecosta, nickdaugherty, noisysocks, pento, peterwilsoncc, sergeybiryukov, sstoqnov, talldanwp, westi, westonruter, whyisjake, whyisjake, xknown.
Built from https://develop.svn.wordpress.org/branches/5.3@47644
git-svn-id: http://core.svn.wordpress.org/branches/5.3@47419 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduce `make_clickable_rel` filter for the `rel` value that is added to URL matches converted to links.
This is a follow-up to [46349], which added the `rel="nofollow ugc"` attribute to existing `<a>` tags in comments via `wp_rel_ugc()`.
UGC stands for User Generated Content, and the `ugc` attribute value is recommended for links within user generated content, such as comments and forum posts.
See https://webmasters.googleblog.com/2019/09/evolving-nofollow-new-ways-to-identify.html.
Props blogginglife, SergeyBiryukov.
Reviewed by desrosj, audrasjb.
Fixes#48022.
Built from https://develop.svn.wordpress.org/trunk@46564
git-svn-id: http://core.svn.wordpress.org/trunk@46361 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Slashing non-string data caused PUT requests containing unmodified meta arrays of integers to fail the check against the existing stored meta value, causing a 500 when posting an unmodified response body back to the server.
Props TimothyBlynJacobs, augustuswm.
Fixes#48264.
Built from https://develop.svn.wordpress.org/trunk@46454
git-svn-id: http://core.svn.wordpress.org/trunk@46252 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When a theme declares HTML5 support for script and styles via `add_theme_support( 'html5', array( 'script', 'style' ) )`, the `type="text/javascript"` and `type="text/css"` attributes are omitted.
These attributes are unnecessary in HTML5 and cause warnings in the W3C Markup Validation Service.
Props sasiddiqui, swissspidy, knutsp, SergeyBiryukov.
See #42804.
Built from https://develop.svn.wordpress.org/trunk@46164
git-svn-id: http://core.svn.wordpress.org/trunk@45976 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The path to magic quote sanity took a fun and exciting turn: PHP core removed it and WordPress updated the minimum version.
For the formally external pclzip, the code is commented out to make investigating easier and in case we ever need to merge upstream (if that still exists) changes.
Props ayeshrajans, jrf, jorbin.
See #47783.
Fixes#18322.
Built from https://develop.svn.wordpress.org/trunk@46105
git-svn-id: http://core.svn.wordpress.org/trunk@45917 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset includes a major iteration on the regular expression used to balance tags, with comprehensive test coverage to ensure that all scenarios are supported or unsupported as expected.
Props dmsnell, westonruter, birgire.
Fixes#47014.
Built from https://develop.svn.wordpress.org/trunk@45929
git-svn-id: http://core.svn.wordpress.org/trunk@45740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This upgrade adds support for the transgender flag: 🏳️⚧️
There's some additional housekeeping in this commit:
- Twemoji recently rearranged their repository and package, so `Gruntfile.js` needed tweaking to allow for that.
- As only new files were added in this Twemoji release, the CDN version didn't need updating.
Fixes#47852.
Built from https://develop.svn.wordpress.org/trunk@45769
git-svn-id: http://core.svn.wordpress.org/trunk@45580 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Noteable changes:
- The `magic_quotes_runtime` and `magic_quotes_sybase` settings were removed in PHP 5.4, so no longer need to be set.
- Some functions that use external libraries can generate errors that can't be tested for, so are globally allowed to silence errors.
- Quite a few functions would cause errors if `safe_mode` was set. This setting was removed in PHP 5.4.
- Only a handful of `header()` calls needed corresponding `headers_sent()` checks for unit tests to pass, but more may need to be added as the nightlies builds are tested.
See #46732.
Built from https://develop.svn.wordpress.org/trunk@45611
git-svn-id: http://core.svn.wordpress.org/trunk@45422 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Following [45585], older versions of PHP could segfault when attempting to autop paragraphs with 10,000+ characters.
Rather than having to negative lookahead for every character in the paragraph (which could run into recursion limits), we can quickly jump ahead to the next tag and start checking from there.
See #27350.
Built from https://develop.svn.wordpress.org/trunk@45587
git-svn-id: http://core.svn.wordpress.org/trunk@45398 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`autop()` can sometimes get confused and not clean up stray `<p>` or `</p>` tags inside block level elements, which produces sub-optimal HTML. While browsers can generally handle it, there's no need to make things harder for them if we don't have to.
Props pento, ayubi, pbearne, jond, azaozz, 1994rstefan, dionysous, MikeHansenMe, jorbin, miqrogroove, niallkennedy.
Fixes#27350.
Built from https://develop.svn.wordpress.org/trunk@45585
git-svn-id: http://core.svn.wordpress.org/trunk@45396 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Inline `<svg>`s should generally work, as browsers should just ignore `<p>` or `<br/>` tags that shouldn't be inside the `<svg>`. To keep things neat, however, it's better not add them in the first place.
Props jared_smith, nacin, pento.
Fixes#9437.
Built from https://develop.svn.wordpress.org/trunk@45577
git-svn-id: http://core.svn.wordpress.org/trunk@45388 1a063a9b-81f0-0310-95a4-ce76da25c4cd
It can be tricky to know when `wpautop()` should add `<p>` tags, but one thing we can be certain about is that they really shouldn't be anywhere near `<hr>` tags.
Now they aren't.
Props solarissmoke, MattyRob, pento.
Fixes#14674.
Built from https://develop.svn.wordpress.org/trunk@45574
git-svn-id: http://core.svn.wordpress.org/trunk@45385 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Smilies in ignored tags are not supposed to be converted to emoji, but this can malfunction if the tag has attributes. For example, the Preformatted block with add a `class` to the `<pre>` tag.
Props pento, jikamens.
Fixes#47489.
Built from https://develop.svn.wordpress.org/trunk@45569
git-svn-id: http://core.svn.wordpress.org/trunk@45380 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This introduces three new strings that can be used to control the maximum length of automatically generated excerpts for posts, comments, and draft post previews in the dashboard. Optionally combined with the existing word count type control this allows languages which include many multibyte characters to specify more appropriate maximum excerpt lengths.
Props miyauchi, birgire, johnbillion
Fixes#44541
Built from https://develop.svn.wordpress.org/trunk@45505
git-svn-id: http://core.svn.wordpress.org/trunk@45316 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Use of `date()` in core depends on PHP timezone set to UTC and not changed by third party code (which cannot be guaranteed).
`gmdate()` is functionally equivalent, but is not affected by PHP timezone setting: it's always UTC, which is the exact behavior the core needs.
Props nielsdeblaauw, Rarst.
Fixes#46438. See #44491.
Built from https://develop.svn.wordpress.org/trunk@45424
git-svn-id: http://core.svn.wordpress.org/trunk@45235 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset introduces `$post` parameters to `get_the_content()` and
`wp_trim_excerpt()`. When a `$post` object is passed to one of these functions,
the functions will operate on the data from that object, rather than from the
post globals (`$authordata`, `$page`, etc). This ensures that the functions work
in a predictable manner when used outside of the regular post loop.
The global-mismatch problem is surfaced in cases where `get_the_excerpt()` is
called outside of the post loop, on posts that don't have a defined excerpt. In
these cases, the post globals - used to generate a fallback excerpt - may refer
to the incorrect object, resulting in PHP notices or other unpredictable
behavior. See #36934 for a related issue.
Props spacedmonkey, kraftbj, Shital Patel.
Fixes#42814.
Built from https://develop.svn.wordpress.org/trunk@44941
git-svn-id: http://core.svn.wordpress.org/trunk@44772 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[44618] added strict type checking to `_sanitize_text_fields()`, which has caused some compat issues with plugins.
We can loosen the type checking to only reject objects and arrays, and cast other types to string.
Props Nick_theGeek, pento.
Fixes#41450.
Built from https://develop.svn.wordpress.org/trunk@44731
git-svn-id: http://core.svn.wordpress.org/trunk@44562 1a063a9b-81f0-0310-95a4-ce76da25c4cd