- REST API: Limit `search_columns` for users without `list_users`.
- Comments: Prevent users who can not see a post from seeing comments on it.
- Application Passwords: Prevent the use of some pseudo protocols in application passwords.
- Restrict media shortcode ajax to certain type
- REST API: Ensure no-cache headers are sent when methods are overridden.
- Prevent unintended behavior when certain objects are unserialized.
Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 5.8 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.
Built from https://develop.svn.wordpress.org/branches/5.8@56884
git-svn-id: http://core.svn.wordpress.org/branches/5.8@56395 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- Editor: Bump @wordpress packages for the 5.9 branch,
- Media: Refactor search by filename within the admin,
- REST API: Lockdown post parameter of the terms endpoint,
- Customize: Escape blogname option in underscores templates,
- Query: Validate relation in `WP_Date_Query`,
- Users: Revert use of shared objects for current user,
- Posts, Post types: Apply KSES to post-by-email content,
- General: Validate host on "Are you sure?" screen,
- Posts, Post types: Remove emails from post-by-email logs,
- Pings/trackbacks: Apply KSES to all trackbacks,
- Mail: Reset PHPMailer properties between use,
- Comments: Apply kses when editing comments,
- Widgets: Escape RSS error messages for display.
Merges [54521-54530] to the 5.8 branch.
Props audrasjb, costdev, cu121, dd32, davidbaumwald, ehtis, johnbillion, johnjamesjacoby, martinkrcho, matveb, oztaser, paulkevan, peterwilsoncc, ravipatel, SergeyBiryukov, talldanwp, timothyblynjacobs, tykoted, voldemortensen, vortfu, xknown.
Built from https://develop.svn.wordpress.org/branches/5.8@54548
git-svn-id: http://core.svn.wordpress.org/branches/5.8@54103 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Patterns on the [https://wordpress.org/patterns/ Pattern Directory] can have keywords for better discoverability while searching. The way these are stored [69548ff1f0 was changed from a taxonomy to meta value], but the `/wp/v2/pattern-directory/patterns` endpoint was still pulling from that old value.
The correct property to use for this field is `meta.wpop_keywords`, which returns a single string with comma-separated keywords.
Follow-up to [51021].
Props ryelle, TimothyBlynJacobs.
Merges [53665] to the 5.8 branch.
See #56126.
Built from https://develop.svn.wordpress.org/branches/5.8@53675
git-svn-id: http://core.svn.wordpress.org/branches/5.8@53234 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This avoids an `Uncaught ArgumentCountError: Too few arguments to function {closure}(), 1 passed` PHP fatal error when registering a block style with the `should_load_separate_core_block_assets` filter enabled.
Follow-up to [51471].
Props aristath, shimon246, jrf, gziolo, SergeyBiryukov.
Merges [54323] to the 5.8 branch.
Fixes #54323.
Built from https://develop.svn.wordpress.org/branches/5.8@51981
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51570 1a063a9b-81f0-0310-95a4-ce76da25c4cd
> The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.
>
> Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.
>
> Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.
References:
* [https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2]
* [https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ DST Root CA X3 Expiration (September 2021)]
Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].
Props bradleyt, fierevere, SergeyBiryukov.
Merges [51883] to the 5.8 branch.
Fixes #54207. See #50828.
Built from https://develop.svn.wordpress.org/branches/5.8@51948
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51537 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This unpins the version of PHP 5.6.20 used when testing the 5.6 branch of PHP.
Using 5.6.20 was an intentional decision in [49162], as that patch version is the oldest version of PHP 5.6 still supported by WordPress. However, as of September 30, 2021, the `5.6.20` image contains a version of OpenSSL with an expired certificate, sometimes resulting in an expired trust chain.
Props Clorith, hellofromTonya, SergeyBiryukov, desrosj.
Fixes #54223.
Built from https://develop.svn.wordpress.org/branches/5.8@51889
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51482 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [51838], the test wrapper methods were not being called due to the names not being recognized as supported PHPUnit "hook" names for fixtures.
This commit:
- Fixes the problem by adding extra camelCase wrappers to the `WP_UnitTestCase` to call the methods in the right order.
- Adds wrappers for the `assertPreConditions()` and `assertPostConditions()` fixture methods to make the backport feature complete for the fixture wrappers.
Test wrapper methods call fix:
By adding method overloads for the PHPUnit native camelCase fixture methods and letting those call the (camelCase) parent method first and only calling the snake_case fixture methods after, the snake_case methods can be supported and the typical run order safeguarded.
As not all test classes will have declared snake_case fixture methods, the snake_case fixture methods are also declared in the `WP_UnitTestCase`. Why? This prevents having to wrap these method calls in `method_exists()` conditions checking for the existence of the snake_case methods in an unknown Test child class. And with the normal inheritance rules in combination with calling the method using `static`, the right method will be called anyway without fatal "calling undeclared method" errors.
Note: While it will be rare, there ''may'' be cases where a test class does not adhere to the normal execution order for fixtures, i.e. for the setup methods, parent first, own code second; and for the teardown methods, own code first, parent second. For example a test class which has "some code - `parent::setUp()` call - some more code" in their `setUp()` method. In those (rare) cases, the execution order of the code will now be changed, which may have side-effects. This rare case will be identified in the dev note.
Follow-up to [51838].
Props bjorsch, swisspidy, jrf, hellofromTonya.
See #53911.
Built from https://develop.svn.wordpress.org/branches/5.8@51861
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51460 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This backports the PHPUnit Polyfills package and related test infrastructure changes to make it easier for developers to continue testing on multiple versions of WordPress while adding tests for newer versions of PHP, which require more modern PHPUnit practices.
One of the changes included is the addition of wrappers for the new snake_case fixture methods in PHPUnit. This allows the native camelCase standard in PHPUnit to be used, but allows for developers to transition to the new naming conventions.
Props hellofromTonya, jrf, SergeyBiryukov, johnbillion, netweb, schlessera, jeherve, lucatume, desrosj.
Merges [51559,51560,51810-51813,51828] to the 5.8 branch.
See #53911.
Built from https://develop.svn.wordpress.org/branches/5.8@51838
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51445 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The following packages were updated:
- @wordpress/a11y to `3.1.2`
- @wordpress/annotations to `2.1.6`
- @wordpress/api-fetch to `5.1.2`
- @wordpress/autop to `3.1.2`
- @wordpress/babel-preset-default to `6.2.1`
- @wordpress/blob to `3.1.2`
- @wordpress/block-directory to `2.1.21`
- @wordpress/block-editor to `6.1.14`
- @wordpress/block-library to `3.2.19`
- @wordpress/block-serialization-default-parser to `4.1.2`
- @wordpress/blocks to `9.1.8`
- @wordpress/components to `14.1.11`
- @wordpress/compose to `4.1.6`
- @wordpress/core-data to `3.1.12`
- @wordpress/customize-widgets to `1.0.20`
- @wordpress/data-controls to `2.1.6`
- @wordpress/data to `5.1.6`
- @wordpress/date to `4.1.2`
- @wordpress/deprecated to `3.1.2`
- @wordpress/dom-ready to `3.1.2`
- @wordpress/dom to `3.1.5`
- @wordpress/e2e-test-utils to `5.3.1`
- @wordpress/edit-post to `4.1.21`
- @wordpress/edit-widgets to `2.1.21`
- @wordpress/editor to `10.1.17`
- @wordpress/element to `3.1.2`
- @wordpress/escape-html to `2.1.2`
- @wordpress/format-library to `2.1.14`
- @wordpress/html-entities to `3.1.2`
- @wordpress/i18n to `4.1.2`
- @wordpress/icons to `4.0.3`
- @wordpress/interface to `3.1.12`
- @wordpress/keyboard-shortcuts to `2.1.7`
- @wordpress/keycodes to `3.1.2`
- @wordpress/list-reusable-blocks to `2.1.11`
- @wordpress/media-utils to `2.1.2`
- @wordpress/notices to `3.1.6`
- @wordpress/nux to `4.1.11`
- @wordpress/plugins to `3.1.6`
- @wordpress/primitives to `2.1.2`
- @wordpress/priority-queue to `2.1.2`
- @wordpress/react-i18n to `2.1.2`
- @wordpress/redux-routine to `4.1.2`
- @wordpress/reusable-blocks to `2.1.17`
- @wordpress/rich-text to `4.1.6`
- @wordpress/scripts to `16.1.5`
- @wordpress/server-side-render to `2.1.12`
- @wordpress/shortcode to `3.1.2`
- @wordpress/url to `3.1.2`
- @wordpress/viewport to `3.1.6`
- @wordpress/warning to `2.1.2`
- @wordpress/widgets to `1.1.19`
- @wordpress/wordcount to `3.1.2`
Props oandregal, juanmaguitar, gziolo, jblz, talldanwp, ribaricplusplus, peterwisoncc, youknowriad, paaljoachim, kreppar, ellatrix, aristath, walbo, ajlende, kevin940726, mamaduka, ntsekouras, toro_unit, mkaz, joen, noisysocks, zieladam, andraganescu, antonvlasenko, terraling, dariak, vladytimy, circlecube, desrosj.
Merges [51719] to the 5.8 branch.
Fixes #54052, #52818.
Built from https://develop.svn.wordpress.org/branches/5.8@51721
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51327 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Appends the wp-embed-responsive class to the body if the widgets block editor is enabled. This fixes a bug preventing embeds (e.g. YouTube embeds) appearing in the widgets block editor.
Props walbo, kevin940726, noisysocks.
Merges [51716] to the 5.8 branch.
Fixes #53609.
Built from https://develop.svn.wordpress.org/branches/5.8@51720
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51326 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [51422], a few specific edge cases were detailed so that developers using the hook were aware of known pitfalls.
These edge cases have been fixed in 5.8.1 through [51653] and [51704], so the documentation is no longer necessary.
Props azaozz, audrasjb.
Merges [51717] to the 5.8 branch.
Fixes #53955.
Built from https://develop.svn.wordpress.org/branches/5.8@51718
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51324 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Move the cleaning of the `wp-includes/css/dist` folder from `clean:css` to `clean:webpack-assets` to avoid an order of operations issue in which the files were built shortly before being deleted later in the build process.
Follow up to [51689].
Props netweb, ramonopoly, peterwilsoncc.
Merges [51713] to the 5.8 branch.
Fixes #53719.
Built from https://develop.svn.wordpress.org/branches/5.8@51714
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51320 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `get_block_categories()` function expects either a `WP_Post` or a `WP_Block_Editor_Context` instance as the context argument, not a string.
Follow-up to [50996], [50997].
Props Enchiridion, pbearne, audrasjb, SergeyBiryukov.
Merges [51700] to the 5.8 branch.
Fixes #53757.
Built from https://develop.svn.wordpress.org/branches/5.8@51711
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51317 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates the Custom HTML and Media widgets to display the correct fields when adding or editing a widget when using accessibility mode through the Classic Widgets experience.
Follow up to [49973].
Props mark-k, sabernhardt, alexstine, circlecube, audrasjb.
Merges [51701] to the 5.8 branch.
Fixes #53641.
Built from https://develop.svn.wordpress.org/branches/5.8@51710
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51316 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In WordPress 5.8 we added the ability to only load styles for blocks when these blocks are rendered. However, these optimizations left out block-styles that get added using the register_block_style() function/API.
Props aristath, gziolo.
Merges [51471] to the 5.8 branch.
Fixes #53616.
Built from https://develop.svn.wordpress.org/branches/5.8@51696
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51302 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This avoids a fatal error on PHP 8 caused by passing a zero value to `fread()` as the `$length` argument, which must be greater than zero.
This commit also amends the previous solution for similar issues elsewhere in the file to ensure consistent type for string values, instead of changing the type from `string` to `bool` when trying to read from an empty file.
Follow-up to [50355].
Props DavidAnderson, jrf, SergeyBiryukov.
Merges [51686] to the 5.8 branch.
Fixes #54036.
Built from https://develop.svn.wordpress.org/branches/5.8@51694
git-svn-id: http://core.svn.wordpress.org/branches/5.8@51300 1a063a9b-81f0-0310-95a4-ce76da25c4cd