Commit Graph

16997 Commits

Author SHA1 Message Date
whyisjake
b2b0e0d427 General: WordPress updates
* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Brings the changes from [49380,49382-49388] to the 4.2 branch.

Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.

Built from https://develop.svn.wordpress.org/branches/4.2@49404


git-svn-id: http://core.svn.wordpress.org/branches/4.2@49163 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-29 19:08:22 +00:00
desrosj
370ecdfd1a WordPress 4.2.28.
Built from https://develop.svn.wordpress.org/branches/4.2@48001


git-svn-id: http://core.svn.wordpress.org/branches/4.2@47769 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 21:39:36 +00:00
whyisjake
426696ba21 General: Backport several commits for release.
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding on by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.
Merges [47947-47951] to the 4.2 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.

Built from https://develop.svn.wordpress.org/branches/4.2@47970


git-svn-id: http://core.svn.wordpress.org/branches/4.2@47741 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-10 18:53:51 +00:00
desrosj
08db0ad5a5 WordPress 4.2.27
Built from https://develop.svn.wordpress.org/branches/4.2@47678


git-svn-id: http://core.svn.wordpress.org/branches/4.2@47455 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 18:03:27 +00:00
whyisjake
7077580716 User: Invalidate user_activation_key on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.

Brings the changes in [47634], [47635], [47637], and [47638] to the 4.2 branch.

Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, whyisjake, whyisjake, xknown.

Built from https://develop.svn.wordpress.org/branches/4.2@47657


git-svn-id: http://core.svn.wordpress.org/branches/4.2@47434 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-29 16:52:22 +00:00
Sergey Biryukov
00ae10906e WordPress 4.2.26
Built from https://develop.svn.wordpress.org/branches/4.2@46931


git-svn-id: http://core.svn.wordpress.org/branches/4.2@46731 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 20:32:20 +00:00
Sergey Biryukov
7bfe4a912f Update wp_kses_bad_protocol() to recognize : on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 4.2 branch.

Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.2@46910


git-svn-id: http://core.svn.wordpress.org/branches/4.2@46710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:41:21 +00:00
desrosj
229d71e0f8 WordPress 4.2.25.
Built from https://develop.svn.wordpress.org/branches/4.2@46518


git-svn-id: http://core.svn.wordpress.org/branches/4.2@46315 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 20:15:21 +00:00
whyisjake
1fcbdb46e6 Backporting several bug fixes.
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
- Customizer: Properly sanitize background images.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@46500


git-svn-id: http://core.svn.wordpress.org/branches/4.2@46297 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 19:15:22 +00:00
desrosj
de854c38b5 WordPress 4.2.24.
Built from https://develop.svn.wordpress.org/branches/4.2@46036


git-svn-id: http://core.svn.wordpress.org/branches/4.2@45848 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 22:03:21 +00:00
desrosj
43cac2c9d4 Fix for URL sanitization in wp_kses_bad_protocol_once().
Merges [45997] to the 4.2 branch.

Props irsdl, sstoqnov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/4.2@46012


git-svn-id: http://core.svn.wordpress.org/branches/4.2@45823 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 21:41:35 +00:00
Sergey Biryukov
561924df40 Improve URL validation in wp_validate_redirect().
Merges [45971] to the 4.2 branch.
Props vortfu, whyisjake, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.2@45983


git-svn-id: http://core.svn.wordpress.org/branches/4.2@45794 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:14:58 +00:00
whyisjake
ca92ecbe61 Remove _convert_urlencoded_to_entities() from the get_the_content() callback.
Merges [45937] to the 4.2 branch.

Props vortfu, whyisjake, peterwilsoncc

Built from https://develop.svn.wordpress.org/branches/4.2@45961


git-svn-id: http://core.svn.wordpress.org/branches/4.2@45772 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 16:43:20 +00:00
Gary Pendergast
ebbc9ff12e WordPress 4.2.23
Built from https://develop.svn.wordpress.org/branches/4.2@44882


git-svn-id: http://core.svn.wordpress.org/branches/4.2@44713 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-03-13 01:43:20 +00:00
Jeremy Felt
3efe9a5fdb Bump 4.2 branch to version 4.2.22.
Built from https://develop.svn.wordpress.org/branches/4.2@44085


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43915 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 02:15:37 +00:00
Peter Wilson
303bd241f3 Multisite: Validate activation links.
Merges [44048] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@44065


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43895 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:51:37 +00:00
iandunn
2d9f6ab9dd KSES: Make the URI attributes DRY.
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.

Merges [44014] and [44017] to the `4.2` branch.

Built from https://develop.svn.wordpress.org/branches/4.2@44042


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43872 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 01:16:20 +00:00
Peter Wilson
7000d8a45f Multisite: Improve messaging for previously activated users.
Ensure activation of a site is not attempted multiple times and users are shown the correct message if they follow the link a second time.

Merges [44021] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@44034


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43864 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:56:19 +00:00
Gary Pendergast
0e98d850b9 KSES: Conditionally remove the <form> element from $allowedposttags.
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.

Merges [43994] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@44008


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43838 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:40:39 +00:00
Jeremy Felt
f91b78ec58 Media: Improve verification of MIME file types.
Merges [43988] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@43998


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43830 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:18:20 +00:00
Aaron Campbell
61881c7156 Bump 4.2 branch to version 4.2.21
Built from https://develop.svn.wordpress.org/branches/4.2@43414


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43242 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 16:13:28 +00:00
John Blackbourn
ef0bb8bab1 Media: Limit thumbnail file deletions to the same directory as the original file.
Merges [43393] into the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@43400


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43228 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 15:06:23 +00:00
Aaron Campbell
dac39608a3 Bump 4.2 branch to version 4.2.20
Built from https://develop.svn.wordpress.org/branches/4.2@42940


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42770 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 20:31:29 +00:00
Dominik Schilling
93cae5c2ab Template: Make sure the version string is correctly escaped for use in attributes.
Merge of [42893] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@42924


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42754 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-03 16:10:29 +00:00
Dion Hulse
e74c55ff6d Bump the 4.2 branch to 4.2.19.
Built from https://develop.svn.wordpress.org/branches/4.2@42501


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42330 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 21:45:31 +00:00
Dion Hulse
507c958ab6 External Libraries: Remove unnecessary / obsoleted MediaElement.js files.
Merges [42478] to the 4.2 branch.
Fixes #42720 for 4.2.

Built from https://develop.svn.wordpress.org/branches/4.2@42484


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42313 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-01-16 08:12:32 +00:00
John Blackbourn
ec85529fb7 Bump 4.2 branch to version 4.2.18.
Built from https://develop.svn.wordpress.org/branches/4.2@42323


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42152 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 19:02:31 +00:00
John Blackbourn
64c1ec2877 Hardening: Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.
Merges [42261] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@42295


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42124 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:35:01 +00:00
John Blackbourn
a8df162eea Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
Merges [42260] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@42294


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42123 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:34:32 +00:00
John Blackbourn
63cc2673a1 Hardening: Add escaping to the language attributes used on html elements.
Merges [42259] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@42293


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42122 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:33:54 +00:00
Dion Hulse
9dadfcb012 WPDB: Check that AUTH_SALT is not empty, Fix a PHP notice when AUTH_SALT is undefined.
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.2 branch.
Fixes #42431 and #42401 for 4.2.

Built from https://develop.svn.wordpress.org/branches/4.2@42236


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42065 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-27 01:12:56 +00:00
Gary Pendergast
eb5a635d04 Bump 4.2 branch to version 4.3.17.
Built from https://develop.svn.wordpress.org/branches/4.2@42075


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41904 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 13:42:30 +00:00
Gary Pendergast
86acf8b033 Database: Restore numbered placeholders in wpdb::prepare().
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

Merges [41662], [42056] to the 4.2 branch.
See #41925.


Built from https://develop.svn.wordpress.org/branches/4.2@42063


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41892 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-10-31 12:51:31 +00:00
Dominik Schilling
c4fb8dfbf1 Bump 4.2 branch to version 4.2.16.
Built from https://develop.svn.wordpress.org/branches/4.2@41516


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41349 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 20:03:31 +00:00
Aaron Campbell
a964c2ba2e Database: Hardening to bring wpdb::prepare() inline with documentation.
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.

Merges [41496] to 4.2 branch.


Built from https://develop.svn.wordpress.org/branches/4.2@41503


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41336 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 18:31:29 +00:00
Aaron Campbell
79e0bb13d4 Database: Don’t trigger _doing_it_wrong() for null values in wpdb::prepare().
While `wpdb::prepare()` does not support null values (see #12819) they still appear in the wild like in the WordPress Importer and other plugins.

Merges [41483] to 4.2 branch.


Built from https://develop.svn.wordpress.org/branches/4.2@41490


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41323 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 16:25:54 +00:00
Aaron Campbell
be9edc6bc3 Database: Hardening for wpdb::prepare()
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 4.2 branch.


Built from https://develop.svn.wordpress.org/branches/4.2@41477


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41310 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 15:03:30 +00:00
Dominik Schilling
74df39530d TinyMCE: Improve the previews for shortcodes.
Merge of [41395] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@41441


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41274 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 12:44:31 +00:00
Dominik Schilling
ecf502b597 Editor: Prevent adding javascript: and data: URLs through the inline link dialog.
Merge of [41393] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@41406


git-svn-id: http://core.svn.wordpress.org/branches/4.2@41239 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 10:19:28 +00:00
Aaron Campbell
a01117bf0d Bump 4.2 branch to version 4.2.15.
Built from https://develop.svn.wordpress.org/branches/4.2@40753


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40611 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 21:52:23 +00:00
Pascal Birchler
7f8136dfd7 Media: Simplify upload error message construction.
Merges [40736] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40742


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40600 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 18:03:56 +00:00
Dominik Schilling
8f47014af6 Customize: Ignore invalid customization sessions.
Merge of [40704] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@40710


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40573 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 12:19:29 +00:00
Pascal Birchler
92f3fdb956 Adjust post meta checks
Merges [40692] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40698


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40561 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:52:55 +00:00
Pascal Birchler
7fc612abfb Whitelist post arguments in XML-RPC
Merges [40677] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40683


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40546 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-16 08:24:31 +00:00
Pascal Birchler
5565b98dde Bump 4.2 branch to version 4.2.14.
Built from https://develop.svn.wordpress.org/branches/4.2@40492


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40368 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-04-20 16:26:30 +00:00
James Nylen
b9a98e7562 Bump 4.2 branch to version 4.2.13.
Built from https://develop.svn.wordpress.org/branches/4.2@40207


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40146 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 16:32:30 +00:00
Aaron Campbell
db266e95e1 Strip control characters before validating redirect.
Merges [40183] to 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40189


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40128 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 13:44:24 +00:00
Dominik Schilling
462631b8cc Embeds: URL encode YouTube video IDs for broader compatibility.
Merge of [40160] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@40166


git-svn-id: http://core.svn.wordpress.org/branches/4.2@40105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 12:07:35 +00:00
Aaron Campbell
f449b0a0ce Bump 4.2 branch to version 4.2.12.
Built from https://develop.svn.wordpress.org/branches/4.2@40001


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39938 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 18:25:29 +00:00
Dominik Schilling
b7509648b8 Query: Ensure that queries work correctly with post type names with special characters.
Merge of [39952] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@39961


git-svn-id: http://core.svn.wordpress.org/branches/4.2@39898 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-26 13:52:00 +00:00