Commit Graph

33031 Commits

Author SHA1 Message Date
John Blackbourn
635d9160af Tests: Correct the public query vars test for the 4.4 branch.
See #35115

Built from https://develop.svn.wordpress.org/branches/4.4@36052


git-svn-id: http://core.svn.wordpress.org/branches/4.4@36017 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-21 08:36:22 +00:00
John Blackbourn
9bfdf6ebd2 Query: Re-initialise any dynamically-added public query vars before running the public query vars test.
Merges [36048] to the 4.4 branch.

Fixes #35115

Built from https://develop.svn.wordpress.org/branches/4.4@36051


git-svn-id: http://core.svn.wordpress.org/branches/4.4@36016 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-21 07:57:24 +00:00
John Blackbourn
8cce3f2f75 Query: Introduce a unit test which will fail when new public query vars are introduced without also updating the test. This adds an extra layer of explicitness to introducing public query vars in order to avoid introducing unintentional clashes with URL query vars that are already in use.
Merges [36045] to the 4.4 branch.

Fixes #35115

Built from https://develop.svn.wordpress.org/branches/4.4@36046


git-svn-id: http://core.svn.wordpress.org/branches/4.4@36011 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-21 05:50:22 +00:00
John Blackbourn
b7fdda8edb Avoid a PHP notice when trying to access the post_parent property of hierarchical post type nav menu items.
Merges [35876] to the 4.4 branch.

Fixes #34446

Built from https://develop.svn.wordpress.org/branches/4.4@36044


git-svn-id: http://core.svn.wordpress.org/branches/4.4@36009 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-21 03:53:25 +00:00
John Blackbourn
ce18aadc7b Login: Revert [34213] and [35897]. It has become apparent that there is a need for a separate function (and corresponding filter) which allows for the login form action URL to differ from the URL used to access the login form, so that plugins or implementations which change the login URL do not need to worry about handling the form submission at the same URL.
For now, we'll revert to the pre-4.4 behaviour of hard-coding the login form action URL as `wp-login.php` and look at implementing a separate function and corresponding filter in 4.5.

Merges [36042] to the 4.4 branch.

Props KrissieV, salcode, JPry
Fixes #34925
Fixes #35103

Built from https://develop.svn.wordpress.org/branches/4.4@36043


git-svn-id: http://core.svn.wordpress.org/branches/4.4@36008 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-21 03:30:27 +00:00
Boone Gorges
d524151147 Respect approval status when determining comment page count in comments_template().
Since 4.4, when fetching the first page of comments and the 'newest' comments
are set to display first, `comments_template()` must perform arithmetic to
determine which comments to show. See #8071. This arithmetic requires the
total comment count for the current post, which is calculated with a separate
`WP_Comment_Query`. This secondary comment query did not properly account for
non-approved comment statuses; all unapproved comments should be part of the
comment count for admins, and individual users should have their own
unapproved comments included in the count. As a result, `comments_template()`
was, in some cases, being fooled into thinking that a post had fewer comments
available for pagination than it actually had, which resulted in empty pages
of comments.

We correct this problem by mirroring 'status' and 'include_unapproved' params
of the main comment query within the secondary query used to calculate pagination.

Merges [36040] to the 4.4 branch.

Fixes #35068.

Built from https://develop.svn.wordpress.org/branches/4.4@36041


git-svn-id: http://core.svn.wordpress.org/branches/4.4@36006 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-21 03:11:21 +00:00
John Blackbourn
472e427731 Comments: When a comment is submitted, ensure the user_ID element in the array that's passed to the preprocess_comment filter gets populated.
Merges [36038] to the 4.4 branch.

Fixes #34997

Built from https://develop.svn.wordpress.org/branches/4.4@36039


git-svn-id: http://core.svn.wordpress.org/branches/4.4@36004 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-21 02:58:23 +00:00
Gary Pendergast
b702c2f95b Texturize: Transform & into &amp; in tag attributes.
[35709] was overly broad, and stopped transforming `&` characters within tag attributes. So that sites aren't generating invalid HTML, we need to restore this functionality, while continuing to not transform `&` within blocked tags.

Merge of [36036] to the 4.4 branch.

Fixes #35008.


Built from https://develop.svn.wordpress.org/branches/4.4@36037


git-svn-id: http://core.svn.wordpress.org/branches/4.4@36002 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-21 02:46:22 +00:00
Gary Pendergast
9510566056 Query: Remove title from the public query vars list.
[33706] added `title` as a public query var, but there's not really a practical need for this, and it interferes with any plugin that uses `title` as a query var for itself.

Merge of [36034] to the 4.4 branch.

Props tyxla.

Fixes #35115.


Built from https://develop.svn.wordpress.org/branches/4.4@36035


git-svn-id: http://core.svn.wordpress.org/branches/4.4@36000 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-21 02:31:23 +00:00
Boone Gorges
25543e5450 Ensure that wp_list_categories() supports comma-separated lists for 'exclude' and 'exclude_tree'.
[34696] introduced a regression whereby comma-separated values for 'exclude'
and 'exclude_tree' would be handled improperly when merging the two parameters,
resulting in category IDs being incorrectly dropped from the combined array.

Merges [36005] to the 4.4 branch.

Props gblsm, hnle.
Fixes #35156.

Built from https://develop.svn.wordpress.org/branches/4.4@36006


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35971 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-18 18:14:21 +00:00
Boone Gorges
72a264e9c0 Ensure get_terms() results are unique when using 'meta_query'.
The introduction of 'meta_query' to `get_terms()` in 4.4 made it possible for
`get_terms()` to erroneously return duplicate results. To address the issue,
we add the `DISTINCT` keyword to the SQL query when a 'meta_query' parameter
has been provided.

Merges [36003] to the 4.4 branch.

Props @jadpm.
Fixes #35137.

Built from https://develop.svn.wordpress.org/branches/4.4@36004


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35969 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-18 17:49:22 +00:00
Dion Hulse
6c1286390f The wp-config-sample.php file is deliberately CRLF to recognise the fact that when it's used, it's likely to be edited on a line-endings unfriendly editor.
See [2370] and [5457]
See #28187


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35925 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-16 09:58:26 +00:00
Dion Hulse
a44134a96d Filesystem: Revert [33648] and [34733]. Unfortunately, these have caused issues for some servers, while fixing it for others.
See #28013
Fixes #34976 for the 4.4 branch

Built from https://develop.svn.wordpress.org/branches/4.4@35945


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35909 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-15 02:37:26 +00:00
Boone Gorges
f3a8396502 After [35934], ensure get_comment_link() test works without shared fixtures.
`get_comment_link()` test fixtures are shared in trunk as of [35857]. This
change was not backported to the 4.4 branch, so the 4.4 test should not
expect shared fixtures.

See #34946.
Built from https://develop.svn.wordpress.org/branches/4.4@35936


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35900 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-14 21:10:25 +00:00
Boone Gorges
92e152cc2e Omit cpage query var in comment link if comment pagination is disabled.
WP 4.4 changed the way comment pagination is calculated. See #8071. In the
context of `get_comment_link()`, these changes introduced a regression that
causes `cpage` (or its pretty-permalink correlate `comment-page-x`) to appear
in comment links when comment pagination is disabled. The current changeset
fixes the regression.

Merges [35933] to the 4.4 branch.

Fixes #34946.

Built from https://develop.svn.wordpress.org/branches/4.4@35934


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35898 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-14 19:57:26 +00:00
Boone Gorges
6130060b53 Don't use array_merge() when building comment children arrays.
`array_merge()` is much slower than building the combined array using a
`foreach` loop. The performance difference was causing a speed regression with
the `get_children()` functionality introduced in 4.4.

Merges [35931] to the 4.4 branch.

Props rogerhub.
Fixes #35025.

Built from https://develop.svn.wordpress.org/branches/4.4@35932


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-14 19:40:45 +00:00
Dion Hulse
57d0720db7 HTTP: Partially revert [34283] which removed the 1024bit certificates from our trust store.
Most browsers no longer trust 1024bit certificates, or certificates signed by them, instead verifying them by a trusted intermediate or a cross-sign from another trusted certificate.

Unfortunately, as it turns out, OpenSSL prior to 1.0.1g cannot correctly handle certificate chains such as this, even if one of the intermediates is trusted.
The solution is that we need to continue to trust the 1024bit legacy root certificates for the foreseeable future.

This adds the following certificates back into our trust store:
{{{
GTE CyberTrust Global Root
Thawte Server CA
Thawte Premium Server CA
Verisign Class 3 Public Primary Certification Authority
Verisign Class 3 Public Primary Certification Authority - G2
ValiCert Class 1 VA
ValiCert Class 2 VA
RSA Root Certificate 1
Entrust.net Secure Server CA
Equifax Secure Global eBusiness CA
Equifax Secure eBusiness CA 1
America Online Root Certification Authority 1
America Online Root Certification Authority 2
NetLock Business (Class B) Root
NetLock Express (Class C) Root
Verisign Class 3 Public Primary Certification Authority
}}}

Props rmccue.
Merges [35919] to the 4.4 branch.
Fixes #34935.

Built from https://develop.svn.wordpress.org/branches/4.4@35921


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35885 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-14 05:25:26 +00:00
Dominik Schilling
5aedff09ce Bump package.json and readme.html to 4.4.1 in the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@35852


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35816 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-10 10:56:27 +00:00
Boone Gorges
9c18a6c284 Improve handling for WP_Error objects in get_the_terms().
`wp_get_object_terms()` can return a `WP_Error` object. As such, the
`get_the_terms()` cache wrapper should handle them properly. To wit:

* Don't try to map an error object to `get_term()`. Introduced in [35032].
* Don't cache an error object as taxonomy relationships. Introduced in at least [16487], maybe earlier.

Ports [35850] to the 4.4 branch.

Props stephenharris.
Fixes #34723.

Built from https://develop.svn.wordpress.org/branches/4.4@35851


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35815 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-10 03:44:26 +00:00
Dion Hulse
92e15f6a8b The 4.4 branch is now 4.4.1-alpha.
Built from https://develop.svn.wordpress.org/branches/4.4@35843


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35807 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-09 01:14:27 +00:00
Scott Taylor
0fdd938601 WordPress 4.4
Built from https://develop.svn.wordpress.org/branches/4.4@35841


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35805 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-08 23:44:26 +00:00
Dominik Schilling
c622fdb9c1 About Page: Add release video and update post embed.
Merge of [35839] to the 4.4 branch.

Props camikaos, siobhan, rosso99, wonderboymusic.
Fixes #34663.
Built from https://develop.svn.wordpress.org/branches/4.4@35840


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35804 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-08 23:29:26 +00:00
Dominik Schilling
6b79cadc1e Install/Upgrade: Keep indexing bots away until a site is ready to be seen.
Merge of [35837] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@35838


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35802 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-08 22:02:27 +00:00
Dominik Schilling
f75b183b3b Add missing svn:mergeinfo properties for [35835].
Built from https://develop.svn.wordpress.org/branches/4.4@35836


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35800 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-08 20:40:27 +00:00
Dominik Schilling
7f2c431126 About Page: Use w.org CDN, use ReverbNation instead of Cloudup, adjust the layout.
Merge of [35832], [35833], and [35834] to the 4.4 branch.

See #34663.
Built from https://develop.svn.wordpress.org/branches/4.4@35835


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35799 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-08 20:34:27 +00:00
Dominik Schilling
be0ea369a0 Bundled Themes: Update POT files.
Merge of [35829] to the 4.4 branch.

See #34804.
Built from https://develop.svn.wordpress.org/branches/4.4@35830


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35794 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-08 15:20:27 +00:00
Scott Taylor
00f759f00b About Page: use the source of the Make/Core Embed response instead of discovering it (or reading from the cache) every time.
Merge of [35826] to the 4.4 branch.
See #34663.

Built from https://develop.svn.wordpress.org/branches/4.4@35828


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35792 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-08 03:44:25 +00:00
Scott Taylor
d4e91bb53a About Page: use srcset for images, also known as Recursive Dogfooding.
Merge of [35825] to the 4.4 branch.

Props joemcgill.
See #34663.

Built from https://develop.svn.wordpress.org/branches/4.4@35827


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35791 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-08 03:43:26 +00:00
Dominik Schilling
264b0beca2 About Page: Add Cloudup embed and cache the embeds as site transients.
Merge of [35823] to the 4.4 branch.

Props wonderboymusic.
See #34663.
Built from https://develop.svn.wordpress.org/branches/4.4@35824


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35788 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-07 23:32:27 +00:00
Dominik Schilling
8529c19a8d Media: Don't generate responsive image attributes if src does not match ID in wp-image- class.
We rely on the `wp-image-` class to quickly find an attachment ID to add responsive image attributes.
To avoid incorrect images being displayed, do not add these attributes if the `src` does not match the
meta from the attachment ID in the class.

Merge of [35820] to the 4.4 branch.

Props azaozz, kovshenin, joemcgill, mikeschroder.
See #34898.
Built from https://develop.svn.wordpress.org/branches/4.4@35821


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35785 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-07 20:29:26 +00:00
Dominik Schilling
41f0bf0bc1 List Tables: Revert [34728] and [35482].
Part of [34728] was already reverted in [35682], but the default values still made it impossible to set a default ordering for custom post types.

Merge of [35818] for the 4.4 branch.

See #25493.
Fixes #34825.
Built from https://develop.svn.wordpress.org/branches/4.4@35819


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35783 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-07 20:08:26 +00:00
Dominik Schilling
2a9083b97e Docs: After [35314], fix the DocBlock for url_shorten().
Merge of [35813] for the 4.4 branch.

Props swissspidy.
See #20166.
Built from https://develop.svn.wordpress.org/branches/4.4@35815


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35779 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-07 17:06:25 +00:00
Dominik Schilling
69aeed3bdc About: Sync tagline from about page with credits and freedoms.
Merge of [35812] to the 4.4 branch.
See #34663.
Built from https://develop.svn.wordpress.org/branches/4.4@35814


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35778 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-07 16:59:27 +00:00
Dion Hulse
b5e67b1bc9 Bundled Themes: Bump version numbers in default themes.
Merges [35802] to the 4.4 branch.
Props davidakennedy.
Fixes #34804.

Built from https://develop.svn.wordpress.org/branches/4.4@35806


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35770 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-06 22:10:25 +00:00
Mark Jaquith
6d8f8813a3 About Page: Add the WordPress 4.4 tagline.
"Connected" because of REST API and cross-site embeds.
"Responsive" because of responsive images and under-the-hood tweaks.

See #34663 for the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@35798


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35762 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-06 21:56:59 +00:00
Andrew Nacin
d9d09aac8c Branch 4.4
Built from https://develop.svn.wordpress.org/branches/4.4@35775


git-svn-id: http://core.svn.wordpress.org/branches/4.4@35739 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-06 15:47:09 +00:00
Andrew Nacin
0cf9d8b922 Add initial_db_version to wp_version_check().
fixes #34854.

Built from https://develop.svn.wordpress.org/trunk@35774


git-svn-id: http://core.svn.wordpress.org/trunk@35738 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-06 15:44:27 +00:00
Scott Taylor
4ae83ec7ec REST API: Core typically sends nocache headers on all auth'ed responses, as in wp, admin-ajax, etc. Because the REST API infrastructure is hooked in pre-wp, we should be setting this ourselves.
Adds unit tests.

Props joehoyle.
Fixes #34832.

Built from https://develop.svn.wordpress.org/trunk@35773


git-svn-id: http://core.svn.wordpress.org/trunk@35737 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 23:36:25 +00:00
Boone Gorges
43d1ab4720 Use 'invalid_username' error code when tripping 'illegal_user_logins'.
This gives us better compatibility with existing errors thrown by
`sanitize_user()`, especially in Multisite, where user_login has more
restrictions on allowed characters.

Props markjaquith.
Fixes #27317.
Built from https://develop.svn.wordpress.org/trunk@35772


git-svn-id: http://core.svn.wordpress.org/trunk@35736 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 23:25:26 +00:00
Aaron Jorbin
c589ceb880 Make comment screen row actions focusable
In [34504], tabbing through row actions on comments that lacked links was broken. This restores the desired behavior and ensures that the row actions can be seen by no-js users.

Second Permanent Committer sign off was by WonderBoyMusic

See #15520
Fixes #34791
Props afercia, azaozz


Built from https://develop.svn.wordpress.org/trunk@35771


git-svn-id: http://core.svn.wordpress.org/trunk@35735 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 23:13:24 +00:00
Scott Taylor
9ea3f9f676 Canonical: introduce strip_fragment_from_url() and use when comparing URLs in redirect_canonical().
Props tellyworth.
Fixes #19918.

Built from https://develop.svn.wordpress.org/trunk@35770


git-svn-id: http://core.svn.wordpress.org/trunk@35734 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 23:11:26 +00:00
Drew Jaynes
ef1280f770 About page: Make strings translatable.
See #34663.

Built from https://develop.svn.wordpress.org/trunk@35769


git-svn-id: http://core.svn.wordpress.org/trunk@35733 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 18:09:25 +00:00
Drew Jaynes
7b20f48413 About page: Final string changes.
Props petya, ocean90, DrewAPicture
See #34663.

Built from https://develop.svn.wordpress.org/trunk@35768


git-svn-id: http://core.svn.wordpress.org/trunk@35732 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 17:55:28 +00:00
Dominik Schilling
3be896b142 Unit Tests: Implement addWarning() method in SpeedTrapListener.
The method was introduced in PHPUnit 5.1.0, released today.

Fixes #34846.
Built from https://develop.svn.wordpress.org/trunk@35767


git-svn-id: http://core.svn.wordpress.org/trunk@35731 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 16:41:26 +00:00
Drew Jaynes
65fb187505 About page: Add non-breaking spaces to "Reddit Comments" and "Speaker Deck" oEmbed provider names to prevent line wrapping between the words.
Props ocean90.
See #34663.

Built from https://develop.svn.wordpress.org/trunk@35766


git-svn-id: http://core.svn.wordpress.org/trunk@35730 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 16:27:25 +00:00
Drew Jaynes
3e1f22c196 About page: Fix some minor string errors and simplify URL-building for the plugin install link for capable users.
Props ocean90, DrewAPicture
See #34663.

Built from https://develop.svn.wordpress.org/trunk@35765


git-svn-id: http://core.svn.wordpress.org/trunk@35729 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 16:13:28 +00:00
Dominik Schilling
7250749032 Reset Password: Add a missing new operator for WP_Error in get_password_reset_key().
Missed in [34923].

Fixes #34180.

Built from https://develop.svn.wordpress.org/trunk@35764


git-svn-id: http://core.svn.wordpress.org/trunk@35728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 15:31:26 +00:00
Drew Jaynes
de586c98c4 First pass of the 4.4 about page. Adds strings (not yet translatable) and screen shots (not CDN).
Props wonderboymusic, markjaquith, helen, nacin, liljimmi, mordauk, melchoyce, ryelle, ocean90, DrewAPicture
See #34663.

Built from https://develop.svn.wordpress.org/trunk@35763


git-svn-id: http://core.svn.wordpress.org/trunk@35727 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 12:24:26 +00:00
Andrew Nacin
9834e9993a Embeds: Enforce, via unit tests, the no-ampersand rule for wp-embed.js.
fixes #34698.

Built from https://develop.svn.wordpress.org/trunk@35762


git-svn-id: http://core.svn.wordpress.org/trunk@35726 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 05:46:25 +00:00
Scott Taylor
8cf8e2c66d WP oEmbed: validate the secret sent via postMessage in wp.receiveEmbedMessage. Also, compare window instances.
In the data sent to us from the embedded iframe by postMessage(), the secret value is being used directly in a document.querySelectorAll() call without first being validated or escaped.

In theory, this could lead to some broken embeds.

Props mdawaffe.
Fixes #34831.

Built from https://develop.svn.wordpress.org/trunk@35761


git-svn-id: http://core.svn.wordpress.org/trunk@35725 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-03 20:17:25 +00:00