This changeset adds Unicode sequence normalization from NFD to NFC, via the `normalizer_normalize()` PHP function which is available with the recommended `intl` PHP extension.
This fixes an issue where NFD characters were not properly sanitized. It also provides a unit test for NFD sequences (alternate Unicode representations of the same characters).
Props NumidWasNotAvailable, targz, nacin, nunomorgadinho, p_enrique, gitlost, SergeyBiryukov, markoheijnen, mikeschroder, ocean90, pento, helen, rodrigosevero, zodiac1978, ironprogrammer, audrasjb, azaozz, laboiteare, nuryko, virgar, dxd5001, onnimonni, johnbillion.
Fixes#24661, #47763, #35951.
See #30130, #52654.
Built from https://develop.svn.wordpress.org/trunk@53754
git-svn-id: http://core.svn.wordpress.org/trunk@53313 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage.
Follow-up to [11383], [13096], [51597], [53452].
Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes#55852.
Built from https://develop.svn.wordpress.org/trunk@53455
git-svn-id: http://core.svn.wordpress.org/trunk@53044 1a063a9b-81f0-0310-95a4-ce76da25c4cd
A general security rule is "Sanitize when you save, escape when you echo".
In WordPress 5.9, `sanitize_url()` was un-deprecated in order to better align with the naming of other sanitizing functions, while still being an alias for `esc_url_raw()`.
This commit reverses the order and turns `esc_url_raw()` into a wrapper for `sanitize_url()`, making the latter the canonical function call and aiming to improve performance by reducing the number of function calls required when using the recommended technique.
Follow-up to [11383], [13096], [51597].
Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
See #55852.
Built from https://develop.svn.wordpress.org/trunk@53452
git-svn-id: http://core.svn.wordpress.org/trunk@53041 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change improves the `esc_xml()` function by replacing two `empty()` checks with `isset()` to cover values that are not equal to `''` but still returning `true` when checked with `empty()`, like `'0'`, `0` or `false`. It also updates the related unit tests accordingly.
Props rumpel2116, pbiron.
Fixes#55399.
Built from https://develop.svn.wordpress.org/trunk@53144
git-svn-id: http://core.svn.wordpress.org/trunk@52733 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This highlights the fact that `remove_accents()` is locale-aware and makes it easier to utilize the function with different locales without having to use `switch_to_locale()` or the `locale` filter.
Additionally, this commit relaxes the check for character replacements in German locales to include formal and informal variants of any `de_*` locale, even if WordPress does not have a native translation for some of them yet.
Props malthert, johnbillion, knutsp, ocean90, SergeyBiryukov.
Fixes#54415.
Built from https://develop.svn.wordpress.org/trunk@52809
git-svn-id: http://core.svn.wordpress.org/trunk@52398 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The developer facing humor in these functions were from a different era of WordPress. Tolerance for in-jokes and other developer facing humor has decreased over the years. Terms like "pee" and "tinkle" may make some folks chuckle while for others it makes them uncomfortable.
Terminology of the past is being (or has been) re-evaluated to transform words into a language that are inclusive and welcome for all. This commit is part of that effort as it replaces.
Follow-up [13], [9255].
Props ricomoorman, tzipporahwitty, ironprogrammer, peterwilsoncc, jeremyfelt, Viper007Bond, rmccue, SergeyBiryukov, hellofromTonya.
Fixes#25615.
Built from https://develop.svn.wordpress.org/trunk@52789
git-svn-id: http://core.svn.wordpress.org/trunk@52378 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This is a follow-up to [52292] which introduced `is_string()` to check the given key is a string to be sanitized, else the key is set to an empty string.
`sanitize_key()` is clearly identified (in the documentation) to only work with ''string'' keys. However, it had a bug in it that allowed non-strings to pass through it:
* A non-scalar "key" would throw a PHP Warning (which was resolved in [52292].
* A non-string scalar "key" was handled by the PHP native `strtolower()` which converted it into a string.
While `is_string()` is valid, non-string scalar types passed as the key to be sanitized were being set to an empty string. Given that `strtolower()` handles these without error or deprecation as of PHP 8.1, `is_scalar()` protects the website from issues while retaining the past behavior of converting integer keys (for example) into a string.
Changes include:
* Using `is_scalar()` instead of `is_string()`
* Refactor for readability and less code
* More tests
Please note, this does not change the behavior of the function, nor redefine it to now accept non-string scalars.
References:
* https://developer.wordpress.org/reference/functions/sanitize_key/
* https://www.php.net/manual/en/function.strtolower.php
Follow-up [52292].
Props wppunk, hellofromTonya, costdev, jrf.
Fixes#54160.
Built from https://develop.svn.wordpress.org/trunk@52370
git-svn-id: http://core.svn.wordpress.org/trunk@51962 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The task was previously used to ensure that `/*! This file is auto-generated */` comment is not included on front end as part of the inline emoji detection script.
As the `wp-emoji-loader.js` script is now included via `file_get_contents()` and `wp_print_inline_script_tag()` instead of `grunt-include` to simplify the logic, the task does not find anything to replace and is no longer necessary.
Additionally, include a line break before the `wp-emoji-loader.js` script content for better line wrapping.
Follow-up to [48096], [50651], [52132].
See #44632, #44306, #53363.
Built from https://develop.svn.wordpress.org/trunk@52325
git-svn-id: http://core.svn.wordpress.org/trunk@51917 1a063a9b-81f0-0310-95a4-ce76da25c4cd
To prevent potential false negatives, set `$error` to `null` initially, so we can better tell if it was ever changed during the sanitization and be able to better react if an empty string is added to it.
Additionally, and mainly for the sake of the Settings API at this point, add error messages to some `WP_Error` objects returned from `wpdb` methods that were previously causing the issues here.
Follow-up to [32791].
Props iCaleb, audrasjb, hellofromTonya, SergeyBiryukov.
Fixes#53986.
Built from https://develop.svn.wordpress.org/trunk@52294
git-svn-id: http://core.svn.wordpress.org/trunk@51886 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`sanitize_key()` expects a string type for the given `key`. Passing any other data type to `strtolower()` can result in `E_WARNING: strtolower() expects parameter 1 to be string, array given`.
A check is added that if the key is not a string, the key is set to an empty string. For performance, the additional string processing is skipped if the key is an empty string.
This change maintains backwards-compatibility for valid string keys while fixing the bug of non-string keys.
Props costdev, dd32.
Fixes#54160.
Built from https://develop.svn.wordpress.org/trunk@52292
git-svn-id: http://core.svn.wordpress.org/trunk@51884 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds `track` and `wbr` support for single tags.
Adds `article`, `aside`, `details`, `figure`, and `section` for nestable tags.
Updates tests.
Follow-up to [5805], [21828], [45929].
Props glendaviesnz, costdev, talldanwp, ramonopoly, sergeybiryukov.
Fixes#50225.
Built from https://develop.svn.wordpress.org/trunk@52188
git-svn-id: http://core.svn.wordpress.org/trunk@51780 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Prevent loading `wp-embed` script unconditionally on every page in favor of conditionally enqueueing when a post embed is detected. The `wp-embed` script is also explicitly marked as being in the footer group. Sites which currently disable post embed scripts from being enqueued via `remove_action( 'wp_head', 'wp_oembed_add_host_js' )` will continue to do so.
* Send a `ready` message from the host page to each post embed window in case the `iframe` loads before the `wp-embed` script does. When the `ready` message is received by the post embed window, it sends the same `height` message as it sends when it loads.
* Eliminate use of `grunt-include` to inject emoji script and the post embed script. Instead obtain the script contents via `file_get_contents()` (as is done elsewhere in core) and utilize `wp_print_inline_script_tag()`/`wp_get_inline_script_tag()` to construct out the script. This simplifies the logic and allows the running of src without `SCRIPT_DEBUG` enabled.
* For the embed code that users are provided to copy for embedding outside of WP, add the `secret` on the `blockquote` and `iframe`. This ensures the `blockquote` will be hidden when the `iframe` loads. The embed code in question is accessed here via `get_post_embed_html()`.
Props westonruter, swissspidy, pento, flixos90, ocean90.
Fixes#44632, #44306.
Built from https://develop.svn.wordpress.org/trunk@52132
git-svn-id: http://core.svn.wordpress.org/trunk@51724 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change prevents non-visible characters in titles from creating encoded values in permalinks, opting instead for the following replacement strategy:
* Non-visible non-zero-width characters are replaced with hyphens
* Non-visible zero-width characters are removed entirely
Included with this change are 64 additional PHPUnit assertions to confirm that only the targeted non-visible characters are sanitized as intended.
Before this change, URLs would unintentionally contain encoded values where these non-visible characters were. After this change, URLs intentionally strip out or hyphenate these non-visible characters.
Props costdev, dhanendran, hellofromtonya, paaljoachim, peterwilsoncc, poena, sergeybiryukov.
Fixes#47912.
Built from https://develop.svn.wordpress.org/trunk@51984
git-svn-id: http://core.svn.wordpress.org/trunk@51573 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes `parse_str(): Passing null to parameter #1 ($string) of type string is deprecated` notices on PHP 8.1, without change in behaviour.
Impact: 311 of the pre-existing tests are affected by this issue.
The PHP native `parse_str()` function expects a string, however, based on the failing tests, it is clear there are functions in WordPress which passes a non-string – including `null` – value to the `wp_parse_str()` function, which would subsequently pass it onto the PHP native function without further input validation.
Most notable offender is the `wp_parse_args()` function which special cases arrays and objects, but passes everything else off to `wp_parse_str()`.
Several ways to fix this issue have been explored, including checking the received value with `is_string()` or `is_scalar()` before passing it off to the PHP native `parse_str()` function.
In the end it was decided against these in favor of a string cast as:
* `is_string()` would significantly change the behavior for anything non-string.
* `is_scalar()` up to a point as well, as it does not take objects with a `__toString()` method into account.
Executing a string cast on the received value before passing it on maintains the pre-existing behavior while still preventing the deprecation notice coming from PHP 8.1.
Reference: [https://www.php.net/manual/en/function.parse-str.php PHP Manual: parse_str()]
Follow-up to [5709].
Props jrf, hellofromTonya, lucatume, SergeyBiryukov.
See #53635.
Built from https://develop.svn.wordpress.org/trunk@51624
git-svn-id: http://core.svn.wordpress.org/trunk@51230 1a063a9b-81f0-0310-95a4-ce76da25c4cd
A general security rule is "Sanitize when you save, escape when you echo", and for the most part WordPress has well-named functions like `sanitize_email()` and others, with `esc_url_raw()` being a single exception that does not follow the naming.
This commit restores the previously deprecated `sanitize_url()` function as a valid alias of `esc_url_raw()`.
This better aligns with the naming with other `sanitize_*()` functions:
* `sanitize_bookmark()`
* `sanitize_bookmark_field()`
* `sanitize_category()`
* `sanitize_category_field()`
* `sanitize_comment_cookies()`
* `sanitize_email()`
* `sanitize_file_name()`
* `sanitize_hex_color()`
* `sanitize_hex_color_no_hash()`
* `sanitize_html_class()`
* `sanitize_key()`
* `sanitize_meta()`
* `sanitize_mime_type()`
* `sanitize_option()`
* `sanitize_post()`
* `sanitize_post_field()`
* `sanitize_sql_orderby()`
* `sanitize_term()`
* `sanitize_term_field()`
* `sanitize_text_field()`
* `sanitize_textarea_field()`
* `sanitize_title()`
* `sanitize_title_for_query()`
* `sanitize_title_with_dashes()`
* `sanitize_trackback_urls()`
* `sanitize_user()`
* `sanitize_user_field()`
Follow-up to [11383], [13096].
Props Ipstenu, aadilali.
Fixes#53876.
Built from https://develop.svn.wordpress.org/trunk@51597
git-svn-id: http://core.svn.wordpress.org/trunk@51208 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This version introduces support for the latest Emoji added in version Emoji 13.1, which includes “face in clouds”, “face exhaling”, and of course, “face with spiral eyes”.
A new corresponding folder has been pushed to WordPress.org in [dotorg:17419].
Rages deep within, ❤️🔥.
Props kraftbj., desrosj.
Fixes#52852.
Built from https://develop.svn.wordpress.org/trunk@51113
git-svn-id: http://core.svn.wordpress.org/trunk@50722 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add support for uploading, editing and saving WebP images when supported by the server.
Add 'image/webp' to supported mime types. Correctly identify WebP images and sizes even when PHP doesn't support WebP. Resize uploaded WebP files (when supported) and use for front end markup.
Props markoheijne, blobfolio, Clorith, joemcgill, atjn, desrosj, spacedmonkey, marylauc, mikeschroder, hellofromtonya, flixos90.
Fixes#35725.
Built from https://develop.svn.wordpress.org/trunk@50810
git-svn-id: http://core.svn.wordpress.org/trunk@50419 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When `noopener noreferrer` was originally added in #37941 and related tickets, the `noreferrer` bit was specifically included due to Firefox not supporting `noopener` at the time.
Since `noopener` has been supported by all major browsers for a while, it should now be safe to remove the `noreferrer` attribute from core.
Props Mista-Flo, audrasjb, joostdevalk, jonoaldersonwp, peterwilsoncc, elgameel.
Fixes#49558.
Built from https://develop.svn.wordpress.org/trunk@49215
git-svn-id: http://core.svn.wordpress.org/trunk@48977 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Using the canonical function name for PHP functions is strongly recommended, as aliases may be deprecated or removed without (much) warning.
This replaces all uses of the following:
* `join()` with `implode()`
* `sizeof()` with `count()`
* `is_writeable()` with `is_writable()`
* `doubleval()` with a `(float)` cast
In part, this is a follow-up to #47746.
Props jrf.
See #50767.
Built from https://develop.svn.wordpress.org/trunk@49193
git-svn-id: http://core.svn.wordpress.org/trunk@48955 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The reason for introducing `wp_slash_strings_only()` in [46454] was to keep non-string values untouched.
Later, `wp_slash()` itself was updated in [48433] to prevent changing non-string values.
To avoid confusion, `wp_slash_strings_only()` is now deprecated.
Props ayeshrajans, ocean90.
Fixes#50635.
Built from https://develop.svn.wordpress.org/trunk@49188
git-svn-id: http://core.svn.wordpress.org/trunk@48950 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This addresses a regression in [47808], which caused excerpts to be generated from post content if an empty string is passed, but not for other values considered empty, e.g. `null` or `false`.
Props riaanlom, laxman-prajapati, SergeyBiryukov.
Fixes#51042.
Built from https://develop.svn.wordpress.org/trunk@48817
git-svn-id: http://core.svn.wordpress.org/trunk@48579 1a063a9b-81f0-0310-95a4-ce76da25c4cd
There are two pieces in here:
1) The update to change blacklist to blocklist is moved to disallowed_list. "Block" has a meaning in our code, and there could be ambiguity between this code and code related to blocks.
2) This improves backwards compatibility for code that was accessing the now deprecated code.
Previously: [48477], [48405], [48400], [48121], [48122], [48124], [48142], [48566]
Props: desrosj, SergeyBiryukov, johnjamesjacoby
Fixes: #50413
Built from https://develop.svn.wordpress.org/trunk@48575
git-svn-id: http://core.svn.wordpress.org/trunk@48337 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If a bool/float/int is passed into wp_slash it will be coerced into a string.
This changes the behavior to only slash strings. At the same time, handles recursion a little nicer by calling array_map for arrays.
Fixes#42195, #24106.
Props johnbillion, andizer, jrf, ryotasakamoto, SergeyBiryukov, donmhico, TobiasBg, markoheijnen, ryan, nacin, devesine, whyisjake.
Built from https://develop.svn.wordpress.org/trunk@48433
git-svn-id: http://core.svn.wordpress.org/trunk@48202 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Since sanitize title is largely used for html attributes, or post slugs, make note that accents will be removed and that the string will be limited to alphanumeric characters, underscores, and dashes.
Fixes#33756.
Props ericlewis, swissspidy, wonderboymusic, psdtohtmlguru, DrewAPicture, SergeyBiryukov, sjmur, gma992, shulard, ebinnion, whyisjake.
Built from https://develop.svn.wordpress.org/trunk@48432
git-svn-id: http://core.svn.wordpress.org/trunk@48201 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The filter is the callback function added with `add_filter()`, therefore the hook passes a value to the filter, and the filter returns a value to change its behaviour.
The documentation is referring to the latter.
Props johnbillion.
See #49572, #16557.
Built from https://develop.svn.wordpress.org/trunk@48185
git-svn-id: http://core.svn.wordpress.org/trunk@47954 1a063a9b-81f0-0310-95a4-ce76da25c4cd
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”
With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).
Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.
Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.
Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes#50413.
Built from https://develop.svn.wordpress.org/trunk@48121
git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The tag was supported in phpDocumentor 1.x, but is no longer supported in 2.x and 3.x.
Usage of static variables is considered an internal implementation detail and has no information value for someone reading the docs.
Props alishanvr, jrf.
Fixes#50426.
Built from https://develop.svn.wordpress.org/trunk@48109
git-svn-id: http://core.svn.wordpress.org/trunk@47878 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While web crawlers are able to discover pages from links within the site and from other sites, XML sitemaps supplement this approach by allowing crawlers to quickly and comprehensively identify all URLs included in the sitemap and learn other signals about those URLs using the associated metadata.
See https://make.wordpress.org/core/2020/06/10/merge-announcement-extensible-core-sitemaps/ for more details.
This feature exposes the sitemap index via `/wp-sitemap.xml` and exposes a variety of new filters and hooks for developers to modify the behavior. Users can disable sitemaps completely by turning off search engine visibility in WordPress admin.
This change also introduces a new `esc_xml()` function to escape strings for output in XML, as well as XML support to `wp_kses_normalize_entities()`.
Props Adrian McShane, afragen, adamsilverstein, casiepa, flixos90, garrett-eclipse, joemcgill, kburgoine, kraftbj, milana_cap, pacifika, pbiron, pfefferle, Ruxandra Gradina, swissspidy, szepeviktor, tangrufus, tweetythierry.
Fixes#50117.
See #3670. See #19998.
Built from https://develop.svn.wordpress.org/trunk@48072
git-svn-id: http://core.svn.wordpress.org/trunk@47839 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Patches occasionally come in on generated files. We should be kind to new contributors and give them a hint that these files are auto-generated.
This is a follow-up to [41271], which added the banner to minified CSS files.
Fixes#48424. See #30666.
Built from https://develop.svn.wordpress.org/trunk@46589
git-svn-id: http://core.svn.wordpress.org/trunk@46386 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduce `make_clickable_rel` filter for the `rel` value that is added to URL matches converted to links.
This is a follow-up to [46349], which added the `rel="nofollow ugc"` attribute to existing `<a>` tags in comments via `wp_rel_ugc()`.
UGC stands for User Generated Content, and the `ugc` attribute value is recommended for links within user generated content, such as comments and forum posts.
See https://webmasters.googleblog.com/2019/09/evolving-nofollow-new-ways-to-identify.html.
Props blogginglife, SergeyBiryukov.
Reviewed by desrosj, audrasjb.
Fixes#48022.
Built from https://develop.svn.wordpress.org/trunk@46564
git-svn-id: http://core.svn.wordpress.org/trunk@46361 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Slashing non-string data caused PUT requests containing unmodified meta arrays of integers to fail the check against the existing stored meta value, causing a 500 when posting an unmodified response body back to the server.
Props TimothyBlynJacobs, augustuswm.
Fixes#48264.
Built from https://develop.svn.wordpress.org/trunk@46454
git-svn-id: http://core.svn.wordpress.org/trunk@46252 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When a theme declares HTML5 support for script and styles via `add_theme_support( 'html5', array( 'script', 'style' ) )`, the `type="text/javascript"` and `type="text/css"` attributes are omitted.
These attributes are unnecessary in HTML5 and cause warnings in the W3C Markup Validation Service.
Props sasiddiqui, swissspidy, knutsp, SergeyBiryukov.
See #42804.
Built from https://develop.svn.wordpress.org/trunk@46164
git-svn-id: http://core.svn.wordpress.org/trunk@45976 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The path to magic quote sanity took a fun and exciting turn: PHP core removed it and WordPress updated the minimum version.
For the formally external pclzip, the code is commented out to make investigating easier and in case we ever need to merge upstream (if that still exists) changes.
Props ayeshrajans, jrf, jorbin.
See #47783.
Fixes#18322.
Built from https://develop.svn.wordpress.org/trunk@46105
git-svn-id: http://core.svn.wordpress.org/trunk@45917 1a063a9b-81f0-0310-95a4-ce76da25c4cd
