In `wpdb::placeholder_escape()`, the key for `hash_hmac()` defaults to `AUTH_SALT`, but `hash_hmac()` will return an empty string if the key is empty.
This had the side effect of the string `{}` being incorrectly replaced with a `%` character in queries just about to be run on the database.
Props jsonfry.
Fixes#42431.
Built from https://develop.svn.wordpress.org/trunk@42120
git-svn-id: http://core.svn.wordpress.org/trunk@41949 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In `wpdb::placeholder_escape()`, the key for `hash_hmac()` falls back to `rand()` when `AUTH_SALT` is undefined. `hash_hmac()` requires the key to be a string, however, so we need to cast it as such.
Props mkomar.
Fixes#42401.
Built from https://develop.svn.wordpress.org/trunk@42119
git-svn-id: http://core.svn.wordpress.org/trunk@41948 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Consider both `selectedChangesetStatus` and `changesetStatus` states when deciding to disable.
* Factor out common logic into `canSwitchTheme` function on `ThemesPanel`.
* Keep Live Preview and Install buttons disabled in Themes controls and detail overlays when appropriate.
Props westonruter, dlh.
Amends [41788].
See #42126, #37661, #39896.
Fixes#42406.
Built from https://develop.svn.wordpress.org/trunk@42113
git-svn-id: http://core.svn.wordpress.org/trunk@41942 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Prevent edits to 2-level deep theme files from returning a `disallowed_theme_file` error when attempting to save an edit. Aligns logic for gathering `$allowed_files` in `theme-editor.php` for listing files with the validation logic in `wp_edit_theme_plugin_file()`.
Amends [41806].
See #6531.
Fixes#42425.
Built from https://develop.svn.wordpress.org/trunk@42112
git-svn-id: http://core.svn.wordpress.org/trunk@41941 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.
This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.
See #41925.
Built from https://develop.svn.wordpress.org/trunk@42056
git-svn-id: http://core.svn.wordpress.org/trunk@41885 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Improve the logic determining which endpoints support the trash by enumerating them. Endpoints that don't support the trash require `force=true` when deleting. The previous approach relied on the `force` argument description, which is a translated string and was fragile. In the future, we can expose whether an endpoint supports the trash as part of its schema and automate this logic.
Props Soean.
Fixes#40672.
Built from https://develop.svn.wordpress.org/trunk@42047
git-svn-id: http://core.svn.wordpress.org/trunk@41881 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In the original function introduced in [41380], and subsequently [41861], only the network ID was passed to the new `pre_get_main_site_id` filter. In order to make give quick access to other network properties, it was decided to pass the whole object instead. The changeset includes an additional test.
Fixes#29684.
Built from https://develop.svn.wordpress.org/trunk@42043
git-svn-id: http://core.svn.wordpress.org/trunk@41877 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Let min hour be 0 and max be 23 in 24-hour time; let min hour be 1 and max be 12 in 12-hour time.
* Show error notification when an invalid date value is provided, not just when not a future date.
* Fix translation of custom validity message.
* Start checking for validity after all inputs have been initially populated.
* Remove support for being able to enter 24:00.
* Cease forcing date input elements from being casted to integers, to allow for invalid inputs to be detected.
Props westonruter, Presskopp, peterwilsoncc, atachibana for testing.
See #39896, #28721.
Fixes#42373.
Built from https://develop.svn.wordpress.org/trunk@42042
git-svn-id: http://core.svn.wordpress.org/trunk@41876 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Passing `options.params` when constructing `Partial` is now deprecated in favor of just passing `options`.
* Improve usage of jsdoc in JS `Partial` class.
* Also add `defaults` property to `wp.customize.selectiveRefresh.Partial` class for parity with `Control`.
See #42083.
Built from https://develop.svn.wordpress.org/trunk@42037
git-svn-id: http://core.svn.wordpress.org/trunk@41871 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Deprecate PHP classes `WP_Customize_New_Menu_Section` and `WP_Customize_New_Menu_Control`.
* Deprecate JS class `wp.customize.Menus.NewMenuControl`.
* Also introduce `wp.customize.Menus.createNavMenu()` for logic to create nav menus separately from the logic for handling UI interactions.
Amends [41768].
See #40104, #42364.
Fixes#42357.
Built from https://develop.svn.wordpress.org/trunk@42034
git-svn-id: http://core.svn.wordpress.org/trunk@41868 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Expand containing panel when expanding themes section.
* Consolidate UI changes related to a section's expanded state change.
* Prevent collapsing current section when expanding.
* Auto-expand first themes section when expanding panel if one is not expanded already.
See #37661, #42354.
Fixes#42360.
Built from https://develop.svn.wordpress.org/trunk@42033
git-svn-id: http://core.svn.wordpress.org/trunk@41867 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Eliminate Media control template from having dependency on `params.settings.default` for element ID, to fix compat with `params.settings` array or single `params.setting`. See #36167.
* Move description out of label and add `aria-describedby` to Media control's Select button. See #30738, #33085.
* Obtain notification container whenever content is (re-)rendered (such as for Media control). See #38794.
* Re-render notifications after control content is re-rendered, if control is in expanded section. See #38794.
Amends [41390].
See #36167, #38794, #33085, #30738.
Built from https://develop.svn.wordpress.org/trunk@42031
git-svn-id: http://core.svn.wordpress.org/trunk@41865 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `publish_settings` section is a fundamental dependency for Customizer, so it must be guaranteed to be registered.
Also unconditionally register core types for panels, sections, and controls in case plugin unhooks all `customize_register` actions.
See #39896.
Fixes#42337.
Built from https://develop.svn.wordpress.org/trunk@42025
git-svn-id: http://core.svn.wordpress.org/trunk@41859 1a063a9b-81f0-0310-95a4-ce76da25c4cd