Using script tag helper functions allows plugins to employ the `wp_script_attributes` and `wp_inline_script_attributes` filters to inject the `nonce` attribute to apply Content Security Policy (e.g. Strict CSP). Use of helper functions also simplifies logic in `WP_Scripts`.
* Update `wp_get_inline_script_tag()` to wrap inline script in CDATA blocks for XHTML-compatibility when not using HTML5.
* Ensure the `type` attribute is printed first in `wp_get_inline_script_tag()` for back-compat.
* Wrap existing `<script>` tags in output buffering to retain IDE supports.
* In `wp_get_inline_script_tag()`, append the newline to `$javascript` before it is passed into the `wp_inline_script_attributes` filter so that the CSP hash can be computed properly.
* In `the_block_template_skip_link()`, opt to enqueue the inline script rather than print it.
* Add `ext-php` to `composer.json` under `suggest` as previously it was an undeclared dependency for running PHPUnit tests.
* Update tests to rely on `DOMDocument` to compare script markup, normalizing unsemantic differences.
Props westonruter, spacedmonkey, flixos90, 10upsimon, dmsnell, mukesh27, joemcgill, swissspidy, azaozz.
Fixes#58664.
See #39941.
Built from https://develop.svn.wordpress.org/trunk@56687
git-svn-id: http://core.svn.wordpress.org/trunk@56199 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While generally the functions `get_template_directory()` and `get_stylesheet_directory()` were long recommended to use to get the parent or child theme directory, the `TEMPLATEPATH` and `STYLESHEETPATH` constants were still used in a few places in core, most importantly in template related logic.
The remaining usage was problematic as it prevented testability of certain key components of WordPress core.
This changeset replaces all remaining usage with the corresponding functions and effectively marks these constants as deprecated. It also adds test coverage accordingly and even unlocks some existing, previously commented out test coverage to work as expected.
Performance of the new approach has been benchmarked and shows no notable differences. Yet, given that the current theme directories are not expected to change within a regular WordPress page load, the `get_template_directory()` and `get_stylesheet_directory()` functions were amended with in-memory caching of the result, unless one of the defining values is being filtered.
Props thekt12, spacedmonkey, mukesh27, aaroncampbell, scribu, lloydbudd, cais, chipbennett, toscho, omarabid, CrazyJaco, DrewAPicture, obenland, wonderboymusic, nacin, helen, dd32, chriscct7, SergeyBiryukov, swissspidy, joemcgill, flixos90.
Fixes#18298.
Built from https://develop.svn.wordpress.org/trunk@56635
git-svn-id: http://core.svn.wordpress.org/trunk@56147 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_starts_with()` and `str_ends_with()` were introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins or ends with the given substring (needle).
WordPress core includes a polyfill for these functions on PHP < 8.0 as of WordPress 5.9.
This commit uses `str_starts_with()` and `str_ends_with()` in core files where appropriate:
* `$needle === substr( $string, 0, $length )`, where `$length` is the length of `$needle`, is replaced with `str_starts_with( $haystack, $needle )`.
* `$needle === substr( $string, $offset )`, where `$offset` is negative and the absolute value of `$offset` is the length of `$needle`, is replaced with `str_ends_with( $haystack, $needle )`.
This aims to make the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987], [55988].
Props Soean, spacedmonkey, Clorith, ocean90, azaozz, sabernhardt, SergeyBiryukov.
Fixes#58220.
Built from https://develop.svn.wordpress.org/trunk@55990
git-svn-id: http://core.svn.wordpress.org/trunk@55502 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).
WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987].
Props Soean, spacedmonkey, costdev, dingo_d, azaozz, mikeschroder, flixos90, peterwilsoncc, SergeyBiryukov.
Fixes#58206.
Built from https://develop.svn.wordpress.org/trunk@55988
git-svn-id: http://core.svn.wordpress.org/trunk@55500 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [34270] introduced lazy loading of comment meta. However, this was only in the context of `WP_Query`. Other parts of the codebase, like `WP_Comment_Query` did not lazily load comment meta. In this change, calls to `update_meta_cache` are now replaced with `wp_lazyload_comment_meta`, that instead of priming comment meta caches, just adds them to the queue to be primed it ever called. This results in far less database queries, as there a number of places where comment meta is being primed unnecessarily and never used. Adding everything to the comment meta queue, also means that if comment meta is used, that is all loaded in a single database / cache call.
Follow on from [55671], [55747].
Props spacedmonkey, peterwilsoncc, flixos90, mukesh27.
Fixes#57801.
Built from https://develop.svn.wordpress.org/trunk@55749
git-svn-id: http://core.svn.wordpress.org/trunk@55261 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to bring more consistency between the functions, as well as in filter parameters.
Includes minor code layout fixes for better readability.
Follow-up to [45667], [47287], [48579], [53719], [53723], [55308].
See #57839.
Built from https://develop.svn.wordpress.org/trunk@55660
git-svn-id: http://core.svn.wordpress.org/trunk@55172 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In a recent change, `comment_time()` was updated to accept a `$comment_id` parameter for consistency with `comment_date()`, following a similar change for `get_comment_time()`.
However, the new parameter was not correctly passed to `get_comment_time()` inside the function. It should be passed as the fourth parameter after `$format`, `$gmt` and `$translate`, not the second.
This commit adds the missing arguments and a few unit tests to confirm the correct behavior.
Follow-up to [55284], [55287], [55308].
Props costdev, tmatsuur, ugyensupport, johnbillion.
Fixes#58064.
Built from https://develop.svn.wordpress.org/trunk@55632
git-svn-id: http://core.svn.wordpress.org/trunk@55144 1a063a9b-81f0-0310-95a4-ce76da25c4cd
After the introduction of `_make_clickable_rel_attr()` in an earlier commit, the function ended up returning link markup with a mix of single and double quotes.
This commit ensures that `_make_web_ftp_clickable_cb()` always returns double quotes, restoring consistency with other similar callback functions used by `make_clickable()`:
* `_make_url_clickable_cb()`
* `_make_email_clickable_cb()`
Follow-up to [55289].
See #53290, #56444.
Built from https://develop.svn.wordpress.org/trunk@55495
git-svn-id: http://core.svn.wordpress.org/trunk@55028 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduces client and server side validation to ensure the `replytocom` query string parameter can not be exploited to reply to an unapproved comment or display the name of an unapproved commenter.
This only affects commenting via the front end of the site. Comment replies via the dashboard continue their current behaviour of logging the reply and approving the parent comment.
Introduces the `$post` parameter, defaulting to the current global post, to `get_cancel_comment_reply_link()` and `comment_form_title()`.
Introduces `_get_comment_reply_id()` for determining the comment reply ID based on the `replytocom` query string parameter.
Renames the parameter `$post_id` to `$post` in `get_comment_id_fields()` and `comment_id_fields()` to accept either a post ID or `WP_Post` object.
Adds a new `WP_Error` return state to `wp_handle_comment_submission()` to prevent replies to unapproved comments. The error code is `comment_reply_to_unapproved_comment` with the message `Sorry, replies to unapproved comments are not allowed.`.
Props costdev, jrf, hellofromtonya, fasuto, boniu91, milana_cap.
Fixes#53962.
Built from https://develop.svn.wordpress.org/trunk@55369
git-svn-id: http://core.svn.wordpress.org/trunk@54902 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to clarify a few inline comments related to removing percent-encoded characters and HTML entities.
Affected functions:
* `sanitize_user()`
* `sanitize_title_with_dashes()`
* `sanitize_html_class()`
* `_sanitize_text_fields()`
* `get_comments_number_text()`
Follow-up to [465], [3454], [11433], [12503], [37987].
Props ace100, tanjimtc71, codemonksuvro, SergeyBiryukov.
Fixes#57712.
Built from https://develop.svn.wordpress.org/trunk@55346
git-svn-id: http://core.svn.wordpress.org/trunk@54879 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This resolves 80+ WPCS warnings in core:
{{{
Variable "$comment_ID" is not in valid snake_case format
}}}
While matching the database field of the same name, the `$comment_ID` variable did not follow the WordPress coding standards, and is now renamed to address that.
This affects:
* Function parameters in:
* `get_comment_author()`
* `comment_author()`
* `get_comment_author_email()`
* `comment_author_email()`
* `get_comment_author_link()`
* `comment_author_link()`
* `get_comment_author_IP()`
* `comment_author_IP()`
* `get_comment_author_rl()`
* `comment_author_url()`
* `get_comment_date()`
* `comment_date()`
* `get_comment_excerpt()`
* `comment_excerpt()`
* `get_comment_text()`
* `comment_text()`
* `get_comment_time()`
* `comment_time()`
* `get_comment_type()`
* `get_page_of_comment()`
* `wp_new_comment_notify_moderator()`
* `wp_new_comment_notify_postauthor()`
* `get_commentdata()`
* Internal variables in:
* `get_comment_ID()`
* `wp_new_comment()`
* `wp_xmlrpc_server::wp_deleteComment()`
* `wp_xmlrpc_server::wp_editComment()`
* `wp_xmlrpc_server::wp_newComment()`
* `wp_xmlrpc_server::pingback_ping()`
* Hook parameters in:
* `get_comment_author`
* `comment_author`
* `get_comment_author_email`
* `author_email`
* `get_comment_author_link`
* `get_comment_author_IP`
* `get_comment_author_url`
* `comment_url`
* `get_comment_excerpt`
* `comment_excerpt`
* `get_comment_ID`
* `get_comment_type`
* `get_page_of_comment`
* `comment_{$new_status}_{$comment->comment_type}`
* `comment_post`
* `notify_moderator`
* `notify_post_author`
* `commentrss2_item`
* `xmlrpc_call_success_wp_deleteComment`
* `xmlrpc_call_success_wp_editComment`
* `xmlrpc_call_success_wp_newComment`
* `pingback_post`
Note: The name change only affects variable names and DocBlocks.
The change does not affect:
* `comment_ID` as the `$orderby` value in `WP_Comment_Query::__construct()`
* `comment_ID` as the `$orderby` value in `WP_Comment::get_children()`
* `comment_ID` as part of `$commentarr` parameter in `wp_update_comment()`
The associated array keys still match the database field.
Follow-up to [53723].
Props krunal265, costdev, SergeyBiryukov.
Fixes#57671. See #56791.
Built from https://develop.svn.wordpress.org/trunk@55308
git-svn-id: http://core.svn.wordpress.org/trunk@54841 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Internal links should be followed and it should be easier to modify other rel attributes on comments. This adds a helper function for determining if a URL is internal and also adds some new filters to make it easy to modify rel attributes in comments.
Props thomasplevy, desrosj, sabernhardt, benish74, samiamnot, galbaras, jorbin.
Fixes#53290, #56444.
Built from https://develop.svn.wordpress.org/trunk@55289
git-svn-id: http://core.svn.wordpress.org/trunk@54822 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This brings consistency with:
* `get_comment_time()`
* `get_comment_date()`
* `comment_date()`
Includes:
* Correcting the `@since` tag for `get_comment_time()`.
* Synchronizing parameter description between `get_comment_date()` and `get_comment_time()`.
Follow-up to [55284].
See #52322.
Built from https://develop.svn.wordpress.org/trunk@55287
git-svn-id: http://core.svn.wordpress.org/trunk@54820 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If an invalid post ID is passed to the function, `comments_open()` should return `false`, and no comment form be displayed. This commit restores the previous behavior that was unintentionally changed when standardizing on the `$post` parameter name.
Follow-up to [53715].
Props peterwilsoncc.
Fixes#56243.
Built from https://develop.svn.wordpress.org/trunk@54488
git-svn-id: http://core.svn.wordpress.org/trunk@54047 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset introduces new `wp_required_field_indicator()` and `wp_required_field_message()` helper functions to generate reusable and consistent required field indicator and message. It also implements these functions in various admin screens.
Props sabernhardt, ryokuhi, joedolson, audrasjb, SergeyBiryukov.
Fixes#54394.
Built from https://develop.svn.wordpress.org/trunk@53888
git-svn-id: http://core.svn.wordpress.org/trunk@53447 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset ensures the "Logged in as" link conveys the information about its purpose ("Edit your profile") while the information "Logged in as Jane Doe" is only a simple text.
Props juliemoynat, SergeyBiryukov, joedolson, audrasjb, lopo.
Fixes#55718.
Built from https://develop.svn.wordpress.org/trunk@53796
git-svn-id: http://core.svn.wordpress.org/trunk@53355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes two WPCS warnings:
* `Variable "$comment_post_ID" is not in valid snake_case format`
* `Variable "$comment_author_IP" is not in valid snake_case format`
While matching the database fields of the same name, these variables did not follow the WordPress coding standards, and are now renamed to address that.
Note: The name change only affects internal variables and parameters for a few actions receiving a comment post ID:
* `edit_comment`
* `comment_id_not_found`
* `comment_closed`
* `comment_on_trash`
* `comment_on_draft`
* `comment_on_password_protected`
* `pre_comment_on_post`
The change does not affect parameters for functions receiving an array of comment data:
* `wp_insert_comment()`
* `wp_new_comment()`
* `wp_update_comment()`
* `wp_handle_comment_submission()`
The associated array keys still match the database fields: `comment_post_ID` and `comment_author_IP`.
Follow-up to [1706], [2894], [8720], [28427], [28437], [28457], [34799], [53720],
See #55647, #56244.
Built from https://develop.svn.wordpress.org/trunk@53723
git-svn-id: http://core.svn.wordpress.org/trunk@53282 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes a `Variable "$comment_post_ID" is not in valid snake_case format` WPCS warning.
`$comment_post_ID`, while matching the database field of the same name, does not follow the WordPress coding standards, so the variable is now renamed to `$comment_post_id`.
Additionally, these variables are renamed for clarity:
* `$tb_id` to `$post_id` (this was not the trackback ID)
* `$tb_url` to `$trackback_url`
Follow-up to [172], [637], [1616],
See #55647, #56244.
Built from https://develop.svn.wordpress.org/trunk@53719
git-svn-id: http://core.svn.wordpress.org/trunk@53278 1a063a9b-81f0-0310-95a4-ce76da25c4cd
For accessibility, input fields should identify their "purpose". The HTML5 attribute `autocomplete` allows for various user data to be quickly autofilled while adding context for some assistive technologies.
This commit adds the appropriate autofill purposes for an author's name, email, and website URL in the comment form template.
Props juliemoynat, bhrugesh96, sabernhardt.
Fixes#55779.
Built from https://develop.svn.wordpress.org/trunk@53576
git-svn-id: http://core.svn.wordpress.org/trunk@53165 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While using reserved PHP keywords as parameter name labels is allowed, in the context of function calls using named parameters in PHP 8.0+, this will easily lead to confusion. To avoid that, it is recommended not to use reserved keywords as function parameter names.
This commit:
* Renames the `$class` parameter to `$css_class` in `comment_class()` and `get_comment_class()`.
* Renames the `$echo` parameter to `$display` in `comment_class()`.
Follow-up to [52946], [52996], [52997], [52998], [53003], [53014], [53029], [53039], [53116], [53117], [53137], [53174], [53184], [53185], [53192], [53193], [53198], [53203], [53207], [53215], [53216], [53220], [53230], [53232], [53236], [53239], [53240], [53242], [53243], [53245], [53246], [53257], [53269], [53270], [53271], [53272], [53273], [53274], [53275], [53276], [53277], [53281], [53283], [53284].
Props jrf, aristath, poena, justinahinon, SergeyBiryukov.
See #55327.
Built from https://develop.svn.wordpress.org/trunk@53285
git-svn-id: http://core.svn.wordpress.org/trunk@52874 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In both `get_comment_author` and `get_comment_ID`, it's possible that these functions are called without a comment context. Specifically, `get_comment_author` can be called without passing the `$comment_ID` parameter, and `get_comment_ID` relies on the `comment` global if there's no `$comment` parameter supplied. This leads to a PHP notice of "Trying to get property of a non-object."
This change adds a check to both functions to ensure the `$comment->comment_ID` property is not empty before actually using its value.
Follow-up to [52223].
Props dd32.
Fixes#54379.
Built from https://develop.svn.wordpress.org/trunk@52818
git-svn-id: http://core.svn.wordpress.org/trunk@52407 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The post for the comments or pings is retrieved by `get_post()`. If the post exists, `get_post()` returns an instance of `WP_Post`; else, it returns `null`.
In both `comments_open()` and `pings_open()`, the returned value from `get_post()` is used without checking if the object returned, if the post exists. When the post does not exist, the following notices occur:
{{{
PHP Notice: Trying to get property 'comment_status' of non-object in .../src/wp-includes/comment-template.php on line 1244
}}}
and
{{{
PHP Notice: Trying to get property 'pings_open' of non-object in ../src/wp-includes/comment-template.php on line 1274
}}}
This commit fixes these notices by checking if the post has a non-falsey value before using it as an object to set the `$open` state. As the return from `get_post()` will only be an object or `null`, the truthy check is appropriate and slightly more performant.
Tests added to validate the fix.
Follow-up to [1964], [40666].
Props dd32, audrasjb, costdev, hellofromTonya, sergeybiryukov.
Fixes#54159.
Built from https://develop.svn.wordpress.org/trunk@52223
git-svn-id: http://core.svn.wordpress.org/trunk@51815 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Though hidden via `style="display:none;"`, if the comments aren't threaded, this commit doesn't output the cancel comment reply link (skips over that logic). Change in `comment_form()`.
Adds tests.
Follow-up to [12810], [38959].
Props henrywright, jigneshnakrani, rachelbaker, desrosj, audrasjb, hellofromTonya.
Fixes#37267.
Built from https://develop.svn.wordpress.org/trunk@52175
git-svn-id: http://core.svn.wordpress.org/trunk@51767 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add required asterisk to the comment text field. Historically, the name and email fields are marked as required, but the comment text field is not, though it is actually a required field.
Props infected, solarissmoke, rianrietveld, afercia, sabernhardt, strider72, mai21, audrasjb.
Fixes#16206.
Built from https://develop.svn.wordpress.org/trunk@52029
git-svn-id: http://core.svn.wordpress.org/trunk@51621 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fix the link returned by `get_comment_reply_link()` so the link points to the correct page of comments when links are paginated. While this link is normally overridden by the comment-reply script, if that script is disabled, the link would point to a location that did not exist when comments were paginated.
props MrPauloEn, paaggeli, alexstine, engahmeds3ed.
Fixes#51189.
Built from https://develop.svn.wordpress.org/trunk@51081
git-svn-id: http://core.svn.wordpress.org/trunk@50690 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Using the canonical function name for PHP functions is strongly recommended, as aliases may be deprecated or removed without (much) warning.
This replaces all uses of the following:
* `join()` with `implode()`
* `sizeof()` with `count()`
* `is_writeable()` with `is_writable()`
* `doubleval()` with a `(float)` cast
In part, this is a follow-up to #47746.
Props jrf.
See #50767.
Built from https://develop.svn.wordpress.org/trunk@49193
git-svn-id: http://core.svn.wordpress.org/trunk@48955 1a063a9b-81f0-0310-95a4-ce76da25c4cd