A general security rule is "Sanitize when you save, escape when you echo".
In WordPress 5.9, `sanitize_url()` was un-deprecated in order to better align with the naming of other sanitizing functions, while still being an alias for `esc_url_raw()`.
This commit reverses the order and turns `esc_url_raw()` into a wrapper for `sanitize_url()`, making the latter the canonical function call and aiming to improve performance by reducing the number of function calls required when using the recommended technique.
Follow-up to [11383], [13096], [51597].
Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
See #55852.
Built from https://develop.svn.wordpress.org/trunk@53452
git-svn-id: http://core.svn.wordpress.org/trunk@53041 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, setting the `show_in_quick_edit` property to `false` removed the taxonomy from the inline edit form, but several taxonomy-related database queries were still being performed in `bulk_edit_posts()` when building the arguments to pass to `wp_update_post()`, even though terms were not modified.
This commit improves performance by avoiding unnecessary database queries when `show_in_quick_edit` is `false`, and mirrors a similar check in the `get_inline_data()` function.
Follow-up to [13535], [14580], [31307], [52841], [53368].
Props Chouby, sabernhardt, costdev, nalininonstopnewsuk, webcommsat, marybaum, meher, wparslan, SergeyBiryukov.
Fixes #42474.
Built from https://develop.svn.wordpress.org/trunk@53449
git-svn-id: http://core.svn.wordpress.org/trunk@53038 1a063a9b-81f0-0310-95a4-ce76da25c4cd
No functional changes were made to Twenty Ten during the WordPress 6.0 release cycle so the theme version bump is not needed. The "tested up to" header change is maintained.
Follow up to and partial revert of [53418].
Props desrosj, ravipatel, costdev.
Fixes #55810.
See #55754.
Built from https://develop.svn.wordpress.org/trunk@53448
git-svn-id: http://core.svn.wordpress.org/trunk@53037 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Append `?ver=6.0` to the image used for linking to the video to break the cache in browsers, proxy servers and on the CDN.
A new version of the image has been uploaded and replaced the file in the original location.
Props annezazu, critterverse, ryelle, costdev, ironprogrammer, dd32.
Fixes #55808.
Built from https://develop.svn.wordpress.org/trunk@53447
git-svn-id: http://core.svn.wordpress.org/trunk@53036 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes an `Equals sign not aligned correctly` WPCS warning.
Additionally, this commit sets the `svn:eol-style` property for the `phpunit/tests/ajax/wpAjaxCropImage.php` file and corrects line endings, so that the output of `composer format` is clean.
Follow-up to [53027], [53217], [53404].
Props hellofromTonya, SergeyBiryukov.
See #55647.
Built from https://develop.svn.wordpress.org/trunk@53441
git-svn-id: http://core.svn.wordpress.org/trunk@53030 1a063a9b-81f0-0310-95a4-ce76da25c4cd
MariaDB 10.2 reached EOL in May 2022. The recommended minimum is bumped to 10.3 for now.
Follow-up to [52319], [52358], [52420], [52424], [53431], [53433], [meta11866].
Props hellofromTonya.
Fixes #55791. See #meta6322.
Built from https://develop.svn.wordpress.org/trunk@53435
git-svn-id: http://core.svn.wordpress.org/trunk@53024 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The odd / even class attribute global variables are causing issues in comments tests when a new test is added or an existing test is modified. To stabilize the odd / even comment tests, the comment global variables are added to the base test class' `tear_down()` using the same patterns as the other global resets. This change ensures each comment test starts at the same state. In doing so, the expected odd / even class attributes are no longer affected by previous tests, i.e. test leaks.
Follow-up to [53172].
Props hellofromTonya, zieladam, peterwilsoncc.
See #54725.
Built from https://develop.svn.wordpress.org/trunk@53430
git-svn-id: http://core.svn.wordpress.org/trunk@53019 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This avoids a PHP fatal error if any of these functions are called too early:
* `have_posts()`
* `in_the_loop()`
* `rewind_posts()`
* `the_post()`
* `have_comments()`
* `the_comment()`
bringing some consistency with conditional tags: `is_single()`, `is_home()`, etc.
This commit also removes unnecessary `return` from `the_comment()`, for consistency with `the_post()`. As `WP_Query::the_comment()` does not have a return value, this statement did not have any effect in practice.
Follow-up to [4934], [8807], [16947], [17068], [17083], [49147], [53395], [53396], [53400].
Props vdankbaar, thijso, teunvgisteren, timkersten655, SergeyBiryukov.
Fixes #55722.
Built from https://develop.svn.wordpress.org/trunk@53429
git-svn-id: http://core.svn.wordpress.org/trunk@53018 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adjusts the workflow run URLs included in Slack notifications to link to the specific attempt being reported on, making it easier for someone to see the proper context of a specific notification.
Additionally, this eliminates the need for a contributor to share the reason for a failure in Slack before restarting the workflow, as the link will always be to that specific attempt. When a “fixed” notification occurs for a subsequent run attempt, the link will be to the new, successful run attempt.
See #55652.
Built from https://develop.svn.wordpress.org/trunk@53427
git-svn-id: http://core.svn.wordpress.org/trunk@53016 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`phpversion()` return value and `PHP_VERSION` constant value are identical, but the latter is several times faster because it is a direct constant value lookup compared to a function call.
Props ayeshrajans, jrf, mukesh27, costdev, hellofromTonya, SergeyBiryukov.
Fixes #55680.
Built from https://develop.svn.wordpress.org/trunk@53426
git-svn-id: http://core.svn.wordpress.org/trunk@53015 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Bump bundled theme version numbers in preparation for the WordPress 6.0 release. Each theme's _tested up to_ file header has been increased to indicate WordPress 6.0 support.
The new version numbers are:
* Twenty Ten: 3.7
* Twenty Eleven: 4.1
* Twenty Twelve: 3.7
* Twenty Thirteen*: 3.7
* Twenty Fourteen: 3.4
* Twenty Fifteen*: 3.2
* Twenty Sixteen*: 2.7
* Twenty Seventeen*: 3.0
* Twenty Nineteen: 2.3
* Twenty Twenty: 2.0
* Twenty Twenty-One: 1.6
An asterisk indicates the theme includes assets requiring a manual version bump; this is set to the reverse date format of the release day: `20220524`.
Follow up to [53286] in which the Twenty Twenty-Two theme version was bumped to 1.2.
Props peterwilsoncc, desrosj, costdev, mehedi890.
Fixes #55754.
Built from https://develop.svn.wordpress.org/trunk@53418
git-svn-id: http://core.svn.wordpress.org/trunk@53007 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Updates theme validation to accept block themes. This replaces the requirement for an `index.php` with a requirement for either an `index.php`, `/templates/index.html` or the deprecated `/block-templates/index.html`.
Validation is updated for theme uploads, within `WP_Theme::__construct` and `validate_current_theme()`.
A block theme using the deprecated file structure is now included in the unit tests.
Props peterwilsoncc, sergeybiryukov, hellofromtonya, costdev, azaozz, gziolo, FlorianBrinkmann, Boniu91, aristath, poena, audrasjb.
Fixes #55754.
Built from https://develop.svn.wordpress.org/trunk@53416
git-svn-id: http://core.svn.wordpress.org/trunk@53005 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The element already has non-visual text, making the icon and the `title` attribute redundant for assistive technologies.
Follow-up to [22439], [27548], [31513], [32991], [50804].
Props sabernhardt, ryokuhi, afercia, karlgroves, SergeyBiryukov.
Fixes #55555. See #24766.
Built from https://develop.svn.wordpress.org/trunk@53414
git-svn-id: http://core.svn.wordpress.org/trunk@53003 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When redirecting the site editor to the home template, include the `style` querystring parameter if it is set. This ensures the style panel opens if the user expects it.
Props grantmkin, mamaduka, peterwilsoncc.
Fixes #55752.
Built from https://develop.svn.wordpress.org/trunk@53413
git-svn-id: http://core.svn.wordpress.org/trunk@53002 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This avoids an `Undefined array key 0` PHP warning for `current_user_can()` capability checks that require a specific object to check against but an object ID was not passed.
A `_doing_it_wrong()` notice is also added, so that developers and site administrators are aware that the capability mapping is failing in the absence of the required object ID.
The list of mapped capabilities that require an object ID:
* `delete_post` / `delete_page`
* `edit_post` / `edit_page`
* `read_post` / `read_page`
* `publish_post`
* `edit_(post|comment|term|user)_meta` / `delete_*_meta` / `add_*_meta`
* `edit_comment`
* `edit_term` / `delete_term` / `assign_term`
Follow-up to [34091], [34113], [47178].
Props jeherve, peterwilsoncc, henry.wright, johnbillion, mattheweppelsheimer, hellofromTonya, JeffPaul, azouamauriac, Ninos Ego, TobiasBg, wpsmith, GaryJ, nacin, johnstonphilip, azaozz, SergeyBiryukov.
Fixes #44591.
Built from https://develop.svn.wordpress.org/trunk@53408
git-svn-id: http://core.svn.wordpress.org/trunk@52997 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When called too early, conditional query tags should throw a `_doing_it_wrong()` notice and return `false`. This commit verifies that behavior not only for `is_main_query()`, but for all the other conditional tags too.
Follow-up to [16947], [17068], [17083], [18699], [37985], [53395].
See #55104.
Built from https://develop.svn.wordpress.org/trunk@53396
git-svn-id: http://core.svn.wordpress.org/trunk@52985 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This avoids a PHP fatal error and triggers a `_doing_it_wrong()` notice if `is_main_query()` is called too early, bringing consistency with all the other `is_*()` conditionals: `is_single()`, `is_home()`, etc.
Follow-up to [16947], [17068], [17083], [18699], [37985].
Props vdankbaar, nhadsall, johnbillion, costdev, thijsoo, teunvgisteren, timkersten655, SergeyBiryukov.
Fixes #55104.
Built from https://develop.svn.wordpress.org/trunk@53395
git-svn-id: http://core.svn.wordpress.org/trunk@52984 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This replaces the references to “MySQL” with “your host’s database server” on the “Error establishing a database connection” page when Multisite could not be loaded. The generic “database server” term can refer to MySQL or MariaDB. Additionally, this brings some consistency with a similar error message in `wpdb::db_connect()`.
Follow-up to [52367], [52423].
Props tj692, hansjovisyoast, tobifjellner.
Fixes #55701.
Built from https://develop.svn.wordpress.org/trunk@53394
git-svn-id: http://core.svn.wordpress.org/trunk@52983 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Backport of the remaining Comment Template block tests from Gutenberg:
* `assertEquals()` replaced with `assertSameSetsWithIndex()`.
* assertion's argument order changed to ensure expected and then actual.
Follow-up to [53353], [53298], [53172], [53138].
Props bernhard-reiter.
Fixes #55708.
Built from https://develop.svn.wordpress.org/trunk@53388
git-svn-id: http://core.svn.wordpress.org/trunk@52977 1a063a9b-81f0-0310-95a4-ce76da25c4cd