Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update `wp_kses_bad_protocol()` to recognize `:` on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.
Built from https://develop.svn.wordpress.org/branches/5.2@46901
git-svn-id: http://core.svn.wordpress.org/branches/5.2@46701 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When `do_blocks()` is run, it sets up some special handling of the `wpautop` filter, as we don't want `wpautop` to run on block content, but we do want it to be available for subsequent runs of `the_content`, which may be happening on non-block content.
As we set this up before rendering dynamic blocks, however, a dynamic block choosing to run `the_content` will cause unintentially structural deficiences in this particular recursive block tower.
Moving this handling to after dynamic blocks are rendered makes our tower lean a little less.
Props aldavigdis, pento.
Fixes#45495.
Built from https://develop.svn.wordpress.org/trunk@45139
git-svn-id: http://core.svn.wordpress.org/trunk@44948 1a063a9b-81f0-0310-95a4-ce76da25c4cd
At the start of `render_block()`, the `pre_render_block` filter allows the function to be short-circuited, and the `render_block_data` filter is applied to the `$block` parameter before it's processed.
Props kkarpieszuk, pento.
Fixes#45451.
Built from https://develop.svn.wordpress.org/trunk@44553
git-svn-id: http://core.svn.wordpress.org/trunk@44384 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In RTL languages, WordPress adds `style-editor-rtl.css` editor styles to the global `$editor_styles`.
This patch ignores handling these styles if the file is not preset.
Also, clarify the docs for the return value of the `block_version` function.
Props mostafa.s1990, desrosj, mukesh27.
Merges [43923] and [43924] to trunk.
Fixes#45288, #45342.
Built from https://develop.svn.wordpress.org/trunk@44270
git-svn-id: http://core.svn.wordpress.org/trunk@44100 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Changes of note:
- Includes the new Annotations API package.
- `wp-polyfill-ecmascript.js` is renamed to `wp-polyfill.js`.
- `strip_dynamic_blocks()` has been removed in favor of `excerpt_remove_blocks()`.
- The PHP block parser is now syncing from the `block-serialization-default-parser` package.
- `do_blocks()` uses the new parser.
- The `do_block` filter has been removed from `do_blocks()`, in favor of a `render_block` filter in `render_block()`.
Also, a little cleanup to `render_block()`. Always normalize `$block['attrs’]` to array in `’render_block’` filter.
Props pento, azaozz.
Merges [43884] and [43888] to trunk.
See #45145, #45190, #45264, #45282.
Built from https://develop.svn.wordpress.org/trunk@44261
git-svn-id: http://core.svn.wordpress.org/trunk@44091 1a063a9b-81f0-0310-95a4-ce76da25c4cd
As `do_blocks()` is run before `wpautop()` in the_content filter, we can remove in a Just In Time fashion, before that filter is run.
After `wpautop()`s original priority has passed, we can re-add it in a Just Too Late fashion, to ensure it's available if `the_content` filter is run multiple times on a page load.
Merges [43879] and [43881] from the 5.0 branch to trunk.
Props pento, nerrad.
Fixes#45290.
Built from https://develop.svn.wordpress.org/trunk@44226
git-svn-id: http://core.svn.wordpress.org/trunk@44056 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `block_version` denotes which version of Blocks the `post_content` contains. Introduces new `block_version()` function for versioning Blocks.
Merges [43770] from the 5.0 branch to trunk.
Props danielbachhuber, birgire.
Fixes#43887.
Built from https://develop.svn.wordpress.org/trunk@44127
git-svn-id: http://core.svn.wordpress.org/trunk@43957 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `WP_Block_Parser` class, and the accompanying `parse_blocks()` helper function, can be used to parse an array of blocks out of a content string.
`WP_Block_Parser` is copied from the `@wordpress/block-serialization-default-parser` package. To ensure it stays in sync with the JavaScript parser, changes should be implemented in the package first, then the package version should be upgraded to include the changes.
Props pento.
Merges [43751] to trunk.
See #45109.
Built from https://develop.svn.wordpress.org/trunk@44116
git-svn-id: http://core.svn.wordpress.org/trunk@43946 1a063a9b-81f0-0310-95a4-ce76da25c4cd
These are the foundational classes allowing blocks to be registered and used throughout WordPress.
This commit also includes the `has_block()` and `has_blocks()` functions, which are required for unit testing these classes.
Merges [43742] from the 5.0 branch to trunk.
Props adamsilverstein, danielbachhuber, desrosj.
Fixes#45097.
See #45109.
Built from https://develop.svn.wordpress.org/trunk@44108
git-svn-id: http://core.svn.wordpress.org/trunk@43938 1a063a9b-81f0-0310-95a4-ce76da25c4cd