Commit Graph

36275 Commits

Author SHA1 Message Date
Jonathan Desrosiers
050f26a12d WordPress 4.7.17
git-svn-id: https://develop.svn.wordpress.org/branches/4.7@47673 602fd350-edb4-49c9-b593-d223f7449a82
2020-04-29 17:56:08 +00:00
Jake Spurlock
f9be892b76 Customize: Add additional filters to Customizer to prevent JSON corruption.
User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.

Brings the changes in [47633], [47634], [47635], [47637], and [47638] to the 4.7 branch.

Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, westonruter, whyisjake, whyisjake, xknown.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@47650 602fd350-edb4-49c9-b593-d223f7449a82
2020-04-29 16:22:22 +00:00
Sergey Biryukov
154764394d Build/Test Tools: Remove unused ::assertPostHasTerms() method from tests/term.php.
The associated test was removed in [30241].

Merges [47341] to 3.7+ branches.
See #49485.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@47489 602fd350-edb4-49c9-b593-d223f7449a82
2020-03-22 14:29:03 +00:00
Sergey Biryukov
b14c1f6b97 Embeds: Remove the external oEmbed tests for YouTube.
These tests no longer test anything that WordPress core has control over. YouTube now serves everything
over HTTPS by default, so the tests for #23149 will always pass, and the tests for #32714 aren't testing
anything that core has control over.

Tests for the responses from oEmbed providers has been attempted and reverted in #32360.

Props johnbillion.
Merges [41712] to the 4.4 branch.
See #42076, #32714, #23149.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@47483 602fd350-edb4-49c9-b593-d223f7449a82
2020-03-22 13:57:09 +00:00
Sergey Biryukov
a306848d73 Embeds: Remove the external oEmbed tests for YouTube.
These tests no longer test anything that WordPress core has control over. YouTube now serves everything
over HTTPS by default, so the tests for #23149 will always pass, and the tests for #32714 aren't testing
anything that core has control over.

Tests for the responses from oEmbed providers has been attempted and reverted in #32360.

Props johnbillion.
Merges [41712] to the 4.7 branch.
See #42076, #32714, #23149.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@47480 602fd350-edb4-49c9-b593-d223f7449a82
2020-03-22 13:45:11 +00:00
Sergey Biryukov
528ad89d28 WordPress 4.7.16
git-svn-id: https://develop.svn.wordpress.org/branches/4.7@46926 602fd350-edb4-49c9-b593-d223f7449a82
2019-12-12 20:27:25 +00:00
Sergey Biryukov
ba95a9a719 Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.

Brings r46893 to the 4.7 branch.

Update `wp_kses_bad_protocol()` to recognize `:` on uri attributes,

`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 4.7 branch.

Props: xknown, nickdaugherty, peterwilsoncc.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@46916 602fd350-edb4-49c9-b593-d223f7449a82
2019-12-12 18:51:18 +00:00
Jonathan Desrosiers
6b00370dde WordPress 4.7.15.
git-svn-id: https://develop.svn.wordpress.org/branches/4.7@46513 602fd350-edb4-49c9-b593-d223f7449a82
2019-10-14 20:07:03 +00:00
Jake Spurlock
375d3d8775 Backporting several bug fixes.
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory travelersals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.

Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@46495 602fd350-edb4-49c9-b593-d223f7449a82
2019-10-14 18:49:56 +00:00
Jake Spurlock
6e41ed6192 Add .nvmrc files to older versions of WordPress
When jumping between branches, it would be nice to have the correct node version for the older versions of WordPress. Let's add .nvmrc files to these older branches for the supported versions.

Merges [46295] to the 4.7 branch.

Fixes #48140



git-svn-id: https://develop.svn.wordpress.org/branches/4.7@46297 602fd350-edb4-49c9-b593-d223f7449a82
2019-09-25 20:54:05 +00:00
Jonathan Desrosiers
101562b7cd WordPress 4.7.14.
git-svn-id: https://develop.svn.wordpress.org/branches/4.7@46041 602fd350-edb4-49c9-b593-d223f7449a82
2019-09-04 21:22:13 +00:00
Andrew Ozz
69466c4e92 jQuery: Backport the patch from jQuery 3.4.0.
Merges [45342] to the 4.7 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@46025 602fd350-edb4-49c9-b593-d223f7449a82
2019-09-04 18:44:36 +00:00
Jonathan Desrosiers
7d32848c55 Fix for URL sanitization in wp_kses_bad_protocol_once().
Merges [45997] to the 4.7 branch.

Props irsdl, sstoqnov, whyisjake.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@46007 602fd350-edb4-49c9-b593-d223f7449a82
2019-09-04 18:19:30 +00:00
Sergey Biryukov
84cf56f966 Improve handling the existing rel attribute in wp_rel_nofollow_callback().
Merges [45990] to the 4.7 branch.
Props xknown, sstoqnov.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@45996 602fd350-edb4-49c9-b593-d223f7449a82
2019-09-04 17:47:51 +00:00
Sergey Biryukov
57f85ba712 Improve URL validation in wp_validate_redirect().
Merges [45971] to the 4.7 branch.
Props vortfu, whyisjake, peterwilsoncc.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@45977 602fd350-edb4-49c9-b593-d223f7449a82
2019-09-04 17:10:39 +00:00
Jake Spurlock
707096e9e0 Remove _convert_urlencoded_to_entities() from the get_the_content() callback.
Merges [45937] to the 4.7 branch.

Props vortfu, whyisjake, peterwilsoncc


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@45954 602fd350-edb4-49c9-b593-d223f7449a82
2019-09-04 16:36:52 +00:00
Sergey Biryukov
8fcbf67732 Escape the output in wp_ajax_upload_attachment().
Merges [45936] to the 4.7 branch.
Props whyisjake, sstoqnov.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@45947 602fd350-edb4-49c9-b593-d223f7449a82
2019-09-04 16:34:50 +00:00
John Blackbourn
7cb146f92a Build/Test tools: Further trimming of CI jobs on the 4.7 branch.
This removes the PHP 5.6 job which runs without an object cache in place as the likelihood of a change being backported that only breaks 5.6 environments without an object cache is small.

Merges [45005] into the 4.7 branch.

See #42387


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@45008 602fd350-edb4-49c9-b593-d223f7449a82
2019-03-25 16:26:30 +00:00
John Blackbourn
22197bb051 Build/Test tools: Switch npm dependency caching strategy on Travis CI.
This switches to caching npm's local cache instead of `node_modules` in order to prevent issues caused by modules compiled using a different version of node.

Merges [44993] into the 4.7 branch.

See #46632


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@44998 602fd350-edb4-49c9-b593-d223f7449a82
2019-03-25 00:56:45 +00:00
Gary Pendergast
8ce540c75a WordPress 4.7.13
git-svn-id: https://develop.svn.wordpress.org/branches/4.7@44872 602fd350-edb4-49c9-b593-d223f7449a82
2019-03-13 01:12:46 +00:00
Sergey Biryukov
1961df533b Comments: Improve comment content filtering.
Merges [44842] to the 4.7 branch.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@44847 602fd350-edb4-49c9-b593-d223f7449a82
2019-03-12 22:35:52 +00:00
Sergey Biryukov
ba357da827 Formatting: Improve rel="nofollow" handling in comments.
Merges [44833] to the 4.7 branch.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@44838 602fd350-edb4-49c9-b593-d223f7449a82
2019-03-12 22:21:44 +00:00
Jeremy Felt
bf9a7a79cc Bump 4.7 branch to version 4.7.12.
git-svn-id: https://develop.svn.wordpress.org/branches/4.7@44080 602fd350-edb4-49c9-b593-d223f7449a82
2018-12-13 02:11:39 +00:00
Gary Pendergast
78e2bde3cd Editor: Remove unwanted fields before saving posts.
The `meta_input`, `file`, and `guid` fields are not intended to be updated through user input.

Merges [44047] to the 4.7 branch.



git-svn-id: https://develop.svn.wordpress.org/branches/4.7@44056 602fd350-edb4-49c9-b593-d223f7449a82
2018-12-13 01:40:40 +00:00
Peter Wilson
ea84b9bad8 Multisite: Validate activation links.
Merges [44048] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@44054 602fd350-edb4-49c9-b593-d223f7449a82
2018-12-13 01:38:24 +00:00
Ian Dunn
a3fc848cb6 KSES: Make the URI attributes DRY.
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.

Merges [44014] and [44017] to the `4.7` branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@44027 602fd350-edb4-49c9-b593-d223f7449a82
2018-12-13 00:43:21 +00:00
Peter Wilson
e4b7c0bf40 Multisite: Improve messaging for previously activated users.
Ensure activation of a site is not attempted multiple times and users are shown the correct message if they follow the link a second time.

Merges [44021] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@44026 602fd350-edb4-49c9-b593-d223f7449a82
2018-12-13 00:39:23 +00:00
Gary Pendergast
3cdf982fff KSES: Conditionally remove the <form> element from $allowedposttags.
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.

Merges [43994] to the 4.7 branch.



git-svn-id: https://develop.svn.wordpress.org/branches/4.7@44000 602fd350-edb4-49c9-b593-d223f7449a82
2018-12-12 23:24:50 +00:00
Jeremy Felt
efd9885803 Media: Improve verification of MIME file types.
Merges [43988] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@43991 602fd350-edb4-49c9-b593-d223f7449a82
2018-12-12 23:04:17 +00:00
Aaron D. Campbell
3e822cbf1c Bump 4.7 branch to version 4.7.11
git-svn-id: https://develop.svn.wordpress.org/branches/4.7@43409 602fd350-edb4-49c9-b593-d223f7449a82
2018-07-05 16:10:24 +00:00
John Blackbourn
824d5b6bd3 Media: Limit thumbnail file deletions to the same directory as the original file.
Merges [43393] into the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@43395 602fd350-edb4-49c9-b593-d223f7449a82
2018-07-05 14:50:26 +00:00
Aaron D. Campbell
c993a967e6 Bump 4.7 branch to version 4.7.10
git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42935 602fd350-edb4-49c9-b593-d223f7449a82
2018-04-03 20:26:02 +00:00
Dominik Schilling (ocean90)
3700a18382 Template: Make sure the version string is correctly escaped for use in attributes.
Merge of [42893] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42919 602fd350-edb4-49c9-b593-d223f7449a82
2018-04-03 16:05:30 +00:00
Dominik Schilling (ocean90)
278641ebbc Meta: Simplify the delete all meta query in delete_metadata().
Merge of [42913] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42914 602fd350-edb4-49c9-b593-d223f7449a82
2018-04-03 15:40:58 +00:00
Dominik Schilling (ocean90)
42b1dd5acc HTTP: Don't treat localhost as same host by default.
Merge of [42894] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42910 602fd350-edb4-49c9-b593-d223f7449a82
2018-04-03 15:34:45 +00:00
Dominik Schilling (ocean90)
6d5d03d9a1 Login: Use wp_safe_redirect() when redirecting the login page if forced to use HTTPS.
Merge of [42892] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42897 602fd350-edb4-49c9-b593-d223f7449a82
2018-04-03 15:28:30 +00:00
Sergey Biryukov
54a3c366e5 General: Update copyright year to 2018 in license.txt.
Props rachelbaker.
Merges [42424] to the 4.7 branch.
Fixes #43007.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42554 602fd350-edb4-49c9-b593-d223f7449a82
2018-01-23 11:25:19 +00:00
Dion Hulse
7ec2dc809d Bump the 4.7 branch to 4.7.9.
git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42496 602fd350-edb4-49c9-b593-d223f7449a82
2018-01-16 21:38:55 +00:00
Dion Hulse
698a3fb29c External Libraries: Remove unnecessary / obsoleted MediaElement.js files.
Merges [42478] to the 4.7 branch.
Fixes #42720 for 4.7.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42479 602fd350-edb4-49c9-b593-d223f7449a82
2018-01-16 08:05:00 +00:00
Dion Hulse
5018b6595c Upgrade: When deleting old files, if deletion fails attempt to empty the file instead.
Props joemcgill, dd32.
Merges [42434] to the 4.7 branch.
Fixes #42963 for 4.7.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42467 602fd350-edb4-49c9-b593-d223f7449a82
2018-01-16 06:52:42 +00:00
John Blackbourn
e80bdf5116 Bump 4.7 branch to 4.7.8.
git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42318 602fd350-edb4-49c9-b593-d223f7449a82
2017-11-29 18:57:45 +00:00
John Blackbourn
87ac33af45 Hardening: Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.
Merges [42261] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42275 602fd350-edb4-49c9-b593-d223f7449a82
2017-11-29 16:19:42 +00:00
John Blackbourn
662033dc14 Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
Merges [42260] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42274 602fd350-edb4-49c9-b593-d223f7449a82
2017-11-29 16:18:56 +00:00
John Blackbourn
2700e8e672 Hardening: Add escaping to the language attributes used on html elements.
Merges [42259] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42273 602fd350-edb4-49c9-b593-d223f7449a82
2017-11-29 16:17:04 +00:00
John Blackbourn
c30d484e4f Hardening: Use a properly generated hash for the newbloguser key instead of a determinate substring.
Merges [42258] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42272 602fd350-edb4-49c9-b593-d223f7449a82
2017-11-29 16:16:03 +00:00
John Blackbourn
2844aa499e Users: Correct the value of the lang attribute in the admin area.
This corrects the value when the user's language is set to `English (United States)` but the site language is not.

Props ocean90, afercia

See #42242

Merges [42220] to the 4.7 branch.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42263 602fd350-edb4-49c9-b593-d223f7449a82
2017-11-29 16:05:10 +00:00
Dion Hulse
eeb633b797 WPDB: Check that AUTH_SALT is not empty, Fix a PHP notice when AUTH_SALT is undefined.
Props jsonfry, mkomar, pento.
Merges [42119] and [42120] to the 4.7 branch.
Fixes #42431 and #42401 for 4.7.


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42231 602fd350-edb4-49c9-b593-d223f7449a82
2017-11-27 01:07:45 +00:00
John Blackbourn
4e26af05f6 General: Remove the version number from the readme file in the 4.7 branch.
See #42386


git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42100 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-31 18:05:59 +00:00
Gary Pendergast
0c987581fe Bump 4.7 branch to version 4.7.7.
git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42070 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-31 13:12:09 +00:00
Gary Pendergast
16a56fae1f Database: Restore numbered placeholders in wpdb::prepare().
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

Merges [41662], [42056] to the 4.7 branch.
See #41925.



git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42058 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-31 12:33:25 +00:00