Commit Graph

37369 Commits

Author SHA1 Message Date
John Blackbourn
bd6ee706d0 Security: Add a referrer policy header to the admin and login screens.
This sets a referrer policy of `same-origin` which adds hardening by preventing a referrer being sent from the admin area or login screens to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within URLs.

This change introduces a new filter, `admin_referrer_policy`, for filtering the referrer policy header value. The header can be disabled if necessary by removing the `wp_admin_headers` action from the `admin_init` and `login_init` hooks.

Props joostdevalk
Fixes #42036


git-svn-id: https://develop.svn.wordpress.org/trunk@41741 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 18:24:17 +00:00
westonruter
b1faca5ca8 Customize: Improve accessibility of markup for base WP_Customize_Control and WP_Customize_Nav_Menu_Control with proper use of label elements and inclusion of aria-describedby.
See #33085.
Props valendesigns, afercia, westonruter.


git-svn-id: https://develop.svn.wordpress.org/trunk@41740 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 18:11:08 +00:00
Weston Ruter
a0a2a4a105 Customize: Fix theme details modal by updating logic in getPreviousTheme and getNextTheme to not rely on DOM traversal and manually constructing control IDs.
Amends [41726].
See #42083, #37661.


git-svn-id: https://develop.svn.wordpress.org/trunk@41739 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 16:48:50 +00:00
Jeremy Felt
e7f4d926c9 Multisite: Only query for one site in domain_exists().
`get_sites()` queries for a maximum of 100 records by default. In `domain_exists()`, we only use one.

A previous commit, [41736], has this same commit message but applies to `get_blog_id_from_url()` and #42073 instead.

Props danieltj, spacedmonkey.
Fixes #42072.


git-svn-id: https://develop.svn.wordpress.org/trunk@41738 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 16:25:07 +00:00
K. Adam White
dd92141f54 REST API: Return 409 status when attempting to create an existing term.
Fixes an issue where submitting a well-formed request to create a term inappropriately returns a 500 error status if that term already exists.
HTTP 5xx error codes should be reserved for unexpected server errors, so "409 Conflict" is a more appropriate response.

Props alibasheer, guzzilar, shooper.
Fixes #41370.



git-svn-id: https://develop.svn.wordpress.org/trunk@41737 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 16:23:33 +00:00
Jeremy Felt
acf9fa4524 Multisite: Only query for one site in domain_exists().
`get_sites()` queries for a maximum of 100 records by default. In `domain_exists()`, we only use one.

Props danieltj, spacedmonkey.
Fixes #42072.


git-svn-id: https://develop.svn.wordpress.org/trunk@41736 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 16:10:40 +00:00
John Blackbourn
17b1f66ba0 REST API: Avoid counting an uncountable type when checking read permissions for comment posts.
This avoids deprecated notices from showing in PHP 7.2 and above.

Props ayeshrajans
Fixes #41457


git-svn-id: https://develop.svn.wordpress.org/trunk@41735 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 15:37:48 +00:00
Sergey Biryukov
3447d5e8c6 I18N: Make sure wp_dropdown_languages() does not print out empty name and id attributes.
Props johnjamesjacoby, afercia.
Fixes #40829.

git-svn-id: https://develop.svn.wordpress.org/trunk@41734 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 15:22:15 +00:00
Sergey Biryukov
2536a168bb I18N: In wp_dropdown_languages(), change the parsed arguments variable to $parsed_args, to prevent stomping the original $args array.
Props Mte90.
See #40829.

git-svn-id: https://develop.svn.wordpress.org/trunk@41733 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 15:07:26 +00:00
Joe McGill
59c0329461 Customizer: Minimize duplicate header crops in the media library.
This adds `Custom_Image_Header::get_previous_crop()`, which finds any
previously cropped headers created from the same base image and replaces
that attachment rather than creating a new attachment.

After updating a crop, the replaced image is also removed from the list
of previous header images in the Customizer.

See #21819.


git-svn-id: https://develop.svn.wordpress.org/trunk@41732 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 14:58:07 +00:00
kadamwhite
d77da9cd2a REST API: Specify specific json-schema version.
Explicitly specifies that the REST API uses JSON Schema draft-04,
as JSON Schema has deprecated versionless schema URIs and recommends
the use of a specific draft version.

Props @TimothyBlynJacobs
Fixes #41734



git-svn-id: https://develop.svn.wordpress.org/trunk@41731 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 14:51:03 +00:00
John Blackbourn
952e98c217 I18N: Improvements to the tests for plural forms.
* Move the `create_function()` code into a file that's only loaded, and into a test that's only run, on PHP <= 7.2 to avoid deprecated warnings in 7.2+.
* Convert the test skipping into a failure if the GlotPress locale file cannot be downloaded.
* Ensure `test_exceptions` fails if an exception is not thrown.
* Docs improvements

See #41562, #40109


git-svn-id: https://develop.svn.wordpress.org/trunk@41730 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 13:26:15 +00:00
Sergey Biryukov
34ce81449a Twenty Sixteen: Make sure comment number comparison in comments.php works as expected.
`get_comments_number()` returns a numeric string, not an integer.

See #39660.

git-svn-id: https://develop.svn.wordpress.org/trunk@41729 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 13:21:59 +00:00
Sergey Biryukov
f4298a476a Template: Introduce readonly() form helper to complement the disabled() helper added in [13658].
Props soulseekah.
Fixes #16886.

git-svn-id: https://develop.svn.wordpress.org/trunk@41728 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 13:18:16 +00:00
Joe Hoyle
6b533ba2b0 REST API: Support for objects in schema validation and sanitization.
When registering routes developers can now define their complex objects in the schema and benefit from the automatic validation and sanitization in the REST API. This also paves the way for support for complex object registration via register_meta and register_setting.

See #38583.
Props TimothyBlynJacobs5.

git-svn-id: https://develop.svn.wordpress.org/trunk@41727 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 08:26:44 +00:00
Weston Ruter
3f1de03834 Customize: Improve usability of Customize JS API.
* Eliminate need to pass both ID and instance in calls to `Values#add()` for panels, sections, controls, settings, partials, and notifications.
* Eliminate need to supply `content` param when constructing a `Control`.
* Unwrap the `options.params` object passed in constructors to just pass a flat `options`. (Back-compat is maintained.)
* Add support for `templateId` param for `Control` to override which template is used for the content.
* Remove unused `previewer` being supplied in `Control` instances.
* Rename `classes` to `containerClasses` on `Notification`.
* Automatically supply `instanceNumber` to improve stable sorting.
* Use `api.Notifications` for notifications in settings instead of `api.Value`.

See #30741.
Fixes #42083.


git-svn-id: https://develop.svn.wordpress.org/trunk@41726 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 06:47:37 +00:00
Gary Pendergast
1eba2e5e3e Tests: Some tests in [41722] were using newer PHPUnit features.
`test_cache` used PHPUnit's object mocking to test some internal behaviour in `Plural_Forms`, but made use of the `willReturn()` method, which was introduced in PHPUnit 4.0 as shorthand for `will($this->returnValue())`. Fixed by switching to the longer form.

Several tests used the `@expectedException` directive to catch generic `Exception` exceptions, which was added in PHPUnit 3.7. Fixed by changing to an explicit `try` / `catch` test.

See #41562.



git-svn-id: https://develop.svn.wordpress.org/trunk@41725 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 04:10:47 +00:00
Joe McGill
fa43ebdefd Media: Use max-width for default captions.
This alters the HTML output of the image caption shortcode to use
`max-width` instead of `width` to improve compatibility with
flexible layouts.

Props aaronrutley, desrosj.
Fixes #33981.


git-svn-id: https://develop.svn.wordpress.org/trunk@41724 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 02:49:19 +00:00
Gary Pendergast
156c8ec5c6 I18N: Fix a PHP error introduced in [41722].
PHP 5.2 and 5.3 don't support short array syntax, Ryan.

Fixes #41562.



git-svn-id: https://develop.svn.wordpress.org/trunk@41723 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 02:11:27 +00:00
Gary Pendergast
f3a52234ea I18N: Introduce the Plural_Forms class.
Historically, we've evaluated the plural forms for each language using `create_function()`. This is being deprecated in PHP 7.2, so needs to be replaced.

The `Plural_Forms` class parses the `Plural-Forms` header from the PO file, and internally caches the result of all subsequent plural form tests, allowing it to match the performance of the existing code.

Props rmccue.
Fixes #41562.



git-svn-id: https://develop.svn.wordpress.org/trunk@41722 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 01:29:59 +00:00
Weston Ruter
3fcfefd05c File Editors: Introduce sandboxed live editing of PHP files with rollbacks for both themes and plugins.
* Edits to active plugins which cause PHP fatal errors will no longer auto-deactivate the plugin. Supersedes #39766.
* Introduce sandboxed PHP file edits for active themes, preventing accidental whitescreening of a user's site when introducing a fatal error.
* After writing a change to a PHP file for an active theme or plugin, perform loopback requests on the file editor admin screens and the homepage to check for fatal errors. If a fatal error is encountered, roll back the edited file and display the error to the user to fix and try again.
* Introduce a secure way to scrape PHP fatal errors from a site via `wp_start_scraping_edited_file_errors()` and `wp_finalize_scraping_edited_file_errors()`.
* Moves file modifications from `theme-editor.php` and `plugin-editor.php` to a common `wp_edit_theme_plugin_file()` function.
* Refactor themes and plugin editors to submit file changes via Ajax instead of doing full page refreshes when JS is available.
* Use `get` method for theme/plugin dropdowns.
* Improve styling of plugin editors, including width of plugin/theme dropdowns.
* Improve notices API for theme/plugin editor JS component.
* Strip common base directory from plugin file list. See #24048.
* Factor out functions to list editable file types in `wp_get_theme_file_editable_extensions()` and `wp_get_plugin_file_editable_extensions()`.
* Scroll to line in editor that has linting error when attempting to save. See #41886.
* Add checkbox to dismiss lint errors to proceed with saving. See #41887.
* Only style the Update File button as disabled instead of actually disabling it for accessibility reasons.
* Ensure that value from CodeMirror is used instead of `textarea` when CodeMirror is present.
* Add "Are you sure?" check when leaving editor when there are unsaved changes.

Supersedes [41560].
See #39766, #24048, #41886.
Props westonruter, Clorith, melchoyce, johnbillion, jjj, jdgrimes, azaozz.
Fixes #21622, #41887.


git-svn-id: https://develop.svn.wordpress.org/trunk@41721 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 00:19:16 +00:00
Weston Ruter
e965140cc9 Customize: Let establish_loaded_changeset query changesets from any author, not just the current user, when determining which changeset to autoload in non-branching mode.
See #39896.


git-svn-id: https://develop.svn.wordpress.org/trunk@41720 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-04 00:00:47 +00:00
Felix Arntz
43a34c9167 Multisite: Improve get_blog_details() by using get_site_by().
`get_site_by()` is now the preferred way to retrieve a site object by lookup for identifying data. By using a coherent structure and `get_sites()` internally, it has several advantages over the direct database queries and complex code in `get_blog_details()`. Therefore `get_blog_details()` is now a wrapper for `get_site_by()`, providing backward compatibility fixes where necessary.

Unit tests have been adjusted to account for the `blog-details` and `blog-lookup` cache groups, which are no longer needed.

Props spacedmonkey, jeremyfelt, flixos90.
Fixes #40228.


git-svn-id: https://develop.svn.wordpress.org/trunk@41719 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 19:40:01 +00:00
Felix Arntz
610db1241a Multisite: Use WP_Network_Query in ms_load_current_site_and_network().
This gets rid of the last readonly direct database query for networks in core. 🎉

Props spacedmonkey.
Fixes #41762.


git-svn-id: https://develop.svn.wordpress.org/trunk@41718 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 19:26:01 +00:00
Felix Arntz
d54e80111a Multisite: Replace calls to refresh_blog_details() with clean_blog_cache().
Fixes #42077. See #40201.


git-svn-id: https://develop.svn.wordpress.org/trunk@41717 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 19:04:57 +00:00
Felix Arntz
0c1c78bf09 Multisite: Establish clean_blog_cache() as a replacement for refresh_blog_details().
Going forward, `clean_blog_cache()` is recommended to be used instead of `refresh_blog_details()`. It has been adjusted to match the functionality of the latter, with the exception that it always requires a site ID or object to be passed. The `refresh_blog_details` action has been deprecated in favor of the `clean_site_cache` action. The function itself is not formally deprecated at this point, but will likely be in the near future.

Props spacedmonkey.
Fixes #40201.


git-svn-id: https://develop.svn.wordpress.org/trunk@41716 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 18:40:32 +00:00
Felix Arntz
2e051261f3 Multisite: Add specific tests for clean_blog_cache() and refresh_blog_details().
See #40201.


git-svn-id: https://develop.svn.wordpress.org/trunk@41715 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 18:20:37 +00:00
John Blackbourn
260b9917d7 Docs: Correct some @since MU notation that was broken in [41200].
Every function introduced by MU was introduced in 3.0.0 as this was when MU was merged.

See #41509


git-svn-id: https://develop.svn.wordpress.org/trunk@41714 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 17:43:37 +00:00
John Blackbourn
d72e4fd9aa Plugins: Introduce a singular and plural form for the plugin deletion error message.
Props eddhurst, SergeyBiryukov

Fixes #38918


git-svn-id: https://develop.svn.wordpress.org/trunk@41713 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 17:12:41 +00:00
John Blackbourn
35363c99b1 Embeds: Remove the external oEmbed tests for YouTube.
These tests no longer test anything that WordPress core has control over. YouTube now serves everything
over HTTPS by default, so the tests for #23149 will always pass, and the tests for #32714 aren't testing
anything that core has control over.

Tests for the responses from oEmbed providers have been attempted and reverted in #32360.

See #42076, #32714, #23149


git-svn-id: https://develop.svn.wordpress.org/trunk@41712 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 16:51:25 +00:00
Andrea Fercia
d3f5e2b5dc Accessibility: Change all the #f00 and red to the official WordPress accent red.
WordPress should exclusively use colors from the official colors palette, see
https://make.wordpress.org/design/handbook/design-guide/foundations/colors/
Partially addresses accessibility color contrast ratio issues.

See #35622.


git-svn-id: https://develop.svn.wordpress.org/trunk@41711 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 16:01:57 +00:00
John Blackbourn
23b1296432 Login and Registration: Add unit tests for wp_auth_check().
Props pbearne, birgire

Fixes #41860


git-svn-id: https://develop.svn.wordpress.org/trunk@41710 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 16:01:16 +00:00
Andrea Fercia
679f45c906 Customize: Fix invalid HTML and aria-describedby values.
- fixes invalid HTML and duplicate IDs
- as per the Accessibility coding standards, all new code must use explicitly associated form labels
- properly escapes a few HTML attributes

Props celloexpressions, afercia.
Fixes #42054.


git-svn-id: https://develop.svn.wordpress.org/trunk@41709 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 15:43:22 +00:00
Andrew Ozz
f3a3185bd4 Tools: Enable Grunt precommit task to run without requiring SVN or GIT.
Fixes #41957

git-svn-id: https://develop.svn.wordpress.org/trunk@41708 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 15:19:23 +00:00
Sergey Biryukov
fac51f61e3 HTTP API: Use WP_HTTP_Response::set_data() in ::__construct() instead of directly accessing the $data property.
Props tfrommen.
Fixes #41759.

git-svn-id: https://develop.svn.wordpress.org/trunk@41707 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 15:17:09 +00:00
Sergey Biryukov
fb06fab2e8 Posts, Post Types: Simplify the wording in post locking notice.
Props munyagu.
Fixes #42023.

git-svn-id: https://develop.svn.wordpress.org/trunk@41706 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 15:10:38 +00:00
Sergey Biryukov
d4dff17627 Multisite: Change IP references in new site or user notifications to IP address for clarity.
Props gk.loveweb, bradparbs.
See #40382.

git-svn-id: https://develop.svn.wordpress.org/trunk@41705 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 13:12:08 +00:00
Sergey Biryukov
609318a22d Comments: Change IP references in moderation option labels and email notifications to IP address for clarity.
Props mako09, gk.loveweb, bradparbs.
Fixes #40382.

git-svn-id: https://develop.svn.wordpress.org/trunk@41704 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 13:08:48 +00:00
Sergey Biryukov
ef549c2b53 Twenty Seventeen: Change tag cloud format to a list (<ul>) for better semantics and accessibility.
List markup allows screen reader users to know in advance how many tags are within the list.

Props sami.keijonen.
Fixes #40184.

git-svn-id: https://develop.svn.wordpress.org/trunk@41703 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 12:16:31 +00:00
Gary Pendergast
d2a011c666 Emoji: Fix incorrect emoji encoding in PHP < 5.4.
[41701] included a bug with PHP < 5.4. Prior to then, `html_entity_decode()` decoded into `ISO-8859-1`, when we actually need it to use `UTF-8`.

Fixes #35293.



git-svn-id: https://develop.svn.wordpress.org/trunk@41702 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 09:56:45 +00:00
Gary Pendergast
d3e0b4bc16 Emoji: Bring Twemoji compatibility to PHP.
This was previously attempted in [41043], which unfortunately had severe performance issues: the regex it used was fatally slow on long posts.

This version now uses an array of all emoji that Twemoji supports, which maintains the accuracy of [41043], while being the same speed or only a few ms slower than the code prior to [41043].

As with [41043], the `grunt precommit:emoji` task detects when `twemoji.js` has changed, and regenerates the array.

Props jmdodd for feedback, suggestions, and insults where appropriate.
Fixes #35293. 🤞🏻



git-svn-id: https://develop.svn.wordpress.org/trunk@41701 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 07:11:28 +00:00
Jeremy Felt
d4814228dc Multisite: Use %s when building query for archived sites in WP_Site_Query.
In [25548], the `archived` column in `wp_blogs` was changed from `ENUM` to `TINYINT` to match other status fields. When `WP_Site_Query` was written later, it used `%d` as a placeholder when formatting the archived status.

It is possible that this query will fail for any installations that did not update the schema for `wp_blogs` as only single quoted values are accepted for the `ENUM` type. In this case, `'0'` or `'1'` rather than `0` or `1`.

We can work around this and support both `ENUM` and `TINYINT` in the query by using the `%s` placeholder and casting the value with `absint()`.

Props stephdau.
Fixes #38856. See #27832.


git-svn-id: https://develop.svn.wordpress.org/trunk@41700 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 04:39:08 +00:00
Weston Ruter
bebc4cde6f Customize: Update dashboard welcome link to point to themes panel in the customizer instead of themes admin screen.
Props celloexpressions.
Fixes #42050.


git-svn-id: https://develop.svn.wordpress.org/trunk@41699 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 04:12:51 +00:00
Jeremy Felt
5fc09374c2 Multisite: Introduce get_site_by().
`get_site_by()` is a replacement for `get_blog_details()` that uses `WP_Site_Query` to retrieve specific sites based on a given field and value.

Props flixos90, spacedmonkey.
Fixes #40180.


git-svn-id: https://develop.svn.wordpress.org/trunk@41698 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 04:09:50 +00:00
Weston Ruter
2e5f329cc9 Customize: Provide validation feedback for invalid Custom Link URLs in nav menu items.
Props RMarks, EGregor, umangvaghela123, andrew.taylor, celloexpressions, westonruter, voldemortensen.
Fixes #32816.


git-svn-id: https://develop.svn.wordpress.org/trunk@41697 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 03:43:01 +00:00
Joe McGill
57b92c4116 Widgets: Default to "custom URL" in the image widget.
This changes the default value for `link_type` in the image widget
schema to 'custom'.

Props bor0, desrosj.
Fixes #41629.


git-svn-id: https://develop.svn.wordpress.org/trunk@41696 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 02:59:03 +00:00
Gary Pendergast
942482993d Plugins: Add plugin icons to the plugin list tables.
To mirror theme list table behaviour, the plugin icon now appears next to plugins in the plugin list tables. For plugins that don't have an icon, or non-W.org plugins, a fallback dashicon is shown.

Props melchoyce, afercia, paulwilde, pento, obenland.
Fixes #30186.



git-svn-id: https://develop.svn.wordpress.org/trunk@41695 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 00:24:31 +00:00
Weston Ruter
88db798f62 Customize: Add button in Publish Settings to discard unsaved changes (including drafted and scheduled), reverting Customizer to the last published state.
Props westonruter, melchoyce.
Amends [41667].
See #39896, #21666.


git-svn-id: https://develop.svn.wordpress.org/trunk@41694 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 00:21:06 +00:00
John Blackbourn
e95d1428d1 Build/Test tools: Correctly delete attachment files used in the media and post thumbnail tests.
Props atanasangelovdev

Fixes #38264


git-svn-id: https://develop.svn.wordpress.org/trunk@41693 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-03 00:08:16 +00:00
John Blackbourn
1e16e5eee8 I18N: Allow the login screen language to be specified via a wp_lang query variable, and use this for the interim login modal.
This allows users who are using the admin area in a language other than the site language to read the notice on the login screen
(which explains that they need to log in again) in their chosen language.

Props Nikschavan, swissspidy

Fixes #40205


git-svn-id: https://develop.svn.wordpress.org/trunk@41692 602fd350-edb4-49c9-b593-d223f7449a82
2017-10-02 23:20:12 +00:00