In the data sent to us from the embedded iframe by postMessage(), the secret value is being used directly in a document.querySelectorAll() call without first being validated or escaped.
In theory, this could lead to some broken embeds.
Props mdawaffe.
Fixes #34831.
git-svn-id: https://develop.svn.wordpress.org/trunk@35761 602fd350-edb4-49c9-b593-d223f7449a82
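The check described in the commit message above (validating the postMessage() secret before it reaches `document.querySelectorAll()`), as an added example that is not WordPress's own code. The `iframe[data-secret="..."]` selector shape, the alphanumeric allowlist, the injected `doc` parameter and all function names are assumptions made for illustration.

```javascript
// Added example: allowlist pattern and selector shape are assumptions.
const SECRET_PATTERN = /^[A-Za-z0-9]{1,64}$/;

function isValidSecret(secret) {
  return typeof secret === 'string' && SECRET_PATTERN.test(secret);
}

// Build the selector only from a validated secret; null means "drop the message".
function selectorForSecret(secret) {
  if (!isValidSecret(secret)) return null;
  return 'iframe[data-secret="' + secret + '"]';
}

// Handler factory. `doc` is injected (hypothetical parameter) so the logic
// can be exercised without a browser; in a page it would be `document`.
function makeEmbedMessageHandler(doc) {
  return function onMessage(event) {
    const data = event && event.data;
    if (!data || typeof data !== 'object') return [];
    const selector = selectorForSecret(data.secret);
    // Unvalidated input such as `x"]` would yield an invalid selector, and
    // querySelectorAll() throws a SyntaxError on those: a broken embed.
    if (selector === null) return [];
    return Array.from(doc.querySelectorAll(selector));
  };
}

// Constructed stand-in for `document` that records every selector it is asked for.
function makeFakeDocument(secrets) {
  const calls = [];
  return {
    calls,
    querySelectorAll(selector) {
      calls.push(selector);
      return secrets
        .filter((s) => selector === 'iframe[data-secret="' + s + '"]')
        .map((s) => ({ dataset: { secret: s } }));
    },
  };
}

// Constructed sample messages: one well-formed, the rest malformed.
const SAMPLE_MESSAGES = [
  { data: { secret: 'aB3dE6gH9k' } },
  { data: { secret: 'x"], body *' } },
  { data: { secret: 12345 } },
  { data: 'not-an-object' },
];
```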
This adds a checkbox to `wp-admin/user-new.php` to prevent sending an email with the username and a password reset link to the new user. Restores the behavior of pre-4.3.
Fixes #33504.
Props tharsheblows, SergeyBiryukov, DrewAPicture, ocean90.
git-svn-id: https://develop.svn.wordpress.org/trunk@35742 602fd350-edb4-49c9-b593-d223f7449a82
While these classes are intended for admin use, there are developers out there who include `wp-admin/includes/template.php` to access them in other contexts. There is no intention to continue to support this indefinitely, but a breaking change like that would need to happen very early in a cycle and communicated loudly.
In the meantime, if you're reading this commit message and you do the above, please update your code to not do that. Thank you :)
Fixes #33413.
git-svn-id: https://develop.svn.wordpress.org/trunk@35740 602fd350-edb4-49c9-b593-d223f7449a82
In `populate_options()`, if the theme specified by `WP_DEFAULT_THEME` doesn't exist, fall back to the latest core default theme. If we can't find a core default theme, `WP_DEFAULT_THEME` is the best we can do.
Props nacin, jeremyfelt, dd32.
See #34306.
git-svn-id: https://develop.svn.wordpress.org/trunk@35738 602fd350-edb4-49c9-b593-d223f7449a82
To add a home link to the fallback menu output, many themes only check if that
argument is set, including Twenty Ten and Twenty Eleven. They check with
`isset()` so child themes and other instances using `wp_page_menu()` have a
chance to disable the home link by setting it to `false`.
Fixes #11095.
git-svn-id: https://develop.svn.wordpress.org/trunk@35737 602fd350-edb4-49c9-b593-d223f7449a82
Hello, it's me again. A pluggable function named `wp_new_user_notification()`. A few months ago, after [33023], I have lost my second parameter `$plaintext_pass`. But thanks to [33620] I got a new one.
Bad idea - It hasn't had the same behavior as my previous parameter.
To solve that the second parameter got deprecated and reintroduced as the third parameter in [34116]. I was happy again, for a short time.
You remember my lost friend `$plaintext_pass`? No? Well, if its value was empty no notification was sent to the user. This behavior was still lost. And that's what this change is about: Don't notify a user if a plugin uses `wp_new_user_notification( $user_id )`.
You're asking if I'm happy now? Dunno, but maybe you have learned something about pluggable functions, have you?
Props danielbachhuber.
Fixes #34377.
git-svn-id: https://develop.svn.wordpress.org/trunk@35735 602fd350-edb4-49c9-b593-d223f7449a82
* Introduce `customize_post_value_set_{$setting_id}` and `customize_post_value_set` actions which are done when `WP_Customize_Manager::set_post_value()` is called.
* Clear the `preview_applied` flag for aggregated multidimensional settings when a post value is set. This ensures the new value is used instead of a previously-cached previewed value.
* Move `$is_preview` property from subclasses to `WP_Customize_Setting` parent class.
* Deferred preview: Ensure that when `preview()` short-circuits due to not being applicable that it will be called again later when the post value is set.
* Populate post value for updated-widget with the (unsanitized) JS-value in `WP_Customize_Widgets::call_widget_update()` so that value will be properly sanitized when accessed in `WP_Customize_Manager::post_value()`.
Includes unit tests with assertions to check the reported issues and validate the fixes.
Fixes defect introduced in [35007].
See #32103.
Fixes #34738.
git-svn-id: https://develop.svn.wordpress.org/trunk@35724 602fd350-edb4-49c9-b593-d223f7449a82
Correct the docs for `comment_notes_before` and `comment_notes_after` arguments as well as `comment_form_before_fields` and `comment_form_after_fields` actions to better describe the current behaviour.
Fixes #34731.
git-svn-id: https://develop.svn.wordpress.org/trunk@35723 602fd350-edb4-49c9-b593-d223f7449a82
Adds the `postmeta_form_keys` filter which allows for a potentially expensive query against postmeta to be avoided.
Props ericmann, tollmanz, nacin.
See #33885.
git-svn-id: https://develop.svn.wordpress.org/trunk@35717 602fd350-edb4-49c9-b593-d223f7449a82
Update `@see` tags for `wp_make_content_images_responsive()` and `wp_image_add_srcset_and_sizes()`.
Props jaspermdegroot.
See #34733.
git-svn-id: https://develop.svn.wordpress.org/trunk@35715 602fd350-edb4-49c9-b593-d223f7449a82
This prevents the admin menu from disappearing if an old `ru_RU.php` file is left over after updating directly from 3.1.x or an older version to the latest release.
See #20974.
git-svn-id: https://develop.svn.wordpress.org/trunk@35710 602fd350-edb4-49c9-b593-d223f7449a82
Previously, `&` would be converted everywhere, which caused problems when it was converted within a `<script>`, for example.
`convert_chars()` is now removed from the `the_content` filter, as it was doing the same job as `wptexturize()`.
KSES correctly handles converting `&` within HTML attributes, so there's no need for `wptexturize()` and `convert_chars()` to do the same job.
Fixes #34698.
git-svn-id: https://develop.svn.wordpress.org/trunk@35709 602fd350-edb4-49c9-b593-d223f7449a82
Older versions of WordPress will convert those `&` characters to `&#038;`, which makes for some non-functional JS. If folks are running an older release, let's not make their lives more difficult than it already is.
Props pento, peterwilsoncc.
See #34698.
git-svn-id: https://develop.svn.wordpress.org/trunk@35708 602fd350-edb4-49c9-b593-d223f7449a82
Reverts [35700] which didn't account for author archives without posts.
Determination of the correct title is now based on the same order of
conditionals that template loader uses to select the right template.
H/t ocean90.
Fixes #34516.
git-svn-id: https://develop.svn.wordpress.org/trunk@35706 602fd350-edb4-49c9-b593-d223f7449a82