Before the docs implied the complexity of the function was O(1) by using the term "constant time", now we use the more descriptive term "Timing attack safe".
Props AramZS.
Fixes#32778.
git-svn-id: https://develop.svn.wordpress.org/trunk@35805 602fd350-edb4-49c9-b593-d223f7449a82
For accessibility, links inside lines or blocks of text should be always underlined.
Props walbo.
Fixes#34606.
git-svn-id: https://develop.svn.wordpress.org/trunk@35801 602fd350-edb4-49c9-b593-d223f7449a82
Previously when updating a post using wp_insert_post(), post_name was
regenerated based on post_title every time if post_name was not passed in
explicitly. This irons out the expectation that properties not passed into the
function should not be modified.
Props jason_the_adams.
Fixes#34865.
git-svn-id: https://develop.svn.wordpress.org/trunk@35800 602fd350-edb4-49c9-b593-d223f7449a82
Sometimes, it's easy to to type the the same word twice, especially if if it's a simple word. We probably shouldn't do do do (do do do doo) it, though.
(I've excluded external libs from this change.)
Fixes#34885.
git-svn-id: https://develop.svn.wordpress.org/trunk@35793 602fd350-edb4-49c9-b593-d223f7449a82
User dropdowns in wp-admin have traditionally shown the users' display names.
However, this causes ambiguity when users share display names. To correct this,
we now show the unique user_login in parentheses after the display name.
The new `display_name_with_login` value for the `show` parameter of
`wp_dropdown_users()` enables this functionality. The default value of `show`
has not been changed, for backward compatibility, but all instances of
`wp_dropdown_users()` in core wp-admin have been switched.
This changeset also reduces some duplicated logic when assembling a user list
when `include_selected` is true.
Props krogsgard, boonebgorges.
Fixes#31251.
git-svn-id: https://develop.svn.wordpress.org/trunk@35790 602fd350-edb4-49c9-b593-d223f7449a82
The whole string is escaped with `esc_html()` anyway, so we don't
need to `wp_kses_post()`. This is a better experience for users who
want to use angle brackets in their site title or description.
Does not allow any HTML, adds unit tests.
props BandonRandon, pauldewouters.
fixes#27942.
git-svn-id: https://develop.svn.wordpress.org/trunk@35788 602fd350-edb4-49c9-b593-d223f7449a82
New `network_site_new_created_user_pending` action fires before a new user will be created via the network site-new.php page.
Props mackensen
Fixes#33631
git-svn-id: https://develop.svn.wordpress.org/trunk@35786 602fd350-edb4-49c9-b593-d223f7449a82
Activation of a subdomain site is done through that new site's address. This address does not exist in the `wp_blogs` table until activation is complete.
In this case we need to make sure `public` is populated to avoid a PHP notice.
Props uglyrobot.
Fixes#24760.
git-svn-id: https://develop.svn.wordpress.org/trunk@35782 602fd350-edb4-49c9-b593-d223f7449a82
"Connected" because of REST API and cross-site embeds.
"Responsive" because of responsive images and under-the-hood tweaks.
See #34663.
git-svn-id: https://develop.svn.wordpress.org/trunk@35780 602fd350-edb4-49c9-b593-d223f7449a82
This gives us better compatibility with existing errors thrown by
`sanitize_user()`, especially in Multisite, where user_login has more
restrictions on allowed characters.
Props markjaquith.
Fixes#27317.
git-svn-id: https://develop.svn.wordpress.org/trunk@35772 602fd350-edb4-49c9-b593-d223f7449a82
In [34504], tabbing through row actions on comments that lacked links was broken. This restores the desired behavior and ensures that the row actions can be seen by no-js users.
Second Permanent Committer sign off was by WonderBoyMusic
See #15520Fixes#34791
Props afercia, azaozz
git-svn-id: https://develop.svn.wordpress.org/trunk@35771 602fd350-edb4-49c9-b593-d223f7449a82
In the data sent to us from the embedded iframe by postMessage(), the secret value is being used directly in a document.querySelectorAll() call without first being validated or escaped.
In theory, this could lead to some broken embeds.
Props mdawaffe.
Fixes#34831.
git-svn-id: https://develop.svn.wordpress.org/trunk@35761 602fd350-edb4-49c9-b593-d223f7449a82
This adds a checkbox to `wp-admin/user-new.php` to prevent sending an email with the username and a password reset link to the new user. Restores the behavior of pre-4.3.
Fixes#33504.
Props tharsheblows, SergeyBiryukov, DrewAPicture, ocean90.
git-svn-id: https://develop.svn.wordpress.org/trunk@35742 602fd350-edb4-49c9-b593-d223f7449a82
While these classes are intended for admin use, there are developers out there who include `wp-admin/includes/template.php` to access them in other contexts. There is no intention to continue to support this indefinitely, but a breaking change like that would need to happen very early in a cycle and communicated loudly.
In the meantime, if you're reading this commit message and you do the above, please update your code to not do that. Thank you :)
fixes#33413.
git-svn-id: https://develop.svn.wordpress.org/trunk@35740 602fd350-edb4-49c9-b593-d223f7449a82
In `populate_options()`, if the theme specified by `WP_DEFAULT_THEME` doesn't exist, fall back to the latest core default theme. If we can't find a core default theme, `WP_DEFAULT_THEME` is the best we can do.
Props nacin, jeremyfelt, dd32.
See #34306.
git-svn-id: https://develop.svn.wordpress.org/trunk@35738 602fd350-edb4-49c9-b593-d223f7449a82
To add a home link to the fallback menu output many themes only check if that
argument is set. Including Twenty Ten and Twenty Eleven. They check with
`isset()` so child themes and other instances using `wp_page_menu()` have a
chance to disable the home link by setting it to `false`.
Fixes#11095.
git-svn-id: https://develop.svn.wordpress.org/trunk@35737 602fd350-edb4-49c9-b593-d223f7449a82
Hello, it's me again. A pluggable function named `wp_new_user_notification()`. A few months ago, after [33023], I have lost my second parameter `$plaintext_pass`. But thanks to [33620] I got a new one.
Bad idea - It hasn't had the same behavior as my previous parameter.
To solve that the second parameter got deprecated and reintroduced as the third parameter in [34116]. I was happy again, for a short time.
You remember my lost friend `$plaintext_pass`? No? Well, if its value was empty no notification was sent to the user. This behavior was still lost. And that's what this change is about: Don't notify a user if a plugin uses `wp_new_user_notification( $user_id )`.
You're asking if I'm happy now? Dunno, but maybe you have learned something about pluggable functions, have you?
Props danielbachhuber.
Fixes#34377.
git-svn-id: https://develop.svn.wordpress.org/trunk@35735 602fd350-edb4-49c9-b593-d223f7449a82
* Introduce `customize_post_value_set_{$setting_id}` and `customize_post_value_set` actions which are done when `WP_Customize_Manager::set_post_value()` is called.
* Clear the `preview_applied` flag for aggregated multidimensional settings when a post value is set. This ensures the new value is used instead of a previously-cached previewed value.
* Move `$is_preview` property from subclasses to `WP_Customize_Setting` parent class.
* Deferred preview: Ensure that when `preview()` short-circuits due to not being applicable that it will be called again later when the post value is set.
* Populate post value for updated-widget with the (unsanitized) JS-value in `WP_Customize_Widgets::call_widget_update()` so that value will be properly sanitized when accessed in `WP_Customize_Manager::post_value()`.
Includes unit tests with assertions to check the reported issues and validate the fixes.
Fixes defect introduced in [35007].
See #32103.
Fixes#34738.
git-svn-id: https://develop.svn.wordpress.org/trunk@35724 602fd350-edb4-49c9-b593-d223f7449a82
Correct the docs for `comment_notes_before` and `comment_notes_after` arguments as well as `comment_form_before_fields` and `comment_form_after_fields` actions to better describe the current behaviour.
Fixes#34731.
git-svn-id: https://develop.svn.wordpress.org/trunk@35723 602fd350-edb4-49c9-b593-d223f7449a82
Adds the `postmeta_form_keys` filter which allows for a potentially expensive query against postmeta to be avoided.
props ericmann, tollmanz, nacin.
see #33885.
git-svn-id: https://develop.svn.wordpress.org/trunk@35717 602fd350-edb4-49c9-b593-d223f7449a82
Update `@see` tags for `wp_make_content_images_responsive()` and `wp_image_add_srcset_and_sizes()`.
Props jaspermdegroot.
See #34733.
git-svn-id: https://develop.svn.wordpress.org/trunk@35715 602fd350-edb4-49c9-b593-d223f7449a82
This prevents the admin menu from disappearing if an old `ru_RU.php` file is left over after updating directly from 3.1.x or an older version to the latest release.
See #20974.
git-svn-id: https://develop.svn.wordpress.org/trunk@35710 602fd350-edb4-49c9-b593-d223f7449a82
Previously, `&` would be converted everywhere, which caused problems when it was converted within a `<script>`, for example.
`convert_chars()` is now removed from the `the_content` filter, as it was doing the same job as `wptexturize()`.
KSES correctly handles converting `&` within HTML attributes, so there's no need for `wptexturize()` and `convert_chars()` to do the same job.
Fixes#34698.
git-svn-id: https://develop.svn.wordpress.org/trunk@35709 602fd350-edb4-49c9-b593-d223f7449a82
Older versions of WordPress will convert those `&` characters to `&`, which makes for some non-functional JS. If folks are running an older release, let's not make their lives more difficult than it already is.
Props pento, peterwilsoncc.
See #34698.
git-svn-id: https://develop.svn.wordpress.org/trunk@35708 602fd350-edb4-49c9-b593-d223f7449a82
Reverts [35700] which didn't account for author archives without posts.
Determination of the correct title is now based on the same order of
conditionals that template loader uses to select the right template.
H/t ocean90.
Fixes#34516.
git-svn-id: https://develop.svn.wordpress.org/trunk@35706 602fd350-edb4-49c9-b593-d223f7449a82
Since [25574] `$authordata` gets set up in `WP::register_globals()` - no need
to take a detour over the queried object.
Props greenshady for initial patch.
Fixes#34516.
git-svn-id: https://develop.svn.wordpress.org/trunk@35700 602fd350-edb4-49c9-b593-d223f7449a82
Use of `register_column_headers()` and `print_column_headers()` creates a `_WP_List_Table_Compat` without any columns. When the List Table object doesn't have any columns, there's naturally no primary column.
Props danielbachhuber.
Fixes#34148.
git-svn-id: https://develop.svn.wordpress.org/trunk@35698 602fd350-edb4-49c9-b593-d223f7449a82
