* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 4.4 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@49402 602fd350-edb4-49c9-b593-d223f7449a82
Query: Ensure that only a single post can be returned on date/time based queries.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.
Brings the changes in [47634], [47635], [47637], and [47638] to the 4.4 branch.
Props: batmoo, ehti, nickdaugherty, peterwilsoncc, sergeybiryukov, sstoqnov, westi, whyisjake, whyisjake, xknown.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@47653 602fd350-edb4-49c9-b593-d223f7449a82
These tests no longer test anything that WordPress core has control over. YouTube now serves everything
over HTTPS by default, so the tests for #23149 will always pass, and the tests for #32714 aren't testing
anything that core has control over.
Tests for the responses from oEmbed providers has been attempted and reverted in #32360.
Props johnbillion.
Merges [41712] to the 4.4 branch.
See #42076, #32714, #23149.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@47483 602fd350-edb4-49c9-b593-d223f7449a82
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 4.4 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@46912 602fd350-edb4-49c9-b593-d223f7449a82
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.
This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.
Merges [41662], [42056] to the 4.4 branch.
See #41925.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@42061 602fd350-edb4-49c9-b593-d223f7449a82
PHPUnit 6.4.1 and earlier versions ignored the `'0'` value, causing the issue to go unnoticed.
Merge of [41870] to the 4.4 branch.
Props SergeyBiryukov.
Fixes#42232.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@42055 602fd350-edb4-49c9-b593-d223f7449a82
`wpdb::prepare()` supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.
Merges [41496] to 4.4 branch.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@41501 602fd350-edb4-49c9-b593-d223f7449a82
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.
Merges [41470] to 4.4 branch.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@41475 602fd350-edb4-49c9-b593-d223f7449a82
This skips time sensitive tests (copyright year and PHP/MySQL version requirements) when tests are run on branches on Travis.
Props netweb, jorbin
Fixes#39486
Merges [40241] to the 4.4 branch.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@40243 602fd350-edb4-49c9-b593-d223f7449a82
Preserves spaces and generally creates more accurate, cleaner titles from filenames of uploaded media.
Merge of [38615] to the 4.4 branch.
Fixes#37989.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@39712 602fd350-edb4-49c9-b593-d223f7449a82
When upgrading to `utf8mb4`, `TEXT` fields will be upgraded to `MEDIUMTEXT` (and likewise for all other `*TEXT` and `*BLOB` fields). This is to allow for the additional space requirements of `utf8mb4`.
On the subsequent upgrade, `dbDelta()` would try and downgrade the fields to their original size again. At best, this it a waste of time, at worst, this could truncate any data larger than the original size. There's no harm in leaving them at their new size, so let's do that.
This also fixes a typo in the `dbDelta()` tests.
Merge of [37525] to the 4.4 branch.
Partial merge of [36552] to the 4.4 branch.
See #36748.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@37936 602fd350-edb4-49c9-b593-d223f7449a82
When the post being embedded is from the same site, there's no reason to do an HTTP request for it. The data can be fetched directly using `get_oembed_response_data()`.
Merge of [37708], [37710] and [37729] to the 4.4 branch.
Fixes#36767.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@37798 602fd350-edb4-49c9-b593-d223f7449a82
Use a more accessible way to initially hide the iframe. After that, only display an iframe when it was successfully loaded.
Merge of [36648] and [36708] to the 4.4 branch.
Fixes#35894.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@37093 602fd350-edb4-49c9-b593-d223f7449a82
Due to the "exclude" support added in WP 4.4, single dashes were being
converted to "NOT LIKE '%%'" clauses, causing all searches to fail.
Ports [36989] to the 4.4 branch.
Props RomSocial, swissspidy.
Fixes#36195.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@37082 602fd350-edb4-49c9-b593-d223f7449a82
Fixes issue where user gets stuck at login screen after trying to close the app if previously they had to first login to access the Customizer. Prevents `WP_Customize_Manager::get_return_url()` from using `wp-login.php` as a referer.
Merges [36261] to the 4.4 branch.
Props chandrapatel.
See #32637.
Fixes#35355.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36363 602fd350-edb4-49c9-b593-d223f7449a82
In order to calculate comment pagination when newest comments are displayed
first, `comments_template()` must perform a separate query to determine the
total number of paginating comments available on a post. See [34729], #8071,
pagination calculation - can be defined as a top-level comment, or a comment
with `parent=0`. However, when comment threading is disabled, yet comments
exist in the database that have parents, all comments - even those with a
parent - are "paginating". (This typically happens when comments threading was
once enabled, but has since been turned off.) As such, the total-paginating-
comments query should only be limited to top-level comments when
'thread_comments' is disabled.
Merges [36275] to the 4.4 branch.
Props jmdodd.
Fixes#35419.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36362 602fd350-edb4-49c9-b593-d223f7449a82
The refactor of `WP_Comment_Query`'s SQL generation in [34542] introduced a bug
that caused only the last post-related filter to be respected in comment
queries. In other words, if querying for comments using params
`post_status=draft&post_author=3`, only the last-processed of these params
would be respected. The current changeset fixes the logic so that these clauses
don't overwrite each other.
Merges [36326] to the 4.4 branch.
Props chriscct7.
Fixes#35478.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36361 602fd350-edb4-49c9-b593-d223f7449a82
[34999] modified the cache strategy for terms in the context of
`wp_get_object_terms()`. As part of these changes, the `object_id` property of
term objects had to be unset before being cached. To avoid modifying passed-by-
reference terms, `update_term_cache()` attempted to make a copy of the terms
passed to the function; however, it failed to use the `clone` keyword, and thus
only created a reference instead of a copy.
Merges [36323] to the 4.4 branch.
Props berengerzyla.
Fixes#35462.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36358 602fd350-edb4-49c9-b593-d223f7449a82
The descendant query in `WP_Comment_Query::fill_descendants()` uses the clauses
of the main `get_comment_ids()` query as a basis, discarding the `parent`,
`parent__in`, and `parent__not_in` clauses. As implemented in WP 4.4 [34546],
the WHERE clause was assembled in such a way that any modifications applied
using the `comments_clauses` filter were not inherited by `fill_descendants()`.
This resulted in descendant queries that did not always properly filter
results, and sometimes contained syntax errors.
The current changeset fixes the problem by using the post-filter WHERE clause
as the basis for the `fill_descendants()` query. This change requires a new
approach for eliminating the unneeded parent-related clauses: instead of
eliminating values in an associative array, we must use regular expressions.
Merges [36277] to the 4.4 branch.
Props boonebgorges, firebird75.
Fixes#35192.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36357 602fd350-edb4-49c9-b593-d223f7449a82
[36157] fixed a bug whereby `wp_list_comments()` would not properly recognize
custom pagination arguments. See #35175. However, it inadvertently introduced
a bug that caused any `$comments` array explicitly passed to the function to be
ignored, when that array was accompanied by pagination arguments that differ
from those in `$wp_query`. We address this bug by moving the logic introduced
in [36157] inside a block that only fires when no `$comments` array has been
provided to the function.
Merges [36276] to the 4.4 branch.
Props ivankristianto, boonebgorges.
Fixes#35356.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36356 602fd350-edb4-49c9-b593-d223f7449a82
The introduction of negative search terms in 4.4 [34934] introduced the
possibility that the ORDER BY clause of a search query could be assembled in
such a way as to create invalid syntax. The current changeset fixes this by
ensuring that the ORDER BY clause corresponding to the search terms is
excluded when it would otherwise be empty.
Merges [36251] to the 4.4 branch.
Props salvoaranzulla, boonebgorges.
Fixes#35361.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36354 602fd350-edb4-49c9-b593-d223f7449a82
When hierarchical=true, WP_Comment_Query will always fetch comments according to the comment hierarchy, even if 'thread_comments' is disabled for the site.
This can cause problems when comment threading is disabled after threaded comments have been recorded on the site; comments will no longer be returned in a strictly chronological order.
We address the issue by refraining from querying hierarchically when comment threading is disabled.
Merges [36226] to the 4.4 branch.
Props jmdodd.
Fixes#35378.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36353 602fd350-edb4-49c9-b593-d223f7449a82
Limits using the page title to the blog page when the site has a static front page,
bringing it N’Sync with `wp_title()`.
Merges [36168] to the 4.4 branch.
Props peterwilsoncc.
Fixes#34962.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36169 602fd350-edb4-49c9-b593-d223f7449a82
Prior to 4.4, it was possible to pass 'page' and 'per_page' values to
`wp_list_comments()` that do not match the corresponding global query vars.
This ability was lost in 4.4 with the refactor of how `comments_template()`
queries for comments; when the main comment query started fetching only the
comments that ought to appear on a page, instead of all of a post's comments,
it became impossible for the comment walker to select comments corresponding to
custom pagination parameters. See #8071.
We restore the previous behavior by (a) detecting when a 'page' or 'per_page'
parameter has been passed to `wp_list_comments()` that does not match the
corresponding query vars (so that the desired comments will not be found in
`$wp_query`), and if so, then (b) querying for all of the post's comments and
passing them to the comment walker for pagination, as was the case before 4.4.
Merges [36157] to the 4.4 branch.
Props boonebgorges, smerriman.
Fixes#35175.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36158 602fd350-edb4-49c9-b593-d223f7449a82
Posts that are trashed shouldn't trigger post author notifications. Adds unit tests to enforce this.
Merges [36119] to the 4.4 branch.
Props scottbrownconsulting, peterwilsoncc, swissspidy.
Fixes#35006.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36146 602fd350-edb4-49c9-b593-d223f7449a82
After [34659], it became possible to cause an incorrect redirect, by changing the slug of a post, then creating a new post with the old slug. The correct behaviour is to prevent redirecting to the old post.
Props dd32, pento.
Merge of [36128] to the 4.4 branch.
Fixes#35031.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36129 602fd350-edb4-49c9-b593-d223f7449a82
[35333] implemented `public=false` for taxonomies. The implementation prevented
non-public taxonomies from having their archives accessed via query_var during
a normal request. But it didn't prevent non-public taxonomies from registering
their query vars in the `$wp_taxonomies` global. The latter implementation
details causes problems specifically when a taxonomy is registered with
`query_var=true`; for public taxonomies, `register_taxonomy()` translates this
into a query_var equivalent to the taxonomy name, but in the case of non-public
taxonomies, the query_var was set to the boolean itself. The boolean then
causes problems when using non-strict comparison to filter taxonomy objects by
query_var, as when using `get_taxonomies()`.
This changeset addresses the issue by forcing the query_var property of
non-public taxonomies to `false`.
Merges [36108] to the 4.4 branch.
Fixes#35089.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36109 602fd350-edb4-49c9-b593-d223f7449a82
Reverts [34001] and fixes the original issue in #15963 - avoiding a PHP Notice for when the post doesn't exist.
Merges [36094] to the 4.4 branch.
Props tharsheblows.
See #15963.
Fixes#35084.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36105 602fd350-edb4-49c9-b593-d223f7449a82
[34370] made the order that tabs are returned respect the order they are added, however it broke the respect of priority. By using a ksort instead of a sort, we can restore that default behavior. This adjusts the unit tests so that both order added and priority are tested.
Merges [36089] to the 4.4 branch.
Props meitar, swissspidy, jorbin
Fixes#35215. See #33941.
git-svn-id: https://develop.svn.wordpress.org/branches/4.4@36104 602fd350-edb4-49c9-b593-d223f7449a82