* XML-RPC: Improve error messages for unprivileged users.
* External Libraries: Disable deserialization in Requests_Utility_FilteredIterator.
* Embeds: Disable embeds on deactivated Multisite sites.
* Coding standards: Modify escaping functions to avoid potential false positives.
* XML-RPC: Return error message if attachment ID is incorrect.
* Upgrade/install: Improve logic check when determining installation status.
* Meta: Sanitize meta key before checking protection status.
* Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.
Brings the changes from [49380,49382-49388] to the 5.1 branch.
Props xknown, zieladam, peterwilsoncc, whyisjake, desrosj, dd32.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@49395 602fd350-edb4-49c9-b593-d223f7449a82
This restores the ability to run NodeJS related tasks when using `nvm install` or `nvm use`.
The alias `lts/*` currently resolves to NodeJS 12.x (and will continue to change as newer versions are released). The 10.x version of NodeJS is the highest version supported in the 5.1 branch.
This also removes the explicit version when running `nvm install` during automated testing. The command will now fall back to the version in the `.nvmrc` file.
See #51603.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@49278 602fd350-edb4-49c9-b593-d223f7449a82
Rename the `$keep` parameter of both filters to `$screen_option` for clarity, and update the documentation to better reflect its purpose.
Follow-up to [47951].
Props Chouby, sswells, SergeyBiryukov.
Merges [48241] to the 5.1 branch.
Fixes #50392.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@48247 602fd350-edb4-49c9-b593-d223f7449a82
- Embeds: Ensure that the title attribute is set correctly on embeds.
- Editor: Prevent HTML decoding by setting the proper editor context.
- Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
- Themes: Ensure a broken theme name is returned properly.
- Administration: Add a new filter to extend set-screen-option.
Merges [47947-47951] to the 5.1 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@47963 602fd350-edb4-49c9-b593-d223f7449a82
After a comment is submitted, only allow a brief window where the comment is live on the site.
Props jonkolbert, ayeshrajans, Asif2BD, peterwilsoncc, imath, audrasjb, jonoaldersonwp, whyisjake, SergeyBiryukov.
Merges [47887] and [47889] to the 5.1 branch.
Fixes #49956.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@47918 602fd350-edb4-49c9-b593-d223f7449a82
User: Invalidate `user_activation_key` on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Block Editor: Coding standards, properly escape class names.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand `sanitize_file_name` to have better support for utf8 characters.
Brings the changes in [47633], [47634], [47635], [47636], [47637], and [47638] to the 5.1 branch.
Props: aduth, batmoo, ehti, ellatrix, jorgefilipecosta, nickdaugherty, noisysocks, pento, peterwilsoncc, sergeybiryukov, sstoqnov, talldanwp, westi, westonruter, whyisjake, whyisjake, xknown.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@47646 602fd350-edb4-49c9-b593-d223f7449a82
This avoids a build error on `travis:format` job, caused by Travis running PHPUnit 9.x by default, which requires PHP 7.3+.
Merges [47336] to the 5.1 branch.
See #49485.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@47337 602fd350-edb4-49c9-b593-d223f7449a82
This removes the PHP 7.2, 7.1, 5.5, 5.4, and 5.3 jobs.
This also removes the PHP 5.6 job which runs without an object cache in place as the likelihood of a change being backported that only breaks 5.6 environments without an object cache is small.
Merges [44992] and [45005] to the 5.1 branch.
See #42387, #40407.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@47322 602fd350-edb4-49c9-b593-d223f7449a82
`assertSame()` doesn't have the `$delta` parameter, only `assertEquals()` does.
Follow-up to [47313].
Merges [47318] to the 5.1 branch.
See #40364.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@47321 602fd350-edb4-49c9-b593-d223f7449a82
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize `&colon;` on uri attributes.
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon HTML5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped Unicode characters from becoming unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@46907 602fd350-edb4-49c9-b593-d223f7449a82
This switches to caching npm's local cache instead of `node_modules` in order to prevent issues caused by modules compiled using a different version of node.
Merges [44993] into the 5.1 branch.
See #46632.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@44994 602fd350-edb4-49c9-b593-d223f7449a82
The Site Health tool serves two purposes:
- Provide site owners with information to improve the performance, reliability, and security of their site.
- Collect comprehensive debug information about the site.
By encouraging site owners to maintain their site and adhere to modern best practices, we ultimately improve the software hygiene of both the WordPress ecosystem and the open internet as a whole.
Props Clorith, hedgefield, melchoyce, xkon, karmatosed, jordesign, earnjam, ianbelanger, wpscholar, desrosj, pedromendonca, peterbooker, jcastaneda, garyj, soean, pento, timothyblynjacobs, zodiac1978, dgroddick, garrett-eclipse, netweb, tobifjellner, pixolin, afercia, joedolson, birgire.
See #46573.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@44984 602fd350-edb4-49c9-b593-d223f7449a82
Prior to this change, querying sites early in the bootstrap process could potentially cause a fatal error, since at that stage the filter to bail on updating site meta cache if the respective database table has not been installed yet is not hooked in yet. This changeset forces the filter to be added if that is not already the case.
Merges [44925] to the 5.1 branch.
Props spacedmonkey.
Fixes #46167.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@44927 602fd350-edb4-49c9-b593-d223f7449a82
The `change` event was previously required to ensure that the Customizer detected changes to the widget's content and synced them to the preview. In the current state, though, the `trigger( 'change' )` is no longer required and is causing issues with the widget's “Done” and “Save” buttons.
Merges [44816] to the 5.1 branch.
Fixes #46335.
Props audrasjb, afercia, westonruter.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@44817 602fd350-edb4-49c9-b593-d223f7449a82
A direct URL to where a user can update PHP for their website can now be specified in one of two ways:
- Defining the `WP_DIRECT_UPDATE_PHP_URL` environment variable.
- Returning a URL to the `wp_direct_php_update_url` filter.
When a URL is specified, an additional “Update PHP” button will be displayed at the bottom of the Core dashboard widget informing administrators that their site is running an outdated version of PHP (see [42832]).
Merges [44814] to the 5.1 branch.
Fixes #46074.
Props afragen, desrosj, lukecarbis.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@44815 602fd350-edb4-49c9-b593-d223f7449a82
Restores `public`, `archived`, `mature`, `spam`, `deleted`, `lang_id`, and `WPLANG` to the `$meta` data passed to `wpmu_new_blog`. This hook was deprecated in 5.1.0, but code using it still relies on this data.
Props davidbinda, pbiron.
Merges [44805] and [44806] to the 5.1 branch.
Fixes #46351.
git-svn-id: https://develop.svn.wordpress.org/branches/5.1@44807 602fd350-edb4-49c9-b593-d223f7449a82