- XML-RPC: Switch to `wp_safe_remote()` when fetching a pingback URL.
- HTML API: Prevent `WP_HTML_Tag_Processor` instances being unserialized and add some extra logic for validating pattern and template file paths.
- KSES: Optimize PCRE pattern detecting numeric character references.
- Customize: Improve escaping approach used for nav menu attributes.
- Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
- Interactivity API: Skip binding event handler attributes. The corresponding `data-wp-on--` attribute should be used instead.
- Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
- Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.
- Comments: Don't attempt to create a note if the user cannot edit the target post.
- Media: Disable XML entity substitution in getID3.
Merges [61879-61890] to the 6.8 branch.
Props johnbillion, xknown, dmsnell, jorbin, peterwilson, adamsilverstein, desrosj, luisherranz, ocean90, westonruter, jonsurrell, aurdasjb.
Built from https://develop.svn.wordpress.org/branches/6.8@61901
git-svn-id: http://core.svn.wordpress.org/branches/6.8@61183 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates the default on new installations for rpc.pingomatic.com to use https while also upgrading existing sites that use rpc.pingomatic.com or rpc.twingly.com to use https for those two domains.
Reviewed by audrasjb.
Merges [60421] and [60422] to the 6.8 branch.
Props sabernhardt, peterwilsoncc, jorbin, bhubbard, matt.
Fixes#42007.
Built from https://develop.svn.wordpress.org/branches/6.8@60428
git-svn-id: http://core.svn.wordpress.org/branches/6.8@59764 1a063a9b-81f0-0310-95a4-ce76da25c4cd
On small screens, the restore revision button was mostly hidden due to excessive constraints on overflow height. Fix the overflow issue and ensure that restore revision buttons are always usable.
Reviewed by audrasjb.
Merges [60259] to the 6.8 branch.
Props yogeshbhutkar, getsyash, joedolson.
Fixes#63029.
Built from https://develop.svn.wordpress.org/branches/6.8@60410
git-svn-id: http://core.svn.wordpress.org/branches/6.8@59746 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In finalizing the 6.8 announcement post (https://wordpress.org/news/2025/04/cecil/) it was identified that some of the copy on the 6.8 about page is not an accurate description of what is in 6.8. This copy is receiving a game misconduct penalty and automatic ejection. While the coach could bring on a substitute, a line change is the better option here.
Reviewed by joedolson.
Merges [60183] to the 6.8 branch.
Props abcd95, mukesh27, JeffPaul.
Fixes#63323.
Built from https://develop.svn.wordpress.org/branches/6.8@60190
git-svn-id: http://core.svn.wordpress.org/branches/6.8@59526 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Because validation was added in [59134] to prevent submitting bulk actions with no selected action, sites that remove or change the default bulk actions can fail due to the missing required inputs. Add a filter (bulk_action_observer_ids) that allows modifying the actions accepted to fulfill validation rules.
Reviewed by Jorbin.
Merges [60186] to the 6.8 branch.
Props ethitter, kabir93, jorbin, davidbaumwald, joedolson.
Fixes#63005.
Built from https://develop.svn.wordpress.org/branches/6.8@60188
git-svn-id: http://core.svn.wordpress.org/branches/6.8@59524 1a063a9b-81f0-0310-95a4-ce76da25c4cd
[59696] changed the 'Text' tab of the classic editor to 'Code' but Code was already used as a key in the array of translatable text. Since arrays keys need to be unique, this meant that it is possible for the wrong translation to appear in a locale. Using different keys fixes that.
Reviewed by joedolson.
Merges [60182] to the 6.8 branch.
Props joedolson, sabernhardt, justlevine, swissspidy, audrasjb.
Fixes#63269. See #38061.
Built from https://develop.svn.wordpress.org/branches/6.8@60187
git-svn-id: http://core.svn.wordpress.org/branches/6.8@59523 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When using a non-direct filesystem, the call in WP_Upgrader::maintenance_mode() did not include the required credentials, leading to a fatal error as the connection was not initialized properly.
This commit attempts to use the stored credentials if available, and triggers a notice otherwise.
Follow-up to [56341], [58128].
Reviewed by jorbin.
Merges [60107] to the 6.8 branch.
Props SirLouen, hideishi, dd32, tusharaddweb, takuword, SergeyBiryukov.
Fixes#62718.
Built from https://develop.svn.wordpress.org/branches/6.8@60184
git-svn-id: http://core.svn.wordpress.org/branches/6.8@59520 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fixes a PHP Warning for an undefined array key "QUERY_STRING" in `_wp_get_site_editor_redirection_url()` in some PHP configurations.
Depending on the configuration, `$_SERVER['QUERY_STRING']` can either be unset or an empty string when no query string included in the URL. This changes the condition from a falsey check to an `empty()` check.
Reviewed by Mamaduka.
Merges [60134] to the 6.8 branch.
Props akshaydhere, dilipbheda, johnbillion, rainynewt, sabernhardt, sainathpoojary, shovan_jaya, tusharaddweb, wildworks.
Fixes#63224.
Built from https://develop.svn.wordpress.org/branches/6.8@60135
git-svn-id: http://core.svn.wordpress.org/branches/6.8@59471 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introducing the new content for the 6.8 About page. This release introduces a new header image, but otherwise only minor tweaks to the layout and colors.
See #63025.
Props michelleames, marybaum, jeffpaul, flixos90, krupajnanda, vgnavada, karmatosed, benjamin_zekavica, ryelle, peterwilsoncc, benniledl, audrasjb.
Built from https://develop.svn.wordpress.org/trunk@60087
git-svn-id: http://core.svn.wordpress.org/trunk@59423 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Normalize behavior between uploading in the media library and uploading directly to the block editor. Now, when uploading an image with a mime type the server does not support (either in the media library or the block editor), the user will see an error message “This image cannot be processed by the web server. Convert it to JPEG or PNG before uploading”.
Alos, add a new filter `wp_prevent_unsupported_mime_type_uploads` which determines whether the server should prevent uploads for image types it doesn't support. The default value is true and the filter also receives the uploaded image mime type.
Props: joomskys, adamsilverstein, azaozz, swissspidy, joemcgill, flixos90, audrasjb.
Fixes#61167
Built from https://develop.svn.wordpress.org/trunk@60084
git-svn-id: http://core.svn.wordpress.org/trunk@59420 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fix a PHP warning when opening a page directly in the site editor, eg by navigating to the URL `/wp-admin/site-editor.php?p=%2Fpage&postId=200`, caused by an undefined variable name.
Props abcd95, joemcgill, narenin, soyebsalar, websiteredev, wildworks.
Fixes#63122.
Built from https://develop.svn.wordpress.org/trunk@60061
git-svn-id: http://core.svn.wordpress.org/trunk@59397 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Since `ABSPATH` is defined and documented to end with a forward slash `/`, this changeset removes the first `/` from strings appended to `ABSPATH` in various files, leading to `//` in the resulting path.
Follow-up to [54872], [55720], [57545].
Props dhruvik18, SergeyBiryukov.
Fixes#63102.
Built from https://develop.svn.wordpress.org/trunk@60034
git-svn-id: http://core.svn.wordpress.org/trunk@59370 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If the author display name is unknown, show an `emdash` and screen reader text `(no author)`, consistent with other cases where information is unknown. Fix an issue where an unknown author name displayed as an invisible link with no text.
Props kkmuffme, hdkothari81, shailu25, snehapatil02, sabernhardt, faisal03, rishavdutta, sumitbagthariya16, joedolson.
Fixes#62913.
Built from https://develop.svn.wordpress.org/trunk@60032
git-svn-id: http://core.svn.wordpress.org/trunk@59368 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adjust the position of the skip link in viewports between 600 and 782 pixels, where they were hidden due to `overflow-y: auto` in the block editor. Ensures that the skip link is visibly available for users on all viewport sizes.
Props sabernhardt, narenin, audrasjb, mukesh27, joedolson, wildworks.
Fixes#63084.
Built from https://develop.svn.wordpress.org/trunk@59992
git-svn-id: http://core.svn.wordpress.org/trunk@59334 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Several significant animations in the customizer did not respect prefers reduced motion. Change CSS to wrap animations in `@media` queries to verify user preferences.
Props wildworks, sainathpoojary, abcd95, joedolson, audrasjb.
Fixes#62806.
Built from https://develop.svn.wordpress.org/trunk@59989
git-svn-id: http://core.svn.wordpress.org/trunk@59331 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When some screen option input fields are changed (post table columns, welcome panel, and metabox visibility), the change is saved to options. Other screen options (e.g. number of items per page) are only saved on submit. The changes that are saved immediately are visibly changed for sighted readers immediately. Change adds a `wp.a11y.speak()` call to inform screen readers that a value change has updated screen options.
Props kkmuffme, joedolson, yogeshbhutkar, audrasjb, sourabhjain.
Fixes#62550.
Built from https://develop.svn.wordpress.org/trunk@59988
git-svn-id: http://core.svn.wordpress.org/trunk@59330 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Change the `onclick` attribute to a separate inlined script in the error message and improve the event attachment behavior.
Props vivekawsm, mijotj, adamsilverstein, parthvataliya, adhun, sarathar, peterwilsoncc, sayedulsayem, chaion07, sppramodh, indirabiswas27, aishwarryapande, dhrumilk, manojmaharrshi, ugyensupport, imranhasanraaz, pkbhatt, shailu25, joedolson.
Fixes#60074.
Built from https://develop.svn.wordpress.org/trunk@59986
git-svn-id: http://core.svn.wordpress.org/trunk@59328 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When using a non-direct filesystem, the call in `WP_Upgrader::maintenance_mode()` did not include the required credentials, leading to a fatal error as the connection was not initialized properly.
This commit attempts to use the stored credentials if available, and triggers a notice otherwise.
Follow-up to [56341], [58128].
Props hideishi, dd32, SergeyBiryukov.
Fixes#62718.
Built from https://develop.svn.wordpress.org/trunk@59981
git-svn-id: http://core.svn.wordpress.org/trunk@59323 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset removes the `aria-describedby` attribute when not editing the current user, as no description paragraph is associated.
Props kkmuffme, audrasjb, faisal03, shailu25, nandow, eddystile, marineevain, qhaensler, virginienacci.
Fixes#63006.
Built from https://develop.svn.wordpress.org/trunk@59978
git-svn-id: http://core.svn.wordpress.org/trunk@59320 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Change several error message across core to use WordPress standard styling. Ensure only prefixes are wrapped in `strong` tags rather than the whole message, use `notice notice-error` classes where appropriate, and replace a custom error with `wp_admin_notice()` in multisite.
Props afercia, rajinsharwar, robinmartijn, mukesh27, sabernhardt, oglekler, joedolson, chaion07, im3dabasia1, audrasjb, dkarfa, najmulsaju.
Fixes#50402.
Built from https://develop.svn.wordpress.org/trunk@59960
git-svn-id: http://core.svn.wordpress.org/trunk@59302 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add URL validation in the admin navigation menu manager that matches the validation in the customizer when adding custom links. Improve accessibility of both custom link forms by adding `aria-invalid` and `aria-describedby` attributes with visible error messages and announcing the error using `wp.a11y.speak()`.
Props joedolson, nikitasolanki1812, akrocks, pathan-amaankhan, rcreators, ironprogrammer, audrasjb, ankit-k-gupta, chaion07, rinkalpagdar, snehapatil02, jainil07, parthvataliya.
Fixes#60619, #60969.
Built from https://develop.svn.wordpress.org/trunk@59948
git-svn-id: http://core.svn.wordpress.org/trunk@59290 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset replaces `sanitize_text_field()` with `esc_url_raw()` for URLs passed via `url` and `return` query vars. This fixes an issue where the URL `example.com/หน้าภาษาไทย` would incorrectly return `example.com//` due to improper sanitization when clicking on the Customize button through the admin bar.
Props okvee, yahaly, hellofromTonya, veryard, dilip2615, amin7, swissspidy, audrasjb.
Fixes#61317.
Built from https://develop.svn.wordpress.org/trunk@59945
git-svn-id: http://core.svn.wordpress.org/trunk@59287 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset fixes some issues where Select fields were misaligned with neighboring elements, creating visual inconsistency in the customizer.
Props rkradadiya, mukesh27, laxman-prajapati, dlh, karmatosed, ankitkumarshah, sabernhardt.
Fixes#51249.
Built from https://develop.svn.wordpress.org/trunk@59942
git-svn-id: http://core.svn.wordpress.org/trunk@59284 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset fixes an issue where the `link_updated` field was not updated in the old Link Manager. When a link was created or updated the `link_updated` field remained `0000-00-00 00:00:00`.
Props lenasterg, audrasjb.
Fixes#56851.
Built from https://develop.svn.wordpress.org/trunk@59923
git-svn-id: http://core.svn.wordpress.org/trunk@59265 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This modifies the submenu for the Site Editor which previously linked directly to the Patterns page after [58278] to support accessing the Stylebook in classic themes via a new "Design" link. Currently, any classic themes that have either added support for `editor-styles` or have a theme.json file will automatically see this new link in the admin menu.
Props isabel_brison, poena, wildworks, mamaduka, karmatosed, joemcgill.
Fixes#62509.
Built from https://develop.svn.wordpress.org/trunk@59905
git-svn-id: http://core.svn.wordpress.org/trunk@59247 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Enable `download_url()` to fetch and verify file types if the URL does not contain a file extension. This allows URL downloads to handle media endpoints like istockphoto.com that use file IDs and formatting arguments to deliver images.
Props masteradhoc, mitogh, joedolson, hellofromTonya, antpb, audrasjb, navi161, dmsnell.
Fixes#54738.
Built from https://develop.svn.wordpress.org/trunk@59902
git-svn-id: http://core.svn.wordpress.org/trunk@59244 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds a check of the `editable_roles` filter when adding users to a multisite sub-site to ensure the role is permitted to be used on the network. If the role is blocked by the filter, attempting to add the role will trigger a `wp_die()` similar to attempting to add a user with the role on a single site install.
Props eartboard, hareesh-pillai, ideag, sukhendu2002, spacedmonkey, thomaswm.
Fixes#43251.
Built from https://develop.svn.wordpress.org/trunk@59901
git-svn-id: http://core.svn.wordpress.org/trunk@59243 1a063a9b-81f0-0310-95a4-ce76da25c4cd
