- XML-RPC: Switch to `wp_safe_remote()` when fetching a pingback URL.
- HTML API: Prevent `WP_HTML_Tag_Processor` instances being unserialized and add some extra logic for validating pattern and template file paths.
- KSES: Optimize PCRE pattern detecting numeric character references.
- Customize: Improve escaping approach used for nav menu attributes.
- Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
- Interactivity API: Skip binding event handler attributes. The corresponding `data-wp-on--` attribute should be used instead.
- Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
- Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.
- Comments: Don't attempt to create a note if the user cannot edit the target post.
- Media: Disable XML entity substitution in getID3.
Merges [61879-61890] to the 6.8 branch.
Props johnbillion, xknown, dmsnell, jorbin, peterwilson, adamsilverstein, desrosj, luisherranz, ocean90, westonruter, jonsurrell, aurdasjb.
Built from https://develop.svn.wordpress.org/branches/6.8@61901
git-svn-id: http://core.svn.wordpress.org/branches/6.8@61183 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates the default on new installations for rpc.pingomatic.com to use https while also upgrading existing sites that use rpc.pingomatic.com or rpc.twingly.com to use https for those two domains.
Reviewed by audrasjb.
Merges [60421] and [60422] to the 6.8 branch.
Props sabernhardt, peterwilsoncc, jorbin, bhubbard, matt.
Fixes #42007.
Built from https://develop.svn.wordpress.org/branches/6.8@60428
git-svn-id: http://core.svn.wordpress.org/branches/6.8@59764 1a063a9b-81f0-0310-95a4-ce76da25c4cd
On small screens, the restore revision button was mostly hidden due to excessive constraints on overflow height. Fix the overflow issue and ensure that restore revision buttons are always usable.
Reviewed by audrasjb.
Merges [60259] to the 6.8 branch.
Props yogeshbhutkar, getsyash, joedolson.
Fixes #63029.
Built from https://develop.svn.wordpress.org/branches/6.8@60410
git-svn-id: http://core.svn.wordpress.org/branches/6.8@59746 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When using a non-direct filesystem, the call in WP_Upgrader::maintenance_mode() did not include the required credentials, leading to a fatal error as the connection was not initialized properly.
This commit attempts to use the stored credentials if available, and triggers a notice otherwise.
Follow-up to [56341], [58128].
Reviewed by jorbin.
Merges [60107] to the 6.8 branch.
Props SirLouen, hideishi, dd32, tusharaddweb, takuword, SergeyBiryukov.
Fixes #62718.
Built from https://develop.svn.wordpress.org/branches/6.8@60184
git-svn-id: http://core.svn.wordpress.org/branches/6.8@59520 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Normalize behavior between uploading in the media library and uploading directly to the block editor. Now, when uploading an image with a mime type the server does not support (either in the media library or the block editor), the user will see an error message “This image cannot be processed by the web server. Convert it to JPEG or PNG before uploading”.
Also, add a new filter `wp_prevent_unsupported_mime_type_uploads` which determines whether the server should prevent uploads for image types it doesn't support. The default value is true and the filter also receives the uploaded image mime type.
Props: joomskys, adamsilverstein, azaozz, swissspidy, joemcgill, flixos90, audrasjb.
Fixes #61167
Built from https://develop.svn.wordpress.org/trunk@60084
git-svn-id: http://core.svn.wordpress.org/trunk@59420 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Since `ABSPATH` is defined and documented to end with a forward slash `/`, this changeset removes the first `/` from strings appended to `ABSPATH` in various files, leading to `//` in the resulting path.
Follow-up to [54872], [55720], [57545].
Props dhruvik18, SergeyBiryukov.
Fixes #63102.
Built from https://develop.svn.wordpress.org/trunk@60034
git-svn-id: http://core.svn.wordpress.org/trunk@59370 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If the author display name is unknown, show an `emdash` and screen reader text `(no author)`, consistent with other cases where information is unknown. Fix an issue where an unknown author name displayed as an invisible link with no text.
Props kkmuffme, hdkothari81, shailu25, snehapatil02, sabernhardt, faisal03, rishavdutta, sumitbagthariya16, joedolson.
Fixes #62913.
Built from https://develop.svn.wordpress.org/trunk@60032
git-svn-id: http://core.svn.wordpress.org/trunk@59368 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When using a non-direct filesystem, the call in `WP_Upgrader::maintenance_mode()` did not include the required credentials, leading to a fatal error as the connection was not initialized properly.
This commit attempts to use the stored credentials if available, and triggers a notice otherwise.
Follow-up to [56341], [58128].
Props hideishi, dd32, SergeyBiryukov.
Fixes #62718.
Built from https://develop.svn.wordpress.org/trunk@59981
git-svn-id: http://core.svn.wordpress.org/trunk@59323 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Change several error messages across core to use WordPress standard styling. Ensure only prefixes are wrapped in `strong` tags rather than the whole message, use `notice notice-error` classes where appropriate, and replace a custom error with `wp_admin_notice()` in multisite.
Props afercia, rajinsharwar, robinmartijn, mukesh27, sabernhardt, oglekler, joedolson, chaion07, im3dabasia1, audrasjb, dkarfa, najmulsaju.
Fixes #50402.
Built from https://develop.svn.wordpress.org/trunk@59960
git-svn-id: http://core.svn.wordpress.org/trunk@59302 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add URL validation in the admin navigation menu manager that matches the validation in the customizer when adding custom links. Improve accessibility of both custom link forms by adding `aria-invalid` and `aria-describedby` attributes with visible error messages and announcing the error using `wp.a11y.speak()`.
Props joedolson, nikitasolanki1812, akrocks, pathan-amaankhan, rcreators, ironprogrammer, audrasjb, ankit-k-gupta, chaion07, rinkalpagdar, snehapatil02, jainil07, parthvataliya.
Fixes #60619, #60969.
Built from https://develop.svn.wordpress.org/trunk@59948
git-svn-id: http://core.svn.wordpress.org/trunk@59290 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset fixes an issue where the `link_updated` field was not updated in the old Link Manager. When a link was created or updated the `link_updated` field remained `0000-00-00 00:00:00`.
Props lenasterg, audrasjb.
Fixes #56851.
Built from https://develop.svn.wordpress.org/trunk@59923
git-svn-id: http://core.svn.wordpress.org/trunk@59265 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Enable `download_url()` to fetch and verify file types if the URL does not contain a file extension. This allows URL downloads to handle media endpoints like istockphoto.com that use file IDs and formatting arguments to deliver images.
Props masteradhoc, mitogh, joedolson, hellofromTonya, antpb, audrasjb, navi161, dmsnell.
Fixes #54738.
Built from https://develop.svn.wordpress.org/trunk@59902
git-svn-id: http://core.svn.wordpress.org/trunk@59244 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds a check of the `editable_roles` filter when adding users to a multisite sub-site to ensure the role is permitted to be used on the network. If the role is blocked by the filter, attempting to add the role will trigger a `wp_die()` similar to attempting to add a user with the role on a single site install.
Props eartboard, hareesh-pillai, ideag, sukhendu2002, spacedmonkey, thomaswm.
Fixes #43251.
Built from https://develop.svn.wordpress.org/trunk@59901
git-svn-id: http://core.svn.wordpress.org/trunk@59243 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset introduces the `manage_users-network_custom_column` filter that fires for each custom column in the Network Users list table. This is an override hook for `manage_users_custom_column` which was already filtering each custom column in all Users list tables.
Props lenasterg, realloc, audrasjb.
Fixes #43318.
Built from https://develop.svn.wordpress.org/trunk@59878
git-svn-id: http://core.svn.wordpress.org/trunk@59220 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset enhances the filesystem checks in the Site Health debug data by addressing the following:
- Existence Check: Before checking if the fonts directory is writable, it first verifies whether the directory exists.
- Improved Messaging: If the fonts directory does not exist, the debug output now reflects this scenario as "Does not exist". If the directory exists, it shows whether it is writable or not.
Props zodiac1978, samiamnot, sainathpoojary, abcd95, ankitkumarshah, im3dabasia1.
Fixes #62633.
Built from https://develop.svn.wordpress.org/trunk@59853
git-svn-id: http://core.svn.wordpress.org/trunk@59195 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Remove a limitation that prevented PNG uploads from generating the full sized image. Fixes a bug where using the image_editor_output_format filter would not generate full sized images as expected. The removed code was present to prevent overly large PNG image output, however this issue was resolved separately in #36477.
Props: adamsilverstein, pixlpirate, flixos90, mukesh27, azaozz.
Fixes #62900.
Built from https://develop.svn.wordpress.org/trunk@59844
git-svn-id: http://core.svn.wordpress.org/trunk@59186 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Passwords and security keys that were saved in prior versions of WordPress will continue to work. Each user's password will be opportunistically rehashed and resaved when they next subsequently log in using a valid password.
The following new functions have been introduced:
* `wp_password_needs_rehash()`
* `wp_fast_hash()`
* `wp_verify_fast_hash()`
The following new filters have been introduced:
* `password_needs_rehash`
* `wp_hash_password_algorithm`
* `wp_hash_password_options`
Props ayeshrajans, bgermann, dd32, deadduck169, desrosj, haozi, harrym, iandunn, jammycakes, joehoyle, johnbillion, mbijon, mojorob, mslavco, my1xt, nacin, otto42, paragoninitiativeenterprises, paulkevan, rmccue, ryanhellyer, scribu, swalkinshaw, synchro, th23, timothyblynjacobs, tomdxw, westi, xknown.
Additional thanks go to the Roots team, Soatok, Calvin Alkan, and Raphael Ahrens.
Fixes #21022, #44628
Built from https://develop.svn.wordpress.org/trunk@59828
git-svn-id: http://core.svn.wordpress.org/trunk@59170 1a063a9b-81f0-0310-95a4-ce76da25c4cd
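The opportunistic rehash-on-login flow described in the commit message above, sketched as an added example with PHP's native password API. It is not WordPress core code: `login()`, the in-memory `$users` store and the bcrypt cost values are constructed for illustration.

```php
<?php
// Added example, not WordPress core code. The user store, the cost values
// and login() are constructed for illustration.

const TARGET_ALGO    = PASSWORD_BCRYPT;
const TARGET_OPTIONS = ['cost' => 12];

/**
 * Verify a password and, only after a successful check, upgrade the stored
 * hash if it was created with weaker parameters than the current target.
 */
function login(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null || !password_verify($password, $stored)) {
        return false; // a failed check must never touch the stored hash
    }

    // The plaintext is only available at this moment, so this is the one
    // place where an old hash can be replaced without a password reset.
    if (password_needs_rehash($stored, TARGET_ALGO, TARGET_OPTIONS)) {
        $users[$name] = password_hash($password, TARGET_ALGO, TARGET_OPTIONS);
    }
    return true;
}

// Constructed sample: a hash saved under an older, cheaper setting.
$users  = ['alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4])];
$before = $users['alice'];

// Wrong password: login result, then whether the stored hash was left alone.
var_dump(login($users, 'alice', 'wrong guess'));
var_dump($users['alice'] === $before);

// Valid password: login result, then the cost recorded in the resaved hash.
var_dump(login($users, 'alice', 'correct horse'));
var_dump(password_get_info($users['alice'])['options']['cost']);

// Second valid login: the same password still verifies against the upgraded
// hash, and the hash is not rewritten again.
$upgraded = $users['alice'];
var_dump(login($users, 'alice', 'correct horse'));
var_dump($users['alice'] === $upgraded);
```

Accounts that never log in again keep their old hash, so the legacy verification path has to stay in place for as long as such hashes exist in the store.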
This changeset replaces the hardcoded hash symbol with running `maybe_hash_hex_color()` on the full `background-color` value provided via the custom background feature, so the hash is only added if it is needed. By doing so, if a theme developer sets a background color value that uses a hash (#), WordPress won't add an additional hash anymore when outputting the relevant CSS. Duplicate hash symbols (##) can break CSS background color declarations.
Props hovhanneshovakimyan, joyously, poena,
Fixes #40057.
Built from https://develop.svn.wordpress.org/trunk@59813
git-svn-id: http://core.svn.wordpress.org/trunk@59155 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This extension provides the `hash()` function and support for the SHA-256 algorithm, both of which are required for upcoming security related changes. This extension is almost universally enabled, however it is technically possible to disable it on PHP 7.2 and 7.3, hence the introduction of this requirement and the corresponding requirement checks prior to installing or upgrading WordPress.
Props peterwilsoncc, ayeshrajans, dd32, SergeyBiryukov, johnbillion.
Fixes #60638, #62815, #56017
See #21022
Built from https://develop.svn.wordpress.org/trunk@59803
git-svn-id: http://core.svn.wordpress.org/trunk@59145 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset improves a bunch of WP-Admin error messages, notably replacing the good old cryptic "Something went wrong" message with more helpful information.
Props peterwilsoncc, netweb, karmatosed, JoshuaWold, mrtortai, audrasjb, sukhendu2002, joedolson.
See #43622.
Built from https://develop.svn.wordpress.org/trunk@59789
git-svn-id: http://core.svn.wordpress.org/trunk@59131 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset replaces each occurrence of "Add New {Item}" label with "Add {Item}" in WordPress administration, to make the interface more consistent and simplify the translation effort.
Props jameskoster, audrasjb, ntsekouras, afercia, peterwilsoncc, youknowriad, joedolson, sukhendu2002, jdy68, beryldlg, fxbenard.
See #61219.
Built from https://develop.svn.wordpress.org/trunk@59784
git-svn-id: http://core.svn.wordpress.org/trunk@59126 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Values passed to parameters with this attribute will be redacted if present in a stack trace when using PHP 8.2 or later. This reduces the chance that passwords and security keys get accidentally exposed in debug logs and bug reports.
Props petitphp, TobiasBg, jrf, johnbillion.
Fixes #57304
Built from https://develop.svn.wordpress.org/trunk@59754
git-svn-id: http://core.svn.wordpress.org/trunk@59096 1a063a9b-81f0-0310-95a4-ce76da25c4cd
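How the redaction described in the commit message above shows up in a stack trace, as an added example using PHP's `#[\SensitiveParameter]` attribute. It is not WordPress core code: `check_credentials()`, `describe_trace_args()` and the sample values are constructed for illustration.

```php
<?php
// Added example, not WordPress core code. check_credentials() and the sample
// values are constructed for illustration.

function check_credentials(string $user, #[\SensitiveParameter] string $password): void
{
    // Stand-in for a failure deep inside authentication code.
    throw new RuntimeException('authentication backend unavailable');
}

/** Describe how each argument of the failing call appears in the trace. */
function describe_trace_args(): array
{
    try {
        check_credentials('alice', 'constructed-secret');
    } catch (RuntimeException $e) {
        // Frame 0 is the call to check_credentials().
        $args = $e->getTrace()[0]['args'] ?? null;
        if ($args === null) {
            return ['arguments not collected (zend.exception_ignore_args is on)'];
        }
        // Objects are reported by class name, scalars by their literal value,
        // so an unredacted secret would be visible here.
        return array_map(
            static fn ($arg) => is_object($arg) ? get_class($arg) : var_export($arg, true),
            $args
        );
    }
    return [];
}

// Hardened php.ini setups often drop all arguments from traces. Enable
// collection here so the effect of the attribute itself is visible.
ini_set('zend.exception_ignore_args', '0');
print_r(describe_trace_args());
```

On PHP 8.2 or later the password argument is replaced in the trace by a `SensitiveParameterValue` object; on older versions the attribute is ignored and the plaintext appears, which is why `zend.exception_ignore_args` and log handling still matter there.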
This changeset replaces plugin sanitized names with an auto increment integer to fix an issue with accordions displaying privacy policies for plugins with special characters in their names.
Follow-up to [50161].
Props ecgan, sabernhardt, audrasjb.
Fixes #62713.
Built from https://develop.svn.wordpress.org/trunk@59732
git-svn-id: http://core.svn.wordpress.org/trunk@59074 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This sets the same referrer policy of `strict-origin-when-cross-origin` that's used in the admin area to prevent a referrer being sent to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within the URL.
The header can be disabled if necessary by removing the `wp_admin_headers` action from the `login_init` hook.
Props kkmuffme, sagarlakhani, albatross10
Fixes #62273
See #42036
Built from https://develop.svn.wordpress.org/trunk@59712
git-svn-id: http://core.svn.wordpress.org/trunk@59054 1a063a9b-81f0-0310-95a4-ce76da25c4cd