Prevent `wp_set_current_user()` from reinstantiating the current user when the user ID is passed as a string, e.g. `wp_set_current_user( (string) get_current_user_id() )`.
This restores the function's previous behaviour of returning early in the event the IDs loosely match.
Follow up to r57882.
Props westonruter, peterwilsoncc.
Fixes #64628.
Built from https://develop.svn.wordpress.org/trunk@61633
git-svn-id: http://core.svn.wordpress.org/trunk@60944 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This reverts [61010]. Setting the sender address by default has been shown to reduce deliverability for emails for sites that were working correctly in 6.8 and before. As reduced deliverability can harm IP reputation which means it's not just the single WordPress install that is harmed, [61010] is being reverted out of an abundance of caution.
Follow up to [61010].
Props jorbin, dmsnell, SirLouen, wildworks, desrosj, siliconforks, digitalblanket, studiomondiale, zoe20, Monarobase, amanandhishoe,
Fixes #64368. See #49687.
Built from https://develop.svn.wordpress.org/trunk@61537
git-svn-id: http://core.svn.wordpress.org/trunk@60848 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This became unnecessary (and confusing) after the plaintext password was removed from the email, and the URL to set a new password was added directly above in WordPress 4.3.
Follow-up to [2872], [8058], [10931], [33023].
Props clayray, manhphucofficial, pratiklondhe, johnbillion, SergeyBiryukov.
Fixes #64316.
Built from https://develop.svn.wordpress.org/trunk@61321
git-svn-id: http://core.svn.wordpress.org/trunk@60633 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This improves how `wp_mail()` handles `Content-Type` headers for multipart messages, preventing cases where the header could be duplicated.
Developed in https://github.com/WordPress/wordpress-develop/pull/9500
Props SirLouen, gitlost, rmccue, westi, MattyRob, bgermann, nacin, SergeyBiryukov, dd32, MikeHansenMe, Kleor, kitchin, JeffMatson, abcd95, westonruter, christinecooper, JohnVieth, dawidadach, imokweb, ayeshrajans, lakshyajeet, tusharbharti, sajjad67.
Fixes #15448.
Built from https://develop.svn.wordpress.org/trunk@61201
git-svn-id: http://core.svn.wordpress.org/trunk@60537 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The PHPMailer library may automatically switch its encoding based on various internal factors.
This commit fixes a bug where the `$phpmailer` global was unintentionally persisting its `Encoding` property from the first `wp_mail()` call to all subsequent calls.
This includes unit tests to verify the fix is accurate, and a change to the mock-mailer helper that worked around this bug just-in-time when running the test suite.
Props codebuddy, dilip2615, rishabhwp, sajjad67, sirlouen, stephenharris.
Fixes #33972.
Built from https://develop.svn.wordpress.org/trunk@61131
git-svn-id: http://core.svn.wordpress.org/trunk@60467 1a063a9b-81f0-0310-95a4-ce76da25c4cd
WordPress has been calling `$phpmailer->setFrom()` with a `false` value for an attribute telling it to set the sender address for each message. This sender address is also known by other names: Envelope-From, MAIL FROM, Return-Path, etc... Unfortunately, this configuration can easily lead to mail being rejected by numerous mail hosts due to an invalid domain being generated by the local mail server/MTA.
The flag was originally added with the note that its absence “causes outgoing email to fail on some server environments.” However, it is likely that this led to the opposite effect, as evidenced by numerous reports, plugins, and workarounds over the years.
In this patch the flag is being removed, which has the effect of letting `$phpmailer` set the Sender value, which it does by default using the domain “where the front end is accessible” and which is likely correct.
After this change there is a chance of mail failure for sites with SPF configured but which does not allow mail to be sent on behalf of this domain and if those sites also do not have a properly configured DKIM and DMARC setup. Those sites should review their SPF policies or the `wp_mail_from` filter.
Developed in https://github.com/WordPress/wordpress-develop/pull/9412
Discussed in https://core.trac.wordpress.org/ticket/49687
Follow-up to [38286].
Props cbutlerjr, dmsnell, jamieburchell, knutsp, kub1x, lordandy1984, piskvorky, SergeyBiryukov, siliconforks, SirLouen, stankea, vbbp, websupporter.
Fixes #49687.
Built from https://develop.svn.wordpress.org/trunk@61010
git-svn-id: http://core.svn.wordpress.org/trunk@60346 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [36566], a framework for lazily loading metadata was introduced, initially supporting term and comment meta. This commit extends that support to user meta.
User meta can contain a large amount of data that is not always needed, particularly on the front end. To address this, cache_users() now calls the new function wp_lazyload_user_meta(). This function accepts an array of user IDs and adds them to the queue of metadata to be lazily loaded.
Follows on from [55671], [55747].
Props spacedmonkey, westonruter.
Fixes #63021.
Built from https://develop.svn.wordpress.org/trunk@60989
git-svn-id: http://core.svn.wordpress.org/trunk@60325 1a063a9b-81f0-0310-95a4-ce76da25c4cd
MIME allows for referencing included attachments by their `Content-ID` header using the `cid` URL scheme. This can be used to embed images inline to the HTML message. For example, `<img src="cid:logo">`, will display the contents of message part with the `Content-Id: <logo>` header.
The `wp_mail()` function now supports including inline attachments through a new `$embeds` parameter. It accepts a map of `Content-ID` values to file paths. The `wp_mail_embed_args` filter can be used to customize the resulting `PHPMailer::addEmbeddedImage` method call.
Props jesin, swissspidy, chrisvendiadvertisingcom, SirLouen, mukesh27, yashjawale, iamadisingh.
Fixes #28059.
Built from https://develop.svn.wordpress.org/trunk@60698
git-svn-id: http://core.svn.wordpress.org/trunk@60034 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This reinstates the ability for a user to log in to an account where the password is hashed using MD5. This means that the ability to reset a password directly in the database using an SQL query or a database administration tool will be retained without the need to implement or integrate with bcrypt or phpass.
A password hashed with MD5 will get upgraded to bcrypt at the point where a user successfully logs in, just as is the case with a phpass hash.
Props audrasjb, aaronjorbin, johnbillion, david-innes, benniledl.
See #21022.
Built from https://develop.svn.wordpress.org/trunk@59893
git-svn-id: http://core.svn.wordpress.org/trunk@59235 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Passwords and security keys that were saved in prior versions of WordPress will continue to work. Each user's password will be opportunistically rehashed and resaved when they next subsequently log in using a valid password.
The following new functions have been introduced:
* `wp_password_needs_rehash()`
* `wp_fast_hash()`
* `wp_verify_fast_hash()`
The following new filters have been introduced:
* `password_needs_rehash`
* `wp_hash_password_algorithm`
* `wp_hash_password_options`
Props ayeshrajans, bgermann, dd32, deadduck169, desrosj, haozi, harrym, iandunn, jammycakes, joehoyle, johnbillion, mbijon, mojorob, mslavco, my1xt, nacin, otto42, paragoninitiativeenterprises, paulkevan, rmccue, ryanhellyer, scribu, swalkinshaw, synchro, th23, timothyblynjacobs, tomdxw, westi, xknown.
Additional thanks go to the Roots team, Soatok, Calvin Alkan, and Raphael Ahrens.
Fixes #21022, #44628
Built from https://develop.svn.wordpress.org/trunk@59828
git-svn-id: http://core.svn.wordpress.org/trunk@59170 1a063a9b-81f0-0310-95a4-ce76da25c4cd
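The two commits above describe one pattern: accept a legacy MD5 or older hash at login, then rehash and resave it once the password has been verified. The following is an added example of that pattern in plain PHP, not code from these commits or from WordPress; the function names, the in-memory user store, the cost value and the sample password are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; this is not WordPress's implementation.
const BCRYPT_COST = 10; // assumed work factor

/** True when $hash is a bare 32-hex-digit MD5 digest, e.g. one set by hand in the database. */
function is_legacy_md5(string $hash): bool
{
    return strlen($hash) === 32 && ctype_xdigit($hash);
}

/** Verify $password against a legacy MD5 digest or a password_hash() value. */
function verify_password(string $password, string $hash): bool
{
    if (is_legacy_md5($hash)) {
        // Constant-time comparison, even for the legacy format.
        return hash_equals(strtolower($hash), md5($password));
    }
    return password_verify($password, $hash);
}

/** True when the stored hash should be replaced after a successful login. */
function needs_rehash(string $hash): bool
{
    return is_legacy_md5($hash)
        || password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/** Log in and, only after the password has been verified, upgrade the stored hash. */
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !verify_password($password, $users[$name])) {
        return false; // a failed login never touches the stored hash
    }
    if (needs_rehash($users[$name])) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

// Constructed sample: a password that was reset directly in the database as MD5.
$users = ['alice' => md5('correct horse battery')];

var_dump(login($users, 'alice', 'wrong guess'));           // rejected, hash unchanged
var_dump(is_legacy_md5($users['alice']));                  // still the legacy format
var_dump(login($users, 'alice', 'correct horse battery')); // accepted, hash upgraded
var_dump(str_starts_with($users['alice'], '$2y$'));        // now a bcrypt hash
var_dump(login($users, 'alice', 'correct horse battery')); // verified via password_verify()
```

The upgrade can only happen at login because that is the one moment the plaintext is available; accounts that never log in keep their legacy hash.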
This extension provides the `hash()` function and support for the SHA-256 algorithm, both of which are required for upcoming security related changes. This extension is almost universally enabled, however it is technically possible to disable it on PHP 7.2 and 7.3, hence the introduction of this requirement and the corresponding requirement checks prior to installing or upgrading WordPress.
Props peterwilsoncc, ayeshrajans, dd32, SergeyBiryukov, johnbillion.
Fixes #60638, #62815, #56017
See #21022
Built from https://develop.svn.wordpress.org/trunk@59803
git-svn-id: http://core.svn.wordpress.org/trunk@59145 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Values passed to parameters with this attribute will be redacted if present in a stack trace when using PHP 8.2 or later. This reduces the chance that passwords and security keys get accidentally exposed in debug logs and bug reports.
Props petitphp, TobiasBg, jrf, johnbillion.
Fixes #57304
Built from https://develop.svn.wordpress.org/trunk@59754
git-svn-id: http://core.svn.wordpress.org/trunk@59096 1a063a9b-81f0-0310-95a4-ce76da25c4cd
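The redaction described in the commit above can be observed with PHP's `#[\SensitiveParameter]` attribute. This is an added example, not code from the commit or from WordPress; `check_credentials()`, `logged_args()` and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical function for illustration; not a WordPress function.
// The attribute sits on its own line so that PHP 7, where "#" starts a
// comment, skips that line instead of swallowing the parameter after it.
function check_credentials(
    string $username,
    #[\SensitiveParameter]
    string $password
): bool {
    // Simulate a failure inside authentication so that a stack trace exists.
    throw new RuntimeException('auth backend unavailable');
}

/**
 * Describe the arguments recorded in the top frame of an exception's trace,
 * roughly as they would appear in a debug log.
 */
function logged_args(Throwable $e): array
{
    $frame = $e->getTrace()[0] ?? [];
    // With zend.exception_ignore_args=On, no arguments are recorded at all.
    $args = $frame['args'] ?? [];

    return array_map(
        static fn ($arg) => is_object($arg) ? get_class($arg) : var_export($arg, true),
        $args
    );
}

try {
    // Constructed sample values.
    check_credentials('alice', 'constructed-secret-value');
} catch (RuntimeException $e) {
    // On PHP 8.2 or later the second entry is a SensitiveParameterValue
    // object in place of the password string; on older versions the
    // plaintext is recorded in the trace.
    print_r(logged_args($e));
}
```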
Adds a new `WP_PHPMailer` class to leverage the WordPress i18n system with PHPMailer, so that any user-visible error messages can be properly translated.
Props sukhendu2002, swissspidy, audrasjb, iandunn, nacin, mark-k.
Fixes #23311.
Built from https://develop.svn.wordpress.org/trunk@59592
git-svn-id: http://core.svn.wordpress.org/trunk@58978 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Improvements were made in 6.7 to ensure that salts stored in the database were primed more efficiently.
The logic added to accomplish this suffered from an edge case where array indexes were unexpectedly missing when `wp_salt()` was called recursively.
Follow up to [58837].
Props juliobox, ankitkumarshah, dilipbheda, johnbillion, joemcgill, desrosj.
Fixes #62424.
Built from https://develop.svn.wordpress.org/trunk@59427
git-svn-id: http://core.svn.wordpress.org/trunk@58813 1a063a9b-81f0-0310-95a4-ce76da25c4cd
If sending an email to the site administrator's email address, look up if a user with the same email exists and switch to that user's locale.
If not, falls back to the site locale as usual.
Props benniledl, swissspidy, mukesh27.
Fixes #61518.
Built from https://develop.svn.wordpress.org/trunk@59128
git-svn-id: http://core.svn.wordpress.org/trunk@58524 1a063a9b-81f0-0310-95a4-ce76da25c4cd
For salts generated and stored in the database, use `wp_prime_site_option_caches()` within `wp_salt()` to prime the options in a single database query, down from up to nine database queries.
The options are primed when the corresponding constant is either undefined or uses the default string `put your unique phrase here`.
Props joemcgill, spacedmonkey, peterwilsoncc.
Fixes #59871.
Built from https://develop.svn.wordpress.org/trunk@58837
git-svn-id: http://core.svn.wordpress.org/trunk@58233 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When WordPress sends out a password-reset or new-user email, it generates
a link for someone to follow in order to take them to the reset page. If
the user login name ends in a period, however, that generated URL will
end in a period and many email clients will confuse it with a
sentence-ending period instead of being part of the query arguments.
In this patch, the generated URL's query arguments are rearranged so that
the link will never end in a period. Alternative ideas were explored to
create a new function to escape URL-ending periods, but this patch resolves
the reported problem without raising any further architectural questions.
Developed in https://github.com/WordPress/wordpress-develop/pull/6834
Discussed in https://core.trac.wordpress.org/ticket/42957
Props audrasjb, costdev, daveagp, dmsnell, hellofromTonya, markparnell, mukesh27, nhrrob, obrienlabs, paulcline.
Fixes #42957.
Built from https://develop.svn.wordpress.org/trunk@58674
git-svn-id: http://core.svn.wordpress.org/trunk@58076 1a063a9b-81f0-0310-95a4-ce76da25c4cd
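The failure mode in the commit above, shown as an added example that is not code from the commit or from WordPress. The two URL builders, their argument order, the `example.test` host, the simplified autolinker and the sample login and key are all assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical builders; the argument order is an assumption for illustration.
function reset_url_login_last(string $login, string $key): string
{
    return 'https://example.test/wp-login.php?action=rp&key=' . rawurlencode($key)
        . '&login=' . rawurlencode($login);
}

function reset_url_login_first(string $login, string $key): string
{
    return 'https://example.test/wp-login.php?login=' . rawurlencode($login)
        . '&key=' . rawurlencode($key) . '&action=rp';
}

/** Simplified model of a mail client's autolinker: find the URL, drop trailing sentence punctuation. */
function autolink(string $body): string
{
    if (!preg_match('~https?://\S+~', $body, $m)) {
        return '';
    }
    return rtrim($m[0], '.,;:!?');
}

/** The login value the server would read from the URL the client opened. */
function login_seen_by_server(string $url): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return $query['login'] ?? '';
}

// Constructed sample: a login name ending in a period. rawurlencode() leaves
// "." untouched because it is an unreserved character, so encoding does not help.
$login = 'j.smith.';
$key   = 'CONSTRUCTEDKEY123';

foreach (['reset_url_login_last', 'reset_url_login_first'] as $builder) {
    $body    = "To reset your password, visit the following address:\n\n"
             . $builder($login, $key) . "\n";
    $clicked = autolink($body);
    printf(
        "%-22s server sees login=%s (%s)\n",
        $builder,
        var_export(login_seen_by_server($clicked), true),
        login_seen_by_server($clicked) === $login ? 'intact' : 'period lost'
    );
}
```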
While technically only `null`, `WP_User`, or `WP_Error` should be returned from the `authenticate` filter, a plugin might return boolean `false` instead, which would trigger the `authentication_failed` error prior to [57882].
This commit aims to preserve that behavior in case `false` is returned.
Follow-up to [57882].
Props johnbillion.
See #60700.
Built from https://develop.svn.wordpress.org/trunk@57990
git-svn-id: http://core.svn.wordpress.org/trunk@57476 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `$x_redirect_by` parameter is supported by `wp_redirect()` and `wp_safe_redirect()` to set the `X-Redirect-By` header.
It can be modified via the `x_redirect_by` filter.
This updates the docblock to clarify that `false` can be passed to disable sending the header, which was previously undocumented behavior.
Props kkmuffme, swissspidy.
Fixes #60209.
Built from https://develop.svn.wordpress.org/trunk@57693
git-svn-id: http://core.svn.wordpress.org/trunk@57194 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Includes:
* Expanding and synchronizing documentation for the `default` and `rating` arguments.
* Adding `@since` entries for the `loading`, `fetchpriority`, and `decoding` arguments.
* Wrapping long lines as per the documentation standards.
* Fixing a typo in the `identicon` value.
* Minor formatting edits for consistency.
Follow-up to [31107], [45632], [47554], [53480], [56037].
See #58833.
Built from https://develop.svn.wordpress.org/trunk@56767
git-svn-id: http://core.svn.wordpress.org/trunk@56279 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `wp_get_loading_optimization_attributes()` function was introduced in 6.3, as a single centralized place to control loading optimization attributes for various tags, most importantly images.
This changeset consolidates the `decoding="async"` optimization, which was added in 6.1, to occur solely as part of `wp_get_loading_optimization_attributes()`, removing duplicate code and allowing centralized filtering based on [56651].
As part of the change, the `wp_img_tag_add_decoding_attr()` function has been deprecated. The filter of the same name continues to be maintained for backward compatibility, as before covering only images that are part of a content blob such as post content (`the_content`).
Props pereirinha, mukesh27, joemcgill, flixos90.
Fixes #58892.
See #53232.
Built from https://develop.svn.wordpress.org/trunk@56690
git-svn-id: http://core.svn.wordpress.org/trunk@56202 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).
WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [55988], [55990], [56014], [56021], [56031], [56032], [56065], [56241].
See #58206.
Built from https://develop.svn.wordpress.org/trunk@56245
git-svn-id: http://core.svn.wordpress.org/trunk@55757 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset adds support for the `fetchpriority` attribute, which is typically added to a single image in each HTML response with a value of "high". This enhances load time performance (also Largest Contentful Paint, or LCP) by telling the browser to prioritize this image for downloading even before the layout of the page has been computed. In lab tests, this has been shown to improve LCP performance by ~10% on average.
Specifically, `fetchpriority="high"` is added to the first image that satisfies all of the following conditions:
* The image is not lazy-loaded, i.e. does not have `loading="lazy"`.
* The image does not already have a (conflicting) `fetchpriority` attribute.
* The size of the image (i.e. width * height) is greater than 50,000 squarepixels.
While these heuristics are based on several field analyses, there will always be room for optimization. Sites can customize the squarepixel threshold using a new filter `wp_min_priority_img_pixels` which should return an integer for the value.
Since the logic for adding `fetchpriority="high"` is heavily intertwined with the logic for adding `loading="lazy"`, yet the features should work decoupled from each other, the majority of code changes in this changeset is refactoring of the existing lazy-loading logic to be reusable. For this purpose, a new function `wp_get_loading_optimization_attributes()` has been introduced which returns an associative array of performance-relevant attributes for a given HTML element. This function replaces `wp_get_loading_attr_default()`, which has been deprecated. As another result of that change, a new function `wp_img_tag_add_loading_optimization_attrs()` replaces the more specific `wp_img_tag_add_loading_attr()`, which has been deprecated as well.
See https://make.wordpress.org/core/2023/05/02/proposal-for-enhancing-lcp-image-performance-with-fetchpriority/ for the original proposal and additional context.
Props thekt12, joemcgill, spacedmonkey, mukesh27, costdev, 10upsimon.
Fixes #58235.
Built from https://develop.svn.wordpress.org/trunk@56037
git-svn-id: http://core.svn.wordpress.org/trunk@55549 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_starts_with()` and `str_ends_with()` were introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins or ends with the given substring (needle).
WordPress core includes a polyfill for these functions on PHP < 8.0 as of WordPress 5.9.
This commit uses `str_starts_with()` and `str_ends_with()` in core files where appropriate:
* `$needle === substr( $string, 0, $length )`, where `$length` is the length of `$needle`, is replaced with `str_starts_with( $haystack, $needle )`.
* `$needle === substr( $string, $offset )`, where `$offset` is negative and the absolute value of `$offset` is the length of `$needle`, is replaced with `str_ends_with( $haystack, $needle )`.
This aims to make the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987], [55988].
Props Soean, spacedmonkey, Clorith, ocean90, azaozz, sabernhardt, SergeyBiryukov.
Fixes #58220.
Built from https://develop.svn.wordpress.org/trunk@55990
git-svn-id: http://core.svn.wordpress.org/trunk@55502 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).
WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987].
Props Soean, spacedmonkey, costdev, dingo_d, azaozz, mikeschroder, flixos90, peterwilsoncc, SergeyBiryukov.
Fixes #58206.
Built from https://develop.svn.wordpress.org/trunk@55988
git-svn-id: http://core.svn.wordpress.org/trunk@55500 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_starts_with()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins with the given substring (needle).
WordPress core includes a polyfill for `str_starts_with()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `0 === strpos( ... )` with `str_starts_with()` in core files, making the code more readable and consistent, as well as improving performance.
While `strpos()` is slightly faster than the polyfill on PHP < 8.0, `str_starts_with()` is noticeably faster on PHP 8.0+, as it is optimized to avoid unnecessarily searching along the whole haystack if it does not find the needle.
Follow-up to [52039], [52040], [52326].
Props spacedmonkey, costdev, sabernhardt, mukesh27, desrosj, jorbin, TobiasBg, ayeshrajans, lgadzhev, SergeyBiryukov.
Fixes #58012.
Built from https://develop.svn.wordpress.org/trunk@55703
git-svn-id: http://core.svn.wordpress.org/trunk@55215 1a063a9b-81f0-0310-95a4-ce76da25c4cd