desrosj 789f4459e4 Grouped backports for the 6.8 branch. ...

- XML-RPC: Switch to `wp_safe_remote()` when fetching a pingback URL.
- HTML API: Prevent `WP_HTML_Tag_Processor` instances being unserialized and add some extra logic for validating pattern and template file paths.
- KSES: Optimize PCRE pattern detecting numeric character references.
- Customize: Improve escaping approach used for nav menu attributes.
- Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
- Interactivity API: Skip binding event handler attributes. The corresponding `data-wp-on--` attribute should be used instead.
- Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
- Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.
- Comments: Don't attempt to create a note if the user cannot edit the target post.
- Media: Disable XML entity substitution in getID3.

Merges [61879-61890] to the 6.8 branch.

Props johnbillion, xknown, dmsnell, jorbin, peterwilson, adamsilverstein, desrosj, luisherranz, ocean90, westonruter, jonsurrell, aurdasjb.
Built from https://develop.svn.wordpress.org/branches/6.8@61901


git-svn-id: http://core.svn.wordpress.org/branches/6.8@61183 1a063a9b-81f0-0310-95a4-ce76da25c4cd

2026-03-10 16:37:37 +00:00

73 KiB

Raw Permalink Blame History

View Raw