Tag 3.7.36

Built from https://develop.svn.wordpress.org/tags/3.7.36@50910


git-svn-id: http://core.svn.wordpress.org/tags/3.7.36@50519 1a063a9b-81f0-0310-95a4-ce76da25c4cd

index.php

@@ -14,4 +14,4 @@
 define('WP_USE_THEMES', true);
 
 /** Loads the WordPress Environment and Template */
-require('./wp-blog-header.php');
+require( dirname( __FILE__ ) . '/wp-blog-header.php' );

license.txt

@@ -1,6 +1,6 @@
 WordPress - Web publishing software
 
-Copyright 2011 by the contributors
+Copyright 2018 by the contributors
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

readme.html

@@ -1,5 +1,5 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
+<!DOCTYPE html>
+<html>
 <head>
 	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 	<title>WordPress &#8250; ReadMe</title>
@@ -8,12 +8,11 @@
 <body>
 <h1 id="logo">
 	<a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
-	<br /> Version 3.5
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>
 
 <h1>First Things First</h1>
-<p>Welcome. WordPress is a very special project to me. Every developer and contributor adds something unique to the mix, and together we create something beautiful that I'm proud to be a part of. Thousands of hours have gone into WordPress, and we're dedicated to making it better every day. Thank you for making it part of your world.</p>
+<p>Welcome. WordPress is a very special project to me. Every developer and contributor adds something unique to the mix, and together we create something beautiful that I&#8217;m proud to be a part of. Thousands of hours have gone into WordPress, and we&#8217;re dedicated to making it better every day. Thank you for making it part of your world.</p>
 <p style="text-align: right">&#8212; Matt Mullenweg</p>
 
 <h1>Installation: Famous 5-minute install</h1>
@@ -21,35 +20,32 @@
 	<li>Unzip the package in an empty directory and upload everything.</li>
 	<li>Open <span class="file"><a href="wp-admin/install.php">wp-admin/install.php</a></span> in your browser. It will take you through the process to set up a <code>wp-config.php</code> file with your database connection details.
 		<ol>
-			<li>If for some reason this doesn't work, don't worry. It doesn't work on all web hosts. Open up <code>wp-config-sample.php</code> with a text editor like WordPad or similar and fill in your database connection details.</li>
+			<li>If for some reason this doesn&#8217;t work, don&#8217;t worry. It doesn&#8217;t work on all web hosts. Open up <code>wp-config-sample.php</code> with a text editor like WordPad or similar and fill in your database connection details.</li>
 			<li>Save the file as <code>wp-config.php</code> and upload it.</li>
 			<li>Open <span class="file"><a href="wp-admin/install.php">wp-admin/install.php</a></span> in your browser.</li>
 		</ol>
 	</li>
 	<li>Once the configuration file is set up, the installer will set up the tables needed for your blog. If there is an error, double check your <code>wp-config.php</code> file, and try again. If it fails again, please go to the <a href="http://wordpress.org/support/" title="WordPress support">support forums</a> with as much data as you can gather.</li>
 	<li><strong>If you did not enter a password, note the password given to you.</strong> If you did not provide a username, it will be <code>admin</code>.</li>
-	<li>The installer should then send you to the <a href="wp-login.php">login page</a>. Sign in with the username and password you chose during the installation. If a password was generated for you, you can then click on 'Profile' to change the password.</li>
+	<li>The installer should then send you to the <a href="wp-login.php">login page</a>. Sign in with the username and password you chose during the installation. If a password was generated for you, you can then click on &#8220;Profile&#8221; to change the password.</li>
 </ol>
 
 <h1>Updating</h1>
 <h2>Using the Automatic Updater</h2>
 <p>If you are updating from version 2.7 or higher, you can use the automatic updater:</p>
 <ol>
-	<li>Open the <span class="file"><a href="wp-admin/update-core.php">wp-admin/update-core.php</a></span> in your browser and follow the instructions.</li>
-	<li>You wanted more, perhaps? That's it!</li>
+	<li>Open <span class="file"><a href="wp-admin/update-core.php">wp-admin/update-core.php</a></span> in your browser and follow the instructions.</li>
+	<li>You wanted more, perhaps? That&#8217;s it!</li>
 </ol>
 
 <h2>Updating Manually</h2>
 <ol>
 	<li>Before you update anything, make sure you have backup copies of any files you may have modified such as <code>index.php</code>.</li>
-	<li>Delete your old WordPress files, saving ones you've modified.</li>
+	<li>Delete your old WordPress files, saving ones you&#8217;ve modified.</li>
 	<li>Upload the new files.</li>
 	<li>Point your browser to <span class="file"><a href="wp-admin/upgrade.php">/wp-admin/upgrade.php</a>.</span></li>
 </ol>
 
-<h2>Theme Template Changes</h2>
-<p>If you have customized your theme templates, you may have to make some changes across major versions.</p>
-
 <h1>Migrating from other systems</h1>
 <p>WordPress can <a href="http://codex.wordpress.org/Importing_Content">import from a number of systems</a>. First you need to get WordPress installed and working as described above, before using <a href="wp-admin/import.php" title="Import to WordPress">our import tools</a>.</p>
 
@@ -66,34 +62,24 @@
 </ul>
 
 <h1>Online Resources</h1>
-<p>If you have any questions that aren't addressed in this document, please take advantage of WordPress' numerous online resources:</p>
+<p>If you have any questions that aren&#8217;t addressed in this document, please take advantage of WordPress&#8217; numerous online resources:</p>
 <dl>
 	<dt><a href="http://codex.wordpress.org/">The WordPress Codex</a></dt>
 		<dd>The Codex is the encyclopedia of all things WordPress. It is the most comprehensive source of information for WordPress available.</dd>
 	<dt><a href="http://wordpress.org/news/">The WordPress Blog</a></dt>
-		<dd>This is where you'll find the latest updates and news related to WordPress. Recent WordPress news appears in your administrative dashboard by default.</dd>
+		<dd>This is where you&#8217;ll find the latest updates and news related to WordPress. Recent WordPress news appears in your administrative dashboard by default.</dd>
 	<dt><a href="http://planet.wordpress.org/">WordPress Planet</a></dt>
 		<dd>The WordPress Planet is a news aggregator that brings together posts from WordPress blogs around the web.</dd>
 	<dt><a href="http://wordpress.org/support/">WordPress Support Forums</a></dt>
-		<dd>If you've looked everywhere and still can't find an answer, the support forums are very active and have a large community ready to help. To help them help you be sure to use a descriptive thread title and describe your question in as much detail as possible.</dd>
+		<dd>If you&#8217;ve looked everywhere and still can&#8217;t find an answer, the support forums are very active and have a large community ready to help. To help them help you be sure to use a descriptive thread title and describe your question in as much detail as possible.</dd>
 	<dt><a href="http://codex.wordpress.org/IRC">WordPress <abbr title="Internet Relay Chat">IRC</abbr> Channel</a></dt>
 		<dd>There is an online chat channel that is used for discussion among people who use WordPress and occasionally support topics. The above wiki page should point you in the right direction. (<a href="irc://irc.freenode.net/wordpress">irc.freenode.net #wordpress</a>)</dd>
 </dl>
 
-<h1><abbr title="eXtensible Markup Language">XML</abbr>-<abbr title="Remote Procedure Call">RPC</abbr> and Atom Interface</h1>
-<p>You can post to your WordPress blog with tools like <a href="http://download.live.com/writer">Windows Live Writer</a>, <a href="http://illuminex.com/ecto/">Ecto</a>, <a href="http://bloggar.com/">w.bloggar</a>, <a href="http://radio.userland.com/">Radio Userland</a> (which means you can use Radio's email-to-blog feature), <a href="http://www.newzcrawler.com/">NewzCrawler</a>, and other tools that support the blogging <abbr title="application programming interface">API</abbr>s! :) You can read more about <a href="http://codex.wordpress.org/XML-RPC_Support"><abbr>XML</abbr>-<abbr>RPC</abbr> support on the Codex</a>.</p>
-
-<h1>Post via Email</h1>
-<p>You can post from an email client! To set this up go to your &quot;Writing&quot; options screen and fill in the connection details for your secret <abbr title="Post Office Protocol version 3">POP3</abbr> account. Then you need to set up <code>wp-mail.php</code> to execute periodically to check the mailbox for new posts. You can do it with <a href="http://en.wikipedia.org/wiki/Cron">cron</a>-jobs, or if your host doesn't support it you can look into the various website-monitoring services, and make them check your <code>wp-mail.php</code> <abbr title="Uniform Resource Locator">URL</abbr>.</p>
-<p>Posting is easy: Any email sent to the address you specify will be posted, with the subject as the title. It is best to keep the address discrete. The script will <em>delete</em> emails that are successfully posted.</p>
-
-<h1>User Roles</h1>
-<p>We introduced a very flexible roles system in version 2.0. You can <a href="http://codex.wordpress.org/Roles_and_Capabilities" title="WordPress roles and capabilities">read more about Roles and Capabilities on the Codex</a>.</p>
-
 <h1>Final Notes</h1>
 <ul>
 	<li>If you have any suggestions, ideas, or comments, or if you (gasp!) found a bug, join us in the <a href="http://wordpress.org/support/">Support Forums</a>.</li>
-	<li>WordPress has a robust plugin <abbr title="application programming interface">API</abbr> that makes extending the code easy. If you are a developer interested in utilizing this, see the <a href="http://codex.wordpress.org/Plugin_API" title="WordPress plugin API">plugin documentation in the Codex</a>. You shouldn't modify any of the core code.</li>
+	<li>WordPress has a robust plugin <abbr title="application programming interface">API</abbr> that makes extending the code easy. If you are a developer interested in utilizing this, see the <a href="http://codex.wordpress.org/Plugin_API" title="WordPress plugin API">plugin documentation in the Codex</a>. You shouldn&#8217;t modify any of the core code.</li>
 </ul>
 
 <h1>Share the Love</h1>

wp-activate.php

@@ -6,22 +6,73 @@
  * @package WordPress
  */
 
-/** Define ABSPATH as this file's directory */
 define( 'WP_INSTALLING', true );
 
 /** Sets up the WordPress Environment. */
 require( dirname(__FILE__) . '/wp-load.php' );
 
-require( './wp-blog-header.php' );
+require( dirname( __FILE__ ) . '/wp-blog-header.php' );
 
 if ( !is_multisite() ) {
 	wp_redirect( site_url( '/wp-login.php?action=register' ) );
 	die();
 }
 
+$valid_error_codes = array( 'already_active', 'blog_taken' );
+
+list( $activate_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
+$activate_cookie = 'wp-activate-' . COOKIEHASH;
+
+$key    = '';
+$result = null;
+
+if ( isset( $_GET['key'] ) && isset( $_POST['key'] ) && $_GET['key'] !== $_POST['key'] ) {
+	wp_die( __( 'A key value mismatch has been detected. Please follow the link provided in your activation email.' ), __( 'An error occurred during the activation' ), 400 );
+} elseif ( ! empty( $_GET['key'] ) ) {
+	$key = $_GET['key'];
+} elseif ( ! empty( $_POST['key'] ) ) {
+	$key = $_POST['key'];
+}
+
+if ( $key ) {
+	$redirect_url = remove_query_arg( 'key' );
+
+	if ( $redirect_url !== remove_query_arg( false ) ) {
+		setcookie( $activate_cookie, $key, 0, $activate_path, COOKIE_DOMAIN, is_ssl(), true );
+		wp_safe_redirect( $redirect_url );
+		exit;
+	} else {
+		$result = wpmu_activate_signup( $key );
+	}
+}
+
+if ( $result === null && isset( $_COOKIE[ $activate_cookie ] ) ) {
+	$key    = $_COOKIE[ $activate_cookie ];
+	$result = wpmu_activate_signup( $key );
+	setcookie( $activate_cookie, ' ', time() - YEAR_IN_SECONDS, $activate_path, COOKIE_DOMAIN, is_ssl(), true );
+}
+
+if ( $result === null || ( is_wp_error( $result ) && 'invalid_key' === $result->get_error_code() ) ) {
+	status_header( 404 );
+} elseif ( is_wp_error( $result ) ) {
+	$error_code = $result->get_error_code();
+
+	if ( ! in_array( $error_code, $valid_error_codes ) ) {
+		status_header( 400 );
+	}
+}
+
 if ( is_object( $wp_object_cache ) )
 	$wp_object_cache->cache_enabled = false;
 
+// Fix for page title
+$wp_query->is_404 = false;
+
+/**
+ * Fires before the Site Activation page is loaded.
+ *
+ * @since 3.0
+ */
 do_action( 'activate_header' );
 
 /**
@@ -30,7 +81,12 @@ do_action( 'activate_header' );
  * @since MU
  */
 function do_activate_header() {
-	do_action( 'activate_wp_head' );
+    /**
+     * Fires before the Site Activation page is loaded, but on the wp_head action.
+     *
+     * @since 3.0
+     */
+    do_action( 'activate_wp_head' );
 }
 add_action( 'wp_head', 'do_activate_header' );
 
@@ -51,12 +107,13 @@ function wpmu_activate_stylesheet() {
 	<?php
 }
 add_action( 'wp_head', 'wpmu_activate_stylesheet' );
+add_action( 'wp_head', 'wp_sensitive_page_meta' );
 
 get_header();
 ?>
 
 <div id="content" class="widecolumn">
-	<?php if ( empty($_GET['key']) && empty($_POST['key']) ) { ?>
+	<?php if ( ! $key ) { ?>
 
 		<h2><?php _e('Activation Key Required') ?></h2>
 		<form name="activateform" id="activateform" method="post" action="<?php echo network_site_url('wp-activate.php'); ?>">
@@ -70,28 +127,25 @@ get_header();
 		</form>
 
 	<?php } else {
-
-		$key = !empty($_GET['key']) ? $_GET['key'] : $_POST['key'];
-		$result = wpmu_activate_signup($key);
-		if ( is_wp_error($result) ) {
-			if ( 'already_active' == $result->get_error_code() || 'blog_taken' == $result->get_error_code() ) {
-			    $signup = $result->get_error_data();
-				?>
-				<h2><?php _e('Your account is now active!'); ?></h2>
-				<?php
-				echo '<p class="lead-in">';
-				if ( $signup->domain . $signup->path == '' ) {
-					printf( __('Your account has been activated. You may now <a href="%1$s">log in</a> to the site using your chosen username of &#8220;%2$s&#8221;. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.'), network_site_url( 'wp-login.php', 'login' ), $signup->user_login, $signup->user_email, wp_lostpassword_url() );
-				} else {
-					printf( __('Your site at <a href="%1$s">%2$s</a> is active. You may now log in to your site using your chosen username of &#8220;%3$s&#8221;. Please check your email inbox at %4$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%5$s">reset your password</a>.'), 'http://' . $signup->domain, $signup->domain, $signup->user_login, $signup->user_email, wp_lostpassword_url() );
-				}
-				echo '</p>';
+		if ( is_wp_error( $result ) && in_array( $result->get_error_code(), $valid_error_codes ) ) {
+			$signup = $result->get_error_data();
+			?>
+			<h2><?php _e('Your account is now active!'); ?></h2>
+			<?php
+			echo '<p class="lead-in">';
+			if ( $signup->domain . $signup->path == '' ) {
+				printf( __('Your account has been activated. You may now <a href="%1$s">log in</a> to the site using your chosen username of &#8220;%2$s&#8221;. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.'), network_site_url( 'wp-login.php', 'login' ), $signup->user_login, $signup->user_email, wp_lostpassword_url() );
 			} else {
-				?>
-				<h2><?php _e('An error occurred during the activation'); ?></h2>
-				<?php
-			    echo '<p>'.$result->get_error_message().'</p>';
+				printf( __('Your site at <a href="%1$s">%2$s</a> is active. You may now log in to your site using your chosen username of &#8220;%3$s&#8221;. Please check your email inbox at %4$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%5$s">reset your password</a>.'), 'http://' . $signup->domain, $signup->domain, $signup->user_login, $signup->user_email, wp_lostpassword_url() );
 			}
+			echo '</p>';
+		} elseif ( $result === null || is_wp_error( $result ) ) {
+			?>
+			<h2><?php _e('An error occurred during the activation'); ?></h2>
+			<?php if ( is_wp_error( $result ) ) {
+				echo '<p>' . $result->get_error_message() . '</p>';
+			} ?>
+			<?php
 		} else {
 			extract($result);
 			$url = get_blogaddress_by_id( (int) $blog_id);
@@ -117,4 +171,4 @@ get_header();
 	var key_input = document.getElementById('key');
 	key_input && key_input.focus();
 </script>
-<?php get_footer(); ?>
+<?php get_footer(); ?>

wp-admin/about.php

@@ -7,19 +7,21 @@
  */
 
 /** WordPress Administration Bootstrap */
-require_once( './admin.php' );
+require_once( dirname( __FILE__ ) . '/admin.php' );
 
 $title = __( 'About' );
 
 list( $display_version ) = explode( '-', $wp_version );
 
+wp_enqueue_script( 'about' );
+
 include( ABSPATH . 'wp-admin/admin-header.php' );
 ?>
 <div class="wrap about-wrap">
 
 <h1><?php printf( __( 'Welcome to WordPress %s' ), $display_version ); ?></h1>
 
-<div class="about-text"><?php printf( __( 'Thank you for updating to the latest version! WordPress %s is more polished and enjoyable than ever before. We hope you like it.' ), $display_version ); ?></div>
+<div class="about-text"><?php echo str_replace( '3.7', $display_version, __( 'Thank you for updating to WordPress 3.7! You might not notice a thing, and we&#8217;re okay with that.' ) ); ?></div>
 
 <div class="wp-badge"><?php printf( __( 'Version %s' ), $display_version ); ?></div>
 
@@ -33,90 +35,382 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 	</a>
 </h2>
 
+<div class="changelog point-releases">
+	<h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 36 ); ?></h3>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed one security issue.' ),
+			'3.7.36'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.36' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.7.35'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.35' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.7.34'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.34' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.7.33'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.33' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed one security issue.' ),
+			'3.7.32'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.32' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.7.31'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.31' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.7.30'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.30' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed a security issue.' ),
+			'3.7.29'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.29' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		/* translators: %s: WordPress version number */
+		printf( __( '<strong>Version %s</strong> addressed some security issues.' ), '3.7.28' );
+		?>
+		<?php
+		/* translators: %s: Codex URL */
+		printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.28' );
+		?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+			'<strong>Version %1$s</strong> addressed some security issues.', 1 ), '3.7.27' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.27' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+			'<strong>Version %1$s</strong> addressed some security issues.', 2 ), '3.7.26' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.26' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+			'<strong>Version %1$s</strong> addressed some security issues.', 1 ), '3.7.25' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.25' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+			'<strong>Version %1$s</strong> addressed some security issues.', 4 ), '3.7.24' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.24' ); ?>
+	</p>
+	<p><?php printf( __( '<strong>Version %s</strong> addressed one security issue.' ), '3.7.23' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.23' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+			'<strong>Version %1$s</strong> addressed some security issues.', 7 ), '3.7.22' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.22' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+			'<strong>Version %1$s</strong> addressed some security issues.', 5 ), '3.7.21' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.21' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
+			'<strong>Version %1$s</strong> addressed %2$s bugs.', 1 ), '3.7.20', number_format_i18n( 1 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.20' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 5 ), '3.7.19' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.19' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 3 ), '3.7.18' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.18' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 8 ), '3.7.17' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.17' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 2 ), '3.7.16' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.16' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 9 ), '3.7.15' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.15' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 6 ), '3.7.14' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.14' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 2 ), '3.7.13' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.13' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 1 ), '3.7.12' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.12' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 2 ), '3.7.11', number_format_i18n( 2 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.11' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 2 ), '3.7.10', number_format_i18n( 2 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.10' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 2 ), '3.7.9' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.9' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 3 ), '3.7.8', number_format_i18n( 3 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.8' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed %2$s bugs.', 1 ), '3.7.7', number_format_i18n( 1 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.7' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 8 ), '3.7.6' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.6' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 8 ), '3.7.5', number_format_i18n( 8 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.5' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 5 ), '3.7.4', number_format_i18n( 5 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.4' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
+		'<strong>Version %1$s</strong> addressed %2$s bugs.', 2 ), '3.7.3', number_format_i18n( 2 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.7.3' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 9 ), '3.7.2', number_format_i18n( 9 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.2' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
+		'<strong>Version %1$s</strong> addressed %2$s bugs.', 11 ), '3.7.1', number_format_i18n( 11 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.1' ); ?>
+ 	</p>
+</div>
+
 <div class="changelog">
-	<h3><?php _e( 'New Media Manager' ); ?></h3>
+	<h3><?php _e( 'Background Updates' ); ?></h3>
+
+	<div class="feature-section col three-col about-updates">
+		<div class="col-1">
+			<h4><?php _e( 'Updates While You Sleep' ); ?></h4>
+			<p><?php _e( 'With WordPress 3.7, you don&#8217;t have to lift a finger to apply maintenance and security updates. Most sites are now able to automatically apply these updates in the background, though some configurations may not allow it.' ); ?></p>
+		</div>
+		<div class="col-2">
+			<img alt="" src="<?php echo admin_url( 'images/about-updates-2x.png' ); ?>" />
+		</div>
+		<div class="col-3 last-feature">
+			<h4><?php _e( 'More Reliable Than Ever' ); ?></h4>
+			<p><?php _e( 'The update process has been made even more reliable and secure, with dozens of new checks and safeguards.' ); ?></p>
+			<p><?php _e( 'You&#8217;ll still need to click &#8220;Update Now&#8221; once WordPress 3.8 is released, but we&#8217;ve never had more confidence in that beautiful blue button.' ); ?></p>
+		</div>
+		<?php
+		if ( current_user_can( 'update_core' ) ) {
+			$future_minor_update = (object) array(
+				'current'       => $wp_version . '.1.next.minor',
+				'version'       => $wp_version . '.1.next.minor',
+				'php_version'   => $required_php_version,
+				'mysql_version' => $required_mysql_version,
+			);
+			require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
+			$updater = new WP_Automatic_Updater;
+			$can_auto_update = wp_http_supports( array( 'ssl' ) ) && $updater->should_update( 'core', $future_minor_update, ABSPATH );
+
+			if ( $can_auto_update ) {
+				echo '<p class="about-auto-update cool">' . __( 'This site <strong>is</strong> able to apply these updates automatically. Cool!' ). '</p>';
+
+			// If the updater is disabled entirely, don't show them anything.
+			} elseif ( ! $updater->is_disabled() ) {
+				echo '<p class="about-auto-update">';
+				// If this is is filtered to false, they won't get emails, so don't claim we will.
+				// Assumption: If the user can update core, they can see what the admin email is.
+
+				/** This filter is documented in wp-admin/includes/class-wp-upgrader.php */
+				if ( apply_filters( 'send_core_update_notification_email', true, $future_minor_update ) ) {
+					printf( __( 'This site <strong>is not</strong> able to apply these updates automatically. But we&#8217;ll email %s when there is a new security release.' ), esc_html( get_site_option( 'admin_email' ) ) );
+				} else {
+					_e( 'This site <strong>is not</strong> able to apply these updates automatically.' );
+				}
+				echo '</p>';
+			}
+		}
+		?>
+	</div>
+</div>
+
+<div class="changelog about-passwords">
+	<h3><?php _e( 'Create Stronger Passwords' ); ?></h3>
 
 	<div class="feature-section col two-col">
-		<img alt="" src="<?php echo esc_url( admin_url( 'images/screenshots/about-media.png' ) ); ?>" class="image-100" />
-
 		<div>
-			<h4><?php _e( 'Beautiful Interface' ); ?></h4>
-			<p><?php _e( 'Adding media has been streamlined with an all-new experience, making it a breeze to upload files and place them into your posts.' ); ?></p>
+			<p><?php _e( 'Your password is your site&#8217;s first line of defense. It&#8217;s best to create passwords that are complex, long, and unique. To that end, our password meter has been updated in WordPress 3.7 to recognize common mistakes that can weaken your password: dates, names, keyboard patterns (123456789), and even pop culture references.' ); ?></p>
+			<p><strong><?php _e( 'Try it out on the right.' ); ?></strong></p>
+		</div>
+		<div class="last-feature about-password-meter">
+			<input type="password" id="pass" size="25" value="" />
+			<p id="pass-strength-result" ><?php _e( 'Strength indicator' ); ?></p>
+			<?php printf( __( 'Getting the urge to <a href="%s">change your password</a>?' ), esc_url( self_admin_url( 'profile.php' ) ) ); ?>
+		</div>
+	</div>
+</div>
+
+<div class="changelog">
+	<div class="feature-section col two-col">
+		<div>
+			<h3><?php _e( 'Improved Search Results' ); ?></h3>
+			<p><img alt="" src="<?php echo admin_url( 'images/about-search-2x.png' ); ?>" /><?php _e( 'Search results are now ordered by how well the search query matches a post, instead of ordered only by date. For example, when your search terms match a post title, that result will be pushed to the top.' ); ?></p>
 		</div>
 		<div class="last-feature">
-			<h4><?php _e( 'Picturesque Galleries' ); ?></h4>
-			<p><?php _e( 'Creating image galleries is faster with drag and drop reordering, inline caption editing, and simplified controls for layout.' ); ?></p>
+			<h3><?php _e( 'Better Global Support' ); ?></h3>
+			<p><img alt="" src="<?php echo admin_url( 'images/about-globe-2x.png' ); ?>" /><?php _e( 'Localized versions of WordPress will receive faster and more complete translations. WordPress 3.7 adds support for automatically installing the right language files and keeping them up to date.' ); ?></p>
 		</div>
 	</div>
 </div>
 
-<div class="changelog">
-	<h3><?php _e( 'New Default Theme' ); ?></h3>
-
-	<div class="feature-section images-stagger-right">
-		<img alt="" src="<?php echo esc_url( admin_url( 'images/screenshots/about-twenty-twelve.png' ) ); ?>" class="image-66" />
-		<h4><?php _e( 'Introducing Twenty Twelve' ); ?></h4>
-		<p><?php _e( 'The newest default theme for WordPress is simple, flexible, and elegant.' ); ?></p>
-		<p><?php _e( 'What makes it really shine are the design details, like the gorgeous Open Sans typeface and a fully responsive design that looks great on any device.' ); ?></p>
-		<p><?php _e( 'Naturally, Twenty Twelve supports all the theme features you’ve come to know and love, but it is also designed to be as great for a website as it is for a blog.' ); ?></p>
-	</div>
-</div>
-
-<div class="changelog">
-	<h3><?php _e( 'Retina Ready' ); ?></h3>
-
-	<div class="feature-section images-stagger-right">
-		<img alt="" src="<?php echo esc_url( admin_url( 'images/screenshots/about-retina.png' ) ); ?>" class="image-66" />
-		<h4><?php _e( 'So Sharp You Can&#8217;t See the Pixels' ); ?></h4>
-		<p><?php _e( 'The WordPress dashboard now looks beautiful on high-resolution screens like those found on the iPad, Kindle Fire HD, Nexus 10, and MacBook Pro with Retina Display. Icons and other visual elements are crystal clear and full of detail.' ); ?></p>
-	</div>
-</div>
-
-<div class="changelog">
-	<h3><?php _e( 'Smoother Experience' ); ?></h3>
-
-	<div class="feature-section images-stagger-right">
-		<img alt="" src="<?php echo esc_url( admin_url( 'images/screenshots/about-color-picker.png' ) ); ?>" class="image-30" />
-		<h4><?php _e( 'Better Accessibility' ); ?></h4>
-		<p><?php _e( 'WordPress supports more usage modes than ever before. Screenreaders, touch devices, and mouseless workflows all have improved ease of use and accessibility.' ); ?></p>
-
-		<h4><?php _e( 'More Polish' ); ?></h4>
-		<p><?php _e( 'A number of screens and controls have been refined. For example, a new color picker makes it easier for you to choose that perfect shade of blue.' ); ?></p>
-	</div>
-</div>
-
 <div class="changelog">
 	<h3><?php _e( 'Under the Hood' ); ?></h3>
 
 	<div class="feature-section col three-col">
 		<div>
-			<h4><?php _e( 'Meta Query Additions' ); ?></h4>
-			<p><?php _e( 'The <code>WP_Comment_Query</code> and <code>WP_User_Query</code> classes now support meta queries just like <code>WP_Query.</code> Meta queries now support querying for objects without a particular meta key.' ); ?></p>
+			<h4><?php _e( 'More Background Updates (Experimental)' ); ?></h4>
+			<p><?php _e( 'Want WordPress to always update automatically, even for major feature releases? Want to always keep a certain plugin up to date in the background? WordPress 3.7 comes with fine-grained update controls for developers and systems administrators.' ); ?></p>
 		</div>
 		<div>
-			<h4><?php _e( 'Post Objects' ); ?></h4>
-			<p><?php _e( 'Post objects are now instances of a <code>WP_Post</code> class, which improves performance by loading selected properties on demand.' ); ?></p>
+			<h4><?php _e( 'Advanced Date Queries' ); ?></h4>
+			<p><?php _e( 'Developers can now query for posts within a date range, or that are older than or newer than a specific point in time. Or get really fancy: all posts written on Friday afternoons? Not&nbsp;a&nbsp;problem.' ); ?></p>
 		</div>
 		<div class="last-feature">
-			<h4><?php _e( 'Image Editing API' ); ?></h4>
-			<p><?php _e( 'The <code>WP_Image_Editor</code> class abstracts image editing functionality such as cropping and scaling, and uses ImageMagick when available.' ); ?></p>
-		</div>
-	</div>
-
-	<div class="feature-section col three-col">
-		<div>
 			<h4><?php _e( 'Multisite Improvements' ); ?></h4>
-			<p><?php _e( '<code>switch_to_blog()</code> is now significantly faster and more reliable.' ); ?></p>
+			<p><?php _e( '<code>wp_get_sites()</code> allows developers to easily get an array of all the sites on your network without resorting to a direct database query &mdash; just one of many improvements to multisite in WordPress 3.7.' ); ?></p>
 		</div>
-		<div>
-			<h4><?php _e( 'XML-RPC API' ); ?></h4>
-			<p><?php printf( __( 'The <a href="%s">WordPress API</a> is now always enabled, and supports fetching users, editing profiles, managing post revisions, and searching posts.' ), __( 'http://codex.wordpress.org/XML-RPC_WordPress_API' ) ); ?></p>
-		</div>
-		<div class="last-feature">
-			<h4><?php _e( 'External Libraries' ); ?></h4>
-			<p><?php printf( __( 'WordPress now includes the <a href="%1$s">Underscore</a> and <a href="%2$s">Backbone</a> JavaScript libraries. TinyMCE, jQuery, jQuery UI, and SimplePie have all been updated to the latest versions.' ), 'http://underscorejs.org/', 'http://backbonejs.org/' ); ?></p>
-		</div>
-	</div>
 </div>
 
 <div class="return-to-dashboard">

wp-admin/admin-ajax.php

@@ -32,12 +32,13 @@ require_once( ABSPATH . 'wp-admin/includes/admin.php' );
 /** Load Ajax Handlers for WordPress Core */
 require_once( ABSPATH . 'wp-admin/includes/ajax-actions.php' );
 
-@header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
+@header( 'Content-Type: text/plain; charset=' . get_option( 'blog_charset' ) );
 @header( 'X-Robots-Tag: noindex' );
 
 send_nosniff_header();
 nocache_headers();
 
+/** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );
 
 $core_actions_get = array(
@@ -56,7 +57,7 @@ $core_actions_post = array(
 	'save-widget', 'set-post-thumbnail', 'date_format', 'time_format', 'wp-fullscreen-save-post',
 	'wp-remove-post-lock', 'dismiss-wp-pointer', 'upload-attachment', 'get-attachment',
 	'query-attachments', 'save-attachment', 'save-attachment-compat', 'send-link-to-editor',
-	'send-attachment-to-editor', 'save-attachment-order',
+	'send-attachment-to-editor', 'save-attachment-order', 'heartbeat', 'get-revision-diffs',
 );
 
 // Register core Ajax calls.
@@ -66,12 +67,28 @@ if ( ! empty( $_GET['action'] ) && in_array( $_GET['action'], $core_actions_get
 if ( ! empty( $_POST['action'] ) && in_array( $_POST['action'], $core_actions_post ) )
 	add_action( 'wp_ajax_' . $_POST['action'], 'wp_ajax_' . str_replace( '-', '_', $_POST['action'] ), 1 );
 
-add_action( 'wp_ajax_nopriv_autosave', 'wp_ajax_nopriv_autosave', 1 );
-
-if ( is_user_logged_in() )
-	do_action( 'wp_ajax_' . $_REQUEST['action'] ); // Authenticated actions
-else
-	do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] ); // Non-admin actions
+add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );
 
+if ( is_user_logged_in() ) {
+	/**
+	 * Fires authenticated AJAX actions for logged-in users.
+	 *
+	 * The dynamic portion of the hook name, $_REQUEST['action'],
+	 * refers to the name of the AJAX action callback being fired.
+	 *
+	 * @since 2.1.0
+	 */
+	do_action( 'wp_ajax_' . $_REQUEST['action'] );
+} else {
+	/**
+	 * Fires non-authenticated AJAX actions for logged-out users.
+	 *
+	 * The dynamic portion of the hook name, $_REQUEST['action'],
+	 * refers to the name of the AJAX action callback being fired.
+	 *
+	 * @since 2.8.0
+	 */
+	do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] );
+}
 // Default status
 die( '0' );

wp-admin/admin-footer.php

@@ -16,16 +16,64 @@ if ( !defined('ABSPATH') )
 <div class="clear"></div></div><!-- wpcontent -->
 
 <div id="wpfooter">
-<?php do_action( 'in_admin_footer' ); ?>
-<p id="footer-left" class="alignleft"><?php
-echo apply_filters( 'admin_footer_text', '<span id="footer-thankyou">' . __( 'Thank you for creating with <a href="http://wordpress.org/">WordPress</a>.' ) . '</span>' );
-?></p>
-<p id="footer-upgrade" class="alignright"><?php echo apply_filters( 'update_footer', '' ); ?></p>
-<div class="clear"></div>
+	<?php
+	/**
+	 * Fires after the opening tag for the admin footer.
+	 *
+	 * @since 2.5.0
+	 */
+	do_action( 'in_admin_footer' );
+	?>
+	<p id="footer-left" class="alignleft">
+		<?php
+		/**
+		 * Filter the "Thank you" text displayed in the admin footer.
+		 *
+		 * @since 2.8.0
+		 * @param string The content that will be printed.
+		 */
+		echo apply_filters( 'admin_footer_text', '<span id="footer-thankyou">' . __( 'Thank you for creating with <a href="http://wordpress.org/">WordPress</a>.' ) . '</span>' );
+		?>
+	</p>
+	<p id="footer-upgrade" class="alignright">
+		<?php
+		/**
+		 * Filter the version/update text displayed in the admin footer.
+		 *
+		 * @see core_update_footer() WordPress prints the current version and update information,
+		 *	using core_update_footer() at priority 10.
+		 *
+		 * @since 2.3.0
+		 * @param string The content that will be printed.
+		 */
+		echo apply_filters( 'update_footer', '' );
+		?>
+	</p>
+	<div class="clear"></div>
 </div>
 <?php
+/**
+ * Print scripts or data before the default footer scripts.
+ *
+ * @since 1.2.0
+ * @param string The data to print.
+ */
 do_action('admin_footer', '');
+
+/**
+ * Prints any scripts and data queued for the footer.
+ *
+ * @since 2.8.0
+ */
 do_action('admin_print_footer_scripts');
+
+/**
+ * Print scripts or data after the default footer scripts.
+ *
+ * @since 2.8.0
+ *
+ * @param string $GLOBALS['hook_suffix'] The current admin page.
+ */
 do_action("admin_footer-" . $GLOBALS['hook_suffix']);
 
 // get_site_option() won't exist when auto upgrading from <= 2.7

wp-admin/admin-header.php

@@ -8,7 +8,7 @@
 
 @header('Content-Type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset'));
 if ( ! defined( 'WP_ADMIN' ) )
-	require_once( './admin.php' );
+	require_once( dirname( __FILE__ ) . '/admin.php' );
 
 // In case admin-header.php is included in a function.
 global $title, $hook_suffix, $current_screen, $wp_locale, $pagenow, $wp_version,
@@ -22,9 +22,9 @@ get_admin_page_title();
 $title = esc_html( strip_tags( $title ) );
 
 if ( is_network_admin() )
-	$admin_title = __( 'Network Admin' );
+	$admin_title = sprintf( __('Network Admin: %s'), esc_html( $current_site->site_name ) );
 elseif ( is_user_admin() )
-	$admin_title = __( 'Global Dashboard' );
+	$admin_title = sprintf( __('Global Dashboard: %s'), esc_html( $current_site->site_name ) );
 else
 	$admin_title = get_bloginfo( 'name' );
 
@@ -33,6 +33,14 @@ if ( $admin_title == $title )
 else
 	$admin_title = sprintf( __( '%1$s ‹ %2$s — WordPress' ), $title, $admin_title );
 
+/**
+ * Filter the <title> content for an admin page.
+ *
+ * @since 3.1.0
+ *
+ * @param string $admin_title The page title, with extra context added.
+ * @param string $title       The original page title.
+ */
 $admin_title = apply_filters( 'admin_title', $admin_title, $title );
 
 wp_user_settings();
@@ -49,24 +57,67 @@ wp_enqueue_script('utils');
 $admin_body_class = preg_replace('/[^a-z0-9_-]+/i', '-', $hook_suffix);
 ?>
 <script type="text/javascript">
-addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
-	pagenow = '<?php echo $current_screen->id; ?>',
-	typenow = '<?php echo $current_screen->post_type; ?>',
-	adminpage = '<?php echo $admin_body_class; ?>',
-	thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
-	decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+addLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+	pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+	typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+	adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+	thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+	decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
 	isRtl = <?php echo (int) is_rtl(); ?>;
 </script>
 <?php
 
-do_action('admin_enqueue_scripts', $hook_suffix);
-do_action("admin_print_styles-$hook_suffix");
-do_action('admin_print_styles');
-do_action("admin_print_scripts-$hook_suffix");
-do_action('admin_print_scripts');
-do_action("admin_head-$hook_suffix");
-do_action('admin_head');
+/**
+ * Enqueue scripts for all admin pages.
+ *
+ * @since 2.8.0
+ *
+ * @param string $hook_suffix The current admin page.
+ */
+do_action( 'admin_enqueue_scripts', $hook_suffix );
+
+/**
+ * Print styles for a specific admin page based on $hook_suffix.
+ *
+ * @since 2.6.0
+ */
+do_action( "admin_print_styles-$hook_suffix" );
+
+/**
+ * Print styles for all admin pages.
+ *
+ * @since 2.6.0
+ */
+do_action( 'admin_print_styles' );
+
+/**
+ * Print scripts for a specific admin page based on $hook_suffix.
+ *
+ * @since 2.1.0
+ */
+do_action( "admin_print_scripts-$hook_suffix" );
+
+/**
+ * Print scripts for all admin pages.
+ *
+ * @since 2.1.0
+ */
+do_action( 'admin_print_scripts' );
+
+/**
+ * Fires in <head> for a specific admin page based on $hook_suffix.
+ *
+ * @since 2.1.0
+ */
+do_action( "admin_head-$hook_suffix" );
+
+/**
+ * Fires in <head> for all admin pages.
+ *
+ * @since 2.1.0
+ */
+do_action( 'admin_head' );
 
 if ( get_user_setting('mfold') == 'f' )
 	$admin_body_class .= ' folded';
@@ -80,6 +131,12 @@ if ( is_admin_bar_showing() )
 if ( is_rtl() )
 	$admin_body_class .= ' rtl';
 
+if ( $current_screen->post_type )
+	$admin_body_class .= ' post-type-' . $current_screen->post_type;
+
+if ( $current_screen->taxonomy )
+	$admin_body_class .= ' taxonomy-' . $current_screen->taxonomy;
+
 $admin_body_class .= ' branch-' . str_replace( array( '.', ',' ), '-', floatval( $wp_version ) );
 $admin_body_class .= ' version-' . str_replace( '.', '-', preg_replace( '/^([.0-9]+).*/', '$1', $wp_version ) );
 $admin_body_class .= ' admin-color-' . sanitize_html_class( get_user_option( 'admin_color' ), 'fresh' );
@@ -92,15 +149,27 @@ $admin_body_class .= ' no-customize-support';
 
 ?>
 </head>
+<?php
+/**
+ * Filter the admin <body> CSS classes.
+ *
+ * This filter differs from the post_class or body_class filters in two important ways:
+ * 1. $classes is a space-separated string of class names instead of an array.
+ * 2. Not all core admin classes are filterable, notably: wp-admin, wp-core-ui, and no-js cannot be removed.
+ *
+ * @since 2.3.0
+ *
+ * @param string $classes Space-separated string of CSS classes.
+ */
+?>
 <body class="wp-admin wp-core-ui no-js <?php echo apply_filters( 'admin_body_class', '' ) . " $admin_body_class"; ?>">
 <script type="text/javascript">
 	document.body.className = document.body.className.replace('no-js','js');
 </script>
 
 <?php
-// If the customize-loader script is enqueued, make sure the customize
-// body classes are correct as early as possible.
-if ( wp_script_is( 'customize-loader', 'queue' ) && current_user_can( 'edit_theme_options' ) )
+// Make sure the customize body classes are correct as early as possible.
+if ( current_user_can( 'edit_theme_options' ) )
 	wp_customize_support_script();
 ?>
 
@@ -110,7 +179,12 @@ if ( wp_script_is( 'customize-loader', 'queue' ) && current_user_can( 'edit_them
 <div id="wpcontent">
 
 <?php
-do_action('in_admin_header');
+/**
+ * Fires at the beginning of the content section in an admin page.
+ *
+ * @since 3.0.0
+ */
+do_action( 'in_admin_header' );
 ?>
 
 <div id="wpbody">
@@ -126,14 +200,35 @@ $current_screen->set_parentage( $parent_file );
 
 $current_screen->render_screen_meta();
 
-if ( is_network_admin() )
-	do_action('network_admin_notices');
-elseif ( is_user_admin() )
-	do_action('user_admin_notices');
-else
-	do_action('admin_notices');
+if ( is_network_admin() ) {
+	/**
+	 * Print network admin screen notices.
+	 *
+	 * @since 3.1.0
+	 */
+	do_action( 'network_admin_notices' );
+} elseif ( is_user_admin() ) {
+	/**
+	 * Print user admin screen notices.
+	 *
+	 * @since 3.1.0
+	 */
+	do_action( 'user_admin_notices' );
+} else {
+	/**
+	 * Print admin screen notices.
+	 *
+	 * @since 3.1.0
+	 */
+	do_action( 'admin_notices' );
+}
 
-do_action('all_admin_notices');
+/**
+ * Print generic admin screen notices.
+ *
+ * @since 3.1.0
+ */
+do_action( 'all_admin_notices' );
 
 if ( $parent_file == 'options-general.php' )
 	require(ABSPATH . 'wp-admin/options-head.php');

wp-admin/admin-post.php

@@ -1,6 +1,8 @@
 <?php
 /**
- * WordPress Administration Generic POST Handler.
+ * WordPress Generic Request (POST/GET) Handler
+ *
+ * Intended for form submission handling in themes and plugins.
  *
  * @package WordPress
  * @subpackage Administration
@@ -12,13 +14,17 @@ define('WP_ADMIN', true);
 if ( defined('ABSPATH') )
 	require_once(ABSPATH . 'wp-load.php');
 else
-	require_once('../wp-load.php');
+	require_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' );
+
+/** Allow for cross-domain requests (from the frontend). */
+send_origin_headers();
 
 require_once(ABSPATH . 'wp-admin/includes/admin.php');
 
 nocache_headers();
 
-do_action('admin_init');
+/** This action is documented in wp-admin/admin.php */
+do_action( 'admin_init' );
 
 $action = 'admin_post';
 
@@ -28,4 +34,12 @@ if ( !wp_validate_auth_cookie() )
 if ( !empty($_REQUEST['action']) )
 	$action .= '_' . $_REQUEST['action'];
 
-do_action($action);
+/**
+ * Fires the requested handler action.
+ *
+ * admin_post_nopriv_{$_REQUEST['action']} is called for not-logged-in users.
+ * admin_post_{$_REQUEST['action']} is called for logged-in users.
+ *
+ * @since 2.6.0
+ */
+do_action( $action );

wp-admin/admin.php

@@ -36,27 +36,43 @@ if ( get_option('db_upgraded') ) {
 	update_option( 'db_upgraded',  false );
 
 	/**
-	 * Runs on the next page load after successful upgrade
+	 * Fires on the next page load after a successful DB upgrade.
 	 *
-	 * @since 2.8
+	 * @since 2.8.0
 	 */
-	do_action('after_db_upgrade');
+	do_action( 'after_db_upgrade' );
 } elseif ( get_option('db_version') != $wp_db_version && empty($_POST) ) {
 	if ( !is_multisite() ) {
-		wp_redirect(admin_url('upgrade.php?_wp_http_referer=' . urlencode(stripslashes($_SERVER['REQUEST_URI']))));
+		wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
 		exit;
+
+	/**
+	 * Filter whether to attempt to perform the multisite DB upgrade routine.
+	 *
+	 * In single site, the user would be redirected to wp-admin/upgrade.php.
+	 * In multisite, it is automatically fired, but only when this filter
+	 * returns true.
+	 *
+	 * If the network is 50 sites or less, it will run every time. Otherwise,
+	 * it will throttle itself to reduce load.
+	 *
+	 * @since 3.0.0
+	 *
+	 * @param bool true Whether to perform the Multisite upgrade routine. Default true.
+	 */
 	} elseif ( apply_filters( 'do_mu_upgrade', true ) ) {
-		/**
-		 * On really small MU installs run the upgrader every time,
-		 * else run it less often to reduce load.
-		 *
-		 * @since 2.8.4b
-		 */
 		$c = get_blog_count();
 		// If 50 or fewer sites, run every time. Else, run "about ten percent" of the time. Shh, don't check that math.
 		if ( $c <= 50 || ( $c > 50 && mt_rand( 0, (int)( $c / 50 ) ) == 1 ) ) {
 			require_once( ABSPATH . WPINC . '/http.php' );
 			$response = wp_remote_get( admin_url( 'upgrade.php?step=1' ), array( 'timeout' => 120, 'httpversion' => '1.1' ) );
+			/**
+			 * Fires after the multisite DB upgrade is complete.
+			 *
+			 * @since 3.0.0
+			 *
+			 * @param array|WP_Error $response The upgrade response array or WP_Error on failure.
+			 */
 			do_action( 'after_mu_upgrade', $response );
 			unset($response);
 		}
@@ -77,14 +93,12 @@ set_screen_options();
 $date_format = get_option('date_format');
 $time_format = get_option('time_format');
 
-wp_reset_vars(array('profile', 'redirect', 'redirect_url', 'a', 'text', 'trackback', 'pingback'));
-
 wp_enqueue_script( 'common' );
 
 $editing = false;
 
 if ( isset($_GET['page']) ) {
-	$plugin_page = stripslashes($_GET['page']);
+	$plugin_page = wp_unslash( $_GET['page'] );
 	$plugin_page = plugin_basename($plugin_page);
 }
 
@@ -105,10 +119,35 @@ elseif ( WP_USER_ADMIN )
 else
 	require(ABSPATH . 'wp-admin/menu.php');
 
-if ( current_user_can( 'manage_options' ) )
+if ( current_user_can( 'manage_options' ) ) {
+	/**
+	 * Filter the maximum memory limit available for administration screens.
+	 *
+	 * This only applies to administrators, who may require more memory for tasks like updates.
+	 * Memory limits when processing images (uploaded or edited by users of any role) are
+	 * handled separately.
+	 *
+	 * The WP_MAX_MEMORY_LIMIT constant specifically defines the maximum memory limit available
+	 * when in the administration back-end. The default is 256M, or 256 megabytes of memory.
+	 *
+	 * @since 3.0.0
+	 *
+	 * @param string 'WP_MAX_MEMORY_LIMIT' The maximum WordPress memory limit. Default 256M.
+	 */
 	@ini_set( 'memory_limit', apply_filters( 'admin_memory_limit', WP_MAX_MEMORY_LIMIT ) );
+}
 
-do_action('admin_init');
+/**
+ * Fires as an admin screen or script is being initialized.
+ *
+ * Note, this does not just run on user-facing admin screens.
+ * It runs on admin-ajax.php and admin-post.php as well.
+ *
+ * This is roughly analgous to the more general 'init' hook, which fires earlier.
+ *
+ * @since 2.5.0
+ */
+do_action( 'admin_init' );
 
 if ( isset($plugin_page) ) {
 	if ( !empty($typenow) )
@@ -144,11 +183,38 @@ set_current_screen();
 // Handle plugin admin pages.
 if ( isset($plugin_page) ) {
 	if ( $page_hook ) {
-		do_action('load-' . $page_hook);
+		/**
+		 * Fires before a particular screen is loaded.
+		 *
+		 * The load-* hook fires in a number of contexts. This hook is for plugin screens
+		 * where a callback is provided when the screen is registered.
+		 *
+		 * The dynamic portion of the hook name, $page_hook, refers to a mixture of plugin
+		 * page information including:
+		 * 1. The page type. If the plugin page is registered as a submenu page, such as for
+		 *    Settings, the page type would be 'settings'. Otherwise the type is 'toplevel'.
+		 * 2. A separator of '_page_'.
+		 * 3. The plugin basename minus the file extension.
+		 *
+		 * Together, the three parts form the $page_hook. Citing the example above,
+		 * the hook name used would be 'load-settings_page_pluginbasename'.
+		 *
+		 * @see get_plugin_page_hook()
+		 *
+		 * @since 2.1.0
+		 */
+		do_action( 'load-' . $page_hook );
 		if (! isset($_GET['noheader']))
 			require_once(ABSPATH . 'wp-admin/admin-header.php');
 
-		do_action($page_hook);
+		/**
+		 * Used to call the registered callback for a plugin screen.
+		 *
+		 * @access private
+		 *
+		 * @since 1.5.0
+		 */
+		do_action( $page_hook );
 	} else {
 		if ( validate_file($plugin_page) )
 			wp_die(__('Invalid plugin page'));
@@ -156,7 +222,19 @@ if ( isset($plugin_page) ) {
 		if ( !( file_exists(WP_PLUGIN_DIR . "/$plugin_page") && is_file(WP_PLUGIN_DIR . "/$plugin_page") ) && !( file_exists(WPMU_PLUGIN_DIR . "/$plugin_page") && is_file(WPMU_PLUGIN_DIR . "/$plugin_page") ) )
 			wp_die(sprintf(__('Cannot load %s.'), htmlentities($plugin_page)));
 
-		do_action('load-' . $plugin_page);
+		/**
+		 * Fires before a particular screen is loaded.
+		 *
+		 * The load-* hook fires in a number of contexts. This hook is for plugin screens
+		 * where the file to load is directly included, rather than the use of a function.
+		 *
+		 * The dynamic portion of the hook name, $plugin_page, refers to the plugin basename.
+		 *
+		 * @see plugin_basename()
+		 *
+		 * @since 1.5.0
+		 */
+		do_action( 'load-' . $plugin_page );
 
 		if ( !isset($_GET['noheader']))
 			require_once(ABSPATH . 'wp-admin/admin-header.php');
@@ -187,6 +265,13 @@ if ( isset($plugin_page) ) {
 		exit;
 	}
 
+	/**
+	 * Fires before an importer screen is loaded.
+	 *
+	 * The dynamic portion of the hook name, $importer, refers to the importer slug.
+	 *
+	 * @since 3.5.0
+	 */
 	do_action( 'load-importer-' . $importer );
 
 	$parent_file = 'tools.php';
@@ -200,6 +285,16 @@ if ( isset($plugin_page) ) {
 
 	define('WP_IMPORTING', true);
 
+	/**
+	 * Whether to filter imported data through kses on import.
+	 *
+	 * Multisite uses this hook to filter all data through kses by default,
+	 * as a super administrator may be assisting an untrusted user.
+	 *
+	 * @since 3.1.0
+	 *
+	 * @param bool false Whether to force data to be filtered through kses. Default false.
+	 */
 	if ( apply_filters( 'force_filtered_html_on_import', false ) )
 		kses_init_filters();  // Always filter imported data with kses on multisite.
 
@@ -212,7 +307,18 @@ if ( isset($plugin_page) ) {
 
 	exit();
 } else {
-	do_action("load-$pagenow");
+	/**
+	 * Fires before a particular screen is loaded.
+	 *
+	 * The load-* hook fires in a number of contexts. This hook is for core screens.
+	 *
+	 * The dynamic portion of the hook name, $pagenow, is a global variable
+	 * referring to the filename of the current page, such as 'admin.php',
+	 * 'post-new.php' etc. A complete hook for the latter would be 'load-post-new.php'.
+	 *
+	 * @since 2.1.0
+	 */
+	do_action( 'load-' . $pagenow );
 	// Backwards compatibility with old load-page-new.php, load-page.php,
 	// and load-categories.php actions.
 	if ( $typenow == 'page' ) {
@@ -228,5 +334,14 @@ if ( isset($plugin_page) ) {
 	}
 }
 
-if ( !empty($_REQUEST['action']) )
-	do_action('admin_action_' . $_REQUEST['action']);
+if ( ! empty( $_REQUEST['action'] ) ) {
+	/**
+	 * Fires when an 'action' request variable is sent.
+	 *
+	 * The dynamic portion of the hook name, $_REQUEST['action'],
+	 * refers to the action derived from the GET or POST request.
+	 *
+	 * @since 2.6.0
+	 */
+	do_action( 'admin_action_' . $_REQUEST['action'] );
+}

wp-admin/async-upload.php

@@ -11,7 +11,7 @@ define('WP_ADMIN', true);
 if ( defined('ABSPATH') )
 	require_once(ABSPATH . 'wp-load.php');
 else
-	require_once('../wp-load.php');
+	require_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' );
 
 if ( ! ( isset( $_REQUEST['action'] ) && 'upload-attachment' == $_REQUEST['action'] ) ) {
 	// Flash often fails to send cookies with the POST or upload, so we need to pass it in GET or POST instead
@@ -24,7 +24,7 @@ if ( ! ( isset( $_REQUEST['action'] ) && 'upload-attachment' == $_REQUEST['actio
 	unset($current_user);
 }
 
-require_once('./admin.php');
+require_once( ABSPATH . 'wp-admin/admin.php' );
 
 if ( !current_user_can('upload_files') )
 	wp_die(__('You do not have permission to upload files.'));
@@ -47,8 +47,7 @@ if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id
 	$post = get_post( $id );
 	if ( 'attachment' != $post->post_type )
 		wp_die( __( 'Unknown post type.' ) );
-	$post_type_object = get_post_type_object( 'attachment' );
-	if ( ! current_user_can( $post_type_object->cap->edit_post, $id ) )
+	if ( ! current_user_can( 'edit_post', $id ) )
 		wp_die( __( 'You are not allowed to edit this item.' ) );
 
 	switch ( $_REQUEST['fetch'] ) {
@@ -57,7 +56,7 @@ if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id
 				echo '<img class="pinkynail" src="' . esc_url( $thumb_url[0] ) . '" alt="" />';
 			echo '<a class="edit-attachment" href="' . esc_url( get_edit_post_link( $id ) ) . '" target="_blank">' . _x( 'Edit', 'media item' ) . '</a>';
 			$title = $post->post_title ? $post->post_title : wp_basename( $post->guid ); // title shouldn't ever be empty, but use filename just in cas.e
-			echo '<div class="filename new"><span class="title">' . esc_html( wp_html_excerpt( $title, 60 ) ) . '</span></div>';
+			echo '<div class="filename new"><span class="title">' . esc_html( wp_html_excerpt( $title, 60, '&hellip;' ) ) . '</span></div>';
 			break;
 		case 2 :
 			add_filter('attachment_fields_to_edit', 'media_single_attachment_fields_to_edit', 10, 2);

wp-admin/comment.php

@@ -7,7 +7,7 @@
  */
 
 /** Load WordPress Bootstrap */
-require_once('./admin.php');
+require_once( dirname( __FILE__ ) . '/admin.php' );
 
 $parent_file = 'edit-comments.php';
 $submenu_file = 'edit-comments.php';
@@ -36,7 +36,7 @@ if ( isset( $_GET['dt'] ) ) {
  */
 function comment_footer_die( $msg ) {
 	echo "<div class='wrap'><p>$msg</p></div>";
-	include('./admin-footer.php');
+	include( ABSPATH . 'wp-admin/admin-footer.php' );
 	die;
 }
 
@@ -60,7 +60,7 @@ case 'editcomment' :
 	);
 
 	wp_enqueue_script('comment');
-	require_once('./admin-header.php');
+	require_once( ABSPATH . 'wp-admin/admin-header.php' );
 
 	$comment_id = absint( $_GET['c'] );
 
@@ -75,7 +75,7 @@ case 'editcomment' :
 
 	$comment = get_comment_to_edit( $comment_id );
 
-	include('./edit-form-comment.php');
+	include( ABSPATH . 'wp-admin/edit-form-comment.php' );
 
 	break;
 
@@ -104,7 +104,7 @@ case 'spam'    :
 		die();
  	}
 
-	require_once('./admin-header.php');
+	require_once( ABSPATH . 'wp-admin/admin-header.php' );
 
 	$formaction    = $action . 'comment';
 	$nonce_action  = 'approve' == $action ? 'approve-comment_' : 'delete-comment_';
@@ -279,6 +279,15 @@ case 'editedcomment' :
 	edit_comment();
 
 	$location = ( empty( $_POST['referredby'] ) ? "edit-comments.php?p=$comment_post_id" : $_POST['referredby'] ) . '#comment-' . $comment_id;
+
+	/**
+	 * Filter the URI the user is redirected to after editing a comment in the admin.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @param string $location The URI the user will be redirected to.
+	 * @param int $comment_id The ID of the comment being edited.
+	 */
 	$location = apply_filters( 'comment_edit_redirect', $location, $comment_id );
 	wp_redirect( $location );
 
@@ -291,4 +300,4 @@ default:
 
 } // end switch
 
-include('./admin-footer.php');
+include( ABSPATH . 'wp-admin/admin-footer.php' );

wp-admin/credits.php

@@ -7,10 +7,19 @@
  */
 
 /** WordPress Administration Bootstrap */
-require_once( './admin.php' );
+require_once( dirname( __FILE__ ) . '/admin.php' );
 
 $title = __( 'Credits' );
 
+/**
+ * Retrieve the contributor credits.
+ *
+ * @global string $wp_version The current WordPress version.
+ *
+ * @since 3.2.0
+ *
+ * @return array A list of all of the contributors.
+*/
 function wp_credits() {
 	global $wp_version;
 	$locale = get_locale();
@@ -20,12 +29,12 @@ function wp_credits() {
 	if ( ! is_array( $results )
 		|| ( isset( $results['data']['version'] ) && strpos( $wp_version, $results['data']['version'] ) !== 0 )
 	) {
-		$response = wp_remote_get( "http://api.wordpress.org/core/credits/1.0/?version=$wp_version&locale=$locale" );
+		$response = wp_remote_get( "http://api.wordpress.org/core/credits/1.1/?version=$wp_version&locale=$locale" );
 
 		if ( is_wp_error( $response ) || 200 != wp_remote_retrieve_response_code( $response ) )
 			return false;
 
-		$results = maybe_unserialize( wp_remote_retrieve_body( $response ) );
+		$results = json_decode( wp_remote_retrieve_body( $response ), true );
 
 		if ( ! is_array( $results ) )
 			return false;
@@ -36,10 +45,30 @@ function wp_credits() {
 	return $results;
 }
 
+/**
+ * Retrieve the link to a contributor's WordPress.org profile page.
+ *
+ * @access private
+ * @since 3.2.0
+ *
+ * @param string &$display_name The contributor's display name, passed by reference.
+ * @param string $user_name     The contributor's username.
+ * @param string $profiles      URL to the contributor's WordPress.org profile page.
+ * @return string A contributor's display name, hyperlinked to a WordPress.org profile page.
+ */
 function _wp_credits_add_profile_link( &$display_name, $username, $profiles ) {
 	$display_name = '<a href="' . esc_url( sprintf( $profiles, $username ) ) . '">' . esc_html( $display_name ) . '</a>';
 }
 
+/**
+ * Retrieve the link to an external library used in WordPress.
+ *
+ * @access private
+ * @since 3.2.0
+ *
+ * @param string &$data External library data, passed by reference.
+ * @return string Link to the external library.
+ */
 function _wp_credits_build_object_link( &$data ) {
 	$data = '<a href="' . esc_url( $data[1] ) . '">' . $data[0] . '</a>';
 }
@@ -52,7 +81,7 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 
 <h1><?php printf( __( 'Welcome to WordPress %s' ), $display_version ); ?></h1>
 
-<div class="about-text"><?php printf( __( 'Thank you for updating to the latest version! WordPress %s is more polished and enjoyable than ever before. We hope you like it.' ), $display_version ); ?></div>
+<div class="about-text"><?php echo str_replace( '3.7', $display_version, __( 'Thank you for updating to WordPress 3.7! You might not notice a thing, and we&#8217;re okay with that.' ) ); ?></div>
 
 <div class="wp-badge"><?php printf( __( 'Version %s' ), $display_version ); ?></div>
 

wp-admin/css/color-picker.min.css

@@ -1 +1 @@
-.wp-color-picker{width:80px}.wp-picker-container .hidden{display:none}.wp-color-result{background-color:#f9f9f9;border:1px solid #bbb;border-radius:2px;cursor:pointer;display:inline-block;height:22px;margin:0 6px 6px 0;position:relative;top:1px;user-select:none;-moz-user-select:none;-ms-user-select:none;-webkit-user-select:none;vertical-align:bottom;display:inline-block;padding-left:30px}.wp-color-result:after{background:#f3f3f3;background-image:-webkit-gradient(linear,left top,left bottom,from(#fefefe),to(#f4f4f4));background-image:-webkit-linear-gradient(top,#fefefe,#f4f4f4);background-image:-moz-linear-gradient(top,#fefefe,#f4f4f4);background-image:-o-linear-gradient(top,#fefefe,#f4f4f4);background-image:linear-gradient(to bottom,#fefefe,#f4f4f4);color:#333;text-shadow:0 1px 0 #fff;border-radius:0 1px 1px 0;border-left:1px solid #bbb;content:attr(title);display:block;font-size:11px;line-height:22px;padding:0 6px;position:relative;right:0;text-align:center;top:0}.wp-color-result:hover{border-color:#aaa;-webkit-box-shadow:0 1px 2px rgba(0,0,0,0.2);box-shadow:0 1px 1px rgba(0,0,0,0.1)}.wp-color-result:hover:after{color:#222;border-color:#aaa;border-left:1px solid #999}.wp-color-result.wp-picker-open{top:0}.wp-color-result.wp-picker-open:after{content:attr(data-current)}.wp-picker-container,.wp-picker-container:active{display:inline-block;outline:0}.wp-color-result:focus{border-color:#888;-webkit-box-shadow:0 1px 2px rgba(0,0,0,0.2);box-shadow:0 1px 2px rgba(0,0,0,0.2)}.wp-color-result:focus:after{border-color:#888}.wp-picker-open+.wp-picker-input-wrap{display:inline-block;vertical-align:top}.wp-picker-container .button{margin-left:6px}.wp-picker-container .iris-square-slider .ui-slider-handle:focus{background-color:#555}.wp-picker-container .iris-picker{border-color:#dfdfdf;margin-top:6px}input[type="text"].iris-error{background-color:#ffebe8;border-color:#c00;color:#000}
+.wp-color-picker{width:80px}.wp-picker-container .hidden{display:none}.wp-color-result{background-color:#f9f9f9;border:1px solid #bbb;border-radius:2px;cursor:pointer;display:inline-block;height:22px;margin:0 6px 6px 0;position:relative;top:1px;user-select:none;-moz-user-select:none;-ms-user-select:none;-webkit-user-select:none;vertical-align:bottom;display:inline-block;padding-left:30px}.wp-color-result:after{background:#f3f3f3;background-image:-webkit-gradient(linear,left top,left bottom,from(#fefefe),to(#f4f4f4));background-image:-webkit-linear-gradient(top,#fefefe,#f4f4f4);background-image:-moz-linear-gradient(top,#fefefe,#f4f4f4);background-image:-o-linear-gradient(top,#fefefe,#f4f4f4);background-image:linear-gradient(to bottom,#fefefe,#f4f4f4);color:#333;text-shadow:0 1px 0 #fff;border-radius:0 1px 1px 0;border-left:1px solid #bbb;content:attr(title);display:block;font-size:11px;line-height:22px;padding:0 6px;position:relative;right:0;text-align:center;top:0}.wp-color-result:hover{border-color:#aaa;-webkit-box-shadow:0 1px 2px rgba(0,0,0,.2);box-shadow:0 1px 1px rgba(0,0,0,.1)}.wp-color-result:hover:after{color:#222;border-color:#aaa;border-left:1px solid #999}.wp-color-result.wp-picker-open{top:0}.wp-color-result.wp-picker-open:after{content:attr(data-current)}.wp-picker-container,.wp-picker-container:active{display:inline-block;outline:0}.wp-color-result:focus{border-color:#888;-webkit-box-shadow:0 1px 2px rgba(0,0,0,.2);box-shadow:0 1px 2px rgba(0,0,0,.2)}.wp-color-result:focus:after{border-color:#888}.wp-picker-open+.wp-picker-input-wrap{display:inline-block;vertical-align:top}.wp-picker-container .button{margin-left:6px}.wp-picker-container .iris-square-slider .ui-slider-handle:focus{background-color:#555}.wp-picker-container .iris-picker{border-color:#dfdfdf;margin-top:6px}input[type=text].iris-error{background-color:#ffebe8;border-color:#c00;color:#000}

wp-admin/css/colors-classic.css

@@ -83,7 +83,7 @@ div.dashboard-widget,
 	background-color: #f1f1f1;
 }
 
-.widefat {
+table.widefat {
 	border-color: #d1e5ee;
 	background-color: #fff;
 }
@@ -164,6 +164,7 @@ textarea.disabled {
 	color: #fff;
 }
 
+.revisions-meta,
 .widget .widget-top,
 .postbox h3,
 .stuffbox h3,
@@ -1457,25 +1458,81 @@ div.wp-menu-image {
 
 /* end screen icons */
 
+/* Post format icons */
+
+.post-format-icon {
+	background: url(../images/post-formats-vs.png) no-repeat;
+}
+
 /* Diff */
 table.diff .diff-deletedline {
-	background-color: #fdd;
+	background-color: #ffe9e9;
 }
 
 table.diff .diff-deletedline del {
-	background-color: #f99;
+	background-color: #faa;
 }
 
 table.diff .diff-addedline {
-	background-color: #dfd;
+	background-color: #e9ffe9;
 }
 
 table.diff .diff-addedline ins {
-	background-color: #9f9;
+	background-color: #afa;
 }
 
-#att-info {
-	background-color: #e4f2fd;
+.revisions-meta {
+	border: 1px solid #d1e5ee;
+}
+
+.revisions-controls {
+	background: #fff;
+	background: -webkit-gradient(linear, left bottom, left top, color-stop(0%,rgba(255,255,255,1)), color-stop(30px,rgba(255,255,255,1)), color-stop(100%,rgba(255,255,255,1)));
+	background: -webkit-linear-gradient(bottom, rgba(255,255,255,0) 0%, rgba(255,255,255,1) 30px, rgba(255,255,255,1) 100%);
+	background:    -moz-linear-gradient(bottom, rgba(255,255,255,0) 0%,rgba(255,255,255,1) 30px, rgba(255,255,255,1) 100%);
+	background:      -o-linear-gradient(bottom, rgba(255,255,255,0) 0%, rgba(255,255,255,1) 30px, rgba(255,255,255,1) 100%);
+	background: linear-gradient(to top, rgba(255,255,255,0) 0%, rgba(255,255,255,1) 30px, rgba(255,255,255,1) 100%);
+}
+
+.revisions-tooltip,
+.revisions-tooltip-arrow span {
+	border-color: #d1e5ee;
+	background-color: #fff;
+}
+
+.revisions-tickmarks > div {
+	border-color: #d1e5ee;
+}
+
+/* jQuery UI Slider */
+.wp-slider.ui-slider {
+	border-color: #d1e5ee;
+}
+
+.wp-slider .ui-slider-handle {
+	color: #333;
+	border-color: none;
+}
+
+.wp-slider .ui-slider-handle {
+	border-color: #d0dfe9;
+	background: #eff8ff;
+	background-image: -webkit-gradient(linear, left bottom, left top, from(#eff8ff), to(#fff));
+	background-image: -webkit-linear-gradient(bottom, #eff8ff, #fff);
+	background-image:    -moz-linear-gradient(bottom, #eff8ff, #fff);
+	background-image:      -o-linear-gradient(bottom, #eff8ff, #fff);
+	background-image: linear-gradient(to top, #eff8ff, #fff);
+}
+
+.wp-slider .ui-slider-handle:hover,
+.wp-slider .ui-slider-handle:focus {
+	border-color: #a0c3d5;
+}
+
+.wp-slider .ui-slider-handle.ui-state-hover,
+.wp-slider .ui-slider-handle.ui-state-focus {
+	border-color: #a0c3d5;
+	outline: none;
 }
 
 /* edit image */
@@ -1535,11 +1592,6 @@ table.diff .diff-addedline ins {
 	border-color: #ddd;
 }
 
-.inline-editor .categories .catshow,
-.inline-editor .categories .cathide {
-	color: #21759b;
-}
-
 .inline-editor .quick-edit-save {
 	background-color: #f1f1f1;
 }
@@ -1948,13 +2000,6 @@ h2.nav-tab-wrapper, h3.nav-tab-wrapper {
 	color: #464646;
 }
 
-.about-wrap .feature-section img {
-	background: #fff;
-	border: 1px #ccc solid;
-	-webkit-box-shadow: 0 1px 3px rgba( 0, 0, 0, 0.3 );
-	box-shadow:         0 1px 3px rgba( 0, 0, 0, 0.3 );
-}
-
 .about-wrap h4.wp-people-group {
 	text-shadow: 1px 1px 1px #fff;
 }
@@ -2198,4 +2243,10 @@ h2.nav-tab-wrapper, h3.nav-tab-wrapper {
 		background-size: 16px auto;
 	}
 
+	/* 16px post formats */
+	.post-format-icon {
+		background-image: url(../images/post-formats32-vs.png);
+		background-size: 16px 304px;
+	}
+
 }

wp-admin/css/colors-fresh.css

@@ -83,13 +83,10 @@ div.dashboard-widget,
 	background-color: #f1f1f1;
 }
 
-.widefat {
+table.widefat {
 	border-color: #dfdfdf;
 	background-color: #f9f9f9;
 }
-textarea.widefat {
-	background-color: #fff;
-}
 
 div.dashboard-widget-error {
 	background-color: #c43;
@@ -167,6 +164,7 @@ textarea.disabled {
 	color: #fff;
 }
 
+.revisions-meta,
 .widget .widget-top,
 .postbox h3,
 .stuffbox h3,
@@ -187,6 +185,8 @@ h3.dashboard-widget-title small,
 	background-image: linear-gradient(to top, #ececec, #f9f9f9);
 }
 
+
+
 .widget .widget-top,
 .postbox h3,
 .stuffbox h3 {
@@ -412,7 +412,8 @@ div.dashboard-widget-submit input:hover,
 
 .submitbox .submitdelete:hover,
 #media-items a.delete:hover,
-#media-items a.delete-permanently:hover {
+#media-items a.delete-permanently:hover,
+#nav-menu-footer .menu-delete:hover {
 	color: #fff;
 	background-color: #f00;
 	border-bottom-color: #f00;
@@ -1351,25 +1352,78 @@ div.wp-menu-image {
 
 /* end screen icons */
 
+/* Post format icons */
+
+.post-format-icon {
+	background: url(../images/post-formats.png) no-repeat;
+}
+
 /* Diff */
 table.diff .diff-deletedline {
-	background-color: #fdd;
+	background-color: #ffe9e9;
 }
 
 table.diff .diff-deletedline del {
-	background-color: #f99;
+	background-color: #faa;
 }
 
 table.diff .diff-addedline {
-	background-color: #dfd;
+	background-color: #e9ffe9;
 }
 
 table.diff .diff-addedline ins {
-	background-color: #9f9;
+	background-color: #afa;
 }
 
-#att-info {
-	background-color: #e4f2Fd;
+.revisions-meta {
+	border: 1px solid #dfdfdf;
+}
+
+.revisions-controls {
+	background: #fff;
+	background: -webkit-gradient(linear, left bottom, left top, color-stop(0%,rgba(255,255,255,1)), color-stop(30px,rgba(255,255,255,1)), color-stop(100%,rgba(255,255,255,1)));
+	background: -webkit-linear-gradient(bottom, rgba(255,255,255,0) 0%, rgba(255,255,255,1) 30px, rgba(255,255,255,1) 100%);
+	background:    -moz-linear-gradient(bottom, rgba(255,255,255,0) 0%,rgba(255,255,255,1) 30px, rgba(255,255,255,1) 100%);
+	background:      -o-linear-gradient(bottom, rgba(255,255,255,0) 0%, rgba(255,255,255,1) 30px, rgba(255,255,255,1) 100%);
+	background: linear-gradient(to top, rgba(255,255,255,0) 0%, rgba(255,255,255,1) 30px, rgba(255,255,255,1) 100%);
+}
+
+.revisions-tooltip,
+.revisions-tooltip-arrow span {
+	border-color: #d7d7d7;
+	background-color: #fff;
+}
+
+.revisions-tickmarks > div {
+	border-color: #aaa;
+}
+
+/* jQuery UI Slider */
+.wp-slider.ui-slider {
+	border-color: #d7d7d7;
+}
+
+.wp-slider .ui-slider-handle {
+	border-color: #ccc;
+	border-radius: 50%;
+	background: #f4f4f4;
+	background-image: -webkit-gradient(linear, left bottom, left top, from(#dfdfdf), to(#fff));
+	background-image: -webkit-linear-gradient(bottom, #dfdfdf, #fff);
+	background-image:    -moz-linear-gradient(bottom, #dfdfdf, #fff);
+	background-image:      -o-linear-gradient(bottom, #dfdfdf, #fff);
+	background-image: linear-gradient(to top, #dfdfdf, #fff);
+	color: #333;
+}
+
+.wp-slider .ui-slider-handle:hover,
+.wp-slider .ui-slider-handle:focus {
+	border-color: #aaa;
+}
+
+.wp-slider .ui-slider-handle.ui-state-hover,
+.wp-slider .ui-slider-handle.ui-state-focus {
+	border-color: #aaa;
+	outline: none;
 }
 
 /* edit image */
@@ -1429,11 +1483,6 @@ table.diff .diff-addedline ins {
 	border-color: #ddd;
 }
 
-.inline-editor .categories .catshow,
-.inline-editor .categories .cathide {
-	color: #21759b;
-}
-
 .inline-editor .quick-edit-save {
 	background-color: #f1f1f1;
 }
@@ -1749,6 +1798,23 @@ div.widgets-sortables,
 	background: #21759b;
 	color: #fff;
 }
+
+.manage-menus {
+	border: 1px solid #eeeeee;
+	background: #fbfbfb;
+}
+
+.theme-location-set {
+	color: #999999;
+}
+
+.nav-menus-php .delete-action a {
+	color: #bc0b0b;
+}
+
+.is-submenu {
+	color: #999999;
+}
 /* end added from nav-menu.css */
 
 .nav-tab {
@@ -1823,13 +1889,6 @@ h2.nav-tab-wrapper, h3.nav-tab-wrapper {
 	color: #464646;
 }
 
-.about-wrap .feature-section img {
-	background: #fff;
-	border: 1px #ccc solid;
-	-webkit-box-shadow: 0 1px 3px rgba( 0, 0, 0, 0.3 );
-	box-shadow:         0 1px 3px rgba( 0, 0, 0, 0.3 );
-}
-
 .about-wrap h4.wp-people-group {
 	text-shadow: 1px 1px 1px #fff;
 }
@@ -2073,4 +2132,10 @@ h2.nav-tab-wrapper, h3.nav-tab-wrapper {
 		background-size: 16px auto;
 	}
 
+	/* 16px post formats */
+	.post-format-icon {
+		background-image: url(../images/post-formats32.png);
+		background-size: 16px 304px;
+	}
+
 }

wp-admin/css/customize-controls-rtl.css

@@ -1,11 +1,3 @@
-.control-section .customize-section-title {
-	font-family: Tahoma, Arial, sans-serif;
-}
-.customize-section-title:after {
-	right: auto;
-	left: 20px;
-}
-
 #customize-header-actions .button-primary {
 	float: left;
 }
@@ -29,11 +21,11 @@
 /*
  * Dropdowns
  */
-.customize-section .dropdown {
+.accordion-section .dropdown {
 	float: right;
 }
 
-.customize-section .dropdown-content {
+.accordion-section .dropdown-content {
 	float: right;
 	margin-right: 0px;
 	margin-left: 16px;
@@ -65,21 +57,21 @@
 	margin-left: 5px;
 }
 
-.customize-section input[type="text"].color-picker-hex {
-	float: right;
+.accordion-section input[type="text"].color-picker-hex {
+	direction: ltr;
 }
 
 /*
  * Image Picker
  */
-.customize-section .customize-control-image .actions {
+.accordion-section .customize-control-image .actions {
 	text-align: left;
 }
 
 .customize-control-image .library,
 .customize-control-image .actions,
-.customize-section .customize-control-image .library ul,
-.customize-section .customize-control-image .library li,
-.customize-section .customize-control-image .library-content {
+.accordion-section .customize-control-image .library ul,
+.accordion-section .customize-control-image .library li,
+.accordion-section .customize-control-image .library-content {
 	float: right;
 }

wp-admin/css/customize-controls-rtl.min.css

@@ -1 +1 @@
-.control-section .customize-section-title{font-family:Tahoma,Arial,sans-serif}.customize-section-title:after{right:auto;left:20px}#customize-header-actions .button-primary{float:left}#customize-header-actions .spinner{float:left;margin-right:0;margin-left:4px}.customize-control{float:right}.customize-control-radio input,.customize-control-checkbox input{margin-right:0;margin-left:5px}.customize-section .dropdown{float:right}.customize-section .dropdown-content{float:right;margin-right:0;margin-left:16px;-webkit-border-radius:0 3px 3px 0;border-radius:0 3px 3px 0}.customize-control .dropdown-arrow{right:auto;left:0;border-color:#ccc;border-style:solid;border-width:1px 0 1px 1px;-webkit-border-radius:3px 0 0 3px;border-radius:3px 0 0 3px}.customize-control .dropdown-arrow:after{right:auto;left:4px}.customize-control-color .dropdown{margin-right:0;margin-left:5px}.customize-section input[type="text"].color-picker-hex{float:right}.customize-section .customize-control-image .actions{text-align:left}.customize-control-image .library,.customize-control-image .actions,.customize-section .customize-control-image .library ul,.customize-section .customize-control-image .library li,.customize-section .customize-control-image .library-content{float:right}
+#customize-header-actions .button-primary{float:left}#customize-header-actions .spinner{float:left;margin-right:0;margin-left:4px}.customize-control{float:right}.customize-control-checkbox input,.customize-control-radio input{margin-right:0;margin-left:5px}.accordion-section .dropdown{float:right}.accordion-section .dropdown-content{float:right;margin-right:0;margin-left:16px;-webkit-border-radius:0 3px 3px 0;border-radius:0 3px 3px 0}.customize-control .dropdown-arrow{right:auto;left:0;border-color:#ccc;border-style:solid;border-width:1px 0 1px 1px;-webkit-border-radius:3px 0 0 3px;border-radius:3px 0 0 3px}.customize-control .dropdown-arrow:after{right:auto;left:4px}.customize-control-color .dropdown{margin-right:0;margin-left:5px}.accordion-section input[type=text].color-picker-hex{direction:ltr}.accordion-section .customize-control-image .actions{text-align:left}.accordion-section .customize-control-image .library li,.accordion-section .customize-control-image .library ul,.accordion-section .customize-control-image .library-content,.customize-control-image .actions,.customize-control-image .library{float:right}

wp-admin/css/customize-controls.css

@@ -6,124 +6,7 @@ body {
 	text-decoration: none;
 }
 
-.customize-section {
-	border-top: 1px solid #fff;
-	border-bottom: 1px solid #dfdfdf;
-	margin: 0;
-}
-
-.control-section.customize-section:hover,
-.control-section.customize-section.open {
-	border-top-color: #808080;
-}
-
-.control-section.customize-section:hover {
-	border-bottom-color: #6d6d6d;
-}
-
-.customize-section.open:hover {
-	border-bottom-color: #dfdfdf;
-}
-
-.customize-section:last-child {
-	box-shadow: 0 1px 0 0px #fff;
-}
-
-.customize-section-title {
-	margin: 0;
-	padding: 15px 20px;
-	position: relative;
-
-	cursor: pointer;
-
-	-webkit-user-select: none;
-	-moz-user-select: none;
-	user-select: none;
-}
-
-.customize-section-title:focus {
-	outline: none;
-}
-
-.cannot-expand .customize-section-title {
-	cursor: auto;
-}
-
-.customize-section-content {
-	display: none;
-	padding: 10px 20px 15px;
-	overflow: hidden;
-}
-
-.control-section .customize-section-title {
-	padding: 10px 20px;
-	font-size: 15px;
-	font-family: Georgia, "Times New Roman", "Bitstream Charter", Times, serif;
-	font-weight: normal;
-	text-shadow: 0 1px 0 #fff;
-	background: #f5f5f5;
-	background-image: -webkit-gradient(linear, left bottom, left top, from(#eee), to(#f5f5f5));
-	background-image: -webkit-linear-gradient(bottom, #eee, #f5f5f5);
-	background-image:    -moz-linear-gradient(bottom, #eee, #f5f5f5);
-	background-image:      -o-linear-gradient(bottom, #eee, #f5f5f5);
-	background-image: linear-gradient(to top, #eee, #f5f5f5);
-}
-
-.control-section:hover .customize-section-title,
-.control-section .customize-section-title:hover,
-.control-section.open .customize-section-title,
-.control-section .customize-section-title:focus {
-	color: #fff;
-	text-shadow: 0 -1px 0 #333;
-	background: #808080;
-	background-image: -webkit-gradient(linear, left bottom, left top, from(#6d6d6d), to(#808080));
-	background-image: -webkit-linear-gradient(bottom, #6d6d6d, #808080);
-	background-image:    -moz-linear-gradient(bottom, #6d6d6d, #808080);
-	background-image:      -o-linear-gradient(bottom, #6d6d6d, #808080);
-	background-image: linear-gradient(to top, #6d6d6d, #808080);
-}
-
-.control-section.open .customize-section-title {
-	border-bottom: 1px solid #6d6d6d;
-}
-
-.customize-section.open .customize-section-content {
-	display: block;
-	background: #fdfdfd;
-}
-
-.customize-section-title:after {
-	content: '';
-	width: 0;
-	height: 0;
-	border-color: #ccc transparent;
-	border-style: solid;
-	border-width: 6px 6px 0;
-	position: absolute;
-	top: 25px;
-	right: 20px;
-	z-index: 1;
-}
-
-.cannot-expand .customize-section-title:after {
-	display: none;
-}
-
-.customize-section-title:hover:after,
-.customize-section-title:focus:after {
-	border-color: #aaa transparent;
-}
-
-.control-section .customize-section-title:hover:after,
-.control-section .customize-section-title:focus:after {
-	border-color: #eee transparent;
-}
-
-.control-section .customize-section-title:after {
-	top: 15px;
-}
-
-#customize-info .customize-section-content {
+#customize-info .accordion-section-content {
 	background: transparent;
 }
 
@@ -158,7 +41,7 @@ body {
 }
 
 #customize-theme-controls > ul,
-#customize-theme-controls .customize-section-content {
+#customize-theme-controls .accordion-section-content {
 	margin: 0;
 }
 
@@ -238,6 +121,36 @@ body {
 	height: 100%;
 }
 
+#customize-theme-controls .accordion-section-title:hover:after,
+#customize-theme-controls .accordion-section-title:focus:after {
+	border-color: #eee transparent;
+}
+
+#customize-theme-controls .control-section:hover .accordion-section-title,
+#customize-theme-controls .control-section .accordion-section-title:hover,
+#customize-theme-controls .control-section.open .accordion-section-title,
+#customize-theme-controls .control-section .accordion-section-title:focus {
+	color: #fff;
+	text-shadow: 0 -1px 0 #333;
+	background: #808080;
+	background-image: -webkit-gradient(linear, left bottom, left top, from(#6d6d6d), to(#808080));
+	background-image: -webkit-linear-gradient(bottom, #6d6d6d, #808080);
+	background-image:    -moz-linear-gradient(bottom, #6d6d6d, #808080);
+	background-image:      -o-linear-gradient(bottom, #6d6d6d, #808080);
+	background-image: linear-gradient(to top, #6d6d6d, #808080);
+	border-left: 1px solid #808080;
+	border-right: 1px solid #808080;
+}
+
+#customize-theme-controls .control-section.accordion-section:hover,
+#customize-theme-controls .control-section.accordion-section.open {
+	border-top-color: #808080;
+}
+
+#customize-theme-controls .control-section.open .accordion-section-title {
+	border-bottom: 1px solid #6d6d6d;
+}
+
 /*
  * Style for custom settings
  */
@@ -245,7 +158,7 @@ body {
 /*
  * Dropdowns
  */
-.customize-section .dropdown {
+.accordion-section .dropdown {
 	float: left;
 	display: block;
 	position: relative;
@@ -255,7 +168,7 @@ body {
 	border-radius: 3px;
 }
 
-.customize-section .dropdown-content {
+.accordion-section .dropdown-content {
 	overflow: hidden;
 	float: left;
 	min-width: 30px;
@@ -301,12 +214,12 @@ body {
 	z-index: 1;
 }
 
-.customize-section .dropdown:hover .dropdown-content,
+.accordion-section .dropdown:hover .dropdown-content,
 .customize-control .dropdown:hover .dropdown-arrow {
 	border-color: #aaa;
 }
 
-.customize-section .dropdown:hover .dropdown-arrow:after {
+.accordion-section .dropdown:hover .dropdown-arrow:after {
 	border-color: #aaa transparent;
 }
 
@@ -341,7 +254,7 @@ body {
 	border-color: rgba( 0, 0, 0, 0.25 );
 }
 
-.customize-section input[type="text"].color-picker-hex {
+.accordion-section input[type="text"].color-picker-hex {
 	width: 65px;
 	font-family: monospace;
 	text-align: center;
@@ -349,10 +262,10 @@ body {
 }
 
 /* The centered cursor overlaps the placeholder in webkit. Hide it when selected. */
-.customize-section input[type="text"].color-picker-hex:focus::-webkit-input-placeholder {
+.accordion-section input[type="text"].color-picker-hex:focus::-webkit-input-placeholder {
 	color: transparent;
 }
-.customize-section input[type="text"].color-picker-hex:-moz-placeholder {
+.accordion-section input[type="text"].color-picker-hex:-moz-placeholder {
 	color: #999;
 }
 
@@ -371,18 +284,18 @@ body {
 	display: block;
 }
 
-.customize-section .customize-control-image .dropdown-content {
+.accordion-section .customize-control-image .dropdown-content {
 	height: auto;
 	min-height: 24px;
 	min-width: 40px;
 	padding: 0;
 }
 
-.customize-section .customize-control-image .dropdown-status {
+.accordion-section .customize-control-image .dropdown-status {
 	padding: 4px 5px;
 }
 
-.customize-section .customize-control-image .preview-thumbnail img {
+.accordion-section .customize-control-image .preview-thumbnail img {
 	display: block;
 	width: 100%;
 	max-width: 122px;
@@ -390,18 +303,18 @@ body {
 	margin: 0 auto;
 }
 
-.customize-section .customize-control-image .actions {
+.accordion-section .customize-control-image .actions {
 	text-align: right;
 }
 
-.customize-section .customize-control-image .library ul {
+.accordion-section .customize-control-image .library ul {
 	border-bottom: 1px solid #dfdfdf;
 	float: left;
 	width: 100%;
 	margin: 10px 0 0;
 }
 
-.customize-section .customize-control-image .library li {
+.accordion-section .customize-control-image .library li {
 	color: #999;
 	float: left;
 	padding: 3px 5px;
@@ -411,7 +324,7 @@ body {
 	border-width: 1px 1px 0 1px;
 }
 
-.customize-section .customize-control-image .library li.library-selected {
+.accordion-section .customize-control-image .library li.library-selected {
 	margin-bottom: -1px;
 	padding-bottom: 4px;
 
@@ -422,27 +335,27 @@ body {
 	border-radius: 3px 3px 0 0 ;
 }
 
-.customize-section .customize-control-image .library-content {
+.accordion-section .customize-control-image .library-content {
 	display: none;
 	width: 100%;
 	float: left;
 	padding: 10px 0;
 }
 
-.customize-section .customize-control-image .library-content.library-selected {
+.accordion-section .customize-control-image .library-content.library-selected {
 	display: block;
 }
 
-.customize-section .customize-control-image .library .thumbnail {
+.accordion-section .customize-control-image .library .thumbnail {
 	display: block;
 	width: 100%;
 }
 
-.customize-section .customize-control-image .library .thumbnail:hover img {
+.accordion-section .customize-control-image .library .thumbnail:hover img {
 	border-color: #21759b;
 }
 
-.customize-section .customize-control-image .library .thumbnail img {
+.accordion-section .customize-control-image .library .thumbnail img {
 	display: block;
 	max-width: 90%;
 	max-height: 80px;
@@ -453,13 +366,13 @@ body {
 	border: 1px solid #dfdfdf;
 }
 
-.customize-section .customize-control-upload .upload-fallback,
-.customize-section .customize-control-image .upload-fallback {
+.accordion-section .customize-control-upload .upload-fallback,
+.accordion-section .customize-control-image .upload-fallback {
 	display: none;
 }
 
-.customize-section .customize-control-upload .upload-dropzone,
-.customize-section .customize-control-image .upload-dropzone {
+.accordion-section .customize-control-upload .upload-dropzone,
+.accordion-section .customize-control-image .upload-dropzone {
 	display: none;
 	padding: 15px 10px;
 	border: 3px dashed #dfdfdf;
@@ -470,8 +383,8 @@ body {
 	cursor: default;
 }
 
-.customize-section .customize-control-upload .upload-dropzone.supports-drag-drop,
-.customize-section .customize-control-image .upload-dropzone.supports-drag-drop {
+.accordion-section .customize-control-upload .upload-dropzone.supports-drag-drop,
+.accordion-section .customize-control-image .upload-dropzone.supports-drag-drop {
 	display: block;
 	-webkit-transition: border-color 0.1s;
 	-moz-transition:    border-color 0.1s;
@@ -480,13 +393,13 @@ body {
 	transition:         border-color 0.1s;
 }
 
-.customize-section .customize-control-upload .library ul li,
-.customize-section .customize-control-image .library ul li {
+.accordion-section .customize-control-upload .library ul li,
+.accordion-section .customize-control-image .library ul li {
 	cursor: pointer;
 }
 
-.customize-section .customize-control-upload .upload-dropzone.supports-drag-drop.drag-over,
-.customize-section .customize-control-image .upload-dropzone.supports-drag-drop.drag-over {
+.accordion-section .customize-control-upload .upload-dropzone.supports-drag-drop.drag-over,
+.accordion-section .customize-control-image .upload-dropzone.supports-drag-drop.drag-over {
 	border-color: #83b4d8;
 }
 

wp-admin/css/ie-rtl.css

@@ -73,10 +73,6 @@ div#dashboard-widgets {
 	padding-left: 1px;
 }
 
-.tagchecklist span a {
-	margin: 4px -9px 0 0;
-}
-
 .widefat th input {
 	margin: 0 5px 0 0;
 }
@@ -234,7 +230,7 @@ p.button-controls,
 	right: 0;
 }
 
-.screen-reader-text { 
+.screen-reader-text {
 	right: auto;
-	text-indent: -1000em; 
-} 
+	text-indent: -1000em;
+}

wp-admin/css/ie-rtl.min.css

@@ -1 +1 @@
-body{direction:rtl;width:99.5%}.rtl #adminmenuback{left:auto;right:0;background-image:none}.rtl #adminmenuback,.rtl #adminmenuwrap{border-width:0 0 0 1px}#plupload-upload-ui{zoom:1}.post-com-count-wrapper a.post-com-count{float:none}#adminmenu .wp-submenu ul{width:99%}#adminmenu .wp-submenu .wp-submenu .wp-submenu,#adminmenu .wp-menu-open .wp-submenu .wp-submenu{border:1px solid #dfdfdf}.folded #adminmenu .wp-submenu{right:30px}#wpcontent #adminmenu .wp-submenu li.wp-submenu-head{padding:3px 10px 4px 4px}div.quicktags-toolbar input{min-width:0}.inline-edit-row fieldset label span.title{float:right}.inline-edit-row fieldset label span.input-text-wrap{margin-right:0}p.search-box{float:left}#bh{margin:7px 10px 0 0;float:left}.postbox div.inside,.wp-editor-wrap .wp-editor-container .wp-editor-area,#nav-menu-theme-locations .howto select{width:97.5%}div#dashboard-widgets{padding-right:0;padding-left:1px}.tagchecklist span a{margin:4px -9px 0 0}.widefat th input{margin:0 5px 0 0}#TB_window{width:670px;position:absolute;top:50%;left:50%;margin-right:335px!important}#dashboard_plugins{direction:ltr}#dashboard_plugins h3.hndle{direction:rtl}#dashboard_incoming_links ul li,#dashboard_secondary ul li,#dashboard_primary ul li,p.row-actions{width:100%}#post-status-info{height:25px}p.submit{height:22px}.available-theme .action-links li{padding-left:7px;margin-left:7px}form#widgets-filter{position:static}.menu-item-depth-0{margin-left:0}.menu-item-depth-1{margin-left:-30px}.menu-item-depth-2{margin-left:-60px}.menu-item-depth-3{margin-left:-90px}.menu-item-depth-4{margin-left:-120px}.menu-item-depth-5{margin-left:-150px}.menu-item-depth-6{margin-left:-180px}.menu-item-depth-7{margin-left:-210px}.menu-item-depth-8{margin-left:-240px}.menu-item-depth-9{margin-left:-270px}.menu-item-depth-10{margin-left:-300px}.menu-item-depth-11{margin-left:-330px}#menu-management,.nav-menus-php .menu-edit,#nav-menu-header .submitbox{zoom:1}.nav-menus-php label{max-width:90%!important}p.button-controls,.nav-menus-php .tabs-panel{max-width:90%}.nav-menus-php .major-publishing-actions .publishing-action{float:none}#wpbody #nav-menu-header label{float:none}#nav-menu-header{margin-top:-10px}#nav-menu-footer{margin-bottom:-20px}#update-nav-menu .publishing-action{max-width:200px}#nav-menus-frame #update-nav-menu .delete-action{margin-top:-25px;float:left}#menu-to-edit li{margin-top:-10px;margin-bottom:-10px}.sortable-placeholder{margin-top:0!important;margin-left:0!important;margin-bottom:13px!important;padding:0!important}.auto-add-pages{clear:both;float:none}#nav-menus-frame .open-label span{float:none;display:inline-block}#nav-menus-frame .delete-action{float:none}#title-wrap #title-prompt-text{right:0}.screen-reader-text{right:auto;text-indent:-1000em}
+body{direction:rtl;width:99.5%}.rtl #adminmenuback{left:auto;right:0;background-image:none}.rtl #adminmenuback,.rtl #adminmenuwrap{border-width:0 0 0 1px}#plupload-upload-ui{zoom:1}.post-com-count-wrapper a.post-com-count{float:none}#adminmenu .wp-submenu ul{width:99%}#adminmenu .wp-menu-open .wp-submenu .wp-submenu,#adminmenu .wp-submenu .wp-submenu .wp-submenu{border:1px solid #dfdfdf}.folded #adminmenu .wp-submenu{right:30px}#wpcontent #adminmenu .wp-submenu li.wp-submenu-head{padding:3px 10px 4px 4px}div.quicktags-toolbar input{min-width:0}.inline-edit-row fieldset label span.title{float:right}.inline-edit-row fieldset label span.input-text-wrap{margin-right:0}p.search-box{float:left}#bh{margin:7px 10px 0 0;float:left}#nav-menu-theme-locations .howto select,.postbox div.inside,.wp-editor-wrap .wp-editor-container .wp-editor-area{width:97.5%}div#dashboard-widgets{padding-right:0;padding-left:1px}.widefat th input{margin:0 5px 0 0}#TB_window{width:670px;position:absolute;top:50%;left:50%;margin-right:335px!important}#dashboard_plugins{direction:ltr}#dashboard_plugins h3.hndle{direction:rtl}#dashboard_incoming_links ul li,#dashboard_primary ul li,#dashboard_secondary ul li,p.row-actions{width:100%}#post-status-info{height:25px}p.submit{height:22px}.available-theme .action-links li{padding-left:7px;margin-left:7px}form#widgets-filter{position:static}.menu-item-depth-0{margin-left:0}.menu-item-depth-1{margin-left:-30px}.menu-item-depth-2{margin-left:-60px}.menu-item-depth-3{margin-left:-90px}.menu-item-depth-4{margin-left:-120px}.menu-item-depth-5{margin-left:-150px}.menu-item-depth-6{margin-left:-180px}.menu-item-depth-7{margin-left:-210px}.menu-item-depth-8{margin-left:-240px}.menu-item-depth-9{margin-left:-270px}.menu-item-depth-10{margin-left:-300px}.menu-item-depth-11{margin-left:-330px}#menu-management,#nav-menu-header .submitbox,.nav-menus-php .menu-edit{zoom:1}.nav-menus-php label{max-width:90%!important}.nav-menus-php .tabs-panel,p.button-controls{max-width:90%}.nav-menus-php .major-publishing-actions .publishing-action{float:none}#wpbody #nav-menu-header label{float:none}#nav-menu-header{margin-top:-10px}#nav-menu-footer{margin-bottom:-20px}#update-nav-menu .publishing-action{max-width:200px}#nav-menus-frame #update-nav-menu .delete-action{margin-top:-25px;float:left}#menu-to-edit li{margin-top:-10px;margin-bottom:-10px}.sortable-placeholder{margin-top:0!important;margin-left:0!important;margin-bottom:13px!important;padding:0!important}.auto-add-pages{clear:both;float:none}#nav-menus-frame .open-label span{float:none;display:inline-block}#nav-menus-frame .delete-action{float:none}#title-wrap #title-prompt-text{right:0}.screen-reader-text{right:auto;text-indent:-1000em}

wp-admin/css/ie.css

@@ -371,10 +371,6 @@ div#dashboard-widgets {
 	display: block;
 }
 
-.tagchecklist span a {
-	margin: 4px 0 0 -9px;
-}
-
 .tablenav .button-secondary,
 .nav .button-secondary {
 	padding-top: 2px;
@@ -396,6 +392,12 @@ div#dashboard-widgets {
 	display: inline;
 }
 
+a.post-state-format {
+	text-indent: 0;
+	line-height: 0;
+	font-size: 0;
+}
+
 table.ie-fixed {
 	table-layout: fixed;
 }
@@ -484,20 +486,6 @@ table.ie-fixed {
 	min-width: 400px;
 }
 
-.about-wrap img.element-screenshot {
-	padding: 2px;
-}
-
-.about-wrap .feature-section img,
-.about-wrap .feature-section .image-mask {
-	border-width: 1px;
-	border-style: solid;
-}
-
-.about-wrap .feature-section.three-col img {
-	margin-left: 0;
-}
-
 .available-theme {
 	display: inline;
 }
@@ -511,13 +499,21 @@ table.ie-fixed {
 	margin-right: 7px;
 }
 
-.about-wrap .three-col-images img {
-	margin: 0 0.6% 10px;
+.about-wrap .three-col.about-updates .col-2 {
+	width: 15%;
 }
 
-.about-wrap .three-col-images .last-feature,
-.about-wrap .three-col-images .first-feature {
-	float: none;
+.about-wrap .about-password-meter input {
+	width: 98%;
+}
+
+.revisions-tickmarks,
+.revisions-tooltip {
+	display: none !important;
+}
+
+.revisions.pinned .revisions-controls {
+	position: relative;
 }
 
 /* IE6 leftovers */

wp-admin/css/install.css

@@ -215,10 +215,12 @@ textarea {
 }
 
 .message {
-	border: 1px solid #e6db55;
-	padding: 0.3em 0.6em;
+	border: 1px solid #c00;
+	-webkit-border-radius: 3px;
+	border-radius:         3px;
+	padding: 0.5em 0.7em;
 	margin: 5px 0 15px;
-	background-color: #ffffe0;
+	background-color: #ffebe8;
 }
 
 /* install-rtl */

wp-admin/css/install.min.css

@@ -1 +1 @@
-html{background:#f9f9f9}body{background:#fff;color:#333;font-family:sans-serif;margin:2em auto;padding:1em 2em;-webkit-border-radius:3px;border-radius:3px;border:1px solid #dfdfdf;max-width:700px}a{color:#21759b;text-decoration:none}a:hover{color:#d54e21}h1{border-bottom:1px solid #dadada;clear:both;color:#666;font:24px Georgia,"Times New Roman",Times,serif;margin:30px 0 0 0;padding:0;padding-bottom:7px}h2{font-size:16px}p,li,dd,dt{padding-bottom:2px;font-size:14px;line-height:1.5}code,.code{font-size:14px}ul,ol,dl{padding:5px 5px 5px 22px}a img{border:0}abbr{border:0;font-variant:normal}#logo{margin:6px 0 14px 0;border-bottom:0;text-align:center}#logo a{background-image:url('../images/wordpress-logo.png?ver=20120216');background-size:274px 63px;background-position:top center;background-repeat:no-repeat;height:67px;text-indent:-9999px;outline:0;overflow:hidden;display:block}@media print,(-o-min-device-pixel-ratio:5/4),(-webkit-min-device-pixel-ratio:1.25),(min-resolution:120dpi){#logo a{background-image:url('../images/wordpress-logo-2x.png?ver=20120412');background-size:274px 63px}}.step{margin:20px 0 15px}.step,th{text-align:left;padding:0}.step .button-large{font-size:14px}textarea{border:1px solid #dfdfdf;-webkit-border-radius:3px;border-radius:3px;font-family:sans-serif;width:695px}.form-table{border-collapse:collapse;margin-top:1em;width:100%}.form-table td{margin-bottom:9px;padding:10px 20px 10px 0;border-bottom:8px solid #fff;font-size:14px;vertical-align:top}.form-table th{font-size:14px;text-align:left;padding:16px 20px 10px 0;border-bottom:8px solid #fff;width:140px;vertical-align:top}.form-table code{line-height:18px;font-size:14px}.form-table p{margin:4px 0 0 0;font-size:11px}.form-table input{line-height:20px;font-size:15px;padding:2px;border:1px #dfdfdf solid;-webkit-border-radius:3px;border-radius:3px;font-family:sans-serif}.form-table input[type=text],.form-table input[type=password]{width:206px}.form-table th p{font-weight:normal}.form-table.install-success td{vertical-align:middle;padding:16px 20px 10px 0}.form-table.install-success td p{margin:0;font-size:14px}.form-table.install-success td code{margin:0;font-size:18px}#error-page{margin-top:50px}#error-page p{font-size:14px;line-height:18px;margin:25px 0 20px}#error-page code,.code{font-family:Consolas,Monaco,monospace}#pass-strength-result{background-color:#eee;border-color:#ddd!important;border-style:solid;border-width:1px;margin:5px 5px 5px 0;padding:5px;text-align:center;width:200px;display:none}#pass-strength-result.bad{background-color:#ffb78c;border-color:#ff853c!important}#pass-strength-result.good{background-color:#ffec8b;border-color:#fc0!important}#pass-strength-result.short{background-color:#ffa0a0;border-color:#f04040!important}#pass-strength-result.strong{background-color:#c3ff88;border-color:#8dff1c!important}.message{border:1px solid #e6db55;padding:.3em .6em;margin:5px 0 15px;background-color:#ffffe0}body.rtl{font-family:Tahoma,arial}.rtl h1{font-family:arial;margin:5px -4px 0 0}.rtl ul,.rtl ol{padding:5px 22px 5px 5px}.rtl .step,.rtl th,.rtl .form-table th{text-align:right}.rtl .submit input,.rtl .button,.rtl .button-secondary{margin-right:0}.rtl #dbname,.rtl #uname,.rtl #pwd,.rtl #dbhost,.rtl #prefix,.rtl #user_login,.rtl #admin_email,.rtl #pass1,.rtl #pass2{direction:ltr}
+html{background:#f9f9f9}body{background:#fff;color:#333;font-family:sans-serif;margin:2em auto;padding:1em 2em;-webkit-border-radius:3px;border-radius:3px;border:1px solid #dfdfdf;max-width:700px}a{color:#21759b;text-decoration:none}a:hover{color:#d54e21}h1{border-bottom:1px solid #dadada;clear:both;color:#666;font:24px Georgia,"Times New Roman",Times,serif;margin:30px 0 0 0;padding:0;padding-bottom:7px}h2{font-size:16px}dd,dt,li,p{padding-bottom:2px;font-size:14px;line-height:1.5}.code,code{font-size:14px}dl,ol,ul{padding:5px 5px 5px 22px}a img{border:0}abbr{border:0;font-variant:normal}#logo{margin:6px 0 14px 0;border-bottom:none;text-align:center}#logo a{background-image:url('../images/wordpress-logo.png?ver=20120216');background-size:274px 63px;background-position:top center;background-repeat:no-repeat;height:67px;text-indent:-9999px;outline:0;overflow:hidden;display:block}@media print,(-o-min-device-pixel-ratio:5/4),(-webkit-min-device-pixel-ratio:1.25),(min-resolution:120dpi){#logo a{background-image:url('../images/wordpress-logo-2x.png?ver=20120412');background-size:274px 63px}}.step{margin:20px 0 15px}.step,th{text-align:left;padding:0}.step .button-large{font-size:14px}textarea{border:1px solid #dfdfdf;-webkit-border-radius:3px;border-radius:3px;font-family:sans-serif;width:695px}.form-table{border-collapse:collapse;margin-top:1em;width:100%}.form-table td{margin-bottom:9px;padding:10px 20px 10px 0;border-bottom:8px solid #fff;font-size:14px;vertical-align:top}.form-table th{font-size:14px;text-align:left;padding:16px 20px 10px 0;border-bottom:8px solid #fff;width:140px;vertical-align:top}.form-table code{line-height:18px;font-size:14px}.form-table p{margin:4px 0 0 0;font-size:11px}.form-table input{line-height:20px;font-size:15px;padding:2px;border:1px #dfdfdf solid;-webkit-border-radius:3px;border-radius:3px;font-family:sans-serif}.form-table input[type=password],.form-table input[type=text]{width:206px}.form-table th p{font-weight:400}.form-table.install-success td{vertical-align:middle;padding:16px 20px 10px 0}.form-table.install-success td p{margin:0;font-size:14px}.form-table.install-success td code{margin:0;font-size:18px}#error-page{margin-top:50px}#error-page p{font-size:14px;line-height:18px;margin:25px 0 20px}#error-page code,.code{font-family:Consolas,Monaco,monospace}#pass-strength-result{background-color:#eee;border-color:#ddd!important;border-style:solid;border-width:1px;margin:5px 5px 5px 0;padding:5px;text-align:center;width:200px;display:none}#pass-strength-result.bad{background-color:#ffb78c;border-color:#ff853c!important}#pass-strength-result.good{background-color:#ffec8b;border-color:#fc0!important}#pass-strength-result.short{background-color:#ffa0a0;border-color:#f04040!important}#pass-strength-result.strong{background-color:#c3ff88;border-color:#8dff1c!important}.message{border:1px solid #c00;-webkit-border-radius:3px;border-radius:3px;padding:.5em .7em;margin:5px 0 15px;background-color:#ffebe8}body.rtl{font-family:Tahoma,arial}.rtl h1{font-family:arial;margin:5px -4px 0 0}.rtl ol,.rtl ul{padding:5px 22px 5px 5px}.rtl .form-table th,.rtl .step,.rtl th{text-align:right}.rtl .button,.rtl .button-secondary,.rtl .submit input{margin-right:0}.rtl #admin_email,.rtl #dbhost,.rtl #dbname,.rtl #pass1,.rtl #pass2,.rtl #prefix,.rtl #pwd,.rtl #uname,.rtl #user_login{direction:ltr}

wp-admin/css/media-rtl.min.css

@@ -1 +1 @@
-body#media-upload ul#sidemenu{left:auto;right:0}#search-filter{text-align:left}.align .field label{padding:0 23px 0 0;margin:0 3px 0 1em}.image-align-none-label,.image-align-left-label,.image-align-center-label,.image-align-right-label{background-position:center right}tr.image-size label{margin:0 5px 0 0}.file-error{margin:0 50px 5px 0}.progress{left:auto;right:0}.describe td{padding:0 0 0 5px}#media-upload .describe th.label{text-align:right}.menu_order{float:left}.media-upload-form label.form-help,td.help,#media-upload p.help,#media-upload label.help{font-family:Tahoma,Arial}#gallery-settings #basic th.label{padding:5px 0 5px 5px}#gallery-settings .title,h3.media-title{font-family:Tahoma,Arial}#gallery-settings .describe th.label{text-align:right}#gallery-settings label,#gallery-settings legend{margin-right:0;margin-left:15px}#gallery-settings .align .field label{margin:0 3px 0 1em}#sort-buttons{margin:3px 0 -8px 25px;text-align:left}#sort-buttons #asc,#sort-buttons #showall{padding-left:0;padding-right:5px}#sort-buttons span{margin-right:0;margin-left:25px}
+body#media-upload ul#sidemenu{left:auto;right:0}#search-filter{text-align:left}.align .field label{padding:0 23px 0 0;margin:0 3px 0 1em}.image-align-center-label,.image-align-left-label,.image-align-none-label,.image-align-right-label{background-position:center right}tr.image-size label{margin:0 5px 0 0}.file-error{margin:0 50px 5px 0}.progress{left:auto;right:0}.describe td{padding:0 0 0 5px}#media-upload .describe th.label{text-align:right}.menu_order{float:left}#media-upload label.help,#media-upload p.help,.media-upload-form label.form-help,td.help{font-family:Tahoma,Arial}#gallery-settings #basic th.label{padding:5px 0 5px 5px}#gallery-settings .title,h3.media-title{font-family:Tahoma,Arial}#gallery-settings .describe th.label{text-align:right}#gallery-settings label,#gallery-settings legend{margin-right:0;margin-left:15px}#gallery-settings .align .field label{margin:0 3px 0 1em}#sort-buttons{margin:3px 0 -8px 25px;text-align:left}#sort-buttons #asc,#sort-buttons #showall{padding-left:0;padding-right:5px}#sort-buttons span{margin-right:0;margin-left:25px}

wp-admin/css/media.min.css

@@ -1 +1 @@
-div#media-upload-header{margin:0;padding:5px 5px 0;font-weight:bold;position:relative;border-bottom-width:1px;border-bottom-style:solid}body#media-upload ul#sidemenu{font-weight:normal;margin:0 5px;left:0;bottom:-1px;float:none;overflow:hidden}form{margin:1em}#search-filter{text-align:right}th{position:relative}.media-upload-form label.form-help,td.help{font-family:sans-serif;font-style:italic;font-weight:normal}.media-upload-form p.help{margin:0;padding:0}.media-upload-form fieldset{width:100%;border:0;text-align:justify;margin:0 0 1em 0;padding:0}.image-align-none-label{background:url(../images/align-none.png) no-repeat center left}.image-align-left-label{background:url(../images/align-left.png) no-repeat center left}.image-align-center-label{background:url(../images/align-center.png) no-repeat center left}.image-align-right-label{background:url(../images/align-right.png) no-repeat center left}tr.image-size td{width:460px}tr.image-size div.image-size-item{margin:0 0 5px}#library-form .progress,#gallery-form .progress,.insert-gallery,.describe.startopen,.describe.startclosed{display:none}.media-item .thumbnail{max-width:128px;max-height:128px}thead.media-item-info tr{background-color:transparent}.form-table thead.media-item-info{border:8px solid #fff}abbr.required{text-decoration:none;border:0}.describe label{display:inline}.describe td.error{padding:2px 8px}.describe td.A1{width:132px}.describe input[type="text"],.describe textarea{width:460px;border-width:1px;border-style:solid}#media-upload p.ml-submit{padding:1em 0}#media-upload p.help,#media-upload label.help{font-family:sans-serif;font-style:italic;font-weight:normal}#media-upload .ui-sortable .media-item{cursor:move}#media-upload tr.image-size{margin-bottom:1em;height:3em}#media-upload #filter{width:623px}#media-upload #filter .subsubsub{margin:8px 0}#filter .tablenav select{border-style:solid;border-width:1px;padding:2px;vertical-align:top;width:auto}#media-upload .del-attachment{display:none;margin:5px 0}.menu_order{float:right;font-size:11px;margin:10px 10px 0}.menu_order_input{border:1px solid #ddd;font-size:10px;padding:1px;width:23px}.ui-sortable-helper{background-color:#fff;border:1px solid #aaa;opacity:.6;filter:alpha(opacity=60)}#media-upload th.order-head{width:20%;text-align:center}#media-upload th.actions-head{width:25%;text-align:center}#media-upload a.wp-post-thumbnail{margin:0 20px}#media-upload .widefat{width:626px;border-style:solid solid none}.sorthelper{height:37px;width:623px;display:block}#gallery-settings th.label{width:160px}#gallery-settings #basic th.label{padding:5px 5px 5px 0}#gallery-settings .title{clear:both;padding:0 0 3px;font-size:1.6em;border-bottom:1px solid #dadada}h3.media-title{font-size:1.6em}h4.media-sub-title{border-bottom:1px solid #dadada;font-size:1.3em;margin:12px;padding:0 0 3px}#gallery-settings .title,h3.media-title,h4.media-sub-title{font-family:Georgia,"Times New Roman",Times,serif;font-weight:normal;color:#5a5a5a}#gallery-settings .describe td{vertical-align:middle;height:3em}#gallery-settings .describe th.label{padding-top:.5em;text-align:left}#gallery-settings .describe{padding:5px;width:615px;clear:both;cursor:default}#gallery-settings .describe select{width:15em}#gallery-settings .describe select option,#gallery-settings .describe td{padding:0}#gallery-settings label,#gallery-settings legend{font-size:13px;color:#464646;margin-right:15px}#gallery-settings .align .field label{margin:0 1em 0 3px}#gallery-settings p.ml-submit{border-top:1px solid #dfdfdf}#gallery-settings select#columns{width:6em}#sort-buttons{font-size:.8em;margin:3px 25px -8px 0;text-align:right;max-width:625px}#sort-buttons a{text-decoration:none}#sort-buttons #asc,#sort-buttons #showall{padding-left:5px}#sort-buttons span{margin-right:25px}p.media-types{margin:1em}tr.not-image{display:none}table.not-image tr.not-image{display:table-row}table.not-image tr.image-only{display:none}@media print,(-o-min-device-pixel-ratio:5/4),(-webkit-min-device-pixel-ratio:1.25),(min-resolution:120dpi){.image-align-none-label{background-image:url("../images/align-none-2x.png?ver=20120916");background-size:21px 15px}.image-align-left-label{background-image:url("../images/align-left-2x.png?ver=20120916");background-size:22px 15px}.image-align-center-label{background-image:url("../images/align-center-2x.png?ver=20120916");background-size:21px 15px}.image-align-right-label{background-image:url("../images/align-right-2x.png?ver=20120916");background-size:22px 15px}}
+div#media-upload-header{margin:0;padding:5px 5px 0;font-weight:700;position:relative;border-bottom-width:1px;border-bottom-style:solid}body#media-upload ul#sidemenu{font-weight:400;margin:0 5px;left:0;bottom:-1px;float:none;overflow:hidden}form{margin:1em}#search-filter{text-align:right}th{position:relative}.media-upload-form label.form-help,td.help{font-family:sans-serif;font-style:italic;font-weight:400}.media-upload-form p.help{margin:0;padding:0}.media-upload-form fieldset{width:100%;border:none;text-align:justify;margin:0 0 1em 0;padding:0}.image-align-none-label{background:url(../images/align-none.png) no-repeat center left}.image-align-left-label{background:url(../images/align-left.png) no-repeat center left}.image-align-center-label{background:url(../images/align-center.png) no-repeat center left}.image-align-right-label{background:url(../images/align-right.png) no-repeat center left}tr.image-size td{width:460px}tr.image-size div.image-size-item{margin:0 0 5px}#gallery-form .progress,#library-form .progress,.describe.startclosed,.describe.startopen,.insert-gallery{display:none}.media-item .thumbnail{max-width:128px;max-height:128px}thead.media-item-info tr{background-color:transparent}.form-table thead.media-item-info{border:8px solid #fff}abbr.required{text-decoration:none;border:none}.describe label{display:inline}.describe td.error{padding:2px 8px}.describe td.A1{width:132px}.describe input[type=text],.describe textarea{width:460px;border-width:1px;border-style:solid}#media-upload p.ml-submit{padding:1em 0}#media-upload label.help,#media-upload p.help{font-family:sans-serif;font-style:italic;font-weight:400}#media-upload .ui-sortable .media-item{cursor:move}#media-upload tr.image-size{margin-bottom:1em;height:3em}#media-upload #filter{width:623px}#media-upload #filter .subsubsub{margin:8px 0}#filter .tablenav select{border-style:solid;border-width:1px;padding:2px;vertical-align:top;width:auto}#media-upload .del-attachment{display:none;margin:5px 0}.menu_order{float:right;font-size:11px;margin:10px 10px 0}.menu_order_input{border:1px solid #ddd;font-size:10px;padding:1px;width:23px}.ui-sortable-helper{background-color:#fff;border:1px solid #aaa;opacity:.6}#media-upload th.order-head{width:20%;text-align:center}#media-upload th.actions-head{width:25%;text-align:center}#media-upload a.wp-post-thumbnail{margin:0 20px}#media-upload .widefat{width:626px;border-style:solid solid none}.sorthelper{height:37px;width:623px;display:block}#gallery-settings th.label{width:160px}#gallery-settings #basic th.label{padding:5px 5px 5px 0}#gallery-settings .title{clear:both;padding:0 0 3px;font-size:1.6em;border-bottom:1px solid #dadada}h3.media-title{font-size:1.6em}h4.media-sub-title{border-bottom:1px solid #dadada;font-size:1.3em;margin:12px;padding:0 0 3px}#gallery-settings .title,h3.media-title,h4.media-sub-title{font-family:Georgia,"Times New Roman",Times,serif;font-weight:400;color:#5a5a5a}#gallery-settings .describe td{vertical-align:middle;height:3em}#gallery-settings .describe th.label{padding-top:.5em;text-align:left}#gallery-settings .describe{padding:5px;width:615px;clear:both;cursor:default}#gallery-settings .describe select{width:15em}#gallery-settings .describe select option,#gallery-settings .describe td{padding:0}#gallery-settings label,#gallery-settings legend{font-size:13px;color:#464646;margin-right:15px}#gallery-settings .align .field label{margin:0 1em 0 3px}#gallery-settings p.ml-submit{border-top:1px solid #dfdfdf}#gallery-settings select#columns{width:6em}#sort-buttons{font-size:.8em;margin:3px 25px -8px 0;text-align:right;max-width:625px}#sort-buttons a{text-decoration:none}#sort-buttons #asc,#sort-buttons #showall{padding-left:5px}#sort-buttons span{margin-right:25px}p.media-types{margin:1em}tr.not-image{display:none}table.not-image tr.not-image{display:table-row}table.not-image tr.image-only{display:none}@media print,(-o-min-device-pixel-ratio:5/4),(-webkit-min-device-pixel-ratio:1.25),(min-resolution:120dpi){.image-align-none-label{background-image:url("../images/align-none-2x.png?ver=20120916");background-size:21px 15px}.image-align-left-label{background-image:url("../images/align-left-2x.png?ver=20120916");background-size:22px 15px}.image-align-center-label{background-image:url("../images/align-center-2x.png?ver=20120916");background-size:21px 15px}.image-align-right-label{background-image:url("../images/align-right-2x.png?ver=20120916");background-size:22px 15px}}

wp-admin/css/wp-admin-rtl.css

@@ -23,6 +23,7 @@ TABLE OF CONTENTS:
 	11.1 - Custom Fields
 	11.2 - Post Revisions
 	11.3 - Featured Images
+	11.4 - Post formats
 12.0 - Categories
 13.0 - Tags
 14.0 - Media Screen
@@ -44,6 +45,8 @@ TABLE OF CONTENTS:
 25.0 - TinyMCE tweaks
 26.0 - Full Overlay w/ Sidebar
 27.0 - Customize Loader
+28.0 - Nav Menus
+29.0 - HiDPI
 
 
 ------------------------------------------------------------------------------*/
@@ -688,17 +691,29 @@ form.upgrade .hint {
 .fixed .column-comments {
 	text-align: right;
 }
+
 .fixed .column-comments .vers {
 	padding-left: 0;
 	padding-right: 3px;
 }
+
 .fixed .column-comments a {
 	float: right;
 }
+
+.fixed .column-menus {
+	text-align: right;
+}
+
 .sorting-indicator {
 	margin-left: 0;
 	margin-right: 7px;
 }
+
+tr.wp-locked .locked-indicator {
+	margin: -2px 6px 0 0;
+}
+
 th.sortable a span,
 th.sorted a span {
 	float: right;
@@ -816,8 +831,6 @@ th.sorted a span {
 }
 
 .inline-edit-row fieldset ul.cat-checklist label,
-.inline-edit-row .catshow,
-.inline-edit-row .cathide,
 .inline-edit-row #bulk-titles div {
 	font-family: Tahoma, Arial, sans-serif;
 }
@@ -941,6 +954,23 @@ th.sorted a span {
 	padding-left: 10px;
 }
 
+#post-lock-dialog .post-locked-message a.button {
+	margin-right: 0;
+	margin-left: 10px;
+}
+
+#post-lock-dialog .post-locked-avatar {
+	float: right;
+	margin: 0 0 20px 20px;
+}
+
+#post-lock-dialog .locked-saving img {
+	float: right;
+	margin-right: 0;
+	margin-left: 3px;
+}
+
+
 /*------------------------------------------------------------------------------
   11.1 - Custom Fields
 ------------------------------------------------------------------------------*/
@@ -950,9 +980,113 @@ th.sorted a span {
 /*------------------------------------------------------------------------------
   11.2 - Post Revisions
 ------------------------------------------------------------------------------*/
+.wp-slider .ui-slider-handle.from-handle:before,
+.wp-slider .ui-slider-handle.to-handle:before {
+	height: 8px;
+	width: 7px;
+}
 
-table.diff td, table.diff th {
-	font-family: Consolas, Monaco, monospace;
+.wp-slider .ui-slider-handle.from-handle:before {
+	background-position: -5px -10px;
+	left: 6px;
+}
+
+.wp-slider .ui-slider-handle.to-handle:before {
+	background-position: -4px -29px;
+	left: 6px;
+}
+
+.revision-toggle-compare-mode {
+	right: auto;
+	left: 0;
+}
+
+.revisions .loading-indicator {
+	margin-right: -90px;
+}
+
+body.folded .revisions .loading-indicator {
+	margin-right: -32px;
+}
+
+.revisions-next {
+	float: left;
+}
+
+.revisions-previous {
+	float: right;
+}
+
+.diff-title strong {
+	text-align: left;
+	float: right;
+	margin-right: 0;
+	margin-left: 5px;
+}
+
+.revisions-controls .author-card .avatar,
+.revisions-controls .author-card .author-info {
+	float: right;
+}
+
+.diff-meta input.restore-revision {
+	float: left;
+}
+
+.diff-col-title-added,
+.diff-col-title-removed {
+	text-align: right;
+	float: right;
+}
+
+.revisions-tooltip {
+	margin-left: 0;
+	margin-right: -69px;
+}
+
+.revisions-tooltip.flipped {
+	margin-right: 0;
+	margin-left: -70px;
+}
+
+.ie8 .revisions-tooltip {
+	margin-right: -75px;
+}
+
+.ie8 .revisions-tooltip.flipped {
+	margin-left: -63px;
+}
+
+.revisions-tooltip-arrow {
+	right: 0;
+	margin-left: 0;
+	margin-right: 35px;
+}
+
+.revisions-tooltip.flipped .revisions-tooltip-arrow {
+	margin-right: 0;
+	margin-left: 35px;
+	right: auto;
+	left: 0;
+}
+
+.revisions-tooltip-arrow > span {
+	left: auto;
+	right: 20px;
+}
+
+.revisions-tooltip.flipped .revisions-tooltip-arrow > span {
+	right: auto;
+	left: 20px;
+}
+
+.ie8 .revisions-tooltip-arrow > span {
+	right: 21px;
+}
+
+.revisions-tickmarks > div {
+	float: right;
+	border-width: 0 0 0 1px;
 }
 
 /*------------------------------------------------------------------------------
@@ -963,6 +1097,62 @@ table.diff td, table.diff th {
 	float: right;
 }
 
+/*------------------------------------------------------------------------------
+  11.4 - Post formats
+------------------------------------------------------------------------------*/
+
+a.post-state-format {
+	margin-right: 0;
+	margin-left: 5px;
+}
+
+label.post-format-icon {
+	margin-left: 0;
+	margin-right: 5px;
+	padding-left: 0px;
+	padding-right: 21px;
+}
+
+.post-format-icon.post-format-standard  {
+	background-position: 100% 0;
+}
+
+.post-format-icon.post-format-image  {
+	background-position: 100% -32px;
+}
+
+.post-format-icon.post-format-gallery {
+	background-position: 100% -64px;
+}
+
+.post-format-icon.post-format-audio {
+	background-position: 100% -96px;
+}
+
+.post-format-icon.post-format-video {
+	background-position: 100% -128px;
+}
+
+.post-format-icon.post-format-chat {
+	background-position: 100% -160px;
+}
+
+.post-format-icon.post-format-status {
+	background-position: 100% -192px;
+}
+
+.post-format-icon.post-format-aside {
+	background-position: 100% -224px;
+}
+
+.post-format-icon.post-format-quote {
+	background-position: 100% -256px;
+}
+
+.post-format-icon.post-format-link {
+	background-position: 100% -288px;
+}
+
 /*------------------------------------------------------------------------------
   12.0 - Categories
 ------------------------------------------------------------------------------*/
@@ -1448,6 +1638,18 @@ h2 .nav-tab {
 	font-family: Tahoma, Arial, sans-serif;
 }
 
+#permalink_structure {
+	float: right;
+}
+
+.options-permalink-php code {
+	unicode-bidi: embed;
+}
+
+.options-permalink-php #rules {
+	direction: ltr;
+}
+
 /*------------------------------------------------------------------------------
   21.0 - Admin Footer
 ------------------------------------------------------------------------------*/
@@ -1504,37 +1706,21 @@ h2 .nav-tab {
 	float: right;
 }
 
+.about-wrap .feature-section.two-col div,
 .about-wrap .feature-section.three-col div {
 	margin-right: 0;
 	margin-left: 4.999999999%;
 	float: right;
 }
 
-.about-wrap .feature-section.three-col h4 {
-	text-align: right;
-}
-
-.about-wrap .feature-section.three-col img {
-	margin-right: 5px;
+.about-wrap .feature-section.col .last-feature {
 	margin-left: 0;
 }
 
-.about-wrap .feature-section.three-col .last-feature {
-	margin-left: 0;
-}
-
-.about-wrap .feature-section img {
-	margin: 0 0 10px 0.7%;
-}
-
-.about-wrap .feature-section.images-stagger-right img {
+.about-wrap .feature-section div p img {
 	float: left;
-	margin: 0 2em 12px 5px;
-}
-
-.about-wrap .feature-section.images-stagger-left img {
-	float: right;
-	margin: 0 5px 12px 2em;
+	margin-left: 0;
+	margin-right: 10px;
 }
 
 .about-wrap li.wp-person,
@@ -1544,19 +1730,6 @@ h2 .nav-tab {
 	margin-left: 10px;
 }
 
-@media only screen and (max-width: 768px) {
-	.about-wrap .feature-section img.image-66 {
-		float: none;
-	}
-
-	.about-wrap .feature-section.images-stagger-right img.image-66 {
-		margin-right: 3px;
-	}
-
-	.about-wrap .feature-section.images-stagger-left img.image-66 {
-		margin-left: 3px;
-	}
-}
 
 /*------------------------------------------------------------------------------
   23.0 - Misc
@@ -1590,7 +1763,7 @@ h2 .nav-tab {
 
 }
 .tagchecklist span a {
-	margin: 6px -9px 0pt 0pt;
+	margin: 4px -10px 0 0;
 	float: right;
 }
 
@@ -1717,9 +1890,10 @@ table .column-rating {
 }
 
 /* Collapse Button */
-.wp-full-overlay .collapse-sidebar {
-	right: 0;
+.wp-full-overlay a.collapse-sidebar {
 	left: auto;
+	right: 0;
+	margin-left: 0;
 	margin-right: 15px;
 }
 
@@ -1730,7 +1904,7 @@ table .column-rating {
 .wp-full-overlay .collapse-sidebar-arrow {
 	margin-right: 2px;
 	margin-left: 0;
-	background: transparent url('../images/arrows.png') no-repeat 0 -108px;
+	background: transparent url('../images/arrows.png') no-repeat 1px -108px;
 }
 
 .wp-full-overlay.collapsed .collapse-sidebar-arrow {
@@ -2083,6 +2257,27 @@ body.login {
 	float: right;
 }
 
+.menu-location-menus select {
+	float: right;
+}
+
+.locations-row-links {
+	float: right;
+	margin: 4px 6px 0 0;
+}
+
+.locations-add-menu-link {
+	direction: rtl;
+}
+
+.locations-edit-menu-link {
+	border-left: 1px solid #CCCCCC;
+	border-right: 0;
+	padding-left: 6px;
+	padding-right: 0;
+	float: right;
+}
+
 /* Menu Container */
 #menu-management-liquid {
 	float: right;
@@ -2141,9 +2336,11 @@ body.login {
 }
 
 /* Add Menu Item Boxes */
-.postbox .howto input {
+.postbox .howto input,
+.accordion-container .howto input {
 	float: left;
 }
+
 #nav-menu-theme-locations .button-controls {
 	text-align: left;
 }
@@ -2202,12 +2399,23 @@ body.login {
 .menu-item-handle .item-title {
 	margin-left:13em;
 	margin-right:0;
+	overflow: hidden;
 }
 .menu-item-handle .item-edit {
 	right: auto;
 	left: -20px;
 }
 
+.menu-item-handle .menu-item-title {
+	float: right;
+}
+
+.menu-item-settings .field-move a,
+.menu-item-settings .field-move span {
+	float: right;
+	margin-left: 4px;
+}
+
 /* WARNING: The factor of 30px is hardcoded into the nav-menus javascript. */
 .menu-item-depth-0 { margin-right: 0px; margin-left:0;}
 .menu-item-depth-1 { margin-right: 30px; margin-left:0;}
@@ -2305,10 +2513,6 @@ body.login {
 	margin-right:0;
 }
 
-.auto-add-pages {
-	float: right;
-}
-
 /* Star ratings */
 div.star-holder {
 	background: url('../images/stars-rtl.png?ver=20121108') repeat-x bottom right;
@@ -2318,27 +2522,17 @@ div.star-holder .star-rating {
 	float: right;
 }
 
+#plugin-information .wrap {
+	margin: 4px 15px 0 0;
+}
+
 #plugin-information ul#sidemenu {
 	left: auto;
 	right: 0;
 }
 
-#plugin-information h2 {
-	margin-right: 0;
-	margin-left: 200px;
-}
-
 #plugin-information .fyi {
-	margin-left: 5px;
-	margin-right: 20px;
-}
-
-#plugin-information .fyi h2 {
-	margin-left: 0;
-}
-
-#plugin-information .fyi ul {
-	padding: 10px 7px 10px 5px;
+	float: right;
 }
 
 #plugin-information #section-screenshots li p {
@@ -2346,13 +2540,6 @@ div.star-holder .star-rating {
 	padding-right: 20px;
 }
 
-#plugin-information #section-screenshots ol,
-#plugin-information .updated,
-#plugin-information pre {
-	margin-right: 0;
-	margin-left: 215px;
-}
-
 #plugin-information .updated,
 #plugin-information .error {
 	clear: none;
@@ -2441,6 +2628,14 @@ h3.tb {
 	left: 25px;
 }
 
+#TB_closeAjaxWindow {
+	float: left;
+}
+
+#TB_ajaxWindowTitle {
+	float: right;
+}
+
 #post_status {
 	margin-left: 0;
 	margin-right: 10px;
@@ -2536,9 +2731,64 @@ div.sidebar-name h3 {
 	direction: ltr;
 }
 
-/**
- * HiDPI Displays
- */
+.control-section .accordion-section-title {
+	font-family: Tahoma, Arial, sans-serif;
+}
+
+.js .accordion-section-title:after {
+	right: auto;
+	left: 20px;
+}
+
+/*------------------------------------------------------------------------------
+  28.0 - Nav Menus
+------------------------------------------------------------------------------*/
+.nav-menus-php .major-publishing-actions .publishing-action {
+	float: left;
+}
+
+.menu-settings dd {
+	float: right;
+}
+
+.manage-menus span {
+	float: right;
+}
+
+.manage-menus select {
+	float: right;
+	margin-right: 0;
+	margin-left: 6px;
+}
+
+.manage-menus .submit-btn {
+	float: right;
+}
+
+.manage-menus .selected-menu {
+	float: right;
+	margin: 5px 0 0 6px;
+}
+
+.nav-menus-php .add-new-menu-action {
+	float: right;
+	margin: 4px 6px 0 0;
+}
+
+.nav-menus-php .meta-sep,
+.nav-menus-php .submitdelete,
+.nav-menus-php .submitcancel {
+	float: right;
+}
+
+.is-submenu {
+	float: right;
+	margin-right: 8px;
+}
+
+/*------------------------------------------------------------------------------
+  29.0 - HiDPI
+------------------------------------------------------------------------------*/
 @media print,
   (-o-min-device-pixel-ratio: 5/4),
   (-webkit-min-device-pixel-ratio: 1.25),
@@ -2572,6 +2822,12 @@ div.sidebar-name h3 {
 	#content-resize-handle {
 		background: transparent url('../images/resize-rtl-2x.gif') no-repeat scroll left bottom;
 	}
+
+	.wp-slider .ui-slider-handle:before {
+		background-image: url(../images/arrows-pr-2x.png);
+		background-size: 16px 102px;
+	}
+
 }
 
 /* =Localized CSS
@@ -2590,8 +2846,6 @@ body.locale-he-il,
 .locale-he-il .inline-edit-row fieldset span.title,
 .locale-he-il .inline-edit-row fieldset span.checkbox-title,
 .locale-he-il .inline-edit-row fieldset ul.cat-checklist label,
-.locale-he-il .inline-edit-row .catshow,
-.locale-he-il .inline-edit-row .cathide,
 .locale-he-il .inline-edit-row #bulk-titles div,
 .locale-he-il p.help,
 .locale-he-il p.description,

wp-admin/custom-background.php

@@ -67,11 +67,11 @@ class Custom_Background {
 		if ( ! current_user_can('edit_theme_options') )
 			return;
 
-		$this->page = $page = add_theme_page(__('Background'), __('Background'), 'edit_theme_options', 'custom-background', array(&$this, 'admin_page'));
+		$this->page = $page = add_theme_page(__('Background'), __('Background'), 'edit_theme_options', 'custom-background', array($this, 'admin_page'));
 
-		add_action("load-$page", array(&$this, 'admin_load'));
-		add_action("load-$page", array(&$this, 'take_action'), 49);
-		add_action("load-$page", array(&$this, 'handle_upload'), 49);
+		add_action("load-$page", array($this, 'admin_load'));
+		add_action("load-$page", array($this, 'take_action'), 49);
+		add_action("load-$page", array($this, 'handle_upload'), 49);
 
 		if ( $this->admin_header_callback )
 			add_action("admin_head-$page", $this->admin_header_callback, 51);
@@ -203,16 +203,17 @@ if ( $bgcolor = get_background_color() )
 	$background_styles .= 'background-color: #' . $bgcolor . ';';
 
 if ( get_background_image() ) {
+	$background_image_thumb = esc_url( set_url_scheme( get_theme_mod( 'background_image_thumb', str_replace( '%', '%%', get_background_image() ) ) ) );
 	// background-image URL must be single quote, see below
-	$background_styles .= ' background-image: url(\'' . set_url_scheme( get_theme_mod( 'background_image_thumb', get_background_image() ) ) . '\');'
+	$background_styles .= ' background-image: url(\'' . $background_image_thumb . '\');'
 		. ' background-repeat: ' . get_theme_mod('background_repeat', 'repeat') . ';'
 		. ' background-position: top ' . get_theme_mod('background_position_x', 'left');
 }
 ?>
 <div id="custom-background-image" style="<?php echo $background_styles; ?>"><?php // must be double quote, see above ?>
 <?php if ( get_background_image() ) { ?>
-<img class="custom-background-image" src="<?php echo set_url_scheme( get_theme_mod( 'background_image_thumb', get_background_image() ) ); ?>" style="visibility:hidden;" alt="" /><br />
-<img class="custom-background-image" src="<?php echo set_url_scheme( get_theme_mod( 'background_image_thumb', get_background_image() ) ); ?>" style="visibility:hidden;" alt="" />
+<img class="custom-background-image" src="<?php echo $background_image_thumb; ?>" style="visibility:hidden;" alt="" /><br />
+<img class="custom-background-image" src="<?php echo $background_image_thumb; ?>" style="visibility:hidden;" alt="" />
 <?php } ?>
 </div>
 <?php } ?>
@@ -301,7 +302,7 @@ if ( get_background_image() ) {
 </tr>
 
 <tr valign="top">
-<th scope="row"><?php _e( 'Attachment' ); ?></th>
+<th scope="row"><?php _ex( 'Attachment', 'Background Attachment' ); ?></th>
 <td><fieldset><legend class="screen-reader-text"><span><?php _e( 'Background Attachment' ); ?></span></legend>
 <label>
 <input name="background-attachment" type="radio" value="scroll" <?php checked('scroll', get_theme_mod('background_attachment', 'scroll')); ?> />
@@ -385,7 +386,8 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) )
 		$thumbnail = wp_get_attachment_image_src( $id, 'thumbnail' );
 		set_theme_mod('background_image_thumb', esc_url_raw( $thumbnail[0] ) );
 
-		do_action('wp_create_file_in_uploads', $file, $id); // For replication
+		/** This action is documented in wp-admin/custom-header.php */
+		do_action( 'wp_create_file_in_uploads', $file, $id ); // For replication
 		$this->updated = true;
 	}
 
@@ -408,8 +410,10 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) )
 	}
 
 	public function wp_set_background_image() {
+		check_ajax_referer( 'custom-background' );
 		if ( ! current_user_can('edit_theme_options') || ! isset( $_POST['attachment_id'] ) ) exit;
 		$attachment_id = absint($_POST['attachment_id']);
+		/** This filter is documented in wp-admin/includes/media.php */
 		$sizes = array_keys(apply_filters( 'image_size_names_choose', array('thumbnail' => __('Thumbnail'), 'medium' => __('Medium'), 'large' => __('Large'), 'full' => __('Full Size')) ));
 		$size = 'thumbnail';
 		if ( in_array( $_POST['size'], $sizes ) )

wp-admin/custom-header.php

@@ -84,13 +84,13 @@ class Custom_Image_Header {
 		if ( ! current_user_can('edit_theme_options') )
 			return;
 
-		$this->page = $page = add_theme_page(__('Header'), __('Header'), 'edit_theme_options', 'custom-header', array(&$this, 'admin_page'));
+		$this->page = $page = add_theme_page(__('Header'), __('Header'), 'edit_theme_options', 'custom-header', array($this, 'admin_page'));
 
-		add_action("admin_print_scripts-$page", array(&$this, 'js_includes'));
-		add_action("admin_print_styles-$page", array(&$this, 'css_includes'));
-		add_action("admin_head-$page", array(&$this, 'help') );
-		add_action("admin_head-$page", array(&$this, 'take_action'), 50);
-		add_action("admin_head-$page", array(&$this, 'js'), 50);
+		add_action("admin_print_scripts-$page", array($this, 'js_includes'));
+		add_action("admin_print_styles-$page", array($this, 'css_includes'));
+		add_action("admin_head-$page", array($this, 'help') );
+		add_action("admin_head-$page", array($this, 'take_action'), 50);
+		add_action("admin_head-$page", array($this, 'js'), 50);
 		if ( $this->admin_header_callback )
 			add_action("admin_head-$page", $this->admin_header_callback, 51);
 	}
@@ -320,7 +320,7 @@ class Custom_Image_Header {
 <script type="text/javascript">
 /* <![CDATA[ */
 (function($){
-	var default_color = '#<?php echo get_theme_support( 'custom-header', 'default-text-color' ); ?>',
+	var default_color = '#<?php echo esc_js( get_theme_support( 'custom-header', 'default-text-color' ) ); ?>',
 		header_text_fields;
 
 	function pickColor(color) {
@@ -464,6 +464,7 @@ class Custom_Image_Header {
 <table class="form-table">
 <tbody>
 
+<?php if ( get_custom_header() || display_header_text() ) : ?>
 <tr valign="top">
 <th scope="row"><?php _e( 'Preview' ); ?></th>
 <td>
@@ -490,6 +491,8 @@ class Custom_Image_Header {
 	<?php } ?>
 </td>
 </tr>
+<?php endif; ?>
+
 <?php if ( current_theme_supports( 'custom-header', 'uploads' ) ) : ?>
 <tr valign="top">
 <th scope="row"><?php _e( 'Select Image' ); ?></th>
@@ -630,6 +633,11 @@ if ( current_theme_supports( 'custom-header', 'default-text-color' ) ) {
 </table>
 <?php endif;
 
+/**
+ * Fires just before the submit button in the custom header options form.
+ *
+ * @since 3.1.0
+ */
 do_action( 'custom_header_options' );
 
 wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
@@ -663,8 +671,8 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
 			list( $width, $height, $type, $attr ) = getimagesize( $file );
 		} else {
 			$data = wp_get_attachment_metadata( $attachment_id );
-			$height = $data[ 'height' ];
-			$width = $data[ 'width' ];
+			$height = isset( $data[ 'height' ] ) ? $data[ 'height' ] : 0;
+			$width = isset( $data[ 'width' ] ) ? $data[ 'width' ] : 0;
 			unset( $data );
 		}
 
@@ -687,7 +695,16 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
 
 			$this->set_header_image( compact( 'url', 'attachment_id', 'width', 'height' ) );
 
-			do_action('wp_create_file_in_uploads', $file, $attachment_id); // For replication
+			/**
+			 * Fires after the header image is set or an error is returned.
+			 *
+			 * @since 2.1.0
+			 *
+			 * @param string $file          Path to the file.
+			 * @param int    $attachment_id Attachment ID.
+			 */
+			do_action( 'wp_create_file_in_uploads', $file, $attachment_id ); // For replication
+
 			return $this->finished();
 		} elseif ( $width > $max_width ) {
 			$oitar = $width / $max_width;
@@ -695,7 +712,8 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
 			if ( ! $image || is_wp_error( $image ) )
 				wp_die( __( 'Image could not be processed. Please go back and try again.' ), __( 'Image Processing Error' ) );
 
-			$image = apply_filters('wp_create_file_in_uploads', $image, $attachment_id); // For replication
+			/** This filter is documented in wp-admin/custom-header.php */
+			$image = apply_filters( 'wp_create_file_in_uploads', $image, $attachment_id ); // For replication
 
 			$url = str_replace(basename($url), basename($image), $url);
 			$width = $width / $oitar;
@@ -836,7 +854,8 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
 		if ( ! $cropped || is_wp_error( $cropped ) )
 			wp_die( __( 'Image could not be processed. Please go back and try again.' ), __( 'Image Processing Error' ) );
 
-		$cropped = apply_filters('wp_create_file_in_uploads', $cropped, $attachment_id); // For replication
+		/** This filter is documented in wp-admin/custom-header.php */
+		$cropped = apply_filters( 'wp_create_file_in_uploads', $cropped, $attachment_id ); // For replication
 
 		$parent = get_post($attachment_id);
 		$parent_url = $parent->guid;
@@ -867,10 +886,21 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
 
 		// cleanup
 		$medium = str_replace( basename( $original ), 'midsize-' . basename( $original ), $original );
-		if ( file_exists( $medium ) )
+		if ( file_exists( $medium ) ) {
+			/**
+			 * Filter the path of the file to delete.
+			 *
+			 * @since 2.1.0
+			 *
+			 * @param string $medium Path to the file to delete.
+			 */
 			@unlink( apply_filters( 'wp_delete_file', $medium ) );
-		if ( empty( $_POST['create-new-attachment'] ) && empty( $_POST['skip-cropping'] ) )
+		}
+
+		if ( empty( $_POST['create-new-attachment'] ) && empty( $_POST['skip-cropping'] ) ) {
+			/** This filter is documented in wp-admin/custom-header.php */
 			@unlink( apply_filters( 'wp_delete_file', $original ) );
+		}
 
 		return $this->finished();
 	}
@@ -1001,6 +1031,7 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
 
 		$default = sprintf( $default, get_template_directory_uri(), get_stylesheet_directory_uri() );
 
+		$default_data = array();
 		foreach ( $this->default_headers as $header => $details ) {
 			if ( $details['url'] == $default ) {
 				$default_data = $details;

wp-admin/customize.php

@@ -9,15 +9,16 @@
 
 define( 'IFRAME_REQUEST', true );
 
-require_once( './admin.php' );
+require_once( dirname( __FILE__ ) . '/admin.php' );
 if ( ! current_user_can( 'edit_theme_options' ) )
 	wp_die( __( 'Cheatin’ uh?' ) );
 
 wp_reset_vars( array( 'url', 'return' ) );
 $url = urldecode( $url );
+$url = esc_url_raw( $url );
 $url = wp_validate_redirect( $url, home_url( '/' ) );
 if ( $return )
-	$return = wp_validate_redirect( urldecode( $return ) );
+	$return = wp_validate_redirect( esc_url_raw( urldecode( $return ) ) );
 if ( ! $return )
 	$return = $url;
 
@@ -31,11 +32,23 @@ add_action( 'customize_controls_print_scripts',        'print_head_scripts', 20
 add_action( 'customize_controls_print_footer_scripts', '_wp_footer_scripts'     );
 add_action( 'customize_controls_print_styles',         'print_admin_styles', 20 );
 
+/**
+ * Fires when Customizer controls are initialized, before scripts are enqueued.
+ *
+ * @since 3.4.0
+ */
 do_action( 'customize_controls_init' );
 
 wp_enqueue_script( 'customize-controls' );
 wp_enqueue_style( 'customize-controls' );
 
+wp_enqueue_script( 'accordion' );
+
+/**
+ * Enqueue Customizer control scripts.
+ *
+ * @since 3.4.0
+ */
 do_action( 'customize_controls_enqueue_scripts' );
 
 // Let's roll.
@@ -44,7 +57,7 @@ do_action( 'customize_controls_enqueue_scripts' );
 wp_user_settings();
 _wp_admin_html_begin();
 
-$body_class = 'wp-core-ui';
+$body_class = 'wp-core-ui js';
 
 if ( wp_is_mobile() ) :
 	$body_class .= ' mobile';
@@ -64,7 +77,18 @@ $body_class .= ' locale-' . sanitize_html_class( strtolower( str_replace( '_', '
 $admin_title = sprintf( __( '%1$s — WordPress' ), strip_tags( sprintf( __( 'Customize %s' ), $wp_customize->theme()->display('Name') ) ) );
 ?><title><?php echo $admin_title; ?></title><?php
 
+/**
+ * Print Customizer control styles.
+ *
+ * @since 3.4.0
+ */
 do_action( 'customize_controls_print_styles' );
+
+/**
+ * Print Customizer control scripts.
+ *
+ * @since 3.4.0
+ */
 do_action( 'customize_controls_print_scripts' );
 ?>
 </head>
@@ -88,16 +112,16 @@ do_action( 'customize_controls_print_scripts' );
 			$cannot_expand = ! ( $screenshot || $wp_customize->theme()->get('Description') );
 		?>
 
-		<div class="wp-full-overlay-sidebar-content" tabindex="-1">
-			<div id="customize-info" class="customize-section<?php if ( $cannot_expand ) echo ' cannot-expand'; ?>">
-				<div class="customize-section-title" aria-label="<?php esc_attr_e( 'Theme Customizer Options' ); ?>" tabindex="0">
+		<div class="wp-full-overlay-sidebar-content accordion-container" tabindex="-1">
+			<div id="customize-info" class="accordion-section <?php if ( $cannot_expand ) echo ' cannot-expand'; ?>">
+				<div class="accordion-section-title" aria-label="<?php esc_attr_e( 'Theme Customizer Options' ); ?>" tabindex="0">
 					<span class="preview-notice"><?php
 						/* translators: %s is the theme name in the Customize/Live Preview pane */
 						echo sprintf( __( 'You are previewing %s' ), '<strong class="theme-name">' . $wp_customize->theme()->display('Name') . '</strong>' );
 					?></span>
 				</div>
 				<?php if ( ! $cannot_expand ) : ?>
-				<div class="customize-section-content">
+				<div class="accordion-section-content">
 					<?php if ( $screenshot ) : ?>
 						<img class="theme-screenshot" src="<?php echo esc_url( $screenshot ); ?>" />
 					<?php endif; ?>
@@ -127,6 +151,11 @@ do_action( 'customize_controls_print_scripts' );
 	<div id="customize-preview" class="wp-full-overlay-main"></div>
 	<?php
 
+	/**
+	 * Print Customizer control scripts in the footer.
+	 *
+	 * @since 3.4.0
+	 */
 	do_action( 'customize_controls_print_footer_scripts' );
 
 	// If the frontend and the admin are served from the same domain, load the
@@ -144,6 +173,13 @@ do_action( 'customize_controls_print_scripts' );
 	if ( is_ssl() && ! $cross_domain )
 		$allowed_urls[] = home_url( '/', 'https' );
 
+	/**
+	 * Filter the list of URLs allowed to be clicked and followed in the Customizer preview.
+	 *
+	 * @since 3.4.0
+	 *
+	 * @param array $allowed_urls An array of allowed URLs.
+	 */
 	$allowed_urls = array_unique( apply_filters( 'customize_allowed_urls', $allowed_urls ) );
 
 	$fallback_url = add_query_arg( array(

wp-admin/edit-comments.php

@@ -7,7 +7,7 @@
  */
 
 /** WordPress Administration Bootstrap */
-require_once('./admin.php');
+require_once( dirname( __FILE__ ) . '/admin.php' );
 if ( !current_user_can('edit_posts') )
 	wp_die(__('Cheatin’ uh?'));
 
@@ -20,9 +20,9 @@ if ( $doaction ) {
 	check_admin_referer( 'bulk-comments' );
 
 	if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
-		$comment_status = $wpdb->escape( $_REQUEST['comment_status'] );
-		$delete_time = $wpdb->escape( $_REQUEST['pagegen_timestamp'] );
-		$comment_ids = $wpdb->get_col( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = '$comment_status' AND '$delete_time' > comment_date_gmt" );
+		$comment_status = wp_unslash( $_REQUEST['comment_status'] );
+		$delete_time = wp_unslash( $_REQUEST['pagegen_timestamp'] );
+		$comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
 		$doaction = 'delete';
 	} elseif ( isset( $_REQUEST['delete_comments'] ) ) {
 		$comment_ids = $_REQUEST['delete_comments'];
@@ -95,7 +95,7 @@ if ( $doaction ) {
 	wp_safe_redirect( $redirect_to );
 	exit;
 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
-	 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
+	 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
 	 exit;
 }
 
@@ -105,7 +105,7 @@ wp_enqueue_script('admin-comments');
 enqueue_comment_hotkeys_js();
 
 if ( $post_id )
-	$title = sprintf(__('Comments on “%s”'), wp_html_excerpt(_draft_or_post_title($post_id), 50));
+	$title = sprintf( __( 'Comments on “%s”' ), wp_html_excerpt( _draft_or_post_title( $post_id ), 50, '…' ) );
 else
 	$title = __('Comments');
 
@@ -136,24 +136,24 @@ get_current_screen()->set_help_sidebar(
 	'<p>' . __( '<a href="http://wordpress.org/support/" target="_blank">Support Forums</a>' ) . '</p>'
 );
 
-require_once('./admin-header.php');
+require_once( ABSPATH . 'wp-admin/admin-header.php' );
 ?>
 
 <div class="wrap">
 <?php screen_icon(); ?>
 <h2><?php
 if ( $post_id )
-	echo sprintf(__('Comments on &#8220;%s&#8221;'),
-		sprintf('<a href="%s">%s</a>',
-			get_edit_post_link($post_id),
-			wp_html_excerpt(_draft_or_post_title($post_id), 50)
+	echo sprintf( __( 'Comments on &#8220;%s&#8221;' ),
+		sprintf( '<a href="%s">%s</a>',
+			get_edit_post_link( $post_id ),
+			wp_html_excerpt( _draft_or_post_title( $post_id ), 50, '&hellip;' )
 		)
 	);
 else
 	echo __('Comments');
 
 if ( isset($_REQUEST['s']) && $_REQUEST['s'] )
-	printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>
+	echo '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50, '&hellip;' ) ) . '</span>'; ?>
 </h2>
 
 <?php
@@ -252,4 +252,4 @@ if ( isset($_REQUEST['approved']) || isset($_REQUEST['deleted']) || isset($_REQU
 <?php
 wp_comment_reply('-1', true, 'detail');
 wp_comment_trashnotice();
-include('./admin-footer.php'); ?>
+include( ABSPATH . 'wp-admin/admin-footer.php' ); ?>

wp-admin/edit-form-advanced.php

@@ -29,6 +29,12 @@ if ( post_type_supports($post_type, 'editor') || post_type_supports($post_type,
 	wp_enqueue_media( array( 'post' => $post_ID ) );
 }
 
+// Add the local autosave notice HTML
+add_action( 'admin_footer', '_local_storage_notice' );
+
+/*
+ * @todo Document the $messages array(s).
+ */
 $messages = array();
 $messages['post'] = array(
 	 0 => '', // Unused. Messages start at index 1.
@@ -61,6 +67,13 @@ $messages['page'] = array(
 );
 $messages['attachment'] = array_fill( 1, 10, __( 'Media attachment updated.' ) ); // Hack, for now.
 
+/**
+ * Filter the post updated messages.
+ *
+ * @since 3.0.0
+ *
+ * @param array $messages Post updated messages. For defaults @see $messages declarations above.
+ */
 $messages = apply_filters( 'post_updated_messages', $messages );
 
 $message = false;
@@ -95,13 +108,29 @@ if ( $autosave && mysql2date( 'U', $autosave->post_modified_gmt, false ) > mysql
 			break;
 		}
 	}
+	// If this autosave isn't different from the current post, begone.
+	if ( ! $notice )
+		wp_delete_post_revision( $autosave->ID );
 	unset($autosave_field, $_autosave_field);
 }
 
 $post_type_object = get_post_type_object($post_type);
 
 // All meta boxes should be defined and added before the first do_meta_boxes() call (or potentially during the do_meta_boxes action).
-require_once('./includes/meta-boxes.php');
+require_once( ABSPATH . 'wp-admin/includes/meta-boxes.php' );
+
+
+$publish_callback_args = null;
+if ( post_type_supports($post_type, 'revisions') && 'auto-draft' != $post->post_status ) {
+	$revisions = wp_get_post_revisions( $post_ID );
+
+	// We should aim to show the revisions metabox only when there are revisions.
+	if ( count( $revisions ) > 1 ) {
+		reset( $revisions ); // Reset pointer for key()
+		$publish_callback_args = array( 'revisions_count' => count( $revisions ), 'revision_id' => key( $revisions ) );
+		add_meta_box('revisionsdiv', __('Revisions'), 'post_revisions_meta_box', null, 'normal', 'core');
+	}
+}
 
 if ( 'attachment' == $post_type ) {
 	wp_enqueue_script( 'image-edit' );
@@ -109,7 +138,7 @@ if ( 'attachment' == $post_type ) {
 	add_meta_box( 'submitdiv', __('Save'), 'attachment_submit_meta_box', null, 'side', 'core' );
 	add_action( 'edit_form_after_title', 'edit_form_image_editor' );
 } else {
-	add_meta_box( 'submitdiv', __( 'Publish' ), 'post_submit_meta_box', null, 'side', 'core' );
+	add_meta_box( 'submitdiv', __( 'Publish' ), 'post_submit_meta_box', null, 'side', 'core', $publish_callback_args );
 }
 
 if ( current_theme_supports( 'post-formats' ) && post_type_supports( $post_type, 'post-formats' ) )
@@ -117,23 +146,32 @@ if ( current_theme_supports( 'post-formats' ) && post_type_supports( $post_type,
 
 // all taxonomies
 foreach ( get_object_taxonomies( $post ) as $tax_name ) {
-	$taxonomy = get_taxonomy($tax_name);
+	$taxonomy = get_taxonomy( $tax_name );
 	if ( ! $taxonomy->show_ui )
 		continue;
 
 	$label = $taxonomy->labels->name;
 
-	if ( !is_taxonomy_hierarchical($tax_name) )
-		add_meta_box('tagsdiv-' . $tax_name, $label, 'post_tags_meta_box', null, 'side', 'core', array( 'taxonomy' => $tax_name ));
+	if ( ! is_taxonomy_hierarchical( $tax_name ) )
+		$tax_meta_box_id = 'tagsdiv-' . $tax_name;
 	else
-		add_meta_box($tax_name . 'div', $label, 'post_categories_meta_box', null, 'side', 'core', array( 'taxonomy' => $tax_name ));
+		$tax_meta_box_id = $tax_name . 'div';
+
+	add_meta_box( $tax_meta_box_id, $label, $taxonomy->meta_box_cb, null, 'side', 'core', array( 'taxonomy' => $tax_name ) );
 }
 
 if ( post_type_supports($post_type, 'page-attributes') )
 	add_meta_box('pageparentdiv', 'page' == $post_type ? __('Page Attributes') : __('Attributes'), 'page_attributes_meta_box', null, 'side', 'core');
 
-if ( current_theme_supports( 'post-thumbnails', $post_type ) && post_type_supports( $post_type, 'thumbnail' ) )
-		add_meta_box('postimagediv', __('Featured Image'), 'post_thumbnail_meta_box', null, 'side', 'low');
+$audio_post_support = $video_post_support = false;
+$theme_support = current_theme_supports( 'post-thumbnails', $post_type ) && post_type_supports( $post_type, 'thumbnail' );
+if ( 'attachment' === $post_type && ! empty( $post->post_mime_type ) ) {
+	$audio_post_support = 0 === strpos( $post->post_mime_type, 'audio/' ) && current_theme_supports( 'post-thumbnails', 'attachment:audio' ) && post_type_supports( 'attachment:audio', 'thumbnail' );
+	$video_post_support = 0 === strpos( $post->post_mime_type, 'video/' ) && current_theme_supports( 'post-thumbnails', 'attachment:video' ) && post_type_supports( 'attachment:video', 'thumbnail' );
+}
+
+if ( $theme_support || $audio_post_support || $video_post_support )
+	add_meta_box('postimagediv', __('Featured Image'), 'post_thumbnail_meta_box', null, 'side', 'low');
 
 if ( post_type_supports($post_type, 'excerpt') )
 	add_meta_box('postexcerpt', __('Excerpt'), 'post_excerpt_meta_box', null, 'normal', 'core');
@@ -144,7 +182,16 @@ if ( post_type_supports($post_type, 'trackbacks') )
 if ( post_type_supports($post_type, 'custom-fields') )
 	add_meta_box('postcustom', __('Custom Fields'), 'post_custom_meta_box', null, 'normal', 'core');
 
-do_action('dbx_post_advanced');
+/**
+ * Fires in the middle of built-in meta box registration.
+ *
+ * @since 2.1.0
+ * @deprecated 3.7.0 Use 'add_meta_boxes' instead.
+ *
+ * @param WP_Post $post Post object.
+ */
+do_action( 'dbx_post_advanced', $post );
+
 if ( post_type_supports($post_type, 'comments') )
 	add_meta_box('commentstatusdiv', __('Discussion'), 'post_comment_status_meta_box', null, 'normal', 'core');
 
@@ -159,15 +206,43 @@ if ( post_type_supports($post_type, 'author') ) {
 		add_meta_box('authordiv', __('Author'), 'post_author_meta_box', null, 'normal', 'core');
 }
 
-if ( post_type_supports($post_type, 'revisions') && 0 < $post_ID && wp_get_post_revisions( $post_ID ) )
-	add_meta_box('revisionsdiv', __('Revisions'), 'post_revisions_meta_box', null, 'normal', 'core');
+/**
+ * Fires after all built-in meta boxes have been added.
+ *
+ * @since 3.0.0
+ *
+ * @param string  $post_type Post type.
+ * @param WP_Post $post      Post object.
+ */
+do_action( 'add_meta_boxes', $post_type, $post );
 
-do_action('add_meta_boxes', $post_type, $post);
-do_action('add_meta_boxes_' . $post_type, $post);
+/**
+ * Fires after all built-in meta boxes have been added, contextually for the given post type.
+ *
+ * The dynamic portion of the hook, $post_type, refers to the post type of the post.
+ *
+ * @since 3.0.0
+ *
+ * @param WP_Post $post Post object.
+ */
+do_action( 'add_meta_boxes_' . $post_type, $post );
 
-do_action('do_meta_boxes', $post_type, 'normal', $post);
-do_action('do_meta_boxes', $post_type, 'advanced', $post);
-do_action('do_meta_boxes', $post_type, 'side', $post);
+/**
+ * Fires after meta boxes have been added.
+ *
+ * Fires once for each of the default meta box contexts: normal, advanced, and side.
+ *
+ * @since 3.0.0
+ *
+ * @param string  $post_type Post type of the post.
+ * @param string  $context   string  Meta box context.
+ * @param WP_Post $post      Post object.
+ */
+do_action( 'do_meta_boxes', $post_type, 'normal', $post );
+/** This action is documented in wp-admin/edit-form-advanced.php */
+do_action( 'do_meta_boxes', $post_type, 'advanced', $post );
+/** This action is documented in wp-admin/edit-form-advanced.php */
+do_action( 'do_meta_boxes', $post_type, 'side', $post );
 
 add_screen_option('layout_columns', array('max' => 2, 'default' => 2) );
 
@@ -280,7 +355,7 @@ if ( 'post' == $post_type ) {
 	) );
 }
 
-require_once('./admin-header.php');
+require_once( ABSPATH . 'wp-admin/admin-header.php' );
 ?>
 
 <div class="wrap">
@@ -288,15 +363,29 @@ require_once('./admin-header.php');
 <h2><?php
 echo esc_html( $title );
 if ( isset( $post_new_file ) && current_user_can( $post_type_object->cap->create_posts ) )
-	echo ' <a href="' . esc_url( $post_new_file ) . '" class="add-new-h2">' . esc_html( $post_type_object->labels->add_new ) . '</a>';
+	echo ' <a href="' . esc_url( admin_url( $post_new_file ) ) . '" class="add-new-h2">' . esc_html( $post_type_object->labels->add_new ) . '</a>';
 ?></h2>
 <?php if ( $notice ) : ?>
-<div id="notice" class="error"><p><?php echo $notice ?></p></div>
+<div id="notice" class="error"><p id="has-newer-autosave"><?php echo $notice ?></p></div>
 <?php endif; ?>
 <?php if ( $message ) : ?>
 <div id="message" class="updated"><p><?php echo $message; ?></p></div>
 <?php endif; ?>
-<form name="post" action="post.php" method="post" id="post"<?php do_action('post_edit_form_tag'); ?>>
+<div id="lost-connection-notice" class="error hidden">
+	<p><span class="spinner"></span> <?php _e( '<strong>Connection lost.</strong> Saving has been disabled until you&#8217;re reconnected.' ); ?>
+	<span class="hide-if-no-sessionstorage"><?php _e( 'We&#8217;re backing up this post in your browser, just in case.' ); ?></span>
+	</p>
+</div>
+<?php
+/**
+ * Fires inside the post editor <form> tag.
+ *
+ * @since 3.0.0
+ *
+ * @param WP_Post $post Post object.
+ */
+?>
+<form name="post" action="post.php" method="post" id="post"<?php do_action( 'post_edit_form_tag', $post ); ?>>
 <?php wp_nonce_field($nonce_action); ?>
 <input type="hidden" id="user-id" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" id="hiddenaction" name="action" value="<?php echo esc_attr( $form_action ) ?>" />
@@ -304,7 +393,7 @@ if ( isset( $post_new_file ) && current_user_can( $post_type_object->cap->create
 <input type="hidden" id="post_author" name="post_author" value="<?php echo esc_attr( $post->post_author ); ?>" />
 <input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr( $post_type ) ?>" />
 <input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr( $post->post_status) ?>" />
-<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
+<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url(wp_get_referer()); ?>" />
 <?php if ( ! empty( $active_post_lock ) ) { ?>
 <input type="hidden" id="active_post_lock" value="<?php echo esc_attr( implode( ':', $active_post_lock ) ); ?>" />
 <?php
@@ -319,13 +408,35 @@ wp_nonce_field( 'meta-box-order', 'meta-box-order-nonce', false );
 wp_nonce_field( 'closedpostboxes', 'closedpostboxesnonce', false );
 ?>
 
-<div id="poststuff">
+<?php
+/**
+ * Fires at the beginning of the edit form.
+ *
+ * At this point, the required hidden fields and nonces have already been output.
+ *
+ * @since 3.7.0
+ *
+ * @param WP_Post $post Post object.
+ */
+do_action( 'edit_form_top', $post ); ?>
 
+<div id="poststuff">
 <div id="post-body" class="metabox-holder columns-<?php echo 1 == get_current_screen()->get_columns() ? '1' : '2'; ?>">
 <div id="post-body-content">
+
 <?php if ( post_type_supports($post_type, 'title') ) { ?>
 <div id="titlediv">
 <div id="titlewrap">
+	<?php
+	/**
+	 * Filter the title field placeholder text.
+	 *
+	 * @since 3.1.0
+	 *
+	 * @param string  $text Placeholder text. Default 'Enter title here'.
+	 * @param WP_Post $post Post object.
+	 */
+	?>
 	<label class="screen-reader-text" id="title-prompt-text" for="title"><?php echo apply_filters( 'enter_title_here', __( 'Enter title here' ), $post ); ?></label>
 	<input type="text" name="post_title" size="30" value="<?php echo esc_attr( htmlspecialchars( $post->post_title ) ); ?>" id="title" autocomplete="off" />
 </div>
@@ -333,13 +444,16 @@ wp_nonce_field( 'closedpostboxes', 'closedpostboxesnonce', false );
 <?php
 $sample_permalink_html = $post_type_object->public ? get_sample_permalink_html($post->ID) : '';
 $shortlink = wp_get_shortlink($post->ID, 'post');
-if ( !empty($shortlink) )
+$permalink = get_permalink( $post->ID );
+if ( !empty( $shortlink ) && $shortlink !== $permalink && $permalink !== home_url('?page_id=' . $post->ID) )
     $sample_permalink_html .= '<input id="shortlink" type="hidden" value="' . esc_attr($shortlink) . '" /><a href="#" class="button button-small" onclick="prompt(&#39;URL:&#39;, jQuery(\'#shortlink\').val()); return false;">' . __('Get Shortlink') . '</a>';
 
-if ( $post_type_object->public && ! ( 'pending' == get_post_status( $post ) && !current_user_can( $post_type_object->cap->publish_posts ) ) ) { ?>
+if ( $post_type_object->public && ! ( 'pending' == get_post_status( $post ) && !current_user_can( $post_type_object->cap->publish_posts ) ) ) {
+	$has_sample_permalink = $sample_permalink_html && 'auto-draft' != $post->post_status;
+?>
 	<div id="edit-slug-box" class="hide-if-no-js">
 	<?php
-		if ( $sample_permalink_html && 'auto-draft' != $post->post_status )
+		if ( $has_sample_permalink )
 			echo $sample_permalink_html;
 	?>
 	</div>
@@ -353,15 +467,24 @@ wp_nonce_field( 'samplepermalink', 'samplepermalinknonce', false );
 </div><!-- /titlediv -->
 <?php
 }
-
-do_action( 'edit_form_after_title' );
+/**
+ * Fires after the title field.
+ *
+ * @since 3.5.0
+ *
+ * @param WP_Post $post Post object.
+ */
+do_action( 'edit_form_after_title', $post );
 
 if ( post_type_supports($post_type, 'editor') ) {
 ?>
-<div id="postdivrich" class="postarea">
-
-<?php wp_editor($post->post_content, 'content', array('dfw' => true, 'tabfocus_elements' => 'sample-permalink,post-preview', 'editor_height' => 360) ); ?>
+<div id="postdivrich" class="postarea edit-form-section">
 
+<?php wp_editor( $post->post_content, 'content', array(
+	'dfw' => true,
+	'tabfocus_elements' => 'insert-media-button,save-post',
+	'editor_height' => 360,
+) ); ?>
 <table id="post-status-info" cellspacing="0"><tbody><tr>
 	<td id="wp-word-count"><?php printf( __( 'Word count: %s' ), '<span class="word-count">0</span>' ); ?></td>
 	<td class="autosave-info">
@@ -369,8 +492,7 @@ if ( post_type_supports($post_type, 'editor') ) {
 <?php
 	if ( 'auto-draft' != $post->post_status ) {
 		echo '<span id="last-edit">';
-		if ( $last_id = get_post_meta($post_ID, '_edit_last', true) ) {
-			$last_user = get_userdata($last_id);
+		if ( $last_user = get_userdata( get_post_meta( $post_ID, '_edit_last', true ) ) ) {
 			printf(__('Last edited by %1$s on %2$s at %3$s'), esc_html( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));
 		} else {
 			printf(__('Last edited on %1$s at %2$s'), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));
@@ -381,18 +503,46 @@ if ( post_type_supports($post_type, 'editor') ) {
 </tr></tbody></table>
 
 </div>
-<?php } ?>
-
-<?php do_action( 'edit_form_after_editor' ); ?>
+<?php }
+/**
+ * Fires after the content editor.
+ *
+ * @since 3.5.0
+ *
+ * @param WP_Post $post Post object.
+ */
+do_action( 'edit_form_after_editor', $post );
+?>
 </div><!-- /post-body-content -->
 
 <div id="postbox-container-1" class="postbox-container">
 <?php
 
-if ( 'page' == $post_type )
-	do_action('submitpage_box');
-else
-	do_action('submitpost_box');
+if ( 'page' == $post_type ) {
+	/**
+	 * Fires before meta boxes with 'side' context are output for the 'page' post type.
+	 *
+	 * The submitpage box is a meta box with 'side' context, so this hook fires just before it is output.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param WP_Post $post Post object.
+	 */
+	do_action( 'submitpage_box', $post );
+}
+else {
+	/**
+	 * Fires before meta boxes with 'side' context are output for all post types other than 'page'.
+	 *
+	 * The submitpost box is a meta box with 'side' context, so this hook fires just before it is output.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param WP_Post $post Post object.
+	 */
+	do_action( 'submitpost_box', $post );
+}
+
 
 do_meta_boxes($post_type, 'side', $post);
 
@@ -403,18 +553,41 @@ do_meta_boxes($post_type, 'side', $post);
 
 do_meta_boxes(null, 'normal', $post);
 
-if ( 'page' == $post_type )
-	do_action('edit_page_form');
-else
-	do_action('edit_form_advanced');
+if ( 'page' == $post_type ) {
+	/**
+	 * Fires after 'normal' context meta boxes have been output for the 'page' post type.
+	 *
+	 * @since 1.5.2
+	 *
+	 * @param WP_Post $post Post object.
+	 */
+	do_action( 'edit_page_form', $post );
+}
+else {
+	/**
+	 * Fires after 'normal' context meta boxes have been output for all post types other than 'page'.
+	 *
+	 * @since 1.5.2
+	 *
+	 * @param WP_Post $post Post object.
+	 */
+	do_action( 'edit_form_advanced', $post );
+}
+
 
 do_meta_boxes(null, 'advanced', $post);
 
 ?>
 </div>
 <?php
-
-do_action('dbx_post_sidebar');
+/**
+ * Fires after all meta box sections have been output, before the closing #post-body div.
+ *
+ * @since 2.1.0
+ *
+ * @param WP_Post $post Post object.
+ */
+do_action( 'dbx_post_sidebar', $post );
 
 ?>
 </div><!-- /post-body -->
@@ -428,7 +601,7 @@ if ( post_type_supports( $post_type, 'comments' ) )
 	wp_comment_reply();
 ?>
 
-<?php if ( (isset($post->post_title) && '' == $post->post_title) || (isset($_GET['message']) && 2 > $_GET['message']) ) : ?>
+<?php if ( post_type_supports( $post_type, 'title' ) && '' === $post->post_title ) : ?>
 <script type="text/javascript">
 try{document.post.title.focus();}catch(e){}
 </script>

wp-admin/edit-form-comment.php

@@ -23,7 +23,7 @@ if ( !defined('ABSPATH') )
 <input type="hidden" name="comment_post_ID" value="<?php echo esc_attr( $comment->comment_post_ID ); ?>" />
 
 <div id="post-body" class="metabox-holder columns-2">
-<div id="post-body-content">
+<div id="post-body-content" class="edit-form-section">
 <div id="namediv" class="stuffbox">
 <h3><label for="name"><?php _e( 'Author' ) ?></label></h3>
 <div class="inside">
@@ -63,7 +63,7 @@ if ( !defined('ABSPATH') )
 
 <div id="postdiv" class="postarea">
 <?php
-	$quicktags_settings = array( 'buttons' => 'strong,em,link,block,del,ins,img,ul,ol,li,code,spell,close' );
+	$quicktags_settings = array( 'buttons' => 'strong,em,link,block,del,ins,img,ul,ol,li,code,close' );
 	wp_editor( $comment->comment_content, 'content', array( 'media_buttons' => false, 'tinymce' => false, 'quicktags' => $quicktags_settings ) );
 	wp_nonce_field( 'closedpostboxes', 'closedpostboxesnonce', false ); ?>
 </div>
@@ -85,13 +85,19 @@ if ( !defined('ABSPATH') )
 
 <div id="misc-publishing-actions">
 
-<div class="misc-pub-section" id="comment-status-radio">
+<div class="misc-pub-section misc-pub-comment-status" id="comment-status-radio">
 <label class="approved"><input type="radio"<?php checked( $comment->comment_approved, '1' ); ?> name="comment_status" value="1" /><?php /* translators: comment type radio button */ _ex('Approved', 'adjective') ?></label><br />
 <label class="waiting"><input type="radio"<?php checked( $comment->comment_approved, '0' ); ?> name="comment_status" value="0" /><?php /* translators: comment type radio button */ _ex('Pending', 'adjective') ?></label><br />
 <label class="spam"><input type="radio"<?php checked( $comment->comment_approved, 'spam' ); ?> name="comment_status" value="spam" /><?php /* translators: comment type radio button */ _ex('Spam', 'adjective'); ?></label>
 </div>
 
-<div class="misc-pub-section curtime">
+<?php if ( $ip = get_comment_author_IP() ) : ?>
+<div class="misc-pub-section misc-pub-comment-author-ip">
+	<?php _e( 'IP address:' ); ?> <strong><a href="<?php echo esc_url( sprintf( 'http://whois.arin.net/rest/ip/%s', $ip ) ); ?>"><?php echo esc_html( $ip ); ?></a></strong>
+</div>
+<?php endif; ?>
+
+<div class="misc-pub-section curtime misc-pub-curtime">
 <?php
 // translators: Publish box date format, see http://php.net/date
 $datef = __( 'M j, Y @ G:i' );
@@ -132,7 +138,7 @@ do_meta_boxes(null, 'normal', $comment);
 
 <input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID) ?>" />
 <input type="hidden" name="p" value="<?php echo esc_attr($comment->comment_post_ID) ?>" />
-<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
+<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url( wp_get_referer() ); ?>" />
 <?php wp_original_referer_field(true, 'previous'); ?>
 <input type="hidden" name="noredir" value="1" />
 

wp-admin/edit-link-form.php

@@ -22,7 +22,7 @@ if ( ! empty($link_id) ) {
 	$nonce_action = 'add-bookmark';
 }
 
-require_once('./includes/meta-boxes.php');
+require_once( ABSPATH . 'wp-admin/includes/meta-boxes.php' );
 
 add_meta_box('linksubmitdiv', __('Save'), 'link_submit_meta_box', null, 'side', 'core');
 add_meta_box('linkcategorydiv', __('Categories'), 'link_categories_meta_box', null, 'normal', 'core');
@@ -33,8 +33,11 @@ add_meta_box('linkadvanceddiv', __('Advanced'), 'link_advanced_meta_box', null,
 do_action('add_meta_boxes', 'link', $link);
 do_action('add_meta_boxes_link', $link);
 
+/** This action is documented in wp-admin/edit-form-advanced.php */
 do_action('do_meta_boxes', 'link', 'normal', $link);
+/** This action is documented in wp-admin/edit-form-advanced.php */
 do_action('do_meta_boxes', 'link', 'advanced', $link);
+/** This action is documented in wp-admin/edit-form-advanced.php */
 do_action('do_meta_boxes', 'link', 'side', $link);
 
 add_screen_option('layout_columns', array('max' => 2, 'default' => 2) );
@@ -54,7 +57,7 @@ get_current_screen()->set_help_sidebar(
 	'<p>' . __( '<a href="http://wordpress.org/support/" target="_blank">Support Forums</a>' ) . '</p>'
 );
 
-require_once ('admin-header.php');
+require_once( ABSPATH . 'wp-admin/admin-header.php' );
 ?>
 
 <div class="wrap">
@@ -82,7 +85,7 @@ wp_nonce_field( 'meta-box-order', 'meta-box-order-nonce', false ); ?>
 <div id="namediv" class="stuffbox">
 <h3><label for="link_name"><?php _ex('Name', 'link name') ?></label></h3>
 <div class="inside">
-	<input type="text" name="link_name" size="30" value="<?php echo esc_attr($link->link_name); ?>" id="link_name" />
+	<input type="text" name="link_name" size="30" maxlength="255" value="<?php echo esc_attr($link->link_name); ?>" id="link_name" />
     <p><?php _e('Example: Nifty blogging software'); ?></p>
 </div>
 </div>
@@ -90,7 +93,7 @@ wp_nonce_field( 'meta-box-order', 'meta-box-order-nonce', false ); ?>
 <div id="addressdiv" class="stuffbox">
 <h3><label for="link_url"><?php _e('Web Address') ?></label></h3>
 <div class="inside">
-	<input type="text" name="link_url" size="30" class="code" value="<?php echo esc_attr($link->link_url); ?>" id="link_url" />
+	<input type="text" name="link_url" size="30" maxlength="255" class="code" value="<?php echo esc_attr($link->link_url); ?>" id="link_url" />
     <p><?php _e('Example: <code>http://wordpress.org/</code> &#8212; don&#8217;t forget the <code>http://</code>'); ?></p>
 </div>
 </div>
@@ -98,7 +101,7 @@ wp_nonce_field( 'meta-box-order', 'meta-box-order-nonce', false ); ?>
 <div id="descriptiondiv" class="stuffbox">
 <h3><label for="link_description"><?php _e('Description') ?></label></h3>
 <div class="inside">
-	<input type="text" name="link_description" size="30" value="<?php echo isset($link->link_description) ? esc_attr($link->link_description) : ''; ?>" id="link_description" />
+	<input type="text" name="link_description" size="30" maxlength="255" value="<?php echo isset($link->link_description) ? esc_attr($link->link_description) : ''; ?>" id="link_description" />
     <p><?php _e('This will be shown when someone hovers over the link in the blogroll, or optionally below the link.'); ?></p>
 </div>
 </div>
@@ -126,7 +129,6 @@ do_meta_boxes(null, 'advanced', $link);
 if ( $link_id ) : ?>
 <input type="hidden" name="action" value="save" />
 <input type="hidden" name="link_id" value="<?php echo (int) $link_id; ?>" />
-<input type="hidden" name="order_by" value="<?php echo esc_attr($order_by); ?>" />
 <input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
 <?php else: ?>
 <input type="hidden" name="action" value="add" />

wp-admin/edit-tag-form.php

@@ -30,7 +30,7 @@ do_action($taxonomy . '_pre_edit_form', $tag, $taxonomy); ?>
 <?php screen_icon(); ?>
 <h2><?php echo $tax->labels->edit_item; ?></h2>
 <div id="ajax-response"></div>
-<form name="edittag" id="edittag" method="post" action="edit-tags.php" class="validate">
+<form name="edittag" id="edittag" method="post" action="edit-tags.php" class="validate"<?php do_action( $taxonomy . '_term_edit_form_tag' ); ?>>
 <input type="hidden" name="action" value="editedtag" />
 <input type="hidden" name="tag_ID" value="<?php echo esc_attr($tag->term_id) ?>" />
 <input type="hidden" name="taxonomy" value="<?php echo esc_attr($taxonomy) ?>" />

wp-admin/edit-tags.php

@@ -7,7 +7,7 @@
  */
 
 /** WordPress Administration Bootstrap */
-require_once('./admin.php');
+require_once( dirname( __FILE__ ) . '/admin.php' );
 
 if ( ! $taxnow )
 	wp_die( __( 'Invalid taxonomy' ) );
@@ -126,8 +126,8 @@ case 'edit':
 	$tag = get_term( $tag_ID, $taxonomy, OBJECT, 'edit' );
 	if ( ! $tag )
 		wp_die( __( 'You attempted to edit an item that doesn’t exist. Perhaps it was deleted?' ) );
-	require_once ( 'admin-header.php' );
-	include( './edit-tag-form.php' );
+	require_once( ABSPATH . 'wp-admin/admin-header.php' );
+	include( ABSPATH . 'wp-admin/edit-tag-form.php' );
 
 break;
 
@@ -164,7 +164,7 @@ break;
 
 default:
 if ( ! empty($_REQUEST['_wp_http_referer']) ) {
-	$location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) );
+	$location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) );
 
 	if ( ! empty( $_REQUEST['paged'] ) )
 		$location = add_query_arg( 'paged', (int) $_REQUEST['paged'] );
@@ -247,17 +247,49 @@ if ( 'category' == $taxonomy || 'link_category' == $taxonomy || 'post_tag' == $t
 	unset( $help );
 }
 
-require_once ('admin-header.php');
+require_once( ABSPATH . 'wp-admin/admin-header.php' );
 
 if ( !current_user_can($tax->cap->edit_terms) )
 	wp_die( __('You are not allowed to edit this item.') );
 
-$messages[1] = __('Item added.');
-$messages[2] = __('Item deleted.');
-$messages[3] = __('Item updated.');
-$messages[4] = __('Item not added.');
-$messages[5] = __('Item not updated.');
-$messages[6] = __('Items deleted.');
+$messages = array();
+$messages['_item'] = array(
+	0 => '', // Unused. Messages start at index 1.
+	1 => __( 'Item added.' ),
+	2 => __( 'Item deleted.' ),
+	3 => __( 'Item updated.' ),
+	4 => __( 'Item not added.' ),
+	5 => __( 'Item not updated.' ),
+	6 => __( 'Items deleted.' )
+);
+$messages['category'] = array(
+	0 => '', // Unused. Messages start at index 1.
+	1 => __( 'Category added.' ),
+	2 => __( 'Category deleted.' ),
+	3 => __( 'Category updated.' ),
+	4 => __( 'Category not added.' ),
+	5 => __( 'Category not updated.' ),
+	6 => __( 'Categories deleted.' )
+);
+$messages['post_tag'] = array(
+	0 => '', // Unused. Messages start at index 1.
+	1 => __( 'Tag added.' ),
+	2 => __( 'Tag deleted.' ),
+	3 => __( 'Tag updated.' ),
+	4 => __( 'Tag not added.' ),
+	5 => __( 'Tag not updated.' ),
+	6 => __( 'Tags deleted.' )
+);
+
+$messages = apply_filters( 'term_updated_messages', $messages );
+
+$message = false;
+if ( isset( $_REQUEST['message'] ) && ( $msg = (int) $_REQUEST['message'] ) ) {
+	if ( isset( $messages[ $taxonomy ][ $msg ] ) )
+		$message = $messages[ $taxonomy ][ $msg ];
+	elseif ( ! isset( $messages[ $taxonomy ] ) && isset( $messages['_item'][ $msg ] ) )
+		$message = $messages['_item'][ $msg ];
+}
 
 ?>
 
@@ -265,11 +297,11 @@ $messages[6] = __('Items deleted.');
 <?php screen_icon(); ?>
 <h2><?php echo esc_html( $title );
 if ( !empty($_REQUEST['s']) )
-	printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?>
+	printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( wp_unslash($_REQUEST['s']) ) ); ?>
 </h2>
 
-<?php if ( isset($_REQUEST['message']) && ( $msg = (int) $_REQUEST['message'] ) ) : ?>
-<div id="message" class="updated"><p><?php echo $messages[$msg]; ?></p></div>
+<?php if ( $message ) : ?>
+<div id="message" class="updated"><p><?php echo $message; ?></p></div>
 <?php $_SERVER['REQUEST_URI'] = remove_query_arg(array('message'), $_SERVER['REQUEST_URI']);
 endif; ?>
 <div id="ajax-response"></div>
@@ -349,7 +381,7 @@ if ( current_user_can($tax->cap->edit_terms) ) {
 
 <div class="form-wrap">
 <h3><?php echo $tax->labels->add_new_item; ?></h3>
-<form id="addtag" method="post" action="edit-tags.php" class="validate">
+<form id="addtag" method="post" action="edit-tags.php" class="validate"<?php do_action( $taxonomy . '_term_new_form_tag' ); ?>>
 <input type="hidden" name="action" value="add-tag" />
 <input type="hidden" name="screen" value="<?php echo esc_attr($current_screen->id); ?>" />
 <input type="hidden" name="taxonomy" value="<?php echo esc_attr($taxonomy); ?>" />
@@ -371,7 +403,20 @@ if ( current_user_can($tax->cap->edit_terms) ) {
 <?php if ( is_taxonomy_hierarchical($taxonomy) ) : ?>
 <div class="form-field">
 	<label for="parent"><?php _ex('Parent', 'Taxonomy Parent'); ?></label>
-	<?php wp_dropdown_categories(array('hide_empty' => 0, 'hide_if_empty' => false, 'taxonomy' => $taxonomy, 'name' => 'parent', 'orderby' => 'name', 'hierarchical' => true, 'show_option_none' => __('None'))); ?>
+	<?php
+	$dropdown_args = array(
+		'hide_empty'       => 0,
+		'hide_if_empty'    => false,
+		'taxonomy'         => $taxonomy,
+		'name'             => 'parent',
+		'orderby'          => 'name',
+		'hierarchical'     => true,
+		'show_option_none' => __( 'None' ),
+	);
+
+	$dropdown_args = apply_filters( 'taxonomy_parent_dropdown_args', $dropdown_args, $taxonomy );
+	wp_dropdown_categories( $dropdown_args );
+	?>
 	<?php if ( 'category' == $taxonomy ) : // @todo: Generic text for hierarchical taxonomies ?>
 		<p><?php _e('Categories, unlike tags, can have a hierarchy. You might have a Jazz category, and under that have children categories for Bebop and Big Band. Totally optional.'); ?></p>
 	<?php endif; ?>
@@ -417,4 +462,4 @@ try{document.forms.addtag['tag-name'].focus();}catch(e){}
 break;
 }
 
-include('./admin-footer.php');
+include( ABSPATH . 'wp-admin/admin-footer.php' );

wp-admin/edit.php

@@ -7,7 +7,7 @@
  */
 
 /** WordPress Administration Bootstrap */
-require_once( './admin.php' );
+require_once( dirname( __FILE__ ) . '/admin.php' );
 
 if ( ! $typenow )
 	wp_die( __( 'Invalid post type' ) );
@@ -48,7 +48,7 @@ $doaction = $wp_list_table->current_action();
 if ( $doaction ) {
 	check_admin_referer('bulk-posts');
 
-	$sendback = remove_query_arg( array('trashed', 'untrashed', 'deleted', 'ids'), wp_get_referer() );
+	$sendback = remove_query_arg( array('trashed', 'untrashed', 'deleted', 'locked', 'ids'), wp_get_referer() );
 	if ( ! $sendback )
 		$sendback = admin_url( $parent_file );
 	$sendback = add_query_arg( 'paged', $pagenum, $sendback );
@@ -75,22 +75,29 @@ if ( $doaction ) {
 
 	switch ( $doaction ) {
 		case 'trash':
-			$trashed = 0;
+			$trashed = $locked = 0;
+
 			foreach( (array) $post_ids as $post_id ) {
-				if ( !current_user_can($post_type_object->cap->delete_post, $post_id) )
+				if ( !current_user_can( 'delete_post', $post_id) )
 					wp_die( __('You are not allowed to move this item to the Trash.') );
 
+				if ( wp_check_post_lock( $post_id ) ) {
+					$locked++;
+					continue;
+				}
+
 				if ( !wp_trash_post($post_id) )
 					wp_die( __('Error in moving to Trash.') );
 
 				$trashed++;
 			}
-			$sendback = add_query_arg( array('trashed' => $trashed, 'ids' => join(',', $post_ids) ), $sendback );
+
+			$sendback = add_query_arg( array('trashed' => $trashed, 'ids' => join(',', $post_ids), 'locked' => $locked ), $sendback );
 			break;
 		case 'untrash':
 			$untrashed = 0;
 			foreach( (array) $post_ids as $post_id ) {
-				if ( !current_user_can($post_type_object->cap->delete_post, $post_id) )
+				if ( !current_user_can( 'delete_post', $post_id) )
 					wp_die( __('You are not allowed to restore this item from the Trash.') );
 
 				if ( !wp_untrash_post($post_id) )
@@ -105,15 +112,15 @@ if ( $doaction ) {
 			foreach( (array) $post_ids as $post_id ) {
 				$post_del = get_post($post_id);
 
-				if ( !current_user_can($post_type_object->cap->delete_post, $post_id) )
+				if ( !current_user_can( 'delete_post', $post_id ) )
 					wp_die( __('You are not allowed to delete this item.') );
 
 				if ( $post_del->post_type == 'attachment' ) {
 					if ( ! wp_delete_attachment($post_id) )
-						wp_die( __('Error in deleting...') );
+						wp_die( __('Error in deleting.') );
 				} else {
 					if ( !wp_delete_post($post_id) )
-						wp_die( __('Error in deleting...') );
+						wp_die( __('Error in deleting.') );
 				}
 				$deleted++;
 			}
@@ -138,7 +145,7 @@ if ( $doaction ) {
 	wp_redirect($sendback);
 	exit();
 } elseif ( ! empty($_REQUEST['_wp_http_referer']) ) {
-	 wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ) );
+	 wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) ) );
 	 exit;
 }
 
@@ -217,52 +224,77 @@ if ( 'post' == $post_type ) {
 
 add_screen_option( 'per_page', array( 'label' => $title, 'default' => 20, 'option' => 'edit_' . $post_type . '_per_page' ) );
 
-require_once('./admin-header.php');
+$bulk_counts = array(
+	'updated'   => isset( $_REQUEST['updated'] )   ? absint( $_REQUEST['updated'] )   : 0,
+	'locked'    => isset( $_REQUEST['locked'] )    ? absint( $_REQUEST['locked'] )    : 0,
+	'deleted'   => isset( $_REQUEST['deleted'] )   ? absint( $_REQUEST['deleted'] )   : 0,
+	'trashed'   => isset( $_REQUEST['trashed'] )   ? absint( $_REQUEST['trashed'] )   : 0,
+	'untrashed' => isset( $_REQUEST['untrashed'] ) ? absint( $_REQUEST['untrashed'] ) : 0,
+);
+
+$bulk_messages = array();
+$bulk_messages['post'] = array(
+	'updated'   => _n( '%s post updated.', '%s posts updated.', $bulk_counts['updated'] ),
+	'locked'    => _n( '%s post not updated, somebody is editing it.', '%s posts not updated, somebody is editing them.', $bulk_counts['locked'] ),
+	'deleted'   => _n( '%s post permanently deleted.', '%s posts permanently deleted.', $bulk_counts['deleted'] ),
+	'trashed'   => _n( '%s post moved to the Trash.', '%s posts moved to the Trash.', $bulk_counts['trashed'] ),
+	'untrashed' => _n( '%s post restored from the Trash.', '%s posts restored from the Trash.', $bulk_counts['untrashed'] ),
+);
+$bulk_messages['page'] = array(
+	'updated'   => _n( '%s page updated.', '%s pages updated.', $bulk_counts['updated'] ),
+	'locked'    => _n( '%s page not updated, somebody is editing it.', '%s pages not updated, somebody is editing them.', $bulk_counts['locked'] ),
+	'deleted'   => _n( '%s page permanently deleted.', '%s pages permanently deleted.', $bulk_counts['deleted'] ),
+	'trashed'   => _n( '%s page moved to the Trash.', '%s pages moved to the Trash.', $bulk_counts['trashed'] ),
+	'untrashed' => _n( '%s page restored from the Trash.', '%s pages restored from the Trash.', $bulk_counts['untrashed'] ),
+);
+
+/**
+ * Filter the bulk action updated messages.
+ *
+ * By default, custom post types use the messages for the 'post' post type.
+ *
+ * @since 3.7.0
+ *
+ * @param array $bulk_messages Arrays of messages, each keyed by the corresponding post type. Messages are
+ *                             keyed with 'updated', 'locked', 'deleted', 'trashed', and 'untrashed'.
+ * @param array $bulk_counts   Array of item counts for each message, used to build internationalized strings.
+ */
+$bulk_messages = apply_filters( 'bulk_post_updated_messages', $bulk_messages, $bulk_counts );
+$bulk_counts = array_filter( $bulk_counts );
+
+require_once( ABSPATH . 'wp-admin/admin-header.php' );
 ?>
 <div class="wrap">
 <?php screen_icon(); ?>
 <h2><?php
 echo esc_html( $post_type_object->labels->name );
 if ( current_user_can( $post_type_object->cap->create_posts ) )
-	echo ' <a href="' . esc_url( $post_new_file ) . '" class="add-new-h2">' . esc_html( $post_type_object->labels->add_new ) . '</a>';
+	echo ' <a href="' . esc_url( admin_url( $post_new_file ) ) . '" class="add-new-h2">' . esc_html( $post_type_object->labels->add_new ) . '</a>';
 if ( ! empty( $_REQUEST['s'] ) )
 	printf( ' <span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', get_search_query() );
 ?></h2>
 
-<?php if ( isset( $_REQUEST['locked'] ) || isset( $_REQUEST['updated'] ) || isset( $_REQUEST['deleted'] ) || isset( $_REQUEST['trashed'] ) || isset( $_REQUEST['untrashed'] ) ) {
-	$messages = array();
-?>
-<div id="message" class="updated"><p>
-<?php if ( isset( $_REQUEST['updated'] ) && $updated = absint( $_REQUEST['updated'] ) ) {
-	$messages[] = sprintf( _n( '%s post updated.', '%s posts updated.', $updated ), number_format_i18n( $updated ) );
-}
+<?php
+// If we have a bulk message to issue:
+$messages = array();
+foreach ( $bulk_counts as $message => $count ) {
+	if ( isset( $bulk_messages[ $post_type ][ $message ] ) )
+		$messages[] = sprintf( $bulk_messages[ $post_type ][ $message ], number_format_i18n( $count ) );
+	elseif ( isset( $bulk_messages['post'][ $message ] ) )
+		$messages[] = sprintf( $bulk_messages['post'][ $message ], number_format_i18n( $count ) );
 
-if ( isset( $_REQUEST['locked'] ) && $locked = absint( $_REQUEST['locked'] ) ) {
-	$messages[] = sprintf( _n( '%s item not updated, somebody is editing it.', '%s items not updated, somebody is editing them.', $locked ), number_format_i18n( $locked ) );
-}
-
-if ( isset( $_REQUEST['deleted'] ) && $deleted = absint( $_REQUEST['deleted'] ) ) {
-	$messages[] = sprintf( _n( 'Item permanently deleted.', '%s items permanently deleted.', $deleted ), number_format_i18n( $deleted ) );
-}
-
-if ( isset( $_REQUEST['trashed'] ) && $trashed = absint( $_REQUEST['trashed'] ) ) {
-	$messages[] = sprintf( _n( 'Item moved to the Trash.', '%s items moved to the Trash.', $trashed ), number_format_i18n( $trashed ) );
-	$ids = isset($_REQUEST['ids']) ? $_REQUEST['ids'] : 0;
-	$messages[] = '<a href="' . esc_url( wp_nonce_url( "edit.php?post_type=$post_type&doaction=undo&action=untrash&ids=$ids", "bulk-posts" ) ) . '">' . __('Undo') . '</a>';
-}
-
-if ( isset( $_REQUEST['untrashed'] ) && $untrashed = absint( $_REQUEST['untrashed'] ) ) {
-	$messages[] = sprintf( _n( 'Item restored from the Trash.', '%s items restored from the Trash.', $untrashed ), number_format_i18n( $untrashed ) );
+	if ( $message == 'trashed' && isset( $_REQUEST['ids'] ) ) {
+		$ids = preg_replace( '/[^0-9,]/', '', $_REQUEST['ids'] );
+		$messages[] = '<a href="' . esc_url( wp_nonce_url( "edit.php?post_type=$post_type&doaction=undo&action=untrash&ids=$ids", "bulk-posts" ) ) . '">' . __('Undo') . '</a>';
+	}
 }
 
 if ( $messages )
-	echo join( ' ', $messages );
+	echo '<div id="message" class="updated"><p>' . join( ' ', $messages ) . '</p></div>';
 unset( $messages );
 
 $_SERVER['REQUEST_URI'] = remove_query_arg( array( 'locked', 'skipped', 'updated', 'deleted', 'trashed', 'untrashed' ), $_SERVER['REQUEST_URI'] );
 ?>
-</p></div>
-<?php } ?>
 
 <?php $wp_list_table->views(); ?>
 
@@ -290,4 +322,4 @@ if ( $wp_list_table->has_items() )
 </div>
 
 <?php
-include('./admin-footer.php');
+include( ABSPATH . 'wp-admin/admin-footer.php' );

wp-admin/export.php

@@ -7,13 +7,13 @@
  */
 
 /** Load WordPress Bootstrap */
-require_once ('admin.php');
+require_once( dirname( __FILE__ ) . '/admin.php' );
 
 if ( !current_user_can('export') )
 	wp_die(__('You do not have sufficient permissions to export the content of this site.'));
 
 /** Load WordPress export API */
-require_once('./includes/export.php');
+require_once( ABSPATH . 'wp-admin/includes/export.php' );
 $title = __('Export');
 
 /**
@@ -94,14 +94,31 @@ if ( isset( $_GET['download'] ) ) {
 		$args['content'] = $_GET['content'];
 	}
 
+	/**
+	 * Filter the export args.
+	 *
+	 * @since 3.5.0
+	 *
+	 * @param array $args The arguments to send to the exporter.
+	 */
 	$args = apply_filters( 'export_args', $args );
 
 	export_wp( $args );
 	die();
 }
 
-require_once ('admin-header.php');
+require_once( ABSPATH . 'wp-admin/admin-header.php' );
 
+/**
+ * Create the date options fields for exporting a given post type.
+ *
+ * @global wpdb      $wpdb      WordPress database object.
+ * @global WP_Locale $wp_locale Date and Time Locale object.
+ *
+ * @since 3.1.0
+ *
+ * @param string $post_type The post type. Default 'post'.
+ */
 function export_date_options( $post_type = 'post' ) {
 	global $wpdb, $wp_locale;
 
@@ -211,10 +228,17 @@ function export_date_options( $post_type = 'post' ) {
 <p><label><input type="radio" name="content" value="<?php echo esc_attr( $post_type->name ); ?>" /> <?php echo esc_html( $post_type->label ); ?></label></p>
 <?php endforeach; ?>
 
-<?php do_action( 'export_filters' ) ?>
+<?php
+/**
+ * Fires after the export filters form.
+ *
+ * @since 3.5.0
+ */
+do_action( 'export_filters' );
+?>
 
 <?php submit_button( __('Download Export File') ); ?>
 </form>
 </div>
 
-<?php include('admin-footer.php'); ?>
+<?php include( ABSPATH . 'wp-admin/admin-footer.php' ); ?>

wp-admin/freedoms.php

@@ -7,7 +7,7 @@
  */
 
 /** WordPress Administration Bootstrap */
-require_once( './admin.php' );
+require_once( dirname( __FILE__ ) . '/admin.php' );
 
 $title = __( 'Freedoms' );
 
@@ -19,7 +19,7 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 
 <h1><?php printf( __( 'Welcome to WordPress %s' ), $display_version ); ?></h1>
 
-<div class="about-text"><?php printf( __( 'Thank you for updating to the latest version! WordPress %s is more polished and enjoyable than ever before. We hope you like it.' ), $display_version ); ?></div>
+<div class="about-text"><?php echo str_replace( '3.7', $display_version, __( 'Thank you for updating to WordPress 3.7! You might not notice a thing, and we&#8217;re okay with that.' ) ); ?></div>
 
 <div class="wp-badge"><?php printf( __( 'Version %s' ), $display_version ); ?></div>
 
@@ -46,8 +46,8 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 
 <p><?php
 
-$plugins_url = current_user_can( 'activate_plugins' ) ? admin_url( 'plugins.php' ) : 'http://wordpress.org/extend/plugins/';
-$themes_url = current_user_can( 'switch_themes' ) ? admin_url( 'themes.php' ) : 'http://wordpress.org/extend/themes/';
+$plugins_url = current_user_can( 'activate_plugins' ) ? admin_url( 'plugins.php' ) : 'http://wordpress.org/plugins/';
+$themes_url = current_user_can( 'switch_themes' ) ? admin_url( 'themes.php' ) : 'http://wordpress.org/themes/';
 
 printf( __( 'Every plugin and theme in WordPress.org&#8217;s directory is 100%% GPL or a similarly free and compatible license, so you can feel safe finding <a href="%1$s">plugins</a> and <a href="%2$s">themes</a> there. If you get a plugin or theme from another source, make sure to <a href="%3$s">ask them if it&#8217;s GPL</a> first. If they don&#8217;t respect the WordPress license, we don&#8217;t recommend them.' ), $plugins_url, $themes_url, 'http://wordpress.org/about/license/' ); ?></p>
 

wp-admin/import.php

@@ -9,7 +9,7 @@
 define('WP_LOAD_IMPORTERS', true);
 
 /** Load WordPress Bootstrap */
-require_once ('admin.php');
+require_once( dirname( __FILE__ ) . '/admin.php' );
 
 if ( !current_user_can('import') )
 	wp_die(__('You do not have sufficient permissions to import content in this site.'));
@@ -47,7 +47,7 @@ if ( ! empty( $_GET['invalid'] ) && isset( $popular_importers[ $_GET['invalid']
 add_thickbox();
 wp_enqueue_script( 'plugin-install' );
 
-require_once ('admin-header.php');
+require_once( ABSPATH . 'wp-admin/admin-header.php' );
 $parent_file = 'tools.php';
 ?>
 
@@ -130,4 +130,4 @@ if ( current_user_can('install_plugins') )
 
 <?php
 
-include ('admin-footer.php');
+include( ABSPATH . 'wp-admin/admin-footer.php' );

wp-admin/includes/ajax-actions.php

@@ -10,19 +10,61 @@
  * No-privilege Ajax handlers.
  */
 
-function wp_ajax_nopriv_autosave() {
-	$id = isset( $_POST['post_ID'] ) ? (int) $_POST['post_ID'] : 0;
+/**
+ * Heartbeat API (experimental)
+ *
+ * Runs when the user is not logged in.
+ */
+function wp_ajax_nopriv_heartbeat() {
+	$response = array();
 
-	if ( ! $id )
-		wp_die( -1 );
+	// screen_id is the same as $current_screen->id and the JS global 'pagenow'
+	if ( ! empty($_POST['screen_id']) )
+		$screen_id = sanitize_key($_POST['screen_id']);
+	else
+		$screen_id = 'front';
 
-	$message = sprintf( __('<strong>ALERT: You are logged out!</strong> Could not save draft. <a href="%s" target="_blank">Please log in again.</a>'), wp_login_url() );
-	$x = new WP_Ajax_Response( array(
-		'what' => 'autosave',
-		'id' => $id,
-		'data' => $message
-	) );
-	$x->send();
+	if ( ! empty($_POST['data']) ) {
+		$data = wp_unslash( (array) $_POST['data'] );
+
+		/**
+		 * Filter Heartbeat AJAX response in no-privilege environments.
+		 *
+		 * @since 3.6.0
+		 *
+		 * @param array|object $response  The no-priv Heartbeat response object or array.
+		 * @param array        $data      An array of data passed via $_POST.
+		 * @param string       $screen_id The screen id.
+		 */
+		$response = apply_filters( 'heartbeat_nopriv_received', $response, $data, $screen_id );
+	}
+
+	/**
+	 * Filter Heartbeat AJAX response when no data is passed.
+	 *
+	 * @since 3.6.0
+	 *
+	 * @param array|object $response  The Heartbeat response object or array.
+	 * @param string       $screen_id The screen id.
+	 */
+	$response = apply_filters( 'heartbeat_nopriv_send', $response, $screen_id );
+
+	/**
+	 * Fires when Heartbeat ticks in no-privilege environments.
+	 *
+	 * Allows the transport to be easily replaced with long-polling.
+	 *
+	 * @since 3.6.0
+	 *
+	 * @param array|object $response  The no-priv Heartbeat response.
+	 * @param string       $screen_id The screen id.
+	 */
+	do_action( 'heartbeat_nopriv_tick', $response, $screen_id );
+
+	// send the current time according to the server
+	$response['server_time'] = time();
+
+	wp_send_json($response);
 }
 
 /*
@@ -59,7 +101,7 @@ function wp_ajax_ajax_tag_search() {
 		wp_die( 0 );
 	}
 
-	$s = stripslashes( $_GET['q'] );
+	$s = wp_unslash( $_GET['q'] );
 
 	$comma = _x( ',', 'tag delimiter' );
 	if ( ',' !== $comma )
@@ -72,7 +114,7 @@ function wp_ajax_ajax_tag_search() {
 	if ( strlen( $s ) < 2 )
 		wp_die(); // require 2 chars for matching
 
-	$results = $wpdb->get_col( $wpdb->prepare( "SELECT t.name FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = %s AND t.name LIKE (%s)", $taxonomy, '%' . like_escape( $s ) . '%' ) );
+	$results = get_terms( $taxonomy, array( 'name__like' => $s, 'fields' => 'names', 'hide_empty' => false ) );
 
 	echo join( $results, "\n" );
 	wp_die();
@@ -148,6 +190,7 @@ function wp_ajax_autocomplete_user() {
 	if ( ! is_multisite() || ! current_user_can( 'promote_users' ) || wp_is_large_network( 'users' ) )
 		wp_die( -1 );
 
+	/** This filter is documented in wp-admin/user-new.php */
 	if ( ! is_super_admin() && ! apply_filters( 'autocomplete_users_for_site_admins', false ) )
 		wp_die( -1 );
 
@@ -226,10 +269,11 @@ function wp_ajax_logged_in() {
  * @return die
  */
 function _wp_ajax_delete_comment_response( $comment_id, $delta = -1 ) {
-	$total = (int) @$_POST['_total'];
-	$per_page = (int) @$_POST['_per_page'];
-	$page = (int) @$_POST['_page'];
-	$url = esc_url_raw( @$_POST['_url'] );
+	$total    = isset( $_POST['_total'] )    ? (int) $_POST['_total']    : 0;
+	$per_page = isset( $_POST['_per_page'] ) ? (int) $_POST['_per_page'] : 0;
+	$page     = isset( $_POST['_page'] )     ? (int) $_POST['_page']     : 0;
+	$url      = isset( $_POST['_url'] )      ? esc_url_raw( $_POST['_url'] ) : '';
+
 	// JS didn't send us everything we need to know. Just die with success message
 	if ( !$total || !$per_page || !$page || !$url )
 		wp_die( time() );
@@ -531,7 +575,7 @@ function wp_ajax_dim_comment() {
 		wp_die( -1 );
 
 	$current = wp_get_comment_status( $comment->comment_ID );
-	if ( $_POST['new'] == $current )
+	if ( isset( $_POST['new'] ) && $_POST['new'] == $current )
 		wp_die( time() );
 
 	check_ajax_referer( "approve-comment_$id" );
@@ -559,7 +603,7 @@ function wp_ajax_add_link_category( $action ) {
 	check_ajax_referer( $action );
 	if ( !current_user_can( 'manage_categories' ) )
 		wp_die( -1 );
-	$names = explode(',', $_POST['newcat']);
+	$names = explode(',', wp_unslash( $_POST['newcat'] ) );
 	$x = new WP_Ajax_Response();
 	foreach ( $names as $cat_name ) {
 		$cat_name = trim($cat_name);
@@ -572,7 +616,7 @@ function wp_ajax_add_link_category( $action ) {
 			continue;
 		else if ( is_array( $cat_id ) )
 			$cat_id = $cat_id['term_id'];
-		$cat_name = esc_html(stripslashes($cat_name));
+		$cat_name = esc_html( $cat_name );
 		$x->add( array(
 			'what' => 'link-category',
 			'id' => $cat_id,
@@ -651,7 +695,7 @@ function wp_ajax_get_tagcloud() {
 	$tags = get_terms( $taxonomy, array( 'number' => 45, 'orderby' => 'count', 'order' => 'DESC' ) );
 
 	if ( empty( $tags ) )
-		wp_die( isset( $tax->no_tagcloud ) ? $tax->no_tagcloud : __('No tags found!') );
+		wp_die( $tax->labels->not_found );
 
 	if ( is_wp_error( $tags ) )
 		wp_die( $tags->get_error_message() );
@@ -679,9 +723,18 @@ function wp_ajax_get_comments( $action ) {
 
 	check_ajax_referer( $action );
 
+	if ( empty( $post_id ) && ! empty( $_REQUEST['p'] ) ) {
+		$id = absint( $_REQUEST['p'] );
+		if ( ! empty( $id ) )
+			$post_id = $id;
+	}
+
+	if ( empty( $post_id ) )
+		wp_die( -1 );
+
 	$wp_list_table = _get_list_table( 'WP_Post_Comments_List_Table', array( 'screen' => 'edit-comments' ) );
 
-	if ( !current_user_can( 'edit_post', $post_id ) )
+	if ( ! current_user_can( 'edit_post', $post_id ) )
 		wp_die( -1 );
 
 	$wp_list_table->prepare_items();
@@ -715,27 +768,34 @@ function wp_ajax_replyto_comment( $action ) {
 	check_ajax_referer( $action, '_ajax_nonce-replyto-comment' );
 
 	$comment_post_ID = (int) $_POST['comment_post_ID'];
+	$post = get_post( $comment_post_ID );
+	if ( ! $post )
+		wp_die( -1 );
+
 	if ( !current_user_can( 'edit_post', $comment_post_ID ) )
 		wp_die( -1 );
 
-	$status = $wpdb->get_var( $wpdb->prepare("SELECT post_status FROM $wpdb->posts WHERE ID = %d", $comment_post_ID) );
-
-	if ( empty($status) )
+	if ( empty( $post->post_status ) )
 		wp_die( 1 );
-	elseif ( in_array($status, array('draft', 'pending', 'trash') ) )
+	elseif ( in_array($post->post_status, array('draft', 'pending', 'trash') ) )
 		wp_die( __('ERROR: you are replying to a comment on a draft post.') );
 
 	$user = wp_get_current_user();
 	if ( $user->exists() ) {
 		$user_ID = $user->ID;
-		$comment_author       = $wpdb->escape($user->display_name);
-		$comment_author_email = $wpdb->escape($user->user_email);
-		$comment_author_url   = $wpdb->escape($user->user_url);
+		$comment_author       = wp_slash( $user->display_name );
+		$comment_author_email = wp_slash( $user->user_email );
+		$comment_author_url   = wp_slash( $user->user_url );
 		$comment_content      = trim($_POST['content']);
 		if ( current_user_can( 'unfiltered_html' ) ) {
+			if ( ! isset( $_POST['_wp_unfiltered_html_comment'] ) )
+				$_POST['_wp_unfiltered_html_comment'] = '';
+
 			if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
 				kses_remove_filters(); // start with a clean slate
 				kses_init_filters(); // set up the filters
+				remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+				add_filter( 'pre_comment_content', 'wp_filter_kses' );
 			}
 		}
 	} else {
@@ -745,7 +805,9 @@ function wp_ajax_replyto_comment( $action ) {
 	if ( '' == $comment_content )
 		wp_die( __( 'ERROR: please type a comment.' ) );
 
-	$comment_parent = absint($_POST['comment_ID']);
+	$comment_parent = 0;
+	if ( isset( $_POST['comment_ID'] ) )
+		$comment_parent = absint( $_POST['comment_ID'] );
 	$comment_auto_approved = false;
 	$commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'comment_parent', 'user_ID');
 
@@ -766,19 +828,18 @@ function wp_ajax_replyto_comment( $action ) {
 	$position = ( isset($_POST['position']) && (int) $_POST['position'] ) ? (int) $_POST['position'] : '-1';
 
 	ob_start();
-		if ( 'dashboard' == $_REQUEST['mode'] ) {
-			require_once( ABSPATH . 'wp-admin/includes/dashboard.php' );
-			_wp_dashboard_recent_comments_row( $comment );
+	if ( isset( $_REQUEST['mode'] ) && 'dashboard' == $_REQUEST['mode'] ) {
+		require_once( ABSPATH . 'wp-admin/includes/dashboard.php' );
+		_wp_dashboard_recent_comments_row( $comment );
+	} else {
+		if ( isset( $_REQUEST['mode'] ) && 'single' == $_REQUEST['mode'] ) {
+			$wp_list_table = _get_list_table('WP_Post_Comments_List_Table', array( 'screen' => 'edit-comments' ) );
 		} else {
-			if ( 'single' == $_REQUEST['mode'] ) {
-				$wp_list_table = _get_list_table('WP_Post_Comments_List_Table', array( 'screen' => 'edit-comments' ) );
-			} else {
-				$wp_list_table = _get_list_table('WP_Comments_List_Table', array( 'screen' => 'edit-comments' ) );
-			}
-			$wp_list_table->single_row( $comment );
+			$wp_list_table = _get_list_table('WP_Comments_List_Table', array( 'screen' => 'edit-comments' ) );
 		}
-		$comment_list_item = ob_get_contents();
-	ob_end_clean();
+		$wp_list_table->single_row( $comment );
+	}
+	$comment_list_item = ob_get_clean();
 
 	$response =  array(
 		'what' => 'comment',
@@ -807,7 +868,8 @@ function wp_ajax_edit_comment() {
 	if ( '' == $_POST['content'] )
 		wp_die( __( 'ERROR: please type a comment.' ) );
 
-	$_POST['comment_status'] = $_POST['status'];
+	if ( isset( $_POST['status'] ) )
+		$_POST['comment_status'] = $_POST['status'];
 	edit_comment();
 
 	$position = ( isset($_POST['position']) && (int) $_POST['position']) ? (int) $_POST['position'] : '-1';
@@ -817,11 +879,12 @@ function wp_ajax_edit_comment() {
 	$wp_list_table = _get_list_table( $checkbox ? 'WP_Comments_List_Table' : 'WP_Post_Comments_List_Table', array( 'screen' => 'edit-comments' ) );
 
 	$comment = get_comment( $comment_id );
+	if ( empty( $comment->comment_ID ) )
+		wp_die( -1 );
 
 	ob_start();
-		$wp_list_table->single_row( $comment );
-		$comment_list_item = ob_get_contents();
-	ob_end_clean();
+	$wp_list_table->single_row( $comment );
+	$comment_list_item = ob_get_clean();
 
 	$x = new WP_Ajax_Response();
 
@@ -888,6 +951,14 @@ function wp_ajax_add_menu_item() {
 		}
 	}
 
+	/**
+	 * Filter the Walker class used when adding nav menu items.
+	 *
+	 * @since 3.4.0
+	 *
+	 * @param string $class   The walker class to use. Default 'Walker_Nav_Menu_Edit'.
+	 * @param int    $menu_id The menu id, derived from $_POST['menu'].
+	 */
 	$walker_class_name = apply_filters( 'wp_edit_nav_menu_walker', 'Walker_Nav_Menu_Edit', $_POST['menu'] );
 
 	if ( ! class_exists( $walker_class_name ) )
@@ -903,6 +974,7 @@ function wp_ajax_add_menu_item() {
 		);
 		echo walk_nav_menu_tree( $menu_items, 0, (object) $args );
 	}
+	wp_die();
 }
 
 function wp_ajax_add_meta() {
@@ -924,7 +996,7 @@ function wp_ajax_add_meta() {
 			$_POST['post_type'] = $post->post_type;
 			$_POST['post_status'] = 'draft';
 			$now = current_time('timestamp', 1);
-			$_POST['post_title'] = sprintf('Draft created on %s at %s', date(get_option('date_format'), $now), date(get_option('time_format'), $now));
+			$_POST['post_title'] = sprintf( __( 'Draft created on %1$s at %2$s' ), date( get_option( 'date_format' ), $now ), date( get_option( 'time_format' ), $now ) );
 
 			if ( $pid = edit_post() ) {
 				if ( is_wp_error( $pid ) ) {
@@ -956,8 +1028,8 @@ function wp_ajax_add_meta() {
 		) );
 	} else { // Update?
 		$mid = (int) key( $_POST['meta'] );
-		$key = stripslashes( $_POST['meta'][$mid]['key'] );
-		$value = stripslashes( $_POST['meta'][$mid]['value'] );
+		$key = wp_unslash( $_POST['meta'][$mid]['key'] );
+		$value = wp_unslash( $_POST['meta'][$mid]['value'] );
 		if ( '' == trim($key) )
 			wp_die( __( 'Please provide a custom field name.' ) );
 		if ( '' == trim($value) )
@@ -1024,68 +1096,50 @@ function wp_ajax_add_user( $action ) {
 }
 
 function wp_ajax_autosave() {
-	global $login_grace_period;
-
 	define( 'DOING_AUTOSAVE', true );
 
-	$nonce_age = check_ajax_referer( 'autosave', 'autosavenonce' );
+	check_ajax_referer( 'autosave', 'autosavenonce' );
 
-	$_POST['post_category'] = explode(",", $_POST['catslist']);
-	if ( $_POST['post_type'] == 'page' || empty($_POST['post_category']) )
-		unset($_POST['post_category']);
-
-	$do_autosave = (bool) $_POST['autosave'];
-	$do_lock = true;
-
-	$data = $alert = '';
-	/* translators: draft saved date format, see http://php.net/date */
-	$draft_saved_date_format = __('g:i:s a');
-	/* translators: %s: date and time */
-	$message = sprintf( __('Draft saved at %s.'), date_i18n( $draft_saved_date_format ) );
+	if ( ! empty( $_POST['catslist'] ) )
+		$_POST['post_category'] = explode( ',', $_POST['catslist'] );
+	if ( $_POST['post_type'] == 'page' || empty( $_POST['post_category'] ) )
+		unset( $_POST['post_category'] );
 
+	$data = '';
 	$supplemental = array();
-	if ( isset($login_grace_period) )
-		$alert .= sprintf( __('Your login has expired. Please open a new browser window and <a href="%s" target="_blank">log in again</a>. '), add_query_arg( 'interim-login', 1, wp_login_url() ) );
-
 	$id = $revision_id = 0;
 
-	$post_ID = (int) $_POST['post_ID'];
-	$_POST['ID'] = $post_ID;
-	$post = get_post($post_ID);
+	$post_id = (int) $_POST['post_id'];
+	$_POST['ID'] = $_POST['post_ID'] = $post_id;
+	$post = get_post( $post_id );
+	if ( empty( $post->ID ) || ! current_user_can( 'edit_post', $post->ID ) )
+		wp_die( __( 'You are not allowed to edit this post.' ) );
+
+	if ( 'page' == $post->post_type && ! current_user_can( 'edit_page', $post->ID ) )
+		wp_die( __( 'You are not allowed to edit this page.' ) );
+
 	if ( 'auto-draft' == $post->post_status )
 		$_POST['post_status'] = 'draft';
 
-	if ( $last = wp_check_post_lock( $post->ID ) ) {
-		$do_autosave = $do_lock = false;
-
-		$last_user = get_userdata( $last );
-		$last_user_name = $last_user ? $last_user->display_name : __( 'Someone' );
-		$data = __( 'Autosave disabled.' );
-
-		$supplemental['disable_autosave'] = 'disable';
-		$alert .= sprintf( __( '%s is currently editing this article. If you update it, you will overwrite the changes.' ), esc_html( $last_user_name ) );
-	}
-
-	if ( 'page' == $post->post_type ) {
-		if ( !current_user_can('edit_page', $post_ID) )
-			wp_die( __( 'You are not allowed to edit this page.' ) );
-	} else {
-		if ( !current_user_can('edit_post', $post_ID) )
-			wp_die( __( 'You are not allowed to edit this post.' ) );
-	}
-
-	if ( $do_autosave ) {
-		// Drafts and auto-drafts are just overwritten by autosave
-		if ( 'auto-draft' == $post->post_status || 'draft' == $post->post_status ) {
+	if ( ! empty( $_POST['autosave'] ) ) {
+		if ( ! wp_check_post_lock( $post->ID ) && get_current_user_id() == $post->post_author && ( 'auto-draft' == $post->post_status || 'draft' == $post->post_status ) ) {
+			// Drafts and auto-drafts are just overwritten by autosave for the same user if the post is not locked
 			$id = edit_post();
-		} else { // Non drafts are not overwritten. The autosave is stored in a special post revision.
+		} else {
+			// Non drafts or other users drafts are not overwritten. The autosave is stored in a special post revision for each user.
 			$revision_id = wp_create_post_autosave( $post->ID );
 			if ( is_wp_error($revision_id) )
 				$id = $revision_id;
 			else
 				$id = $post->ID;
 		}
-		$data = $message;
+
+		if ( ! is_wp_error($id) ) {
+			/* translators: draft saved date format, see http://php.net/date */
+			$draft_saved_date_format = __('g:i:s a');
+			/* translators: %s: date and time */
+			$data = sprintf( __('Draft saved at %s.'), date_i18n( $draft_saved_date_format ) );
+		}
 	} else {
 		if ( ! empty( $_POST['auto_draft'] ) )
 			$id = 0; // This tells us it didn't actually save
@@ -1093,32 +1147,11 @@ function wp_ajax_autosave() {
 			$id = $post->ID;
 	}
 
-	if ( $do_lock && empty( $_POST['auto_draft'] ) && $id && is_numeric( $id ) ) {
-		$lock_result = wp_set_post_lock( $id );
-		$supplemental['active-post-lock'] = implode( ':', $lock_result );
-	}
-
-	if ( $nonce_age == 2 ) {
-		$supplemental['replace-autosavenonce'] = wp_create_nonce('autosave');
-		$supplemental['replace-getpermalinknonce'] = wp_create_nonce('getpermalink');
-		$supplemental['replace-samplepermalinknonce'] = wp_create_nonce('samplepermalink');
-		$supplemental['replace-closedpostboxesnonce'] = wp_create_nonce('closedpostboxes');
-		$supplemental['replace-_ajax_linking_nonce'] = wp_create_nonce( 'internal-linking' );
-		if ( $id ) {
-			if ( $_POST['post_type'] == 'post' )
-				$supplemental['replace-_wpnonce'] = wp_create_nonce('update-post_' . $id);
-			elseif ( $_POST['post_type'] == 'page' )
-				$supplemental['replace-_wpnonce'] = wp_create_nonce('update-page_' . $id);
-		}
-	}
-
-	if ( ! empty($alert) )
-		$supplemental['alert'] = $alert;
-
+	// @todo Consider exposing any errors, rather than having 'Saving draft...'
 	$x = new WP_Ajax_Response( array(
 		'what' => 'autosave',
 		'id' => $id,
-		'data' => $id ? $data : '',
+		'data' => $data,
 		'supplemental' => $supplemental
 	) );
 	$x->send();
@@ -1197,7 +1230,15 @@ function wp_ajax_menu_get_metabox() {
 	}
 
 	if ( ! empty( $_POST['item-object'] ) && isset( $items[$_POST['item-object']] ) ) {
-		$item = apply_filters( 'nav_menu_meta_box_object', $items[ $_POST['item-object'] ] );
+		$menus_meta_box_object = $items[ $_POST['item-object'] ];
+		/**
+		 * Filter a nav menu meta box object.
+		 *
+		 * @since 3.0.0
+		 *
+		 * @param object $menus_meta_box_object A nav menu meta box object, such as Page, Post, Category, Tag, etc.
+		 */
+		$item = apply_filters( 'nav_menu_meta_box_object', $menus_meta_box_object );
 		ob_start();
 		call_user_func_array($callback, array(
 			null,
@@ -1226,7 +1267,7 @@ function wp_ajax_wp_link_ajax() {
 	$args = array();
 
 	if ( isset( $_POST['search'] ) )
-		$args['s'] = stripslashes( $_POST['search'] );
+		$args['s'] = wp_unslash( $_POST['search'] );
 	$args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1;
 
 	require(ABSPATH . WPINC . '/class-wp-editor.php');
@@ -1327,28 +1368,36 @@ function wp_ajax_inline_save() {
 	$data = &$_POST;
 
 	$post = get_post( $post_ID, ARRAY_A );
-	$post = add_magic_quotes($post); //since it is from db
+	$post = wp_slash($post); //since it is from db
 
 	$data['content'] = $post['post_content'];
 	$data['excerpt'] = $post['post_excerpt'];
 
 	// rename
-	$data['user_ID'] = $GLOBALS['user_ID'];
+	$data['user_ID'] = get_current_user_id();
 
 	if ( isset($data['post_parent']) )
 		$data['parent_id'] = $data['post_parent'];
 
-	// status
-	if ( isset($data['keep_private']) && 'private' == $data['keep_private'] )
+	// Status.
+	if ( isset( $data['keep_private'] ) && 'private' == $data['keep_private'] ) {
+		$data['visibility']  = 'private';
 		$data['post_status'] = 'private';
-	else
+	} else {
 		$data['post_status'] = $data['_status'];
+	}
 
 	if ( empty($data['comment_status']) )
 		$data['comment_status'] = 'closed';
 	if ( empty($data['ping_status']) )
 		$data['ping_status'] = 'closed';
 
+	// Hack: wp_unique_post_slug() doesn't work for drafts, so we will fake that our post is published.
+	if ( ! empty( $data['post_name'] ) && in_array( $post['post_status'], array( 'draft', 'pending' ) ) ) {
+		$post['post_status'] = 'publish';
+		$data['post_name'] = wp_unique_post_slug( $data['post_name'], $post['ID'], $post['post_status'], $post['post_type'], $post['post_parent'] );
+	}
+
 	// update the post
 	edit_post();
 
@@ -1412,7 +1461,7 @@ function wp_ajax_inline_save_tax() {
 		$parent = $parent_tag->parent;
 		$level++;
 	}
-	echo $wp_list_table->single_row( $tag, $level );
+	$wp_list_table->single_row( $tag, $level );
 	wp_die();
 }
 
@@ -1424,7 +1473,7 @@ function wp_ajax_find_posts() {
 	$post_types = get_post_types( array( 'public' => true ), 'objects' );
 	unset( $post_types['attachment'] );
 
-	$s = stripslashes( $_POST['ps'] );
+	$s = wp_unslash( $_POST['ps'] );
 	$searchand = $search = '';
 	$args = array(
 		'post_type' => array_keys( $post_types ),
@@ -1520,9 +1569,26 @@ function wp_ajax_save_widget() {
 
 	unset( $_POST['savewidgets'], $_POST['action'] );
 
-	do_action('load-widgets.php');
-	do_action('widgets.php');
-	do_action('sidebar_admin_setup');
+	/**
+	 * Fires early when editing the widgets displayed in sidebars.
+	 *
+	 * @since 2.8.0
+	 */
+	do_action( 'load-widgets.php' );
+
+	/**
+	 * Fires early when editing the widgets displayed in sidebars.
+	 *
+	 * @since 2.8.0
+	 */
+	do_action( 'widgets.php' );
+
+	/**
+	 * Fires early when editing the widgets displayed in sidebars.
+	 *
+	 * @since 2.2.0
+	 */
+	do_action( 'sidebar_admin_setup' );
 
 	$id_base = $_POST['id_base'];
 	$widget_id = $_POST['widget-id'];
@@ -1595,7 +1661,11 @@ function wp_ajax_upload_attachment() {
 		$post_id = null;
 	}
 
-	$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
+	$post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();
+
+	if ( is_wp_error( $post_data ) ) {
+		wp_die( $post_data->get_error_message() );
+	}
 
 	// If the context is custom header or background, make sure the uploaded file is an image.
 	if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
@@ -1605,7 +1675,7 @@ function wp_ajax_upload_attachment() {
 				'success' => false,
 				'data'    => array(
 					'message'  => __( 'The uploaded file is not a valid image. Please try again.' ),
-					'filename' => $_FILES['async-upload']['name'],
+					'filename' => esc_html( $_FILES['async-upload']['name'] ),
 				)
 			) );
 
@@ -1620,7 +1690,7 @@ function wp_ajax_upload_attachment() {
 			'success' => false,
 			'data'    => array(
 				'message'  => $attachment_id->get_error_message(),
-				'filename' => $_FILES['async-upload']['name'],
+				'filename' => esc_html( $_FILES['async-upload']['name'] ),
 			)
 		) );
 
@@ -1776,7 +1846,14 @@ function wp_ajax_wp_remove_post_lock() {
 	if ( $active_lock[1] != get_current_user_id() )
 		wp_die( 0 );
 
-	$new_lock = ( time() - apply_filters( 'wp_check_post_lock_window', AUTOSAVE_INTERVAL * 2 ) + 5 ) . ':' . $active_lock[1];
+	/**
+	 * Filter the post lock window duration.
+	 *
+	 * @since 3.3.0
+	 *
+	 * @param int $interval The interval in seconds the post lock duration should last, plus 5 seconds. Default 120.
+	 */
+	$new_lock = ( time() - apply_filters( 'wp_check_post_lock_window', 120 ) + 5 ) . ':' . $active_lock[1];
 	update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) );
 	wp_die( 1 );
 }
@@ -1847,6 +1924,14 @@ function wp_ajax_query_attachments() {
 	if ( current_user_can( get_post_type_object( 'attachment' )->cap->read_private_posts ) )
 		$query['post_status'] .= ',private';
 
+	/**
+	 * Filter the arguments passed to WP_Query during an AJAX call for querying attachments.
+	 *
+	 * @since 3.7.0
+	 *
+	 * @param array $query An array of query variables. @see WP_Query::parse_query()
+	 */
+	$query = apply_filters( 'ajax_query_attachments_args', $query );
 	$query = new WP_Query( $query );
 
 	$posts = array_map( 'wp_prepare_attachment_for_js', $query->posts );
@@ -1888,11 +1973,10 @@ function wp_ajax_save_attachment() {
 		$post['post_content'] = $changes['description'];
 
 	if ( isset( $changes['alt'] ) ) {
-		$alt = get_post_meta( $id, '_wp_attachment_image_alt', true );
-		$new_alt = stripslashes( $changes['alt'] );
-		if ( $alt != $new_alt ) {
-			$new_alt = wp_strip_all_tags( $new_alt, true );
-			update_post_meta( $id, '_wp_attachment_image_alt', addslashes( $new_alt ) );
+		$alt = wp_unslash( $changes['alt'] );
+		if ( $alt != get_post_meta( $id, '_wp_attachment_image_alt', true ) ) {
+			$alt = wp_strip_all_tags( $alt, true );
+			update_post_meta( $id, '_wp_attachment_image_alt', wp_slash( $alt ) );
 		}
 	}
 
@@ -1926,6 +2010,7 @@ function wp_ajax_save_attachment_compat() {
 	if ( 'attachment' != $post['post_type'] )
 		wp_send_json_error();
 
+	/** This filter is documented in wp-admin/includes/media.php */
 	$post = apply_filters( 'attachment_fields_to_save', $post, $attachment_data );
 
 	if ( isset( $post['errors'] ) ) {
@@ -1989,7 +2074,7 @@ function wp_ajax_save_attachment_order() {
 function wp_ajax_send_attachment_to_editor() {
 	check_ajax_referer( 'media-send-to-editor', 'nonce' );
 
-	$attachment = stripslashes_deep( $_POST['attachment'] );
+	$attachment = wp_unslash( $_POST['attachment'] );
 
 	$id = intval( $attachment['id'] );
 
@@ -2015,7 +2100,7 @@ function wp_ajax_send_attachment_to_editor() {
 		$html = '<a href="' . esc_url( $url ) . '"' . $rel . '>' . $html . '</a>';
 	}
 
-	remove_filter( 'media_send_to_editor', 'image_media_send_to_editor', 10, 3 );
+	remove_filter( 'media_send_to_editor', 'image_media_send_to_editor' );
 
 	if ( 'image' === substr( $post->post_mime_type, 0, 5 ) ) {
 		$align = isset( $attachment['align'] ) ? $attachment['align'] : 'none';
@@ -2024,8 +2109,11 @@ function wp_ajax_send_attachment_to_editor() {
 		$caption = isset( $attachment['post_excerpt'] ) ? $attachment['post_excerpt'] : '';
 		$title = ''; // We no longer insert title tags into <img> tags, as they are redundant.
 		$html = get_image_send_to_editor( $id, $caption, $title, $align, $url, (bool) $rel, $size, $alt );
+	} elseif ( 'video' === substr( $post->post_mime_type, 0, 5 ) || 'audio' === substr( $post->post_mime_type, 0, 5 )  ) {
+		$html = stripslashes_deep( $_POST['html'] );
 	}
 
+	/** This filter is documented in wp-admin/includes/media.php */
 	$html = apply_filters( 'media_send_to_editor', $html, $id, $attachment );
 
 	wp_send_json_success( $html );
@@ -2044,7 +2132,7 @@ function wp_ajax_send_attachment_to_editor() {
 function wp_ajax_send_link_to_editor() {
 	check_ajax_referer( 'media-send-to-editor', 'nonce' );
 
-	if ( ! $src = stripslashes( $_POST['src'] ) )
+	if ( ! $src = wp_unslash( $_POST['src'] ) )
 		wp_send_json_error();
 
 	if ( ! strpos( $src, '://' ) )
@@ -2053,7 +2141,7 @@ function wp_ajax_send_link_to_editor() {
 	if ( ! $src = esc_url_raw( $src ) )
 		wp_send_json_error();
 
-	if ( ! $title = trim( stripslashes( $_POST['title'] ) ) )
+	if ( ! $title = trim( wp_unslash( $_POST['title'] ) ) )
 		$title = wp_basename( $src );
 
 	$html = '';
@@ -2066,7 +2154,101 @@ function wp_ajax_send_link_to_editor() {
 		&& ( 'audio' == $ext_type || 'video' == $ext_type ) )
 			$type = $ext_type;
 
+	/** This filter is documented in wp-admin/includes/media.php */
 	$html = apply_filters( $type . '_send_to_editor_url', $html, $src, $title );
 
 	wp_send_json_success( $html );
 }
+
+/**
+ * Heartbeat API (experimental)
+ *
+ * Runs when the user is logged in.
+ */
+function wp_ajax_heartbeat() {
+	if ( empty( $_POST['_nonce'] ) )
+		wp_send_json_error();
+
+	$response = array();
+
+	if ( false === wp_verify_nonce( $_POST['_nonce'], 'heartbeat-nonce' ) ) {
+		// User is logged in but nonces have expired.
+		$response['nonces_expired'] = true;
+		wp_send_json($response);
+	}
+
+	// screen_id is the same as $current_screen->id and the JS global 'pagenow'
+	if ( ! empty($_POST['screen_id']) )
+		$screen_id = sanitize_key($_POST['screen_id']);
+	else
+		$screen_id = 'front';
+
+	if ( ! empty($_POST['data']) ) {
+		$data = (array) $_POST['data'];
+
+		/**
+		 * Filter the Heartbeat response received.
+		 *
+		 * @since 3.6.0
+		 *
+		 * @param array|object $response  The Heartbeat response object or array.
+		 * @param array        $data      The $_POST data sent.
+		 * @param string       $screen_id The screen id.
+		 */
+		$response = apply_filters( 'heartbeat_received', $response, $data, $screen_id );
+	}
+
+	/**
+	 * Filter the Heartbeat response sent.
+	 *
+	 * @since 3.6.0
+	 *
+	 * @param array|object $response  The Heartbeat response object or array.
+	 * @param string       $screen_id The screen id.
+	 */
+	$response = apply_filters( 'heartbeat_send', $response, $screen_id );
+
+	/**
+	 * Fires when Heartbeat ticks in logged-in environments.
+	 *
+	 * Allows the transport to be easily replaced with long-polling.
+	 *
+	 * @since 3.6.0
+	 *
+	 * @param array|object $response  The Heartbeat response object or array.
+	 * @param string       $screen_id The screen id.
+	 */
+	do_action( 'heartbeat_tick', $response, $screen_id );
+
+	// Send the current time according to the server
+	$response['server_time'] = time();
+
+	wp_send_json($response);
+}
+
+function wp_ajax_get_revision_diffs() {
+	require ABSPATH . 'wp-admin/includes/revision.php';
+
+	if ( ! $post = get_post( (int) $_REQUEST['post_id'] ) )
+		wp_send_json_error();
+
+	if ( ! current_user_can( 'edit_post', $post->ID ) )
+		wp_send_json_error();
+
+	// Really just pre-loading the cache here.
+	if ( ! $revisions = wp_get_post_revisions( $post->ID, array( 'check_enabled' => false ) ) )
+		wp_send_json_error();
+
+	$return = array();
+	@set_time_limit( 0 );
+
+	foreach ( $_REQUEST['compare'] as $compare_key ) {
+		list( $compare_from, $compare_to ) = explode( ':', $compare_key ); // from:to
+
+		$return[] = array(
+			'id' => $compare_key,
+			'fields' => wp_get_revision_ui_diff( $post, $compare_from, $compare_to ),
+		);
+	}
+	wp_send_json_success( $return );
+}

wp-admin/includes/bookmark.php

@@ -55,12 +55,12 @@ function edit_link( $link_id = 0 ) {
 function get_default_link_to_edit() {
 	$link = new stdClass;
 	if ( isset( $_GET['linkurl'] ) )
-		$link->link_url = esc_url( $_GET['linkurl'] );
+		$link->link_url = esc_url( wp_unslash( $_GET['linkurl'] ) );
 	else
 		$link->link_url = '';
 
 	if ( isset( $_GET['name'] ) )
-		$link->link_name = esc_attr( $_GET['name'] );
+		$link->link_name = esc_attr( wp_unslash( $_GET['name'] ) );
 	else
 		$link->link_name = '';
 
@@ -70,7 +70,7 @@ function get_default_link_to_edit() {
 }
 
 /**
- * Delete link specified from database
+ * Delete link specified from database.
  *
  * @since 2.0.0
  *
@@ -79,13 +79,25 @@ function get_default_link_to_edit() {
  */
 function wp_delete_link( $link_id ) {
 	global $wpdb;
-
+	/**
+	 * Fires before a link is deleted.
+	 *
+	 * @since 2.0.0
+	 *
+	 * @param int $link_id ID of the link to delete.
+	 */
 	do_action( 'delete_link', $link_id );
 
 	wp_delete_object_term_relationships( $link_id, 'link_category' );
 
 	$wpdb->delete( $wpdb->links, array( 'link_id' => $link_id ) );
-
+	/**
+	 * Fires after a link has been deleted.
+	 *
+	 * @since 2.2.0
+	 *
+	 * @param int $link_id ID of the deleted link.
+	 */
 	do_action( 'deleted_link', $link_id );
 
 	clean_bookmark_cache( $link_id );
@@ -137,7 +149,7 @@ function wp_insert_link( $linkdata, $wp_error = false ) {
 	$linkdata = wp_parse_args( $linkdata, $defaults );
 	$linkdata = sanitize_bookmark( $linkdata, 'db' );
 
-	extract( stripslashes_deep( $linkdata ), EXTR_SKIP );
+	extract( wp_unslash( $linkdata ), EXTR_SKIP );
 
 	$update = false;
 
@@ -206,11 +218,25 @@ function wp_insert_link( $linkdata, $wp_error = false ) {
 
 	wp_set_link_cats( $link_id, $link_category );
 
-	if ( $update )
+	if ( $update ) {
+		/**
+		 * Fires after a link was updated in the database.
+		 *
+		 * @since 2.0.0
+		 *
+		 * @param int $link_id ID of the link that was updated.
+		 */
 		do_action( 'edit_link', $link_id );
-	else
+	} else {
+		/**
+		 * Fires after a link was added to the database.
+		 *
+		 * @since 2.0.0
+		 *
+		 * @param int $link_id ID of the link that was added.
+		 */
 		do_action( 'add_link', $link_id );
-
+	}
 	clean_bookmark_cache( $link_id );
 
 	return $link_id;
@@ -251,7 +277,7 @@ function wp_update_link( $linkdata ) {
 	$link = get_bookmark( $link_id, ARRAY_A );
 
 	// Escape data pulled from DB.
-	$link = add_magic_quotes( $link );
+	$link = wp_slash( $link );
 
 	// Passed link category list overwrites existing category list if not empty.
 	if ( isset( $linkdata['link_category'] ) && is_array( $linkdata['link_category'] )

wp-admin/includes/class-ftp-pure.php

@@ -9,7 +9,7 @@
  * @copyright Alexey Dotsenko
  * @author Alexey Dotsenko
  * @link http://www.phpclasses.org/browse/package/1743.html Site
- * @license LGPL License http://www.opensource.org/licenses/lgpl-license.html
+ * @license LGPL http://www.opensource.org/licenses/lgpl-license.html
  */
 
 /**
@@ -23,7 +23,7 @@
  * @copyright Alexey Dotsenko
  * @author Alexey Dotsenko
  * @link http://www.phpclasses.org/browse/package/1743.html Site
- * @license LGPL License http://www.opensource.org/licenses/lgpl-license.html
+ * @license LGPL http://www.opensource.org/licenses/lgpl-license.html
  */
 class ftp extends ftp_base {
 

wp-admin/includes/class-ftp-sockets.php

@@ -9,7 +9,7 @@
  * @copyright Alexey Dotsenko
  * @author Alexey Dotsenko
  * @link http://www.phpclasses.org/browse/package/1743.html Site
- * @license LGPL License http://www.opensource.org/licenses/lgpl-license.html
+ * @license LGPL http://www.opensource.org/licenses/lgpl-license.html
  */
 
 /**
@@ -23,7 +23,7 @@
  * @copyright Alexey Dotsenko
  * @author Alexey Dotsenko
  * @link http://www.phpclasses.org/browse/package/1743.html Site
- * @license LGPL License http://www.opensource.org/licenses/lgpl-license.html
+ * @license LGPL http://www.opensource.org/licenses/lgpl-license.html
  */
 class ftp extends ftp_base {
 

wp-admin/includes/class-ftp.php

@@ -9,7 +9,7 @@
  * @copyright Alexey Dotsenko
  * @author Alexey Dotsenko
  * @link http://www.phpclasses.org/browse/package/1743.html Site
- * @license LGPL License http://www.opensource.org/licenses/lgpl-license.html
+ * @license LGPL http://www.opensource.org/licenses/lgpl-license.html
  */
 
 /**

wp-admin/includes/class-wp-comments-list-table.php

@@ -52,6 +52,8 @@ class WP_Comments_List_Table extends WP_List_Table {
 
 		$search = ( isset( $_REQUEST['s'] ) ) ? $_REQUEST['s'] : '';
 
+		$post_type = ( isset( $_REQUEST['post_type'] ) ) ? sanitize_key( $_REQUEST['post_type'] ) : '';
+
 		$user_id = ( isset( $_REQUEST['user_id'] ) ) ? $_REQUEST['user_id'] : '';
 
 		$orderby = ( isset( $_REQUEST['orderby'] ) ) ? $_REQUEST['orderby'] : '';
@@ -96,6 +98,7 @@ class WP_Comments_List_Table extends WP_List_Table {
 			'type' => $comment_type,
 			'orderby' => $orderby,
 			'order' => $order,
+			'post_type' => $post_type,
 		);
 
 		$_comments = get_comments( $args );
@@ -170,7 +173,7 @@ class WP_Comments_List_Table extends WP_List_Table {
 			/*
 			// I toyed with this, but decided against it. Leaving it in here in case anyone thinks it is a good idea. ~ Mark
 			if ( !empty( $_REQUEST['s'] ) )
-				$link = add_query_arg( 's', esc_attr( stripslashes( $_REQUEST['s'] ) ), $link );
+				$link = add_query_arg( 's', esc_attr( wp_unslash( $_REQUEST['s'] ) ), $link );
 			*/
 			$status_links[$status] = "<a href='$link'$class>" . sprintf(
 				translate_nooped_plural( $label, $num_comments->$status ),
@@ -315,7 +318,7 @@ class WP_Comments_List_Table extends WP_List_Table {
 		$this->user_can = current_user_can( 'edit_comment', $comment->comment_ID );
 
 		echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>";
-		echo $this->single_row_columns( $comment );
+		$this->single_row_columns( $comment );
 		echo "</tr>\n";
 	}
 
@@ -336,12 +339,6 @@ class WP_Comments_List_Table extends WP_List_Table {
 		$comment_url = esc_url( get_comment_link( $comment->comment_ID ) );
 		$the_comment_status = wp_get_comment_status( $comment->comment_ID );
 
-		$ptime = date( 'G', strtotime( $comment->comment_date ) );
-		if ( ( abs( time() - $ptime ) ) < DAY_IN_SECONDS )
-			$ptime = sprintf( __( '%s ago' ), human_time_diff( $ptime ) );
-		else
-			$ptime = mysql2date( __( 'Y/m/d \a\t g:i A' ), $comment->comment_date );
-
 		if ( $user_can ) {
 			$del_nonce = esc_html( '_wpnonce=' . wp_create_nonce( "delete-comment_$comment->comment_ID" ) );
 			$approve_nonce = esc_html( '_wpnonce=' . wp_create_nonce( "approve-comment_$comment->comment_ID" ) );
@@ -360,8 +357,10 @@ class WP_Comments_List_Table extends WP_List_Table {
 		echo '<div class="submitted-on">';
 		/* translators: 2: comment date, 3: comment time */
 		printf( __( 'Submitted on <a href="%1$s">%2$s at %3$s</a>' ), $comment_url,
-			/* translators: comment date format. See http://php.net/date */ get_comment_date( __( 'Y/m/d' ) ),
-			/* translators: comment time format. See http://php.net/date */ get_comment_date( get_option( 'time_format' ) ) );
+			/* translators: comment date format. See http://php.net/date */
+			get_comment_date( __( 'Y/m/d' ) ),
+			get_comment_date( get_option( 'time_format' ) )
+		);
 
 		if ( $comment->comment_parent ) {
 			$parent = get_comment( $comment->comment_parent );
@@ -456,7 +455,7 @@ class WP_Comments_List_Table extends WP_List_Table {
 			$author_url = '';
 		$author_url_display = preg_replace( '|http://(www\.)?|i', '', $author_url );
 		if ( strlen( $author_url_display ) > 50 )
-			$author_url_display = substr( $author_url_display, 0, 49 ) . '...';
+			$author_url_display = substr( $author_url_display, 0, 49 ) . '&hellip;';
 
 		echo "<strong>"; comment_author(); echo '</strong><br />';
 		if ( !empty( $author_url ) )
@@ -494,9 +493,9 @@ class WP_Comments_List_Table extends WP_List_Table {
 
 		if ( current_user_can( 'edit_post', $post->ID ) ) {
 			$post_link = "<a href='" . get_edit_post_link( $post->ID ) . "'>";
-			$post_link .= get_the_title( $post->ID ) . '</a>';
+			$post_link .= esc_html( get_the_title( $post->ID ) ) . '</a>';
 		} else {
-			$post_link = get_the_title( $post->ID );
+			$post_link = esc_html( get_the_title( $post->ID ) );
 		}
 
 		echo '<div class="response-links"><span class="post-com-count-wrapper">';

wp-admin/includes/class-wp-filesystem-base.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Base WordPress Filesystem.
+ * Base WordPress Filesystem
  *
  * @package WordPress
  * @subpackage Filesystem
@@ -9,22 +9,23 @@
 /**
  * Base WordPress Filesystem class for which Filesystem implementations extend
  *
- * @since 2.5
+ * @since 2.5.0
  */
 class WP_Filesystem_Base {
 	/**
 	 * Whether to display debug data for the connection.
 	 *
-	 * @since 2.5
 	 * @access public
+	 * @since 2.5.0
 	 * @var bool
 	 */
 	var $verbose = false;
+
 	/**
 	 * Cached list of local filepaths to mapped remote filepaths.
 	 *
-	 * @since 2.7
 	 * @access private
+	 * @since 2.7.0
 	 * @var array
 	 */
 	var $cache = array();
@@ -32,63 +33,81 @@ class WP_Filesystem_Base {
 	/**
 	 * The Access method of the current connection, Set automatically.
 	 *
-	 * @since 2.5
 	 * @access public
+	 * @since 2.5.0
 	 * @var string
 	 */
 	var $method = '';
 
 	/**
-	 * Returns the path on the remote filesystem of ABSPATH
+	 * Constructor (empty).
+	 */
+	function __construct() {}
+
+	/**
+	 * Return the path on the remote filesystem of ABSPATH.
 	 *
-	 * @since 2.7
 	 * @access public
+	 * @since 2.7.0
+	 *
 	 * @return string The location of the remote path.
 	 */
 	function abspath() {
 		$folder = $this->find_folder(ABSPATH);
-		//Perhaps the FTP folder is rooted at the WordPress install, Check for wp-includes folder in root, Could have some false positives, but rare.
+		// Perhaps the FTP folder is rooted at the WordPress install, Check for wp-includes folder in root, Could have some false positives, but rare.
 		if ( ! $folder && $this->is_dir('/wp-includes') )
 			$folder = '/';
 		return $folder;
 	}
+
 	/**
-	 * Returns the path on the remote filesystem of WP_CONTENT_DIR
+	 * Return the path on the remote filesystem of WP_CONTENT_DIR.
 	 *
-	 * @since 2.7
 	 * @access public
+	 * @since 2.7.0
+	 *
 	 * @return string The location of the remote path.
 	 */
 	function wp_content_dir() {
 		return $this->find_folder(WP_CONTENT_DIR);
 	}
+
 	/**
-	 * Returns the path on the remote filesystem of WP_PLUGIN_DIR
+	 * Return the path on the remote filesystem of WP_PLUGIN_DIR.
 	 *
-	 * @since 2.7
 	 * @access public
+	 * @since 2.7.0
 	 *
 	 * @return string The location of the remote path.
 	 */
 	function wp_plugins_dir() {
 		return $this->find_folder(WP_PLUGIN_DIR);
 	}
+
 	/**
-	 * Returns the path on the remote filesystem of the Themes Directory
+	 * Return the path on the remote filesystem of the Themes Directory.
 	 *
-	 * @since 2.7
 	 * @access public
+	 * @since 2.7.0
 	 *
+	 * @param string $theme The Theme stylesheet or template for the directory.
 	 * @return string The location of the remote path.
 	 */
-	function wp_themes_dir() {
-		return $this->wp_content_dir() . 'themes/';
+	function wp_themes_dir( $theme = false ) {
+		$theme_root = get_theme_root( $theme );
+
+		// Account for relative theme roots
+		if ( '/themes' == $theme_root || ! is_dir( $theme_root ) )
+			$theme_root = WP_CONTENT_DIR . $theme_root;
+
+		return $this->find_folder( $theme_root );
 	}
+
 	/**
-	 * Returns the path on the remote filesystem of WP_LANG_DIR
+	 * Return the path on the remote filesystem of WP_LANG_DIR.
 	 *
-	 * @since 3.2.0
 	 * @access public
+	 * @since 3.2.0
 	 *
 	 * @return string The location of the remote path.
 	 */
@@ -97,73 +116,109 @@ class WP_Filesystem_Base {
 	}
 
 	/**
-	 * Locates a folder on the remote filesystem.
+	 * Locate a folder on the remote filesystem.
 	 *
-	 * Deprecated; use WP_Filesystem::abspath() or WP_Filesystem::wp_*_dir() methods instead.
-	 *
-	 * @since 2.5
-	 * @deprecated 2.7
 	 * @access public
+	 * @since 2.5.0
+	 * @deprecated 2.7.0 use WP_Filesystem::abspath() or WP_Filesystem::wp_*_dir() instead.
+	 * @see WP_Filesystem::abspath()
+	 * @see WP_Filesystem::wp_content_dir()
+	 * @see WP_Filesystem::wp_plugins_dir()
+	 * @see WP_Filesystem::wp_themes_dir()
+	 * @see WP_Filesystem::wp_lang_dir()
 	 *
-	 * @param string $base The folder to start searching from
-	 * @param bool $echo True to display debug information
+	 * @param string $base The folder to start searching from.
+	 * @param bool   $echo True to display debug information.
+	 *                     Default false.
 	 * @return string The location of the remote path.
 	 */
-	function find_base_dir($base = '.', $echo = false) {
-		_deprecated_function(__FUNCTION__, '2.7', 'WP_Filesystem::abspath() or WP_Filesystem::wp_*_dir()' );
-		$this->verbose = $echo;
-		return $this->abspath();
-	}
-	/**
-	 * Locates a folder on the remote filesystem.
-	 *
-	 * Deprecated; use WP_Filesystem::abspath() or WP_Filesystem::wp_*_dir() methods instead.
-	 *
-	 * @since 2.5
-	 * @deprecated 2.7
-	 * @access public
-	 *
-	 * @param string $base The folder to start searching from
-	 * @param bool $echo True to display debug information
-	 * @return string The location of the remote path.
-	 */
-	function get_base_dir($base = '.', $echo = false) {
+	function find_base_dir( $base = '.', $echo = false ) {
 		_deprecated_function(__FUNCTION__, '2.7', 'WP_Filesystem::abspath() or WP_Filesystem::wp_*_dir()' );
 		$this->verbose = $echo;
 		return $this->abspath();
 	}
 
 	/**
-	 * Locates a folder on the remote filesystem.
+	 * Locate a folder on the remote filesystem.
 	 *
-	 * Assumes that on Windows systems, Stripping off the Drive letter is OK
-	 * Sanitizes \\ to / in windows filepaths.
-	 *
-	 * @since 2.7
 	 * @access public
+	 * @since 2.5.0
+	 * @deprecated 2.7.0 use WP_Filesystem::abspath() or WP_Filesystem::wp_*_dir() methods instead.
+	 * @see WP_Filesystem::abspath()
+	 * @see WP_Filesystem::wp_content_dir()
+	 * @see WP_Filesystem::wp_plugins_dir()
+	 * @see WP_Filesystem::wp_themes_dir()
+	 * @see WP_Filesystem::wp_lang_dir()
 	 *
-	 * @param string $folder the folder to locate
+	 * @param string $base The folder to start searching from.
+	 * @param bool   $echo True to display debug information.
 	 * @return string The location of the remote path.
 	 */
-	function find_folder($folder) {
+	function get_base_dir( $base = '.', $echo = false ) {
+		_deprecated_function(__FUNCTION__, '2.7', 'WP_Filesystem::abspath() or WP_Filesystem::wp_*_dir()' );
+		$this->verbose = $echo;
+		return $this->abspath();
+	}
 
-		if ( strpos($this->method, 'ftp') !== false ) {
-			$constant_overrides = array( 'FTP_BASE' => ABSPATH, 'FTP_CONTENT_DIR' => WP_CONTENT_DIR, 'FTP_PLUGIN_DIR' => WP_PLUGIN_DIR, 'FTP_LANG_DIR' => WP_LANG_DIR );
-			foreach ( $constant_overrides as $constant => $dir )
-				if ( defined($constant) && $folder === $dir )
-					return trailingslashit(constant($constant));
+	/**
+	 * Locate a folder on the remote filesystem.
+	 *
+	 * Assumes that on Windows systems, Stripping off the Drive
+	 * letter is OK Sanitizes \\ to / in windows filepaths.
+	 *
+	 * @access public
+	 * @since 2.7.0
+	 *
+	 * @param string $folder the folder to locate.
+	 * @return string The location of the remote path.
+	 */
+	function find_folder( $folder ) {
+
+		if ( isset( $this->cache[ $folder ] ) )
+			return $this->cache[ $folder ];
+
+		if ( stripos($this->method, 'ftp') !== false ) {
+			$constant_overrides = array(
+				'FTP_BASE' => ABSPATH,
+				'FTP_CONTENT_DIR' => WP_CONTENT_DIR,
+				'FTP_PLUGIN_DIR' => WP_PLUGIN_DIR,
+				'FTP_LANG_DIR' => WP_LANG_DIR
+			);
+
+			// Direct matches ( folder = CONSTANT/ )
+			foreach ( $constant_overrides as $constant => $dir ) {
+				if ( ! defined( $constant ) )
+					continue;
+				if ( $folder === $dir )
+					return trailingslashit( constant( $constant ) );
+			}
+
+			// Prefix Matches ( folder = CONSTANT/subdir )
+			foreach ( $constant_overrides as $constant => $dir ) {
+				if ( ! defined( $constant ) )
+					continue;
+				if ( 0 === stripos( $folder, $dir ) ) { // $folder starts with $dir
+					$potential_folder = preg_replace( '#^' . preg_quote( $dir, '#' ) . '/#i', trailingslashit( constant( $constant ) ), $folder );
+					$potential_folder = trailingslashit( $potential_folder );
+
+					if ( $this->is_dir( $potential_folder ) ) {
+						$this->cache[ $folder ] = $potential_folder;
+						return $potential_folder;
+					}
+				}
+			}
 		} elseif ( 'direct' == $this->method ) {
-			$folder = str_replace('\\', '/', $folder); //Windows path sanitisation
+			$folder = str_replace('\\', '/', $folder); // Windows path sanitisation
 			return trailingslashit($folder);
 		}
 
-		$folder = preg_replace('|^([a-z]{1}):|i', '', $folder); //Strip out windows drive letter if it's there.
-		$folder = str_replace('\\', '/', $folder); //Windows path sanitisation
+		$folder = preg_replace('|^([a-z]{1}):|i', '', $folder); // Strip out windows drive letter if it's there.
+		$folder = str_replace('\\', '/', $folder); // Windows path sanitisation
 
 		if ( isset($this->cache[ $folder ] ) )
 			return $this->cache[ $folder ];
 
-		if ( $this->exists($folder) ) { //Folder exists at that absolute path.
+		if ( $this->exists($folder) ) { // Folder exists at that absolute path.
 			$folder = trailingslashit($folder);
 			$this->cache[ $folder ] = $folder;
 			return $folder;
@@ -174,43 +229,47 @@ class WP_Filesystem_Base {
 	}
 
 	/**
-	 * Locates a folder on the remote filesystem.
+	 * Locate a folder on the remote filesystem.
 	 *
-	 * Expects Windows sanitized path
+	 * Expects Windows sanitized path.
 	 *
-	 * @since 2.7
 	 * @access private
+	 * @since 2.7.0
 	 *
-	 * @param string $folder the folder to locate
-	 * @param string $base the folder to start searching from
-	 * @param bool $loop if the function has recursed, Internal use only
+	 * @param string $folder The folder to locate.
+	 * @param string $base   The folder to start searching from.
+	 * @param bool   $loop   If the function has recursed, Internal use only.
 	 * @return string The location of the remote path.
 	 */
-	function search_for_folder($folder, $base = '.', $loop = false ) {
+	function search_for_folder( $folder, $base = '.', $loop = false ) {
 		if ( empty( $base ) || '.' == $base )
 			$base = trailingslashit($this->cwd());
 
 		$folder = untrailingslashit($folder);
 
+		if ( $this->verbose )
+			printf( "\n" . __('Looking for %1$s in %2$s') . "<br/>\n", $folder, $base );
+
 		$folder_parts = explode('/', $folder);
-		$last_index = array_pop( array_keys( $folder_parts ) );
+		$folder_part_keys = array_keys( $folder_parts );
+		$last_index = array_pop( $folder_part_keys );
 		$last_path = $folder_parts[ $last_index ];
 
 		$files = $this->dirlist( $base );
 
 		foreach ( $folder_parts as $index => $key ) {
 			if ( $index == $last_index )
-				continue; //We want this to be caught by the next code block.
+				continue; // We want this to be caught by the next code block.
 
-			//Working from /home/ to /user/ to /wordpress/ see if that file exists within the current folder,
-			// If its found, change into it and follow through looking for it.
+			// Working from /home/ to /user/ to /wordpress/ see if that file exists within the current folder,
+			// If it's found, change into it and follow through looking for it.
 			// If it cant find WordPress down that route, it'll continue onto the next folder level, and see if that matches, and so on.
 			// If it reaches the end, and still cant find it, it'll return false for the entire function.
 			if ( isset($files[ $key ]) ){
-				//Lets try that folder:
+				// Lets try that folder:
 				$newdir = trailingslashit(path_join($base, $key));
 				if ( $this->verbose )
-					printf( __('Changing to %s') . '<br/>', $newdir );
+					printf( "\n" . __('Changing to %s') . "<br/>\n", $newdir );
 				// only search for the remaining path tokens in the directory, not the full path again
 				$newfolder = implode( '/', array_slice( $folder_parts, $index + 1 ) );
 				if ( $ret = $this->search_for_folder( $newfolder, $newdir, $loop) )
@@ -218,32 +277,38 @@ class WP_Filesystem_Base {
 			}
 		}
 
-		//Only check this as a last resort, to prevent locating the incorrect install. All above procedures will fail quickly if this is the right branch to take.
+		// Only check this as a last resort, to prevent locating the incorrect install. All above procedures will fail quickly if this is the right branch to take.
 		if (isset( $files[ $last_path ] ) ) {
 			if ( $this->verbose )
-				printf( __('Found %s') . '<br/>',  $base . $last_path );
+				printf( "\n" . __('Found %s') . "<br/>\n",  $base . $last_path );
 			return trailingslashit($base . $last_path);
 		}
-		if ( $loop )
-			return false; //Prevent this function from looping again.
-		//As an extra last resort, Change back to / if the folder wasn't found. This comes into effect when the CWD is /home/user/ but WP is at /var/www/.... mainly dedicated setups.
-		return $this->search_for_folder($folder, '/', true);
+
+		// Prevent this function from looping again.
+		// No need to proceed if we've just searched in /
+		if ( $loop || '/' == $base )
+			return false;
+
+		// As an extra last resort, Change back to / if the folder wasn't found.
+		// This comes into effect when the CWD is /home/user/ but WP is at /var/www/....
+		return $this->search_for_folder( $folder, '/', true );
 
 	}
 
 	/**
-	 * Returns the *nix style file permissions for a file
+	 * Return the *nix-style file permissions for a file.
 	 *
-	 * From the PHP documentation page for fileperms()
+	 * From the PHP documentation page for fileperms().
 	 *
 	 * @link http://docs.php.net/fileperms
-	 * @since 2.5
-	 * @access public
 	 *
-	 * @param string $file string filename
-	 * @return int octal representation of permissions
+	 * @access public
+	 * @since 2.5.0
+	 *
+	 * @param string $file String filename.
+	 * @return string The *nix-style representation of permissions.
 	 */
-	function gethchmod($file){
+	function gethchmod( $file ){
 		$perms = $this->getchmod($file);
 		if (($perms & 0xC000) == 0xC000) // Socket
 			$info = 's';
@@ -286,19 +351,20 @@ class WP_Filesystem_Base {
 	}
 
 	/**
-	 * Converts *nix style file permissions to a octal number.
+	 * Convert *nix-style file permissions to a octal number.
 	 *
 	 * Converts '-rw-r--r--' to 0644
 	 * From "info at rvgate dot nl"'s comment on the PHP documentation for chmod()
  	 *
 	 * @link http://docs.php.net/manual/en/function.chmod.php#49614
-	 * @since 2.5
-	 * @access public
 	 *
-	 * @param string $mode string *nix style file permission
+	 * @access public
+	 * @since 2.5.0
+	 *
+	 * @param string $mode string The *nix-style file permission.
 	 * @return int octal representation
 	 */
-	function getnumchmodfromh($mode) {
+	function getnumchmodfromh( $mode ) {
 		$realmode = '';
 		$legal =  array('', 'w', 'r', 'x', '-');
 		$attarray = preg_split('//', $mode);
@@ -319,15 +385,379 @@ class WP_Filesystem_Base {
 	}
 
 	/**
-	 * Determines if the string provided contains binary characters.
+	 * Determine if the string provided contains binary characters.
 	 *
-	 * @since 2.7
 	 * @access private
+	 * @since 2.7.0
 	 *
-	 * @param string $text String to test against
-	 * @return bool true if string is binary, false otherwise
+	 * @param string $text String to test against.
+	 * @return bool true if string is binary, false otherwise.
 	 */
 	function is_binary( $text ) {
-		return (bool) preg_match('|[^\x20-\x7E]|', $text); //chr(32)..chr(127)
+		return (bool) preg_match( '|[^\x20-\x7E]|', $text ); // chr(32)..chr(127)
 	}
-}
+
+	/**
+	 * Change the ownership of a file / folder.
+	 *
+	 * Default behavior is to do nothing, override this in your subclass, if desired.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file      Path to the file.
+	 * @param mixed  $owner     A user name or number.
+	 * @param bool   $recursive Optional. If set True changes file owner recursivly. Defaults to False.
+	 * @return bool Returns true on success or false on failure.
+	 */
+	function chown( $file, $owner, $recursive = false ) {
+		return false;
+	}
+
+	/**
+	 * Connect filesystem.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @return bool True on success or false on failure (always true for WP_Filesystem_Direct).
+	 */
+	function connect() {
+		return true;
+	}
+
+	/**
+	 * Read entire file into a string.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file Name of the file to read.
+	 * @return string|bool Returns the read data or false on failure.
+	 */
+	function get_contents( $file ) {
+		return false;
+	}
+
+	/**
+	 * Read entire file into an array.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file Path to the file.
+	 * @return array|bool the file contents in an array or false on failure.
+	 */
+	function get_contents_array( $file ) {
+		return false;
+	}
+
+	/**
+	 * Write a string to a file.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file     Remote path to the file where to write the data.
+	 * @param string $contents The data to write.
+	 * @param int    $mode     Optional. The file permissions as octal number, usually 0644.
+	 * @return bool False on failure.
+	 */
+	function put_contents( $file, $contents, $mode = false ) {
+		return false;
+	}
+
+	/**
+	 * Get the current working directory.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @return string|bool The current working directory on success, or false on failure.
+	 */
+	function cwd() {
+		return false;
+	}
+
+	/**
+	 * Change current directory.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $dir The new current directory.
+	 * @return bool Returns true on success or false on failure.
+	 */
+	function chdir( $dir ) {
+		return false;
+	}
+
+	/**
+	 * Change the file group.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file      Path to the file.
+	 * @param mixed  $group     A group name or number.
+	 * @param bool   $recursive Optional. If set True changes file group recursively. Defaults to False.
+	 * @return bool Returns true on success or false on failure.
+	 */
+	function chgrp( $file, $group, $recursive = false ) {
+		return false;
+	}
+
+	/**
+	 * Change filesystem permissions.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file      Path to the file.
+	 * @param int    $mode      Optional. The permissions as octal number, usually 0644 for files, 0755 for dirs.
+	 * @param bool   $recursive Optional. If set True changes file group recursively. Defaults to False.
+	 * @return bool Returns true on success or false on failure.
+	 */
+	function chmod( $file, $mode = false, $recursive = false ) {
+		return false;
+	}
+
+	/**
+	 * Get the file owner.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file Path to the file.
+	 * @return string|bool Username of the user or false on error.
+	 */
+	function owner( $file ) {
+		return false;
+	}
+
+	/**
+	 * Get the file's group.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file Path to the file.
+	 * @return string|bool The group or false on error.
+	 */
+	function group( $file ) {
+		return false;
+	}
+
+	/**
+	 * Copy a file.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $source      Path to the source file.
+	 * @param string $destination Path to the destination file.
+	 * @param bool   $overwrite   Optional. Whether to overwrite the destination file if it exists.
+	 *                            Default false.
+	 * @param int    $mode        Optional. The permissions as octal number, usually 0644 for files, 0755 for dirs.
+	 *                            Default false.
+	 * @return bool True if file copied successfully, False otherwise.
+	 */
+	function copy( $source, $destination, $overwrite = false, $mode = false ) {
+		return false;
+	}
+
+	/**
+	 * Move a file.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $source      Path to the source file.
+	 * @param string $destination Path to the destination file.
+	 * @param bool   $overwrite   Optional. Whether to overwrite the destination file if it exists.
+	 *                            Default false.
+	 * @return bool True if file copied successfully, False otherwise.
+	 */
+	function move( $source, $destination, $overwrite = false ) {
+		return false;
+	}
+
+	/**
+	 * Delete a file or directory.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file      Path to the file.
+	 * @param bool   $recursive Optional. If set True changes file group recursively. Defaults to False.
+	 *                          Default false.
+	 * @param bool   $type      Type of resource. 'f' for file, 'd' for directory.
+	 *                          Default false.
+	 * @return bool True if the file or directory was deleted, false on failure.
+	 */
+	function delete( $file, $recursive = false, $type = false ) {
+		return false;
+	}
+
+	/**
+	 * Check if a file or directory exists.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file Path to file/directory.
+	 * @return bool Whether $file exists or not.
+	 */
+	function exists( $file ) {
+		return false;
+	}
+
+	/**
+	 * Check if resource is a file.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file File path.
+	 * @return bool Whether $file is a file.
+	 */
+	function is_file( $file ) {
+		return false;
+	}
+
+	/**
+	 * Check if resource is a directory.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $path Directory path.
+	 * @return bool Whether $path is a directory.
+	 */
+	function is_dir( $path ) {
+		return false;
+	}
+
+	/**
+	 * Check if a file is readable.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file Path to file.
+	 * @return bool Whether $file is readable.
+	 */
+	function is_readable( $file ) {
+		return false;
+	}
+
+	/**
+	 * Check if a file or directory is writable.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $path Path to file/directory.
+	 * @return bool Whether $file is writable.
+	 */
+	function is_writable( $file ) {
+		return false;
+	}
+
+	/**
+	 * Gets the file's last access time.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file Path to file.
+	 * @return int Unix timestamp representing last access time.
+	 */
+	function atime( $file ) {
+		return false;
+	}
+
+	/**
+	 * Gets the file modification time.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file Path to file.
+	 * @return int Unix timestamp representing modification time.
+	 */
+	function mtime( $file ) {
+		return false;
+	}
+
+	/**
+	 * Gets the file size (in bytes).
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file Path to file.
+	 * @return int Size of the file in bytes.
+	 */
+	function size( $file ) {
+		return false;
+	}
+
+	/**
+	 * Set the access and modification times of a file.
+	 *
+	 * Note: If $file doesn't exist, it will be created.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $file  Path to file.
+	 * @param int    $time  Optional. Modified time to set for file.
+	 *                      Default 0.
+	 * @param int    $atime Optional. Access time to set for file.
+	 *                      Default 0.
+	 * @return bool Whether operation was successful or not.
+	 */
+	function touch( $file, $time = 0, $atime = 0 ) {
+		return false;
+	}
+
+	/**
+	 * Create a directory.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $path  Path for new directory.
+	 * @param mixed  $chmod Optional. The permissions as octal number, (or False to skip chmod)
+	 *                      Default false.
+	 * @param mixed  $chown Optional. A user name or number (or False to skip chown)
+	 *                      Default false.
+	 * @param mixed  $chgrp Optional. A group name or number (or False to skip chgrp).
+	 *                      Default false.
+	 * @return bool False if directory cannot be created, true otherwise.
+	 */
+	function mkdir( $path, $chmod = false, $chown = false, $chgrp = false ) {
+		return false;
+	}
+
+	/**
+	 * Delete a directory.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $path      Path to directory.
+	 * @param bool   $recursive Optional. Whether to recursively remove files/directories.
+	 *                          Default false.
+	 * @return bool Whether directory is deleted successfully or not.
+	 */
+	function rmdir( $path, $recursive = false ) {
+		return false;
+	}
+
+	/**
+	 * Get details for files in a directory or a specific file.
+	 *
+	 * @since 2.5.0
+	 *
+	 * @param string $path           Path to directory or file.
+	 * @param bool   $include_hidden Optional. Whether to include details of hidden ("." prefixed) files.
+	 *                               Default true.
+	 * @param bool   $recursive      Optional. Whether to recursively include file details in nested directories.
+	 *                               Default false.
+	 * @return array|bool {
+	 *     Array of files. False if unable to list directory contents.
+	 *
+	 *     @type string 'name'        Name of the file/directory.
+	 *     @type string 'perms'       *nix representation of permissions.
+	 *     @type int    'permsn'      Octal representation of permissions.
+	 *     @type string 'owner'       Owner name or ID.
+	 *     @type int    'size'        Size of file in bytes.
+	 *     @type int    'lastmodunix' Last modified unix timestamp.
+	 *     @type mixed  'lastmod'     Last modified month (3 letter) and day (without leading 0).
+	 *     @type int    'time'        Last modified time.
+	 *     @type string 'type'        Type of resource. 'f' for file, 'd' for directory.
+	 *     @type mixed  'files'       If a directory and $recursive is true, contains another array of files.
+	 * }
+	 */
+	function dirlist( $path, $include_hidden = true, $recursive = false ) {
+		return false;
+	}
+
+} // WP_Filesystem_Base

wp-admin/includes/class-wp-filesystem-direct.php

@@ -15,7 +15,7 @@
  * @uses WP_Filesystem_Base Extends class
  */
 class WP_Filesystem_Direct extends WP_Filesystem_Base {
-	var $errors = null;
+
 	/**
 	 * constructor
 	 *
@@ -25,14 +25,7 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 		$this->method = 'direct';
 		$this->errors = new WP_Error();
 	}
-	/**
-	 * connect filesystem.
-	 *
-	 * @return bool Returns true on success or false on failure (always true for WP_Filesystem_Direct).
-	 */
-	function connect() {
-		return true;
-	}
+
 	/**
 	 * Reads entire file into a string
 	 *
@@ -42,6 +35,7 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 	function get_contents($file) {
 		return @file_get_contents($file);
 	}
+
 	/**
 	 * Reads entire file into an array
 	 *
@@ -51,6 +45,7 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 	function get_contents_array($file) {
 		return @file($file);
 	}
+
 	/**
 	 * Write a string to a file
 	 *
@@ -59,14 +54,29 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 	 * @param int $mode (optional) The file permissions as octal number, usually 0644.
 	 * @return bool False upon failure.
 	 */
-	function put_contents($file, $contents, $mode = false ) {
-		if ( ! ($fp = @fopen($file, 'w')) )
+	function put_contents( $file, $contents, $mode = false ) {
+		$fp = @fopen( $file, 'wb' );
+		if ( ! $fp )
 			return false;
-		@fwrite($fp, $contents);
-		@fclose($fp);
-		$this->chmod($file, $mode);
+
+		mbstring_binary_safe_encoding();
+
+		$data_length = strlen( $contents );
+
+		$bytes_written = fwrite( $fp, $contents );
+
+		reset_mbstring_encoding();
+
+		fclose( $fp );
+
+		if ( $data_length !== $bytes_written )
+			return false;
+
+		$this->chmod( $file, $mode );
+
 		return true;
 	}
+
 	/**
 	 * Gets the current working directory
 	 *
@@ -75,6 +85,7 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 	function cwd() {
 		return @getcwd();
 	}
+
 	/**
 	 * Change directory
 	 *
@@ -84,6 +95,7 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 	function chdir($dir) {
 		return @chdir($dir);
 	}
+
 	/**
 	 * Changes file group
 	 *
@@ -99,7 +111,7 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 			return @chgrp($file, $group);
 		if ( ! $this->is_dir($file) )
 			return @chgrp($file, $group);
-		//Is a directory, and we want recursive
+		// Is a directory, and we want recursive
 		$file = trailingslashit($file);
 		$filelist = $this->dirlist($file);
 		foreach ($filelist as $filename)
@@ -107,6 +119,7 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 
 		return true;
 	}
+
 	/**
 	 * Changes filesystem permissions
 	 *
@@ -127,7 +140,7 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 
 		if ( ! $recursive || ! $this->is_dir($file) )
 			return @chmod($file, $mode);
-		//Is a directory, and we want recursive
+		// Is a directory, and we want recursive
 		$file = trailingslashit($file);
 		$filelist = $this->dirlist($file);
 		foreach ( (array)$filelist as $filename => $filemeta)
@@ -135,6 +148,7 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 
 		return true;
 	}
+
 	/**
 	 * Changes file owner
 	 *
@@ -150,18 +164,19 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 			return @chown($file, $owner);
 		if ( ! $this->is_dir($file) )
 			return @chown($file, $owner);
-		//Is a directory, and we want recursive
+		// Is a directory, and we want recursive
 		$filelist = $this->dirlist($file);
 		foreach ($filelist as $filename) {
 			$this->chown($file . '/' . $filename, $owner, $recursive);
 		}
 		return true;
 	}
+
 	/**
 	 * Gets file owner
 	 *
 	 * @param string $file Path to the file.
-	 * @return string Username of the user.
+	 * @return string|bool Username of the user or false on error.
 	 */
 	function owner($file) {
 		$owneruid = @fileowner($file);
@@ -172,6 +187,7 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 		$ownerarray = posix_getpwuid($owneruid);
 		return $ownerarray['name'];
 	}
+
 	/**
 	 * Gets file permissions
 	 *
@@ -183,6 +199,7 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 	function getchmod($file) {
 		return substr(decoct(@fileperms($file)),3);
 	}
+
 	function group($file) {
 		$gid = @filegroup($file);
 		if ( ! $gid )
@@ -220,27 +237,30 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 	}
 
 	function delete($file, $recursive = false, $type = false) {
-		if ( empty($file) ) //Some filesystems report this as /, which can cause non-expected recursive deletion of all files in the filesystem.
+		if ( empty( $file ) ) // Some filesystems report this as /, which can cause non-expected recursive deletion of all files in the filesystem.
 			return false;
-		$file = str_replace('\\', '/', $file); //for win32, occasional problems deleting files otherwise
+		$file = str_replace( '\\', '/', $file ); // for win32, occasional problems deleting files otherwise
 
 		if ( 'f' == $type || $this->is_file($file) )
 			return @unlink($file);
 		if ( ! $recursive && $this->is_dir($file) )
 			return @rmdir($file);
 
-		//At this point its a folder, and we're in recursive mode
+		// At this point it's a folder, and we're in recursive mode
 		$file = trailingslashit($file);
 		$filelist = $this->dirlist($file, true);
 
 		$retval = true;
-		if ( is_array($filelist) ) //false if no files, So check first.
-			foreach ($filelist as $filename => $fileinfo)
+		if ( is_array( $filelist ) ) {
+			foreach ( $filelist as $filename => $fileinfo ) {
 				if ( ! $this->delete($file . $filename, $recursive, $fileinfo['type']) )
 					$retval = false;
+			}
+		}
 
 		if ( file_exists($file) && ! @rmdir($file) )
 			$retval = false;
+
 		return $retval;
 	}
 
@@ -271,6 +291,7 @@ class WP_Filesystem_Direct extends WP_Filesystem_Base {
 	function mtime($file) {
 		return @filemtime($file);
 	}
+
 	function size($file) {
 		return @filesize($file);
 	}

wp-admin/includes/class-wp-filesystem-ftpext.php

@@ -23,14 +23,13 @@ class WP_Filesystem_FTPext extends WP_Filesystem_Base {
 		$this->method = 'ftpext';
 		$this->errors = new WP_Error();
 
-		//Check if possible to use ftp functions.
+		// Check if possible to use ftp functions.
 		if ( ! extension_loaded('ftp') ) {
 			$this->errors->add('no_ftp_ext', __('The ftp PHP extension is not available'));
 			return false;
 		}
 
-		// Set defaults:
-		//This Class uses the timeout on a per-connection basis, Others use it on a per-action basis.
+		// This Class uses the timeout on a per-connection basis, Others use it on a per-action basis.
 
 		if ( ! defined('FS_TIMEOUT') )
 			define('FS_TIMEOUT', 240);
@@ -80,7 +79,7 @@ class WP_Filesystem_FTPext extends WP_Filesystem_Base {
 			return false;
 		}
 
-		//Set the Connection to use Passive FTP
+		// Set the Connection to use Passive FTP
 		@ftp_pasv( $this->link, true );
 		if ( @ftp_get_option($this->link, FTP_TIMEOUT_SEC) < FS_TIMEOUT )
 			@ftp_set_option($this->link, FTP_TIMEOUT_SEC, FS_TIMEOUT);
@@ -88,20 +87,17 @@ class WP_Filesystem_FTPext extends WP_Filesystem_Base {
 		return true;
 	}
 
-	function get_contents($file, $type = '', $resumepos = 0 ) {
-		if ( empty($type) )
-			$type = FTP_BINARY;
-
+	function get_contents( $file ) {
 		$tempfile = wp_tempnam($file);
 		$temp = fopen($tempfile, 'w+');
 
 		if ( ! $temp )
 			return false;
 
-		if ( ! @ftp_fget($this->link, $temp, $file, $type, $resumepos) )
+		if ( ! @ftp_fget($this->link, $temp, $file, FTP_BINARY ) )
 			return false;
 
-		fseek($temp, 0); //Skip back to the start of the file being written to
+		fseek( $temp, 0 ); // Skip back to the start of the file being written to
 		$contents = '';
 
 		while ( ! feof($temp) )
@@ -111,21 +107,33 @@ class WP_Filesystem_FTPext extends WP_Filesystem_Base {
 		unlink($tempfile);
 		return $contents;
 	}
+
 	function get_contents_array($file) {
 		return explode("\n", $this->get_contents($file));
 	}
 
 	function put_contents($file, $contents, $mode = false ) {
 		$tempfile = wp_tempnam($file);
-		$temp = fopen($tempfile, 'w+');
+		$temp = fopen( $tempfile, 'wb+' );
 		if ( ! $temp )
 			return false;
 
-		fwrite($temp, $contents);
-		fseek($temp, 0); //Skip back to the start of the file being written to
+		mbstring_binary_safe_encoding();
 
-		$type = $this->is_binary($contents) ? FTP_BINARY : FTP_ASCII;
-		$ret = @ftp_fput($this->link, $file, $temp, $type);
+		$data_length = strlen( $contents );
+		$bytes_written = fwrite( $temp, $contents );
+
+		reset_mbstring_encoding();
+
+		if ( $data_length !== $bytes_written ) {
+			fclose( $temp );
+			unlink( $tempfile );
+			return false;
+		}
+
+		fseek( $temp, 0 ); // Skip back to the start of the file being written to
+
+		$ret = @ftp_fput( $this->link, $file, $temp, FTP_BINARY );
 
 		fclose($temp);
 		unlink($tempfile);
@@ -134,18 +142,22 @@ class WP_Filesystem_FTPext extends WP_Filesystem_Base {
 
 		return $ret;
 	}
+
 	function cwd() {
 		$cwd = @ftp_pwd($this->link);
 		if ( $cwd )
 			$cwd = trailingslashit($cwd);
 		return $cwd;
 	}
+
 	function chdir($dir) {
 		return @ftp_chdir($this->link, $dir);
 	}
+
 	function chgrp($file, $group, $recursive = false ) {
 		return false;
 	}
+
 	function chmod($file, $mode = false, $recursive = false) {
 		if ( ! $mode ) {
 			if ( $this->is_file($file) )
@@ -168,29 +180,31 @@ class WP_Filesystem_FTPext extends WP_Filesystem_Base {
 			return (bool)@ftp_site($this->link, sprintf('CHMOD %o %s', $mode, $file));
 		return (bool)@ftp_chmod($this->link, $mode, $file);
 	}
-	function chown($file, $owner, $recursive = false ) {
-		return false;
-	}
+
 	function owner($file) {
 		$dir = $this->dirlist($file);
 		return $dir[$file]['owner'];
 	}
+
 	function getchmod($file) {
 		$dir = $this->dirlist($file);
 		return $dir[$file]['permsn'];
 	}
+
 	function group($file) {
 		$dir = $this->dirlist($file);
 		return $dir[$file]['group'];
 	}
+
 	function copy($source, $destination, $overwrite = false, $mode = false) {
 		if ( ! $overwrite && $this->exists($destination) )
 			return false;
 		$content = $this->get_contents($source);
-		if ( false === $content)
+		if ( false === $content )
 			return false;
 		return $this->put_contents($destination, $content, $mode);
 	}
+
 	function move($source, $destination, $overwrite = false) {
 		return ftp_rename($this->link, $source, $destination);
 	}
@@ -214,9 +228,11 @@ class WP_Filesystem_FTPext extends WP_Filesystem_Base {
 		$list = @ftp_nlist($this->link, $file);
 		return !empty($list); //empty list = no file, so invert.
 	}
+
 	function is_file($file) {
 		return $this->exists($file) && !$this->is_dir($file);
 	}
+
 	function is_dir($path) {
 		$cwd = $this->cwd();
 		$result = @ftp_chdir($this->link, trailingslashit($path) );
@@ -226,26 +242,31 @@ class WP_Filesystem_FTPext extends WP_Filesystem_Base {
 		}
 		return false;
 	}
+
 	function is_readable($file) {
-		//Get dir list, Check if the file is readable by the current user??
 		return true;
 	}
+
 	function is_writable($file) {
-		//Get dir list, Check if the file is writable by the current user??
 		return true;
 	}
+
 	function atime($file) {
 		return false;
 	}
+
 	function mtime($file) {
 		return ftp_mdtm($this->link, $file);
 	}
+
 	function size($file) {
 		return ftp_size($this->link, $file);
 	}
+
 	function touch($file, $time = 0, $atime = 0) {
 		return false;
 	}
+
 	function mkdir($path, $chmod = false, $chown = false, $chgrp = false) {
 		$path = untrailingslashit($path);
 		if ( empty($path) )
@@ -260,6 +281,7 @@ class WP_Filesystem_FTPext extends WP_Filesystem_Base {
 			$this->chgrp($path, $chgrp);
 		return true;
 	}
+
 	function rmdir($path, $recursive = false) {
 		return $this->delete($path, $recursive);
 	}

wp-admin/includes/class-wp-filesystem-ftpsockets.php

@@ -23,12 +23,11 @@ class WP_Filesystem_ftpsockets extends WP_Filesystem_Base {
 		$this->method = 'ftpsockets';
 		$this->errors = new WP_Error();
 
-		//Check if possible to use ftp functions.
+		// Check if possible to use ftp functions.
 		if ( ! @include_once ABSPATH . 'wp-admin/includes/class-ftp.php' )
 				return false;
 		$this->ftp = new ftp();
 
-		//Set defaults:
 		if ( empty($opt['port']) )
 			$this->options['port'] = 21;
 		else
@@ -75,32 +74,35 @@ class WP_Filesystem_ftpsockets extends WP_Filesystem_Base {
 			return false;
 		}
 
-		$this->ftp->SetType(FTP_AUTOASCII);
-		$this->ftp->Passive(true);
-		$this->ftp->setTimeout(FS_TIMEOUT);
+		$this->ftp->SetType( FTP_BINARY );
+		$this->ftp->Passive( true );
+		$this->ftp->setTimeout( FS_TIMEOUT );
 		return true;
 	}
 
-	function get_contents($file, $type = '', $resumepos = 0) {
+	function get_contents( $file ) {
 		if ( ! $this->exists($file) )
 			return false;
 
-		if ( empty($type) )
-			$type = FTP_AUTOASCII;
-		$this->ftp->SetType($type);
-
 		$temp = wp_tempnam( $file );
 
 		if ( ! $temphandle = fopen($temp, 'w+') )
 			return false;
 
+		mbstring_binary_safe_encoding();
+
 		if ( ! $this->ftp->fget($temphandle, $file) ) {
 			fclose($temphandle);
 			unlink($temp);
-			return ''; //Blank document, File does exist, Its just blank.
+
+			reset_mbstring_encoding();
+
+			return ''; // Blank document, File does exist, It's just blank.
 		}
 
-		fseek($temphandle, 0); //Skip back to the start of the file being written to
+		reset_mbstring_encoding();
+
+		fseek( $temphandle, 0 ); // Skip back to the start of the file being written to
 		$contents = '';
 
 		while ( ! feof($temphandle) )
@@ -122,14 +124,25 @@ class WP_Filesystem_ftpsockets extends WP_Filesystem_Base {
 			return false;
 		}
 
-		fwrite($temphandle, $contents);
-		fseek($temphandle, 0); //Skip back to the start of the file being written to
+		// The FTP class uses string functions internally during file download/upload
+		mbstring_binary_safe_encoding();
 
-		$type = $this->is_binary($contents) ? FTP_BINARY : FTP_ASCII;
-		$this->ftp->SetType($type);
+		$bytes_written = fwrite( $temphandle, $contents );
+		if ( false === $bytes_written || $bytes_written != strlen( $contents ) ) {
+			fclose( $temphandle );
+			unlink( $temp );
+
+			reset_mbstring_encoding();
+
+			return false;
+		}
+
+		fseek( $temphandle, 0 ); // Skip back to the start of the file being written to
 
 		$ret = $this->ftp->fput($file, $temphandle);
 
+		reset_mbstring_encoding();
+
 		fclose($temphandle);
 		unlink($temp);
 
@@ -174,10 +187,6 @@ class WP_Filesystem_ftpsockets extends WP_Filesystem_Base {
 		return $this->ftp->chmod($file, $mode);
 	}
 
-	function chown($file, $owner, $recursive = false ) {
-		return false;
-	}
-
 	function owner($file) {
 		$dir = $this->dirlist($file);
 		return $dir[$file]['owner'];
@@ -219,8 +228,10 @@ class WP_Filesystem_ftpsockets extends WP_Filesystem_Base {
 		return $this->ftp->mdel($file);
 	}
 
-	function exists($file) {
-		return $this->ftp->is_exists($file);
+	function exists( $file ) {
+		$list = $this->ftp->nlist( $file );
+		return !empty( $list ); //empty list = no file, so invert.
+		// return $this->ftp->is_exists($file); has issues with ABOR+426 responses on the ncFTPd server
 	}
 
 	function is_file($file) {
@@ -241,12 +252,10 @@ class WP_Filesystem_ftpsockets extends WP_Filesystem_Base {
 	}
 
 	function is_readable($file) {
-		//Get dir list, Check if the file is writable by the current user??
 		return true;
 	}
 
 	function is_writable($file) {
-		//Get dir list, Check if the file is writable by the current user??
 		return true;
 	}
 
@@ -295,9 +304,15 @@ class WP_Filesystem_ftpsockets extends WP_Filesystem_Base {
 			$limit_file = false;
 		}
 
+		mbstring_binary_safe_encoding();
+
 		$list = $this->ftp->dirlist($path);
-		if ( empty($list) && !$this->exists($path) )
+		if ( empty( $list ) && ! $this->exists( $path ) ) {
+
+			reset_mbstring_encoding();
+
 			return false;
+		}
 
 		$ret = array();
 		foreach ( $list as $struc ) {
@@ -324,6 +339,9 @@ class WP_Filesystem_ftpsockets extends WP_Filesystem_Base {
 
 			$ret[ $struc['name'] ] = $struc;
 		}
+
+		reset_mbstring_encoding();
+
 		return $ret;
 	}
 

wp-admin/includes/class-wp-filesystem-ssh2.php

@@ -1,13 +1,6 @@
 <?php
 /**
- * WordPress SSH2 Filesystem.
- *
- * @package WordPress
- * @subpackage Filesystem
- */
-
-/**
- * WordPress Filesystem Class for implementing SSH2.
+ * WordPress Filesystem Class for implementing SSH2
  *
  * To use this class you must follow these steps for PHP 5.2.6+
  *
@@ -35,10 +28,10 @@
  *
  * Note: as of WordPress 2.8, This utilises the PHP5+ function 'stream_get_contents'
  *
- * @since 2.7
+ * @since 2.7.0
+ *
  * @package WordPress
  * @subpackage Filesystem
- * @uses WP_Filesystem_Base Extends class
  */
 class WP_Filesystem_SSH2 extends WP_Filesystem_Base {
 
@@ -150,7 +143,7 @@ class WP_Filesystem_SSH2 extends WP_Filesystem_Base {
 		return false;
 	}
 
-	function get_contents($file, $type = '', $resumepos = 0 ) {
+	function get_contents( $file ) {
 		$file = ltrim($file, '/');
 		return file_get_contents('ssh2.sftp://' . $this->sftp_link . '/' . $file);
 	}
@@ -161,12 +154,14 @@ class WP_Filesystem_SSH2 extends WP_Filesystem_Base {
 	}
 
 	function put_contents($file, $contents, $mode = false ) {
-		$file = ltrim($file, '/');
-		$ret = file_put_contents('ssh2.sftp://' . $this->sftp_link . '/' . $file, $contents);
+		$ret = file_put_contents( 'ssh2.sftp://' . $this->sftp_link . '/' . ltrim( $file, '/' ), $contents );
+
+		if ( $ret !== strlen( $contents ) )
+			return false;
 
 		$this->chmod($file, $mode);
 
-		return false !== $ret;
+		return true;
 	}
 
 	function cwd() {
@@ -184,8 +179,8 @@ class WP_Filesystem_SSH2 extends WP_Filesystem_Base {
 		if ( ! $this->exists($file) )
 			return false;
 		if ( ! $recursive || ! $this->is_dir($file) )
-			return $this->run_command(sprintf('chgrp %o %s', $mode, escapeshellarg($file)), true);
-		return $this->run_command(sprintf('chgrp -R %o %s', $mode, escapeshellarg($file)), true);
+			return $this->run_command(sprintf('chgrp %s %s', escapeshellarg($group), escapeshellarg($file)), true);
+		return $this->run_command(sprintf('chgrp -R %s %s', escapeshellarg($group), escapeshellarg($file)), true);
 	}
 
 	function chmod($file, $mode = false, $recursive = false) {
@@ -206,12 +201,22 @@ class WP_Filesystem_SSH2 extends WP_Filesystem_Base {
 		return $this->run_command(sprintf('chmod -R %o %s', $mode, escapeshellarg($file)), true);
 	}
 
-	function chown($file, $owner, $recursive = false ) {
+	/**
+	 * Change the ownership of a file / folder.
+	 *
+	 * @since Unknown
+	 *
+	 * @param string $file    Path to the file.
+	 * @param mixed  $owner   A user name or number.
+	 * @param bool $recursive Optional. If set True changes file owner recursivly. Defaults to False.
+	 * @return bool Returns true on success or false on failure.
+	 */
+	function chown( $file, $owner, $recursive = false ) {
 		if ( ! $this->exists($file) )
 			return false;
 		if ( ! $recursive || ! $this->is_dir($file) )
-			return $this->run_command(sprintf('chown %o %s', $mode, escapeshellarg($file)), true);
-		return $this->run_command(sprintf('chown -R %o %s', $mode, escapeshellarg($file)), true);
+			return $this->run_command(sprintf('chown %s %s', escapeshellarg($owner), escapeshellarg($file)), true);
+		return $this->run_command(sprintf('chown -R %s %s', escapeshellarg($owner), escapeshellarg($file)), true);
 	}
 
 	function owner($file) {

wp-admin/includes/class-wp-importer.php

@@ -179,7 +179,7 @@ class WP_Importer {
 	 */
 	function get_page( $url, $username = '', $password = '', $head = false ) {
 		// Increase the timeout
-		add_filter( 'http_request_timeout', array( &$this, 'bump_request_timeout' ) );
+		add_filter( 'http_request_timeout', array( $this, 'bump_request_timeout' ) );
 
 		$headers = array();
 		$args = array();
@@ -190,7 +190,7 @@ class WP_Importer {
 
 		$args['headers'] = $headers;
 
-		return wp_remote_request( $url, $args );
+		return wp_safe_remote_request( $url, $args );
 	}
 
 	/**

wp-admin/includes/class-wp-links-list-table.php

@@ -23,7 +23,7 @@ class WP_Links_List_Table extends WP_List_Table {
 	function prepare_items() {
 		global $cat_id, $s, $orderby, $order;
 
-		wp_reset_vars( array( 'action', 'cat_id', 'linkurl', 'name', 'image', 'description', 'visible', 'target', 'category', 'link_id', 'submit', 'orderby', 'order', 'links_show_cat_id', 'rating', 'rel', 'notes', 'linkcheck[]', 's' ) );
+		wp_reset_vars( array( 'action', 'cat_id', 'link_id', 'orderby', 'order', 's' ) );
 
 		$args = array( 'hide_invisible' => 0, 'hide_empty' => 0 );
 

wp-admin/includes/class-wp-list-table.php

@@ -72,7 +72,7 @@ class WP_List_Table {
 	var $_pagination;
 
 	/**
-	 * Constructor. The child class should call this constructor from it's own constructor
+	 * Constructor. The child class should call this constructor from its own constructor
 	 *
 	 * @param array $args An associative array with information about the current table
 	 * @access protected
@@ -87,7 +87,7 @@ class WP_List_Table {
 
 		$this->screen = convert_to_screen( $args['screen'] );
 
-		add_filter( "manage_{$this->screen->id}_columns", array( &$this, 'get_columns' ), 0 );
+		add_filter( "manage_{$this->screen->id}_columns", array( $this, 'get_columns' ), 0 );
 
 		if ( !$args['plural'] )
 			$args['plural'] = $this->screen->base;
@@ -99,7 +99,7 @@ class WP_List_Table {
 
 		if ( $args['ajax'] ) {
 			// wp_enqueue_script( 'list-table' );
-			add_action( 'admin_footer', array( &$this, '_js_vars' ) );
+			add_action( 'admin_footer', array( $this, '_js_vars' ) );
 		}
 	}
 
@@ -340,7 +340,7 @@ class WP_List_Table {
 		if ( !$action_count )
 			return '';
 
-		$out = '<div class="' . ( $always_visible ? 'row-actions-visible' : 'row-actions' ) . '">';
+		$out = '<div class="' . ( $always_visible ? 'row-actions visible' : 'row-actions' ) . '">';
 		foreach ( $actions as $action => $link ) {
 			++$i;
 			( $i == $action_count ) ? $sep = '' : $sep = ' | ';
@@ -367,6 +367,16 @@ class WP_List_Table {
 			ORDER BY post_date DESC
 		", $post_type ) );
 
+		/**
+		 * Filter the months dropdown results.
+		 *
+		 * @since 3.7.0
+		 *
+		 * @param object $months    The months dropdown query results.
+		 * @param string $post_type The post type.
+		 */
+		$months = apply_filters( 'months_dropdown_results', $months, $post_type );
+
 		$month_count = count( $months );
 
 		if ( !$month_count || ( 1 == $month_count && 0 == $months[0]->month ) )
@@ -764,7 +774,7 @@ class WP_List_Table {
 ?>
 	<div class="tablenav <?php echo esc_attr( $which ); ?>">
 
-		<div class="alignleft actions">
+		<div class="alignleft actions bulkactions">
 			<?php $this->bulk_actions(); ?>
 		</div>
 <?php
@@ -826,7 +836,7 @@ class WP_List_Table {
 		$row_class = ( $row_class == '' ? ' class="alternate"' : '' );
 
 		echo '<tr' . $row_class . '>';
-		echo $this->single_row_columns( $item );
+		$this->single_row_columns( $item );
 		echo '</tr>';
 	}
 
@@ -857,7 +867,7 @@ class WP_List_Table {
 			}
 			elseif ( method_exists( $this, 'column_' . $column_name ) ) {
 				echo "<td $attributes>";
-				echo call_user_func( array( &$this, 'column_' . $column_name ), $item );
+				echo call_user_func( array( $this, 'column_' . $column_name ), $item );
 				echo "</td>";
 			}
 			else {

wp-admin/includes/class-wp-media-list-table.php

@@ -47,8 +47,7 @@ class WP_Media_List_Table extends WP_List_Table {
 		$type_links = array();
 		$_num_posts = (array) wp_count_attachments();
 		$_total_posts = array_sum($_num_posts) - $_num_posts['trash'];
-		if ( !isset( $total_orphans ) )
-				$total_orphans = $wpdb->get_var( "SELECT COUNT( * ) FROM $wpdb->posts WHERE post_type = 'attachment' AND post_status != 'trash' AND post_parent < 1" );
+		$total_orphans = $wpdb->get_var( "SELECT COUNT( * ) FROM $wpdb->posts WHERE post_type = 'attachment' AND post_status != 'trash' AND post_parent < 1" );
 		$matches = wp_match_mime_types(array_keys($post_mime_types), array_keys($_num_posts));
 		foreach ( $matches as $type => $reals )
 			foreach ( $reals as $real )
@@ -176,7 +175,7 @@ class WP_Media_List_Table extends WP_List_Table {
 	}
 
 	function display_rows() {
-		global $post, $id;
+		global $post;
 
 		add_filter( 'the_title','esc_html' );
 		$alt = '';
@@ -192,7 +191,7 @@ class WP_Media_List_Table extends WP_List_Table {
 			$post_owner = ( get_current_user_id() == $post->post_author ) ? 'self' : 'other';
 			$att_title = _draft_or_post_title();
 ?>
-	<tr id='post-<?php echo $id; ?>' class='<?php echo trim( $alt . ' author-' . $post_owner . ' status-' . $post->post_status ); ?>' valign="top">
+	<tr id='post-<?php echo $post->ID; ?>' class='<?php echo trim( $alt . ' author-' . $post_owner . ' status-' . $post->post_status ); ?>' valign="top">
 <?php
 
 list( $columns, $hidden ) = $this->get_column_info();
@@ -266,7 +265,12 @@ foreach ( $columns as $column_name => $column_display_name ) {
 
 	case 'author':
 ?>
-		<td <?php echo $attributes ?>><?php the_author() ?></td>
+		<td <?php echo $attributes ?>><?php
+			printf( '<a href="%s">%s</a>',
+				esc_url( add_query_arg( array( 'author' => get_the_author_meta('ID') ), 'upload.php' ) ),
+				get_the_author()
+			);
+		?></td>
 <?php
 		break;
 
@@ -297,13 +301,17 @@ foreach ( $columns as $column_name => $column_display_name ) {
 		break;
 
 	case 'parent':
-		if ( $post->post_parent > 0 ) {
-			if ( get_post( $post->post_parent ) ) {
-				$title =_draft_or_post_title( $post->post_parent );
-			}
+		if ( $post->post_parent > 0 )
+			$parent = get_post( $post->post_parent );
+		else
+			$parent = false;
+
+		if ( $parent ) {
+			$title = _draft_or_post_title( $post->post_parent );
+			$parent_type = get_post_type_object( $parent->post_type );
 ?>
 			<td <?php echo $attributes ?>><strong>
-				<?php if( current_user_can( 'edit_post', $post->post_parent ) ) { ?>
+				<?php if ( current_user_can( 'edit_post', $post->post_parent ) && $parent_type->show_ui ) { ?>
 					<a href="<?php echo get_edit_post_link( $post->post_parent ); ?>">
 						<?php echo $title ?></a><?php
 				} else {
@@ -315,7 +323,7 @@ foreach ( $columns as $column_name => $column_display_name ) {
 		} else {
 ?>
 			<td <?php echo $attributes ?>><?php _e( '(Unattached)' ); ?><br />
-			<?php if( $user_can_edit ) {?>
+			<?php if ( $user_can_edit ) { ?>
 				<a class="hide-if-no-js"
 					onclick="findPosts.open( 'media[]','<?php echo $post->ID ?>' ); return false;"
 					href="#the-list">
@@ -375,7 +383,7 @@ foreach ( $columns as $column_name => $column_display_name ) {
 		}
 ?>
 		<td <?php echo $attributes ?>>
-			<?php do_action( 'manage_media_custom_column', $column_name, $id ); ?>
+			<?php do_action( 'manage_media_custom_column', $column_name, $post->ID ); ?>
 		</td>
 <?php
 		break;

wp-admin/includes/class-wp-ms-sites-list-table.php

@@ -29,7 +29,7 @@ class WP_MS_Sites_List_Table extends WP_List_Table {
 
 		$pagenum = $this->get_pagenum();
 
-		$s = isset( $_REQUEST['s'] ) ? stripslashes( trim( $_REQUEST[ 's' ] ) ) : '';
+		$s = isset( $_REQUEST['s'] ) ? wp_unslash( trim( $_REQUEST[ 's' ] ) ) : '';
 		$wild = '';
 		if ( false !== strpos($s, '*') ) {
 			$wild = '%';
@@ -214,8 +214,10 @@ class WP_MS_Sites_List_Table extends WP_List_Table {
 				switch ( $column_name ) {
 					case 'cb': ?>
 						<th scope="row" class="check-column">
+							<?php if ( ! is_main_site( $blog['blog_id'] ) ) : ?>
 							<label class="screen-reader-text" for="blog_<?php echo $blog['blog_id']; ?>"><?php printf( __( 'Select %s' ), $blogname ); ?></label>
 							<input type="checkbox" id="blog_<?php echo $blog['blog_id'] ?>" name="allblogs[]" value="<?php echo esc_attr( $blog['blog_id'] ) ?>" />
+							<?php endif; ?>
 						</th>
 					<?php
 					break;

wp-admin/includes/class-wp-ms-themes-list-table.php

@@ -84,7 +84,7 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
 
 		if ( $s ) {
 			$status = 'search';
-			$themes['search'] = array_filter( array_merge( $themes['all'], $themes['broken'] ), array( &$this, '_search_callback' ) );
+			$themes['search'] = array_filter( array_merge( $themes['all'], $themes['broken'] ), array( $this, '_search_callback' ) );
 		}
 
 		$totals = array();
@@ -108,7 +108,7 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
 				if ( 'ASC' == $order )
 					$this->items = array_reverse( $this->items );
 			} else {
-				uasort( $this->items, array( &$this, '_order_callback' ) );
+				uasort( $this->items, array( $this, '_order_callback' ) );
 			}
 		}
 
@@ -126,7 +126,7 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
 	function _search_callback( $theme ) {
 		static $term;
 		if ( is_null( $term ) )
-			$term = stripslashes( $_REQUEST['s'] );
+			$term = wp_unslash( $_REQUEST['s'] );
 
 		foreach ( array( 'Name', 'Description', 'Author', 'Author', 'AuthorURI' ) as $field ) {
 			// Don't mark up; Do translate.
@@ -243,11 +243,11 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
 	}
 
 	function display_rows() {
-		foreach ( $this->items as $key => $theme )
-			$this->single_row( $key, $theme );
+		foreach ( $this->items as $theme )
+			$this->single_row( $theme );
 	}
 
-	function single_row( $key, $theme ) {
+	function single_row( $theme ) {
 		global $status, $page, $s, $totals;
 
 		$context = $status;
@@ -284,8 +284,8 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
 		if ( ! $allowed && current_user_can( 'delete_themes' ) && ! $this->is_site_themes && $stylesheet != get_option( 'stylesheet' ) && $stylesheet != get_option( 'template' ) )
 			$actions['delete'] = '<a href="' . esc_url( wp_nonce_url( 'themes.php?action=delete-selected&amp;checked[]=' . $theme_key . '&amp;theme_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-themes' ) ) . '" title="' . esc_attr__( 'Delete this theme' ) . '" class="delete">' . __( 'Delete' ) . '</a>';
 
-		$actions = apply_filters( 'theme_action_links', array_filter( $actions ), $stylesheet, $theme, $context );
-		$actions = apply_filters( "theme_action_links_$stylesheet", $actions, $stylesheet, $theme, $context );
+		$actions = apply_filters( 'theme_action_links', array_filter( $actions ), $theme, $context );
+		$actions = apply_filters( "theme_action_links_$stylesheet", $actions, $theme, $context );
 
 		$class = ! $allowed ? 'inactive' : 'active';
 		$checkbox_id = "checkbox_" . md5( $theme->get('Name') );

wp-admin/includes/class-wp-ms-users-list-table.php

@@ -173,10 +173,10 @@ class WP_MS_Users_List_Table extends WP_List_Table {
 
 					case 'username':
 						$avatar	= get_avatar( $user->user_email, 32 );
-						$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) );
+						$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) );
 
 						echo "<td $attributes>"; ?>
-							<?php echo $avatar; ?><strong><a href="<?php echo $edit_link; ?>" class="edit"><?php echo stripslashes( $user->user_login ); ?></a><?php
+							<?php echo $avatar; ?><strong><a href="<?php echo $edit_link; ?>" class="edit"><?php echo $user->user_login; ?></a><?php
 							if ( in_array( $user->user_login, $super_admins ) )
 								echo ' - ' . __( 'Super Admin' );
 							?></strong>
@@ -186,7 +186,7 @@ class WP_MS_Users_List_Table extends WP_List_Table {
 								$actions['edit'] = '<a href="' . $edit_link . '">' . __( 'Edit' ) . '</a>';
 
 								if ( current_user_can( 'delete_user', $user->ID ) && ! in_array( $user->user_login, $super_admins ) ) {
-									$actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>';
+									$actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>';
 								}
 
 								$actions = apply_filters( 'ms_user_row_actions', $actions, $user );
@@ -201,7 +201,7 @@ class WP_MS_Users_List_Table extends WP_List_Table {
 					break;
 
 					case 'email':
-						echo "<td $attributes><a href='mailto:$user->user_email'>$user->user_email</a></td>";
+						echo "<td $attributes><a href='" . esc_url( "mailto:$user->user_email" ) . "'>$user->user_email</a></td>";
 					break;
 
 					case 'registered':

wp-admin/includes/class-wp-plugin-install-list-table.php

@@ -37,10 +37,26 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 
 		$nonmenu_tabs = array( 'plugin-information' ); //Valid actions to perform which do not have a Menu item.
 
+		/**
+		 * Filter the tabs shown on the Plugin Install screen.
+		 *
+		 * @since 2.7.0
+		 *
+		 * @param array $tabs The tabs shown on the Plugin Install screen. Defaults are 'dashboard', 'search',
+		 *                    'upload', 'featured', 'popular', 'new', and 'favorites'.
+		 */
 		$tabs = apply_filters( 'install_plugins_tabs', $tabs );
+
+		/**
+		 * Filter tabs not associated with a menu item on the Plugin Install screen.
+		 *
+		 * @since 2.7.0
+		 *
+		 * @param array $nonmenu_tabs The tabs that don't have a Menu item on the Plugin Install screen.
+		 */
 		$nonmenu_tabs = apply_filters( 'install_plugins_nonmenu_tabs', $nonmenu_tabs );
 
-		// If a non-valid menu tab has been selected, And its not a non-menu action.
+		// If a non-valid menu tab has been selected, And it's not a non-menu action.
 		if ( empty( $tab ) || ( !isset( $tabs[ $tab ] ) && !in_array( $tab, (array) $nonmenu_tabs ) ) )
 			$tab = key( $tabs );
 
@@ -48,8 +64,8 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 
 		switch ( $tab ) {
 			case 'search':
-				$type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
-				$term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';
+				$type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
+				$term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : '';
 
 				switch ( $type ) {
 					case 'tag':
@@ -73,7 +89,7 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 				break;
 
 			case 'favorites':
-				$user = isset( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+				$user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
 				update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
 				if ( $user )
 					$args['user'] = $user;
@@ -85,8 +101,22 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 
 			default:
 				$args = false;
+				break;
 		}
 
+		/**
+		 * Filter API request arguments for each Plugin Install screen tab.
+		 *
+		 * The dynamic portion of the hook name, $tab, refers to the plugin install tabs.
+		 * Default tabs are 'dashboard', 'search', 'upload', 'featured', 'popular', 'new',
+		 * and 'favorites'.
+		 *
+		 * @since 3.7.0
+		 *
+		 * @param array|bool $args Plugin Install API arguments.
+		 */
+		$args = apply_filters( "install_plugins_table_api_args_$tab", $args );
+
 		if ( !$args )
 			return;
 
@@ -124,7 +154,13 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 		if ( 'top' ==  $which ) { ?>
 			<div class="tablenav top">
 				<div class="alignleft actions">
-					<?php do_action( 'install_plugins_table_header' ); ?>
+					<?php
+					/**
+					 * Fires before the Plugin Install table header pagination is displayed.
+					 *
+					 * @since 2.7.0
+					 */
+					do_action( 'install_plugins_table_header' ); ?>
 				</div>
 				<?php $this->pagination( $which ); ?>
 				<br class="clear" />
@@ -218,6 +254,14 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 				}
 			}
 
+			/**
+			 * Filter the install action links for a plugin.
+			 *
+			 * @since 2.7.0
+			 *
+			 * @param array $action_links An array of plugin action hyperlinks. Defaults are links to Details and Install Now.
+			 * @param array $plugin       The plugin currently being listed.
+			 */
 			$action_links = apply_filters( 'plugin_install_action_links', $action_links, $plugin );
 		?>
 		<tr>

wp-admin/includes/class-wp-plugins-list-table.php

@@ -22,7 +22,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
 			$status = $_REQUEST['plugin_status'];
 
 		if ( isset($_REQUEST['s']) )
-			$_SERVER['REQUEST_URI'] = add_query_arg('s', stripslashes($_REQUEST['s']) );
+			$_SERVER['REQUEST_URI'] = add_query_arg('s', wp_unslash($_REQUEST['s']) );
 
 		$page = $this->get_pagenum();
 	}
@@ -53,7 +53,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
 
 		$screen = $this->screen;
 
-		if ( ! is_multisite() || ( $screen->is_network && current_user_can('manage_network_plugins') ) ) {
+		if ( ! is_multisite() || ( $screen->in_admin( 'network' ) && current_user_can( 'manage_network_plugins' ) ) ) {
 			if ( apply_filters( 'show_advanced_plugins', true, 'mustuse' ) )
 				$plugins['mustuse'] = get_mu_plugins();
 			if ( apply_filters( 'show_advanced_plugins', true, 'dropins' ) )
@@ -72,7 +72,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
 
 		set_transient( 'plugin_slugs', array_keys( $plugins['all'] ), DAY_IN_SECONDS );
 
-		if ( ! $screen->is_network ) {
+		if ( ! $screen->in_admin( 'network' ) ) {
 			$recently_activated = get_option( 'recently_activated', array() );
 
 			foreach ( $recently_activated as $key => $time )
@@ -83,15 +83,15 @@ class WP_Plugins_List_Table extends WP_List_Table {
 
 		foreach ( (array) $plugins['all'] as $plugin_file => $plugin_data ) {
 			// Filter into individual sections
-			if ( is_multisite() && ! $screen->is_network && is_network_only_plugin( $plugin_file ) ) {
+			if ( is_multisite() && ! $screen->in_admin( 'network' ) && is_network_only_plugin( $plugin_file ) ) {
 				unset( $plugins['all'][ $plugin_file ] );
-			} elseif ( ! $screen->is_network && is_plugin_active_for_network( $plugin_file ) ) {
+			} elseif ( ! $screen->in_admin( 'network' ) && is_plugin_active_for_network( $plugin_file ) ) {
 				unset( $plugins['all'][ $plugin_file ] );
-			} elseif ( ( ! $screen->is_network && is_plugin_active( $plugin_file ) )
-				|| ( $screen->is_network && is_plugin_active_for_network( $plugin_file ) ) ) {
+			} elseif ( ( ! $screen->in_admin( 'network' ) && is_plugin_active( $plugin_file ) )
+				|| ( $screen->in_admin( 'network' ) && is_plugin_active_for_network( $plugin_file ) ) ) {
 				$plugins['active'][ $plugin_file ] = $plugin_data;
 			} else {
-				if ( ! $screen->is_network && isset( $recently_activated[ $plugin_file ] ) ) // Was the plugin recently activated?
+				if ( ! $screen->in_admin( 'network' ) && isset( $recently_activated[ $plugin_file ] ) ) // Was the plugin recently activated?
 					$plugins['recently_activated'][ $plugin_file ] = $plugin_data;
 				$plugins['inactive'][ $plugin_file ] = $plugin_data;
 			}
@@ -99,7 +99,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
 
 		if ( $s ) {
 			$status = 'search';
-			$plugins['search'] = array_filter( $plugins['all'], array( &$this, '_search_callback' ) );
+			$plugins['search'] = array_filter( $plugins['all'], array( $this, '_search_callback' ) );
 		}
 
 		$totals = array();
@@ -121,7 +121,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
 			$orderby = ucfirst( $orderby );
 			$order = strtoupper( $order );
 
-			uasort( $this->items, array( &$this, '_order_callback' ) );
+			uasort( $this->items, array( $this, '_order_callback' ) );
 		}
 
 		$plugins_per_page = $this->get_items_per_page( str_replace( '-', '_', $screen->id . '_per_page' ), 999 );
@@ -140,7 +140,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
 	function _search_callback( $plugin ) {
 		static $term;
 		if ( is_null( $term ) )
-			$term = stripslashes( $_REQUEST['s'] );
+			$term = wp_unslash( $_REQUEST['s'] );
 
 		foreach ( $plugin as $value )
 			if ( stripos( $value, $term ) !== false )
@@ -237,12 +237,12 @@ class WP_Plugins_List_Table extends WP_List_Table {
 		$actions = array();
 
 		if ( 'active' != $status )
-			$actions['activate-selected'] = $this->screen->is_network ? __( 'Network Activate' ) : __( 'Activate' );
+			$actions['activate-selected'] = $this->screen->in_admin( 'network' ) ? __( 'Network Activate' ) : __( 'Activate' );
 
 		if ( 'inactive' != $status && 'recent' != $status )
-			$actions['deactivate-selected'] = $this->screen->is_network ? __( 'Network Deactivate' ) : __( 'Deactivate' );
+			$actions['deactivate-selected'] = $this->screen->in_admin( 'network' ) ? __( 'Network Deactivate' ) : __( 'Deactivate' );
 
-		if ( !is_multisite() || $this->screen->is_network ) {
+		if ( !is_multisite() || $this->screen->in_admin( 'network' ) ) {
 			if ( current_user_can( 'update_plugins' ) )
 				$actions['update-selected'] = __( 'Update' );
 			if ( current_user_can( 'delete_plugins' ) && ( 'active' != $status ) )
@@ -269,7 +269,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
 
 		echo '<div class="alignleft actions">';
 
-		if ( ! $this->screen->is_network && 'recently_activated' == $status )
+		if ( ! $this->screen->in_admin( 'network' ) && 'recently_activated' == $status )
 			submit_button( __( 'Clear List' ), 'button', 'clear-recent-list', false );
 		elseif ( 'top' == $which && 'mustuse' == $status )
 			echo '<p>' . sprintf( __( 'Files in the <code>%s</code> directory are executed automatically.' ), str_replace( ABSPATH, '/', WPMU_PLUGIN_DIR ) ) . '</p>';
@@ -289,7 +289,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
 	function display_rows() {
 		global $status;
 
-		if ( is_multisite() && ! $this->screen->is_network && in_array( $status, array( 'mustuse', 'dropins' ) ) )
+		if ( is_multisite() && ! $this->screen->in_admin( 'network' ) && in_array( $status, array( 'mustuse', 'dropins' ) ) )
 			return;
 
 		foreach ( $this->items as $plugin_file => $plugin_data )
@@ -321,7 +321,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
 			if ( true === ( $dropins[ $plugin_file ][1] ) ) { // Doesn't require a constant
 				$is_active = true;
 				$description = '<p><strong>' . $dropins[ $plugin_file ][0] . '</strong></p>';
-			} elseif ( constant( $dropins[ $plugin_file ][1] ) ) { // Constant is true
+			} elseif ( defined( $dropins[ $plugin_file ][1] ) && constant( $dropins[ $plugin_file ][1] ) ) { // Constant is true
 				$is_active = true;
 				$description = '<p><strong>' . $dropins[ $plugin_file ][0] . '</strong></p>';
 			} else {
@@ -331,37 +331,37 @@ class WP_Plugins_List_Table extends WP_List_Table {
 			if ( $plugin_data['Description'] )
 				$description .= '<p>' . $plugin_data['Description'] . '</p>';
 		} else {
-			if ( $screen->is_network )
+			if ( $screen->in_admin( 'network' ) )
 				$is_active = is_plugin_active_for_network( $plugin_file );
 			else
 				$is_active = is_plugin_active( $plugin_file );
 
-			if ( $screen->is_network ) {
+			if ( $screen->in_admin( 'network' ) ) {
 				if ( $is_active ) {
 					if ( current_user_can( 'manage_network_plugins' ) )
-						$actions['deactivate'] = '<a href="' . wp_nonce_url('plugins.php?action=deactivate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Deactivate this plugin') . '">' . __('Network Deactivate') . '</a>';
+						$actions['deactivate'] = '<a href="' . wp_nonce_url('plugins.php?action=deactivate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Deactivate this plugin') . '">' . __('Network Deactivate') . '</a>';
 				} else {
 					if ( current_user_can( 'manage_network_plugins' ) )
-						$actions['activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin for all sites in this network') . '" class="edit">' . __('Network Activate') . '</a>';
+						$actions['activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin for all sites in this network') . '" class="edit">' . __('Network Activate') . '</a>';
 					if ( current_user_can( 'delete_plugins' ) && ! is_plugin_active( $plugin_file ) )
-						$actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
+						$actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
 				}
 			} else {
 				if ( $is_active ) {
-					$actions['deactivate'] = '<a href="' . wp_nonce_url('plugins.php?action=deactivate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Deactivate this plugin') . '">' . __('Deactivate') . '</a>';
+					$actions['deactivate'] = '<a href="' . wp_nonce_url('plugins.php?action=deactivate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Deactivate this plugin') . '">' . __('Deactivate') . '</a>';
 				} else {
-					$actions['activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" class="edit">' . __('Activate') . '</a>';
+					$actions['activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" class="edit">' . __('Activate') . '</a>';
 
 					if ( ! is_multisite() && current_user_can('delete_plugins') )
-						$actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
+						$actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
 				} // end if $is_active
-			 } // end if $screen->is_network
+			 } // end if $screen->in_admin( 'network' )
 
-			if ( ( ! is_multisite() || $screen->is_network ) && current_user_can('edit_plugins') && is_writable(WP_PLUGIN_DIR . '/' . $plugin_file) )
-				$actions['edit'] = '<a href="plugin-editor.php?file=' . $plugin_file . '" title="' . esc_attr__('Open this file in the Plugin Editor') . '" class="edit">' . __('Edit') . '</a>';
+			if ( ( ! is_multisite() || $screen->in_admin( 'network' ) ) && current_user_can('edit_plugins') && is_writable(WP_PLUGIN_DIR . '/' . $plugin_file) )
+				$actions['edit'] = '<a href="plugin-editor.php?file=' . urlencode( $plugin_file ) . '" title="' . esc_attr__('Open this file in the Plugin Editor') . '" class="edit">' . __('Edit') . '</a>';
 		} // end if $context
 
-		$prefix = $screen->is_network ? 'network_admin_' : '';
+		$prefix = $screen->in_admin( 'network' ) ? 'network_admin_' : '';
 		$actions = apply_filters( $prefix . 'plugin_action_links', array_filter( $actions ), $plugin_file, $plugin_data, $context );
 		$actions = apply_filters( $prefix . "plugin_action_links_$plugin_file", $actions, $plugin_file, $plugin_data, $context );
 

wp-admin/includes/class-wp-posts-list-table.php

@@ -57,9 +57,10 @@ class WP_Posts_List_Table extends WP_List_Table {
 		$post_type_object = get_post_type_object( $post_type );
 
 		if ( !current_user_can( $post_type_object->cap->edit_others_posts ) ) {
+			$exclude_states = get_post_stati( array( 'show_in_admin_all_list' => false ) );
 			$this->user_posts_count = $wpdb->get_var( $wpdb->prepare( "
 				SELECT COUNT( 1 ) FROM $wpdb->posts
-				WHERE post_type = %s AND post_status NOT IN ( 'trash', 'auto-draft' )
+				WHERE post_type = %s AND post_status NOT IN ( '" . implode( "','", $exclude_states ) . "' )
 				AND post_author = %d
 			", $post_type, get_current_user_id() ) );
 
@@ -69,7 +70,7 @@ class WP_Posts_List_Table extends WP_List_Table {
 
 		if ( 'post' == $post_type && $sticky_posts = get_option( 'sticky_posts' ) ) {
 			$sticky_posts = implode( ', ', array_map( 'absint', (array) $sticky_posts ) );
-			$this->sticky_posts_count = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT( 1 ) FROM $wpdb->posts WHERE post_type = %s AND post_status != 'trash' AND ID IN ($sticky_posts)", $post_type ) );
+			$this->sticky_posts_count = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT( 1 ) FROM $wpdb->posts WHERE post_type = %s AND post_status NOT IN ('trash', 'auto-draft') AND ID IN ($sticky_posts)", $post_type ) );
 		}
 	}
 
@@ -382,8 +383,10 @@ class WP_Posts_List_Table extends WP_List_Table {
 			if ( $count >= $end )
 				break;
 
-			if ( $count >= $start )
-				echo "\t" . $this->single_row( $page, $level );
+			if ( $count >= $start ) {
+				echo "\t";
+				$this->single_row( $page, $level );
+			}
 
 			$count++;
 
@@ -397,8 +400,12 @@ class WP_Posts_List_Table extends WP_List_Table {
 				foreach ( $orphans as $op ) {
 					if ( $count >= $end )
 						break;
-					if ( $count >= $start )
-						echo "\t" . $this->single_row( $op, 0 );
+
+					if ( $count >= $start ) {
+						echo "\t";
+						$this->single_row( $op, 0 );
+					}
+
 					$count++;
 				}
 			}
@@ -411,12 +418,12 @@ class WP_Posts_List_Table extends WP_List_Table {
 	 *
 	 * @since 3.1.0 (Standalone function exists since 2.6.0)
 	 *
-	 * @param unknown_type $children_pages
-	 * @param unknown_type $count
-	 * @param unknown_type $parent
-	 * @param unknown_type $level
-	 * @param unknown_type $pagenum
-	 * @param unknown_type $per_page
+	 * @param array $children_pages
+	 * @param int $count
+	 * @param int $parent
+	 * @param int $level
+	 * @param int $pagenum
+	 * @param int $per_page
 	 */
 	function _page_rows( &$children_pages, &$count, $parent, $level, $pagenum, $per_page ) {
 
@@ -444,13 +451,16 @@ class WP_Posts_List_Table extends WP_List_Table {
 				}
 				$num_parents = count( $my_parents );
 				while ( $my_parent = array_pop( $my_parents ) ) {
-					echo "\t" . $this->single_row( $my_parent, $level - $num_parents );
+					echo "\t";
+					$this->single_row( $my_parent, $level - $num_parents );
 					$num_parents--;
 				}
 			}
 
-			if ( $count >= $start )
-				echo "\t" . $this->single_row( $page, $level );
+			if ( $count >= $start ) {
+				echo "\t";
+				$this->single_row( $page, $level );
+			}
 
 			$count++;
 
@@ -471,10 +481,16 @@ class WP_Posts_List_Table extends WP_List_Table {
 		$edit_link = get_edit_post_link( $post->ID );
 		$title = _draft_or_post_title();
 		$post_type_object = get_post_type_object( $post->post_type );
-		$can_edit_post = current_user_can( $post_type_object->cap->edit_post, $post->ID );
+		$can_edit_post = current_user_can( 'edit_post', $post->ID );
 
 		$alternate = 'alternate' == $alternate ? '' : 'alternate';
 		$classes = $alternate . ' iedit author-' . ( get_current_user_id() == $post->post_author ? 'self' : 'other' );
+
+		$lock_holder = wp_check_post_lock( $post->ID );
+		if ( $lock_holder ) {
+			$classes .= ' wp-locked';
+			$lock_holder = get_userdata( $lock_holder );
+		}
 	?>
 		<tr id="post-<?php echo $post->ID; ?>" class="<?php echo implode( ' ', get_post_class( $classes, $post->ID ) ); ?>" valign="top">
 	<?php
@@ -495,18 +511,23 @@ class WP_Posts_List_Table extends WP_List_Table {
 			case 'cb':
 			?>
 			<th scope="row" class="check-column">
-				<?php if ( $can_edit_post ) { ?>
+				<?php
+				if ( $can_edit_post ) {
+
+				?>
 				<label class="screen-reader-text" for="cb-select-<?php the_ID(); ?>"><?php printf( __( 'Select %s' ), $title ); ?></label>
 				<input id="cb-select-<?php the_ID(); ?>" type="checkbox" name="post[]" value="<?php the_ID(); ?>" />
-				<?php } ?>
+				<div class="locked-indicator"></div>
+				<?php
+				}
+				?>
 			</th>
 			<?php
 			break;
 
 			case 'title':
+				$attributes = 'class="post-title page-title column-title"' . $style;
 				if ( $this->hierarchical_display ) {
-					$attributes = 'class="post-title page-title column-title"' . $style;
-
 					if ( 0 == $level && (int) $post->post_parent > 0 ) {
 						//sent level 0 by accident, by default, or because we don't know the actual level
 						$find_main_page = (int) $post->post_parent;
@@ -519,25 +540,48 @@ class WP_Posts_List_Table extends WP_List_Table {
 							$level++;
 							$find_main_page = (int) $parent->post_parent;
 
-							if ( !isset( $parent_name ) )
+							if ( !isset( $parent_name ) ) {
+								/** This filter is documented in wp-includes/post-template.php */
 								$parent_name = apply_filters( 'the_title', $parent->post_title, $parent->ID );
+							}
 						}
 					}
-
-					$pad = str_repeat( '&#8212; ', $level );
-?>
-			<td <?php echo $attributes ?>><strong><?php if ( $can_edit_post && $post->post_status != 'trash' ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr( sprintf( __( 'Edit &#8220;%s&#8221;' ), $title ) ); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states( $post ); echo isset( $parent_name ) ? ' | ' . $post_type_object->labels->parent_item_colon . ' ' . esc_html( $parent_name ) : ''; ?></strong>
-<?php
 				}
-				else {
-					$attributes = 'class="post-title page-title column-title"' . $style;
 
-					$pad = str_repeat( '&#8212; ', $level );
-?>
-			<td <?php echo $attributes ?>><strong><?php if ( $can_edit_post && $post->post_status != 'trash' ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr( sprintf( __( 'Edit &#8220;%s&#8221;' ), $title ) ); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states( $post ); ?></strong>
-<?php
-					if ( 'excerpt' == $mode && current_user_can( 'read_post', $post->ID ) )
-						the_excerpt();
+				$pad = str_repeat( '&#8212; ', $level );
+				echo "<td $attributes><strong>";
+
+				if ( $format = get_post_format( $post->ID ) ) {
+					$label = get_post_format_string( $format );
+
+					echo '<a href="' . esc_url( add_query_arg( array( 'post_format' => $format, 'post_type' => $post->post_type ), 'edit.php' ) ) . '" class="post-state-format post-format-icon post-format-' . $format . '" title="' . $label . '">' . $label . ":</a> ";
+				}
+
+				if ( $can_edit_post && $post->post_status != 'trash' ) {
+					echo '<a class="row-title" href="' . $edit_link . '" title="' . esc_attr( sprintf( __( 'Edit &#8220;%s&#8221;' ), $title ) ) . '">' . $pad . $title . '</a>';
+				} else {
+					echo $pad . $title;
+				}
+				_post_states( $post );
+
+				if ( isset( $parent_name ) )
+					echo ' | ' . $post_type_object->labels->parent_item_colon . ' ' . esc_html( $parent_name );
+
+				echo "</strong>\n";
+
+				if ( $can_edit_post && $post->post_status != 'trash' ) {
+					if ( $lock_holder ) {
+						$locked_avatar = get_avatar( $lock_holder->ID, 18 );
+						$locked_text = esc_html( sprintf( __( '%s is currently editing' ), $lock_holder->display_name ) );
+					} else {
+						$locked_avatar = $locked_text = '';
+					}
+
+					echo '<div class="locked-info"><span class="locked-avatar">' . $locked_avatar . '</span> <span class="locked-text">' . $locked_text . "</span></div>\n";
+				}
+
+				if ( ! $this->hierarchical_display && 'excerpt' == $mode && current_user_can( 'read_post', $post->ID ) ) {
+						echo esc_html( get_the_excerpt() );
 				}
 
 				$actions = array();
@@ -545,7 +589,7 @@ class WP_Posts_List_Table extends WP_List_Table {
 					$actions['edit'] = '<a href="' . get_edit_post_link( $post->ID, true ) . '" title="' . esc_attr( __( 'Edit this item' ) ) . '">' . __( 'Edit' ) . '</a>';
 					$actions['inline hide-if-no-js'] = '<a href="#" class="editinline" title="' . esc_attr( __( 'Edit this item inline' ) ) . '">' . __( 'Quick&nbsp;Edit' ) . '</a>';
 				}
-				if ( current_user_can( $post_type_object->cap->delete_post, $post->ID ) ) {
+				if ( current_user_can( 'delete_post', $post->ID ) ) {
 					if ( 'trash' == $post->post_status )
 						$actions['untrash'] = "<a title='" . esc_attr( __( 'Restore this item from the Trash' ) ) . "' href='" . wp_nonce_url( admin_url( sprintf( $post_type_object->_edit_link . '&amp;action=untrash', $post->ID ) ), 'untrash-post_' . $post->ID ) . "'>" . __( 'Restore' ) . "</a>";
 					elseif ( EMPTY_TRASH_DAYS )
@@ -556,7 +600,7 @@ class WP_Posts_List_Table extends WP_List_Table {
 				if ( $post_type_object->public ) {
 					if ( in_array( $post->post_status, array( 'pending', 'draft', 'future' ) ) ) {
 						if ( $can_edit_post )
-							$actions['view'] = '<a href="' . esc_url( add_query_arg( 'preview', 'true', get_permalink( $post->ID ) ) ) . '" title="' . esc_attr( sprintf( __( 'Preview &#8220;%s&#8221;' ), $title ) ) . '" rel="permalink">' . __( 'Preview' ) . '</a>';
+							$actions['view'] = '<a href="' . esc_url( apply_filters( 'preview_post_link', set_url_scheme( add_query_arg( 'preview', 'true', get_permalink( $post->ID ) ) ) ) ) . '" title="' . esc_attr( sprintf( __( 'Preview &#8220;%s&#8221;' ), $title ) ) . '" rel="permalink">' . __( 'Preview' ) . '</a>';
 					} elseif ( 'trash' != $post->post_status ) {
 						$actions['view'] = '<a href="' . get_permalink( $post->ID ) . '" title="' . esc_attr( sprintf( __( 'View &#8220;%s&#8221;' ), $title ) ) . '" rel="permalink">' . __( 'View' ) . '</a>';
 					}
@@ -789,7 +833,7 @@ class WP_Posts_List_Table extends WP_List_Table {
 	<?php if ( !$bulk ) echo $authors_dropdown;
 	endif; // post_type_supports author
 
-	if ( !$bulk ) :
+	if ( !$bulk && $can_publish ) :
 	?>
 
 			<div class="inline-edit-group">
@@ -820,10 +864,7 @@ class WP_Posts_List_Table extends WP_List_Table {
 
 	<?php foreach ( $hierarchical_taxonomies as $taxonomy ) : ?>
 
-			<span class="title inline-edit-categories-label"><?php echo esc_html( $taxonomy->labels->name ) ?>
-				<span class="catshow"><?php _e( '[more]' ); ?></span>
-				<span class="cathide" style="display:none;"><?php _e( '[less]' ); ?></span>
-			</span>
+			<span class="title inline-edit-categories-label"><?php echo esc_html( $taxonomy->labels->name ) ?></span>
 			<input type="hidden" name="<?php echo ( $taxonomy->name == 'category' ) ? 'post_category[]' : 'tax_input[' . esc_attr( $taxonomy->name ) . '][]'; ?>" value="0" />
 			<ul class="cat-checklist <?php echo esc_attr( $taxonomy->name )?>-checklist">
 				<?php wp_terms_checklist( null, array( 'taxonomy' => $taxonomy->name ) ) ?>
@@ -998,30 +1039,31 @@ class WP_Posts_List_Table extends WP_List_Table {
 
 			</div>
 
-	<?php if ( post_type_supports( $screen->post_type, 'post-formats' ) && current_theme_supports( 'post-formats' ) ) :
-		$post_formats = get_theme_support( 'post-formats' );
-		if ( isset( $post_formats[0] ) && is_array( $post_formats[0] ) ) :
-			$all_post_formats = get_post_format_strings();
-			unset( $all_post_formats['standard'] ); ?>
-			<div class="inline-edit-group">
-				<label class="alignleft" for="post_format">
-				<span class="title"><?php _ex( 'Format', 'post format' ); ?></span>
-				<select name="post_format">
-				<?php if ( $bulk ) : ?>
-					<option value="-1"><?php _e( '&mdash; No Change &mdash;' ); ?></option>
-				<?php endif; ?>
-					<option value="0"><?php _ex( 'Standard', 'Post format' ); ?></option>
-				<?php foreach ( $all_post_formats as $slug => $format ) :
-					$unsupported = ! in_array( $slug, $post_formats[0] );
-					if ( $bulk && $unsupported )
-						continue;
-					?>
-					<option value="<?php echo esc_attr( $slug ); ?>"<?php if ( $unsupported ) echo ' class="unsupported"'; ?>><?php echo esc_html( $format ); ?></option>
-				<?php endforeach; ?>
-				</select></label>
-			</div>
-		<?php endif; ?>
-	<?php endif; // post-formats ?>
+	<?php
+
+	if ( $bulk && post_type_supports( $screen->post_type, 'post-formats' ) ) {
+		$all_post_formats = get_post_format_strings();
+
+		?>
+		<label class="alignleft" for="post_format">
+		<span class="title"><?php _ex( 'Format', 'post format' ); ?></span>
+		<select name="post_format">
+			<option value="-1"><?php _e( '&mdash; No Change &mdash;' ); ?></option>
+			<?php
+
+			foreach ( $all_post_formats as $slug => $format ) {
+				?>
+				<option value="<?php echo esc_attr( $slug ); ?>"><?php echo esc_html( $format ); ?></option>
+				<?php
+			}
+
+			?>
+		</select></label>
+	<?php
+
+	}
+
+	?>
 
 		</div></fieldset>
 
@@ -1035,18 +1077,20 @@ class WP_Posts_List_Table extends WP_List_Table {
 		}
 	?>
 		<p class="submit inline-edit-save">
-			<a accesskey="c" href="#inline-edit" title="<?php esc_attr_e( 'Cancel' ); ?>" class="button-secondary cancel alignleft"><?php _e( 'Cancel' ); ?></a>
+			<a accesskey="c" href="#inline-edit" class="button-secondary cancel alignleft"><?php _e( 'Cancel' ); ?></a>
 			<?php if ( ! $bulk ) {
 				wp_nonce_field( 'inlineeditnonce', '_inline_edit', false );
-				$update_text = __( 'Update' );
 				?>
-				<a accesskey="s" href="#inline-edit" title="<?php esc_attr_e( 'Update' ); ?>" class="button-primary save alignright"><?php echo esc_attr( $update_text ); ?></a>
+				<a accesskey="s" href="#inline-edit" class="button-primary save alignright"><?php _e( 'Update' ); ?></a>
 				<span class="spinner"></span>
 			<?php } else {
 				submit_button( __( 'Update' ), 'button-primary alignright', 'bulk_edit', false, array( 'accesskey' => 's' ) );
 			} ?>
 			<input type="hidden" name="post_view" value="<?php echo esc_attr( $m ); ?>" />
 			<input type="hidden" name="screen" value="<?php echo esc_attr( $screen->id ); ?>" />
+			<?php if ( ! $bulk && ! post_type_supports( $screen->post_type, 'author' ) ) { ?>
+				<input type="hidden" name="post_author" value="<?php echo esc_attr( $post->post_author ); ?>" />
+			<?php } ?>
 			<span class="error" style="display:none"></span>
 			<br class="clear" />
 		</p>

wp-admin/includes/class-wp-terms-list-table.php

@@ -52,7 +52,7 @@ class WP_Terms_List_Table extends WP_List_Table {
 			$tags_per_page = apply_filters( 'edit_categories_per_page', $tags_per_page ); // Old filter
 		}
 
-		$search = !empty( $_REQUEST['s'] ) ? trim( stripslashes( $_REQUEST['s'] ) ) : '';
+		$search = !empty( $_REQUEST['s'] ) ? trim( wp_unslash( $_REQUEST['s'] ) ) : '';
 
 		$args = array(
 			'search' => $search,
@@ -61,10 +61,10 @@ class WP_Terms_List_Table extends WP_List_Table {
 		);
 
 		if ( !empty( $_REQUEST['orderby'] ) )
-			$args['orderby'] = trim( stripslashes( $_REQUEST['orderby'] ) );
+			$args['orderby'] = trim( wp_unslash( $_REQUEST['orderby'] ) );
 
 		if ( !empty( $_REQUEST['order'] ) )
-			$args['order'] = trim( stripslashes( $_REQUEST['order'] ) );
+			$args['order'] = trim( wp_unslash( $_REQUEST['order'] ) );
 
 		$this->callback_args = $args;
 
@@ -136,7 +136,6 @@ class WP_Terms_List_Table extends WP_List_Table {
 		$args['offset'] = $offset = ( $page - 1 ) * $number;
 
 		// convert it to table rows
-		$out = '';
 		$count = 0;
 
 		$terms = array();
@@ -144,37 +143,37 @@ class WP_Terms_List_Table extends WP_List_Table {
 		if ( is_taxonomy_hierarchical( $taxonomy ) && !isset( $orderby ) ) {
 			// We'll need the full set of terms then.
 			$args['number'] = $args['offset'] = 0;
-
-			$terms = get_terms( $taxonomy, $args );
-			if ( !empty( $search ) ) // Ignore children on searches.
-				$children = array();
-			else
-				$children = _get_term_hierarchy( $taxonomy );
-
-			// Some funky recursion to get the job done( Paging & parents mainly ) is contained within, Skip it for non-hierarchical taxonomies for performance sake
-			$out .= $this->_rows( $taxonomy, $terms, $children, $offset, $number, $count );
-		} else {
-			$terms = get_terms( $taxonomy, $args );
-			foreach ( $terms as $term )
-				$out .= $this->single_row( $term, 0, $taxonomy );
-			$count = $number; // Only displaying a single page.
 		}
+		$terms = get_terms( $taxonomy, $args );
 
 		if ( empty( $terms ) ) {
 			list( $columns, $hidden ) = $this->get_column_info();
 			echo '<tr class="no-items"><td class="colspanchange" colspan="' . $this->get_column_count() . '">';
 			$this->no_items();
 			echo '</td></tr>';
+			return;
+		}
+
+		if ( is_taxonomy_hierarchical( $taxonomy ) && !isset( $orderby ) ) {
+			if ( !empty( $search ) ) // Ignore children on searches.
+				$children = array();
+			else
+				$children = _get_term_hierarchy( $taxonomy );
+
+			// Some funky recursion to get the job done( Paging & parents mainly ) is contained within, Skip it for non-hierarchical taxonomies for performance sake
+			$this->_rows( $taxonomy, $terms, $children, $offset, $number, $count );
 		} else {
-			echo $out;
+			$terms = get_terms( $taxonomy, $args );
+			foreach ( $terms as $term )
+				$this->single_row( $term );
+			$count = $number; // Only displaying a single page.
 		}
 	}
 
-	function _rows( $taxonomy, $terms, &$children, $start = 0, $per_page = 20, &$count, $parent = 0, $level = 0 ) {
+	function _rows( $taxonomy, $terms, &$children, $start, $per_page, &$count, $parent = 0, $level = 0 ) {
 
 		$end = $start + $per_page;
 
-		$output = '';
 		foreach ( $terms as $key => $term ) {
 
 			if ( $count >= $end )
@@ -199,23 +198,24 @@ class WP_Terms_List_Table extends WP_List_Table {
 
 				$num_parents = count( $my_parents );
 				while ( $my_parent = array_pop( $my_parents ) ) {
-					$output .=  "\t" . $this->single_row( $my_parent, $level - $num_parents, $taxonomy );
+					echo "\t";
+					$this->single_row( $my_parent, $level - $num_parents );
 					$num_parents--;
 				}
 			}
 
-			if ( $count >= $start )
-				$output .= "\t" . $this->single_row( $term, $level, $taxonomy );
+			if ( $count >= $start ) {
+				echo "\t";
+				$this->single_row( $term, $level );
+			}
 
 			++$count;
 
 			unset( $terms[$key] );
 
 			if ( isset( $children[$term->term_id] ) && empty( $_REQUEST['s'] ) )
-				$output .= $this->_rows( $taxonomy, $terms, $children, $start, $per_page, $count, $term->term_id, $level + 1 );
+				$this->_rows( $taxonomy, $terms, $children, $start, $per_page, $count, $term->term_id, $level + 1 );
 		}
-
-		return $output;
 	}
 
 	function single_row( $tag, $level = 0 ) {
@@ -225,7 +225,7 @@ class WP_Terms_List_Table extends WP_List_Table {
 		$this->level = $level;
 
 		echo '<tr id="tag-' . $tag->term_id . '"' . $row_class . '>';
-		echo $this->single_row_columns( $tag );
+		$this->single_row_columns( $tag );
 		echo '</tr>';
 	}
 
@@ -259,7 +259,8 @@ class WP_Terms_List_Table extends WP_List_Table {
 		}
 		if ( current_user_can( $tax->cap->delete_terms ) && $tag->term_id != $default_term )
 			$actions['delete'] = "<a class='delete-tag' href='" . wp_nonce_url( "edit-tags.php?action=delete&amp;taxonomy=$taxonomy&amp;tag_ID=$tag->term_id", 'delete-tag_' . $tag->term_id ) . "'>" . __( 'Delete' ) . "</a>";
-		$actions['view'] = '<a href="' . get_term_link( $tag ) . '">' . __( 'View' ) . '</a>';
+		if ( $tax->public )
+			$actions['view'] = '<a href="' . get_term_link( $tag ) . '">' . __( 'View' ) . '</a>';
 
 		$actions = apply_filters( 'tag_row_actions', $actions, $tag );
 		$actions = apply_filters( "{$taxonomy}_row_actions", $actions, $tag );
@@ -361,9 +362,8 @@ class WP_Terms_List_Table extends WP_List_Table {
 	?>
 
 		<p class="inline-edit-save submit">
-			<a accesskey="c" href="#inline-edit" title="<?php esc_attr_e( 'Cancel' ); ?>" class="cancel button-secondary alignleft"><?php _e( 'Cancel' ); ?></a>
-			<?php $update_text = $tax->labels->update_item; ?>
-			<a accesskey="s" href="#inline-edit" title="<?php echo esc_attr( $update_text ); ?>" class="save button-primary alignright"><?php echo $update_text; ?></a>
+			<a accesskey="c" href="#inline-edit" class="cancel button-secondary alignleft"><?php _e( 'Cancel' ); ?></a>
+			<a accesskey="s" href="#inline-edit" class="save button-primary alignright"><?php echo $tax->labels->update_item; ?></a>
 			<span class="spinner"></span>
 			<span class="error" style="display:none;"></span>
 			<?php wp_nonce_field( 'taxinlineeditnonce', '_inline_edit', false ); ?>

wp-admin/includes/class-wp-theme-install-list-table.php

@@ -24,7 +24,7 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table {
 		$search_terms = array();
 		$search_string = '';
 		if ( ! empty( $_REQUEST['s'] ) ){
-			$search_string = strtolower( stripslashes( $_REQUEST['s'] ) );
+			$search_string = strtolower( wp_unslash( $_REQUEST['s'] ) );
 			$search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', $search_string ) ) ) );
 		}
 
@@ -51,7 +51,7 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table {
 		$tabs = apply_filters( 'install_themes_tabs', $tabs );
 		$nonmenu_tabs = apply_filters( 'install_themes_nonmenu_tabs', $nonmenu_tabs );
 
-		// If a non-valid menu tab has been selected, And its not a non-menu action.
+		// If a non-valid menu tab has been selected, And it's not a non-menu action.
 		if ( empty( $tab ) || ( ! isset( $tabs[ $tab ] ) && ! in_array( $tab, (array) $nonmenu_tabs ) ) )
 			$tab = key( $tabs );
 
@@ -59,7 +59,7 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table {
 
 		switch ( $tab ) {
 			case 'search':
-				$type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
+				$type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
 				switch ( $type ) {
 					case 'tag':
 						$args['tag'] = array_map( 'sanitize_key', $search_terms );
@@ -90,8 +90,11 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table {
 
 			default:
 				$args = false;
+				break;
 		}
 
+		$args = apply_filters( 'install_themes_table_api_args_' . $tab, $args );
+
 		if ( ! $args )
 			return;
 
@@ -164,17 +167,17 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table {
 	 *
 	 * Example theme data:
 	 *   object(stdClass)[59]
-	 *     public 'name' => string 'Magazine Basic' (length=14)
-	 *     public 'slug' => string 'magazine-basic' (length=14)
-	 *     public 'version' => string '1.1' (length=3)
-	 *     public 'author' => string 'tinkerpriest' (length=12)
-	 *     public 'preview_url' => string 'http://wp-themes.com/?magazine-basic' (length=36)
-	 *     public 'screenshot_url' => string 'http://wp-themes.com/wp-content/themes/magazine-basic/screenshot.png' (length=68)
+	 *     public 'name' => string 'Magazine Basic'
+	 *     public 'slug' => string 'magazine-basic'
+	 *     public 'version' => string '1.1'
+	 *     public 'author' => string 'tinkerpriest'
+	 *     public 'preview_url' => string 'http://wp-themes.com/?magazine-basic'
+	 *     public 'screenshot_url' => string 'http://wp-themes.com/wp-content/themes/magazine-basic/screenshot.png'
 	 *     public 'rating' => float 80
 	 *     public 'num_ratings' => int 1
-	 *     public 'homepage' => string 'http://wordpress.org/extend/themes/magazine-basic' (length=49)
-	 *     public 'description' => string 'A basic magazine style layout with a fully customizable layout through a backend interface. Designed by <a href="http://bavotasan.com">c.bavota</a> of <a href="http://tinkerpriestmedia.com">Tinker Priest Media</a>.' (length=214)
-	 *     public 'download_link' => string 'http://wordpress.org/extend/themes/download/magazine-basic.1.1.zip' (length=66)
+	 *     public 'homepage' => string 'http://wordpress.org/themes/magazine-basic'
+	 *     public 'description' => string 'A basic magazine style layout with a fully customizable layout through a backend interface. Designed by <a href="http://bavotasan.com">c.bavota</a> of <a href="http://tinkerpriestmedia.com">Tinker Priest Media</a>.'
+	 *     public 'download_link' => string 'http://wordpress.org/themes/download/magazine-basic.1.1.zip'
 	 */
 	function single_row( $theme ) {
 		global $themes_allowedtags;
@@ -362,7 +365,7 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table {
 	 * @uses $tab Global; current tab within Themes->Install screen
 	 * @uses $type Global; type of search.
 	 */
-	function _js_vars() {
+	function _js_vars( $extra_args = array() ) {
 		global $tab, $type;
 		parent::_js_vars( compact( 'tab', 'type' ) );
 	}

wp-admin/includes/class-wp-themes-list-table.php

@@ -28,7 +28,7 @@ class WP_Themes_List_Table extends WP_List_Table {
 		$themes = wp_get_themes( array( 'allowed' => true ) );
 
 		if ( ! empty( $_REQUEST['s'] ) )
-			$this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( stripslashes( $_REQUEST['s'] ) ) ) ) ) );
+			$this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( wp_unslash( $_REQUEST['s'] ) ) ) ) ) );
 
 		if ( ! empty( $_REQUEST['features'] ) )
 			$this->features = $_REQUEST['features'];
@@ -114,6 +114,16 @@ class WP_Themes_List_Table extends WP_List_Table {
 		return array();
 	}
 
+	function display_rows_or_placeholder() {
+		if ( $this->has_items() ) {
+			$this->display_rows();
+		} else {
+			echo '<div class="no-items">';
+			$this->no_items();
+			echo '</div>';
+		}
+	}
+
 	function display_rows() {
 		$themes = $this->items;
 
@@ -149,6 +159,7 @@ class WP_Themes_List_Table extends WP_List_Table {
 					. "' );" . '">' . __( 'Delete' ) . '</a>';
 
 			$actions       = apply_filters( 'theme_action_links', $actions, $theme );
+			$actions       = apply_filters( "theme_action_links_$stylesheet", $actions, $theme );
 			$delete_action = isset( $actions['delete'] ) ? '<div class="delete-theme">' . $actions['delete'] . '</div>' : '';
 			unset( $actions['delete'] );
 
@@ -235,7 +246,7 @@ class WP_Themes_List_Table extends WP_List_Table {
 	 * @uses _pagination_args['total_pages']
 	 */
 	 function _js_vars( $extra_args = array() ) {
-		$search_string = isset( $_REQUEST['s'] ) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : '';
+		$search_string = isset( $_REQUEST['s'] ) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : '';
 
 		$args = array(
 			'search' => $search_string,

wp-admin/includes/class-wp-upgrader-skins.php

@@ -0,0 +1,662 @@
+<?php
+/**
+ * The User Interface "Skins" for the WordPress File Upgrader
+ *
+ * @package WordPress
+ * @subpackage Upgrader
+ * @since 2.8.0
+ */
+
+/**
+ * Generic Skin for the WordPress Upgrader classes. This skin is designed to be extended for specific purposes.
+ *
+ * @package WordPress
+ * @subpackage Upgrader
+ * @since 2.8.0
+ */
+class WP_Upgrader_Skin {
+
+	var $upgrader;
+	var $done_header = false;
+	var $result = false;
+
+	function __construct($args = array()) {
+		$defaults = array( 'url' => '', 'nonce' => '', 'title' => '', 'context' => false );
+		$this->options = wp_parse_args($args, $defaults);
+	}
+
+	function set_upgrader(&$upgrader) {
+		if ( is_object($upgrader) )
+			$this->upgrader =& $upgrader;
+		$this->add_strings();
+	}
+
+	function add_strings() {
+	}
+
+	function set_result($result) {
+		$this->result = $result;
+	}
+
+	function request_filesystem_credentials($error = false) {
+		$url = $this->options['url'];
+		$context = $this->options['context'];
+		if ( !empty($this->options['nonce']) )
+			$url = wp_nonce_url($url, $this->options['nonce']);
+		return request_filesystem_credentials($url, '', $error, $context); //Possible to bring inline, Leaving as is for now.
+	}
+
+	function header() {
+		if ( $this->done_header )
+			return;
+		$this->done_header = true;
+		echo '<div class="wrap">';
+		screen_icon();
+		echo '<h2>' . $this->options['title'] . '</h2>';
+	}
+	function footer() {
+		echo '</div>';
+	}
+
+	function error($errors) {
+		if ( ! $this->done_header )
+			$this->header();
+		if ( is_string($errors) ) {
+			$this->feedback($errors);
+		} elseif ( is_wp_error($errors) && $errors->get_error_code() ) {
+			foreach ( $errors->get_error_messages() as $message ) {
+				if ( $errors->get_error_data() && is_string( $errors->get_error_data() ) )
+					$this->feedback($message . ' ' . esc_html( $errors->get_error_data() ) );
+				else
+					$this->feedback($message);
+			}
+		}
+	}
+
+	function feedback($string) {
+		if ( isset( $this->upgrader->strings[$string] ) )
+			$string = $this->upgrader->strings[$string];
+
+		if ( strpos($string, '%') !== false ) {
+			$args = func_get_args();
+			$args = array_splice($args, 1);
+			if ( $args ) {
+				$args = array_map( 'strip_tags', $args );
+				$args = array_map( 'esc_html', $args );
+				$string = vsprintf($string, $args);
+			}
+		}
+		if ( empty($string) )
+			return;
+		show_message($string);
+	}
+	function before() {}
+	function after() {}
+
+}
+
+/**
+ * Plugin Upgrader Skin for WordPress Plugin Upgrades.
+ *
+ * @package WordPress
+ * @subpackage Upgrader
+ * @since 2.8.0
+ */
+class Plugin_Upgrader_Skin extends WP_Upgrader_Skin {
+	var $plugin = '';
+	var $plugin_active = false;
+	var $plugin_network_active = false;
+
+	function __construct($args = array()) {
+		$defaults = array( 'url' => '', 'plugin' => '', 'nonce' => '', 'title' => __('Update Plugin') );
+		$args = wp_parse_args($args, $defaults);
+
+		$this->plugin = $args['plugin'];
+
+		$this->plugin_active = is_plugin_active( $this->plugin );
+		$this->plugin_network_active = is_plugin_active_for_network( $this->plugin );
+
+		parent::__construct($args);
+	}
+
+	function after() {
+		$this->plugin = $this->upgrader->plugin_info();
+		if ( !empty($this->plugin) && !is_wp_error($this->result) && $this->plugin_active ){
+			echo '<iframe style="border:0;overflow:hidden" width="100%" height="170px" src="' . wp_nonce_url('update.php?action=activate-plugin&networkwide=' . $this->plugin_network_active . '&plugin=' . urlencode( $this->plugin ), 'activate-plugin_' . $this->plugin) .'"></iframe>';
+		}
+
+		$update_actions =  array(
+			'activate_plugin' => '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . urlencode( $this->plugin ), 'activate-plugin_' . $this->plugin) . '" title="' . esc_attr__('Activate this plugin') . '" target="_parent">' . __('Activate Plugin') . '</a>',
+			'plugins_page' => '<a href="' . self_admin_url('plugins.php') . '" title="' . esc_attr__('Go to plugins page') . '" target="_parent">' . __('Return to Plugins page') . '</a>'
+		);
+		if ( $this->plugin_active || ! $this->result || is_wp_error( $this->result ) || ! current_user_can( 'activate_plugins' ) )
+			unset( $update_actions['activate_plugin'] );
+
+		$update_actions = apply_filters('update_plugin_complete_actions', $update_actions, $this->plugin);
+		if ( ! empty($update_actions) )
+			$this->feedback(implode(' | ', (array)$update_actions));
+	}
+
+	function before() {
+		if ( $this->upgrader->show_before ) {
+			echo $this->upgrader->show_before;
+			$this->upgrader->show_before = '';
+		}
+	}
+}
+
+/**
+ * Plugin Upgrader Skin for WordPress Plugin Upgrades.
+ *
+ * @package WordPress
+ * @subpackage Upgrader
+ * @since 3.0.0
+ */
+class Bulk_Upgrader_Skin extends WP_Upgrader_Skin {
+	var $in_loop = false;
+	var $error = false;
+
+	function __construct($args = array()) {
+		$defaults = array( 'url' => '', 'nonce' => '' );
+		$args = wp_parse_args($args, $defaults);
+
+		parent::__construct($args);
+	}
+
+	function add_strings() {
+		$this->upgrader->strings['skin_upgrade_start'] = __('The update process is starting. This process may take a while on some hosts, so please be patient.');
+		$this->upgrader->strings['skin_update_failed_error'] = __('An error occurred while updating %1$s: <strong>%2$s</strong>');
+		$this->upgrader->strings['skin_update_failed'] = __('The update of %1$s failed.');
+		$this->upgrader->strings['skin_update_successful'] = __('%1$s updated successfully.').' <a onclick="%2$s" href="#" class="hide-if-no-js"><span>'.__('Show Details').'</span><span class="hidden">'.__('Hide Details').'</span>.</a>';
+		$this->upgrader->strings['skin_upgrade_end'] = __('All updates have been completed.');
+	}
+
+	function feedback($string) {
+		if ( isset( $this->upgrader->strings[$string] ) )
+			$string = $this->upgrader->strings[$string];
+
+		if ( strpos($string, '%') !== false ) {
+			$args = func_get_args();
+			$args = array_splice($args, 1);
+			if ( $args ) {
+				$args = array_map( 'strip_tags', $args );
+				$args = array_map( 'esc_html', $args );
+				$string = vsprintf($string, $args);
+			}
+		}
+		if ( empty($string) )
+			return;
+		if ( $this->in_loop )
+			echo "$string<br />\n";
+		else
+			echo "<p>$string</p>\n";
+	}
+
+	function header() {
+		// Nothing, This will be displayed within a iframe.
+	}
+
+	function footer() {
+		// Nothing, This will be displayed within a iframe.
+	}
+	function error($error) {
+		if ( is_string($error) && isset( $this->upgrader->strings[$error] ) )
+			$this->error = $this->upgrader->strings[$error];
+
+		if ( is_wp_error($error) ) {
+			foreach ( $error->get_error_messages() as $emessage ) {
+				if ( $error->get_error_data() && is_string( $error->get_error_data() ) )
+					$messages[] = $emessage . ' ' . esc_html( $error->get_error_data() );
+				else
+					$messages[] = $emessage;
+			}
+			$this->error = implode(', ', $messages);
+		}
+		echo '<script type="text/javascript">jQuery(\'.waiting-' . esc_js($this->upgrader->update_current) . '\').hide();</script>';
+	}
+
+	function bulk_header() {
+		$this->feedback('skin_upgrade_start');
+	}
+
+	function bulk_footer() {
+		$this->feedback('skin_upgrade_end');
+	}
+
+	function before($title = '') {
+		$this->in_loop = true;
+		printf( '<h4>' . $this->upgrader->strings['skin_before_update_header'] . ' <span class="spinner waiting-' . $this->upgrader->update_current . '"></span></h4>',  $title, $this->upgrader->update_current, $this->upgrader->update_count);
+		echo '<script type="text/javascript">jQuery(\'.waiting-' . esc_js($this->upgrader->update_current) . '\').css("display", "inline-block");</script>';
+		echo '<div class="update-messages hide-if-js" id="progress-' . esc_attr($this->upgrader->update_current) . '"><p>';
+		$this->flush_output();
+	}
+
+	function after($title = '') {
+		echo '</p></div>';
+		if ( $this->error || ! $this->result ) {
+			if ( $this->error )
+				echo '<div class="error"><p>' . sprintf($this->upgrader->strings['skin_update_failed_error'], $title, $this->error) . '</p></div>';
+			else
+				echo '<div class="error"><p>' . sprintf($this->upgrader->strings['skin_update_failed'], $title) . '</p></div>';
+
+			echo '<script type="text/javascript">jQuery(\'#progress-' . esc_js($this->upgrader->update_current) . '\').show();</script>';
+		}
+		if ( $this->result && ! is_wp_error( $this->result ) ) {
+			if ( ! $this->error )
+				echo '<div class="updated"><p>' . sprintf($this->upgrader->strings['skin_update_successful'], $title, 'jQuery(\'#progress-' . esc_js($this->upgrader->update_current) . '\').toggle();jQuery(\'span\', this).toggle(); return false;') . '</p></div>';
+			echo '<script type="text/javascript">jQuery(\'.waiting-' . esc_js($this->upgrader->update_current) . '\').hide();</script>';
+		}
+
+		$this->reset();
+		$this->flush_output();
+	}
+
+	function reset() {
+		$this->in_loop = false;
+		$this->error = false;
+	}
+
+	function flush_output() {
+		wp_ob_end_flush_all();
+		flush();
+	}
+}
+
+class Bulk_Plugin_Upgrader_Skin extends Bulk_Upgrader_Skin {
+	var $plugin_info = array(); // Plugin_Upgrader::bulk() will fill this in.
+
+	function __construct($args = array()) {
+		parent::__construct($args);
+	}
+
+	function add_strings() {
+		parent::add_strings();
+		$this->upgrader->strings['skin_before_update_header'] = __('Updating Plugin %1$s (%2$d/%3$d)');
+	}
+
+	function before($title = '') {
+		parent::before($this->plugin_info['Title']);
+	}
+
+	function after($title = '') {
+		parent::after($this->plugin_info['Title']);
+	}
+	function bulk_footer() {
+		parent::bulk_footer();
+		$update_actions =  array(
+			'plugins_page' => '<a href="' . self_admin_url('plugins.php') . '" title="' . esc_attr__('Go to plugins page') . '" target="_parent">' . __('Return to Plugins page') . '</a>',
+			'updates_page' => '<a href="' . self_admin_url('update-core.php') . '" title="' . esc_attr__('Go to WordPress Updates page') . '" target="_parent">' . __('Return to WordPress Updates') . '</a>'
+		);
+		if ( ! current_user_can( 'activate_plugins' ) )
+			unset( $update_actions['plugins_page'] );
+
+		$update_actions = apply_filters('update_bulk_plugins_complete_actions', $update_actions, $this->plugin_info);
+		if ( ! empty($update_actions) )
+			$this->feedback(implode(' | ', (array)$update_actions));
+	}
+}
+
+class Bulk_Theme_Upgrader_Skin extends Bulk_Upgrader_Skin {
+	var $theme_info = array(); // Theme_Upgrader::bulk() will fill this in.
+
+	function __construct($args = array()) {
+		parent::__construct($args);
+	}
+
+	function add_strings() {
+		parent::add_strings();
+		$this->upgrader->strings['skin_before_update_header'] = __('Updating Theme %1$s (%2$d/%3$d)');
+	}
+
+	function before($title = '') {
+		parent::before( $this->theme_info->display('Name') );
+	}
+
+	function after($title = '') {
+		parent::after( $this->theme_info->display('Name') );
+	}
+
+	function bulk_footer() {
+		parent::bulk_footer();
+		$update_actions =  array(
+			'themes_page' => '<a href="' . self_admin_url('themes.php') . '" title="' . esc_attr__('Go to themes page') . '" target="_parent">' . __('Return to Themes page') . '</a>',
+			'updates_page' => '<a href="' . self_admin_url('update-core.php') . '" title="' . esc_attr__('Go to WordPress Updates page') . '" target="_parent">' . __('Return to WordPress Updates') . '</a>'
+		);
+		if ( ! current_user_can( 'switch_themes' ) && ! current_user_can( 'edit_theme_options' ) )
+			unset( $update_actions['themes_page'] );
+
+		$update_actions = apply_filters('update_bulk_theme_complete_actions', $update_actions, $this->theme_info );
+		if ( ! empty($update_actions) )
+			$this->feedback(implode(' | ', (array)$update_actions));
+	}
+}
+
+/**
+ * Plugin Installer Skin for WordPress Plugin Installer.
+ *
+ * @package WordPress
+ * @subpackage Upgrader
+ * @since 2.8.0
+ */
+class Plugin_Installer_Skin extends WP_Upgrader_Skin {
+	var $api;
+	var $type;
+
+	function __construct($args = array()) {
+		$defaults = array( 'type' => 'web', 'url' => '', 'plugin' => '', 'nonce' => '', 'title' => '' );
+		$args = wp_parse_args($args, $defaults);
+
+		$this->type = $args['type'];
+		$this->api = isset($args['api']) ? $args['api'] : array();
+
+		parent::__construct($args);
+	}
+
+	function before() {
+		if ( !empty($this->api) )
+			$this->upgrader->strings['process_success'] = sprintf( __('Successfully installed the plugin <strong>%s %s</strong>.'), $this->api->name, $this->api->version);
+	}
+
+	function after() {
+
+		$plugin_file = $this->upgrader->plugin_info();
+
+		$install_actions = array();
+
+		$from = isset($_GET['from']) ? wp_unslash( $_GET['from'] ) : 'plugins';
+
+		if ( 'import' == $from )
+			$install_actions['activate_plugin'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;from=import&amp;plugin=' . urlencode( $plugin_file ), 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" target="_parent">' . __('Activate Plugin &amp; Run Importer') . '</a>';
+		else
+			$install_actions['activate_plugin'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ), 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" target="_parent">' . __('Activate Plugin') . '</a>';
+
+		if ( is_multisite() && current_user_can( 'manage_network_plugins' ) ) {
+			$install_actions['network_activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;networkwide=1&amp;plugin=' . urlencode( $plugin_file ), 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin for all sites in this network') . '" target="_parent">' . __('Network Activate') . '</a>';
+			unset( $install_actions['activate_plugin'] );
+		}
+
+		if ( 'import' == $from )
+			$install_actions['importers_page'] = '<a href="' . admin_url('import.php') . '" title="' . esc_attr__('Return to Importers') . '" target="_parent">' . __('Return to Importers') . '</a>';
+		else if ( $this->type == 'web' )
+			$install_actions['plugins_page'] = '<a href="' . self_admin_url('plugin-install.php') . '" title="' . esc_attr__('Return to Plugin Installer') . '" target="_parent">' . __('Return to Plugin Installer') . '</a>';
+		else
+			$install_actions['plugins_page'] = '<a href="' . self_admin_url('plugins.php') . '" title="' . esc_attr__('Return to Plugins page') . '" target="_parent">' . __('Return to Plugins page') . '</a>';
+
+		if ( ! $this->result || is_wp_error($this->result) ) {
+			unset( $install_actions['activate_plugin'], $install_actions['network_activate'] );
+		} elseif ( ! current_user_can( 'activate_plugins' ) ) {
+			unset( $install_actions['activate_plugin'] );
+		}
+
+		$install_actions = apply_filters('install_plugin_complete_actions', $install_actions, $this->api, $plugin_file);
+		if ( ! empty($install_actions) )
+			$this->feedback(implode(' | ', (array)$install_actions));
+	}
+}
+
+/**
+ * Theme Installer Skin for the WordPress Theme Installer.
+ *
+ * @package WordPress
+ * @subpackage Upgrader
+ * @since 2.8.0
+ */
+class Theme_Installer_Skin extends WP_Upgrader_Skin {
+	var $api;
+	var $type;
+
+	function __construct($args = array()) {
+		$defaults = array( 'type' => 'web', 'url' => '', 'theme' => '', 'nonce' => '', 'title' => '' );
+		$args = wp_parse_args($args, $defaults);
+
+		$this->type = $args['type'];
+		$this->api = isset($args['api']) ? $args['api'] : array();
+
+		parent::__construct($args);
+	}
+
+	function before() {
+		if ( !empty($this->api) )
+			$this->upgrader->strings['process_success'] = sprintf( $this->upgrader->strings['process_success_specific'], $this->api->name, $this->api->version);
+	}
+
+	function after() {
+		if ( empty($this->upgrader->result['destination_name']) )
+			return;
+
+		$theme_info = $this->upgrader->theme_info();
+		if ( empty( $theme_info ) )
+			return;
+
+		$name       = $theme_info->display('Name');
+		$stylesheet = $this->upgrader->result['destination_name'];
+		$template   = $theme_info->get_template();
+
+		$preview_link = add_query_arg( array(
+			'preview'    => 1,
+			'template'   => urlencode( $template ),
+			'stylesheet' => urlencode( $stylesheet ),
+		), trailingslashit( home_url() ) );
+
+		$activate_link = add_query_arg( array(
+			'action'     => 'activate',
+			'template'   => urlencode( $template ),
+			'stylesheet' => urlencode( $stylesheet ),
+		), admin_url('themes.php') );
+		$activate_link = wp_nonce_url( $activate_link, 'switch-theme_' . $stylesheet );
+
+		$install_actions = array();
+		$install_actions['preview']  = '<a href="' . esc_url( $preview_link ) . '" class="hide-if-customize" title="' . esc_attr( sprintf( __('Preview &#8220;%s&#8221;'), $name ) ) . '">' . __('Preview') . '</a>';
+		$install_actions['preview'] .= '<a href="' . wp_customize_url( $stylesheet ) . '" class="hide-if-no-customize load-customize" title="' . esc_attr( sprintf( __('Preview &#8220;%s&#8221;'), $name ) ) . '">' . __('Live Preview') . '</a>';
+		$install_actions['activate'] = '<a href="' . esc_url( $activate_link ) . '" class="activatelink" title="' . esc_attr( sprintf( __('Activate &#8220;%s&#8221;'), $name ) ) . '">' . __('Activate') . '</a>';
+
+		if ( is_network_admin() && current_user_can( 'manage_network_themes' ) )
+			$install_actions['network_enable'] = '<a href="' . esc_url( wp_nonce_url( 'themes.php?action=enable&amp;theme=' . urlencode( $stylesheet ), 'enable-theme_' . $stylesheet ) ) . '" title="' . esc_attr__( 'Enable this theme for all sites in this network' ) . '" target="_parent">' . __( 'Network Enable' ) . '</a>';
+
+		if ( $this->type == 'web' )
+			$install_actions['themes_page'] = '<a href="' . self_admin_url('theme-install.php') . '" title="' . esc_attr__('Return to Theme Installer') . '" target="_parent">' . __('Return to Theme Installer') . '</a>';
+		elseif ( current_user_can( 'switch_themes' ) || current_user_can( 'edit_theme_options' ) )
+			$install_actions['themes_page'] = '<a href="' . self_admin_url('themes.php') . '" title="' . esc_attr__('Themes page') . '" target="_parent">' . __('Return to Themes page') . '</a>';
+
+		if ( ! $this->result || is_wp_error($this->result) || is_network_admin() || ! current_user_can( 'switch_themes' ) )
+			unset( $install_actions['activate'], $install_actions['preview'] );
+
+		$install_actions = apply_filters('install_theme_complete_actions', $install_actions, $this->api, $stylesheet, $theme_info);
+		if ( ! empty($install_actions) )
+			$this->feedback(implode(' | ', (array)$install_actions));
+	}
+}
+
+/**
+ * Theme Upgrader Skin for WordPress Theme Upgrades.
+ *
+ * @package WordPress
+ * @subpackage Upgrader
+ * @since 2.8.0
+ */
+class Theme_Upgrader_Skin extends WP_Upgrader_Skin {
+	var $theme = '';
+
+	function __construct($args = array()) {
+		$defaults = array( 'url' => '', 'theme' => '', 'nonce' => '', 'title' => __('Update Theme') );
+		$args = wp_parse_args($args, $defaults);
+
+		$this->theme = $args['theme'];
+
+		parent::__construct($args);
+	}
+
+	function after() {
+
+		$update_actions = array();
+		if ( ! empty( $this->upgrader->result['destination_name'] ) && $theme_info = $this->upgrader->theme_info() ) {
+			$name       = $theme_info->display('Name');
+			$stylesheet = $this->upgrader->result['destination_name'];
+			$template   = $theme_info->get_template();
+
+			$preview_link = add_query_arg( array(
+				'preview'    => 1,
+				'template'   => urlencode( $template ),
+				'stylesheet' => urlencode( $stylesheet ),
+			), trailingslashit( home_url() ) );
+
+			$activate_link = add_query_arg( array(
+				'action'     => 'activate',
+				'template'   => urlencode( $template ),
+				'stylesheet' => urlencode( $stylesheet ),
+			), admin_url('themes.php') );
+			$activate_link = wp_nonce_url( $activate_link, 'switch-theme_' . $stylesheet );
+
+			if ( get_stylesheet() == $stylesheet ) {
+				if ( current_user_can( 'edit_theme_options' ) )
+					$update_actions['preview']  = '<a href="' . wp_customize_url( $stylesheet ) . '" class="hide-if-no-customize load-customize" title="' . esc_attr( sprintf( __('Customize &#8220;%s&#8221;'), $name ) ) . '">' . __('Customize') . '</a>';
+			} elseif ( current_user_can( 'switch_themes' ) ) {
+				$update_actions['preview']  = '<a href="' . esc_url( $preview_link ) . '" class="hide-if-customize" title="' . esc_attr( sprintf( __('Preview &#8220;%s&#8221;'), $name ) ) . '">' . __('Preview') . '</a>';
+				$update_actions['preview'] .= '<a href="' . wp_customize_url( $stylesheet ) . '" class="hide-if-no-customize load-customize" title="' . esc_attr( sprintf( __('Preview &#8220;%s&#8221;'), $name ) ) . '">' . __('Live Preview') . '</a>';
+				$update_actions['activate'] = '<a href="' . esc_url( $activate_link ) . '" class="activatelink" title="' . esc_attr( sprintf( __('Activate &#8220;%s&#8221;'), $name ) ) . '">' . __('Activate') . '</a>';
+			}
+
+			if ( ! $this->result || is_wp_error( $this->result ) || is_network_admin() )
+				unset( $update_actions['preview'], $update_actions['activate'] );
+		}
+
+		$update_actions['themes_page'] = '<a href="' . self_admin_url('themes.php') . '" title="' . esc_attr__('Return to Themes page') . '" target="_parent">' . __('Return to Themes page') . '</a>';
+
+		$update_actions = apply_filters('update_theme_complete_actions', $update_actions, $this->theme);
+		if ( ! empty($update_actions) )
+			$this->feedback(implode(' | ', (array)$update_actions));
+	}
+}
+
+/**
+ * Translation Upgrader Skin for WordPress Translation Upgrades.
+ *
+ * @package WordPress
+ * @subpackage Upgrader
+ * @since 3.7.0
+ */
+class Language_Pack_Upgrader_Skin extends WP_Upgrader_Skin {
+	var $language_update = null;
+	var $done_header = false;
+	var $display_footer_actions = true;
+
+	function __construct( $args = array() ) {
+		$defaults = array( 'url' => '', 'nonce' => '', 'title' => __( 'Update Translations' ), 'skip_header_footer' => false );
+		$args = wp_parse_args( $args, $defaults );
+		if ( $args['skip_header_footer'] ) {
+			$this->done_header = true;
+			$this->display_footer_actions = false;
+		}
+		parent::__construct( $args );
+	}
+
+	function before() {
+		$name = $this->upgrader->get_name_for_update( $this->language_update );
+
+		echo '<div class="update-messages lp-show-latest">';
+
+		printf( '<h4>' . __( 'Updating translations for %1$s (%2$s)&#8230;' ) . '</h4>', $name, $this->language_update->language );
+	}
+
+	function error( $error ) {
+		echo '<div class="lp-error">';
+		parent::error( $error );
+		echo '</div>';
+	}
+
+	function after() {
+		echo '</div>';
+	}
+
+	function bulk_footer() {
+		$update_actions = array();
+		$update_actions['updates_page'] = '<a href="' . self_admin_url( 'update-core.php' ) . '" title="' . esc_attr__( 'Go to WordPress Updates page' ) . '" target="_parent">' . __( 'Return to WordPress Updates' ) . '</a>';
+		$update_actions = apply_filters( 'update_translations_complete_actions', $update_actions );
+
+		if ( $update_actions && $this->display_footer_actions )
+			$this->feedback( implode( ' | ', $update_actions ) );
+
+		parent::footer();
+	}
+}
+
+/**
+ * Upgrader Skin for Automatic WordPress Upgrades
+ *
+ * This skin is designed to be used when no output is intended, all output
+ * is captured and stored for the caller to process and log/email/discard.
+ *
+ * @package WordPress
+ * @subpackage Upgrader
+ * @since 3.7.0
+ */
+class Automatic_Upgrader_Skin extends WP_Upgrader_Skin {
+	protected $messages = array();
+
+	function request_filesystem_credentials( $error = false, $context = '' ) {
+		if ( $context )
+			$this->options['context'] = $context;
+		// TODO: fix up request_filesystem_credentials(), or split it, to allow us to request a no-output version
+		// This will output a credentials form in event of failure, We don't want that, so just hide with a buffer
+		ob_start();
+		$result = parent::request_filesystem_credentials( $error );
+		ob_end_clean();
+		return $result;
+	}
+
+	function get_upgrade_messages() {
+		return $this->messages;
+	}
+
+	function feedback( $data ) {
+		if ( is_wp_error( $data ) )
+			$string = $data->get_error_message();
+		else if ( is_array( $data ) )
+			return;
+		else
+			$string = $data;
+
+		if ( ! empty( $this->upgrader->strings[ $string ] ) )
+			$string = $this->upgrader->strings[ $string ];
+
+		if ( strpos( $string, '%' ) !== false ) {
+			$args = func_get_args();
+			$args = array_splice( $args, 1 );
+			if ( ! empty( $args ) )
+				$string = vsprintf( $string, $args );
+		}
+
+		$string = trim( $string );
+
+		// Only allow basic HTML in the messages, as it'll be used in emails/logs rather than direct browser output.
+		$string = wp_kses( $string, array(
+			'a' => array(
+				'href' => true
+			),
+			'br' => true,
+			'em' => true,
+			'strong' => true,
+		) );
+
+		if ( empty( $string ) )
+			return;
+
+		$this->messages[] = $string;
+	}
+
+	function header() {
+		ob_start();
+	}
+
+	function footer() {
+		$output = ob_get_contents();
+		if ( ! empty( $output ) )
+			$this->feedback( $output );
+		ob_end_clean();
+	}
+
+	function bulk_header() {}
+	function bulk_footer() {}
+	function before() {}
+	function after() {}
+}

wp-admin/includes/class-wp-users-list-table.php

@@ -209,7 +209,7 @@ class WP_Users_List_Table extends WP_List_Table {
 				continue;
 
 			$style = ( ' class="alternate"' == $style ) ? '' : ' class="alternate"';
-			echo "\n\t", $this->single_row( $user_object, $style, $role, isset( $post_counts ) ? $post_counts[ $userid ] : 0 );
+			echo "\n\t" . $this->single_row( $user_object, $style, $role, isset( $post_counts ) ? $post_counts[ $userid ] : 0 );
 		}
 	}
 
@@ -241,7 +241,7 @@ class WP_Users_List_Table extends WP_List_Table {
 		// Check if the user for this row is editable
 		if ( current_user_can( 'list_users' ) ) {
 			// Set up the user editing link
-			$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) );
+			$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) );
 
 			// Set up the hover actions for this user
 			$actions = array();
@@ -260,7 +260,7 @@ class WP_Users_List_Table extends WP_List_Table {
 			$actions = apply_filters( 'user_row_actions', $actions, $user_object );
 			$edit .= $this->row_actions( $actions );
 
-			// Set up the checkbox ( because the user is editable, otherwise its empty )
+			// Set up the checkbox ( because the user is editable, otherwise it's empty )
 			$checkbox = '<label class="screen-reader-text" for="cb-select-' . $user_object->ID . '">' . sprintf( __( 'Select %s' ), $user_object->user_login ) . '</label>'
 						. "<input type='checkbox' name='users[]' id='user_{$user_object->ID}' class='$role' value='{$user_object->ID}' />";
 
@@ -294,7 +294,7 @@ class WP_Users_List_Table extends WP_List_Table {
 					$r .= "<td $attributes>$user_object->first_name $user_object->last_name</td>";
 					break;
 				case 'email':
-					$r .= "<td $attributes><a href='mailto:$email' title='" . esc_attr( sprintf( __( 'E-mail: %s' ), $email ) ) . "'>$email</a></td>";
+					$r .= "<td $attributes><a href='" . esc_url( "mailto:$email" ) . "' title='" . esc_attr( sprintf( __( 'E-mail: %s' ), $email ) ) . "'>$email</a></td>";
 					break;
 				case 'role':
 					$r .= "<td $attributes>$role_name</td>";

wp-admin/includes/comment.php

@@ -7,14 +7,14 @@
  */
 
 /**
- * {@internal Missing Short Description}}
+ * Determine if a comment exists based on author and date.
  *
  * @since 2.0.0
  * @uses $wpdb
  *
  * @param string $comment_author Author of the comment
  * @param string $comment_date Date of the comment
- * @return mixed Comment ID on success.
+ * @return mixed Comment post ID on success.
  */
 function comment_exists($comment_author, $comment_date) {
 	global $wpdb;
@@ -36,12 +36,18 @@ function edit_comment() {
 	if ( ! current_user_can( 'edit_comment', (int) $_POST['comment_ID'] ) )
 		wp_die ( __( 'You are not allowed to edit comments on this post.' ) );
 
-	$_POST['comment_author'] = $_POST['newcomment_author'];
-	$_POST['comment_author_email'] = $_POST['newcomment_author_email'];
-	$_POST['comment_author_url'] = $_POST['newcomment_author_url'];
-	$_POST['comment_approved'] = $_POST['comment_status'];
-	$_POST['comment_content'] = $_POST['content'];
-	$_POST['comment_ID'] = (int) $_POST['comment_ID'];
+	if ( isset( $_POST['newcomment_author'] ) )
+		$_POST['comment_author'] = $_POST['newcomment_author'];
+	if ( isset( $_POST['newcomment_author_email'] ) )
+		$_POST['comment_author_email'] = $_POST['newcomment_author_email'];
+	if ( isset( $_POST['newcomment_author_url'] ) )
+		$_POST['comment_author_url'] = $_POST['newcomment_author_url'];
+	if ( isset( $_POST['comment_status'] ) )
+		$_POST['comment_approved'] = $_POST['comment_status'];
+	if ( isset( $_POST['content'] ) )
+		$_POST['comment_content'] = $_POST['content'];
+	if ( isset( $_POST['comment_ID'] ) )
+		$_POST['comment_ID'] = (int) $_POST['comment_ID'];
 
 	foreach ( array ('aa', 'mm', 'jj', 'hh', 'mn') as $timeunit ) {
 		if ( !empty( $_POST['hidden_' . $timeunit] ) && $_POST['hidden_' . $timeunit] != $_POST[$timeunit] ) {
@@ -68,11 +74,11 @@ function edit_comment() {
 }
 
 /**
- * {@internal Missing Short Description}}
+ * Returns a comment object based on comment ID.
  *
  * @since 2.0.0
  *
- * @param int $id ID of comment to retrieve
+ * @param int $id ID of comment to retrieve.
  * @return bool|object Comment if found. False on failure.
  */
 function get_comment_to_edit( $id ) {
@@ -83,7 +89,14 @@ function get_comment_to_edit( $id ) {
 	$comment->comment_post_ID = (int) $comment->comment_post_ID;
 
 	$comment->comment_content = format_to_edit( $comment->comment_content );
-	$comment->comment_content = apply_filters( 'comment_edit_pre', $comment->comment_content);
+	/**
+	 * Filter the comment content before editing.
+	 *
+	 * @since 2.0.0
+	 *
+	 * @param string $comment->comment_content Comment content.
+	 */
+	$comment->comment_content = apply_filters( 'comment_edit_pre', $comment->comment_content );
 
 	$comment->comment_author = format_to_edit( $comment->comment_author );
 	$comment->comment_author_email = format_to_edit( $comment->comment_author_email );
@@ -148,7 +161,7 @@ function get_pending_comments_num( $post_id ) {
  */
 function floated_admin_avatar( $name ) {
 	global $comment;
-	$avatar = get_avatar( $comment, 32 );
+	$avatar = get_avatar( $comment, 32, 'mystery' );
 	return "$avatar $name";
 }
 

wp-admin/includes/dashboard.php

@@ -142,11 +142,13 @@ function wp_dashboard_setup() {
 	if ( $update )
 		update_option( 'dashboard_widget_options', $widget_options );
 
+	/** This action is documented in wp-admin/edit-form-advanced.php */
 	do_action('do_meta_boxes', $screen->id, 'normal', '');
+	/** This action is documented in wp-admin/edit-form-advanced.php */
 	do_action('do_meta_boxes', $screen->id, 'side', '');
 }
 
-function wp_add_dashboard_widget( $widget_id, $widget_name, $callback, $control_callback = null ) {
+function wp_add_dashboard_widget( $widget_id, $widget_name, $callback, $control_callback = null, $callback_args = null ) {
 	$screen = get_current_screen();
 	global $wp_dashboard_control_callbacks;
 
@@ -177,7 +179,7 @@ function wp_add_dashboard_widget( $widget_id, $widget_name, $callback, $control_
 	if ( 'dashboard_browser_nag' === $widget_id )
 		$priority = 'high';
 
-	add_meta_box( $widget_id, $widget_name, $callback, $screen, $location, $priority );
+	add_meta_box( $widget_id, $widget_name, $callback, $screen, $location, $priority, $callback_args );
 }
 
 function _wp_dashboard_control_callback( $dashboard, $meta_box ) {
@@ -232,7 +234,7 @@ function wp_dashboard_right_now() {
 
 	$num_tags = wp_count_terms('post_tag');
 
-	$num_comm = wp_count_comments( );
+	$num_comm = wp_count_comments();
 
 	echo "\n\t".'<div class="table table_content">';
 	echo "\n\t".'<p class="sub">' . __('Content') . '</p>'."\n\t".'<table>';
@@ -366,7 +368,7 @@ function wp_dashboard_right_now() {
 
 	if ( $theme->errors() ) {
 		if ( ! is_multisite() || is_super_admin() )
-			echo '<span class="error-message">' . __('ERROR: The themes directory is either empty or doesn&#8217;t exist. Please check your installation.') . '</span>';
+			echo '<span class="error-message">' . sprintf( __( 'ERROR: %s' ), $theme->errors()->get_error_message() ) . '</span>';
 	} elseif ( ! empty($wp_registered_sidebars) ) {
 		$sidebars_widgets = wp_get_sidebars_widgets();
 		$num_widgets = 0;
@@ -486,6 +488,10 @@ function wp_dashboard_quick_press() {
 		$_REQUEST = array(); // hack for get_default_post_to_edit()
 	}
 
+	if ( ! current_user_can( 'edit_posts' ) ) {
+		return;
+	}
+
 	/* Check if a new auto-draft (= no new post_ID) is needed or if the old can be used */
 	$last_post_id = (int) get_user_option( 'dashboard_quick_press_last_post_id' ); // Get the last post_ID
 	if ( $last_post_id ) {
@@ -589,8 +595,8 @@ function wp_dashboard_recent_drafts( $drafts = false ) {
 			$url = get_edit_post_link( $draft->ID );
 			$title = _draft_or_post_title( $draft->ID );
 			$item = "<h4><a href='$url' title='" . sprintf( __( 'Edit &#8220;%s&#8221;' ), esc_attr( $title ) ) . "'>" . esc_html($title) . "</a> <abbr title='" . get_the_time(__('Y/m/d g:i:s A'), $draft) . "'>" . get_the_time( get_option( 'date_format' ), $draft ) . '</abbr></h4>';
-			if ( $the_content = preg_split( '#[\r\n\t ]#', strip_tags( $draft->post_content ), 11, PREG_SPLIT_NO_EMPTY ) )
-				$item .= '<p>' . join( ' ', array_slice( $the_content, 0, 10 ) ) . ( 10 < count( $the_content ) ? '&hellip;' : '' ) . '</p>';
+			if ( $the_content = wp_trim_words( $draft->post_content, 10 ) )
+				$item .= '<p>' . $the_content . '</p>';
 			$list[] = $item;
 		}
 ?>
@@ -656,7 +662,7 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
 	$GLOBALS['comment'] =& $comment;
 
 	$comment_post_url = get_edit_post_link( $comment->comment_post_ID );
-	$comment_post_title = strip_tags(get_the_title( $comment->comment_post_ID ));
+	$comment_post_title = _draft_or_post_title( $comment->comment_post_ID );
 	$comment_post_link = "<a href='$comment_post_url'>$comment_post_title</a>";
 	$comment_link = '<a class="comment-link" href="' . esc_url(get_comment_link()) . '">#</a>';
 
@@ -710,7 +716,7 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
 		<div id="comment-<?php echo $comment->comment_ID; ?>" <?php comment_class( array( 'comment-item', wp_get_comment_status($comment->comment_ID) ) ); ?>>
 			<?php if ( !$comment->comment_type || 'comment' == $comment->comment_type ) : ?>
 
-			<?php echo get_avatar( $comment, 50 ); ?>
+			<?php echo get_avatar( $comment, 50, 'mystery' ); ?>
 
 			<div class="dashboard-comment-wrap">
 			<h4 class="comment-meta">
@@ -827,7 +833,7 @@ function wp_dashboard_incoming_links_output() {
 			$publisher = "<strong>$publisher</strong>";
 
 		$content = $item->get_content();
-		$content = wp_html_excerpt($content, 50) . ' ...';
+		$content = wp_html_excerpt( $content, 50, ' &hellip;' );
 
 		if ( $link )
 			/* translators: incoming links feed, %1$s is other person, %3$s is content */
@@ -869,7 +875,7 @@ function wp_dashboard_primary_control() {
 }
 
 /**
- * {@internal Missing Short Description}}
+ * Display primary dashboard RSS widget feed.
  *
  * @since 2.5.0
  *
@@ -923,8 +929,8 @@ function wp_dashboard_secondary_output() {
 
 function wp_dashboard_plugins() {
 	wp_dashboard_cached_rss_widget( 'dashboard_plugins', 'wp_dashboard_plugins_output', array(
-		'http://wordpress.org/extend/plugins/rss/browse/popular/',
-		'http://wordpress.org/extend/plugins/rss/browse/new/'
+		'http://wordpress.org/plugins/rss/browse/popular/',
+		'http://wordpress.org/plugins/rss/browse/new/'
 	) );
 }
 
@@ -934,8 +940,8 @@ function wp_dashboard_plugins() {
  * @since 2.5.0
  */
 function wp_dashboard_plugins_output() {
-	$popular = fetch_feed( 'http://wordpress.org/extend/plugins/rss/browse/popular/' );
-	$new     = fetch_feed( 'http://wordpress.org/extend/plugins/rss/browse/new/' );
+	$popular = fetch_feed( 'http://wordpress.org/plugins/rss/browse/popular/' );
+	$new     = fetch_feed( 'http://wordpress.org/plugins/rss/browse/new/' );
 
 	if ( false === $plugin_slugs = get_transient( 'plugin_slugs' ) ) {
 		$plugin_slugs = array_keys( get_plugins() );
@@ -1093,8 +1099,9 @@ function wp_dashboard_rss_control( $widget_id, $form_inputs = array() ) {
 	$widget_options[$widget_id]['number'] = $number;
 
 	if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset($_POST['widget-rss'][$number]) ) {
-		$_POST['widget-rss'][$number] = stripslashes_deep( $_POST['widget-rss'][$number] );
+		$_POST['widget-rss'][$number] = wp_unslash( $_POST['widget-rss'][$number] );
 		$widget_options[$widget_id] = wp_widget_rss_process( $_POST['widget-rss'][$number] );
+		$widget_options[$widget_id]['number'] = $number;
 		// title is optional. If black, fill it if possible
 		if ( !$widget_options[$widget_id]['title'] && isset($_POST['widget-rss'][$number]['title']) ) {
 			$rss = fetch_feed($widget_options[$widget_id]['url']);
@@ -1114,7 +1121,15 @@ function wp_dashboard_rss_control( $widget_id, $form_inputs = array() ) {
 	wp_widget_rss_form( $widget_options[$widget_id], $form_inputs );
 }
 
-// Display File upload quota on dashboard
+/**
+ * Display file upload quota on dashboard.
+ *
+ * Runs on the activity_box_end hook in wp_dashboard_right_now().
+ *
+ * @since 3.0.0
+ *
+ * @return bool True if not multisite, user can't upload files, or the space check option is disabled.
+*/
 function wp_dashboard_quota() {
 	if ( !is_multisite() || !current_user_can('upload_files') || get_site_option( 'upload_space_check_disabled' ) )
 		return true;
@@ -1217,7 +1232,7 @@ function wp_check_browser_version() {
 			'user-agent'	=> 'WordPress/' . $wp_version . '; ' . home_url()
 		);
 
-		$response = wp_remote_post( 'http://api.wordpress.org/core/browse-happy/1.0/', $options );
+		$response = wp_remote_post( 'http://api.wordpress.org/core/browse-happy/1.1/', $options );
 
 		if ( is_wp_error( $response ) || 200 != wp_remote_retrieve_response_code( $response ) )
 			return false;
@@ -1233,7 +1248,7 @@ function wp_check_browser_version() {
 		 *  'img_src' - string - An image representing the browser
 		 *  'img_src_ssl' - string - An image (over SSL) representing the browser
 		 */
-		$response = maybe_unserialize( wp_remote_retrieve_body( $response ) );
+		$response = json_decode( wp_remote_retrieve_body( $response ), true );
 
 		if ( ! is_array( $response ) )
 			return false;

wp-admin/includes/deprecated.php

@@ -13,8 +13,8 @@
  */
 
 /**
- * @since 2.1
- * @deprecated 2.1
+ * @since 2.1.0
+ * @deprecated 2.1.0
  * @deprecated Use wp_editor().
  * @see wp_editor()
  */
@@ -27,8 +27,8 @@ function tinymce_include() {
 /**
  * Unused Admin function.
  *
- * @since 2.0
- * @deprecated 2.5
+ * @since 2.0.0
+ * @deprecated 2.5.0
  *
  */
 function documentation_link() {
@@ -106,6 +106,22 @@ function dropdown_link_categories( $default = 0 ) {
 	wp_link_category_checklist( $link_id );
 }
 
+/**
+ * Get the real filesystem path to a file to edit within the admin.
+ *
+ * @since 1.5.0
+ * @deprecated 2.9.0
+ * @uses WP_CONTENT_DIR Full filesystem path to the wp-content directory.
+ *
+ * @param string $file Filesystem path relative to the wp-content directory.
+ * @return string Full filesystem path to edit.
+ */
+function get_real_file_to_edit( $file ) {
+	_deprecated_function( __FUNCTION__, '2.9' );
+
+	return WP_CONTENT_DIR . $file;
+}
+
 /**
  * {@internal Missing Short Description}}
  *
@@ -207,7 +223,7 @@ function codepress_footer_js() {
 /**
  * Determine whether to use CodePress.
  *
- * @since 2.8
+ * @since 2.8.0
  * @deprecated 3.0.0
 **/
 function use_codepress() {
@@ -472,14 +488,13 @@ class WP_User_Search {
 	function WP_User_Search ($search_term = '', $page = '', $role = '') {
 		_deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
 
-		$this->search_term = stripslashes( $search_term );
+		$this->search_term = wp_unslash( $search_term );
 		$this->raw_page = ( '' == $page ) ? false : (int) $page;
 		$this->page = (int) ( '' == $page ) ? 1 : $page;
 		$this->role = $role;
 
 		$this->prepare_query();
 		$this->query();
-		$this->prepare_vars_for_template_usage();
 		$this->do_paging();
 	}
 
@@ -550,9 +565,7 @@ class WP_User_Search {
 	 * @since 2.1.0
 	 * @access public
 	 */
-	function prepare_vars_for_template_usage() {
-		$this->search_term = stripslashes($this->search_term); // done with DB, from now on we want slashes gone
-	}
+	function prepare_vars_for_template_usage() {}
 
 	/**
 	 * {@internal Missing Short Description}}
@@ -722,7 +735,7 @@ function wp_dashboard_quick_press_output() {
 
 /**
  * @since 2.7.0
- * @deprecated 3.3
+ * @deprecated 3.3.0
  * @deprecated Use wp_editor()
  * @see wp_editor()
  */
@@ -927,6 +940,7 @@ function get_allowed_themes() {
  * {@internal Missing Short Description}}
  *
  * @since 1.5.0
+ * @deprecated 3.4.0
  *
  * @return unknown
  */
@@ -950,6 +964,7 @@ function get_broken_themes() {
  * {@internal Missing Short Description}}
  *
  * @since 2.0.0
+ * @deprecated 3.4.0
  *
  * @return unknown
  */
@@ -1015,7 +1030,7 @@ function get_default_page_to_edit() {
  * @since 1.2.0
  * @deprecated 3.5.0
  * @deprecated Use image_resize()
- * @see  image_resize()
+ * @see image_resize()
  *
  * @param mixed $file Filename of the original image, Or attachment id.
  * @param int $max_side Maximum length of a single side for the thumbnail.
@@ -1023,6 +1038,96 @@ function get_default_page_to_edit() {
  * @return string Thumbnail path on success, Error string on failure.
  */
 function wp_create_thumbnail( $file, $max_side, $deprecated = '' ) {
-	_deprecated_function( __FUNCTION__, '3.5', 'image_resize' );
+	_deprecated_function( __FUNCTION__, '3.5', 'image_resize()' );
 	return apply_filters( 'wp_create_thumbnail', image_resize( $file, $max_side, $max_side ) );
 }
+
+/**
+ * This was once used to display a metabox for the nav menu theme locations.
+ *
+ * Deprecated in favor of a 'Manage Locations' tab added to nav menus management screen.
+ *
+ * @since 3.0.0
+ * @deprecated 3.6.0
+ */
+function wp_nav_menu_locations_meta_box() {
+	_deprecated_function( __FUNCTION__, '3.6' );
+}
+
+/**
+ * This was once used to kick-off the Core Updater.
+ *
+ * Deprecated in favor of instantating a Core_Upgrader instance directly,
+ * and calling the 'upgrade' method.
+ *
+ * @since 2.7.0
+ * @deprecated 3.7.0
+ */
+function wp_update_core($current, $feedback = '') {
+	_deprecated_function( __FUNCTION__, '3.7', 'new Core_Upgrader();' );
+
+	if ( !empty($feedback) )
+		add_filter('update_feedback', $feedback);
+
+	include ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
+	$upgrader = new Core_Upgrader();
+	return $upgrader->upgrade($current);
+
+}
+
+/**
+ * This was once used to kick-off the Plugin Updater.
+ *
+ * Deprecated in favor of instantating a Plugin_Upgrader instance directly,
+ * and calling the 'upgrade' method.
+ * Unused since 2.8.0.
+ *
+ * @since 2.5.0
+ * @deprecated 3.7.0
+ */
+function wp_update_plugin($plugin, $feedback = '') {
+	_deprecated_function( __FUNCTION__, '3.7', 'new Plugin_Upgrader();' );
+
+	if ( !empty($feedback) )
+		add_filter('update_feedback', $feedback);
+
+	include ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
+	$upgrader = new Plugin_Upgrader();
+	return $upgrader->upgrade($plugin);
+}
+
+/**
+ * This was once used to kick-off the Plugin Updater.
+ *
+ * Deprecated in favor of instantating a Plugin_Upgrader instance directly,
+ * and calling the 'upgrade' method.
+ * Unused since 2.8.0.
+ *
+ * @since 2.7.0
+ * @deprecated 3.7.0
+ */
+function wp_update_theme($theme, $feedback = '') {
+	_deprecated_function( __FUNCTION__, '3.7', 'new Theme_Upgrader();' );
+
+	if ( !empty($feedback) )
+		add_filter('update_feedback', $feedback);
+
+	include ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
+	$upgrader = new Theme_Upgrader();
+	return $upgrader->upgrade($theme);
+}
+
+/**
+ * This was once used to display attachment links. Now it is deprecated and stubbed.
+ *
+ * {@internal Missing Short Description}}
+ *
+ * @since 2.0.0
+ * @deprecated 3.7.0
+ *
+ * @param unknown_type $id
+ * @return unknown
+ */
+function the_attachment_links( $id = false ) {
+	_deprecated_function( __FUNCTION__, '3.7' );
+}

wp-admin/includes/export.php

@@ -367,11 +367,12 @@ function export_wp( $args = array() ) {
 		$is_sticky = is_sticky( $post->ID ) ? 1 : 0;
 ?>
 	<item>
+		<?php /** This filter is documented in wp-includes/feed.php */ ?>
 		<title><?php echo apply_filters( 'the_title_rss', $post->post_title ); ?></title>
 		<link><?php the_permalink_rss() ?></link>
 		<pubDate><?php echo mysql2date( 'D, d M Y H:i:s +0000', get_post_time( 'Y-m-d H:i:s', true ), false ); ?></pubDate>
-		<dc:creator><?php echo get_the_author_meta( 'login' ); ?></dc:creator>
-		<guid isPermaLink="false"><?php esc_url( the_guid() ); ?></guid>
+		<dc:creator><?php echo wxr_cdata( get_the_author_meta( 'login' ) ); ?></dc:creator>
+		<guid isPermaLink="false"><?php the_guid(); ?></guid>
 		<description></description>
 		<content:encoded><?php echo wxr_cdata( apply_filters( 'the_content_export', $post->post_content ) ); ?></content:encoded>
 		<excerpt:encoded><?php echo wxr_cdata( apply_filters( 'the_excerpt_export', $post->post_excerpt ) ); ?></excerpt:encoded>

wp-admin/includes/file.php

@@ -90,31 +90,7 @@ function get_home_path() {
 		$home_path = ABSPATH;
 	}
 
-	return $home_path;
-}
-
-/**
- * Get the real file system path to a file to edit within the admin
- *
- * If the $file is index.php or .htaccess this function will assume it is relative
- * to the install root, otherwise it is assumed the file is relative to the wp-content
- * directory
- *
- * @since 1.5.0
- *
- * @uses get_home_path
- * @uses WP_CONTENT_DIR full filesystem path to the wp-content directory
- * @param string $file filesystem path relative to the WordPress install directory or to the wp-content directory
- * @return string full file system path to edit
- */
-function get_real_file_to_edit( $file ) {
-	if ('index.php' == $file || '.htaccess' == $file ) {
-		$real_file = get_home_path() . $file;
-	} else {
-		$real_file = WP_CONTENT_DIR . $file;
-	}
-
-	return $real_file;
+	return str_replace( '\\', '/', $home_path );
 }
 
 /**
@@ -328,8 +304,14 @@ function wp_handle_upload( &$file, $overrides = false, $time = null ) {
 
 	// Move the file to the uploads dir
 	$new_file = $uploads['path'] . "/$filename";
-	if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) )
-		return $upload_error_handler( $file, sprintf( __('The uploaded file could not be moved to %s.' ), $uploads['path'] ) );
+	if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) ) {
+		if ( 0 === strpos( $uploads['basedir'], ABSPATH ) )
+			$error_path = str_replace( ABSPATH, '', $uploads['basedir'] ) . $uploads['subdir'];
+		else
+			$error_path = basename( $uploads['basedir'] ) . $uploads['subdir'];
+
+		return $upload_error_handler( $file, sprintf( __('The uploaded file could not be moved to %s.' ), $error_path ) );
+	}
 
 	// Set correct file permissions
 	$stat = stat( dirname( $new_file ));
@@ -452,7 +434,11 @@ function wp_handle_sideload( &$file, $overrides = false, $time = null ) {
 	// Move the file to the uploads dir
 	$new_file = $uploads['path'] . "/$filename";
 	if ( false === @ rename( $file['tmp_name'], $new_file ) ) {
-		return $upload_error_handler( $file, sprintf( __('The uploaded file could not be moved to %s.' ), $uploads['path'] ) );
+		if ( 0 === strpos( $uploads['basedir'], ABSPATH ) )
+			$error_path = str_replace( ABSPATH, '', $uploads['basedir'] ) . $uploads['subdir'];
+		else
+			$error_path = basename( $uploads['basedir'] ) . $uploads['subdir'];
+		return $upload_error_handler( $file, sprintf( __('The uploaded file could not be moved to %s.' ), $error_path ) );
 	}
 
 	// Set correct file permissions
@@ -487,7 +473,7 @@ function download_url( $url, $timeout = 300 ) {
 	if ( ! $tmpfname )
 		return new WP_Error('http_no_file', __('Could not create Temporary file.'));
 
-	$response = wp_remote_get( $url, array( 'timeout' => $timeout, 'stream' => true, 'filename' => $tmpfname ) );
+	$response = wp_safe_remote_get( $url, array( 'timeout' => $timeout, 'stream' => true, 'filename' => $tmpfname ) );
 
 	if ( is_wp_error( $response ) ) {
 		unlink( $tmpfname );
@@ -499,9 +485,43 @@ function download_url( $url, $timeout = 300 ) {
 		return new WP_Error( 'http_404', trim( wp_remote_retrieve_response_message( $response ) ) );
 	}
 
+	$content_md5 = wp_remote_retrieve_header( $response, 'content-md5' );
+	if ( $content_md5 ) {
+		$md5_check = verify_file_md5( $tmpfname, $content_md5 );
+		if ( is_wp_error( $md5_check ) ) {
+			unlink( $tmpfname );
+			return $md5_check;
+		}
+	}
+
 	return $tmpfname;
 }
 
+/**
+ * Calculates and compares the MD5 of a file to it's expected value.
+ *
+ * @since 3.7.0
+ *
+ * @param string $filename The filename to check the MD5 of.
+ * @param string $expected_md5 The expected MD5 of the file, either a base64 encoded raw md5, or a hex-encoded md5
+ * @return bool|object WP_Error on failure, true on success, false when the MD5 format is unknown/unexpected
+ */
+function verify_file_md5( $filename, $expected_md5 ) {
+	if ( 32 == strlen( $expected_md5 ) )
+		$expected_raw_md5 = pack( 'H*', $expected_md5 );
+	elseif ( 24 == strlen( $expected_md5 ) )
+		$expected_raw_md5 = base64_decode( $expected_md5 );
+	else
+		return false; // unknown format
+
+	$file_md5 = md5_file( $filename, true );
+
+	if ( $file_md5 === $expected_raw_md5 )
+		return true;
+
+	return new WP_Error( 'md5_mismatch', sprintf( __( 'The checksum of the file (%1$s) does not match the expected checksum value (%2$s).' ), bin2hex( $file_md5 ), bin2hex( $expected_raw_md5 ) ) );
+}
+
 /**
  * Unzips a specified ZIP file to a location on the Filesystem via the WordPress Filesystem Abstraction.
  * Assumes that WP_Filesystem() has already been called and set up. Does not extract a root-level __MACOSX directory, if present.
@@ -576,24 +596,42 @@ function _unzip_file_ziparchive($file, $to, $needed_dirs = array() ) {
 
 	$z = new ZipArchive();
 
-	// PHP4-compat - php4 classes can't contain constants
-	$zopen = $z->open($file, /* ZIPARCHIVE::CHECKCONS */ 4);
+	$zopen = $z->open( $file, ZIPARCHIVE::CHECKCONS );
 	if ( true !== $zopen )
-		return new WP_Error('incompatible_archive', __('Incompatible Archive.'));
+		return new WP_Error( 'incompatible_archive', __( 'Incompatible Archive.' ), array( 'ziparchive_error' => $zopen ) );
+
+	$uncompressed_size = 0;
 
 	for ( $i = 0; $i < $z->numFiles; $i++ ) {
 		if ( ! $info = $z->statIndex($i) )
-			return new WP_Error('stat_failed', __('Could not retrieve file from archive.'));
+			return new WP_Error( 'stat_failed_ziparchive', __( 'Could not retrieve file from archive.' ) );
 
 		if ( '__MACOSX/' === substr($info['name'], 0, 9) ) // Skip the OS X-created __MACOSX directory
 			continue;
 
+		if ( 0 !== validate_file( $info['name'] ) ) {
+			return new WP_Error( 'invalid_file_ziparchive', __( 'Could not extract file from archive.' ), $info['name'] );
+		}
+
+		$uncompressed_size += $info['size'];
+
 		if ( '/' == substr($info['name'], -1) ) // directory
 			$needed_dirs[] = $to . untrailingslashit($info['name']);
 		else
 			$needed_dirs[] = $to . untrailingslashit(dirname($info['name']));
 	}
 
+	/*
+	 * disk_free_space() could return false. Assume that any falsey value is an error.
+	 * A disk that has zero free bytes has bigger problems.
+	 * Require we have enough space to unzip the file and copy its contents, with a 10% buffer.
+	 */
+	if ( defined( 'DOING_CRON' ) && DOING_CRON ) {
+		$available_space = @disk_free_space( WP_CONTENT_DIR );
+		if ( $available_space && ( $uncompressed_size * 2.1 ) > $available_space )
+			return new WP_Error( 'disk_full_unzip_file', __( 'Could not copy files. You may have run out of disk space.' ), compact( 'uncompressed_size', 'available_space' ) );
+	}
+
 	$needed_dirs = array_unique($needed_dirs);
 	foreach ( $needed_dirs as $dir ) {
 		// Check the parent folders of the folders all exist within the creation array.
@@ -613,13 +651,13 @@ function _unzip_file_ziparchive($file, $to, $needed_dirs = array() ) {
 	// Create those directories if need be:
 	foreach ( $needed_dirs as $_dir ) {
 		if ( ! $wp_filesystem->mkdir($_dir, FS_CHMOD_DIR) && ! $wp_filesystem->is_dir($_dir) ) // Only check to see if the Dir exists upon creation failure. Less I/O this way.
-			return new WP_Error('mkdir_failed', __('Could not create directory.'), $_dir);
+			return new WP_Error( 'mkdir_failed_ziparchive', __( 'Could not create directory.' ), substr( $_dir, strlen( $to ) ) );
 	}
 	unset($needed_dirs);
 
 	for ( $i = 0; $i < $z->numFiles; $i++ ) {
 		if ( ! $info = $z->statIndex($i) )
-			return new WP_Error('stat_failed', __('Could not retrieve file from archive.'));
+			return new WP_Error( 'stat_failed_ziparchive', __( 'Could not retrieve file from archive.' ) );
 
 		if ( '/' == substr($info['name'], -1) ) // directory
 			continue;
@@ -629,10 +667,10 @@ function _unzip_file_ziparchive($file, $to, $needed_dirs = array() ) {
 
 		$contents = $z->getFromIndex($i);
 		if ( false === $contents )
-			return new WP_Error('extract_failed', __('Could not extract file from archive.'), $info['name']);
+			return new WP_Error( 'extract_failed_ziparchive', __( 'Could not extract file from archive.' ), $info['name'] );
 
 		if ( ! $wp_filesystem->put_contents( $to . $info['name'], $contents, FS_CHMOD_FILE) )
-			return new WP_Error('copy_failed', __('Could not copy file.'), $to . $info['name']);
+			return new WP_Error( 'copy_failed_ziparchive', __( 'Could not copy file.' ), $info['name'] );
 	}
 
 	$z->close();
@@ -656,11 +694,7 @@ function _unzip_file_ziparchive($file, $to, $needed_dirs = array() ) {
 function _unzip_file_pclzip($file, $to, $needed_dirs = array()) {
 	global $wp_filesystem;
 
-	// See #15789 - PclZip uses string functions on binary data, If it's overloaded with Multibyte safe functions the results are incorrect.
-	if ( ini_get('mbstring.func_overload') && function_exists('mb_internal_encoding') ) {
-		$previous_encoding = mb_internal_encoding();
-		mb_internal_encoding('ISO-8859-1');
-	}
+	mbstring_binary_safe_encoding();
 
 	require_once(ABSPATH . 'wp-admin/includes/class-pclzip.php');
 
@@ -668,24 +702,38 @@ function _unzip_file_pclzip($file, $to, $needed_dirs = array()) {
 
 	$archive_files = $archive->extract(PCLZIP_OPT_EXTRACT_AS_STRING);
 
-	if ( isset($previous_encoding) )
-		mb_internal_encoding($previous_encoding);
+	reset_mbstring_encoding();
 
 	// Is the archive valid?
 	if ( !is_array($archive_files) )
 		return new WP_Error('incompatible_archive', __('Incompatible Archive.'), $archive->errorInfo(true));
 
 	if ( 0 == count($archive_files) )
-		return new WP_Error('empty_archive', __('Empty archive.'));
+		return new WP_Error( 'empty_archive_pclzip', __( 'Empty archive.' ) );
+
+	$uncompressed_size = 0;
 
 	// Determine any children directories needed (From within the archive)
 	foreach ( $archive_files as $file ) {
 		if ( '__MACOSX/' === substr($file['filename'], 0, 9) ) // Skip the OS X-created __MACOSX directory
 			continue;
 
+		$uncompressed_size += $file['size'];
+
 		$needed_dirs[] = $to . untrailingslashit( $file['folder'] ? $file['filename'] : dirname($file['filename']) );
 	}
 
+	/*
+	 * disk_free_space() could return false. Assume that any falsey value is an error.
+	 * A disk that has zero free bytes has bigger problems.
+	 * Require we have enough space to unzip the file and copy its contents, with a 10% buffer.
+	 */
+	if ( defined( 'DOING_CRON' ) && DOING_CRON ) {
+		$available_space = @disk_free_space( WP_CONTENT_DIR );
+		if ( $available_space && ( $uncompressed_size * 2.1 ) > $available_space )
+			return new WP_Error( 'disk_full_unzip_file', __( 'Could not copy files. You may have run out of disk space.' ), compact( 'uncompressed_size', 'available_space' ) );
+	}
+
 	$needed_dirs = array_unique($needed_dirs);
 	foreach ( $needed_dirs as $dir ) {
 		// Check the parent folders of the folders all exist within the creation array.
@@ -704,8 +752,9 @@ function _unzip_file_pclzip($file, $to, $needed_dirs = array()) {
 
 	// Create those directories if need be:
 	foreach ( $needed_dirs as $_dir ) {
-		if ( ! $wp_filesystem->mkdir($_dir, FS_CHMOD_DIR) && ! $wp_filesystem->is_dir($_dir) ) // Only check to see if the dir exists upon creation failure. Less I/O this way.
-			return new WP_Error('mkdir_failed', __('Could not create directory.'), $_dir);
+		// Only check to see if the dir exists upon creation failure. Less I/O this way.
+		if ( ! $wp_filesystem->mkdir( $_dir, FS_CHMOD_DIR ) && ! $wp_filesystem->is_dir( $_dir ) )
+			return new WP_Error( 'mkdir_failed_pclzip', __( 'Could not create directory.' ), substr( $_dir, strlen( $to ) ) );
 	}
 	unset($needed_dirs);
 
@@ -717,8 +766,12 @@ function _unzip_file_pclzip($file, $to, $needed_dirs = array()) {
 		if ( '__MACOSX/' === substr($file['filename'], 0, 9) ) // Don't extract the OS X-created __MACOSX directory files
 			continue;
 
+		if ( 0 !== validate_file( $file['filename'] ) ) {
+			return new WP_Error( 'invalid_file_pclzip', __( 'Could not extract file from archive.' ), $file['filename'] );
+		}
+
 		if ( ! $wp_filesystem->put_contents( $to . $file['filename'], $file['content'], FS_CHMOD_FILE) )
-			return new WP_Error('copy_failed', __('Could not copy file.'), $to . $file['filename']);
+			return new WP_Error( 'copy_failed_pclzip', __( 'Could not copy file.' ), $file['filename'] );
 	}
 	return true;
 }
@@ -742,31 +795,31 @@ function copy_dir($from, $to, $skip_list = array() ) {
 	$from = trailingslashit($from);
 	$to = trailingslashit($to);
 
-	$skip_regex = '';
-	foreach ( (array)$skip_list as $key => $skip_file )
-		$skip_regex .= preg_quote($skip_file, '!') . '|';
-
-	if ( !empty($skip_regex) )
-		$skip_regex = '!(' . rtrim($skip_regex, '|') . ')$!i';
-
 	foreach ( (array) $dirlist as $filename => $fileinfo ) {
-		if ( !empty($skip_regex) )
-			if ( preg_match($skip_regex, $from . $filename) )
-				continue;
+		if ( in_array( $filename, $skip_list ) )
+			continue;
 
 		if ( 'f' == $fileinfo['type'] ) {
 			if ( ! $wp_filesystem->copy($from . $filename, $to . $filename, true, FS_CHMOD_FILE) ) {
 				// If copy failed, chmod file to 0644 and try again.
-				$wp_filesystem->chmod($to . $filename, 0644);
+				$wp_filesystem->chmod( $to . $filename, FS_CHMOD_FILE );
 				if ( ! $wp_filesystem->copy($from . $filename, $to . $filename, true, FS_CHMOD_FILE) )
-					return new WP_Error('copy_failed', __('Could not copy file.'), $to . $filename);
+					return new WP_Error( 'copy_failed_copy_dir', __( 'Could not copy file.' ), $to . $filename );
 			}
 		} elseif ( 'd' == $fileinfo['type'] ) {
 			if ( !$wp_filesystem->is_dir($to . $filename) ) {
 				if ( !$wp_filesystem->mkdir($to . $filename, FS_CHMOD_DIR) )
-					return new WP_Error('mkdir_failed', __('Could not create directory.'), $to . $filename);
+					return new WP_Error( 'mkdir_failed_copy_dir', __( 'Could not create directory.' ), $to . $filename );
 			}
-			$result = copy_dir($from . $filename, $to . $filename, $skip_list);
+
+			// generate the $sub_skip_list for the subdirectory as a sub-set of the existing $skip_list
+			$sub_skip_list = array();
+			foreach ( $skip_list as $skip_item ) {
+				if ( 0 === strpos( $skip_item, $filename . '/' ) )
+					$sub_skip_list[] = preg_replace( '!^' . preg_quote( $filename, '!' ) . '/!i', '', $skip_item );
+			}
+
+			$result = copy_dir($from . $filename, $to . $filename, $sub_skip_list);
 			if ( is_wp_error($result) )
 				return $result;
 		}
@@ -821,9 +874,9 @@ function WP_Filesystem( $args = false, $context = false ) {
 
 	// Set the permission constants if not already set.
 	if ( ! defined('FS_CHMOD_DIR') )
-		define('FS_CHMOD_DIR', 0755 );
+		define('FS_CHMOD_DIR', ( fileperms( ABSPATH ) & 0777 | 0755 ) );
 	if ( ! defined('FS_CHMOD_FILE') )
-		define('FS_CHMOD_FILE', 0644 );
+		define('FS_CHMOD_FILE', ( fileperms( ABSPATH . 'index.php' ) & 0777 | 0644 ) );
 
 	return true;
 }
@@ -850,6 +903,11 @@ function get_filesystem_method($args = array(), $context = false) {
 	if ( ! $method && function_exists('getmyuid') && function_exists('fileowner') ){
 		if ( !$context )
 			$context = WP_CONTENT_DIR;
+
+		// If the directory doesn't exist (wp-content/languages) then use the parent directory as we'll create it.
+		if ( WP_LANG_DIR == $context && ! is_dir( $context ) )
+			$context = dirname( $context );
+
 		$context = trailingslashit($context);
 		$temp_file_name = $context . 'temp-write-test-' . time();
 		$temp_handle = @fopen($temp_file_name, 'w');
@@ -900,14 +958,28 @@ function request_filesystem_credentials($form_post, $type = '', $error = false,
 
 	$credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => ''));
 
+	$submitted_form = wp_unslash( $_POST );
+
+	// Verify nonce, or unset submitted form field values on failure
+	if ( ! isset( $_POST['_fs_nonce'] ) || ! wp_verify_nonce( $_POST['_fs_nonce'], 'filesystem-credentials' ) ) {
+		unset(
+			$submitted_form['hostname'],
+			$submitted_form['username'],
+			$submitted_form['password'],
+			$submitted_form['public_key'],
+			$submitted_form['private_key'],
+			$submitted_form['connection_type']
+		);
+	}
+
 	// If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option)
-	$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? stripslashes($_POST['hostname']) : $credentials['hostname']);
-	$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? stripslashes($_POST['username']) : $credentials['username']);
-	$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? stripslashes($_POST['password']) : '');
+	$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($submitted_form['hostname']) ? $submitted_form['hostname'] : $credentials['hostname']);
+	$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($submitted_form['username']) ? $submitted_form['username'] : $credentials['username']);
+	$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($submitted_form['password']) ? $submitted_form['password'] : '');
 
 	// Check to see if we are setting the public/private keys for ssh
-	$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? stripslashes($_POST['public_key']) : '');
-	$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? stripslashes($_POST['private_key']) : '');
+	$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($submitted_form['public_key']) ? $submitted_form['public_key'] : '');
+	$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($submitted_form['private_key']) ? $submitted_form['private_key'] : '');
 
 	//sanitize the hostname, Some people might pass in odd-data:
 	$credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off
@@ -924,9 +996,9 @@ function request_filesystem_credentials($form_post, $type = '', $error = false,
 		$credentials['connection_type'] = 'ssh';
 	else if ( (defined('FTP_SSL') && FTP_SSL) && 'ftpext' == $type ) //Only the FTP Extension understands SSL
 		$credentials['connection_type'] = 'ftps';
-	else if ( !empty($_POST['connection_type']) )
-		$credentials['connection_type'] = stripslashes($_POST['connection_type']);
-	else if ( !isset($credentials['connection_type']) ) //All else fails (And its not defaulted to something else saved), Default to FTP
+	else if ( !empty($submitted_form['connection_type']) )
+		$credentials['connection_type'] = $submitted_form['connection_type'];
+	else if ( !isset($credentials['connection_type']) ) //All else fails (And it's not defaulted to something else saved), Default to FTP
 		$credentials['connection_type'] = 'ftp';
 
 	if ( ! $error &&
@@ -979,10 +1051,9 @@ jQuery(function($){
 });
 -->
 </script>
-<form action="<?php echo $form_post ?>" method="post">
-<div class="wrap">
-<?php screen_icon(); ?>
-<h2><?php _e('Connection Information') ?></h2>
+<form action="<?php echo esc_url( $form_post ) ?>" method="post">
+<div>
+<h3><?php _e('Connection Information') ?></h3>
 <p><?php
 	$label_user = __('Username');
 	$label_pass = __('Password');
@@ -1015,7 +1086,8 @@ jQuery(function($){
 
 <tr valign="top">
 <th scope="row"><label for="password"><?php echo $label_pass; ?></label></th>
-<td><input name="password" type="password" id="password" value="<?php if ( defined('FTP_PASS') ) echo '*****'; ?>"<?php disabled( defined('FTP_PASS') ); ?> size="40" /></td>
+<td><div><input name="password" type="password" id="password" value="<?php if ( defined('FTP_PASS') ) echo '*****'; ?>"<?php disabled( defined('FTP_PASS') ); ?> size="40" /></div>
+<div><em><?php if ( ! defined('FTP_PASS') ) _e( 'This password will not be stored on the server.' ); ?></em></div></td>
 </tr>
 
 <?php if ( isset($types['ssh']) ) : ?>
@@ -1049,11 +1121,14 @@ jQuery(function($){
 
 <?php
 foreach ( (array) $extra_fields as $field ) {
-	if ( isset( $_POST[ $field ] ) )
-		echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( stripslashes( $_POST[ $field ] ) ) . '" />';
+	if ( isset( $submitted_form[ $field ] ) )
+		echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( $submitted_form[ $field ] ) . '" />';
 }
-submit_button( __( 'Proceed' ), 'button', 'upgrade' );
 ?>
+	<p class="request-filesystem-credentials-action-buttons">
+		<?php wp_nonce_field( 'filesystem-credentials', '_fs_nonce', false, true ); ?>
+		<?php submit_button( __( 'Proceed' ), 'button', 'upgrade', false ); ?>
+	</p>
 </div>
 </form>
 <?php

wp-admin/includes/image-edit.php

@@ -13,7 +13,7 @@ function wp_image_editor($post_id, $msg = false) {
 	$sub_sizes = isset($meta['sizes']) && is_array($meta['sizes']);
 	$note = '';
 
-	if ( is_array($meta) && isset($meta['width']) )
+	if ( isset( $meta['width'], $meta['height'] ) )
 		$big = max( $meta['width'], $meta['height'] );
 	else
 		die( __('Image data does not exist. Please re-upload the image.') );
@@ -21,8 +21,9 @@ function wp_image_editor($post_id, $msg = false) {
 	$sizer = $big > 400 ? 400 / $big : 1;
 
 	$backup_sizes = get_post_meta( $post_id, '_wp_attachment_backup_sizes', true );
-	$can_restore = !empty($backup_sizes) && isset($backup_sizes['full-orig'])
-		&& $backup_sizes['full-orig']['file'] != basename($meta['file']);
+	$can_restore = false;
+	if ( ! empty( $backup_sizes ) && isset( $backup_sizes['full-orig'], $meta['file'] ) )
+		$can_restore = $backup_sizes['full-orig']['file'] != basename( $meta['file'] );
 
 	if ( $msg ) {
 		if ( isset($msg->error) )
@@ -63,8 +64,8 @@ function wp_image_editor($post_id, $msg = false) {
 	<input type="hidden" id="imgedit-history-<?php echo $post_id; ?>" value="" />
 	<input type="hidden" id="imgedit-undone-<?php echo $post_id; ?>" value="0" />
 	<input type="hidden" id="imgedit-selection-<?php echo $post_id; ?>" value="" />
-	<input type="hidden" id="imgedit-x-<?php echo $post_id; ?>" value="<?php echo $meta['width']; ?>" />
-	<input type="hidden" id="imgedit-y-<?php echo $post_id; ?>" value="<?php echo $meta['height']; ?>" />
+	<input type="hidden" id="imgedit-x-<?php echo $post_id; ?>" value="<?php echo isset( $meta['width'] ) ? $meta['width'] : 0; ?>" />
+	<input type="hidden" id="imgedit-y-<?php echo $post_id; ?>" value="<?php echo isset( $meta['height'] ) ? $meta['height'] : 0; ?>" />
 
 	<div id="imgedit-crop-<?php echo $post_id; ?>" class="imgedit-crop-wrap">
 	<img id="image-preview-<?php echo $post_id; ?>" onload="imageEdit.imgLoaded('<?php echo $post_id; ?>')" src="<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>?action=imgedit-preview&amp;_ajax_nonce=<?php echo $nonce; ?>&amp;postid=<?php echo $post_id; ?>&amp;rand=<?php echo rand(1, 99999); ?>" />
@@ -81,10 +82,12 @@ function wp_image_editor($post_id, $msg = false) {
 	<div class="imgedit-group-top">
 		<a class="imgedit-help-toggle" onclick="imageEdit.toggleHelp(this);return false;" href="#"><strong><?php _e('Scale Image'); ?></strong></a>
 		<div class="imgedit-help">
-		<p><?php _e('You can proportionally scale the original image. For best results the scaling should be done before performing any other operations on it like crop, rotate, etc. Note that if you make the image larger it may become fuzzy.'); ?></p>
+		<p><?php _e('You can proportionally scale the original image. For best results the scaling should be done before performing any other operations on it like crop, rotate, etc. Note that images can only be scaled down, not up.'); ?></p>
+		<?php if ( isset( $meta['width'], $meta['height'] ) ): ?>
 		<p><?php printf( __('Original dimensions %s'), $meta['width'] . '&times;' . $meta['height'] ); ?></p>
+		<?php endif ?>
 		<div class="imgedit-submit">
-		<span class="nowrap"><input type="text" id="imgedit-scale-width-<?php echo $post_id; ?>" onkeyup="imageEdit.scaleChanged(<?php echo $post_id; ?>, 1)" onblur="imageEdit.scaleChanged(<?php echo $post_id; ?>, 1)" style="width:4em;" value="<?php echo $meta['width']; ?>" />&times;<input type="text" id="imgedit-scale-height-<?php echo $post_id; ?>" onkeyup="imageEdit.scaleChanged(<?php echo $post_id; ?>, 0)" onblur="imageEdit.scaleChanged(<?php echo $post_id; ?>, 0)" style="width:4em;" value="<?php echo $meta['height']; ?>" />
+		<span class="nowrap"><input type="text" id="imgedit-scale-width-<?php echo $post_id; ?>" onkeyup="imageEdit.scaleChanged(<?php echo $post_id; ?>, 1)" onblur="imageEdit.scaleChanged(<?php echo $post_id; ?>, 1)" style="width:4em;" value="<?php echo isset( $meta['width'] ) ? $meta['width'] : 0; ?>" />&times;<input type="text" id="imgedit-scale-height-<?php echo $post_id; ?>" onkeyup="imageEdit.scaleChanged(<?php echo $post_id; ?>, 0)" onblur="imageEdit.scaleChanged(<?php echo $post_id; ?>, 0)" style="width:4em;" value="<?php echo isset( $meta['height'] ) ? $meta['height'] : 0; ?>" />
 		<span class="imgedit-scale-warn" id="imgedit-scale-warn-<?php echo $post_id; ?>">!</span></span>
 		<input type="button" onclick="imageEdit.action(<?php echo "$post_id, '$nonce'"; ?>, 'scale')" class="button-primary" value="<?php esc_attr_e( 'Scale' ); ?>" />
 		</div>
@@ -454,7 +457,7 @@ function stream_preview_image( $post_id ) {
     if ( is_wp_error( $img ) )
         return false;
 
-	$changes = !empty($_REQUEST['history']) ? json_decode( stripslashes($_REQUEST['history']) ) : null;
+	$changes = !empty($_REQUEST['history']) ? json_decode( wp_unslash($_REQUEST['history']) ) : null;
 	if ( $changes )
 		$img = image_edit_apply_changes( $img, $changes );
 
@@ -464,8 +467,8 @@ function stream_preview_image( $post_id ) {
 	$h = $size['height'];
 
 	$ratio = _image_get_preview_ratio( $w, $h );
-	$w2 = $w * $ratio;
-	$h2 = $h * $ratio;
+	$w2 = max ( 1, $w * $ratio );
+	$h2 = max ( 1, $h * $ratio );
 
 	if ( is_wp_error( $img->resize( $w2, $h2 ) ) )
 		return false;
@@ -496,10 +499,11 @@ function wp_restore_image($post_id) {
 			if ( defined('IMAGE_EDIT_OVERWRITE') && IMAGE_EDIT_OVERWRITE ) {
 				// delete only if it's edited image
 				if ( preg_match('/-e[0-9]{13}\./', $parts['basename']) ) {
+					/** This filter is documented in wp-admin/custom-header.php */
 					$delpath = apply_filters('wp_delete_file', $file);
 					@unlink($delpath);
 				}
-			} else {
+			} elseif ( isset( $meta['width'], $meta['height'] ) ) {
 				$backup_sizes["full-$suffix"] = array('width' => $meta['width'], 'height' => $meta['height'], 'file' => $parts['basename']);
 			}
 		}
@@ -519,6 +523,7 @@ function wp_restore_image($post_id) {
 				if ( defined('IMAGE_EDIT_OVERWRITE') && IMAGE_EDIT_OVERWRITE ) {
 					// delete only if it's edited image
 					if ( preg_match('/-e[0-9]{13}-/', $meta['sizes'][$default_size]['file']) ) {
+						/** This filter is documented in wp-admin/custom-header.php */
 						$delpath = apply_filters( 'wp_delete_file', path_join($parts['dirname'], $meta['sizes'][$default_size]['file']) );
 						@unlink($delpath);
 					}
@@ -587,7 +592,7 @@ function wp_save_image( $post_id ) {
 			return $return;
 		}
 	} elseif ( !empty($_REQUEST['history']) ) {
-		$changes = json_decode( stripslashes($_REQUEST['history']) );
+		$changes = json_decode( wp_unslash($_REQUEST['history']) );
 		if ( $changes )
 			$img = image_edit_apply_changes($img, $changes);
 	} else {
@@ -692,7 +697,7 @@ function wp_save_image( $post_id ) {
 			$_sizes[ $size ] = array( 'width' => get_option("{$size}_size_w"), 'height' => get_option("{$size}_size_h"), 'crop' => $crop );
 		}
 
-		$meta['sizes'] = $img->multi_resize( $_sizes );
+		$meta['sizes'] = array_merge( $meta['sizes'], $img->multi_resize( $_sizes ) );
 	}
 
 	unset( $img );
@@ -719,6 +724,7 @@ function wp_save_image( $post_id ) {
 	}
 
 	if ( $delete ) {
+		/** This filter is documented in wp-admin/custom-header.php */
 		$delpath = apply_filters('wp_delete_file', $new_path);
 		@unlink( $delpath );
 	}

wp-admin/includes/image.php

@@ -20,7 +20,7 @@
  * @param int $dst_h The destination height.
  * @param int $src_abs Optional. If the source crop points are absolute.
  * @param string $dst_file Optional. The destination file to write to.
- * @return string|WP_Error|false New filepath on success, WP_Error or false on failure.
+ * @return string|WP_Error New filepath on success, WP_Error on failure.
  */
 function wp_crop_image( $src, $src_x, $src_y, $src_w, $src_h, $dst_w, $dst_h, $src_abs = false, $dst_file = false ) {
 	$src_file = $src;
@@ -54,6 +54,9 @@ function wp_crop_image( $src, $src_x, $src_y, $src_w, $src_h, $dst_w, $dst_h, $s
 	$dst_file = dirname( $dst_file ) . '/' . wp_unique_filename( dirname( $dst_file ), basename( $dst_file ) );
 
 	$result = $editor->save( $dst_file );
+	if ( is_wp_error( $result ) )
+		return $result;
+
 	return $dst_file;
 }
 
@@ -70,6 +73,7 @@ function wp_generate_attachment_metadata( $attachment_id, $file ) {
 	$attachment = get_post( $attachment_id );
 
 	$metadata = array();
+	$support = false;
 	if ( preg_match('!^image/!', get_post_mime_type( $attachment )) && file_is_displayable_image($file) ) {
 		$imagesize = getimagesize( $file );
 		$metadata['width'] = $imagesize[0];
@@ -81,6 +85,7 @@ function wp_generate_attachment_metadata( $attachment_id, $file ) {
 		// make thumbnails and other intermediate sizes
 		global $_wp_additional_image_sizes;
 
+		$sizes = array();
 		foreach ( get_intermediate_image_sizes() as $s ) {
 			$sizes[$s] = array( 'width' => '', 'height' => '', 'crop' => false );
 			if ( isset( $_wp_additional_image_sizes[$s]['width'] ) )
@@ -113,8 +118,41 @@ function wp_generate_attachment_metadata( $attachment_id, $file ) {
 		if ( $image_meta )
 			$metadata['image_meta'] = $image_meta;
 
+	} elseif ( preg_match( '#^video/#', get_post_mime_type( $attachment ) ) ) {
+		$metadata = wp_read_video_metadata( $file );
+		$support = current_theme_supports( 'post-thumbnails', 'attachment:video' ) && post_type_supports( 'attachment:video', 'thumbnail' );
+	} elseif ( preg_match( '#^audio/#', get_post_mime_type( $attachment ) ) ) {
+		$metadata = wp_read_audio_metadata( $file );
+		$support = current_theme_supports( 'post-thumbnails', 'attachment:audio' ) && post_type_supports( 'attachment:audio', 'thumbnail' );
 	}
 
+	if ( $support && ! empty( $metadata['image']['data'] ) ) {
+		$ext = '.jpg';
+		switch ( $metadata['image']['mime'] ) {
+		case 'image/gif':
+			$ext = '.gif';
+			break;
+		case 'image/png':
+			$ext = '.png';
+			break;
+		}
+		$basename = str_replace( '.', '-', basename( $file ) ) . '-image' . $ext;
+		$uploaded = wp_upload_bits( $basename, '', $metadata['image']['data'] );
+		if ( false === $uploaded['error'] ) {
+			$attachment = array(
+				'post_mime_type' => $metadata['image']['mime'],
+				'post_type' => 'attachment',
+				'post_content' => '',
+			);
+			$sub_attachment_id = wp_insert_attachment( $attachment, $uploaded['file'] );
+			$attach_data = wp_generate_attachment_metadata( $sub_attachment_id, $uploaded['file'] );
+			wp_update_attachment_metadata( $sub_attachment_id, $attach_data );
+			update_post_meta( $attachment_id, '_thumbnail_id', $sub_attachment_id );
+		}
+	}
+	// remove the blob of binary data from the array
+	unset( $metadata['image']['data'] );
+
 	return apply_filters( 'wp_generate_attachment_metadata', $metadata, $attachment_id );
 }
 
@@ -276,6 +314,12 @@ function wp_read_image_metadata( $file ) {
 			$meta[ $key ] = utf8_encode( $meta[ $key ] );
 	}
 
+	foreach ( $meta as &$value ) {
+		if ( is_string( $value ) ) {
+			$value = wp_kses_post( $value );
+		}
+	}
+
 	return apply_filters( 'wp_read_image_metadata', $meta, $file, $sourceImageType );
 
 }

wp-admin/includes/import.php

@@ -108,9 +108,10 @@ function wp_get_popular_importers() {
 	$popular_importers = get_site_transient( 'popular_importers_' . $locale );
 
 	if ( ! $popular_importers ) {
-		$url = add_query_arg( 'locale', get_locale(), 'http://api.wordpress.org/core/importers/1.0/' );
+		$url = add_query_arg( 'locale', get_locale(), 'http://api.wordpress.org/core/importers/1.1/' );
 		$options = array( 'user-agent' => 'WordPress/' . $wp_version . '; ' . home_url() );
-		$popular_importers = maybe_unserialize( wp_remote_retrieve_body( wp_remote_get( $url, $options ) ) );
+		$response = wp_remote_get( $url, $options );
+		$popular_importers = json_decode( wp_remote_retrieve_body( $response ), true );
 
 		if ( is_array( $popular_importers ) )
 			set_site_transient( 'popular_importers_' . $locale, $popular_importers, 2 * DAY_IN_SECONDS );

wp-admin/includes/list-table.php

@@ -95,7 +95,7 @@ class _WP_List_Table_Compat extends WP_List_Table {
 
 		if ( !empty( $columns ) ) {
 			$this->_columns = $columns;
-			add_filter( 'manage_' . $screen->id . '_columns', array( &$this, 'get_columns' ), 0 );
+			add_filter( 'manage_' . $screen->id . '_columns', array( $this, 'get_columns' ), 0 );
 		}
 	}
 

wp-admin/includes/media.php

@@ -221,11 +221,63 @@ function media_handle_upload($file_id, $post_id, $post_data = array(), $override
 	$url = $file['url'];
 	$type = $file['type'];
 	$file = $file['file'];
-	$title = $name;
+	$title = sanitize_text_field( $name );
 	$content = '';
 
+	if ( preg_match( '#^audio#', $type ) ) {
+		$meta = wp_read_audio_metadata( $file );
+
+		if ( ! empty( $meta['title'] ) )
+			$title = $meta['title'];
+
+		$content = '';
+
+		if ( ! empty( $title ) ) {
+
+			if ( ! empty( $meta['album'] ) && ! empty( $meta['artist'] ) ) {
+				/* translators: 1: audio track title, 2: album title, 3: artist name */
+				$content .= sprintf( __( '"%1$s" from %2$s by %3$s.' ), $title, $meta['album'], $meta['artist'] );
+			} else if ( ! empty( $meta['album'] ) ) {
+				/* translators: 1: audio track title, 2: album title */
+				$content .= sprintf( __( '"%1$s" from %2$s.' ), $title, $meta['album'] );
+			} else if ( ! empty( $meta['artist'] ) ) {
+				/* translators: 1: audio track title, 2: artist name */
+				$content .= sprintf( __( '"%1$s" by %2$s.' ), $title, $meta['artist'] );
+			} else {
+				$content .= sprintf( __( '"%s".' ), $title );
+			}
+
+		} else if ( ! empty( $meta['album'] ) ) {
+
+			if ( ! empty( $meta['artist'] ) ) {
+				/* translators: 1: audio album title, 2: artist name */
+				$content .= sprintf( __( '%1$s by %2$s.' ), $meta['album'], $meta['artist'] );
+			} else {
+				$content .= $meta['album'] . '.';
+			}
+
+		} else if ( ! empty( $meta['artist'] ) ) {
+
+			$content .= $meta['artist'] . '.';
+
+		}
+
+		if ( ! empty( $meta['year'] ) )
+			$content .= ' ' . sprintf( __( 'Released: %d.' ), $meta['year'] );
+
+		if ( ! empty( $meta['track_number'] ) ) {
+			$track_number = explode( '/', $meta['track_number'] );
+			if ( isset( $track_number[1] ) )
+				$content .= ' ' . sprintf( __( 'Track %1$s of %2$s.' ), number_format_i18n( $track_number[0] ), number_format_i18n( $track_number[1] ) );
+			else
+				$content .= ' ' . sprintf( __( 'Track %1$s.' ), number_format_i18n( $track_number[0] ) );
+		}
+
+		if ( ! empty( $meta['genre'] ) )
+			$content .= ' ' . sprintf( __( 'Genre: %s.' ), $meta['genre'] );
+
 	// use image exif/iptc data for title and caption defaults if possible
-	if ( $image_meta = @wp_read_image_metadata($file) ) {
+	} elseif ( $image_meta = @wp_read_image_metadata( $file ) ) {
 		if ( trim( $image_meta['title'] ) && ! is_numeric( sanitize_title( $image_meta['title'] ) ) )
 			$title = $image_meta['title'];
 		if ( trim( $image_meta['caption'] ) )
@@ -340,8 +392,7 @@ wp_enqueue_style( 'ie' );
 <script type="text/javascript">
 //<![CDATA[
 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var userSettings = {'url':'<?php echo SITECOOKIEPATH; ?>','uid':'<?php if ( ! isset($current_user) ) $current_user = wp_get_current_user(); echo $current_user->ID; ?>','time':'<?php echo time(); ?>'};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
 isRtl = <?php echo (int) is_rtl(); ?>;
 //]]>
 </script>
@@ -393,7 +444,7 @@ function media_buttons($editor_id = 'content') {
 
 	$img = '<span class="wp-media-buttons-icon"></span> ';
 
-	echo '<a href="#" class="button insert-media add_media" data-editor="' . esc_attr( $editor_id ) . '" title="' . esc_attr__( 'Add Media' ) . '">' . $img . __( 'Add Media' ) . '</a>';
+	echo '<a href="#" id="insert-media-button" class="button insert-media add_media" data-editor="' . esc_attr( $editor_id ) . '" title="' . esc_attr__( 'Add Media' ) . '">' . $img . __( 'Add Media' ) . '</a>';
 
 	// Don't use this filter. Want to add a button? Use the media_buttons action.
 	$legacy_filter = apply_filters('media_buttons_context', ''); // deprecated
@@ -445,9 +496,8 @@ function media_upload_form_handler() {
 
 	if ( !empty($_POST['attachments']) ) foreach ( $_POST['attachments'] as $attachment_id => $attachment ) {
 		$post = $_post = get_post($attachment_id, ARRAY_A);
-		$post_type_object = get_post_type_object( $post[ 'post_type' ] );
 
-		if ( !current_user_can( $post_type_object->cap->edit_post, $attachment_id ) )
+		if ( !current_user_can( 'edit_post', $attachment_id ) )
 			continue;
 
 		if ( isset($attachment['post_content']) )
@@ -467,11 +517,11 @@ function media_upload_form_handler() {
 		$post = apply_filters('attachment_fields_to_save', $post, $attachment);
 
 		if ( isset($attachment['image_alt']) ) {
-			$image_alt = get_post_meta($attachment_id, '_wp_attachment_image_alt', true);
-			if ( $image_alt != stripslashes($attachment['image_alt']) ) {
-				$image_alt = wp_strip_all_tags( stripslashes($attachment['image_alt']), true );
+			$image_alt = wp_unslash( $attachment['image_alt'] );
+			if ( $image_alt != get_post_meta($attachment_id, '_wp_attachment_image_alt', true) ) {
+				$image_alt = wp_strip_all_tags( $image_alt, true );
 				// update_meta expects slashed
-				update_post_meta( $attachment_id, '_wp_attachment_image_alt', addslashes($image_alt) );
+				update_post_meta( $attachment_id, '_wp_attachment_image_alt', wp_slash( $image_alt ) );
 			}
 		}
 
@@ -501,7 +551,7 @@ function media_upload_form_handler() {
 	}
 
 	if ( isset($send_id) ) {
-		$attachment = stripslashes_deep( $_POST['attachments'][$send_id] );
+		$attachment = wp_unslash( $_POST['attachments'][$send_id] );
 
 		$html = isset( $attachment['post_title'] ) ? $attachment['post_title'] : '';
 		if ( !empty($attachment['url']) ) {
@@ -546,7 +596,7 @@ function wp_media_upload_handler() {
 			$src = "http://$src";
 
 		if ( isset( $_POST['media_type'] ) && 'image' != $_POST['media_type'] ) {
-			$title = esc_html( stripslashes( $_POST['title'] ) );
+			$title = esc_html( wp_unslash( $_POST['title'] ) );
 			if ( empty( $title ) )
 				$title = esc_html( basename( $src ) );
 
@@ -561,9 +611,9 @@ function wp_media_upload_handler() {
 			$html = apply_filters( $type . '_send_to_editor_url', $html, esc_url_raw( $src ), $title );
 		} else {
 			$align = '';
-			$alt = esc_attr( stripslashes( $_POST['alt'] ) );
+			$alt = esc_attr( wp_unslash( $_POST['alt'] ) );
 			if ( isset($_POST['align']) ) {
-				$align = esc_attr( stripslashes( $_POST['align'] ) );
+				$align = esc_attr( wp_unslash( $_POST['align'] ) );
 				$class = " class='align$align'";
 			}
 			if ( !empty($src) )
@@ -864,18 +914,19 @@ function media_post_single_attachment_fields_to_edit( $form_fields, $post ) {
  * @param array $attachment {@internal $attachment not used}}
  * @return array
  */
-function image_attachment_fields_to_save($post, $attachment) {
-	if ( substr($post['post_mime_type'], 0, 5) == 'image' ) {
-		if ( strlen(trim($post['post_title'])) == 0 ) {
-			$post['post_title'] = preg_replace('/\.\w+$/', '', basename($post['guid']));
-			$post['errors']['post_title']['errors'][] = __('Empty Title filled from filename.');
+function image_attachment_fields_to_save( $post, $attachment ) {
+	if ( substr( $post['post_mime_type'], 0, 5 ) == 'image' ) {
+		if ( strlen( trim( $post['post_title'] ) ) == 0 ) {
+			$attachment_url = ( isset( $post['attachment_url'] ) ) ? $post['attachment_url'] : $post['guid'];
+			$post['post_title'] = preg_replace( '/\.\w+$/', '', wp_basename( $attachment_url ) );
+			$post['errors']['post_title']['errors'][] = __( 'Empty Title filled from filename.' );
 		}
 	}
 
 	return $post;
 }
 
-add_filter('attachment_fields_to_save', 'image_attachment_fields_to_save', 10, 2);
+add_filter( 'attachment_fields_to_save', 'image_attachment_fields_to_save', 10, 2 );
 
 /**
  * {@internal Missing Short Description}}
@@ -1108,7 +1159,7 @@ function get_media_item( $attachment_id, $args = null ) {
 	}
 
 	$display_title = ( !empty( $title ) ) ? $title : $filename; // $title shouldn't ever be empty, but just in case
-	$display_title = $show_title ? "<div class='filename new'><span class='title'>" . wp_html_excerpt( $display_title, 60 ) . "</span></div>" : '';
+	$display_title = $show_title ? "<div class='filename new'><span class='title'>" . wp_html_excerpt( $display_title, 60, '&hellip;' ) . "</span></div>" : '';
 
 	$gallery = ( ( isset( $_REQUEST['tab'] ) && 'gallery' == $_REQUEST['tab'] ) || ( isset( $redir_tab ) && 'gallery' == $redir_tab ) );
 	$order = '';
@@ -1127,7 +1178,7 @@ function get_media_item( $attachment_id, $args = null ) {
 
 	$media_dims = '';
 	$meta = wp_get_attachment_metadata( $post->ID );
-	if ( is_array( $meta ) && array_key_exists( 'width', $meta ) && array_key_exists( 'height', $meta ) )
+	if ( isset( $meta['width'], $meta['height'] ) )
 		$media_dims .= "<span id='media-dims-$post->ID'>{$meta['width']}&nbsp;&times;&nbsp;{$meta['height']}</span> ";
 	$media_dims = apply_filters( 'media_meta', $media_dims, $post );
 
@@ -1417,6 +1468,9 @@ function get_compat_media_markup( $attachment_id, $args = null ) {
 		$item .= '<input type="hidden" name="' . esc_attr( $hidden_field ) . '" value="' . esc_attr( $value ) . '" />' . "\n";
 	}
 
+	if ( $item )
+		$item = '<input type="hidden" name="attachments[' . $attachment_id . '][menu_order]" value="' . esc_attr( $post->menu_order ) . '" />' . $item;
+
 	return array(
 		'item'   => $item,
 		'meta'   => $media_meta,
@@ -1446,10 +1500,10 @@ function media_upload_header() {
  * @param unknown_type $errors
  */
 function media_upload_form( $errors = null ) {
-	global $type, $tab, $pagenow, $is_IE, $is_opera;
+	global $type, $tab, $is_IE, $is_opera;
 
 	if ( ! _device_can_upload() ) {
-		echo '<p>' . __('The web browser on your device cannot be used to upload files. You may be able to use the <a href="http://wordpress.org/extend/mobile/">native app for your device</a> instead.') . '</p>';
+		echo '<p>' . sprintf( __('The web browser on your device cannot be used to upload files. You may be able to use the <a href="%s">native app for your device</a> instead.'), 'http://wordpress.org/mobile/' ) . '</p>';
 		return;
 	}
 
@@ -1504,7 +1558,7 @@ $post_params = array(
 $post_params = apply_filters( 'upload_post_params', $post_params ); // hook change! old name: 'swfupload_post_params'
 
 $plupload_init = array(
-	'runtimes' => 'html5,silverlight,flash,html4',
+	'runtimes' => 'html5,silverlight,html4',
 	'browse_button' => 'plupload-browse-button',
 	'container' => 'plupload-upload-ui',
 	'drop_element' => 'drag-drop-area',
@@ -1599,7 +1653,7 @@ function media_upload_type_form($type = 'file', $errors = null, $id = null) {
 		$form_class .= ' html-uploader';
 ?>
 
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
 <?php submit_button( '', 'hidden', 'save', false ); ?>
 <input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
 <?php wp_nonce_field('media-form'); ?>
@@ -1664,7 +1718,7 @@ function media_upload_type_url_form($type = null, $errors = null, $id = null) {
 		$form_class .= ' html-uploader';
 ?>
 
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
 <input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
 <?php wp_nonce_field('media-form'); ?>
 
@@ -1815,7 +1869,7 @@ jQuery(function($){
 <a href="#" id="desc"><?php _e('Descending'); ?></a> |
 <a href="#" id="clear"><?php _ex('Clear', 'verb'); ?></a>
 </div>
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="gallery-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="gallery-form">
 <?php wp_nonce_field('media-form'); ?>
 <?php //media_upload_form( $errors ); ?>
 <table class="widefat" cellspacing="0">
@@ -2024,17 +2078,18 @@ $arc_query = "SELECT DISTINCT YEAR(post_date) AS yyear, MONTH(post_date) AS mmon
 $arc_result = $wpdb->get_results( $arc_query );
 
 $month_count = count($arc_result);
+$selected_month = isset( $_GET['m'] ) ? $_GET['m'] : 0;
 
 if ( $month_count && !( 1 == $month_count && 0 == $arc_result[0]->mmonth ) ) { ?>
 <select name='m'>
-<option<?php selected( @$_GET['m'], 0 ); ?> value='0'><?php _e('Show all dates'); ?></option>
+<option<?php selected( $selected_month, 0 ); ?> value='0'><?php _e('Show all dates'); ?></option>
 <?php
 foreach ($arc_result as $arc_row) {
 	if ( $arc_row->yyear == 0 )
 		continue;
 	$arc_row->mmonth = zeroise( $arc_row->mmonth, 2 );
 
-	if ( isset($_GET['m']) && ( $arc_row->yyear . $arc_row->mmonth == $_GET['m'] ) )
+	if ( $arc_row->yyear . $arc_row->mmonth == $selected_month )
 		$default = ' selected="selected"';
 	else
 		$default = '';
@@ -2055,7 +2110,7 @@ foreach ($arc_result as $arc_row) {
 </div>
 </form>
 
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="library-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="library-form">
 
 <?php wp_nonce_field('media-form'); ?>
 <?php //media_upload_form( $errors ); ?>
@@ -2267,9 +2322,7 @@ function multisite_over_quota_message() {
  *
  * @since 3.5.0
  */
-function edit_form_image_editor() {
-	$post = get_post();
-
+function edit_form_image_editor( $post ) {
 	$open = isset( $_GET['image-editor'] );
 	if ( $open )
 		require_once ABSPATH . 'wp-admin/includes/image-edit.php';
@@ -2282,8 +2335,9 @@ function edit_form_image_editor() {
 	$title = esc_attr( $post->post_title );
 	$alt_text = get_post_meta( $post->ID, '_wp_attachment_image_alt', true );
 
-	$att_url = wp_get_attachment_url( $post->ID );
-
+	$att_url = wp_get_attachment_url( $post->ID ); ?>
+	<div class="wp_attachment_holder">
+	<?php
 	if ( wp_attachment_is_image( $post->ID ) ) :
 		$image_edit_button = '';
 		if ( wp_image_editor_supports( array( 'mime_type' => $post->post_mime_type ) ) ) {
@@ -2291,7 +2345,7 @@ function edit_form_image_editor() {
 			$image_edit_button = "<input type='button' id='imgedit-open-btn-$post->ID' onclick='imageEdit.open( $post->ID, \"$nonce\" )' class='button' value='" . esc_attr__( 'Edit Image' ) . "' /> <span class='spinner'></span>";
 		}
  	?>
-	<div class="wp_attachment_holder">
+
 		<div class="imgedit-response" id="imgedit-response-<?php echo $attachment_id; ?>"></div>
 
 		<div<?php if ( $open ) echo ' style="display:none"'; ?> class="wp_attachment_image" id="media-head-<?php echo $attachment_id; ?>">
@@ -2301,10 +2355,34 @@ function edit_form_image_editor() {
 		<div<?php if ( ! $open ) echo ' style="display:none"'; ?> class="image-editor" id="image-editor-<?php echo $attachment_id; ?>">
 			<?php if ( $open ) wp_image_editor( $attachment_id ); ?>
 		</div>
-	</div>
-	<?php endif; ?>
+	<?php
+	elseif ( $attachment_id && 0 === strpos( $post->post_mime_type, 'audio/' ) ):
 
-	<div class="wp_attachment_details">
+		echo wp_audio_shortcode( array( 'src' => $att_url ) );
+
+	elseif ( $attachment_id && 0 === strpos( $post->post_mime_type, 'video/' ) ):
+
+		$meta = wp_get_attachment_metadata( $attachment_id );
+		$w = ! empty( $meta['width'] ) ? min( $meta['width'], 600 ) : 0;
+		$h = 0;
+		if ( ! empty( $meta['height'] ) )
+			$h = $meta['height'];
+		if ( $h && $w < $meta['width'] )
+			$h = round( ( $meta['height'] * $w ) / $meta['width'] );
+
+		$attr = array( 'src' => $att_url );
+
+		if ( ! empty( $meta['width' ] ) )
+			$attr['width'] = $w;
+
+		if ( ! empty( $meta['height'] ) )
+			$attr['height'] = $h;
+
+		echo wp_video_shortcode( $attr );
+
+	endif; ?>
+	</div>
+	<div class="wp_attachment_details edit-form-section">
 		<p>
 			<label for="attachment_caption"><strong><?php _e( 'Caption' ); ?></strong></label><br />
 			<textarea class="widefat" name="excerpt" id="attachment_caption"><?php echo $post->post_excerpt; ?></textarea>
@@ -2318,7 +2396,7 @@ function edit_form_image_editor() {
 	<?php endif; ?>
 
 	<?php
-		$quicktags_settings = array( 'buttons' => 'strong,em,link,block,del,ins,img,ul,ol,li,code,spell,close' );
+		$quicktags_settings = array( 'buttons' => 'strong,em,link,block,del,ins,img,ul,ol,li,code,close' );
 		$editor_args = array(
 			'textarea_name' => 'content',
 			'textarea_rows' => 5,
@@ -2329,7 +2407,7 @@ function edit_form_image_editor() {
 	?>
 
 	<label for="content"><strong><?php _e( 'Description' ); ?></strong></label>
-	<?php wp_editor( $post->post_content, 'attachment_content', $editor_args ); ?>
+	<?php wp_editor( format_to_edit( $post->post_content ), 'attachment_content', $editor_args ); ?>
 
 	</div>
 	<?php
@@ -2346,24 +2424,24 @@ function edit_form_image_editor() {
 function attachment_submitbox_metadata() {
 	$post = get_post();
 
-	$filename = esc_html( basename( $post->guid ) );
+	$filename = esc_html( wp_basename( $post->guid ) );
 
 	$media_dims = '';
 	$meta = wp_get_attachment_metadata( $post->ID );
-	if ( is_array( $meta ) && array_key_exists( 'width', $meta ) && array_key_exists( 'height', $meta ) )
+	if ( isset( $meta['width'], $meta['height'] ) )
 		$media_dims .= "<span id='media-dims-$post->ID'>{$meta['width']}&nbsp;&times;&nbsp;{$meta['height']}</span> ";
 	$media_dims = apply_filters( 'media_meta', $media_dims, $post );
 
 	$att_url = wp_get_attachment_url( $post->ID );
 ?>
-	<div class="misc-pub-section">
+	<div class="misc-pub-section misc-pub-attachment">
 			<label for="attachment_url"><?php _e( 'File URL:' ); ?></label>
 			<input type="text" class="widefat urlfield" readonly="readonly" name="attachment_url" value="<?php echo esc_attr($att_url); ?>" />
 	</div>
-	<div class="misc-pub-section">
+	<div class="misc-pub-section misc-pub-filename">
 		<?php _e( 'File name:' ); ?> <strong><?php echo $filename; ?></strong>
 	</div>
-	<div class="misc-pub-section">
+	<div class="misc-pub-section misc-pub-filetype">
 		<?php _e( 'File type:' ); ?> <strong><?php
 			if ( preg_match( '/^.*?\.(\w+)$/', get_attached_file( $post->ID ), $matches ) )
 				echo esc_html( strtoupper( $matches[1] ) );
@@ -2372,8 +2450,103 @@ function attachment_submitbox_metadata() {
 		?></strong>
 	</div>
 
-<?php if ( $media_dims ) : ?>
-	<div class="misc-pub-section">
+	<?php
+		$file  = get_attached_file( $post->ID );
+		$file_size = false;
+
+		if ( isset( $meta['filesize'] ) )
+			$file_size = $meta['filesize'];
+		elseif ( file_exists( $file ) )
+			$file_size = filesize( $file );
+
+		if ( ! empty( $file_size ) ) : ?>
+			<div class="misc-pub-section misc-pub-filesize">
+				<?php _e( 'File size:' ); ?> <strong><?php echo size_format( $file_size ); ?></strong>
+			</div>
+			<?php
+		endif;
+
+	if ( preg_match( '#^(audio|video)#', $post->post_mime_type ) ):
+
+		/**
+		 * Audio and video metadata fields to be shown in the publish meta box.
+		 *
+		 * The key for each item in the array should correspond to an attachment
+		 * metadata key, and the value should be the desired label.
+		 *
+		 * @since  3.7.0
+		 *
+		 * @param array $fields {
+		 *     An array of the attachment metadata keys and labels.
+		 *
+		 *     @type string 'mime_type'        Label to be shown before the field mime_type.
+		 *     @type string 'year'             Label to be shown before the field year.
+		 *     @type string 'genre'            Label to be shown before the field genre.
+		 *     @type string 'length_formatted' Label to be shown before the field length_formatted.
+		 * }
+		 */
+		$fields = apply_filters( 'media_submitbox_misc_sections', array(
+			'mime_type'        => __( 'Mime-type:' ),
+			'year'             => __( 'Year:' ),
+			'genre'            => __( 'Genre:' ),
+			'length_formatted' => __( 'Length:' ),
+		) );
+
+		foreach ( $fields as $key => $label ):
+			if ( ! empty( $meta[$key] ) ) : ?>
+		<div class="misc-pub-section misc-pub-mime-meta misc-pub-<?php echo sanitize_html_class( $key ); ?>">
+			<?php echo $label ?> <strong><?php echo esc_html( $meta[$key] ); ?></strong>
+		</div>
+	<?php
+			endif;
+		endforeach;
+
+		if ( ! empty( $meta['bitrate'] ) ) : ?>
+		<div class="misc-pub-section misc-pub-bitrate">
+			<?php _e( 'Bitrate:' ); ?> <strong><?php
+				echo round( $meta['bitrate'] / 1000 ), 'kb/s';
+
+				if ( ! empty( $meta['bitrate_mode'] ) )
+					echo ' ', strtoupper( $meta['bitrate_mode'] );
+
+			?></strong>
+		</div>
+	<?php
+		endif;
+
+		/**
+		 * Audio attachment metadata fields to be shown in the publish meta box.
+		 *
+		 * The key for each item in the array should correspond to an attachment
+		 * metadata key, and the value should be the desired label.
+		 *
+		 * @since  3.7.0
+		 *
+		 * @param array $fields {
+		 *     An array of the attachment metadata keys and labels.
+		 *
+		 *     @type string 'dataformat' Label to be shown before the field dataformat.
+		 *     @type string 'codec'      Label to be shown before the field codec.
+		 * }
+		 */
+		$audio_fields = apply_filters( 'audio_submitbox_misc_sections', array(
+			'dataformat' => __( 'Audio Format:' ),
+			'codec'      => __( 'Audio Codec:' )
+		) );
+
+		foreach ( $audio_fields as $key => $label ):
+			if ( ! empty( $meta['audio'][$key] ) ) : ?>
+		<div class="misc-pub-section misc-pub-audio misc-pub-<?php echo sanitize_html_class( $key ); ?>">
+			<?php echo $label; ?> <strong><?php echo esc_html( $meta['audio'][$key] ); ?></strong>
+		</div>
+	<?php
+			endif;
+		endforeach;
+
+	endif;
+
+	if ( $media_dims ) : ?>
+	<div class="misc-pub-section misc-pub-dimensions">
 		<?php _e( 'Dimensions:' ); ?> <strong><?php echo $media_dims; ?></strong>
 	</div>
 <?php
@@ -2394,3 +2567,142 @@ add_filter( 'media_upload_gallery', 'media_upload_gallery' );
 add_filter( 'media_upload_library', 'media_upload_library' );
 
 add_action( 'attachment_submitbox_misc_actions', 'attachment_submitbox_metadata' );
+
+/**
+ * Parse ID3v2, ID3v1, and getID3 comments to extract usable data
+ *
+ * @since 3.6.0
+ *
+ * @param array $metadata An existing array with data
+ * @param array $data Data supplied by ID3 tags
+ */
+function wp_add_id3_tag_data( &$metadata, $data ) {
+	foreach ( array( 'id3v2', 'id3v1' ) as $version ) {
+		if ( ! empty( $data[$version]['comments'] ) ) {
+			foreach ( $data[$version]['comments'] as $key => $list ) {
+				if ( ! empty( $list ) ) {
+					$metadata[$key] = wp_kses_post( reset( $list ) );
+					// fix bug in byte stream analysis
+					if ( 'terms_of_use' === $key && 0 === strpos( $metadata[$key], 'yright notice.' ) )
+						$metadata[$key] = 'Cop' . $metadata[$key];
+				}
+			}
+			break;
+		}
+	}
+
+	if ( ! empty( $data['id3v2']['APIC'] ) ) {
+		$image = reset( $data['id3v2']['APIC']);
+		if ( ! empty( $image['data'] ) ) {
+			$metadata['image'] = array(
+				'data' => $image['data'],
+				'mime' => $image['image_mime'],
+				'width' => $image['image_width'],
+				'height' => $image['image_height']
+			);
+		}
+	} elseif ( ! empty( $data['comments']['picture'] ) ) {
+		$image = reset( $data['comments']['picture'] );
+		if ( ! empty( $image['data'] ) ) {
+			$metadata['image'] = array(
+				'data' => $image['data'],
+				'mime' => $image['image_mime']
+			);
+		}
+	}
+}
+
+/**
+ * Retrieve metadata from a video file's ID3 tags
+ *
+ * @since 3.6.0
+ *
+ * @param string $file Path to file.
+ * @return array|boolean Returns array of metadata, if found.
+ */
+function wp_read_video_metadata( $file ) {
+	if ( ! file_exists( $file ) )
+		return false;
+
+	$metadata = array();
+
+	if ( ! class_exists( 'getID3' ) )
+		require( ABSPATH . WPINC . '/ID3/getid3.php' );
+	$id3 = new getID3();
+	$data = $id3->analyze( $file );
+
+	if ( isset( $data['video']['lossless'] ) )
+		$metadata['lossless'] = $data['video']['lossless'];
+	if ( ! empty( $data['video']['bitrate'] ) )
+		$metadata['bitrate'] = (int) $data['video']['bitrate'];
+	if ( ! empty( $data['video']['bitrate_mode'] ) )
+		$metadata['bitrate_mode'] = $data['video']['bitrate_mode'];
+	if ( ! empty( $data['filesize'] ) )
+		$metadata['filesize'] = (int) $data['filesize'];
+	if ( ! empty( $data['mime_type'] ) )
+		$metadata['mime_type'] = $data['mime_type'];
+	if ( ! empty( $data['playtime_seconds'] ) )
+		$metadata['length'] = (int) ceil( $data['playtime_seconds'] );
+	if ( ! empty( $data['playtime_string'] ) )
+		$metadata['length_formatted'] = $data['playtime_string'];
+	if ( ! empty( $data['video']['resolution_x'] ) )
+		$metadata['width'] = (int) $data['video']['resolution_x'];
+	if ( ! empty( $data['video']['resolution_y'] ) )
+		$metadata['height'] = (int) $data['video']['resolution_y'];
+	if ( ! empty( $data['fileformat'] ) )
+		$metadata['fileformat'] = $data['fileformat'];
+	if ( ! empty( $data['video']['dataformat'] ) )
+		$metadata['dataformat'] = $data['video']['dataformat'];
+	if ( ! empty( $data['video']['encoder'] ) )
+		$metadata['encoder'] = $data['video']['encoder'];
+	if ( ! empty( $data['video']['codec'] ) )
+		$metadata['codec'] = $data['video']['codec'];
+
+	if ( ! empty( $data['audio'] ) ) {
+		unset( $data['audio']['streams'] );
+		$metadata['audio'] = $data['audio'];
+	}
+
+	wp_add_id3_tag_data( $metadata, $data );
+
+	return $metadata;
+}
+
+/**
+ * Retrieve metadata from a audio file's ID3 tags
+ *
+ * @since 3.6.0
+ *
+ * @param string $file Path to file.
+ * @return array|boolean Returns array of metadata, if found.
+ */
+function wp_read_audio_metadata( $file ) {
+	if ( ! file_exists( $file ) )
+		return false;
+	$metadata = array();
+
+	if ( ! class_exists( 'getID3' ) )
+		require( ABSPATH . WPINC . '/ID3/getid3.php' );
+	$id3 = new getID3();
+	$data = $id3->analyze( $file );
+
+	if ( ! empty( $data['audio'] ) ) {
+		unset( $data['audio']['streams'] );
+		$metadata = $data['audio'];
+	}
+
+	if ( ! empty( $data['fileformat'] ) )
+		$metadata['fileformat'] = $data['fileformat'];
+	if ( ! empty( $data['filesize'] ) )
+		$metadata['filesize'] = (int) $data['filesize'];
+	if ( ! empty( $data['mime_type'] ) )
+		$metadata['mime_type'] = $data['mime_type'];
+	if ( ! empty( $data['playtime_seconds'] ) )
+		$metadata['length'] = (int) ceil( $data['playtime_seconds'] );
+	if ( ! empty( $data['playtime_string'] ) )
+		$metadata['length_formatted'] = $data['playtime_string'];
+
+	wp_add_id3_tag_data( $metadata, $data );
+
+	return $metadata;
+}