Tag 3.7.39

Built from https://develop.svn.wordpress.org/tags/3.7.39@54034


git-svn-id: http://core.svn.wordpress.org/tags/3.7.39@53593 1a063a9b-81f0-0310-95a4-ce76da25c4cd

license.txt

@@ -1,6 +1,6 @@
 WordPress - Web publishing software
 
-Copyright 2013 by the contributors
+Copyright 2018 by the contributors
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

readme.html

@@ -8,7 +8,6 @@
 <body>
 <h1 id="logo">
 	<a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
-	<br /> Version 3.7.2
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>
 

wp-activate.php

@@ -18,6 +18,50 @@ if ( !is_multisite() ) {
 	die();
 }
 
+$valid_error_codes = array( 'already_active', 'blog_taken' );
+
+list( $activate_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
+$activate_cookie = 'wp-activate-' . COOKIEHASH;
+
+$key    = '';
+$result = null;
+
+if ( isset( $_GET['key'] ) && isset( $_POST['key'] ) && $_GET['key'] !== $_POST['key'] ) {
+	wp_die( __( 'A key value mismatch has been detected. Please follow the link provided in your activation email.' ), __( 'An error occurred during the activation' ), 400 );
+} elseif ( ! empty( $_GET['key'] ) ) {
+	$key = $_GET['key'];
+} elseif ( ! empty( $_POST['key'] ) ) {
+	$key = $_POST['key'];
+}
+
+if ( $key ) {
+	$redirect_url = remove_query_arg( 'key' );
+
+	if ( $redirect_url !== remove_query_arg( false ) ) {
+		setcookie( $activate_cookie, $key, 0, $activate_path, COOKIE_DOMAIN, is_ssl(), true );
+		wp_safe_redirect( $redirect_url );
+		exit;
+	} else {
+		$result = wpmu_activate_signup( $key );
+	}
+}
+
+if ( $result === null && isset( $_COOKIE[ $activate_cookie ] ) ) {
+	$key    = $_COOKIE[ $activate_cookie ];
+	$result = wpmu_activate_signup( $key );
+	setcookie( $activate_cookie, ' ', time() - YEAR_IN_SECONDS, $activate_path, COOKIE_DOMAIN, is_ssl(), true );
+}
+
+if ( $result === null || ( is_wp_error( $result ) && 'invalid_key' === $result->get_error_code() ) ) {
+	status_header( 404 );
+} elseif ( is_wp_error( $result ) ) {
+	$error_code = $result->get_error_code();
+
+	if ( ! in_array( $error_code, $valid_error_codes ) ) {
+		status_header( 400 );
+	}
+}
+
 if ( is_object( $wp_object_cache ) )
 	$wp_object_cache->cache_enabled = false;
 
@@ -63,12 +107,13 @@ function wpmu_activate_stylesheet() {
 	<?php
 }
 add_action( 'wp_head', 'wpmu_activate_stylesheet' );
+add_action( 'wp_head', 'wp_sensitive_page_meta' );
 
 get_header();
 ?>
 
 <div id="content" class="widecolumn">
-	<?php if ( empty($_GET['key']) && empty($_POST['key']) ) { ?>
+	<?php if ( ! $key ) { ?>
 
 		<h2><?php _e('Activation Key Required') ?></h2>
 		<form name="activateform" id="activateform" method="post" action="<?php echo network_site_url('wp-activate.php'); ?>">
@@ -82,28 +127,25 @@ get_header();
 		</form>
 
 	<?php } else {
-
-		$key = !empty($_GET['key']) ? $_GET['key'] : $_POST['key'];
-		$result = wpmu_activate_signup($key);
-		if ( is_wp_error($result) ) {
-			if ( 'already_active' == $result->get_error_code() || 'blog_taken' == $result->get_error_code() ) {
-			    $signup = $result->get_error_data();
-				?>
-				<h2><?php _e('Your account is now active!'); ?></h2>
-				<?php
-				echo '<p class="lead-in">';
-				if ( $signup->domain . $signup->path == '' ) {
-					printf( __('Your account has been activated. You may now <a href="%1$s">log in</a> to the site using your chosen username of &#8220;%2$s&#8221;. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.'), network_site_url( 'wp-login.php', 'login' ), $signup->user_login, $signup->user_email, wp_lostpassword_url() );
-				} else {
-					printf( __('Your site at <a href="%1$s">%2$s</a> is active. You may now log in to your site using your chosen username of &#8220;%3$s&#8221;. Please check your email inbox at %4$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%5$s">reset your password</a>.'), 'http://' . $signup->domain, $signup->domain, $signup->user_login, $signup->user_email, wp_lostpassword_url() );
-				}
-				echo '</p>';
+		if ( is_wp_error( $result ) && in_array( $result->get_error_code(), $valid_error_codes ) ) {
+			$signup = $result->get_error_data();
+			?>
+			<h2><?php _e('Your account is now active!'); ?></h2>
+			<?php
+			echo '<p class="lead-in">';
+			if ( $signup->domain . $signup->path == '' ) {
+				printf( __('Your account has been activated. You may now <a href="%1$s">log in</a> to the site using your chosen username of &#8220;%2$s&#8221;. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.'), network_site_url( 'wp-login.php', 'login' ), $signup->user_login, $signup->user_email, wp_lostpassword_url() );
 			} else {
-				?>
-				<h2><?php _e('An error occurred during the activation'); ?></h2>
-				<?php
-			    echo '<p>'.$result->get_error_message().'</p>';
+				printf( __('Your site at <a href="%1$s">%2$s</a> is active. You may now log in to your site using your chosen username of &#8220;%3$s&#8221;. Please check your email inbox at %4$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%5$s">reset your password</a>.'), 'http://' . $signup->domain, $signup->domain, $signup->user_login, $signup->user_email, wp_lostpassword_url() );
 			}
+			echo '</p>';
+		} elseif ( $result === null || is_wp_error( $result ) ) {
+			?>
+			<h2><?php _e('An error occurred during the activation'); ?></h2>
+			<?php if ( is_wp_error( $result ) ) {
+				echo '<p>' . $result->get_error_message() . '</p>';
+			} ?>
+			<?php
 		} else {
 			extract($result);
 			$url = get_blogaddress_by_id( (int) $blog_id);

wp-admin/about.php

@@ -36,14 +36,343 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 </h2>
 
 <div class="changelog point-releases">
-	<h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 2 ); ?></h3>
+	<h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 39 ); ?></h3>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.7.39'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.39' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed one security issue.' ),
+			'3.7.38'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.38' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.7.37'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.37' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed one security issue.' ),
+			'3.7.36'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.36' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.7.35'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.35' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.7.34'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.34' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.7.33'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.33' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed one security issue.' ),
+			'3.7.32'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.32' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.7.31'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.31' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.7.30'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.30' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed a security issue.' ),
+			'3.7.29'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.7.29' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		/* translators: %s: WordPress version number */
+		printf( __( '<strong>Version %s</strong> addressed some security issues.' ), '3.7.28' );
+		?>
+		<?php
+		/* translators: %s: Codex URL */
+		printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.28' );
+		?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+			'<strong>Version %1$s</strong> addressed some security issues.', 1 ), '3.7.27' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.27' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+			'<strong>Version %1$s</strong> addressed some security issues.', 2 ), '3.7.26' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.26' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+			'<strong>Version %1$s</strong> addressed some security issues.', 1 ), '3.7.25' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.25' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+			'<strong>Version %1$s</strong> addressed some security issues.', 4 ), '3.7.24' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.24' ); ?>
+	</p>
+	<p><?php printf( __( '<strong>Version %s</strong> addressed one security issue.' ), '3.7.23' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.23' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+			'<strong>Version %1$s</strong> addressed some security issues.', 7 ), '3.7.22' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.22' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+			'<strong>Version %1$s</strong> addressed some security issues.', 5 ), '3.7.21' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.21' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
+			'<strong>Version %1$s</strong> addressed %2$s bugs.', 1 ), '3.7.20', number_format_i18n( 1 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.20' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 5 ), '3.7.19' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.19' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 3 ), '3.7.18' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.18' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 8 ), '3.7.17' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.17' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 2 ), '3.7.16' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.16' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 9 ), '3.7.15' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.15' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 6 ), '3.7.14' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.14' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 2 ), '3.7.13' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.13' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 1 ), '3.7.12' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.12' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 2 ), '3.7.11', number_format_i18n( 2 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.11' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 2 ), '3.7.10', number_format_i18n( 2 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.10' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 2 ), '3.7.9' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.9' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 3 ), '3.7.8', number_format_i18n( 3 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.8' ); ?>
+	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed %2$s bugs.', 1 ), '3.7.7', number_format_i18n( 1 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.7' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 8 ), '3.7.6' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.6' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 8 ), '3.7.5', number_format_i18n( 8 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.5' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed a security issue.',
+         '<strong>Version %1$s</strong> addressed some security issues.', 5 ), '3.7.4', number_format_i18n( 5 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.4' ); ?>
+ 	</p>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
+		'<strong>Version %1$s</strong> addressed %2$s bugs.', 2 ), '3.7.3', number_format_i18n( 2 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.7.3' ); ?>
+ 	</p>
 	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
          '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 9 ), '3.7.2', number_format_i18n( 9 ) ); ?>
-		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.7.2' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.2' ); ?>
  	</p>
 	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
 		'<strong>Version %1$s</strong> addressed %2$s bugs.', 11 ), '3.7.1', number_format_i18n( 11 ) ); ?>
-		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.7.1' ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_3.7.1' ); ?>
  	</p>
 </div>
 

wp-admin/admin-ajax.php

@@ -32,7 +32,7 @@ require_once( ABSPATH . 'wp-admin/includes/admin.php' );
 /** Load Ajax Handlers for WordPress Core */
 require_once( ABSPATH . 'wp-admin/includes/ajax-actions.php' );
 
-@header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
+@header( 'Content-Type: text/plain; charset=' . get_option( 'blog_charset' ) );
 @header( 'X-Robots-Tag: noindex' );
 
 send_nosniff_header();

wp-admin/admin-header.php

@@ -57,13 +57,13 @@ wp_enqueue_script('utils');
 $admin_body_class = preg_replace('/[^a-z0-9_-]+/i', '-', $hook_suffix);
 ?>
 <script type="text/javascript">
-addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
-	pagenow = '<?php echo $current_screen->id; ?>',
-	typenow = '<?php echo $current_screen->post_type; ?>',
-	adminpage = '<?php echo $admin_body_class; ?>',
-	thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
-	decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+addLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+	pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+	typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+	adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+	thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+	decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
 	isRtl = <?php echo (int) is_rtl(); ?>;
 </script>
 <?php

wp-admin/css/customize-controls-rtl.min.css

@@ -1 +1 @@
-#customize-header-actions .button-primary{float:left}#customize-header-actions .spinner{float:left;margin-right:0;margin-left:4px}.customize-control{float:right}.customize-control-radio input,.customize-control-checkbox input{margin-right:0;margin-left:5px}.accordion-section .dropdown{float:right}.accordion-section .dropdown-content{float:right;margin-right:0;margin-left:16px;-webkit-border-radius:0 3px 3px 0;border-radius:0 3px 3px 0}.customize-control .dropdown-arrow{right:auto;left:0;border-color:#ccc;border-style:solid;border-width:1px 0 1px 1px;-webkit-border-radius:3px 0 0 3px;border-radius:3px 0 0 3px}.customize-control .dropdown-arrow:after{right:auto;left:4px}.customize-control-color .dropdown{margin-right:0;margin-left:5px}.accordion-section input[type=text].color-picker-hex{direction:ltr}.accordion-section .customize-control-image .actions{text-align:left}.customize-control-image .library,.customize-control-image .actions,.accordion-section .customize-control-image .library ul,.accordion-section .customize-control-image .library li,.accordion-section .customize-control-image .library-content{float:right}
+#customize-header-actions .button-primary{float:left}#customize-header-actions .spinner{float:left;margin-right:0;margin-left:4px}.customize-control{float:right}.customize-control-checkbox input,.customize-control-radio input{margin-right:0;margin-left:5px}.accordion-section .dropdown{float:right}.accordion-section .dropdown-content{float:right;margin-right:0;margin-left:16px;-webkit-border-radius:0 3px 3px 0;border-radius:0 3px 3px 0}.customize-control .dropdown-arrow{right:auto;left:0;border-color:#ccc;border-style:solid;border-width:1px 0 1px 1px;-webkit-border-radius:3px 0 0 3px;border-radius:3px 0 0 3px}.customize-control .dropdown-arrow:after{right:auto;left:4px}.customize-control-color .dropdown{margin-right:0;margin-left:5px}.accordion-section input[type=text].color-picker-hex{direction:ltr}.accordion-section .customize-control-image .actions{text-align:left}.accordion-section .customize-control-image .library li,.accordion-section .customize-control-image .library ul,.accordion-section .customize-control-image .library-content,.customize-control-image .actions,.customize-control-image .library{float:right}

wp-admin/css/ie-rtl.min.css

@@ -1 +1 @@
-body{direction:rtl;width:99.5%}.rtl #adminmenuback{left:auto;right:0;background-image:none}.rtl #adminmenuback,.rtl #adminmenuwrap{border-width:0 0 0 1px}#plupload-upload-ui{zoom:1}.post-com-count-wrapper a.post-com-count{float:none}#adminmenu .wp-submenu ul{width:99%}#adminmenu .wp-submenu .wp-submenu .wp-submenu,#adminmenu .wp-menu-open .wp-submenu .wp-submenu{border:1px solid #dfdfdf}.folded #adminmenu .wp-submenu{right:30px}#wpcontent #adminmenu .wp-submenu li.wp-submenu-head{padding:3px 10px 4px 4px}div.quicktags-toolbar input{min-width:0}.inline-edit-row fieldset label span.title{float:right}.inline-edit-row fieldset label span.input-text-wrap{margin-right:0}p.search-box{float:left}#bh{margin:7px 10px 0 0;float:left}.postbox div.inside,.wp-editor-wrap .wp-editor-container .wp-editor-area,#nav-menu-theme-locations .howto select{width:97.5%}div#dashboard-widgets{padding-right:0;padding-left:1px}.widefat th input{margin:0 5px 0 0}#TB_window{width:670px;position:absolute;top:50%;left:50%;margin-right:335px!important}#dashboard_plugins{direction:ltr}#dashboard_plugins h3.hndle{direction:rtl}#dashboard_incoming_links ul li,#dashboard_secondary ul li,#dashboard_primary ul li,p.row-actions{width:100%}#post-status-info{height:25px}p.submit{height:22px}.available-theme .action-links li{padding-left:7px;margin-left:7px}form#widgets-filter{position:static}.menu-item-depth-0{margin-left:0}.menu-item-depth-1{margin-left:-30px}.menu-item-depth-2{margin-left:-60px}.menu-item-depth-3{margin-left:-90px}.menu-item-depth-4{margin-left:-120px}.menu-item-depth-5{margin-left:-150px}.menu-item-depth-6{margin-left:-180px}.menu-item-depth-7{margin-left:-210px}.menu-item-depth-8{margin-left:-240px}.menu-item-depth-9{margin-left:-270px}.menu-item-depth-10{margin-left:-300px}.menu-item-depth-11{margin-left:-330px}#menu-management,.nav-menus-php .menu-edit,#nav-menu-header .submitbox{zoom:1}.nav-menus-php label{max-width:90%!important}p.button-controls,.nav-menus-php .tabs-panel{max-width:90%}.nav-menus-php .major-publishing-actions .publishing-action{float:none}#wpbody #nav-menu-header label{float:none}#nav-menu-header{margin-top:-10px}#nav-menu-footer{margin-bottom:-20px}#update-nav-menu .publishing-action{max-width:200px}#nav-menus-frame #update-nav-menu .delete-action{margin-top:-25px;float:left}#menu-to-edit li{margin-top:-10px;margin-bottom:-10px}.sortable-placeholder{margin-top:0!important;margin-left:0!important;margin-bottom:13px!important;padding:0!important}.auto-add-pages{clear:both;float:none}#nav-menus-frame .open-label span{float:none;display:inline-block}#nav-menus-frame .delete-action{float:none}#title-wrap #title-prompt-text{right:0}.screen-reader-text{right:auto;text-indent:-1000em}
+body{direction:rtl;width:99.5%}.rtl #adminmenuback{left:auto;right:0;background-image:none}.rtl #adminmenuback,.rtl #adminmenuwrap{border-width:0 0 0 1px}#plupload-upload-ui{zoom:1}.post-com-count-wrapper a.post-com-count{float:none}#adminmenu .wp-submenu ul{width:99%}#adminmenu .wp-menu-open .wp-submenu .wp-submenu,#adminmenu .wp-submenu .wp-submenu .wp-submenu{border:1px solid #dfdfdf}.folded #adminmenu .wp-submenu{right:30px}#wpcontent #adminmenu .wp-submenu li.wp-submenu-head{padding:3px 10px 4px 4px}div.quicktags-toolbar input{min-width:0}.inline-edit-row fieldset label span.title{float:right}.inline-edit-row fieldset label span.input-text-wrap{margin-right:0}p.search-box{float:left}#bh{margin:7px 10px 0 0;float:left}#nav-menu-theme-locations .howto select,.postbox div.inside,.wp-editor-wrap .wp-editor-container .wp-editor-area{width:97.5%}div#dashboard-widgets{padding-right:0;padding-left:1px}.widefat th input{margin:0 5px 0 0}#TB_window{width:670px;position:absolute;top:50%;left:50%;margin-right:335px!important}#dashboard_plugins{direction:ltr}#dashboard_plugins h3.hndle{direction:rtl}#dashboard_incoming_links ul li,#dashboard_primary ul li,#dashboard_secondary ul li,p.row-actions{width:100%}#post-status-info{height:25px}p.submit{height:22px}.available-theme .action-links li{padding-left:7px;margin-left:7px}form#widgets-filter{position:static}.menu-item-depth-0{margin-left:0}.menu-item-depth-1{margin-left:-30px}.menu-item-depth-2{margin-left:-60px}.menu-item-depth-3{margin-left:-90px}.menu-item-depth-4{margin-left:-120px}.menu-item-depth-5{margin-left:-150px}.menu-item-depth-6{margin-left:-180px}.menu-item-depth-7{margin-left:-210px}.menu-item-depth-8{margin-left:-240px}.menu-item-depth-9{margin-left:-270px}.menu-item-depth-10{margin-left:-300px}.menu-item-depth-11{margin-left:-330px}#menu-management,#nav-menu-header .submitbox,.nav-menus-php .menu-edit{zoom:1}.nav-menus-php label{max-width:90%!important}.nav-menus-php .tabs-panel,p.button-controls{max-width:90%}.nav-menus-php .major-publishing-actions .publishing-action{float:none}#wpbody #nav-menu-header label{float:none}#nav-menu-header{margin-top:-10px}#nav-menu-footer{margin-bottom:-20px}#update-nav-menu .publishing-action{max-width:200px}#nav-menus-frame #update-nav-menu .delete-action{margin-top:-25px;float:left}#menu-to-edit li{margin-top:-10px;margin-bottom:-10px}.sortable-placeholder{margin-top:0!important;margin-left:0!important;margin-bottom:13px!important;padding:0!important}.auto-add-pages{clear:both;float:none}#nav-menus-frame .open-label span{float:none;display:inline-block}#nav-menus-frame .delete-action{float:none}#title-wrap #title-prompt-text{right:0}.screen-reader-text{right:auto;text-indent:-1000em}

wp-admin/css/install.min.css

@@ -1 +1 @@
-html{background:#f9f9f9}body{background:#fff;color:#333;font-family:sans-serif;margin:2em auto;padding:1em 2em;-webkit-border-radius:3px;border-radius:3px;border:1px solid #dfdfdf;max-width:700px}a{color:#21759b;text-decoration:none}a:hover{color:#d54e21}h1{border-bottom:1px solid #dadada;clear:both;color:#666;font:24px Georgia,"Times New Roman",Times,serif;margin:30px 0 0;padding:0;padding-bottom:7px}h2{font-size:16px}p,li,dd,dt{padding-bottom:2px;font-size:14px;line-height:1.5}code,.code{font-size:14px}ul,ol,dl{padding:5px 5px 5px 22px}a img{border:0}abbr{border:0;font-variant:normal}#logo{margin:6px 0 14px;border-bottom:0;text-align:center}#logo a{background-image:url(../images/wordpress-logo.png?ver=20120216);background-size:274px 63px;background-position:top center;background-repeat:no-repeat;height:67px;text-indent:-9999px;outline:0;overflow:hidden;display:block}@media print,(-o-min-device-pixel-ratio:5/4),(-webkit-min-device-pixel-ratio:1.25),(min-resolution:120dpi){#logo a{background-image:url(../images/wordpress-logo-2x.png?ver=20120412);background-size:274px 63px}}.step{margin:20px 0 15px}.step,th{text-align:left;padding:0}.step .button-large{font-size:14px}textarea{border:1px solid #dfdfdf;-webkit-border-radius:3px;border-radius:3px;font-family:sans-serif;width:695px}.form-table{border-collapse:collapse;margin-top:1em;width:100%}.form-table td{margin-bottom:9px;padding:10px 20px 10px 0;border-bottom:8px solid #fff;font-size:14px;vertical-align:top}.form-table th{font-size:14px;text-align:left;padding:16px 20px 10px 0;border-bottom:8px solid #fff;width:140px;vertical-align:top}.form-table code{line-height:18px;font-size:14px}.form-table p{margin:4px 0 0;font-size:11px}.form-table input{line-height:20px;font-size:15px;padding:2px;border:1px #dfdfdf solid;-webkit-border-radius:3px;border-radius:3px;font-family:sans-serif}.form-table input[type=text],.form-table input[type=password]{width:206px}.form-table th p{font-weight:400}.form-table.install-success td{vertical-align:middle;padding:16px 20px 10px 0}.form-table.install-success td p{margin:0;font-size:14px}.form-table.install-success td code{margin:0;font-size:18px}#error-page{margin-top:50px}#error-page p{font-size:14px;line-height:18px;margin:25px 0 20px}#error-page code,.code{font-family:Consolas,Monaco,monospace}#pass-strength-result{background-color:#eee;border-color:#ddd!important;border-style:solid;border-width:1px;margin:5px 5px 5px 0;padding:5px;text-align:center;width:200px;display:none}#pass-strength-result.bad{background-color:#ffb78c;border-color:#ff853c!important}#pass-strength-result.good{background-color:#ffec8b;border-color:#fc0!important}#pass-strength-result.short{background-color:#ffa0a0;border-color:#f04040!important}#pass-strength-result.strong{background-color:#c3ff88;border-color:#8dff1c!important}.message{border:1px solid #c00;-webkit-border-radius:3px;border-radius:3px;padding:.5em .7em;margin:5px 0 15px;background-color:#ffebe8}body.rtl{font-family:Tahoma,arial}.rtl h1{font-family:arial;margin:5px -4px 0 0}.rtl ul,.rtl ol{padding:5px 22px 5px 5px}.rtl .step,.rtl th,.rtl .form-table th{text-align:right}.rtl .submit input,.rtl .button,.rtl .button-secondary{margin-right:0}.rtl #dbname,.rtl #uname,.rtl #pwd,.rtl #dbhost,.rtl #prefix,.rtl #user_login,.rtl #admin_email,.rtl #pass1,.rtl #pass2{direction:ltr}
+html{background:#f9f9f9}body{background:#fff;color:#333;font-family:sans-serif;margin:2em auto;padding:1em 2em;-webkit-border-radius:3px;border-radius:3px;border:1px solid #dfdfdf;max-width:700px}a{color:#21759b;text-decoration:none}a:hover{color:#d54e21}h1{border-bottom:1px solid #dadada;clear:both;color:#666;font:24px Georgia,"Times New Roman",Times,serif;margin:30px 0 0 0;padding:0;padding-bottom:7px}h2{font-size:16px}dd,dt,li,p{padding-bottom:2px;font-size:14px;line-height:1.5}.code,code{font-size:14px}dl,ol,ul{padding:5px 5px 5px 22px}a img{border:0}abbr{border:0;font-variant:normal}#logo{margin:6px 0 14px 0;border-bottom:none;text-align:center}#logo a{background-image:url('../images/wordpress-logo.png?ver=20120216');background-size:274px 63px;background-position:top center;background-repeat:no-repeat;height:67px;text-indent:-9999px;outline:0;overflow:hidden;display:block}@media print,(-o-min-device-pixel-ratio:5/4),(-webkit-min-device-pixel-ratio:1.25),(min-resolution:120dpi){#logo a{background-image:url('../images/wordpress-logo-2x.png?ver=20120412');background-size:274px 63px}}.step{margin:20px 0 15px}.step,th{text-align:left;padding:0}.step .button-large{font-size:14px}textarea{border:1px solid #dfdfdf;-webkit-border-radius:3px;border-radius:3px;font-family:sans-serif;width:695px}.form-table{border-collapse:collapse;margin-top:1em;width:100%}.form-table td{margin-bottom:9px;padding:10px 20px 10px 0;border-bottom:8px solid #fff;font-size:14px;vertical-align:top}.form-table th{font-size:14px;text-align:left;padding:16px 20px 10px 0;border-bottom:8px solid #fff;width:140px;vertical-align:top}.form-table code{line-height:18px;font-size:14px}.form-table p{margin:4px 0 0 0;font-size:11px}.form-table input{line-height:20px;font-size:15px;padding:2px;border:1px #dfdfdf solid;-webkit-border-radius:3px;border-radius:3px;font-family:sans-serif}.form-table input[type=password],.form-table input[type=text]{width:206px}.form-table th p{font-weight:400}.form-table.install-success td{vertical-align:middle;padding:16px 20px 10px 0}.form-table.install-success td p{margin:0;font-size:14px}.form-table.install-success td code{margin:0;font-size:18px}#error-page{margin-top:50px}#error-page p{font-size:14px;line-height:18px;margin:25px 0 20px}#error-page code,.code{font-family:Consolas,Monaco,monospace}#pass-strength-result{background-color:#eee;border-color:#ddd!important;border-style:solid;border-width:1px;margin:5px 5px 5px 0;padding:5px;text-align:center;width:200px;display:none}#pass-strength-result.bad{background-color:#ffb78c;border-color:#ff853c!important}#pass-strength-result.good{background-color:#ffec8b;border-color:#fc0!important}#pass-strength-result.short{background-color:#ffa0a0;border-color:#f04040!important}#pass-strength-result.strong{background-color:#c3ff88;border-color:#8dff1c!important}.message{border:1px solid #c00;-webkit-border-radius:3px;border-radius:3px;padding:.5em .7em;margin:5px 0 15px;background-color:#ffebe8}body.rtl{font-family:Tahoma,arial}.rtl h1{font-family:arial;margin:5px -4px 0 0}.rtl ol,.rtl ul{padding:5px 22px 5px 5px}.rtl .form-table th,.rtl .step,.rtl th{text-align:right}.rtl .button,.rtl .button-secondary,.rtl .submit input{margin-right:0}.rtl #admin_email,.rtl #dbhost,.rtl #dbname,.rtl #pass1,.rtl #pass2,.rtl #prefix,.rtl #pwd,.rtl #uname,.rtl #user_login{direction:ltr}

wp-admin/css/media-rtl.min.css

@@ -1 +1 @@
-body#media-upload ul#sidemenu{left:auto;right:0}#search-filter{text-align:left}.align .field label{padding:0 23px 0 0;margin:0 3px 0 1em}.image-align-none-label,.image-align-left-label,.image-align-center-label,.image-align-right-label{background-position:center right}tr.image-size label{margin:0 5px 0 0}.file-error{margin:0 50px 5px 0}.progress{left:auto;right:0}.describe td{padding:0 0 0 5px}#media-upload .describe th.label{text-align:right}.menu_order{float:left}.media-upload-form label.form-help,td.help,#media-upload p.help,#media-upload label.help{font-family:Tahoma,Arial}#gallery-settings #basic th.label{padding:5px 0 5px 5px}#gallery-settings .title,h3.media-title{font-family:Tahoma,Arial}#gallery-settings .describe th.label{text-align:right}#gallery-settings label,#gallery-settings legend{margin-right:0;margin-left:15px}#gallery-settings .align .field label{margin:0 3px 0 1em}#sort-buttons{margin:3px 0 -8px 25px;text-align:left}#sort-buttons #asc,#sort-buttons #showall{padding-left:0;padding-right:5px}#sort-buttons span{margin-right:0;margin-left:25px}
+body#media-upload ul#sidemenu{left:auto;right:0}#search-filter{text-align:left}.align .field label{padding:0 23px 0 0;margin:0 3px 0 1em}.image-align-center-label,.image-align-left-label,.image-align-none-label,.image-align-right-label{background-position:center right}tr.image-size label{margin:0 5px 0 0}.file-error{margin:0 50px 5px 0}.progress{left:auto;right:0}.describe td{padding:0 0 0 5px}#media-upload .describe th.label{text-align:right}.menu_order{float:left}#media-upload label.help,#media-upload p.help,.media-upload-form label.form-help,td.help{font-family:Tahoma,Arial}#gallery-settings #basic th.label{padding:5px 0 5px 5px}#gallery-settings .title,h3.media-title{font-family:Tahoma,Arial}#gallery-settings .describe th.label{text-align:right}#gallery-settings label,#gallery-settings legend{margin-right:0;margin-left:15px}#gallery-settings .align .field label{margin:0 3px 0 1em}#sort-buttons{margin:3px 0 -8px 25px;text-align:left}#sort-buttons #asc,#sort-buttons #showall{padding-left:0;padding-right:5px}#sort-buttons span{margin-right:0;margin-left:25px}

wp-admin/css/media.min.css

@@ -1 +1 @@
-div#media-upload-header{margin:0;padding:5px 5px 0;font-weight:700;position:relative;border-bottom-width:1px;border-bottom-style:solid}body#media-upload ul#sidemenu{font-weight:400;margin:0 5px;left:0;bottom:-1px;float:none;overflow:hidden}form{margin:1em}#search-filter{text-align:right}th{position:relative}.media-upload-form label.form-help,td.help{font-family:sans-serif;font-style:italic;font-weight:400}.media-upload-form p.help{margin:0;padding:0}.media-upload-form fieldset{width:100%;border:0;text-align:justify;margin:0 0 1em;padding:0}.image-align-none-label{background:url(../images/align-none.png) no-repeat center left}.image-align-left-label{background:url(../images/align-left.png) no-repeat center left}.image-align-center-label{background:url(../images/align-center.png) no-repeat center left}.image-align-right-label{background:url(../images/align-right.png) no-repeat center left}tr.image-size td{width:460px}tr.image-size div.image-size-item{margin:0 0 5px}#library-form .progress,#gallery-form .progress,.insert-gallery,.describe.startopen,.describe.startclosed{display:none}.media-item .thumbnail{max-width:128px;max-height:128px}thead.media-item-info tr{background-color:transparent}.form-table thead.media-item-info{border:8px solid #fff}abbr.required{text-decoration:none;border:0}.describe label{display:inline}.describe td.error{padding:2px 8px}.describe td.A1{width:132px}.describe input[type=text],.describe textarea{width:460px;border-width:1px;border-style:solid}#media-upload p.ml-submit{padding:1em 0}#media-upload p.help,#media-upload label.help{font-family:sans-serif;font-style:italic;font-weight:400}#media-upload .ui-sortable .media-item{cursor:move}#media-upload tr.image-size{margin-bottom:1em;height:3em}#media-upload #filter{width:623px}#media-upload #filter .subsubsub{margin:8px 0}#filter .tablenav select{border-style:solid;border-width:1px;padding:2px;vertical-align:top;width:auto}#media-upload .del-attachment{display:none;margin:5px 0}.menu_order{float:right;font-size:11px;margin:10px 10px 0}.menu_order_input{border:1px solid #ddd;font-size:10px;padding:1px;width:23px}.ui-sortable-helper{background-color:#fff;border:1px solid #aaa;opacity:.6;filter:alpha(opacity=60)}#media-upload th.order-head{width:20%;text-align:center}#media-upload th.actions-head{width:25%;text-align:center}#media-upload a.wp-post-thumbnail{margin:0 20px}#media-upload .widefat{width:626px;border-style:solid solid none}.sorthelper{height:37px;width:623px;display:block}#gallery-settings th.label{width:160px}#gallery-settings #basic th.label{padding:5px 5px 5px 0}#gallery-settings .title{clear:both;padding:0 0 3px;font-size:1.6em;border-bottom:1px solid #DADADA}h3.media-title{font-size:1.6em}h4.media-sub-title{border-bottom:1px solid #DADADA;font-size:1.3em;margin:12px;padding:0 0 3px}#gallery-settings .title,h3.media-title,h4.media-sub-title{font-family:Georgia,"Times New Roman",Times,serif;font-weight:400;color:#5A5A5A}#gallery-settings .describe td{vertical-align:middle;height:3em}#gallery-settings .describe th.label{padding-top:.5em;text-align:left}#gallery-settings .describe{padding:5px;width:615px;clear:both;cursor:default}#gallery-settings .describe select{width:15em}#gallery-settings .describe select option,#gallery-settings .describe td{padding:0}#gallery-settings label,#gallery-settings legend{font-size:13px;color:#464646;margin-right:15px}#gallery-settings .align .field label{margin:0 1em 0 3px}#gallery-settings p.ml-submit{border-top:1px solid #dfdfdf}#gallery-settings select#columns{width:6em}#sort-buttons{font-size:.8em;margin:3px 25px -8px 0;text-align:right;max-width:625px}#sort-buttons a{text-decoration:none}#sort-buttons #asc,#sort-buttons #showall{padding-left:5px}#sort-buttons span{margin-right:25px}p.media-types{margin:1em}tr.not-image{display:none}table.not-image tr.not-image{display:table-row}table.not-image tr.image-only{display:none}@media print,(-o-min-device-pixel-ratio:5/4),(-webkit-min-device-pixel-ratio:1.25),(min-resolution:120dpi){.image-align-none-label{background-image:url(../images/align-none-2x.png?ver=20120916);background-size:21px 15px}.image-align-left-label{background-image:url(../images/align-left-2x.png?ver=20120916);background-size:22px 15px}.image-align-center-label{background-image:url(../images/align-center-2x.png?ver=20120916);background-size:21px 15px}.image-align-right-label{background-image:url(../images/align-right-2x.png?ver=20120916);background-size:22px 15px}}
+div#media-upload-header{margin:0;padding:5px 5px 0;font-weight:700;position:relative;border-bottom-width:1px;border-bottom-style:solid}body#media-upload ul#sidemenu{font-weight:400;margin:0 5px;left:0;bottom:-1px;float:none;overflow:hidden}form{margin:1em}#search-filter{text-align:right}th{position:relative}.media-upload-form label.form-help,td.help{font-family:sans-serif;font-style:italic;font-weight:400}.media-upload-form p.help{margin:0;padding:0}.media-upload-form fieldset{width:100%;border:none;text-align:justify;margin:0 0 1em 0;padding:0}.image-align-none-label{background:url(../images/align-none.png) no-repeat center left}.image-align-left-label{background:url(../images/align-left.png) no-repeat center left}.image-align-center-label{background:url(../images/align-center.png) no-repeat center left}.image-align-right-label{background:url(../images/align-right.png) no-repeat center left}tr.image-size td{width:460px}tr.image-size div.image-size-item{margin:0 0 5px}#gallery-form .progress,#library-form .progress,.describe.startclosed,.describe.startopen,.insert-gallery{display:none}.media-item .thumbnail{max-width:128px;max-height:128px}thead.media-item-info tr{background-color:transparent}.form-table thead.media-item-info{border:8px solid #fff}abbr.required{text-decoration:none;border:none}.describe label{display:inline}.describe td.error{padding:2px 8px}.describe td.A1{width:132px}.describe input[type=text],.describe textarea{width:460px;border-width:1px;border-style:solid}#media-upload p.ml-submit{padding:1em 0}#media-upload label.help,#media-upload p.help{font-family:sans-serif;font-style:italic;font-weight:400}#media-upload .ui-sortable .media-item{cursor:move}#media-upload tr.image-size{margin-bottom:1em;height:3em}#media-upload #filter{width:623px}#media-upload #filter .subsubsub{margin:8px 0}#filter .tablenav select{border-style:solid;border-width:1px;padding:2px;vertical-align:top;width:auto}#media-upload .del-attachment{display:none;margin:5px 0}.menu_order{float:right;font-size:11px;margin:10px 10px 0}.menu_order_input{border:1px solid #ddd;font-size:10px;padding:1px;width:23px}.ui-sortable-helper{background-color:#fff;border:1px solid #aaa;opacity:.6}#media-upload th.order-head{width:20%;text-align:center}#media-upload th.actions-head{width:25%;text-align:center}#media-upload a.wp-post-thumbnail{margin:0 20px}#media-upload .widefat{width:626px;border-style:solid solid none}.sorthelper{height:37px;width:623px;display:block}#gallery-settings th.label{width:160px}#gallery-settings #basic th.label{padding:5px 5px 5px 0}#gallery-settings .title{clear:both;padding:0 0 3px;font-size:1.6em;border-bottom:1px solid #dadada}h3.media-title{font-size:1.6em}h4.media-sub-title{border-bottom:1px solid #dadada;font-size:1.3em;margin:12px;padding:0 0 3px}#gallery-settings .title,h3.media-title,h4.media-sub-title{font-family:Georgia,"Times New Roman",Times,serif;font-weight:400;color:#5a5a5a}#gallery-settings .describe td{vertical-align:middle;height:3em}#gallery-settings .describe th.label{padding-top:.5em;text-align:left}#gallery-settings .describe{padding:5px;width:615px;clear:both;cursor:default}#gallery-settings .describe select{width:15em}#gallery-settings .describe select option,#gallery-settings .describe td{padding:0}#gallery-settings label,#gallery-settings legend{font-size:13px;color:#464646;margin-right:15px}#gallery-settings .align .field label{margin:0 1em 0 3px}#gallery-settings p.ml-submit{border-top:1px solid #dfdfdf}#gallery-settings select#columns{width:6em}#sort-buttons{font-size:.8em;margin:3px 25px -8px 0;text-align:right;max-width:625px}#sort-buttons a{text-decoration:none}#sort-buttons #asc,#sort-buttons #showall{padding-left:5px}#sort-buttons span{margin-right:25px}p.media-types{margin:1em}tr.not-image{display:none}table.not-image tr.not-image{display:table-row}table.not-image tr.image-only{display:none}@media print,(-o-min-device-pixel-ratio:5/4),(-webkit-min-device-pixel-ratio:1.25),(min-resolution:120dpi){.image-align-none-label{background-image:url("../images/align-none-2x.png?ver=20120916");background-size:21px 15px}.image-align-left-label{background-image:url("../images/align-left-2x.png?ver=20120916");background-size:22px 15px}.image-align-center-label{background-image:url("../images/align-center-2x.png?ver=20120916");background-size:21px 15px}.image-align-right-label{background-image:url("../images/align-right-2x.png?ver=20120916");background-size:22px 15px}}

wp-admin/custom-background.php

@@ -410,6 +410,7 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) )
 	}
 
 	public function wp_set_background_image() {
+		check_ajax_referer( 'custom-background' );
 		if ( ! current_user_can('edit_theme_options') || ! isset( $_POST['attachment_id'] ) ) exit;
 		$attachment_id = absint($_POST['attachment_id']);
 		/** This filter is documented in wp-admin/includes/media.php */

wp-admin/custom-header.php

@@ -320,7 +320,7 @@ class Custom_Image_Header {
 <script type="text/javascript">
 /* <![CDATA[ */
 (function($){
-	var default_color = '#<?php echo get_theme_support( 'custom-header', 'default-text-color' ); ?>',
+	var default_color = '#<?php echo esc_js( get_theme_support( 'custom-header', 'default-text-color' ) ); ?>',
 		header_text_fields;
 
 	function pickColor(color) {

wp-admin/customize.php

@@ -15,9 +15,10 @@ if ( ! current_user_can( 'edit_theme_options' ) )
 
 wp_reset_vars( array( 'url', 'return' ) );
 $url = urldecode( $url );
+$url = esc_url_raw( $url );
 $url = wp_validate_redirect( $url, home_url( '/' ) );
 if ( $return )
-	$return = wp_validate_redirect( urldecode( $return ) );
+	$return = wp_validate_redirect( esc_url_raw( urldecode( $return ) ) );
 if ( ! $return )
 	$return = $url;
 

wp-admin/includes/ajax-actions.php

@@ -794,6 +794,8 @@ function wp_ajax_replyto_comment( $action ) {
 			if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
 				kses_remove_filters(); // start with a clean slate
 				kses_init_filters(); // set up the filters
+				remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+				add_filter( 'pre_comment_content', 'wp_filter_kses' );
 			}
 		}
 	} else {
@@ -1377,11 +1379,13 @@ function wp_ajax_inline_save() {
 	if ( isset($data['post_parent']) )
 		$data['parent_id'] = $data['post_parent'];
 
-	// status
-	if ( isset($data['keep_private']) && 'private' == $data['keep_private'] )
+	// Status.
+	if ( isset( $data['keep_private'] ) && 'private' == $data['keep_private'] ) {
+		$data['visibility']  = 'private';
 		$data['post_status'] = 'private';
-	else
+	} else {
 		$data['post_status'] = $data['_status'];
+	}
 
 	if ( empty($data['comment_status']) )
 		$data['comment_status'] = 'closed';
@@ -1657,7 +1661,11 @@ function wp_ajax_upload_attachment() {
 		$post_id = null;
 	}
 
-	$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
+	$post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();
+
+	if ( is_wp_error( $post_data ) ) {
+		wp_die( $post_data->get_error_message() );
+	}
 
 	// If the context is custom header or background, make sure the uploaded file is an image.
 	if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
@@ -1667,7 +1675,7 @@ function wp_ajax_upload_attachment() {
 				'success' => false,
 				'data'    => array(
 					'message'  => __( 'The uploaded file is not a valid image. Please try again.' ),
-					'filename' => $_FILES['async-upload']['name'],
+					'filename' => esc_html( $_FILES['async-upload']['name'] ),
 				)
 			) );
 
@@ -1682,7 +1690,7 @@ function wp_ajax_upload_attachment() {
 			'success' => false,
 			'data'    => array(
 				'message'  => $attachment_id->get_error_message(),
-				'filename' => $_FILES['async-upload']['name'],
+				'filename' => esc_html( $_FILES['async-upload']['name'] ),
 			)
 		) );
 
@@ -2224,7 +2232,7 @@ function wp_ajax_get_revision_diffs() {
 	if ( ! $post = get_post( (int) $_REQUEST['post_id'] ) )
 		wp_send_json_error();
 
-	if ( ! current_user_can( 'read_post', $post->ID ) )
+	if ( ! current_user_can( 'edit_post', $post->ID ) )
 		wp_send_json_error();
 
 	// Really just pre-loading the cache here.

wp-admin/includes/class-wp-comments-list-table.php

@@ -493,9 +493,9 @@ class WP_Comments_List_Table extends WP_List_Table {
 
 		if ( current_user_can( 'edit_post', $post->ID ) ) {
 			$post_link = "<a href='" . get_edit_post_link( $post->ID ) . "'>";
-			$post_link .= get_the_title( $post->ID ) . '</a>';
+			$post_link .= esc_html( get_the_title( $post->ID ) ) . '</a>';
 		} else {
-			$post_link = get_the_title( $post->ID );
+			$post_link = esc_html( get_the_title( $post->ID ) );
 		}
 
 		echo '<div class="response-links"><span class="post-com-count-wrapper">';

wp-admin/includes/class-wp-ms-users-list-table.php

@@ -201,7 +201,7 @@ class WP_MS_Users_List_Table extends WP_List_Table {
 					break;
 
 					case 'email':
-						echo "<td $attributes><a href='mailto:$user->user_email'>$user->user_email</a></td>";
+						echo "<td $attributes><a href='" . esc_url( "mailto:$user->user_email" ) . "'>$user->user_email</a></td>";
 					break;
 
 					case 'registered':

wp-admin/includes/class-wp-plugins-list-table.php

@@ -339,26 +339,26 @@ class WP_Plugins_List_Table extends WP_List_Table {
 			if ( $screen->in_admin( 'network' ) ) {
 				if ( $is_active ) {
 					if ( current_user_can( 'manage_network_plugins' ) )
-						$actions['deactivate'] = '<a href="' . wp_nonce_url('plugins.php?action=deactivate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Deactivate this plugin') . '">' . __('Network Deactivate') . '</a>';
+						$actions['deactivate'] = '<a href="' . wp_nonce_url('plugins.php?action=deactivate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Deactivate this plugin') . '">' . __('Network Deactivate') . '</a>';
 				} else {
 					if ( current_user_can( 'manage_network_plugins' ) )
-						$actions['activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin for all sites in this network') . '" class="edit">' . __('Network Activate') . '</a>';
+						$actions['activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin for all sites in this network') . '" class="edit">' . __('Network Activate') . '</a>';
 					if ( current_user_can( 'delete_plugins' ) && ! is_plugin_active( $plugin_file ) )
-						$actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
+						$actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
 				}
 			} else {
 				if ( $is_active ) {
-					$actions['deactivate'] = '<a href="' . wp_nonce_url('plugins.php?action=deactivate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Deactivate this plugin') . '">' . __('Deactivate') . '</a>';
+					$actions['deactivate'] = '<a href="' . wp_nonce_url('plugins.php?action=deactivate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'deactivate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Deactivate this plugin') . '">' . __('Deactivate') . '</a>';
 				} else {
-					$actions['activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" class="edit">' . __('Activate') . '</a>';
+					$actions['activate'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" class="edit">' . __('Activate') . '</a>';
 
 					if ( ! is_multisite() && current_user_can('delete_plugins') )
-						$actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
+						$actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . urlencode( $plugin_file ) . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
 				} // end if $is_active
 			 } // end if $screen->in_admin( 'network' )
 
 			if ( ( ! is_multisite() || $screen->in_admin( 'network' ) ) && current_user_can('edit_plugins') && is_writable(WP_PLUGIN_DIR . '/' . $plugin_file) )
-				$actions['edit'] = '<a href="plugin-editor.php?file=' . $plugin_file . '" title="' . esc_attr__('Open this file in the Plugin Editor') . '" class="edit">' . __('Edit') . '</a>';
+				$actions['edit'] = '<a href="plugin-editor.php?file=' . urlencode( $plugin_file ) . '" title="' . esc_attr__('Open this file in the Plugin Editor') . '" class="edit">' . __('Edit') . '</a>';
 		} // end if $context
 
 		$prefix = $screen->in_admin( 'network' ) ? 'network_admin_' : '';

wp-admin/includes/class-wp-posts-list-table.php

@@ -580,8 +580,9 @@ class WP_Posts_List_Table extends WP_List_Table {
 					echo '<div class="locked-info"><span class="locked-avatar">' . $locked_avatar . '</span> <span class="locked-text">' . $locked_text . "</span></div>\n";
 				}
 
-				if ( ! $this->hierarchical_display && 'excerpt' == $mode && current_user_can( 'read_post', $post->ID ) )
-						the_excerpt();
+				if ( ! $this->hierarchical_display && 'excerpt' == $mode && current_user_can( 'read_post', $post->ID ) ) {
+						echo esc_html( get_the_excerpt() );
+				}
 
 				$actions = array();
 				if ( $can_edit_post && 'trash' != $post->post_status ) {

wp-admin/includes/class-wp-upgrader.php

@@ -1602,8 +1602,12 @@ class File_Upload_Upgrader {
 			if ( ! ( ( $uploads = wp_upload_dir() ) && false === $uploads['error'] ) )
 				wp_die( $uploads['error'] );
 
-			$this->filename = $_GET[$urlholder];
+			$this->filename = sanitize_file_name( $_GET[ $urlholder ] );
 			$this->package = $uploads['basedir'] . '/' . $this->filename;
+
+			if ( 0 !== strpos( realpath( $this->package ), realpath( $uploads['basedir'] ) ) ) {
+				wp_die( __( 'Please select a file' ) );
+			}
 		}
 	}
 

wp-admin/includes/class-wp-users-list-table.php

@@ -294,7 +294,7 @@ class WP_Users_List_Table extends WP_List_Table {
 					$r .= "<td $attributes>$user_object->first_name $user_object->last_name</td>";
 					break;
 				case 'email':
-					$r .= "<td $attributes><a href='mailto:$email' title='" . esc_attr( sprintf( __( 'E-mail: %s' ), $email ) ) . "'>$email</a></td>";
+					$r .= "<td $attributes><a href='" . esc_url( "mailto:$email" ) . "' title='" . esc_attr( sprintf( __( 'E-mail: %s' ), $email ) ) . "'>$email</a></td>";
 					break;
 				case 'role':
 					$r .= "<td $attributes>$role_name</td>";

wp-admin/includes/dashboard.php

@@ -488,6 +488,10 @@ function wp_dashboard_quick_press() {
 		$_REQUEST = array(); // hack for get_default_post_to_edit()
 	}
 
+	if ( ! current_user_can( 'edit_posts' ) ) {
+		return;
+	}
+
 	/* Check if a new auto-draft (= no new post_ID) is needed or if the old can be used */
 	$last_post_id = (int) get_user_option( 'dashboard_quick_press_last_post_id' ); // Get the last post_ID
 	if ( $last_post_id ) {
@@ -658,7 +662,7 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
 	$GLOBALS['comment'] =& $comment;
 
 	$comment_post_url = get_edit_post_link( $comment->comment_post_ID );
-	$comment_post_title = strip_tags(get_the_title( $comment->comment_post_ID ));
+	$comment_post_title = _draft_or_post_title( $comment->comment_post_ID );
 	$comment_post_link = "<a href='$comment_post_url'>$comment_post_title</a>";
 	$comment_link = '<a class="comment-link" href="' . esc_url(get_comment_link()) . '">#</a>';
 

wp-admin/includes/file.php

@@ -609,6 +609,10 @@ function _unzip_file_ziparchive($file, $to, $needed_dirs = array() ) {
 		if ( '__MACOSX/' === substr($info['name'], 0, 9) ) // Skip the OS X-created __MACOSX directory
 			continue;
 
+		if ( 0 !== validate_file( $info['name'] ) ) {
+			return new WP_Error( 'invalid_file_ziparchive', __( 'Could not extract file from archive.' ), $info['name'] );
+		}
+
 		$uncompressed_size += $info['size'];
 
 		if ( '/' == substr($info['name'], -1) ) // directory
@@ -762,6 +766,10 @@ function _unzip_file_pclzip($file, $to, $needed_dirs = array()) {
 		if ( '__MACOSX/' === substr($file['filename'], 0, 9) ) // Don't extract the OS X-created __MACOSX directory files
 			continue;
 
+		if ( 0 !== validate_file( $file['filename'] ) ) {
+			return new WP_Error( 'invalid_file_pclzip', __( 'Could not extract file from archive.' ), $file['filename'] );
+		}
+
 		if ( ! $wp_filesystem->put_contents( $to . $file['filename'], $file['content'], FS_CHMOD_FILE) )
 			return new WP_Error( 'copy_failed_pclzip', __( 'Could not copy file.' ), $file['filename'] );
 	}
@@ -950,14 +958,28 @@ function request_filesystem_credentials($form_post, $type = '', $error = false,
 
 	$credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => ''));
 
+	$submitted_form = wp_unslash( $_POST );
+
+	// Verify nonce, or unset submitted form field values on failure
+	if ( ! isset( $_POST['_fs_nonce'] ) || ! wp_verify_nonce( $_POST['_fs_nonce'], 'filesystem-credentials' ) ) {
+		unset(
+			$submitted_form['hostname'],
+			$submitted_form['username'],
+			$submitted_form['password'],
+			$submitted_form['public_key'],
+			$submitted_form['private_key'],
+			$submitted_form['connection_type']
+		);
+	}
+
 	// If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option)
-	$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash( $_POST['hostname'] ) : $credentials['hostname']);
-	$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash( $_POST['username'] ) : $credentials['username']);
-	$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash( $_POST['password'] ) : '');
+	$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($submitted_form['hostname']) ? $submitted_form['hostname'] : $credentials['hostname']);
+	$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($submitted_form['username']) ? $submitted_form['username'] : $credentials['username']);
+	$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($submitted_form['password']) ? $submitted_form['password'] : '');
 
 	// Check to see if we are setting the public/private keys for ssh
-	$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash( $_POST['public_key'] ) : '');
-	$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? wp_unslash( $_POST['private_key'] ) : '');
+	$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($submitted_form['public_key']) ? $submitted_form['public_key'] : '');
+	$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($submitted_form['private_key']) ? $submitted_form['private_key'] : '');
 
 	//sanitize the hostname, Some people might pass in odd-data:
 	$credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off
@@ -974,8 +996,8 @@ function request_filesystem_credentials($form_post, $type = '', $error = false,
 		$credentials['connection_type'] = 'ssh';
 	else if ( (defined('FTP_SSL') && FTP_SSL) && 'ftpext' == $type ) //Only the FTP Extension understands SSL
 		$credentials['connection_type'] = 'ftps';
-	else if ( !empty($_POST['connection_type']) )
-		$credentials['connection_type'] = wp_unslash( $_POST['connection_type'] );
+	else if ( !empty($submitted_form['connection_type']) )
+		$credentials['connection_type'] = $submitted_form['connection_type'];
 	else if ( !isset($credentials['connection_type']) ) //All else fails (And it's not defaulted to something else saved), Default to FTP
 		$credentials['connection_type'] = 'ftp';
 
@@ -1099,11 +1121,14 @@ jQuery(function($){
 
 <?php
 foreach ( (array) $extra_fields as $field ) {
-	if ( isset( $_POST[ $field ] ) )
-		echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( wp_unslash( $_POST[ $field ] ) ) . '" />';
+	if ( isset( $submitted_form[ $field ] ) )
+		echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( $submitted_form[ $field ] ) . '" />';
 }
-submit_button( __( 'Proceed' ), 'button', 'upgrade' );
 ?>
+	<p class="request-filesystem-credentials-action-buttons">
+		<?php wp_nonce_field( 'filesystem-credentials', '_fs_nonce', false, true ); ?>
+		<?php submit_button( __( 'Proceed' ), 'button', 'upgrade', false ); ?>
+	</p>
 </div>
 </form>
 <?php

wp-admin/includes/image.php

@@ -314,6 +314,12 @@ function wp_read_image_metadata( $file ) {
 			$meta[ $key ] = utf8_encode( $meta[ $key ] );
 	}
 
+	foreach ( $meta as &$value ) {
+		if ( is_string( $value ) ) {
+			$value = wp_kses_post( $value );
+		}
+	}
+
 	return apply_filters( 'wp_read_image_metadata', $meta, $file, $sourceImageType );
 
 }

wp-admin/includes/media.php

@@ -221,7 +221,7 @@ function media_handle_upload($file_id, $post_id, $post_data = array(), $override
 	$url = $file['url'];
 	$type = $file['type'];
 	$file = $file['file'];
-	$title = $name;
+	$title = sanitize_text_field( $name );
 	$content = '';
 
 	if ( preg_match( '#^audio#', $type ) ) {
@@ -392,7 +392,7 @@ wp_enqueue_style( 'ie' );
 <script type="text/javascript">
 //<![CDATA[
 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>', pagenow = 'media-upload-popup', adminpage = 'media-upload-popup',
 isRtl = <?php echo (int) is_rtl(); ?>;
 //]]>
 </script>
@@ -1558,7 +1558,7 @@ $post_params = array(
 $post_params = apply_filters( 'upload_post_params', $post_params ); // hook change! old name: 'swfupload_post_params'
 
 $plupload_init = array(
-	'runtimes' => 'html5,silverlight,flash,html4',
+	'runtimes' => 'html5,silverlight,html4',
 	'browse_button' => 'plupload-browse-button',
 	'container' => 'plupload-upload-ui',
 	'drop_element' => 'drag-drop-area',
@@ -2407,7 +2407,7 @@ function edit_form_image_editor( $post ) {
 	?>
 
 	<label for="content"><strong><?php _e( 'Description' ); ?></strong></label>
-	<?php wp_editor( $post->post_content, 'attachment_content', $editor_args ); ?>
+	<?php wp_editor( format_to_edit( $post->post_content ), 'attachment_content', $editor_args ); ?>
 
 	</div>
 	<?php
@@ -2581,7 +2581,7 @@ function wp_add_id3_tag_data( &$metadata, $data ) {
 		if ( ! empty( $data[$version]['comments'] ) ) {
 			foreach ( $data[$version]['comments'] as $key => $list ) {
 				if ( ! empty( $list ) ) {
-					$metadata[$key] = reset( $list );
+					$metadata[$key] = wp_kses_post( reset( $list ) );
 					// fix bug in byte stream analysis
 					if ( 'terms_of_use' === $key && 0 === strpos( $metadata[$key], 'yright notice.' ) )
 						$metadata[$key] = 'Cop' . $metadata[$key];

wp-admin/includes/misc.php

@@ -390,7 +390,49 @@ function set_screen_options() {
 					return;
 				break;
 			default:
-				$value = apply_filters('set-screen-option', false, $option, $value);
+				$screen_option = false;
+
+				if ( '_page' === substr( $option, -5 ) || 'layout_columns' === $option ) {
+					/**
+					 * Filters a screen option value before it is set.
+					 *
+					 * The filter can also be used to modify non-standard [items]_per_page
+					 * settings. See the parent function for a full list of standard options.
+					 *
+					 * Returning false to the filter will skip saving the current option.
+					 *
+					 * @since 2.8.0
+					 * @since 5.4.2 Only applied to options ending with '_page',
+					 *              or the 'layout_columns' option.
+					 *
+					 * @see set_screen_options()
+					 *
+					 * @param mixed  $screen_option The value to save instead of the option value.
+					 *                              Default false (to skip saving the current option).
+					 * @param string $option        The option name.
+					 * @param int    $value         The option value.
+					 */
+					$screen_option = apply_filters( 'set-screen-option', $screen_option, $option, $value ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
+				}
+
+				/**
+				 * Filter a screen option value before it is set.
+				 *
+				 * The dynamic portion of the hook, `$option`, refers to the option name.
+				 *
+				 * Returning false to the filter will skip saving the current option.
+				 *
+				 * @since 5.4.2
+				 *
+				 * @see set_screen_options()
+				 *
+				 * @param mixed   $screen_option The value to save instead of the option value.
+				 *                               Default false (to skip saving the current option).
+				 * @param string  $option        The option name.
+				 * @param int     $value         The option value.
+				 */
+				$value = apply_filters( "set_screen_option_{$option}", $screen_option, $option, $value );
+
 				if ( false === $value )
 					return;
 				break;

wp-admin/includes/post.php

@@ -154,9 +154,37 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
 		$post_data['post_date_gmt'] = get_gmt_from_date( $post_data['post_date'] );
 	}
 
+	if ( isset( $post_data['post_category'] ) ) {
+		$category_object = get_taxonomy( 'category' );
+		if ( ! current_user_can( $category_object->cap->assign_terms ) ) {
+			unset( $post_data['post_category'] );
+		}
+	}
+
 	return $post_data;
 }
 
+/**
+ * Returns only allowed post data fields
+ *
+ * @since 4.9.9
+ *
+ * @param array $post_data Array of post data. Defaults to the contents of $_POST.
+ * @return object|bool WP_Error on failure, true on success.
+ */
+function _wp_get_allowed_postdata( $post_data = null ) {
+	if ( empty( $post_data ) ) {
+		$post_data = $_POST;
+	}
+
+	// Pass through errors
+	if ( is_wp_error( $post_data ) ) {
+		return $post_data;
+	}
+
+	return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) );
+}
+
 /**
  * Update an existing post with values provided in $_POST.
  *
@@ -166,6 +194,7 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
  * @return int Post ID.
  */
 function edit_post( $post_data = null ) {
+	global $wpdb;
 
 	if ( empty($post_data) )
 		$post_data = &$_POST;
@@ -203,10 +232,6 @@ function edit_post( $post_data = null ) {
 			_wp_upgrade_revisions_of_post( $post, wp_get_post_revisions( $post_ID ) );
 	}
 
-	if ( ( empty( $post_data['action'] ) || 'autosave' != $post_data['action'] ) && 'auto-draft' == $post_data['post_status'] ) {
-		$post_data['post_status'] = 'draft';
-	}
-
 	if ( isset($post_data['visibility']) ) {
 		switch ( $post_data['visibility'] ) {
 			case 'public' :
@@ -227,6 +252,12 @@ function edit_post( $post_data = null ) {
 	if ( is_wp_error($post_data) )
 		wp_die( $post_data->get_error_message() );
 
+	if ( ( empty( $post_data['action'] ) || 'autosave' != $post_data['action'] ) && 'auto-draft' == $post_data['post_status'] ) {
+		$post_data['post_status'] = 'draft';
+	}
+
+	$translated = _wp_get_allowed_postdata( $post_data );
+
 	// Post Formats
 	if ( isset( $post_data['post_format'] ) )
 		set_post_format( $post_ID, $post_data['post_format'] );
@@ -288,14 +319,26 @@ function edit_post( $post_data = null ) {
 
 		$attachment_data = isset( $post_data['attachments'][ $post_ID ] ) ? $post_data['attachments'][ $post_ID ] : array();
 		/** This filter is documented in wp-admin/includes/media.php */
-		$post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data );
+		$translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data );
 	}
 
 	add_meta( $post_ID );
 
 	update_post_meta( $post_ID, '_edit_last', get_current_user_id() );
 
-	wp_update_post( $post_data );
+	$success = wp_update_post( $translated );
+	// If the save failed, see if we can sanity check the main fields and try again
+	if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) {
+		$fields = array( 'post_title', 'post_content', 'post_excerpt' );
+
+		foreach( $fields as $field ) {
+			if ( isset( $translated[ $field ] ) ) {
+				$translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] );
+			}
+		}
+
+		wp_update_post( $translated );
+	}
 
 	// Now that we have an ID we can fix any attachment anchor hrefs
 	_fix_attachment_links( $post_ID );
@@ -411,7 +454,12 @@ function bulk_edit_posts( $post_data = null ) {
 	}
 
 	$updated = $skipped = $locked = array();
+	$shared_post_data = $post_data;
+
 	foreach ( $post_IDs as $post_ID ) {
+		// Start with fresh post data with each iteration.
+		$post_data = $shared_post_data;
+
 		$post_type_object = get_post_type_object( get_post_type( $post_ID ) );
 
 		if ( !isset( $post_type_object ) || ( isset($children) && in_array($post_ID, $children) ) || !current_user_can( 'edit_post', $post_ID ) ) {
@@ -447,9 +495,9 @@ function bulk_edit_posts( $post_data = null ) {
 			unset( $post_data['tax_input']['category'] );
 		}
 
+		$post_data['post_ID']        = $post_ID;
 		$post_data['post_type'] = $post->post_type;
 		$post_data['post_mime_type'] = $post->post_mime_type;
-		$post_data['guid'] = $post->guid;
 
 		foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) {
 			if ( ! isset( $post_data[ $field ] ) ) {
@@ -457,16 +505,14 @@ function bulk_edit_posts( $post_data = null ) {
 			}
 		}
 
-		$post_data['ID'] = $post_ID;
-		$post_data['post_ID'] = $post_ID;
-
-		$translated_post_data = _wp_translate_postdata( true, $post_data );
-		if ( is_wp_error( $translated_post_data ) ) {
+		$post_data = _wp_translate_postdata( true, $post_data );
+		if ( is_wp_error( $post_data ) ) {
 			$skipped[] = $post_ID;
 			continue;
 		}
+		$post_data = _wp_get_allowed_postdata( $post_data );
 
-		$updated[] = wp_update_post( $translated_post_data );
+		$updated[] = wp_update_post( $post_data );
 
 		if ( isset( $post_data['sticky'] ) && current_user_can( $ptype->cap->edit_others_posts ) ) {
 			if ( 'sticky' == $post_data['sticky'] )
@@ -475,8 +521,8 @@ function bulk_edit_posts( $post_data = null ) {
 				unstick_post( $post_ID );
 		}
 
-		if ( isset( $post_data['post_format'] ) )
-			set_post_format( $post_ID, $post_data['post_format'] );
+		if ( isset( $shared_post_data['post_format'] ) )
+			set_post_format( $post_ID, $shared_post_data['post_format'] );
 	}
 
 	return array( 'updated' => $updated, 'skipped' => $skipped, 'locked' => $locked );
@@ -628,9 +674,10 @@ function wp_write_post() {
 	$translated = _wp_translate_postdata( false );
 	if ( is_wp_error($translated) )
 		return $translated;
+	$translated = _wp_get_allowed_postdata( $translated );
 
 	// Create the post.
-	$post_ID = wp_insert_post( $_POST );
+	$post_ID = wp_insert_post( $translated );
 	if ( is_wp_error( $post_ID ) )
 		return $post_ID;
 
@@ -1129,11 +1176,11 @@ function get_sample_permalink_html( $id, $new_title = null, $new_slug = null ) {
 	}
 
 	if ( false === strpos($permalink, '%postname%') && false === strpos($permalink, '%pagename%') ) {
-		$return = '<strong>' . __('Permalink:') . "</strong>\n" . '<span id="sample-permalink" tabindex="-1">' . $permalink . "</span>\n";
+		$return = '<strong>' . __('Permalink:') . "</strong>\n" . '<span id="sample-permalink" tabindex="-1">' . esc_html( $permalink ) . "</span>\n";
 		if ( '' == get_option( 'permalink_structure' ) && current_user_can( 'manage_options' ) && !( 'page' == get_option('show_on_front') && $id == get_option('page_on_front') ) )
 			$return .= '<span id="change-permalinks"><a href="options-permalink.php" class="button button-small" target="_blank">' . __('Change Permalinks') . "</a></span>\n";
 		if ( isset( $view_post ) )
-			$return .= "<span id='view-post-btn'><a href='$permalink' class='button button-small'>$view_post</a></span>\n";
+			$return .= "<span id='view-post-btn'><a href='" . esc_url( $permalink ) . "' class='button button-small'>$view_post</a></span>\n";
 
 		$return = apply_filters('get_sample_permalink_html', $return, $id, $new_title, $new_slug);
 
@@ -1154,16 +1201,16 @@ function get_sample_permalink_html( $id, $new_title = null, $new_slug = null ) {
 		}
 	}
 
-	$post_name_html = '<span id="editable-post-name" title="' . $title . '">' . $post_name_abridged . '</span>';
-	$display_link = str_replace(array('%pagename%','%postname%'), $post_name_html, $permalink);
+	$post_name_html = '<span id="editable-post-name" title="' . $title . '">' . esc_html( $post_name_abridged ) . '</span>';
+	$display_link = str_replace(array('%pagename%','%postname%'), $post_name_html, esc_html( $permalink ) );
 	$view_link = str_replace(array('%pagename%','%postname%'), $post_name, $permalink);
 	$return =  '<strong>' . __('Permalink:') . "</strong>\n";
 	$return .= '<span id="sample-permalink" tabindex="-1">' . $display_link . "</span>\n";
 	$return .= '&lrm;'; // Fix bi-directional text display defect in RTL languages.
 	$return .= '<span id="edit-slug-buttons"><a href="#post_name" class="edit-slug button button-small hide-if-no-js" onclick="editPermalink(' . $id . '); return false;">' . __('Edit') . "</a></span>\n";
-	$return .= '<span id="editable-post-name-full">' . $post_name . "</span>\n";
+	$return .= '<span id="editable-post-name-full">' . esc_html( $post_name ) . "</span>\n";
 	if ( isset($view_post) )
-		$return .= "<span id='view-post-btn'><a href='$view_link' class='button button-small'>$view_post</a></span>\n";
+		$return .= "<span id='view-post-btn'><a href='" . esc_url( $view_link ) . "' class='button button-small'>$view_post</a></span>\n";
 
 	$return = apply_filters('get_sample_permalink_html', $return, $id, $new_title, $new_slug);
 
@@ -1336,7 +1383,7 @@ function _admin_notice_post_locked() {
 		// Allow plugins to prevent some users overriding the post lock
 		if ( $override ) {
 			?>
-			<a class="button button-primary wp-tab-last" href="<?php echo esc_url( add_query_arg( 'get-post-lock', '1', get_edit_post_link( $post->ID, 'url' ) ) ); ?>"><?php _e('Take over'); ?></a>
+			<a class="button button-primary wp-tab-last" href="<?php echo esc_url( add_query_arg( 'get-post-lock', '1', wp_nonce_url( get_edit_post_link( $post->ID, 'url' ), 'lock-post_' . $post->ID ) ) ); ?>"><?php _e('Take over'); ?></a>
 			<?php
 		}
 
@@ -1381,12 +1428,13 @@ function wp_create_post_autosave( $post_id ) {
 	$translated = _wp_translate_postdata( true );
 	if ( is_wp_error( $translated ) )
 		return $translated;
+	$translated = _wp_get_allowed_postdata( $translated );
 
 	$post_author = get_current_user_id();
 
 	// Store one autosave per author. If there is already an autosave, overwrite it.
 	if ( $old_autosave = wp_get_post_autosave( $post_id, $post_author ) ) {
-		$new_autosave = _wp_post_revision_fields( $_POST, true );
+		$new_autosave = _wp_post_revision_fields( $translated, true );
 		$new_autosave['ID'] = $old_autosave->ID;
 		$new_autosave['post_author'] = $post_author;
 
@@ -1409,7 +1457,7 @@ function wp_create_post_autosave( $post_id ) {
 	}
 
 	// _wp_put_post_revision() expects unescaped.
-	$post_data = wp_unslash( $_POST );
+	$post_data = wp_unslash( $translated );
 
 	// Otherwise create the new autosave as a special post revision
 	return _wp_put_post_revision( $post_data, true );

wp-admin/includes/screen.php

@@ -463,7 +463,9 @@ final class WP_Screen {
 
 			switch ( $base ) {
 				case 'post' :
-					if ( isset( $_GET['post'] ) )
+					if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] )
+						wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
+					elseif ( isset( $_GET['post'] ) )
 						$post_id = (int) $_GET['post'];
 					elseif ( isset( $_POST['post_ID'] ) )
 						$post_id = (int) $_POST['post_ID'];
@@ -901,7 +903,8 @@ final class WP_Screen {
 
 		switch ( $this->id ) {
 			case 'widgets':
-				$this->_screen_settings = '<p><a id="access-on" href="widgets.php?widgets-access=on">' . __('Enable accessibility mode') . '</a><a id="access-off" href="widgets.php?widgets-access=off">' . __('Disable accessibility mode') . "</a></p>\n";
+				$nonce = wp_create_nonce( 'widgets-access' );
+				$this->_screen_settings = '<p><a id="access-on" href="widgets.php?widgets-access=on&_wpnonce=' . urlencode( $nonce ) . '">' . __('Enable accessibility mode') . '</a><a id="access-off" href="widgets.php?widgets-access=off&_wpnonce=' . urlencode( $nonce ) . '">' . __('Disable accessibility mode') . "</a></p>\n";
 				break;
 			default:
 				$this->_screen_settings = '';

wp-admin/includes/template.php

@@ -706,7 +706,7 @@ function page_template_dropdown( $default = '' ) {
 			$selected = " selected='selected'";
 		else
 			$selected = '';
-	echo "\n\t<option value='".$templates[$template]."' $selected>$template</option>";
+	echo "\n\t<option value='" . esc_attr( $templates[$template] ) ."' $selected>" . esc_html( $template ) . "</option>";
 	endforeach;
 }
 
@@ -1373,7 +1373,7 @@ function _draft_or_post_title( $post = 0 ) {
 	$title = get_the_title( $post );
 	if ( empty( $title ) )
 		$title = __( '(no title)' );
-	return $title;
+	return esc_html( $title );
 }
 
 /**
@@ -1416,12 +1416,12 @@ wp_enqueue_style( 'colors' );
 //<![CDATA[
 addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
 function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_remove();}
-var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
-	pagenow = '<?php echo $current_screen->id; ?>',
-	typenow = '<?php echo $current_screen->post_type; ?>',
-	adminpage = '<?php echo $admin_body_class; ?>',
-	thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
-	decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
+var ajaxurl = '<?php echo esc_js( admin_url( 'admin-ajax.php', 'relative' ) ); ?>',
+	pagenow = '<?php echo esc_js( $current_screen->id ); ?>',
+	typenow = '<?php echo esc_js( $current_screen->post_type ); ?>',
+	adminpage = '<?php echo esc_js( $admin_body_class ); ?>',
+	thousandsSeparator = '<?php echo esc_js( $wp_locale->number_format['thousands_sep'] ); ?>',
+	decimalPoint = '<?php echo esc_js( $wp_locale->number_format['decimal_point'] ); ?>',
 	isRtl = <?php echo (int) is_rtl(); ?>;
 //]]>
 </script>

wp-admin/includes/update-core.php

@@ -562,6 +562,9 @@ $_old_files = array(
 'wp-admin/js/cat.js',
 'wp-admin/js/cat.min.js',
 'wp-includes/js/tinymce/plugins/wpeditimage/js/editimage.min.js',
+// 4.9.2
+'wp-includes/js/mediaelement/flashmediaelement.swf',
+'wp-includes/js/mediaelement/silverlightmediaelement.xap',
 );
 
 /**
@@ -878,9 +881,16 @@ function update_core($from, $to) {
 		$old_file = $to . $old_file;
 		if ( !$wp_filesystem->exists($old_file) )
 			continue;
-		$wp_filesystem->delete($old_file, true);
+
+		// If the file isn't deleted, try writing an empty string to the file instead.
+		if ( ! $wp_filesystem->delete( $old_file, true ) && $wp_filesystem->is_file( $old_file ) ) {
+			$wp_filesystem->put_contents( $old_file, '' );
+		}
 	}
 
+	// Remove any Genericons example.html's from the filesystem
+	_upgrade_422_remove_genericons();
+
 	// Upgrade DB with separate request
 	apply_filters('update_feedback', __('Upgrading database…'));
 	$db_upgrade_url = admin_url('upgrade.php?step=upgrade_db');
@@ -1009,3 +1019,67 @@ window.location = 'about.php?updated';
 	exit();
 }
 add_action( '_core_updated_successfully', '_redirect_to_about_wordpress' );
+
+/**
+ * Cleans up Genericons example files.
+ *
+ * @since 4.2.2
+ */
+function _upgrade_422_remove_genericons() {
+	global $wp_theme_directories, $wp_filesystem;
+
+	// A list of the affected files using the filesystem absolute paths.
+	$affected_files = array();
+
+	// Themes
+	foreach ( $wp_theme_directories as $directory ) {
+		$affected_theme_files = _upgrade_422_find_genericons_files_in_folder( $directory );
+		$affected_files       = array_merge( $affected_files, $affected_theme_files );
+	}
+
+	// Plugins
+	$affected_plugin_files = _upgrade_422_find_genericons_files_in_folder( WP_PLUGIN_DIR );
+	$affected_files        = array_merge( $affected_files, $affected_plugin_files );
+
+	foreach ( $affected_files as $file ) {
+		$gen_dir = $wp_filesystem->find_folder( trailingslashit( dirname( $file ) ) );
+		if ( empty( $gen_dir ) ) {
+			continue;
+		}
+
+		// The path when the file is accessed via WP_Filesystem may differ in the case of FTP
+		$remote_file = $gen_dir . basename( $file );
+
+		if ( ! $wp_filesystem->exists( $remote_file ) ) {
+			continue;
+		}
+
+		if ( ! $wp_filesystem->delete( $remote_file, false, 'f' ) ) {
+			$wp_filesystem->put_contents( $remote_file, '' );
+		}
+	}
+}
+
+/**
+ * Recursively find Genericons example files in a given folder.
+ *
+ * @ignore
+ * @since 4.2.2
+ *
+ * @param string $directory Directory path. Expects trailingslashed.
+ * @return array
+ */
+function _upgrade_422_find_genericons_files_in_folder( $directory ) {
+	$directory = trailingslashit( $directory );
+	$files     = array();
+
+	if ( file_exists( "{$directory}example.html" ) && false !== strpos( file_get_contents( "{$directory}example.html" ), '<title>Genericons</title>' ) ) {
+		$files[] = "{$directory}example.html";
+	}
+
+	foreach ( glob( $directory . '*', GLOB_ONLYDIR ) as $dir ) {
+		$files = array_merge( $files, _upgrade_422_find_genericons_files_in_folder( $dir ) );
+	}
+
+	return $files;
+}

wp-admin/includes/upgrade.php

@@ -408,6 +408,12 @@ function upgrade_all() {
 	if ( $wp_current_db_version < 26148 )
 		upgrade_372();
 
+	if ( $wp_current_db_version < 26149 )
+		upgrade_373();
+
+	if ( $wp_current_db_version < 26151 )
+		upgrade_379();
+
 	maybe_disable_link_manager();
 
 	maybe_disable_automattic_widgets();
@@ -1032,8 +1038,8 @@ function upgrade_280() {
 		$start = 0;
 		while( $rows = $wpdb->get_results( "SELECT option_name, option_value FROM $wpdb->options ORDER BY option_id LIMIT $start, 20" ) ) {
 			foreach( $rows as $row ) {
-				$value = $row->option_value;
-				if ( !@unserialize( $value ) )
+				$value = maybe_unserialize( $row->option_value );
+				if ( $value === $row->option_value )
 					$value = stripslashes( $value );
 				if ( $value !== $row->option_value ) {
 					update_option( $row->option_name, $value );
@@ -1237,6 +1243,91 @@ function upgrade_372() {
 		wp_clear_scheduled_hook( 'wp_maybe_auto_update' );
 }
 
+/**
+ * Execute changes made in WordPress 3.7.3.
+ *
+ * @since 3.7.3
+ */
+function upgrade_373() {
+	global $wp_current_db_version, $wpdb;
+	if ( $wp_current_db_version < 26149 ) {
+		// Find all lost Quick Draft auto-drafts and promote them to proper drafts.
+		$posts = $wpdb->get_results( "SELECT ID, post_title, post_content FROM $wpdb->posts WHERE post_type = 'post'
+			AND post_status = 'auto-draft' AND post_date >= '2014-04-08 00:00:00'" );
+
+		foreach ( $posts as $post ) {
+			// A regular auto-draft should never have content as that would mean it should have been promoted.
+			// If an auto-draft has content, it's from Quick Draft and it should be recovered.
+			if ( '' === $post->post_content ) {
+				// If it does not have content, we must evaluate whether the title should be recovered.
+				if ( 'Auto Draft' === $post->post_title || __( 'Auto Draft' ) === $post->post_title ) {
+					// This a plain old auto draft. Ignore it.
+					continue;
+				}
+			}
+
+			$wpdb->update( $wpdb->posts, array( 'post_status' => 'draft' ), array( 'ID' => $post->ID ) );
+			clean_post_cache( $post->ID );
+		}
+	}
+}
+
+/**
+ * Execute changes made in WordPress 3.7.8.
+ *
+ * @since 3.7.8
+ */
+function upgrade_378() {
+}
+
+/**
+ * Execute changes made in WordPress 3.7.9.
+ *
+ * @since 3.7.9
+ */
+function upgrade_379() {
+	global $wp_current_db_version, $wpdb;
+
+	if ( $wp_current_db_version < 26151 ) {
+		$content_length = $wpdb->get_col_length( $wpdb->comments, 'comment_content' );
+
+		if ( is_wp_error( $content_length ) ) {
+			return;
+		}
+
+		if ( false === $content_length ) {
+			$content_length = array(
+				'type'   => 'byte',
+				'length' => 65535,
+			);
+		} elseif ( ! is_array( $content_length ) ) {
+			$length = (int) $content_length > 0 ? (int) $content_length : 65535;
+			$content_length = array(
+				'type'	 => 'byte',
+				'length' => $length
+			);
+		}
+
+		if ( 'byte' !== $content_length['type'] || 0 === $content_length['length'] ) {
+			// Sites with malformed DB schemas are on their own.
+			return;
+		}
+
+		$allowed_length = intval( $content_length['length'] ) - 10;
+
+		$comments = $wpdb->get_results(
+			"SELECT `comment_ID` FROM `{$wpdb->comments}`
+				WHERE `comment_date_gmt` > '2015-04-26'
+				AND LENGTH( `comment_content` ) >= {$allowed_length}
+				AND ( `comment_content` LIKE '%<%' OR `comment_content` LIKE '%>%' )"
+		);
+
+		foreach ( $comments as $comment ) {
+			wp_delete_comment( $comment->comment_ID, true );
+		}
+	}
+}
+
 /**
  * Execute network level changes
  *
@@ -1553,9 +1644,9 @@ function dbDelta( $queries = '', $execute = true ) {
 			continue;
 
 		// Fetch the table column structure from the database
-		$wpdb->suppress_errors();
+		$suppress = $wpdb->suppress_errors();
 		$tablefields = $wpdb->get_results("DESCRIBE {$table};");
-		$wpdb->suppress_errors( false );
+		$wpdb->suppress_errors( $suppress );
 
 		if ( ! $tablefields )
 			continue;

wp-admin/js/about.min.js

@@ -1 +1 @@
-!function(a){function b(){var b;switch("undefined"==typeof j[g.val()]?(b=wp.passwordStrength.meter(g.val(),[],g.val()),j[g.val()]=b):b=j[g.val()],a("#pass-strength-result").removeClass("short bad good strong"),b){case 2:a("#pass-strength-result").addClass("bad").html(pwsL10n.bad);break;case 3:a("#pass-strength-result").addClass("good").html(pwsL10n.good);break;case 4:a("#pass-strength-result").addClass("strong").html(pwsL10n.strong);break;default:a("#pass-strength-result").addClass("short").html(pwsL10n["short"])}}function c(){g.val(""),a("#pass-strength-result").text(k),a("#pass-strength-result").removeClass("short bad good strong")}function d(){h!==!1&&(g.val().length<f.length?(g.val(f.substr(0,g.val().length+1)),b(),setTimeout(d,i[Math.floor(Math.random()*i.length)])):(c(),setTimeout(d,700)))}function e(){"undefined"!=typeof zxcvbn?d():setTimeout(e,800)}var f="Gosh, WordPress is grand.",g=a("#pass"),h=!0,i=[280,300,305,310,315,325,330,345,360,370,380,400,450,500,600],j={},k=a("#pass-strength-result").text();g.on("focus",function(){h=!1,c()}),g.on("keyup",function(){b()}),e()}(jQuery);
+!function(t){var s="Gosh, WordPress is grand.",e=t("#pass"),a=!0,n=[280,300,305,310,315,325,330,345,360,370,380,400,450,500,600],r={},o=t("#pass-strength-result").text();function l(){var s;switch(void 0===r[e.val()]?(s=wp.passwordStrength.meter(e.val(),[],e.val()),r[e.val()]=s):s=r[e.val()],t("#pass-strength-result").removeClass("short bad good strong"),s){case 2:t("#pass-strength-result").addClass("bad").html(pwsL10n.bad);break;case 3:t("#pass-strength-result").addClass("good").html(pwsL10n.good);break;case 4:t("#pass-strength-result").addClass("strong").html(pwsL10n.strong);break;default:t("#pass-strength-result").addClass("short").html(pwsL10n.short)}}function h(){e.val(""),t("#pass-strength-result").text(o),t("#pass-strength-result").removeClass("short bad good strong")}function d(){!1!==a&&(e.val().length<s.length?(e.val(s.substr(0,e.val().length+1)),l(),setTimeout(d,n[Math.floor(Math.random()*n.length)])):(h(),setTimeout(d,700)))}e.on("focus",function(){a=!1,h()}),e.on("keyup",function(){l()}),function s(){"undefined"!=typeof zxcvbn?d():setTimeout(s,800)}()}(jQuery);

wp-admin/js/accordion.min.js

@@ -1 +1 @@
-!function(a){function b(){d.removeClass("top bottom"),d.filter(":visible").first().addClass("top"),d.filter(":visible").last().addClass("bottom").find(e).addClass("bottom")}function c(a){var c=a.closest(".accordion-section"),d=c.closest(".accordion-container").find(".open"),f=c.find(e);c.hasClass("cannot-expand")||(c.hasClass("open")?(c.toggleClass("open"),f.toggle(!0).slideToggle(150)):(d.removeClass("open"),d.find(e).show().slideUp(150),f.toggle(!1).slideToggle(150),c.toggleClass("open")),b())}a(document).ready(function(){a(".accordion-container").on("click keydown",".accordion-section-title",function(b){("keydown"!==b.type||13===b.which)&&(b.preventDefault(),c(a(this)))}),a(".hide-postbox-tog").click(function(){b()})});var d=a(".accordion-container li.accordion-section"),e=a(".accordion-section-content");b()}(jQuery);
+!function(t){t(document).ready(function(){t(".accordion-container").on("click keydown",".accordion-section-title",function(o){var n,e;"keydown"===o.type&&13!==o.which||(o.preventDefault(),n=t(this),e=n.closest(".accordion-section"),o=e.closest(".accordion-container").find(".open"),n=e.find(i),e.hasClass("cannot-expand")||(e.hasClass("open")?(e.toggleClass("open"),n.toggle(!0).slideToggle(150)):(o.removeClass("open"),o.find(i).show().slideUp(150),n.toggle(!1).slideToggle(150),e.toggleClass("open")),s()))}),t(".hide-postbox-tog").click(function(){s()})});var o=t(".accordion-container li.accordion-section"),i=t(".accordion-section-content");function s(){o.removeClass("top bottom"),o.filter(":visible").first().addClass("top"),o.filter(":visible").last().addClass("bottom").find(i).addClass("bottom")}s()}(jQuery);

wp-admin/js/color-picker.min.js

@@ -1 +1 @@
-!function(a,b){var c='<a tabindex="0" class="wp-color-result" />',d='<div class="wp-picker-holder" />',e='<div class="wp-picker-container" />',f='<input type="button" class="button button-small hidden" />',g={options:{defaultColor:!1,change:!1,clear:!1,hide:!0,palettes:!0},_create:function(){if(a.support.iris){var b=this,g=b.element;a.extend(b.options,g.data()),b.initialValue=g.val(),g.addClass("wp-color-picker").hide().wrap(e),b.wrap=g.parent(),b.toggler=a(c).insertBefore(g).css({backgroundColor:b.initialValue}).attr("title",wpColorPickerL10n.pick).attr("data-current",wpColorPickerL10n.current),b.pickerContainer=a(d).insertAfter(g),b.button=a(f),b.options.defaultColor?b.button.addClass("wp-picker-default").val(wpColorPickerL10n.defaultString):b.button.addClass("wp-picker-clear").val(wpColorPickerL10n.clear),g.wrap('<span class="wp-picker-input-wrap" />').after(b.button),g.iris({target:b.pickerContainer,hide:!0,width:255,mode:"hsv",palettes:b.options.palettes,change:function(c,d){b.toggler.css({backgroundColor:d.color.toString()}),a.isFunction(b.options.change)&&b.options.change.call(this,c,d)}}),g.val(b.initialValue),b._addListeners(),b.options.hide||b.toggler.click()}},_addListeners:function(){var b=this;b.toggler.click(function(c){c.stopPropagation(),b.element.toggle().iris("toggle"),b.button.toggleClass("hidden"),b.toggler.toggleClass("wp-picker-open"),b.toggler.hasClass("wp-picker-open")?a("body").on("click",{wrap:b.wrap,toggler:b.toggler},b._bodyListener):a("body").off("click",b._bodyListener)}),b.element.change(function(c){var d=a(this),e=d.val();(""===e||"#"===e)&&(b.toggler.css("backgroundColor",""),a.isFunction(b.options.clear)&&b.options.clear.call(this,c))}),b.toggler.on("keyup",function(a){(13===a.keyCode||32===a.keyCode)&&(a.preventDefault(),b.toggler.trigger("click").next().focus())}),b.button.click(function(c){var d=a(this);d.hasClass("wp-picker-clear")?(b.element.val(""),b.toggler.css("backgroundColor",""),a.isFunction(b.options.clear)&&b.options.clear.call(this,c)):d.hasClass("wp-picker-default")&&b.element.val(b.options.defaultColor).change()})},_bodyListener:function(a){a.data.wrap.find(a.target).length||a.data.toggler.click()},color:function(a){return a===b?this.element.iris("option","color"):(this.element.iris("option","color",a),void 0)},defaultColor:function(a){return a===b?this.options.defaultColor:(this.options.defaultColor=a,void 0)}};a.widget("wp.wpColorPicker",g)}(jQuery);
+!function(i,e){var t={options:{defaultColor:!1,change:!1,clear:!1,hide:!0,palettes:!0},_create:function(){var o,t;i.support.iris&&(t=(o=this).element,i.extend(o.options,t.data()),o.initialValue=t.val(),t.addClass("wp-color-picker").hide().wrap('<div class="wp-picker-container" />'),o.wrap=t.parent(),o.toggler=i('<a tabindex="0" class="wp-color-result" />').insertBefore(t).css({backgroundColor:o.initialValue}).attr("title",wpColorPickerL10n.pick).attr("data-current",wpColorPickerL10n.current),o.pickerContainer=i('<div class="wp-picker-holder" />').insertAfter(t),o.button=i('<input type="button" class="button button-small hidden" />'),o.options.defaultColor?o.button.addClass("wp-picker-default").val(wpColorPickerL10n.defaultString):o.button.addClass("wp-picker-clear").val(wpColorPickerL10n.clear),t.wrap('<span class="wp-picker-input-wrap" />').after(o.button),t.iris({target:o.pickerContainer,hide:!0,width:255,mode:"hsv",palettes:o.options.palettes,change:function(t,e){o.toggler.css({backgroundColor:e.color.toString()}),i.isFunction(o.options.change)&&o.options.change.call(this,t,e)}}),t.val(o.initialValue),o._addListeners(),o.options.hide||o.toggler.click())},_addListeners:function(){var o=this;o.toggler.click(function(t){t.stopPropagation(),o.element.toggle().iris("toggle"),o.button.toggleClass("hidden"),o.toggler.toggleClass("wp-picker-open"),o.toggler.hasClass("wp-picker-open")?i("body").on("click",{wrap:o.wrap,toggler:o.toggler},o._bodyListener):i("body").off("click",o._bodyListener)}),o.element.change(function(t){var e=i(this).val();""!==e&&"#"!==e||(o.toggler.css("backgroundColor",""),i.isFunction(o.options.clear)&&o.options.clear.call(this,t))}),o.toggler.on("keyup",function(t){13!==t.keyCode&&32!==t.keyCode||(t.preventDefault(),o.toggler.trigger("click").next().focus())}),o.button.click(function(t){var e=i(this);e.hasClass("wp-picker-clear")?(o.element.val(""),o.toggler.css("backgroundColor",""),i.isFunction(o.options.clear)&&o.options.clear.call(this,t)):e.hasClass("wp-picker-default")&&o.element.val(o.options.defaultColor).change()})},_bodyListener:function(t){t.data.wrap.find(t.target).length||t.data.toggler.click()},color:function(t){if(t===e)return this.element.iris("option","color");this.element.iris("option","color",t)},defaultColor:function(t){if(t===e)return this.options.defaultColor;this.options.defaultColor=t}};i.widget("wp.wpColorPicker",t)}(jQuery);

wp-admin/js/comment.min.js

@@ -1 +1 @@
-jQuery(document).ready(function(a){postboxes.add_postbox_toggles("comment");var b=a("#timestamp").html();a(".edit-timestamp").click(function(){return a("#timestampdiv").is(":hidden")&&(a("#timestampdiv").slideDown("normal"),a(".edit-timestamp").hide()),!1}),a(".cancel-timestamp").click(function(){return a("#timestampdiv").slideUp("normal"),a("#mm").val(a("#hidden_mm").val()),a("#jj").val(a("#hidden_jj").val()),a("#aa").val(a("#hidden_aa").val()),a("#hh").val(a("#hidden_hh").val()),a("#mn").val(a("#hidden_mn").val()),a("#timestamp").html(b),a(".edit-timestamp").show(),!1}),a(".save-timestamp").click(function(){var b=a("#aa").val(),c=a("#mm").val(),d=a("#jj").val(),e=a("#hh").val(),f=a("#mn").val(),g=new Date(b,c-1,d,e,f);return g.getFullYear()!=b||1+g.getMonth()!=c||g.getDate()!=d||g.getMinutes()!=f?(a(".timestamp-wrap","#timestampdiv").addClass("form-invalid"),!1):(a(".timestamp-wrap","#timestampdiv").removeClass("form-invalid"),a("#timestampdiv").slideUp("normal"),a(".edit-timestamp").show(),a("#timestamp").html(commentL10n.submittedOn+" <b>"+a('#mm option[value="'+c+'"]').text()+" "+d+", "+b+" @ "+e+":"+f+"</b> "),!1)})});
+jQuery(document).ready(function(n){postboxes.add_postbox_toggles("comment");var t=n("#timestamp").html();n(".edit-timestamp").click(function(){return n("#timestampdiv").is(":hidden")&&(n("#timestampdiv").slideDown("normal"),n(".edit-timestamp").hide()),!1}),n(".cancel-timestamp").click(function(){return n("#timestampdiv").slideUp("normal"),n("#mm").val(n("#hidden_mm").val()),n("#jj").val(n("#hidden_jj").val()),n("#aa").val(n("#hidden_aa").val()),n("#hh").val(n("#hidden_hh").val()),n("#mn").val(n("#hidden_mn").val()),n("#timestamp").html(t),n(".edit-timestamp").show(),!1}),n(".save-timestamp").click(function(){var t=n("#aa").val(),m=n("#mm").val(),a=n("#jj").val(),e=n("#hh").val(),i=n("#mn").val(),l=new Date(t,m-1,a,e,i);return l.getFullYear()!=t||1+l.getMonth()!=m||l.getDate()!=a||l.getMinutes()!=i?n(".timestamp-wrap","#timestampdiv").addClass("form-invalid"):(n(".timestamp-wrap","#timestampdiv").removeClass("form-invalid"),n("#timestampdiv").slideUp("normal"),n(".edit-timestamp").show(),n("#timestamp").html(commentL10n.submittedOn+" <b>"+n('#mm option[value="'+m+'"]').text()+" "+a+", "+t+" @ "+e+":"+i+"</b> ")),!1})});

wp-admin/js/custom-background.js

@@ -55,11 +55,13 @@
 			frame.on( 'select', function() {
 				// Grab the selected attachment.
 				var attachment = frame.state().get('selection').first();
+				var nonceValue = $( '#_wpnonce' ).val() || '';
 
 				// Run an AJAX request to set the background image.
 				$.post( ajaxurl, {
 					action: 'set-background-image',
 					attachment_id: attachment.id,
+					_ajax_nonce: nonceValue,
 					size: 'full'
 				}).done( function() {
 					// When the request completes, reload the window.

wp-admin/js/custom-background.min.js

@@ -1 +1 @@
-!function(a){a(document).ready(function(){var b,c=a("#custom-background-image");a("#background-color").wpColorPicker({change:function(a,b){c.css("background-color",b.color.toString())},clear:function(){c.css("background-color","")}}),a('input[name="background-position-x"]').change(function(){c.css("background-position",a(this).val()+" top")}),a('input[name="background-repeat"]').change(function(){c.css("background-repeat",a(this).val())}),a("#choose-from-library-link").click(function(c){var d=a(this);return c.preventDefault(),b?(b.open(),void 0):(b=wp.media.frames.customBackground=wp.media({title:d.data("choose"),library:{type:"image"},button:{text:d.data("update"),close:!1}}),b.on("select",function(){var c=b.state().get("selection").first();a.post(ajaxurl,{action:"set-background-image",attachment_id:c.id,size:"full"}).done(function(){window.location.reload()})}),b.open(),void 0)})})}(jQuery);
+!function(c){c(document).ready(function(){var a,t=c("#custom-background-image");c("#background-color").wpColorPicker({change:function(o,n){t.css("background-color",n.color.toString())},clear:function(){t.css("background-color","")}}),c('input[name="background-position-x"]').change(function(){t.css("background-position",c(this).val()+" top")}),c('input[name="background-repeat"]').change(function(){t.css("background-repeat",c(this).val())}),c("#choose-from-library-link").click(function(o){var n=c(this);o.preventDefault(),a||(a=wp.media.frames.customBackground=wp.media({title:n.data("choose"),library:{type:"image"},button:{text:n.data("update"),close:!1}})).on("select",function(){var o=a.state().get("selection").first(),n=c("#_wpnonce").val()||"";c.post(ajaxurl,{action:"set-background-image",attachment_id:o.id,_ajax_nonce:n,size:"full"}).done(function(){window.location.reload()})}),a.open()})})}(jQuery);

wp-admin/js/customize-controls.js

@@ -777,6 +777,16 @@
 			}
 		});
 
+		// Ensure preview nonce is included with every customized request, to allow post data to be read.
+		$.ajaxPrefilter( function injectPreviewNonce( options ) {
+			if ( ! /wp_customize=on/.test( options.data ) ) {
+				return;
+			}
+			options.data += '&' + $.param({
+				customize_preview_nonce: api.settings.nonce.preview
+			});
+		});
+
 		// Refresh the nonces if the preview sends updated nonces over.
  		previewer.bind( 'nonce', function( nonce ) {
  			$.extend( this.nonce, nonce );

wp-admin/js/dashboard.min.js

@@ -1 +1 @@
-var ajaxWidgets,ajaxPopulateWidgets,quickPressLoad;jQuery(document).ready(function(a){var b=a("#welcome-panel"),c=a("#wp_welcome_panel-hide"),d=function(b){a.post(ajaxurl,{action:"update-welcome-panel",visible:b,welcomepanelnonce:a("#welcomepanelnonce").val()})};b.hasClass("hidden")&&c.prop("checked")&&b.removeClass("hidden"),a(".welcome-panel-close, .welcome-panel-dismiss a",b).click(function(c){c.preventDefault(),b.addClass("hidden"),d(0),a("#wp_welcome_panel-hide").prop("checked",!1)}),c.click(function(){b.toggleClass("hidden",!this.checked),d(this.checked?1:0)}),ajaxWidgets=["dashboard_incoming_links","dashboard_primary","dashboard_secondary","dashboard_plugins"],ajaxPopulateWidgets=function(b){function c(b,c){var d,e=a("#"+c+" div.inside:visible").find(".widget-loading");e.length&&(d=e.parent(),setTimeout(function(){d.load(ajaxurl+"?action=dashboard-widgets&widget="+c,"",function(){d.hide().slideDown("normal",function(){a(this).css("display","")})})},500*b))}b?(b=b.toString(),-1!=a.inArray(b,ajaxWidgets)&&c(0,b)):a.each(ajaxWidgets,c)},ajaxPopulateWidgets(),postboxes.add_postbox_toggles(pagenow,{pbshow:ajaxPopulateWidgets}),quickPressLoad=function(){var b,c=a("#quickpost-action");b=a("#quick-press").submit(function(){return a("#dashboard_quick_press #publishing-action .spinner").show(),a('#quick-press .submit input[type="submit"], #quick-press .submit input[type="reset"]').prop("disabled",!0),"post"==c.val()&&c.val("post-quickpress-publish"),a("#dashboard_quick_press div.inside").load(b.attr("action"),b.serializeArray(),function(){a("#dashboard_quick_press #publishing-action .spinner").hide(),a('#quick-press .submit input[type="submit"], #quick-press .submit input[type="reset"]').prop("disabled",!1),a("#dashboard_quick_press ul").next("p").remove(),a("#dashboard_quick_press ul").find("li").each(function(){a("#dashboard_recent_drafts ul").prepend(this)}).end().remove(),quickPressLoad()}),!1}),a("#publish").click(function(){c.val("post-quickpress-publish")}),a("#title, #tags-input").each(function(){var b=a(this),c=a("#"+this.id+"-prompt-text");""===this.value&&c.removeClass("screen-reader-text"),c.click(function(){a(this).addClass("screen-reader-text"),b.focus()}),b.blur(function(){""===this.value&&c.removeClass("screen-reader-text")}),b.focus(function(){c.addClass("screen-reader-text")})}),a("#quick-press").on("click focusin",function(){wpActiveEditor="content"})},quickPressLoad()});
+var ajaxWidgets,ajaxPopulateWidgets,quickPressLoad;jQuery(document).ready(function(t){function s(e){t.post(ajaxurl,{action:"update-welcome-panel",visible:e,welcomepanelnonce:t("#welcomepanelnonce").val()})}var i=t("#welcome-panel"),e=t("#wp_welcome_panel-hide");i.hasClass("hidden")&&e.prop("checked")&&i.removeClass("hidden"),t(".welcome-panel-close, .welcome-panel-dismiss a",i).click(function(e){e.preventDefault(),i.addClass("hidden"),s(0),t("#wp_welcome_panel-hide").prop("checked",!1)}),e.click(function(){i.toggleClass("hidden",!this.checked),s(this.checked?1:0)}),ajaxWidgets=["dashboard_incoming_links","dashboard_primary","dashboard_secondary","dashboard_plugins"],(ajaxPopulateWidgets=function(e){function s(e,s){var i,a=t("#"+s+" div.inside:visible").find(".widget-loading");a.length&&(i=a.parent(),setTimeout(function(){i.load(ajaxurl+"?action=dashboard-widgets&widget="+s,"",function(){i.hide().slideDown("normal",function(){t(this).css("display","")})})},500*e))}e?(e=e.toString(),-1!=t.inArray(e,ajaxWidgets)&&s(0,e)):t.each(ajaxWidgets,s)})(),postboxes.add_postbox_toggles(pagenow,{pbshow:ajaxPopulateWidgets}),(quickPressLoad=function(){var e=t("#quickpost-action"),s=t("#quick-press").submit(function(){return t("#dashboard_quick_press #publishing-action .spinner").show(),t('#quick-press .submit input[type="submit"], #quick-press .submit input[type="reset"]').prop("disabled",!0),"post"==e.val()&&e.val("post-quickpress-publish"),t("#dashboard_quick_press div.inside").load(s.attr("action"),s.serializeArray(),function(){t("#dashboard_quick_press #publishing-action .spinner").hide(),t('#quick-press .submit input[type="submit"], #quick-press .submit input[type="reset"]').prop("disabled",!1),t("#dashboard_quick_press ul").next("p").remove(),t("#dashboard_quick_press ul").find("li").each(function(){t("#dashboard_recent_drafts ul").prepend(this)}).end().remove(),quickPressLoad()}),!1});t("#publish").click(function(){e.val("post-quickpress-publish")}),t("#title, #tags-input").each(function(){var e=t(this),s=t("#"+this.id+"-prompt-text");""===this.value&&s.removeClass("screen-reader-text"),s.click(function(){t(this).addClass("screen-reader-text"),e.focus()}),e.blur(function(){""===this.value&&s.removeClass("screen-reader-text")}),e.focus(function(){s.addClass("screen-reader-text")})}),t("#quick-press").on("click focusin",function(){wpActiveEditor="content"})})()});

wp-admin/js/gallery.min.js

@@ -1 +1 @@
-jQuery(document).ready(function(a){var b,c,d,e=!1;c=function(){b=a("#media-items").sortable({items:"div.media-item",placeholder:"sorthelper",axis:"y",distance:2,handle:"div.filename",stop:function(){var b=a("#media-items").sortable("toArray"),c=b.length;a.each(b,function(b,d){var f=e?c-b:1+b;a("#"+d+" .menu_order input").val(f)})}})},sortIt=function(){var b=a(".menu_order_input"),c=b.length;b.each(function(b){var d=e?c-b:1+b;a(this).val(d)})},clearAll=function(b){b=b||0,a(".menu_order_input").each(function(){("0"==this.value||b)&&(this.value="")})},a("#asc").click(function(){return e=!1,sortIt(),!1}),a("#desc").click(function(){return e=!0,sortIt(),!1}),a("#clear").click(function(){return clearAll(1),!1}),a("#showall").click(function(){return a("#sort-buttons span a").toggle(),a("a.describe-toggle-on").hide(),a("a.describe-toggle-off, table.slidetoggle").show(),a("img.pinkynail").toggle(!1),!1}),a("#hideall").click(function(){return a("#sort-buttons span a").toggle(),a("a.describe-toggle-on").show(),a("a.describe-toggle-off, table.slidetoggle").hide(),a("img.pinkynail").toggle(!0),!1}),c(),clearAll(),a("#media-items>*").length>1&&(d=wpgallery.getWin(),a("#save-all, #gallery-settings").show(),"undefined"!=typeof d.tinyMCE&&d.tinyMCE.activeEditor&&!d.tinyMCE.activeEditor.isHidden()?(wpgallery.mcemode=!0,wpgallery.init()):a("#insert-gallery").show())}),jQuery(window).unload(function(){tinymce=tinyMCE=wpgallery=null});var tinymce=null,tinyMCE,wpgallery;wpgallery={mcemode:!1,editor:{},dom:{},is_update:!1,el:{},I:function(a){return document.getElementById(a)},init:function(){var a,b,c,d,e=this,f=e.getWin();if(e.mcemode){for(a=(""+document.location.search).replace(/^\?/,"").split("&"),b={},c=0;c<a.length;c++)d=a[c].split("="),b[unescape(d[0])]=unescape(d[1]);b.mce_rdomain&&(document.domain=b.mce_rdomain),tinymce=f.tinymce,tinyMCE=f.tinyMCE,e.editor=tinymce.EditorManager.activeEditor,e.setup()}},getWin:function(){return window.dialogArguments||opener||parent||top},setup:function(){var a,b,c,d,e,f,g=this,h=g.editor;if(g.mcemode){if(g.el=h.selection.getNode(),"IMG"!=g.el.nodeName||!h.dom.hasClass(g.el,"wpGallery")){if(!(b=h.dom.select("img.wpGallery"))||!b[0])return"1"==getUserSetting("galfile")&&(g.I("linkto-file").checked="checked"),"1"==getUserSetting("galdesc")&&(g.I("order-desc").checked="checked"),getUserSetting("galcols")&&(g.I("columns").value=getUserSetting("galcols")),getUserSetting("galord")&&(g.I("orderby").value=getUserSetting("galord")),jQuery("#insert-gallery").show(),void 0;g.el=b[0]}a=h.dom.getAttrib(g.el,"title"),a=h.dom.decode(a),a?(jQuery("#update-gallery").show(),g.is_update=!0,c=a.match(/columns=['"]([0-9]+)['"]/),d=a.match(/link=['"]([^'"]+)['"]/i),e=a.match(/order=['"]([^'"]+)['"]/i),f=a.match(/orderby=['"]([^'"]+)['"]/i),d&&d[1]&&(g.I("linkto-file").checked="checked"),e&&e[1]&&(g.I("order-desc").checked="checked"),c&&c[1]&&(g.I("columns").value=""+c[1]),f&&f[1]&&(g.I("orderby").value=f[1])):jQuery("#insert-gallery").show()}},update:function(){var a,b=this,c=b.editor,d="";return b.mcemode&&b.is_update?("IMG"==b.el.nodeName&&(d=c.dom.decode(c.dom.getAttrib(b.el,"title")),d=d.replace(/\s*(order|link|columns|orderby)=['"]([^'"]+)['"]/gi,""),d+=b.getSettings(),c.dom.setAttrib(b.el,"title",d),b.getWin().tb_remove()),void 0):(a="[gallery"+b.getSettings()+"]",b.getWin().send_to_editor(a),void 0)},getSettings:function(){var a=this.I,b="";return a("linkto-file").checked&&(b+=' link="file"',setUserSetting("galfile","1")),a("order-desc").checked&&(b+=' order="DESC"',setUserSetting("galdesc","1")),3!=a("columns").value&&(b+=' columns="'+a("columns").value+'"',setUserSetting("galcols",a("columns").value)),"menu_order"!=a("orderby").value&&(b+=' orderby="'+a("orderby").value+'"',setUserSetting("galord",a("orderby").value)),b}};
+jQuery(document).ready(function(l){var r=!1,e=function(){l("#media-items").sortable({items:"div.media-item",placeholder:"sorthelper",axis:"y",distance:2,handle:"div.filename",stop:function(e,t){var i=l("#media-items").sortable("toArray"),n=i.length;l.each(i,function(e,t){e=r?n-e:1+e;l("#"+t+" .menu_order input").val(e)})}})};sortIt=function(){var e=l(".menu_order_input"),t=e.length;e.each(function(e){e=r?t-e:1+e;l(this).val(e)})},clearAll=function(e){e=e||0,l(".menu_order_input").each(function(){"0"!=this.value&&!e||(this.value="")})},l("#asc").click(function(){return r=!1,sortIt(),!1}),l("#desc").click(function(){return r=!0,sortIt(),!1}),l("#clear").click(function(){return clearAll(1),!1}),l("#showall").click(function(){return l("#sort-buttons span a").toggle(),l("a.describe-toggle-on").hide(),l("a.describe-toggle-off, table.slidetoggle").show(),l("img.pinkynail").toggle(!1),!1}),l("#hideall").click(function(){return l("#sort-buttons span a").toggle(),l("a.describe-toggle-on").show(),l("a.describe-toggle-off, table.slidetoggle").hide(),l("img.pinkynail").toggle(!0),!1}),e(),clearAll(),1<l("#media-items>*").length&&(e=wpgallery.getWin(),l("#save-all, #gallery-settings").show(),void 0!==e.tinyMCE&&e.tinyMCE.activeEditor&&!e.tinyMCE.activeEditor.isHidden()?(wpgallery.mcemode=!0,wpgallery.init()):l("#insert-gallery").show())}),jQuery(window).unload(function(){tinymce=tinyMCE=wpgallery=null});var tinyMCE,tinymce=null,wpgallery={mcemode:!1,editor:{},dom:{},is_update:!1,el:{},I:function(e){return document.getElementById(e)},init:function(){var e,t,i,n,l=this,r=l.getWin();if(l.mcemode){for(e=(""+document.location.search).replace(/^\?/,"").split("&"),t={},i=0;i<e.length;i++)n=e[i].split("="),t[unescape(n[0])]=unescape(n[1]);t.mce_rdomain&&(document.domain=t.mce_rdomain),tinymce=r.tinymce,tinyMCE=r.tinyMCE,l.editor=tinymce.EditorManager.activeEditor,l.setup()}},getWin:function(){return window.dialogArguments||opener||parent||top},setup:function(){var e,t,i,n=this,l=n.editor;if(n.mcemode){if(n.el=l.selection.getNode(),"IMG"!=n.el.nodeName||!l.dom.hasClass(n.el,"wpGallery")){if(!(t=l.dom.select("img.wpGallery"))||!t[0])return"1"==getUserSetting("galfile")&&(n.I("linkto-file").checked="checked"),"1"==getUserSetting("galdesc")&&(n.I("order-desc").checked="checked"),getUserSetting("galcols")&&(n.I("columns").value=getUserSetting("galcols")),getUserSetting("galord")&&(n.I("orderby").value=getUserSetting("galord")),void jQuery("#insert-gallery").show();n.el=t[0]}i=l.dom.getAttrib(n.el,"title"),(i=l.dom.decode(i))?(jQuery("#update-gallery").show(),n.is_update=!0,e=i.match(/columns=['"]([0-9]+)['"]/),t=i.match(/link=['"]([^'"]+)['"]/i),l=i.match(/order=['"]([^'"]+)['"]/i),i=i.match(/orderby=['"]([^'"]+)['"]/i),t&&t[1]&&(n.I("linkto-file").checked="checked"),l&&l[1]&&(n.I("order-desc").checked="checked"),e&&e[1]&&(n.I("columns").value=""+e[1]),i&&i[1]&&(n.I("orderby").value=i[1])):jQuery("#insert-gallery").show()}},update:function(){var e,t=this,i=t.editor,n="";if(!t.mcemode||!t.is_update)return e="[gallery"+t.getSettings()+"]",void t.getWin().send_to_editor(e);"IMG"==t.el.nodeName&&(n=(n=i.dom.decode(i.dom.getAttrib(t.el,"title"))).replace(/\s*(order|link|columns|orderby)=['"]([^'"]+)['"]/gi,""),n+=t.getSettings(),i.dom.setAttrib(t.el,"title",n),t.getWin().tb_remove())},getSettings:function(){var e=this.I,t="";return e("linkto-file").checked&&(t+=' link="file"',setUserSetting("galfile","1")),e("order-desc").checked&&(t+=' order="DESC"',setUserSetting("galdesc","1")),3!=e("columns").value&&(t+=' columns="'+e("columns").value+'"',setUserSetting("galcols",e("columns").value)),"menu_order"!=e("orderby").value&&(t+=' orderby="'+e("orderby").value+'"',setUserSetting("galord",e("orderby").value)),t}};

wp-admin/js/inline-edit-tax.min.js

@@ -1 +1 @@
-!function(a){inlineEditTax={init:function(){var b=this,c=a("#inline-edit");b.type=a("#the-list").attr("data-wp-lists").substr(5),b.what="#"+b.type+"-",a("#the-list").on("click","a.editinline",function(){return inlineEditTax.edit(this),!1}),c.keyup(function(a){return 27==a.which?inlineEditTax.revert():void 0}),a("a.cancel",c).click(function(){return inlineEditTax.revert()}),a("a.save",c).click(function(){return inlineEditTax.save(this)}),a("input, select",c).keydown(function(a){return 13==a.which?inlineEditTax.save(this):void 0}),a('#posts-filter input[type="submit"]').mousedown(function(){b.revert()})},toggle:function(b){var c=this;"none"==a(c.what+c.getId(b)).css("display")?c.revert():c.edit(b)},edit:function(b){var c,d=this;return d.revert(),"object"==typeof b&&(b=d.getId(b)),c=a("#inline-edit").clone(!0),rowData=a("#inline_"+b),a("td",c).attr("colspan",a(".widefat:first thead th:visible").length),a(d.what+b).hasClass("alternate")&&a(c).addClass("alternate"),a(d.what+b).hide().after(c),a(':input[name="name"]',c).val(a(".name",rowData).text()),a(':input[name="slug"]',c).val(a(".slug",rowData).text()),a(c).attr("id","edit-"+b).addClass("inline-editor").show(),a(".ptitle",c).eq(0).focus(),!1},save:function(b){var c,d,e=a('input[name="taxonomy"]').val()||"";return"object"==typeof b&&(b=this.getId(b)),a("table.widefat .spinner").show(),c={action:"inline-save-tax",tax_type:this.type,tax_ID:b,taxonomy:e},d=a("#edit-"+b+" :input").serialize(),c=d+"&"+a.param(c),a.post(ajaxurl,c,function(c){var d,e;a("table.widefat .spinner").hide(),c?-1!=c.indexOf("<tr")?(a(inlineEditTax.what+b).remove(),e=a(c).attr("id"),a("#edit-"+b).before(c).remove(),d=e?a("#"+e):a(inlineEditTax.what+b),d.hide().fadeIn()):a("#edit-"+b+" .inline-edit-save .error").html(c).show():a("#edit-"+b+" .inline-edit-save .error").html(inlineEditL10n.error).show(),a(d).prev("tr").hasClass("alternate")&&a(d).removeClass("alternate")}),!1},revert:function(){var b=a("table.widefat tr.inline-editor").attr("id");return b&&(a("table.widefat .spinner").hide(),a("#"+b).remove(),b=b.substr(b.lastIndexOf("-")+1),a(this.what+b).show()),!1},getId:function(b){var c="TR"==b.tagName?b.id:a(b).parents("tr").attr("id"),d=c.split("-");return d[d.length-1]}},a(document).ready(function(){inlineEditTax.init()})}(jQuery);
+!function(n){inlineEditTax={init:function(){var e=this,t=n("#inline-edit");e.type=n("#the-list").attr("data-wp-lists").substr(5),e.what="#"+e.type+"-",n("#the-list").on("click","a.editinline",function(){return inlineEditTax.edit(this),!1}),t.keyup(function(t){if(27==t.which)return inlineEditTax.revert()}),n("a.cancel",t).click(function(){return inlineEditTax.revert()}),n("a.save",t).click(function(){return inlineEditTax.save(this)}),n("input, select",t).keydown(function(t){if(13==t.which)return inlineEditTax.save(this)}),n('#posts-filter input[type="submit"]').mousedown(function(t){e.revert()})},toggle:function(t){var e=this;"none"==n(e.what+e.getId(t)).css("display")?e.revert():e.edit(t)},edit:function(t){var e,i=this;return i.revert(),"object"==typeof t&&(t=i.getId(t)),e=n("#inline-edit").clone(!0),rowData=n("#inline_"+t),n("td",e).attr("colspan",n(".widefat:first thead th:visible").length),n(i.what+t).hasClass("alternate")&&n(e).addClass("alternate"),n(i.what+t).hide().after(e),n(':input[name="name"]',e).val(n(".name",rowData).text()),n(':input[name="slug"]',e).val(n(".slug",rowData).text()),n(e).attr("id","edit-"+t).addClass("inline-editor").show(),n(".ptitle",e).eq(0).focus(),!1},save:function(i){var t=n('input[name="taxonomy"]').val()||"";return"object"==typeof i&&(i=this.getId(i)),n("table.widefat .spinner").show(),t={action:"inline-save-tax",tax_type:this.type,tax_ID:i,taxonomy:t},t=n("#edit-"+i+" :input").serialize()+"&"+n.param(t),n.post(ajaxurl,t,function(t){var e;n("table.widefat .spinner").hide(),t?-1!=t.indexOf("<tr")?(n(inlineEditTax.what+i).remove(),e=n(t).attr("id"),n("#edit-"+i).before(t).remove(),(e=n(e?"#"+e:inlineEditTax.what+i)).hide().fadeIn()):n("#edit-"+i+" .inline-edit-save .error").html(t).show():n("#edit-"+i+" .inline-edit-save .error").html(inlineEditL10n.error).show(),n(e).prev("tr").hasClass("alternate")&&n(e).removeClass("alternate")}),!1},revert:function(){var t=n("table.widefat tr.inline-editor").attr("id");return t&&(n("table.widefat .spinner").hide(),n("#"+t).remove(),t=t.substr(t.lastIndexOf("-")+1),n(this.what+t).show()),!1},getId:function(t){t=("TR"==t.tagName?t.id:n(t).parents("tr").attr("id")).split("-");return t[t.length-1]}},n(document).ready(function(){inlineEditTax.init()})}(jQuery);

wp-admin/js/link.min.js

@@ -1 +1 @@
-jQuery(document).ready(function(a){var b,c,d,e=!1;a("#link_name").focus(),postboxes.add_postbox_toggles("link"),a("#category-tabs a").click(function(){var b=a(this).attr("href");return a(this).parent().addClass("tabs").siblings("li").removeClass("tabs"),a(".tabs-panel").hide(),a(b).show(),"#categories-all"==b?deleteUserSetting("cats"):setUserSetting("cats","pop"),!1}),getUserSetting("cats")&&a('#category-tabs a[href="#categories-pop"]').click(),b=a("#newcat").one("focus",function(){a(this).val("").removeClass("form-input-tip")}),a("#link-category-add-submit").click(function(){b.focus()}),c=function(){if(!e){e=!0;var b=a(this),c=b.is(":checked"),d=b.val().toString();a("#in-link-category-"+d+", #in-popular-link_category-"+d).prop("checked",c),e=!1}},d=function(b,d){a(d.what+" response_data",b).each(function(){var b=a(a(this).text());b.find("label").each(function(){var b,d=a(this),e=d.find("input").val(),f=d.find("input")[0].id,g=a.trim(d.text());a("#"+f).change(c),b=a('<option value="'+parseInt(e,10)+'"></option>').text(g)})})},a("#categorychecklist").wpList({alt:"",what:"link-category",response:"category-ajax-response",addAfter:d}),a('a[href="#categories-all"]').click(function(){deleteUserSetting("cats")}),a('a[href="#categories-pop"]').click(function(){setUserSetting("cats","pop")}),"pop"==getUserSetting("cats")&&a('a[href="#categories-pop"]').click(),a("#category-add-toggle").click(function(){return a(this).parents("div:first").toggleClass("wp-hidden-children"),a('#category-tabs a[href="#categories-all"]').click(),a("#newcategory").focus(),!1}),a(".categorychecklist :checkbox").change(c).filter(":checked").change()});
+jQuery(document).ready(function(c){var t,i,e,a=!1;c("#link_name").focus(),postboxes.add_postbox_toggles("link"),c("#category-tabs a").click(function(){var t=c(this).attr("href");return c(this).parent().addClass("tabs").siblings("li").removeClass("tabs"),c(".tabs-panel").hide(),c(t).show(),"#categories-all"==t?deleteUserSetting("cats"):setUserSetting("cats","pop"),!1}),getUserSetting("cats")&&c('#category-tabs a[href="#categories-pop"]').click(),t=c("#newcat").one("focus",function(){c(this).val("").removeClass("form-input-tip")}),c("#link-category-add-submit").click(function(){t.focus()}),i=function(){var t,e;a||(a=!0,t=(e=c(this)).is(":checked"),e=e.val().toString(),c("#in-link-category-"+e+", #in-popular-link_category-"+e).prop("checked",t),a=!1)},e=function(t,e){c(e.what+" response_data",t).each(function(){c(c(this).text()).find("label").each(function(){var t=c(this),e=t.find("input").val(),a=t.find("input")[0].id,t=c.trim(t.text());c("#"+a).change(i),c('<option value="'+parseInt(e,10)+'"></option>').text(t)})})},c("#categorychecklist").wpList({alt:"",what:"link-category",response:"category-ajax-response",addAfter:e}),c('a[href="#categories-all"]').click(function(){deleteUserSetting("cats")}),c('a[href="#categories-pop"]').click(function(){setUserSetting("cats","pop")}),"pop"==getUserSetting("cats")&&c('a[href="#categories-pop"]').click(),c("#category-add-toggle").click(function(){return c(this).parents("div:first").toggleClass("wp-hidden-children"),c('#category-tabs a[href="#categories-all"]').click(),c("#newcategory").focus(),!1}),c(".categorychecklist :checkbox").change(i).filter(":checked").change()});

wp-admin/js/media-gallery.js

@@ -1,6 +1,6 @@
 jQuery(function($){
 	$( 'body' ).bind( 'click.wp-gallery', function(e){
-		var target = $( e.target ), id, img_size;
+		var target = $( e.target ), id, img_size, nonceValue;
 
 		if ( target.hasClass( 'wp-set-header' ) ) {
 			( window.dialogArguments || opener || parent || top ).location.href = target.data( 'location' );
@@ -8,10 +8,12 @@ jQuery(function($){
 		} else if ( target.hasClass( 'wp-set-background' ) ) {
 			id = target.data( 'attachment-id' );
 			img_size = $( 'input[name="attachments[' + id + '][image-size]"]:checked').val();
+			nonceValue = $( '#_wpnonce' ).val() && '';
 
 			jQuery.post(ajaxurl, {
 				action: 'set-background-image',
 				attachment_id: id,
+				_ajax_nonce: nonceValue,
 				size: img_size
 			}, function(){
 				var win = window.dialogArguments || opener || parent || top;

wp-admin/js/media-gallery.min.js

@@ -1 +1 @@
-jQuery(function(a){a("body").bind("click.wp-gallery",function(b){var c,d,e=a(b.target);e.hasClass("wp-set-header")?((window.dialogArguments||opener||parent||top).location.href=e.data("location"),b.preventDefault()):e.hasClass("wp-set-background")&&(c=e.data("attachment-id"),d=a('input[name="attachments['+c+'][image-size]"]:checked').val(),jQuery.post(ajaxurl,{action:"set-background-image",attachment_id:c,size:d},function(){var a=window.dialogArguments||opener||parent||top;a.tb_remove(),a.location.reload()}),b.preventDefault())})});
+jQuery(function(o){o("body").bind("click.wp-gallery",function(a){var e,t,n=o(a.target);n.hasClass("wp-set-header")?((window.dialogArguments||opener||parent||top).location.href=n.data("location"),a.preventDefault()):n.hasClass("wp-set-background")&&(e=n.data("attachment-id"),t=o('input[name="attachments['+e+'][image-size]"]:checked').val(),n=o("#_wpnonce").val()&&"",jQuery.post(ajaxurl,{action:"set-background-image",attachment_id:e,_ajax_nonce:n,size:t},function(){var a=window.dialogArguments||opener||parent||top;a.tb_remove(),a.location.reload()}),a.preventDefault())})});

wp-admin/js/media-upload.min.js

@@ -1 +1 @@
-function send_to_editor(a){var b,c="undefined"!=typeof tinymce,d="undefined"!=typeof QTags;if(wpActiveEditor)c&&(b=!tinymce.activeEditor||"mce_fullscreen"!=tinymce.activeEditor.id&&"wp_mce_fullscreen"!=tinymce.activeEditor.id?tinymce.get(wpActiveEditor):tinymce.activeEditor);else if(c&&tinymce.activeEditor)b=tinymce.activeEditor,wpActiveEditor=b.id;else if(!d)return!1;b&&!b.isHidden()?(tinymce.isIE&&b.windowManager.insertimagebookmark&&b.selection.moveToBookmark(b.windowManager.insertimagebookmark),-1!==a.indexOf("[caption")?b.wpSetImgCaption&&(a=b.wpSetImgCaption(a)):-1!==a.indexOf("[gallery")?b.plugins.wpgallery&&(a=b.plugins.wpgallery._do_gallery(a)):0===a.indexOf("[embed")&&b.plugins.wordpress&&(a=b.plugins.wordpress._setEmbed(a)),b.execCommand("mceInsertContent",!1,a)):d?QTags.insertContent(a):document.getElementById(wpActiveEditor).value+=a;try{tb_remove()}catch(e){}}var wpActiveEditor,tb_position;!function(a){tb_position=function(){var b=a("#TB_window"),c=a(window).width(),d=a(window).height(),e=c>720?720:c,f=0;return a("body.admin-bar").length&&(f=28),b.size()&&(b.width(e-50).height(d-45-f),a("#TB_iframeContent").width(e-50).height(d-75-f),b.css({"margin-left":"-"+parseInt((e-50)/2,10)+"px"}),"undefined"!=typeof document.body.style.maxWidth&&b.css({top:20+f+"px","margin-top":"0"})),a("a.thickbox").each(function(){var b=a(this).attr("href");b&&(b=b.replace(/&width=[0-9]+/g,""),b=b.replace(/&height=[0-9]+/g,""),a(this).attr("href",b+"&width="+(e-80)+"&height="+(d-85-f)))})},a(window).resize(function(){tb_position()}),a(document).ready(function(a){a("a.thickbox").click(function(){var a;"undefined"!=typeof tinymce&&tinymce.isIE&&(a=tinymce.get(wpActiveEditor))&&!a.isHidden()&&(a.focus(),a.windowManager.insertimagebookmark=a.selection.getBookmark())})})}(jQuery);
+var wpActiveEditor,tb_position;function send_to_editor(e){var i,t="undefined"!=typeof tinymce,n="undefined"!=typeof QTags;if(wpActiveEditor)t&&(i=!tinymce.activeEditor||"mce_fullscreen"!=tinymce.activeEditor.id&&"wp_mce_fullscreen"!=tinymce.activeEditor.id?tinymce.get(wpActiveEditor):tinymce.activeEditor);else if(t&&tinymce.activeEditor)i=tinymce.activeEditor,wpActiveEditor=i.id;else if(!n)return!1;i&&!i.isHidden()?(tinymce.isIE&&i.windowManager.insertimagebookmark&&i.selection.moveToBookmark(i.windowManager.insertimagebookmark),-1!==e.indexOf("[caption")?i.wpSetImgCaption&&(e=i.wpSetImgCaption(e)):-1!==e.indexOf("[gallery")?i.plugins.wpgallery&&(e=i.plugins.wpgallery._do_gallery(e)):0===e.indexOf("[embed")&&i.plugins.wordpress&&(e=i.plugins.wordpress._setEmbed(e)),i.execCommand("mceInsertContent",!1,e)):n?QTags.insertContent(e):document.getElementById(wpActiveEditor).value+=e;try{tb_remove()}catch(e){}}!function(r){tb_position=function(){var e=r("#TB_window"),i=r(window).width(),t=r(window).height(),n=720<i?720:i,o=0;return r("body.admin-bar").length&&(o=28),e.size()&&(e.width(n-50).height(t-45-o),r("#TB_iframeContent").width(n-50).height(t-75-o),e.css({"margin-left":"-"+parseInt((n-50)/2,10)+"px"}),void 0!==document.body.style.maxWidth&&e.css({top:20+o+"px","margin-top":"0"})),r("a.thickbox").each(function(){var e=r(this).attr("href");e&&(e=(e=e.replace(/&width=[0-9]+/g,"")).replace(/&height=[0-9]+/g,""),r(this).attr("href",e+"&width="+(n-80)+"&height="+(t-85-o)))})},r(window).resize(function(){tb_position()}),r(document).ready(function(e){e("a.thickbox").click(function(){var e;"undefined"!=typeof tinymce&&tinymce.isIE&&(e=tinymce.get(wpActiveEditor))&&!e.isHidden()&&(e.focus(),e.windowManager.insertimagebookmark=e.selection.getBookmark())})})}(jQuery);

wp-admin/js/media.min.js

@@ -1 +1 @@
-var findPosts;!function(a){findPosts={open:function(b,c){var d=document.documentElement.scrollTop||a(document).scrollTop(),e=a(".ui-find-overlay");return 0==e.length&&(a("body").append('<div class="ui-find-overlay"></div>'),findPosts.overlay()),e.show(),b&&c&&a("#affected").attr("name",b).val(c),a("#find-posts").show().draggable({handle:"#find-posts-head"}).css({top:d+50+"px",left:"50%",marginLeft:"-328px"}),a("#find-posts-input").focus().keyup(function(a){27==a.which&&findPosts.close()}),findPosts.send(),!1},close:function(){a("#find-posts-response").html(""),a("#find-posts").draggable("destroy").hide(),a(".ui-find-overlay").hide()},overlay:function(){a(".ui-find-overlay").css({"z-index":"999",width:a(document).width()+"px",height:a(document).height()+"px"}).on("click",function(){findPosts.close()})},send:function(){var b={ps:a("#find-posts-input").val(),action:"find_posts",_ajax_nonce:a("#_ajax_nonce").val()},c=a(".find-box-search .spinner");c.show(),a.ajax({type:"POST",url:ajaxurl,data:b,success:function(a){findPosts.show(a),c.hide()},error:function(a){findPosts.error(a),c.hide()}})},show:function(b){if("string"==typeof b)return this.error({responseText:b}),void 0;var c=wpAjax.parseAjaxResponse(b);c.errors&&this.error({responseText:wpAjax.broken}),c=c.responses[0],a("#find-posts-response").html(c.data),a(".found-posts td").on("click",function(){a(this).parent().find(".found-radio input").prop("checked",!0)})},error:function(b){var c=b.statusText;b.responseText&&(c=b.responseText.replace(/<.[^<>]*?>/g,"")),c&&a("#find-posts-response").html(c)}},a(document).ready(function(){a("#find-posts-submit").click(function(b){""==a("#find-posts-response").html()&&b.preventDefault()}),a("#find-posts .find-box-search :input").keypress(function(a){return 13==a.which?(findPosts.send(),!1):void 0}),a("#find-posts-search").click(findPosts.send),a("#find-posts-close").click(findPosts.close),a("#doaction, #doaction2").click(function(b){a('select[name^="action"]').each(function(){"attach"==a(this).val()&&(b.preventDefault(),findPosts.open())})})}),a(window).resize(function(){findPosts.overlay()})}(jQuery);
+var findPosts;!function(t){findPosts={open:function(n,s){var o=document.documentElement.scrollTop||t(document).scrollTop(),e=t(".ui-find-overlay");return 0==e.length&&(t("body").append('<div class="ui-find-overlay"></div>'),findPosts.overlay()),e.show(),n&&s&&t("#affected").attr("name",n).val(s),t("#find-posts").show().draggable({handle:"#find-posts-head"}).css({top:o+50+"px",left:"50%",marginLeft:"-328px"}),t("#find-posts-input").focus().keyup(function(n){27==n.which&&findPosts.close()}),findPosts.send(),!1},close:function(){t("#find-posts-response").html(""),t("#find-posts").draggable("destroy").hide(),t(".ui-find-overlay").hide()},overlay:function(){t(".ui-find-overlay").css({"z-index":"999",width:t(document).width()+"px",height:t(document).height()+"px"}).on("click",function(){findPosts.close()})},send:function(){var n={ps:t("#find-posts-input").val(),action:"find_posts",_ajax_nonce:t("#_ajax_nonce").val()},s=t(".find-box-search .spinner");s.show(),t.ajax({type:"POST",url:ajaxurl,data:n,success:function(n){findPosts.show(n),s.hide()},error:function(n){findPosts.error(n),s.hide()}})},show:function(n){var s;"string"!=typeof n?((s=wpAjax.parseAjaxResponse(n)).errors&&this.error({responseText:wpAjax.broken}),s=s.responses[0],t("#find-posts-response").html(s.data),t(".found-posts td").on("click",function(){t(this).parent().find(".found-radio input").prop("checked",!0)})):this.error({responseText:n})},error:function(n){var s=n.statusText;(s=n.responseText?n.responseText.replace(/<.[^<>]*?>/g,""):s)&&t("#find-posts-response").html(s)}},t(document).ready(function(){t("#find-posts-submit").click(function(n){""==t("#find-posts-response").html()&&n.preventDefault()}),t("#find-posts .find-box-search :input").keypress(function(n){if(13==n.which)return findPosts.send(),!1}),t("#find-posts-search").click(findPosts.send),t("#find-posts-close").click(findPosts.close),t("#doaction, #doaction2").click(function(n){t('select[name^="action"]').each(function(){"attach"==t(this).val()&&(n.preventDefault(),findPosts.open())})})}),t(window).resize(function(){findPosts.overlay()})}(jQuery);

wp-admin/js/nav-menu.js

@@ -444,14 +444,14 @@ var wpNavMenu;
 				if ( ! isPrimaryMenuItem ) {
 					var thisLink = menuItem.find( '.menus-move-left' ),
 						thisLinkText = menus.outFrom.replace( '%s', prevItemNameLeft );
-					thisLink.prop( 'title', menus.moveOutFrom.replace( '%s', prevItemNameLeft ) ).html( thisLinkText ).css( 'display', 'inline' );
+					thisLink.prop( 'title', menus.moveOutFrom.replace( '%s', prevItemNameLeft ) ).text( thisLinkText ).css( 'display', 'inline' );
 				}
 
 				if ( 0 !== position ) {
 					if ( menuItem.find( '.menu-item-data-parent-id' ).val() !== menuItem.prev().find( '.menu-item-data-db-id' ).val() ) {
 						var thisLink = menuItem.find( '.menus-move-right' ),
 							thisLinkText = menus.under.replace( '%s', prevItemNameRight );
-						thisLink.prop( 'title', menus.moveUnder.replace( '%s', prevItemNameRight ) ).html( thisLinkText ).css( 'display', 'inline' );
+						thisLink.prop( 'title', menus.moveUnder.replace( '%s', prevItemNameRight ) ).text( thisLinkText ).css( 'display', 'inline' );
 					}
 				}
 
@@ -473,7 +473,7 @@ var wpNavMenu;
 						title = menus.subMenuFocus.replace( '%1$s', itemName ).replace( '%2$d', itemPosition ).replace( '%3$s', parentItemName );
 				}
 
-				$this.prop('title', title).html( title );
+				$this.prop('title', title).text( title );
 			});
 		},
 

wp-admin/js/password-strength-meter.min.js

@@ -1 +1 @@
-window.wp=window.wp||{};var passwordStrength;!function(a){wp.passwordStrength={meter:function(b,c,d){if(a.isArray(c)||(c=[c.toString()]),b!=d&&d&&d.length>0)return 5;var e=zxcvbn(b,c);return e.score},userInputBlacklist:function(){var b,c,d,e,f=[],g=[],h=["user_login","first_name","last_name","nickname","display_name","email","url","description","weblog_title","admin_email"];for(f.push(document.title),f.push(document.URL),c=h.length,b=0;c>b;b++)e=a("#"+h[b]),0!=e.length&&(f.push(e[0].defaultValue),f.push(e.val()));for(d=f.length,b=0;d>b;b++)f[b]&&(g=g.concat(f[b].replace(/\W/g," ").split(" ")));return g=a.grep(g,function(b,c){return""==b||4>b.length?!1:a.inArray(b,g)===c})}},passwordStrength=wp.passwordStrength.meter}(jQuery);
+var passwordStrength;window.wp=window.wp||{},function(l){wp.passwordStrength={meter:function(t,e,n){return l.isArray(e)||(e=[e.toString()]),t!=n&&n&&0<n.length?5:zxcvbn(t,e).score},userInputBlacklist:function(){var t,e,n,r,a=[],i=[],s=["user_login","first_name","last_name","nickname","display_name","email","url","description","weblog_title","admin_email"];for(a.push(document.title),a.push(document.URL),e=s.length,t=0;t<e;t++)0!=(r=l("#"+s[t])).length&&(a.push(r[0].defaultValue),a.push(r.val()));for(n=a.length,t=0;t<n;t++)a[t]&&(i=i.concat(a[t].replace(/\W/g," ").split(" ")));return i=l.grep(i,function(t,e){return!(""==t||t.length<4)&&l.inArray(t,i)===e})}},passwordStrength=wp.passwordStrength.meter}(jQuery);

wp-admin/js/plugin-install.min.js

@@ -1 +1 @@
-var tb_position;jQuery(document).ready(function(a){tb_position=function(){var b=a("#TB_window"),c=a(window).width(),d=a(window).height(),e=c>720?720:c,f=0;return a("body.admin-bar").length&&(f=28),b.size()&&(b.width(e-50).height(d-45-f),a("#TB_iframeContent").width(e-50).height(d-75-f),b.css({"margin-left":"-"+parseInt((e-50)/2,10)+"px"}),"undefined"!=typeof document.body.style.maxWidth&&b.css({top:20+f+"px","margin-top":"0"})),a("a.thickbox").each(function(){var b=a(this).attr("href");b&&(b=b.replace(/&width=[0-9]+/g,""),b=b.replace(/&height=[0-9]+/g,""),a(this).attr("href",b+"&width="+(e-80)+"&height="+(d-85-f)))})},a(window).resize(function(){tb_position()}),a("#dashboard_plugins, .plugins").on("click","a.thickbox",function(){return tb_click.call(this),a("#TB_title").css({"background-color":"#222",color:"#cfcfcf"}),a("#TB_ajaxWindowTitle").html("<strong>"+plugininstallL10n.plugin_information+"</strong>&nbsp;"+a(this).attr("title")),!1}),a("#plugin-information #sidemenu a").click(function(){var b=a(this).attr("name");return a("#plugin-information-header a.current").removeClass("current"),a(this).addClass("current"),a("#section-holder div.section").hide(),a("#section-"+b).show(),!1}),a("a.install-now").click(function(){return confirm(plugininstallL10n.ays)})});
+var tb_position;jQuery(document).ready(function(r){tb_position=function(){var t=r("#TB_window"),i=r(window).width(),n=r(window).height(),o=720<i?720:i,e=0;return r("body.admin-bar").length&&(e=28),t.size()&&(t.width(o-50).height(n-45-e),r("#TB_iframeContent").width(o-50).height(n-75-e),t.css({"margin-left":"-"+parseInt((o-50)/2,10)+"px"}),void 0!==document.body.style.maxWidth&&t.css({top:20+e+"px","margin-top":"0"})),r("a.thickbox").each(function(){var t=r(this).attr("href");t&&(t=(t=t.replace(/&width=[0-9]+/g,"")).replace(/&height=[0-9]+/g,""),r(this).attr("href",t+"&width="+(o-80)+"&height="+(n-85-e)))})},r(window).resize(function(){tb_position()}),r("#dashboard_plugins, .plugins").on("click","a.thickbox",function(){return tb_click.call(this),r("#TB_title").css({"background-color":"#222",color:"#cfcfcf"}),r("#TB_ajaxWindowTitle").html("<strong>"+plugininstallL10n.plugin_information+"</strong>&nbsp;"+r(this).attr("title")),!1}),r("#plugin-information #sidemenu a").click(function(){var t=r(this).attr("name");return r("#plugin-information-header a.current").removeClass("current"),r(this).addClass("current"),r("#section-holder div.section").hide(),r("#section-"+t).show(),!1}),r("a.install-now").click(function(){return confirm(plugininstallL10n.ays)})});

wp-admin/js/postbox.min.js

@@ -1 +1 @@
-var postboxes;!function(a){postboxes={add_postbox_toggles:function(b,c){var d=this;d.init(b,c),a(".postbox h3, .postbox .handlediv").bind("click.postboxes",function(){var c=a(this).parent(".postbox"),e=c.attr("id");"dashboard_browser_nag"!=e&&(c.toggleClass("closed"),"press-this"!=b&&d.save_state(b),e&&(!c.hasClass("closed")&&a.isFunction(postboxes.pbshow)?d.pbshow(e):c.hasClass("closed")&&a.isFunction(postboxes.pbhide)&&d.pbhide(e)))}),a(".postbox h3 a").click(function(a){a.stopPropagation()}),a(".postbox a.dismiss").bind("click.postboxes",function(){var b=a(this).parents(".postbox").attr("id")+"-hide";return a("#"+b).prop("checked",!1).triggerHandler("click"),!1}),a(".hide-postbox-tog").bind("click.postboxes",function(){var c=a(this).val();a(this).prop("checked")?(a("#"+c).show(),a.isFunction(postboxes.pbshow)&&d.pbshow(c)):(a("#"+c).hide(),a.isFunction(postboxes.pbhide)&&d.pbhide(c)),d.save_state(b),d._mark_area()}),a('.columns-prefs input[type="radio"]').bind("click.postboxes",function(){var c=parseInt(a(this).val(),10);c&&(d._pb_edit(c),d.save_order(b))})},init:function(b,c){var d=a(document.body).hasClass("mobile");a.extend(this,c||{}),a("#wpbody-content").css("overflow","hidden"),a(".meta-box-sortables").sortable({placeholder:"sortable-placeholder",connectWith:".meta-box-sortables",items:".postbox",handle:".hndle",cursor:"move",delay:d?200:0,distance:2,tolerance:"pointer",forcePlaceholderSize:!0,helper:"clone",opacity:.65,stop:function(){return a(this).find("#dashboard_browser_nag").is(":visible")&&"dashboard_browser_nag"!=this.firstChild.id?(a(this).sortable("cancel"),void 0):(postboxes.save_order(b),void 0)},receive:function(b,c){"dashboard_browser_nag"==c.item[0].id&&a(c.sender).sortable("cancel"),postboxes._mark_area()}}),d&&(a(document.body).bind("orientationchange.postboxes",function(){postboxes._pb_change()}),this._pb_change()),this._mark_area()},save_state:function(b){var c=a(".postbox").filter(".closed").map(function(){return this.id}).get().join(","),d=a(".postbox").filter(":hidden").map(function(){return this.id}).get().join(",");a.post(ajaxurl,{action:"closed-postboxes",closed:c,hidden:d,closedpostboxesnonce:jQuery("#closedpostboxesnonce").val(),page:b})},save_order:function(b){var c,d=a(".columns-prefs input:checked").val()||0;c={action:"meta-box-order",_ajax_nonce:a("#meta-box-order-nonce").val(),page_columns:d,page:b},a(".meta-box-sortables").each(function(){c["order["+this.id.split("-")[0]+"]"]=a(this).sortable("toArray").join(",")}),a.post(ajaxurl,c)},_mark_area:function(){var b=a("div.postbox:visible").length,c=a("#post-body #side-sortables");a("#dashboard-widgets .meta-box-sortables:visible").each(function(){var c=a(this);1==b||c.children(".postbox:visible").length?c.removeClass("empty-container"):c.addClass("empty-container")}),c.length&&(c.children(".postbox:visible").length?c.removeClass("empty-container"):"280px"==a("#postbox-container-1").css("width")&&c.addClass("empty-container"))},_pb_edit:function(b){var c=a(".metabox-holder").get(0);c.className=c.className.replace(/columns-\d+/,"columns-"+b)},_pb_change:function(){var b=a('label.columns-prefs-1 input[type="radio"]');switch(window.orientation){case 90:case-90:b.length&&b.is(":checked")||this._pb_edit(2);break;case 0:case 180:a("#poststuff").length?this._pb_edit(1):b.length&&b.is(":checked")||this._pb_edit(2)}},pbshow:!1,pbhide:!1}}(jQuery);
+var postboxes;!function(i){postboxes={add_postbox_toggles:function(s,e){var t=this;t.init(s,e),i(".postbox h3, .postbox .handlediv").bind("click.postboxes",function(){var e=i(this).parent(".postbox"),o=e.attr("id");"dashboard_browser_nag"!=o&&(e.toggleClass("closed"),"press-this"!=s&&t.save_state(s),o&&(!e.hasClass("closed")&&i.isFunction(postboxes.pbshow)?t.pbshow(o):e.hasClass("closed")&&i.isFunction(postboxes.pbhide)&&t.pbhide(o)))}),i(".postbox h3 a").click(function(e){e.stopPropagation()}),i(".postbox a.dismiss").bind("click.postboxes",function(e){var o=i(this).parents(".postbox").attr("id")+"-hide";return i("#"+o).prop("checked",!1).triggerHandler("click"),!1}),i(".hide-postbox-tog").bind("click.postboxes",function(){var e=i(this).val();i(this).prop("checked")?(i("#"+e).show(),i.isFunction(postboxes.pbshow)&&t.pbshow(e)):(i("#"+e).hide(),i.isFunction(postboxes.pbhide)&&t.pbhide(e)),t.save_state(s),t._mark_area()}),i('.columns-prefs input[type="radio"]').bind("click.postboxes",function(){var e=parseInt(i(this).val(),10);e&&(t._pb_edit(e),t.save_order(s))})},init:function(s,e){var o=i(document.body).hasClass("mobile");i.extend(this,e||{}),i("#wpbody-content").css("overflow","hidden"),i(".meta-box-sortables").sortable({placeholder:"sortable-placeholder",connectWith:".meta-box-sortables",items:".postbox",handle:".hndle",cursor:"move",delay:o?200:0,distance:2,tolerance:"pointer",forcePlaceholderSize:!0,helper:"clone",opacity:.65,stop:function(e,o){i(this).find("#dashboard_browser_nag").is(":visible")&&"dashboard_browser_nag"!=this.firstChild.id?i(this).sortable("cancel"):postboxes.save_order(s)},receive:function(e,o){"dashboard_browser_nag"==o.item[0].id&&i(o.sender).sortable("cancel"),postboxes._mark_area()}}),o&&(i(document.body).bind("orientationchange.postboxes",function(){postboxes._pb_change()}),this._pb_change()),this._mark_area()},save_state:function(e){var o=i(".postbox").filter(".closed").map(function(){return this.id}).get().join(","),s=i(".postbox").filter(":hidden").map(function(){return this.id}).get().join(",");i.post(ajaxurl,{action:"closed-postboxes",closed:o,hidden:s,closedpostboxesnonce:jQuery("#closedpostboxesnonce").val(),page:e})},save_order:function(e){var o=i(".columns-prefs input:checked").val()||0,s={action:"meta-box-order",_ajax_nonce:i("#meta-box-order-nonce").val(),page_columns:o,page:e};i(".meta-box-sortables").each(function(){s["order["+this.id.split("-")[0]+"]"]=i(this).sortable("toArray").join(",")}),i.post(ajaxurl,s)},_mark_area:function(){var t=i("div.postbox:visible").length,e=i("#post-body #side-sortables");i("#dashboard-widgets .meta-box-sortables:visible").each(function(e,o){var s=i(this);1==t||s.children(".postbox:visible").length?s.removeClass("empty-container"):s.addClass("empty-container")}),e.length&&(e.children(".postbox:visible").length?e.removeClass("empty-container"):"280px"==i("#postbox-container-1").css("width")&&e.addClass("empty-container"))},_pb_edit:function(e){var o=i(".metabox-holder").get(0);o.className=o.className.replace(/columns-\d+/,"columns-"+e)},_pb_change:function(){var e=i('label.columns-prefs-1 input[type="radio"]');switch(window.orientation){case 90:case-90:e.length&&e.is(":checked")||this._pb_edit(2);break;case 0:case 180:i("#poststuff").length?this._pb_edit(1):e.length&&e.is(":checked")||this._pb_edit(2)}},pbshow:!1,pbhide:!1}}(jQuery);

wp-admin/js/set-post-thumbnail.min.js

@@ -1 +1 @@
-function WPSetAsThumbnail(a,b){var c=jQuery("a#wp-post-thumbnail-"+a);c.text(setPostThumbnailL10n.saving),jQuery.post(ajaxurl,{action:"set-post-thumbnail",post_id:post_id,thumbnail_id:a,_ajax_nonce:b,cookie:encodeURIComponent(document.cookie)},function(b){var d=window.dialogArguments||opener||parent||top;c.text(setPostThumbnailL10n.setThumbnail),"0"==b?alert(setPostThumbnailL10n.error):(jQuery("a.wp-post-thumbnail").show(),c.text(setPostThumbnailL10n.done),c.fadeOut(2e3),d.WPSetThumbnailID(a),d.WPSetThumbnailHTML(b))})}
+function WPSetAsThumbnail(e,t){var o=jQuery("a#wp-post-thumbnail-"+e);o.text(setPostThumbnailL10n.saving),jQuery.post(ajaxurl,{action:"set-post-thumbnail",post_id:post_id,thumbnail_id:e,_ajax_nonce:t,cookie:encodeURIComponent(document.cookie)},function(t){var n=window.dialogArguments||opener||parent||top;o.text(setPostThumbnailL10n.setThumbnail),"0"==t?alert(setPostThumbnailL10n.error):(jQuery("a.wp-post-thumbnail").show(),o.text(setPostThumbnailL10n.done),o.fadeOut(2e3),n.WPSetThumbnailID(e),n.WPSetThumbnailHTML(t))})}

wp-admin/js/tags.min.js

@@ -1 +1 @@
-jQuery(document).ready(function(a){a("#the-list").on("click",".delete-tag",function(){var b,c=a(this),d=c.parents("tr"),e=!0;return"undefined"!=showNotice&&(e=showNotice.warn()),e&&(b=c.attr("href").replace(/[^?]*\?/,"").replace(/action=delete/,"action=delete-tag"),a.post(ajaxurl,b,function(c){"1"==c?(a("#ajax-response").empty(),d.fadeOut("normal",function(){d.remove()}),a('select#parent option[value="'+b.match(/tag_ID=(\d+)/)[1]+'"]').remove(),a("a.tag-link-"+b.match(/tag_ID=(\d+)/)[1]).remove()):"-1"==c?(a("#ajax-response").empty().append('<div class="error"><p>'+tagsl10n.noPerm+"</p></div>"),d.children().css("backgroundColor","")):(a("#ajax-response").empty().append('<div class="error"><p>'+tagsl10n.broken+"</p></div>"),d.children().css("backgroundColor",""))}),d.children().css("backgroundColor","#f33")),!1}),a("#submit").click(function(){var b=a(this).parents("form");return validateForm(b)?(a.post(ajaxurl,a("#addtag").serialize(),function(c){a("#ajax-response").empty();var d=wpAjax.parseAjaxResponse(c,"ajax-response");if(d&&!d.errors){var e=b.find("select#parent").val();if(e>0&&a("#tag-"+e).length>0?a(".tags #tag-"+e).after(d.responses[0].supplemental.noparents):a(".tags").prepend(d.responses[0].supplemental.parents),a(".tags .no-items").remove(),b.find("select#parent")){for(var f=d.responses[1].supplemental,g="",h=0;h<d.responses[1].position;h++)g+="&nbsp;&nbsp;&nbsp;";b.find("select#parent option:selected").after('<option value="'+f.term_id+'">'+g+f.name+"</option>")}a('input[type="text"]:visible, textarea:visible',b).val("")}}),!1):!1})});
+jQuery(document).ready(function(s){s("#the-list").on("click",".delete-tag",function(e){var t,a=s(this),n=a.parents("tr"),r=!0;return(r="undefined"!=showNotice?showNotice.warn():r)&&(t=a.attr("href").replace(/[^?]*\?/,"").replace(/action=delete/,"action=delete-tag"),s.post(ajaxurl,t,function(e){"1"==e?(s("#ajax-response").empty(),n.fadeOut("normal",function(){n.remove()}),s('select#parent option[value="'+t.match(/tag_ID=(\d+)/)[1]+'"]').remove(),s("a.tag-link-"+t.match(/tag_ID=(\d+)/)[1]).remove()):("-1"==e?s("#ajax-response").empty().append('<div class="error"><p>'+tagsl10n.noPerm+"</p></div>"):s("#ajax-response").empty().append('<div class="error"><p>'+tagsl10n.broken+"</p></div>"),n.children().css("backgroundColor",""))}),n.children().css("backgroundColor","#f33")),!1}),s("#submit").click(function(){var r=s(this).parents("form");return validateForm(r)&&s.post(ajaxurl,s("#addtag").serialize(),function(e){s("#ajax-response").empty();var t=wpAjax.parseAjaxResponse(e,"ajax-response");if(t&&!t.errors){e=r.find("select#parent").val();if(0<e&&0<s("#tag-"+e).length?s(".tags #tag-"+e).after(t.responses[0].supplemental.noparents):s(".tags").prepend(t.responses[0].supplemental.parents),s(".tags .no-items").remove(),r.find("select#parent")){for(var e=t.responses[1].supplemental,a="",n=0;n<t.responses[1].position;n++)a+="&nbsp;&nbsp;&nbsp;";r.find("select#parent option:selected").after('<option value="'+e.term_id+'">'+a+e.name+"</option>")}s('input[type="text"]:visible, textarea:visible',r).val("")}}),!1})});

wp-admin/js/theme-preview.min.js

@@ -1 +1 @@
-var thickDims,tbWidth,tbHeight;jQuery(document).ready(function(a){thickDims=function(){var b,c,d=a("#TB_window"),e=a(window).height(),f=a(window).width();b=tbWidth&&f-90>tbWidth?tbWidth:f-90,c=tbHeight&&e-60>tbHeight?tbHeight:e-60,d.size()&&(d.width(b).height(c),a("#TB_iframeContent").width(b).height(c-27),d.css({"margin-left":"-"+parseInt(b/2,10)+"px"}),"undefined"!=typeof document.body.style.maxWidth&&d.css({top:"30px","margin-top":"0"}))},thickDims(),a(window).resize(function(){thickDims()}),a("a.thickbox-preview").click(function(){tb_click.call(this);var b,c,d=a(this).parents(".available-theme").find(".activatelink"),e="",f=a(this).attr("href");return tbWidth=(tbWidth=f.match(/&tbWidth=[0-9]+/))?parseInt(tbWidth[0].replace(/[^0-9]+/g,""),10):a(window).width()-90,tbHeight=(tbHeight=f.match(/&tbHeight=[0-9]+/))?parseInt(tbHeight[0].replace(/[^0-9]+/g,""),10):a(window).height()-60,d.length?(b=d.attr("href")||"",c=d.attr("title")||"",e='&nbsp; <a href="'+b+'" target="_top" class="tb-theme-preview-link">'+c+"</a>"):(c=a(this).attr("title")||"",e='&nbsp; <span class="tb-theme-preview-link">'+c+"</span>"),a("#TB_title").css({"background-color":"#222",color:"#dfdfdf"}),a("#TB_closeAjaxWindow").css({"float":"left"}),a("#TB_ajaxWindowTitle").css({"float":"right"}).html(e),a("#TB_iframeContent").width("100%"),thickDims(),!1})});
+var thickDims,tbWidth,tbHeight;jQuery(document).ready(function(h){(thickDims=function(){var t=h("#TB_window"),i=h(window).height(),e=h(window).width(),e=tbWidth&&tbWidth<e-90?tbWidth:e-90,i=tbHeight&&tbHeight<i-60?tbHeight:i-60;t.size()&&(t.width(e).height(i),h("#TB_iframeContent").width(e).height(i-27),t.css({"margin-left":"-"+parseInt(e/2,10)+"px"}),void 0!==document.body.style.maxWidth&&t.css({top:"30px","margin-top":"0"}))})(),h(window).resize(function(){thickDims()}),h("a.thickbox-preview").click(function(){tb_click.call(this);var t=h(this).parents(".available-theme").find(".activatelink"),i="",e=h(this).attr("href");return tbWidth=(tbWidth=e.match(/&tbWidth=[0-9]+/))?parseInt(tbWidth[0].replace(/[^0-9]+/g,""),10):h(window).width()-90,tbHeight=(tbHeight=e.match(/&tbHeight=[0-9]+/))?parseInt(tbHeight[0].replace(/[^0-9]+/g,""),10):h(window).height()-60,i=t.length?'&nbsp; <a href="'+(t.attr("href")||"")+'" target="_top" class="tb-theme-preview-link">'+(t.attr("title")||"")+"</a>":'&nbsp; <span class="tb-theme-preview-link">'+(h(this).attr("title")||"")+"</span>",h("#TB_title").css({"background-color":"#222",color:"#dfdfdf"}),h("#TB_closeAjaxWindow").css({float:"left"}),h("#TB_ajaxWindowTitle").css({float:"right"}).html(i),h("#TB_iframeContent").width("100%"),thickDims(),!1})});

wp-admin/js/theme.min.js

@@ -1 +1 @@
-jQuery(function(a){a("#availablethemes").on("click",".theme-detail",function(b){var c=a(this).closest(".available-theme"),d=c.find(".themedetaildiv");d.length||(d=c.find(".install-theme-info .theme-details"),d=d.clone().addClass("themedetaildiv").appendTo(c).hide()),d.toggle(),b.preventDefault()})});var tb_position;jQuery(document).ready(function(a){tb_position=function(){var b=a("#TB_window"),c=a(window).width(),d=a(window).height(),e=c>1040?1040:c,f=0;a("body.admin-bar").length&&(f=28),b.size()&&(b.width(e-50).height(d-45-f),a("#TB_iframeContent").width(e-50).height(d-75-f),b.css({"margin-left":"-"+parseInt((e-50)/2,10)+"px"}),"undefined"!=typeof document.body.style.maxWidth&&b.css({top:20+f+"px","margin-top":"0"}))},a(window).resize(function(){tb_position()})}),jQuery(function(a){if(window.postMessage){var b=a("#theme-installer"),c=b.find(".install-theme-info"),d=b.find(".wp-full-overlay-main"),e=a(document.body);b.on("click",".close-full-overlay",function(a){b.fadeOut(200,function(){d.empty(),e.removeClass("theme-installer-active full-overlay-active")}),a.preventDefault()}),b.on("click",".collapse-sidebar",function(a){b.toggleClass("collapsed").toggleClass("expanded"),a.preventDefault()}),a("#availablethemes").on("click",".install-theme-preview",function(f){var g;c.html(a(this).closest(".installable-theme").find(".install-theme-info").html()),g=c.find(".theme-preview-url").val(),d.html('<iframe src="'+g+'" />'),b.fadeIn(200,function(){e.addClass("theme-installer-active full-overlay-active")}),f.preventDefault()})}});var ThemeViewer;!function(a){ThemeViewer=function(){function b(){a("#filter-click, #mini-filter-click").unbind("click").click(function(){return a("#filter-click").toggleClass("current"),a("#filter-box").slideToggle(),a("#current-theme").slideToggle(300),!1}),a("#filter-box :checkbox").unbind("click").click(function(){var b=a("#filter-box :checked").length,c=a("#filter-click").text();-1!=c.indexOf("(")&&(c=c.substr(0,c.indexOf("("))),0==b?a("#filter-click").text(c):a("#filter-click").text(c+" ("+b+")")})}var c={init:b};return c}}(jQuery),jQuery(document).ready(function(){theme_viewer=new ThemeViewer,theme_viewer.init()});var ThemeScroller;!function(a){ThemeScroller={querying:!1,scrollPollingDelay:500,failedRetryDelay:4e3,outListBottomThreshold:300,init:function(){var b=this;return"undefined"==typeof ajaxurl||"undefined"==typeof list_args||"undefined"==typeof theme_list_args?(a(".pagination-links").show(),void 0):(this.nonce=a("#_ajax_fetch_list_nonce").val(),this.nextPage=theme_list_args.paged+1,this.$outList=a("#availablethemes"),this.$spinner=a("div.tablenav.bottom").children(".spinner"),this.$window=a(window),this.$document=a(document),theme_list_args.total_pages>=this.nextPage&&(this.pollInterval=setInterval(function(){return b.poll()},this.scrollPollingDelay)),void 0)},poll:function(){var a=this.$document.scrollTop()+this.$window.innerHeight();this.querying||a<this.$outList.height()-this.outListBottomThreshold||this.ajax()},process:function(a){return void 0===a?(clearInterval(this.pollInterval),void 0):(this.nextPage>theme_list_args.total_pages&&clearInterval(this.pollInterval),this.nextPage<=theme_list_args.total_pages+1&&this.$outList.append(a.rows),void 0)},ajax:function(){var b=this;this.querying=!0;var c={action:"fetch-list",paged:this.nextPage,s:theme_list_args.search,tab:theme_list_args.tab,type:theme_list_args.type,_ajax_fetch_list_nonce:this.nonce,"features[]":theme_list_args.features,list_args:list_args};this.$spinner.show(),a.getJSON(ajaxurl,c).done(function(a){b.nextPage++,b.process(a),b.$spinner.hide(),b.querying=!1}).fail(function(){b.$spinner.hide(),b.querying=!1,setTimeout(function(){b.ajax()},b.failedRetryDelay)})}},a(document).ready(function(){ThemeScroller.init()})}(jQuery);
+var tb_position,ThemeViewer,ThemeScroller;jQuery(function(n){n("#availablethemes").on("click",".theme-detail",function(e){var t=n(this).closest(".available-theme"),i=t.find(".themedetaildiv");(i=!i.length?(i=t.find(".install-theme-info .theme-details")).clone().addClass("themedetaildiv").appendTo(t).hide():i).toggle(),e.preventDefault()})}),jQuery(document).ready(function(l){tb_position=function(){var e=l("#TB_window"),t=l(window).width(),i=l(window).height(),n=1040<t?1040:t,t=0;l("body.admin-bar").length&&(t=28),e.size()&&(e.width(n-50).height(i-45-t),l("#TB_iframeContent").width(n-50).height(i-75-t),e.css({"margin-left":"-"+parseInt((n-50)/2,10)+"px"}),void 0!==document.body.style.maxWidth&&e.css({top:20+t+"px","margin-top":"0"}))},l(window).resize(function(){tb_position()})}),jQuery(function(i){var n,l,a,s;window.postMessage&&(n=i("#theme-installer"),l=n.find(".install-theme-info"),a=n.find(".wp-full-overlay-main"),s=i(document.body),n.on("click",".close-full-overlay",function(e){n.fadeOut(200,function(){a.empty(),s.removeClass("theme-installer-active full-overlay-active")}),e.preventDefault()}),n.on("click",".collapse-sidebar",function(e){n.toggleClass("collapsed").toggleClass("expanded"),e.preventDefault()}),i("#availablethemes").on("click",".install-theme-preview",function(e){var t;l.html(i(this).closest(".installable-theme").find(".install-theme-info").html()),t=l.find(".theme-preview-url").val(),a.html('<iframe src="'+t+'" />'),n.fadeIn(200,function(){s.addClass("theme-installer-active full-overlay-active")}),e.preventDefault()}))}),function(i){ThemeViewer=function(e){return{init:function(){i("#filter-click, #mini-filter-click").unbind("click").click(function(){return i("#filter-click").toggleClass("current"),i("#filter-box").slideToggle(),i("#current-theme").slideToggle(300),!1}),i("#filter-box :checkbox").unbind("click").click(function(){var e=i("#filter-box :checked").length,t=i("#filter-click").text();-1!=t.indexOf("(")&&(t=t.substr(0,t.indexOf("("))),0==e?i("#filter-click").text(t):i("#filter-click").text(t+" ("+e+")")})}}}}(jQuery),jQuery(document).ready(function(e){theme_viewer=new ThemeViewer,theme_viewer.init()}),function(i){ThemeScroller={querying:!1,scrollPollingDelay:500,failedRetryDelay:4e3,outListBottomThreshold:300,init:function(){var e=this;"undefined"!=typeof ajaxurl&&"undefined"!=typeof list_args&&"undefined"!=typeof theme_list_args?(this.nonce=i("#_ajax_fetch_list_nonce").val(),this.nextPage=theme_list_args.paged+1,this.$outList=i("#availablethemes"),this.$spinner=i("div.tablenav.bottom").children(".spinner"),this.$window=i(window),this.$document=i(document),theme_list_args.total_pages>=this.nextPage&&(this.pollInterval=setInterval(function(){return e.poll()},this.scrollPollingDelay))):i(".pagination-links").show()},poll:function(){var e=this.$document.scrollTop()+this.$window.innerHeight();this.querying||e<this.$outList.height()-this.outListBottomThreshold||this.ajax()},process:function(e){void 0!==e?(this.nextPage>theme_list_args.total_pages&&clearInterval(this.pollInterval),this.nextPage<=theme_list_args.total_pages+1&&this.$outList.append(e.rows)):clearInterval(this.pollInterval)},ajax:function(){var t=this;this.querying=!0;var e={action:"fetch-list",paged:this.nextPage,s:theme_list_args.search,tab:theme_list_args.tab,type:theme_list_args.type,_ajax_fetch_list_nonce:this.nonce,"features[]":theme_list_args.features,list_args:list_args};this.$spinner.show(),i.getJSON(ajaxurl,e).done(function(e){t.nextPage++,t.process(e),t.$spinner.hide(),t.querying=!1}).fail(function(){t.$spinner.hide(),t.querying=!1,setTimeout(function(){t.ajax()},t.failedRetryDelay)})}},i(document).ready(function(e){ThemeScroller.init()})}(jQuery);

wp-admin/js/user-profile.min.js

@@ -1 +1 @@
-!function(a){function b(){var b,c=a("#pass1").val(),d=(a("#user_login").val(),a("#pass2").val());if(a("#pass-strength-result").removeClass("short bad good strong"),!c)return a("#pass-strength-result").html(pwsL10n.empty),void 0;switch(b=wp.passwordStrength.meter(c,wp.passwordStrength.userInputBlacklist(),d)){case 2:a("#pass-strength-result").addClass("bad").html(pwsL10n.bad);break;case 3:a("#pass-strength-result").addClass("good").html(pwsL10n.good);break;case 4:a("#pass-strength-result").addClass("strong").html(pwsL10n.strong);break;case 5:a("#pass-strength-result").addClass("short").html(pwsL10n.mismatch);break;default:a("#pass-strength-result").addClass("short").html(pwsL10n["short"])}}a(document).ready(function(){var c=a("#display_name");a("#pass1").val("").keyup(b),a("#pass2").val("").keyup(b),a("#pass-strength-result").show(),a(".color-palette").click(function(){a(this).siblings('input[name="admin_color"]').prop("checked",!0)}),c.length&&a("#first_name, #last_name, #nickname").bind("blur.user_profile",function(){var b=[],d={display_nickname:a("#nickname").val()||"",display_username:a("#user_login").val()||"",display_firstname:a("#first_name").val()||"",display_lastname:a("#last_name").val()||""};d.display_firstname&&d.display_lastname&&(d.display_firstlast=d.display_firstname+" "+d.display_lastname,d.display_lastfirst=d.display_lastname+" "+d.display_firstname),a.each(a("option",c),function(a,c){b.push(c.value)}),a.each(d,function(e,f){if(f){var g=f.replace(/<\/?[a-z][^>]*>/gi,"");d[e].length&&-1==a.inArray(g,b)&&(b.push(g),a("<option />",{text:g}).appendTo(c))}})})})}(jQuery);
+!function(l){function s(){var s=l("#pass1").val(),a=(l("#user_login").val(),l("#pass2").val());if(l("#pass-strength-result").removeClass("short bad good strong"),s)switch(wp.passwordStrength.meter(s,wp.passwordStrength.userInputBlacklist(),a)){case 2:l("#pass-strength-result").addClass("bad").html(pwsL10n.bad);break;case 3:l("#pass-strength-result").addClass("good").html(pwsL10n.good);break;case 4:l("#pass-strength-result").addClass("strong").html(pwsL10n.strong);break;case 5:l("#pass-strength-result").addClass("short").html(pwsL10n.mismatch);break;default:l("#pass-strength-result").addClass("short").html(pwsL10n.short)}else l("#pass-strength-result").html(pwsL10n.empty)}l(document).ready(function(){var n=l("#display_name");l("#pass1").val("").keyup(s),l("#pass2").val("").keyup(s),l("#pass-strength-result").show(),l(".color-palette").click(function(){l(this).siblings('input[name="admin_color"]').prop("checked",!0)}),n.length&&l("#first_name, #last_name, #nickname").bind("blur.user_profile",function(){var t=[],e={display_nickname:l("#nickname").val()||"",display_username:l("#user_login").val()||"",display_firstname:l("#first_name").val()||"",display_lastname:l("#last_name").val()||""};e.display_firstname&&e.display_lastname&&(e.display_firstlast=e.display_firstname+" "+e.display_lastname,e.display_lastfirst=e.display_lastname+" "+e.display_firstname),l.each(l("option",n),function(s,a){t.push(a.value)}),l.each(e,function(s,a){a&&(a=a.replace(/<\/?[a-z][^>]*>/gi,""),e[s].length&&-1==l.inArray(a,t)&&(t.push(a),l("<option />",{text:a}).appendTo(n)))})})})}(jQuery);

wp-admin/js/user-suggest.min.js

@@ -1 +1 @@
-!function(a){var b="undefined"!=typeof current_site_id?"&site_id="+current_site_id:"";a(document).ready(function(){a(".wp-suggest-user").autocomplete({source:ajaxurl+"?action=autocomplete-user&autocomplete_type=add"+b,delay:500,minLength:2,position:"undefined"!=typeof isRtl&&isRtl?{my:"right top",at:"right bottom",offset:"0, -1"}:{offset:"0, -1"},open:function(){a(this).addClass("open")},close:function(){a(this).removeClass("open")}})})}(jQuery);
+!function(e){var t="undefined"!=typeof current_site_id?"&site_id="+current_site_id:"";e(document).ready(function(){e(".wp-suggest-user").autocomplete({source:ajaxurl+"?action=autocomplete-user&autocomplete_type=add"+t,delay:500,minLength:2,position:"undefined"!=typeof isRtl&&isRtl?{my:"right top",at:"right bottom",offset:"0, -1"}:{offset:"0, -1"},open:function(){e(this).addClass("open")},close:function(){e(this).removeClass("open")}})})}(jQuery);

wp-admin/js/word-count.min.js

@@ -1 +1 @@
-!function(a,b){wpWordCount={settings:{strip:/<[a-zA-Z\/][^<>]*>/g,clean:/[0-9.(),;:!?%#$¿'"_+=\\/-]+/g,w:/\S\s+/g,c:/\S/g},block:0,wc:function(c,d){var e=this,f=a(".word-count"),g=0;d===b&&(d=wordCountL10n.type),"w"!==d&&"c"!==d&&(d="w"),e.block||(e.block=1,setTimeout(function(){c&&(c=c.replace(e.settings.strip," ").replace(/&nbsp;|&#160;/gi," "),c=c.replace(e.settings.clean,""),c.replace(e.settings[d],function(){g++})),f.html(g.toString()),setTimeout(function(){e.block=0},2e3)},1))}},a(document).bind("wpcountwords",function(a,b){wpWordCount.wc(b)})}(jQuery);
+!function(i){wpWordCount={settings:{strip:/<[a-zA-Z\/][^<>]*>/g,clean:/[0-9.(),;:!?%#$¿'"_+=\\/-]+/g,w:/\S\s+/g,c:/\S/g},block:0,wc:function(t,n){var o=this,c=i(".word-count"),e=0;"w"!==(n=void 0===n?wordCountL10n.type:n)&&"c"!==n&&(n="w"),o.block||(o.block=1,setTimeout(function(){t&&(t=(t=t.replace(o.settings.strip," ").replace(/&nbsp;|&#160;/gi," ")).replace(o.settings.clean,"")).replace(o.settings[n],function(){e++}),c.html(e.toString()),setTimeout(function(){o.block=0},2e3)},1))}},i(document).bind("wpcountwords",function(t,n){wpWordCount.wc(n)})}(jQuery);

wp-admin/js/xfn.min.js

@@ -1 +1 @@
-jQuery(document).ready(function(a){a("#link_rel").prop("readonly",!0),a("#linkxfndiv input").bind("click keyup",function(){var b=a("#me").is(":checked"),c="";a("input.valinp").each(function(){b?a(this).prop("disabled",!0).parent().addClass("disabled"):(a(this).removeAttr("disabled").parent().removeClass("disabled"),a(this).is(":checked")&&""!=a(this).val()&&(c+=a(this).val()+" "))}),a("#link_rel").val(b?"me":c.substr(0,c.length-1))})});
+jQuery(document).ready(function(n){n("#link_rel").prop("readonly",!0),n("#linkxfndiv input").bind("click keyup",function(){var e=n("#me").is(":checked"),i="";n("input.valinp").each(function(){e?n(this).prop("disabled",!0).parent().addClass("disabled"):(n(this).removeAttr("disabled").parent().removeClass("disabled"),n(this).is(":checked")&&""!=n(this).val()&&(i+=n(this).val()+" "))}),n("#link_rel").val(e?"me":i.substr(0,i.length-1))})});

wp-admin/media-new.php

@@ -73,9 +73,9 @@ if ( get_user_setting('uploader') || isset( $_GET['browser-uploader'] ) )
 	<?php media_upload_form(); ?>
 
 	<script type="text/javascript">
-	var post_id = <?php echo $post_id; ?>, shortform = 3;
+	var post_id = <?php echo absint( $post_id ); ?>, shortform = 3;
 	</script>
-	<input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
+	<input type="hidden" name="post_id" id="post_id" value="<?php echo absint( $post_id ); ?>" />
 	<?php wp_nonce_field('media-form'); ?>
 	<div id="media-items" class="hide-if-no-js"></div>
 	</form>

wp-admin/network/settings.php

@@ -224,7 +224,7 @@ if ( isset( $_GET['updated'] ) ) {
 			<tr valign="top">
 				<th scope="row"><label for="first_comment_author"><?php _e( 'First Comment Author' ) ?></label></th>
 				<td>
-					<input type="text" size="40" name="first_comment_author" id="first_comment_author" value="<?php echo get_site_option('first_comment_author') ?>" />
+					<input type="text" size="40" name="first_comment_author" id="first_comment_author" value="<?php echo esc_attr( get_site_option('first_comment_author') ); ?>" />
 					<br />
 					<?php _e( 'The author of the first comment on a new site.' ) ?>
 				</td>

wp-admin/network/site-users.php

@@ -171,7 +171,7 @@ require( ABSPATH . 'wp-admin/admin-header.php' ); ?>
 
 <script type='text/javascript'>
 /* <![CDATA[ */
-var current_site_id = <?php echo $id; ?>;
+var current_site_id = <?php echo absint( $id ); ?>;
 /* ]]> */
 </script>
 

wp-admin/plugin-editor.php

@@ -86,9 +86,9 @@ default:
 			wp_die( $error );
 
 		if ( ( ! empty( $_GET['networkwide'] ) && ! is_plugin_active_for_network($file) ) || ! is_plugin_active($file) )
-			activate_plugin($file, "plugin-editor.php?file=$file&phperror=1", ! empty( $_GET['networkwide'] ) ); // we'll override this later if the plugin can be included without fatal error
+			activate_plugin($file, "plugin-editor.php?file=" . urlencode( $file ) . "&phperror=1", ! empty( $_GET['networkwide'] ) ); // we'll override this later if the plugin can be included without fatal error
 
-		wp_redirect( self_admin_url("plugin-editor.php?file=$file&a=te&scrollto=$scrollto") );
+		wp_redirect( self_admin_url("plugin-editor.php?file=" . urlencode( $file ) . "&a=te&scrollto=$scrollto") );
 		exit;
 	}
 
@@ -175,14 +175,14 @@ default:
 <big><?php
 	if ( is_plugin_active($plugin) ) {
 		if ( is_writeable($real_file) )
-			echo sprintf(__('Editing <strong>%s</strong> (active)'), $file);
+			echo sprintf(__('Editing <strong>%s</strong> (active)'), esc_html( $file ) );
 		else
-			echo sprintf(__('Browsing <strong>%s</strong> (active)'), $file);
+			echo sprintf(__('Browsing <strong>%s</strong> (active)'), esc_html( $file ) );
 	} else {
 		if ( is_writeable($real_file) )
-			echo sprintf(__('Editing <strong>%s</strong> (inactive)'), $file);
+			echo sprintf(__('Editing <strong>%s</strong> (inactive)'), esc_html( $file ) );
 		else
-			echo sprintf(__('Browsing <strong>%s</strong> (inactive)'), $file);
+			echo sprintf(__('Browsing <strong>%s</strong> (inactive)'), esc_html( $file ) );
 	}
 	?></big>
 </div>
@@ -226,7 +226,7 @@ foreach ( $plugin_files as $plugin_file ) :
 		continue;
 	}
 ?>
-		<li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo $plugin_file ?></a></li>
+		<li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo esc_html( $plugin_file ); ?></a></li>
 <?php endforeach; ?>
 	</ul>
 </div>

wp-admin/plugins.php

@@ -17,7 +17,7 @@ $pagenum = $wp_list_table->get_pagenum();
 
 $action = $wp_list_table->current_action();
 
-$plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';
+$plugin = isset($_REQUEST['plugin']) ? wp_unslash( $_REQUEST['plugin'] ) : '';
 $s = isset($_REQUEST['s']) ? urlencode($_REQUEST['s']) : '';
 
 // Clean up request URI from temporary args for screen options/paging uri's to work as expected.
@@ -37,10 +37,10 @@ if ( $action ) {
 
 			check_admin_referer('activate-plugin_' . $plugin);
 
-			$result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . $plugin), is_network_admin() );
+			$result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . urlencode( $plugin ) ), is_network_admin() );
 			if ( is_wp_error( $result ) ) {
 				if ( 'unexpected_output' == $result->get_error_code() ) {
-					$redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . $plugin . "&plugin_status=$status&paged=$page&s=$s");
+					$redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . urlencode( $plugin ) . "&plugin_status=$status&paged=$page&s=$s");
 					wp_redirect(add_query_arg('_error_nonce', wp_create_nonce('plugin-activation-error_' . $plugin), $redirect));
 					exit;
 				} else {
@@ -67,7 +67,7 @@ if ( $action ) {
 
 			check_admin_referer('bulk-plugins');
 
-			$plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
+			$plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
 
 			// Only activate plugins which are not already active.
 			if ( is_network_admin() ) {
@@ -104,9 +104,9 @@ if ( $action ) {
 			check_admin_referer( 'bulk-plugins' );
 
 			if ( isset( $_GET['plugins'] ) )
-				$plugins = explode( ',', $_GET['plugins'] );
+				$plugins = explode( ',', wp_unslash( $_GET['plugins'] ) );
 			elseif ( isset( $_POST['checked'] ) )
-				$plugins = (array) $_POST['checked'];
+				$plugins = (array) wp_unslash( $_POST['checked'] );
 			else
 				$plugins = array();
 
@@ -176,7 +176,7 @@ if ( $action ) {
 
 			check_admin_referer('bulk-plugins');
 
-			$plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
+			$plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array();
 			// Do not deactivate plugins which are already deactivated.
 			if ( is_network_admin() ) {
 				$plugins = array_filter( $plugins, 'is_plugin_active_for_network' );
@@ -208,7 +208,7 @@ if ( $action ) {
 			check_admin_referer('bulk-plugins');
 
 			//$_POST = from the plugin form; $_GET = from the FTP details screen.
-			$plugins = isset( $_REQUEST['checked'] ) ? (array) $_REQUEST['checked'] : array();
+			$plugins = isset( $_REQUEST['checked'] ) ? (array) wp_unslash( $_REQUEST['checked'] ) : array();
 			if ( empty( $plugins ) ) {
 				wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") );
 				exit;
@@ -220,6 +220,14 @@ if ( $action ) {
 				exit;
 			}
 
+			// Bail on all if any paths are invalid.
+			// validate_file() returns truthy for invalid files
+			$invalid_plugin_files = array_filter( $plugins, 'validate_file' );
+			if ( $invalid_plugin_files ) {
+				wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") );
+				exit;
+			}
+
 			include(ABSPATH . 'wp-admin/update.php');
 
 			$parent_file = 'plugins.php';
@@ -364,7 +372,7 @@ require_once(ABSPATH . 'wp-admin/admin-header.php');
 $invalid = validate_active_plugins();
 if ( !empty($invalid) )
 	foreach ( $invalid as $plugin_file => $error )
-		echo '<div id="message" class="error"><p>' . sprintf(__('The plugin <code>%s</code> has been <strong>deactivated</strong> due to an error: %s'), esc_html($plugin_file), $error->get_error_message()) . '</p></div>';
+		echo '<div id="message" class="error"><p>' . sprintf(__('The plugin <code>%s</code> has been <strong>deactivated</strong> due to an error: %s'), esc_html($plugin_file), esc_html( $error->get_error_message() ) ) . '</p></div>';
 ?>
 
 <?php if ( isset($_GET['error']) ) :
@@ -389,7 +397,7 @@ if ( !empty($invalid) )
 		delete_transient('plugins_delete_result'); //Delete it once we're done.
 
 		if ( is_wp_error($delete_result) ) : ?>
-		<div id="message" class="updated"><p><?php printf( __('Plugin could not be deleted due to an error: %s'), $delete_result->get_error_message() ); ?></p></div>
+		<div id="message" class="updated"><p><?php printf( __('Plugin could not be deleted due to an error: %s'), esc_html( $delete_result->get_error_message() ) ); ?></p></div>
 		<?php else : ?>
 		<div id="message" class="updated"><p><?php _e('The selected plugins have been <strong>deleted</strong>.'); ?></p></div>
 		<?php endif; ?>

wp-admin/post.php

@@ -16,7 +16,9 @@ $submenu_file = 'edit.php';
 
 wp_reset_vars( array( 'action' ) );
 
-if ( isset( $_GET['post'] ) )
+if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] )
+	wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
+elseif ( isset( $_GET['post'] ) )
  	$post_id = $post_ID = (int) $_GET['post'];
 elseif ( isset( $_POST['post_ID'] ) )
  	$post_id = $post_ID = (int) $_POST['post_ID'];
@@ -76,6 +78,10 @@ function redirect_post($post_id = '') {
 	exit;
 }
 
+if ( isset( $_POST['post_type'] ) && $post && $post_type !== $_POST['post_type'] ) {
+	wp_die( __( 'A post type mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
+}
+
 if ( isset( $_POST['deletepost'] ) )
 	$action = 'delete';
 elseif ( isset($_POST['wp-preview']) && 'dopreview' == $_POST['wp-preview'] )
@@ -146,6 +152,7 @@ case 'edit':
 		wp_die( __( 'You can’t edit this item because it is in the Trash. Please restore it and try again.' ) );
 
 	if ( ! empty( $_GET['get-post-lock'] ) ) {
+		check_admin_referer( 'lock-post_' . $post_id );
 		wp_set_post_lock( $post_id );
 		wp_redirect( get_edit_post_link( $post_id, 'url' ) );
 		exit();
@@ -208,7 +215,7 @@ case 'editattachment':
 
 	// Update the thumbnail filename
 	$newmeta = wp_get_attachment_metadata( $post_id, true );
-	$newmeta['thumb'] = $_POST['thumb'];
+	$newmeta['thumb'] = wp_basename( $_POST['thumb'] );
 
 	wp_update_attachment_metadata( $post_id, $newmeta );
 

wp-admin/press-this.php

@@ -34,8 +34,25 @@ function press_it() {
 	if ( !current_user_can('edit_post', $post_ID) )
 		wp_die(__('You are not allowed to edit this post.'));
 
-	$post['post_category'] = isset($_POST['post_category']) ? $_POST['post_category'] : '';
-	$post['tax_input'] = isset($_POST['tax_input']) ? $_POST['tax_input'] : '';
+	// Only accept categories if the user actually can assign
+	$category_tax = get_taxonomy( 'category' );
+	if ( current_user_can( $category_tax->cap->assign_terms ) ) {
+		$post['post_category'] = ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array();
+	}
+
+	// Only accept taxonomies if the user can actually assign
+	if ( ! empty( $_POST['tax_input'] ) ) {
+		$tax_input = $_POST['tax_input'];
+		foreach ( $tax_input as $tax => $_ti ) {
+			$tax_object = get_taxonomy( $tax );
+			if ( ! $tax_object || ! current_user_can( $tax_object->cap->assign_terms ) ) {
+				unset( $tax_input[ $tax ] );
+			}
+		}
+
+		$post['tax_input'] = $tax_input;
+	}
+
 	$post['post_title'] = isset($_POST['title']) ? $_POST['title'] : '';
 	$content = isset($_POST['content']) ? $_POST['content'] : '';
 
@@ -65,7 +82,7 @@ function press_it() {
 	// error handling for media_sideload
 	if ( is_wp_error($upload) ) {
 		wp_delete_post($post_ID);
-		wp_die($upload);
+		wp_die( esc_html( $upload->get_error_message() ) );
 	} else {
 		// Post formats
 		if ( isset( $_POST['post_format'] ) ) {
@@ -490,75 +507,81 @@ $admin_body_class .= ' locale-' . sanitize_html_class( strtolower( str_replace(
 				</div>
 			</div>
 
-			<?php $tax = get_taxonomy( 'category' ); ?>
-			<div id="categorydiv" class="postbox">
-				<div class="handlediv" title="<?php esc_attr_e( 'Click to toggle' ); ?>"><br /></div>
-				<h3 class="hndle"><?php _e('Categories') ?></h3>
-				<div class="inside">
-				<div id="taxonomy-category" class="categorydiv">
+			<?php
 
-					<ul id="category-tabs" class="category-tabs">
-						<li class="tabs"><a href="#category-all"><?php echo $tax->labels->all_items; ?></a></li>
-						<li class="hide-if-no-js"><a href="#category-pop"><?php _e( 'Most Used' ); ?></a></li>
-					</ul>
+			$tax = get_taxonomy( 'category' );
+			if ( current_user_can( $tax->cap->assign_terms ) ) :
+				?>
+				<div id="categorydiv" class="postbox">
+					<div class="handlediv" title="<?php esc_attr_e( 'Click to toggle' ); ?>"><br /></div>
+					<h3 class="hndle"><?php _e('Categories') ?></h3>
+					<div class="inside">
+					<div id="taxonomy-category" class="categorydiv">
 
-					<div id="category-pop" class="tabs-panel" style="display: none;">
-						<ul id="categorychecklist-pop" class="categorychecklist form-no-clear" >
-							<?php $popular_ids = wp_popular_terms_checklist( 'category' ); ?>
+						<ul id="category-tabs" class="category-tabs">
+							<li class="tabs"><a href="#category-all"><?php echo $tax->labels->all_items; ?></a></li>
+							<li class="hide-if-no-js"><a href="#category-pop"><?php _e( 'Most Used' ); ?></a></li>
 						</ul>
-					</div>
 
-					<div id="category-all" class="tabs-panel">
-						<ul id="categorychecklist" data-wp-lists="list:category" class="categorychecklist form-no-clear">
-							<?php wp_terms_checklist($post_ID, array( 'taxonomy' => 'category', 'popular_cats' => $popular_ids ) ) ?>
-						</ul>
-					</div>
-
-					<?php if ( !current_user_can($tax->cap->assign_terms) ) : ?>
-					<p><em><?php _e('You cannot modify this Taxonomy.'); ?></em></p>
-					<?php endif; ?>
-					<?php if ( current_user_can($tax->cap->edit_terms) ) : ?>
-						<div id="category-adder" class="wp-hidden-children">
-							<h4>
-								<a id="category-add-toggle" href="#category-add" class="hide-if-no-js">
-									<?php printf( __( '+ %s' ), $tax->labels->add_new_item ); ?>
-								</a>
-							</h4>
-							<p id="category-add" class="category-add wp-hidden-child">
-								<label class="screen-reader-text" for="newcategory"><?php echo $tax->labels->add_new_item; ?></label>
-								<input type="text" name="newcategory" id="newcategory" class="form-required form-input-tip" value="<?php echo esc_attr( $tax->labels->new_item_name ); ?>" aria-required="true"/>
-								<label class="screen-reader-text" for="newcategory_parent">
-									<?php echo $tax->labels->parent_item_colon; ?>
-								</label>
-								<?php wp_dropdown_categories( array( 'taxonomy' => 'category', 'hide_empty' => 0, 'name' => 'newcategory_parent', 'orderby' => 'name', 'hierarchical' => 1, 'show_option_none' => '&mdash; ' . $tax->labels->parent_item . ' &mdash;' ) ); ?>
-								<input type="button" id="category-add-submit" data-wp-lists="add:categorychecklist:category-add" class="button category-add-submit" value="<?php echo esc_attr( $tax->labels->add_new_item ); ?>" />
-								<?php wp_nonce_field( 'add-category', '_ajax_nonce-add-category', false ); ?>
-								<span id="category-ajax-response"></span>
-							</p>
+						<div id="category-pop" class="tabs-panel" style="display: none;">
+							<ul id="categorychecklist-pop" class="categorychecklist form-no-clear" >
+								<?php $popular_ids = wp_popular_terms_checklist( 'category' ); ?>
+							</ul>
 						</div>
-					<?php endif; ?>
-				</div>
-				</div>
-			</div>
 
-			<div id="tagsdiv-post_tag" class="postbox">
-				<div class="handlediv" title="<?php esc_attr_e( 'Click to toggle' ); ?>"><br /></div>
-				<h3><span><?php _e('Tags'); ?></span></h3>
-				<div class="inside">
-					<div class="tagsdiv" id="post_tag">
-						<div class="jaxtag">
-							<label class="screen-reader-text" for="newtag"><?php _e('Tags'); ?></label>
-							<input type="hidden" name="tax_input[post_tag]" class="the-tags" id="tax-input[post_tag]" value="" />
-							<div class="ajaxtag">
-								<input type="text" name="newtag[post_tag]" class="newtag form-input-tip" size="16" autocomplete="off" value="" />
-								<input type="button" class="button tagadd" value="<?php esc_attr_e('Add'); ?>" />
+						<div id="category-all" class="tabs-panel">
+							<ul id="categorychecklist" data-wp-lists="list:category" class="categorychecklist form-no-clear">
+								<?php wp_terms_checklist($post_ID, array( 'taxonomy' => 'category', 'popular_cats' => $popular_ids ) ) ?>
+							</ul>
+						</div>
+
+						<?php if ( current_user_can($tax->cap->edit_terms) ) : ?>
+							<div id="category-adder" class="wp-hidden-children">
+								<h4>
+									<a id="category-add-toggle" href="#category-add" class="hide-if-no-js">
+										<?php printf( __( '+ %s' ), $tax->labels->add_new_item ); ?>
+									</a>
+								</h4>
+								<p id="category-add" class="category-add wp-hidden-child">
+									<label class="screen-reader-text" for="newcategory"><?php echo $tax->labels->add_new_item; ?></label>
+									<input type="text" name="newcategory" id="newcategory" class="form-required form-input-tip" value="<?php echo esc_attr( $tax->labels->new_item_name ); ?>" aria-required="true"/>
+									<label class="screen-reader-text" for="newcategory_parent">
+										<?php echo $tax->labels->parent_item_colon; ?>
+									</label>
+									<?php wp_dropdown_categories( array( 'taxonomy' => 'category', 'hide_empty' => 0, 'name' => 'newcategory_parent', 'orderby' => 'name', 'hierarchical' => 1, 'show_option_none' => '&mdash; ' . $tax->labels->parent_item . ' &mdash;' ) ); ?>
+									<input type="button" id="category-add-submit" data-wp-lists="add:categorychecklist:category-add" class="button category-add-submit" value="<?php echo esc_attr( $tax->labels->add_new_item ); ?>" />
+									<?php wp_nonce_field( 'add-category', '_ajax_nonce-add-category', false ); ?>
+									<span id="category-ajax-response"></span>
+								</p>
 							</div>
-						</div>
-						<div class="tagchecklist"></div>
+						<?php endif; ?>
+					</div>
 					</div>
-					<p class="tagcloud-link"><a href="#titlediv" class="tagcloud-link" id="link-post_tag"><?php _e('Choose from the most used tags'); ?></a></p>
 				</div>
-			</div>
+			<?php endif;
+
+			$tax = get_taxonomy( 'post_tag' );
+			if ( current_user_can( $tax->cap->assign_terms ) ) :
+				?>
+				<div id="tagsdiv-post_tag" class="postbox">
+					<div class="handlediv" title="<?php esc_attr_e( 'Click to toggle' ); ?>"><br /></div>
+					<h3><span><?php _e('Tags'); ?></span></h3>
+					<div class="inside">
+						<div class="tagsdiv" id="post_tag">
+							<div class="jaxtag">
+								<label class="screen-reader-text" for="newtag"><?php _e('Tags'); ?></label>
+								<input type="hidden" name="tax_input[post_tag]" class="the-tags" id="tax-input[post_tag]" value="" />
+								<div class="ajaxtag">
+									<input type="text" name="newtag[post_tag]" class="newtag form-input-tip" size="16" autocomplete="off" value="" />
+									<input type="button" class="button tagadd" value="<?php esc_attr_e('Add'); ?>" />
+								</div>
+							</div>
+							<div class="tagchecklist"></div>
+						</div>
+						<p class="tagcloud-link"><a href="#titlediv" class="tagcloud-link" id="link-post_tag"><?php _e('Choose from the most used tags'); ?></a></p>
+					</div>
+				</div>
+			<?php endif; ?>
 		</div>
 	</div>
 	<div class="posting">

wp-admin/revision.php

@@ -63,7 +63,7 @@ default :
 	if ( ! $post = get_post( $revision->post_parent ) )
 		break;
 
-	if ( ! current_user_can( 'read_post', $revision->ID ) || ! current_user_can( 'read_post', $post->ID ) )
+	if ( ! current_user_can( 'read_post', $revision->ID ) || ! current_user_can( 'edit_post', $revision->post_parent ) )
 		break;
 
 	// Revisions disabled and we're not looking at an autosave

wp-admin/theme-editor.php

@@ -68,7 +68,7 @@ if ( empty( $file ) ) {
 	$relative_file = 'style.css';
 	$file = $allowed_files['style.css'];
 } else {
-	$relative_file = $file;
+	$relative_file = wp_unslash( $file );
 	$file = $theme->get_stylesheet_directory() . '/' . $relative_file;
 }
 
@@ -127,10 +127,12 @@ default:
  <div id="message" class="updated"><p><?php _e( 'File edited successfully.' ) ?></p></div>
 <?php endif;
 
-$description = get_file_description( $file );
+$file_description = get_file_description( $relative_file );
 $file_show = array_search( $file, array_filter( $allowed_files ) );
-if ( $description != $file_show )
-	$description .= ' <span>(' . $file_show . ')</span>';
+$description = esc_html( $file_description );
+if ( $file_description != $file_show ) {
+	$description .= ' <span>(' . esc_html( $file_show ) . ')</span>';
+}
 ?>
 <div class="wrap">
 <?php screen_icon(); ?>
@@ -180,9 +182,9 @@ if ( $allowed_files ) :
 		if ( 'style.css' == $filename )
 			echo "\t</ul>\n\t<h3>" . _x( 'Styles', 'Theme stylesheets in theme editor' ) . "</h3>\n\t<ul>\n";
 
-		$file_description = get_file_description( $absolute_filename );
+		$file_description = esc_html( get_file_description( $filename ) );
 		if ( $file_description != basename( $filename ) )
-			$file_description .= '<br /><span class="nonessential">(' . $filename . ')</span>';
+			$file_description .= '<br /><span class="nonessential">(' . esc_html( $filename ) . ')</span>';
 
 		if ( $absolute_filename == $file )
 			$file_description = '<span class="highlight">' . $file_description . '</span>';

wp-admin/themes.php

@@ -308,7 +308,7 @@ if ( ! is_multisite() && current_user_can('edit_themes') && $broken_themes = wp_
 	foreach ( $broken_themes as $broken_theme ) {
 		echo "
 		<tr>
-			 <td>" . $broken_theme->get('Name') ."</td>
+			 <td>" . ( $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : esc_html( $broken_theme->get_stylesheet() ) ) . "</td>
 			 <td>" . $broken_theme->errors()->get_error_message() . "</td>
 		</tr>";
 	}

wp-admin/update-core.php

@@ -237,6 +237,8 @@ function list_plugin_updates() {
 	<tbody class="plugins">
 <?php
 	foreach ( (array) $plugins as $plugin_file => $plugin_data) {
+		$plugin_data = (object) _get_plugin_data_markup_translate( $plugin_file, (array) $plugin_data, false, true );
+
 		$info = plugins_api('plugin_information', array('slug' => $plugin_data->update->slug ));
 		// Get plugin compat for running version of WordPress.
 		if ( isset($info->tested) && version_compare($info->tested, $cur_wp_version, '>=') ) {

wp-admin/user-edit.php

@@ -81,7 +81,7 @@ if ( is_multisite() && ! current_user_can( 'manage_network_users' ) && $user_id
 // Execute confirmed email change. See send_confirmation_on_profile_email().
 if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $current_user->ID ) {
 	$new_email = get_option( $current_user->ID . '_new_email' );
-	if ( $new_email[ 'hash' ] == $_GET[ 'newuseremail' ] ) {
+	if ( $new_email && hash_equals( $new_email[ 'hash' ], $_GET[ 'newuseremail' ] ) ) {
 		$user = new stdClass;
 		$user->ID = $current_user->ID;
 		$user->user_email = esc_html( trim( $new_email[ 'newemail' ] ) );
@@ -92,7 +92,8 @@ if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $c
 		wp_redirect( add_query_arg( array('updated' => 'true'), self_admin_url( 'profile.php' ) ) );
 		die();
 	}
-} elseif ( is_multisite() && IS_PROFILE_PAGE && !empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' == $_GET['dismiss'] ) {
+} elseif ( is_multisite() && IS_PROFILE_PAGE && !empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' === $_GET['dismiss'] ) {
+	check_admin_referer( 'dismiss-' . $current_user->ID . '_new_email' );
 	delete_option( $current_user->ID . '_new_email' );
 	wp_redirect( add_query_arg( array('updated' => 'true'), self_admin_url( 'profile.php' ) ) );
 	die();
@@ -167,7 +168,7 @@ include (ABSPATH . 'wp-admin/admin-header.php');
 	<p><strong><?php _e('User updated.') ?></strong></p>
 	<?php endif; ?>
 	<?php if ( $wp_http_referer && !IS_PROFILE_PAGE ) : ?>
-	<p><a href="<?php echo esc_url( $wp_http_referer ); ?>"><?php _e('&larr; Back to Users'); ?></a></p>
+	<p><a href="<?php echo esc_url( wp_validate_redirect( esc_url_raw( $wp_http_referer ), self_admin_url( 'users.php' ) ) ); ?>"><?php _e('&larr; Back to Users'); ?></a></p>
 	<?php endif; ?>
 </div>
 <?php endif; ?>
@@ -338,7 +339,7 @@ if ( is_multisite() && is_network_admin() && ! IS_PROFILE_PAGE && current_user_c
 	$new_email = get_option( $current_user->ID . '_new_email' );
 	if ( $new_email && $new_email['newemail'] != $current_user->user_email && $profileuser->ID == $current_user->ID ) : ?>
 	<div class="updated inline">
-	<p><?php printf( __('There is a pending change of your e-mail to <code>%1$s</code>. <a href="%2$s">Cancel</a>'), $new_email['newemail'], esc_url( self_admin_url( 'profile.php?dismiss=' . $current_user->ID . '_new_email' ) ) ); ?></p>
+	<p><?php printf( __('There is a pending change of your e-mail to <code>%1$s</code>. <a href="%2$s">Cancel</a>'), esc_html( $new_email['newemail'] ), esc_url( wp_nonce_url( self_admin_url( 'profile.php?dismiss=' . $current_user->ID . '_new_email' ), 'dismiss-' . $current_user->ID . '_new_email' ) ) ); ?></p>
 	</div>
 	<?php endif; ?>
 	</td>

wp-admin/user-new.php

@@ -72,7 +72,7 @@ if ( isset($_REQUEST['action']) && 'adduser' == $_REQUEST['action'] ) {
 			add_existing_user_to_blog( array( 'user_id' => $user_id, 'role' => $_REQUEST[ 'role' ] ) );
 			$redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' );
 		} else {
-			$newuser_key = substr( md5( $user_id ), 0, 5 );
+			$newuser_key = wp_generate_password( 20, false );
 			add_option( 'new_user_' . $newuser_key, array( 'user_id' => $user_id, 'email' => $user_details->user_email, 'role' => $_REQUEST[ 'role' ] ) );
 
 			$roles = get_editable_roles();

wp-admin/widgets.php

@@ -17,6 +17,8 @@ if ( ! current_user_can('edit_theme_options') )
 
 $widgets_access = get_user_setting( 'widgets_access' );
 if ( isset($_GET['widgets-access']) ) {
+	check_admin_referer( 'widgets-access' );
+
 	$widgets_access = 'on' == $_GET['widgets-access'] ? 'on' : 'off';
 	set_user_setting( 'widgets_access', $widgets_access );
 }

wp-comments-post.php

@@ -102,6 +102,8 @@ if ( $user->exists() ) {
 		) {
 			kses_remove_filters(); // start with a clean slate
 			kses_init_filters(); // set up the filters
+			remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+			add_filter( 'pre_comment_content', 'wp_filter_kses' );
 		}
 	}
 } else {

wp-includes/ID3/getid3.lib.php

@@ -519,11 +519,12 @@ class getid3_lib
 	}
 
 	public static function XML2array($XMLstring) {
-		if (function_exists('simplexml_load_string')) {
-			if (function_exists('get_object_vars')) {
-				$XMLobject = simplexml_load_string($XMLstring);
-				return self::SimpleXMLelement2array($XMLobject);
-			}
+		if ( function_exists( 'simplexml_load_string' ) && function_exists( 'libxml_disable_entity_loader' ) ) {
+			$loader = libxml_disable_entity_loader( true );
+			$XMLobject = simplexml_load_string( $XMLstring, 'SimpleXMLElement', LIBXML_NOENT );
+			$return = self::SimpleXMLelement2array( $XMLobject );
+			libxml_disable_entity_loader( $loader );
+			return $return;
 		}
 		return false;
 	}

wp-includes/bookmark.php

@@ -256,7 +256,7 @@ function get_bookmarks($args = '') {
 	$query .= " $exclusions $inclusions $search";
 	$query .= " ORDER BY $orderby $order";
 	if ($limit != -1)
-		$query .= " LIMIT $limit";
+		$query .= ' LIMIT ' . absint( $limit );
 
 	$results = $wpdb->get_results($query);
 

wp-includes/cache.php

@@ -588,7 +588,7 @@ class WP_Object_Cache {
 		echo "</p>";
 		echo '<ul>';
 		foreach ($this->cache as $group => $cache) {
-			echo "<li><strong>Group:</strong> $group - ( " . number_format( strlen( serialize( $cache ) ) / 1024, 2 ) . 'k )</li>';
+			echo '<li><strong>Group:</strong> ' . esc_html( $group ) . ' - ( ' . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
 		}
 		echo '</ul>';
 	}

wp-includes/capabilities.php

@@ -1073,8 +1073,10 @@ function map_meta_cap( $cap, $user_id ) {
 	case 'edit_post':
 	case 'edit_page':
 		$post = get_post( $args[0] );
-		if ( empty( $post ) )
+		if ( empty( $post ) ) {
+			$caps[] = 'do_not_allow';
 			break;
+		}
 
 		if ( 'revision' == $post->post_type ) {
 			$post = get_post( $post->post_parent );
@@ -1182,7 +1184,16 @@ function map_meta_cap( $cap, $user_id ) {
 		if ( empty( $comment ) )
 			break;
 		$post = get_post( $comment->comment_post_ID );
-		$caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
+
+		/*
+		 * If the post doesn't exist, we have an orphaned comment.
+		 * Fall back to the edit_posts capability, instead.
+		 */
+		if ( $post ) {
+			$caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
+		} else {
+			$caps = map_meta_cap( 'edit_posts', $user_id );
+		}
 		break;
 	case 'unfiltered_upload':
 		if ( defined('ALLOW_UNFILTERED_UPLOADS') && ALLOW_UNFILTERED_UPLOADS && ( !is_multisite() || is_super_admin( $user_id ) )  )
@@ -1304,21 +1315,25 @@ function current_user_can( $capability ) {
  * @return bool
  */
 function current_user_can_for_blog( $blog_id, $capability ) {
-	if ( is_multisite() )
-		switch_to_blog( $blog_id );
+	$switched = is_multisite() ? switch_to_blog( $blog_id ) : false;
 
 	$current_user = wp_get_current_user();
 
-	if ( empty( $current_user ) )
+	if ( empty( $current_user ) ) {
+		if ( $switched ) {
+			restore_current_blog();
+		}
 		return false;
+	}
 
 	$args = array_slice( func_get_args(), 2 );
 	$args = array_merge( array( $capability ), $args );
 
 	$can = call_user_func_array( array( $current_user, 'has_cap' ), $args );
 
-	if ( is_multisite() )
+	if ( $switched ) {
 		restore_current_blog();
+	}
 
 	return $can;
 }

wp-includes/class-IXR.php

@@ -203,11 +203,37 @@ class IXR_Message
     {
         // first remove the XML declaration
         // merged from WP #10698 - this method avoids the RAM usage of preg_replace on very large messages
-        $header = preg_replace( '/<\?xml.*?\?'.'>/', '', substr($this->message, 0, 100), 1);
-        $this->message = substr_replace($this->message, $header, 0, 100);
-        if (trim($this->message) == '') {
+        $header = preg_replace( '/<\?xml.*?\?'.'>/s', '', substr( $this->message, 0, 100 ), 1 );
+        $this->message = trim( substr_replace( $this->message, $header, 0, 100 ) );
+        if ( '' == $this->message ) {
             return false;
         }
+
+        // Then remove the DOCTYPE
+        $header = preg_replace( '/^<!DOCTYPE[^>]*+>/i', '', substr( $this->message, 0, 200 ), 1 );
+        $this->message = trim( substr_replace( $this->message, $header, 0, 200 ) );
+        if ( '' == $this->message ) {
+            return false;
+        }
+
+        // Check that the root tag is valid
+        $root_tag = substr( $this->message, 0, strcspn( substr( $this->message, 0, 20 ), "> \t\r\n" ) );
+        if ( '<!DOCTYPE' === strtoupper( $root_tag ) ) {
+            return false;
+        }
+        if ( ! in_array( $root_tag, array( '<methodCall', '<methodResponse', '<fault' ) ) ) {
+            return false;
+        }
+
+        // Bail if there are too many elements to parse
+        $element_limit = 30000;
+        if ( function_exists( 'apply_filters' ) ) {
+            $element_limit = apply_filters( 'xmlrpc_element_limit', $element_limit );
+        }
+        if ( $element_limit && 2 * $element_limit < substr_count( $this->message, '<' ) ) {
+            return false;
+        }
+
         $this->_parser = xml_parser_create();
         // Set XML parser to take the case of tags in to account
         xml_parser_set_option($this->_parser, XML_OPTION_CASE_FOLDING, false);

wp-includes/class-phpass.php

@@ -214,6 +214,10 @@ class PasswordHash {
 
 	function HashPassword($password)
 	{
+		if ( strlen( $password ) > 4096 ) {
+			return '*';
+		}
+
 		$random = '';
 
 		if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
@@ -249,6 +253,10 @@ class PasswordHash {
 
 	function CheckPassword($password, $stored_hash)
 	{
+		if ( strlen( $password ) > 4096 ) {
+			return false;
+		}
+
 		$hash = $this->crypt_private($password, $stored_hash);
 		if ($hash[0] == '*')
 			$hash = crypt($password, $stored_hash);

wp-includes/class-snoopy.php

@@ -999,20 +999,23 @@ class Snoopy
 		if(!empty($this->user) || !empty($this->pass))
 			$headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);
 
-		for($curr_header = 0; $curr_header < count($headers); $curr_header++) {
-			$safer_header = strtr( $headers[$curr_header], "\"", " " );
-			$cmdline_params .= " -H \"".$safer_header."\"";
+		$headerfile = tempnam( $this->temp_dir, "sno" );
+		$cmdline_params = '-k -D ' . escapeshellarg( $headerfile );
+
+		foreach ( $headers as $header ) {
+			$cmdline_params .= ' -H ' . escapeshellarg( $header );
 		}
 
-		if(!empty($body))
-			$cmdline_params .= " -d \"$body\"";
+		if ( ! empty( $body ) ) {
+			$cmdline_params .= ' -d ' . escapeshellarg( $body );
+		}
 
-		if($this->read_timeout > 0)
-			$cmdline_params .= " -m ".$this->read_timeout;
+		if ( $this->read_timeout > 0 ) {
+			$cmdline_params .= ' -m ' . escapeshellarg( $this->read_timeout );
+		}
 
-		$headerfile = tempnam($this->temp_dir, "sno");
 
-		exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
+		exec( $this->curl_path . ' ' . $cmdline_params . ' ' . escapeshellarg( $URI ), $results, $return );
 
 		if($return)
 		{

wp-includes/class-wp-customize-manager.php

@@ -123,6 +123,24 @@ final class WP_Customize_Manager {
 
 		$this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );
 
+		/*
+		 * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
+		 * application will inject the customize_preview_nonce query parameter into all Ajax requests.
+		 * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
+		 * a user when a valid nonce isn't present.
+		 */
+		$has_post_data_nonce = (
+			check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
+			||
+			check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
+			||
+			check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
+		);
+		if ( ! $has_post_data_nonce ) {
+			unset( $_POST['customized'] );
+			unset( $_REQUEST['customized'] );
+		}
+
 		if ( $this->is_theme_active() ) {
 			// Once the theme is loaded, we'll validate it.
 			add_action( 'after_setup_theme', array( $this, 'after_setup_theme' ) );