WordPress 3.9.40.

Built from https://develop.svn.wordpress.org/branches/3.9@54906


git-svn-id: http://core.svn.wordpress.org/branches/3.9@54458 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/about.php

@@ -39,7 +39,51 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 </h2>
 
 <div class="changelog point-releases">
-	<h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 37 ); ?></h3>
+	<h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 40 ); ?></h3>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			_n(
+				'<strong>Version %1$s</strong> addressed a security issue.',
+				'<strong>Version %1$s</strong> addressed some security issues.',
+				1
+			),
+			'3.9.40'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.9.40' )
+			)
+		);
+		?>
+	</p>
+	<p>
+		<?php
+		printf(
+			/* translators: %s: WordPress version number */
+			__( '<strong>Version %s</strong> addressed some security issues.' ),
+			'3.9.39'
+		);
+		?>
+		<?php
+		printf(
+			/* translators: %s: HelpHub URL */
+			__( 'For more information, see <a href="%s">the release notes</a>.' ),
+			sprintf(
+				/* translators: %s: WordPress version */
+				esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+				sanitize_title( '3.9.39' )
+			)
+		);
+		?>
+	</p>
 	<p>
 		<?php
 		printf(
@@ -603,3 +647,9 @@ _n_noop( '<strong>Version %1$s</strong> addressed some security issues and fixed
          '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.' );
 
 __( 'For more information, see <a href="%s">the release notes</a>.' );
+
+/* translators: 1: WordPress version number, 2: Link to update WordPress */
+__( 'Important! Your version of WordPress (%1$s) is no longer supported, you will not receive any security updates for your website. To keep your site secure, please <a href="%2$s">update to the latest version of WordPress</a>.' );
+
+/* translators: 1: WordPress version number, 2: Link to update WordPress */
+__( 'Important! Your version of WordPress (%1$s) will stop receiving security updates in the near future. To keep your site secure, please <a href="%2$s">update to the latest version of WordPress</a>.' );

wp-admin/css/common-rtl.css

@@ -937,6 +937,26 @@ th.action-links {
 	box-shadow: 0 1px 1px 0 rgba(0,0,0,0.1);
 }
 
+.update-nag-core-insecure {
+	color: #fff;
+	background-color: #ac1b1b;
+	border-right-color: #cd5a5a;
+	font-weight: bold;
+}
+
+.update-nag-core-insecure > p:first-child {
+	margin-top: 0;
+}
+
+.update-nag-core-insecure > p:last-child {
+	margin-bottom: 0;
+}
+
+.update-nag-core-insecure a {
+	color: #fff;
+	text-decoration: underline;
+}
+
 .update-message {
 	color: #000;
 }

wp-admin/css/common.css

@@ -937,6 +937,26 @@ th.action-links {
 	box-shadow: 0 1px 1px 0 rgba(0,0,0,0.1);
 }
 
+.update-nag-core-insecure {
+	color: #fff;
+	background-color: #ac1b1b;
+	border-left-color: #cd5a5a;
+	font-weight: bold;
+}
+
+.update-nag-core-insecure > p:first-child {
+	margin-top: 0;
+}
+
+.update-nag-core-insecure > p:last-child {
+	margin-bottom: 0;
+}
+
+.update-nag-core-insecure a {
+	color: #fff;
+	text-decoration: underline;
+}
+
 .update-message {
 	color: #000;
 }

wp-admin/includes/update.php

@@ -210,11 +210,23 @@ function update_nag() {
 		return false;
 
 	if ( current_user_can('update_core') ) {
-		$msg = sprintf( __('<a href="http://codex.wordpress.org/Version_%1$s">WordPress %1$s</a> is available! <a href="%2$s">Please update now</a>.'), $cur->current, network_admin_url( 'update-core.php' ) );
+		$msg       = sprintf( __('<a href="http://codex.wordpress.org/Version_%1$s">WordPress %1$s</a> is available! <a href="%2$s">Please update now</a>.'), $cur->current, network_admin_url( 'update-core.php' ) );
+		$msg_line2 = sprintf(
+			/* translators: 1: WordPress version number, 2: Link to update WordPress */
+			__( 'Important! Your version of WordPress (%1$s) is no longer supported, you will not receive any security updates for your website. To keep your site secure, please <a href="%2$s">update to the latest version of WordPress</a>.' ),
+			get_bloginfo( 'version', 'display' ),
+			network_admin_url( 'update-core.php' )
+		);
 	} else {
-		$msg = sprintf( __('<a href="http://codex.wordpress.org/Version_%1$s">WordPress %1$s</a> is available! Please notify the site administrator.'), $cur->current );
+		$msg       = sprintf( __('<a href="http://codex.wordpress.org/Version_%1$s">WordPress %1$s</a> is available! Please notify the site administrator.'), $cur->current );
+		$msg_line2 = sprintf(
+			/* translators: 1: WordPress version number, 2: Link to update WordPress */
+			__( 'Important! Your version of WordPress (%1$s) is no longer supported, you will not receive any security updates for your website. To keep your site secure, please <a href="%2$s">update to the latest version of WordPress</a>.' ),
+			get_bloginfo( 'version', 'display' ),
+			__( 'https://wordpress.org/download/' )
+		);
 	}
-	echo "<div class='update-nag'>$msg</div>";
+	echo "<div class='update-nag update-nag-core-insecure'><p>$msg</p><p>$msg_line2</p></div>";
 }
 add_action( 'admin_notices', 'update_nag', 3 );
 add_action( 'network_admin_notices', 'update_nag', 3 );

wp-includes/comment.php

@@ -1815,6 +1815,15 @@ function wp_update_comment($commentarr) {
 	if ( empty( $comment ) )
 		return 0;
 
+	$filter_comment = false;
+	if ( ! has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) {
+		$filter_comment = ! user_can( isset( $comment['user_id'] ) ? $comment['user_id'] : 0, 'unfiltered_html' );
+	}
+
+	if ( $filter_comment ) {
+		add_filter( 'pre_comment_content', 'wp_filter_kses' );
+	}
+
 	// Escape data pulled from DB.
 	$comment = wp_slash($comment);
 
@@ -1825,6 +1834,10 @@ function wp_update_comment($commentarr) {
 
 	$commentarr = wp_filter_comment( $commentarr );
 
+	if ( $filter_comment ) {
+		remove_filter( 'pre_comment_content', 'wp_filter_kses' );
+	}
+
 	// Now extract the merged array.
 	extract(wp_unslash($commentarr), EXTR_SKIP);
 

wp-includes/default-widgets.php

@@ -1012,7 +1012,7 @@ function wp_widget_rss_output( $rss, $args = array() ) {
 
 	if ( is_wp_error($rss) ) {
 		if ( is_admin() || current_user_can('manage_options') )
-			echo '<p>' . sprintf( __('<strong>RSS Error</strong>: %s'), $rss->get_error_message() ) . '</p>';
+			echo '<p>' . sprintf( __('<strong>RSS Error</strong>: %s'), esc_html( $rss->get_error_message() ) ) . '</p>';
 		return;
 	}
 
@@ -1124,7 +1124,7 @@ function wp_widget_rss_form( $args, $inputs = null ) {
 	$show_date      = (int) $show_date;
 
 	if ( !empty($error) )
-		echo '<p class="widget-error"><strong>' . sprintf( __('RSS Error: %s'), $error) . '</strong></p>';
+		echo '<p class="widget-error"><strong>' . sprintf( __('RSS Error: %s'), esc_html( $error ) ) . '</strong></p>';
 
 	if ( $inputs['url'] ) :
 ?>

wp-includes/functions.php

@@ -2334,8 +2334,16 @@ function wp_nonce_ays( $action ) {
 		$html .= sprintf( __( "Do you really want to <a href='%s'>log out</a>?"), wp_logout_url( $redirect_to ) );
 	} else {
 		$html = __( 'Are you sure you want to do this?' );
-		if ( wp_get_referer() )
-			$html .= "</p><p><a href='" . esc_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
+		if ( wp_get_referer() ) {
+			$wp_http_referer = remove_query_arg( 'updated', wp_get_referer() );
+			$wp_http_referer = wp_validate_redirect( esc_url_raw( $wp_http_referer ) );
+			$html           .= '</p><p>';
+			$html           .= sprintf(
+				'<a href="%s">%s</a>',
+				esc_url( $wp_http_referer ),
+				__( 'Please try again.' )
+			);
+		}
 	}
 
 	wp_die( $html, $title, array('response' => 403) );

wp-includes/pluggable.php

@@ -330,6 +330,8 @@ function wp_mail( $to, $subject, $message, $headers = '', $attachments = array()
 	$phpmailer->ClearAttachments();
 	$phpmailer->ClearCustomHeaders();
 	$phpmailer->ClearReplyTos();
+	$phpmailer->Body    = '';
+	$phpmailer->AltBody = '';
 
 	// From email and name
 	// If we don't have a name from the input headers

wp-includes/version.php

@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '3.9.37';
+$wp_version = '3.9.40';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

wp-mail.php

@@ -60,6 +60,9 @@ if( 0 === $count ) {
 	wp_die( __('There doesn’t seem to be any new mail.') );
 }
 
+// Always run as an unauthenticated user.
+wp_set_current_user( 0 );
+
 for ( $i = 1; $i <= $count; $i++ ) {
 
 	$message = $pop3->get($i);
@@ -123,7 +126,6 @@ for ( $i = 1; $i <= $count; $i++ ) {
 					$author = trim($line);
 				$author = sanitize_email($author);
 				if ( is_email($author) ) {
-					echo '<p>' . sprintf(__('Author is %s'), $author) . '</p>';
 					$userdata = get_user_by('email', $author);
 					if ( ! empty( $userdata ) ) {
 						$post_author = $userdata->ID;

wp-trackback.php

@@ -13,6 +13,9 @@ if (empty($wp)) {
 	wp( array( 'tb' => '1' ) );
 }
 
+// Always run as an unauthenticated user.
+wp_set_current_user( 0 );
+
 /**
  * Response to a trackback.
  *