Tag 3.5.1

git-svn-id: http://core.svn.wordpress.org/tags/3.5.1@23345 1a063a9b-81f0-0310-95a4-ce76da25c4cd

readme.html

@@ -8,7 +8,7 @@
 <body>
 <h1 id="logo">
 	<a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
-	<br /> Version 3.5
+	<br /> Version 3.5.1
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>
 

wp-admin/about.php

@@ -33,6 +33,14 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 	</a>
 </h2>
 
+<div class="changelog point-releases">
+	<h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 1 ); ?></h3>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 37 ), '3.5.1', number_format_i18n( 37 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.5.1' ); ?>
+ 	</p>
+</div>
+
 <div class="changelog">
 	<h3><?php _e( 'New Media Manager' ); ?></h3>
 

wp-admin/css/wp-admin.css

@@ -3533,14 +3533,6 @@ div.tabs-panel-inactive {
 	display:none;
 }
 
-.customlinkdiv ul,
-.posttypediv ul,
-.taxonomydiv ul {
-	list-style: none;
-	padding: 0;
-	margin: 0;
-}
-
 #front-page-warning,
 #front-static-pages ul,
 ul.export-filters,
@@ -8455,7 +8447,7 @@ a.widget-control-edit {
 	}
 
 	.sorting-indicator {
-		background-image: url('../images/sort-2x.gif');
+		background-image: url('../images/sort-2x.gif?ver=20130102');
 		background-size: 14px 4px;
 	}
 

wp-admin/includes/image-edit.php

@@ -692,7 +692,7 @@ function wp_save_image( $post_id ) {
 			$_sizes[ $size ] = array( 'width' => get_option("{$size}_size_w"), 'height' => get_option("{$size}_size_h"), 'crop' => $crop );
 		}
 
-		$meta['sizes'] = $img->multi_resize( $_sizes );
+		$meta['sizes'] = array_merge( $meta['sizes'], $img->multi_resize( $_sizes ) );
 	}
 
 	unset( $img );

wp-admin/includes/media.php

@@ -1417,6 +1417,9 @@ function get_compat_media_markup( $attachment_id, $args = null ) {
 		$item .= '<input type="hidden" name="' . esc_attr( $hidden_field ) . '" value="' . esc_attr( $value ) . '" />' . "\n";
 	}
 
+	if ( $item )
+		$item = '<input type="hidden" name="attachments[' . $attachment_id . '][menu_order]" value="' . esc_attr( $post->menu_order ) . '" />' . $item;
+
 	return array(
 		'item'   => $item,
 		'meta'   => $media_meta,

wp-admin/includes/update-core.php

@@ -535,6 +535,7 @@ $_old_files = array(
 'wp-includes/js/jquery/ui/jquery.effects.pulsate.min.js',
 'wp-includes/js/jquery/ui/jquery.effects.transfer.min.js',
 'wp-includes/js/jquery/ui/jquery.effects.fold.min.js',
+'wp-admin/options-privacy.php',
 );
 
 /**
@@ -630,7 +631,8 @@ function update_core($from, $to) {
 	}
 
 	// Import $wp_version, $required_php_version, and $required_mysql_version from the new version
-	$versions_file = $wp_filesystem->wp_content_dir() . 'upgrade/version-current.php';
+	// $wp_filesystem->wp_content_dir() returned unslashed pre-2.8
+	$versions_file = trailingslashit( $wp_filesystem->wp_content_dir() ) . 'upgrade/version-current.php';
 	if ( ! $wp_filesystem->copy( $from . $distro . 'wp-includes/version.php', $versions_file ) ) {
 		 $wp_filesystem->delete( $from, true );
 		 return new WP_Error( 'copy_failed', __('Could not copy file.') );
@@ -691,6 +693,15 @@ function update_core($from, $to) {
 		}
 	}
 
+	// 3.5 -> 3.5+ - an empty twentytwelve directory was created upon upgrade to 3.5 for some users, preventing installation of Twenty Twelve.
+	if ( '3.5' == $old_wp_version ) {
+		if ( is_dir( WP_CONTENT_DIR . '/themes/twentytwelve' ) && ! file_exists( WP_CONTENT_DIR . '/themes/twentytwelve/style.css' )  ) {
+			// Bumping the introduced version to 3.5.1 for the affected users causes Twenty Twelve to be installed for the first time
+			if ( $wp_filesystem->delete( $wp_filesystem->wp_themes_dir() . 'twentytwelve/' ) )
+				$_new_bundled_files[ 'themes/twentytwelve/' ] = '3.5.1';
+		}
+	}
+
 	// Copy New bundled plugins & themes
 	// This gives us the ability to install new plugins & themes bundled with future versions of WordPress whilst avoiding the re-install upon upgrade issue.
 	// $development_build controls us overwriting bundled themes and plugins when a non-stable release is being updated
@@ -701,6 +712,10 @@ function update_core($from, $to) {
 				$directory = ('/' == $file[ strlen($file)-1 ]);
 				list($type, $filename) = explode('/', $file, 2);
 
+				// Check to see if the bundled items exist before attempting to copy them
+				if ( ! $wp_filesystem->exists( $from . $distro . 'wp-content/' . $file ) )
+					continue;
+
 				if ( 'plugins' == $type )
 					$dest = $wp_filesystem->wp_plugins_dir();
 				elseif ( 'themes' == $type )

wp-admin/js/post.js

@@ -165,9 +165,11 @@ tagBox = {
 
 		// tag cloud
 		$('a.tagcloud-link').click(function(){
-			if ( ! $('.the-tagcloud').length )
-				tagBox.get( $(this).attr('id') );
-			$(this).siblings('.the-tagcloud').toggle();
+			tagBox.get( $(this).attr('id') );
+			$(this).unbind().click(function(){
+				$(this).siblings('.the-tagcloud').toggle();
+				return false;
+			});
 			return false;
 		});
 	}
@@ -685,7 +687,7 @@ jQuery(document).ready( function($) {
 	(function() {
 		var textarea = $('textarea#content'), offset = null, el;
 		// No point for touch devices
-		if ( 'ontouchstart' in window )
+		if ( !textarea.length || 'ontouchstart' in window )
 			return;
 
 		function dragging(e) {
@@ -694,14 +696,15 @@ jQuery(document).ready( function($) {
 		}
 
 		function endDrag(e) {
-			var height = $('#wp-content-editor-container').height();
+			var height;
 
 			textarea.focus();
 			$(document).unbind('mousemove', dragging).unbind('mouseup', endDrag);
 
-			height -= 33; // compensate for toolbars, padding...
+			height = parseInt( textarea.css('height'), 10 );
+
 			// sanity check
-			if ( height > 50 && height < 5000 && height != getUserSetting( 'ed_size' ) )
+			if ( height && height > 50 && height < 5000 )
 				setUserSetting( 'ed_size', height );
 		}
 
@@ -722,44 +725,67 @@ jQuery(document).ready( function($) {
 			if ( ed.id != 'content' || tinymce.isIOS5 )
 				return;
 
-			// resize TinyMCE to match the textarea height when switching Text -> Visual
-			ed.onLoadContent.add( function(ed, o) {
-				var ifr_height, height = parseInt( $('#content').css('height'), 10 ),
+			function getHeight() {
+				var height, node = document.getElementById('content_ifr'),
+					ifr_height = node ? parseInt( node.style.height, 10 ) : 0,
 					tb_height = $('#content_tbl tr.mceFirst').height();
 
-				if ( height && !isNaN(height) && tb_height ) {
-					ifr_height = (height - tb_height) + 12; // compensate for padding in the textarea
-					// sanity check
-					if ( ifr_height > 50 && ifr_height < 5000 ) {
-						$('#content_tbl').css('height', '' );
-						$('#content_ifr').css('height', ifr_height + 'px' );
-					}
+				if ( !ifr_height || !tb_height )
+					return false;
+
+				// total height including toolbar and statusbar
+				height = ifr_height + tb_height + 21;
+				// textarea height = total height - 33px toolbar
+				height -= 33;
+
+				return height;
+			}
+
+			// resize TinyMCE to match the textarea height when switching Text -> Visual
+			ed.onLoadContent.add( function(ed, o) {
+				var ifr_height, node = document.getElementById('content'),
+					height = node ? parseInt( node.style.height, 10 ) : 0,
+					tb_height = $('#content_tbl tr.mceFirst').height() || 33;
+
+				// height cannot be under 50 or over 5000
+				if ( !height || height < 50 || height > 5000 )
+					height = 360; // default height for the main editor
+
+				if ( getUserSetting( 'ed_size' ) > 5000  )
+					setUserSetting( 'ed_size', 360 );
+
+				// compensate for padding and toolbars
+				ifr_height = ( height - tb_height ) + 12;
+
+				// sanity check
+				if ( ifr_height > 50 && ifr_height < 5000 ) {
+					$('#content_tbl').css('height', '' );
+					$('#content_ifr').css('height', ifr_height + 'px' );
 				}
 			});
 
 			// resize the textarea to match TinyMCE's height when switching Visual -> Text
 			ed.onSaveContent.add( function(ed, o) {
-				var height = $('#content_tbl').height();
+				var height = getHeight();
 
-				if ( height && height > 83 && height < 5000 ) {
-					height -= 33;
+				if ( !height || height < 50 || height > 5000 )
+					return;
 
-					$('#content').css( 'height', height + 'px' );
-				}
+				$('textarea#content').css( 'height', height + 'px' );
 			});
 
 			// save on resizing TinyMCE
 			ed.onPostRender.add(function() {
 				$('#content_resize').on('mousedown.wp-mce-resize', function(e){
 					$(document).on('mouseup.wp-mce-resize', function(e){
-						var height = $('#wp-content-editor-container').height();
-
-						height -= 33;
-						// sanity check
-						if ( height > 50 && height < 5000 && height != getUserSetting( 'ed_size' ) )
-							setUserSetting( 'ed_size', height );
+						var height;
 
 						$(document).off('mouseup.wp-mce-resize');
+
+						height = getHeight();
+						// sanity check
+						if ( height && height > 50 && height < 5000 )
+							setUserSetting( 'ed_size', height );
 					});
 				});
 			});

wp-admin/network.php

@@ -312,11 +312,12 @@ function network_step2( $errors = false ) {
 	$hostname          = get_clean_basedomain();
 	$slashed_home      = trailingslashit( get_option( 'home' ) );
 	$base              = parse_url( $slashed_home, PHP_URL_PATH );
-	$wp_dir_from_root  = preg_replace( '#^' . preg_quote( $_SERVER['DOCUMENT_ROOT'], '#' ) . '#', '', ABSPATH );
-	$wp_siteurl_subdir = trailingslashit( '/' . preg_replace( '#^' . preg_quote( $base, '#' ) . '#', '', $wp_dir_from_root ) );
+	$document_root_fix = str_replace( '\\', '/', realpath( $_SERVER['DOCUMENT_ROOT'] ) );
+	$abspath_fix       = str_replace( '\\', '/', ABSPATH );
+	$home_path         = 0 === strpos( $abspath_fix, $document_root_fix ) ? $document_root_fix . $base : str_replace( '\\', '/', get_home_path() );
+	$wp_siteurl_subdir = preg_replace( '#^' . preg_quote( $home_path, '#' ) . '#', '', $abspath_fix );
 	$rewrite_base      = ! empty( $wp_siteurl_subdir ) ? ltrim( trailingslashit( $wp_siteurl_subdir ), '/' ) : '';
 
-	$home_path         = get_home_path();
 
 	$location_of_wp_config = ABSPATH;
 	if ( ! file_exists( ABSPATH . 'wp-config.php' ) && file_exists( dirname( ABSPATH ) . '/wp-config.php' ) )
@@ -411,8 +412,7 @@ define('BLOG_ID_CURRENT_SITE', 1);
 		$iis_rewrite_base = ltrim( $base, '/' ) . $rewrite_base;
 		$iis_subdir_replacement = $subdomain_install ? '' : '{R:1}';
 
-		$web_config_file = <<<EOF
-<?xml version="1.0" encoding="UTF-8"?>
+		$web_config_file = '<?xml version="1.0" encoding="UTF-8"?>
 <configuration>
     <system.webServer>
         <rewrite>
@@ -424,14 +424,14 @@ define('BLOG_ID_CURRENT_SITE', 1);
 				if ( is_multisite() && get_site_option( 'ms_files_rewriting' ) ) {
 					$web_config_file .= '
                 <rule name="WordPress Rule for Files" stopProcessing="true">
-                    <match url="^{$iis_subdir_match}files/(.+)" ignoreCase="false" />
-                    <action type="Rewrite" url="{$iis_rewrite_base}wp-includes/ms-files.php?file={R:1}" appendQueryString="false" />
+                    <match url="^' . $iis_subdir_match . 'files/(.+)" ignoreCase="false" />
+                    <action type="Rewrite" url="' . $iis_rewrite_base . 'wp-includes/ms-files.php?file={R:1}" appendQueryString="false" />
                 </rule>';
                 }
                 $web_config_file .= '
                 <rule name="WordPress Rule 2" stopProcessing="true">
-                    <match url="^{$iis_subdir_match}wp-admin$" ignoreCase="false" />
-                    <action type="Redirect" url="{$iis_subdir_replacement}wp-admin/" redirectType="Permanent" />
+                    <match url="^' . $iis_subdir_match . 'wp-admin$" ignoreCase="false" />
+                    <action type="Redirect" url="' . $iis_subdir_replacement . 'wp-admin/" redirectType="Permanent" />
                 </rule>
                 <rule name="WordPress Rule 3" stopProcessing="true">
                     <match url="^" ignoreCase="false" />
@@ -442,12 +442,12 @@ define('BLOG_ID_CURRENT_SITE', 1);
                     <action type="None" />
                 </rule>
                 <rule name="WordPress Rule 4" stopProcessing="true">
-                    <match url="^{$iis_subdir_match}(wp-(content|admin|includes).*)" ignoreCase="false" />
-                    <action type="Rewrite" url="{$iis_rewrite_base}{R:1}" />
+                    <match url="^' . $iis_subdir_match . '(wp-(content|admin|includes).*)" ignoreCase="false" />
+                    <action type="Rewrite" url="' . $iis_rewrite_base . '{R:1}" />
                 </rule>
                 <rule name="WordPress Rule 5" stopProcessing="true">
-                    <match url="^{$iis_subdir_match}([_0-9a-zA-Z-]+/)?(.*\.php)$" ignoreCase="false" />
-                    <action type="Rewrite" url="{$iis_rewrite_base}{R:2}" />
+                    <match url="^' . $iis_subdir_match . '([_0-9a-zA-Z-]+/)?(.*\.php)$" ignoreCase="false" />
+                    <action type="Rewrite" url="' . $iis_rewrite_base . '{R:2}" />
                 </rule>
                 <rule name="WordPress Rule 6" stopProcessing="true">
                     <match url="." ignoreCase="false" />
@@ -456,8 +456,7 @@ define('BLOG_ID_CURRENT_SITE', 1);
             </rules>
         </rewrite>
     </system.webServer>
-</configuration>
-EOF;
+</configuration>';
 
 	?>
 		<li><p><?php printf( __( 'Add the following to your <code>web.config</code> file in <code>%s</code>, replacing other WordPress rules:' ), $home_path ); ?></p>

wp-content/themes/twentyeleven/languages/twentyeleven.pot

@@ -1,14 +1,14 @@
-# Copyright (C) 2012 the WordPress team
+# Copyright (C) 2013 the WordPress team
 # This file is distributed under the GNU General Public License v2 or later.
 msgid ""
 msgstr ""
 "Project-Id-Version: Twenty Eleven 1.5\n"
 "Report-Msgid-Bugs-To: http://wordpress.org/tags/twentyeleven\n"
-"POT-Creation-Date: 2012-12-07 21:19:12+00:00\n"
+"POT-Creation-Date: 2013-01-01 00:19:40+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2012-MO-DA HO:MI+ZONE\n"
+"PO-Revision-Date: 2013-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 

wp-content/themes/twentyten/languages/twentyten.pot

@@ -1,14 +1,14 @@
-# Copyright (C) 2012 the WordPress team
+# Copyright (C) 2013 the WordPress team
 # This file is distributed under the GNU General Public License v2 or later.
 msgid ""
 msgstr ""
 "Project-Id-Version: Twenty Ten 1.5\n"
 "Report-Msgid-Bugs-To: http://wordpress.org/tags/twentyten\n"
-"POT-Creation-Date: 2012-12-07 21:19:05+00:00\n"
+"POT-Creation-Date: 2013-01-01 00:19:29+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2012-MO-DA HO:MI+ZONE\n"
+"PO-Revision-Date: 2013-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 

wp-content/themes/twentytwelve/languages/twentytwelve.pot

@@ -1,14 +1,14 @@
-# Copyright (C) 2012 the WordPress team
+# Copyright (C) 2013 the WordPress team
 # This file is distributed under the GNU General Public License v2 or later.
 msgid ""
 msgstr ""
 "Project-Id-Version: Twenty Twelve 1.1\n"
 "Report-Msgid-Bugs-To: http://wordpress.org/tags/twentytwelve\n"
-"POT-Creation-Date: 2012-12-07 21:19:18+00:00\n"
+"POT-Creation-Date: 2013-01-01 00:19:44+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2012-MO-DA HO:MI+ZONE\n"
+"PO-Revision-Date: 2013-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 

wp-includes/class-http.php

@@ -141,7 +141,7 @@ class WP_Http {
 		// Force some settings if we are streaming to a file and check for existence and perms of destination directory
 		if ( $r['stream'] ) {
 			$r['blocking'] = true;
-			if ( ! is_writable( dirname( $r['filename'] ) ) )
+			if ( ! call_user_func( 'WIN' === strtoupper( substr( PHP_OS, 0, 3 ) ) ? 'win_is_writable' : 'is_writable', dirname( $r['filename'] ) ) )
 				return new WP_Error( 'http_request_failed', __( 'Destination directory for file streaming does not exist or is not writable.' ) );
 		}
 

wp-includes/class-oembed.php

@@ -216,20 +216,39 @@ class WP_oEmbed {
 	 * @access private
 	 */
 	function _parse_xml( $response_body ) {
-		if ( function_exists('simplexml_load_string') ) {
-			$errors = libxml_use_internal_errors( 'true' );
-			$data = simplexml_load_string( $response_body );
-			libxml_use_internal_errors( $errors );
-			if ( ! is_object( $data ) )
-				return false;
-
-			$return = new stdClass;
-			foreach ( $data as $key => $value )
-				$return->$key = (string) $value;
-
-			return $return;
+		if ( !function_exists('simplexml_load_string') ) {
+			return false;
 		}
-		return false;
+
+		if ( ! class_exists( 'DOMDocument' ) )
+			return false;
+
+		$errors = libxml_use_internal_errors( true );
+		$old_value = null;
+		if ( function_exists( 'libxml_disable_entity_loader' ) ) {
+			$old_value = libxml_disable_entity_loader( true );
+		}
+
+		$dom = new DOMDocument;
+		$success = $dom->loadXML( $response_body );
+
+		if ( ! is_null( $old_value ) ) {
+			libxml_disable_entity_loader( $old_value );
+		}
+		libxml_use_internal_errors( $errors );
+
+		if ( ! $success || isset( $dom->doctype ) ) {
+			return false;
+		}
+
+		$data = simplexml_import_dom( $dom );
+		if ( ! is_object( $data ) )
+			return false;
+
+		$return = new stdClass;
+		foreach ( $data as $key => $value )
+			$return->$key = (string) $value;
+		return $return;
 	}
 
 	/**

wp-includes/class-wp-embed.php

@@ -270,7 +270,7 @@ class WP_Embed {
 	 * @return string Linked URL or the original URL.
 	 */
 	function maybe_make_link( $url ) {
-		$output = ( $this->linkifunknown ) ? '<a href="' . esc_attr($url) . '">' . esc_html($url) . '</a>' : $url;
+		$output = ( $this->linkifunknown ) ? '<a href="' . esc_url($url) . '">' . esc_html($url) . '</a>' : $url;
 		return apply_filters( 'embed_maybe_make_link', $output, $url );
 	}
 }

wp-includes/class-wp-xmlrpc-server.php

@@ -5309,10 +5309,14 @@ class wp_xmlrpc_server extends IXR_Server {
 		$pagelinkedto = str_replace('&', '&', $pagelinkedto);
 		$pagelinkedto = str_replace('&', '&', $pagelinkedto);
 
+		$pagelinkedfrom = apply_filters( 'pingback_ping_source_uri', $pagelinkedfrom, $pagelinkedto );
+		if ( ! $pagelinkedfrom )
+			return $this->pingback_error( 0, __( 'A valid URL was not provided.' ) );
+
 		// Check if the page linked to is in our site
 		$pos1 = strpos($pagelinkedto, str_replace(array('http://www.','http://','https://www.','https://'), '', get_option('home')));
 		if ( !$pos1 )
-			return new IXR_Error(0, __('Is there no link to us?'));
+			return $this->pingback_error( 0, __( 'Is there no link to us?' ) );
 
 		// let's find which post is linked to
 		// FIXME: does url_to_postid() cover all these cases already?
@@ -5346,39 +5350,39 @@ class wp_xmlrpc_server extends IXR_Server {
 				$sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", like_escape( $title ) );
 				if (! ($post_ID = $wpdb->get_var($sql)) ) {
 					// returning unknown error '0' is better than die()ing
-			  		return new IXR_Error(0, '');
+			  		return $this->pingback_error( 0, '' );
 				}
 				$way = 'from the fragment (title)';
 			}
 		} else {
 			// TODO: Attempt to extract a post ID from the given URL
-	  		return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+	  		return $this->pingback_error( 33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
 		}
 		$post_ID = (int) $post_ID;
 
 		$post = get_post($post_ID);
 
 		if ( !$post ) // Post_ID not found
-	  		return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+	  		return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
 
 		if ( $post_ID == url_to_postid($pagelinkedfrom) )
-			return new IXR_Error(0, __('The source URL and the target URL cannot both point to the same resource.'));
+			return $this->pingback_error( 0, __( 'The source URL and the target URL cannot both point to the same resource.' ) );
 
 		// Check if pings are on
 		if ( !pings_open($post) )
-	  		return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+	  		return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
 
 		// Let's check that the remote site didn't already pingback this entry
 		if ( $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) ) )
-			return new IXR_Error( 48, __( 'The pingback has already been registered.' ) );
+			return $this->pingback_error( 48, __( 'The pingback has already been registered.' ) );
 
 		// very stupid, but gives time to the 'from' server to publish !
 		sleep(1);
 
 		// Let's check the remote site
-		$linea = wp_remote_fopen( $pagelinkedfrom );
+		$linea = wp_remote_retrieve_body( wp_remote_get( $pagelinkedfrom, array( 'timeout' => 10, 'redirection' => 0 ) ) );
 		if ( !$linea )
-	  		return new IXR_Error(16, __('The source URL does not exist.'));
+	  		return $this->pingback_error( 16, __( 'The source URL does not exist.' ) );
 
 		$linea = apply_filters('pre_remote_source', $linea, $pagelinkedto);
 
@@ -5390,7 +5394,7 @@ class wp_xmlrpc_server extends IXR_Server {
 		preg_match('|<title>([^<]*?)</title>|is', $linea, $matchtitle);
 		$title = $matchtitle[1];
 		if ( empty( $title ) )
-			return new IXR_Error(32, __('We cannot find a title on that page.'));
+			return $this->pingback_error( 32, __('We cannot find a title on that page.' ) );
 
 		$linea = strip_tags( $linea, '<a>' ); // just keep the tag we need
 
@@ -5426,7 +5430,7 @@ class wp_xmlrpc_server extends IXR_Server {
 		}
 
 		if ( empty($context) ) // Link to target not found
-			return new IXR_Error(17, __('The source URL does not contain a link to the target URL, and so cannot be used as a source.'));
+			return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
 
 		$pagelinkedfrom = str_replace('&', '&amp;', $pagelinkedfrom);
 
@@ -5473,14 +5477,14 @@ class wp_xmlrpc_server extends IXR_Server {
 		$post_ID = url_to_postid($url);
 		if ( !$post_ID ) {
 			// We aren't sure that the resource is available and/or pingback enabled
-	  		return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn&#8217;t exist, or it is not a pingback-enabled resource.'));
+	  		return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn&#8217;t exist, or it is not a pingback-enabled resource.' ) );
 		}
 
 		$actual_post = get_post($post_ID, ARRAY_A);
 
 		if ( !$actual_post ) {
 			// No such post = resource not found
-	  		return new IXR_Error(32, __('The specified target URL does not exist.'));
+	  		return $this->pingback_error( 32, __('The specified target URL does not exist.' ) );
 		}
 
 		$comments = $wpdb->get_results( $wpdb->prepare("SELECT comment_author_url, comment_content, comment_author_IP, comment_type FROM $wpdb->comments WHERE comment_post_ID = %d", $post_ID) );
@@ -5496,4 +5500,8 @@ class wp_xmlrpc_server extends IXR_Server {
 
 		return $pingbacks;
 	}
+
+	protected function pingback_error( $code, $message ) {
+		return apply_filters( 'xmlrpc_pingback_error', new IXR_Error( $code, $message ) );
+	}
 }

wp-includes/class-wp.php

@@ -378,12 +378,29 @@ class WP {
 
 		if ( ! empty( $status ) )
 			status_header( $status );
+
+		// If Last-Modified is set to false, it should not be sent (no-cache situation).
+		if ( isset( $headers['Last-Modified'] ) && false === $headers['Last-Modified'] ) {
+			unset( $headers['Last-Modified'] );
+
+			// In PHP 5.3+, make sure we are not sending a Last-Modified header.
+			if ( function_exists( 'header_remove' ) ) {
+				@header_remove( 'Last-Modified' );
+			} else {
+				// In PHP 5.2, send an empty Last-Modified header, but only as a
+				// last resort to override a header already sent. #WP23021
+				foreach ( headers_list() as $header ) {
+					if ( 0 === stripos( $header, 'Last-Modified' ) ) {
+						$headers['Last-Modified'] = '';
+						break;
+					}
+				}
+			}
+		}
+
 		foreach( (array) $headers as $name => $field_value )
 			@header("{$name}: {$field_value}");
 
-		if ( isset( $headers['Last-Modified'] ) && empty( $headers['Last-Modified'] ) && function_exists( 'header_remove' ) )
-			@header_remove( 'Last-Modified' );
-
 		if ( $exit_required )
 			exit();
 

wp-includes/comment.php

@@ -290,13 +290,13 @@ class WP_Comment_Query {
 				'user_id',
 			);
 			if ( ! empty( $this->query_vars['meta_key'] ) ) {
-				$allowed_keys[] = $q['meta_key'];
+				$allowed_keys[] = $this->query_vars['meta_key'];
 				$allowed_keys[] = 'meta_value';
 				$allowed_keys[] = 'meta_value_num';
 			}
 			$ordersby = array_intersect( $ordersby, $allowed_keys );
 			foreach ( $ordersby as $key => $value ) {
-				if ( $value == $q['meta_key'] || $value == 'meta_value' ) {
+				if ( $value == $this->query_vars['meta_key'] || $value == 'meta_value' ) {
 					$ordersby[ $key ] = "$wpdb->commentmeta.meta_value";
 				} elseif ( $value == 'meta_value_num' ) {
 					$ordersby[ $key ] = "$wpdb->commentmeta.meta_value+0";
@@ -1951,6 +1951,86 @@ function weblog_ping($server = '', $path = '') {
 		$client->query('weblogUpdates.ping', get_option('blogname'), $home);
 }
 
+/**
+ * Default filter attached to pingback_ping_source_uri to validate the pingback's Source URI
+ *
+ * @since 3.5.1
+ *
+ * @param string $source_uri
+ * @return string
+ */
+function pingback_ping_source_uri( $source_uri ) {
+	$uri = esc_url_raw( $source_uri, array( 'http', 'https' ) );
+	if ( ! $uri )
+		return '';
+
+	$parsed_url = @parse_url( $uri );
+	if ( ! $parsed_url )
+		return '';
+
+	if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) )
+		return '';
+
+	if ( false !== strpos( $parsed_url['host'], ':' ) )
+		return '';
+
+	$parsed_home = @parse_url( get_option( 'home' ) );
+
+	$same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
+
+	if ( ! $same_host ) {
+		$host = trim( $parsed_url['host'], '.' );
+		if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) {
+			$ip = $host;
+		} else {
+			$ip = gethostbyname( $host );
+			if ( $ip === $host ) // Error condition for gethostbyname()
+				$ip = false;
+		}
+		if ( $ip ) {
+			if ( '127.0.0.1' === $ip )
+				return '';
+			$parts = array_map( 'intval', explode( '.', $ip ) );
+			if ( 10 === $parts[0] )
+				return '';
+			if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
+				return '';
+			if ( 192 === $parts[0] && 168 === $parts[1] )
+				return '';
+		}
+	}
+
+	if ( empty( $parsed_url['port'] ) )
+		return $uri;
+
+	$port = $parsed_url['port'];
+	if ( 80 === $port || 443 === $port || 8080 === $port )
+		return $uri;
+
+	if ( $parsed_home && $same_host && $parsed_home['port'] === $port )
+		return $uri;
+
+	return '';
+}
+
+/**
+ * Default filter attached to xmlrpc_pingback_error.
+ *
+ * Returns a generic pingback error code unless the error code is 48,
+ * which reports that the pingback is already registered.
+ *
+ * @since 3.5.1
+ * @link http://www.hixie.ch/specs/pingback/pingback#TOC3
+ *
+ * @param IXR_Error $ixr_error
+ * @return IXR_Error
+ */
+function xmlrpc_pingback_error( $ixr_error ) {
+	if ( $ixr_error->code === 48 )
+		return $ixr_error;
+	return new IXR_Error( 0, '' );
+}
+
 //
 // Cache
 //

wp-includes/css/editor.css

@@ -1246,7 +1246,7 @@ html[dir="rtl"] .wp-switch-editor {
 
 #wp-link .link-search-field {
 	float: left;
-	margin-right: 5px;
+	width: 220px;
 }
 
 #wp-link .link-search-wrapper {
@@ -1260,13 +1260,7 @@ html[dir="rtl"] .wp-switch-editor {
 	margin-top: 4px;
 }
 
-#wp-link .link-search-wrapper input[type="text"] {
-	float: left;
-	width: 220px;
-}
-
 #wp-link .link-search-wrapper .spinner {
-	margin: 4px 2px 0 0;
 	display: none;
 	vertical-align: text-bottom;
 }
@@ -1341,7 +1335,7 @@ html[dir="rtl"] .wp-switch-editor {
 	display: none;
 }
 
-#wp-link  #search-panel {
+#wp-link #search-panel {
 	float: left;
 	width: 100%;
 }
@@ -1500,6 +1494,11 @@ html[dir="rtl"] .wp-switch-editor {
 	padding: 0;
 }
 
+.rtl .wp-dialog .ui-dialog-titlebar-close {
+	right: auto;
+	left: 6px;
+}
+
 .wp-dialog .ui-dialog-titlebar-close:hover,
 .wp-dialog .ui-dialog-titlebar-close:focus {
 	background-position: -87px -32px;
@@ -1519,22 +1518,25 @@ RTL
 	padding-left: 0;
 }
 
-.rtl #wp-link label span {
+.rtl #wp-link #link-options label span,
+.rtl #wp-link #search-panel label span.search-label {
 	text-align: left;
-	padding-left: 5px;
 	padding-right: 0;
+	padding-left: 5px;
 }
 
+.rtl #wp-link #link-options label #url-field {
+	direction: ltr;
+}
+
+.rtl #wp-link .link-search-field,
 .rtl #wp-link .link-search-wrapper span {
 	float: right;
 }
 
-.rtl #wp-link .link-search-wrapper input[type="text"] {
-	float: right;
-}
-
 .rtl #wp-link .link-target {
-	margin: 0 87px 0 0;
+	margin-right: 87px;
+	margin-left: 0;
 }
 
 .rtl #wp-link .item-info {
@@ -1574,7 +1576,7 @@ RTL
 }
 
 .rtl .mceListBoxMenu.mceNoIcons {
-	margin-left: -14px;
+	direction: rtl;
 }
 
 .clearlooks2 .mceFocus .mceTop .mceLeft {

wp-includes/default-filters.php

@@ -192,6 +192,8 @@ add_filter( 'pings_open',               '_close_comments_for_old_post', 10, 2 );
 add_filter( 'editable_slug',            'urldecode'                           );
 add_filter( 'editable_slug',            'esc_textarea'                        );
 add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object'        );
+add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri'            );
+add_filter( 'xmlrpc_pingback_error',    'xmlrpc_pingback_error'               );
 
 // Actions
 add_action( 'wp_head',             'wp_enqueue_scripts',              1     );

wp-includes/functions.php

@@ -902,7 +902,6 @@ function status_header( $header ) {
 function wp_get_nocache_headers() {
 	$headers = array(
 		'Expires' => 'Wed, 11 Jan 1984 05:00:00 GMT',
-		'Last-Modified' => '',
 		'Cache-Control' => 'no-cache, must-revalidate, max-age=0',
 		'Pragma' => 'no-cache',
 	);
@@ -910,6 +909,7 @@ function wp_get_nocache_headers() {
 	if ( function_exists('apply_filters') ) {
 		$headers = (array) apply_filters('nocache_headers', $headers);
 	}
+	$headers['Last-Modified'] = false;
 	return $headers;
 }
 
@@ -924,10 +924,25 @@ function wp_get_nocache_headers() {
  */
 function nocache_headers() {
 	$headers = wp_get_nocache_headers();
+
+	unset( $headers['Last-Modified'] );
+
+	// In PHP 5.3+, make sure we are not sending a Last-Modified header.
+	if ( function_exists( 'header_remove' ) ) {
+		@header_remove( 'Last-Modified' );
+	} else {
+		// In PHP 5.2, send an empty Last-Modified header, but only as a
+		// last resort to override a header already sent. #WP23021
+		foreach ( headers_list() as $header ) {
+			if ( 0 === stripos( $header, 'Last-Modified' ) ) {
+				$headers['Last-Modified'] = '';
+				break;
+			}
+		}
+	}
+
 	foreach( $headers as $name => $field_value )
 		@header("{$name}: {$field_value}");
-	if ( empty( $headers['Last-Modified'] ) && function_exists( 'header_remove' ) )
-		@header_remove( 'Last-Modified' );
 }
 
 /**

wp-includes/js/media-editor.js

@@ -9,7 +9,8 @@
 		// outputting the proper object format based on the
 		// attachment's type.
 		props: function( props, attachment ) {
-			var link, linkUrl, size, sizes, fallbacks;
+			var link, linkUrl, size, sizes, fallbacks,
+				defaultProps = wp.media.view.settings.defaultProps;
 
 			// Final fallbacks run after all processing has been completed.
 			fallbacks = function( props ) {
@@ -17,6 +18,7 @@
 				if ( 'image' === props.type && ! props.alt ) {
 					props.alt = props.caption || props.title || '';
 					props.alt = props.alt.replace( /<\/?[^>]+>/g, '' );
+					props.alt = props.alt.replace( /[\r\n]+/g, ' ' );
 				}
 
 				return props;
@@ -29,8 +31,8 @@
 
 			if ( 'image' === props.type ) {
 				props = _.defaults( props || {}, {
-					align:   getUserSetting( 'align', 'none' ),
-					size:    getUserSetting( 'imgsize', 'medium' ),
+					align:   defaultProps.align || getUserSetting( 'align', 'none' ),
+					size:    defaultProps.size  || getUserSetting( 'imgsize', 'medium' ),
 					url:     '',
 					classes: []
 				});
@@ -42,7 +44,7 @@
 
 			props.title = props.title || attachment.title;
 
-			link = props.link || getUserSetting( 'urlbutton', 'post' );
+			link = props.link || defaultProps.link || getUserSetting( 'urlbutton', 'file' );
 			if ( 'file' === link )
 				linkUrl = attachment.url;
 			else if ( 'post' === link )
@@ -167,7 +169,7 @@
 				itemtag:    'dl',
 				icontag:    'dt',
 				captiontag: 'dd',
-				columns:    3,
+				columns:    '3',
 				size:       'thumbnail',
 				orderby:    'menu_order ID'
 			},

wp-includes/js/media-views.js

@@ -413,8 +413,6 @@
 
 			this.get('selection').on( 'add remove reset', this.refreshContent, this );
 
-			this.on( 'insert', this._insertDisplaySettings, this );
-
 			if ( this.get('contentUserSetting') ) {
 				this.frame.on( 'content:activate', this.saveContentMode, this );
 				this.set( 'content', getUserSetting( 'libraryContent', this.get('content') ) );
@@ -440,11 +438,12 @@
 		},
 
 		resetDisplays: function() {
+			var defaultProps = media.view.settings.defaultProps;
 			this._displays = [];
 			this._defaultDisplaySettings = {
-				align: getUserSetting( 'align', 'none' ),
-				size:  getUserSetting( 'imgsize', 'medium' ),
-				link:  getUserSetting( 'urlbutton', 'post' )
+				align: defaultProps.align || getUserSetting( 'align', 'none' ),
+				size:  defaultProps.size  || getUserSetting( 'imgsize', 'medium' ),
+				link:  defaultProps.link  || getUserSetting( 'urlbutton', 'file' )
 			};
 		},
 
@@ -457,22 +456,6 @@
 			return displays[ attachment.cid ];
 		},
 
-		_insertDisplaySettings: function() {
-			var selection = this.get('selection'),
-				display;
-
-			// If inserting one image, set those display properties as the
-			// default user setting.
-			if ( selection.length !== 1 )
-				return;
-
-			display = this.display( selection.first() ).toJSON();
-
-			setUserSetting( 'align', display.align );
-			setUserSetting( 'imgsize', display.size );
-			setUserSetting( 'urlbutton', display.link );
-		},
-
 		syncSelection: function() {
 			var selection = this.get('selection'),
 				manager = this.frame._selection;
@@ -522,7 +505,10 @@
 				router = frame.router.get(),
 				mode = frame.content.mode();
 
-			if ( this.active && ! selection.length && ! router.get( mode ) )
+			// If the state is active, no items are selected, and the current
+			// content mode is not an option in the state's router (provided
+			// the state has a router), reset the content mode to the default.
+			if ( this.active && ! selection.length && router && ! router.get( mode ) )
 				this.frame.content.render( this.get('content') );
 		},
 
@@ -533,10 +519,12 @@
 			if ( 'upload' === content.mode() )
 				this.frame.content.mode('browse');
 
-			// If we're in a workflow that supports multiple attachments,
-			// automatically select any uploading attachments.
-			if ( this.get('multiple') )
-				this.get('selection').add( attachment );
+			// Automatically select any uploading attachments.
+			//
+			// Selections that don't support multiple attachments automatically
+			// limit themselves to one attachment (in this case, the last
+			// attachment in the upload queue).
+			this.get('selection').add( attachment );
 		},
 
 		saveContentMode: function() {
@@ -673,6 +661,10 @@
 				return !! this.mirroring.getByCid( attachment.cid ) && ! edit.getByCid( attachment.cid ) && media.model.Selection.prototype.validator.apply( this, arguments );
 			};
 
+			// Reset the library to ensure that all attachments are re-added
+			// to the collection. Do so silently, as calling `observe` will
+			// trigger the `reset` event.
+			library.reset( library.mirroring.models, { silent: true });
 			library.observe( edit );
 			this.editLibrary = edit;
 
@@ -2854,7 +2846,9 @@
 		initialize: function() {
 			var selection = this.options.selection;
 
-			this.model.on( 'change:sizes change:uploading change:caption change:title', this.render, this );
+			this.model.on( 'change:sizes change:uploading', this.render, this );
+			this.model.on( 'change:title', this._syncTitle, this );
+			this.model.on( 'change:caption', this._syncCaption, this );
 			this.model.on( 'change:percent', this.progress, this );
 
 			// Update the selection.
@@ -3172,6 +3166,28 @@
 		}
 	});
 
+	// Ensure settings remain in sync between attachment views.
+	_.each({
+		caption: '_syncCaption',
+		title:   '_syncTitle'
+	}, function( method, setting ) {
+		media.view.Attachment.prototype[ method ] = function( model, value ) {
+			var $setting = this.$('[data-setting="' + setting + '"]');
+
+			if ( ! $setting.length )
+				return this;
+
+			// If the updated value is in sync with the value in the DOM, there
+			// is no need to re-render. If we're currently editing the value,
+			// it will automatically be in sync, suppressing the re-render for
+			// the view we're editing, while updating any others.
+			if ( value === $setting.find('input, textarea, select, [value]').val() )
+				return this;
+
+			return this.render();
+		};
+	});
+
 	/**
 	 * wp.media.view.Attachment.Library
 	 */
@@ -3900,10 +3916,11 @@
 				$value = $setting.find('[value="' + value + '"]');
 
 				if ( $value.length ) {
+					$setting.find('option').prop( 'selected', false );
 					$value.prop( 'selected', true );
 				} else {
 					// If we can't find the desired value, record what *is* selected.
-					this.model.set( $setting.data('setting'), $setting.find(':selected').val() );
+					this.model.set( key, $setting.find(':selected').val() );
 				}
 
 

wp-includes/js/plupload/changelog.txt

@@ -1,3 +1,12 @@
+Version 1.5.5 (2013-01-23)
+	UI Widget: Fix sortable feature, broken in jQuery UI 1.9.
+	Queue: Replace live() with delegate(), as live() was removed from jQuery 1.9.
+	HTML5: window.getComputedStyle in Firefox doesn't support dashed rulenames - use zIndex instead of z-index.
+	HTML5/Flash/Silverlight/Gears: Process JPEGs, if quality parameter is present, whatever the scale factor.
+	Flash: Survive invalid EXIF tag offsets.
+	Flash: Allow only letters, digits and underscore in runtime id to avoid script injection.
+	SilverLight: Prepend ampersand to the query string, for non multipart cases (as in Flash and HTML5).
+	Add mime types for m2v,3gp,3g2 extensions.
 Version 1.5.4 (2012-04-12)
 	Flash: Disable scripting if swf was loaded from another domain.
 Version 1.5.3 (2012-04-05)

wp-includes/js/plupload/wp-plupload.js

@@ -150,6 +150,10 @@ window.wp = window.wp || {};
 			_.each( files, function( file ) {
 				var attributes, image;
 
+				// Ignore failed uploads.
+				if ( plupload.FAILED === file.status )
+					return;
+
 				// Generate attributes for a new `Attachment` model.
 				attributes = _.extend({
 					file:      file,

wp-includes/js/plupload/wp-plupload.min.js

@@ -1 +1 @@
-window.wp=window.wp||{};(function(a,b){var c;if(typeof _wpPluploadSettings==="undefined"){return}c=function(f){var d=this,h={container:"container",browser:"browse_button",dropzone:"drop_element"},g,e;this.supports={upload:c.browser.supported};this.supported=this.supports.upload;if(!this.supported){return}this.plupload=b.extend(true,{multipart_params:{}},c.defaults);this.container=document.body;b.extend(true,this,f);for(g in this){if(b.isFunction(this[g])){this[g]=b.proxy(this[g],this)}}for(g in h){if(!this[g]){continue}this[g]=b(this[g]).first();if(!this[g].length){delete this[g];continue}if(!this[g].prop("id")){this[g].prop("id","__wp-uploader-id-"+c.uuid++)}this.plupload[h[g]]=this[g].prop("id")}if(!(this.browser&&this.browser.length)&&!(this.dropzone&&this.dropzone.length)){return}this.uploader=new plupload.Uploader(this.plupload);delete this.plupload;this.param(this.params||{});delete this.params;e=function(j,k,i){if(i.attachment){i.attachment.destroy()}c.errors.unshift({message:j||pluploadL10n.default_error,data:k,file:i});d.error(j,k,i)};this.uploader.init();this.supports.dragdrop=this.uploader.features.dragdrop&&!c.browser.mobile;(function(j,i){var l,k;if(!j){return}j.toggleClass("supports-drag-drop",!!i);if(!i){return j.unbind(".wp-uploader")}j.bind("dragover.wp-uploader",function(){if(l){clearTimeout(l)}if(k){return}j.trigger("dropzone:enter").addClass("drag-over");k=true});j.bind("dragleave.wp-uploader, drop.wp-uploader",function(){l=setTimeout(function(){k=false;j.trigger("dropzone:leave").removeClass("drag-over")},0)})}(this.dropzone,this.supports.dragdrop));if(this.browser){this.browser.on("mouseenter",this.refresh)}else{this.uploader.disableBrowse(true);b("#"+this.uploader.id+"_html5_container").hide()}this.uploader.bind("FilesAdded",function(i,j){_.each(j,function(l){var k,m;k=_.extend({file:l,uploading:true,date:new Date(),filename:l.name,menuOrder:0,uploadedTo:wp.media.model.settings.post.id},_.pick(l,"loaded","size","percent"));m=/(?:jpe?g|png|gif)$/i.exec(l.name);if(m){k.type="image";k.subtype=("jpg"===m[0])?"jpeg":m[0]}l.attachment=wp.media.model.Attachment.create(k);c.queue.add(l.attachment);d.added(l.attachment)});i.refresh();i.start()});this.uploader.bind("UploadProgress",function(i,j){j.attachment.set(_.pick(j,"loaded","percent"));d.progress(j.attachment)});this.uploader.bind("FileUploaded",function(i,l,k){var j;try{k=JSON.parse(k.response)}catch(m){return e(pluploadL10n.default_error,m,l)}if(!_.isObject(k)||_.isUndefined(k.success)){return e(pluploadL10n.default_error,null,l)}else{if(!k.success){return e(k.data&&k.data.message,k.data,l)}}_.each(["file","loaded","size","percent"],function(n){l.attachment.unset(n)});l.attachment.set(_.extend(k.data,{uploading:false}));wp.media.model.Attachment.get(k.data.id,l.attachment);j=c.queue.all(function(n){return !n.get("uploading")});if(j){c.queue.reset()}d.success(l.attachment)});this.uploader.bind("Error",function(i,l){var k=pluploadL10n.default_error,j;for(j in c.errorMap){if(l.code===plupload[j]){k=c.errorMap[j];if(_.isFunction(k)){k=k(l.file,l)}break}}e(k,l,l.file);i.refresh()});this.init()};b.extend(c,_wpPluploadSettings);c.uuid=0;c.errorMap={FAILED:pluploadL10n.upload_failed,FILE_EXTENSION_ERROR:pluploadL10n.invalid_filetype,IMAGE_FORMAT_ERROR:pluploadL10n.not_an_image,IMAGE_MEMORY_ERROR:pluploadL10n.image_memory_exceeded,IMAGE_DIMENSIONS_ERROR:pluploadL10n.image_dimensions_exceeded,GENERIC_ERROR:pluploadL10n.upload_failed,IO_ERROR:pluploadL10n.io_error,HTTP_ERROR:pluploadL10n.http_error,SECURITY_ERROR:pluploadL10n.security_error,FILE_SIZE_ERROR:function(d){return pluploadL10n.file_exceeds_size_limit.replace("%s",d.name)}};b.extend(c.prototype,{param:function(d,e){if(arguments.length===1&&typeof d==="string"){return this.uploader.settings.multipart_params[d]}if(arguments.length>1){this.uploader.settings.multipart_params[d]=e}else{b.extend(this.uploader.settings.multipart_params,d)}},init:function(){},error:function(){},success:function(){},added:function(){},progress:function(){},complete:function(){},refresh:function(){var f,e,d,g;if(this.browser){f=this.browser[0];while(f){if(f===document.body){e=true;break}f=f.parentNode}if(!e){g="wp-uploader-browser-"+this.uploader.id;d=b("#"+g);if(!d.length){d=b('<div class="wp-uploader-browser" />').css({position:"fixed",top:"-1000px",left:"-1000px",height:0,width:0}).attr("id","wp-uploader-browser-"+this.uploader.id).appendTo("body")}d.append(this.browser)}}this.uploader.refresh()}});c.queue=new wp.media.model.Attachments([],{query:false});c.errors=new Backbone.Collection();a.Uploader=c})(wp,jQuery);
+window.wp=window.wp||{};(function(a,b){var c;if(typeof _wpPluploadSettings==="undefined"){return}c=function(f){var d=this,h={container:"container",browser:"browse_button",dropzone:"drop_element"},g,e;this.supports={upload:c.browser.supported};this.supported=this.supports.upload;if(!this.supported){return}this.plupload=b.extend(true,{multipart_params:{}},c.defaults);this.container=document.body;b.extend(true,this,f);for(g in this){if(b.isFunction(this[g])){this[g]=b.proxy(this[g],this)}}for(g in h){if(!this[g]){continue}this[g]=b(this[g]).first();if(!this[g].length){delete this[g];continue}if(!this[g].prop("id")){this[g].prop("id","__wp-uploader-id-"+c.uuid++)}this.plupload[h[g]]=this[g].prop("id")}if(!(this.browser&&this.browser.length)&&!(this.dropzone&&this.dropzone.length)){return}this.uploader=new plupload.Uploader(this.plupload);delete this.plupload;this.param(this.params||{});delete this.params;e=function(j,k,i){if(i.attachment){i.attachment.destroy()}c.errors.unshift({message:j||pluploadL10n.default_error,data:k,file:i});d.error(j,k,i)};this.uploader.init();this.supports.dragdrop=this.uploader.features.dragdrop&&!c.browser.mobile;(function(j,i){var l,k;if(!j){return}j.toggleClass("supports-drag-drop",!!i);if(!i){return j.unbind(".wp-uploader")}j.bind("dragover.wp-uploader",function(){if(l){clearTimeout(l)}if(k){return}j.trigger("dropzone:enter").addClass("drag-over");k=true});j.bind("dragleave.wp-uploader, drop.wp-uploader",function(){l=setTimeout(function(){k=false;j.trigger("dropzone:leave").removeClass("drag-over")},0)})}(this.dropzone,this.supports.dragdrop));if(this.browser){this.browser.on("mouseenter",this.refresh)}else{this.uploader.disableBrowse(true);b("#"+this.uploader.id+"_html5_container").hide()}this.uploader.bind("FilesAdded",function(i,j){_.each(j,function(l){var k,m;if(plupload.FAILED===l.status){return}k=_.extend({file:l,uploading:true,date:new Date(),filename:l.name,menuOrder:0,uploadedTo:wp.media.model.settings.post.id},_.pick(l,"loaded","size","percent"));m=/(?:jpe?g|png|gif)$/i.exec(l.name);if(m){k.type="image";k.subtype=("jpg"===m[0])?"jpeg":m[0]}l.attachment=wp.media.model.Attachment.create(k);c.queue.add(l.attachment);d.added(l.attachment)});i.refresh();i.start()});this.uploader.bind("UploadProgress",function(i,j){j.attachment.set(_.pick(j,"loaded","percent"));d.progress(j.attachment)});this.uploader.bind("FileUploaded",function(i,l,k){var j;try{k=JSON.parse(k.response)}catch(m){return e(pluploadL10n.default_error,m,l)}if(!_.isObject(k)||_.isUndefined(k.success)){return e(pluploadL10n.default_error,null,l)}else{if(!k.success){return e(k.data&&k.data.message,k.data,l)}}_.each(["file","loaded","size","percent"],function(n){l.attachment.unset(n)});l.attachment.set(_.extend(k.data,{uploading:false}));wp.media.model.Attachment.get(k.data.id,l.attachment);j=c.queue.all(function(n){return !n.get("uploading")});if(j){c.queue.reset()}d.success(l.attachment)});this.uploader.bind("Error",function(i,l){var k=pluploadL10n.default_error,j;for(j in c.errorMap){if(l.code===plupload[j]){k=c.errorMap[j];if(_.isFunction(k)){k=k(l.file,l)}break}}e(k,l,l.file);i.refresh()});this.init()};b.extend(c,_wpPluploadSettings);c.uuid=0;c.errorMap={FAILED:pluploadL10n.upload_failed,FILE_EXTENSION_ERROR:pluploadL10n.invalid_filetype,IMAGE_FORMAT_ERROR:pluploadL10n.not_an_image,IMAGE_MEMORY_ERROR:pluploadL10n.image_memory_exceeded,IMAGE_DIMENSIONS_ERROR:pluploadL10n.image_dimensions_exceeded,GENERIC_ERROR:pluploadL10n.upload_failed,IO_ERROR:pluploadL10n.io_error,HTTP_ERROR:pluploadL10n.http_error,SECURITY_ERROR:pluploadL10n.security_error,FILE_SIZE_ERROR:function(d){return pluploadL10n.file_exceeds_size_limit.replace("%s",d.name)}};b.extend(c.prototype,{param:function(d,e){if(arguments.length===1&&typeof d==="string"){return this.uploader.settings.multipart_params[d]}if(arguments.length>1){this.uploader.settings.multipart_params[d]=e}else{b.extend(this.uploader.settings.multipart_params,d)}},init:function(){},error:function(){},success:function(){},added:function(){},progress:function(){},complete:function(){},refresh:function(){var f,e,d,g;if(this.browser){f=this.browser[0];while(f){if(f===document.body){e=true;break}f=f.parentNode}if(!e){g="wp-uploader-browser-"+this.uploader.id;d=b("#"+g);if(!d.length){d=b('<div class="wp-uploader-browser" />').css({position:"fixed",top:"-1000px",left:"-1000px",height:0,width:0}).attr("id","wp-uploader-browser-"+this.uploader.id).appendTo("body")}d.append(this.browser)}}this.uploader.refresh()}});c.queue=new wp.media.model.Attachments([],{query:false});c.errors=new Backbone.Collection();a.Uploader=c})(wp,jQuery);

wp-includes/js/tinymce/plugins/wordpress/editor_plugin_src.js

@@ -135,12 +135,6 @@
 				}
 			});
 
-			// Extend <object> and <embed> (#WP22790)
-			ed.onPreInit.add(function(ed) {
-				ed.schema.addValidElements('object[*],param[id|name|value|valuetype|type],embed[*]');
-				ed.schema.addValidChildren('object[*]');
-			});
-
 			ed.onInit.add(function(ed) {
 				var bodyClass = ed.getParam('body_class', ''), body = ed.getBody();
 

wp-includes/media-template.php

@@ -291,12 +291,12 @@ function wp_print_media_templates() {
 					<option value="custom">
 						<?php esc_attr_e('Custom URL'); ?>
 					</option>
-					<option value="post" selected>
-						<?php esc_attr_e('Attachment Page'); ?>
-					</option>
-					<option value="file">
+					<option value="file" selected>
 						<?php esc_attr_e('Media File'); ?>
 					</option>
+					<option value="post">
+						<?php esc_attr_e('Attachment Page'); ?>
+					</option>
 					<option value="none">
 						<?php esc_attr_e('None'); ?>
 					</option>
@@ -347,12 +347,12 @@ function wp_print_media_templates() {
 					data-user-setting="urlbutton"
 				<# } #>>
 
-				<option value="post" selected>
-					<?php esc_attr_e('Attachment Page'); ?>
-				</option>
-				<option value="file">
+				<option value="file" selected>
 					<?php esc_attr_e('Media File'); ?>
 				</option>
+				<option value="post">
+					<?php esc_attr_e('Attachment Page'); ?>
+				</option>
 			</select>
 		</label>
 

wp-includes/media.php

@@ -735,6 +735,15 @@ function gallery_shortcode($attr) {
 
 	$itemtag = tag_escape($itemtag);
 	$captiontag = tag_escape($captiontag);
+	$icontag = tag_escape($icontag);
+	$valid_tags = wp_kses_allowed_html( 'post' );
+	if ( ! isset( $valid_tags[ $itemtag ] ) )
+		$itemtag = 'dl';
+	if ( ! isset( $valid_tags[ $captiontag ] ) )
+		$captiontag = 'dd';
+	if ( ! isset( $valid_tags[ $icontag ] ) )
+		$icontag = 'dt';
+
 	$columns = intval($columns);
 	$itemwidth = $columns > 0 ? floor(100/$columns) : 100;
 	$float = is_rtl() ? 'right' : 'left';
@@ -1391,13 +1400,8 @@ function wp_prepare_attachment_for_js( $attachment ) {
 				$size_meta = $meta['sizes'][ $size ];
 
 				// We have the actual image size, but might need to further constrain it if content_width is narrower.
-				// This is not necessary for thumbnails and medium size.
-				if ( 'thumbnail' == $size || 'medium' == $size ) {
-					$width = $size_meta['width'];
-					$height = $size_meta['height'];
-				} else {
-					list( $width, $height ) = image_constrain_size_for_editor( $size_meta['width'], $size_meta['height'], $size, 'edit' );
-				}
+				// Thumbnail, medium, and full sizes are also checked against the site's height/width options.
+				list( $width, $height ) = image_constrain_size_for_editor( $size_meta['width'], $size_meta['height'], $size, 'edit' );
 
 				$sizes[ $size ] = array(
 					'height'      => $height,
@@ -1431,6 +1435,11 @@ function wp_prepare_attachment_for_js( $attachment ) {
  * @since 3.5.0
  */
 function wp_enqueue_media( $args = array() ) {
+
+	// Enqueue me just once per page, please.
+	if ( did_action( 'wp_enqueue_media' ) )
+		return;
+
 	$defaults = array(
 		'post' => null,
 	);
@@ -1449,6 +1458,12 @@ function wp_enqueue_media( $args = array() ) {
 	$tabs = apply_filters( 'media_upload_tabs', $tabs );
 	unset( $tabs['type'], $tabs['type_url'], $tabs['gallery'], $tabs['library'] );
 
+	$props = array(
+		'link'  => get_option( 'image_default_link_type' ), // db default is 'file'
+		'align' => get_option( 'image_default_align' ), // empty default
+		'size'  => get_option( 'image_default_size' ),  // empty default
+	);
+
 	$settings = array(
 		'tabs'      => $tabs,
 		'tabUrl'    => add_query_arg( array( 'chromeless' => true ), admin_url('media-upload.php') ),
@@ -1460,6 +1475,7 @@ function wp_enqueue_media( $args = array() ) {
 		'post'    => array(
 			'id' => 0,
 		),
+		'defaultProps' => $props,
 	);
 
 	$post = null;

wp-includes/post.php

@@ -682,7 +682,7 @@ final class WP_Post {
  */
 function get_post_ancestors( $post ) {
 	if ( ! $post )
-		return false;
+		return array();
 
 	$post = get_post( $post );
 
@@ -3010,18 +3010,31 @@ function wp_update_post( $postarr = array(), $wp_error = false ) {
  * Publish a post by transitioning the post status.
  *
  * @since 2.1.0
- * @uses wp_update_post()
+ * @uses $wpdb
+ * @uses do_action() Calls 'edit_post', 'save_post', and 'wp_insert_post' on post_id and post data.
  *
  * @param mixed $post Post ID or object.
  */
 function wp_publish_post( $post ) {
+	global $wpdb;
+
 	if ( ! $post = get_post( $post ) )
 		return;
+
 	if ( 'publish' == $post->post_status )
 		return;
 
+	$wpdb->update( $wpdb->posts, array( 'post_status' => 'publish' ), array( 'ID' => $post->ID ) );
+
+	clean_post_cache( $post->ID );
+
+	$old_status = $post->post_status;
 	$post->post_status = 'publish';
-	wp_update_post( $post );
+	wp_transition_post_status( 'publish', $old_status, $post );
+
+	do_action( 'edit_post', $post->ID, $post );
+	do_action( 'save_post', $post->ID, $post );
+	do_action( 'wp_insert_post', $post->ID, $post );
 }
 
 /**
@@ -3581,8 +3594,8 @@ function _page_traverse_name( $page_id, &$children, &$result ){
  * @return string Page URI.
  */
 function get_page_uri($page) {
-	if ( ! is_object($page) )
-		$page = get_post( $page );
+	$page = get_post( $page );
+
 	$uri = $page->post_name;
 
 	foreach ( $page->ancestors as $parent ) {

wp-includes/script-loader.php

@@ -226,14 +226,14 @@ function wp_default_scripts( &$scripts ) {
 		'error_uploading' => __('“%s” has failed to upload.')
 	);
 
-	$scripts->add( 'plupload', '/wp-includes/js/plupload/plupload.js', array(), '1.5.4' );
-	$scripts->add( 'plupload-html5', '/wp-includes/js/plupload/plupload.html5.js', array('plupload'), '1.5.4' );
-	$scripts->add( 'plupload-flash', '/wp-includes/js/plupload/plupload.flash.js', array('plupload'), '1.5.4' );
-	$scripts->add( 'plupload-silverlight', '/wp-includes/js/plupload/plupload.silverlight.js', array('plupload'), '1.5.4' );
-	$scripts->add( 'plupload-html4', '/wp-includes/js/plupload/plupload.html4.js', array('plupload'), '1.5.4' );
+	$scripts->add( 'plupload', '/wp-includes/js/plupload/plupload.js', array(), '1.5.5' );
+	$scripts->add( 'plupload-html5', '/wp-includes/js/plupload/plupload.html5.js', array('plupload'), '1.5.5' );
+	$scripts->add( 'plupload-flash', '/wp-includes/js/plupload/plupload.flash.js', array('plupload'), '1.5.5' );
+	$scripts->add( 'plupload-silverlight', '/wp-includes/js/plupload/plupload.silverlight.js', array('plupload'), '1.5.5' );
+	$scripts->add( 'plupload-html4', '/wp-includes/js/plupload/plupload.html4.js', array('plupload'), '1.5.5' );
 
 	// cannot use the plupload.full.js, as it loads browserplus init JS from Yahoo
-	$scripts->add( 'plupload-all', false, array('plupload', 'plupload-html5', 'plupload-flash', 'plupload-silverlight', 'plupload-html4'), '1.5.4' );
+	$scripts->add( 'plupload-all', false, array('plupload', 'plupload-html5', 'plupload-flash', 'plupload-silverlight', 'plupload-html4'), '1.5.5' );
 
 	$scripts->add( 'plupload-handlers', "/wp-includes/js/plupload/handlers$suffix.js", array('plupload-all', 'jquery') );
 	did_action( 'init' ) && $scripts->localize( 'plupload-handlers', 'pluploadL10n', $uploader_l10n );
@@ -700,7 +700,7 @@ function _print_scripts() {
 		}
 
 		$concat = str_split( $concat, 128 );
-		$concat = 'load[]=' . implode( '&load[]=', $concat );
+		$concat = 'load%5B%5D=' . implode( '&load%5B%5D=', $concat );
 
 		$src = $wp_scripts->base_url . "/wp-admin/load-scripts.php?c={$zip}&" . $concat . '&ver=' . $wp_scripts->default_version;
 		echo "<script type='text/javascript' src='" . esc_attr($src) . "'></script>\n";

wp-includes/template.php

@@ -59,12 +59,14 @@ function get_404_template() {
  * @return string
  */
 function get_archive_template() {
-	$post_types = get_query_var( 'post_type' );
+	$post_types = array_filter( (array) get_query_var( 'post_type' ) );
 
 	$templates = array();
 
-	foreach ( (array) $post_types as $post_type )
+	if ( count( $post_types ) == 1 ) {
+		$post_type = reset( $post_types );
 		$templates[] = "archive-{$post_type}.php";
+	}
 	$templates[] = 'archive.php';
 
 	return get_query_template( 'archive', $templates );

wp-includes/user.php

@@ -1452,6 +1452,8 @@ function wp_update_user($userdata) {
 
 	// First, get all of the original fields
 	$user_obj = get_userdata( $ID );
+	if ( ! $user_obj )
+		return new WP_Error( 'invalid_user_id', __( 'Invalid user ID' ) );
 
 	$user = $user_obj->to_array();
 

wp-includes/version.php

@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '3.5-RC5';
+$wp_version = '3.5.1';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
@@ -18,7 +18,7 @@ $wp_db_version = 22441;
  *
  * @global string $tinymce_version
  */
-$tinymce_version = '358-23121';
+$tinymce_version = '358-23224';
 
 /**
  * Holds the required PHP version

wp-includes/wp-db.php

@@ -987,10 +987,13 @@ class wpdb {
 	 * @return null|false|string Sanitized query string, null if there is no query, false if there is an error and string
 	 * 	if there was something to prepare
 	 */
-	function prepare( $query, $args ) {
+	function prepare( $query, $args = null ) {
 		if ( is_null( $query ) )
 			return;
 
+		if ( func_num_args() < 2 )
+			_doing_it_wrong( 'wpdb::prepare', 'wpdb::prepare() requires at least two arguments.', '3.5' );
+
 		$args = func_get_args();
 		array_shift( $args );
 		// If args were passed as an array (as in vsprintf), move them up