Tag 4.7.5

Built from https://develop.svn.wordpress.org/tags/4.7.5@40759


git-svn-id: http://core.svn.wordpress.org/tags/4.7.5@40617 1a063a9b-81f0-0310-95a4-ce76da25c4cd

license.txt

@@ -1,6 +1,6 @@
 WordPress - Web publishing software
 
-Copyright 2011-2016 by the contributors
+Copyright 2011-2017 by the contributors
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

wp-admin/about.php

@@ -43,6 +43,29 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 			<a href="freedoms.php" class="nav-tab"><?php _e( 'Freedoms' ); ?></a>
 		</h2>
 
+		<div class="changelog point-releases">
+			<h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
+			<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+					'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 3 ), '4.7.5', number_format_i18n( 3 ) ); ?>
+				<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.7.5' ); ?>
+			</p>
+			<p><?php printf( _n( '<strong>Version %1$s</strong> addressed %2$s bug.',
+					'<strong>Version %1$s</strong> addressed %2$s bugs.', 47 ), '4.7.4', number_format_i18n( 47 ) ); ?>
+				<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.7.4' ); ?>
+			</p>
+			<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+					'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 39 ), '4.7.3', number_format_i18n( 39 ) ); ?>
+				<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.7.3' ); ?>
+			</p>
+			<p><?php printf( __( '<strong>Version %s</strong> addressed some security issues.' ), '4.7.2' ); ?>
+				<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.7.2' ); ?>
+			</p>
+			<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+					'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 62 ), '4.7.1', number_format_i18n( 62 ) ); ?>
+				<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.7.1' ); ?>
+			</p>
+		</div>
+
 		<div class="headline-feature feature-video">
 			<iframe width="1050" height="591" src="<?php echo esc_url( $video_url ); ?>" frameborder="0" allowfullscreen></iframe>
 			<script src="https://videopress.com/videopress-iframe.js"></script>
@@ -78,8 +101,6 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 				echo wp_video_shortcode( array(
 					'mp4'      => 'https://s.w.org/images/core/4.7/starter-content-v1.mp4',
 					'poster'   => 'https://s.w.org/images/core/4.7/starter-content.jpg?v2',
-					'loop'     => true,
-					'autoplay' => true,
 					'width'    => 1140,
 					'height'   => 624,
 					// 'class'    => 'wp-video-shortcode feature-video',
@@ -95,8 +116,6 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 				echo wp_video_shortcode( array(
 					'mp4'      => 'https://s.w.org/images/core/4.7/edit-shortcuts-v1.mp4',
 					'poster'   => 'https://s.w.org/images/core/4.7/edit-shortcuts.jpg?v2',
-					'loop'     => true,
-					'autoplay' => true,
 					'width'    => 2520,
 					'height'   => 1454,
 					// 'class'    => 'wp-video-shortcode feature-video',
@@ -110,8 +129,6 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 				echo wp_video_shortcode( array(
 					'mp4'      => 'https://s.w.org/images/core/4.7/header-video-v1.mp4',
 					'poster'   => 'https://s.w.org/images/core/4.7/header-video.jpg?v2',
-					'loop'     => true,
-					'autoplay' => true,
 					'width'    => 2520,
 					'height'   => 1454,
 					// 'class'    => 'wp-video-shortcode feature-video',

wp-admin/css/customize-controls-rtl.css

@@ -294,6 +294,11 @@ body {
 	transition: 0.18s transform cubic-bezier(0.645, 0.045, 0.355, 1), 0.18s -webkit-transform cubic-bezier(0.645, 0.045, 0.355, 1); /* easeInOutCubic */
 }
 
+#customize-theme-controls .customize-pane-child.skip-transition {
+	-webkit-transition: none;
+	transition: none;
+}
+
 #customize-info,
 #customize-theme-controls .customize-pane-parent {
 	position: relative;

wp-admin/css/customize-controls.css

@@ -294,6 +294,11 @@ body {
 	transition: 0.18s transform cubic-bezier(0.645, 0.045, 0.355, 1), 0.18s -webkit-transform cubic-bezier(0.645, 0.045, 0.355, 1); /* easeInOutCubic */
 }
 
+#customize-theme-controls .customize-pane-child.skip-transition {
+	-webkit-transition: none;
+	transition: none;
+}
+
 #customize-info,
 #customize-theme-controls .customize-pane-parent {
 	position: relative;

wp-admin/css/customize-nav-menus-rtl.css

@@ -161,6 +161,7 @@
 	outline: none;
 	overflow: hidden;
 	cursor: pointer;
+	text-align: center;
 }
 
 .wp-customizer .menu-item.menu-item-edit-active .item-edit .toggle-indicator:after {
@@ -532,6 +533,7 @@
 	box-shadow: none;
 	outline: none;
 	cursor: pointer;
+	text-align: center;
 }
 
 #available-menu-items .accordion-section-title .no-items,
@@ -623,6 +625,7 @@
 	box-shadow: none;
 	outline: none;
 	cursor: pointer;
+	text-align: center;
 }
 
 #available-menu-items .menu-item-handle .item-add:focus {
@@ -811,7 +814,6 @@ li.assigned-to-menu-location .add-new-menu-item {
 .menu-delete:hover,
 .menu-delete:focus {
 	color: #f00;
-	text-decoration: none;
 }
 
 .menu-item-handle {

wp-admin/css/customize-nav-menus.css

@@ -161,6 +161,7 @@
 	outline: none;
 	overflow: hidden;
 	cursor: pointer;
+	text-align: center;
 }
 
 .wp-customizer .menu-item.menu-item-edit-active .item-edit .toggle-indicator:after {
@@ -532,6 +533,7 @@
 	box-shadow: none;
 	outline: none;
 	cursor: pointer;
+	text-align: center;
 }
 
 #available-menu-items .accordion-section-title .no-items,
@@ -623,6 +625,7 @@
 	box-shadow: none;
 	outline: none;
 	cursor: pointer;
+	text-align: center;
 }
 
 #available-menu-items .menu-item-handle .item-add:focus {
@@ -811,7 +814,6 @@ li.assigned-to-menu-location .add-new-menu-item {
 .menu-delete:hover,
 .menu-delete:focus {
 	color: #f00;
-	text-decoration: none;
 }
 
 .menu-item-handle {

wp-admin/css/edit-rtl.css

@@ -1229,6 +1229,7 @@ table.links-table {
 }
 
 .focus-on .wrap > h1,
+.focus-on .page-title-action,
 .focus-on #wpfooter,
 .focus-on .postbox-container > *,
 .focus-on div.updated,
@@ -1252,6 +1253,7 @@ table.links-table {
 }
 
 .focus-off .wrap > h1,
+.focus-off .page-title-action,
 .focus-off #wpfooter,
 .focus-off .postbox-container > *,
 .focus-off div.updated,

wp-admin/css/edit.css

@@ -1229,6 +1229,7 @@ table.links-table {
 }
 
 .focus-on .wrap > h1,
+.focus-on .page-title-action,
 .focus-on #wpfooter,
 .focus-on .postbox-container > *,
 .focus-on div.updated,
@@ -1252,6 +1253,7 @@ table.links-table {
 }
 
 .focus-off .wrap > h1,
+.focus-off .page-title-action,
 .focus-off #wpfooter,
 .focus-off .postbox-container > *,
 .focus-off div.updated,

wp-admin/customize.php

@@ -102,7 +102,7 @@ if ( $wp_customize->is_ios() ) {
 if ( is_rtl() ) {
 	$body_class .= ' rtl';
 }
-$body_class .= ' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_locale() ) ) );
+$body_class .= ' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_user_locale() ) ) );
 
 $admin_title = sprintf( $wp_customize->get_document_title_template(), __( 'Loading…' ) );
 
@@ -155,7 +155,7 @@ do_action( 'customize_controls_print_scripts' );
 			<div id="customize-info" class="accordion-section customize-info">
 				<div class="accordion-section-title">
 					<span class="preview-notice"><?php
-						echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name' ) . '</strong>' );
+						echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name', 'display' ) . '</strong>' );
 					?></span>
 					<button type="button" class="customize-help-toggle dashicons dashicons-editor-help" aria-expanded="false"><span class="screen-reader-text"><?php _e( 'Help' ); ?></span></button>
 				</div>

wp-admin/edit-tags.php

@@ -81,7 +81,7 @@ case 'add-tag':
 
 	$ret = wp_insert_term( $_POST['tag-name'], $taxonomy, $_POST );
 	if ( $ret && !is_wp_error( $ret ) )
-		$location = add_query_arg( 'message', 1, $location );
+		$location = add_query_arg( 'message', 1, $referer );
 	else
 		$location = add_query_arg( array( 'error' => true, 'message' => 4 ), $referer );
 

wp-admin/includes/class-wp-posts-list-table.php

@@ -955,7 +955,7 @@ class WP_Posts_List_Table extends WP_List_Table {
 		echo "</strong>\n";
 
 		if ( ! is_post_type_hierarchical( $this->screen->post_type ) && 'excerpt' === $mode && current_user_can( 'read_post', $post->ID ) ) {
-			the_excerpt();
+			echo esc_html( get_the_excerpt() );
 		}
 
 		get_inline_data( $post );

wp-admin/includes/class-wp-press-this.php

@@ -119,10 +119,28 @@ class WP_Press_This {
 			'post_type'     => 'post',
 			'post_status'   => 'draft',
 			'post_format'   => ( ! empty( $_POST['post_format'] ) ) ? sanitize_text_field( $_POST['post_format'] ) : '',
-			'tax_input'     => ( ! empty( $_POST['tax_input'] ) ) ? $_POST['tax_input'] : array(),
-			'post_category' => ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array(),
 		);
 
+		// Only accept categories if the user actually can assign
+		$category_tax = get_taxonomy( 'category' );
+		if ( current_user_can( $category_tax->cap->assign_terms ) ) {
+			$post_data['post_category'] = ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array();
+		}
+
+		// Only accept taxonomies if the user can actually assign
+		if ( ! empty( $_POST['tax_input'] ) ) {
+			$tax_input = $_POST['tax_input'];
+			foreach ( $tax_input as $tax => $_ti ) {
+				$tax_object = get_taxonomy( $tax );
+				if ( ! $tax_object || ! current_user_can( $tax_object->cap->assign_terms ) ) {
+					unset( $tax_input[ $tax ] );
+				}
+			}
+
+			$post_data['tax_input'] = $tax_input;
+		}
+
+		// Toggle status to pending if user cannot actually publish
 		if ( ! empty( $_POST['post_status'] ) && 'publish' === $_POST['post_status'] ) {
 			if ( current_user_can( 'publish_posts' ) ) {
 				$post_data['post_status'] = 'publish';
@@ -453,7 +471,7 @@ class WP_Press_This {
 	 * @since 4.2.0
 	 *
 	 * @param string $src Embed source URL.
-	 * @return string If not from a supported provider, an empty string. Otherwise, a reformattd embed URL.
+	 * @return string If not from a supported provider, an empty string. Otherwise, a reformatted embed URL.
 	 */
 	private function _limit_embed( $src ) {
 		$src = $this->_limit_url( $src );
@@ -700,7 +718,11 @@ class WP_Press_This {
 			 * making PT fully backward compatible with the older bookmarklet.
 			 */
 			if ( empty( $_POST ) && ! empty( $data['u'] ) ) {
-				$data = $this->source_data_fetch_fallback( $data['u'], $data );
+				if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( $_GET['_wpnonce'], 'scan-site' ) ) {
+					$data = $this->source_data_fetch_fallback( $data['u'], $data );
+				} else {
+					$data['errors'] = 'missing nonce';
+				}
 			} else {
 				foreach ( array( '_images', '_embeds' ) as $type ) {
 					if ( empty( $_POST[ $type ] ) ) {
@@ -853,6 +875,12 @@ class WP_Press_This {
 	public function categories_html( $post ) {
 		$taxonomy = get_taxonomy( 'category' );
 
+		// Bail if user cannot assign terms
+		if ( ! current_user_can( $taxonomy->cap->assign_terms ) ) {
+			return;
+		}
+
+		// Only show "add" if user can edit terms
 		if ( current_user_can( $taxonomy->cap->edit_terms ) ) {
 			?>
 			<button type="button" class="add-cat-toggle button-link" aria-expanded="false">
@@ -1211,7 +1239,7 @@ class WP_Press_This {
 		$site_data = array(
 			'v' => ! empty( $data['v'] ) ? $data['v'] : '',
 			'u' => ! empty( $data['u'] ) ? $data['u'] : '',
-			'hasData' => ! empty( $data ),
+			'hasData' => ! empty( $data ) && ! isset( $data['errors'] ),
 		);
 
 		if ( ! empty( $images ) ) {
@@ -1272,6 +1300,12 @@ class WP_Press_This {
 		wp_enqueue_script( 'json2' );
 		wp_enqueue_script( 'editor' );
 
+		$categories_tax   = get_taxonomy( 'category' );
+		$show_categories  = current_user_can( $categories_tax->cap->assign_terms ) || current_user_can( $categories_tax->cap->edit_terms );
+
+		$tag_tax          = get_taxonomy( 'post_tag' );
+		$show_tags        = current_user_can( $tag_tax->cap->assign_terms );
+
 		$supports_formats = false;
 		$post_format      = 0;
 
@@ -1337,8 +1371,9 @@ class WP_Press_This {
 	<div id="scanbar" class="scan">
 		<form method="GET">
 			<label for="url-scan" class="screen-reader-text"><?php _e( 'Scan site for content' ); ?></label>
-			<input type="url" name="u" id="url-scan" class="scan-url" value="" placeholder="<?php esc_attr_e( 'Enter a URL to scan' ) ?>" />
+			<input type="url" name="u" id="url-scan" class="scan-url" value="<?php echo esc_attr( $site_data['u'] ) ?>" placeholder="<?php esc_attr_e( 'Enter a URL to scan' ) ?>" />
 			<input type="submit" name="url-scan-submit" id="url-scan-submit" class="scan-submit" value="<?php esc_attr_e( 'Scan' ) ?>" />
+			<?php wp_nonce_field( 'scan-site' ); ?>
 		</form>
 	</div>
 
@@ -1423,17 +1458,21 @@ class WP_Press_This {
 					</button>
 				<?php endif; ?>
 
-				<button type="button" class="button-link post-option">
-					<span class="dashicons dashicons-category"></span>
-					<span class="post-option-title"><?php _e( 'Categories' ); ?></span>
-					<span class="dashicons post-option-forward"></span>
-				</button>
+				<?php if ( $show_categories ) : ?>
+					<button type="button" class="button-link post-option">
+						<span class="dashicons dashicons-category"></span>
+						<span class="post-option-title"><?php _e( 'Categories' ); ?></span>
+						<span class="dashicons post-option-forward"></span>
+					</button>
+				<?php endif; ?>
 
-				<button type="button" class="button-link post-option">
-					<span class="dashicons dashicons-tag"></span>
-					<span class="post-option-title"><?php _e( 'Tags' ); ?></span>
-					<span class="dashicons post-option-forward"></span>
-				</button>
+				<?php if ( $show_tags ) : ?>
+					<button type="button" class="button-link post-option">
+						<span class="dashicons dashicons-tag"></span>
+						<span class="post-option-title"><?php _e( 'Tags' ); ?></span>
+						<span class="dashicons post-option-forward"></span>
+					</button>
+				<?php endif; ?>
 			</div>
 
 			<?php if ( $supports_formats ) : ?>
@@ -1447,23 +1486,27 @@ class WP_Press_This {
 				</div>
 			<?php endif; ?>
 
-			<div class="setting-modal is-off-screen is-hidden">
-				<button type="button" class="button-link modal-close">
-					<span class="dashicons post-option-back"></span>
-					<span class="setting-title" aria-hidden="true"><?php _e( 'Categories' ); ?></span>
-					<span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span>
-				</button>
-				<?php $this->categories_html( $post ); ?>
-			</div>
+			<?php if ( $show_categories ) : ?>
+				<div class="setting-modal is-off-screen is-hidden">
+					<button type="button" class="button-link modal-close">
+						<span class="dashicons post-option-back"></span>
+						<span class="setting-title" aria-hidden="true"><?php _e( 'Categories' ); ?></span>
+						<span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span>
+					</button>
+					<?php $this->categories_html( $post ); ?>
+				</div>
+			<?php endif; ?>
 
-			<div class="setting-modal tags is-off-screen is-hidden">
-				<button type="button" class="button-link modal-close">
-					<span class="dashicons post-option-back"></span>
-					<span class="setting-title" aria-hidden="true"><?php _e( 'Tags' ); ?></span>
-					<span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span>
-				</button>
-				<?php $this->tags_html( $post ); ?>
-			</div>
+			<?php if ( $show_tags ) : ?>
+				<div class="setting-modal tags is-off-screen is-hidden">
+					<button type="button" class="button-link modal-close">
+						<span class="dashicons post-option-back"></span>
+						<span class="setting-title" aria-hidden="true"><?php _e( 'Tags' ); ?></span>
+						<span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span>
+					</button>
+					<?php $this->tags_html( $post ); ?>
+				</div>
+			<?php endif; ?>
 		</div><!-- .options-panel -->
 	</div><!-- .wrapper -->
 

wp-admin/includes/class-wp-screen.php

@@ -915,7 +915,8 @@ final class WP_Screen {
 
 		switch ( $this->base ) {
 			case 'widgets':
-				$this->_screen_settings = '<p><a id="access-on" href="widgets.php?widgets-access=on">' . __('Enable accessibility mode') . '</a><a id="access-off" href="widgets.php?widgets-access=off">' . __('Disable accessibility mode') . "</a></p>\n";
+				$nonce = wp_create_nonce( 'widgets-access' );
+				$this->_screen_settings = '<p><a id="access-on" href="widgets.php?widgets-access=on&_wpnonce=' . urlencode( $nonce ) . '">' . __('Enable accessibility mode') . '</a><a id="access-off" href="widgets.php?widgets-access=off&_wpnonce=' . urlencode( $nonce ) . '">' . __('Disable accessibility mode') . "</a></p>\n";
 				break;
 			case 'post' :
 				$expand = '<fieldset class="editor-expand hidden"><legend>' . __( 'Additional settings' ) . '</legend><label for="editor-expand-toggle">';

wp-admin/includes/file.php

@@ -1091,14 +1091,28 @@ function request_filesystem_credentials( $form_post, $type = '', $error = false,
 
 	$credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => ''));
 
+	$submitted_form = wp_unslash( $_POST );
+
+	// Verify nonce, or unset submitted form field values on failure
+	if ( ! isset( $_POST['_fs_nonce'] ) || ! wp_verify_nonce( $_POST['_fs_nonce'], 'filesystem-credentials' ) ) {
+		unset(
+			$submitted_form['hostname'],
+			$submitted_form['username'],
+			$submitted_form['password'],
+			$submitted_form['public_key'],
+			$submitted_form['private_key'],
+			$submitted_form['connection_type']
+		);
+	}
+
 	// If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option)
-	$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash( $_POST['hostname'] ) : $credentials['hostname']);
-	$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash( $_POST['username'] ) : $credentials['username']);
-	$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash( $_POST['password'] ) : '');
+	$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($submitted_form['hostname']) ? $submitted_form['hostname'] : $credentials['hostname']);
+	$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($submitted_form['username']) ? $submitted_form['username'] : $credentials['username']);
+	$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($submitted_form['password']) ? $submitted_form['password'] : '');
 
 	// Check to see if we are setting the public/private keys for ssh
-	$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash( $_POST['public_key'] ) : '');
-	$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? wp_unslash( $_POST['private_key'] ) : '');
+	$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($submitted_form['public_key']) ? $submitted_form['public_key'] : '');
+	$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($submitted_form['private_key']) ? $submitted_form['private_key'] : '');
 
 	// Sanitize the hostname, Some people might pass in odd-data:
 	$credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off
@@ -1115,8 +1129,8 @@ function request_filesystem_credentials( $form_post, $type = '', $error = false,
 		$credentials['connection_type'] = 'ssh';
 	} elseif ( ( defined( 'FTP_SSL' ) && FTP_SSL ) && 'ftpext' == $type ) { //Only the FTP Extension understands SSL
 		$credentials['connection_type'] = 'ftps';
-	} elseif ( ! empty( $_POST['connection_type'] ) ) {
-		$credentials['connection_type'] = wp_unslash( $_POST['connection_type'] );
+	} elseif ( ! empty( $submitted_form['connection_type'] ) ) {
+		$credentials['connection_type'] = $submitted_form['connection_type'];
 	} elseif ( ! isset( $credentials['connection_type'] ) ) { //All else fails (And it's not defaulted to something else saved), Default to FTP
 		$credentials['connection_type'] = 'ftp';
 	}
@@ -1255,11 +1269,12 @@ if ( isset( $types['ssh'] ) ) {
 }
 
 foreach ( (array) $extra_fields as $field ) {
-	if ( isset( $_POST[ $field ] ) )
-		echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( wp_unslash( $_POST[ $field ] ) ) . '" />';
+	if ( isset( $submitted_form[ $field ] ) )
+		echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( $submitted_form[ $field ] ) . '" />';
 }
 ?>
 	<p class="request-filesystem-credentials-action-buttons">
+		<?php wp_nonce_field( 'filesystem-credentials', '_fs_nonce', false, true ); ?>
 		<button class="button cancel-button" data-js-action="close" type="button"><?php _e( 'Cancel' ); ?></button>
 		<?php submit_button( __( 'Proceed' ), '', 'upgrade', false ); ?>
 	</p>

wp-admin/includes/image.php

@@ -221,14 +221,28 @@ function wp_generate_attachment_metadata( $attachment_id, $file ) {
 		$fallback_sizes = apply_filters( 'fallback_intermediate_image_sizes', $fallback_sizes, $metadata );
 
 		$sizes = array();
+		$_wp_additional_image_sizes = wp_get_additional_image_sizes();
 
 		foreach ( $fallback_sizes as $s ) {
-			$sizes[ $s ]['width']  = get_option( "{$s}_size_w" );
-			$sizes[ $s ]['height'] = get_option( "{$s}_size_h" );
+			if ( isset( $_wp_additional_image_sizes[ $s ]['width'] ) ) {
+				$sizes[ $s ]['width'] = intval( $_wp_additional_image_sizes[ $s ]['width'] );
+			} else {
+				$sizes[ $s ]['width'] = get_option( "{$s}_size_w" );
+			}
 
-			// Force thumbnails to be soft crops.
-			if ( ! 'thumbnail' === $s ) {
-				$sizes[ $s ]['crop'] = get_option( "{$s}_crop" );
+			if ( isset( $_wp_additional_image_sizes[ $s ]['height'] ) ) {
+				$sizes[ $s ]['height'] = intval( $_wp_additional_image_sizes[ $s ]['height'] );
+			} else {
+				$sizes[ $s ]['height'] = get_option( "{$s}_size_h" );
+			}
+
+			if ( isset( $_wp_additional_image_sizes[ $s ]['crop'] ) ) {
+				$sizes[ $s ]['crop'] = $_wp_additional_image_sizes[ $s ]['crop'];
+			} else {
+				// Force thumbnails to be soft crops.
+				if ( ! 'thumbnail' === $s ) {
+					$sizes[ $s ]['crop'] = get_option( "{$s}_crop" );
+				}
 			}
 		}
 
@@ -237,7 +251,15 @@ function wp_generate_attachment_metadata( $attachment_id, $file ) {
 			$editor = wp_get_image_editor( $file );
 
 			if ( ! is_wp_error( $editor ) ) { // No support for this type of file
-				$uploaded = $editor->save( $file, 'image/jpeg' );
+				/*
+				 * PDFs may have the same file filename as JPEGs.
+				 * Ensure the PDF preview image does not overwrite any JPEG images that already exist.
+				 */
+				$dirname = dirname( $file ) . '/';
+				$ext = '.' . pathinfo( $file, PATHINFO_EXTENSION );
+				$preview_file = $dirname . wp_unique_filename( $dirname, wp_basename( $file, $ext ) . '-pdf.jpg' );
+
+				$uploaded = $editor->save( $preview_file, 'image/jpeg' );
 				unset( $editor );
 
 				// Resize based on the full size image, rather than the source.

wp-admin/includes/media.php

@@ -2982,7 +2982,7 @@ function wp_add_id3_tag_data( &$metadata, $data ) {
 		if ( ! empty( $data[$version]['comments'] ) ) {
 			foreach ( $data[$version]['comments'] as $key => $list ) {
 				if ( 'length' !== $key && ! empty( $list ) ) {
-					$metadata[$key] = reset( $list );
+					$metadata[$key] = wp_kses_post( reset( $list ) );
 					// Fix bug in byte stream analysis.
 					if ( 'terms_of_use' === $key && 0 === strpos( $metadata[$key], 'yright notice.' ) )
 						$metadata[$key] = 'Cop' . $metadata[$key];

wp-admin/includes/post.php

@@ -1154,35 +1154,6 @@ function wp_edit_attachments_query_vars( $q = false ) {
 	return $q;
 }
 
-/**
- * Filter the SQL clauses of an attachment query to include filenames.
- *
- * @since 4.7.0
- * @access private
- *
- * @global wpdb $wpdb WordPress database abstraction object.
- *
- * @param array $clauses An array including WHERE, GROUP BY, JOIN, ORDER BY,
- *                       DISTINCT, fields (SELECT), and LIMITS clauses.
- * @return array The modified clauses.
- */
-function _filter_query_attachment_filenames( $clauses ) {
-	global $wpdb;
-	remove_filter( 'posts_clauses', __FUNCTION__ );
-
-	// Add a LEFT JOIN of the postmeta table so we don't trample existing JOINs.
-	$clauses['join'] .= " LEFT JOIN {$wpdb->postmeta} AS sq1 ON ( {$wpdb->posts}.ID = sq1.post_id AND sq1.meta_key = '_wp_attached_file' )";
-
-	$clauses['groupby'] = "{$wpdb->posts}.ID";
-
-	$clauses['where'] = preg_replace(
-		"/\({$wpdb->posts}.post_content (NOT LIKE|LIKE) (\'[^']+\')\)/",
-		"$0 OR ( sq1.meta_value $1 $2 )",
-		$clauses['where'] );
-
-	return $clauses;
-}
-
 /**
  * Executes a query for attachments. An array of WP_Query arguments
  * can be passed in, which will override the arguments set by this function.

wp-admin/includes/theme.php

@@ -578,7 +578,7 @@ function wp_prepare_themes_for_js( $themes = null ) {
 		if ( current_user_can( 'edit_theme_options' ) && current_user_can( 'customize' ) ) {
 			$customize_action = esc_url( add_query_arg(
 				array(
-					'return' => urlencode( esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ),
+					'return' => urlencode( esc_url_raw( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ),
 				),
 				wp_customize_url( $slug )
 			) );

wp-admin/install.php

@@ -334,6 +334,7 @@ switch($step) {
 
 		$scripts_to_print[] = 'user-profile';
 
+		display_header();
 		// Fill in the data we gathered
 		$weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
 		$user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : '';
@@ -346,26 +347,21 @@ switch($step) {
 		$error = false;
 		if ( empty( $user_name ) ) {
 			// TODO: poka-yoke
-			display_header();
 			display_setup_form( __( 'Please provide a valid username.' ) );
 			$error = true;
 		} elseif ( $user_name != sanitize_user( $user_name, true ) ) {
-			display_header();
 			display_setup_form( __( 'The username you provided has invalid characters.' ) );
 			$error = true;
 		} elseif ( $admin_password != $admin_password_check ) {
 			// TODO: poka-yoke
-			display_header();
 			display_setup_form( __( 'Your passwords do not match. Please try again.' ) );
 			$error = true;
 		} elseif ( empty( $admin_email ) ) {
 			// TODO: poka-yoke
-			display_header();
 			display_setup_form( __( 'You must provide an email address.' ) );
 			$error = true;
 		} elseif ( ! is_email( $admin_email ) ) {
 			// TODO: poka-yoke
-			display_header();
 			display_setup_form( __( 'Sorry, that isn&#8217;t a valid email address. Email addresses look like <code>username@example.com</code>.' ) );
 			$error = true;
 		}
@@ -373,16 +369,6 @@ switch($step) {
 		if ( $error === false ) {
 			$wpdb->show_errors();
 			$result = wp_install( $weblog_title, $user_name, $admin_email, $public, '', wp_slash( $admin_password ), $loaded_language );
-
-			// Log the user in and send them to wp-admin:
-			if ( ! headers_sent() ) {
-				wp_set_auth_cookie( $result['user_id'], true, is_ssl() );
-				wp_redirect( admin_url() );
-				exit;
-			}
-
-			// If headers have already been sent, fall back to a "Success!" message:
-			display_header();
 ?>
 
 <h1><?php _e( 'Success!' ); ?></h1>

wp-admin/js/common.js

@@ -418,7 +418,7 @@ $document.ready( function() {
 	screenMeta.init();
 
 	// This event needs to be delegated. Ticket #37973.
-	$body.on( 'click', 'tbody .check-column :checkbox', function( event ) {
+	$body.on( 'click', 'tbody > tr > .check-column :checkbox', function( event ) {
 		// Shift click to select a range of checkboxes.
 		if ( 'undefined' == event.shiftKey ) { return true; }
 		if ( event.shiftKey ) {

wp-admin/js/customize-controls.js

@@ -528,10 +528,11 @@
 		 *
 		 * @since 4.1.0
 		 *
-		 * @param {Boolean} active
-		 * @param {Object}  args
-		 * @param {Object}  args.duration
-		 * @param {Object}  args.completeCallback
+		 * @param {boolean}  active - The active state to transiution to.
+		 * @param {Object}   [args] - Args.
+		 * @param {Object}   [args.duration] - The duration for the slideUp/slideDown animation.
+		 * @param {boolean}  [args.unchanged] - Whether the state is already known to not be changed, and so short-circuit with calling completeCallback early.
+		 * @param {Function} [args.completeCallback] - Function to call when the slideUp/slideDown has completed.
 		 */
 		onChangeActive: function( active, args ) {
 			var construct = this,
@@ -564,24 +565,24 @@
 				}
 			}
 
-			if ( ! $.contains( document, headContainer ) ) {
-				// jQuery.fn.slideUp is not hiding an element if it is not in the DOM
+			if ( ! $.contains( document, headContainer.get( 0 ) ) ) {
+				// If the element is not in the DOM, then jQuery.fn.slideUp() does nothing. In this case, a hard toggle is required instead.
 				headContainer.toggle( active );
 				if ( args.completeCallback ) {
 					args.completeCallback();
 				}
 			} else if ( active ) {
-				headContainer.stop( true, true ).slideDown( duration, args.completeCallback );
+				headContainer.slideDown( duration, args.completeCallback );
 			} else {
 				if ( construct.expanded() ) {
 					construct.collapse({
 						duration: duration,
 						completeCallback: function() {
-							headContainer.stop( true, true ).slideUp( duration, args.completeCallback );
+							headContainer.slideUp( duration, args.completeCallback );
 						}
 					});
 				} else {
-					headContainer.stop( true, true ).slideUp( duration, args.completeCallback );
+					headContainer.slideUp( duration, args.completeCallback );
 				}
 			}
 		},
@@ -710,11 +711,19 @@
 			var construct = this,
 				content = construct.contentContainer,
 				overlay = content.closest( '.wp-full-overlay' ),
-				elements, transitionEndCallback;
+				elements, transitionEndCallback, transitionParentPane;
 
 			// Determine set of elements that are affected by the animation.
 			elements = overlay.add( content );
-			if ( _.isUndefined( construct.panel ) || '' === construct.panel() ) {
+
+			if ( ! construct.panel || '' === construct.panel() ) {
+				transitionParentPane = true;
+			} else if ( api.panel( construct.panel() ).contentContainer.hasClass( 'skip-transition' ) ) {
+				transitionParentPane = true;
+			} else {
+				transitionParentPane = false;
+			}
+			if ( transitionParentPane ) {
 				elements = elements.add( '#customize-info, .customize-pane-parent' );
 			}
 
@@ -995,7 +1004,7 @@
 				overlay = section.headContainer.closest( '.wp-full-overlay' ),
 				backBtn = content.find( '.customize-section-back' ),
 				sectionTitle = section.headContainer.find( '.accordion-section-title' ).first(),
-				expand;
+				expand, panel;
 
 			if ( expanded && ! content.hasClass( 'open' ) ) {
 
@@ -1043,6 +1052,12 @@
 				}
 
 			} else if ( ! expanded && content.hasClass( 'open' ) ) {
+				if ( section.panel() ) {
+					panel = api.panel( section.panel() );
+					if ( panel.contentContainer.hasClass( 'skip-transition' ) ) {
+						panel.collapse();
+					}
+				}
 				section._animateChangeExpanded( function() {
 					backBtn.attr( 'tabindex', '-1' );
 					sectionTitle.attr( 'tabindex', '0' );
@@ -1721,7 +1736,9 @@
 				overlay = accordionSection.closest( '.wp-full-overlay' ),
 				container = accordionSection.closest( '.wp-full-overlay-sidebar-content' ),
 				topPanel = panel.headContainer.find( '.accordion-section-title' ),
-				backBtn = accordionSection.find( '.customize-panel-back' );
+				backBtn = accordionSection.find( '.customize-panel-back' ),
+				childSections = panel.sections(),
+				skipTransition;
 
 			if ( expanded && ! accordionSection.hasClass( 'current-panel' ) ) {
 				// Collapse any sibling sections/panels
@@ -1736,35 +1753,50 @@
 					}
 				});
 
-				panel._animateChangeExpanded( function() {
-					topPanel.attr( 'tabindex', '-1' );
-					backBtn.attr( 'tabindex', '0' );
+				if ( panel.params.autoExpandSoleSection && 1 === childSections.length && childSections[0].active.get() ) {
+					accordionSection.addClass( 'current-panel skip-transition' );
+					overlay.addClass( 'in-sub-panel' );
 
-					backBtn.focus();
-					accordionSection.css( 'top', '' );
-					container.scrollTop( 0 );
+					childSections[0].expand( {
+						completeCallback: args.completeCallback
+					} );
+				} else {
+					panel._animateChangeExpanded( function() {
+						topPanel.attr( 'tabindex', '-1' );
+						backBtn.attr( 'tabindex', '0' );
 
-					if ( args.completeCallback ) {
-						args.completeCallback();
-					}
-				} );
+						backBtn.focus();
+						accordionSection.css( 'top', '' );
+						container.scrollTop( 0 );
+
+						if ( args.completeCallback ) {
+							args.completeCallback();
+						}
+					} );
+
+					accordionSection.addClass( 'current-panel' );
+					overlay.addClass( 'in-sub-panel' );
+				}
 
-				overlay.addClass( 'in-sub-panel' );
-				accordionSection.addClass( 'current-panel' );
 				api.state( 'expandedPanel' ).set( panel );
 
 			} else if ( ! expanded && accordionSection.hasClass( 'current-panel' ) ) {
-				panel._animateChangeExpanded( function() {
-					topPanel.attr( 'tabindex', '0' );
-					backBtn.attr( 'tabindex', '-1' );
+				skipTransition = accordionSection.hasClass( 'skip-transition' );
+				if ( ! skipTransition ) {
+					panel._animateChangeExpanded( function() {
+						topPanel.attr( 'tabindex', '0' );
+						backBtn.attr( 'tabindex', '-1' );
 
-					topPanel.focus();
-					accordionSection.css( 'top', '' );
+						topPanel.focus();
+						accordionSection.css( 'top', '' );
 
-					if ( args.completeCallback ) {
-						args.completeCallback();
-					}
-				} );
+						if ( args.completeCallback ) {
+							args.completeCallback();
+						}
+					} );
+				} else {
+					accordionSection.removeClass( 'skip-transition' );
+				}
 
 				overlay.removeClass( 'in-sub-panel' );
 				accordionSection.removeClass( 'current-panel' );
@@ -2266,9 +2298,9 @@
 				availableItem = new api.Menus.AvailableItemModel( {
 					'id': 'post-' + data.post_id, // Used for available menu item Backbone models.
 					'title': title,
-					'type': 'page',
+					'type': 'post_type',
 					'type_label': api.Menus.data.l10n.page_label,
-					'object': 'post_type',
+					'object': 'page',
 					'object_id': data.post_id,
 					'url': data.url
 				} );
@@ -4122,7 +4154,7 @@
 
 				// Remove notification errors that are no longer valid.
 				setting.notifications.each( function( notification ) {
-					if ( 'error' === notification.type && ( true === validity || ! validity[ notification.code ] ) ) {
+					if ( notification.fromServer && 'error' === notification.type && ( true === validity || ! validity[ notification.code ] ) ) {
 						setting.notifications.remove( notification.code );
 					}
 				} );
@@ -4547,6 +4579,16 @@
 			}
 		});
 
+		// Ensure preview nonce is included with every customized request, to allow post data to be read.
+		$.ajaxPrefilter( function injectPreviewNonce( options ) {
+			if ( ! /wp_customize=on/.test( options.data ) ) {
+				return;
+			}
+			options.data += '&' + $.param({
+				customize_preview_nonce: api.settings.nonce.preview
+			});
+		});
+
 		// Refresh the nonces if the preview sends updated nonces over.
 		api.previewer.bind( 'nonce', function( nonce ) {
 			$.extend( this.nonce, nonce );
@@ -4696,7 +4738,10 @@
 			editShortcutVisibility( 'visible' );
 
 			api.bind( 'change', function() {
-				state('saved').set( false );
+				if ( state( 'saved' ).get() ) {
+					state( 'saved' ).set( false );
+					populateChangesetUuidParam( true );
+				}
 			});
 
 			saving.bind( function( isSaving ) {
@@ -4727,6 +4772,12 @@
 			 */
 			populateChangesetUuidParam = function( isIncluded ) {
 				var urlParser, queryParams;
+
+				// Abort on IE9 which doesn't support history management.
+				if ( ! history.replaceState ) {
+					return;
+				}
+
 				urlParser = document.createElement( 'a' );
 				urlParser.href = location.href;
 				queryParams = api.utils.parseQueryString( urlParser.search.substr( 1 ) );
@@ -4745,11 +4796,9 @@
 				history.replaceState( {}, document.title, urlParser.href );
 			};
 
-			if ( history.replaceState ) {
-				changesetStatus.bind( function( newStatus ) {
-					populateChangesetUuidParam( '' !== newStatus && 'publish' !== newStatus );
-				} );
-			}
+			changesetStatus.bind( function( newStatus ) {
+				populateChangesetUuidParam( '' !== newStatus && 'publish' !== newStatus );
+			} );
 
 			// Expose states to the API.
 			api.state = state;
@@ -5300,7 +5349,7 @@
 				} );
 
 				$textarea.on( 'keydown', function onKeydown( event ) {
-					var selectionStart, selectionEnd, value, scroll, tabKeyCode = 9, escKeyCode = 27;
+					var selectionStart, selectionEnd, value, tabKeyCode = 9, escKeyCode = 27;
 
 					if ( escKeyCode === event.keyCode ) {
 						if ( ! $textarea.data( 'next-tab-blurs' ) ) {
@@ -5325,10 +5374,8 @@
 					value = textarea.value;
 
 					if ( selectionStart >= 0 ) {
-						scroll = $textarea.scrollTop;
 						textarea.value = value.substring( 0, selectionStart ).concat( '\t', value.substring( selectionEnd ) );
 						$textarea.selectionStart = textarea.selectionEnd = selectionStart + 1;
-						textarea.scrollTop = scroll;
 					}
 
 					event.stopPropagation();
@@ -5367,16 +5414,20 @@
 
 		// Focus on the control that is associated with the given setting.
 		api.previewer.bind( 'focus-control-for-setting', function( settingId ) {
-			var matchedControl;
+			var matchedControls = [];
 			api.control.each( function( control ) {
 				var settingIds = _.pluck( control.settings, 'id' );
 				if ( -1 !== _.indexOf( settingIds, settingId ) ) {
-					matchedControl = control;
+					matchedControls.push( control );
 				}
 			} );
 
-			if ( matchedControl ) {
-				matchedControl.focus();
+			// Focus on the matched control with the lowest priority (appearing higher).
+			if ( matchedControls.length ) {
+				matchedControls.sort( function( a, b ) {
+					return a.priority() - b.priority();
+				} );
+				matchedControls[0].focus();
 			}
 		} );
 

wp-admin/js/customize-nav-menus.js

@@ -1169,7 +1169,11 @@
 
 			// @todo It would be better if this was added directly on the setting itself, as opposed to the control.
 			control.setting.validate = function( value ) {
-				return parseInt( value, 10 );
+				if ( '' === value ) {
+					return 0;
+				} else {
+					return parseInt( value, 10 );
+				}
 			};
 
 			// Edit menu button.
@@ -1319,7 +1323,14 @@
 			this.container.find( '.menu-item-handle' ).on( 'click', function( e ) {
 				e.preventDefault();
 				e.stopPropagation();
-				var menuControl = control.getMenuControl();
+				var menuControl = control.getMenuControl(),
+					isDeleteBtn = $( e.target ).is( '.item-delete, .item-delete *' ),
+					isAddNewBtn = $( e.target ).is( '.add-new-menu-item, .add-new-menu-item *' );
+
+				if ( $( 'body' ).hasClass( 'adding-menu-items' ) && ! isDeleteBtn && ! isAddNewBtn ) {
+					api.Menus.availableMenuItemsPanel.close();
+				}
+
 				if ( menuControl.isReordering || menuControl.isSorting ) {
 					return;
 				}
@@ -1505,22 +1516,29 @@
 		 * Update item handle title when changed.
 		 */
 		_setupTitleUI: function() {
-			var control = this;
+			var control = this, titleEl;
 
+			// Ensure that whitespace is trimmed on blur so placeholder can be shown.
+			control.container.find( '.edit-menu-item-title' ).on( 'blur', function() {
+				$( this ).val( $.trim( $( this ).val() ) );
+			} );
+
+			titleEl = control.container.find( '.menu-item-title' );
 			control.setting.bind( function( item ) {
+				var trimmedTitle, titleText;
 				if ( ! item ) {
 					return;
 				}
+				trimmedTitle = $.trim( item.title );
 
-				var titleEl = control.container.find( '.menu-item-title' ),
-				    titleText = item.title || item.original_title || api.Menus.data.l10n.untitled;
+				titleText = trimmedTitle || item.original_title || api.Menus.data.l10n.untitled;
 
 				if ( item._invalid ) {
 					titleText = api.Menus.data.l10n.invalidTitleTpl.replace( '%s', titleText );
 				}
 
 				// Don't update to an empty title.
-				if ( item.title || item.original_title ) {
+				if ( trimmedTitle || item.original_title ) {
 					titleEl
 						.text( titleText )
 						.removeClass( 'no-title' );
@@ -2203,7 +2221,7 @@
 				}
 			} );
 
-			control.container.find( '.menu-delete' ).on( 'click', function( event ) {
+			control.container.find( '.menu-delete-item' ).on( 'click', function( event ) {
 				event.stopPropagation();
 				event.preventDefault();
 				control.setting.set( false );

wp-admin/js/editor.js

@@ -118,7 +118,7 @@
 
 		// Replace paragraphs with double line breaks
 		function removep( html ) {
-			var blocklist = 'blockquote|ul|ol|li|dl|dt|dd|table|thead|tbody|tfoot|tr|th|td|h[1-6]|fieldset',
+			var blocklist = 'blockquote|ul|ol|li|dl|dt|dd|table|thead|tbody|tfoot|tr|th|td|h[1-6]|fieldset|figure',
 				blocklist1 = blocklist + '|div|p',
 				blocklist2 = blocklist + '|pre',
 				preserve_linebreaks = false,
@@ -257,6 +257,11 @@
 				});
 			}
 
+			if ( text.indexOf( '<figcaption' ) !== -1 ) {
+				text = text.replace( /\s*(<figcaption[^>]*>)/g, '$1' );
+				text = text.replace( /<\/figcaption>\s*/g, '</figcaption>' );
+			}
+
 			// keep <br> tags inside captions and convert line breaks
 			if ( text.indexOf( '[caption' ) !== -1 ) {
 				preserve_br = true;

wp-admin/js/inline-edit-post.js

@@ -115,6 +115,15 @@ inlineEditPost = {
 		// enable autocomplete for tags
 		if ( 'post' === type ) {
 			$( 'tr.inline-editor textarea[data-wp-taxonomy]' ).each( function ( i, element ) {
+				/*
+				 * While Quick Edit clones the form each time, Bulk Edit always re-uses
+				 * the same form. Let's check if an autocomplete instance already exists.
+				 */
+				if ( $( element ).autocomplete( 'instance' ) ) {
+					// jQuery equivalent of `continue` within an `each()` loop.
+					return;
+				}
+
 				$( element ).wpTagsSuggest();
 			} );
 		}

wp-admin/js/tags-box.js

@@ -92,7 +92,7 @@ var tagBox, array_unique_noempty;
 					 */
 					xbutton = $( '<button type="button" id="' + id + '-check-num-' + key + '" class="ntdelbutton">' +
 						'<span class="remove-tag-icon" aria-hidden="true"></span>' +
-						'<span class="screen-reader-text">' + window.tagsSuggestL10n.removeTerm + ' ' + val + '</span>' +
+						'<span class="screen-reader-text">' + window.tagsSuggestL10n.removeTerm + ' ' + span.html() + '</span>' +
 						'</button>' );
 
 					xbutton.on( 'click keypress', function( e ) {

wp-admin/js/tags-box.min.js

@@ -1 +1 @@
-var tagBox,array_unique_noempty;!function(a){var b=window.tagsSuggestL10n&&window.tagsSuggestL10n.tagDelimiter||",";array_unique_noempty=function(b){var c=[];return a.each(b,function(b,d){d=a.trim(d),d&&a.inArray(d,c)===-1&&c.push(d)}),c},tagBox={clean:function(a){return","!==b&&(a=a.replace(new RegExp(b,"g"),",")),a=a.replace(/\s*,\s*/g,",").replace(/,+/g,",").replace(/[,\s]+$/,"").replace(/^[,\s]+/,""),","!==b&&(a=a.replace(/,/g,b)),a},parseTags:function(c){var d=c.id,e=d.split("-check-num-")[1],f=a(c).closest(".tagsdiv"),g=f.find(".the-tags"),h=g.val().split(b),i=[];return delete h[e],a.each(h,function(b,c){c=a.trim(c),c&&i.push(c)}),g.val(this.clean(i.join(b))),this.quickClicks(f),!1},quickClicks:function(c){var d,e,f=a(".the-tags",c),g=a(".tagchecklist",c),h=a(c).attr("id");f.length&&(e=f.prop("disabled"),d=f.val().split(b),g.empty(),a.each(d,function(b,c){var d,f;c=a.trim(c),c&&(d=a("<span />").text(c),e||(f=a('<button type="button" id="'+h+"-check-num-"+b+'" class="ntdelbutton"><span class="remove-tag-icon" aria-hidden="true"></span><span class="screen-reader-text">'+window.tagsSuggestL10n.removeTerm+" "+c+"</span></button>"),f.on("click keypress",function(b){"click"!==b.type&&13!==b.keyCode&&32!==b.keyCode||(13!==b.keyCode&&32!==b.keyCode||a(this).closest(".tagsdiv").find("input.newtag").focus(),tagBox.userAction="remove",tagBox.parseTags(this))}),d.prepend("&nbsp;").prepend(f)),g.append(d))}),tagBox.screenReadersMessage())},flushTags:function(c,d,e){var f,g,h,i=a(".the-tags",c),j=a("input.newtag",c);return d=d||!1,h=d?a(d).text():j.val(),"undefined"!=typeof h&&""!==h&&(f=i.val(),g=f?f+b+h:h,g=this.clean(g),g=array_unique_noempty(g.split(b)).join(b),i.val(g),this.quickClicks(c),d||j.val(""),"undefined"==typeof e&&j.focus(),!1)},get:function(b){var c=b.substr(b.indexOf("-")+1);a.post(ajaxurl,{action:"get-tagcloud",tax:c},function(d,e){0!==d&&"success"==e&&(d=a('<p id="tagcloud-'+c+'" class="the-tagcloud">'+d+"</p>"),a("a",d).click(function(){return tagBox.userAction="add",tagBox.flushTags(a("#"+c),this),!1}),a("#"+b).after(d))})},userAction:"",screenReadersMessage:function(){var a;switch(this.userAction){case"remove":a=window.tagsSuggestL10n.termRemoved;break;case"add":a=window.tagsSuggestL10n.termAdded;break;default:return}window.wp.a11y.speak(a,"assertive")},init:function(){var b=a("div.ajaxtag");a(".tagsdiv").each(function(){tagBox.quickClicks(this)}),a(".tagadd",b).click(function(){tagBox.userAction="add",tagBox.flushTags(a(this).closest(".tagsdiv"))}),a("input.newtag",b).keyup(function(b){13==b.which&&(tagBox.userAction="add",tagBox.flushTags(a(this).closest(".tagsdiv")),b.preventDefault(),b.stopPropagation())}).keypress(function(a){13==a.which&&(a.preventDefault(),a.stopPropagation())}).each(function(b,c){a(c).wpTagsSuggest()}),a("#post").submit(function(){a("div.tagsdiv").each(function(){tagBox.flushTags(this,!1,1)})}),a(".tagcloud-link").click(function(){tagBox.get(a(this).attr("id")),a(this).attr("aria-expanded","true").unbind().click(function(){a(this).attr("aria-expanded","false"===a(this).attr("aria-expanded")?"true":"false").siblings(".the-tagcloud").toggle()})})}}}(jQuery);
+var tagBox,array_unique_noempty;!function(a){var b=window.tagsSuggestL10n&&window.tagsSuggestL10n.tagDelimiter||",";array_unique_noempty=function(b){var c=[];return a.each(b,function(b,d){d=a.trim(d),d&&a.inArray(d,c)===-1&&c.push(d)}),c},tagBox={clean:function(a){return","!==b&&(a=a.replace(new RegExp(b,"g"),",")),a=a.replace(/\s*,\s*/g,",").replace(/,+/g,",").replace(/[,\s]+$/,"").replace(/^[,\s]+/,""),","!==b&&(a=a.replace(/,/g,b)),a},parseTags:function(c){var d=c.id,e=d.split("-check-num-")[1],f=a(c).closest(".tagsdiv"),g=f.find(".the-tags"),h=g.val().split(b),i=[];return delete h[e],a.each(h,function(b,c){c=a.trim(c),c&&i.push(c)}),g.val(this.clean(i.join(b))),this.quickClicks(f),!1},quickClicks:function(c){var d,e,f=a(".the-tags",c),g=a(".tagchecklist",c),h=a(c).attr("id");f.length&&(e=f.prop("disabled"),d=f.val().split(b),g.empty(),a.each(d,function(b,c){var d,f;c=a.trim(c),c&&(d=a("<span />").text(c),e||(f=a('<button type="button" id="'+h+"-check-num-"+b+'" class="ntdelbutton"><span class="remove-tag-icon" aria-hidden="true"></span><span class="screen-reader-text">'+window.tagsSuggestL10n.removeTerm+" "+d.html()+"</span></button>"),f.on("click keypress",function(b){"click"!==b.type&&13!==b.keyCode&&32!==b.keyCode||(13!==b.keyCode&&32!==b.keyCode||a(this).closest(".tagsdiv").find("input.newtag").focus(),tagBox.userAction="remove",tagBox.parseTags(this))}),d.prepend("&nbsp;").prepend(f)),g.append(d))}),tagBox.screenReadersMessage())},flushTags:function(c,d,e){var f,g,h,i=a(".the-tags",c),j=a("input.newtag",c);return d=d||!1,h=d?a(d).text():j.val(),"undefined"!=typeof h&&""!==h&&(f=i.val(),g=f?f+b+h:h,g=this.clean(g),g=array_unique_noempty(g.split(b)).join(b),i.val(g),this.quickClicks(c),d||j.val(""),"undefined"==typeof e&&j.focus(),!1)},get:function(b){var c=b.substr(b.indexOf("-")+1);a.post(ajaxurl,{action:"get-tagcloud",tax:c},function(d,e){0!==d&&"success"==e&&(d=a('<p id="tagcloud-'+c+'" class="the-tagcloud">'+d+"</p>"),a("a",d).click(function(){return tagBox.userAction="add",tagBox.flushTags(a("#"+c),this),!1}),a("#"+b).after(d))})},userAction:"",screenReadersMessage:function(){var a;switch(this.userAction){case"remove":a=window.tagsSuggestL10n.termRemoved;break;case"add":a=window.tagsSuggestL10n.termAdded;break;default:return}window.wp.a11y.speak(a,"assertive")},init:function(){var b=a("div.ajaxtag");a(".tagsdiv").each(function(){tagBox.quickClicks(this)}),a(".tagadd",b).click(function(){tagBox.userAction="add",tagBox.flushTags(a(this).closest(".tagsdiv"))}),a("input.newtag",b).keyup(function(b){13==b.which&&(tagBox.userAction="add",tagBox.flushTags(a(this).closest(".tagsdiv")),b.preventDefault(),b.stopPropagation())}).keypress(function(a){13==a.which&&(a.preventDefault(),a.stopPropagation())}).each(function(b,c){a(c).wpTagsSuggest()}),a("#post").submit(function(){a("div.tagsdiv").each(function(){tagBox.flushTags(this,!1,1)})}),a(".tagcloud-link").click(function(){tagBox.get(a(this).attr("id")),a(this).attr("aria-expanded","true").unbind().click(function(){a(this).attr("aria-expanded","false"===a(this).attr("aria-expanded")?"true":"false").siblings(".the-tagcloud").toggle()})})}}}(jQuery);

wp-admin/js/tags-suggest.js

@@ -120,7 +120,9 @@
 			},
 			minLength: 2,
 			position: {
-				my: 'left top+2'
+				my: 'left top+2',
+				at: 'left bottom',
+				collision: 'none'
 			},
 			messages: {
 				noResults: window.uiAutocompleteL10n.noResults,

wp-admin/js/tags-suggest.min.js

@@ -1 +1 @@
-!function(a){function b(a){return a.split(new RegExp(e+"\\s*"))}function c(a){return b(a).pop()}if("undefined"!=typeof window.tagsSuggestL10n&&"undefined"!=typeof window.uiAutocompleteL10n){var d=0,e=window.tagsSuggestL10n.tagDelimiter||",";a.fn.wpTagsSuggest=function(f){var g,h,i=a(this);f=f||{};var j=f.taxonomy||i.attr("data-wp-taxonomy")||"post_tag";return delete f.taxonomy,f=a.extend({source:function(b,e){var f;return h===b.term?void e(g):(f=c(b.term),a.get(window.ajaxurl,{action:"ajax-tag-search",tax:j,q:f}).always(function(){i.removeClass("ui-autocomplete-loading")}).done(function(a){var b,c=[];if(a){a=a.split("\n");for(b in a){var f=++d;c.push({id:f,name:a[b]})}g=c,e(c)}else e(c)}),void(h=b.term))},focus:function(a,b){i.attr("aria-activedescendant","wp-tags-autocomplete-"+b.item.id),a.preventDefault()},select:function(c,d){var f=b(i.val());return f.pop(),f.push(d.item.name,""),i.val(f.join(e+" ")),a.ui.keyCode.TAB===c.keyCode?(window.wp.a11y.speak(window.tagsSuggestL10n.termSelected,"assertive"),c.preventDefault()):a.ui.keyCode.ENTER===c.keyCode&&(c.preventDefault(),c.stopPropagation()),!1},open:function(){i.attr("aria-expanded","true")},close:function(){i.attr("aria-expanded","false")},minLength:2,position:{my:"left top+2"},messages:{noResults:window.uiAutocompleteL10n.noResults,results:function(a){return a>1?window.uiAutocompleteL10n.manyResults.replace("%d",a):window.uiAutocompleteL10n.oneResult}}},f),i.on("keydown",function(){i.removeAttr("aria-activedescendant")}).autocomplete(f).autocomplete("instance")._renderItem=function(b,c){return a('<li role="option" id="wp-tags-autocomplete-'+c.id+'">').text(c.name).appendTo(b)},i.attr({role:"combobox","aria-autocomplete":"list","aria-expanded":"false","aria-owns":i.autocomplete("widget").attr("id")}).on("focus",function(){var a=b(i.val()).pop();a&&i.autocomplete("search")}).autocomplete("widget").addClass("wp-tags-autocomplete").attr("role","listbox").removeAttr("tabindex").on("menufocus",function(a,b){b.item.attr("aria-selected","true")}).on("menublur",function(){a(this).find('[aria-selected="true"]').removeAttr("aria-selected")}),this}}}(jQuery);
+!function(a){function b(a){return a.split(new RegExp(e+"\\s*"))}function c(a){return b(a).pop()}if("undefined"!=typeof window.tagsSuggestL10n&&"undefined"!=typeof window.uiAutocompleteL10n){var d=0,e=window.tagsSuggestL10n.tagDelimiter||",";a.fn.wpTagsSuggest=function(f){var g,h,i=a(this);f=f||{};var j=f.taxonomy||i.attr("data-wp-taxonomy")||"post_tag";return delete f.taxonomy,f=a.extend({source:function(b,e){var f;return h===b.term?void e(g):(f=c(b.term),a.get(window.ajaxurl,{action:"ajax-tag-search",tax:j,q:f}).always(function(){i.removeClass("ui-autocomplete-loading")}).done(function(a){var b,c=[];if(a){a=a.split("\n");for(b in a){var f=++d;c.push({id:f,name:a[b]})}g=c,e(c)}else e(c)}),void(h=b.term))},focus:function(a,b){i.attr("aria-activedescendant","wp-tags-autocomplete-"+b.item.id),a.preventDefault()},select:function(c,d){var f=b(i.val());return f.pop(),f.push(d.item.name,""),i.val(f.join(e+" ")),a.ui.keyCode.TAB===c.keyCode?(window.wp.a11y.speak(window.tagsSuggestL10n.termSelected,"assertive"),c.preventDefault()):a.ui.keyCode.ENTER===c.keyCode&&(c.preventDefault(),c.stopPropagation()),!1},open:function(){i.attr("aria-expanded","true")},close:function(){i.attr("aria-expanded","false")},minLength:2,position:{my:"left top+2",at:"left bottom",collision:"none"},messages:{noResults:window.uiAutocompleteL10n.noResults,results:function(a){return a>1?window.uiAutocompleteL10n.manyResults.replace("%d",a):window.uiAutocompleteL10n.oneResult}}},f),i.on("keydown",function(){i.removeAttr("aria-activedescendant")}).autocomplete(f).autocomplete("instance")._renderItem=function(b,c){return a('<li role="option" id="wp-tags-autocomplete-'+c.id+'">').text(c.name).appendTo(b)},i.attr({role:"combobox","aria-autocomplete":"list","aria-expanded":"false","aria-owns":i.autocomplete("widget").attr("id")}).on("focus",function(){var a=b(i.val()).pop();a&&i.autocomplete("search")}).autocomplete("widget").addClass("wp-tags-autocomplete").attr("role","listbox").removeAttr("tabindex").on("menufocus",function(a,b){b.item.attr("aria-selected","true")}).on("menublur",function(){a(this).find('[aria-selected="true"]').removeAttr("aria-selected")}),this}}}(jQuery);

wp-admin/js/theme.js

@@ -806,7 +806,7 @@ themes.view.Details = wp.Backbone.View.extend({
 
 		$( document ).one( 'wp-theme-delete-success', function( event, response ) {
 			_this.$el.find( '.close' ).trigger( 'click' );
-			$( '[data-slug="' + response.slug + '"' ).css( { backgroundColor:'#faafaa' } ).fadeOut( 350, function() {
+			$( '[data-slug="' + response.slug + '"]' ).css( { backgroundColor:'#faafaa' } ).fadeOut( 350, function() {
 				$( this ).remove();
 				_themes.data.themes = _.without( _themes.data.themes, _.findWhere( _themes.data.themes, { id: response.slug } ) );
 

wp-admin/js/updates.js

@@ -94,6 +94,7 @@
 	 * @type {object} filesystemCredentials.ssh                Holds SSH credentials.
 	 * @type {string} filesystemCredentials.ssh.publicKey      The public key. Default empty string.
 	 * @type {string} filesystemCredentials.ssh.privateKey     The private key. Default empty string.
+	 * @type {string} filesystemCredentials.fsNonce            Filesystem credentials form nonce.
 	 * @type {bool}   filesystemCredentials.available          Whether filesystem credentials have been provided.
 	 *                                                         Default 'false'.
 	 */
@@ -108,6 +109,7 @@
 			publicKey:  '',
 			privateKey: ''
 		},
+		fsNonce: '',
 		available: false
 	};
 
@@ -225,6 +227,7 @@
 		options.data = _.extend( data, {
 			action:          action,
 			_ajax_nonce:     wp.updates.ajaxNonce,
+			_fs_nonce:       wp.updates.filesystemCredentials.fsNonce,
 			username:        wp.updates.filesystemCredentials.ftp.username,
 			password:        wp.updates.filesystemCredentials.ftp.password,
 			hostname:        wp.updates.filesystemCredentials.ftp.hostname,
@@ -1516,11 +1519,11 @@
 	 * @param {string} message Error message.
 	 */
 	wp.updates.showErrorInCredentialsForm = function( message ) {
-		var $modal = $( '#request-filesystem-credentials-form' );
+		var $filesystemForm = $( '#request-filesystem-credentials-form' );
 
 		// Remove any existing error.
-		$modal.find( '.notice' ).remove();
-		$modal.find( '#request-filesystem-credentials-title' ).after( '<div class="notice notice-alt notice-error"><p>' + message + '</p></div>' );
+		$filesystemForm.find( '.notice' ).remove();
+		$filesystemForm.find( '#request-filesystem-credentials-title' ).after( '<div class="notice notice-alt notice-error"><p>' + message + '</p></div>' );
 	};
 
 	/**
@@ -1670,6 +1673,7 @@
 	$( function() {
 		var $pluginFilter        = $( '#plugin-filter' ),
 			$bulkActionForm      = $( '#bulk-action-form' ),
+			$filesystemForm      = $( '#request-filesystem-credentials-form' ),
 			$filesystemModal     = $( '#request-filesystem-credentials-dialog' ),
 			$pluginSearch        = $( '.plugins-php .wp-filter-search' ),
 			$pluginInstallSearch = $( '.plugin-install-php .wp-filter-search' );
@@ -1704,6 +1708,7 @@
 			wp.updates.filesystemCredentials.ftp.connectionType = $( 'input[name="connection_type"]:checked' ).val();
 			wp.updates.filesystemCredentials.ssh.publicKey      = $( '#public_key' ).val();
 			wp.updates.filesystemCredentials.ssh.privateKey     = $( '#private_key' ).val();
+			wp.updates.filesystemCredentials.fsNonce            = $( '#_fs_nonce' ).val();
 			wp.updates.filesystemCredentials.available          = true;
 
 			// Unlock and invoke the queue.
@@ -1725,7 +1730,7 @@
 		 *
 		 * @since 4.2.0
 		 */
-		$filesystemModal.on( 'change', 'input[name="connection_type"]', function() {
+		$filesystemForm.on( 'change', 'input[name="connection_type"]', function() {
 			$( '#ssh-keys' ).toggleClass( 'hidden', ( 'ssh' !== $( this ).val() ) );
 		} ).change();
 

wp-admin/menu.php

@@ -156,7 +156,7 @@ $appearance_cap = current_user_can( 'switch_themes') ? 'switch_themes' : 'edit_t
 $menu[60] = array( __( 'Appearance' ), $appearance_cap, 'themes.php', '', 'menu-top menu-icon-appearance', 'menu-appearance', 'dashicons-admin-appearance' );
 	$submenu['themes.php'][5] = array( __( 'Themes' ), $appearance_cap, 'themes.php' );
 
-	$customize_url = add_query_arg( 'return', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), 'customize.php' );
+	$customize_url = add_query_arg( 'return', urlencode( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ), 'customize.php' );
 	$submenu['themes.php'][6] = array( __( 'Customize' ), 'customize', esc_url( $customize_url ), '', 'hide-if-no-customize' );
 
 	if ( current_theme_supports( 'menus' ) || current_theme_supports( 'widgets' ) ) {

wp-admin/nav-menus.php

@@ -584,7 +584,7 @@ require_once( ABSPATH . 'wp-admin/admin-header.php' );
 				' <a class="page-title-action hide-if-no-customize" href="%1$s">%2$s</a>',
 				esc_url( add_query_arg( array(
 					array( 'autofocus' => $focus ),
-					'return' => urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ),
+					'return' => urlencode( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ),
 				), admin_url( 'customize.php' ) ) ),
 				__( 'Manage with Live Preview' )
 			);

wp-admin/plugins.php

@@ -246,6 +246,14 @@ if ( $action ) {
 				exit;
 			}
 
+			// Bail on all if any paths are invalid.
+			// validate_file() returns truthy for invalid files
+			$invalid_plugin_files = array_filter( $plugins, 'validate_file' );
+			if ( $invalid_plugin_files ) {
+				wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") );
+				exit;
+			}
+
 			include(ABSPATH . 'wp-admin/update.php');
 
 			$parent_file = 'plugins.php';

wp-admin/update-core.php

@@ -250,6 +250,8 @@ function list_plugin_updates() {
 	<tbody class="plugins">
 <?php
 	foreach ( (array) $plugins as $plugin_file => $plugin_data ) {
+		$plugin_data = (object) _get_plugin_data_markup_translate( $plugin_file, (array) $plugin_data, false, true );
+
 		// Get plugin compat for running version of WordPress.
 		if ( isset($plugin_data->update->tested) && version_compare($plugin_data->update->tested, $cur_wp_version, '>=') ) {
 			$compat = '<br />' . sprintf(__('Compatibility with WordPress %1$s: 100%% (according to its author)'), $cur_wp_version);

wp-admin/widgets.php

@@ -22,6 +22,8 @@ if ( ! current_user_can( 'edit_theme_options' ) ) {
 
 $widgets_access = get_user_setting( 'widgets_access' );
 if ( isset($_GET['widgets-access']) ) {
+	check_admin_referer( 'widgets-access' );
+
 	$widgets_access = 'on' == $_GET['widgets-access'] ? 'on' : 'off';
 	set_user_setting( 'widgets_access', $widgets_access );
 }
@@ -353,7 +355,7 @@ require_once( ABSPATH . 'wp-admin/admin-header.php' ); ?>
 			esc_url( add_query_arg(
 				array(
 					array( 'autofocus' => array( 'panel' => 'widgets' ) ),
-					'return' => urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) )
+					'return' => urlencode( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) )
 				),
 				admin_url( 'customize.php' )
 			) ),

wp-content/themes/twentyseventeen/README.txt

@@ -1,8 +1,8 @@
 === Twenty Seventeen ===
 Contributors: the WordPress team
-Requires at least: WordPress 4.8-trunk
+Requires at least: WordPress 4.7
 Tested up to: WordPress 4.7
-Version: 1.0
+Version: 1.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 Tags: one-column, two-columns, right-sidebar, flexible-header, accessibility-ready, custom-colors, custom-header, custom-menu, custom-logo, editor-style, featured-images, footer-widgets, post-formats, rtl-language-support, sticky-post, theme-options, threaded-comments, translation-ready
@@ -60,6 +60,16 @@ Source: https://unsplash.com/@englr?photo=bIhpiQA009k
 
 == Changelog ==
 
+= 1.2 =
+* Released: April 18, 2017
+
+https://codex.wordpress.org/Twenty_Seventeen_Theme_Changelog#Version_1.2
+
+= 1.1 =
+* Released: January 6, 2017
+
+https://codex.wordpress.org/Twenty_Seventeen_Theme_Changelog#Version_1.1
+
 = 1.0 =
 * Released: December 6, 2016
 

wp-content/themes/twentyseventeen/assets/js/customize-controls.js

@@ -25,10 +25,12 @@
 		});
 
 		// Detect when the front page sections section is expanded (or closed) so we can adjust the preview accordingly.
-		wp.customize.section( 'theme_options' ).expanded.bind( function( isExpanding ) {
+		wp.customize.section( 'theme_options', function( section ) {
+			section.expanded.bind( function( isExpanding ) {
 
-			// Value of isExpanding will = true if you're entering the section, false if you're leaving it.
-			wp.customize.previewer.send( 'section-highlight', { expanded: isExpanding });
-		});
+				// Value of isExpanding will = true if you're entering the section, false if you're leaving it.
+				wp.customize.previewer.send( 'section-highlight', { expanded: isExpanding });
+			} );
+		} );
 	});
 })( jQuery );

wp-content/themes/twentyseventeen/footer.php

@@ -9,7 +9,7 @@
  * @package WordPress
  * @subpackage Twenty_Seventeen
  * @since 1.0
- * @version 1.0
+ * @version 1.2
  */
 
 ?>
@@ -22,7 +22,7 @@
 				get_template_part( 'template-parts/footer/footer', 'widgets' );
 
 				if ( has_nav_menu( 'social' ) ) : ?>
-					<nav class="social-navigation" role="navigation" aria-label="<?php _e( 'Footer Social Links Menu', 'twentyseventeen' ); ?>">
+					<nav class="social-navigation" role="navigation" aria-label="<?php esc_attr_e( 'Footer Social Links Menu', 'twentyseventeen' ); ?>">
 						<?php
 							wp_nav_menu( array(
 								'theme_location' => 'social',

wp-content/themes/twentyseventeen/functions.php

@@ -55,6 +55,9 @@ function twentyseventeen_setup() {
 
 	add_image_size( 'twentyseventeen-thumbnail-avatar', 100, 100, true );
 
+	// Set the default content width.
+	$GLOBALS['content_width'] = 525;
+
 	// This theme uses wp_nav_menu() in two locations.
 	register_nav_menus( array(
 		'top'    => __( 'Top Menu', 'twentyseventeen' ),
@@ -103,24 +106,29 @@ function twentyseventeen_setup() {
  	 */
 	add_editor_style( array( 'assets/css/editor-style.css', twentyseventeen_fonts_url() ) );
 
-	add_theme_support( 'starter-content', array(
+	// Define and register starter content to showcase the theme on new sites.
+	$starter_content = array(
 		'widgets' => array(
+			// Place three core-defined widgets in the sidebar area.
 			'sidebar-1' => array(
 				'text_business_info',
 				'search',
 				'text_about',
 			),
 
+			// Add the core-defined business info widget to the footer 1 area.
 			'sidebar-2' => array(
 				'text_business_info',
 			),
 
+			// Put two core-defined widgets in the footer 2 area.
 			'sidebar-3' => array(
 				'text_about',
 				'search',
 			),
 		),
 
+		// Specify the core-defined pages to create and add custom thumbnails to some of them.
 		'posts' => array(
 			'home',
 			'about' => array(
@@ -137,10 +145,11 @@ function twentyseventeen_setup() {
 			),
 		),
 
+		// Create the custom image attachments used as post thumbnails for pages.
 		'attachments' => array(
 			'image-espresso' => array(
 				'post_title' => _x( 'Espresso', 'Theme starter content', 'twentyseventeen' ),
-				'file' => 'assets/images/espresso.jpg',
+				'file' => 'assets/images/espresso.jpg', // URL relative to the template directory.
 			),
 			'image-sandwich' => array(
 				'post_title' => _x( 'Sandwich', 'Theme starter content', 'twentyseventeen' ),
@@ -152,12 +161,14 @@ function twentyseventeen_setup() {
 			),
 		),
 
+		// Default to a static front page and assign the front and posts pages.
 		'options' => array(
 			'show_on_front' => 'page',
 			'page_on_front' => '{{home}}',
 			'page_for_posts' => '{{blog}}',
 		),
 
+		// Set the front page section theme mods to the IDs of the core-registered pages.
 		'theme_mods' => array(
 			'panel_1' => '{{homepage-section}}',
 			'panel_2' => '{{about}}',
@@ -165,16 +176,20 @@ function twentyseventeen_setup() {
 			'panel_4' => '{{contact}}',
 		),
 
+		// Set up nav menus for each of the two areas registered in the theme.
 		'nav_menus' => array(
+			// Assign a menu to the "top" location.
 			'top' => array(
 				'name' => __( 'Top Menu', 'twentyseventeen' ),
 				'items' => array(
-					'page_home',
+					'link_home', // Note that the core "home" page is actually a link in case a static front page is not used.
 					'page_about',
 					'page_blog',
 					'page_contact',
 				),
 			),
+
+			// Assign a menu to the "social" location.
 			'social' => array(
 				'name' => __( 'Social Links Menu', 'twentyseventeen' ),
 				'items' => array(
@@ -186,7 +201,18 @@ function twentyseventeen_setup() {
 				),
 			),
 		),
-	) );
+	);
+
+	/**
+	 * Filters Twenty Seventeen array of starter content.
+	 *
+	 * @since Twenty Seventeen 1.1
+	 *
+	 * @param array $starter_content Array of starter content.
+	 */
+	$starter_content = apply_filters( 'twentyseventeen_starter_content', $starter_content );
+
+	add_theme_support( 'starter-content', $starter_content );
 }
 add_action( 'after_setup_theme', 'twentyseventeen_setup' );
 
@@ -199,10 +225,23 @@ add_action( 'after_setup_theme', 'twentyseventeen_setup' );
  */
 function twentyseventeen_content_width() {
 
-	$content_width = 700;
+	$content_width = $GLOBALS['content_width'];
 
-	if ( twentyseventeen_is_frontpage() ) {
-		$content_width = 1120;
+	// Get layout.
+	$page_layout = get_theme_mod( 'page_layout' );
+
+	// Check if layout is one column.
+	if ( 'one-column' === $page_layout ) {
+		if ( twentyseventeen_is_frontpage() ) {
+			$content_width = 644;
+		} elseif ( is_page() ) {
+			$content_width = 740;
+		}
+	}
+
+	// Check if is single post and there is no sidebar.
+	if ( is_single() && ! is_active_sidebar( 'sidebar-1' ) ) {
+		$content_width = 740;
 	}
 
 	/**
@@ -214,7 +253,7 @@ function twentyseventeen_content_width() {
 	 */
 	$GLOBALS['content_width'] = apply_filters( 'twentyseventeen_content_width', $content_width );
 }
-add_action( 'after_setup_theme', 'twentyseventeen_content_width', 0 );
+add_action( 'template_redirect', 'twentyseventeen_content_width', 0 );
 
 /**
  * Register custom fonts.
@@ -401,7 +440,7 @@ function twentyseventeen_scripts() {
 	);
 
 	if ( has_nav_menu( 'top' ) ) {
-		wp_enqueue_script( 'twentyseventeen-navigation', get_theme_file_uri( '/assets/js/navigation.js' ), array(), '1.0', true );
+		wp_enqueue_script( 'twentyseventeen-navigation', get_theme_file_uri( '/assets/js/navigation.js' ), array( 'jquery' ), '1.0', true );
 		$twentyseventeen_l10n['expand']         = __( 'Expand child menu', 'twentyseventeen' );
 		$twentyseventeen_l10n['collapse']       = __( 'Collapse child menu', 'twentyseventeen' );
 		$twentyseventeen_l10n['icon']           = twentyseventeen_get_svg( array( 'icon' => 'angle-down', 'fallback' => true ) );

wp-content/themes/twentyseventeen/style.css

@@ -4,7 +4,7 @@ Theme URI: https://wordpress.org/themes/twentyseventeen/
 Author: the WordPress team
 Author URI: https://wordpress.org/
 Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a focus on business sites, it features multiple sections on the front page as well as widgets, navigation and social menus, a logo, and more. Personalize its asymmetrical grid with a custom color scheme and showcase your multimedia content with post formats. Our default theme for 2017 works great in many languages, for any abilities, and on any device.
-Version: 1.0
+Version: 1.2
 License: GNU General Public License v2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 Text Domain: twentyseventeen
@@ -451,7 +451,8 @@ h1 {
 	font-weight: 300;
 }
 
-h2 {
+h2,
+.home.blog .entry-title {
 	color: #666;
 	font-size: 20px;
 	font-size: 1.25rem;
@@ -3145,6 +3146,7 @@ object {
 	}
 
 	h2,
+	.home.blog .entry-title,
 	.page .panel-content .recent-posts .entry-title {
 		font-size: 26px;
 		font-size: 1.625rem;

wp-content/themes/twentyseventeen/template-parts/navigation/navigation-top.php

@@ -5,11 +5,11 @@
  * @package WordPress
  * @subpackage Twenty_Seventeen
  * @since 1.0
- * @version 1.0
+ * @version 1.2
  */
 
 ?>
-<nav id="site-navigation" class="main-navigation" role="navigation" aria-label="<?php _e( 'Top Menu', 'twentyseventeen' ); ?>">
+<nav id="site-navigation" class="main-navigation" role="navigation" aria-label="<?php esc_attr_e( 'Top Menu', 'twentyseventeen' ); ?>">
 	<button class="menu-toggle" aria-controls="top-menu" aria-expanded="false"><?php echo twentyseventeen_get_svg( array( 'icon' => 'bars' ) ); echo twentyseventeen_get_svg( array( 'icon' => 'close' ) ); _e( 'Menu', 'twentyseventeen' ); ?></button>
 	<?php wp_nav_menu( array(
 		'theme_location' => 'top',

wp-content/themes/twentyseventeen/template-parts/post/content-audio.php

@@ -7,7 +7,7 @@
  * @package WordPress
  * @subpackage Twenty_Seventeen
  * @since 1.0
- * @version 1.0
+ * @version 1.2
  */
 
 ?>
@@ -33,6 +33,8 @@
 
 			if ( is_single() ) {
 				the_title( '<h1 class="entry-title">', '</h1>' );
+			} elseif ( is_front_page() && is_home() ) {
+				the_title( '<h3 class="entry-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></h3>' );
 			} else {
 				the_title( '<h2 class="entry-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></h2>' );
 			}

wp-content/themes/twentyseventeen/template-parts/post/content-excerpt.php

@@ -9,7 +9,7 @@
  * @package WordPress
  * @subpackage Twenty_Seventeen
  * @since 1.0
- * @version 1.0
+ * @version 1.2
  */
 
 ?>
@@ -30,7 +30,13 @@
 			</div><!-- .entry-meta -->
 		<?php endif; ?>
 
-		<?php the_title( sprintf( '<h2 class="entry-title"><a href="%s" rel="bookmark">', esc_url( get_permalink() ) ), '</a></h2>' ); ?>
+		<?php if ( is_front_page() && ! is_home() ) {
+
+			// The excerpt is being displayed within a front page section, so it's a lower hierarchy than h2.
+			the_title( sprintf( '<h3 class="entry-title"><a href="%s" rel="bookmark">', esc_url( get_permalink() ) ), '</a></h3>' );
+		} else {
+			the_title( sprintf( '<h2 class="entry-title"><a href="%s" rel="bookmark">', esc_url( get_permalink() ) ), '</a></h2>' );
+		} ?>
 	</header><!-- .entry-header -->
 
 	<div class="entry-summary">

wp-content/themes/twentyseventeen/template-parts/post/content-gallery.php

@@ -7,7 +7,7 @@
  * @package WordPress
  * @subpackage Twenty_Seventeen
  * @since 1.0
- * @version 1.0
+ * @version 1.2
  */
 ?>
 
@@ -32,6 +32,8 @@
 
 			if ( is_single() ) {
 				the_title( '<h1 class="entry-title">', '</h1>' );
+			} elseif ( is_front_page() && is_home() ) {
+				the_title( '<h3 class="entry-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></h3>' );
 			} else {
 				the_title( '<h2 class="entry-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></h2>' );
 			}

wp-content/themes/twentyseventeen/template-parts/post/content-image.php

@@ -7,7 +7,7 @@
  * @package WordPress
  * @subpackage Twenty_Seventeen
  * @since 1.0
- * @version 1.0
+ * @version 1.2
  */
 ?>
 
@@ -32,6 +32,8 @@
 
 			if ( is_single() ) {
 				the_title( '<h1 class="entry-title">', '</h1>' );
+			} elseif ( is_front_page() && is_home() ) {
+				the_title( '<h3 class="entry-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></h3>' );
 			} else {
 				the_title( '<h2 class="entry-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></h2>' );
 			}

wp-content/themes/twentyseventeen/template-parts/post/content-video.php

@@ -7,7 +7,7 @@
  * @package WordPress
  * @subpackage Twenty_Seventeen
  * @since 1.0
- * @version 1.0
+ * @version 1.2
  */
 ?>
 
@@ -32,6 +32,8 @@
 
 			if ( is_single() ) {
 				the_title( '<h1 class="entry-title">', '</h1>' );
+			} elseif ( is_front_page() && is_home() ) {
+				the_title( '<h3 class="entry-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></h3>' );
 			} else {
 				the_title( '<h2 class="entry-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></h2>' );
 			}

wp-content/themes/twentyseventeen/template-parts/post/content.php

@@ -7,7 +7,7 @@
  * @package WordPress
  * @subpackage Twenty_Seventeen
  * @since 1.0
- * @version 1.0
+ * @version 1.2
  */
 
 ?>
@@ -33,6 +33,8 @@
 
 			if ( is_single() ) {
 				the_title( '<h1 class="entry-title">', '</h1>' );
+			} elseif ( is_front_page() && is_home() ) {
+				the_title( '<h3 class="entry-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></h3>' );
 			} else {
 				the_title( '<h2 class="entry-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></h2>' );
 			}

wp-includes/class-http.php

@@ -306,6 +306,11 @@ class WP_Http {
 		// Ensure redirects follow browser behaviour.
 		$options['hooks']->register( 'requests.before_redirect', array( get_class(), 'browser_redirect_compatibility' ) );
 
+		// Validate redirected URLs.
+		if ( function_exists( 'wp_kses_bad_protocol' ) && $r['reject_unsafe_urls'] ) {
+			$options['hooks']->register( 'requests.before_redirect', array( get_class(), 'validate_redirects' ) );
+		}
+
 		if ( $r['stream'] ) {
 			$options['filename'] = $r['filename'];
 		}
@@ -466,6 +471,20 @@ class WP_Http {
 		}
 	}
 
+	/**
+	 * Validate redirected URLs.
+	 *
+	 * @since 4.7.5
+	 *
+	 * @throws Requests_Exception On unsuccessful URL validation
+	 * @param string $location URL to redirect to.
+	 */
+	public static function validate_redirects( $location ) {
+		if ( ! wp_http_validate_url( $location ) ) {
+			throw new Requests_Exception( __('A valid URL was not provided.'), 'wp_http.redirect_failed_validation' );
+		}
+	}
+
 	/**
 	 * Tests which transports are capable of supporting the request.
 	 *

wp-includes/class-phpmailer.php

@@ -31,7 +31,7 @@ class PHPMailer
      * The PHPMailer Version number.
      * @var string
      */
-    public $Version = '5.2.14';
+    public $Version = '5.2.22';
 
     /**
      * Email priority.
@@ -201,6 +201,9 @@ class PHPMailer
     /**
      * An ID to be used in the Message-ID header.
      * If empty, a unique id will be generated.
+     * You can set your own, but it must be in the format "<id@domain>",
+     * as defined in RFC5322 section 3.6.4 or it will be ignored.
+     * @see https://tools.ietf.org/html/rfc5322#section-3.6.4
      * @var string
      */
     public $MessageID = '';
@@ -285,7 +288,7 @@ class PHPMailer
 
     /**
      * SMTP auth type.
-     * Options are LOGIN (default), PLAIN, NTLM, CRAM-MD5
+     * Options are CRAM-MD5, LOGIN, PLAIN, attempted in that order if not specified
      * @var string
      */
     public $AuthType = '';
@@ -352,6 +355,7 @@ class PHPMailer
     /**
      * Whether to split multiple to addresses into multiple messages
      * or send them all in one message.
+     * Only supported in `mail` and `sendmail` transports, not in SMTP.
      * @var boolean
      */
     public $SingleTo = false;
@@ -394,7 +398,7 @@ class PHPMailer
 
     /**
      * DKIM Identity.
-     * Usually the email address used as the source of the email
+     * Usually the email address used as the source of the email.
      * @var string
      */
     public $DKIM_identity = '';
@@ -419,6 +423,13 @@ class PHPMailer
      */
     public $DKIM_private = '';
 
+    /**
+     * DKIM private key string.
+     * If set, takes precedence over `$DKIM_private`.
+     * @var string
+     */
+    public $DKIM_private_string = '';
+
     /**
      * Callback Action function name.
      *
@@ -446,6 +457,15 @@ class PHPMailer
      */
     public $XMailer = '';
 
+    /**
+     * Which validator to use by default when validating email addresses.
+     * May be a callable to inject your own validator, but there are several built-in validators.
+     * @see PHPMailer::validateAddress()
+     * @var string|callable
+     * @static
+     */
+    public static $validator = 'auto';
+
     /**
      * An instance of the SMTP sender class.
      * @var SMTP
@@ -634,9 +654,11 @@ class PHPMailer
      * Constructor.
      * @param boolean $exceptions Should we throw external exceptions?
      */
-    public function __construct($exceptions = false)
+    public function __construct($exceptions = null)
     {
-        $this->exceptions = (boolean)$exceptions;
+        if ($exceptions !== null) {
+            $this->exceptions = (boolean)$exceptions;
+        }
     }
 
     /**
@@ -645,9 +667,7 @@ class PHPMailer
     public function __destruct()
     {
         //Close any open SMTP connection nicely
-        if ($this->Mailer == 'smtp') {
-            $this->smtpClose();
-        }
+        $this->smtpClose();
     }
 
     /**
@@ -671,14 +691,16 @@ class PHPMailer
         } else {
             $subject = $this->encodeHeader($this->secureHeader($subject));
         }
-        if (ini_get('safe_mode') || !($this->UseSendmailOptions)) {
+
+        //Can't use additional_parameters in safe_mode, calling mail() with null params breaks
+        //@link http://php.net/manual/en/function.mail.php
+        if (ini_get('safe_mode') or !$this->UseSendmailOptions or is_null($params)) {
             $result = @mail($to, $subject, $body, $header);
         } else {
             $result = @mail($to, $subject, $body, $header, $params);
         }
         return $result;
     }
-
     /**
      * Output debugging info via user-defined method.
      * Only generates output if SMTP debug output is enabled (@see SMTP::$do_debug).
@@ -713,7 +735,7 @@ class PHPMailer
             case 'echo':
             default:
                 //Normalize line breaks
-                $str = preg_replace('/(\r\n|\r|\n)/ms', "\n", $str);
+                $str = preg_replace('/\r\n?/ms', "\n", $str);
                 echo gmdate('Y-m-d H:i:s') . "\t" . str_replace(
                     "\n",
                     "\n                   \t                  ",
@@ -850,7 +872,7 @@ class PHPMailer
         $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim
         if (($pos = strrpos($address, '@')) === false) {
             // At-sign is misssing.
-            $error_message = $this->lang('invalid_address') . $address;
+            $error_message = $this->lang('invalid_address') . " (addAnAddress $kind): $address";
             $this->setError($error_message);
             $this->edebug($error_message);
             if ($this->exceptions) {
@@ -900,7 +922,7 @@ class PHPMailer
             return false;
         }
         if (!$this->validateAddress($address)) {
-            $error_message = $this->lang('invalid_address') . $address;
+            $error_message = $this->lang('invalid_address') . " (addAnAddress $kind): $address";
             $this->setError($error_message);
             $this->edebug($error_message);
             if ($this->exceptions) {
@@ -923,6 +945,61 @@ class PHPMailer
         return false;
     }
 
+    /**
+     * Parse and validate a string containing one or more RFC822-style comma-separated email addresses
+     * of the form "display name <address>" into an array of name/address pairs.
+     * Uses the imap_rfc822_parse_adrlist function if the IMAP extension is available.
+     * Note that quotes in the name part are removed.
+     * @param string $addrstr The address list string
+     * @param bool $useimap Whether to use the IMAP extension to parse the list
+     * @return array
+     * @link http://www.andrew.cmu.edu/user/agreen1/testing/mrbs/web/Mail/RFC822.php A more careful implementation
+     */
+    public function parseAddresses($addrstr, $useimap = true)
+    {
+        $addresses = array();
+        if ($useimap and function_exists('imap_rfc822_parse_adrlist')) {
+            //Use this built-in parser if it's available
+            $list = imap_rfc822_parse_adrlist($addrstr, '');
+            foreach ($list as $address) {
+                if ($address->host != '.SYNTAX-ERROR.') {
+                    if ($this->validateAddress($address->mailbox . '@' . $address->host)) {
+                        $addresses[] = array(
+                            'name' => (property_exists($address, 'personal') ? $address->personal : ''),
+                            'address' => $address->mailbox . '@' . $address->host
+                        );
+                    }
+                }
+            }
+        } else {
+            //Use this simpler parser
+            $list = explode(',', $addrstr);
+            foreach ($list as $address) {
+                $address = trim($address);
+                //Is there a separate name part?
+                if (strpos($address, '<') === false) {
+                    //No separate name, just use the whole thing
+                    if ($this->validateAddress($address)) {
+                        $addresses[] = array(
+                            'name' => '',
+                            'address' => $address
+                        );
+                    }
+                } else {
+                    list($name, $email) = explode('<', $address);
+                    $email = trim(str_replace('>', '', $email));
+                    if ($this->validateAddress($email)) {
+                        $addresses[] = array(
+                            'name' => trim(str_replace(array('"', "'"), '', $name)),
+                            'address' => $email
+                        );
+                    }
+                }
+            }
+        }
+        return $addresses;
+    }
+
     /**
      * Set the From and FromName properties.
      * @param string $address
@@ -939,7 +1016,7 @@ class PHPMailer
         if (($pos = strrpos($address, '@')) === false or
             (!$this->has8bitChars(substr($address, ++$pos)) or !$this->idnSupported()) and
             !$this->validateAddress($address)) {
-            $error_message = $this->lang('invalid_address') . $address;
+            $error_message = $this->lang('invalid_address') . " (setFrom) $address";
             $this->setError($error_message);
             $this->edebug($error_message);
             if ($this->exceptions) {
@@ -972,19 +1049,30 @@ class PHPMailer
     /**
      * Check that a string looks like an email address.
      * @param string $address The email address to check
-     * @param string $patternselect A selector for the validation pattern to use :
+     * @param string|callable $patternselect A selector for the validation pattern to use :
      * * `auto` Pick best pattern automatically;
      * * `pcre8` Use the squiloople.com pattern, requires PCRE > 8.0, PHP >= 5.3.2, 5.2.14;
      * * `pcre` Use old PCRE implementation;
      * * `php` Use PHP built-in FILTER_VALIDATE_EMAIL;
      * * `html5` Use the pattern given by the HTML5 spec for 'email' type form input elements.
      * * `noregex` Don't use a regex: super fast, really dumb.
+     * Alternatively you may pass in a callable to inject your own validator, for example:
+     * PHPMailer::validateAddress('user@example.com', function($address) {
+     *     return (strpos($address, '@') !== false);
+     * });
+     * You can also set the PHPMailer::$validator static to a callable, allowing built-in methods to use your validator.
      * @return boolean
      * @static
      * @access public
      */
-    public static function validateAddress($address, $patternselect = 'auto')
+    public static function validateAddress($address, $patternselect = null)
     {
+        if (is_null($patternselect)) {
+            $patternselect = self::$validator;
+        }
+        if (is_callable($patternselect)) {
+            return call_user_func($patternselect, $address);
+        }
         //Reject line breaks in addresses; it's valid RFC5322, but not RFC5321
         if (strpos($address, "\n") !== false or strpos($address, "\r") !== false) {
             return false;
@@ -1161,7 +1249,7 @@ class PHPMailer
                 }
                 $this->$address_kind = $this->punyencodeAddress($this->$address_kind);
                 if (!$this->validateAddress($this->$address_kind)) {
-                    $error_message = $this->lang('invalid_address') . $this->$address_kind;
+                    $error_message = $this->lang('invalid_address') . ' (punyEncode) ' . $this->$address_kind;
                     $this->setError($error_message);
                     $this->edebug($error_message);
                     if ($this->exceptions) {
@@ -1172,7 +1260,7 @@ class PHPMailer
             }
 
             // Set whether the message is multipart/alternative
-            if (!empty($this->AltBody)) {
+            if ($this->alternativeExists()) {
                 $this->ContentType = 'multipart/alternative';
             }
 
@@ -1206,9 +1294,11 @@ class PHPMailer
 
             // Sign with DKIM if enabled
             if (!empty($this->DKIM_domain)
-                && !empty($this->DKIM_private)
                 && !empty($this->DKIM_selector)
-                && file_exists($this->DKIM_private)) {
+                && (!empty($this->DKIM_private_string)
+                   || (!empty($this->DKIM_private) && file_exists($this->DKIM_private))
+                )
+            ) {
                 $header_dkim = $this->DKIM_Add(
                     $this->MIMEHeader . $this->mailHeader,
                     $this->encodeHeader($this->secureHeader($this->Subject)),
@@ -1274,19 +1364,24 @@ class PHPMailer
      */
     protected function sendmailSend($header, $body)
     {
-        if ($this->Sender != '') {
+        // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+        if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
             if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+                $sendmailFmt = '%s -f%s';
             } else {
-                $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+                $sendmailFmt = '%s -oi -f%s -t';
             }
         } else {
             if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
+                $sendmailFmt = '%s';
             } else {
-                $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
+                $sendmailFmt = '%s -oi -t';
             }
         }
+
+        // TODO: If possible, this should be changed to escapeshellarg.  Needs thorough testing.
+        $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
+
         if ($this->SingleTo) {
             foreach ($this->SingleToArray as $toAddr) {
                 if (!@$mail = popen($sendmail, 'w')) {
@@ -1332,6 +1427,40 @@ class PHPMailer
         return true;
     }
 
+    /**
+     * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
+     *
+     * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
+     * @param string $string The string to be validated
+     * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
+     * @access protected
+     * @return boolean
+     */
+    protected static function isShellSafe($string)
+    {
+        // Future-proof
+        if (escapeshellcmd($string) !== $string
+            or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))
+        ) {
+            return false;
+        }
+
+        $length = strlen($string);
+
+        for ($i = 0; $i < $length; $i++) {
+            $c = $string[$i];
+
+            // All other characters have a special meaning in at least one common shell, including = and +.
+            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
     /**
      * Send mail using the PHP mail() function.
      * @param string $header The message headers
@@ -1349,17 +1478,20 @@ class PHPMailer
         }
         $to = implode(', ', $toArr);
 
-        if (empty($this->Sender)) {
-            $params = ' ';
-        } else {
-            $params = sprintf('-f%s', $this->Sender);
+        $params = null;
+        //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
+        if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
+            // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+            if (self::isShellSafe($this->Sender)) {
+                $params = sprintf('-f%s', $this->Sender);
+            }
         }
-        if ($this->Sender != '' and !ini_get('safe_mode')) {
+        if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
             $old_from = ini_get('sendmail_from');
             ini_set('sendmail_from', $this->Sender);
         }
         $result = false;
-        if ($this->SingleTo && count($toArr) > 1) {
+        if ($this->SingleTo and count($toArr) > 1) {
             foreach ($toArr as $toAddr) {
                 $result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params);
                 $this->doCallback($result, array($toAddr), $this->cc, $this->bcc, $this->Subject, $body, $this->From);
@@ -1409,10 +1541,10 @@ class PHPMailer
         if (!$this->smtpConnect($this->SMTPOptions)) {
             throw new phpmailerException($this->lang('smtp_connect_failed'), self::STOP_CRITICAL);
         }
-        if ('' == $this->Sender) {
-            $smtp_from = $this->From;
-        } else {
+        if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
             $smtp_from = $this->Sender;
+        } else {
+            $smtp_from = $this->From;
         }
         if (!$this->smtp->mail($smtp_from)) {
             $this->setError($this->lang('from_failed') . $smtp_from . ' : ' . implode(',', $this->smtp->getError()));
@@ -1466,12 +1598,17 @@ class PHPMailer
      * @throws phpmailerException
      * @return boolean
      */
-    public function smtpConnect($options = array())
+    public function smtpConnect($options = null)
     {
         if (is_null($this->smtp)) {
             $this->smtp = $this->getSMTPInstance();
         }
 
+        //If no options are provided, use whatever is set in the instance
+        if (is_null($options)) {
+            $options = $this->SMTPOptions;
+        }
+
         // Already connected?
         if ($this->smtp->connected()) {
             return true;
@@ -1541,7 +1678,7 @@ class PHPMailer
                         if (!$this->smtp->startTLS()) {
                             throw new phpmailerException($this->lang('connect_host'));
                         }
-                        // We must resend HELO after tls negotiation
+                        // We must resend EHLO after TLS negotiation
                         $this->smtp->hello($hello);
                     }
                     if ($this->SMTPAuth) {
@@ -1580,7 +1717,7 @@ class PHPMailer
      */
     public function smtpClose()
     {
-        if ($this->smtp !== null) {
+        if (is_a($this->smtp, 'SMTP')) {
             if ($this->smtp->connected()) {
                 $this->smtp->quit();
                 $this->smtp->close();
@@ -1599,6 +1736,19 @@ class PHPMailer
      */
     public function setLanguage($langcode = 'en', $lang_path = '')
     {
+        // Backwards compatibility for renamed language codes
+        $renamed_langcodes = array(
+            'br' => 'pt_br',
+            'cz' => 'cs',
+            'dk' => 'da',
+            'no' => 'nb',
+            'se' => 'sv',
+        );
+
+        if (isset($renamed_langcodes[$langcode])) {
+            $langcode = $renamed_langcodes[$langcode];
+        }
+
         // Define full set of translatable strings in English
         $PHPMAILER_LANG = array(
             'authenticate' => 'SMTP Error: Could not authenticate.',
@@ -1625,6 +1775,10 @@ class PHPMailer
             // Calculate an absolute path so it can work if CWD is not here
             $lang_path = dirname(__FILE__). DIRECTORY_SEPARATOR . 'language'. DIRECTORY_SEPARATOR;
         }
+        //Validate $langcode
+        if (!preg_match('/^[a-z]{2}(?:_[a-zA-Z]{2})?$/', $langcode)) {
+            $langcode = 'en';
+        }
         $foundlang = true;
         $lang_file = $lang_path . 'phpmailer.lang-' . $langcode . '.php';
         // There is no English translation file
@@ -1918,7 +2072,9 @@ class PHPMailer
             $result .= $this->headerLine('Subject', $this->encodeHeader($this->secureHeader($this->Subject)));
         }
 
-        if ($this->MessageID != '') {
+        // Only allow a custom message ID if it conforms to RFC 5322 section 3.6.4
+        // https://tools.ietf.org/html/rfc5322#section-3.6.4
+        if ('' != $this->MessageID and preg_match('/^<.*@.*>$/', $this->MessageID)) {
             $this->lastMessageID = $this->MessageID;
         } else {
             $this->lastMessageID = sprintf('<%s@%s>', $this->uniqueid, $this->serverHostname());
@@ -2020,7 +2176,15 @@ class PHPMailer
      */
     public function getSentMIMEMessage()
     {
-        return $this->MIMEHeader . $this->mailHeader . self::CRLF . $this->MIMEBody;
+        return rtrim($this->MIMEHeader . $this->mailHeader, "\n\r") . self::CRLF . self::CRLF . $this->MIMEBody;
+    }
+
+    /**
+     * Create unique ID
+     * @return string
+     */
+    protected function generateId() {
+        return md5(uniqid(time()));
     }
 
     /**
@@ -2034,7 +2198,7 @@ class PHPMailer
     {
         $body = '';
         //Create unique IDs and preset boundaries
-        $this->uniqueid = md5(uniqid(time()));
+        $this->uniqueid = $this->generateId();
         $this->boundary[1] = 'b1_' . $this->uniqueid;
         $this->boundary[2] = 'b2_' . $this->uniqueid;
         $this->boundary[3] = 'b3_' . $this->uniqueid;
@@ -2050,11 +2214,12 @@ class PHPMailer
         //Can we do a 7-bit downgrade?
         if ($bodyEncoding == '8bit' and !$this->has8bitChars($this->Body)) {
             $bodyEncoding = '7bit';
+            //All ISO 8859, Windows codepage and UTF-8 charsets are ascii compatible up to 7-bit
             $bodyCharSet = 'us-ascii';
         }
-        //If lines are too long, change to quoted-printable transfer encoding
-        if (self::hasLineLongerThanMax($this->Body)) {
-            $this->Encoding = 'quoted-printable';
+        //If lines are too long, and we're not already using an encoding that will shorten them,
+        //change to quoted-printable transfer encoding for the body part only
+        if ('base64' != $this->Encoding and self::hasLineLongerThanMax($this->Body)) {
             $bodyEncoding = 'quoted-printable';
         }
 
@@ -2063,10 +2228,12 @@ class PHPMailer
         //Can we do a 7-bit downgrade?
         if ($altBodyEncoding == '8bit' and !$this->has8bitChars($this->AltBody)) {
             $altBodyEncoding = '7bit';
+            //All ISO 8859, Windows codepage and UTF-8 charsets are ascii compatible up to 7-bit
             $altBodyCharSet = 'us-ascii';
         }
-        //If lines are too long, change to quoted-printable transfer encoding
-        if (self::hasLineLongerThanMax($this->AltBody)) {
+        //If lines are too long, and we're not already using an encoding that will shorten them,
+        //change to quoted-printable transfer encoding for the alt body part only
+        if ('base64' != $altBodyEncoding and self::hasLineLongerThanMax($this->AltBody)) {
             $altBodyEncoding = 'quoted-printable';
         }
         //Use this as a preamble in all multipart message types
@@ -2169,8 +2336,10 @@ class PHPMailer
                 $body .= $this->attachAll('attachment', $this->boundary[1]);
                 break;
             default:
-                // catch case 'plain' and case ''
-                $body .= $this->encodeString($this->Body, $bodyEncoding);
+                // Catch case 'plain' and case '', applies to simple `text/plain` and `text/html` body content types
+                //Reset the `Encoding` property in case we changed it for line length reasons
+                $this->Encoding = $bodyEncoding;
+                $body .= $this->encodeString($this->Body, $this->Encoding);
                 break;
         }
 
@@ -2276,8 +2445,7 @@ class PHPMailer
 
     /**
      * Set the message type.
-     * PHPMailer only supports some preset message types,
-     * not arbitrary MIME structures.
+     * PHPMailer only supports some preset message types, not arbitrary MIME structures.
      * @access protected
      * @return void
      */
@@ -2295,6 +2463,7 @@ class PHPMailer
         }
         $this->message_type = implode('_', $type);
         if ($this->message_type == '') {
+            //The 'plain' message_type refers to the message having a single body element, not that it is plain-text
             $this->message_type = 'plain';
         }
     }
@@ -2324,6 +2493,7 @@ class PHPMailer
 
     /**
      * Add an attachment from a path on the filesystem.
+     * Never use a user-supplied path to a file!
      * Returns false if the file could not be found or read.
      * @param string $path Path to the attachment.
      * @param string $name Overrides the attachment name.
@@ -2849,6 +3019,7 @@ class PHPMailer
      * displayed inline with the message, not just attached for download.
      * This is used in HTML messages that embed the images
      * the HTML refers to using the $cid value.
+     * Never use a user-supplied path to a file!
      * @param string $path Path to the attachment.
      * @param string $cid Content ID of the attachment; Use this to reference
      *        the content when using an embedded image in HTML.
@@ -3209,21 +3380,29 @@ class PHPMailer
     }
 
     /**
-     * Create a message from an HTML string.
-     * Automatically makes modifications for inline images and backgrounds
-     * and creates a plain-text version by converting the HTML.
-     * Overwrites any existing values in $this->Body and $this->AltBody
+     * Create a message body from an HTML string.
+     * Automatically inlines images and creates a plain-text version by converting the HTML,
+     * overwriting any existing values in Body and AltBody.
+     * Do not source $message content from user input!
+     * $basedir is prepended when handling relative URLs, e.g. <img src="/images/a.png"> and must not be empty
+     * will look for an image file in $basedir/images/a.png and convert it to inline.
+     * If you don't provide a $basedir, relative paths will be left untouched (and thus probably break in email)
+     * If you don't want to apply these transformations to your HTML, just set Body and AltBody directly.
      * @access public
      * @param string $message HTML message string
-     * @param string $basedir baseline directory for path
+     * @param string $basedir Absolute path to a base directory to prepend to relative paths to images
      * @param boolean|callable $advanced Whether to use the internal HTML to text converter
      *    or your own custom converter @see PHPMailer::html2text()
-     * @return string $message
+     * @return string $message The transformed message Body
      */
     public function msgHTML($message, $basedir = '', $advanced = false)
     {
         preg_match_all('/(src|background)=["\'](.*)["\']/Ui', $message, $images);
         if (array_key_exists(2, $images)) {
+            if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
+                // Ensure $basedir has a trailing /
+                $basedir .= '/';
+            }
             foreach ($images[2] as $imgindex => $url) {
                 // Convert data URIs into embedded images
                 if (preg_match('#^data:(image[^;,]*)(;base64)?,#', $url, $match)) {
@@ -3241,18 +3420,24 @@ class PHPMailer
                             $message
                         );
                     }
-                } elseif (substr($url, 0, 4) !== 'cid:' && !preg_match('#^[A-z]+://#', $url)) {
-                    // Do not change urls for absolute images (thanks to corvuscorax)
+                    continue;
+                }
+                if (
+                    // Only process relative URLs if a basedir is provided (i.e. no absolute local paths)
+                    !empty($basedir)
+                    // Ignore URLs containing parent dir traversal (..)
+                    && (strpos($url, '..') === false)
                     // Do not change urls that are already inline images
+                    && substr($url, 0, 4) !== 'cid:'
+                    // Do not change absolute URLs, including anonymous protocol
+                    && !preg_match('#^[a-z][a-z0-9+.-]*:?//#i', $url)
+                ) {
                     $filename = basename($url);
                     $directory = dirname($url);
                     if ($directory == '.') {
                         $directory = '';
                     }
                     $cid = md5($url) . '@phpmailer.0'; // RFC2392 S 2
-                    if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
-                        $basedir .= '/';
-                    }
                     if (strlen($directory) > 1 && substr($directory, -1) != '/') {
                         $directory .= '/';
                     }
@@ -3277,7 +3462,7 @@ class PHPMailer
         // Convert all message body line breaks to CRLF, makes quoted-printable encoding work much better
         $this->Body = $this->normalizeBreaks($message);
         $this->AltBody = $this->normalizeBreaks($this->html2text($message, $advanced));
-        if (empty($this->AltBody)) {
+        if (!$this->alternativeExists()) {
             $this->AltBody = 'To view this email message, open it in a program that understands HTML!' .
                 self::CRLF . self::CRLF;
         }
@@ -3288,7 +3473,7 @@ class PHPMailer
      * Convert an HTML string into plain text.
      * This is used by msgHTML().
      * Note - older versions of this function used a bundled advanced converter
-     * which was been removed for license reasons in #232
+     * which was been removed for license reasons in #232.
      * Example usage:
      * <code>
      * // Use default conversion
@@ -3588,7 +3773,7 @@ class PHPMailer
      * @access public
      * @param string $signHeader
      * @throws phpmailerException
-     * @return string
+     * @return string The DKIM signature value
      */
     public function DKIM_Sign($signHeader)
     {
@@ -3598,15 +3783,35 @@ class PHPMailer
             }
             return '';
         }
-        $privKeyStr = file_get_contents($this->DKIM_private);
-        if ($this->DKIM_passphrase != '') {
+        $privKeyStr = !empty($this->DKIM_private_string) ? $this->DKIM_private_string : file_get_contents($this->DKIM_private);
+        if ('' != $this->DKIM_passphrase) {
             $privKey = openssl_pkey_get_private($privKeyStr, $this->DKIM_passphrase);
         } else {
-            $privKey = $privKeyStr;
+            $privKey = openssl_pkey_get_private($privKeyStr);
         }
-        if (openssl_sign($signHeader, $signature, $privKey)) {
-            return base64_encode($signature);
+        //Workaround for missing digest algorithms in old PHP & OpenSSL versions
+        //@link http://stackoverflow.com/a/11117338/333340
+        if (version_compare(PHP_VERSION, '5.3.0') >= 0 and
+            in_array('sha256WithRSAEncryption', openssl_get_md_methods(true))) {
+            if (openssl_sign($signHeader, $signature, $privKey, 'sha256WithRSAEncryption')) {
+                openssl_pkey_free($privKey);
+                return base64_encode($signature);
+            }
+        } else {
+            $pinfo = openssl_pkey_get_details($privKey);
+            $hash = hash('sha256', $signHeader);
+            //'Magic' constant for SHA256 from RFC3447
+            //@link https://tools.ietf.org/html/rfc3447#page-43
+            $t = '3031300d060960864801650304020105000420' . $hash;
+            $pslen = $pinfo['bits'] / 8 - (strlen($t) / 2 + 3);
+            $eb = pack('H*', '0001' . str_repeat('FF', $pslen) . '00' . $t);
+
+            if (openssl_private_encrypt($eb, $signature, $privKey, OPENSSL_NO_PADDING)) {
+                openssl_pkey_free($privKey);
+                return base64_encode($signature);
+            }
         }
+        openssl_pkey_free($privKey);
         return '';
     }
 
@@ -3623,7 +3828,7 @@ class PHPMailer
         foreach ($lines as $key => $line) {
             list($heading, $value) = explode(':', $line, 2);
             $heading = strtolower($heading);
-            $value = preg_replace('/\s+/', ' ', $value); // Compress useless spaces
+            $value = preg_replace('/\s{2,}/', ' ', $value); // Compress useless spaces
             $lines[$key] = $heading . ':' . trim($value); // Don't forget to remove WSP around the value
         }
         $signHeader = implode("\r\n", $lines);
@@ -3661,7 +3866,7 @@ class PHPMailer
      */
     public function DKIM_Add($headers_line, $subject, $body)
     {
-        $DKIMsignatureType = 'rsa-sha1'; // Signature & hash algorithms
+        $DKIMsignatureType = 'rsa-sha256'; // Signature & hash algorithms
         $DKIMcanonicalization = 'relaxed/simple'; // Canonicalization of header/body
         $DKIMquery = 'dns/txt'; // Query method
         $DKIMtime = time(); // Signature Timestamp = seconds since 00:00:00 - Jan 1, 1970 (UTC time zone)
@@ -3669,6 +3874,7 @@ class PHPMailer
         $headers = explode($this->LE, $headers_line);
         $from_header = '';
         $to_header = '';
+        $date_header = '';
         $current = '';
         foreach ($headers as $header) {
             if (strpos($header, 'From:') === 0) {
@@ -3677,6 +3883,9 @@ class PHPMailer
             } elseif (strpos($header, 'To:') === 0) {
                 $to_header = $header;
                 $current = 'to_header';
+            } elseif (strpos($header, 'Date:') === 0) {
+                $date_header = $header;
+                $current = 'date_header';
             } else {
                 if (!empty($$current) && strpos($header, ' =?') === 0) {
                     $$current .= $header;
@@ -3687,6 +3896,7 @@ class PHPMailer
         }
         $from = str_replace('|', '=7C', $this->DKIM_QP($from_header));
         $to = str_replace('|', '=7C', $this->DKIM_QP($to_header));
+        $date = str_replace('|', '=7C', $this->DKIM_QP($date_header));
         $subject = str_replace(
             '|',
             '=7C',
@@ -3694,7 +3904,7 @@ class PHPMailer
         ); // Copied header fields (dkim-quoted-printable)
         $body = $this->DKIM_BodyC($body);
         $DKIMlen = strlen($body); // Length of body
-        $DKIMb64 = base64_encode(pack('H*', sha1($body))); // Base64 of packed binary SHA-1 hash of body
+        $DKIMb64 = base64_encode(pack('H*', hash('sha256', $body))); // Base64 of packed binary SHA-256 hash of body
         if ('' == $this->DKIM_identity) {
             $ident = '';
         } else {
@@ -3707,16 +3917,18 @@ class PHPMailer
             $this->DKIM_selector .
             ";\r\n" .
             "\tt=" . $DKIMtime . '; c=' . $DKIMcanonicalization . ";\r\n" .
-            "\th=From:To:Subject;\r\n" .
+            "\th=From:To:Date:Subject;\r\n" .
             "\td=" . $this->DKIM_domain . ';' . $ident . "\r\n" .
             "\tz=$from\r\n" .
             "\t|$to\r\n" .
+            "\t|$date\r\n" .
             "\t|$subject;\r\n" .
             "\tbh=" . $DKIMb64 . ";\r\n" .
             "\tb=";
         $toSign = $this->DKIM_HeaderC(
             $from_header . "\r\n" .
             $to_header . "\r\n" .
+            $date_header . "\r\n" .
             $subject_header . "\r\n" .
             $dkimhdrs
         );

wp-includes/class-smtp.php

@@ -30,7 +30,7 @@ class SMTP
      * The PHPMailer SMTP version number.
      * @var string
      */
-    const VERSION = '5.2.14';
+    const VERSION = '5.2.22';
 
     /**
      * SMTP line break constant.
@@ -81,7 +81,7 @@ class SMTP
      * @deprecated Use the `VERSION` constant instead
      * @see SMTP::VERSION
      */
-    public $Version = '5.2.14';
+    public $Version = '5.2.22';
 
     /**
      * SMTP server port number.
@@ -150,6 +150,17 @@ class SMTP
      */
     public $Timelimit = 300;
 
+	/**
+	 * @var array patterns to extract smtp transaction id from smtp reply
+	 * Only first capture group will be use, use non-capturing group to deal with it
+	 * Extend this class to override this property to fulfil your needs.
+	 */
+	protected $smtp_transaction_id_patterns = array(
+		'exim' => '/[0-9]{3} OK id=(.*)/',
+		'sendmail' => '/[0-9]{3} 2.0.0 (.*) Message/',
+		'postfix' => '/[0-9]{3} 2.0.0 Ok: queued as (.*)/'
+	);
+
     /**
      * The socket for the server connection.
      * @var resource
@@ -206,7 +217,7 @@ class SMTP
         }
         //Avoid clash with built-in function names
         if (!in_array($this->Debugoutput, array('error_log', 'html', 'echo')) and is_callable($this->Debugoutput)) {
-            call_user_func($this->Debugoutput, $str, $this->do_debug);
+            call_user_func($this->Debugoutput, $str, $level);
             return;
         }
         switch ($this->Debugoutput) {
@@ -272,8 +283,8 @@ class SMTP
         $errstr = '';
         if ($streamok) {
             $socket_context = stream_context_create($options);
-            //Suppress errors; connection failures are handled at a higher level
-            $this->smtp_conn = @stream_socket_client(
+            set_error_handler(array($this, 'errorHandler'));
+            $this->smtp_conn = stream_socket_client(
                 $host . ":" . $port,
                 $errno,
                 $errstr,
@@ -281,12 +292,14 @@ class SMTP
                 STREAM_CLIENT_CONNECT,
                 $socket_context
             );
+            restore_error_handler();
         } else {
             //Fall back to fsockopen which should work in more places, but is missing some features
             $this->edebug(
                 "Connection: stream_socket_client not available, falling back to fsockopen",
                 self::DEBUG_CONNECTION
             );
+            set_error_handler(array($this, 'errorHandler'));
             $this->smtp_conn = fsockopen(
                 $host,
                 $port,
@@ -294,6 +307,7 @@ class SMTP
                 $errstr,
                 $timeout
             );
+            restore_error_handler();
         }
         // Verify we connected properly
         if (!is_resource($this->smtp_conn)) {
@@ -336,11 +350,22 @@ class SMTP
         if (!$this->sendCommand('STARTTLS', 'STARTTLS', 220)) {
             return false;
         }
+
+        //Allow the best TLS version(s) we can
+        $crypto_method = STREAM_CRYPTO_METHOD_TLS_CLIENT;
+
+        //PHP 5.6.7 dropped inclusion of TLS 1.1 and 1.2 in STREAM_CRYPTO_METHOD_TLS_CLIENT
+        //so add them back in manually if we can
+        if (defined('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT')) {
+            $crypto_method |= STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
+            $crypto_method |= STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
+        }
+
         // Begin encrypted connection
         if (!stream_socket_enable_crypto(
             $this->smtp_conn,
             true,
-            STREAM_CRYPTO_METHOD_TLS_CLIENT
+            $crypto_method
         )) {
             return false;
         }
@@ -353,7 +378,7 @@ class SMTP
      * @see hello()
      * @param string $username The user name
      * @param string $password The password
-     * @param string $authtype The auth type (PLAIN, LOGIN, NTLM, CRAM-MD5, XOAUTH2)
+     * @param string $authtype The auth type (PLAIN, LOGIN, CRAM-MD5)
      * @param string $realm The auth realm for NTLM
      * @param string $workstation The auth workstation for NTLM
      * @param null|OAuth $OAuth An optional OAuth instance (@see PHPMailerOAuth)
@@ -389,7 +414,7 @@ class SMTP
             );
 
             if (empty($authtype)) {
-                foreach (array('LOGIN', 'CRAM-MD5', 'PLAIN') as $method) {
+                foreach (array('CRAM-MD5', 'LOGIN', 'PLAIN') as $method) {
                     if (in_array($method, $this->server_caps['AUTH'])) {
                         $authtype = $method;
                         break;
@@ -673,7 +698,7 @@ class SMTP
     protected function parseHelloFields($type)
     {
         $this->server_caps = array();
-        $lines = explode("\n", $this->last_reply);
+        $lines = explode("\n", $this->helo_rply);
 
         foreach ($lines as $n => $s) {
             //First 4 chars contain response code followed by - or space
@@ -1115,4 +1140,47 @@ class SMTP
     {
         return $this->Timeout;
     }
+
+    /**
+     * Reports an error number and string.
+     * @param integer $errno The error number returned by PHP.
+     * @param string $errmsg The error message returned by PHP.
+     */
+    protected function errorHandler($errno, $errmsg)
+    {
+        $notice = 'Connection: Failed to connect to server.';
+        $this->setError(
+            $notice,
+            $errno,
+            $errmsg
+        );
+        $this->edebug(
+            $notice . ' Error number ' . $errno . '. "Error notice: ' . $errmsg,
+            self::DEBUG_CONNECTION
+        );
+    }
+
+	/**
+	 * Will return the ID of the last smtp transaction based on a list of patterns provided
+	 * in SMTP::$smtp_transaction_id_patterns.
+	 * If no reply has been received yet, it will return null.
+	 * If no pattern has been matched, it will return false.
+	 * @return bool|null|string
+	 */
+	public function getLastTransactionID()
+	{
+		$reply = $this->getLastReply();
+
+		if (empty($reply)) {
+			return null;
+		}
+
+		foreach($this->smtp_transaction_id_patterns as $smtp_transaction_id_pattern) {
+			if(preg_match($smtp_transaction_id_pattern, $reply, $matches)) {
+				return $matches[1];
+			}
+		}
+
+		return false;
+    }
 }

wp-includes/class-walker-page.php

@@ -53,7 +53,7 @@ class Walker_Page extends Walker {
 	 *                       Default empty array.
 	 */
 	public function start_lvl( &$output, $depth = 0, $args = array() ) {
-		if ( 'preserve' === $args['item_spacing'] ) {
+		if ( isset( $args['item_spacing'] ) && 'preserve' === $args['item_spacing'] ) {
 			$t = "\t";
 			$n = "\n";
 		} else {
@@ -78,7 +78,7 @@ class Walker_Page extends Walker {
 	 *                       Default empty array.
 	 */
 	public function end_lvl( &$output, $depth = 0, $args = array() ) {
-		if ( 'preserve' === $args['item_spacing'] ) {
+		if ( isset( $args['item_spacing'] ) && 'preserve' === $args['item_spacing'] ) {
 			$t = "\t";
 			$n = "\n";
 		} else {
@@ -103,7 +103,7 @@ class Walker_Page extends Walker {
 	 * @param int     $current_page Optional. Page ID. Default 0.
 	 */
 	public function start_el( &$output, $page, $depth = 0, $args = array(), $current_page = 0 ) {
-		if ( 'preserve' === $args['item_spacing'] ) {
+		if ( isset( $args['item_spacing'] ) && 'preserve' === $args['item_spacing'] ) {
 			$t = "\t";
 			$n = "\n";
 		} else {
@@ -196,7 +196,7 @@ class Walker_Page extends Walker {
 	 * @param array   $args   Optional. Array of arguments. Default empty array.
 	 */
 	public function end_el( &$output, $page, $depth = 0, $args = array() ) {
-		if ( 'preserve' === $args['item_spacing'] ) {
+		if ( isset( $args['item_spacing'] ) && 'preserve' === $args['item_spacing'] ) {
 			$t = "\t";
 			$n = "\n";
 		} else {

wp-includes/class-wp-comment.php

@@ -191,12 +191,11 @@ final class WP_Comment {
 	public static function get_instance( $id ) {
 		global $wpdb;
 
-		if ( ! is_numeric( $id ) || $id != floor( $id ) || ! $id ) {
+		$comment_id = (int) $id;
+		if ( ! $comment_id ) {
 			return false;
 		}
 
-		$comment_id = (int) $id;
-
 		$_comment = wp_cache_get( $comment_id, 'comment' );
 
 		if ( ! $_comment ) {

wp-includes/class-wp-customize-manager.php

@@ -484,6 +484,24 @@ final class WP_Customize_Manager {
 			$this->wp_die( -1, __( 'Invalid changeset UUID' ) );
 		}
 
+		/*
+		 * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
+		 * application will inject the customize_preview_nonce query parameter into all Ajax requests.
+		 * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
+		 * a user when a valid nonce isn't present.
+		 */
+		$has_post_data_nonce = (
+			check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
+			||
+			check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
+			||
+			check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
+		);
+		if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
+			unset( $_POST['customized'] );
+			unset( $_REQUEST['customized'] );
+		}
+
 		/*
 		 * If unauthenticated then require a valid changeset UUID to load the preview.
 		 * In this way, the UUID serves as a secret key. If the messenger channel is present,
@@ -798,7 +816,8 @@ final class WP_Customize_Manager {
 			'no_found_rows' => true,
 			'cache_results' => true,
 			'update_post_meta_cache' => false,
-			'update_term_meta_cache' => false,
+			'update_post_term_cache' => false,
+			'lazy_load_term_meta' => false,
 		) );
 		if ( ! empty( $changeset_post_query->posts ) ) {
 			// Note: 'fields'=>'ids' is not being used in order to cache the post object as it will be needed.
@@ -996,13 +1015,19 @@ final class WP_Customize_Manager {
 			wp_list_pluck( $posts, 'post_name' )
 		);
 
+		/*
+		 * Obtain all post types referenced in starter content to use in query.
+		 * This is needed because 'any' will not account for post types not yet registered.
+		 */
+		$post_types = array_filter( array_merge( array( 'attachment' ), wp_list_pluck( $posts, 'post_type' ) ) );
+
 		// Re-use auto-draft starter content posts referenced in the current customized state.
 		$existing_starter_content_posts = array();
 		if ( ! empty( $starter_content_auto_draft_post_ids ) ) {
 			$existing_posts_query = new WP_Query( array(
 				'post__in' => $starter_content_auto_draft_post_ids,
 				'post_status' => 'auto-draft',
-				'post_type' => 'any',
+				'post_type' => $post_types,
 				'posts_per_page' => -1,
 			) );
 			foreach ( $existing_posts_query->posts as $existing_post ) {
@@ -1570,6 +1595,7 @@ final class WP_Customize_Manager {
 		add_filter( 'wp_redirect', array( $this, 'add_state_query_params' ) );
 
 		wp_enqueue_script( 'customize-preview' );
+		wp_enqueue_style( 'customize-preview' );
 		add_action( 'wp_head', array( $this, 'customize_preview_loading_style' ) );
 		add_action( 'wp_head', array( $this, 'remove_frameless_preview_messenger_channel' ) );
 		add_action( 'wp_footer', array( $this, 'customize_preview_settings' ), 20 );
@@ -1776,6 +1802,17 @@ final class WP_Customize_Manager {
 			}
 			$allowed_hosts[] = $host;
 		}
+
+		$switched_locale = switch_to_locale( get_user_locale() );
+		$l10n = array(
+			'shiftClickToEdit' => __( 'Shift-click to edit this element.' ),
+			'linkUnpreviewable' => __( 'This link is not live-previewable.' ),
+			'formUnpreviewable' => __( 'This form is not live-previewable.' ),
+		);
+		if ( $switched_locale ) {
+			restore_previous_locale();
+		}
+
 		$settings = array(
 			'changeset' => array(
 				'uuid' => $this->_changeset_uuid,
@@ -1800,11 +1837,7 @@ final class WP_Customize_Manager {
 			'activeControls' => array(),
 			'settingValidities' => $exported_setting_validities,
 			'nonce' => current_user_can( 'customize' ) ? $this->get_nonces() : array(),
-			'l10n' => array(
-				'shiftClickToEdit' => __( 'Shift-click to edit this element.' ),
-				'linkUnpreviewable' => __( 'This link is not live-previewable.' ),
-				'formUnpreviewable' => __( 'This form is not live-previewable.' ),
-			),
+			'l10n' => $l10n,
 			'_dirty' => array_keys( $post_values ),
 		);
 
@@ -2479,6 +2512,14 @@ final class WP_Customize_Manager {
 		} elseif ( $args['date_gmt'] ) {
 			$post_array['post_date_gmt'] = $args['date_gmt'];
 			$post_array['post_date'] = get_date_from_gmt( $args['date_gmt'] );
+		} elseif ( $changeset_post_id && 'auto-draft' === get_post_status( $changeset_post_id ) ) {
+			/*
+			 * Keep bumping the date for the auto-draft whenever it is modified;
+			 * this extends its life, preserving it from garbage-collection via
+			 * wp_delete_auto_drafts().
+			 */
+			$post_array['post_date'] = current_time( 'mysql' );
+			$post_array['post_date_gmt'] = '';
 		}
 
 		$this->store_changeset_revision = $allow_revision;
@@ -3889,7 +3930,7 @@ final class WP_Customize_Manager {
 		$this->add_setting( 'external_header_video', array(
 			'theme_supports'    => array( 'custom-header', 'video' ),
 			'transport'         => 'postMessage',
-			'sanitize_callback' => 'esc_url_raw',
+			'sanitize_callback' => array( $this, '_sanitize_external_header_video' ),
 			'validate_callback' => array( $this, '_validate_external_header_video' ),
 		) );
 
@@ -3934,7 +3975,7 @@ final class WP_Customize_Manager {
 			'type'           => 'url',
 			'description'    => __( 'Or, enter a YouTube URL:' ),
 			'section'        => 'header_image',
-			'active_callback'=> 'is_front_page',
+			'active_callback' => 'is_header_video_active',
 		) );
 
 		$this->add_control( new WP_Customize_Header_Image_Control( $this ) );
@@ -4311,6 +4352,18 @@ final class WP_Customize_Manager {
 		return $validity;
 	}
 
+	/**
+	 * Callback for sanitizing the external_header_video value.
+	 *
+	 * @since 4.7.1
+	 *
+	 * @param string $value URL.
+	 * @return string Sanitized URL.
+	 */
+	public function _sanitize_external_header_video( $value ) {
+		return esc_url_raw( trim( $value ) );
+	}
+
 	/**
 	 * Callback for rendering the custom logo, used in the custom_logo partial.
 	 *

wp-includes/class-wp-customize-nav-menus.php

@@ -531,10 +531,7 @@ final class WP_Customize_Nav_Menus {
 	 */
 	public function customize_register() {
 
-		/*
-		 * Preview settings for nav menus early so that the sections and controls will be added properly.
-		 * See https://github.com/xwp/wp-customize-snapshots/blob/962586659688a5b1fd9ae93618b7ce2d4e7a421c/php/class-customize-snapshot-manager.php#L506-L543
-		 */
+		// Preview settings for nav menus early so that the sections and controls will be added properly.
 		$nav_menus_setting_ids = array();
 		foreach ( array_keys( $this->manager->unsanitized_post_values() ) as $setting_id ) {
 			if ( preg_match( '/^(nav_menu_locations|nav_menu|nav_menu_item)\[/', $setting_id ) ) {
@@ -542,10 +539,12 @@ final class WP_Customize_Nav_Menus {
 			}
 		}
 		$this->manager->add_dynamic_settings( $nav_menus_setting_ids );
-		foreach ( $nav_menus_setting_ids as $setting_id ) {
-			$setting = $this->manager->get_setting( $setting_id );
-			if ( $setting ) {
-				$setting->preview();
+		if ( ! $this->manager->doing_ajax( 'customize_save' ) ) {
+			foreach ( $nav_menus_setting_ids as $setting_id ) {
+				$setting = $this->manager->get_setting( $setting_id );
+				if ( $setting ) {
+					$setting->preview();
+				}
 			}
 		}
 
@@ -787,7 +786,7 @@ final class WP_Customize_Nav_Menus {
 	 * @return WP_Post|WP_Error Inserted auto-draft post object or error.
 	 */
 	public function insert_auto_draft_post( $postarr ) {
-		if ( ! isset( $postarr['post_type'] ) || ! post_type_exists( $postarr['post_type'] )  ) {
+		if ( ! isset( $postarr['post_type'] ) ) {
 			return new WP_Error( 'unknown_post_type', __( 'Unknown post type' ) );
 		}
 		if ( empty( $postarr['post_title'] ) ) {
@@ -1328,7 +1327,6 @@ final class WP_Customize_Nav_Menus {
 	 */
 	public function customize_preview_enqueue_deps() {
 		wp_enqueue_script( 'customize-preview-nav-menus' ); // Note that we have overridden this.
-		wp_enqueue_style( 'customize-preview' );
 	}
 
 	/**

wp-includes/class-wp-customize-panel.php

@@ -103,6 +103,15 @@ class WP_Customize_Panel {
 	 */
 	public $description = '';
 
+	/**
+	 * Auto-expand a section in a panel when the panel is expanded when the panel only has the one section.
+	 *
+	 * @since 4.7.4
+	 * @access public
+	 * @var bool
+	 */
+	public $auto_expand_sole_section = false;
+
 	/**
 	 * Customizer sections for this panel.
 	 *
@@ -219,6 +228,7 @@ class WP_Customize_Panel {
 		$array['content'] = $this->get_content();
 		$array['active'] = $this->active();
 		$array['instanceNumber'] = $this->instance_number;
+		$array['autoExpandSoleSection'] = $this->auto_expand_sole_section;
 		return $array;
 	}
 

wp-includes/class-wp-customize-setting.php

@@ -585,7 +585,7 @@ class WP_Customize_Setting {
 		$id_base = $this->id_data['base'];
 		if ( 'option' === $this->type ) {
 			return get_option( $id_base, $default );
-		} else if ( 'theme_mod' ) {
+		} elseif ( 'theme_mod' === $this->type ) {
 			return get_theme_mod( $id_base, $default );
 		} else {
 			/*
@@ -614,7 +614,7 @@ class WP_Customize_Setting {
 				$autoload = self::$aggregated_multidimensionals[ $this->type ][ $this->id_data['base'] ]['autoload'];
 			}
 			return update_option( $id_base, $value, $autoload );
-		} else if ( 'theme_mod' ) {
+		} elseif ( 'theme_mod' === $this->type ) {
 			set_theme_mod( $id_base, $value );
 			return true;
 		} else {

wp-includes/class-wp-customize-widgets.php

@@ -422,6 +422,7 @@ final class WP_Customize_Widgets {
 			'description'     => __( 'Widgets are independent sections of content that can be placed into widgetized areas provided by your theme (commonly called sidebars).' ),
 			'priority'        => 110,
 			'active_callback' => array( $this, 'is_panel_active' ),
+			'auto_expand_sole_section' => true,
 		) );
 
 		foreach ( $sidebars_widgets as $sidebar_id => $sidebar_widget_ids ) {
@@ -1086,7 +1087,6 @@ final class WP_Customize_Widgets {
 	 */
 	public function customize_preview_enqueue() {
 		wp_enqueue_script( 'customize-preview-widgets' );
-		wp_enqueue_style( 'customize-preview' );
 	}
 
 	/**
@@ -1123,15 +1123,21 @@ final class WP_Customize_Widgets {
 	public function export_preview_data() {
 		global $wp_registered_sidebars, $wp_registered_widgets;
 
+		$switched_locale = switch_to_locale( get_user_locale() );
+		$l10n = array(
+			'widgetTooltip'  => __( 'Shift-click to edit this widget.' ),
+		);
+		if ( $switched_locale ) {
+			restore_previous_locale();
+		}
+
 		// Prepare Customizer settings to pass to JavaScript.
 		$settings = array(
 			'renderedSidebars'   => array_fill_keys( array_unique( $this->rendered_sidebars ), true ),
 			'renderedWidgets'    => array_fill_keys( array_keys( $this->rendered_widgets ), true ),
 			'registeredSidebars' => array_values( $wp_registered_sidebars ),
 			'registeredWidgets'  => $wp_registered_widgets,
-			'l10n'               => array(
-				'widgetTooltip'  => __( 'Shift-click to edit this widget.' ),
-			),
+			'l10n'               => $l10n,
 			'selectiveRefreshableWidgets' => $this->get_selective_refreshable_widgets(),
 		);
 		foreach ( $settings['registeredWidgets'] as &$registered_widget ) {

wp-includes/class-wp-editor.php

@@ -681,8 +681,10 @@ final class _WP_Editors {
 						$body_class .= ' post-format-standard';
 				}
 
-				if ( $page_template = get_page_template_slug( $post ) ) {
-					$page_template = str_replace( '.', '-', basename( $page_template, '.php' ) );
+				$page_template = get_page_template_slug( $post );
+
+				if ( $page_template !== false ) {
+					$page_template = empty( $page_template ) ? 'default' : str_replace( '.', '-', basename( $page_template, '.php' ) );
 					$body_class .= ' page-template-' . sanitize_html_class( $page_template );
 				}
 			}

wp-includes/class-wp-http-requests-hooks.php

@@ -54,7 +54,7 @@ class WP_HTTP_Requests_Hooks extends Requests_Hooks {
 		switch ( $hook ) {
 			case 'curl.before_send':
 				/** This action is documented in wp-includes/class-wp-http-curl.php */
-				do_action_ref_array( 'http_api_curl', array( $parameters[0], $this->request, $this->url ) );
+				do_action_ref_array( 'http_api_curl', array( &$parameters[0], $this->request, $this->url ) );
 				break;
 		}
 

wp-includes/class-wp-image-editor-imagick.php

@@ -146,10 +146,10 @@ class WP_Image_Editor_Imagick extends WP_Image_Editor {
 
 		try {
 			$this->image = new Imagick();
-			$file_parts = pathinfo( $this->file );
+			$file_extension = strtolower( pathinfo( $this->file, PATHINFO_EXTENSION ) );
 			$filename = $this->file;
 
-			if ( 'pdf' == strtolower( $file_parts['extension'] ) ) {
+			if ( 'pdf' == $file_extension ) {
 				$filename = $this->pdf_setup();
 			}
 
@@ -549,6 +549,11 @@ class WP_Image_Editor_Imagick extends WP_Image_Editor {
 		try {
 			$this->image->rotateImage( new ImagickPixel('none'), 360-$angle );
 
+			// Normalise Exif orientation data so that display is consistent across devices.
+			if ( is_callable( array( $this->image, 'setImageOrientation' ) ) && defined( 'Imagick::ORIENTATION_TOPLEFT' ) ) {
+				$this->image->setImageOrientation( Imagick::ORIENTATION_TOPLEFT );
+			}
+
 			// Since this changes the dimensions of the image, update the size.
 			$result = $this->update_size();
 			if ( is_wp_error( $result ) )

wp-includes/class-wp-post-type.php

@@ -333,6 +333,38 @@ final class WP_Post_Type {
 	 */
 	public $supports;
 
+	/**
+	 * Whether this post type should appear in the REST API.
+	 *
+	 * Default false. If true, standard endpoints will be registered with
+	 * respect to $rest_base and $rest_controller_class.
+	 *
+	 * @since 4.7.4
+	 * @access public
+	 * @var bool $show_in_rest
+	 */
+	public $show_in_rest;
+
+	/**
+	 * The base path for this post type's REST API endpoints.
+	 *
+	 * @since 4.7.4
+	 * @access public
+	 * @var string|bool $rest_base
+	 */
+	public $rest_base;
+
+	/**
+	 * The controller for this post type's REST API endpoints.
+	 *
+	 * Custom controllers must extend WP_REST_Controller.
+	 *
+	 * @since 4.7.4
+	 * @access public
+	 * @var string|bool $rest_controller_class
+	 */
+	public $rest_controller_class;
+
 	/**
 	 * Constructor.
 	 *
@@ -379,31 +411,34 @@ final class WP_Post_Type {
 
 		// Args prefixed with an underscore are reserved for internal use.
 		$defaults = array(
-			'labels'               => array(),
-			'description'          => '',
-			'public'               => false,
-			'hierarchical'         => false,
-			'exclude_from_search'  => null,
-			'publicly_queryable'   => null,
-			'show_ui'              => null,
-			'show_in_menu'         => null,
-			'show_in_nav_menus'    => null,
-			'show_in_admin_bar'    => null,
-			'menu_position'        => null,
-			'menu_icon'            => null,
-			'capability_type'      => 'post',
-			'capabilities'         => array(),
-			'map_meta_cap'         => null,
-			'supports'             => array(),
-			'register_meta_box_cb' => null,
-			'taxonomies'           => array(),
-			'has_archive'          => false,
-			'rewrite'              => true,
-			'query_var'            => true,
-			'can_export'           => true,
-			'delete_with_user'     => null,
-			'_builtin'             => false,
-			'_edit_link'           => 'post.php?post=%d',
+			'labels'                => array(),
+			'description'           => '',
+			'public'                => false,
+			'hierarchical'          => false,
+			'exclude_from_search'   => null,
+			'publicly_queryable'    => null,
+			'show_ui'               => null,
+			'show_in_menu'          => null,
+			'show_in_nav_menus'     => null,
+			'show_in_admin_bar'     => null,
+			'menu_position'         => null,
+			'menu_icon'             => null,
+			'capability_type'       => 'post',
+			'capabilities'          => array(),
+			'map_meta_cap'          => null,
+			'supports'              => array(),
+			'register_meta_box_cb'  => null,
+			'taxonomies'            => array(),
+			'has_archive'           => false,
+			'rewrite'               => true,
+			'query_var'             => true,
+			'can_export'            => true,
+			'delete_with_user'      => null,
+			'show_in_rest'          => false,
+			'rest_base'             => false,
+			'rest_controller_class' => false,
+			'_builtin'              => false,
+			'_edit_link'            => 'post.php?post=%d',
 		);
 
 		$args = array_merge( $defaults, $args );

wp-includes/class-wp-post.php

@@ -210,12 +210,11 @@ final class WP_Post {
 	public static function get_instance( $post_id ) {
 		global $wpdb;
 
-		if ( ! is_numeric( $post_id ) || $post_id != floor( $post_id ) || ! $post_id ) {
+		$post_id = (int) $post_id;
+		if ( ! $post_id ) {
 			return false;
 		}
 
-		$post_id = (int) $post_id;
-
 		$_post = wp_cache_get( $post_id, 'posts' );
 
 		if ( ! $_post ) {

wp-includes/class-wp-query.php

@@ -2255,12 +2255,12 @@ class WP_Query {
 			if ( empty( $in_search_post_types ) ) {
 				$where .= ' AND 1=0 ';
 			} else {
-				$where .= " AND {$wpdb->posts}.post_type IN ('" . join("', '", $in_search_post_types ) . "')";
+				$where .= " AND {$wpdb->posts}.post_type IN ('" . join( "', '", array_map( 'esc_sql', $in_search_post_types ) ) . "')";
 			}
 		} elseif ( !empty( $post_type ) && is_array( $post_type ) ) {
-			$where .= " AND {$wpdb->posts}.post_type IN ('" . join("', '", $post_type) . "')";
+			$where .= " AND {$wpdb->posts}.post_type IN ('" . join("', '", esc_sql( $post_type ) ) . "')";
 		} elseif ( ! empty( $post_type ) ) {
-			$where .= " AND {$wpdb->posts}.post_type = '$post_type'";
+			$where .= $wpdb->prepare( " AND {$wpdb->posts}.post_type = %s", $post_type );
 			$post_type_object = get_post_type_object ( $post_type );
 		} elseif ( $this->is_attachment ) {
 			$where .= " AND {$wpdb->posts}.post_type = 'attachment'";

wp-includes/class-wp-taxonomy.php

@@ -186,6 +186,38 @@ final class WP_Taxonomy {
 	 */
 	public $update_count_callback;
 
+	/**
+	 * Whether this taxonomy should appear in the REST API.
+	 *
+	 * Default false. If true, standard endpoints will be registered with
+	 * respect to $rest_base and $rest_controller_class.
+	 *
+	 * @since 4.7.4
+	 * @access public
+	 * @var bool $show_in_rest
+	 */
+	public $show_in_rest;
+
+	/**
+	 * The base path for this taxonomy's REST API endpoints.
+	 *
+	 * @since 4.7.4
+	 * @access public
+	 * @var string|bool $rest_base
+	 */
+	public $rest_base;
+
+	/**
+	 * The controller for this taxonomy's REST API endpoints.
+	 *
+	 * Custom controllers must extend WP_REST_Controller.
+	 *
+	 * @since 4.7.4
+	 * @access public
+	 * @var string|bool $rest_controller_class
+	 */
+	public $rest_controller_class;
+
 	/**
 	 * Whether it is a built-in taxonomy.
 	 *
@@ -254,6 +286,9 @@ final class WP_Taxonomy {
 			'rewrite'               => true,
 			'query_var'             => $this->name,
 			'update_count_callback' => '',
+			'show_in_rest'          => false,
+			'rest_base'             => false,
+			'rest_controller_class' => false,
 			'_builtin'              => false,
 		);
 
@@ -333,6 +368,8 @@ final class WP_Taxonomy {
 			}
 		}
 
+		$args['name'] = $this->name;
+
 		foreach ( $args as $property_name => $property_value ) {
 			$this->$property_name = $property_value;
 		}

wp-includes/class-wp-term.php

@@ -125,12 +125,11 @@ final class WP_Term {
 	public static function get_instance( $term_id, $taxonomy = null ) {
 		global $wpdb;
 
-		if ( ! is_numeric( $term_id ) || $term_id != floor( $term_id ) || ! $term_id ) {
+		$term_id = (int) $term_id;
+		if ( ! $term_id ) {
 			return false;
 		}
 
-		$term_id = (int) $term_id;
-
 		$_term = wp_cache_get( $term_id, 'terms' );
 
 		// If there isn't a cached version, hit the database.

wp-includes/class-wp-theme.php

@@ -721,8 +721,9 @@ final class WP_Theme implements ArrayAccess {
 	private function markup_header( $header, $value, $translate ) {
 		switch ( $header ) {
 			case 'Name' :
-				if ( empty( $value ) )
-					$value = $this->get_stylesheet();
+				if ( empty( $value ) ) {
+					$value = esc_html( $this->get_stylesheet() );
+				}
 				break;
 			case 'Description' :
 				$value = wptexturize( $value );
@@ -1138,11 +1139,21 @@ final class WP_Theme implements ArrayAccess {
 		$results = scandir( $path );
 		$files = array();
 
+		/**
+		 * Filters the array of excluded directories and files while scanning theme folder.
+		 *
+ 		 * @since 4.7.4
+		 *
+		 * @param array $exclusions Array of excluded directories and files.
+		 */
+		$exclusions = (array) apply_filters( 'theme_scandir_exclusions', array( 'CVS', 'node_modules' ) );
+
 		foreach ( $results as $result ) {
-			if ( '.' == $result[0] )
+			if ( '.' == $result[0] || in_array( $result, $exclusions, true ) ) {
 				continue;
+			}
 			if ( is_dir( $path . '/' . $result ) ) {
-				if ( ! $depth || 'CVS' == $result )
+				if ( ! $depth )
 					continue;
 				$found = self::scandir( $path . '/' . $result, $extensions, $depth - 1 , $relative_path . $result );
 				$files = array_merge_recursive( $files, $found );

wp-includes/class-wp-xmlrpc-server.php

@@ -382,6 +382,11 @@ class wp_xmlrpc_server extends IXR_Server {
 			if ( isset($meta['id']) ) {
 				$meta['id'] = (int) $meta['id'];
 				$pmeta = get_metadata_by_mid( 'post', $meta['id'] );
+
+				if ( ! $pmeta || $pmeta->post_id != $post_id ) {
+					continue;
+				}
+
 				if ( isset($meta['key']) ) {
 					$meta['key'] = wp_unslash( $meta['key'] );
 					if ( $meta['key'] !== $pmeta->meta_key )
@@ -1295,10 +1300,31 @@ class wp_xmlrpc_server extends IXR_Server {
 	 * @return IXR_Error|string
 	 */
 	protected function _insert_post( $user, $content_struct ) {
-		$defaults = array( 'post_status' => 'draft', 'post_type' => 'post', 'post_author' => 0,
-			'post_password' => '', 'post_excerpt' => '', 'post_content' => '', 'post_title' => '' );
+		$defaults = array(
+			'post_status'    => 'draft',
+			'post_type'      => 'post',
+			'post_author'    => null,
+			'post_password'  => null,
+			'post_excerpt'   => null,
+			'post_content'   => null,
+			'post_title'     => null,
+			'post_date'      => null,
+			'post_date_gmt'  => null,
+			'post_format'    => null,
+			'post_name'      => null,
+			'post_thumbnail' => null,
+			'post_parent'    => null,
+			'ping_status'    => null,
+			'comment_status' => null,
+			'custom_fields'  => null,
+			'terms_names'    => null,
+			'terms'          => null,
+			'sticky'         => null,
+			'enclosure'      => null,
+			'ID'             => null,
+		);
 
-		$post_data = wp_parse_args( $content_struct, $defaults );
+		$post_data = wp_parse_args( array_intersect_key( $content_struct, $defaults ), $defaults );
 
 		$post_type = get_post_type_object( $post_data['post_type'] );
 		if ( ! $post_type )
@@ -1488,9 +1514,6 @@ class wp_xmlrpc_server extends IXR_Server {
 
 			$post_data['tax_input'] = $terms;
 			unset( $post_data['terms'], $post_data['terms_names'] );
-		} else {
-			// Do not allow direct submission of 'tax_input', clients must use 'terms' and/or 'terms_names'.
-			unset( $post_data['tax_input'], $post_data['post_category'], $post_data['tags_input'] );
 		}
 
 		if ( isset( $post_data['post_format'] ) ) {

wp-includes/comment.php

@@ -1003,12 +1003,6 @@ function get_page_of_comment( $comment_ID, $args = array() ) {
 		if ( $args['max_depth'] > 1 && 0 != $comment->comment_parent )
 			return get_page_of_comment( $comment->comment_parent, $args );
 
-		if ( 'desc' === get_option( 'comment_order' ) ) {
-			$compare = 'after';
-		} else {
-			$compare = 'before';
-		}
-
 		$comment_args = array(
 			'type'       => $args['type'],
 			'post_id'    => $comment->comment_post_ID,
@@ -1019,7 +1013,7 @@ function get_page_of_comment( $comment_ID, $args = array() ) {
 			'date_query' => array(
 				array(
 					'column' => "$wpdb->comments.comment_date_gmt",
-					$compare => $comment->comment_date_gmt,
+					'before' => $comment->comment_date_gmt,
 				)
 			),
 		);
@@ -2186,8 +2180,6 @@ function wp_update_comment($commentarr) {
 
 	$comment_ID = $data['comment_ID'];
 	$comment_post_ID = $data['comment_post_ID'];
-	$keys = array( 'comment_post_ID', 'comment_content', 'comment_author', 'comment_author_email', 'comment_approved', 'comment_karma', 'comment_author_url', 'comment_date', 'comment_date_gmt', 'comment_type', 'comment_parent', 'user_id', 'comment_agent', 'comment_author_IP' );
-	$data = wp_array_slice_assoc( $data, $keys );
 
 	/**
 	 * Filters the comment data immediately before it is updated in the database.
@@ -2202,6 +2194,9 @@ function wp_update_comment($commentarr) {
 	 */
 	$data = apply_filters( 'wp_update_comment_data', $data, $comment, $commentarr );
 
+	$keys = array( 'comment_post_ID', 'comment_content', 'comment_author', 'comment_author_email', 'comment_approved', 'comment_karma', 'comment_author_url', 'comment_date', 'comment_date_gmt', 'comment_type', 'comment_parent', 'user_id', 'comment_agent', 'comment_author_IP' );
+	$data = wp_array_slice_assoc( $data, $keys );
+
 	$rval = $wpdb->update( $wpdb->comments, $data, compact( 'comment_ID' ) );
 
 	clean_comment_cache( $comment_ID );

wp-includes/css/buttons-rtl.css

@@ -378,6 +378,11 @@ TABLE OF CONTENTS:
 		vertical-align: inherit;
 	}
 
+	.media-modal-content .media-toolbar-primary .media-button {
+		margin-top: 10px;
+		margin-right: 5px;
+	}
+
 	/* Reset responsive styles on Log in button on iframed login form */
 
 	.interim-login .button.button-large {

wp-includes/css/buttons.css

@@ -378,6 +378,11 @@ TABLE OF CONTENTS:
 		vertical-align: inherit;
 	}
 
+	.media-modal-content .media-toolbar-primary .media-button {
+		margin-top: 10px;
+		margin-left: 5px;
+	}
+
 	/* Reset responsive styles on Log in button on iframed login form */
 
 	.interim-login .button.button-large {

wp-includes/css/customize-preview-rtl.css

@@ -252,14 +252,6 @@ body.customize-partial-edit-shortcuts-hidden .customize-partial-edit-shortcut bu
 }
 
 @media screen and (max-width:320px) {
-	body.customize-partial-edit-shortcuts-shown .site-title {
-		padding-right: 10px;
-	}
-
-	body.customize-partial-edit-shortcuts-shown .widget-area .widget {
-		padding-right: 10px;
-	}
-
 	.widget .customize-partial-edit-shortcut button,
 	.customize-partial-edit-shortcut button {
 		right: -30px;

wp-includes/css/customize-preview.css

@@ -252,14 +252,6 @@ body.customize-partial-edit-shortcuts-hidden .customize-partial-edit-shortcut bu
 }
 
 @media screen and (max-width:320px) {
-	body.customize-partial-edit-shortcuts-shown .site-title {
-		padding-left: 10px;
-	}
-
-	body.customize-partial-edit-shortcuts-shown .widget-area .widget {
-		padding-left: 10px;
-	}
-
 	.widget .customize-partial-edit-shortcut button,
 	.customize-partial-edit-shortcut button {
 		left: -30px;

wp-includes/css/media-views-rtl.css

@@ -183,15 +183,28 @@
 	left: 0;
 	width: 50px;
 	height: 50px;
+	margin: 0;
 	padding: 0;
+	border: 1px solid transparent;
+	background: none;
+	color: #666;
 	z-index: 1000;
+	cursor: pointer;
+	outline: none;
 	-webkit-transition: color .1s ease-in-out, background .1s ease-in-out;
 	transition: color .1s ease-in-out, background .1s ease-in-out;
 }
 
+.media-modal-close:hover,
 .media-modal-close:active {
-	-webkit-box-shadow: none;
-	box-shadow: none;
+	color: #00a0d2;
+}
+
+.media-modal-close:focus {
+	color: #00a0d2;
+	border-color: #5b9dd9;
+	-webkit-box-shadow: 0 0 3px rgba( 0, 115, 170, .8 );
+	box-shadow: 0 0 3px rgba( 0, 115, 170, .8 );
 }
 
 .media-modal-close span.media-modal-icon {
@@ -205,15 +218,6 @@
 	vertical-align: middle;
 	-webkit-font-smoothing: antialiased;
 	-moz-osx-font-smoothing: grayscale;
-	color: #666;
-}
-
-.media-modal-close:hover .media-modal-icon:before {
-	color: #00a0d2;
-}
-
-.media-modal-close:active {
-	outline: 0;
 }
 
 .media-modal-content {
@@ -238,14 +242,6 @@
 	width: calc(48% - 12px);
 }
 
-.media-modal-content .attachments-browser .media-toolbar-secondary {
-	width: 66%;
-}
-
-.media-modal-content .media-toolbar-primary.search-form {
-	width: 33%;
-}
-
 .media-modal-content .media-toolbar-primary .media-button {
 	float: left;
 }
@@ -275,6 +271,20 @@
 	overflow: hidden;
 }
 
+.media-frame-toolbar .media-toolbar {
+	top: initial;
+	bottom: -45px;
+	height: auto;
+	overflow: initial;
+	border-top: 1px solid #ddd;
+}
+
+@media screen and (max-width: 782px) {
+	.media-frame-toolbar .media-toolbar {
+		bottom: -48px;
+	}
+}
+
 .media-toolbar-primary {
 	float: left;
 	height: 100%;
@@ -682,7 +692,6 @@
 	overflow: auto;
 	background: #fff;
 	border-top: 1px solid #ddd;
-	border-bottom: 1px solid #ddd;
 }
 
 .media-frame-toolbar {
@@ -692,6 +701,8 @@
 	bottom: 0;
 	height: 60px;
 	z-index: 100;
+	bottom: 60px;
+	height: auto;
 }
 
 .media-frame.hide-menu .media-frame-title,

wp-includes/css/media-views.css

@@ -183,15 +183,28 @@
 	right: 0;
 	width: 50px;
 	height: 50px;
+	margin: 0;
 	padding: 0;
+	border: 1px solid transparent;
+	background: none;
+	color: #666;
 	z-index: 1000;
+	cursor: pointer;
+	outline: none;
 	-webkit-transition: color .1s ease-in-out, background .1s ease-in-out;
 	transition: color .1s ease-in-out, background .1s ease-in-out;
 }
 
+.media-modal-close:hover,
 .media-modal-close:active {
-	-webkit-box-shadow: none;
-	box-shadow: none;
+	color: #00a0d2;
+}
+
+.media-modal-close:focus {
+	color: #00a0d2;
+	border-color: #5b9dd9;
+	-webkit-box-shadow: 0 0 3px rgba( 0, 115, 170, .8 );
+	box-shadow: 0 0 3px rgba( 0, 115, 170, .8 );
 }
 
 .media-modal-close span.media-modal-icon {
@@ -205,15 +218,6 @@
 	vertical-align: middle;
 	-webkit-font-smoothing: antialiased;
 	-moz-osx-font-smoothing: grayscale;
-	color: #666;
-}
-
-.media-modal-close:hover .media-modal-icon:before {
-	color: #00a0d2;
-}
-
-.media-modal-close:active {
-	outline: 0;
 }
 
 .media-modal-content {
@@ -238,14 +242,6 @@
 	width: calc(48% - 12px);
 }
 
-.media-modal-content .attachments-browser .media-toolbar-secondary {
-	width: 66%;
-}
-
-.media-modal-content .media-toolbar-primary.search-form {
-	width: 33%;
-}
-
 .media-modal-content .media-toolbar-primary .media-button {
 	float: right;
 }
@@ -275,6 +271,20 @@
 	overflow: hidden;
 }
 
+.media-frame-toolbar .media-toolbar {
+	top: initial;
+	bottom: -45px;
+	height: auto;
+	overflow: initial;
+	border-top: 1px solid #ddd;
+}
+
+@media screen and (max-width: 782px) {
+	.media-frame-toolbar .media-toolbar {
+		bottom: -48px;
+	}
+}
+
 .media-toolbar-primary {
 	float: right;
 	height: 100%;
@@ -682,7 +692,6 @@
 	overflow: auto;
 	background: #fff;
 	border-top: 1px solid #ddd;
-	border-bottom: 1px solid #ddd;
 }
 
 .media-frame-toolbar {
@@ -692,6 +701,8 @@
 	bottom: 0;
 	height: 60px;
 	z-index: 100;
+	bottom: 60px;
+	height: auto;
 }
 
 .media-frame.hide-menu .media-frame-title,

wp-includes/css/wp-auth-check-rtl.css

@@ -92,6 +92,7 @@
 	height: 22px;
 	width: 22px;
 	color: #72777c;
+	text-align: center;
 }
 
 #wp-auth-check-wrap .wp-auth-check-close:before {

wp-includes/css/wp-auth-check-rtl.min.css

@@ -1 +1 @@
-#wp-auth-check-wrap.hidden{display:none}#wp-auth-check-wrap #wp-auth-check-bg{position:fixed;top:0;bottom:0;right:0;left:0;background:#000;opacity:.7;filter:alpha(opacity=70);z-index:1000010}#wp-auth-check-wrap #wp-auth-check{position:fixed;right:50%;overflow:hidden;top:40px;bottom:20px;max-height:415px;width:380px;margin:0 -190px 0 0;padding:30px 0 0;background-color:#f1f1f1;z-index:1000011;-webkit-box-shadow:0 3px 6px rgba(0,0,0,.3);box-shadow:0 3px 6px rgba(0,0,0,.3)}@media screen and (max-width:380px){#wp-auth-check-wrap #wp-auth-check{right:0;width:100%;margin:0}}#wp-auth-check-wrap.fallback #wp-auth-check{max-height:180px;overflow:auto}#wp-auth-check-wrap #wp-auth-check-form{height:100%;position:relative;overflow:auto;-webkit-overflow-scrolling:touch}#wp-auth-check-form.loading:before{content:"";display:block;width:20px;height:20px;position:absolute;right:50%;top:50%;margin:-10px -10px 0 0;background:url(../images/spinner.gif) center no-repeat;-webkit-background-size:20px 20px;background-size:20px 20px;-webkit-transform:translateZ(0);transform:translateZ(0)}@media print,(-webkit-min-device-pixel-ratio:1.25),(min-resolution:120dpi){#wp-auth-check-form.loading:before{background-image:url(../images/spinner-2x.gif)}}#wp-auth-check-wrap #wp-auth-check-form iframe{height:98%;width:100%}#wp-auth-check-wrap .wp-auth-check-close{position:absolute;top:5px;left:5px;height:22px;width:22px;color:#72777c}#wp-auth-check-wrap .wp-auth-check-close:before{content:"\f158";font:400 20px/22px dashicons;speak:none;-webkit-font-smoothing:antialiased!important;-moz-osx-font-smoothing:grayscale}#wp-auth-check-wrap .wp-auth-check-close:focus,#wp-auth-check-wrap .wp-auth-check-close:hover{color:#0073aa}#wp-auth-check-wrap .wp-auth-fallback-expired{outline:0}#wp-auth-check-wrap .wp-auth-fallback{font-size:14px;line-height:21px;padding:0 25px;display:none}#wp-auth-check-wrap.fallback .wp-auth-check-close,#wp-auth-check-wrap.fallback .wp-auth-fallback{display:block}
+#wp-auth-check-wrap.hidden{display:none}#wp-auth-check-wrap #wp-auth-check-bg{position:fixed;top:0;bottom:0;right:0;left:0;background:#000;opacity:.7;filter:alpha(opacity=70);z-index:1000010}#wp-auth-check-wrap #wp-auth-check{position:fixed;right:50%;overflow:hidden;top:40px;bottom:20px;max-height:415px;width:380px;margin:0 -190px 0 0;padding:30px 0 0;background-color:#f1f1f1;z-index:1000011;-webkit-box-shadow:0 3px 6px rgba(0,0,0,.3);box-shadow:0 3px 6px rgba(0,0,0,.3)}@media screen and (max-width:380px){#wp-auth-check-wrap #wp-auth-check{right:0;width:100%;margin:0}}#wp-auth-check-wrap.fallback #wp-auth-check{max-height:180px;overflow:auto}#wp-auth-check-wrap #wp-auth-check-form{height:100%;position:relative;overflow:auto;-webkit-overflow-scrolling:touch}#wp-auth-check-form.loading:before{content:"";display:block;width:20px;height:20px;position:absolute;right:50%;top:50%;margin:-10px -10px 0 0;background:url(../images/spinner.gif) center no-repeat;-webkit-background-size:20px 20px;background-size:20px 20px;-webkit-transform:translateZ(0);transform:translateZ(0)}@media print,(-webkit-min-device-pixel-ratio:1.25),(min-resolution:120dpi){#wp-auth-check-form.loading:before{background-image:url(../images/spinner-2x.gif)}}#wp-auth-check-wrap #wp-auth-check-form iframe{height:98%;width:100%}#wp-auth-check-wrap .wp-auth-check-close{position:absolute;top:5px;left:5px;height:22px;width:22px;color:#72777c;text-align:center}#wp-auth-check-wrap .wp-auth-check-close:before{content:"\f158";font:400 20px/22px dashicons;speak:none;-webkit-font-smoothing:antialiased!important;-moz-osx-font-smoothing:grayscale}#wp-auth-check-wrap .wp-auth-check-close:focus,#wp-auth-check-wrap .wp-auth-check-close:hover{color:#0073aa}#wp-auth-check-wrap .wp-auth-fallback-expired{outline:0}#wp-auth-check-wrap .wp-auth-fallback{font-size:14px;line-height:21px;padding:0 25px;display:none}#wp-auth-check-wrap.fallback .wp-auth-check-close,#wp-auth-check-wrap.fallback .wp-auth-fallback{display:block}

wp-includes/css/wp-auth-check.css

@@ -92,6 +92,7 @@
 	height: 22px;
 	width: 22px;
 	color: #72777c;
+	text-align: center;
 }
 
 #wp-auth-check-wrap .wp-auth-check-close:before {

wp-includes/css/wp-auth-check.min.css

@@ -1 +1 @@
-#wp-auth-check-wrap.hidden{display:none}#wp-auth-check-wrap #wp-auth-check-bg{position:fixed;top:0;bottom:0;left:0;right:0;background:#000;opacity:.7;filter:alpha(opacity=70);z-index:1000010}#wp-auth-check-wrap #wp-auth-check{position:fixed;left:50%;overflow:hidden;top:40px;bottom:20px;max-height:415px;width:380px;margin:0 0 0 -190px;padding:30px 0 0;background-color:#f1f1f1;z-index:1000011;-webkit-box-shadow:0 3px 6px rgba(0,0,0,.3);box-shadow:0 3px 6px rgba(0,0,0,.3)}@media screen and (max-width:380px){#wp-auth-check-wrap #wp-auth-check{left:0;width:100%;margin:0}}#wp-auth-check-wrap.fallback #wp-auth-check{max-height:180px;overflow:auto}#wp-auth-check-wrap #wp-auth-check-form{height:100%;position:relative;overflow:auto;-webkit-overflow-scrolling:touch}#wp-auth-check-form.loading:before{content:"";display:block;width:20px;height:20px;position:absolute;left:50%;top:50%;margin:-10px 0 0 -10px;background:url(../images/spinner.gif) center no-repeat;-webkit-background-size:20px 20px;background-size:20px 20px;-webkit-transform:translateZ(0);transform:translateZ(0)}@media print,(-webkit-min-device-pixel-ratio:1.25),(min-resolution:120dpi){#wp-auth-check-form.loading:before{background-image:url(../images/spinner-2x.gif)}}#wp-auth-check-wrap #wp-auth-check-form iframe{height:98%;width:100%}#wp-auth-check-wrap .wp-auth-check-close{position:absolute;top:5px;right:5px;height:22px;width:22px;color:#72777c}#wp-auth-check-wrap .wp-auth-check-close:before{content:"\f158";font:400 20px/22px dashicons;speak:none;-webkit-font-smoothing:antialiased!important;-moz-osx-font-smoothing:grayscale}#wp-auth-check-wrap .wp-auth-check-close:focus,#wp-auth-check-wrap .wp-auth-check-close:hover{color:#0073aa}#wp-auth-check-wrap .wp-auth-fallback-expired{outline:0}#wp-auth-check-wrap .wp-auth-fallback{font-size:14px;line-height:21px;padding:0 25px;display:none}#wp-auth-check-wrap.fallback .wp-auth-check-close,#wp-auth-check-wrap.fallback .wp-auth-fallback{display:block}
+#wp-auth-check-wrap.hidden{display:none}#wp-auth-check-wrap #wp-auth-check-bg{position:fixed;top:0;bottom:0;left:0;right:0;background:#000;opacity:.7;filter:alpha(opacity=70);z-index:1000010}#wp-auth-check-wrap #wp-auth-check{position:fixed;left:50%;overflow:hidden;top:40px;bottom:20px;max-height:415px;width:380px;margin:0 0 0 -190px;padding:30px 0 0;background-color:#f1f1f1;z-index:1000011;-webkit-box-shadow:0 3px 6px rgba(0,0,0,.3);box-shadow:0 3px 6px rgba(0,0,0,.3)}@media screen and (max-width:380px){#wp-auth-check-wrap #wp-auth-check{left:0;width:100%;margin:0}}#wp-auth-check-wrap.fallback #wp-auth-check{max-height:180px;overflow:auto}#wp-auth-check-wrap #wp-auth-check-form{height:100%;position:relative;overflow:auto;-webkit-overflow-scrolling:touch}#wp-auth-check-form.loading:before{content:"";display:block;width:20px;height:20px;position:absolute;left:50%;top:50%;margin:-10px 0 0 -10px;background:url(../images/spinner.gif) center no-repeat;-webkit-background-size:20px 20px;background-size:20px 20px;-webkit-transform:translateZ(0);transform:translateZ(0)}@media print,(-webkit-min-device-pixel-ratio:1.25),(min-resolution:120dpi){#wp-auth-check-form.loading:before{background-image:url(../images/spinner-2x.gif)}}#wp-auth-check-wrap #wp-auth-check-form iframe{height:98%;width:100%}#wp-auth-check-wrap .wp-auth-check-close{position:absolute;top:5px;right:5px;height:22px;width:22px;color:#72777c;text-align:center}#wp-auth-check-wrap .wp-auth-check-close:before{content:"\f158";font:400 20px/22px dashicons;speak:none;-webkit-font-smoothing:antialiased!important;-moz-osx-font-smoothing:grayscale}#wp-auth-check-wrap .wp-auth-check-close:focus,#wp-auth-check-wrap .wp-auth-check-close:hover{color:#0073aa}#wp-auth-check-wrap .wp-auth-fallback-expired{outline:0}#wp-auth-check-wrap .wp-auth-fallback{font-size:14px;line-height:21px;padding:0 25px;display:none}#wp-auth-check-wrap.fallback .wp-auth-check-close,#wp-auth-check-wrap.fallback .wp-auth-fallback{display:block}

wp-includes/customize/class-wp-customize-custom-css-setting.php

@@ -191,13 +191,7 @@ final class WP_Customize_Custom_CSS_Setting extends WP_Customize_Setting {
 			$imbalanced = true;
 		}
 
-		// Ensure single quotes are equal.
-		if ( ! $this->validate_equal_characters( '\'', $css ) ) {
-			$validity->add( 'unequal_single_quotes', __( 'Your single quotes <code>\'</code> are uneven. Make sure there is a closing <code>\'</code> for every opening <code>\'</code>.' ) );
-			$imbalanced = true;
-		}
-
-		// Ensure single quotes are equal.
+		// Ensure double quotes are equal.
 		if ( ! $this->validate_equal_characters( '"', $css ) ) {
 			$validity->add( 'unequal_double_quotes', __( 'Your double quotes <code>"</code> are uneven. Make sure there is a closing <code>"</code> for every opening <code>"</code>.' ) );
 			$imbalanced = true;

wp-includes/customize/class-wp-customize-selective-refresh.php

@@ -179,18 +179,24 @@ final class WP_Customize_Selective_Refresh {
 			}
 		}
 
+		$switched_locale = switch_to_locale( get_user_locale() );
+		$l10n = array(
+			'shiftClickToEdit' => __( 'Shift-click to edit this element.' ),
+			'clickEditMenu' => __( 'Click to edit this menu.' ),
+			'clickEditWidget' => __( 'Click to edit this widget.' ),
+			'clickEditTitle' => __( 'Click to edit the site title.' ),
+			'clickEditMisc' => __( 'Click to edit this element.' ),
+			/* translators: %s: document.write() */
+			'badDocumentWrite' => sprintf( __( '%s is forbidden' ), 'document.write()' ),
+		);
+		if ( $switched_locale ) {
+			restore_previous_locale();
+		}
+
 		$exports = array(
 			'partials'       => $partials,
 			'renderQueryVar' => self::RENDER_QUERY_VAR,
-			'l10n'           => array(
-				'shiftClickToEdit' => __( 'Shift-click to edit this element.' ),
-				'clickEditMenu' => __( 'Click to edit this menu.' ),
-				'clickEditWidget' => __( 'Click to edit this widget.' ),
-				'clickEditTitle' => __( 'Click to edit the site title.' ),
-				'clickEditMisc' => __( 'Click to edit this element.' ),
-				/* translators: %s: document.write() */
-				'badDocumentWrite' => sprintf( __( '%s is forbidden' ), 'document.write()' ),
-			),
+			'l10n'           => $l10n,
 		);
 
 		// Export data to JS.
@@ -318,10 +324,13 @@ final class WP_Customize_Selective_Refresh {
 		 */
 		if ( ! is_customize_preview() ) {
 			wp_send_json_error( 'expected_customize_preview', 403 );
-		} else if ( ! isset( $_POST['partials'] ) ) {
+		} elseif ( ! isset( $_POST['partials'] ) ) {
 			wp_send_json_error( 'missing_partials', 400 );
 		}
 
+		// Ensure that doing selective refresh on 404 template doesn't result in fallback rendering behavior (full refreshes).
+		status_header( 200 );
+
 		$partials = json_decode( wp_unslash( $_POST['partials'] ), true );
 
 		if ( ! is_array( $partials ) ) {

wp-includes/customize/class-wp-customize-site-icon-control.php

@@ -67,11 +67,11 @@ class WP_Customize_Site_Icon_Control extends WP_Customize_Cropped_Image_Control
 							<img src="<?php echo esc_url( admin_url( 'images/' . ( is_rtl() ? 'browser-rtl.png' : 'browser.png' ) ) ); ?>" class="browser-preview" width="182" alt="" />
 
 							<div class="favicon">
-								<img src="{{ data.attachment.sizes.full.url }}" alt="<?php esc_attr_e( 'Preview as a browser icon' ); ?>"/>
+								<img src="{{ data.attachment.sizes.full ? data.attachment.sizes.full.url : data.attachment.url }}" alt="<?php esc_attr_e( 'Preview as a browser icon' ); ?>"/>
 							</div>
 							<span class="browser-title" aria-hidden="true"><?php bloginfo( 'name' ); ?></span>
 						</div>
-						<img class="app-icon-preview" src="{{ data.attachment.sizes.full.url }}" alt="<?php esc_attr_e( 'Preview as an app icon' ); ?>"/>
+						<img class="app-icon-preview" src="{{ data.attachment.sizes.full ? data.attachment.sizes.full.url : data.attachment.url }}" alt="<?php esc_attr_e( 'Preview as an app icon' ); ?>"/>
 					</div>
 				<# } #>
 				<div class="actions">