Compare commits
49 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
8d87e4a8b8 | ||
|
|
21095bb883 | ||
|
ed38a616b1 | ||
|
298af5bcf2 | ||
|
|
6559bdf187 | ||
|
39710dcb5a | ||
|
|
070403f1c7 | ||
|
|
498a6acb14 | ||
|
|
59a3c2199c | ||
|
fe76b0206d | ||
|
b5b4d771ae | ||
|
|
6863424407 | ||
|
|
3769f76ca6 | ||
|
|
f6edca7a9e | ||
|
|
b1f105e400 | ||
|
|
639b5f6ed8 | ||
|
|
6c98f19ad2 | ||
|
|
319971e3ed | ||
|
|
7bb7707e9d | ||
|
081d0ebbc8 | ||
|
b250096446 | ||
|
|
1963afa5ff | ||
|
47fdbd4add | ||
|
|
a5c8e5caa3 | ||
|
|
6793aad486 | ||
|
|
f0001b7423 | ||
|
|
1c7d7b7c15 | ||
|
|
3941885dc0 | ||
|
|
f18b19bac9 | ||
|
|
f2dc2970ba | ||
|
|
c04ce8198b | ||
|
|
7296f063d7 | ||
|
|
197fe91d39 | ||
|
|
9016ffbafa | ||
|
|
934d7cf523 | ||
|
|
a3ff44115b | ||
|
|
86d55bcfeb | ||
|
|
74ee7ba44a | ||
|
|
a69b052f3f | ||
|
|
ad1bdb7e98 | ||
|
|
b28946e62c | ||
|
|
cb0da304a4 | ||
|
|
fcfa34bd6c | ||
|
|
02b1ba4744 | ||
|
e052467e89 | ||
|
|
e92c6a2817 | ||
|
|
f4f66b96b1 | ||
|
26ba67787c | ||
|
f165c75d01 |
112
wp-activate.php
112
wp-activate.php
@@ -18,6 +18,50 @@ if ( !is_multisite() ) {
|
||||
die();
|
||||
}
|
||||
|
||||
$valid_error_codes = array( 'already_active', 'blog_taken' );
|
||||
|
||||
list( $activate_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
|
||||
$activate_cookie = 'wp-activate-' . COOKIEHASH;
|
||||
|
||||
$key = '';
|
||||
$result = null;
|
||||
|
||||
if ( isset( $_GET['key'] ) && isset( $_POST['key'] ) && $_GET['key'] !== $_POST['key'] ) {
|
||||
wp_die( __( 'A key value mismatch has been detected. Please follow the link provided in your activation email.' ), __( 'An error occurred during the activation' ), 400 );
|
||||
} elseif ( ! empty( $_GET['key'] ) ) {
|
||||
$key = $_GET['key'];
|
||||
} elseif ( ! empty( $_POST['key'] ) ) {
|
||||
$key = $_POST['key'];
|
||||
}
|
||||
|
||||
if ( $key ) {
|
||||
$redirect_url = remove_query_arg( 'key' );
|
||||
|
||||
if ( $redirect_url !== remove_query_arg( false ) ) {
|
||||
setcookie( $activate_cookie, $key, 0, $activate_path, COOKIE_DOMAIN, is_ssl(), true );
|
||||
wp_safe_redirect( $redirect_url );
|
||||
exit;
|
||||
} else {
|
||||
$result = wpmu_activate_signup( $key );
|
||||
}
|
||||
}
|
||||
|
||||
if ( $result === null && isset( $_COOKIE[ $activate_cookie ] ) ) {
|
||||
$key = $_COOKIE[ $activate_cookie ];
|
||||
$result = wpmu_activate_signup( $key );
|
||||
setcookie( $activate_cookie, ' ', time() - YEAR_IN_SECONDS, $activate_path, COOKIE_DOMAIN, is_ssl(), true );
|
||||
}
|
||||
|
||||
if ( $result === null || ( is_wp_error( $result ) && 'invalid_key' === $result->get_error_code() ) ) {
|
||||
status_header( 404 );
|
||||
} elseif ( is_wp_error( $result ) ) {
|
||||
$error_code = $result->get_error_code();
|
||||
|
||||
if ( ! in_array( $error_code, $valid_error_codes ) ) {
|
||||
status_header( 400 );
|
||||
}
|
||||
}
|
||||
|
||||
nocache_headers();
|
||||
|
||||
if ( is_object( $wp_object_cache ) )
|
||||
@@ -69,13 +113,14 @@ function wpmu_activate_stylesheet() {
|
||||
<?php
|
||||
}
|
||||
add_action( 'wp_head', 'wpmu_activate_stylesheet' );
|
||||
add_action( 'wp_head', 'wp_sensitive_page_meta' );
|
||||
|
||||
get_header( 'wp-activate' );
|
||||
?>
|
||||
|
||||
<div id="signup-content" class="widecolumn">
|
||||
<div class="wp-activate-container">
|
||||
<?php if ( empty($_GET['key']) && empty($_POST['key']) ) { ?>
|
||||
<?php if ( ! $key ) { ?>
|
||||
|
||||
<h2><?php _e('Activation Key Required') ?></h2>
|
||||
<form name="activateform" id="activateform" method="post" action="<?php echo network_site_url('wp-activate.php'); ?>">
|
||||
@@ -89,42 +134,39 @@ get_header( 'wp-activate' );
|
||||
</form>
|
||||
|
||||
<?php } else {
|
||||
|
||||
$key = !empty($_GET['key']) ? $_GET['key'] : $_POST['key'];
|
||||
$result = wpmu_activate_signup( $key );
|
||||
if ( is_wp_error($result) ) {
|
||||
if ( 'already_active' == $result->get_error_code() || 'blog_taken' == $result->get_error_code() ) {
|
||||
$signup = $result->get_error_data();
|
||||
?>
|
||||
<h2><?php _e('Your account is now active!'); ?></h2>
|
||||
<?php
|
||||
echo '<p class="lead-in">';
|
||||
if ( $signup->domain . $signup->path == '' ) {
|
||||
printf(
|
||||
/* translators: 1: login URL, 2: username, 3: user email, 4: lost password URL */
|
||||
__( 'Your account has been activated. You may now <a href="%1$s">log in</a> to the site using your chosen username of “%2$s”. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.' ),
|
||||
network_site_url( 'wp-login.php', 'login' ),
|
||||
$signup->user_login,
|
||||
$signup->user_email,
|
||||
wp_lostpassword_url()
|
||||
);
|
||||
} else {
|
||||
printf(
|
||||
/* translators: 1: site URL, 2: username, 3: user email, 4: lost password URL */
|
||||
__( 'Your site at %1$s is active. You may now log in to your site using your chosen username of “%2$s”. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.' ),
|
||||
sprintf( '<a href="http://%1$s">%1$s</a>', $signup->domain ),
|
||||
$signup->user_login,
|
||||
$signup->user_email,
|
||||
wp_lostpassword_url()
|
||||
);
|
||||
}
|
||||
echo '</p>';
|
||||
if ( is_wp_error( $result ) && in_array( $result->get_error_code(), $valid_error_codes ) ) {
|
||||
$signup = $result->get_error_data();
|
||||
?>
|
||||
<h2><?php _e( 'Your account is now active!' ); ?></h2>
|
||||
<?php
|
||||
echo '<p class="lead-in">';
|
||||
if ( $signup->domain . $signup->path == '' ) {
|
||||
printf(
|
||||
/* translators: 1: login URL, 2: username, 3: user email, 4: lost password URL */
|
||||
__( 'Your account has been activated. You may now <a href="%1$s">log in</a> to the site using your chosen username of “%2$s”. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.' ),
|
||||
network_site_url( 'wp-login.php', 'login' ),
|
||||
$signup->user_login,
|
||||
$signup->user_email,
|
||||
wp_lostpassword_url()
|
||||
);
|
||||
} else {
|
||||
?>
|
||||
<h2><?php _e( 'An error occurred during the activation' ); ?></h2>
|
||||
<p><?php echo $result->get_error_message(); ?></p>
|
||||
<?php
|
||||
printf(
|
||||
/* translators: 1: site URL, 2: username, 3: user email, 4: lost password URL */
|
||||
__( 'Your site at %1$s is active. You may now log in to your site using your chosen username of “%2$s”. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.' ),
|
||||
sprintf( '<a href="http://%1$s">%1$s</a>', $signup->domain ),
|
||||
$signup->user_login,
|
||||
$signup->user_email,
|
||||
wp_lostpassword_url()
|
||||
);
|
||||
}
|
||||
echo '</p>';
|
||||
} elseif ( $result === null || is_wp_error( $result ) ) {
|
||||
?>
|
||||
<h2><?php _e( 'An error occurred during the activation' ); ?></h2>
|
||||
<?php if ( is_wp_error( $result ) ) : ?>
|
||||
<p><?php echo $result->get_error_message(); ?></p>
|
||||
<?php endif; ?>
|
||||
<?php
|
||||
} else {
|
||||
$url = isset( $result['blog_id'] ) ? get_home_url( (int) $result['blog_id'] ) : '';
|
||||
$user = get_userdata( (int) $result['user_id'] );
|
||||
|
||||
@@ -33,6 +33,16 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
|
||||
|
||||
<div class="changelog point-releases">
|
||||
<h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
|
||||
<p>
|
||||
<?php
|
||||
/* translators: %s: WordPress version number */
|
||||
printf( __( '<strong>Version %s</strong> addressed some security issues.' ), '4.9.9' );
|
||||
?>
|
||||
<?php
|
||||
/* translators: %s: Codex URL */
|
||||
printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.9.9' );
|
||||
?>
|
||||
</p>
|
||||
<p>
|
||||
<?php
|
||||
printf(
|
||||
@@ -45,12 +55,10 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
|
||||
'4.9.8',
|
||||
number_format_i18n( 46 )
|
||||
);
|
||||
|
||||
printf(
|
||||
/* translators: %s: Codex URL */
|
||||
__( 'For more information, see <a href="%s">the release notes</a>.' ),
|
||||
'https://codex.wordpress.org/Version_4.9.8'
|
||||
);
|
||||
?>
|
||||
<?php
|
||||
/* translators: %s: Codex URL */
|
||||
printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.9.8' );
|
||||
?>
|
||||
</p>
|
||||
<p>
|
||||
|
||||
@@ -226,18 +226,54 @@
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column-container {
|
||||
display: -ms-grid;
|
||||
display: grid;
|
||||
-ms-grid-columns: 36% 32% 32%;
|
||||
grid-template-columns: 36% 32% 32%;
|
||||
display: flex;
|
||||
margin-bottom: 13px;
|
||||
}
|
||||
|
||||
@supports (display: grid) {
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column-container {
|
||||
display: -ms-grid;
|
||||
display: grid;
|
||||
-ms-grid-columns: 36% 32% 32%;
|
||||
grid-template-columns: 36% 32% 32%;
|
||||
}
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-panel-image-column {
|
||||
width: 36%;
|
||||
}
|
||||
|
||||
@supports (display: grid) {
|
||||
.try-gutenberg-panel .try-gutenberg-panel-image-column {
|
||||
width: auto;
|
||||
}
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column:not(.try-gutenberg-panel-image-column) {
|
||||
display: -ms-grid;
|
||||
display: grid;
|
||||
-ms-grid-rows: auto 100px;
|
||||
grid-template-rows: auto 100px;
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
justify-content: space-between;
|
||||
width: 32%;
|
||||
}
|
||||
|
||||
@supports (display: grid) {
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column:not(.try-gutenberg-panel-image-column) {
|
||||
display: -ms-grid;
|
||||
display: grid;
|
||||
-ms-grid-rows: auto 100px;
|
||||
grid-template-rows: auto 100px;
|
||||
width: auto;
|
||||
}
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-action {
|
||||
height: 100px;
|
||||
}
|
||||
|
||||
@supports (display: grid) {
|
||||
.try-gutenberg-panel .try-gutenberg-action {
|
||||
height: auto;
|
||||
}
|
||||
}
|
||||
|
||||
.welcome-panel-column p.hide-if-no-customize {
|
||||
@@ -255,7 +291,7 @@
|
||||
}
|
||||
|
||||
.welcome-panel .welcome-panel-column ul {
|
||||
margin: 0.8em 0 1em 1em;
|
||||
margin: 0.8em 0 1em 1em;
|
||||
}
|
||||
|
||||
.welcome-panel .welcome-panel-column li {
|
||||
@@ -1269,6 +1305,16 @@ a.rsswidget {
|
||||
.try-gutenberg-panel .try-gutenberg-panel-image-column {
|
||||
display: none;
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column:not(.try-gutenberg-panel-image-column) {
|
||||
width: 50%;
|
||||
}
|
||||
|
||||
@supports (display: grid) {
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column:not(.try-gutenberg-panel-image-column) {
|
||||
width: auto;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@media screen and (max-width: 870px) {
|
||||
@@ -1280,8 +1326,18 @@ a.rsswidget {
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column-container {
|
||||
-ms-grid-columns: 100%;
|
||||
grid-template-columns: 100%;
|
||||
flex-wrap: wrap;
|
||||
}
|
||||
|
||||
@supports (display: grid) {
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column-container {
|
||||
-ms-grid-columns: 100%;
|
||||
grid-template-columns: 100%;
|
||||
}
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column:not(.try-gutenberg-panel-image-column) {
|
||||
width: 100%;
|
||||
}
|
||||
|
||||
.welcome-panel .welcome-panel-column li {
|
||||
|
||||
2
wp-admin/css/dashboard-rtl.min.css
vendored
2
wp-admin/css/dashboard-rtl.min.css
vendored
File diff suppressed because one or more lines are too long
@@ -226,18 +226,54 @@
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column-container {
|
||||
display: -ms-grid;
|
||||
display: grid;
|
||||
-ms-grid-columns: 36% 32% 32%;
|
||||
grid-template-columns: 36% 32% 32%;
|
||||
display: flex;
|
||||
margin-bottom: 13px;
|
||||
}
|
||||
|
||||
@supports (display: grid) {
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column-container {
|
||||
display: -ms-grid;
|
||||
display: grid;
|
||||
-ms-grid-columns: 36% 32% 32%;
|
||||
grid-template-columns: 36% 32% 32%;
|
||||
}
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-panel-image-column {
|
||||
width: 36%;
|
||||
}
|
||||
|
||||
@supports (display: grid) {
|
||||
.try-gutenberg-panel .try-gutenberg-panel-image-column {
|
||||
width: auto;
|
||||
}
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column:not(.try-gutenberg-panel-image-column) {
|
||||
display: -ms-grid;
|
||||
display: grid;
|
||||
-ms-grid-rows: auto 100px;
|
||||
grid-template-rows: auto 100px;
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
justify-content: space-between;
|
||||
width: 32%;
|
||||
}
|
||||
|
||||
@supports (display: grid) {
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column:not(.try-gutenberg-panel-image-column) {
|
||||
display: -ms-grid;
|
||||
display: grid;
|
||||
-ms-grid-rows: auto 100px;
|
||||
grid-template-rows: auto 100px;
|
||||
width: auto;
|
||||
}
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-action {
|
||||
height: 100px;
|
||||
}
|
||||
|
||||
@supports (display: grid) {
|
||||
.try-gutenberg-panel .try-gutenberg-action {
|
||||
height: auto;
|
||||
}
|
||||
}
|
||||
|
||||
.welcome-panel-column p.hide-if-no-customize {
|
||||
@@ -255,7 +291,7 @@
|
||||
}
|
||||
|
||||
.welcome-panel .welcome-panel-column ul {
|
||||
margin: 0.8em 1em 1em 0;
|
||||
margin: 0.8em 1em 1em 0;
|
||||
}
|
||||
|
||||
.welcome-panel .welcome-panel-column li {
|
||||
@@ -1269,6 +1305,16 @@ a.rsswidget {
|
||||
.try-gutenberg-panel .try-gutenberg-panel-image-column {
|
||||
display: none;
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column:not(.try-gutenberg-panel-image-column) {
|
||||
width: 50%;
|
||||
}
|
||||
|
||||
@supports (display: grid) {
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column:not(.try-gutenberg-panel-image-column) {
|
||||
width: auto;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@media screen and (max-width: 870px) {
|
||||
@@ -1280,8 +1326,18 @@ a.rsswidget {
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column-container {
|
||||
-ms-grid-columns: 100%;
|
||||
grid-template-columns: 100%;
|
||||
flex-wrap: wrap;
|
||||
}
|
||||
|
||||
@supports (display: grid) {
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column-container {
|
||||
-ms-grid-columns: 100%;
|
||||
grid-template-columns: 100%;
|
||||
}
|
||||
}
|
||||
|
||||
.try-gutenberg-panel .try-gutenberg-panel-column:not(.try-gutenberg-panel-image-column) {
|
||||
width: 100%;
|
||||
}
|
||||
|
||||
.welcome-panel .welcome-panel-column li {
|
||||
|
||||
2
wp-admin/css/dashboard.min.css
vendored
2
wp-admin/css/dashboard.min.css
vendored
File diff suppressed because one or more lines are too long
@@ -2105,7 +2105,11 @@ function wp_ajax_upload_attachment() {
|
||||
$post_id = null;
|
||||
}
|
||||
|
||||
$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
|
||||
$post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();
|
||||
|
||||
if ( is_wp_error( $post_data ) ) {
|
||||
wp_die( $post_data->get_error_message() );
|
||||
}
|
||||
|
||||
// If the context is custom header or background, make sure the uploaded file is an image.
|
||||
if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
|
||||
|
||||
@@ -270,7 +270,9 @@ final class WP_Screen {
|
||||
|
||||
switch ( $base ) {
|
||||
case 'post' :
|
||||
if ( isset( $_GET['post'] ) )
|
||||
if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] )
|
||||
wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
|
||||
elseif ( isset( $_GET['post'] ) )
|
||||
$post_id = (int) $_GET['post'];
|
||||
elseif ( isset( $_POST['post_ID'] ) )
|
||||
$post_id = (int) $_POST['post_ID'];
|
||||
|
||||
@@ -1271,7 +1271,7 @@ final class WP_Privacy_Policy_Content {
|
||||
*
|
||||
* Intended for use from `wp_add_privacy_policy_content()`.
|
||||
*
|
||||
* $since 4.9.6
|
||||
* @since 4.9.6
|
||||
*
|
||||
* @param string $plugin_name The name of the plugin or theme that is suggesting content for the site's privacy policy.
|
||||
* @param string $policy_text The suggested content for inclusion in the policy.
|
||||
@@ -1541,7 +1541,7 @@ final class WP_Privacy_Policy_Content {
|
||||
*
|
||||
* @since 4.9.6
|
||||
*
|
||||
* @param $post WP_Post The currently edited post.
|
||||
* @param WP_Post $post The currently edited post.
|
||||
*/
|
||||
public static function notice( $post ) {
|
||||
if ( ! ( $post instanceof WP_Post ) ) {
|
||||
|
||||
@@ -174,6 +174,27 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
|
||||
return $post_data;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns only allowed post data fields
|
||||
*
|
||||
* @since 4.9.9
|
||||
*
|
||||
* @param array $post_data Array of post data. Defaults to the contents of $_POST.
|
||||
* @return object|bool WP_Error on failure, true on success.
|
||||
*/
|
||||
function _wp_get_allowed_postdata( $post_data = null ) {
|
||||
if ( empty( $post_data ) ) {
|
||||
$post_data = $_POST;
|
||||
}
|
||||
|
||||
// Pass through errors
|
||||
if ( is_wp_error( $post_data ) ) {
|
||||
return $post_data;
|
||||
}
|
||||
|
||||
return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) );
|
||||
}
|
||||
|
||||
/**
|
||||
* Update an existing post with values provided in $_POST.
|
||||
*
|
||||
@@ -242,6 +263,7 @@ function edit_post( $post_data = null ) {
|
||||
$post_data = _wp_translate_postdata( true, $post_data );
|
||||
if ( is_wp_error($post_data) )
|
||||
wp_die( $post_data->get_error_message() );
|
||||
$translated = _wp_get_allowed_postdata( $post_data );
|
||||
|
||||
// Post Formats
|
||||
if ( isset( $post_data['post_format'] ) )
|
||||
@@ -321,7 +343,7 @@ function edit_post( $post_data = null ) {
|
||||
$attachment_data = isset( $post_data['attachments'][ $post_ID ] ) ? $post_data['attachments'][ $post_ID ] : array();
|
||||
|
||||
/** This filter is documented in wp-admin/includes/media.php */
|
||||
$post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data );
|
||||
$translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data );
|
||||
}
|
||||
|
||||
// Convert taxonomy input to term IDs, to avoid ambiguity.
|
||||
@@ -366,7 +388,7 @@ function edit_post( $post_data = null ) {
|
||||
}
|
||||
}
|
||||
|
||||
$post_data['tax_input'][ $taxonomy ] = $clean_terms;
|
||||
$translated['tax_input'][ $taxonomy ] = $clean_terms;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -374,18 +396,18 @@ function edit_post( $post_data = null ) {
|
||||
|
||||
update_post_meta( $post_ID, '_edit_last', get_current_user_id() );
|
||||
|
||||
$success = wp_update_post( $post_data );
|
||||
$success = wp_update_post( $translated );
|
||||
// If the save failed, see if we can sanity check the main fields and try again
|
||||
if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) {
|
||||
$fields = array( 'post_title', 'post_content', 'post_excerpt' );
|
||||
|
||||
foreach ( $fields as $field ) {
|
||||
if ( isset( $post_data[ $field ] ) ) {
|
||||
$post_data[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $post_data[ $field ] );
|
||||
if ( isset( $translated[ $field ] ) ) {
|
||||
$translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] );
|
||||
}
|
||||
}
|
||||
|
||||
wp_update_post( $post_data );
|
||||
wp_update_post( $translated );
|
||||
}
|
||||
|
||||
// Now that we have an ID we can fix any attachment anchor hrefs
|
||||
@@ -545,9 +567,9 @@ function bulk_edit_posts( $post_data = null ) {
|
||||
unset( $post_data['tax_input']['category'] );
|
||||
}
|
||||
|
||||
$post_data['post_ID'] = $post_ID;
|
||||
$post_data['post_type'] = $post->post_type;
|
||||
$post_data['post_mime_type'] = $post->post_mime_type;
|
||||
$post_data['guid'] = $post->guid;
|
||||
|
||||
foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) {
|
||||
if ( ! isset( $post_data[ $field ] ) ) {
|
||||
@@ -555,17 +577,15 @@ function bulk_edit_posts( $post_data = null ) {
|
||||
}
|
||||
}
|
||||
|
||||
$post_data['ID'] = $post_ID;
|
||||
$post_data['post_ID'] = $post_ID;
|
||||
|
||||
$post_data = _wp_translate_postdata( true, $post_data );
|
||||
if ( is_wp_error( $post_data ) ) {
|
||||
$skipped[] = $post_ID;
|
||||
continue;
|
||||
}
|
||||
$post_data = _wp_get_allowed_postdata( $post_data );
|
||||
|
||||
if ( isset( $post_data['post_format'] ) ) {
|
||||
set_post_format( $post_ID, $post_data['post_format'] );
|
||||
if ( isset( $shared_post_data['post_format'] ) ) {
|
||||
set_post_format( $post_ID, $shared_post_data['post_format'] );
|
||||
unset( $post_data['tax_input']['post_format'] );
|
||||
}
|
||||
|
||||
@@ -757,9 +777,10 @@ function wp_write_post() {
|
||||
$translated = _wp_translate_postdata( false );
|
||||
if ( is_wp_error($translated) )
|
||||
return $translated;
|
||||
$translated = _wp_get_allowed_postdata( $translated );
|
||||
|
||||
// Create the post.
|
||||
$post_ID = wp_insert_post( $_POST );
|
||||
$post_ID = wp_insert_post( $translated );
|
||||
if ( is_wp_error( $post_ID ) )
|
||||
return $post_ID;
|
||||
|
||||
@@ -1685,6 +1706,7 @@ function wp_create_post_autosave( $post_data ) {
|
||||
$post_data = _wp_translate_postdata( true, $post_data );
|
||||
if ( is_wp_error( $post_data ) )
|
||||
return $post_data;
|
||||
$post_data = _wp_get_allowed_postdata( $post_data );
|
||||
|
||||
$post_author = get_current_user_id();
|
||||
|
||||
|
||||
@@ -28,8 +28,6 @@ require( ABSPATH . 'wp-admin/includes/noop.php' );
|
||||
require( ABSPATH . WPINC . '/script-loader.php' );
|
||||
require( ABSPATH . WPINC . '/version.php' );
|
||||
|
||||
$compress = ( isset($_GET['c']) && $_GET['c'] );
|
||||
$force_gzip = ( $compress && 'gzip' == $_GET['c'] );
|
||||
$expires_offset = 31536000; // 1 year
|
||||
$out = '';
|
||||
|
||||
@@ -58,16 +56,5 @@ header('Content-Type: application/javascript; charset=UTF-8');
|
||||
header('Expires: ' . gmdate( "D, d M Y H:i:s", time() + $expires_offset ) . ' GMT');
|
||||
header("Cache-Control: public, max-age=$expires_offset");
|
||||
|
||||
if ( $compress && ! ini_get('zlib.output_compression') && 'ob_gzhandler' != ini_get('output_handler') && isset($_SERVER['HTTP_ACCEPT_ENCODING']) ) {
|
||||
header('Vary: Accept-Encoding'); // Handle proxies
|
||||
if ( false !== stripos($_SERVER['HTTP_ACCEPT_ENCODING'], 'deflate') && function_exists('gzdeflate') && ! $force_gzip ) {
|
||||
header('Content-Encoding: deflate');
|
||||
$out = gzdeflate( $out, 3 );
|
||||
} elseif ( false !== stripos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') && function_exists('gzencode') ) {
|
||||
header('Content-Encoding: gzip');
|
||||
$out = gzencode( $out, 3 );
|
||||
}
|
||||
}
|
||||
|
||||
echo $out;
|
||||
exit;
|
||||
|
||||
@@ -28,8 +28,6 @@ $load = array_unique( explode( ',', $load ) );
|
||||
if ( empty($load) )
|
||||
exit;
|
||||
|
||||
$compress = ( isset($_GET['c']) && $_GET['c'] );
|
||||
$force_gzip = ( $compress && 'gzip' == $_GET['c'] );
|
||||
$rtl = ( isset($_GET['dir']) && 'rtl' == $_GET['dir'] );
|
||||
$expires_offset = 31536000; // 1 year
|
||||
$out = '';
|
||||
@@ -80,16 +78,5 @@ header('Content-Type: text/css; charset=UTF-8');
|
||||
header('Expires: ' . gmdate( "D, d M Y H:i:s", time() + $expires_offset ) . ' GMT');
|
||||
header("Cache-Control: public, max-age=$expires_offset");
|
||||
|
||||
if ( $compress && ! ini_get('zlib.output_compression') && 'ob_gzhandler' != ini_get('output_handler') && isset($_SERVER['HTTP_ACCEPT_ENCODING']) ) {
|
||||
header('Vary: Accept-Encoding'); // Handle proxies
|
||||
if ( false !== stripos($_SERVER['HTTP_ACCEPT_ENCODING'], 'deflate') && function_exists('gzdeflate') && ! $force_gzip ) {
|
||||
header('Content-Encoding: deflate');
|
||||
$out = gzdeflate( $out, 3 );
|
||||
} elseif ( false !== stripos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') && function_exists('gzencode') ) {
|
||||
header('Content-Encoding: gzip');
|
||||
$out = gzencode( $out, 3 );
|
||||
}
|
||||
}
|
||||
|
||||
echo $out;
|
||||
exit;
|
||||
|
||||
@@ -16,7 +16,9 @@ $submenu_file = 'edit.php';
|
||||
|
||||
wp_reset_vars( array( 'action' ) );
|
||||
|
||||
if ( isset( $_GET['post'] ) )
|
||||
if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] )
|
||||
wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
|
||||
elseif ( isset( $_GET['post'] ) )
|
||||
$post_id = $post_ID = (int) $_GET['post'];
|
||||
elseif ( isset( $_POST['post_ID'] ) )
|
||||
$post_id = $post_ID = (int) $_POST['post_ID'];
|
||||
@@ -38,6 +40,10 @@ if ( $post ) {
|
||||
$post_type_object = get_post_type_object( $post_type );
|
||||
}
|
||||
|
||||
if ( isset( $_POST['post_type'] ) && $post && $post_type !== $_POST['post_type'] ) {
|
||||
wp_die( __( 'A post type mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
|
||||
}
|
||||
|
||||
if ( isset( $_POST['deletepost'] ) )
|
||||
$action = 'delete';
|
||||
elseif ( isset($_POST['wp-preview']) && 'dopreview' == $_POST['wp-preview'] )
|
||||
@@ -184,7 +190,7 @@ case 'editattachment':
|
||||
|
||||
// Update the thumbnail filename
|
||||
$newmeta = wp_get_attachment_metadata( $post_id, true );
|
||||
$newmeta['thumb'] = $_POST['thumb'];
|
||||
$newmeta['thumb'] = wp_basename( $_POST['thumb'] );
|
||||
|
||||
wp_update_attachment_metadata( $post_id, $newmeta );
|
||||
|
||||
|
||||
@@ -406,8 +406,10 @@ abstract class WP_Image_Editor {
|
||||
|
||||
$fp = fopen( $filename, 'w' );
|
||||
|
||||
if ( ! $fp )
|
||||
if ( ! $fp ) {
|
||||
ob_end_clean();
|
||||
return false;
|
||||
}
|
||||
|
||||
fwrite( $fp, $contents );
|
||||
fclose( $fp );
|
||||
|
||||
@@ -172,8 +172,8 @@ class WP_Term_Query {
|
||||
* Can be used in conjunction with `$meta_value`. Default empty.
|
||||
* @type string $meta_value Limit terms to those matching a specific metadata value.
|
||||
* Usually used in conjunction with `$meta_key`. Default empty.
|
||||
* @type string $meta_type Type of object metadata is for (e.g., comment, post, or user).
|
||||
* Default empty.
|
||||
* @type string $meta_type MySQL data type that the `$meta_value` will be CAST to for
|
||||
* comparisons. Default empty.
|
||||
* @type string $meta_compare Comparison operator to test the 'meta_value'. Default empty.
|
||||
* }
|
||||
*/
|
||||
|
||||
@@ -289,6 +289,8 @@ class WP {
|
||||
foreach ( $this->public_query_vars as $wpvar ) {
|
||||
if ( isset( $this->extra_query_vars[$wpvar] ) )
|
||||
$this->query_vars[$wpvar] = $this->extra_query_vars[$wpvar];
|
||||
elseif ( isset( $_GET[ $wpvar ] ) && isset( $_POST[ $wpvar ] ) && $_GET[ $wpvar ] !== $_POST[ $wpvar ] )
|
||||
wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
|
||||
elseif ( isset( $_POST[$wpvar] ) )
|
||||
$this->query_vars[$wpvar] = $_POST[$wpvar];
|
||||
elseif ( isset( $_GET[$wpvar] ) )
|
||||
|
||||
@@ -450,7 +450,7 @@ function get_post_embed_html( $width, $height, $post = null ) {
|
||||
* and edit wp-embed.js directly.
|
||||
*/
|
||||
$output .=<<<JS
|
||||
!function(a,b){"use strict";function c(){if(!e){e=!0;var a,c,d,f,g=-1!==navigator.appVersion.indexOf("MSIE 10"),h=!!navigator.userAgent.match(/Trident.*rv:11\./),i=b.querySelectorAll("iframe.wp-embedded-content");for(c=0;c<i.length;c++){if(d=i[c],!d.getAttribute("data-secret"))f=Math.random().toString(36).substr(2,10),d.src+="#?secret="+f,d.setAttribute("data-secret",f);if(g||h)a=d.cloneNode(!0),a.removeAttribute("security"),d.parentNode.replaceChild(a,d)}}}var d=!1,e=!1;if(b.querySelector)if(a.addEventListener)d=!0;if(a.wp=a.wp||{},!a.wp.receiveEmbedMessage)if(a.wp.receiveEmbedMessage=function(c){var d=c.data;if(d.secret||d.message||d.value)if(!/[^a-zA-Z0-9]/.test(d.secret)){var e,f,g,h,i,j=b.querySelectorAll('iframe[data-secret="'+d.secret+'"]'),k=b.querySelectorAll('blockquote[data-secret="'+d.secret+'"]');for(e=0;e<k.length;e++)k[e].style.display="none";for(e=0;e<j.length;e++)if(f=j[e],c.source===f.contentWindow){if(f.removeAttribute("style"),"height"===d.message){if(g=parseInt(d.value,10),g>1e3)g=1e3;else if(~~g<200)g=200;f.height=g}if("link"===d.message)if(h=b.createElement("a"),i=b.createElement("a"),h.href=f.getAttribute("src"),i.href=d.value,i.host===h.host)if(b.activeElement===f)a.top.location.href=d.value}else;}},d)a.addEventListener("message",a.wp.receiveEmbedMessage,!1),b.addEventListener("DOMContentLoaded",c,!1),a.addEventListener("load",c,!1)}(window,document);
|
||||
!function(a,b){"use strict";function c(){if(!e){e=!0;var a,c,d,f,g=-1!==navigator.appVersion.indexOf("MSIE 10"),h=!!navigator.userAgent.match(/Trident.*rv:11\./),i=b.querySelectorAll("iframe.wp-embedded-content");for(c=0;c<i.length;c++){if(d=i[c],!d.getAttribute("data-secret"))f=Math.random().toString(36).substr(2,10),d.src+="#?secret="+f,d.setAttribute("data-secret",f);if(g||h)a=d.cloneNode(!0),a.removeAttribute("security"),d.parentNode.replaceChild(a,d)}}}var d=!1,e=!1;if(b.querySelector)if(a.addEventListener)d=!0;if(a.wp=a.wp||{},!a.wp.receiveEmbedMessage)if(a.wp.receiveEmbedMessage=function(c){var d=c.data;if(d)if(d.secret||d.message||d.value)if(!/[^a-zA-Z0-9]/.test(d.secret)){var e,f,g,h,i,j=b.querySelectorAll('iframe[data-secret="'+d.secret+'"]'),k=b.querySelectorAll('blockquote[data-secret="'+d.secret+'"]');for(e=0;e<k.length;e++)k[e].style.display="none";for(e=0;e<j.length;e++)if(f=j[e],c.source===f.contentWindow){if(f.removeAttribute("style"),"height"===d.message){if(g=parseInt(d.value,10),g>1e3)g=1e3;else if(~~g<200)g=200;f.height=g}if("link"===d.message)if(h=b.createElement("a"),i=b.createElement("a"),h.href=f.getAttribute("src"),i.href=d.value,i.host===h.host)if(b.activeElement===f)a.top.location.href=d.value}else;}},d)a.addEventListener("message",a.wp.receiveEmbedMessage,!1),b.addEventListener("DOMContentLoaded",c,!1),a.addEventListener("load",c,!1)}(window,document);
|
||||
JS;
|
||||
}
|
||||
$output .= "\n//--><!]]>";
|
||||
|
||||
@@ -2341,17 +2341,52 @@ function wp_check_filetype_and_ext( $file, $filename, $mimes = null ) {
|
||||
$real_mime = finfo_file( $finfo, $file );
|
||||
finfo_close( $finfo );
|
||||
|
||||
/*
|
||||
* If $real_mime doesn't match what we're expecting, we need to do some extra
|
||||
* vetting of application mime types to make sure this type of file is allowed.
|
||||
* Other mime types are assumed to be safe, but should be considered unverified.
|
||||
*/
|
||||
if ( $real_mime && ( $real_mime !== $type ) && ( 0 === strpos( $real_mime, 'application' ) ) ) {
|
||||
$allowed = get_allowed_mime_types();
|
||||
// fileinfo often misidentifies obscure files as one of these types
|
||||
$nonspecific_types = array(
|
||||
'application/octet-stream',
|
||||
'application/encrypted',
|
||||
'application/CDFV2-encrypted',
|
||||
'application/zip',
|
||||
);
|
||||
|
||||
if ( ! in_array( $real_mime, $allowed ) ) {
|
||||
/*
|
||||
* If $real_mime doesn't match the content type we're expecting from the file's extension,
|
||||
* we need to do some additional vetting. Media types and those listed in $nonspecific_types are
|
||||
* allowed some leeway, but anything else must exactly match the real content type.
|
||||
*/
|
||||
if ( in_array( $real_mime, $nonspecific_types, true ) ) {
|
||||
// File is a non-specific binary type. That's ok if it's a type that generally tends to be binary.
|
||||
if ( !in_array( substr( $type, 0, strcspn( $type, '/' ) ), array( 'application', 'video', 'audio' ) ) ) {
|
||||
$type = $ext = false;
|
||||
}
|
||||
} elseif ( 0 === strpos( $real_mime, 'video/' ) || 0 === strpos( $real_mime, 'audio/' ) ) {
|
||||
/*
|
||||
* For these types, only the major type must match the real value.
|
||||
* This means that common mismatches are forgiven: application/vnd.apple.numbers is often misidentified as application/zip,
|
||||
* and some media files are commonly named with the wrong extension (.mov instead of .mp4)
|
||||
*/
|
||||
|
||||
if ( substr( $real_mime, 0, strcspn( $real_mime, '/' ) ) !== substr( $type, 0, strcspn( $type, '/' ) ) ) {
|
||||
$type = $ext = false;
|
||||
}
|
||||
} else {
|
||||
if ( $type !== $real_mime ) {
|
||||
/*
|
||||
* Everything else including image/* and application/*:
|
||||
* If the real content type doesn't match the file extension, assume it's dangerous.
|
||||
*/
|
||||
$type = $ext = false;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
// The mime type must be allowed
|
||||
if ( $type ) {
|
||||
$allowed = get_allowed_mime_types();
|
||||
|
||||
if ( ! in_array( $type, $allowed ) ) {
|
||||
$type = $ext = false;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -5244,7 +5279,7 @@ function wp_is_stream( $path ) {
|
||||
*
|
||||
* @since 3.5.0
|
||||
*
|
||||
* @see checkdate()
|
||||
* @link https://secure.php.net/manual/en/function.checkdate.php
|
||||
*
|
||||
* @param int $month Month number.
|
||||
* @param int $day Day number.
|
||||
|
||||
@@ -2812,6 +2812,24 @@ function wp_no_robots() {
|
||||
echo "<meta name='robots' content='noindex,follow' />\n";
|
||||
}
|
||||
|
||||
/**
|
||||
* Display a noindex,noarchive meta tag and referrer origin-when-cross-origin meta tag.
|
||||
*
|
||||
* Outputs a noindex,noarchive meta tag that tells web robots not to index or cache the page content.
|
||||
* Outputs a referrer origin-when-cross-origin meta tag that tells the browser not to send the full
|
||||
* url as a referrer to other sites when cross-origin assets are loaded.
|
||||
*
|
||||
* Typical usage is as a wp_head callback. add_action( 'wp_head', 'wp_sensitive_page_meta' );
|
||||
*
|
||||
* @since 5.0.0
|
||||
*/
|
||||
function wp_sensitive_page_meta() {
|
||||
?>
|
||||
<meta name='robots' content='noindex,noarchive' />
|
||||
<meta name='referrer' content='strict-origin-when-cross-origin' />
|
||||
<?php
|
||||
}
|
||||
|
||||
/**
|
||||
* Display site icon meta tags.
|
||||
*
|
||||
|
||||
@@ -28,6 +28,11 @@
|
||||
|
||||
window.wp.receiveEmbedMessage = function( e ) {
|
||||
var data = e.data;
|
||||
|
||||
if ( ! data ) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ( ! ( data.secret || data.message || data.value ) ) {
|
||||
return;
|
||||
}
|
||||
|
||||
2
wp-includes/js/wp-embed.min.js
vendored
2
wp-includes/js/wp-embed.min.js
vendored
@@ -1 +1 @@
|
||||
!function(a,b){"use strict";function c(){if(!e){e=!0;var a,c,d,f,g=-1!==navigator.appVersion.indexOf("MSIE 10"),h=!!navigator.userAgent.match(/Trident.*rv:11\./),i=b.querySelectorAll("iframe.wp-embedded-content");for(c=0;c<i.length;c++){if(d=i[c],!d.getAttribute("data-secret"))f=Math.random().toString(36).substr(2,10),d.src+="#?secret="+f,d.setAttribute("data-secret",f);if(g||h)a=d.cloneNode(!0),a.removeAttribute("security"),d.parentNode.replaceChild(a,d)}}}var d=!1,e=!1;if(b.querySelector)if(a.addEventListener)d=!0;if(a.wp=a.wp||{},!a.wp.receiveEmbedMessage)if(a.wp.receiveEmbedMessage=function(c){var d=c.data;if(d.secret||d.message||d.value)if(!/[^a-zA-Z0-9]/.test(d.secret)){var e,f,g,h,i,j=b.querySelectorAll('iframe[data-secret="'+d.secret+'"]'),k=b.querySelectorAll('blockquote[data-secret="'+d.secret+'"]');for(e=0;e<k.length;e++)k[e].style.display="none";for(e=0;e<j.length;e++)if(f=j[e],c.source===f.contentWindow){if(f.removeAttribute("style"),"height"===d.message){if(g=parseInt(d.value,10),g>1e3)g=1e3;else if(~~g<200)g=200;f.height=g}if("link"===d.message)if(h=b.createElement("a"),i=b.createElement("a"),h.href=f.getAttribute("src"),i.href=d.value,i.host===h.host)if(b.activeElement===f)a.top.location.href=d.value}else;}},d)a.addEventListener("message",a.wp.receiveEmbedMessage,!1),b.addEventListener("DOMContentLoaded",c,!1),a.addEventListener("load",c,!1)}(window,document);
|
||||
!function(a,b){"use strict";function c(){if(!e){e=!0;var a,c,d,f,g=-1!==navigator.appVersion.indexOf("MSIE 10"),h=!!navigator.userAgent.match(/Trident.*rv:11\./),i=b.querySelectorAll("iframe.wp-embedded-content");for(c=0;c<i.length;c++){if(d=i[c],!d.getAttribute("data-secret"))f=Math.random().toString(36).substr(2,10),d.src+="#?secret="+f,d.setAttribute("data-secret",f);if(g||h)a=d.cloneNode(!0),a.removeAttribute("security"),d.parentNode.replaceChild(a,d)}}}var d=!1,e=!1;if(b.querySelector)if(a.addEventListener)d=!0;if(a.wp=a.wp||{},!a.wp.receiveEmbedMessage)if(a.wp.receiveEmbedMessage=function(c){var d=c.data;if(d)if(d.secret||d.message||d.value)if(!/[^a-zA-Z0-9]/.test(d.secret)){var e,f,g,h,i,j=b.querySelectorAll('iframe[data-secret="'+d.secret+'"]'),k=b.querySelectorAll('blockquote[data-secret="'+d.secret+'"]');for(e=0;e<k.length;e++)k[e].style.display="none";for(e=0;e<j.length;e++)if(f=j[e],c.source===f.contentWindow){if(f.removeAttribute("style"),"height"===d.message){if(g=parseInt(d.value,10),g>1e3)g=1e3;else if(~~g<200)g=200;f.height=g}if("link"===d.message)if(h=b.createElement("a"),i=b.createElement("a"),h.href=f.getAttribute("src"),i.href=d.value,i.host===h.host)if(b.activeElement===f)a.top.location.href=d.value}else;}},d)a.addEventListener("message",a.wp.receiveEmbedMessage,!1),b.addEventListener("DOMContentLoaded",c,!1),a.addEventListener("load",c,!1)}(window,document);
|
||||
@@ -184,15 +184,6 @@ if ( ! CUSTOM_TAGS ) {
|
||||
'lang' => true,
|
||||
'xml:lang' => true,
|
||||
),
|
||||
'form' => array(
|
||||
'action' => true,
|
||||
'accept' => true,
|
||||
'accept-charset' => true,
|
||||
'enctype' => true,
|
||||
'method' => true,
|
||||
'name' => true,
|
||||
'target' => true,
|
||||
),
|
||||
'h1' => array(
|
||||
'align' => true,
|
||||
),
|
||||
@@ -545,7 +536,7 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
|
||||
* @return string Filtered attribute.
|
||||
*/
|
||||
function wp_kses_one_attr( $string, $element ) {
|
||||
$uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
|
||||
$uris = wp_kses_uri_attributes();
|
||||
$allowed_html = wp_kses_allowed_html( 'post' );
|
||||
$allowed_protocols = wp_allowed_protocols();
|
||||
$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
|
||||
@@ -610,6 +601,7 @@ function wp_kses_one_attr( $string, $element ) {
|
||||
* Return a list of allowed tags and attributes for a given context.
|
||||
*
|
||||
* @since 3.5.0
|
||||
* @since 5.0.1 `form` removed as allowable HTML tag.
|
||||
*
|
||||
* @global array $allowedposttags
|
||||
* @global array $allowedtags
|
||||
@@ -638,7 +630,27 @@ function wp_kses_allowed_html( $context = '' ) {
|
||||
switch ( $context ) {
|
||||
case 'post':
|
||||
/** This filter is documented in wp-includes/kses.php */
|
||||
return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
|
||||
$tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
|
||||
|
||||
// 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
|
||||
if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
|
||||
$tags = $allowedposttags;
|
||||
|
||||
$tags['form'] = array(
|
||||
'action' => true,
|
||||
'accept' => true,
|
||||
'accept-charset' => true,
|
||||
'enctype' => true,
|
||||
'method' => true,
|
||||
'name' => true,
|
||||
'target' => true,
|
||||
);
|
||||
|
||||
/** This filter is documented in wp-includes/kses.php */
|
||||
$tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
|
||||
}
|
||||
|
||||
return $tags;
|
||||
|
||||
case 'user_description':
|
||||
case 'pre_user_description':
|
||||
@@ -721,6 +733,56 @@ function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
|
||||
return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper function listing HTML attributes containing a URL.
|
||||
*
|
||||
* This function returns a list of all HTML attributes that must contain
|
||||
* a URL according to the HTML specification.
|
||||
*
|
||||
* This list includes URI attributes both allowed and disallowed by KSES.
|
||||
*
|
||||
* @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes
|
||||
*
|
||||
* @since 5.0.1
|
||||
*
|
||||
* @return array HTML attributes that must include a URL.
|
||||
*/
|
||||
function wp_kses_uri_attributes() {
|
||||
$uri_attributes = array(
|
||||
'action',
|
||||
'archive',
|
||||
'background',
|
||||
'cite',
|
||||
'classid',
|
||||
'codebase',
|
||||
'data',
|
||||
'formaction',
|
||||
'href',
|
||||
'icon',
|
||||
'longdesc',
|
||||
'manifest',
|
||||
'poster',
|
||||
'profile',
|
||||
'src',
|
||||
'usemap',
|
||||
'xmlns',
|
||||
);
|
||||
|
||||
/**
|
||||
* Filters the list of attributes that are required to contain a URL.
|
||||
*
|
||||
* Use this filter to add any `data-` attributes that are required to be
|
||||
* validated as a URL.
|
||||
*
|
||||
* @since 5.0.1
|
||||
*
|
||||
* @param array $uri_attributes HTML attributes requiring validation as a URL.
|
||||
*/
|
||||
$uri_attributes = apply_filters( 'wp_kses_uri_attributes', $uri_attributes );
|
||||
|
||||
return $uri_attributes;
|
||||
}
|
||||
|
||||
/**
|
||||
* Callback for wp_kses_split.
|
||||
*
|
||||
@@ -918,7 +980,7 @@ function wp_kses_hair($attr, $allowed_protocols) {
|
||||
$attrarr = array();
|
||||
$mode = 0;
|
||||
$attrname = '';
|
||||
$uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
|
||||
$uris = wp_kses_uri_attributes();
|
||||
|
||||
// Loop through the whole attribute list
|
||||
|
||||
|
||||
@@ -17,7 +17,7 @@
|
||||
*
|
||||
* @global wpdb $wpdb WordPress database abstraction object.
|
||||
*
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, term, or user).
|
||||
* @param int $object_id ID of the object metadata is for
|
||||
* @param string $meta_key Metadata key
|
||||
* @param mixed $meta_value Metadata value. Must be serializable if non-scalar.
|
||||
@@ -57,7 +57,7 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
|
||||
* Filters whether to add metadata of a specific type.
|
||||
*
|
||||
* The dynamic portion of the hook, `$meta_type`, refers to the meta
|
||||
* object type (comment, post, or user). Returning a non-null value
|
||||
* object type (comment, post, term, or user). Returning a non-null value
|
||||
* will effectively short-circuit the function.
|
||||
*
|
||||
* @since 3.1.0
|
||||
@@ -85,7 +85,7 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
|
||||
* Fires immediately before meta of a specific type is added.
|
||||
*
|
||||
* The dynamic portion of the hook, `$meta_type`, refers to the meta
|
||||
* object type (comment, post, or user).
|
||||
* object type (comment, post, term, or user).
|
||||
*
|
||||
* @since 3.1.0
|
||||
*
|
||||
@@ -112,7 +112,7 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
|
||||
* Fires immediately after meta of a specific type is added.
|
||||
*
|
||||
* The dynamic portion of the hook, `$meta_type`, refers to the meta
|
||||
* object type (comment, post, or user).
|
||||
* object type (comment, post, term, or user).
|
||||
*
|
||||
* @since 2.9.0
|
||||
*
|
||||
@@ -134,7 +134,7 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
|
||||
*
|
||||
* @global wpdb $wpdb WordPress database abstraction object.
|
||||
*
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, term, or user).
|
||||
* @param int $object_id ID of the object metadata is for
|
||||
* @param string $meta_key Metadata key
|
||||
* @param mixed $meta_value Metadata value. Must be serializable if non-scalar.
|
||||
@@ -175,7 +175,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
|
||||
* Filters whether to update metadata of a specific type.
|
||||
*
|
||||
* The dynamic portion of the hook, `$meta_type`, refers to the meta
|
||||
* object type (comment, post, or user). Returning a non-null value
|
||||
* object type (comment, post, term, or user). Returning a non-null value
|
||||
* will effectively short-circuit the function.
|
||||
*
|
||||
* @since 3.1.0
|
||||
@@ -222,7 +222,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
|
||||
* Fires immediately before updating metadata of a specific type.
|
||||
*
|
||||
* The dynamic portion of the hook, `$meta_type`, refers to the meta
|
||||
* object type (comment, post, or user).
|
||||
* object type (comment, post, term, or user).
|
||||
*
|
||||
* @since 2.9.0
|
||||
*
|
||||
@@ -259,7 +259,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
|
||||
* Fires immediately after updating metadata of a specific type.
|
||||
*
|
||||
* The dynamic portion of the hook, `$meta_type`, refers to the meta
|
||||
* object type (comment, post, or user).
|
||||
* object type (comment, post, term, or user).
|
||||
*
|
||||
* @since 2.9.0
|
||||
*
|
||||
@@ -295,7 +295,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
|
||||
*
|
||||
* @global wpdb $wpdb WordPress database abstraction object.
|
||||
*
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, term, or user).
|
||||
* @param int $object_id ID of the object metadata is for
|
||||
* @param string $meta_key Metadata key
|
||||
* @param mixed $meta_value Optional. Metadata value. Must be serializable if non-scalar. If specified, only delete
|
||||
@@ -335,7 +335,7 @@ function delete_metadata($meta_type, $object_id, $meta_key, $meta_value = '', $d
|
||||
* Filters whether to delete metadata of a specific type.
|
||||
*
|
||||
* The dynamic portion of the hook, `$meta_type`, refers to the meta
|
||||
* object type (comment, post, or user). Returning a non-null value
|
||||
* object type (comment, post, term, or user). Returning a non-null value
|
||||
* will effectively short-circuit the function.
|
||||
*
|
||||
* @since 3.1.0
|
||||
@@ -379,7 +379,7 @@ function delete_metadata($meta_type, $object_id, $meta_key, $meta_value = '', $d
|
||||
* Fires immediately before deleting metadata of a specific type.
|
||||
*
|
||||
* The dynamic portion of the hook, `$meta_type`, refers to the meta
|
||||
* object type (comment, post, or user).
|
||||
* object type (comment, post, term, or user).
|
||||
*
|
||||
* @since 3.1.0
|
||||
*
|
||||
@@ -421,7 +421,7 @@ function delete_metadata($meta_type, $object_id, $meta_key, $meta_value = '', $d
|
||||
* Fires immediately after deleting metadata of a specific type.
|
||||
*
|
||||
* The dynamic portion of the hook name, `$meta_type`, refers to the meta
|
||||
* object type (comment, post, or user).
|
||||
* object type (comment, post, term, or user).
|
||||
*
|
||||
* @since 2.9.0
|
||||
*
|
||||
@@ -452,7 +452,7 @@ function delete_metadata($meta_type, $object_id, $meta_key, $meta_value = '', $d
|
||||
*
|
||||
* @since 2.9.0
|
||||
*
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, term, or user).
|
||||
* @param int $object_id ID of the object metadata is for
|
||||
* @param string $meta_key Optional. Metadata key. If not specified, retrieve all metadata for
|
||||
* the specified object.
|
||||
@@ -475,7 +475,7 @@ function get_metadata($meta_type, $object_id, $meta_key = '', $single = false) {
|
||||
* Filters whether to retrieve metadata of a specific type.
|
||||
*
|
||||
* The dynamic portion of the hook, `$meta_type`, refers to the meta
|
||||
* object type (comment, post, or user). Returning a non-null value
|
||||
* object type (comment, post, term, or user). Returning a non-null value
|
||||
* will effectively short-circuit the function.
|
||||
*
|
||||
* @since 3.1.0
|
||||
@@ -523,7 +523,7 @@ function get_metadata($meta_type, $object_id, $meta_key = '', $single = false) {
|
||||
*
|
||||
* @since 3.3.0
|
||||
*
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, term, or user).
|
||||
* @param int $object_id ID of the object metadata is for
|
||||
* @param string $meta_key Metadata key.
|
||||
* @return bool True of the key is set, false if not.
|
||||
@@ -604,7 +604,7 @@ function get_metadata_by_mid( $meta_type, $meta_id ) {
|
||||
*
|
||||
* @global wpdb $wpdb WordPress database abstraction object.
|
||||
*
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, term, or user).
|
||||
* @param int $meta_id ID for a specific meta row
|
||||
* @param string $meta_value Metadata value
|
||||
* @param string $meta_key Optional, you can provide a meta key to update it
|
||||
@@ -786,7 +786,7 @@ function delete_metadata_by_mid( $meta_type, $meta_id ) {
|
||||
*
|
||||
* @global wpdb $wpdb WordPress database abstraction object.
|
||||
*
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, term, or user).
|
||||
* @param int|array $object_ids Array or comma delimited list of object IDs to update cache for
|
||||
* @return array|false Metadata cache for the specified objects, or false on failure.
|
||||
*/
|
||||
@@ -899,7 +899,7 @@ function get_meta_sql( $meta_query, $type, $primary_table, $primary_id_column, $
|
||||
*
|
||||
* @global wpdb $wpdb WordPress database abstraction object.
|
||||
*
|
||||
* @param string $type Type of object to get metadata table for (e.g., comment, post, or user)
|
||||
* @param string $type Type of object to get metadata table for (e.g., comment, post, term, or user).
|
||||
* @return string|false Metadata table name, or false if no metadata table exists
|
||||
*/
|
||||
function _get_meta_table($type) {
|
||||
@@ -918,8 +918,9 @@ function _get_meta_table($type) {
|
||||
*
|
||||
* @since 3.1.3
|
||||
*
|
||||
* @param string $meta_key Meta key
|
||||
* @param string|null $meta_type
|
||||
* @param string $meta_key Meta key
|
||||
* @param string|null $meta_type Optional. Type of object metadata is for (e.g., comment, post,
|
||||
* term, or user).
|
||||
* @return bool True if the key is protected, false otherwise.
|
||||
*/
|
||||
function is_protected_meta( $meta_key, $meta_type = null ) {
|
||||
@@ -932,7 +933,7 @@ function is_protected_meta( $meta_key, $meta_type = null ) {
|
||||
*
|
||||
* @param bool $protected Whether the key is protected. Default false.
|
||||
* @param string $meta_key Meta key.
|
||||
* @param string $meta_type Meta type.
|
||||
* @param string $meta_type Type of object metadata is for (e.g., comment, post, term, or user).
|
||||
*/
|
||||
return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type );
|
||||
}
|
||||
@@ -973,7 +974,7 @@ function sanitize_meta( $meta_key, $meta_value, $object_type, $object_subtype =
|
||||
* Filters the sanitization of a specific meta key of a specific meta type.
|
||||
*
|
||||
* The dynamic portions of the hook name, `$meta_type`, and `$meta_key`,
|
||||
* refer to the metadata object type (comment, post, or user) and the meta
|
||||
* refer to the metadata object type (comment, post, term, or user) and the meta
|
||||
* key value, respectively.
|
||||
*
|
||||
* @since 3.3.0
|
||||
|
||||
@@ -271,10 +271,13 @@ function wpmu_admin_do_redirect( $url = '' ) {
|
||||
_deprecated_function( __FUNCTION__, '3.3.0', 'wp_redirect()' );
|
||||
|
||||
$ref = '';
|
||||
if ( isset( $_GET['ref'] ) )
|
||||
$ref = $_GET['ref'];
|
||||
if ( isset( $_POST['ref'] ) )
|
||||
$ref = $_POST['ref'];
|
||||
if ( isset( $_GET['ref'] ) && isset( $_POST['ref'] ) && $_GET['ref'] !== $_POST['ref'] ) {
|
||||
wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
|
||||
} elseif ( isset( $_POST['ref'] ) ) {
|
||||
$ref = $_POST[ 'ref' ];
|
||||
} elseif ( isset( $_GET['ref'] ) ) {
|
||||
$ref = $_GET[ 'ref' ];
|
||||
}
|
||||
|
||||
if ( $ref ) {
|
||||
$ref = wpmu_admin_redirect_add_updated_param( $ref );
|
||||
@@ -287,7 +290,9 @@ function wpmu_admin_do_redirect( $url = '' ) {
|
||||
}
|
||||
|
||||
$url = wpmu_admin_redirect_add_updated_param( $url );
|
||||
if ( isset( $_GET['redirect'] ) ) {
|
||||
if ( isset( $_GET['redirect'] ) && isset( $_POST['redirect'] ) && $_GET['redirect'] !== $_POST['redirect'] ) {
|
||||
wp_die( __( 'A variable mismatch has been detected.' ), __( 'Sorry, you are not allowed to view this item.' ), 400 );
|
||||
} elseif ( isset( $_GET['redirect'] ) ) {
|
||||
if ( substr( $_GET['redirect'], 0, 2 ) == 's_' )
|
||||
$url .= '&action=blogs&s='. esc_html( substr( $_GET['redirect'], 2 ) );
|
||||
} elseif ( isset( $_POST['redirect'] ) ) {
|
||||
|
||||
@@ -207,7 +207,7 @@ class Plural_Forms {
|
||||
$span = strspn( $str, self::NUM_CHARS, $pos );
|
||||
$output[] = array( 'value', intval( substr( $str, $pos, $span ) ) );
|
||||
$pos += $span;
|
||||
continue;
|
||||
break;
|
||||
}
|
||||
|
||||
throw new Exception( sprintf( 'Unknown symbol "%s"', $next ) );
|
||||
|
||||
@@ -775,7 +775,7 @@ function get_page_statuses() {
|
||||
/**
|
||||
* Return statuses for privacy requests.
|
||||
*
|
||||
* @since 5.0.0
|
||||
* @since 4.9.6
|
||||
*
|
||||
* @return array
|
||||
*/
|
||||
|
||||
@@ -441,7 +441,7 @@ class WP_REST_Terms_Controller extends WP_REST_Controller {
|
||||
|
||||
$schema = $this->get_item_schema();
|
||||
if ( ! empty( $schema['properties']['meta'] ) && isset( $request['meta'] ) ) {
|
||||
$meta_update = $this->meta->update_value( $request['meta'], (int) $request['id'] );
|
||||
$meta_update = $this->meta->update_value( $request['meta'], $term->term_id );
|
||||
|
||||
if ( is_wp_error( $meta_update ) ) {
|
||||
return $meta_update;
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '4.9.8';
|
||||
$wp_version = '4.9.9';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
||||
@@ -34,7 +34,7 @@ function login_header( $title = 'Log In', $message = '', $wp_error = null ) {
|
||||
global $error, $interim_login, $action;
|
||||
|
||||
// Don't index any of these forms
|
||||
add_action( 'login_head', 'wp_no_robots' );
|
||||
add_action( 'login_head', 'wp_sensitive_page_meta' );
|
||||
|
||||
add_action( 'login_head', 'wp_login_viewport_meta' );
|
||||
|
||||
|
||||
Reference in New Issue
Block a user