Tag 5.0.8

Built from https://develop.svn.wordpress.org/tags/5.0.8@46940


git-svn-id: http://core.svn.wordpress.org/tags/5.0.8@46740 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/about.php

@@ -62,6 +62,66 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 
 		<div class="changelog point-releases">
 			<h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
+			<p>
+				<?php
+				printf(
+				/* translators: %s: WordPress version number */
+					__( '<strong>Version %s</strong> addressed some security issues.' ),
+					'5.0.8'
+				);
+				?>
+				<?php
+				printf(
+				/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+					/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '5.0.8' )
+					)
+				);
+				?>
+			</p>
+			<p>
+				<?php
+				printf(
+				/* translators: %s: WordPress version number */
+					__( '<strong>Version %s</strong> addressed some security issues.' ),
+					'5.0.7'
+				);
+				?>
+				<?php
+				printf(
+				/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+					/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '5.0.7' )
+					)
+				);
+				?>
+			</p>
+			<p>
+				<?php
+				printf(
+				/* translators: %s: WordPress version number */
+					__( '<strong>Version %s</strong> addressed some security issues.' ),
+					'5.0.6'
+				);
+				?>
+				<?php
+				printf(
+				/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+					/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '5.0.6' )
+					)
+				);
+				?>
+			</p>
 			<p>
 				<?php
 				printf(

wp-admin/async-upload.php

@@ -22,7 +22,7 @@ if ( defined( 'ABSPATH' ) ) {
 
 require_once( ABSPATH . 'wp-admin/admin.php' );
 
-header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
+header( 'Content-Type: text/plain; charset=' . get_option( 'blog_charset' ) );
 
 if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
 	include( ABSPATH . 'wp-admin/includes/ajax-actions.php' );

wp-admin/includes/ajax-actions.php

@@ -2068,7 +2068,7 @@ function wp_ajax_upload_attachment() {
 			'success' => false,
 			'data'    => array(
 				'message'  => __( 'Sorry, you are not allowed to upload files.' ),
-				'filename' => $_FILES['async-upload']['name'],
+				'filename' => esc_html( $_FILES['async-upload']['name'] ),
 			)
 		) );
 
@@ -2082,7 +2082,7 @@ function wp_ajax_upload_attachment() {
 				'success' => false,
 				'data'    => array(
 					'message'  => __( 'Sorry, you are not allowed to attach files to this post.' ),
-					'filename' => $_FILES['async-upload']['name'],
+					'filename' => esc_html( $_FILES['async-upload']['name'] ),
 				)
 			) );
 
@@ -2106,7 +2106,7 @@ function wp_ajax_upload_attachment() {
 				'success' => false,
 				'data'    => array(
 					'message'  => __( 'The uploaded file is not a valid image. Please try again.' ),
-					'filename' => $_FILES['async-upload']['name'],
+					'filename' => esc_html( $_FILES['async-upload']['name'] ),
 				)
 			) );
 
@@ -2121,7 +2121,7 @@ function wp_ajax_upload_attachment() {
 			'success' => false,
 			'data'    => array(
 				'message'  => $attachment_id->get_error_message(),
-				'filename' => $_FILES['async-upload']['name'],
+				'filename' => esc_html( $_FILES['async-upload']['name'] ),
 			)
 		) );
 

wp-includes/blocks.php

@@ -74,11 +74,11 @@ function has_blocks( $post = null ) {
  * @since 5.0.0
  * @see parse_blocks()
  *
- * @param string                  $block_type Full Block type to look for.
+ * @param string                  $block_name Full Block type to look for.
  * @param int|string|WP_Post|null $post Optional. Post content, post ID, or post object. Defaults to global $post.
  * @return bool Whether the post content contains the specified block.
  */
-function has_block( $block_type, $post = null ) {
+function has_block( $block_name, $post = null ) {
 	if ( ! has_blocks( $post ) ) {
 		return false;
 	}
@@ -90,7 +90,30 @@ function has_block( $block_type, $post = null ) {
 		}
 	}
 
-	return false !== strpos( $post, '<!-- wp:' . $block_type . ' ' );
+	/*
+	 * Normalize block name to include namespace, if provided as non-namespaced.
+	 * This matches behavior for WordPress 5.0.0 - 5.3.0 in matching blocks by
+	 * their serialized names.
+	 */
+	if ( false === strpos( $block_name, '/' ) ) {
+		$block_name = 'core/' . $block_name;
+	}
+
+	// Test for existence of block by its fully qualified name.
+	$has_block = false !== strpos( $post, '<!-- wp:' . $block_name . ' ' );
+
+	if ( ! $has_block ) {
+		/*
+		 * If the given block name would serialize to a different name, test for
+		 * existence by the serialized form.
+		 */
+		$serialized_block_name = strip_core_block_namespace( $block_name );
+		if ( $serialized_block_name !== $block_name ) {
+			$has_block = false !== strpos( $post, '<!-- wp:' . $serialized_block_name . ' ' );
+		}
+	}
+
+	return $has_block;
 }
 
 /**
@@ -113,6 +136,207 @@ function get_dynamic_block_names() {
 	return $dynamic_block_names;
 }
 
+/**
+ * Given an array of attributes, returns a string in the serialized attributes
+ * format prepared for post content.
+ *
+ * The serialized result is a JSON-encoded string, with unicode escape sequence
+ * substitution for characters which might otherwise interfere with embedding
+ * the result in an HTML comment.
+ *
+ * @since 5.3.1
+ *
+ * @param array $attributes Attributes object.
+ * @return string Serialized attributes.
+ */
+function serialize_block_attributes( $block_attributes ) {
+	$encoded_attributes = json_encode( $block_attributes );
+	$encoded_attributes = preg_replace( '/--/', '\\u002d\\u002d', $encoded_attributes );
+	$encoded_attributes = preg_replace( '/</', '\\u003c', $encoded_attributes );
+	$encoded_attributes = preg_replace( '/>/', '\\u003e', $encoded_attributes );
+	$encoded_attributes = preg_replace( '/&/', '\\u0026', $encoded_attributes );
+	// Regex: /\\"/
+	$encoded_attributes = preg_replace( '/\\\\"/', '\\u0022', $encoded_attributes );
+
+	return $encoded_attributes;
+}
+
+/**
+ * Returns the block name to use for serialization. This will remove the default
+ * "core/" namespace from a block name.
+ *
+ * @since 5.3.1
+ *
+ * @param string $block_name Original block name.
+ * @return string Block name to use for serialization.
+ */
+function strip_core_block_namespace( $block_name = null ) {
+	if ( is_string( $block_name ) && 0 === strpos( $block_name, 'core/' ) ) {
+		return substr( $block_name, 5 );
+	}
+
+	return $block_name;
+}
+
+/**
+ * Returns the content of a block, including comment delimiters.
+ *
+ * @since 5.3.1
+ *
+ * @param string $block_name Block name.
+ * @param array  $attributes Block attributes.
+ * @param string $content    Block save content.
+ * @return string Comment-delimited block content.
+ */
+function get_comment_delimited_block_content( $block_name = null, $block_attributes, $block_content ) {
+	if ( is_null( $block_name ) ) {
+		return $block_content;
+	}
+
+	$serialized_block_name = strip_core_block_namespace( $block_name );
+	$serialized_attributes = empty( $block_attributes ) ? '' : serialize_block_attributes( $block_attributes ) . ' ';
+
+	if ( empty( $block_content ) ) {
+		return sprintf( '<!-- wp:%s %s/-->', $serialized_block_name, $serialized_attributes );
+	}
+
+	return sprintf(
+		'<!-- wp:%s %s-->%s<!-- /wp:%s -->',
+		$serialized_block_name,
+		$serialized_attributes,
+		$block_content,
+		$serialized_block_name
+	);
+}
+
+/**
+ * Returns the content of a block, including comment delimiters, serializing all
+ * attributes from the given parsed block.
+ *
+ * This should be used when preparing a block to be saved to post content.
+ * Prefer `render_block` when preparing a block for display. Unlike
+ * `render_block`, this does not evaluate a block's `render_callback`, and will
+ * instead preserve the markup as parsed.
+ *
+ * @since 5.3.1
+ *
+ * @param WP_Block_Parser_Block $block A single parsed block object.
+ * @return string String of rendered HTML.
+ */
+function serialize_block( $block ) {
+	$block_content = '';
+
+	$index = 0;
+	foreach ( $block['innerContent'] as $chunk ) {
+		$block_content .= is_string( $chunk ) ? $chunk : serialize_block( $block['innerBlocks'][ $index++ ] );
+	}
+
+	if ( ! is_array( $block['attrs'] ) ) {
+		$block['attrs'] = array();
+	}
+
+	return get_comment_delimited_block_content(
+		$block['blockName'],
+		$block['attrs'],
+		$block_content
+	);
+}
+
+/**
+ * Returns a joined string of the aggregate serialization of the given parsed
+ * blocks.
+ *
+ * @since 5.3.1
+ *
+ * @param WP_Block_Parser_Block[] $blocks Parsed block objects.
+ * @return string String of rendered HTML.
+ */
+function serialize_blocks( $blocks ) {
+	return implode( '', array_map( 'serialize_block', $blocks ) );
+}
+
+/**
+ * Filters and sanitizes block content to remove non-allowable HTML from
+ * parsed block attribute values.
+ *
+ * @since 5.3.1
+ *
+ * @param string         $text              Text that may contain block content.
+ * @param array[]|string $allowed_html      An array of allowed HTML elements
+ *                                          and attributes, or a context name
+ *                                          such as 'post'.
+ * @param string[]       $allowed_protocols Array of allowed URL protocols.
+ * @return string The filtered and sanitized content result.
+ */
+function filter_block_content( $text, $allowed_html = 'post', $allowed_protocols = array() ) {
+	$result = '';
+
+	$blocks = parse_blocks( $text );
+	foreach ( $blocks as $block ) {
+		$block   = filter_block_kses( $block, $allowed_html, $allowed_protocols );
+		$result .= serialize_block( $block );
+	}
+
+	return $result;
+}
+
+/**
+ * Filters and sanitizes a parsed block to remove non-allowable HTML from block
+ * attribute values.
+ *
+ * @since 5.3.1
+ *
+ * @param WP_Block_Parser_Block $block             The parsed block object.
+ * @param array[]|string        $allowed_html      An array of allowed HTML
+ *                                                 elements and attributes, or a
+ *                                                 context name such as 'post'.
+ * @param string[]              $allowed_protocols Allowed URL protocols.
+ * @return array The filtered and sanitized block object result.
+ */
+function filter_block_kses( $block, $allowed_html, $allowed_protocols = array() ) {
+	$block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols );
+
+	if ( is_array( $block['innerBlocks'] ) ) {
+		foreach ( $block['innerBlocks'] as $i => $inner_block ) {
+			$block['innerBlocks'][ $i ] = filter_block_kses( $inner_block, $allowed_html, $allowed_protocols );
+		}
+	}
+
+	return $block;
+}
+
+/**
+ * Filters and sanitizes a parsed block attribute value to remove non-allowable
+ * HTML.
+ *
+ * @since 5.3.1
+ *
+ * @param mixed          $value             The attribute value to filter.
+ * @param array[]|string $allowed_html      An array of allowed HTML elements
+ *                                          and attributes, or a context name
+ *                                          such as 'post'.
+ * @param string[]       $allowed_protocols Array of allowed URL protocols.
+ * @return array The filtered and sanitized result.
+ */
+function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array() ) {
+	if ( is_array( $value ) ) {
+		foreach ( $value as $key => $inner_value ) {
+			$filtered_key   = filter_block_kses_value( $key, $allowed_html, $allowed_protocols );
+			$filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols );
+
+			if ( $filtered_key !== $key ) {
+				unset( $value[ $key ] );
+			}
+
+			$value[ $filtered_key ] = $filtered_value;
+		}
+	} elseif ( is_string( $value ) ) {
+		return wp_kses( $value, $allowed_html, $allowed_protocols );
+	}
+
+	return $value;
+}
+
 /**
  * Parses blocks out of a content string, and renders those appropriate for the excerpt.
  *

wp-includes/class-wp-query.php

@@ -529,7 +529,6 @@ class WP_Query {
 			, 'attachment'
 			, 'attachment_id'
 			, 'name'
-			, 'static'
 			, 'pagename'
 			, 'page_id'
 			, 'second'
@@ -764,7 +763,7 @@ class WP_Query {
 			// If year, month, day, hour, minute, and second are set, a single
 			// post is being queried.
 			$this->is_single = true;
-		} elseif ( '' != $qv['static'] || '' != $qv['pagename'] || !empty($qv['page_id']) ) {
+		} elseif ( '' != $qv['pagename'] || !empty($qv['page_id']) ) {
 			$this->is_page = true;
 			$this->is_single = false;
 		} else {

wp-includes/class-wp.php

@@ -14,7 +14,7 @@ class WP {
 	 * @since 2.0.0
 	 * @var array
 	 */
-	public $public_query_vars = array('m', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
+	public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
 
 	/**
 	 * Private query variables.

wp-includes/default-filters.php

@@ -224,30 +224,31 @@ foreach ( array( 'publish_post', 'publish_page', 'wp_ajax_save-widget', 'wp_ajax
 }
 
 // Misc filters
-add_filter( 'option_ping_sites',        'privacy_ping_filter'                 );
-add_filter( 'option_blog_charset',      '_wp_specialchars'                    ); // IMPORTANT: This must not be wp_specialchars() or esc_html() or it'll cause an infinite loop
-add_filter( 'option_blog_charset',      '_canonical_charset'                  );
-add_filter( 'option_home',              '_config_wp_home'                     );
-add_filter( 'option_siteurl',           '_config_wp_siteurl'                  );
-add_filter( 'tiny_mce_before_init',     '_mce_set_direction'                  );
-add_filter( 'teeny_mce_before_init',    '_mce_set_direction'                  );
-add_filter( 'pre_kses',                 'wp_pre_kses_less_than'               );
-add_filter( 'sanitize_title',           'sanitize_title_with_dashes',   10, 3 );
-add_action( 'check_comment_flood',      'check_comment_flood_db',       10, 4 );
-add_filter( 'comment_flood_filter',     'wp_throttle_comment_flood',    10, 3 );
-add_filter( 'pre_comment_content',      'wp_rel_nofollow',              15    );
-add_filter( 'comment_email',            'antispambot'                         );
-add_filter( 'option_tag_base',          '_wp_filter_taxonomy_base'            );
-add_filter( 'option_category_base',     '_wp_filter_taxonomy_base'            );
-add_filter( 'the_posts',                '_close_comments_for_old_posts', 10, 2);
-add_filter( 'comments_open',            '_close_comments_for_old_post', 10, 2 );
-add_filter( 'pings_open',               '_close_comments_for_old_post', 10, 2 );
-add_filter( 'editable_slug',            'urldecode'                           );
-add_filter( 'editable_slug',            'esc_textarea'                        );
-add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object'        );
-add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri'            );
-add_filter( 'xmlrpc_pingback_error',    'xmlrpc_pingback_error'               );
-add_filter( 'title_save_pre',           'trim'                                );
+add_filter( 'option_ping_sites', 'privacy_ping_filter' );
+add_filter( 'option_blog_charset', '_wp_specialchars' ); // IMPORTANT: This must not be wp_specialchars() or esc_html() or it'll cause an infinite loop
+add_filter( 'option_blog_charset', '_canonical_charset' );
+add_filter( 'option_home', '_config_wp_home' );
+add_filter( 'option_siteurl', '_config_wp_siteurl' );
+add_filter( 'tiny_mce_before_init', '_mce_set_direction' );
+add_filter( 'teeny_mce_before_init', '_mce_set_direction' );
+add_filter( 'pre_kses', 'wp_pre_kses_less_than' );
+add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
+add_filter( 'sanitize_title', 'sanitize_title_with_dashes', 10, 3 );
+add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
+add_filter( 'comment_flood_filter', 'wp_throttle_comment_flood', 10, 3 );
+add_filter( 'pre_comment_content', 'wp_rel_nofollow', 15 );
+add_filter( 'comment_email', 'antispambot' );
+add_filter( 'option_tag_base', '_wp_filter_taxonomy_base' );
+add_filter( 'option_category_base', '_wp_filter_taxonomy_base' );
+add_filter( 'the_posts', '_close_comments_for_old_posts', 10, 2 );
+add_filter( 'comments_open', '_close_comments_for_old_post', 10, 2 );
+add_filter( 'pings_open', '_close_comments_for_old_post', 10, 2 );
+add_filter( 'editable_slug', 'urldecode' );
+add_filter( 'editable_slug', 'esc_textarea' );
+add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object' );
+add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri' );
+add_filter( 'xmlrpc_pingback_error', 'xmlrpc_pingback_error' );
+add_filter( 'title_save_pre', 'trim' );
 
 add_action( 'transition_comment_status', '_clear_modified_cache_on_transition_comment_status', 10, 2 );
 

wp-includes/formatting.php

@@ -2747,19 +2747,19 @@ function wp_rel_nofollow( $text ) {
  */
 function wp_rel_nofollow_callback( $matches ) {
 	$text = $matches[1];
-	$atts = shortcode_parse_atts( $matches[1] );
+	$atts = wp_kses_hair( $matches[1], wp_allowed_protocols() );
 	$rel  = 'nofollow';
 
 	if ( ! empty( $atts['href'] ) ) {
-		if ( in_array( strtolower( wp_parse_url( $atts['href'], PHP_URL_SCHEME ) ), array( 'http', 'https' ), true ) ) {
-			if ( strtolower( wp_parse_url( $atts['href'], PHP_URL_HOST ) ) === strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) ) ) {
+		if ( in_array( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_SCHEME ) ), array( 'http', 'https' ), true ) ) {
+			if ( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_HOST ) ) === strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) ) ) {
 				return "<a $text>";
 			}
 		}
 	}
 
 	if ( ! empty( $atts['rel'] ) ) {
-		$parts = array_map( 'trim', explode( ' ', $atts['rel'] ) );
+		$parts = array_map( 'trim', explode( ' ', $atts['rel']['value'] ) );
 		if ( false === array_search( 'nofollow', $parts ) ) {
 			$parts[] = 'nofollow';
 		}
@@ -2768,7 +2768,11 @@ function wp_rel_nofollow_callback( $matches ) {
 
 		$html = '';
 		foreach ( $atts as $name => $value ) {
-			$html .= "{$name}=\"" . esc_attr( $value ) . "\" ";
+			if ( isset( $value['vless'] ) && 'y' === $value['vless'] ) {
+				$html .= $name . ' ';
+			} else {
+				$html .= "{$name}=\"" . esc_attr( $value['value'] ) . '" ';
+			}
 		}
 		$text = trim( $html );
 	}
@@ -4398,6 +4402,31 @@ function wp_pre_kses_less_than_callback( $matches ) {
 	return $matches[0];
 }
 
+/**
+ * Remove non-allowable HTML from parsed block attribute values when filtering
+ * in the post context.
+ *
+ * @since 5.3.1
+ *
+ * @param string         $string            Content to be run through KSES.
+ * @param array[]|string $allowed_html      An array of allowed HTML elements
+ *                                          and attributes, or a context name
+ *                                          such as 'post'.
+ * @param string[]       $allowed_protocols Array of allowed URL protocols.
+ * @return string Filtered text to run through KSES.
+ */
+function wp_pre_kses_block_attributes( $string, $allowed_html, $allowed_protocols ) {
+	/*
+	 * `filter_block_content` is expected to call `wp_kses`. Temporarily remove
+	 * the filter to avoid recursion.
+	 */
+	remove_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10 );
+	$string = filter_block_content( $string, $allowed_html, $allowed_protocols );
+	add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
+
+	return $string;
+}
+
 /**
  * WordPress implementation of PHP sprintf() with filters.
  *

wp-includes/functions.php

@@ -1621,6 +1621,11 @@ function wp_mkdir_p( $target ) {
 	if ( file_exists( $target ) )
 		return @is_dir( $target );
 
+	// Do not allow path traversals.
+	if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
+		return false;
+	}
+
 	// We need to find the permissions of the parent folder that exists and inherit that.
 	$target_parent = dirname( $target );
 	while ( '.' != $target_parent && ! is_dir( $target_parent ) && dirname( $target_parent ) !== $target_parent ) {

wp-includes/http.php

@@ -541,8 +541,9 @@ function wp_http_validate_url( $url ) {
 			$ip = $host;
 		} else {
 			$ip = gethostbyname( $host );
-			if ( $ip === $host ) // Error condition for gethostbyname()
-				$ip = false;
+			if ( $ip === $host ) { // Error condition for gethostbyname()
+				return false;
+			}
 		}
 		if ( $ip ) {
 			$parts = array_map( 'intval', explode( '.', $ip ) );

wp-includes/js/dist/block-library.js

@@ -11602,7 +11602,7 @@ var shortcode_settings = {
   attributes: {
     text: {
       type: 'string',
-      source: 'text'
+      source: 'html'
     }
   },
   transforms: {

wp-includes/kses.php

@@ -1407,9 +1407,10 @@ function wp_kses_html_error($string) {
  * @return string Sanitized content
  */
 function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
-	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
-	if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
-		$string = trim( $string2[1] );
+	$string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
+	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;|:/i', $string, 2 );
+	if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
+		$string   = trim( $string2[1] );
 		$protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
 		if ( 'feed:' == $protocol ) {
 			if ( $count > 2 )

wp-includes/pluggable.php

@@ -1083,7 +1083,7 @@ if ( !function_exists('check_admin_referer') ) :
  *                   0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
  */
 function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
-	if ( -1 == $action )
+	if ( -1 === $action )
 		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
 
 	$adminurl = strtolower(admin_url());
@@ -1101,7 +1101,7 @@ function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
 	 */
 	do_action( 'check_admin_referer', $action, $result );
 
-	if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
+	if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
 		wp_nonce_ays( $action );
 		die();
 	}
@@ -1346,6 +1346,14 @@ function wp_validate_redirect($location, $default = '') {
 	if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) )
 		return $default;
 
+	if ( ! isset( $lp['host'] ) && ! empty( $lp['path'] ) && '/' !== $lp['path'][0] ) {
+		$path = '';
+		if ( ! empty( $_SERVER['REQUEST_URI'] ) ) {
+			$path = dirname( parse_url( 'http://placeholder' . $_SERVER['REQUEST_URI'], PHP_URL_PATH ) . '?' );
+		}
+		$location = '/' . ltrim( $path . '/', '/' ) . $location;
+	}
+
 	// Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
 	if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
 		return $default;
@@ -2641,4 +2649,3 @@ function wp_text_diff( $left_string, $right_string, $args = null ) {
 	return $r;
 }
 endif;
-

wp-includes/post-template.php

@@ -324,25 +324,9 @@ function get_the_content( $more_link_text = null, $strip_teaser = false ) {
 		}
 	}
 
-	if ( $preview ) // Preview fix for JavaScript bug with foreign languages.
-		$output =	preg_replace_callback( '/\%u([0-9A-F]{4})/', '_convert_urlencoded_to_entities', $output );
-
 	return $output;
 }
 
-/**
- * Preview fix for JavaScript bug with foreign languages.
- *
- * @since 3.1.0
- * @access private
- *
- * @param array $match Match array from preg_replace_callback.
- * @return string
- */
-function _convert_urlencoded_to_entities( $match ) {
-	return '&#' . base_convert( $match[1], 16, 10 ) . ';';
-}
-
 /**
  * Display the post excerpt.
  *

wp-includes/rest-api.php

@@ -210,7 +210,7 @@ function create_initial_rest_routes() {
 	$controller->register_routes();
 
 	// Taxonomies.
-	$controller = new WP_REST_Taxonomies_Controller;
+	$controller = new WP_REST_Taxonomies_Controller();
 	$controller->register_routes();
 
 	// Terms.
@@ -573,7 +573,9 @@ function rest_send_cors_headers( $value ) {
 		header( 'Access-Control-Allow-Origin: ' . $origin );
 		header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
 		header( 'Access-Control-Allow-Credentials: true' );
-		header( 'Vary: Origin' );
+		header( 'Vary: Origin', false );
+	} elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
+		header( 'Vary: Origin', false );
 	}
 
 	return $value;

wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -491,7 +491,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 			return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to create posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
-		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
+		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
 			return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
@@ -646,7 +646,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 			return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to update posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
-		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
+		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
 			return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
@@ -944,7 +944,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 	 * @return stdClass|WP_Error Post object or WP_Error.
 	 */
 	protected function prepare_item_for_database( $request ) {
-		$prepared_post = new stdClass;
+		$prepared_post = new stdClass();
 
 		// Post ID.
 		if ( isset( $request['id'] ) ) {

wp-includes/script-loader.php

@@ -229,7 +229,7 @@ function wp_default_packages_scripts( &$scripts ) {
 		'annotations' => '1.0.5',
 		'autop' => '2.0.2',
 		'blob' => '2.1.0',
-		'block-library' => '2.2.12',
+		'block-library' => '2.2.17',
 		'block-serialization-default-parser' => '2.0.3',
 		'blocks' => '6.0.5',
 		'components' => '7.0.5',

wp-includes/version.php

@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.0.5';
+$wp_version = '5.0.8';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
@@ -33,4 +33,3 @@ $required_php_version = '5.2.4';
  * @global string $required_mysql_version
  */
 $required_mysql_version = '5.0';
-