Tag 5.1.3

Built from https://develop.svn.wordpress.org/tags/5.1.3@46525


git-svn-id: http://core.svn.wordpress.org/tags/5.1.3@46322 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/about.php

@@ -34,6 +34,80 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 			<a href="freedoms.php?privacy-notice" class="nav-tab"><?php _e( 'Privacy' ); ?></a>
 		</h2>
 
+		<div class="changelog point-releases">
+			<h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
+			<p>
+				<?php
+				printf(
+				/* translators: %s: WordPress version number */
+					__( '<strong>Version %s</strong> addressed some security issues.' ),
+					'5.1.3'
+				);
+				?>
+				<?php
+				printf(
+				/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+					/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '5.1.3' )
+					)
+				);
+				?>
+			</p>
+			<p>
+				<?php
+				printf(
+					/* translators: 1: WordPress version number, 2: plural number of bugs. */
+					_n(
+						'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+						'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.',
+						2
+					),
+					'5.1.2',
+					number_format_i18n( 2 )
+				);
+				?>
+				<?php
+				printf(
+					/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+						/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '5.1.2' )
+					)
+				);
+				?>
+			</p>
+			<p>
+				<?php
+				printf(
+					/* translators: 1: WordPress version number, 2: plural number of bugs. */
+					_n(
+						'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+						'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.',
+						14
+					),
+					'5.1.1',
+					number_format_i18n( 14 )
+				);
+				?>
+				<?php
+				printf(
+					/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+						/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '5.1.1' )
+					)
+				);
+				?>
+			</p>
+		</div>
+
 		<h2 class="feature-section-header"><?php _e( 'A Little Better Every Day' ); ?></h2>
 
 		<div class="feature-section headline-feature one-col">
@@ -47,7 +121,7 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 
 		<div class="feature-section one-col is-wide wp-clearfix">
 			<div class="col">
-				<h3><?php _e( 'Site Health' ); ?></h2>
+				<h3><?php _e( 'Site Health' ); ?></h3>
 				<div class="inline-svg alignright">
 					<img src="https://s.w.org/images/core/5.1/site-health.svg" alt="">
 				</div>
@@ -68,7 +142,7 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 
 		<div class="feature-section one-col is-wide wp-clearfix">
 			<div class="col">
-				<h3><?php _e( 'Editor Performance' ); ?></h2>
+				<h3><?php _e( 'Editor Performance' ); ?></h3>
 				<div class="inline-svg alignright">
 					<img src="https://s.w.org/images/core/5.1/editor-performance.svg" alt="">
 				</div>

wp-admin/async-upload.php

@@ -22,7 +22,7 @@ if ( defined( 'ABSPATH' ) ) {
 
 require_once( ABSPATH . 'wp-admin/admin.php' );
 
-header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
+header( 'Content-Type: text/plain; charset=' . get_option( 'blog_charset' ) );
 
 if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
 	include( ABSPATH . 'wp-admin/includes/ajax-actions.php' );

wp-admin/css/nav-menus-rtl.css

@@ -161,7 +161,6 @@ ul.add-menu-item-tabs li {
 	margin-left: 20px;
 	margin-top: -3px;
 	width: 100%;
-	background: #f5f5f5;
 }
 
 #menu-management .menu-edit {
@@ -178,6 +177,7 @@ ul.add-menu-item-tabs li {
 #nav-menu-header,
 #nav-menu-footer {
 	padding: 0 10px;
+	background: #f5f5f5;
 }
 
 #nav-menu-header {

wp-admin/css/nav-menus.css

@@ -161,7 +161,6 @@ ul.add-menu-item-tabs li {
 	margin-right: 20px;
 	margin-top: -3px;
 	width: 100%;
-	background: #f5f5f5;
 }
 
 #menu-management .menu-edit {
@@ -178,6 +177,7 @@ ul.add-menu-item-tabs li {
 #nav-menu-header,
 #nav-menu-footer {
 	padding: 0 10px;
+	background: #f5f5f5;
 }
 
 #nav-menu-header {

wp-admin/includes/ajax-actions.php

@@ -1214,6 +1214,8 @@ function wp_ajax_replyto_comment( $action ) {
 			if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
 				kses_remove_filters(); // start with a clean slate
 				kses_init_filters(); // set up the filters
+				remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+				add_filter( 'pre_comment_content', 'wp_filter_kses' );
 			}
 		}
 	} else {
@@ -2301,7 +2303,7 @@ function wp_ajax_upload_attachment() {
 				'success' => false,
 				'data'    => array(
 					'message'  => __( 'Sorry, you are not allowed to upload files.' ),
-					'filename' => $_FILES['async-upload']['name'],
+					'filename' => esc_html( $_FILES['async-upload']['name'] ),
 				),
 			)
 		);
@@ -2317,7 +2319,7 @@ function wp_ajax_upload_attachment() {
 					'success' => false,
 					'data'    => array(
 						'message'  => __( 'Sorry, you are not allowed to attach files to this post.' ),
-						'filename' => $_FILES['async-upload']['name'],
+						'filename' => esc_html( $_FILES['async-upload']['name'] ),
 					),
 				)
 			);
@@ -2343,7 +2345,7 @@ function wp_ajax_upload_attachment() {
 					'success' => false,
 					'data'    => array(
 						'message'  => __( 'The uploaded file is not a valid image. Please try again.' ),
-						'filename' => $_FILES['async-upload']['name'],
+						'filename' => esc_html( $_FILES['async-upload']['name'] ),
 					),
 				)
 			);
@@ -2360,7 +2362,7 @@ function wp_ajax_upload_attachment() {
 				'success' => false,
 				'data'    => array(
 					'message'  => $attachment_id->get_error_message(),
-					'filename' => $_FILES['async-upload']['name'],
+					'filename' => esc_html( $_FILES['async-upload']['name'] ),
 				),
 			)
 		);

wp-admin/includes/class-wp-plugin-install-list-table.php

@@ -634,11 +634,11 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 			if ( ! $compatible_php || ! $compatible_wp ) {
 				echo '<div class="notice inline notice-error notice-alt"><p>';
 				if ( ! $compatible_php && ! $compatible_wp ) {
-					_e( 'This plugin doesn&#8217;t work with your versions of WordPress and PHP. ' );
+					_e( 'This plugin doesn&#8217;t work with your versions of WordPress and PHP.' );
 					if ( current_user_can( 'update_core' ) && current_user_can( 'update_php' ) ) {
 						printf(
 							/* translators: 1: "Update WordPress" screen URL, 2: "Update PHP" page URL */
-							__( '<a href="%1$s">Please update WordPress</a>, and then <a href="%2$s">learn more about updating PHP</a>.' ),
+							' ' . __( '<a href="%1$s">Please update WordPress</a>, and then <a href="%2$s">learn more about updating PHP</a>.' ),
 							self_admin_url( 'update-core.php' ),
 							esc_url( wp_get_update_php_url() )
 						);
@@ -646,32 +646,32 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 					} elseif ( current_user_can( 'update_core' ) ) {
 						printf(
 							/* translators: %s: "Update WordPress" screen URL */
-							__( '<a href="%s">Please update WordPress</a>.' ),
+							' ' . __( '<a href="%s">Please update WordPress</a>.' ),
 							self_admin_url( 'update-core.php' )
 						);
 					} elseif ( current_user_can( 'update_php' ) ) {
 						printf(
 							/* translators: %s: "Update PHP" page URL */
-							__( '<a href="%s">Learn more about updating PHP</a>.' ),
+							' ' . __( '<a href="%s">Learn more about updating PHP</a>.' ),
 							esc_url( wp_get_update_php_url() )
 						);
 						wp_update_php_annotation();
 					}
 				} elseif ( ! $compatible_wp ) {
-					_e( 'This plugin doesn&#8217;t work with your version of WordPress. ' );
+					_e( 'This plugin doesn&#8217;t work with your version of WordPress.' );
 					if ( current_user_can( 'update_core' ) ) {
 						printf(
 							/* translators: %s: "Update WordPress" screen URL */
-							__( '<a href="%s">Please update WordPress</a>.' ),
+							' ' . __( '<a href="%s">Please update WordPress</a>.' ),
 							self_admin_url( 'update-core.php' )
 						);
 					}
 				} elseif ( ! $compatible_php ) {
-					_e( 'This plugin doesn&#8217;t work with your version of PHP. ' );
+					_e( 'This plugin doesn&#8217;t work with your version of PHP.' );
 					if ( current_user_can( 'update_php' ) ) {
 						printf(
 							/* translators: %s: "Update PHP" page URL */
-							__( '<a href="%s">Learn more about updating PHP</a>.' ),
+							' ' . __( '<a href="%s">Learn more about updating PHP</a>.' ),
 							esc_url( wp_get_update_php_url() )
 						);
 						wp_update_php_annotation();

wp-admin/includes/dashboard.php

@@ -1646,6 +1646,7 @@ function wp_dashboard_php_nag() {
 	<?php
 
 	wp_update_php_annotation();
+	wp_direct_php_update_button();
 }
 
 /**

wp-admin/includes/misc.php

@@ -2016,6 +2016,7 @@ final class WP_Privacy_Policy_Content {
  * Checks if the user needs to update PHP.
  *
  * @since 5.1.0
+ * @since 5.1.1 Added the {@see 'wp_is_php_version_acceptable'} filter.
  *
  * @return array|false $response Array of PHP version data. False on failure.
  */
@@ -2054,5 +2055,22 @@ function wp_check_php_version() {
 		set_site_transient( 'php_check_' . $key, $response, WEEK_IN_SECONDS );
 	}
 
+	if ( isset( $response['is_acceptable'] ) && $response['is_acceptable'] ) {
+		/**
+		 * Filters whether the active PHP version is considered acceptable by WordPress.
+		 *
+		 * Returning false will trigger a PHP version warning to show up in the admin dashboard to administrators.
+		 *
+		 * This filter is only run if the wordpress.org Serve Happy API considers the PHP version acceptable, ensuring
+		 * that this filter can only make this check stricter, but not loosen it.
+		 *
+		 * @since 5.1.1
+		 *
+		 * @param bool   $is_acceptable Whether the PHP version is considered acceptable. Default true.
+		 * @param string $version       PHP version checked.
+		 */
+		$response['is_acceptable'] = (bool) apply_filters( 'wp_is_php_version_acceptable', true, $version );
+	}
+
 	return $response;
 }

wp-admin/js/widgets/custom-html-widgets.js

@@ -115,7 +115,7 @@ wp.customHtmlWidgets = ( function( $ ) {
 			control.contentUpdateBypassed = control.fields.content.is( document.activeElement ) || control.editor && control.editor.codemirror.state.focused || 0 !== control.currentErrorAnnotations.length;
 			if ( ! control.contentUpdateBypassed ) {
 				syncInput = control.syncContainer.find( '.sync-input.content' );
-				control.fields.content.val( syncInput.val() ).trigger( 'change' );
+				control.fields.content.val( syncInput.val() );
 			}
 		},
 

wp-admin/network/upgrade.php

@@ -57,15 +57,16 @@ switch ( $action ) {
 
 		$site_ids = get_sites(
 			array(
-				'spam'       => 0,
-				'deleted'    => 0,
-				'archived'   => 0,
-				'network_id' => get_current_network_id(),
-				'number'     => 5,
-				'offset'     => $n,
-				'fields'     => 'ids',
-				'order'      => 'DESC',
-				'orderby'    => 'id',
+				'spam'                   => 0,
+				'deleted'                => 0,
+				'archived'               => 0,
+				'network_id'             => get_current_network_id(),
+				'number'                 => 5,
+				'offset'                 => $n,
+				'fields'                 => 'ids',
+				'order'                  => 'DESC',
+				'orderby'                => 'id',
+				'update_site_meta_cache' => false,
 			)
 		);
 		if ( empty( $site_ids ) ) {

wp-includes/class-wp-query.php

@@ -529,7 +529,6 @@ class WP_Query {
 			'attachment',
 			'attachment_id',
 			'name',
-			'static',
 			'pagename',
 			'page_id',
 			'second',
@@ -793,7 +792,7 @@ class WP_Query {
 			// If year, month, day, hour, minute, and second are set, a single
 			// post is being queried.
 			$this->is_single = true;
-		} elseif ( '' != $qv['static'] || '' != $qv['pagename'] || ! empty( $qv['page_id'] ) ) {
+		} elseif ( '' != $qv['pagename'] || ! empty( $qv['page_id'] ) ) {
 			$this->is_page   = true;
 			$this->is_single = false;
 		} else {

wp-includes/class-wp.php

@@ -14,7 +14,7 @@ class WP {
 	 * @since 2.0.0
 	 * @var string[]
 	 */
-	public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
+	public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
 
 	/**
 	 * Private query variables.

wp-includes/comment.php

@@ -3243,6 +3243,8 @@ function wp_handle_comment_submission( $comment_data ) {
 			) {
 				kses_remove_filters(); // start with a clean slate
 				kses_init_filters(); // set up the filters
+				remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+				add_filter( 'pre_comment_content', 'wp_filter_kses' );
 			}
 		}
 	} else {

wp-includes/css/dist/block-library/editor-rtl.css

@@ -78,6 +78,8 @@
     width: 36px; }
   .block-library-button__inline-link .dashicon {
     color: #8f98a1; }
+  .block-library-button__inline-link .editor-url-input input[type="text"]::-webkit-input-placeholder {
+    color: #8f98a1; }
   .block-library-button__inline-link .editor-url-input input[type="text"]:-ms-input-placeholder {
     color: #8f98a1; }
   .block-library-button__inline-link .editor-url-input input[type="text"]::-ms-input-placeholder {

wp-includes/css/dist/block-library/editor.css

@@ -79,6 +79,8 @@
     width: 36px; }
   .block-library-button__inline-link .dashicon {
     color: #8f98a1; }
+  .block-library-button__inline-link .editor-url-input input[type="text"]::-webkit-input-placeholder {
+    color: #8f98a1; }
   .block-library-button__inline-link .editor-url-input input[type="text"]:-ms-input-placeholder {
     color: #8f98a1; }
   .block-library-button__inline-link .editor-url-input input[type="text"]::-ms-input-placeholder {

wp-includes/embed.php

@@ -586,8 +586,9 @@ function get_oembed_response_data_for_url( $url, $args ) {
 		);
 
 		$qv = array(
-			'domain' => $url_parts['host'],
-			'path'   => '/',
+			'domain'                 => $url_parts['host'],
+			'path'                   => '/',
+			'update_site_meta_cache' => false,
 		);
 
 		// In case of subdirectory configs, set the path.

wp-includes/formatting.php

@@ -3001,17 +3001,19 @@ function wp_rel_nofollow( $text ) {
  */
 function wp_rel_nofollow_callback( $matches ) {
 	$text = $matches[1];
-	$atts = shortcode_parse_atts( $matches[1] );
+	$atts = wp_kses_hair( $matches[1], wp_allowed_protocols() );
 	$rel  = 'nofollow';
 
-	if ( preg_match( '%href=["\'](' . preg_quote( set_url_scheme( home_url(), 'http' ) ) . ')%i', $text ) ||
-		preg_match( '%href=["\'](' . preg_quote( set_url_scheme( home_url(), 'https' ) ) . ')%i', $text ) ) {
-
-		return "<a $text>";
+	if ( ! empty( $atts['href'] ) ) {
+		if ( in_array( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_SCHEME ) ), array( 'http', 'https' ), true ) ) {
+			if ( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_HOST ) ) === strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) ) ) {
+				return "<a $text>";
+			}
+		}
 	}
 
 	if ( ! empty( $atts['rel'] ) ) {
-		$parts = array_map( 'trim', explode( ' ', $atts['rel'] ) );
+		$parts = array_map( 'trim', explode( ' ', $atts['rel']['value'] ) );
 		if ( false === array_search( 'nofollow', $parts ) ) {
 			$parts[] = 'nofollow';
 		}
@@ -3020,11 +3022,15 @@ function wp_rel_nofollow_callback( $matches ) {
 
 		$html = '';
 		foreach ( $atts as $name => $value ) {
-			$html .= "{$name}=\"$value\" ";
+			if ( isset( $value['vless'] ) && 'y' === $value['vless'] ) {
+				$html .= $name . ' ';
+			} else {
+				$html .= "{$name}=\"" . esc_attr( $value['value'] ) . '" ';
+			}
 		}
 		$text = trim( $html );
 	}
-	return "<a $text rel=\"$rel\">";
+	return "<a $text rel=\"" . esc_attr( $rel ) . '">';
 }
 
 /**

wp-includes/functions.php

@@ -1787,6 +1787,11 @@ function wp_mkdir_p( $target ) {
 		return @is_dir( $target );
 	}
 
+	// Do not allow path traversals.
+	if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
+		return false;
+	}
+
 	// We need to find the permissions of the parent folder that exists and inherit that.
 	$target_parent = dirname( $target );
 	while ( '.' != $target_parent && ! is_dir( $target_parent ) && dirname( $target_parent ) !== $target_parent ) {
@@ -6830,3 +6835,60 @@ function wp_update_php_annotation() {
 	);
 	echo'</p>';
 }
+
+/**
+ * Gets the URL for directly updating the PHP version the site is running on.
+ *
+ * A URL will only be returned if the `WP_DIRECT_UPDATE_PHP_URL` environment variable is specified or
+ * by using the {@see 'wp_direct_php_update_url'} filter. This allows hosts to send users directly to
+ * the page where they can update PHP to a newer version.
+ *
+ * @since 5.1.1
+ *
+ * @return string URL for directly updating PHP or empty string.
+ */
+function wp_get_direct_php_update_url() {
+	$direct_update_url = '';
+
+	if ( false !== getenv( 'WP_DIRECT_UPDATE_PHP_URL' ) ) {
+		$direct_update_url = getenv( 'WP_DIRECT_UPDATE_PHP_URL' );
+	}
+
+	/**
+	 * Filters the URL for directly updating the PHP version the site is running on from the host.
+	 *
+	 * @since 5.1.1
+	 *
+	 * @param string $direct_update_url URL for directly updating PHP.
+	 */
+	$direct_update_url = apply_filters( 'wp_direct_php_update_url', $direct_update_url );
+
+	return $direct_update_url;
+}
+
+/**
+ * Display a button directly linking to a PHP update process.
+ *
+ * This provides hosts with a way for users to be sent directly to their PHP update process.
+ *
+ * The button is only displayed if a URL is returned by `wp_get_direct_php_update_url()`.
+ *
+ * @since 5.1.1
+ */
+function wp_direct_php_update_button() {
+	$direct_update_url = wp_get_direct_php_update_url();
+
+	if ( empty( $direct_update_url ) ) {
+		return;
+	}
+
+	echo '<p class="button-container">';
+	printf(
+		'<a class="button button-primary" href="%1$s" target="_blank" rel="noopener noreferrer">%2$s <span class="screen-reader-text">%3$s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a>',
+		esc_url( $direct_update_url ),
+		__( 'Update PHP' ),
+		/* translators: accessibility text */
+		__( '(opens in a new tab)' )
+	);
+	echo '</p>';
+}

wp-includes/http.php

@@ -555,7 +555,7 @@ function wp_http_validate_url( $url ) {
 		} else {
 			$ip = gethostbyname( $host );
 			if ( $ip === $host ) { // Error condition for gethostbyname()
-				$ip = false;
+				return false;
 			}
 		}
 		if ( $ip ) {

wp-includes/js/comment-reply.js

@@ -32,7 +32,7 @@ window.addComment = ( function( window ) {
 	 * Check browser supports dataset.
 	 * !! sets the variable to true if the property exists.
 	 */
-	var supportsDataset = !! document.body.dataset;
+	var supportsDataset = !! document.documentElement.dataset;
 
 	// For holding the cancel element.
 	var cancelElement;
@@ -46,11 +46,24 @@ window.addComment = ( function( window ) {
 	// The mutation observer.
 	var observer;
 
-	// Initialise the events.
-	init();
+	if ( cutsTheMustard && document.readyState !== 'loading' ) {
+		ready();
+	} else if ( cutsTheMustard ) {
+		window.addEventListener( 'DOMContentLoaded', ready, false );
+	}
 
-	// Set up a MutationObserver to check for comments loaded late.
-	observeChanges();
+	/**
+	 * Sets up object variables after the DOM is ready.
+	 *
+	 * @since 5.1.1
+	 */
+	function ready() {
+		// Initialise the events.
+		init();
+
+		// Set up a MutationObserver to check for comments loaded late.
+		observeChanges();
+	}
 
 	/**
 	 * Add events to links classed .comment-reply-link.
@@ -163,6 +176,14 @@ window.addComment = ( function( window ) {
 			postId    = getDataAttribute( replyLink, 'postid'),
 			follow;
 
+		if ( ! commId || ! parentId || ! respondId || ! postId ) {
+			/*
+			 * Theme or plugin defines own link via custom `wp_list_comments()` callback
+			 * and calls `moveForm()` either directly or via a custom event hook.
+			 */
+			return;
+		}
+
 		/*
 		 * Third party comments systems can hook into this function via the global scope,
 		 * therefore the click event needs to reference the global scope.

wp-includes/js/comment-reply.min.js

@@ -1 +1 @@
-window.addComment=function(a){function b(a){if(s&&(l=i(q.cancelReplyId),m=i(q.commentFormId),l)){l.addEventListener("touchstart",d),l.addEventListener("click",d);for(var b,f=c(a),g=0,h=f.length;g<h;g++)b=f[g],b.addEventListener("touchstart",e),b.addEventListener("click",e)}}function c(a){var b,c=q.commentReplyClass;return a&&a.childNodes||(a=p),b=p.getElementsByClassName?a.getElementsByClassName(c):a.querySelectorAll("."+c)}function d(a){var b=this,c=q.temporaryFormId,d=i(c);d&&n&&(i(q.parentIdFieldId).value="0",d.parentNode.replaceChild(n,d),b.style.display="none",a.preventDefault())}function e(b){var c,d=this,e=h(d,"belowelement"),f=h(d,"commentid"),g=h(d,"respondelement"),i=h(d,"postid");c=a.addComment.moveForm(e,f,g,i),!1===c&&b.preventDefault()}function f(){if(r){var a={childList:!0,subTree:!0};o=new r(g),o.observe(p.body,a)}}function g(a){for(var c=a.length;c--;)if(a[c].addedNodes.length)return void b()}function h(a,b){return t?a.dataset[b]:a.getAttribute("data-"+b)}function i(a){return p.getElementById(a)}function j(b,c,d,e){var f=i(b);n=i(d);var g,h,j,o=i(q.parentIdFieldId),r=i(q.postIdFieldId);if(f&&n&&o){k(n),e&&r&&(r.value=e),o.value=c,l.style.display="",f.parentNode.insertBefore(n,f.nextSibling),l.onclick=function(){return!1};try{for(var s=0;s<m.elements.length;s++)if(g=m.elements[s],h=!1,"getComputedStyle"in a?j=a.getComputedStyle(g):p.documentElement.currentStyle&&(j=g.currentStyle),(g.offsetWidth<=0&&g.offsetHeight<=0||"hidden"===j.visibility)&&(h=!0),"hidden"!==g.type&&!g.disabled&&!h){g.focus();break}}catch(t){}return!1}}function k(a){var b=q.temporaryFormId,c=i(b);c||(c=p.createElement("div"),c.id=b,c.style.display="none",a.parentNode.insertBefore(c,a))}var l,m,n,o,p=a.document,q={commentReplyClass:"comment-reply-link",cancelReplyId:"cancel-comment-reply-link",commentFormId:"commentform",temporaryFormId:"wp-temp-form-div",parentIdFieldId:"comment_parent",postIdFieldId:"comment_post_ID"},r=a.MutationObserver||a.WebKitMutationObserver||a.MozMutationObserver,s="querySelector"in p&&"addEventListener"in a,t=!!p.body.dataset;return b(),f(),{init:b,moveForm:j}}(window);
+window.addComment=function(a){function b(){c(),g()}function c(a){if(t&&(m=j(r.cancelReplyId),n=j(r.commentFormId),m)){m.addEventListener("touchstart",e),m.addEventListener("click",e);for(var b,c=d(a),g=0,h=c.length;g<h;g++)b=c[g],b.addEventListener("touchstart",f),b.addEventListener("click",f)}}function d(a){var b,c=r.commentReplyClass;return a&&a.childNodes||(a=q),b=q.getElementsByClassName?a.getElementsByClassName(c):a.querySelectorAll("."+c)}function e(a){var b=this,c=r.temporaryFormId,d=j(c);d&&o&&(j(r.parentIdFieldId).value="0",d.parentNode.replaceChild(o,d),b.style.display="none",a.preventDefault())}function f(b){var c,d=this,e=i(d,"belowelement"),f=i(d,"commentid"),g=i(d,"respondelement"),h=i(d,"postid");e&&f&&g&&h&&(c=a.addComment.moveForm(e,f,g,h),!1===c&&b.preventDefault())}function g(){if(s){var a={childList:!0,subTree:!0};p=new s(h),p.observe(q.body,a)}}function h(a){for(var b=a.length;b--;)if(a[b].addedNodes.length)return void c()}function i(a,b){return u?a.dataset[b]:a.getAttribute("data-"+b)}function j(a){return q.getElementById(a)}function k(b,c,d,e){var f=j(b);o=j(d);var g,h,i,k=j(r.parentIdFieldId),p=j(r.postIdFieldId);if(f&&o&&k){l(o),e&&p&&(p.value=e),k.value=c,m.style.display="",f.parentNode.insertBefore(o,f.nextSibling),m.onclick=function(){return!1};try{for(var s=0;s<n.elements.length;s++)if(g=n.elements[s],h=!1,"getComputedStyle"in a?i=a.getComputedStyle(g):q.documentElement.currentStyle&&(i=g.currentStyle),(g.offsetWidth<=0&&g.offsetHeight<=0||"hidden"===i.visibility)&&(h=!0),"hidden"!==g.type&&!g.disabled&&!h){g.focus();break}}catch(t){}return!1}}function l(a){var b=r.temporaryFormId,c=j(b);c||(c=q.createElement("div"),c.id=b,c.style.display="none",a.parentNode.insertBefore(c,a))}var m,n,o,p,q=a.document,r={commentReplyClass:"comment-reply-link",cancelReplyId:"cancel-comment-reply-link",commentFormId:"commentform",temporaryFormId:"wp-temp-form-div",parentIdFieldId:"comment_parent",postIdFieldId:"comment_post_ID"},s=a.MutationObserver||a.WebKitMutationObserver||a.MozMutationObserver,t="querySelector"in q&&"addEventListener"in a,u=!!q.documentElement.dataset;return t&&"loading"!==q.readyState?b():t&&a.addEventListener("DOMContentLoaded",b,!1),{init:c,moveForm:k}}(window);

wp-includes/js/dist/block-library.js

@@ -11639,7 +11639,7 @@ var shortcode_settings = {
   attributes: {
     text: {
       type: 'string',
-      source: 'text'
+      source: 'html'
     }
   },
   transforms: {

wp-includes/kses.php

@@ -1657,6 +1657,7 @@ function wp_kses_html_error( $string ) {
  * @return string Sanitized content.
  */
 function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
+	$string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
 	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
 	if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
 		$string   = trim( $string2[1] );

wp-includes/ms-blogs.php

@@ -97,10 +97,11 @@ function get_id_from_blogname( $slug ) {
 
 	$site_ids = get_sites(
 		array(
-			'number' => 1,
-			'fields' => 'ids',
-			'domain' => $domain,
-			'path'   => $path,
+			'number'                 => 1,
+			'fields'                 => 'ids',
+			'domain'                 => $domain,
+			'path'                   => $path,
+			'update_site_meta_cache' => false,
 		)
 	);
 

wp-includes/ms-functions.php

@@ -345,10 +345,11 @@ function get_blog_id_from_url( $domain, $path = '/' ) {
 	}
 
 	$args   = array(
-		'domain' => $domain,
-		'path'   => $path,
-		'fields' => 'ids',
-		'number' => 1,
+		'domain'                 => $domain,
+		'path'                   => $path,
+		'fields'                 => 'ids',
+		'number'                 => 1,
+		'update_site_meta_cache' => false,
 	);
 	$result = get_sites( $args );
 	$id     = array_shift( $result );
@@ -1473,11 +1474,12 @@ Disable these notifications: %3$s'
 function domain_exists( $domain, $path, $network_id = 1 ) {
 	$path   = trailingslashit( $path );
 	$args   = array(
-		'network_id' => $network_id,
-		'domain'     => $domain,
-		'path'       => $path,
-		'fields'     => 'ids',
-		'number'     => 1,
+		'network_id'             => $network_id,
+		'domain'                 => $domain,
+		'path'                   => $path,
+		'fields'                 => 'ids',
+		'number'                 => 1,
+		'update_site_meta_cache' => false,
 	);
 	$result = get_sites( $args );
 	$result = array_shift( $result );
@@ -2433,11 +2435,12 @@ function wp_update_network_site_counts( $network_id = null ) {
 
 	$count = get_sites(
 		array(
-			'network_id' => $network_id,
-			'spam'       => 0,
-			'deleted'    => 0,
-			'archived'   => 0,
-			'count'      => true,
+			'network_id'             => $network_id,
+			'spam'                   => 0,
+			'deleted'                => 0,
+			'archived'               => 0,
+			'count'                  => true,
+			'update_site_meta_cache' => false,
 		)
 	);
 

wp-includes/ms-load.php

@@ -235,7 +235,8 @@ function get_site_by_path( $domain, $path, $segments = null ) {
 	}
 
 	$args = array(
-		'number' => 1,
+		'number'                 => 1,
+		'update_site_meta_cache' => false,
 	);
 
 	if ( count( $domains ) > 1 ) {

wp-includes/ms-site.php

@@ -52,23 +52,21 @@ function wp_insert_site( array $data ) {
 		'lang_id'      => 0,
 	);
 
-	// Extract the passed arguments that may be relevant for site initialization.
-	$args = array_diff_key( $data, $defaults );
-	if ( isset( $args['site_id'] ) ) {
-		unset( $args['site_id'] );
+	$prepared_data = wp_prepare_site_data( $data, $defaults );
+	if ( is_wp_error( $prepared_data ) ) {
+		return $prepared_data;
 	}
 
-	$data = wp_prepare_site_data( $data, $defaults );
-	if ( is_wp_error( $data ) ) {
-		return $data;
-	}
-
-	if ( false === $wpdb->insert( $wpdb->blogs, $data ) ) {
+	if ( false === $wpdb->insert( $wpdb->blogs, $prepared_data ) ) {
 		return new WP_Error( 'db_insert_error', __( 'Could not insert site into the database.' ), $wpdb->last_error );
 	}
 
 	$new_site = get_site( $wpdb->insert_id );
 
+	if ( ! $new_site ) {
+		return new WP_Error( 'get_site_error', __( 'Could not retrieve site data.' ) );
+	}
+
 	clean_blog_cache( $new_site );
 
 	/**
@@ -80,6 +78,12 @@ function wp_insert_site( array $data ) {
 	 */
 	do_action( 'wp_insert_site', $new_site );
 
+	// Extract the passed arguments that may be relevant for site initialization.
+	$args = array_diff_key( $data, $defaults );
+	if ( isset( $args['site_id'] ) ) {
+		unset( $args['site_id'] );
+	}
+
 	/**
 	 * Fires when a site's initialization routine should be executed.
 	 *
@@ -95,6 +99,16 @@ function wp_insert_site( array $data ) {
 		$user_id = ! empty( $args['user_id'] ) ? $args['user_id'] : 0;
 		$meta    = ! empty( $args['options'] ) ? $args['options'] : array();
 
+		// WPLANG was passed with `$meta` to the `wpmu_new_blog` hook prior to 5.1.0.
+		if ( ! array_key_exists( 'WPLANG', $meta ) ) {
+			$meta['WPLANG'] = get_network_option( $new_site->network_id, 'WPLANG' );
+		}
+
+		// Rebuild the data expected by the `wpmu_new_blog` hook prior to 5.1.0 using whitelisted keys.
+		// The `$site_data_whitelist` matches the one used in `wpmu_create_blog()`.
+		$site_data_whitelist = array( 'public', 'archived', 'mature', 'spam', 'deleted', 'lang_id' );
+		$meta                = array_merge( array_intersect_key( $data, array_flip( $site_data_whitelist ) ), $meta );
+
 		/**
 		 * Fires immediately after a new site is created.
 		 *
@@ -366,6 +380,10 @@ function update_site_cache( $sites, $update_meta_cache = true ) {
  * @return array|false Returns false if there is nothing to update. Returns an array of metadata on success.
  */
 function update_sitemeta_cache( $site_ids ) {
+	// Ensure this filter is hooked in even if the function is called early.
+	if ( ! has_filter( 'update_blog_metadata_cache', 'wp_check_site_meta_support_prefilter' ) ) {
+		add_filter( 'update_blog_metadata_cache', 'wp_check_site_meta_support_prefilter' );
+	}
 	return update_meta_cache( 'blog', $site_ids );
 }
 

wp-includes/pluggable.php

@@ -1092,7 +1092,7 @@ if ( ! function_exists( 'check_admin_referer' ) ) :
 	 *                   0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
 	 */
 	function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
-		if ( -1 == $action ) {
+		if ( -1 === $action ) {
 			_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
 		}
 
@@ -1111,7 +1111,7 @@ if ( ! function_exists( 'check_admin_referer' ) ) :
 		 */
 		do_action( 'check_admin_referer', $action, $result );
 
-		if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
+		if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
 			wp_nonce_ays( $action );
 			die();
 		}
@@ -1396,6 +1396,14 @@ if ( ! function_exists( 'wp_validate_redirect' ) ) :
 			return $default;
 		}
 
+		if ( ! isset( $lp['host'] ) && ! empty( $lp['path'] ) && '/' !== $lp['path'][0] ) {
+			$path = '';
+			if ( ! empty( $_SERVER['REQUEST_URI'] ) ) {
+				$path = dirname( parse_url( 'http://placeholder' . $_SERVER['REQUEST_URI'], PHP_URL_PATH ) . '?' );
+			}
+			$location = '/' . ltrim( $path . '/', '/' ) . $location;
+		}
+
 		// Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
 		if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
 			return $default;

wp-includes/post-template.php

@@ -338,26 +338,9 @@ function get_the_content( $more_link_text = null, $strip_teaser = false ) {
 		}
 	}
 
-	if ( $preview ) { // Preview fix for JavaScript bug with foreign languages.
-		$output = preg_replace_callback( '/\%u([0-9A-F]{4})/', '_convert_urlencoded_to_entities', $output );
-	}
-
 	return $output;
 }
 
-/**
- * Preview fix for JavaScript bug with foreign languages.
- *
- * @since 3.1.0
- * @access private
- *
- * @param array $match Match array from preg_replace_callback.
- * @return string
- */
-function _convert_urlencoded_to_entities( $match ) {
-	return '&#' . base_convert( $match[1], 16, 10 ) . ';';
-}
-
 /**
  * Display the post excerpt.
  *

wp-includes/rest-api.php

@@ -587,7 +587,9 @@ function rest_send_cors_headers( $value ) {
 		header( 'Access-Control-Allow-Origin: ' . $origin );
 		header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
 		header( 'Access-Control-Allow-Credentials: true' );
-		header( 'Vary: Origin' );
+		header( 'Vary: Origin', false );
+	} elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
+		header( 'Vary: Origin', false );
 	}
 
 	return $value;

wp-includes/script-loader.php

@@ -229,7 +229,7 @@ function wp_default_packages_scripts( &$scripts ) {
 		'annotations'                        => '1.0.8',
 		'autop'                              => '2.0.2',
 		'blob'                               => '2.1.0',
-		'block-library'                      => '2.2.16',
+		'block-library'                      => '2.2.18',
 		'block-serialization-default-parser' => '2.0.5',
 		'blocks'                             => '6.0.6',
 		'components'                         => '7.0.8',

wp-includes/user.php

@@ -680,8 +680,9 @@ function get_blogs_of_user( $user_id, $all = false ) {
 
 	if ( ! empty( $site_ids ) ) {
 		$args = array(
-			'number'   => '',
-			'site__in' => $site_ids,
+			'number'                 => '',
+			'site__in'               => $site_ids,
+			'update_site_meta_cache' => false,
 		);
 		if ( ! $all ) {
 			$args['archived'] = 0;

wp-includes/version.php

@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.1';
+$wp_version = '5.1.3';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.