Tag 5.3.4

Built from https://develop.svn.wordpress.org/tags/5.3.4@48008


git-svn-id: http://core.svn.wordpress.org/tags/5.3.4@47776 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/about.php

@@ -51,6 +51,56 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 		<div class="about__section changelog">
 			<div class="column">
 				<h2><?php _e( 'Maintenance and Security Releases' ); ?></h2>
+				<p>
+					<?php
+					printf(
+						/* translators: 1: WordPress version number, 2: plural number of bugs. More than one security issue. */
+						_n(
+							'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+							'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.',
+							2
+						),
+						'5.3.4',
+						number_format_i18n( 2 )
+					);
+					?>
+					<?php
+					printf(
+						/* translators: %s: HelpHub URL */
+						__( 'For more information, see <a href="%s">the release notes</a>.' ),
+						sprintf(
+							/* translators: %s: WordPress version */
+							esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+							sanitize_title( '5.3.4' )
+						)
+					);
+					?>
+				</p>
+				<p>
+					<?php
+					printf(
+						/* translators: 1: WordPress version number, 2: plural number of bugs. More than one security issue. */
+						_n(
+							'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+							'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.',
+							10
+						),
+						'5.3.3',
+						number_format_i18n( 10 )
+					);
+					?>
+					<?php
+					printf(
+						/* translators: %s: HelpHub URL */
+						__( 'For more information, see <a href="%s">the release notes</a>.' ),
+						sprintf(
+							/* translators: %s: WordPress version */
+							esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+							sanitize_title( '5.3.3' )
+						)
+					);
+					?>
+				</p>
 				<p>
 					<?php
 					printf(

wp-admin/css/common-rtl.css

@@ -3922,7 +3922,7 @@ img {
 
 	.fileedit-sub input[type="submit"] {
 		margin-bottom: 0px;
-		padding: 4px 18px;
+		padding: 0px 18px;
 	}
 
 	#documentation label[for="docs-list"] {

wp-admin/css/common.css

@@ -3922,7 +3922,7 @@ img {
 
 	.fileedit-sub input[type="submit"] {
 		margin-bottom: 0px;
-		padding: 4px 18px;
+		padding: 0px 18px;
 	}
 
 	#documentation label[for="docs-list"] {

wp-admin/css/edit-rtl.css

@@ -421,7 +421,7 @@ form#tags-filter {
 #timestampdiv select {
 	vertical-align: top;
 	font-size: 12px;
-	line-height: 1.5; /* 18px */
+	line-height: 2.33333333; /* 28px */
 }
 
 #aa, #jj, #hh, #mn {
@@ -1387,6 +1387,40 @@ table.links-table {
 	}
 }
 
+/* one column on the attachment editor screen */
+@media only screen and (max-width: 1200px) {
+	.post-type-attachment #poststuff {
+		min-width: 0;
+	}
+
+	.post-type-attachment #wpbody-content #poststuff #post-body {
+		margin: 0;
+	}
+
+	.post-type-attachment #wpbody-content #post-body.columns-2 #postbox-container-1 {
+		margin-left: 0;
+		width: 100%;
+	}
+
+	.post-type-attachment #poststuff #postbox-container-1 .empty-container,
+	.post-type-attachment #poststuff #postbox-container-1 #side-sortables:empty {
+		border: 0 none;
+		height: 0;
+		min-height: 0;
+	}
+
+	.post-type-attachment #poststuff #post-body.columns-2 #side-sortables {
+		min-height: 0;
+		width: auto;
+	}
+
+	/* hide the radio buttons for column prefs */
+	.post-type-attachment .screen-layout,
+	.post-type-attachment .columns-prefs {
+		display: none;
+	}
+}
+
 /* one column on the post write/edit screen */
 @media only screen and (max-width: 850px) {
 	#poststuff {

wp-admin/css/edit.css

@@ -421,7 +421,7 @@ form#tags-filter {
 #timestampdiv select {
 	vertical-align: top;
 	font-size: 12px;
-	line-height: 1.5; /* 18px */
+	line-height: 2.33333333; /* 28px */
 }
 
 #aa, #jj, #hh, #mn {
@@ -1387,6 +1387,40 @@ table.links-table {
 	}
 }
 
+/* one column on the attachment editor screen */
+@media only screen and (max-width: 1200px) {
+	.post-type-attachment #poststuff {
+		min-width: 0;
+	}
+
+	.post-type-attachment #wpbody-content #poststuff #post-body {
+		margin: 0;
+	}
+
+	.post-type-attachment #wpbody-content #post-body.columns-2 #postbox-container-1 {
+		margin-right: 0;
+		width: 100%;
+	}
+
+	.post-type-attachment #poststuff #postbox-container-1 .empty-container,
+	.post-type-attachment #poststuff #postbox-container-1 #side-sortables:empty {
+		border: 0 none;
+		height: 0;
+		min-height: 0;
+	}
+
+	.post-type-attachment #poststuff #post-body.columns-2 #side-sortables {
+		min-height: 0;
+		width: auto;
+	}
+
+	/* hide the radio buttons for column prefs */
+	.post-type-attachment .screen-layout,
+	.post-type-attachment .columns-prefs {
+		display: none;
+	}
+}
+
 /* one column on the post write/edit screen */
 @media only screen and (max-width: 850px) {
 	#poststuff {

wp-admin/css/forms-rtl.css

@@ -396,6 +396,10 @@ input[type="radio"].disabled:checked:before {
 	max-width: 100%;
 }
 
+.meta-box-sortables input {
+	vertical-align: middle;
+}
+
 .misc-pub-post-status select {
 	margin-top: 0;
 }

wp-admin/css/forms.css

@@ -396,6 +396,10 @@ input[type="radio"].disabled:checked:before {
 	max-width: 100%;
 }
 
+.meta-box-sortables input {
+	vertical-align: middle;
+}
+
 .misc-pub-post-status select {
 	margin-top: 0;
 }

wp-admin/css/install-rtl.css

@@ -115,10 +115,7 @@ label {
 	padding: 0;
 }
 .language-chooser.wp-core-ui .step .button.button-large {
-	height: 36px;
 	font-size: 14px;
-	line-height: 2.35714285;
-	vertical-align: middle;
 }
 textarea {
 	border: 1px solid #ddd;

wp-admin/css/install.css

@@ -115,10 +115,7 @@ label {
 	padding: 0;
 }
 .language-chooser.wp-core-ui .step .button.button-large {
-	height: 36px;
 	font-size: 14px;
-	line-height: 2.35714285;
-	vertical-align: middle;
 }
 textarea {
 	border: 1px solid #ddd;

wp-admin/css/media-rtl.css

@@ -852,6 +852,8 @@ border color while dragging a file over the uploader drop area */
 .wp_attachment_holder .imgedit-wrap .imgedit-panel-content {
 	float: right;
 	padding: 3px 0 0 16px;
+	min-width: 400px;
+	max-width: calc( 100% - 266px );
 }
 
 .wp_attachment_holder .imgedit-wrap .imgedit-settings {
@@ -1207,6 +1209,7 @@ audio, video {
 	.wp_attachment_holder .imgedit-wrap .imgedit-settings {
 		float: none;
 		width: auto;
+		max-width: none;
 	}
 }
 

wp-admin/css/media.css

@@ -852,6 +852,8 @@ border color while dragging a file over the uploader drop area */
 .wp_attachment_holder .imgedit-wrap .imgedit-panel-content {
 	float: left;
 	padding: 3px 16px 0 0;
+	min-width: 400px;
+	max-width: calc( 100% - 266px );
 }
 
 .wp_attachment_holder .imgedit-wrap .imgedit-settings {
@@ -1207,6 +1209,7 @@ audio, video {
 	.wp_attachment_holder .imgedit-wrap .imgedit-settings {
 		float: none;
 		width: auto;
+		max-width: none;
 	}
 }
 

wp-admin/includes/media.php

@@ -3212,7 +3212,7 @@ function edit_form_image_editor( $post ) {
 
 	?>
 	</label>
-	<?php wp_editor( $post->post_content, 'attachment_content', $editor_args ); ?>
+	<?php wp_editor( format_to_edit( $post->post_content ), 'attachment_content', $editor_args ); ?>
 
 	</div>
 	<?php

wp-admin/includes/misc.php

@@ -679,23 +679,46 @@ function set_screen_options() {
 				}
 				break;
 			default:
+				if ( '_page' === substr( $option, -5 ) || 'layout_columns' === $option ) {
+					/**
+					 * Filters a screen option value before it is set.
+					 *
+					 * The filter can also be used to modify non-standard [items]_per_page
+					 * settings. See the parent function for a full list of standard options.
+					 *
+					 * Returning false to the filter will skip saving the current option.
+					 *
+					 * @since 2.8.0
+					 * @since 5.4.2 Only applied to options ending with '_page',
+					 *              or the 'layout_columns' option.
+					 *
+					 * @see set_screen_options()
+					 *
+					 * @param bool   $keep   Whether to save or skip saving the screen option value.
+					 *                       Default false.
+					 * @param string $option The option name.
+					 * @param int    $value  The number of rows to use.
+					 */
+					$value = apply_filters( 'set-screen-option', false, $option, $value ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
+				}
+
 				/**
 				 * Filters a screen option value before it is set.
 				 *
-				 * The filter can also be used to modify non-standard [items]_per_page
-				 * settings. See the parent function for a full list of standard options.
+				 * The dynamic portion of the hook, `$option`, refers to the option name.
 				 *
 				 * Returning false to the filter will skip saving the current option.
 				 *
-				 * @since 2.8.0
+				 * @since 5.4.2
 				 *
 				 * @see set_screen_options()
 				 *
-				 * @param bool     $keep   Whether to save or skip saving the screen option value. Default false.
-				 * @param string   $option The option name.
-				 * @param int      $value  The number of rows to use.
+				 * @param bool   $keep   Whether to save or skip saving the screen option value.
+				 *                       Default false.
+				 * @param string $option The option name.
+				 * @param int    $value  The number of rows to use.
 				 */
-				$value = apply_filters( 'set-screen-option', false, $option, $value );  // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
+				$value = apply_filters( "set_screen_option_{$option}", false, $option, $value );
 
 				if ( false === $value ) {
 					return;

wp-admin/includes/theme.php

@@ -277,6 +277,7 @@ function get_theme_feature_list( $api = true ) {
 
 		__( 'Features' ) => array(
 			'accessibility-ready'   => __( 'Accessibility Ready' ),
+			'block-styles'          => __( 'Block Editor Styles' ),
 			'custom-background'     => __( 'Custom Background' ),
 			'custom-colors'         => __( 'Custom Colors' ),
 			'custom-header'         => __( 'Custom Header' ),
@@ -299,6 +300,7 @@ function get_theme_feature_list( $api = true ) {
 			'four-columns'  => __( 'Four Columns' ),
 			'left-sidebar'  => __( 'Left Sidebar' ),
 			'right-sidebar' => __( 'Right Sidebar' ),
+			'wide-blocks'   => __( 'Wide Blocks' ),
 		),
 
 	);

wp-admin/options-general.php

@@ -276,34 +276,20 @@ if ( empty( $tzstring ) ) { // Create a UTC+- zone if no timezone string exists
 	?>
 	<br />
 	<?php
-	$allowed_zones = timezone_identifiers_list();
+	if ( in_array( $tzstring, timezone_identifiers_list() ) ) {
+		$transitions = timezone_transitions_get( timezone_open( $tzstring ), time() );
 
-	if ( in_array( $tzstring, $allowed_zones ) ) {
-		$found                   = false;
-		$date_time_zone_selected = new DateTimeZone( $tzstring );
-		$tz_offset               = timezone_offset_get( $date_time_zone_selected, date_create() );
-		$right_now               = time();
-		foreach ( timezone_transitions_get( $date_time_zone_selected ) as $tr ) {
-			if ( $tr['ts'] > $right_now ) {
-				$found = true;
-				break;
-			}
-		}
-
-		if ( $found ) {
+		// 0 index is the state at current time, 1 index is the next transition, if any.
+		if ( ! empty( $transitions[1] ) ) {
 			echo ' ';
-			$message = $tr['isdst'] ?
+			$message = $transitions[1]['isdst'] ?
 				/* translators: %s: Date and time. */
 				__( 'Daylight saving time begins on: %s.' ) :
 				/* translators: %s: Date and time. */
 				__( 'Standard time begins on: %s.' );
-			// Add the difference between the current offset and the new offset to ts to get the correct transition time from date_i18n().
 			printf(
 				$message,
-				'<code>' . date_i18n(
-					__( 'F j, Y' ) . ' ' . __( 'g:i a' ),
-					$tr['ts'] + ( $tz_offset - $tr['offset'] )
-				) . '</code>'
+				'<code>' . wp_date( __( 'F j, Y' ) . ' ' . __( 'g:i a' ), $transitions[1]['ts'] ) . '</code>'
 			);
 		} else {
 			_e( 'This timezone does not observe daylight saving time.' );

wp-admin/themes.php

@@ -408,7 +408,7 @@ if ( ! is_multisite() && current_user_can( 'edit_themes' ) && $broken_themes ) {
 	</tr>
 	<?php foreach ( $broken_themes as $broken_theme ) : ?>
 		<tr>
-			<td><?php echo $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : $broken_theme->get_stylesheet(); ?></td>
+			<td><?php echo $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : esc_html( $broken_theme->get_stylesheet() ); ?></td>
 			<td><?php echo $broken_theme->errors()->get_error_message(); ?></td>
 			<?php
 			if ( $can_resume ) {

wp-admin/tools.php

@@ -18,24 +18,27 @@ if ( isset( $_GET['page'] ) && ! empty( $_POST ) ) {
 	}
 }
 
-/** WordPress Administration Bootstrap */
-require_once( dirname( __FILE__ ) . '/admin.php' );
-
 // The privacy policy guide used to be outputted from here. Since WP 5.3 it is in wp-admin/privacy-policy-guide.php.
 if ( isset( $_GET['wp-privacy-policy-guide'] ) ) {
+	require_once dirname( __DIR__ ) . '/wp-load.php';
 	wp_redirect( admin_url( 'privacy-policy-guide.php' ), 301 );
 	exit;
 } elseif ( isset( $_GET['page'] ) ) {
 	// These were also moved to files in WP 5.3.
 	if ( $_GET['page'] === 'export_personal_data' ) {
+		require_once dirname( __DIR__ ) . '/wp-load.php';
 		wp_redirect( admin_url( 'export-personal-data.php' ), 301 );
 		exit;
 	} elseif ( $_GET['page'] === 'remove_personal_data' ) {
+		require_once dirname( __DIR__ ) . '/wp-load.php';
 		wp_redirect( admin_url( 'erase-personal-data.php' ), 301 );
 		exit;
 	}
 }
 
+/** WordPress Administration Bootstrap */
+require_once( dirname( __FILE__ ) . '/admin.php' );
+
 $title = __( 'Tools' );
 
 get_current_screen()->add_help_tab(

wp-comments-post.php

@@ -56,8 +56,8 @@ do_action( 'set_comment_cookies', $comment, $user, $cookies_consent );
 
 $location = empty( $_POST['redirect_to'] ) ? get_comment_link( $comment ) : $_POST['redirect_to'] . '#comment-' . $comment->comment_ID;
 
-// Add specific query arguments to display the awaiting moderation message.
-if ( 'unapproved' === wp_get_comment_status( $comment ) && ! empty( $comment->comment_author_email ) ) {
+// If user didn't consent to cookies, add specific query arguments to display the awaiting moderation message.
+if ( ! $cookies_consent && 'unapproved' === wp_get_comment_status( $comment ) && ! empty( $comment->comment_author_email ) ) {
 	$location = add_query_arg(
 		array(
 			'unapproved'      => $comment->comment_ID,

wp-content/themes/twentynineteen/style-rtl.css

@@ -2786,7 +2786,8 @@ body.page .main-navigation {
   background: transparent;
   color: inherit;
   cursor: pointer;
-  transition: background 250ms ease-in-out, transform 150ms ease;
+  transition: background 250ms ease-in-out,
+ transform 150ms ease;
   -webkit-appearance: none;
   -moz-appearance: none;
 }

wp-content/themes/twentynineteen/style.css

@@ -5,7 +5,8 @@ Theme URI: https://wordpress.org/themes/twentynineteen/
 Author: the WordPress team
 Author URI: https://wordpress.org/
 Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom styles for all the default blocks, and is built so that what you see in the editor looks like what you'll see on your website. Twenty Nineteen is designed to be adaptable to a wide range of websites, whether you’re running a photo blog, launching a new business, or supporting a non-profit. Featuring ample whitespace and modern sans-serif headlines paired with classic serif body text, it's built to be beautiful on all screen sizes.
-Requires at least: WordPress 4.9.6
+Requires at least: 4.9.6
+Requires PHP: 5.2.4
 Version: 1.4
 License: GNU General Public License v2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -2785,7 +2786,8 @@ body.page .main-navigation {
   background: transparent;
   color: inherit;
   cursor: pointer;
-  transition: background 250ms ease-in-out, transform 150ms ease;
+  transition: background 250ms ease-in-out,
+ transform 150ms ease;
   -webkit-appearance: none;
   -moz-appearance: none;
 }

wp-content/themes/twentynineteen/style.scss

@@ -4,7 +4,8 @@ Theme URI: https://wordpress.org/themes/twentynineteen/
 Author: the WordPress team
 Author URI: https://wordpress.org/
 Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom styles for all the default blocks, and is built so that what you see in the editor looks like what you'll see on your website. Twenty Nineteen is designed to be adaptable to a wide range of websites, whether you’re running a photo blog, launching a new business, or supporting a non-profit. Featuring ample whitespace and modern sans-serif headlines paired with classic serif body text, it's built to be beautiful on all screen sizes.
-Requires at least: WordPress 4.9.6
+Requires at least: 4.9.6
+Requires PHP: 5.2.4
 Version: 1.4
 License: GNU General Public License v2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html

wp-includes/blocks/rss.php

@@ -96,7 +96,7 @@ function render_block_core_rss( $attributes ) {
 		$class .= ' ' . $attributes['className'];
 	}
 
-	$list_items_markup = "<ul class='{$class}'>{$list_items}</ul>";
+	$list_items_markup = sprintf( "<ul class='%s'>%s</ul>", esc_attr( $class ), $list_items );
 
 	// PHP 5.2 compatibility. See: http://simplepie.org/wiki/faq/i_m_getting_memory_leaks.
 	$rss->__destruct();

wp-includes/blocks/search.php

@@ -52,7 +52,7 @@ function render_block_core_search( $attributes ) {
 
 	return sprintf(
 		'<form class="%s" role="search" method="get" action="%s">%s</form>',
-		$class,
+		esc_attr( $class ),
 		esc_url( home_url( '/' ) ),
 		$label_markup . $input_markup . $button_markup
 	);

wp-includes/cache.php

@@ -695,7 +695,7 @@ class WP_Object_Cache {
 		echo '</p>';
 		echo '<ul>';
 		foreach ( $this->cache as $group => $cache ) {
-			echo "<li><strong>Group:</strong> $group - ( " . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
+			echo '<li><strong>Group:</strong> ' . esc_html( $group ) . ' - ( ' . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
 		}
 		echo '</ul>';
 	}

wp-includes/class-walker-comment.php

@@ -181,7 +181,11 @@ class Walker_Comment extends Walker {
 			return;
 		}
 
-		if ( ( 'pingback' == $comment->comment_type || 'trackback' == $comment->comment_type ) && $args['short_ping'] ) {
+		if ( 'comment' === $comment->comment_type ) {
+			add_filter( 'comment_text', array( $this, 'filter_comment_text' ), 40, 2 );
+		}
+
+		if ( ( 'pingback' === $comment->comment_type || 'trackback' === $comment->comment_type ) && $args['short_ping'] ) {
 			ob_start();
 			$this->ping( $comment, $depth, $args );
 			$output .= ob_get_clean();
@@ -194,6 +198,10 @@ class Walker_Comment extends Walker {
 			$this->comment( $comment, $depth, $args );
 			$output .= ob_get_clean();
 		}
+
+		if ( 'comment' === $comment->comment_type ) {
+			remove_filter( 'comment_text', array( $this, 'filter_comment_text' ), 40, 2 );
+		}
 	}
 
 	/**
@@ -244,6 +252,29 @@ class Walker_Comment extends Walker {
 		<?php
 	}
 
+	/**
+	 * Filters the comment text.
+	 *
+	 * Removes links from the pending comment's text if the commenter did not consent
+	 * to the comment cookies.
+	 *
+	 * @since 5.4.2
+	 *
+	 * @param string          $comment_text Text of the current comment.
+	 * @param WP_Comment|null $comment      The comment object. Null if not found.
+	 * @return string Filtered text of the current comment.
+	 */
+	public function filter_comment_text( $comment_text, $comment ) {
+		$commenter          = wp_get_current_commenter();
+		$show_pending_links = ! empty( $commenter['comment_author'] );
+
+		if ( $comment && '0' == $comment->comment_approved && ! $show_pending_links ) {
+			$comment_text = wp_kses( $comment_text, array() );
+		}
+
+		return $comment_text;
+	}
+
 	/**
 	 * Outputs a single comment.
 	 *
@@ -264,13 +295,14 @@ class Walker_Comment extends Walker {
 			$add_below = 'div-comment';
 		}
 
-		$commenter = wp_get_current_commenter();
+		$commenter          = wp_get_current_commenter();
+		$show_pending_links = isset( $commenter['comment_author'] ) && $commenter['comment_author'];
+
 		if ( $commenter['comment_author_email'] ) {
 			$moderation_note = __( 'Your comment is awaiting moderation.' );
 		} else {
 			$moderation_note = __( 'Your comment is awaiting moderation. This is a preview, your comment will be visible after it has been approved.' );
 		}
-
 		?>
 		<<?php echo $tag; ?> <?php comment_class( $this->has_children ? 'parent' : '', $comment ); ?> id="comment-<?php comment_ID(); ?>">
 		<?php if ( 'div' != $args['style'] ) : ?>
@@ -279,14 +311,21 @@ class Walker_Comment extends Walker {
 		<div class="comment-author vcard">
 			<?php
 			if ( 0 != $args['avatar_size'] ) {
-				echo get_avatar( $comment, $args['avatar_size'] );}
+				echo get_avatar( $comment, $args['avatar_size'] );
+			}
 			?>
 			<?php
-				printf(
-					/* translators: %s: Comment author link. */
-					__( '%s <span class="says">says:</span>' ),
-					sprintf( '<cite class="fn">%s</cite>', get_comment_author_link( $comment ) )
-				);
+			$comment_author = get_comment_author_link( $comment );
+
+			if ( '0' == $comment->comment_approved && ! $show_pending_links ) {
+				$comment_author = get_comment_author( $comment );
+			}
+
+			printf(
+				/* translators: %s: Comment author link. */
+				__( '%s <span class="says">says:</span>' ),
+				sprintf( '<cite class="fn">%s</cite>', $comment_author )
+			);
 			?>
 		</div>
 		<?php if ( '0' == $comment->comment_approved ) : ?>
@@ -354,13 +393,14 @@ class Walker_Comment extends Walker {
 	protected function html5_comment( $comment, $depth, $args ) {
 		$tag = ( 'div' === $args['style'] ) ? 'div' : 'li';
 
-		$commenter = wp_get_current_commenter();
+		$commenter          = wp_get_current_commenter();
+		$show_pending_links = ! empty( $commenter['comment_author'] );
+
 		if ( $commenter['comment_author_email'] ) {
 			$moderation_note = __( 'Your comment is awaiting moderation.' );
 		} else {
 			$moderation_note = __( 'Your comment is awaiting moderation. This is a preview, your comment will be visible after it has been approved.' );
 		}
-
 		?>
 		<<?php echo $tag; ?> id="comment-<?php comment_ID(); ?>" <?php comment_class( $this->has_children ? 'parent' : '', $comment ); ?>>
 			<article id="div-comment-<?php comment_ID(); ?>" class="comment-body">
@@ -372,11 +412,17 @@ class Walker_Comment extends Walker {
 						}
 						?>
 						<?php
-							printf(
-								/* translators: %s: Comment author link. */
-								__( '%s <span class="says">says:</span>' ),
-								sprintf( '<b class="fn">%s</b>', get_comment_author_link( $comment ) )
-							);
+						$comment_author = get_comment_author_link( $comment );
+
+						if ( '0' == $comment->comment_approved && ! $show_pending_links ) {
+							$comment_author = get_comment_author( $comment );
+						}
+
+						printf(
+							/* translators: %s: Comment author link. */
+							__( '%s <span class="says">says:</span>' ),
+							sprintf( '<b class="fn">%s</b>', $comment_author )
+						);
 						?>
 					</div><!-- .comment-author -->
 
@@ -402,18 +448,20 @@ class Walker_Comment extends Walker {
 				</div><!-- .comment-content -->
 
 				<?php
-				comment_reply_link(
-					array_merge(
-						$args,
-						array(
-							'add_below' => 'div-comment',
-							'depth'     => $depth,
-							'max_depth' => $args['max_depth'],
-							'before'    => '<div class="reply">',
-							'after'     => '</div>',
+				if ( '1' == $comment->comment_approved || $show_pending_links ) {
+					comment_reply_link(
+						array_merge(
+							$args,
+							array(
+								'add_below' => 'div-comment',
+								'depth'     => $depth,
+								'max_depth' => $args['max_depth'],
+								'before'    => '<div class="reply">',
+								'after'     => '</div>',
+							)
 						)
-					)
-				);
+					);
+				}
 				?>
 			</article><!-- .comment-body -->
 		<?php

wp-includes/class-wp-comment-query.php

@@ -553,10 +553,15 @@ class WP_Comment_Query {
 				// Numeric values are assumed to be user ids.
 				if ( is_numeric( $unapproved_identifier ) ) {
 					$approved_clauses[] = $wpdb->prepare( "( user_id = %d AND comment_approved = '0' )", $unapproved_identifier );
-
-					// Otherwise we match against email addresses.
 				} else {
-					$approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' )", $unapproved_identifier );
+					// Otherwise we match against email addresses.
+					if ( ! empty( $_GET['unapproved'] ) && ! empty( $_GET['moderation-hash'] ) ) {
+						// Only include requested comment.
+						$approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' AND comment_ID = %d )", $unapproved_identifier, (int) $_GET['unapproved'] );
+					} else {
+						// Include all of the author's unapproved comments.
+						$approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' )", $unapproved_identifier );
+					}
 				}
 			}
 		}

wp-includes/class-wp-customize-manager.php

@@ -2923,22 +2923,11 @@ final class WP_Customize_Manager {
 		add_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ), 5, 3 );
 
 		/*
-		 * Update the changeset post. The publish_customize_changeset action
-		 * will cause the settings in the changeset to be saved via
-		 * WP_Customize_Setting::save().
+		 * Update the changeset post. The publish_customize_changeset action will cause the settings in the
+		 * changeset to be saved via WP_Customize_Setting::save(). Updating a post with publish status will
+		 * trigger WP_Customize_Manager::publish_changeset_values().
 		 */
-
-		// Prevent content filters from corrupting JSON in post_content.
-		$has_kses = ( false !== has_filter( 'content_save_pre', 'wp_filter_post_kses' ) );
-		if ( $has_kses ) {
-			kses_remove_filters();
-		}
-		$has_targeted_link_rel_filters = ( false !== has_filter( 'content_save_pre', 'wp_targeted_link_rel' ) );
-		if ( $has_targeted_link_rel_filters ) {
-			wp_remove_targeted_link_rel_filters();
-		}
-
-		// Note that updating a post with publish status will trigger WP_Customize_Manager::publish_changeset_values().
+		add_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5, 3 );
 		if ( $changeset_post_id ) {
 			if ( $args['autosave'] && 'auto-draft' !== get_post_status( $changeset_post_id ) ) {
 				// See _wp_translate_postdata() for why this is required as it will use the edit_post meta capability.
@@ -2965,14 +2954,7 @@ final class WP_Customize_Manager {
 				$this->_changeset_post_id = $r; // Update cached post ID for the loaded changeset.
 			}
 		}
-
-		// Restore removed content filters.
-		if ( $has_kses ) {
-			kses_init_filters();
-		}
-		if ( $has_targeted_link_rel_filters ) {
-			wp_init_targeted_link_rel_filters();
-		}
+		remove_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5 );
 
 		$this->_changeset_data = null; // Reset so WP_Customize_Manager::changeset_data() will re-populate with updated contents.
 
@@ -2990,6 +2972,51 @@ final class WP_Customize_Manager {
 		return $response;
 	}
 
+	/**
+	 * Preserve the initial JSON post_content passed to save into the post.
+	 *
+	 * This is needed to prevent KSES and other {@see 'content_save_pre'} filters
+	 * from corrupting JSON data.
+	 *
+	 * Note that WP_Customize_Manager::validate_setting_values() have already
+	 * run on the setting values being serialized as JSON into the post content
+	 * so it is pre-sanitized.
+	 *
+	 * Also, the sanitization logic is re-run through the respective
+	 * WP_Customize_Setting::sanitize() method when being read out of the
+	 * changeset, via WP_Customize_Manager::post_value(), and this sanitized
+	 * value will also be sent into WP_Customize_Setting::update() for
+	 * persisting to the DB.
+	 *
+	 * Multiple users can collaborate on a single changeset, where one user may
+	 * have the unfiltered_html capability but another may not. A user with
+	 * unfiltered_html may add a script tag to some field which needs to be kept
+	 * intact even when another user updates the changeset to modify another field
+	 * when they do not have unfiltered_html.
+	 *
+	 * @since 5.4.1
+	 *
+	 * @param array $data                An array of slashed and processed post data.
+	 * @param array $postarr             An array of sanitized (and slashed) but otherwise unmodified post data.
+	 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as originally passed to wp_insert_post().
+	 * @return array Filtered post data.
+	 */
+	public function preserve_insert_changeset_post_content( $data, $postarr, $unsanitized_postarr ) {
+		if (
+			isset( $data['post_type'] ) &&
+			isset( $unsanitized_postarr['post_content'] ) &&
+			'customize_changeset' === $data['post_type'] ||
+			(
+				'revision' === $data['post_type'] &&
+				! empty( $data['post_parent'] ) &&
+				'customize_changeset' === get_post_type( $data['post_parent'] )
+			)
+		) {
+			$data['post_content'] = $unsanitized_postarr['post_content'];
+		}
+		return $data;
+	}
+
 	/**
 	 * Trash or delete a changeset post.
 	 *

wp-includes/class-wp-query.php

@@ -800,10 +800,6 @@ class WP_Query {
 			$this->is_single = true;
 		} elseif ( $qv['p'] ) {
 			$this->is_single = true;
-		} elseif ( ( '' !== $qv['hour'] ) && ( '' !== $qv['minute'] ) && ( '' !== $qv['second'] ) && ( '' != $qv['year'] ) && ( '' != $qv['monthnum'] ) && ( '' != $qv['day'] ) ) {
-			// If year, month, day, hour, minute, and second are set, a single
-			// post is being queried.
-			$this->is_single = true;
 		} elseif ( '' != $qv['pagename'] || ! empty( $qv['page_id'] ) ) {
 			$this->is_page   = true;
 			$this->is_single = false;

wp-includes/class-wp.php

@@ -403,6 +403,10 @@ class WP {
 
 		if ( is_user_logged_in() ) {
 			$headers = array_merge( $headers, wp_get_nocache_headers() );
+		} elseif ( ! empty( $_GET['unapproved'] ) && ! empty( $_GET['moderation-hash'] ) ) {
+			// Unmoderated comments are only visible for one minute via the moderation hash.
+			$headers['Expires']       = gmdate( 'D, d M Y H:i:s', time() + MINUTE_IN_SECONDS );
+			$headers['Cache-Control'] = 'max-age=60, must-revalidate';
 		}
 		if ( ! empty( $this->query_vars['error'] ) ) {
 			$status = (int) $this->query_vars['error'];

wp-includes/comment-template.php

@@ -593,8 +593,13 @@ function comment_date( $d = '', $comment_ID = 0 ) {
  * @return string The possibly truncated comment excerpt.
  */
 function get_comment_excerpt( $comment_ID = 0 ) {
-	$comment      = get_comment( $comment_ID );
-	$comment_text = strip_tags( str_replace( array( "\n", "\r" ), ' ', $comment->comment_content ) );
+	$comment = get_comment( $comment_ID );
+
+	if ( ! post_password_required( $comment->comment_post_ID ) ) {
+		$comment_text = strip_tags( str_replace( array( "\n", "\r" ), ' ', $comment->comment_content ) );
+	} else {
+		$comment_text = __( 'Password protected' );
+	}
 
 	/* translators: Maximum number of words used in a comment excerpt. */
 	$comment_excerpt_length = intval( _x( '20', 'comment_excerpt_length' ) );
@@ -997,7 +1002,7 @@ function comment_text( $comment_ID = 0, $args = array() ) {
 	 * @see Walker_Comment::comment()
 	 *
 	 * @param string          $comment_text Text of the current comment.
-	 * @param WP_Comment|null $comment      The comment object.
+	 * @param WP_Comment|null $comment      The comment object. Null if not found.
 	 * @param array           $args         An array of arguments.
 	 */
 	echo apply_filters( 'comment_text', $comment_text, $comment, $args );

wp-includes/comment.php

@@ -1831,7 +1831,12 @@ function wp_get_unapproved_comment_author_email() {
 		$comment    = get_comment( $comment_id );
 
 		if ( $comment && hash_equals( $_GET['moderation-hash'], wp_hash( $comment->comment_date_gmt ) ) ) {
-			$commenter_email = $comment->comment_author_email;
+			// The comment will only be viewable by the comment author for 1 minute.
+			$comment_preview_expires = strtotime( $comment->comment_date_gmt . '+1 minute' );
+
+			if ( time() < $comment_preview_expires ) {
+				$commenter_email = $comment->comment_author_email;
+			}
 		}
 	}
 

wp-includes/css/dist/block-library/editor-rtl.css

@@ -180,7 +180,7 @@ div[data-type="core/button"] div[data-block] {
       display: flex;
       flex-direction: column;
       flex: 1 1 auto; }
-      @supports ((position: -webkit-sticky) or (position: sticky)) {
+      @supports (position: sticky) {
         .wp-block-columns > .editor-inner-blocks > .editor-block-list__layout > [data-type="core/column"],
         .wp-block-columns > .editor-inner-blocks > .editor-block-list__layout > [data-type="core/column"] > .editor-block-list__block-edit,
         .wp-block-columns > .editor-inner-blocks > .editor-block-list__layout > [data-type="core/column"] > .editor-block-list__block-edit > div[data-block],
@@ -600,7 +600,6 @@ div[data-type="core/freeform"].is-selected .block-library-rich-text__tinymce::af
   display: none;
   width: auto;
   margin: 0 -14px;
-  position: -webkit-sticky;
   position: sticky;
   z-index: 10;
   top: 14px;
@@ -698,7 +697,7 @@ body.admin-color-light .blocks-gallery-item figure.is-selected {
   max-height: 100%;
   overflow-y: auto; }
 
-@supports ((position: -webkit-sticky) or (position: sticky)) {
+@supports (position: sticky) {
   .blocks-gallery-item .is-selected .block-editor-rich-text {
     left: 0;
     right: 0;
@@ -1135,7 +1134,6 @@ figure.block-library-media-text__media-container {
 .wp-block-navigation-menu {
   display: -ms-grid;
   display: grid;
-  grid-auto-columns: -webkit-min-content;
   grid-auto-columns: min-content;
   grid-auto-flow: column;
   align-items: center;
@@ -1148,7 +1146,6 @@ figure.block-library-media-text__media-container {
 .wp-block-navigation-menu-item__edit-container {
   display: -ms-grid;
   display: grid;
-  grid-auto-columns: -webkit-min-content;
   grid-auto-columns: min-content;
   grid-auto-flow: column;
   align-items: center;

wp-includes/css/dist/block-library/editor.css

@@ -181,7 +181,7 @@ div[data-type="core/button"] div[data-block] {
       display: flex;
       flex-direction: column;
       flex: 1 1 auto; }
-      @supports ((position: -webkit-sticky) or (position: sticky)) {
+      @supports (position: sticky) {
         .wp-block-columns > .editor-inner-blocks > .editor-block-list__layout > [data-type="core/column"],
         .wp-block-columns > .editor-inner-blocks > .editor-block-list__layout > [data-type="core/column"] > .editor-block-list__block-edit,
         .wp-block-columns > .editor-inner-blocks > .editor-block-list__layout > [data-type="core/column"] > .editor-block-list__block-edit > div[data-block],
@@ -605,7 +605,6 @@ div[data-type="core/freeform"].is-selected .block-library-rich-text__tinymce::af
   display: none;
   width: auto;
   margin: 0 -14px;
-  position: -webkit-sticky;
   position: sticky;
   z-index: 10;
   top: 14px;
@@ -703,7 +702,7 @@ body.admin-color-light .blocks-gallery-item figure.is-selected {
   max-height: 100%;
   overflow-y: auto; }
 
-@supports ((position: -webkit-sticky) or (position: sticky)) {
+@supports (position: sticky) {
   .blocks-gallery-item .is-selected .block-editor-rich-text {
     right: 0;
     left: 0;
@@ -1140,7 +1139,6 @@ figure.block-library-media-text__media-container {
 .wp-block-navigation-menu {
   display: -ms-grid;
   display: grid;
-  grid-auto-columns: -webkit-min-content;
   grid-auto-columns: min-content;
   grid-auto-flow: column;
   align-items: center;
@@ -1153,7 +1151,6 @@ figure.block-library-media-text__media-container {
 .wp-block-navigation-menu-item__edit-container {
   display: -ms-grid;
   display: grid;
-  grid-auto-columns: -webkit-min-content;
   grid-auto-columns: min-content;
   grid-auto-flow: column;
   align-items: center;

wp-includes/css/dist/block-library/style-rtl.css

@@ -238,7 +238,7 @@
     content: "";
     font-size: 0;
     min-height: inherit; }
-    @supports ((position: -webkit-sticky) or (position: sticky)) {
+    @supports (position: sticky) {
       .wp-block-cover-image::after,
       .wp-block-cover::after {
         content: none; } }
@@ -442,7 +442,7 @@ section.wp-block-cover-image > h2,
     .blocks-gallery-grid .blocks-gallery-item figure {
       margin: 0;
       height: 100%; }
-      @supports ((position: -webkit-sticky) or (position: sticky)) {
+      @supports (position: sticky) {
         .wp-block-gallery .blocks-gallery-image figure,
         .wp-block-gallery .blocks-gallery-item figure,
         .blocks-gallery-grid .blocks-gallery-image figure,
@@ -462,7 +462,7 @@ section.wp-block-cover-image > h2,
     .blocks-gallery-grid .blocks-gallery-image img,
     .blocks-gallery-grid .blocks-gallery-item img {
       width: 100%; }
-      @supports ((position: -webkit-sticky) or (position: sticky)) {
+      @supports (position: sticky) {
         .wp-block-gallery .blocks-gallery-image img,
         .wp-block-gallery .blocks-gallery-item img,
         .blocks-gallery-grid .blocks-gallery-image img,
@@ -496,7 +496,7 @@ section.wp-block-cover-image > h2,
   .blocks-gallery-grid.is-cropped .blocks-gallery-item a,
   .blocks-gallery-grid.is-cropped .blocks-gallery-item img {
     width: 100%; }
-    @supports ((position: -webkit-sticky) or (position: sticky)) {
+    @supports (position: sticky) {
       .wp-block-gallery.is-cropped .blocks-gallery-image a,
       .wp-block-gallery.is-cropped .blocks-gallery-image img,
       .wp-block-gallery.is-cropped .blocks-gallery-item a,
@@ -688,19 +688,15 @@ section.wp-block-cover-image > h2,
 
 .is-style-circle-mask img {
   border-radius: 9999px; }
-  @supports ((-webkit-mask-image: none) or (mask-image: none)) or (-webkit-mask-image: none) {
+  @supports (mask-image: none) or (-webkit-mask-image: none) {
     .is-style-circle-mask img {
       /* stylelint-disable */
-      -webkit-mask-image: url('data:image/svg+xml;utf8,<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="50"/></svg>');
-              mask-image: url('data:image/svg+xml;utf8,<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="50"/></svg>');
+      mask-image: url('data:image/svg+xml;utf8,<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="50"/></svg>');
       /* stylelint-enable */
       mask-mode: alpha;
-      -webkit-mask-repeat: no-repeat;
-              mask-repeat: no-repeat;
-      -webkit-mask-size: contain;
-              mask-size: contain;
-      -webkit-mask-position: center;
-              mask-position: center;
+      mask-repeat: no-repeat;
+      mask-size: contain;
+      mask-position: center;
       border-radius: none; } }
 
 .wp-block-latest-comments__comment {
@@ -1415,7 +1411,7 @@ pre.wp-block-verse {
   margin-left: 0; }
   .wp-block-video video {
     max-width: 100%; }
-  @supports ((position: -webkit-sticky) or (position: sticky)) {
+  @supports (position: sticky) {
     .wp-block-video [poster] {
       -o-object-fit: cover;
          object-fit: cover; } }

wp-includes/css/dist/block-library/style.css

@@ -241,7 +241,7 @@
     content: "";
     font-size: 0;
     min-height: inherit; }
-    @supports ((position: -webkit-sticky) or (position: sticky)) {
+    @supports (position: sticky) {
       .wp-block-cover-image::after,
       .wp-block-cover::after {
         content: none; } }
@@ -446,7 +446,7 @@ section.wp-block-cover-image > h2,
     .blocks-gallery-grid .blocks-gallery-item figure {
       margin: 0;
       height: 100%; }
-      @supports ((position: -webkit-sticky) or (position: sticky)) {
+      @supports (position: sticky) {
         .wp-block-gallery .blocks-gallery-image figure,
         .wp-block-gallery .blocks-gallery-item figure,
         .blocks-gallery-grid .blocks-gallery-image figure,
@@ -466,7 +466,7 @@ section.wp-block-cover-image > h2,
     .blocks-gallery-grid .blocks-gallery-image img,
     .blocks-gallery-grid .blocks-gallery-item img {
       width: 100%; }
-      @supports ((position: -webkit-sticky) or (position: sticky)) {
+      @supports (position: sticky) {
         .wp-block-gallery .blocks-gallery-image img,
         .wp-block-gallery .blocks-gallery-item img,
         .blocks-gallery-grid .blocks-gallery-image img,
@@ -500,7 +500,7 @@ section.wp-block-cover-image > h2,
   .blocks-gallery-grid.is-cropped .blocks-gallery-item a,
   .blocks-gallery-grid.is-cropped .blocks-gallery-item img {
     width: 100%; }
-    @supports ((position: -webkit-sticky) or (position: sticky)) {
+    @supports (position: sticky) {
       .wp-block-gallery.is-cropped .blocks-gallery-image a,
       .wp-block-gallery.is-cropped .blocks-gallery-image img,
       .wp-block-gallery.is-cropped .blocks-gallery-item a,
@@ -696,19 +696,15 @@ section.wp-block-cover-image > h2,
 
 .is-style-circle-mask img {
   border-radius: 9999px; }
-  @supports ((-webkit-mask-image: none) or (mask-image: none)) or (-webkit-mask-image: none) {
+  @supports (mask-image: none) or (-webkit-mask-image: none) {
     .is-style-circle-mask img {
       /* stylelint-disable */
-      -webkit-mask-image: url('data:image/svg+xml;utf8,<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="50"/></svg>');
-              mask-image: url('data:image/svg+xml;utf8,<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="50"/></svg>');
+      mask-image: url('data:image/svg+xml;utf8,<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="50"/></svg>');
       /* stylelint-enable */
       mask-mode: alpha;
-      -webkit-mask-repeat: no-repeat;
-              mask-repeat: no-repeat;
-      -webkit-mask-size: contain;
-              mask-size: contain;
-      -webkit-mask-position: center;
-              mask-position: center;
+      mask-repeat: no-repeat;
+      mask-size: contain;
+      mask-position: center;
       border-radius: none; } }
 
 .wp-block-latest-comments__comment {
@@ -1427,7 +1423,7 @@ pre.wp-block-verse {
   margin-right: 0; }
   .wp-block-video video {
     max-width: 100%; }
-  @supports ((position: -webkit-sticky) or (position: sticky)) {
+  @supports (position: sticky) {
     .wp-block-video [poster] {
       -o-object-fit: cover;
          object-fit: cover; } }

wp-includes/css/dist/edit-post/style-rtl.css

@@ -82,7 +82,6 @@
     .edit-post-header {
       height: 56px;
       top: 0;
-      position: -webkit-sticky;
       position: sticky;
       flex-wrap: nowrap; } }
   @media (min-width: 600px) {
@@ -97,7 +96,7 @@
         top: 0; } }
   .edit-post-header > .edit-post-header__settings {
     order: 1; }
-    @supports ((position: -webkit-sticky) or (position: sticky)) {
+    @supports (position: sticky) {
       .edit-post-header > .edit-post-header__settings {
         order: initial; } }
 
@@ -439,7 +438,7 @@ body.is-fullscreen-mode .edit-post-layout__content .components-editor-notices__s
       overscroll-behavior-y: none; } }
   .edit-post-layout__content .edit-post-visual-editor {
     flex: 1 1 auto; }
-    @supports ((position: -webkit-sticky) or (position: sticky)) {
+    @supports (position: sticky) {
       .edit-post-layout__content .edit-post-visual-editor {
         flex-basis: 100%; } }
   .edit-post-layout__content .edit-post-layout__metaboxes {
@@ -578,7 +577,6 @@ body.is-fullscreen-mode .edit-post-layout__content .components-editor-notices__s
   margin: 0 0 2rem 0; }
 
 .edit-post-manage-blocks-modal__category-title {
-  position: -webkit-sticky;
   position: sticky;
   top: 0;
   padding: 16px 0;
@@ -871,7 +869,7 @@ body.is-fullscreen-mode .edit-post-layout__content .components-editor-notices__s
 .editor-post-author__select {
   margin: -5px 0;
   width: 100%; }
-  @supports ((position: -webkit-sticky) or (position: sticky)) {
+  @supports (position: sticky) {
     .editor-post-author__select {
       width: auto; } }
 
@@ -940,7 +938,6 @@ body.is-fullscreen-mode .edit-post-layout__content .components-editor-notices__s
   padding-right: 0;
   padding-left: 4px;
   border-top: 0;
-  position: -webkit-sticky;
   position: sticky;
   z-index: -1;
   top: 0; }

wp-includes/css/dist/edit-post/style.css

@@ -82,7 +82,6 @@
     .edit-post-header {
       height: 56px;
       top: 0;
-      position: -webkit-sticky;
       position: sticky;
       flex-wrap: nowrap; } }
   @media (min-width: 600px) {
@@ -97,7 +96,7 @@
         top: 0; } }
   .edit-post-header > .edit-post-header__settings {
     order: 1; }
-    @supports ((position: -webkit-sticky) or (position: sticky)) {
+    @supports (position: sticky) {
       .edit-post-header > .edit-post-header__settings {
         order: initial; } }
 
@@ -439,7 +438,7 @@ body.is-fullscreen-mode .edit-post-layout__content .components-editor-notices__s
       overscroll-behavior-y: none; } }
   .edit-post-layout__content .edit-post-visual-editor {
     flex: 1 1 auto; }
-    @supports ((position: -webkit-sticky) or (position: sticky)) {
+    @supports (position: sticky) {
       .edit-post-layout__content .edit-post-visual-editor {
         flex-basis: 100%; } }
   .edit-post-layout__content .edit-post-layout__metaboxes {
@@ -578,7 +577,6 @@ body.is-fullscreen-mode .edit-post-layout__content .components-editor-notices__s
   margin: 0 0 2rem 0; }
 
 .edit-post-manage-blocks-modal__category-title {
-  position: -webkit-sticky;
   position: sticky;
   top: 0;
   padding: 16px 0;
@@ -871,7 +869,7 @@ body.is-fullscreen-mode .edit-post-layout__content .components-editor-notices__s
 .editor-post-author__select {
   margin: -5px 0;
   width: 100%; }
-  @supports ((position: -webkit-sticky) or (position: sticky)) {
+  @supports (position: sticky) {
     .editor-post-author__select {
       width: auto; } }
 
@@ -944,7 +942,6 @@ body.is-fullscreen-mode .edit-post-layout__content .components-editor-notices__s
   padding-left: 0;
   padding-right: 4px;
   border-top: 0;
-  position: -webkit-sticky;
   position: sticky;
   z-index: -1;
   top: 0; }

wp-includes/default-filters.php

@@ -574,8 +574,8 @@ add_filter( 'the_excerpt_embed', 'wpautop' );
 add_filter( 'the_excerpt_embed', 'shortcode_unautop' );
 add_filter( 'the_excerpt_embed', 'wp_embed_excerpt_attachment' );
 
+add_filter( 'oembed_dataparse', 'wp_filter_oembed_iframe_title_attribute', 5, 3 );
 add_filter( 'oembed_dataparse', 'wp_filter_oembed_result', 10, 3 );
-add_filter( 'oembed_dataparse', 'wp_filter_oembed_iframe_title_attribute', 20, 3 );
 add_filter( 'oembed_response_data', 'get_oembed_response_data_rich', 10, 4 );
 add_filter( 'pre_oembed_result', 'wp_filter_pre_oembed_result', 10, 3 );
 

wp-includes/embed.php

@@ -797,11 +797,24 @@ function wp_filter_oembed_iframe_title_attribute( $result, $data, $url ) {
 
 	$title = ! empty( $data->title ) ? $data->title : '';
 
-	$pattern        = '`<iframe[^>]*?title=(\\\\\'|\\\\"|[\'"])([^>]*?)\1`i';
-	$has_title_attr = preg_match( $pattern, $result, $matches );
+	$pattern = '`<iframe([^>]*)>`i';
+	if ( preg_match( $pattern, $result, $matches ) ) {
+		$attrs = wp_kses_hair( $matches[1], wp_allowed_protocols() );
 
-	if ( $has_title_attr && ! empty( $matches[2] ) ) {
-		$title = $matches[2];
+		foreach ( $attrs as $attr => $item ) {
+			$lower_attr = strtolower( $attr );
+			if ( $lower_attr === $attr ) {
+				continue;
+			}
+			if ( ! isset( $attrs[ $lower_attr ] ) ) {
+				$attrs[ $lower_attr ] = $item;
+				unset( $attrs[ $attr ] );
+			}
+		}
+	}
+
+	if ( ! empty( $attrs['title']['value'] ) ) {
+		$title = $attrs['title']['value'];
 	}
 
 	/**
@@ -820,11 +833,11 @@ function wp_filter_oembed_iframe_title_attribute( $result, $data, $url ) {
 		return $result;
 	}
 
-	if ( $has_title_attr ) {
-		// Remove the old title, $matches[1]: quote, $matches[2]: title attribute value.
-		$result = str_replace( ' title=' . $matches[1] . $matches[2] . $matches[1], '', $result );
+	if ( isset( $attrs['title'] ) ) {
+		unset( $attrs['title'] );
+		$attr_string = join( ' ', wp_list_pluck( $attrs, 'whole' ) );
+		$result      = str_replace( $matches[0], '<iframe ' . trim( $attr_string ) . '>', $result );
 	}
-
 	return str_ireplace( '<iframe ', sprintf( '<iframe title="%s" ', esc_attr( $title ) ), $result );
 }
 

wp-includes/formatting.php

@@ -2003,6 +2003,24 @@ function remove_accents( $string ) {
 function sanitize_file_name( $filename ) {
 	$filename_raw  = $filename;
 	$special_chars = array( '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', chr( 0 ) );
+
+	// Check for support for utf8 in the installed PCRE library once and store the result in a static.
+	static $utf8_pcre = null;
+	if ( ! isset( $utf8_pcre ) ) {
+		// phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
+		$utf8_pcre = @preg_match( '/^./u', 'a' );
+	}
+
+	if ( ! seems_utf8( $filename ) ) {
+		$_ext     = pathinfo( $filename, PATHINFO_EXTENSION );
+		$_name    = pathinfo( $filename, PATHINFO_FILENAME );
+		$filename = sanitize_title_with_dashes( $_name ) . '.' . $_ext;
+	}
+
+	if ( $utf8_pcre ) {
+		$filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
+	}
+
 	/**
 	 * Filters the list of characters to remove from a filename.
 	 *
@@ -2012,7 +2030,6 @@ function sanitize_file_name( $filename ) {
 	 * @param string $filename_raw  Filename as it was passed into sanitize_file_name().
 	 */
 	$special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
-	$filename      = preg_replace( "#\x{00a0}#siu", ' ', $filename );
 	$filename      = str_replace( $special_chars, '', $filename );
 	$filename      = str_replace( array( '%20', '+' ), '-', $filename );
 	$filename      = preg_replace( '/[\r\n\t -]+/', '-', $filename );

wp-includes/js/dist/data-controls.js

@@ -82,7 +82,7 @@ this["wp"] = this["wp"] || {}; this["wp"]["dataControls"] =
 /******/
 /******/
 /******/ 	// Load entry module and return exports
-/******/ 	return __webpack_require__(__webpack_require__.s = 317);
+/******/ 	return __webpack_require__(__webpack_require__.s = 318);
 /******/ })
 /************************************************************************/
 /******/ ({
@@ -131,7 +131,7 @@ function _iterableToArray(iter) {
 
 /***/ }),
 
-/***/ 317:
+/***/ 318:
 /***/ (function(module, __webpack_exports__, __webpack_require__) {
 
 "use strict";

wp-includes/js/dist/data-controls.min.js

@@ -1 +1 @@
-this.wp=this.wp||{},this.wp.dataControls=function(t){var e={};function r(n){if(e[n])return e[n].exports;var o=e[n]={i:n,l:!1,exports:{}};return t[n].call(o.exports,o,o.exports,r),o.l=!0,o.exports}return r.m=t,r.c=e,r.d=function(t,e,n){r.o(t,e)||Object.defineProperty(t,e,{enumerable:!0,get:n})},r.r=function(t){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})},r.t=function(t,e){if(1&e&&(t=r(t)),8&e)return t;if(4&e&&"object"==typeof t&&t&&t.__esModule)return t;var n=Object.create(null);if(r.r(n),Object.defineProperty(n,"default",{enumerable:!0,value:t}),2&e&&"string"!=typeof t)for(var o in t)r.d(n,o,function(e){return t[e]}.bind(null,o));return n},r.n=function(t){var e=t&&t.__esModule?function(){return t.default}:function(){return t};return r.d(e,"a",e),e},r.o=function(t,e){return Object.prototype.hasOwnProperty.call(t,e)},r.p="",r(r.s=317)}({17:function(t,e,r){"use strict";var n=r(30);function o(t){return function(t){if(Array.isArray(t)){for(var e=0,r=new Array(t.length);e<t.length;e++)r[e]=t[e];return r}}(t)||Object(n.a)(t)||function(){throw new TypeError("Invalid attempt to spread non-iterable instance")}()}r.d(e,"a",(function(){return o}))},30:function(t,e,r){"use strict";function n(t){if(Symbol.iterator in Object(t)||"[object Arguments]"===Object.prototype.toString.call(t))return Array.from(t)}r.d(e,"a",(function(){return n}))},317:function(t,e,r){"use strict";r.r(e),r.d(e,"apiFetch",(function(){return c})),r.d(e,"select",(function(){return a})),r.d(e,"dispatch",(function(){return s})),r.d(e,"controls",(function(){return f}));var n=r(17),o=r(34),u=r.n(o),i=r(4),c=function(t){return{type:"API_FETCH",request:t}};function a(t,e){for(var r=arguments.length,n=new Array(r>2?r-2:0),o=2;o<r;o++)n[o-2]=arguments[o];return{type:"SELECT",storeKey:t,selectorName:e,args:n}}function s(t,e){for(var r=arguments.length,n=new Array(r>2?r-2:0),o=2;o<r;o++)n[o-2]=arguments[o];return{type:"DISPATCH",storeKey:t,actionName:e,args:n}}var f={API_FETCH:function(t){var e=t.request;return u()(e)},SELECT:Object(i.createRegistryControl)((function(t){return function(e){var r,o=e.storeKey,u=e.selectorName,i=e.args;return t.select(o)[u].hasResolver?function(t,e){var r=e.storeKey,n=e.selectorName,o=e.args;return new Promise((function(e){var u=function(){return t.select("core/data").hasFinishedResolution(r,n,o)},i=function(){return t.select(r)[n].apply(null,o)},c=i();if(u())return e(c);var a=t.subscribe((function(){u()&&(a(),e(i()))}))}))}(t,{storeKey:o,selectorName:u,args:i}):(r=t.select(o))[u].apply(r,Object(n.a)(i))}})),DISPATCH:Object(i.createRegistryControl)((function(t){return function(e){var r,o=e.storeKey,u=e.actionName,i=e.args;return(r=t.dispatch(o))[u].apply(r,Object(n.a)(i))}}))}},34:function(t,e){!function(){t.exports=this.wp.apiFetch}()},4:function(t,e){!function(){t.exports=this.wp.data}()}});
+this.wp=this.wp||{},this.wp.dataControls=function(t){var e={};function r(n){if(e[n])return e[n].exports;var o=e[n]={i:n,l:!1,exports:{}};return t[n].call(o.exports,o,o.exports,r),o.l=!0,o.exports}return r.m=t,r.c=e,r.d=function(t,e,n){r.o(t,e)||Object.defineProperty(t,e,{enumerable:!0,get:n})},r.r=function(t){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})},r.t=function(t,e){if(1&e&&(t=r(t)),8&e)return t;if(4&e&&"object"==typeof t&&t&&t.__esModule)return t;var n=Object.create(null);if(r.r(n),Object.defineProperty(n,"default",{enumerable:!0,value:t}),2&e&&"string"!=typeof t)for(var o in t)r.d(n,o,function(e){return t[e]}.bind(null,o));return n},r.n=function(t){var e=t&&t.__esModule?function(){return t.default}:function(){return t};return r.d(e,"a",e),e},r.o=function(t,e){return Object.prototype.hasOwnProperty.call(t,e)},r.p="",r(r.s=318)}({17:function(t,e,r){"use strict";var n=r(30);function o(t){return function(t){if(Array.isArray(t)){for(var e=0,r=new Array(t.length);e<t.length;e++)r[e]=t[e];return r}}(t)||Object(n.a)(t)||function(){throw new TypeError("Invalid attempt to spread non-iterable instance")}()}r.d(e,"a",(function(){return o}))},30:function(t,e,r){"use strict";function n(t){if(Symbol.iterator in Object(t)||"[object Arguments]"===Object.prototype.toString.call(t))return Array.from(t)}r.d(e,"a",(function(){return n}))},318:function(t,e,r){"use strict";r.r(e),r.d(e,"apiFetch",(function(){return c})),r.d(e,"select",(function(){return a})),r.d(e,"dispatch",(function(){return s})),r.d(e,"controls",(function(){return f}));var n=r(17),o=r(34),u=r.n(o),i=r(4),c=function(t){return{type:"API_FETCH",request:t}};function a(t,e){for(var r=arguments.length,n=new Array(r>2?r-2:0),o=2;o<r;o++)n[o-2]=arguments[o];return{type:"SELECT",storeKey:t,selectorName:e,args:n}}function s(t,e){for(var r=arguments.length,n=new Array(r>2?r-2:0),o=2;o<r;o++)n[o-2]=arguments[o];return{type:"DISPATCH",storeKey:t,actionName:e,args:n}}var f={API_FETCH:function(t){var e=t.request;return u()(e)},SELECT:Object(i.createRegistryControl)((function(t){return function(e){var r,o=e.storeKey,u=e.selectorName,i=e.args;return t.select(o)[u].hasResolver?function(t,e){var r=e.storeKey,n=e.selectorName,o=e.args;return new Promise((function(e){var u=function(){return t.select("core/data").hasFinishedResolution(r,n,o)},i=function(){return t.select(r)[n].apply(null,o)},c=i();if(u())return e(c);var a=t.subscribe((function(){u()&&(a(),e(i()))}))}))}(t,{storeKey:o,selectorName:u,args:i}):(r=t.select(o))[u].apply(r,Object(n.a)(i))}})),DISPATCH:Object(i.createRegistryControl)((function(t){return function(e){var r,o=e.storeKey,u=e.actionName,i=e.args;return(r=t.dispatch(o))[u].apply(r,Object(n.a)(i))}}))}},34:function(t,e){!function(){t.exports=this.wp.apiFetch}()},4:function(t,e){!function(){t.exports=this.wp.data}()}});

wp-includes/js/dist/data.js

@@ -198,7 +198,7 @@ if (typeof self !== 'undefined') {
 var result = Object(_ponyfill_js__WEBPACK_IMPORTED_MODULE_0__[/* default */ "a"])(root);
 /* harmony default export */ __webpack_exports__["a"] = (result);
 
-/* WEBPACK VAR INJECTION */}.call(this, __webpack_require__(65), __webpack_require__(318)(module)))
+/* WEBPACK VAR INJECTION */}.call(this, __webpack_require__(65), __webpack_require__(317)(module)))
 
 /***/ }),
 
@@ -374,7 +374,7 @@ function _iterableToArray(iter) {
 
 /***/ }),
 
-/***/ 318:
+/***/ 317:
 /***/ (function(module, exports) {
 
 module.exports = function(originalModule) {

wp-includes/media.php

@@ -4255,11 +4255,26 @@ function attachment_url_to_postid( $url ) {
 	}
 
 	$sql = $wpdb->prepare(
-		"SELECT post_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attached_file' AND meta_value = %s",
+		"SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = '_wp_attached_file' AND meta_value = %s",
 		$path
 	);
 
-	$post_id = $wpdb->get_var( $sql );
+	$results = $wpdb->get_results( $sql );
+	$post_id = null;
+
+	if ( $results ) {
+		// Use the first available result, but prefer a case-sensitive match, if exists.
+		$post_id = reset( $results )->post_id;
+
+		if ( count( $results ) > 1 ) {
+			foreach ( $results as $result ) {
+				if ( $path === $result->meta_value ) {
+					$post_id = $result->post_id;
+					break;
+				}
+			}
+		}
+	}
 
 	/**
 	 * Filters an attachment id found by URL.

wp-includes/pluggable.php

@@ -1391,9 +1391,9 @@ if ( ! function_exists( 'wp_validate_redirect' ) ) :
 	 * @return string redirect-sanitized URL
 	 */
 	function wp_validate_redirect( $location, $default = '' ) {
-		$location = trim( $location, " \t\n\r\0\x08\x0B" );
-		// browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
-		if ( substr( $location, 0, 2 ) == '//' ) {
+		$location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) );
+		// Browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'.
+		if ( '//' === substr( $location, 0, 2 ) ) {
 			$location = 'http:' . $location;
 		}
 

wp-includes/post.php

@@ -3554,6 +3554,9 @@ function wp_get_recent_posts( $args = array(), $output = ARRAY_A ) {
 function wp_insert_post( $postarr, $wp_error = false ) {
 	global $wpdb;
 
+	// Capture original pre-sanitized array for passing into filters.
+	$unsanitized_postarr = $postarr;
+
 	$user_id = get_current_user_id();
 
 	$defaults = array(
@@ -3865,21 +3868,27 @@ function wp_insert_post( $postarr, $wp_error = false ) {
 		 * Filters attachment post data before it is updated in or added to the database.
 		 *
 		 * @since 3.9.0
+		 * @since 5.4.1 `$unsanitized_postarr` argument added.
 		 *
-		 * @param array $data    An array of sanitized attachment post data.
-		 * @param array $postarr An array of unsanitized attachment post data.
+		 * @param array $data                An array of slashed, sanitized, and processed attachment post data.
+		 * @param array $postarr             An array of slashed and sanitized attachment post data, but not processed.
+		 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed attachment post data
+		 *                                   as originally passed to wp_insert_post().
 		 */
-		$data = apply_filters( 'wp_insert_attachment_data', $data, $postarr );
+		$data = apply_filters( 'wp_insert_attachment_data', $data, $postarr, $unsanitized_postarr );
 	} else {
 		/**
 		 * Filters slashed post data just before it is inserted into the database.
 		 *
 		 * @since 2.7.0
+		 * @since 5.4.1 `$unsanitized_postarr` argument added.
 		 *
-		 * @param array $data    An array of slashed post data.
-		 * @param array $postarr An array of sanitized, but otherwise unmodified post data.
+		 * @param array $data                An array of slashed, sanitized, and processed post data.
+		 * @param array $postarr             An array of sanitized (and slashed) but otherwise unmodified post data.
+		 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as
+		 *                                   originally passed to wp_insert_post().
 		 */
-		$data = apply_filters( 'wp_insert_post_data', $data, $postarr );
+		$data = apply_filters( 'wp_insert_post_data', $data, $postarr, $unsanitized_postarr );
 	}
 	$data  = wp_unslash( $data );
 	$where = array( 'ID' => $post_ID );

wp-includes/script-loader.php

@@ -1621,6 +1621,7 @@ function wp_default_scripts( &$scripts ) {
 	// To enqueue media-views or media-editor, call wp_enqueue_media().
 	// Both rely on numerous settings, styles, and templates to operate correctly.
 	$scripts->add( 'media-views', "/wp-includes/js/media-views$suffix.js", array( 'utils', 'media-models', 'wp-plupload', 'jquery-ui-sortable', 'wp-mediaelement', 'wp-api-request', 'wp-a11y', 'wp-i18n' ), false, 1 );
+	$scripts->set_translations( 'media-views' );
 	$scripts->add( 'media-editor', "/wp-includes/js/media-editor$suffix.js", array( 'shortcode', 'media-views' ), false, 1 );
 	$scripts->add( 'media-audiovideo', "/wp-includes/js/media-audiovideo$suffix.js", array( 'media-editor' ), false, 1 );
 	$scripts->add( 'mce-view', "/wp-includes/js/mce-view$suffix.js", array( 'shortcode', 'jquery', 'media-views', 'media-audiovideo' ), false, 1 );

wp-includes/user.php

@@ -1793,7 +1793,7 @@ function wp_insert_user( $userdata ) {
 	}
 
 	if ( $update ) {
-		if ( $user_email !== $old_user_data->user_email ) {
+		if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
 			$data['user_activation_key'] = '';
 		}
 		$wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
@@ -3063,7 +3063,11 @@ function _wp_privacy_send_request_confirmation_notification( $request_id ) {
 		return;
 	}
 
-	$manage_url         = add_query_arg( 'page', $request->action_name, admin_url( 'tools.php' ) );
+	if ( 'export_personal_data' === $request->action_name ) {
+		$manage_url = admin_url( 'export-personal-data.php' );
+	} elseif ( 'remove_personal_data' === $request->action_name ) {
+		$manage_url = admin_url( 'erase-personal-data.php' );
+	}
 	$action_description = wp_user_request_action_description( $request->action_name );
 
 	/**

wp-includes/version.php

@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.3.2';
+$wp_version = '5.3.4';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.