Update Akismet externals

git-svn-id: http://core.svn.wordpress.org/branches/3.4@35107 1a063a9b-81f0-0310-95a4-ce76da25c4cd

readme.html

@@ -8,7 +8,7 @@
 <body>
 <h1 id="logo">
 	<a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
-	<br /> Version 3.4
+	<br /> Version 3.4.2
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>
 

wp-admin/about.php

@@ -33,6 +33,19 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 	</a>
 </h2>
 
+<div class="changelog point-releases">
+	<h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 2 ); ?></h3>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 20 ), '3.4.2', number_format_i18n( 20 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.4.2' ); ?>
+ 	</p>
+
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 21 ), '3.4.1', number_format_i18n( 21 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.4.1' ); ?>
+ 	</p>
+</div>
+
 <div class="changelog">
 	<h3><?php _e( 'Live Theme Previews' ); ?></h3>
 

wp-admin/async-upload.php

@@ -49,7 +49,14 @@ if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id
 
 check_admin_referer('media-form');
 
-$id = media_handle_upload('async-upload', $_REQUEST['post_id']);
+$post_id = 0;
+if ( isset( $_REQUEST['post_id'] ) ) {
+	$post_id = absint( $_REQUEST['post_id'] );
+	if ( ! get_post( $post_id ) || ! current_user_can( 'edit_post', $post_id ) )
+		$post_id = 0;
+}
+
+$id = media_handle_upload( 'async-upload', $post_id );
 if ( is_wp_error($id) ) {
 	echo '<div class="error-div">
 	<a class="dismiss" href="#" onclick="jQuery(this).parents(\'div.media-item\').slideUp(200, function(){jQuery(this).remove();});">' . __('Dismiss') . '</a>

wp-admin/css/wp-admin.dev.css

@@ -1968,13 +1968,7 @@ html.wp-toolbar {
 	box-sizing: border-box;
 }
 
-.postbox-container .meta-box-sortables:empty {
-	min-height: 0;
-	height: 0;
-}
-
-.metabox-holder .postbox-container .empty-container,
-#post-body.columns-2 #side-sortables:empty {
+.metabox-holder .postbox-container .empty-container {
 	border: 3px dashed #CCCCCC;
 	height: 250px;
 }
@@ -2045,7 +2039,6 @@ html.wp-toolbar {
 		width: 50.5%;
 	}
 
-	#dashboard-widgets.metabox-holder .postbox-container .empty-container,
 	#dashboard-widgets #postbox-container-3 .empty-container,
 	#dashboard-widgets #postbox-container-4 .empty-container {
 		border: 0 none;

wp-admin/customize.php

@@ -7,6 +7,8 @@
  * @since 3.4.0
  */
 
+define( 'IFRAME_REQUEST', true );
+
 require_once( './admin.php' );
 if ( ! current_user_can( 'edit_theme_options' ) )
 	wp_die( __( 'Cheatin’ uh?' ) );
@@ -65,7 +67,6 @@ do_action( 'customize_controls_print_scripts' );
 <body class="<?php echo esc_attr( $body_class ); ?>">
 <div class="wp-full-overlay expanded">
 	<form id="customize-controls" class="wrap wp-full-overlay-sidebar">
-		<?php wp_nonce_field( 'customize_controls-' . $wp_customize->get_stylesheet() ); ?>
 		<div id="customize-header-actions" class="wp-full-overlay-header">
 			<?php
 				$save_text = $wp_customize->is_theme_active() ? __( 'Save &amp; Publish' ) : __( 'Save &amp; Activate' );
@@ -175,6 +176,10 @@ do_action( 'customize_controls_print_scripts' );
 		),
 		'settings' => array(),
 		'controls' => array(),
+		'nonce'    => array(
+ 			'save'    => wp_create_nonce( 'save-customize_' . $wp_customize->get_stylesheet() ),
+ 			'preview' => wp_create_nonce( 'preview-customize_' . $wp_customize->get_stylesheet() )
+ 		),
 	);
 
 	foreach ( $wp_customize->settings() as $id => $setting ) {

wp-admin/includes/class-wp-ms-themes-list-table.php

@@ -293,7 +293,7 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
 		}
 
 		if ( current_user_can('edit_themes') )
-			$actions['edit'] = '<a href="' . esc_url('theme-editor.php?theme=' .  $theme_key ) . '" title="' . esc_attr__('Open this theme in the Theme Editor') . '" class="edit">' . __('Edit') . '</a>';
+			$actions['edit'] = '<a href="' . esc_url('theme-editor.php?theme=' . urlencode( $theme_key ) ) . '" title="' . esc_attr__('Open this theme in the Theme Editor') . '" class="edit">' . __('Edit') . '</a>';
 
 		if ( ! $allowed && current_user_can( 'delete_themes' ) && ! $this->is_site_themes && $theme_key != get_option( 'stylesheet' ) && $theme_key != get_option( 'template' ) )
 			$actions['delete'] = '<a href="' . esc_url( wp_nonce_url( 'themes.php?action=delete-selected&amp;checked[]=' . $theme_key . '&amp;theme_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-themes' ) ) . '" title="' . esc_attr__( 'Delete this theme' ) . '" class="delete">' . __( 'Delete' ) . '</a>';

wp-admin/includes/class-wp-plugins-list-table.php

@@ -90,7 +90,9 @@ class WP_Plugins_List_Table extends WP_List_Table {
 
 		foreach ( (array) $plugins['all'] as $plugin_file => $plugin_data ) {
 			// Filter into individual sections
-			if ( ! $screen->is_network && is_plugin_active_for_network( $plugin_file ) ) {
+			if ( is_multisite() && ! $screen->is_network && is_network_only_plugin( $plugin_file ) ) {
+				unset( $plugins['all'][ $plugin_file ] );
+			} elseif ( ! $screen->is_network && is_plugin_active_for_network( $plugin_file ) ) {
 				unset( $plugins['all'][ $plugin_file ] );
 			} elseif ( ( ! $screen->is_network && is_plugin_active( $plugin_file ) )
 				|| ( $screen->is_network && is_plugin_active_for_network( $plugin_file ) ) ) {

wp-admin/includes/class-wp-themes-list-table.php

@@ -128,7 +128,7 @@ class WP_Themes_List_Table extends WP_List_Table {
 			$activate_link = wp_nonce_url( "themes.php?action=activate&template=" . urlencode( $template ) . "&stylesheet=" . urlencode( $stylesheet ), 'switch-theme_' . $stylesheet );
 
 			$preview_link = esc_url( add_query_arg(
-				array( 'preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'preview_iframe' => true, 'TB_iframe' => 'true' ),
+				array( 'preview' => 1, 'template' => urlencode( $template ), 'stylesheet' => urlencode( $stylesheet ), 'preview_iframe' => true, 'TB_iframe' => 'true' ),
 				home_url( '/' ) ) );
 
 			$actions = array();

wp-admin/includes/class-wp-upgrader.php

@@ -1507,14 +1507,14 @@ class Theme_Installer_Skin extends WP_Upgrader_Skin {
 
 		$preview_link = add_query_arg( array(
 			'preview'    => 1,
-			'template'   => $template,
-			'stylesheet' => $stylesheet,
+			'template'   => urlencode( $template ),
+			'stylesheet' => urlencode( $stylesheet ),
 		), trailingslashit( get_home_url() ) );
 
 		$activate_link = add_query_arg( array(
 			'action'     => 'activate',
-			'template'   => $template,
-			'stylesheet' => $stylesheet,
+			'template'   => urlencode( $template ),
+			'stylesheet' => urlencode( $stylesheet ),
 		), admin_url('themes.php') );
 		$activate_link = wp_nonce_url( $activate_link, 'switch-theme_' . $stylesheet );
 
@@ -1571,14 +1571,14 @@ class Theme_Upgrader_Skin extends WP_Upgrader_Skin {
 
 			$preview_link = add_query_arg( array(
 				'preview'    => 1,
-				'template'   => $template,
-				'stylesheet' => $stylesheet,
+				'template'   => urlencode( $template ),
+				'stylesheet' => urlencode( $stylesheet ),
 			), trailingslashit( get_home_url() ) );
 
 			$activate_link = add_query_arg( array(
 				'action'     => 'activate',
-				'template'   => $template,
-				'stylesheet' => $stylesheet,
+				'template'   => urlencode( $template ),
+				'stylesheet' => urlencode( $stylesheet ),
 			), admin_url('themes.php') );
 			$activate_link = wp_nonce_url( $activate_link, 'switch-theme_' . $stylesheet );
 

wp-admin/includes/dashboard.php

@@ -131,6 +131,7 @@ function wp_dashboard_setup() {
 	}
 
 	if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset($_POST['widget_id']) ) {
+		check_admin_referer( 'edit-dashboard-widget_' . $_POST['widget_id'], 'dashboard-widget-nonce' );
 		ob_start(); // hack - but the same hack wp-admin/widgets.php uses
 		wp_dashboard_trigger_widget_control( $_POST['widget_id'] );
 		ob_end_clean();
@@ -182,6 +183,7 @@ function wp_add_dashboard_widget( $widget_id, $widget_name, $callback, $control_
 function _wp_dashboard_control_callback( $dashboard, $meta_box ) {
 	echo '<form action="" method="post" class="dashboard-widget-control-form">';
 	wp_dashboard_trigger_widget_control( $meta_box['id'] );
+	wp_nonce_field( 'edit-dashboard-widget_' . $meta_box['id'], 'dashboard-widget-nonce' );
 	echo '<input type="hidden" name="widget_id" value="' . esc_attr($meta_box['id']) . '" />';
 	submit_button( __('Submit') );
 	echo '</form>';

wp-admin/includes/meta-boxes.php

@@ -483,17 +483,17 @@ function post_comment_meta_box($post) {
 	if ( 1 > $total ) {
 		echo '<p id="no-comments">' . __('No comments yet.') . '</p>';
 	} else {
-		$hidden = get_hidden_meta_boxes('post');
+		$hidden = get_hidden_meta_boxes( get_current_screen() );
 		if ( ! in_array('commentsdiv', $hidden) ) {
 			?>
 			<script type="text/javascript">jQuery(document).ready(function(){commentsBox.get(<?php echo $total; ?>, 10);});</script>
 			<?php
 		}
-	}
 
-	?>
-	<p class="hide-if-no-js hidden" id="show-comments"><a href="#commentstatusdiv" onclick="commentsBox.get(<?php echo $total; ?>);return false;"><?php _e('Show comments'); ?></a> <img class="waiting" style="display:none;" src="<?php echo esc_url( admin_url( 'images/wpspin_light.gif' ) ); ?>" alt="" /></p>
-	<?php
+		?>
+		<p class="hide-if-no-js" id="show-comments"><a href="#commentstatusdiv" onclick="commentsBox.get(<?php echo $total; ?>);return false;"><?php _e('Show comments'); ?></a> <img class="waiting" style="display:none;" src="<?php echo esc_url( admin_url( 'images/wpspin_light.gif' ) ); ?>" alt="" /></p>
+		<?php
+	}
 
 	wp_comment_trashnotice();
 }
@@ -688,7 +688,7 @@ function link_categories_meta_box($link) {
 		<p id="link-category-add" class="wp-hidden-child">
 			<label class="screen-reader-text" for="newcat"><?php _e( '+ Add New Category' ); ?></label>
 			<input type="text" name="newcat" id="newcat" class="form-required form-input-tip" value="<?php esc_attr_e( 'New category name' ); ?>" aria-required="true" />
-			<input type="button" id="category-add-submit" class="add:categorychecklist:linkcategorydiv button" value="<?php esc_attr_e( 'Add' ); ?>" />
+			<input type="button" id="link-category-add-submit" class="add:categorychecklist:link-category-add button" value="<?php esc_attr_e( 'Add' ); ?>" />
 			<?php wp_nonce_field( 'add-link-category', '_ajax_nonce', false ); ?>
 			<span id="category-ajax-response"></span>
 		</p>

wp-admin/includes/plugin.php

@@ -521,6 +521,7 @@ function activate_plugin( $plugin, $redirect = '', $network_wide = false, $silen
 	if ( is_multisite() && ( $network_wide || is_network_only_plugin($plugin) ) ) {
 		$network_wide = true;
 		$current = get_site_option( 'active_sitewide_plugins', array() );
+		$_GET['networkwide'] = 1; // Back compat for plugins looking for this value.
 	} else {
 		$current = get_option( 'active_plugins', array() );
 	}

wp-admin/includes/template.php

@@ -494,7 +494,7 @@ function _list_meta_row( $entry, &$count ) {
 	$r .= "\n\t\t<div class='submit'>";
 	$r .= get_submit_button( __( 'Delete' ), "delete:the-list:meta-{$entry['meta_id']}::_ajax_nonce=$delete_nonce deletemeta", "deletemeta[{$entry['meta_id']}]", false, array( 'tabindex' => '6' ) );
 	$r .= "\n\t\t";
-	$r .= get_submit_button( __( 'Update' ), "add:the-list:meta-{$entry['meta_id']}::_ajax_nonce-add-meta=$update_nonce updatemeta" , 'updatemeta', false, array( 'tabindex' => '6' ) );
+	$r .= get_submit_button( __( 'Update' ), "add:the-list:meta-{$entry['meta_id']}::_ajax_nonce-add-meta=$update_nonce updatemeta" , "meta-{$entry['meta_id']}-submit", false, array( 'tabindex' => '6' ) );
 	$r .= "</div>";
 	$r .= wp_nonce_field( 'change-meta', '_ajax_nonce', false, false );
 	$r .= "</td>";
@@ -555,7 +555,7 @@ function meta_form() {
 </tr>
 
 <tr><td colspan="2" class="submit">
-<?php submit_button( __( 'Add Custom Field' ), 'add:the-list:newmeta', 'addmeta', false, array( 'id' => 'addmetasub', 'tabindex' => '9' ) ); ?>
+<?php submit_button( __( 'Add Custom Field' ), 'add:the-list:newmeta', 'addmeta', false, array( 'id' => 'newmeta-submit', 'tabindex' => '9' ) ); ?>
 <?php wp_nonce_field( 'add-meta', '_ajax_nonce-add-meta', false ); ?>
 </td></tr>
 </tbody>

wp-admin/includes/update-core.php

@@ -477,7 +477,7 @@ function update_core($from, $to) {
 	$mysql_version  = $wpdb->db_version();
 	$required_php_version = '5.2.4';
 	$required_mysql_version = '5.0';
-	$wp_version = '3.4';
+	$wp_version = '3.4.2';
 	$php_compat     = version_compare( $php_version, $required_php_version, '>=' );
 	if ( file_exists( WP_CONTENT_DIR . '/db.php' ) && empty( $wpdb->is_mysql ) )
 		$mysql_compat = true;
@@ -680,7 +680,7 @@ function _copy_dir($from, $to, $skip_list = array() ) {
 function _redirect_to_about_wordpress( $new_version ) {
 	global $wp_version, $pagenow, $action;
 
-	if ( version_compare( $wp_version, '3.4-RC1', '>=' ) )
+	if ( version_compare( $wp_version, '3.5-alpha', '>=' ) )
 		return;
 
 	// Ensure we only run this on the update-core.php page. wp_update_core() could be called in other contexts.
@@ -695,12 +695,17 @@ function _redirect_to_about_wordpress( $new_version ) {
 
 	// See do_core_upgrade()
 	show_message( __('WordPress updated successfully') );
-	show_message( '<span class="hide-if-no-js">' . sprintf( __( 'Welcome to WordPress %1$s. You will be redirected to the About WordPress screen. If not, click <a href="%s">here</a>.' ), $new_version, esc_url( self_admin_url( 'about.php?updated' ) ) ) . '</span>' );
-	show_message( '<span class="hide-if-js">' . sprintf( __( 'Welcome to WordPress %1$s. <a href="%2$s">Learn more</a>.' ), $new_version, esc_url( self_admin_url( 'about.php?updated' ) ) ) . '</span>' );
+
+	$js_message = __( 'Welcome to WordPress %1$s. You will be redirected to the About WordPress screen. If not, click <a href="%s">here</a>.' );
+	$js_message = str_replace( '"%s"', '"%2$s"', $js_message ); // in lieu of breaking the string.
+
+	// self_admin_url() won't exist when upgrading from <= 3.0, so relative URLs are intentional.
+	show_message( '<span class="hide-if-no-js">' . sprintf( $js_message, $new_version, 'about.php?updated' ) . '</span>' );
+	show_message( '<span class="hide-if-js">' . sprintf( __( 'Welcome to WordPress %1$s. <a href="%2$s">Learn more</a>.' ), $new_version, 'about.php?updated' ) . '</span>' );
 	echo '</div>';
 	?>
 <script type="text/javascript">
-window.location = '<?php echo self_admin_url( 'about.php?updated' ); ?>';
+window.location = 'about.php?updated';
 </script>
 	<?php
 

wp-admin/includes/update.php

@@ -264,7 +264,7 @@ function wp_theme_update_row( $theme_key, $theme ) {
 	$themes_allowedtags = array('a' => array('href' => array(),'title' => array()),'abbr' => array('title' => array()),'acronym' => array('title' => array()),'code' => array(),'em' => array(),'strong' => array());
 	$theme_name = wp_kses( $theme['Name'], $themes_allowedtags );
 
-	$details_url = self_admin_url("theme-install.php?tab=theme-information&theme=$theme_key&TB_iframe=true&width=600&height=400");
+	$details_url = add_query_arg( array( 'TB_iframe' => 'true', 'width' => 1024, 'height' => 800 ), $current->response[ $theme_key ]['url'] );
 
 	$wp_list_table = _get_list_table('WP_MS_Themes_List_Table');
 

wp-admin/index.php

@@ -2,6 +2,8 @@
 /**
  * Dashboard Administration Screen
  *
+ * @internal This file should be parseable by PHP4.
+ *
  * @package WordPress
  * @subpackage Administration
  */
@@ -32,7 +34,10 @@ else
 
 $help = '<p>' . __( 'Welcome to your WordPress Dashboard! This is the screen you will see when you log in to your site, and gives you access to all the site management features of WordPress. You can get help for any screen by clicking the Help tab in the upper corner.' ) . '</p>';
 
-get_current_screen()->add_help_tab( array(
+// Not using chaining here, so as to be parseable by PHP4.
+$screen = get_current_screen();
+
+$screen->add_help_tab( array(
 	'id'      => 'overview',
 	'title'   => __( 'Overview' ),
 	'content' => $help,
@@ -43,7 +48,7 @@ get_current_screen()->add_help_tab( array(
 $help  = '<p>' . __('The left-hand navigation menu provides links to all of the WordPress administration screens, with submenu items displayed on hover. You can minimize this menu to a narrow icon strip by clicking on the Collapse Menu arrow at the bottom.') . '</p>';
 $help .= '<p>' . __('Links in the Toolbar at the top of the screen connect your dashboard and the front end of your site, and provide access to your profile and helpful WordPress information.') . '</p>';
 
-get_current_screen()->add_help_tab( array(
+$screen->add_help_tab( array(
 	'id'      => 'help-navigation',
 	'title'   => __('Navigation'),
 	'content' => $help,
@@ -54,7 +59,7 @@ $help .= '<p>' . __('<strong>Screen Options</strong> - Use the Screen Options ta
 $help .= '<p>' . __('<strong>Drag and Drop</strong> - To rearrange the boxes, drag and drop by clicking on the title bar of the selected box and releasing when you see a gray dotted-line rectangle appear in the location you want to place the box.') . '</p>';
 $help .= '<p>' . __('<strong>Box Controls</strong> - Click the title bar of the box to expand or collapse it. In addition, some box have configurable content, and will show a &#8220;Configure&#8221; link in the title bar if you hover over it.') . '</p>';
 
-get_current_screen()->add_help_tab( array(
+$screen->add_help_tab( array(
 	'id'      => 'help-layout',
 	'title'   => __('Layout'),
 	'content' => $help,
@@ -78,7 +83,7 @@ if ( ! is_multisite() && current_user_can( 'install_plugins' ) )
 if ( current_user_can( 'edit_theme_options' ) )
 	$help .= '<p>' . __('<strong>Welcome</strong> - Shows links for some of the most common tasks when setting up a new site.') . '</p>';
 
-get_current_screen()->add_help_tab( array(
+$screen->add_help_tab( array(
 	'id'      => 'help-content',
 	'title'   => __('Content'),
 	'content' => $help,
@@ -86,7 +91,7 @@ get_current_screen()->add_help_tab( array(
 
 unset( $help );
 
-get_current_screen()->set_help_sidebar(
+$screen->set_help_sidebar(
 	'<p><strong>' . __( 'For more information:' ) . '</strong></p>' .
 	'<p>' . __( '<a href="http://codex.wordpress.org/Dashboard_Screen" target="_blank">Documentation on Dashboard</a>' ) . '</p>' .
 	'<p>' . __( '<a href="http://wordpress.org/support/" target="_blank">Support Forums</a>' ) . '</p>'

wp-admin/js/common.dev.js

@@ -216,7 +216,7 @@ $(document).ready( function() {
 			m.addClass('sub-open');
 		},
 		out: function(){
-			$(this).find('.wp-submenu').removeClass('sub-open');
+			$(this).find('.wp-submenu').removeClass('sub-open').css('margin-top', '');
 		},
 		timeout: 200,
 		sensitivity: 7,

wp-admin/js/customize-controls.dev.js

@@ -220,10 +220,6 @@
 				};
 			});
 
-			// Select a tab
-			this.selected = this.tabs[ panels.first().data('customizeTab') ];
-			this.selected.both.addClass('library-selected');
-
 			// Bind tab switch events
 			this.library.children('ul').on( 'click', 'li', function( event ) {
 				var id  = $(this).data('customizeTab'),
@@ -255,6 +251,18 @@
 					this.tabs.uploaded.both.addClass('hidden');
 			}
 
+			// Select a tab
+			panels.each( function() {
+				var tab = control.tabs[ $(this).data('customizeTab') ];
+
+				// Select the first visible tab.
+				if ( ! tab.link.hasClass('hidden') ) {
+					control.selected = tab;
+					tab.both.addClass('library-selected');
+					return false;
+				}
+			});
+
 			this.dropdownInit();
 		},
 		success: function( attachment ) {
@@ -294,7 +302,8 @@
 			// This is the promise object.
 			deferred.promise( this );
 
-			this.previewer = params.previewer;
+			this.container = params.container;
+			this.signature = params.signature;
 
 			$.extend( params, { channel: api.PreviewFrame.uuid() });
 
@@ -338,7 +347,7 @@
 
 			this.request.done( function( response ) {
 				var location = self.request.getResponseHeader('Location'),
-					signature = 'WP_CUSTOMIZER_SIGNATURE',
+					signature = self.signature,
 					index;
 
 				// Check if the location response header differs from the current URL.
@@ -371,7 +380,7 @@
 				response = response.slice( 0, index ) + response.slice( index + signature.length );
 
 				// Create the iframe and inject the html content.
-				self.iframe = $('<iframe />').appendTo( self.previewer.container );
+				self.iframe = $('<iframe />').appendTo( self.container );
 
 				// Bind load event after the iframe has been added to the page;
 				// otherwise it will fire when injected into the DOM.
@@ -416,7 +425,7 @@
 					reject();
 
 				iframe = $('<iframe src="' + self.previewUrl() + '" />').hide();
-				iframe.appendTo( self.previewer.container );
+				iframe.appendTo( self.container );
 				iframe.load( function() {
 					self.triedLogin = true;
 
@@ -497,6 +506,7 @@
 
 			this.container   = api.ensure( params.container );
 			this.allowedUrls = params.allowedUrls;
+			this.signature   = params.signature;
 
 			params.url = window.location.href;
 
@@ -570,7 +580,8 @@
 				url:        this.url(),
 				previewUrl: this.previewUrl(),
 				query:      this.query() || {},
-				previewer:  this
+				container:  this.container,
+				signature:  this.signature
 			});
 
 			this.loading.done( function() {
@@ -583,6 +594,8 @@
 
 					self.targetWindow( this.targetWindow() );
 					self.channel( this.channel() );
+
+					self.send( 'active' );
 				});
 
 				this.send( 'sync', {
@@ -683,23 +696,26 @@
 			container:   '#customize-preview',
 			form:        '#customize-controls',
 			previewUrl:  api.settings.url.preview,
-			allowedUrls: api.settings.url.allowed
+			allowedUrls: api.settings.url.allowed,
+			signature:   'WP_CUSTOMIZER_SIGNATURE'
 		}, {
+
+			nonce: api.settings.nonce,
+
 			query: function() {
 				return {
 					wp_customize: 'on',
 					theme:        api.settings.theme.stylesheet,
-					customized:   JSON.stringify( api.get() )
+					customized:   JSON.stringify( api.get() ),
+					nonce:        this.nonce.preview
 				};
 			},
 
-			nonce: $('#_wpnonce').val(),
-
 			save: function() {
 				var self  = this,
 					query = $.extend( this.query(), {
 						action: 'customize_save',
-						nonce:  this.nonce
+						nonce:  this.nonce.save
 					}),
 					request = $.post( api.settings.url.ajax, query );
 
@@ -733,6 +749,11 @@
 			}
 		});
 
+		// Refresh the nonces if the preview sends updated nonces over.
+ 		previewer.bind( 'nonce', function( nonce ) {
+ 			$.extend( this.nonce, nonce );
+ 		});
+
 		$.each( api.settings.settings, function( id, data ) {
 			api.create( id, id, data.value, {
 				transport: data.transport,

wp-admin/js/inline-edit-post.dev.js

@@ -97,7 +97,7 @@ inlineEditPost = {
 			if ( $(this).prop('checked') ) {
 				c = false;
 				var id = $(this).val(), theTitle;
-				theTitle = $('#inline_'+id+' .post_title').text() || inlineEditL10n.notitle;
+				theTitle = $('#inline_'+id+' .post_title').html() || inlineEditL10n.notitle;
 				te += '<div id="ttle'+id+'"><a id="_'+id+'" class="ntdelbutton" title="'+inlineEditL10n.ntdeltitle+'">X</a>'+theTitle+'</div>';
 			}
 		});

wp-admin/js/link.dev.js

@@ -23,7 +23,7 @@ jQuery(document).ready( function($) {
 
 	// Ajax Cat
 	newCat = $('#newcat').one( 'focus', function() { $(this).val( '' ).removeClass( 'form-input-tip' ) } );
-	$('#category-add-submit').click( function() { newCat.focus(); } );
+	$('#link-category-add-submit').click( function() { newCat.focus(); } );
 	syncChecks = function() {
 		if ( noSyncChecks )
 			return;

wp-admin/js/link.js

@@ -1 +1 @@
-jQuery(document).ready(function(c){var b,a=false,d,e;c("#link_name").focus();postboxes.add_postbox_toggles("link");c("#category-tabs a").click(function(){var f=c(this).attr("href");c(this).parent().addClass("tabs").siblings("li").removeClass("tabs");c(".tabs-panel").hide();c(f).show();if("#categories-all"==f){deleteUserSetting("cats")}else{setUserSetting("cats","pop")}return false});if(getUserSetting("cats")){c('#category-tabs a[href="#categories-pop"]').click()}b=c("#newcat").one("focus",function(){c(this).val("").removeClass("form-input-tip")});c("#category-add-submit").click(function(){b.focus()});d=function(){if(a){return}a=true;var f=c(this),h=f.is(":checked"),g=f.val().toString();c("#in-link-category-"+g+", #in-popular-category-"+g).prop("checked",h);a=false};e=function(g,f){c(f.what+" response_data",g).each(function(){var h=c(c(this).text());h.find("label").each(function(){var j=c(this),l=j.find("input").val(),m=j.find("input")[0].id,i=c.trim(j.text()),k;c("#"+m).change(d);k=c('<option value="'+parseInt(l,10)+'"></option>').text(i)})})};c("#categorychecklist").wpList({alt:"",what:"link-category",response:"category-ajax-response",addAfter:e});c('a[href="#categories-all"]').click(function(){deleteUserSetting("cats")});c('a[href="#categories-pop"]').click(function(){setUserSetting("cats","pop")});if("pop"==getUserSetting("cats")){c('a[href="#categories-pop"]').click()}c("#category-add-toggle").click(function(){c(this).parents("div:first").toggleClass("wp-hidden-children");c('#category-tabs a[href="#categories-all"]').click();c("#newcategory").focus();return false});c(".categorychecklist :checkbox").change(d).filter(":checked").change()});
+jQuery(document).ready(function(c){var b,a=false,d,e;c("#link_name").focus();postboxes.add_postbox_toggles("link");c("#category-tabs a").click(function(){var f=c(this).attr("href");c(this).parent().addClass("tabs").siblings("li").removeClass("tabs");c(".tabs-panel").hide();c(f).show();if("#categories-all"==f){deleteUserSetting("cats")}else{setUserSetting("cats","pop")}return false});if(getUserSetting("cats")){c('#category-tabs a[href="#categories-pop"]').click()}b=c("#newcat").one("focus",function(){c(this).val("").removeClass("form-input-tip")});c("#link-category-add-submit").click(function(){b.focus()});d=function(){if(a){return}a=true;var f=c(this),h=f.is(":checked"),g=f.val().toString();c("#in-link-category-"+g+", #in-popular-category-"+g).prop("checked",h);a=false};e=function(g,f){c(f.what+" response_data",g).each(function(){var h=c(c(this).text());h.find("label").each(function(){var j=c(this),l=j.find("input").val(),m=j.find("input")[0].id,i=c.trim(j.text()),k;c("#"+m).change(d);k=c('<option value="'+parseInt(l,10)+'"></option>').text(i)})})};c("#categorychecklist").wpList({alt:"",what:"link-category",response:"category-ajax-response",addAfter:e});c('a[href="#categories-all"]').click(function(){deleteUserSetting("cats")});c('a[href="#categories-pop"]').click(function(){setUserSetting("cats","pop")});if("pop"==getUserSetting("cats")){c('a[href="#categories-pop"]').click()}c("#category-add-toggle").click(function(){c(this).parents("div:first").toggleClass("wp-hidden-children");c('#category-tabs a[href="#categories-all"]').click();c("#newcategory").focus();return false});c(".categorychecklist :checkbox").change(d).filter(":checked").change()});

wp-admin/js/post.dev.js

@@ -342,7 +342,7 @@ jQuery(document).ready( function($) {
 			return false;
 		});
 
-		$('#' + taxonomy + 'checklist li.popular-category :checkbox, #' + taxonomy + 'checklist-pop :checkbox').live( 'click', function(){
+		$('#' + taxonomy + 'checklist li.popular-category input[type="checkbox"], #' + taxonomy + 'checklist-pop input[type="checkbox"]').live( 'click', function(){
 			var t = $(this), c = t.is(':checked'), id = t.val();
 			if ( id && t.parents('#taxonomy-'+taxonomy).length )
 				$('#in-' + taxonomy + '-' + id + ', #in-popular-' + taxonomy + '-' + id).prop( 'checked', c );

wp-admin/load-scripts.php

@@ -51,6 +51,11 @@ function is_lighttpd_before_150() {}
  */
 function add_action() {}
 
+/**
+ * @ignore
+ */
+function did_action() {}
+
 /**
  * @ignore
  */

wp-admin/plugins.php

@@ -37,6 +37,11 @@ if ( $action ) {
 			if ( ! current_user_can('activate_plugins') )
 				wp_die(__('You do not have sufficient permissions to activate plugins for this site.'));
 
+			if ( is_multisite() && ! is_network_admin() && is_network_only_plugin( $plugin ) ) {
+				wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") );
+				exit;
+			}
+
 			check_admin_referer('activate-plugin_' . $plugin);
 
 			$result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . $plugin), is_network_admin() );
@@ -72,10 +77,17 @@ if ( $action ) {
 			$plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
 
 			// Only activate plugins which are not already active.
-			$check = is_network_admin() ? 'is_plugin_active_for_network' : 'is_plugin_active';
-			foreach ( $plugins as $i => $plugin )
-				if ( $check( $plugin ) )
-					unset( $plugins[ $i ] );
+			if ( is_network_admin() ) {
+				foreach ( $plugins as $i => $plugin ) {
+					if ( is_plugin_active_for_network( $plugin ) )
+						unset( $plugins[ $i ] );
+				}
+			} else {
+				foreach ( $plugins as $i => $plugin ) {
+					if ( is_plugin_active( $plugin ) || is_network_only_plugin( $plugin ) )
+						unset( $plugins[ $i ] );
+				}
+			}
 
 			if ( empty($plugins) ) {
 				wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") );

wp-admin/setup-config.php

@@ -44,12 +44,14 @@ define('WP_DEBUG', false);
 require(ABSPATH . WPINC . '/load.php');
 require(ABSPATH . WPINC . '/version.php');
 
-// Also loads functions.php, plugin.php, l10n.php, pomo/mo.php (all required by setup-config.php)
-wp_load_translations_early();
-
 // Check for the required PHP version and for the MySQL extension or a database drop-in.
 wp_check_php_mysql_versions();
 
+require_once(ABSPATH . WPINC . '/functions.php');
+
+// Also loads plugin.php, l10n.php, pomo/mo.php (all required by setup-config.php)
+wp_load_translations_early();
+
 // Turn register_globals off.
 wp_unregister_GLOBALS();
 
@@ -217,9 +219,10 @@ switch($step) {
 	}
 
 	$key = 0;
-	foreach ( $config_file as &$line ) {
+	// Not a PHP5-style by-reference foreach, as this file must be parseable by PHP4.
+	foreach ( $config_file as $line_num => $line ) {
 		if ( '$table_prefix  =' == substr( $line, 0, 16 ) ) {
-			$line = '$table_prefix  = \'' . addcslashes( $prefix, "\\'" ) . "';\r\n";
+			$config_file[ $line_num ] = '$table_prefix  = \'' . addcslashes( $prefix, "\\'" ) . "';\r\n";
 			continue;
 		}
 
@@ -234,7 +237,7 @@ switch($step) {
 			case 'DB_USER'     :
 			case 'DB_PASSWORD' :
 			case 'DB_HOST'     :
-				$line = "define('" . $constant . "'," . $padding . "'" . addcslashes( constant( $constant ), "\\'" ) . "');\r\n";
+				$config_file[ $line_num ] = "define('" . $constant . "'," . $padding . "'" . addcslashes( constant( $constant ), "\\'" ) . "');\r\n";
 				break;
 			case 'AUTH_KEY'         :
 			case 'SECURE_AUTH_KEY'  :
@@ -244,7 +247,7 @@ switch($step) {
 			case 'SECURE_AUTH_SALT' :
 			case 'LOGGED_IN_SALT'   :
 			case 'NONCE_SALT'       :
-				$line = "define('" . $constant . "'," . $padding . "'" . $secret_keys[$key++] . "');\r\n";
+				$config_file[ $line_num ] = "define('" . $constant . "'," . $padding . "'" . $secret_keys[$key++] . "');\r\n";
 				break;
 		}
 	}

wp-admin/themes.php

@@ -20,7 +20,7 @@ if ( current_user_can( 'switch_themes' ) && isset($_GET['action'] ) ) {
 		$theme = wp_get_theme( $_GET['stylesheet'] );
 		if ( ! $theme->exists() || ! $theme->is_allowed() )
 			wp_die( __( 'Cheatin’ uh?' ) );
-		switch_theme($_GET['template'], $_GET['stylesheet']);
+		switch_theme( $theme->get_template(), $theme->get_stylesheet() );
 		wp_redirect( admin_url('themes.php?activated=true') );
 		exit;
 	} elseif ( 'delete' == $_GET['action'] ) {
@@ -64,6 +64,8 @@ if ( current_user_can( 'install_themes' ) ) {
 	) );
 }
 
+add_thickbox();
+
 endif; // switch_themes
 
 if ( current_user_can( 'edit_theme_options' ) ) {
@@ -191,9 +193,11 @@ $customize_title = sprintf( __( 'Customize “%s”' ), $ct->display('Na
 				<li><?php echo $option; ?></li>
 			<?php endforeach; ?>
 		</ul>
+		<?php
+		endif; // options
+		?>
 	</div>
 	<?php
-		endif; // options
 	endif; // options || edit_theme_options
 	?>
 

wp-content/themes/twentyeleven/languages/twentyeleven.pot

@@ -1,14 +1,14 @@
-# Copyright (C) 2012 the WordPress team
+# Copyright (C) 2013 the WordPress team
 # This file is distributed under the GNU General Public License v2 or later.
 msgid ""
 msgstr ""
 "Project-Id-Version: Twenty Eleven 1.4\n"
 "Report-Msgid-Bugs-To: http://wordpress.org/tags/twentyeleven\n"
-"POT-Creation-Date: 2012-06-10 15:18:15+00:00\n"
+"POT-Creation-Date: 2013-04-26 13:58:41+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2012-MO-DA HO:MI+ZONE\n"
+"PO-Revision-Date: 2013-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 
@@ -253,8 +253,8 @@ msgstr ""
 
 #: content-single.php:39
 msgid ""
-"This entry was posted by <a href=\"%6$s\">%5$s</a>. Bookmark the <a href=\"%3"
-"$s\" title=\"Permalink to %4$s\" rel=\"bookmark\">permalink</a>."
+"This entry was posted by <a href=\"%6$s\">%5$s</a>. Bookmark the <a href="
+"\"%3$s\" title=\"Permalink to %4$s\" rel=\"bookmark\">permalink</a>."
 msgstr ""
 
 #: content-single.php:64
@@ -651,15 +651,6 @@ msgstr ""
 msgid "the WordPress team"
 msgstr ""
 
-#. Tags of the plugin/theme
-msgid ""
-"dark, light, white, black, gray, one-column, two-columns, left-sidebar, "
-"right-sidebar, fixed-width, flexible-width, custom-background, custom-"
-"colors, custom-header, custom-menu, editor-style, featured-image-header, "
-"featured-images, full-width-template, microformats, post-formats, rtl-"
-"language-support, sticky-post, theme-options, translation-ready"
-msgstr ""
-
 #. Template Name of the plugin/theme
 msgid "Showcase Template"
 msgstr ""

wp-content/themes/twentyten/languages/twentyten.pot

@@ -1,14 +1,14 @@
-# Copyright (C) 2012 the WordPress team
+# Copyright (C) 2013 the WordPress team
 # This file is distributed under the GNU General Public License v2 or later.
 msgid ""
 msgstr ""
 "Project-Id-Version: Twenty Ten 1.4\n"
 "Report-Msgid-Bugs-To: http://wordpress.org/tags/twentyten\n"
-"POT-Creation-Date: 2012-06-10 15:18:09+00:00\n"
+"POT-Creation-Date: 2013-01-01 00:19:27+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2012-MO-DA HO:MI+ZONE\n"
+"PO-Revision-Date: 2013-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 
@@ -410,13 +410,6 @@ msgstr ""
 msgid "the WordPress team"
 msgstr ""
 
-#. Tags of the plugin/theme
-msgid ""
-"black, blue, white, two-columns, fixed-width, custom-header, custom-"
-"background, threaded-comments, sticky-post, translation-ready, microformats, "
-"rtl-language-support, editor-style, custom-menu"
-msgstr ""
-
 #. Template Name of the plugin/theme
 msgid "One column, no sidebar"
 msgstr ""

wp-includes/canonical.php

@@ -100,7 +100,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
 		}
 
 		if ( ! $redirect_url ) {
-			if ( $redirect_url = redirect_guess_404_permalink( $requested_url ) ) {
+			if ( $redirect_url = redirect_guess_404_permalink() ) {
 				$redirect['query'] = _remove_qs_args_if_not_in_url( $redirect['query'], array( 'page', 'feed', 'p', 'page_id', 'attachment_id', 'pagename', 'name', 'post_type' ), $redirect_url );
 			}
 		}
@@ -461,31 +461,16 @@ function _remove_qs_args_if_not_in_url( $query_string, Array $args_to_check, $ur
 }
 
 /**
- * Attempts to guess the correct URL from the current URL (that produced a 404) or
- * the current query variables.
+ * Attempts to guess the correct URL based on query vars
  *
  * @since 2.3.0
  * @uses $wpdb
  *
- * @param string $current_url Optional. The URL that has 404'd.
  * @return bool|string The correct URL if one is found. False on failure.
  */
-function redirect_guess_404_permalink( $current_url = '' ) {
+function redirect_guess_404_permalink() {
 	global $wpdb, $wp_rewrite;
 
-	if ( ! empty( $current_url ) )
-		$parsed_url = @parse_url( $current_url );
-
-	// Attempt to redirect bare category slugs if the permalink structure starts
-	// with the %category% tag.
-	if ( isset( $parsed_url['path'] )
-		&& preg_match( '#^[^%]+%category%#', $wp_rewrite->permalink_structure )
-		&& $cat = get_category_by_path( $parsed_url['path'] )
-	) {
-		if ( ! is_wp_error( $cat ) )
-			return get_term_link( $cat );
-	}
-
 	if ( get_query_var('name') ) {
 		$where = $wpdb->prepare("post_name LIKE %s", like_escape( get_query_var('name') ) . '%');
 

wp-includes/capabilities.php

@@ -1130,6 +1130,8 @@ function map_meta_cap( $cap, $user_id ) {
 		// Disallow unfiltered_html for all users, even admins and super admins.
 		if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML )
 			$caps[] = 'do_not_allow';
+		elseif ( is_multisite() && ! is_super_admin( $user_id ) )
+			$caps[] = 'do_not_allow';
 		else
 			$caps[] = $cap;
 		break;

wp-includes/class-oembed.php

@@ -213,8 +213,14 @@ class WP_oEmbed {
 			$errors = libxml_use_internal_errors( 'true' );
 			$data = simplexml_load_string( $response_body );
 			libxml_use_internal_errors( $errors );
-			if ( is_object( $data ) )
-				return $data;
+			if ( ! is_object( $data ) )
+				return false;
+
+			$return = new stdClass;
+			foreach ( $data as $key => $value )
+				$return->$key = (string) $value;
+
+			return $return;
 		}
 		return false;
 	}

wp-includes/class-phpmailer.php

@@ -760,13 +760,13 @@ class PHPMailer {
     } else {
       if ($this->SingleTo === true && count($toArr) > 1) {
         foreach ($toArr as $key => $val) {
-          $rt = @mail($val, $this->EncodeHeader($this->SecureHeader($this->Subject)), $body, $header, $params);
+          $rt = @mail($val, $this->EncodeHeader($this->SecureHeader($this->Subject)), $body, $header);
           // implement call back function if it exists
           $isSent = ($rt == 1) ? 1 : 0;
           $this->doCallback($isSent, $val, $this->cc, $this->bcc, $this->Subject, $body);
         }
       } else {
-        $rt = @mail($to, $this->EncodeHeader($this->SecureHeader($this->Subject)), $body, $header, $params);
+        $rt = @mail($to, $this->EncodeHeader($this->SecureHeader($this->Subject)), $body, $header);
         // implement call back function if it exists
         $isSent = ($rt == 1) ? 1 : 0;
         $this->doCallback($isSent, $to, $this->cc, $this->bcc, $this->Subject, $body);

wp-includes/class-wp-atom-server.php

@@ -167,9 +167,7 @@ class wp_atom_server {
 				array('GET' => 'get_attachment',
 						'POST' => 'create_attachment'),
 			'@/attachment/file/(\d+)$@' =>
-				array('GET' => 'get_file',
-						'PUT' => 'put_file',
-						'DELETE' => 'delete_file'),
+				array('GET' => 'get_file'),
 			'@/attachment/(\d+)$@' =>
 				array('GET' => 'get_attachment',
 						'PUT' => 'put_attachment',
@@ -315,6 +313,12 @@ EOD;
 
 		$entry = array_pop($parser->feed->entries);
 
+		$publish = ! ( isset( $entry->draft ) && 'yes' == trim( $entry->draft ) );
+		$cap = ($publish) ? 'publish_posts' : 'edit_posts';
+
+		if ( !current_user_can($cap) )
+			$this->auth_required(__('Sorry, you do not have the right to edit/publish new posts.'));
+
 		$catnames = array();
 		if ( !empty( $entry->categories ) ) {
 			foreach ( $entry->categories as $cat ) {
@@ -331,13 +335,6 @@ EOD;
 				array_push($post_category, $cat->term_id);
 		}
 
-		$publish = ! ( isset( $entry->draft ) && 'yes' == trim( $entry->draft ) );
-
-		$cap = ($publish) ? 'publish_posts' : 'edit_posts';
-
-		if ( !current_user_can($cap) )
-			$this->auth_required(__('Sorry, you do not have the right to edit/publish new posts.'));
-
 		$blog_ID = get_current_blog_id();
 		$post_status = ($publish) ? 'publish' : 'draft';
 		$post_author = (int) $user_ID;
@@ -398,7 +395,7 @@ EOD;
 	function get_post($postID) {
 		global $entry;
 
-		if ( !current_user_can( 'edit_post', $postID ) )
+		if ( ! get_post( $postID ) || ! current_user_can( 'edit_post', $postID ) )
 			$this->auth_required( __( 'Sorry, you do not have the right to access this post.' ) );
 
 		$this->set_current_entry($postID);
@@ -429,10 +426,14 @@ EOD;
 		global $entry;
 		$this->set_current_entry($postID);
 
-		if ( !current_user_can('edit_post', $entry['ID']) )
+		if ( !current_user_can('edit_post', $postID) )
 			$this->auth_required(__('Sorry, you do not have the right to edit this post.'));
 
 		$publish = ! ( isset($parsed->draft) && 'yes' == trim($parsed->draft) );
+
+		if ( $publish && ! current_user_can( 'publish_posts' ) )
+			$this->auth_required( __( 'Sorry, you do not have the right to publish this post.' ) );
+
 		$post_status = ($publish) ? 'publish' : 'draft';
 
 		extract($entry);
@@ -473,7 +474,7 @@ EOD;
 		global $entry;
 		$this->set_current_entry($postID);
 
-		if ( !current_user_can('edit_post', $postID) )
+		if ( !current_user_can('delete_post', $postID) )
 			$this->auth_required(__('Sorry, you do not have the right to delete this post.'));
 
 		if ( $entry['post_type'] == 'attachment' ) {
@@ -504,6 +505,9 @@ EOD;
 		if ( !isset($postID) ) {
 			$this->get_attachments();
 		} else {
+			if ( ! current_user_can( 'edit_post', $postID ) )
+				$this->auth_required( __( 'Sorry, you do not have the right to edit this post.' ) );
+
 			$this->set_current_entry($postID);
 			$output = $this->get_entry($postID, 'attachment');
 			$this->output($output);
@@ -589,7 +593,7 @@ EOD;
 		global $entry;
 		$this->set_current_entry($postID);
 
-		if ( !current_user_can('edit_post', $entry['ID']) )
+		if ( !current_user_can('edit_post', $entry['ID']) || 'attachment' != $entry['post_type'] )
 			$this->auth_required(__('Sorry, you do not have the right to edit this post.'));
 
 		extract($entry);
@@ -624,7 +628,7 @@ EOD;
 		global $entry;
 		$this->set_current_entry($postID);
 
-		if ( !current_user_can('edit_post', $postID) )
+		if ( !current_user_can('delete_post', $postID) )
 			$this->auth_required(__('Sorry, you do not have the right to delete this post.'));
 
 		$location = get_post_meta($entry['ID'], '_wp_attached_file', true);
@@ -633,11 +637,8 @@ EOD;
 		if ( !isset($location) || 'attachment' != $entry['post_type'] || empty($filetype['ext']) )
 			$this->internal_error(__('Error occurred while accessing post metadata for file location.'));
 
-		// delete file
-		@unlink($location);
-
 		// delete attachment
-		$result = wp_delete_post($postID);
+		$result = wp_delete_attachment($postID);
 
 		if ( !$result )
 			$this->internal_error(__('For some strange yet very annoying reason, this post could not be deleted.'));
@@ -970,7 +971,7 @@ EOD;
 
 		$count = get_option('posts_per_rss');
 
-		wp('posts_per_page=' . $count . '&offset=' . ($count * ($page-1)) . '&orderby=modified&post_status=any');
+		wp('posts_per_page=' . $count . '&offset=' . ($count * ($page-1)) . '&orderby=modified&perm=readable');
 
 		$post = $GLOBALS['post'];
 		$posts = $GLOBALS['posts'];

wp-includes/class-wp-customize-control.php

@@ -321,6 +321,21 @@ class WP_Customize_Image_Control extends WP_Customize_Upload_Control {
 
 		$this->add_tab( 'upload-new', __('Upload New'), array( $this, 'tab_upload_new' ) );
 		$this->add_tab( 'uploaded',   __('Uploaded'),   array( $this, 'tab_uploaded' ) );
+
+		// Early priority to occur before $this->manager->prepare_controls();
+		add_action( 'customize_controls_init', array( $this, 'prepare_control' ), 5 );
+	}
+
+	/**
+	 * Prepares the control.
+	 *
+	 * If no tabs exist, removes the control from the manager.
+	 *
+	 * @since 3.4.2
+	 */
+	public function prepare_control() {
+		if ( ! $this->tabs )
+			$this->manager->remove_control( $this->id );
 	}
 
 	public function to_json() {
@@ -455,6 +470,20 @@ class WP_Customize_Background_Image_Control extends WP_Customize_Image_Control {
 }
 
 class WP_Customize_Header_Image_Control extends WP_Customize_Image_Control {
+	/**
+	 * The processed default headers.
+	 * @since 3.4.2
+	 * @var array
+	 */
+	protected $default_headers;
+
+	/**
+	 * The uploaded headers.
+	 * @since 3.4.2
+	 * @var array
+	 */
+	protected $uploaded_headers;
+
 	public function __construct( $manager ) {
 		parent::__construct( $manager, 'header_image', array(
 			'label'    => __( 'Header Image' ),
@@ -474,7 +503,34 @@ class WP_Customize_Header_Image_Control extends WP_Customize_Image_Control {
 			)
 		) );
 
-		$this->add_tab( 'default',  __('Default'),  array( $this, 'tab_default_headers' ) );
+		// Remove the upload tab.
+		$this->remove_tab( 'upload-new' );
+	}
+
+	/**
+	 * Prepares the control.
+	 *
+	 * If no tabs exist, removes the control from the manager.
+	 *
+	 * @since 3.4.2
+	 */
+	public function prepare_control() {
+		global $custom_image_header;
+		if ( empty( $custom_image_header ) )
+			return parent::prepare_control();
+
+		// Process default headers and uploaded headers.
+		$custom_image_header->process_default_headers();
+		$this->default_headers = $custom_image_header->default_headers;
+		$this->uploaded_headers = get_uploaded_header_images();
+
+		if ( $this->default_headers )
+			$this->add_tab( 'default',  __('Default'),  array( $this, 'tab_default_headers' ) );
+
+		if ( ! $this->uploaded_headers )
+			$this->remove_tab( 'uploaded' );
+
+		return parent::prepare_control();
 	}
 
 	public function print_header_image( $choice, $header ) {
@@ -498,19 +554,14 @@ class WP_Customize_Header_Image_Control extends WP_Customize_Image_Control {
 	}
 
 	public function tab_uploaded() {
-		$headers = get_uploaded_header_images();
-
 		?><div class="uploaded-target"></div><?php
 
-		foreach ( $headers as $choice => $header )
+		foreach ( $this->uploaded_headers as $choice => $header )
 			$this->print_header_image( $choice, $header );
 	}
 
 	public function tab_default_headers() {
-		global $custom_image_header;
-		$custom_image_header->process_default_headers();
-
-		foreach ( $custom_image_header->default_headers as $choice => $header )
+		foreach ( $this->default_headers as $choice => $header )
 			$this->print_header_image( $choice, $header );
 	}
 }

wp-includes/class-wp-customize-manager.php

@@ -17,6 +17,8 @@ final class WP_Customize_Manager {
 	protected $sections = array();
 	protected $controls = array();
 
+	protected $nonce_tick;
+
 	protected $customized;
 
 	private $_post_values;
@@ -308,6 +310,8 @@ final class WP_Customize_Manager {
 	 * @since 3.4.0
 	 */
 	public function customize_preview_init() {
+		$this->nonce_tick = check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce' );
+
 		$this->prepare_controls();
 
 		wp_enqueue_script( 'customize-preview' );
@@ -362,6 +366,13 @@ final class WP_Customize_Manager {
 			'channel' => esc_js( $_POST['customize_messenger_channel'] ),
 		);
 
+		if ( 2 == $this->nonce_tick ) {
+ 			$settings['nonce'] = array(
+ 				'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ),
+ 				'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() )
+ 			);
+ 		}
+
 		foreach ( $this->settings as $id => $setting ) {
 			$settings['values'][ $id ] = $setting->js_value();
 		}
@@ -468,7 +479,7 @@ final class WP_Customize_Manager {
 		if ( ! $this->is_preview() )
 			die;
 
-		check_ajax_referer( 'customize_controls-' . $this->get_stylesheet(), 'nonce' );
+		check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce' );
 
 		// Do we have to switch themes?
 		if ( ! $this->is_theme_active() ) {

wp-includes/class-wp-editor.php

@@ -337,7 +337,6 @@ final class _WP_Editors {
 						foreach ( $editor_styles as $key => $file ) {
 							if ( $file && file_exists( "$template_dir/$file" ) ) {
 								$mce_css[] = "$template_uri/$file";
-								$editor_styles[$key] = '';
 							}
 						}
 					}
@@ -784,7 +783,7 @@ final class _WP_Editors {
 			<div class="link-search-wrapper">
 				<label>
 					<span><?php _e( 'Search' ); ?></span>
-					<input type="search" id="search-field" class="link-search-field" tabindex="60" autocomplete="off" />
+					<input type="text" id="search-field" class="link-search-field" tabindex="60" autocomplete="off" />
 					<img class="waiting" src="<?php echo esc_url( admin_url( 'images/wpspin_light.gif' ) ); ?>" alt="" />
 				</label>
 			</div>

wp-includes/class-wp-theme.php

@@ -253,6 +253,7 @@ final class WP_Theme implements ArrayAccess {
 				// Parent theme is missing.
 				$this->errors = new WP_Error( 'theme_no_parent', sprintf( __( 'The parent theme is missing. Please install the "%s" parent theme.' ), $this->template ) );
 				$this->cache_add( 'theme', array( 'headers' => $this->headers, 'errors' => $this->errors, 'stylesheet' => $this->stylesheet, 'template' => $this->template ) );
+				$this->parent = new WP_Theme( $this->template, $this->theme_root, $this );
 				return;
 			}
 		}
@@ -794,7 +795,7 @@ final class WP_Theme implements ArrayAccess {
 	 * @return string URL to the stylesheet directory.
 	 */
 	public function get_stylesheet_directory_uri() {
-		return $this->get_theme_root_uri() . '/' . $this->stylesheet;
+		return $this->get_theme_root_uri() . '/' . str_replace( '%2F', '/', rawurlencode( $this->stylesheet ) );
 	}
 
 	/**
@@ -814,7 +815,7 @@ final class WP_Theme implements ArrayAccess {
 		else
 			$theme_root_uri = $this->get_theme_root_uri();
 
-		return $theme_root . '/' . $this->template;
+		return $theme_root_uri . '/' . str_replace( '%2F', '/', rawurlencode( $this->template ) );
 	}
 
 	/**
@@ -930,10 +931,9 @@ final class WP_Theme implements ArrayAccess {
 			$files = (array) $this->get_files( 'php', 1 );
 
 			foreach ( $files as $file => $full_path ) {
-				$headers = get_file_data( $full_path, array( 'Template Name' => 'Template Name' ) );
-				if ( empty( $headers['Template Name'] ) )
+				if ( ! preg_match( '|Template Name:(.*)$|mi', file_get_contents( $full_path ), $header ) )
 					continue;
-				$page_templates[ $file ] = $headers['Template Name'];
+				$page_templates[ $file ] = _cleanup_header_comment( $header[1] );
 			}
 
 			$this->cache_add( 'page_templates', $page_templates );
@@ -1072,7 +1072,8 @@ final class WP_Theme implements ArrayAccess {
 	 * @return array Array of stylesheet names.
 	 */
 	public static function get_allowed( $blog_id = null ) {
-		return self::get_allowed_on_network() + self::get_allowed_on_site( $blog_id );
+		$network = (array) apply_filters( 'allowed_themes', self::get_allowed_on_network() );
+		return $network + self::get_allowed_on_site( $blog_id );
 	}
 
 	/**

wp-includes/class-wp-xmlrpc-server.php

@@ -622,7 +622,11 @@ class wp_xmlrpc_server extends IXR_Server {
 			'post_password'     => $post['post_password'],
 			'post_excerpt'      => $post['post_excerpt'],
 			'post_content'      => $post['post_content'],
+			'post_parent'       => strval( $post['post_parent'] ),
+			'post_mime_type'    => $post['post_mime_type'],
 			'link'              => post_permalink( $post['ID'] ),
+			'guid'              => $post['guid'],
+			'menu_order'        => intval( $post['menu_order'] ),
 			'comment_status'    => $post['comment_status'],
 			'ping_status'       => $post['ping_status'],
 			'sticky'            => ( $post['post_type'] === 'post' && is_sticky( $post['ID'] ) ),
@@ -1337,7 +1341,7 @@ class wp_xmlrpc_server extends IXR_Server {
 			return new IXR_Error( 404, __( 'Invalid post ID.' ) );
 
 		$post_type = get_post_type_object( $post['post_type'] );
-		if ( ! current_user_can( $post_type->cap->edit_posts, $post_id ) )
+		if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) )
 			return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
 
 		return $this->_prepare_post( $post, $fields );
@@ -1394,13 +1398,15 @@ class wp_xmlrpc_server extends IXR_Server {
 			$post_type = get_post_type_object( $filter['post_type'] );
 			if ( ! ( (bool) $post_type ) )
 				return new IXR_Error( 403, __( 'The post type specified is not valid' ) );
-
-			if ( ! current_user_can( $post_type->cap->edit_posts ) )
-				return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit posts in this post type' ));
-
-			$query['post_type'] = $filter['post_type'];
+		} else {
+			$post_type = get_post_type_object( 'post' );
 		}
 
+		if ( ! current_user_can( $post_type->cap->edit_posts ) )
+			return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit posts in this post type' ));
+
+		$query['post_type'] = $post_type->name;
+
 		if ( isset( $filter['post_status'] ) )
 			$query['post_status'] = $filter['post_status'];
 
@@ -1427,7 +1433,7 @@ class wp_xmlrpc_server extends IXR_Server {
 
 		foreach ( $posts_list as $post ) {
 			$post_type = get_post_type_object( $post['post_type'] );
-			if ( ! current_user_can( $post_type->cap->edit_posts, $post['ID'] ) )
+			if ( ! current_user_can( $post_type->cap->edit_post, $post['ID'] ) )
 				continue;
 
 			$struct[] = $this->_prepare_post( $post, $fields );
@@ -4912,10 +4918,14 @@ class wp_xmlrpc_server extends IXR_Server {
 		$pagelinkedto = str_replace('&', '&', $pagelinkedto);
 		$pagelinkedto = str_replace('&', '&', $pagelinkedto);
 
+		$pagelinkedfrom = apply_filters( 'pingback_ping_source_uri', $pagelinkedfrom, $pagelinkedto );
+		if ( ! $pagelinkedfrom )
+			return $this->pingback_error( 0, __( 'A valid URL was not provided.' ) );
+
 		// Check if the page linked to is in our site
 		$pos1 = strpos($pagelinkedto, str_replace(array('http://www.','http://','https://www.','https://'), '', get_option('home')));
 		if ( !$pos1 )
-			return new IXR_Error(0, __('Is there no link to us?'));
+			return $this->pingback_error( 0, __( 'Is there no link to us?' ) );
 
 		// let's find which post is linked to
 		// FIXME: does url_to_postid() cover all these cases already?
@@ -4949,39 +4959,39 @@ class wp_xmlrpc_server extends IXR_Server {
 				$sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", like_escape( $title ) );
 				if (! ($post_ID = $wpdb->get_var($sql)) ) {
 					// returning unknown error '0' is better than die()ing
-			  		return new IXR_Error(0, '');
+			  		return $this->pingback_error( 0, '' );
 				}
 				$way = 'from the fragment (title)';
 			}
 		} else {
 			// TODO: Attempt to extract a post ID from the given URL
-	  		return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+	  		return $this->pingback_error( 33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
 		}
 		$post_ID = (int) $post_ID;
 
 		$post = get_post($post_ID);
 
 		if ( !$post ) // Post_ID not found
-	  		return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+	  		return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
 
 		if ( $post_ID == url_to_postid($pagelinkedfrom) )
-			return new IXR_Error(0, __('The source URL and the target URL cannot both point to the same resource.'));
+			return $this->pingback_error( 0, __( 'The source URL and the target URL cannot both point to the same resource.' ) );
 
 		// Check if pings are on
 		if ( !pings_open($post) )
-	  		return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.'));
+	  		return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.' ) );
 
 		// Let's check that the remote site didn't already pingback this entry
 		if ( $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) ) )
-			return new IXR_Error( 48, __( 'The pingback has already been registered.' ) );
+			return $this->pingback_error( 48, __( 'The pingback has already been registered.' ) );
 
 		// very stupid, but gives time to the 'from' server to publish !
 		sleep(1);
 
 		// Let's check the remote site
-		$linea = wp_remote_fopen( $pagelinkedfrom );
+		$linea = wp_remote_retrieve_body( wp_remote_get( $pagelinkedfrom, array( 'timeout' => 10, 'redirection' => 0 ) ) );
 		if ( !$linea )
-	  		return new IXR_Error(16, __('The source URL does not exist.'));
+	  		return $this->pingback_error( 16, __( 'The source URL does not exist.' ) );
 
 		$linea = apply_filters('pre_remote_source', $linea, $pagelinkedto);
 
@@ -4993,7 +5003,7 @@ class wp_xmlrpc_server extends IXR_Server {
 		preg_match('|<title>([^<]*?)</title>|is', $linea, $matchtitle);
 		$title = $matchtitle[1];
 		if ( empty( $title ) )
-			return new IXR_Error(32, __('We cannot find a title on that page.'));
+			return $this->pingback_error( 32, __('We cannot find a title on that page.' ) );
 
 		$linea = strip_tags( $linea, '<a>' ); // just keep the tag we need
 
@@ -5029,7 +5039,7 @@ class wp_xmlrpc_server extends IXR_Server {
 		}
 
 		if ( empty($context) ) // Link to target not found
-			return new IXR_Error(17, __('The source URL does not contain a link to the target URL, and so cannot be used as a source.'));
+			return $this->pingback_error( 17, __( 'The source URL does not contain a link to the target URL, and so cannot be used as a source.' ) );
 
 		$pagelinkedfrom = str_replace('&', '&amp;', $pagelinkedfrom);
 
@@ -5076,14 +5086,14 @@ class wp_xmlrpc_server extends IXR_Server {
 		$post_ID = url_to_postid($url);
 		if ( !$post_ID ) {
 			// We aren't sure that the resource is available and/or pingback enabled
-	  		return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn&#8217;t exist, or it is not a pingback-enabled resource.'));
+	  		return $this->pingback_error( 33, __( 'The specified target URL cannot be used as a target. It either doesn&#8217;t exist, or it is not a pingback-enabled resource.' ) );
 		}
 
 		$actual_post = wp_get_single_post($post_ID, ARRAY_A);
 
 		if ( !$actual_post ) {
 			// No such post = resource not found
-	  		return new IXR_Error(32, __('The specified target URL does not exist.'));
+	  		return $this->pingback_error( 32, __('The specified target URL does not exist.' ) );
 		}
 
 		$comments = $wpdb->get_results( $wpdb->prepare("SELECT comment_author_url, comment_content, comment_author_IP, comment_type FROM $wpdb->comments WHERE comment_post_ID = %d", $post_ID) );
@@ -5099,4 +5109,8 @@ class wp_xmlrpc_server extends IXR_Server {
 
 		return $pingbacks;
 	}
+
+	protected function pingback_error( $code, $message ) {
+		return apply_filters( 'xmlrpc_pingback_error', new IXR_Error( $code, $message ) );
+	}
 }

wp-includes/class.wp-scripts.php

@@ -31,10 +31,8 @@ class WP_Scripts extends WP_Dependencies {
 	var $default_dirs;
 
 	function __construct() {
-		if ( ! function_exists( 'did_action' ) || did_action( 'init' ) )
-			$this->init();
-		else
-			add_action( 'init', array( $this, 'init' ), 0 );
+		$this->init();
+		add_action( 'init', array( $this, 'init' ), 0 );
 	}
 
 	function init() {

wp-includes/comment.php

@@ -1912,6 +1912,86 @@ function weblog_ping($server = '', $path = '') {
 		$client->query('weblogUpdates.ping', get_option('blogname'), $home);
 }
 
+/**
+ * Default filter attached to pingback_ping_source_uri to validate the pingback's Source URI
+ *
+ * @since 3.5.1
+ *
+ * @param string $source_uri
+ * @return string
+ */
+function pingback_ping_source_uri( $source_uri ) {
+	$uri = esc_url_raw( $source_uri, array( 'http', 'https' ) );
+	if ( ! $uri )
+		return '';
+
+	$parsed_url = @parse_url( $uri );
+	if ( ! $parsed_url )
+		return '';
+
+	if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) )
+		return '';
+
+	if ( false !== strpos( $parsed_url['host'], ':' ) )
+		return '';
+
+	$parsed_home = @parse_url( get_option( 'home' ) );
+
+	$same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
+
+	if ( ! $same_host ) {
+		$host = trim( $parsed_url['host'], '.' );
+		if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) {
+			$ip = $host;
+		} else {
+			$ip = gethostbyname( $host );
+			if ( $ip === $host ) // Error condition for gethostbyname()
+				$ip = false;
+		}
+		if ( $ip ) {
+			if ( '127.0.0.1' === $ip )
+				return '';
+			$parts = array_map( 'intval', explode( '.', $ip ) );
+			if ( 10 === $parts[0] )
+				return '';
+			if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
+				return '';
+			if ( 192 === $parts[0] && 168 === $parts[1] )
+				return '';
+		}
+	}
+
+	if ( empty( $parsed_url['port'] ) )
+		return $uri;
+
+	$port = $parsed_url['port'];
+	if ( 80 === $port || 443 === $port || 8080 === $port )
+		return $uri;
+
+	if ( $parsed_home && $same_host && $parsed_home['port'] === $port )
+		return $uri;
+
+	return '';
+}
+
+/**
+ * Default filter attached to xmlrpc_pingback_error.
+ *
+ * Returns a generic pingback error code unless the error code is 48,
+ * which reports that the pingback is already registered.
+ *
+ * @since 3.5.1
+ * @link http://www.hixie.ch/specs/pingback/pingback#TOC3
+ *
+ * @param IXR_Error $ixr_error
+ * @return IXR_Error
+ */
+function xmlrpc_pingback_error( $ixr_error ) {
+	if ( $ixr_error->code === 48 )
+		return $ixr_error;
+	return new IXR_Error( 0, '' );
+}
+
 //
 // Cache
 //

wp-includes/css/editor.dev.css

@@ -1237,7 +1237,7 @@ html[dir="rtl"] .wp-switch-editor {
 
 #wp-link .link-search-wrapper span {
 	float: left;
-	margin-top: 6px;
+	margin-top: 9px;
 }
 
 #wp-link .link-search-wrapper input[type="text"] {

wp-includes/default-filters.php

@@ -192,6 +192,8 @@ add_filter( 'pings_open',               '_close_comments_for_old_post', 10, 2 );
 add_filter( 'editable_slug',            'urldecode'                           );
 add_filter( 'editable_slug',            'esc_textarea'                        );
 add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object'        );
+add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri'            );
+add_filter( 'xmlrpc_pingback_error',    'xmlrpc_pingback_error'               );
 
 // Actions
 add_action( 'wp_head',             'wp_enqueue_scripts',              1     );

wp-includes/formatting.php

@@ -3236,7 +3236,7 @@ function sanitize_mime_type( $mime_type ) {
  * @return string URLs starting with the http or https protocol, separated by a carriage return.
  */
 function sanitize_trackback_urls( $to_ping ) {
-	$urls_to_ping = preg_split( '/\r\n\t /', trim( $to_ping ), -1, PREG_SPLIT_NO_EMPTY );
+	$urls_to_ping = preg_split( '/[\r\n\t ]/', trim( $to_ping ), -1, PREG_SPLIT_NO_EMPTY );
 	foreach ( $urls_to_ping as $k => $url ) {
 		if ( !preg_match( '#^https?://.#i', $url ) )
 			unset( $urls_to_ping[$k] );

wp-includes/functions.php

@@ -1486,7 +1486,12 @@ function wp_upload_dir( $time = null ) {
 
 	// Make sure we have an uploads dir
 	if ( ! wp_mkdir_p( $uploads['path'] ) ) {
-		$message = sprintf( __( 'Unable to create directory %s. Is its parent directory writable by the server?' ), $uploads['path'] );
+		if ( 0 === strpos( $uploads['basedir'], ABSPATH ) )
+			$error_path = str_replace( ABSPATH, '', $uploads['basedir'] ) . $uploads['subdir'];
+		else
+			$error_path = basename( $uploads['basedir'] ) . $uploads['subdir'];
+
+		$message = sprintf( __( 'Unable to create directory %s. Is its parent directory writable by the server?' ), $error_path );
 		return array( 'error' => $message );
 	}
 
@@ -1604,7 +1609,12 @@ function wp_upload_bits( $name, $deprecated, $bits, $time = null ) {
 
 	$new_file = $upload['path'] . "/$filename";
 	if ( ! wp_mkdir_p( dirname( $new_file ) ) ) {
-		$message = sprintf( __( 'Unable to create directory %s. Is its parent directory writable by the server?' ), dirname( $new_file ) );
+		if ( 0 === strpos( $upload['basedir'], ABSPATH ) )
+			$error_path = str_replace( ABSPATH, '', $upload['basedir'] ) . $upload['subdir'];
+		else
+			$error_path = basename( $upload['basedir'] ) . $upload['subdir'];
+
+		$message = sprintf( __( 'Unable to create directory %s. Is its parent directory writable by the server?' ), $error_path );
 		return array( 'error' => $message );
 	}
 
@@ -1835,99 +1845,19 @@ function get_allowed_mime_types() {
 /**
  * Retrieve nonce action "Are you sure" message.
  *
- * The action is split by verb and noun. The action format is as follows:
- * verb-action_extra. The verb is before the first dash and has the format of
- * letters and no spaces and numbers. The noun is after the dash and before the
- * underscore, if an underscore exists. The noun is also only letters.
+ * Deprecated in 3.4.1 and 3.5.0. Backported to 3.3.3.
  *
- * The filter will be called for any action, which is not defined by WordPress.
- * You may use the filter for your plugin to explain nonce actions to the user,
- * when they get the "Are you sure?" message. The filter is in the format of
- * 'explain_nonce_$verb-$noun' with the $verb replaced by the found verb and the
- * $noun replaced by the found noun. The two parameters that are given to the
- * hook are the localized "Are you sure you want to do this?" message with the
- * extra text (the text after the underscore).
- *
- * @package WordPress
- * @subpackage Security
  * @since 2.0.4
+ * @deprecated 3.4.1
+ * @deprecated Use wp_nonce_ays()
+ * @see wp_nonce_ays()
  *
  * @param string $action Nonce action.
  * @return string Are you sure message.
  */
 function wp_explain_nonce( $action ) {
-	if ( $action !== -1 && preg_match( '/([a-z]+)-([a-z]+)(_(.+))?/', $action, $matches ) ) {
-		$verb = $matches[1];
-		$noun = $matches[2];
-
-		$trans = array();
-		$trans['update']['attachment'] = array( __( 'Your attempt to edit this attachment: “%s” has failed.' ), 'get_the_title' );
-
-		$trans['add']['category']      = array( __( 'Your attempt to add this category has failed.' ), false );
-		$trans['delete']['category']   = array( __( 'Your attempt to delete this category: “%s” has failed.' ), 'get_cat_name' );
-		$trans['update']['category']   = array( __( 'Your attempt to edit this category: “%s” has failed.' ), 'get_cat_name' );
-
-		$trans['delete']['comment']    = array( __( 'Your attempt to delete this comment: “%s” has failed.' ), 'use_id' );
-		$trans['unapprove']['comment'] = array( __( 'Your attempt to unapprove this comment: “%s” has failed.' ), 'use_id' );
-		$trans['approve']['comment']   = array( __( 'Your attempt to approve this comment: “%s” has failed.' ), 'use_id' );
-		$trans['update']['comment']    = array( __( 'Your attempt to edit this comment: “%s” has failed.' ), 'use_id' );
-		$trans['bulk']['comments']     = array( __( 'Your attempt to bulk modify comments has failed.' ), false );
-		$trans['moderate']['comments'] = array( __( 'Your attempt to moderate comments has failed.' ), false );
-
-		$trans['add']['bookmark']      = array( __( 'Your attempt to add this link has failed.' ), false );
-		$trans['delete']['bookmark']   = array( __( 'Your attempt to delete this link: “%s” has failed.' ), 'use_id' );
-		$trans['update']['bookmark']   = array( __( 'Your attempt to edit this link: “%s” has failed.' ), 'use_id' );
-		$trans['bulk']['bookmarks']    = array( __( 'Your attempt to bulk modify links has failed.' ), false );
-
-		$trans['add']['page']          = array( __( 'Your attempt to add this page has failed.' ), false );
-		$trans['delete']['page']       = array( __( 'Your attempt to delete this page: “%s” has failed.' ), 'get_the_title' );
-		$trans['update']['page']       = array( __( 'Your attempt to edit this page: “%s” has failed.' ), 'get_the_title' );
-
-		$trans['edit']['plugin']       = array( __( 'Your attempt to edit this plugin file: “%s” has failed.' ), 'use_id' );
-		$trans['activate']['plugin']   = array( __( 'Your attempt to activate this plugin: “%s” has failed.' ), 'use_id' );
-		$trans['deactivate']['plugin'] = array( __( 'Your attempt to deactivate this plugin: “%s” has failed.' ), 'use_id' );
-		$trans['upgrade']['plugin']    = array( __( 'Your attempt to update this plugin: “%s” has failed.' ), 'use_id' );
-
-		$trans['add']['post']          = array( __( 'Your attempt to add this post has failed.' ), false );
-		$trans['delete']['post']       = array( __( 'Your attempt to delete this post: “%s” has failed.' ), 'get_the_title' );
-		$trans['update']['post']       = array( __( 'Your attempt to edit this post: “%s” has failed.' ), 'get_the_title' );
-
-		$trans['add']['user']          = array( __( 'Your attempt to add this user has failed.' ), false );
-		$trans['delete']['users']      = array( __( 'Your attempt to delete users has failed.' ), false );
-		$trans['bulk']['users']        = array( __( 'Your attempt to bulk modify users has failed.' ), false );
-		$trans['update']['user']       = array( __( 'Your attempt to edit this user: “%s” has failed.' ), 'get_the_author_meta', 'display_name' );
-		$trans['update']['profile']    = array( __( 'Your attempt to modify the profile for: “%s” has failed.' ), 'get_the_author_meta', 'display_name' );
-
-		$trans['update']['options']    = array( __( 'Your attempt to edit your settings has failed.' ), false );
-		$trans['update']['permalink']  = array( __( 'Your attempt to change your permalink structure to: %s has failed.' ), 'use_id' );
-		$trans['edit']['file']         = array( __( 'Your attempt to edit this file: “%s” has failed.' ), 'use_id' );
-		$trans['edit']['theme']        = array( __( 'Your attempt to edit this theme file: “%s” has failed.' ), 'use_id' );
-		$trans['switch']['theme']      = array( __( 'Your attempt to switch to this theme: “%s” has failed.' ), 'use_id' );
-
-		$trans['log']['out']           = array( sprintf( __( 'You are attempting to log out of %s' ), get_bloginfo( 'sitename' ) ), false );
-
-		if ( isset( $trans[$verb][$noun] ) ) {
-			if ( !empty( $trans[$verb][$noun][1] ) ) {
-				$lookup = $trans[$verb][$noun][1];
-				if ( isset($trans[$verb][$noun][2]) )
-					$lookup_value = $trans[$verb][$noun][2];
-				$object = $matches[4];
-				if ( 'use_id' != $lookup ) {
-					if ( isset( $lookup_value ) )
-						$object = call_user_func( $lookup, $lookup_value, $object );
-					else
-						$object = call_user_func( $lookup, $object );
-				}
-				return sprintf( $trans[$verb][$noun][0], esc_html($object) );
-			} else {
-				return $trans[$verb][$noun][0];
-			}
-		}
-
-		return apply_filters( 'explain_nonce_' . $verb . '-' . $noun, __( 'Are you sure you want to do this?' ), isset($matches[4]) ? $matches[4] : '' );
-	} else {
-		return apply_filters( 'explain_nonce_' . $action, __( 'Are you sure you want to do this?' ) );
-	}
+	_deprecated_function( __FUNCTION__, '3.4.1', 'wp_nonce_ays()' );
+	return __( 'Are you sure you want to do this?' );
 }
 
 /**
@@ -1944,11 +1874,14 @@ function wp_explain_nonce( $action ) {
  */
 function wp_nonce_ays( $action ) {
 	$title = __( 'WordPress Failure Notice' );
-	$html = esc_html( wp_explain_nonce( $action ) );
-	if ( 'log-out' == $action )
-		$html .= "</p><p>" . sprintf( __( "Do you really want to <a href='%s'>log out</a>?"), wp_logout_url() );
-	elseif ( wp_get_referer() )
-		$html .= "</p><p><a href='" . esc_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
+	if ( 'log-out' == $action ) {
+		$html = sprintf( __( 'You are attempting to log out of %s' ), get_bloginfo( 'name' ) ) . '</p><p>';
+		$html .= sprintf( __( "Do you really want to <a href='%s'>log out</a>?"), wp_logout_url() );
+	} else {
+		$html = __( 'Are you sure you want to do this?' );
+		if ( wp_get_referer() )
+			$html .= "</p><p><a href='" . esc_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
+	}
 
 	wp_die( $html, $title, array('response' => 403) );
 }
@@ -3622,7 +3555,11 @@ function wp_allowed_protocols() {
  * @return string|array Either a string containing a reversed comma separated trace or an array of individual calls.
  */
 function wp_debug_backtrace_summary( $ignore_class = null, $skip_frames = 0, $pretty = true ) {
-	$trace  = debug_backtrace( false );
+	if ( version_compare( PHP_VERSION, '5.2.5', '>=' ) )
+		$trace = debug_backtrace( false );
+	else
+		$trace = debug_backtrace();
+
 	$caller = array();
 	$check_class = ! is_null( $ignore_class );
 	$skip_frames++; // skip this function
@@ -3690,7 +3627,7 @@ function _device_can_upload() {
 	if ( strpos($ua, 'iPhone') !== false
 		|| strpos($ua, 'iPad') !== false
 		|| strpos($ua, 'iPod') !== false ) {
-			return false;
+			return preg_match( '#OS ([\d_]+) like Mac OS X#', $ua, $version ) && version_compare( $version[1], '6', '>=' );
 	} else {
 		return true;
 	}

wp-includes/js/customize-preview.dev.js

@@ -88,7 +88,12 @@
 				preview.trigger( event, args );
 			});
 			preview.send( 'synced' );
-		})
+		});
+
+	 	preview.bind( 'active', function() {
+	 		if ( api.settings.nonce )
+	 			preview.send( 'nonce', api.settings.nonce );
+	 	});
 
 		preview.send( 'ready' );
 

wp-includes/js/customize-preview.js

@@ -1 +1 @@
-(function(b,d){var c=wp.customize,a;a=function(g,e,f){var h;return function(){var i=arguments;f=f||this;clearTimeout(h);h=setTimeout(function(){h=null;g.apply(f,i)},e)}};c.Preview=c.Messenger.extend({initialize:function(g,f){var e=this;c.Messenger.prototype.initialize.call(this,g,f);this.body=d(document.body);this.body.on("click.preview","a",function(h){h.preventDefault();e.send("scroll",0);e.send("url",d(this).prop("href"))});this.body.on("submit.preview","form",function(h){h.preventDefault()});this.window=d(window);this.window.on("scroll.preview",a(function(){e.send("scroll",e.window.scrollTop())},200));this.bind("scroll",function(h){e.window.scrollTop(h)})}});d(function(){c.settings=window._wpCustomizeSettings;if(!c.settings){return}var f,e;f=new c.Preview({url:window.location.href,channel:c.settings.channel});f.bind("settings",function(g){d.each(g,function(i,h){if(c.has(i)){c(i).set(h)}else{c.create(i,h)}})});f.trigger("settings",c.settings.values);f.bind("setting",function(g){var h;g=g.slice();if(h=c(g.shift())){h.set.apply(h,g)}});f.bind("sync",function(g){d.each(g,function(i,h){f.trigger(i,h)});f.send("synced")});f.send("ready");e=d.map(["color","image","position_x","repeat","attachment"],function(g){return"background_"+g});c.when.apply(c,e).done(function(j,i,m,h,l){var n=d(document.body),o=d("head"),g=d("#custom-background-css"),k;if(n.hasClass("custom-background")&&!g.length){return}k=function(){var p="";n.toggleClass("custom-background",!!(j()||i()));if(j()){p+="background-color: "+j()+";"}if(i()){p+='background-image: url("'+i()+'");';p+="background-position: top "+m()+";";p+="background-repeat: "+h()+";";p+="background-position: top "+l()+";"}g.remove();g=d('<style type="text/css" id="custom-background-css">body.custom-background { '+p+" }</style>").appendTo(o)};d.each(arguments,function(){this.bind(k)})})})})(wp,jQuery);
+(function(b,d){var c=wp.customize,a;a=function(g,e,f){var h;return function(){var i=arguments;f=f||this;clearTimeout(h);h=setTimeout(function(){h=null;g.apply(f,i)},e)}};c.Preview=c.Messenger.extend({initialize:function(g,f){var e=this;c.Messenger.prototype.initialize.call(this,g,f);this.body=d(document.body);this.body.on("click.preview","a",function(h){h.preventDefault();e.send("scroll",0);e.send("url",d(this).prop("href"))});this.body.on("submit.preview","form",function(h){h.preventDefault()});this.window=d(window);this.window.on("scroll.preview",a(function(){e.send("scroll",e.window.scrollTop())},200));this.bind("scroll",function(h){e.window.scrollTop(h)})}});d(function(){c.settings=window._wpCustomizeSettings;if(!c.settings){return}var f,e;f=new c.Preview({url:window.location.href,channel:c.settings.channel});f.bind("settings",function(g){d.each(g,function(i,h){if(c.has(i)){c(i).set(h)}else{c.create(i,h)}})});f.trigger("settings",c.settings.values);f.bind("setting",function(g){var h;g=g.slice();if(h=c(g.shift())){h.set.apply(h,g)}});f.bind("sync",function(g){d.each(g,function(i,h){f.trigger(i,h)});f.send("synced")});f.bind("active",function(){if(c.settings.nonce){f.send("nonce",c.settings.nonce)}});f.send("ready");e=d.map(["color","image","position_x","repeat","attachment"],function(g){return"background_"+g});c.when.apply(c,e).done(function(j,i,m,h,l){var n=d(document.body),o=d("head"),g=d("#custom-background-css"),k;if(n.hasClass("custom-background")&&!g.length){return}k=function(){var p="";n.toggleClass("custom-background",!!(j()||i()));if(j()){p+="background-color: "+j()+";"}if(i()){p+='background-image: url("'+i()+'");';p+="background-position: top "+m()+";";p+="background-repeat: "+h()+";";p+="background-position: top "+l()+";"}g.remove();g=d('<style type="text/css" id="custom-background-css">body.custom-background { '+p+" }</style>").appendTo(o)};d.each(arguments,function(){this.bind(k)})})})})(wp,jQuery);

wp-includes/js/imgareaselect/jquery.imgareaselect.dev.js

@@ -1,6 +1,6 @@
 /*
  * imgAreaSelect jQuery plugin
- * version 0.9.8
+ * version 0.9.9
  *
  * Copyright (c) 2008-2011 Michal Wojciechowski (odyniec.net)
  *
@@ -706,7 +706,7 @@ $.imgAreaSelect = function (img, options) {
         setSelection(selX(x1), selY(y1), selX(x1), selY(y1));
 
         /* If this is an API call, callback functions should not be triggered */
-        if (!this instanceof $.imgAreaSelect) {
+        if (!(this instanceof $.imgAreaSelect)) {
             options.onSelectChange(img, getSelection());
             options.onSelectEnd(img, getSelection());
         }
@@ -866,7 +866,7 @@ $.imgAreaSelect = function (img, options) {
      *            properties
      */
     function styleOptions($elem, props) {
-        for (option in props)
+        for (var option in props)
             if (options[option] !== undefined)
                 $elem.css(props[option], options[option]);
     }
@@ -1143,7 +1143,7 @@ $.imgAreaSelect = function (img, options) {
      * attribute seems to trigger it. The check is for version 7 and above to
      * accommodate for MSIE 9 running in compatibility mode.
      */
-   if ($.browser.msie && $.browser.version >= 7)
+   if (!imgLoaded && $.browser.msie && $.browser.version >= 7)
         img.src = img.src;
 };
 

wp-includes/js/plupload/wp-plupload.dev.js

@@ -73,6 +73,10 @@ if ( typeof wp === 'undefined' )
 			this.plupload[ elements[ key ] ] = this[ key ].prop('id');
 		}
 
+		// If the uploader has neither a browse button nor a dropzone, bail.
+		if ( ! ( this.browser && this.browser.length ) && ! ( this.dropzone && this.dropzone.length ) )
+			return;
+
 		this.uploader = new plupload.Uploader( this.plupload );
 		delete this.plupload;
 
@@ -113,7 +117,13 @@ if ( typeof wp === 'undefined' )
 			});
 		}( this.dropzone, this.supports.dragdrop ));
 
-		this.browser.on( 'mouseenter', this.refresh );
+		if ( this.browser ) {
+			this.browser.on( 'mouseenter', this.refresh );
+		} else {
+			this.uploader.disableBrowse( true );
+			// If HTML5 mode, hide the auto-created file container.
+			$('#' + this.uploader.id + '_html5_container').hide();
+		}
 
 		this.uploader.bind( 'UploadProgress', this.progress );
 

wp-includes/js/plupload/wp-plupload.js

@@ -1 +1 @@
-if(typeof wp==="undefined"){var wp={}}(function(a,b){var c;if(typeof _wpPluploadSettings==="undefined"){return}c=function(e){var d=this,g={container:"container",browser:"browse_button",dropzone:"drop_element"},f;this.supports={upload:c.browser.supported};this.supported=this.supports.upload;if(!this.supported){return}this.plupload=b.extend(true,{multipart_params:{}},c.defaults);this.container=document.body;b.extend(true,this,e);for(f in this){if(b.isFunction(this[f])){this[f]=b.proxy(this[f],this)}}for(f in g){if(!this[f]){continue}this[f]=b(this[f]).first();if(!this[f].length){delete this[f];continue}if(!this[f].prop("id")){this[f].prop("id","__wp-uploader-id-"+c.uuid++)}this.plupload[g[f]]=this[f].prop("id")}this.uploader=new plupload.Uploader(this.plupload);delete this.plupload;this.param(this.params||{});delete this.params;this.uploader.init();this.supports.dragdrop=this.uploader.features.dragdrop&&!c.browser.mobile;(function(j,h){var i=50,k;if(!j){return}j.toggleClass("supports-drag-drop",!!h);if(!h){return j.unbind(".wp-uploader")}j.bind("dragover.wp-uploader",function(){if(k){return}j.addClass("drag-over");k=true});j.bind("dragleave.wp-uploader, drop.wp-uploader",function(){k=false;j.removeClass("drag-over")})}(this.dropzone,this.supports.dragdrop));this.browser.on("mouseenter",this.refresh);this.uploader.bind("UploadProgress",this.progress);this.uploader.bind("FileUploaded",function(h,j,i){try{i=JSON.parse(i.response)}catch(k){return d.error(pluploadL10n.default_error,k)}if(!i||!i.type||!i.data){return d.error(pluploadL10n.default_error)}if("error"===i.type){return d.error(i.data.message,i.data)}if("success"===i.type){return d.success(i.data)}});this.uploader.bind("Error",function(h,i){var k=pluploadL10n.default_error,j;for(j in c.errorMap){if(i.code===plupload[j]){k=c.errorMap[j];break}}d.error(k,i);h.refresh()});this.uploader.bind("FilesAdded",function(h,i){b.each(i,function(){d.added(this)});h.refresh();h.start()});this.init()};b.extend(c,_wpPluploadSettings);c.uuid=0;c.errorMap={FAILED:pluploadL10n.upload_failed,FILE_EXTENSION_ERROR:pluploadL10n.invalid_filetype,IMAGE_FORMAT_ERROR:pluploadL10n.not_an_image,IMAGE_MEMORY_ERROR:pluploadL10n.image_memory_exceeded,IMAGE_DIMENSIONS_ERROR:pluploadL10n.image_dimensions_exceeded,GENERIC_ERROR:pluploadL10n.upload_failed,IO_ERROR:pluploadL10n.io_error,HTTP_ERROR:pluploadL10n.http_error,SECURITY_ERROR:pluploadL10n.security_error};b.extend(c.prototype,{param:function(d,e){if(arguments.length===1&&typeof d==="string"){return this.uploader.settings.multipart_params[d]}if(arguments.length>1){this.uploader.settings.multipart_params[d]=e}else{b.extend(this.uploader.settings.multipart_params,d)}},init:function(){},error:function(){},success:function(){},added:function(){},progress:function(){},complete:function(){},refresh:function(){this.uploader.refresh()}});a.Uploader=c})(wp,jQuery);
+if(typeof wp==="undefined"){var wp={}}(function(a,b){var c;if(typeof _wpPluploadSettings==="undefined"){return}c=function(e){var d=this,g={container:"container",browser:"browse_button",dropzone:"drop_element"},f;this.supports={upload:c.browser.supported};this.supported=this.supports.upload;if(!this.supported){return}this.plupload=b.extend(true,{multipart_params:{}},c.defaults);this.container=document.body;b.extend(true,this,e);for(f in this){if(b.isFunction(this[f])){this[f]=b.proxy(this[f],this)}}for(f in g){if(!this[f]){continue}this[f]=b(this[f]).first();if(!this[f].length){delete this[f];continue}if(!this[f].prop("id")){this[f].prop("id","__wp-uploader-id-"+c.uuid++)}this.plupload[g[f]]=this[f].prop("id")}if(!(this.browser&&this.browser.length)&&!(this.dropzone&&this.dropzone.length)){return}this.uploader=new plupload.Uploader(this.plupload);delete this.plupload;this.param(this.params||{});delete this.params;this.uploader.init();this.supports.dragdrop=this.uploader.features.dragdrop&&!c.browser.mobile;(function(j,h){var i=50,k;if(!j){return}j.toggleClass("supports-drag-drop",!!h);if(!h){return j.unbind(".wp-uploader")}j.bind("dragover.wp-uploader",function(){if(k){return}j.addClass("drag-over");k=true});j.bind("dragleave.wp-uploader, drop.wp-uploader",function(){k=false;j.removeClass("drag-over")})}(this.dropzone,this.supports.dragdrop));if(this.browser){this.browser.on("mouseenter",this.refresh)}else{this.uploader.disableBrowse(true);b("#"+this.uploader.id+"_html5_container").hide()}this.uploader.bind("UploadProgress",this.progress);this.uploader.bind("FileUploaded",function(h,j,i){try{i=JSON.parse(i.response)}catch(k){return d.error(pluploadL10n.default_error,k)}if(!i||!i.type||!i.data){return d.error(pluploadL10n.default_error)}if("error"===i.type){return d.error(i.data.message,i.data)}if("success"===i.type){return d.success(i.data)}});this.uploader.bind("Error",function(h,i){var k=pluploadL10n.default_error,j;for(j in c.errorMap){if(i.code===plupload[j]){k=c.errorMap[j];break}}d.error(k,i);h.refresh()});this.uploader.bind("FilesAdded",function(h,i){b.each(i,function(){d.added(this)});h.refresh();h.start()});this.init()};b.extend(c,_wpPluploadSettings);c.uuid=0;c.errorMap={FAILED:pluploadL10n.upload_failed,FILE_EXTENSION_ERROR:pluploadL10n.invalid_filetype,IMAGE_FORMAT_ERROR:pluploadL10n.not_an_image,IMAGE_MEMORY_ERROR:pluploadL10n.image_memory_exceeded,IMAGE_DIMENSIONS_ERROR:pluploadL10n.image_dimensions_exceeded,GENERIC_ERROR:pluploadL10n.upload_failed,IO_ERROR:pluploadL10n.io_error,HTTP_ERROR:pluploadL10n.http_error,SECURITY_ERROR:pluploadL10n.security_error};b.extend(c.prototype,{param:function(d,e){if(arguments.length===1&&typeof d==="string"){return this.uploader.settings.multipart_params[d]}if(arguments.length>1){this.uploader.settings.multipart_params[d]=e}else{b.extend(this.uploader.settings.multipart_params,d)}},init:function(){},error:function(){},success:function(){},added:function(){},progress:function(){},complete:function(){},refresh:function(){this.uploader.refresh()}});a.Uploader=c})(wp,jQuery);

wp-includes/js/tinymce/langs/wp-langs.php

@@ -8,6 +8,9 @@ function mce_escape($text) {
 	return esc_js($text);
 }
 
+if ( ! class_exists( '_WP_Editors' ) )
+	require( ABSPATH . WPINC . '/class-wp-editor.php' );
+
 function wp_mce_translation() {
 
 	$default = array(

wp-includes/js/tinymce/plugins/spellchecker/classes/GoogleSpell.php

@@ -50,7 +50,9 @@ class GoogleSpell extends SpellChecker {
 		return $osug;
 	}
 
-	function &_getMatches($lang, $str) {
+	protected function &_getMatches($lang, $str) {
+		$lang = preg_replace('/[^a-z\-]/i', '', $lang);
+		$str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
 		$server = "www.google.com";
 		$port = 443;
 		$path = "/tbproxy/spell?lang=" . $lang . "&hl=en";
@@ -105,7 +107,7 @@ class GoogleSpell extends SpellChecker {
 		return $matches;
 	}
 
-	function _unhtmlentities($string) {
+	protected function _unhtmlentities($string) {
 		$string = preg_replace('~&#x([0-9a-f]+);~ei', 'chr(hexdec("\\1"))', $string);
 		$string = preg_replace('~&#([0-9]+);~e', 'chr(\\1)', $string);
 

wp-includes/js/tinymce/plugins/wpeditimage/editor_plugin_src.js

@@ -142,13 +142,16 @@
 				var id, cls, w, cap, div_cls, img, trim = tinymce.trim;
 
 				id = b.match(/id=['"]([^'"]*)['"] ?/);
-				b = b.replace(id[0], '');
+				if ( id )
+					b = b.replace(id[0], '');
 
 				cls = b.match(/align=['"]([^'"]*)['"] ?/);
-				b = b.replace(cls[0], '');
+				if ( cls )
+					b = b.replace(cls[0], '');
 
 				w = b.match(/width=['"]([0-9]*)['"] ?/);
-				b = b.replace(w[0], '');
+				if ( w )
+					b = b.replace(w[0], '');
 
 				c = trim(c);
 				img = c.match(/((?:<a [^>]+>)?<img [^>]+>(?:<\/a>)?)([\s\S]*)/i);

wp-includes/js/wp-lists.dev.js

@@ -78,7 +78,7 @@ wpList = {
 		if ( !s )
 			return false;
 
-		if ( !e.is('[class^="add:' + list.id + ':"]') )
+		if ( !e.is('[id="' + s.element + '-submit"]') )
 			return !wpList.add.call( list, e, s );
 
 		if ( !s.element )
@@ -397,7 +397,7 @@ wpList = {
 			return list.wpList.add(this);
 		});
 
-		$el.delegate( '[class^="add:' + list.id + ':"]:not(form)', 'click', function(){
+		$el.delegate( 'a[class^="add:' + list.id + ':"], input[class^="add:' + list.id + ':"]', 'click', function(){
 			return list.wpList.add(this);
 		});
 

wp-includes/l10n.php

@@ -392,7 +392,7 @@ function load_default_textdomain() {
 		return;
 	}
 
-	if ( is_admin()  )
+	if ( is_admin() || ( defined( 'WP_REPAIRING' ) && WP_REPAIRING ) )
 		load_textdomain( 'default', WP_LANG_DIR . "/admin-$locale.mo" );
 
 	if ( is_network_admin() || ( defined( 'WP_INSTALLING_NETWORK' ) && WP_INSTALLING_NETWORK ) )

wp-includes/load.php

@@ -105,12 +105,12 @@ function wp_check_php_mysql_versions() {
 	$php_version = phpversion();
 	if ( version_compare( $required_php_version, $php_version, '>' ) ) {
 		wp_load_translations_early();
-		wp_die( sprintf( __( 'Your server is running PHP version %1$s but WordPress %2$s requires at least %3$s.' ), $php_version, $wp_version, $required_php_version ) );
+		die( sprintf( __( 'Your server is running PHP version %1$s but WordPress %2$s requires at least %3$s.' ), $php_version, $wp_version, $required_php_version ) );
 	}
 
 	if ( ! extension_loaded( 'mysql' ) && ! file_exists( WP_CONTENT_DIR . '/db.php' ) ) {
 		wp_load_translations_early();
-		wp_die( __( 'Your PHP installation appears to be missing the MySQL extension which is required by WordPress.' ) );
+		die( __( 'Your PHP installation appears to be missing the MySQL extension which is required by WordPress.' ) );
 	}
 }
 
@@ -685,7 +685,6 @@ function wp_load_translations_early() {
 	require_once ABSPATH . WPINC . '/locale.php';
 
 	// General libraries
-	require_once ABSPATH . WPINC . '/functions.php';
 	require_once ABSPATH . WPINC . '/plugin.php';
 
 	$locales = $locations = array();

wp-includes/media.php

@@ -836,6 +836,15 @@ function gallery_shortcode($attr) {
 
 	$itemtag = tag_escape($itemtag);
 	$captiontag = tag_escape($captiontag);
+	$icontag = tag_escape($icontag);
+	$valid_tags = $GLOBALS['allowedposttags'];
+	if ( ! isset( $valid_tags[ $itemtag ] ) )
+		$itemtag = 'dl';
+	if ( ! isset( $valid_tags[ $captiontag ] ) )
+		$captiontag = 'dd';
+	if ( ! isset( $valid_tags[ $icontag ] ) )
+		$icontag = 'dt';
+
 	$columns = intval($columns);
 	$itemwidth = $columns > 0 ? floor(100/$columns) : 100;
 	$float = is_rtl() ? 'right' : 'left';
@@ -1303,7 +1312,7 @@ class WP_Embed {
 	 * @return string Linked URL or the original URL.
 	 */
 	function maybe_make_link( $url ) {
-		$output = ( $this->linkifunknown ) ? '<a href="' . esc_attr($url) . '">' . esc_html($url) . '</a>' : $url;
+		$output = ( $this->linkifunknown ) ? '<a href="' . esc_url($url) . '">' . esc_html($url) . '</a>' : $url;
 		return apply_filters( 'embed_maybe_make_link', $output, $url );
 	}
 }

wp-includes/post-template.php

@@ -1220,7 +1220,7 @@ function get_the_password_form() {
 	$output = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" method="post">
 	<p>' . __("This post is password protected. To view it please enter your password below:") . '</p>
 	<p><label for="' . $label . '">' . __("Password:") . ' <input name="post_password" id="' . $label . '" type="password" size="20" /></label> <input type="submit" name="Submit" value="' . esc_attr__("Submit") . '" /></p>
-	</form>
+</form>
 	';
 	return apply_filters('the_password_form', $output);
 }

wp-includes/rewrite.php

@@ -1537,7 +1537,7 @@ class WP_Rewrite {
 		$registration_pages['.*wp-register.php$'] = $this->index . '?register=true'; // Deprecated
 
 		// Post
-		$post_rewrite = $this->generate_rewrite_rules( $this->permalink_structure, EP_PERMALINK, false, true, false, false );
+		$post_rewrite = $this->generate_rewrite_rules( $this->permalink_structure, EP_PERMALINK );
 		$post_rewrite = apply_filters('post_rewrite_rules', $post_rewrite);
 
 		// Date

wp-includes/script-loader.php

@@ -62,14 +62,14 @@ function wp_default_scripts( &$scripts ) {
 	$scripts->add( 'utils', "/wp-admin/js/utils$suffix.js" );
 
 	$scripts->add( 'common', "/wp-admin/js/common$suffix.js", array('jquery', 'hoverIntent', 'utils'), false, 1 );
-	$scripts->localize( 'common', 'commonL10n', array(
+	did_action( 'init' ) && $scripts->localize( 'common', 'commonL10n', array(
 		'warnDelete' => __("You are about to permanently delete the selected items.\n  'Cancel' to stop, 'OK' to delete.")
 	) );
 
 	$scripts->add( 'sack', "/wp-includes/js/tw-sack$suffix.js", array(), '1.6.1', 1 );
 
 	$scripts->add( 'quicktags', "/wp-includes/js/quicktags$suffix.js", array(), false, 1 );
-	$scripts->localize( 'quicktags', 'quicktagsL10n', array(
+	did_action( 'init' ) && $scripts->localize( 'quicktags', 'quicktagsL10n', array(
 		'wordLookup' => __('Enter a word to look up:'),
 		'dictionaryLookup' => esc_attr(__('Dictionary lookup')),
 		'lookup' => esc_attr(__('lookup')),
@@ -93,13 +93,13 @@ function wp_default_scripts( &$scripts ) {
 	$scripts->add( 'prototype', '/wp-includes/js/prototype.js', array(), '1.6.1');
 
 	$scripts->add( 'wp-ajax-response', "/wp-includes/js/wp-ajax-response$suffix.js", array('jquery'), false, 1 );
-	$scripts->localize( 'wp-ajax-response', 'wpAjax', array(
+	did_action( 'init' ) && $scripts->localize( 'wp-ajax-response', 'wpAjax', array(
 		'noPerm' => __('You do not have permission to do that.'),
 		'broken' => __('An unidentified error has occurred.')
 	) );
 
 	$scripts->add( 'wp-pointer', "/wp-includes/js/wp-pointer$suffix.js", array( 'jquery-ui-widget', 'jquery-ui-position' ), '20111129a', 1 );
-	$scripts->localize( 'wp-pointer', 'wpPointerL10n', array(
+	did_action( 'init' ) && $scripts->localize( 'wp-pointer', 'wpPointerL10n', array(
 		'dismiss' => __('Dismiss'),
 	) );
 
@@ -170,7 +170,7 @@ function wp_default_scripts( &$scripts ) {
 	$scripts->add( 'jquery-touch-punch', "/wp-includes/js/jquery/jquery.ui.touch-punch.js", array('jquery-ui-widget', 'jquery-ui-mouse'), '0.2.2', 1 );
 
 	$scripts->add( 'thickbox', "/wp-includes/js/thickbox/thickbox.js", array('jquery'), '3.1-20111117', 1 );
-	$scripts->localize( 'thickbox', 'thickboxL10n', array(
+	did_action( 'init' ) && $scripts->localize( 'thickbox', 'thickboxL10n', array(
 			'next' => __('Next >'),
 			'prev' => __('< Prev'),
 			'image' => __('Image'),
@@ -227,10 +227,10 @@ function wp_default_scripts( &$scripts ) {
 	$scripts->add( 'plupload-all', false, array('plupload', 'plupload-html5', 'plupload-flash', 'plupload-silverlight', 'plupload-html4'), '1.5.4' );
 
 	$scripts->add( 'plupload-handlers', "/wp-includes/js/plupload/handlers$suffix.js", array('plupload-all', 'jquery') );
-	$scripts->localize( 'plupload-handlers', 'pluploadL10n', $uploader_l10n );
+	did_action( 'init' ) && $scripts->localize( 'plupload-handlers', 'pluploadL10n', $uploader_l10n );
 
 	$scripts->add( 'wp-plupload', "/wp-includes/js/plupload/wp-plupload$suffix.js", array('plupload-all', 'jquery', 'json2') );
-	$scripts->localize( 'wp-plupload', 'pluploadL10n', $uploader_l10n );
+	did_action( 'init' ) && $scripts->localize( 'wp-plupload', 'pluploadL10n', $uploader_l10n );
 
 	// keep 'swfupload' for back-compat.
 	$scripts->add( 'swfupload', '/wp-includes/js/swfupload/swfupload.js', array(), '2201-20110113');
@@ -246,7 +246,7 @@ function wp_default_scripts( &$scripts ) {
 	}
 
 	$scripts->add( 'swfupload-handlers', "/wp-includes/js/swfupload/handlers$suffix.js", array('swfupload-all', 'jquery'), '2201-20110524');
-	$scripts->localize( 'swfupload-handlers', 'swfuploadL10n', $uploader_l10n );
+	did_action( 'init' ) && $scripts->localize( 'swfupload-handlers', 'swfuploadL10n', $uploader_l10n );
 
 	$scripts->add( 'comment-reply', "/wp-includes/js/comment-reply$suffix.js" );
 
@@ -255,7 +255,7 @@ function wp_default_scripts( &$scripts ) {
 	$scripts->add( 'imgareaselect', "/wp-includes/js/imgareaselect/jquery.imgareaselect$suffix.js", array('jquery'), '0.9.8', 1 );
 
 	$scripts->add( 'password-strength-meter', "/wp-admin/js/password-strength-meter$suffix.js", array('jquery'), false, 1 );
-	$scripts->localize( 'password-strength-meter', 'pwsL10n', array(
+	did_action( 'init' ) && $scripts->localize( 'password-strength-meter', 'pwsL10n', array(
 		'empty' => __('Strength indicator'),
 		'short' => __('Very weak'),
 		'bad' => __('Weak'),
@@ -272,7 +272,7 @@ function wp_default_scripts( &$scripts ) {
 	$scripts->add( 'admin-bar', "/wp-includes/js/admin-bar$suffix.js", array(), false, 1 );
 
 	$scripts->add( 'wplink', "/wp-includes/js/wplink$suffix.js", array( 'jquery', 'wpdialogs' ), false, 1 );
-	$scripts->localize( 'wplink', 'wpLinkL10n', array(
+	did_action( 'init' ) && $scripts->localize( 'wplink', 'wpLinkL10n', array(
 		'title' => __('Insert/edit link'),
 		'update' => __('Update'),
 		'save' => __('Add Link'),
@@ -285,7 +285,7 @@ function wp_default_scripts( &$scripts ) {
 	$scripts->add( 'wpdialogs-popup', "/wp-includes/js/tinymce/plugins/wpdialogs/js/popup$suffix.js", array( 'wpdialogs' ), false, 1 );
 
 	$scripts->add( 'word-count', "/wp-admin/js/word-count$suffix.js", array( 'jquery' ), false, 1 );
-	$scripts->localize( 'word-count', 'wordCountL10n', array(
+	did_action( 'init' ) && $scripts->localize( 'word-count', 'wordCountL10n', array(
 		/* translators: If your word count is based on single characters (East Asian characters),
 		   enter 'characters'. Otherwise, enter 'words'. Do not translate into your own language. */
 		'type' => 'characters' == _x( 'words', 'word count: words or characters?' ) ? 'c' : 'w',
@@ -299,7 +299,7 @@ function wp_default_scripts( &$scripts ) {
 	$scripts->add( 'customize-loader',   "/wp-includes/js/customize-loader$suffix.js",   array( 'customize-base' ), false, 1 );
 	$scripts->add( 'customize-preview',  "/wp-includes/js/customize-preview$suffix.js",  array( 'customize-base' ), false, 1 );
 	$scripts->add( 'customize-controls', "/wp-admin/js/customize-controls$suffix.js", array( 'customize-base' ), false, 1 );
-	$scripts->localize( 'customize-controls', '_wpCustomizeControlsL10n', array(
+	did_action( 'init' ) && $scripts->localize( 'customize-controls', '_wpCustomizeControlsL10n', array(
 		'activate'  => __( 'Save & Activate' ),
 		'save'      => __( 'Save & Publish' ),
 		'saved'     => __( 'Saved' ),
@@ -311,7 +311,7 @@ function wp_default_scripts( &$scripts ) {
 	if ( is_admin() ) {
 		$scripts->add( 'ajaxcat', "/wp-admin/js/cat$suffix.js", array( 'wp-lists' ) );
 		$scripts->add_data( 'ajaxcat', 'group', 1 );
-		$scripts->localize( 'ajaxcat', 'catL10n', array(
+		did_action( 'init' ) && $scripts->localize( 'ajaxcat', 'catL10n', array(
 			'add' => esc_attr(__('Add')),
 			'how' => __('Separate multiple categories with commas.')
 		) );
@@ -319,7 +319,7 @@ function wp_default_scripts( &$scripts ) {
 		$scripts->add( 'admin-categories', "/wp-admin/js/categories$suffix.js", array('wp-lists'), false, 1 );
 
 		$scripts->add( 'admin-tags', "/wp-admin/js/tags$suffix.js", array('jquery', 'wp-ajax-response'), false, 1 );
-		$scripts->localize( 'admin-tags', 'tagsl10n', array(
+		did_action( 'init' ) && $scripts->localize( 'admin-tags', 'tagsl10n', array(
 			'noPerm' => __('You do not have permission to do that.'),
 			'broken' => __('An unidentified error has occurred.')
 		));
@@ -327,7 +327,7 @@ function wp_default_scripts( &$scripts ) {
 		$scripts->add( 'admin-custom-fields', "/wp-admin/js/custom-fields$suffix.js", array('wp-lists'), false, 1 );
 
 		$scripts->add( 'admin-comments', "/wp-admin/js/edit-comments$suffix.js", array('wp-lists', 'quicktags', 'jquery-query'), false, 1 );
-		$scripts->localize( 'admin-comments', 'adminCommentsL10n', array(
+		did_action( 'init' ) && $scripts->localize( 'admin-comments', 'adminCommentsL10n', array(
 			'hotkeys_highlight_first' => isset($_GET['hotkeys_highlight_first']),
 			'hotkeys_highlight_last' => isset($_GET['hotkeys_highlight_last']),
 			'replyApprove' => __( 'Approve and Reply' ),
@@ -339,7 +339,7 @@ function wp_default_scripts( &$scripts ) {
 		$scripts->add( 'postbox', "/wp-admin/js/postbox$suffix.js", array('jquery-ui-sortable'), false, 1 );
 
 		$scripts->add( 'post', "/wp-admin/js/post$suffix.js", array('suggest', 'wp-lists', 'postbox'), false, 1 );
-		$scripts->localize( 'post', 'postL10n', array(
+		did_action( 'init' ) && $scripts->localize( 'post', 'postL10n', array(
 			'ok' => __('OK'),
 			'cancel' => __('Cancel'),
 			'publishOn' => __('Publish on:'),
@@ -365,7 +365,7 @@ function wp_default_scripts( &$scripts ) {
 
 		$scripts->add( 'comment', "/wp-admin/js/comment$suffix.js", array('jquery') );
 		$scripts->add_data( 'comment', 'group', 1 );
-		$scripts->localize( 'comment', 'commentL10n', array(
+		did_action( 'init' ) && $scripts->localize( 'comment', 'commentL10n', array(
 			'submittedOn' => __('Submitted on:')
 		) );
 
@@ -379,7 +379,7 @@ function wp_default_scripts( &$scripts ) {
 		$scripts->add( 'theme-preview', "/wp-admin/js/theme-preview$suffix.js", array( 'thickbox', 'jquery' ), false, 1 );
 
 		$scripts->add( 'inline-edit-post', "/wp-admin/js/inline-edit-post$suffix.js", array( 'jquery', 'suggest' ), false, 1 );
-		$scripts->localize( 'inline-edit-post', 'inlineEditL10n', array(
+		did_action( 'init' ) && $scripts->localize( 'inline-edit-post', 'inlineEditL10n', array(
 			'error' => __('Error while saving the changes.'),
 			'ntdeltitle' => __('Remove From Bulk Edit'),
 			'notitle' => __('(no title)'),
@@ -387,12 +387,12 @@ function wp_default_scripts( &$scripts ) {
 		) );
 
 		$scripts->add( 'inline-edit-tax', "/wp-admin/js/inline-edit-tax$suffix.js", array( 'jquery' ), false, 1 );
-		$scripts->localize( 'inline-edit-tax', 'inlineEditL10n', array(
+		did_action( 'init' ) && $scripts->localize( 'inline-edit-tax', 'inlineEditL10n', array(
 			'error' => __('Error while saving the changes.')
 		) );
 
 		$scripts->add( 'plugin-install', "/wp-admin/js/plugin-install$suffix.js", array( 'jquery', 'thickbox' ), false, 1 );
-		$scripts->localize( 'plugin-install', 'plugininstallL10n', array(
+		did_action( 'init' ) && $scripts->localize( 'plugin-install', 'plugininstallL10n', array(
 			'plugin_information' => __('Plugin Information:'),
 			'ays' => __('Are you sure you want to install this plugin?')
 		) );
@@ -406,12 +406,12 @@ function wp_default_scripts( &$scripts ) {
 		$scripts->add( 'media', "/wp-admin/js/media$suffix.js", array( 'jquery-ui-draggable' ), false, 1 );
 
 		$scripts->add( 'image-edit', "/wp-admin/js/image-edit$suffix.js", array('jquery', 'json2', 'imgareaselect'), false, 1 );
-		$scripts->localize( 'image-edit', 'imageEditL10n', array(
+		did_action( 'init' ) && $scripts->localize( 'image-edit', 'imageEditL10n', array(
 			'error' => __( 'Could not load the preview image. Please reload the page and try again.' )
 		));
 
 		$scripts->add( 'set-post-thumbnail', "/wp-admin/js/set-post-thumbnail$suffix.js", array( 'jquery' ), false, 1 );
-		$scripts->localize( 'set-post-thumbnail', 'setPostThumbnailL10n', array(
+		did_action( 'init' ) && $scripts->localize( 'set-post-thumbnail', 'setPostThumbnailL10n', array(
 			'setThumbnail' => __( 'Use as featured image' ),
 			'saving' => __( 'Saving...' ),
 			'error' => __( 'Could not set that as the thumbnail image. Try a different attachment.' ),
@@ -420,7 +420,7 @@ function wp_default_scripts( &$scripts ) {
 
 		// Navigation Menus
 		$scripts->add( 'nav-menu', "/wp-admin/js/nav-menu$suffix.js", array('jquery-ui-sortable') );
-		$scripts->localize( 'nav-menu', 'navMenuL10n', array(
+		did_action( 'init' ) && $scripts->localize( 'nav-menu', 'navMenuL10n', array(
 			'noResultsFound' => _x('No results found.', 'search results'),
 			'warnDeleteMenu' => __( "You are about to permanently delete this menu. \n 'Cancel' to stop, 'OK' to delete." ),
 			'saveAlert' => __('The changes you made will be lost if you navigate away from this page.')

wp-includes/taxonomy.php

@@ -1926,6 +1926,10 @@ function wp_get_object_terms($object_ids, $taxonomies, $args = array()) {
 	if ( !empty($orderby) )
 		$orderby = "ORDER BY $orderby";
 
+	$order = strtoupper( $order );
+	if ( '' !== $order && ! in_array( $order, array( 'ASC', 'DESC' ) ) )
+		$order = 'ASC';
+
 	$taxonomies = "'" . implode("', '", $taxonomies) . "'";
 	$object_ids = implode(', ', $object_ids);
 

wp-includes/theme.php

@@ -381,7 +381,7 @@ function search_theme_directories( $force = false ) {
 				if ( ! $sub_dirs )
 					return false;
 				foreach ( $sub_dirs as $sub_dir ) {
-					if ( ! is_dir( $theme_root . '/' . $dir ) || $dir[0] == '.' || $dir == 'CVS' )
+					if ( ! is_dir( $theme_root . '/' . $dir . '/' . $sub_dir ) || $dir[0] == '.' || $dir == 'CVS' )
 						continue;
 					if ( ! file_exists( $theme_root . '/' . $dir . '/' . $sub_dir . '/style.css' ) )
 						continue;
@@ -1629,11 +1629,12 @@ add_action( 'admin_enqueue_scripts', '_wp_customize_loader_settings' );
  * @since 3.4.0
  *
  * @param string $stylesheet Optional. Theme to customize. Defaults to current theme.
+ * 	The theme's stylesheet will be urlencoded if necessary.
  */
 function wp_customize_url( $stylesheet = null ) {
 	$url = admin_url( 'customize.php' );
 	if ( $stylesheet )
-		$url .= '?theme=' . $stylesheet;
+		$url .= '?theme=' . urlencode( $stylesheet );
 	return esc_url( $url );
 }
 

wp-includes/update.php

@@ -58,6 +58,7 @@ function wp_version_check() {
 		$multisite_enabled = 1;
 	} else {
 		$user_count = count_users( );
+		$user_count = $user_count['total_users'];
 		$multisite_enabled = 0;
 		$num_blogs = 1;
 		$wp_install = home_url( '/' );
@@ -70,7 +71,7 @@ function wp_version_check() {
 		'mysql'             => $mysql_version,
 		'local_package'     => isset( $wp_local_package ) ? $wp_local_package : '',
 		'blogs'             => $num_blogs,
-		'users'             => $user_count['total_users'],
+		'users'             => $user_count,
 		'multisite_enabled' => $multisite_enabled
 	);
 

wp-includes/version.php

@@ -4,21 +4,21 @@
  *
  * @global string $wp_version
  */
-$wp_version = '3.4';
+$wp_version = '3.4.3-beta1';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
  *
  * @global int $wp_db_version
  */
-$wp_db_version = 20596;
+$wp_db_version = 21707;
 
 /**
  * Holds the TinyMCE version
  *
  * @global string $tinymce_version
  */
-$tinymce_version = '349-20805';
+$tinymce_version = '349-21274';
 
 /**
  * Holds the cache manifest version

wp-load.php

@@ -48,8 +48,10 @@ if ( file_exists( ABSPATH . 'wp-config.php') ) {
 	require_once( ABSPATH . WPINC . '/load.php' );
 	require_once( ABSPATH . WPINC . '/version.php' );
 
-	wp_load_translations_early();
 	wp_check_php_mysql_versions();
+	wp_load_translations_early();
+
+	require_once( ABSPATH . WPINC . '/functions.php' );
 
 	// Die with an error message
 	$die  = __( "There doesn't seem to be a <code>wp-config.php</code> file. I need this before we can get started." ) . '</p>';

wp-login.php

@@ -39,7 +39,7 @@ if ( force_ssl_admin() && !is_ssl() ) {
  * @param WP_Error $wp_error Optional. WordPress Error Object
  */
 function login_header($title = 'Log In', $message = '', $wp_error = '') {
-	global $error, $interim_login, $current_site, $customize_login;
+	global $error, $interim_login, $current_site;
 
 	// Don't index any of these forms
 	add_action( 'login_head', 'wp_no_robots' );
@@ -68,9 +68,6 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
 		<meta name="viewport" content="width=320; initial-scale=0.9; maximum-scale=1.0; user-scalable=0;" /><?php
 	}
 
-	if ( $customize_login )
-		wp_enqueue_script( 'customize-base' );
-
 	do_action( 'login_enqueue_scripts' );
 	do_action( 'login_head' );
 
@@ -568,6 +565,8 @@ default:
 	$secure_cookie = '';
 	$interim_login = isset($_REQUEST['interim-login']);
 	$customize_login = isset( $_REQUEST['customize-login'] );
+	if ( $customize_login )
+		wp_enqueue_script( 'customize-base' );
 
 	// If the user wants ssl but the session is not ssl, force a secure cookie.
 	if ( !empty($_POST['log']) && !force_ssl_admin() ) {
@@ -604,21 +603,18 @@ default:
 	if ( !is_wp_error($user) && !$reauth ) {
 		if ( $interim_login ) {
 			$message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
-			login_header( '', $message );
+			login_header( '', $message ); ?>
 
-			if ( ! $customize_login ) : ?>
-				<script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script>
-				<p class="alignright">
-				<input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p>
-<?php		endif;
-
-			?></div><?php
-
-			do_action('login_footer');
-
-			if ( $customize_login ) : ?>
+			<?php if ( ! $customize_login ) : ?>
+			<script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script>
+			<p class="alignright">
+			<input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p>
+			<?php endif; ?>
+			</div>
+			<?php do_action( 'login_footer' ); ?>
+			<?php if ( $customize_login ) : ?>
 				<script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script>
-<?php		endif; ?>
+			<?php endif; ?>
 			</body></html>
 <?php		exit;
 		}