Tag 5.1.5

Built from https://develop.svn.wordpress.org/tags/5.1.5@47710


git-svn-id: http://core.svn.wordpress.org/tags/5.1.5@47487 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/about.php

@@ -25,34 +25,6 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 
 		<p class="about-text"><?php printf( __( 'Thank you for updating to the latest version!' ), $display_version ); ?></p>
 
-		<?php
-		if (
-			// Was the Gutenberg plugin installed before upgrading to 5.0.x?
-			get_option( 'upgrade_500_was_gutenberg_active' ) == '1' &&
-			current_user_can( 'activate_plugins' ) &&
-			// Has it not been reactivated since?
-			is_plugin_inactive( 'gutenberg/gutenberg.php' ) &&
-			// Is it still installed?
-			file_exists( WP_PLUGIN_DIR . '/gutenberg/gutenberg.php' )
-		) :
-			?>
-			<div class="about-text" style="font-style:italic;">
-				<?php
-				printf(
-					/* translators: 1: WordPress version, 2: HTML start tag of link, 3: HTML end tag of link */
-					__( 'The Gutenberg plugin has been deactivated, as the features are now included in WordPress %1$s by default. If you&#8217;d like to continue to test the upcoming changes in the WordPress editing experience, please %2$sreactivate the Gutenberg plugin%3$s.' ),
-					$display_version,
-					'<a href="' . esc_url( self_admin_url( 'plugins.php?s=gutenberg&plugin_status=all' ) ) . '">',
-					'</a>'
-				);
-				?>
-			</div>
-		<?php elseif ( ! file_exists( WP_PLUGIN_DIR . '/classic-editor/classic-editor.php' ) ) : ?>
-			<p class="about-text">
-				&#x2139; <a href="#classic-editor"><?php _e( 'Learn how to keep using the old editor.' ); ?></a>
-			</p>
-		<?php endif; ?>
-
 		<div class="wp-badge"><?php printf( __( 'Version %s' ), $display_version ); ?></div>
 
 		<h2 class="nav-tab-wrapper wp-clearfix">
@@ -62,70 +34,172 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 			<a href="freedoms.php?privacy-notice" class="nav-tab"><?php _e( 'Privacy' ); ?></a>
 		</h2>
 
-		<div class="feature-section one-col">
-			<div class="col">
-				<h2><?php _e( 'A Little Better Every Day' ); ?></h2>
-			</div>
+		<div class="changelog point-releases">
+			<h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
+			<p>
+				<?php
+				printf(
+					/* translators: %s: WordPress version number */
+					__( '<strong>Version %s</strong> addressed some security issues.' ),
+					'5.1.5'
+				);
+				?>
+				<?php
+				printf(
+					/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+						/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '5.1.5' )
+					)
+				);
+				?>
+			</p>
+			<p>
+				<?php
+				printf(
+					/* translators: %s: WordPress version number */
+					__( '<strong>Version %s</strong> addressed some security issues.' ),
+					'5.1.4'
+				);
+				?>
+				<?php
+				printf(
+					/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+						/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '5.1.4' )
+					)
+				);
+				?>
+			</p>
+			<p>
+				<?php
+				printf(
+					/* translators: %s: WordPress version number */
+					__( '<strong>Version %s</strong> addressed some security issues.' ),
+					'5.1.3'
+				);
+				?>
+				<?php
+				printf(
+					/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+						/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '5.1.3' )
+					)
+				);
+				?>
+			</p>
+			<p>
+				<?php
+				printf(
+					/* translators: 1: WordPress version number, 2: plural number of bugs. */
+					_n(
+						'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+						'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.',
+						2
+					),
+					'5.1.2',
+					number_format_i18n( 2 )
+				);
+				?>
+				<?php
+				printf(
+					/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+						/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '5.1.2' )
+					)
+				);
+				?>
+			</p>
+			<p>
+				<?php
+				printf(
+					/* translators: 1: WordPress version number, 2: plural number of bugs. */
+					_n(
+						'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+						'<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.',
+						14
+					),
+					'5.1.1',
+					number_format_i18n( 14 )
+				);
+				?>
+				<?php
+				printf(
+					/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+						/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '5.1.1' )
+					)
+				);
+				?>
+			</p>
 		</div>
 
-		<div class="feature-section one-col">
+		<h2 class="feature-section-header"><?php _e( 'A Little Better Every Day' ); ?></h2>
+
+		<div class="feature-section headline-feature one-col">
 			<div class="col">
-				<picture>
-					<img src="https://make.wordpress.org/core/files/2019/01/Servehappy-Notice-with-custom-link.png" alt="" width="200">
-				</picture>
+				<div class="inline-svg">
+					<img src="https://s.w.org/images/core/5.1/update.svg" alt="">
+				</div>
 				<p><?php _e( 'You&#8217;ve successfully upgraded to WordPress 5.1! Following WordPress 5.0&#8212;a major release which introduced the new block editor&#8212;5.1 focuses on polish, in particular by improving overall performance of the editor. In addition, this release paves the way for a better, faster, and more secure WordPress with some essential tools for site administrators and developers.' ); ?></p>
 			</div>
 		</div>
 
-		<div class="feature-section one-col">
+		<div class="feature-section one-col is-wide wp-clearfix">
 			<div class="col">
-				<h2><?php _e( 'Site Health' ); ?></h2>
+				<h3><?php _e( 'Site Health' ); ?></h3>
+				<div class="inline-svg alignright">
+					<img src="https://s.w.org/images/core/5.1/site-health.svg" alt="">
+				</div>
 				<p><?php printf( __( 'With security and speed in mind, this release introduces WordPress&#8217;s first <a href="%s">Site Health</a> features. WordPress will start showing notices to administrators of sites that run long-outdated versions of PHP, which is the programming language that powers WordPress.' ), 'https://make.wordpress.org/core/2019/01/14/php-site-health-mechanisms-in-5-1/' ); ?></p>
 
 				<p><?php _e( 'When installing new plugins, WordPress&#8217;s Site Health features will check whether a plugin requires a version of PHP incompatible with your site. If so, WordPress will prevent you from installing that plugin.' ); ?></p>
+
+				<?php
+				$response = wp_check_php_version();
+				if ( $response && isset( $response['is_acceptable'] ) && ! $response['is_acceptable'] && current_user_can( 'update_php' ) ) :
+					?>
+					<p><em><?php _e( 'WordPress has detected your site is running an outdated version of PHP. You will see this notice on your dashboard with instructions for contacting your host.' ); ?></em></p>
+				<?php endif; ?>
+
+				<p><a class="button button-default button-hero" href="<?php echo esc_url( wp_get_update_php_url() ); ?>"><?php _e( 'Learn more about updating PHP' ); ?></a></p>
 			</div>
 		</div>
 
-
-		<div class="feature-section one-col cta">
-			<?php
-			$response = wp_check_php_version();
-			if ( $response && isset( $response['is_acceptable'] ) && ! $response['is_acceptable'] && current_user_can( 'update_php' ) ) :
-				?>
-				<p><em><?php _e( 'WordPress has detected your site is running an outdated version of PHP. You will see this notice on your dashboard with instructions for contacting your host.' ); ?></em></p>
-			<?php endif; ?>
-
+		<div class="feature-section one-col is-wide wp-clearfix">
 			<div class="col">
-				<a class="button button-primary button-hero" href=""><?php _e( 'Learn more about updating PHP' ); ?></a>
-			</div>
-		</div>
-
-		<div class="feature-section one-col">
-			<div class="col">
-				<h2><?php _e( 'Editor Performance' ); ?></h2>
-				<p><?php _e( 'Introduced in WordPress 5.0, the new block editor continues to improve. Most significantly, WordPress 5.1 includes solid performance improvements within the editor. The editor should feel a little quicker to start, and typing should feel smoother. Nevertheless, expect more performance improvements in the next releases.' ); ?></p>
-			</div>
-		</div>
-
-		<?php if ( current_user_can( 'edit_posts' ) ) { ?>
-			<div class="feature-section one-col cta">
-				<div class="col">
-					<a class="button button-primary button-hero" href="<?php echo esc_url( admin_url( 'post-new.php' ) ); ?>"><?php _e( 'Build your first post' ); ?></a>
+				<h3><?php _e( 'Editor Performance' ); ?></h3>
+				<div class="inline-svg alignright">
+					<img src="https://s.w.org/images/core/5.1/editor-performance.svg" alt="">
 				</div>
+				<p><?php _e( 'Introduced in WordPress 5.0, the new block editor continues to improve. Most significantly, WordPress 5.1 includes solid performance improvements within the editor. The editor should feel a little quicker to start, and typing should feel smoother. Nevertheless, expect more performance improvements in the next releases.' ); ?></p>
+				<?php if ( current_user_can( 'edit_posts' ) ) : ?>
+					<p><a class="button button-default button-hero" href="<?php echo esc_url( admin_url( 'post-new.php' ) ); ?>"><?php _e( 'Build your first post' ); ?></a></p>
+				<?php endif; ?>
 			</div>
-		<?php } ?>
+		</div>
 
 		<hr />
 
-		<div class="under-the-hood feature-section">
-			<div class="col">
-				<h2><?php _e( 'Developer Happiness' ); ?></h2>
-			</div>
-		</div>
+		<h3 class="under-the-hood-header"><?php _e( 'Developer Happiness' ); ?></h3>
 
 		<div class="under-the-hood feature-section three-col">
 			<div class="col">
-				<h3><?php _e( 'Multisite Metadata' ); ?></h3>
+				<h4><?php _e( 'Multisite Metadata' ); ?></h4>
 				<p>
 					<?php _e( '5.1 introduces a new database table to store metadata associated with sites and allows for the storage of arbitrary site data relevant in a multisite / network context.' ); ?>
 					<br>
@@ -133,7 +207,7 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 				</p>
 			</div>
 			<div class="col">
-				<h3><?php _e( 'Cron API' ); ?></h3>
+				<h4><?php _e( 'Cron API' ); ?></h4>
 				<p>
 					<?php _e( 'The Cron API has been updated with new functions to assist with returning data and includes new filters for modifying cron storage. Other changes in behavior affect cron spawning on servers running FastCGI and PHP-FPM versions 7.0.16 and above.' ); ?>
 					<br>
@@ -141,48 +215,40 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 				</p>
 			</div>
 			<div class="col">
-				<h3><?php _e( 'New JS Build Processes' ); ?></h3>
+				<h4><?php _e( 'New JS Build Processes' ); ?></h4>
 				<p>
 					<?php _e( 'WordPress 5.1 features a new JavaScript build option, following the large reorganization of code started in the 5.0 release.' ); ?>
 					<br>
 					<?php printf( __( '<a href="%s">Read more.</a>' ), 'https://make.wordpress.org/core/2018/05/16/preparing-wordpress-for-a-javascript-future-part-1-build-step-and-folder-reorganization/' ); ?>
 				</p>
 			</div>
-			<div class="col">
-				<h3><?php _e( 'Other Developer Goodness' ); ?></h3>
+		</div>
+
+		<div class="under-the-hood feature-section two-col">
+			<div class="col is-span-two">
+				<h4><?php _e( 'Other Developer Goodness' ); ?></h4>
 				<p>
 					<?php _e( 'Miscellaneous improvements include updates to values for the <code>WP_DEBUG_LOG</code> constant, new test config file constant in the test suite, new plugin action hooks, short-circuit filters for <code>wp_unique_post_slug()</code> and <code>WP_User_Query</code> and <code>count_users()</code>, a new <code>human_readable_duration</code> function, improved taxonomy metabox sanitization, limited <code>LIKE</code> support for meta keys when using <code>WP_Meta_Query</code>, a new “doing it wrong” notice when registering REST API endpoints, and more!' ); ?>
 					<br>
 					<?php printf( __( '<a href="%s">Read more.</a>' ), 'https://make.wordpress.org/core/2019/01/23/miscellaneous-developer-focused-changes-in-5-1/' ); ?>
 				</p>
+				<p>
+					<a class="button button-default button-hero" href="<?php echo esc_url( 'https://developer.wordpress.org/' ); ?>"><?php _e( 'Learn how to get started' ); ?></a>
+				</p>
 			</div>
-		</div>
-
-		<div class="under-the-hood feature-section one-col cta">
 			<div class="col">
-				<a class="button button-primary button-hero" href="<?php echo esc_url( 'https://developer.wordpress.org/' ); ?>"><?php _e( 'Learn how to get started' ); ?></a>
+				<div class="inline-svg">
+					<img src="https://s.w.org/images/core/5.1/under-the-hood.svg" alt="">
+				</div>
 			</div>
 		</div>
 
 		<hr />
 
 		<?php if ( ! file_exists( WP_PLUGIN_DIR . '/classic-editor/classic-editor.php' ) ) : ?>
+			<h2 class="feature-section-header"><?php _e( 'Keep it Classic' ); ?></h2>
+
 			<div class="feature-section one-col" id="classic-editor">
-				<div class="col">
-					<h2><?php _e( 'Keep it Classic' ); ?></h2>
-				</div>
-			</div>
-
-			<div class="full-width">
-				<picture>
-					<source type="image/webp" media="(max-width: 782px)" srcset="https://s.w.org/images/core/5.0/classic/Classic%20Mobile1x.webp 1x, https://s.w.org/images/core/5.0/classic/Classic%20Mobile.webp 2x" />
-					<source media="(max-width: 782px)" srcset="https://s.w.org/images/core/5.0/classic/Classic%20Mobile1x.jpg 1x, https://s.w.org/images/core/5.0/classic/Classic%20Mobile.jpg 2x" />
-					<source type="image/webp" srcset="https://s.w.org/images/core/5.0/classic/Classic@1x.webp 1x, https://s.w.org/images/core/5.0/classic/Classic.webp 2x" />
-					<img src="https://s.w.org/images/core/5.0/classic/Classic@1x.jpg" srcset="https://s.w.org/images/core/5.0/classic/Classic@1x.jpg 1x, https://s.w.org/images/core/5.0/header/Classic.jpg 2x" alt="">
-				</picture>
-			</div>
-
-			<div class="feature-section one-col">
 				<div class="col">
 					<p><?php _e( 'Prefer to stick with the familiar Classic Editor? No problem! Support for the Classic Editor plugin will remain in WordPress through 2021.' ); ?></p>
 					<p><?php _e( 'The Classic Editor plugin restores the previous WordPress editor and the Edit Post screen. It lets you keep using plugins that extend it, add old-style meta boxes, or otherwise depend on the previous editor. To install, visit your plugins page and click the &#8220;Install Now&#8221; button next to &#8220;Classic Editor&#8221;. After the plugin finishes installing, click &#8220;Activate&#8221;. That’s it!' ); ?></p>
@@ -207,100 +273,6 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 			<a href="<?php echo esc_url( self_admin_url() ); ?>"><?php is_blog_admin() ? _e( 'Go to Dashboard &rarr; Home' ) : _e( 'Go to Dashboard' ); ?></a>
 		</div>
 	</div>
-
-	<script>
-		(function( $ ) {
-			$( function() {
-				var $window = $( window );
-				var $adminbar = $( '#wpadminbar' );
-				var $sections = $( '.floating-header-section' );
-				var offset = 0;
-
-				// Account for Admin bar.
-				if ( $adminbar.length ) {
-					offset += $adminbar.height();
-				}
-
-				function setup() {
-					$sections.each( function( i, section ) {
-						var $section = $( section );
-						// If the title is long, switch the layout
-						var $title = $section.find( 'h2' );
-						if ( $title.innerWidth() > 300 ) {
-							$section.addClass( 'has-long-title' );
-						}
-					} );
-				}
-
-				var adjustScrollPosition = _.throttle( function adjustScrollPosition() {
-					$sections.each( function( i, section ) {
-						var $section = $( section );
-						var $header = $section.find( 'h2' );
-						var width = $header.innerWidth();
-						var height = $header.innerHeight();
-
-						if ( $section.hasClass( 'has-long-title' ) ) {
-							return;
-						}
-
-						var sectionStart = $section.offset().top - offset;
-						var sectionEnd = sectionStart + $section.innerHeight();
-						var scrollPos = $window.scrollTop();
-
-						// If we're scrolled into a section, stick the header
-						if ( scrollPos >= sectionStart && scrollPos < sectionEnd - height ) {
-							$header.css( {
-								position: 'fixed',
-								top: offset + 'px',
-								bottom: 'auto',
-								width: width + 'px'
-							} );
-						// If we're at the end of the section, stick the header to the bottom
-						} else if ( scrollPos >= sectionEnd - height && scrollPos < sectionEnd ) {
-							$header.css( {
-								position: 'absolute',
-								top: 'auto',
-								bottom: 0,
-								width: width + 'px'
-							} );
-						// Unstick the header
-						} else {
-							$header.css( {
-								position: 'static',
-								top: 'auto',
-								bottom: 'auto',
-								width: 'auto'
-							} );
-						}
-					} );
-				}, 100 );
-
-				function enableFixedHeaders() {
-					if ( $window.width() > 782 ) {
-						setup();
-						adjustScrollPosition();
-						$window.on( 'scroll', adjustScrollPosition );
-					} else {
-						$window.off( 'scroll', adjustScrollPosition );
-						$sections.find( '.section-header' )
-							.css( {
-								width: 'auto'
-							} );
-						$sections.find( 'h2' )
-							.css( {
-								position: 'static',
-								top: 'auto',
-								bottom: 'auto',
-								width: 'auto'
-							} );
-					}
-				}
-				$( window ).resize( enableFixedHeaders );
-				enableFixedHeaders();
-			} );
-		})( jQuery );
-	</script>
-
 <?php
 
 include( ABSPATH . 'wp-admin/admin-footer.php' );

wp-admin/async-upload.php

@@ -22,7 +22,7 @@ if ( defined( 'ABSPATH' ) ) {
 
 require_once( ABSPATH . 'wp-admin/admin.php' );
 
-header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
+header( 'Content-Type: text/plain; charset=' . get_option( 'blog_charset' ) );
 
 if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
 	include( ABSPATH . 'wp-admin/includes/ajax-actions.php' );

wp-admin/css/about-rtl.css

@@ -149,6 +149,11 @@
 	line-height: 1.5;
 }
 
+.about-wrap .under-the-hood-header {
+	margin: 40px 0 0;
+	text-align: center;
+}
+
 .about-wrap h4 {
 	color: #23282d;
 }
@@ -187,11 +192,20 @@
 	flex-wrap: wrap;
 }
 
-.about-wrap .feature-section.one-col {
+.about-wrap .one-col {
 	margin: 0 auto;
 	max-width: 680px;
 }
 
+.about-wrap .one-col.is-wide {
+	max-width: 760px;
+}
+
+.about-wrap .under-the-hood {
+	margin: auto;
+	max-width: 1020px;
+}
+
 .about-wrap .inline-svg img {
 	max-width: 100%;
 	width: 100%;
@@ -202,44 +216,31 @@
 	margin-bottom: 120px;
 }
 
+.about-wrap .under-the-hood .inline-svg {
+	margin-right: 100px;
+}
+
 .about-wrap [class$="-col"] .col {
 	flex: 1;
-}
-
-.about-wrap .two-col .col {
-	min-width: 47%;
-	max-width: 47%;
-}
-
-.about-wrap .three-col,
-.about-wrap .four-col {
-	margin: auto;
-	max-width: 1020px;
-}
-
-.about-wrap .three-col .col {
 	align-self: flex-start;
-	min-width: 31%;
-	max-width: 31%;
 }
 
-.about-wrap .four-col .col {
-	align-self: flex-start;
-	min-width: 23%;
-	max-width: 23%;
+.about-wrap [class$="-col"] .col + .col {
+	margin-right: 20px;
 }
 
-.about-wrap .feature-section.eight-col .col {
-	align-self: flex-start;
-	margin-top: 6px;
-	min-width: 12%;
-	max-width: 12%;
+.about-wrap [class$="-col"] .is-span-two {
+	flex: 2;
 }
 
 .about-wrap .one-col img {
 	margin: 1em 0 2em;
 }
 
+.about-wrap .one-col .alignright img {
+	margin-top: 0;
+}
+
 .about-wrap .two-col img {
 	margin-bottom: 1.5em;
 }
@@ -256,14 +257,24 @@
 	margin: 1.5em auto;
 }
 
+.about-wrap .inline-svg.alignright {
+	margin-right: 80px;
+}
+
 .about-wrap .cta {
 	text-align: center;
 }
+
 .about-wrap .cta .button {
 	margin: 0 auto 5px;
 	font-weight: 600;
 }
 
+.about-wrap .feature-section .button {
+	margin-top: 1.5em;
+	font-weight: 600;
+}
+
 /* 1.3 - Point Releases */
 
 .about-wrap .point-releases {
@@ -285,6 +296,10 @@
 
 /* 2.1 - Typography */
 
+.about-wrap .feature-section-header {
+	margin: 50px 0 0;
+}
+
 .about-wrap .feature-section.two-col h3 {
 	margin-top: 0;
 }
@@ -323,22 +338,8 @@
 
 /* 2.2 - Structure */
 
-.about-wrap .headline-feature.feature-video {
-	position: relative;
-	margin: 40px 0;
-	padding-bottom: 56.25%;
-	width: 100%;
-	max-width: 100%;
-	height: 0;
-	text-align: center;
-}
-
-.about-wrap .feature-video embed {
-	position: absolute;
-	top: 0;
-	right: 0;
-	width: 100%;
-	height: 100%;
+.about-wrap .headline-feature {
+	margin-bottom: 40px;
 }
 
 .about-wrap .featured-image {
@@ -500,32 +501,22 @@
   4.0 - Media Queries
 ------------------------------------------------------------------------------*/
 
-@media screen and (max-width: 1250px) {
-	.about-wrap .floating-header-section.has-long-title .section-item:nth-child(1),
-	.about-wrap .floating-header-section.has-long-title .section-item:nth-child(2) {
-		margin: 0 0 60px;
-	}
-
-	.about-wrap .floating-header-section.has-long-title .section-item:nth-child(3),
-	.about-wrap .floating-header-section.has-long-title .section-item:nth-child(4) {
-		margin: 0;
-	}
-
-	.about-wrap .floating-header-section.has-long-title .section-item:nth-child(2),
-	.about-wrap .floating-header-section.has-long-title .section-item:nth-child(4) {
-		margin-right: 60px;
-	}
-}
-
 @media screen and (max-width: 782px) {
 	.about-wrap .two-col-text {
 		column-count: 1;
 	}
 
+	.about-wrap .one-col .alignright {
+		margin-right: 20px;
+		max-width: 150px;
+	}
+
 	.about-wrap .two-col .col,
 	.about-wrap .three-col .col,
 	.about-wrap .four-col .col {
 		min-width: 48% !important;
+		max-width: 48% !important;
+		margin-right: 0 !important;
 	}
 
 	.about-wrap .eight-col .col {
@@ -549,18 +540,8 @@
 		text-shadow: none;
 	}
 
-	.about-wrap .floating-header-section {
-		display: block;
-	}
-
-	.about-wrap .floating-header-section .section-header,
-	.about-wrap .floating-header-section .section-content {
-		max-width: 100%;
-	}
-
-	.about-wrap .floating-header-section h2 {
-		position: static;
-		margin-bottom: 60px;
+	.about-wrap .under-the-hood .inline-svg {
+		margin-right: 40px;
 	}
 }
 
@@ -585,6 +566,10 @@
 		width: 100%;
 	}
 
+	.about-wrap .one-col .alignright {
+		max-width: 120px;
+	}
+
 	.about-wrap .feature-section .col {
 		margin-top: 1em;
 	}
@@ -616,24 +601,21 @@
 		margin-top: 1.25em;
 	}
 
-	.about-wrap .floating-header-section {
-		margin-bottom: 60px;
-		grid-gap: 30px 0;
+	.about-wrap .under-the-hood .inline-svg {
+		display: none;
 	}
 
 	.about-wrap .inline-svg.full-width {
 		margin-bottom: 60px;
 	}
+}
 
-	.about-wrap .floating-header-section h2 {
-		word-break: break-all;
-		-webkit-hyphens: auto;
-		-ms-hyphens: auto;
-		hyphens: auto;
+@media only screen and (max-width: 320px) {
+	.about-wrap .one-col .alignright {
+		float: none;
+		margin: 0 auto;
 	}
-
-	.about-wrap .floating-header-section .section-content .section-item {
-		max-width: 100%;
-		margin: 0 0 60px;
+	.about-wrap .one-col .alignright img {
+		margin: 0 0 1em;
 	}
 }

wp-admin/css/about.css

@@ -149,6 +149,11 @@
 	line-height: 1.5;
 }
 
+.about-wrap .under-the-hood-header {
+	margin: 40px 0 0;
+	text-align: center;
+}
+
 .about-wrap h4 {
 	color: #23282d;
 }
@@ -187,11 +192,20 @@
 	flex-wrap: wrap;
 }
 
-.about-wrap .feature-section.one-col {
+.about-wrap .one-col {
 	margin: 0 auto;
 	max-width: 680px;
 }
 
+.about-wrap .one-col.is-wide {
+	max-width: 760px;
+}
+
+.about-wrap .under-the-hood {
+	margin: auto;
+	max-width: 1020px;
+}
+
 .about-wrap .inline-svg img {
 	max-width: 100%;
 	width: 100%;
@@ -202,44 +216,31 @@
 	margin-bottom: 120px;
 }
 
+.about-wrap .under-the-hood .inline-svg {
+	margin-left: 100px;
+}
+
 .about-wrap [class$="-col"] .col {
 	flex: 1;
-}
-
-.about-wrap .two-col .col {
-	min-width: 47%;
-	max-width: 47%;
-}
-
-.about-wrap .three-col,
-.about-wrap .four-col {
-	margin: auto;
-	max-width: 1020px;
-}
-
-.about-wrap .three-col .col {
 	align-self: flex-start;
-	min-width: 31%;
-	max-width: 31%;
 }
 
-.about-wrap .four-col .col {
-	align-self: flex-start;
-	min-width: 23%;
-	max-width: 23%;
+.about-wrap [class$="-col"] .col + .col {
+	margin-left: 20px;
 }
 
-.about-wrap .feature-section.eight-col .col {
-	align-self: flex-start;
-	margin-top: 6px;
-	min-width: 12%;
-	max-width: 12%;
+.about-wrap [class$="-col"] .is-span-two {
+	flex: 2;
 }
 
 .about-wrap .one-col img {
 	margin: 1em 0 2em;
 }
 
+.about-wrap .one-col .alignright img {
+	margin-top: 0;
+}
+
 .about-wrap .two-col img {
 	margin-bottom: 1.5em;
 }
@@ -256,14 +257,24 @@
 	margin: 1.5em auto;
 }
 
+.about-wrap .inline-svg.alignright {
+	margin-left: 80px;
+}
+
 .about-wrap .cta {
 	text-align: center;
 }
+
 .about-wrap .cta .button {
 	margin: 0 auto 5px;
 	font-weight: 600;
 }
 
+.about-wrap .feature-section .button {
+	margin-top: 1.5em;
+	font-weight: 600;
+}
+
 /* 1.3 - Point Releases */
 
 .about-wrap .point-releases {
@@ -285,6 +296,10 @@
 
 /* 2.1 - Typography */
 
+.about-wrap .feature-section-header {
+	margin: 50px 0 0;
+}
+
 .about-wrap .feature-section.two-col h3 {
 	margin-top: 0;
 }
@@ -323,22 +338,8 @@
 
 /* 2.2 - Structure */
 
-.about-wrap .headline-feature.feature-video {
-	position: relative;
-	margin: 40px 0;
-	padding-bottom: 56.25%;
-	width: 100%;
-	max-width: 100%;
-	height: 0;
-	text-align: center;
-}
-
-.about-wrap .feature-video embed {
-	position: absolute;
-	top: 0;
-	left: 0;
-	width: 100%;
-	height: 100%;
+.about-wrap .headline-feature {
+	margin-bottom: 40px;
 }
 
 .about-wrap .featured-image {
@@ -500,32 +501,22 @@
   4.0 - Media Queries
 ------------------------------------------------------------------------------*/
 
-@media screen and (max-width: 1250px) {
-	.about-wrap .floating-header-section.has-long-title .section-item:nth-child(1),
-	.about-wrap .floating-header-section.has-long-title .section-item:nth-child(2) {
-		margin: 0 0 60px;
-	}
-
-	.about-wrap .floating-header-section.has-long-title .section-item:nth-child(3),
-	.about-wrap .floating-header-section.has-long-title .section-item:nth-child(4) {
-		margin: 0;
-	}
-
-	.about-wrap .floating-header-section.has-long-title .section-item:nth-child(2),
-	.about-wrap .floating-header-section.has-long-title .section-item:nth-child(4) {
-		margin-left: 60px;
-	}
-}
-
 @media screen and (max-width: 782px) {
 	.about-wrap .two-col-text {
 		column-count: 1;
 	}
 
+	.about-wrap .one-col .alignright {
+		margin-left: 20px;
+		max-width: 150px;
+	}
+
 	.about-wrap .two-col .col,
 	.about-wrap .three-col .col,
 	.about-wrap .four-col .col {
 		min-width: 48% !important;
+		max-width: 48% !important;
+		margin-left: 0 !important;
 	}
 
 	.about-wrap .eight-col .col {
@@ -549,18 +540,8 @@
 		text-shadow: none;
 	}
 
-	.about-wrap .floating-header-section {
-		display: block;
-	}
-
-	.about-wrap .floating-header-section .section-header,
-	.about-wrap .floating-header-section .section-content {
-		max-width: 100%;
-	}
-
-	.about-wrap .floating-header-section h2 {
-		position: static;
-		margin-bottom: 60px;
+	.about-wrap .under-the-hood .inline-svg {
+		margin-left: 40px;
 	}
 }
 
@@ -585,6 +566,10 @@
 		width: 100%;
 	}
 
+	.about-wrap .one-col .alignright {
+		max-width: 120px;
+	}
+
 	.about-wrap .feature-section .col {
 		margin-top: 1em;
 	}
@@ -616,24 +601,21 @@
 		margin-top: 1.25em;
 	}
 
-	.about-wrap .floating-header-section {
-		margin-bottom: 60px;
-		grid-gap: 30px 0;
+	.about-wrap .under-the-hood .inline-svg {
+		display: none;
 	}
 
 	.about-wrap .inline-svg.full-width {
 		margin-bottom: 60px;
 	}
+}
 
-	.about-wrap .floating-header-section h2 {
-		word-break: break-all;
-		-webkit-hyphens: auto;
-		-ms-hyphens: auto;
-		hyphens: auto;
+@media only screen and (max-width: 320px) {
+	.about-wrap .one-col .alignright {
+		float: none;
+		margin: 0 auto;
 	}
-
-	.about-wrap .floating-header-section .section-content .section-item {
-		max-width: 100%;
-		margin: 0 0 60px;
+	.about-wrap .one-col .alignright img {
+		margin: 0 0 1em;
 	}
 }

wp-admin/css/deprecated-media-rtl.css

@@ -206,6 +206,22 @@ span.required {
 	margin: 8px 0;
 }
 
+#media-upload .tablenav-pages a,
+#media-upload .tablenav-pages .current {
+	display: inline-block;
+	padding: 4px 5px 6px;
+	font-size: 16px;
+	line-height: 1;
+	text-align: center;
+	text-decoration: none;
+}
+
+#media-upload .tablenav-pages a {
+	min-width: 17px;
+	border: 1px solid #ccc;
+	background: #f7f7f7;
+}
+
 #filter .tablenav select {
 	border-style: solid;
 	border-width: 1px;

wp-admin/css/deprecated-media.css

@@ -206,6 +206,22 @@ span.required {
 	margin: 8px 0;
 }
 
+#media-upload .tablenav-pages a,
+#media-upload .tablenav-pages .current {
+	display: inline-block;
+	padding: 4px 5px 6px;
+	font-size: 16px;
+	line-height: 1;
+	text-align: center;
+	text-decoration: none;
+}
+
+#media-upload .tablenav-pages a {
+	min-width: 17px;
+	border: 1px solid #ccc;
+	background: #f7f7f7;
+}
+
 #filter .tablenav select {
 	border-style: solid;
 	border-width: 1px;

wp-admin/css/nav-menus-rtl.css

@@ -161,7 +161,6 @@ ul.add-menu-item-tabs li {
 	margin-left: 20px;
 	margin-top: -3px;
 	width: 100%;
-	background: #f5f5f5;
 }
 
 #menu-management .menu-edit {
@@ -178,6 +177,7 @@ ul.add-menu-item-tabs li {
 #nav-menu-header,
 #nav-menu-footer {
 	padding: 0 10px;
+	background: #f5f5f5;
 }
 
 #nav-menu-header {

wp-admin/css/nav-menus.css

@@ -161,7 +161,6 @@ ul.add-menu-item-tabs li {
 	margin-right: 20px;
 	margin-top: -3px;
 	width: 100%;
-	background: #f5f5f5;
 }
 
 #menu-management .menu-edit {
@@ -178,6 +177,7 @@ ul.add-menu-item-tabs li {
 #nav-menu-header,
 #nav-menu-footer {
 	padding: 0 10px;
+	background: #f5f5f5;
 }
 
 #nav-menu-header {

wp-admin/includes/ajax-actions.php

@@ -1214,6 +1214,8 @@ function wp_ajax_replyto_comment( $action ) {
 			if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
 				kses_remove_filters(); // start with a clean slate
 				kses_init_filters(); // set up the filters
+				remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+				add_filter( 'pre_comment_content', 'wp_filter_kses' );
 			}
 		}
 	} else {
@@ -2301,7 +2303,7 @@ function wp_ajax_upload_attachment() {
 				'success' => false,
 				'data'    => array(
 					'message'  => __( 'Sorry, you are not allowed to upload files.' ),
-					'filename' => $_FILES['async-upload']['name'],
+					'filename' => esc_html( $_FILES['async-upload']['name'] ),
 				),
 			)
 		);
@@ -2317,7 +2319,7 @@ function wp_ajax_upload_attachment() {
 					'success' => false,
 					'data'    => array(
 						'message'  => __( 'Sorry, you are not allowed to attach files to this post.' ),
-						'filename' => $_FILES['async-upload']['name'],
+						'filename' => esc_html( $_FILES['async-upload']['name'] ),
 					),
 				)
 			);
@@ -2343,7 +2345,7 @@ function wp_ajax_upload_attachment() {
 					'success' => false,
 					'data'    => array(
 						'message'  => __( 'The uploaded file is not a valid image. Please try again.' ),
-						'filename' => $_FILES['async-upload']['name'],
+						'filename' => esc_html( $_FILES['async-upload']['name'] ),
 					),
 				)
 			);
@@ -2360,7 +2362,7 @@ function wp_ajax_upload_attachment() {
 				'success' => false,
 				'data'    => array(
 					'message'  => $attachment_id->get_error_message(),
-					'filename' => $_FILES['async-upload']['name'],
+					'filename' => esc_html( $_FILES['async-upload']['name'] ),
 				),
 			)
 		);

wp-admin/includes/class-wp-plugin-install-list-table.php

@@ -634,11 +634,11 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 			if ( ! $compatible_php || ! $compatible_wp ) {
 				echo '<div class="notice inline notice-error notice-alt"><p>';
 				if ( ! $compatible_php && ! $compatible_wp ) {
-					_e( 'This plugin doesn&#8217;t work with your versions of WordPress and PHP. ' );
+					_e( 'This plugin doesn&#8217;t work with your versions of WordPress and PHP.' );
 					if ( current_user_can( 'update_core' ) && current_user_can( 'update_php' ) ) {
 						printf(
 							/* translators: 1: "Update WordPress" screen URL, 2: "Update PHP" page URL */
-							__( '<a href="%1$s">Please update WordPress</a>, and then <a href="%2$s">learn more about updating PHP</a>.' ),
+							' ' . __( '<a href="%1$s">Please update WordPress</a>, and then <a href="%2$s">learn more about updating PHP</a>.' ),
 							self_admin_url( 'update-core.php' ),
 							esc_url( wp_get_update_php_url() )
 						);
@@ -646,32 +646,32 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 					} elseif ( current_user_can( 'update_core' ) ) {
 						printf(
 							/* translators: %s: "Update WordPress" screen URL */
-							__( '<a href="%s">Please update WordPress</a>.' ),
+							' ' . __( '<a href="%s">Please update WordPress</a>.' ),
 							self_admin_url( 'update-core.php' )
 						);
 					} elseif ( current_user_can( 'update_php' ) ) {
 						printf(
 							/* translators: %s: "Update PHP" page URL */
-							__( '<a href="%s">Learn more about updating PHP</a>.' ),
+							' ' . __( '<a href="%s">Learn more about updating PHP</a>.' ),
 							esc_url( wp_get_update_php_url() )
 						);
 						wp_update_php_annotation();
 					}
 				} elseif ( ! $compatible_wp ) {
-					_e( 'This plugin doesn&#8217;t work with your version of WordPress. ' );
+					_e( 'This plugin doesn&#8217;t work with your version of WordPress.' );
 					if ( current_user_can( 'update_core' ) ) {
 						printf(
 							/* translators: %s: "Update WordPress" screen URL */
-							__( '<a href="%s">Please update WordPress</a>.' ),
+							' ' . __( '<a href="%s">Please update WordPress</a>.' ),
 							self_admin_url( 'update-core.php' )
 						);
 					}
 				} elseif ( ! $compatible_php ) {
-					_e( 'This plugin doesn&#8217;t work with your version of PHP. ' );
+					_e( 'This plugin doesn&#8217;t work with your version of PHP.' );
 					if ( current_user_can( 'update_php' ) ) {
 						printf(
 							/* translators: %s: "Update PHP" page URL */
-							__( '<a href="%s">Learn more about updating PHP</a>.' ),
+							' ' . __( '<a href="%s">Learn more about updating PHP</a>.' ),
 							esc_url( wp_get_update_php_url() )
 						);
 						wp_update_php_annotation();

wp-admin/includes/dashboard.php

@@ -1646,6 +1646,7 @@ function wp_dashboard_php_nag() {
 	<?php
 
 	wp_update_php_annotation();
+	wp_direct_php_update_button();
 }
 
 /**

wp-admin/includes/misc.php

@@ -2016,6 +2016,7 @@ final class WP_Privacy_Policy_Content {
  * Checks if the user needs to update PHP.
  *
  * @since 5.1.0
+ * @since 5.1.1 Added the {@see 'wp_is_php_version_acceptable'} filter.
  *
  * @return array|false $response Array of PHP version data. False on failure.
  */
@@ -2054,5 +2055,22 @@ function wp_check_php_version() {
 		set_site_transient( 'php_check_' . $key, $response, WEEK_IN_SECONDS );
 	}
 
+	if ( isset( $response['is_acceptable'] ) && $response['is_acceptable'] ) {
+		/**
+		 * Filters whether the active PHP version is considered acceptable by WordPress.
+		 *
+		 * Returning false will trigger a PHP version warning to show up in the admin dashboard to administrators.
+		 *
+		 * This filter is only run if the wordpress.org Serve Happy API considers the PHP version acceptable, ensuring
+		 * that this filter can only make this check stricter, but not loosen it.
+		 *
+		 * @since 5.1.1
+		 *
+		 * @param bool   $is_acceptable Whether the PHP version is considered acceptable. Default true.
+		 * @param string $version       PHP version checked.
+		 */
+		$response['is_acceptable'] = (bool) apply_filters( 'wp_is_php_version_acceptable', true, $version );
+	}
+
 	return $response;
 }

wp-admin/includes/update-core.php

@@ -783,6 +783,7 @@ $_old_files = array(
 	// 5.0
 	'wp-includes/js/codemirror/jshint.js',
 	// 5.1
+	'wp-includes/random_compat/random_bytes_openssl.php',
 	'wp-includes/js/tinymce/wp-tinymce.js.gz',
 );
 

wp-admin/js/widgets/custom-html-widgets.js

@@ -115,7 +115,7 @@ wp.customHtmlWidgets = ( function( $ ) {
 			control.contentUpdateBypassed = control.fields.content.is( document.activeElement ) || control.editor && control.editor.codemirror.state.focused || 0 !== control.currentErrorAnnotations.length;
 			if ( ! control.contentUpdateBypassed ) {
 				syncInput = control.syncContainer.find( '.sync-input.content' );
-				control.fields.content.val( syncInput.val() ).trigger( 'change' );
+				control.fields.content.val( syncInput.val() );
 			}
 		},
 

wp-admin/network/upgrade.php

@@ -57,15 +57,16 @@ switch ( $action ) {
 
 		$site_ids = get_sites(
 			array(
-				'spam'       => 0,
-				'deleted'    => 0,
-				'archived'   => 0,
-				'network_id' => get_current_network_id(),
-				'number'     => 5,
-				'offset'     => $n,
-				'fields'     => 'ids',
-				'order'      => 'DESC',
-				'orderby'    => 'id',
+				'spam'                   => 0,
+				'deleted'                => 0,
+				'archived'               => 0,
+				'network_id'             => get_current_network_id(),
+				'number'                 => 5,
+				'offset'                 => $n,
+				'fields'                 => 'ids',
+				'order'                  => 'DESC',
+				'orderby'                => 'id',
+				'update_site_meta_cache' => false,
 			)
 		);
 		if ( empty( $site_ids ) ) {

wp-content/themes/twentynineteen/inc/color-patterns.php

@@ -132,14 +132,20 @@ function twentynineteen_custom_colors_css() {
 		}
 
 		/*
-		 * Set border color for:
+		 * Set left border color for:
 		 * wp block quote
-		 * :focus
 		 */
 		blockquote,
 		.entry .entry-content blockquote,
 		.entry .entry-content .wp-block-quote:not(.is-large),
-		.entry .entry-content .wp-block-quote:not(.is-style-large),
+		.entry .entry-content .wp-block-quote:not(.is-style-large) {
+			border-left-color: hsl( ' . $primary_color . ', ' . $saturation . ', ' . $lightness . ' ); /* base: #0073a8; */
+		}
+
+		/*
+		 * Set border color for:
+		 * :focus
+		 */
 		input[type="text"]:focus,
 		input[type="email"]:focus,
 		input[type="url"]:focus,
@@ -225,7 +231,7 @@ function twentynineteen_custom_colors_css() {
 
 		.editor-block-list__layout .editor-block-list__block .wp-block-quote:not(.is-large):not(.is-style-large),
 		.editor-styles-wrapper .editor-block-list__layout .wp-block-freeform blockquote {
-			border-color: hsl( ' . $primary_color . ', ' . $saturation . ', ' . $lightness . ' ); /* base: #0073a8; */
+			border-left: 2px solid hsl( ' . $primary_color . ', ' . $saturation . ', ' . $lightness . ' ); /* base: #0073a8; */
 		}
 
 		.editor-block-list__layout .editor-block-list__block .wp-block-pullquote.is-style-solid-color:not(.has-background-color) {

wp-content/themes/twentynineteen/sass/blocks/_blocks.scss

@@ -452,8 +452,7 @@
 
 		&:not(.is-large),
 		&:not(.is-style-large) {
-			border-width: 2px;
-			border-color: $color__link;
+			border-left: 2px solid $color__link;
 			padding-top: 0;
 			padding-bottom: 0;
 		}

wp-content/themes/twentynineteen/style-editor.css

@@ -940,8 +940,7 @@ figcaption,
 
 /** === Blockquote === */
 .wp-block-quote:not(.is-large):not(.is-style-large) {
-  border-width: 2px;
-  border-color: #0073aa;
+  border-left: 2px solid #0073aa;
 }
 
 .wp-block-quote.is-large, .wp-block-quote.is-style-large {

wp-content/themes/twentynineteen/style-editor.scss

@@ -391,8 +391,7 @@ figcaption,
 .wp-block-quote {
 
 	&:not(.is-large):not(.is-style-large) {
-		border-width: 2px;
-		border-color: $color__link;
+		border-left: 2px solid $color__link;
 	}
 
 	&.is-large,

wp-content/themes/twentynineteen/style-rtl.css

@@ -5477,8 +5477,7 @@ body.page .main-navigation {
 }
 
 .entry .entry-content .wp-block-quote:not(.is-large), .entry .entry-content .wp-block-quote:not(.is-style-large) {
-  border-width: 2px;
-  border-color: #0073aa;
+  border-right: 2px solid #0073aa;
   padding-top: 0;
   padding-bottom: 0;
 }

wp-content/themes/twentynineteen/style.css

@@ -5663,8 +5663,7 @@ body.page .main-navigation {
 }
 
 .entry .entry-content .wp-block-quote:not(.is-large), .entry .entry-content .wp-block-quote:not(.is-style-large) {
-  border-width: 2px;
-  border-color: #0073aa;
+  border-left: 2px solid #0073aa;
   padding-top: 0;
   padding-bottom: 0;
 }

wp-includes/blocks.php

@@ -74,11 +74,11 @@ function has_blocks( $post = null ) {
  * @since 5.0.0
  * @see parse_blocks()
  *
- * @param string                  $block_type Full Block type to look for.
+ * @param string                  $block_name Full Block type to look for.
  * @param int|string|WP_Post|null $post Optional. Post content, post ID, or post object. Defaults to global $post.
  * @return bool Whether the post content contains the specified block.
  */
-function has_block( $block_type, $post = null ) {
+function has_block( $block_name, $post = null ) {
 	if ( ! has_blocks( $post ) ) {
 		return false;
 	}
@@ -90,7 +90,30 @@ function has_block( $block_type, $post = null ) {
 		}
 	}
 
-	return false !== strpos( $post, '<!-- wp:' . $block_type . ' ' );
+	/*
+	 * Normalize block name to include namespace, if provided as non-namespaced.
+	 * This matches behavior for WordPress 5.0.0 - 5.3.0 in matching blocks by
+	 * their serialized names.
+	 */
+	if ( false === strpos( $block_name, '/' ) ) {
+		$block_name = 'core/' . $block_name;
+	}
+
+	// Test for existence of block by its fully qualified name.
+	$has_block = false !== strpos( $post, '<!-- wp:' . $block_name . ' ' );
+
+	if ( ! $has_block ) {
+		/*
+		 * If the given block name would serialize to a different name, test for
+		 * existence by the serialized form.
+		 */
+		$serialized_block_name = strip_core_block_namespace( $block_name );
+		if ( $serialized_block_name !== $block_name ) {
+			$has_block = false !== strpos( $post, '<!-- wp:' . $serialized_block_name . ' ' );
+		}
+	}
+
+	return $has_block;
 }
 
 /**
@@ -113,6 +136,207 @@ function get_dynamic_block_names() {
 	return $dynamic_block_names;
 }
 
+/**
+ * Given an array of attributes, returns a string in the serialized attributes
+ * format prepared for post content.
+ *
+ * The serialized result is a JSON-encoded string, with unicode escape sequence
+ * substitution for characters which might otherwise interfere with embedding
+ * the result in an HTML comment.
+ *
+ * @since 5.3.1
+ *
+ * @param array $attributes Attributes object.
+ * @return string Serialized attributes.
+ */
+function serialize_block_attributes( $block_attributes ) {
+	$encoded_attributes = json_encode( $block_attributes );
+	$encoded_attributes = preg_replace( '/--/', '\\u002d\\u002d', $encoded_attributes );
+	$encoded_attributes = preg_replace( '/</', '\\u003c', $encoded_attributes );
+	$encoded_attributes = preg_replace( '/>/', '\\u003e', $encoded_attributes );
+	$encoded_attributes = preg_replace( '/&/', '\\u0026', $encoded_attributes );
+	// Regex: /\\"/
+	$encoded_attributes = preg_replace( '/\\\\"/', '\\u0022', $encoded_attributes );
+
+	return $encoded_attributes;
+}
+
+/**
+ * Returns the block name to use for serialization. This will remove the default
+ * "core/" namespace from a block name.
+ *
+ * @since 5.3.1
+ *
+ * @param string $block_name Original block name.
+ * @return string Block name to use for serialization.
+ */
+function strip_core_block_namespace( $block_name = null ) {
+	if ( is_string( $block_name ) && 0 === strpos( $block_name, 'core/' ) ) {
+		return substr( $block_name, 5 );
+	}
+
+	return $block_name;
+}
+
+/**
+ * Returns the content of a block, including comment delimiters.
+ *
+ * @since 5.3.1
+ *
+ * @param string $block_name Block name.
+ * @param array  $attributes Block attributes.
+ * @param string $content    Block save content.
+ * @return string Comment-delimited block content.
+ */
+function get_comment_delimited_block_content( $block_name = null, $block_attributes, $block_content ) {
+	if ( is_null( $block_name ) ) {
+		return $block_content;
+	}
+
+	$serialized_block_name = strip_core_block_namespace( $block_name );
+	$serialized_attributes = empty( $block_attributes ) ? '' : serialize_block_attributes( $block_attributes ) . ' ';
+
+	if ( empty( $block_content ) ) {
+		return sprintf( '<!-- wp:%s %s/-->', $serialized_block_name, $serialized_attributes );
+	}
+
+	return sprintf(
+		'<!-- wp:%s %s-->%s<!-- /wp:%s -->',
+		$serialized_block_name,
+		$serialized_attributes,
+		$block_content,
+		$serialized_block_name
+	);
+}
+
+/**
+ * Returns the content of a block, including comment delimiters, serializing all
+ * attributes from the given parsed block.
+ *
+ * This should be used when preparing a block to be saved to post content.
+ * Prefer `render_block` when preparing a block for display. Unlike
+ * `render_block`, this does not evaluate a block's `render_callback`, and will
+ * instead preserve the markup as parsed.
+ *
+ * @since 5.3.1
+ *
+ * @param WP_Block_Parser_Block $block A single parsed block object.
+ * @return string String of rendered HTML.
+ */
+function serialize_block( $block ) {
+	$block_content = '';
+
+	$index = 0;
+	foreach ( $block['innerContent'] as $chunk ) {
+		$block_content .= is_string( $chunk ) ? $chunk : serialize_block( $block['innerBlocks'][ $index++ ] );
+	}
+
+	if ( ! is_array( $block['attrs'] ) ) {
+		$block['attrs'] = array();
+	}
+
+	return get_comment_delimited_block_content(
+		$block['blockName'],
+		$block['attrs'],
+		$block_content
+	);
+}
+
+/**
+ * Returns a joined string of the aggregate serialization of the given parsed
+ * blocks.
+ *
+ * @since 5.3.1
+ *
+ * @param WP_Block_Parser_Block[] $blocks Parsed block objects.
+ * @return string String of rendered HTML.
+ */
+function serialize_blocks( $blocks ) {
+	return implode( '', array_map( 'serialize_block', $blocks ) );
+}
+
+/**
+ * Filters and sanitizes block content to remove non-allowable HTML from
+ * parsed block attribute values.
+ *
+ * @since 5.3.1
+ *
+ * @param string         $text              Text that may contain block content.
+ * @param array[]|string $allowed_html      An array of allowed HTML elements
+ *                                          and attributes, or a context name
+ *                                          such as 'post'.
+ * @param string[]       $allowed_protocols Array of allowed URL protocols.
+ * @return string The filtered and sanitized content result.
+ */
+function filter_block_content( $text, $allowed_html = 'post', $allowed_protocols = array() ) {
+	$result = '';
+
+	$blocks = parse_blocks( $text );
+	foreach ( $blocks as $block ) {
+		$block   = filter_block_kses( $block, $allowed_html, $allowed_protocols );
+		$result .= serialize_block( $block );
+	}
+
+	return $result;
+}
+
+/**
+ * Filters and sanitizes a parsed block to remove non-allowable HTML from block
+ * attribute values.
+ *
+ * @since 5.3.1
+ *
+ * @param WP_Block_Parser_Block $block             The parsed block object.
+ * @param array[]|string        $allowed_html      An array of allowed HTML
+ *                                                 elements and attributes, or a
+ *                                                 context name such as 'post'.
+ * @param string[]              $allowed_protocols Allowed URL protocols.
+ * @return array The filtered and sanitized block object result.
+ */
+function filter_block_kses( $block, $allowed_html, $allowed_protocols = array() ) {
+	$block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols );
+
+	if ( is_array( $block['innerBlocks'] ) ) {
+		foreach ( $block['innerBlocks'] as $i => $inner_block ) {
+			$block['innerBlocks'][ $i ] = filter_block_kses( $inner_block, $allowed_html, $allowed_protocols );
+		}
+	}
+
+	return $block;
+}
+
+/**
+ * Filters and sanitizes a parsed block attribute value to remove non-allowable
+ * HTML.
+ *
+ * @since 5.3.1
+ *
+ * @param mixed          $value             The attribute value to filter.
+ * @param array[]|string $allowed_html      An array of allowed HTML elements
+ *                                          and attributes, or a context name
+ *                                          such as 'post'.
+ * @param string[]       $allowed_protocols Array of allowed URL protocols.
+ * @return array The filtered and sanitized result.
+ */
+function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array() ) {
+	if ( is_array( $value ) ) {
+		foreach ( $value as $key => $inner_value ) {
+			$filtered_key   = filter_block_kses_value( $key, $allowed_html, $allowed_protocols );
+			$filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols );
+
+			if ( $filtered_key !== $key ) {
+				unset( $value[ $key ] );
+			}
+
+			$value[ $filtered_key ] = $filtered_value;
+		}
+	} elseif ( is_string( $value ) ) {
+		return wp_kses( $value, $allowed_html, $allowed_protocols );
+	}
+
+	return $value;
+}
+
 /**
  * Parses blocks out of a content string, and renders those appropriate for the excerpt.
  *

wp-includes/cache.php

@@ -695,7 +695,7 @@ class WP_Object_Cache {
 		echo '</p>';
 		echo '<ul>';
 		foreach ( $this->cache as $group => $cache ) {
-			echo "<li><strong>Group:</strong> $group - ( " . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
+			echo '<li><strong>Group:</strong> ' . esc_html( $group ) . ' - ( ' . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
 		}
 		echo '</ul>';
 	}

wp-includes/class-wp-customize-manager.php

@@ -2886,22 +2886,11 @@ final class WP_Customize_Manager {
 		add_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ), 5, 3 );
 
 		/*
-		 * Update the changeset post. The publish_customize_changeset action
-		 * will cause the settings in the changeset to be saved via
-		 * WP_Customize_Setting::save().
+		 * Update the changeset post. The publish_customize_changeset action will cause the settings in the
+		 * changeset to be saved via WP_Customize_Setting::save(). Updating a post with publish status will
+		 * trigger WP_Customize_Manager::publish_changeset_values().
 		 */
-
-		// Prevent content filters from corrupting JSON in post_content.
-		$has_kses = ( false !== has_filter( 'content_save_pre', 'wp_filter_post_kses' ) );
-		if ( $has_kses ) {
-			kses_remove_filters();
-		}
-		$has_targeted_link_rel_filters = ( false !== has_filter( 'content_save_pre', 'wp_targeted_link_rel' ) );
-		if ( $has_targeted_link_rel_filters ) {
-			wp_remove_targeted_link_rel_filters();
-		}
-
-		// Note that updating a post with publish status will trigger WP_Customize_Manager::publish_changeset_values().
+		add_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5, 3 );
 		if ( $changeset_post_id ) {
 			if ( $args['autosave'] && 'auto-draft' !== get_post_status( $changeset_post_id ) ) {
 				// See _wp_translate_postdata() for why this is required as it will use the edit_post meta capability.
@@ -2928,14 +2917,7 @@ final class WP_Customize_Manager {
 				$this->_changeset_post_id = $r; // Update cached post ID for the loaded changeset.
 			}
 		}
-
-		// Restore removed content filters.
-		if ( $has_kses ) {
-			kses_init_filters();
-		}
-		if ( $has_targeted_link_rel_filters ) {
-			wp_init_targeted_link_rel_filters();
-		}
+		remove_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5 );
 
 		$this->_changeset_data = null; // Reset so WP_Customize_Manager::changeset_data() will re-populate with updated contents.
 
@@ -2953,6 +2935,51 @@ final class WP_Customize_Manager {
 		return $response;
 	}
 
+	/**
+	 * Preserve the initial JSON post_content passed to save into the post.
+	 *
+	 * This is needed to prevent KSES and other {@see 'content_save_pre'} filters
+	 * from corrupting JSON data.
+	 *
+	 * Note that WP_Customize_Manager::validate_setting_values() have already
+	 * run on the setting values being serialized as JSON into the post content
+	 * so it is pre-sanitized.
+	 *
+	 * Also, the sanitization logic is re-run through the respective
+	 * WP_Customize_Setting::sanitize() method when being read out of the
+	 * changeset, via WP_Customize_Manager::post_value(), and this sanitized
+	 * value will also be sent into WP_Customize_Setting::update() for
+	 * persisting to the DB.
+	 *
+	 * Multiple users can collaborate on a single changeset, where one user may
+	 * have the unfiltered_html capability but another may not. A user with
+	 * unfiltered_html may add a script tag to some field which needs to be kept
+	 * intact even when another user updates the changeset to modify another field
+	 * when they do not have unfiltered_html.
+	 *
+	 * @since 5.4.1
+	 *
+	 * @param array $data                An array of slashed and processed post data.
+	 * @param array $postarr             An array of sanitized (and slashed) but otherwise unmodified post data.
+	 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as originally passed to wp_insert_post().
+	 * @return array Filtered post data.
+	 */
+	public function preserve_insert_changeset_post_content( $data, $postarr, $unsanitized_postarr ) {
+		if (
+			isset( $data['post_type'] ) &&
+			isset( $unsanitized_postarr['post_content'] ) &&
+			'customize_changeset' === $data['post_type'] ||
+			(
+				'revision' === $data['post_type'] &&
+				! empty( $data['post_parent'] ) &&
+				'customize_changeset' === get_post_type( $data['post_parent'] )
+			)
+		) {
+			$data['post_content'] = $unsanitized_postarr['post_content'];
+		}
+		return $data;
+	}
+
 	/**
 	 * Trash or delete a changeset post.
 	 *

wp-includes/class-wp-query.php

@@ -529,7 +529,6 @@ class WP_Query {
 			'attachment',
 			'attachment_id',
 			'name',
-			'static',
 			'pagename',
 			'page_id',
 			'second',
@@ -789,11 +788,7 @@ class WP_Query {
 			$this->is_single = true;
 		} elseif ( $qv['p'] ) {
 			$this->is_single = true;
-		} elseif ( ( '' !== $qv['hour'] ) && ( '' !== $qv['minute'] ) && ( '' !== $qv['second'] ) && ( '' != $qv['year'] ) && ( '' != $qv['monthnum'] ) && ( '' != $qv['day'] ) ) {
-			// If year, month, day, hour, minute, and second are set, a single
-			// post is being queried.
-			$this->is_single = true;
-		} elseif ( '' != $qv['static'] || '' != $qv['pagename'] || ! empty( $qv['page_id'] ) ) {
+		} elseif ( '' != $qv['pagename'] || ! empty( $qv['page_id'] ) ) {
 			$this->is_page   = true;
 			$this->is_single = false;
 		} else {

wp-includes/class-wp.php

@@ -14,7 +14,7 @@ class WP {
 	 * @since 2.0.0
 	 * @var string[]
 	 */
-	public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'static', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
+	public $public_query_vars = array( 'm', 'p', 'posts', 'w', 'cat', 'withcomments', 'withoutcomments', 's', 'search', 'exact', 'sentence', 'calendar', 'page', 'paged', 'more', 'tb', 'pb', 'author', 'order', 'orderby', 'year', 'monthnum', 'day', 'hour', 'minute', 'second', 'name', 'category_name', 'tag', 'feed', 'author_name', 'pagename', 'page_id', 'error', 'attachment', 'attachment_id', 'subpost', 'subpost_id', 'preview', 'robots', 'taxonomy', 'term', 'cpage', 'post_type', 'embed' );
 
 	/**
 	 * Private query variables.

wp-includes/comment.php

@@ -3243,6 +3243,8 @@ function wp_handle_comment_submission( $comment_data ) {
 			) {
 				kses_remove_filters(); // start with a clean slate
 				kses_init_filters(); // set up the filters
+				remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+				add_filter( 'pre_comment_content', 'wp_filter_kses' );
 			}
 		}
 	} else {

wp-includes/css/dist/block-library/editor-rtl.css

@@ -78,6 +78,8 @@
     width: 36px; }
   .block-library-button__inline-link .dashicon {
     color: #8f98a1; }
+  .block-library-button__inline-link .editor-url-input input[type="text"]::-webkit-input-placeholder {
+    color: #8f98a1; }
   .block-library-button__inline-link .editor-url-input input[type="text"]:-ms-input-placeholder {
     color: #8f98a1; }
   .block-library-button__inline-link .editor-url-input input[type="text"]::-ms-input-placeholder {

wp-includes/css/dist/block-library/editor.css

@@ -79,6 +79,8 @@
     width: 36px; }
   .block-library-button__inline-link .dashicon {
     color: #8f98a1; }
+  .block-library-button__inline-link .editor-url-input input[type="text"]::-webkit-input-placeholder {
+    color: #8f98a1; }
   .block-library-button__inline-link .editor-url-input input[type="text"]:-ms-input-placeholder {
     color: #8f98a1; }
   .block-library-button__inline-link .editor-url-input input[type="text"]::-ms-input-placeholder {

wp-includes/default-filters.php

@@ -245,6 +245,7 @@ add_filter( 'option_siteurl', '_config_wp_siteurl' );
 add_filter( 'tiny_mce_before_init', '_mce_set_direction' );
 add_filter( 'teeny_mce_before_init', '_mce_set_direction' );
 add_filter( 'pre_kses', 'wp_pre_kses_less_than' );
+add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
 add_filter( 'sanitize_title', 'sanitize_title_with_dashes', 10, 3 );
 add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
 add_filter( 'comment_flood_filter', 'wp_throttle_comment_flood', 10, 3 );

wp-includes/embed.php

@@ -586,8 +586,9 @@ function get_oembed_response_data_for_url( $url, $args ) {
 		);
 
 		$qv = array(
-			'domain' => $url_parts['host'],
-			'path'   => '/',
+			'domain'                 => $url_parts['host'],
+			'path'                   => '/',
+			'update_site_meta_cache' => false,
 		);
 
 		// In case of subdirectory configs, set the path.

wp-includes/formatting.php

@@ -1998,6 +1998,24 @@ function remove_accents( $string ) {
 function sanitize_file_name( $filename ) {
 	$filename_raw  = $filename;
 	$special_chars = array( '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', chr( 0 ) );
+
+	// Check for support for utf8 in the installed PCRE library once and store the result in a static.
+	static $utf8_pcre = null;
+	if ( ! isset( $utf8_pcre ) ) {
+		// phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
+		$utf8_pcre = @preg_match( '/^./u', 'a' );
+	}
+
+	if ( ! seems_utf8( $filename ) ) {
+		$_ext     = pathinfo( $filename, PATHINFO_EXTENSION );
+		$_name    = pathinfo( $filename, PATHINFO_FILENAME );
+		$filename = sanitize_title_with_dashes( $_name ) . '.' . $_ext;
+	}
+
+	if ( $utf8_pcre ) {
+		$filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
+	}
+
 	/**
 	 * Filters the list of characters to remove from a filename.
 	 *
@@ -2007,7 +2025,6 @@ function sanitize_file_name( $filename ) {
 	 * @param string $filename_raw  Filename as it was passed into sanitize_file_name().
 	 */
 	$special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
-	$filename      = preg_replace( "#\x{00a0}#siu", ' ', $filename );
 	$filename      = str_replace( $special_chars, '', $filename );
 	$filename      = str_replace( array( '%20', '+' ), '-', $filename );
 	$filename      = preg_replace( '/[\r\n\t -]+/', '-', $filename );
@@ -3001,17 +3018,19 @@ function wp_rel_nofollow( $text ) {
  */
 function wp_rel_nofollow_callback( $matches ) {
 	$text = $matches[1];
-	$atts = shortcode_parse_atts( $matches[1] );
+	$atts = wp_kses_hair( $matches[1], wp_allowed_protocols() );
 	$rel  = 'nofollow';
 
-	if ( preg_match( '%href=["\'](' . preg_quote( set_url_scheme( home_url(), 'http' ) ) . ')%i', $text ) ||
-		preg_match( '%href=["\'](' . preg_quote( set_url_scheme( home_url(), 'https' ) ) . ')%i', $text ) ) {
-
-		return "<a $text>";
+	if ( ! empty( $atts['href'] ) ) {
+		if ( in_array( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_SCHEME ) ), array( 'http', 'https' ), true ) ) {
+			if ( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_HOST ) ) === strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) ) ) {
+				return "<a $text>";
+			}
+		}
 	}
 
 	if ( ! empty( $atts['rel'] ) ) {
-		$parts = array_map( 'trim', explode( ' ', $atts['rel'] ) );
+		$parts = array_map( 'trim', explode( ' ', $atts['rel']['value'] ) );
 		if ( false === array_search( 'nofollow', $parts ) ) {
 			$parts[] = 'nofollow';
 		}
@@ -3020,11 +3039,15 @@ function wp_rel_nofollow_callback( $matches ) {
 
 		$html = '';
 		foreach ( $atts as $name => $value ) {
-			$html .= "{$name}=\"$value\" ";
+			if ( isset( $value['vless'] ) && 'y' === $value['vless'] ) {
+				$html .= $name . ' ';
+			} else {
+				$html .= "{$name}=\"" . esc_attr( $value['value'] ) . '" ';
+			}
 		}
 		$text = trim( $html );
 	}
-	return "<a $text rel=\"$rel\">";
+	return "<a $text rel=\"" . esc_attr( $rel ) . '">';
 }
 
 /**
@@ -3035,8 +3058,26 @@ function wp_rel_nofollow_callback( $matches ) {
  */
 function wp_targeted_link_rel( $text ) {
 	// Don't run (more expensive) regex if no links with targets.
-	if ( stripos( $text, 'target' ) !== false && stripos( $text, '<a ' ) !== false ) {
-		$text = preg_replace_callback( '|<a\s([^>]*target\s*=[^>]*)>|i', 'wp_targeted_link_rel_callback', $text );
+	if ( stripos( $text, 'target' ) === false || stripos( $text, '<a ' ) === false || is_serialized( $text ) ) {
+		return $text;
+	}
+
+	$script_and_style_regex = '/<(script|style).*?<\/\\1>/si';
+
+	preg_match_all( $script_and_style_regex, $text, $matches );
+	$extra_parts = $matches[0];
+	$html_parts  = preg_split( $script_and_style_regex, $text );
+
+	foreach ( $html_parts as &$part ) {
+		$part = preg_replace_callback( '|<a\s([^>]*target\s*=[^>]*)>|i', 'wp_targeted_link_rel_callback', $part );
+	}
+
+	$text = '';
+	for ( $i = 0; $i < count( $html_parts ); $i++ ) {
+		$text .= $html_parts[ $i ];
+		if ( isset( $extra_parts[ $i ] ) ) {
+			$text .= $extra_parts[ $i ];
+		}
 	}
 
 	return $text;
@@ -3052,8 +3093,17 @@ function wp_targeted_link_rel( $text ) {
  * @return string HTML A Element with rel noreferrer noopener in addition to any existing values
  */
 function wp_targeted_link_rel_callback( $matches ) {
-	$link_html = $matches[1];
-	$rel_match = array();
+	$link_html          = $matches[1];
+	$original_link_html = $link_html;
+
+	// Consider the html escaped if there are no unescaped quotes
+	$is_escaped = ! preg_match( '/(^|[^\\\\])[\'"]/', $link_html );
+	if ( $is_escaped ) {
+		// Replace only the quotes so that they are parsable by wp_kses_hair, leave the rest as is
+		$link_html = preg_replace( '/\\\\([\'"])/', '$1', $link_html );
+	}
+
+	$atts = wp_kses_hair( $link_html, wp_allowed_protocols() );
 
 	/**
 	 * Filters the rel values that are added to links with `target` attribute.
@@ -3065,31 +3115,21 @@ function wp_targeted_link_rel_callback( $matches ) {
 	 */
 	$rel = apply_filters( 'wp_targeted_link_rel', 'noopener noreferrer', $link_html );
 
-	// Avoid additional regex if the filter removes rel values.
-	if ( ! $rel ) {
-		return "<a $link_html>";
+	// Return early if no rel values to be added or if no actual target attribute
+	if ( ! $rel || ! isset( $atts['target'] ) ) {
+		return "<a $original_link_html>";
 	}
 
-	// Value with delimiters, spaces around are optional.
-	$attr_regex = '|rel\s*=\s*?(\\\\{0,1}["\'])(.*?)\\1|i';
-	preg_match( $attr_regex, $link_html, $rel_match );
-
-	if ( empty( $rel_match[0] ) ) {
-		// No delimiters, try with a single value and spaces, because `rel =  va"lue` is totally fine...
-		$attr_regex = '|rel\s*=(\s*)([^\s]*)|i';
-		preg_match( $attr_regex, $link_html, $rel_match );
+	if ( isset( $atts['rel'] ) ) {
+		$all_parts = preg_split( '/\s/', "{$atts['rel']['value']} $rel", -1, PREG_SPLIT_NO_EMPTY );
+		$rel       = implode( ' ', array_unique( $all_parts ) );
 	}
 
-	if ( ! empty( $rel_match[0] ) ) {
-		$parts     = preg_split( '|\s+|', strtolower( $rel_match[2] ) );
-		$parts     = array_map( 'esc_attr', $parts );
-		$needed    = explode( ' ', $rel );
-		$parts     = array_unique( array_merge( $parts, $needed ) );
-		$delimiter = trim( $rel_match[1] ) ? $rel_match[1] : '"';
-		$rel       = 'rel=' . $delimiter . trim( implode( ' ', $parts ) ) . $delimiter;
-		$link_html = str_replace( $rel_match[0], $rel, $link_html );
-	} else {
-		$link_html .= " rel=\"$rel\"";
+	$atts['rel']['whole'] = 'rel="' . esc_attr( $rel ) . '"';
+	$link_html            = join( ' ', wp_list_pluck( $atts, 'whole' ) );
+
+	if ( $is_escaped ) {
+		$link_html = preg_replace( '/[\'"]/', '\\\\$0', $link_html );
 	}
 
 	return "<a $link_html>";
@@ -4790,6 +4830,31 @@ function wp_pre_kses_less_than_callback( $matches ) {
 	return $matches[0];
 }
 
+/**
+ * Remove non-allowable HTML from parsed block attribute values when filtering
+ * in the post context.
+ *
+ * @since 5.3.1
+ *
+ * @param string         $string            Content to be run through KSES.
+ * @param array[]|string $allowed_html      An array of allowed HTML elements
+ *                                          and attributes, or a context name
+ *                                          such as 'post'.
+ * @param string[]       $allowed_protocols Array of allowed URL protocols.
+ * @return string Filtered text to run through KSES.
+ */
+function wp_pre_kses_block_attributes( $string, $allowed_html, $allowed_protocols ) {
+	/*
+	 * `filter_block_content` is expected to call `wp_kses`. Temporarily remove
+	 * the filter to avoid recursion.
+	 */
+	remove_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10 );
+	$string = filter_block_content( $string, $allowed_html, $allowed_protocols );
+	add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
+
+	return $string;
+}
+
 /**
  * WordPress implementation of PHP sprintf() with filters.
  *

wp-includes/functions.php

@@ -1787,6 +1787,11 @@ function wp_mkdir_p( $target ) {
 		return @is_dir( $target );
 	}
 
+	// Do not allow path traversals.
+	if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
+		return false;
+	}
+
 	// We need to find the permissions of the parent folder that exists and inherit that.
 	$target_parent = dirname( $target );
 	while ( '.' != $target_parent && ! is_dir( $target_parent ) && dirname( $target_parent ) !== $target_parent ) {
@@ -6830,3 +6835,60 @@ function wp_update_php_annotation() {
 	);
 	echo'</p>';
 }
+
+/**
+ * Gets the URL for directly updating the PHP version the site is running on.
+ *
+ * A URL will only be returned if the `WP_DIRECT_UPDATE_PHP_URL` environment variable is specified or
+ * by using the {@see 'wp_direct_php_update_url'} filter. This allows hosts to send users directly to
+ * the page where they can update PHP to a newer version.
+ *
+ * @since 5.1.1
+ *
+ * @return string URL for directly updating PHP or empty string.
+ */
+function wp_get_direct_php_update_url() {
+	$direct_update_url = '';
+
+	if ( false !== getenv( 'WP_DIRECT_UPDATE_PHP_URL' ) ) {
+		$direct_update_url = getenv( 'WP_DIRECT_UPDATE_PHP_URL' );
+	}
+
+	/**
+	 * Filters the URL for directly updating the PHP version the site is running on from the host.
+	 *
+	 * @since 5.1.1
+	 *
+	 * @param string $direct_update_url URL for directly updating PHP.
+	 */
+	$direct_update_url = apply_filters( 'wp_direct_php_update_url', $direct_update_url );
+
+	return $direct_update_url;
+}
+
+/**
+ * Display a button directly linking to a PHP update process.
+ *
+ * This provides hosts with a way for users to be sent directly to their PHP update process.
+ *
+ * The button is only displayed if a URL is returned by `wp_get_direct_php_update_url()`.
+ *
+ * @since 5.1.1
+ */
+function wp_direct_php_update_button() {
+	$direct_update_url = wp_get_direct_php_update_url();
+
+	if ( empty( $direct_update_url ) ) {
+		return;
+	}
+
+	echo '<p class="button-container">';
+	printf(
+		'<a class="button button-primary" href="%1$s" target="_blank" rel="noopener noreferrer">%2$s <span class="screen-reader-text">%3$s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a>',
+		esc_url( $direct_update_url ),
+		__( 'Update PHP' ),
+		/* translators: accessibility text */
+		__( '(opens in a new tab)' )
+	);
+	echo '</p>';
+}

wp-includes/http.php

@@ -555,7 +555,7 @@ function wp_http_validate_url( $url ) {
 		} else {
 			$ip = gethostbyname( $host );
 			if ( $ip === $host ) { // Error condition for gethostbyname()
-				$ip = false;
+				return false;
 			}
 		}
 		if ( $ip ) {

wp-includes/js/comment-reply.js

@@ -22,6 +22,9 @@ window.addComment = ( function( window ) {
 		postIdFieldId     : 'comment_post_ID'
 	};
 
+	// Cross browser MutationObserver.
+	var MutationObserver = window.MutationObserver || window.WebKitMutationObserver || window.MozMutationObserver;
+
 	// Check browser cuts the mustard.
 	var cutsTheMustard = 'querySelector' in document && 'addEventListener' in window;
 
@@ -29,7 +32,7 @@ window.addComment = ( function( window ) {
 	 * Check browser supports dataset.
 	 * !! sets the variable to true if the property exists.
 	 */
-	var supportsDataset = !! document.body.dataset;
+	var supportsDataset = !! document.documentElement.dataset;
 
 	// For holding the cancel element.
 	var cancelElement;
@@ -40,8 +43,27 @@ window.addComment = ( function( window ) {
 	// The respond element.
 	var respondElement;
 
-	// Initialise the events.
-	init();
+	// The mutation observer.
+	var observer;
+
+	if ( cutsTheMustard && document.readyState !== 'loading' ) {
+		ready();
+	} else if ( cutsTheMustard ) {
+		window.addEventListener( 'DOMContentLoaded', ready, false );
+	}
+
+	/**
+	 * Sets up object variables after the DOM is ready.
+	 *
+	 * @since 5.1.1
+	 */
+	function ready() {
+		// Initialise the events.
+		init();
+
+		// Set up a MutationObserver to check for comments loaded late.
+		observeChanges();
+	}
 
 	/**
 	 * Add events to links classed .comment-reply-link.
@@ -57,7 +79,7 @@ window.addComment = ( function( window ) {
 	 * @param {HTMLElement} context The parent DOM element to search for links.
 	 */
 	function init( context ) {
-		if ( true !== cutsTheMustard ) {
+		if ( ! cutsTheMustard ) {
 			return;
 		}
 
@@ -154,6 +176,14 @@ window.addComment = ( function( window ) {
 			postId    = getDataAttribute( replyLink, 'postid'),
 			follow;
 
+		if ( ! commId || ! parentId || ! respondId || ! postId ) {
+			/*
+			 * Theme or plugin defines own link via custom `wp_list_comments()` callback
+			 * and calls `moveForm()` either directly or via a custom event hook.
+			 */
+			return;
+		}
+
 		/*
 		 * Third party comments systems can hook into this function via the global scope,
 		 * therefore the click event needs to reference the global scope.
@@ -164,6 +194,44 @@ window.addComment = ( function( window ) {
 		}
 	}
 
+	/**
+	 * Creates a mutation observer to check for newly inserted comments.
+	 *
+	 * @since 5.1.0
+	 */
+	function observeChanges() {
+		if ( ! MutationObserver ) {
+			return;
+		}
+
+		var observerOptions = {
+			childList: true,
+			subTree: true
+		};
+
+		observer = new MutationObserver( handleChanges );
+		observer.observe( document.body, observerOptions );
+	}
+
+	/**
+	 * Handles DOM changes, calling init() if any new nodes are added.
+	 *
+	 * @since 5.1.0
+	 *
+	 * @param {Array} mutationRecords Array of MutationRecord objects.
+	 */
+	function handleChanges( mutationRecords ) {
+		var i = mutationRecords.length;
+
+		while ( i-- ) {
+			// Call init() once if any record in this set adds nodes.
+			if ( mutationRecords[ i ].addedNodes.length ) {
+				init();
+				return;
+			}
+		}
+	}
+
 	/**
 	 * Backward compatible getter of data-* attribute.
 	 *

wp-includes/js/comment-reply.min.js

@@ -1 +1 @@
-window.addComment=function(a){function b(a){if(!0===o&&(j=g(n.cancelReplyId),k=g(n.commentFormId),j)){j.addEventListener("touchstart",d),j.addEventListener("click",d);for(var b,f=c(a),h=0,i=f.length;h<i;h++)b=f[h],b.addEventListener("touchstart",e),b.addEventListener("click",e)}}function c(a){var b,c=n.commentReplyClass;return a&&a.childNodes||(a=m),b=m.getElementsByClassName?a.getElementsByClassName(c):a.querySelectorAll("."+c)}function d(a){var b=this,c=n.temporaryFormId,d=g(c);d&&l&&(g(n.parentIdFieldId).value="0",d.parentNode.replaceChild(l,d),b.style.display="none",a.preventDefault())}function e(b){var c,d=this,e=f(d,"belowelement"),g=f(d,"commentid"),h=f(d,"respondelement"),i=f(d,"postid");c=a.addComment.moveForm(e,g,h,i),!1===c&&b.preventDefault()}function f(a,b){return p?a.dataset[b]:a.getAttribute("data-"+b)}function g(a){return m.getElementById(a)}function h(b,c,d,e){var f=g(b);l=g(d);var h,o,p,q=g(n.parentIdFieldId),r=g(n.postIdFieldId);if(f&&l&&q){i(l),e&&r&&(r.value=e),q.value=c,j.style.display="",f.parentNode.insertBefore(l,f.nextSibling),j.onclick=function(){return!1};try{for(var s=0;s<k.elements.length;s++)if(h=k.elements[s],o=!1,"getComputedStyle"in a?p=a.getComputedStyle(h):m.documentElement.currentStyle&&(p=h.currentStyle),(h.offsetWidth<=0&&h.offsetHeight<=0||"hidden"===p.visibility)&&(o=!0),"hidden"!==h.type&&!h.disabled&&!o){h.focus();break}}catch(t){}return!1}}function i(a){var b=n.temporaryFormId,c=g(b);c||(c=m.createElement("div"),c.id=b,c.style.display="none",a.parentNode.insertBefore(c,a))}var j,k,l,m=a.document,n={commentReplyClass:"comment-reply-link",cancelReplyId:"cancel-comment-reply-link",commentFormId:"commentform",temporaryFormId:"wp-temp-form-div",parentIdFieldId:"comment_parent",postIdFieldId:"comment_post_ID"},o="querySelector"in m&&"addEventListener"in a,p=!!m.body.dataset;return b(),{init:b,moveForm:h}}(window);
+window.addComment=function(a){function b(){c(),g()}function c(a){if(t&&(m=j(r.cancelReplyId),n=j(r.commentFormId),m)){m.addEventListener("touchstart",e),m.addEventListener("click",e);for(var b,c=d(a),g=0,h=c.length;g<h;g++)b=c[g],b.addEventListener("touchstart",f),b.addEventListener("click",f)}}function d(a){var b,c=r.commentReplyClass;return a&&a.childNodes||(a=q),b=q.getElementsByClassName?a.getElementsByClassName(c):a.querySelectorAll("."+c)}function e(a){var b=this,c=r.temporaryFormId,d=j(c);d&&o&&(j(r.parentIdFieldId).value="0",d.parentNode.replaceChild(o,d),b.style.display="none",a.preventDefault())}function f(b){var c,d=this,e=i(d,"belowelement"),f=i(d,"commentid"),g=i(d,"respondelement"),h=i(d,"postid");e&&f&&g&&h&&(c=a.addComment.moveForm(e,f,g,h),!1===c&&b.preventDefault())}function g(){if(s){var a={childList:!0,subTree:!0};p=new s(h),p.observe(q.body,a)}}function h(a){for(var b=a.length;b--;)if(a[b].addedNodes.length)return void c()}function i(a,b){return u?a.dataset[b]:a.getAttribute("data-"+b)}function j(a){return q.getElementById(a)}function k(b,c,d,e){var f=j(b);o=j(d);var g,h,i,k=j(r.parentIdFieldId),p=j(r.postIdFieldId);if(f&&o&&k){l(o),e&&p&&(p.value=e),k.value=c,m.style.display="",f.parentNode.insertBefore(o,f.nextSibling),m.onclick=function(){return!1};try{for(var s=0;s<n.elements.length;s++)if(g=n.elements[s],h=!1,"getComputedStyle"in a?i=a.getComputedStyle(g):q.documentElement.currentStyle&&(i=g.currentStyle),(g.offsetWidth<=0&&g.offsetHeight<=0||"hidden"===i.visibility)&&(h=!0),"hidden"!==g.type&&!g.disabled&&!h){g.focus();break}}catch(t){}return!1}}function l(a){var b=r.temporaryFormId,c=j(b);c||(c=q.createElement("div"),c.id=b,c.style.display="none",a.parentNode.insertBefore(c,a))}var m,n,o,p,q=a.document,r={commentReplyClass:"comment-reply-link",cancelReplyId:"cancel-comment-reply-link",commentFormId:"commentform",temporaryFormId:"wp-temp-form-div",parentIdFieldId:"comment_parent",postIdFieldId:"comment_post_ID"},s=a.MutationObserver||a.WebKitMutationObserver||a.MozMutationObserver,t="querySelector"in q&&"addEventListener"in a,u=!!q.documentElement.dataset;return t&&"loading"!==q.readyState?b():t&&a.addEventListener("DOMContentLoaded",b,!1),{init:c,moveForm:k}}(window);

wp-includes/js/dist/block-library.js

@@ -11639,7 +11639,7 @@ var shortcode_settings = {
   attributes: {
     text: {
       type: 'string',
-      source: 'text'
+      source: 'html'
     }
   },
   transforms: {

wp-includes/kses.php

@@ -1657,7 +1657,8 @@ function wp_kses_html_error( $string ) {
  * @return string Sanitized content.
  */
 function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
-	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
+	$string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
+	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;|:/i', $string, 2 );
 	if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
 		$string   = trim( $string2[1] );
 		$protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );

wp-includes/ms-blogs.php

@@ -97,10 +97,11 @@ function get_id_from_blogname( $slug ) {
 
 	$site_ids = get_sites(
 		array(
-			'number' => 1,
-			'fields' => 'ids',
-			'domain' => $domain,
-			'path'   => $path,
+			'number'                 => 1,
+			'fields'                 => 'ids',
+			'domain'                 => $domain,
+			'path'                   => $path,
+			'update_site_meta_cache' => false,
 		)
 	);
 

wp-includes/ms-functions.php

@@ -345,10 +345,11 @@ function get_blog_id_from_url( $domain, $path = '/' ) {
 	}
 
 	$args   = array(
-		'domain' => $domain,
-		'path'   => $path,
-		'fields' => 'ids',
-		'number' => 1,
+		'domain'                 => $domain,
+		'path'                   => $path,
+		'fields'                 => 'ids',
+		'number'                 => 1,
+		'update_site_meta_cache' => false,
 	);
 	$result = get_sites( $args );
 	$id     = array_shift( $result );
@@ -1473,11 +1474,12 @@ Disable these notifications: %3$s'
 function domain_exists( $domain, $path, $network_id = 1 ) {
 	$path   = trailingslashit( $path );
 	$args   = array(
-		'network_id' => $network_id,
-		'domain'     => $domain,
-		'path'       => $path,
-		'fields'     => 'ids',
-		'number'     => 1,
+		'network_id'             => $network_id,
+		'domain'                 => $domain,
+		'path'                   => $path,
+		'fields'                 => 'ids',
+		'number'                 => 1,
+		'update_site_meta_cache' => false,
 	);
 	$result = get_sites( $args );
 	$result = array_shift( $result );
@@ -2433,11 +2435,12 @@ function wp_update_network_site_counts( $network_id = null ) {
 
 	$count = get_sites(
 		array(
-			'network_id' => $network_id,
-			'spam'       => 0,
-			'deleted'    => 0,
-			'archived'   => 0,
-			'count'      => true,
+			'network_id'             => $network_id,
+			'spam'                   => 0,
+			'deleted'                => 0,
+			'archived'               => 0,
+			'count'                  => true,
+			'update_site_meta_cache' => false,
 		)
 	);
 

wp-includes/ms-load.php

@@ -235,7 +235,8 @@ function get_site_by_path( $domain, $path, $segments = null ) {
 	}
 
 	$args = array(
-		'number' => 1,
+		'number'                 => 1,
+		'update_site_meta_cache' => false,
 	);
 
 	if ( count( $domains ) > 1 ) {

wp-includes/ms-site.php

@@ -52,23 +52,21 @@ function wp_insert_site( array $data ) {
 		'lang_id'      => 0,
 	);
 
-	// Extract the passed arguments that may be relevant for site initialization.
-	$args = array_diff_key( $data, $defaults );
-	if ( isset( $args['site_id'] ) ) {
-		unset( $args['site_id'] );
+	$prepared_data = wp_prepare_site_data( $data, $defaults );
+	if ( is_wp_error( $prepared_data ) ) {
+		return $prepared_data;
 	}
 
-	$data = wp_prepare_site_data( $data, $defaults );
-	if ( is_wp_error( $data ) ) {
-		return $data;
-	}
-
-	if ( false === $wpdb->insert( $wpdb->blogs, $data ) ) {
+	if ( false === $wpdb->insert( $wpdb->blogs, $prepared_data ) ) {
 		return new WP_Error( 'db_insert_error', __( 'Could not insert site into the database.' ), $wpdb->last_error );
 	}
 
 	$new_site = get_site( $wpdb->insert_id );
 
+	if ( ! $new_site ) {
+		return new WP_Error( 'get_site_error', __( 'Could not retrieve site data.' ) );
+	}
+
 	clean_blog_cache( $new_site );
 
 	/**
@@ -80,6 +78,12 @@ function wp_insert_site( array $data ) {
 	 */
 	do_action( 'wp_insert_site', $new_site );
 
+	// Extract the passed arguments that may be relevant for site initialization.
+	$args = array_diff_key( $data, $defaults );
+	if ( isset( $args['site_id'] ) ) {
+		unset( $args['site_id'] );
+	}
+
 	/**
 	 * Fires when a site's initialization routine should be executed.
 	 *
@@ -95,6 +99,16 @@ function wp_insert_site( array $data ) {
 		$user_id = ! empty( $args['user_id'] ) ? $args['user_id'] : 0;
 		$meta    = ! empty( $args['options'] ) ? $args['options'] : array();
 
+		// WPLANG was passed with `$meta` to the `wpmu_new_blog` hook prior to 5.1.0.
+		if ( ! array_key_exists( 'WPLANG', $meta ) ) {
+			$meta['WPLANG'] = get_network_option( $new_site->network_id, 'WPLANG' );
+		}
+
+		// Rebuild the data expected by the `wpmu_new_blog` hook prior to 5.1.0 using whitelisted keys.
+		// The `$site_data_whitelist` matches the one used in `wpmu_create_blog()`.
+		$site_data_whitelist = array( 'public', 'archived', 'mature', 'spam', 'deleted', 'lang_id' );
+		$meta                = array_merge( array_intersect_key( $data, array_flip( $site_data_whitelist ) ), $meta );
+
 		/**
 		 * Fires immediately after a new site is created.
 		 *
@@ -366,6 +380,10 @@ function update_site_cache( $sites, $update_meta_cache = true ) {
  * @return array|false Returns false if there is nothing to update. Returns an array of metadata on success.
  */
 function update_sitemeta_cache( $site_ids ) {
+	// Ensure this filter is hooked in even if the function is called early.
+	if ( ! has_filter( 'update_blog_metadata_cache', 'wp_check_site_meta_support_prefilter' ) ) {
+		add_filter( 'update_blog_metadata_cache', 'wp_check_site_meta_support_prefilter' );
+	}
 	return update_meta_cache( 'blog', $site_ids );
 }
 

wp-includes/pluggable.php

@@ -1092,7 +1092,7 @@ if ( ! function_exists( 'check_admin_referer' ) ) :
 	 *                   0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
 	 */
 	function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
-		if ( -1 == $action ) {
+		if ( -1 === $action ) {
 			_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
 		}
 
@@ -1111,7 +1111,7 @@ if ( ! function_exists( 'check_admin_referer' ) ) :
 		 */
 		do_action( 'check_admin_referer', $action, $result );
 
-		if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
+		if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
 			wp_nonce_ays( $action );
 			die();
 		}
@@ -1396,6 +1396,14 @@ if ( ! function_exists( 'wp_validate_redirect' ) ) :
 			return $default;
 		}
 
+		if ( ! isset( $lp['host'] ) && ! empty( $lp['path'] ) && '/' !== $lp['path'][0] ) {
+			$path = '';
+			if ( ! empty( $_SERVER['REQUEST_URI'] ) ) {
+				$path = dirname( parse_url( 'http://placeholder' . $_SERVER['REQUEST_URI'], PHP_URL_PATH ) . '?' );
+			}
+			$location = '/' . ltrim( $path . '/', '/' ) . $location;
+		}
+
 		// Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
 		if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
 			return $default;

wp-includes/post-template.php

@@ -338,26 +338,9 @@ function get_the_content( $more_link_text = null, $strip_teaser = false ) {
 		}
 	}
 
-	if ( $preview ) { // Preview fix for JavaScript bug with foreign languages.
-		$output = preg_replace_callback( '/\%u([0-9A-F]{4})/', '_convert_urlencoded_to_entities', $output );
-	}
-
 	return $output;
 }
 
-/**
- * Preview fix for JavaScript bug with foreign languages.
- *
- * @since 3.1.0
- * @access private
- *
- * @param array $match Match array from preg_replace_callback.
- * @return string
- */
-function _convert_urlencoded_to_entities( $match ) {
-	return '&#' . base_convert( $match[1], 16, 10 ) . ';';
-}
-
 /**
  * Display the post excerpt.
  *

wp-includes/post.php

@@ -3385,6 +3385,9 @@ function wp_get_recent_posts( $args = array(), $output = ARRAY_A ) {
 function wp_insert_post( $postarr, $wp_error = false ) {
 	global $wpdb;
 
+	// Capture original pre-sanitized array for passing into filters.
+	$unsanitized_postarr = $postarr;
+
 	$user_id = get_current_user_id();
 
 	$defaults = array(
@@ -3696,21 +3699,27 @@ function wp_insert_post( $postarr, $wp_error = false ) {
 		 * Filters attachment post data before it is updated in or added to the database.
 		 *
 		 * @since 3.9.0
+		 * @since 5.4.1 `$unsanitized_postarr` argument added.
 		 *
-		 * @param array $data    An array of sanitized attachment post data.
-		 * @param array $postarr An array of unsanitized attachment post data.
+		 * @param array $data                An array of slashed, sanitized, and processed attachment post data.
+		 * @param array $postarr             An array of slashed and sanitized attachment post data, but not processed.
+		 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed attachment post data
+		 *                                   as originally passed to wp_insert_post().
 		 */
-		$data = apply_filters( 'wp_insert_attachment_data', $data, $postarr );
+		$data = apply_filters( 'wp_insert_attachment_data', $data, $postarr, $unsanitized_postarr );
 	} else {
 		/**
 		 * Filters slashed post data just before it is inserted into the database.
 		 *
 		 * @since 2.7.0
+		 * @since 5.4.1 `$unsanitized_postarr` argument added.
 		 *
-		 * @param array $data    An array of slashed post data.
-		 * @param array $postarr An array of sanitized, but otherwise unmodified post data.
+		 * @param array $data                An array of slashed, sanitized, and processed post data.
+		 * @param array $postarr             An array of sanitized (and slashed) but otherwise unmodified post data.
+		 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as
+		 *                                   originally passed to wp_insert_post().
 		 */
-		$data = apply_filters( 'wp_insert_post_data', $data, $postarr );
+		$data = apply_filters( 'wp_insert_post_data', $data, $postarr, $unsanitized_postarr );
 	}
 	$data  = wp_unslash( $data );
 	$where = array( 'ID' => $post_ID );

wp-includes/rest-api.php

@@ -587,7 +587,9 @@ function rest_send_cors_headers( $value ) {
 		header( 'Access-Control-Allow-Origin: ' . $origin );
 		header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
 		header( 'Access-Control-Allow-Credentials: true' );
-		header( 'Vary: Origin' );
+		header( 'Vary: Origin', false );
+	} elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
+		header( 'Vary: Origin', false );
 	}
 
 	return $value;

wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php

@@ -499,7 +499,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 			return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to create posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
-		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
+		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
 			return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
@@ -654,7 +654,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 			return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to update posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
-		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
+		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
 			return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
@@ -956,7 +956,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 	 * @return stdClass|WP_Error Post object or WP_Error.
 	 */
 	protected function prepare_item_for_database( $request ) {
-		$prepared_post = new stdClass;
+		$prepared_post = new stdClass();
 
 		// Post ID.
 		if ( isset( $request['id'] ) ) {

wp-includes/script-loader.php

@@ -229,7 +229,7 @@ function wp_default_packages_scripts( &$scripts ) {
 		'annotations'                        => '1.0.8',
 		'autop'                              => '2.0.2',
 		'blob'                               => '2.1.0',
-		'block-library'                      => '2.2.16',
+		'block-library'                      => '2.2.18',
 		'block-serialization-default-parser' => '2.0.5',
 		'blocks'                             => '6.0.6',
 		'components'                         => '7.0.8',
@@ -1256,7 +1256,8 @@ function wp_default_scripts( &$scripts ) {
 
 	$scripts->add( 'wp-codemirror', '/wp-includes/js/codemirror/codemirror.min.js', array(), '5.29.1-alpha-ee20357' );
 	$scripts->add( 'csslint', '/wp-includes/js/codemirror/csslint.js', array(), '1.0.5' );
-	$scripts->add( 'jshint', '/wp-includes/js/codemirror/jshint.js', array(), '2.9.5.999' );
+	$scripts->add( 'esprima', '/wp-includes/js/codemirror/esprima.js', array(), '4.0.0' );
+	$scripts->add( 'jshint', '/wp-includes/js/codemirror/fakejshint.js', array( 'esprima' ), '2.9.5' );
 	$scripts->add( 'jsonlint', '/wp-includes/js/codemirror/jsonlint.js', array(), '1.6.2' );
 	$scripts->add( 'htmlhint', '/wp-includes/js/codemirror/htmlhint.js', array(), '0.9.14-xwp' );
 	$scripts->add( 'htmlhint-kses', '/wp-includes/js/codemirror/htmlhint-kses.js', array( 'htmlhint' ) );

wp-includes/user.php

@@ -680,8 +680,9 @@ function get_blogs_of_user( $user_id, $all = false ) {
 
 	if ( ! empty( $site_ids ) ) {
 		$args = array(
-			'number'   => '',
-			'site__in' => $site_ids,
+			'number'                 => '',
+			'site__in'               => $site_ids,
+			'update_site_meta_cache' => false,
 		);
 		if ( ! $all ) {
 			$args['archived'] = 0;
@@ -1776,7 +1777,7 @@ function wp_insert_user( $userdata ) {
 	$data = apply_filters( 'wp_pre_insert_user_data', $data, $update, $update ? (int) $ID : null );
 
 	if ( $update ) {
-		if ( $user_email !== $old_user_data->user_email ) {
+		if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
 			$data['user_activation_key'] = '';
 		}
 		$wpdb->update( $wpdb->users, $data, compact( 'ID' ) );

wp-includes/version.php

@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.1-RC1-44740';
+$wp_version = '5.1.5';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.