Tag 3.6.1.

Built from https://develop.svn.wordpress.org/branches/3.6@25359

git-svn-id: http://core.svn.wordpress.org/tags/3.6.1@25316 1a063a9b-81f0-0310-95a4-ce76da25c4cd

readme.html

@@ -8,7 +8,7 @@
 <body>
 <h1 id="logo">
 	<a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
-	<br /> Version 3.6
+	<br /> Version 3.6.1
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>
 

wp-admin/about.php

@@ -33,11 +33,19 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 	</a>
 </h2>
 
+<div class="changelog point-releases">
+	<h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 1 ); ?></h3>
+	<p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 13 ), '3.6.1', number_format_i18n( 13 ) ); ?>
+		<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_3.6.1' ); ?>
+ 	</p>
+</div>
+
 <div class="changelog">
 	<h3><?php _e( 'Colorful New Theme' ); ?></h3>
 
 	<div class="feature-section images-stagger-right">
-		<img alt="" src="<?php echo esc_url( admin_url( 'images/screenshots/about-twenty-twelve.png' ) ); ?>" class="image-66" />
+		<img alt="" src="<?php echo is_ssl() ? 'https://' : '//s.'; ?>wordpress.org/images/core/3.6/twentythirteen.png" class="image-66" />
 		<h4><?php _e( 'Introducing Twenty Thirteen' ); ?></h4>
 		<p><?php printf( __( "The new default theme puts focus on your content with a colorful, single-column design made for media-rich blogging." ) ); ?></p>
 		<p><?php _e( 'Inspired by modern art, Twenty Thirteen features quirky details, beautiful typography, and bold, high-contrast colors &mdash; all with a flexible layout that looks great on any device, big or small.' ); ?></p>
@@ -48,17 +56,13 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 	<h3><?php _e( 'Write with Confidence' ); ?></h3>
 
 	<div class="feature-section images-stagger-right">
-		<img alt="" src="<?php echo esc_url( admin_url( 'images/screenshots/about-retina.png' ) ); ?>" class="image-66" />
+		<img alt="" src="<?php echo is_ssl() ? 'https://' : '//s.'; ?>wordpress.org/images/core/3.6/revisions.png" class="image-66" />
 		<h4><?php _e( 'Explore Revisions' ); ?></h4>
 		<p></p>
 		<p><?php _e( 'From the first word you write, WordPress saves every change. Each revision is always at your fingertips. Text is highlighted as you scroll through revisions at lightning speed, so you can see what changes have been made along the way.' ); ?></p>
 		<p><?php _e( 'It&#8217;s easy to compare two revisions from any point in time, and to restore a revision and go back to writing. Now you can be confident that no mistake is permanent.' ); ?></p>
-
-		
-
-
 	</div>
-	
+
 	<div class="feature-section col two-col">
 		<div>
 			<h4><?php _e( 'Improved Autosaves' ); ?></h4>
@@ -69,14 +73,28 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 			<p><?php _e( 'Always know who&#8217;s editing with live updates that appear in the list of posts. And if someone leaves for lunch with a post open, you can take over where they left off.' ); ?></p>
 		</div>
 	</div>
-	
 </div>
 
 <div class="changelog">
 	<h3><?php _e( 'Support for Audio and Video' ); ?></h3>
 
 	<div class="feature-section images-stagger-right">
-		<img alt="" src="<?php echo esc_url( admin_url( 'images/screenshots/about-color-picker.png' ) ); ?>" class="image-30" />
+		<div class="video image-66"><?php
+			$sample_video = ( is_ssl() ? 'https://' : 'http://s.' ) . 'wordpress.org/images/core/3.6/sample-video';
+			$args = array(
+				'mp4' => "$sample_video.mp4",
+				'ogv' => "$sample_video.ogv",
+				'width' => 625,
+				'height' => 360,
+			);
+			// Opera 12 (Presto, pre-Chromium) fails to load ogv properly
+			// when combined with ME.js. Works fine in Opera 15.
+			// Don't serve ogv to Opera 12 to avoid complete brokeness.
+			if ( $GLOBALS['is_opera'] )
+				unset( $args['ogv'] );
+			// Our current ME.js API is limited to shortcodes in posts.
+			echo wp_video_shortcode( $args );
+		?></div>
 		<h4><?php _e( 'New Media Player' ); ?></h4>
 		<p><?php _e( 'Share your audio and video with the new built-in HTML5 media player. Upload files using the media manager and embed them in your posts.' ); ?></p>
 
@@ -91,31 +109,33 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 
 	<div class="feature-section col three-col">
 		<div>
-			<h4><?php echo ( 'Shortcode Improvements' ); ?></h4>
-			<p><?php echo ( 'New shortcode utility functions and shortcode_atts_$shortcode filter' ); ?></p>
+			<h4><?php _e( 'Audio/Video API' ); ?></h4>
+			<p><?php _e( 'The new audio/video APIs give developers access to powerful media metadata, like ID3 tags.' ); ?></p>
 		</div>
 		<div>
-			<h4><?php echo ( 'Revision Control' ); ?></h4>
-			<p><?php echo ( 'New fine-grained revision controls (wp_revisions_to_keep(), etc.  — filters instead of constants)' ); ?></p>
+			<h4><?php _e( 'Semantic Markup' ); ?></h4>
+			<p><?php _e( 'Themes can now choose improved HTML5 markup for comment forms, search forms, and comment lists.' ); ?></p>
 		</div>
 		<div class="last-feature">
-			<h4><?php echo ( 'Audio/Video API' ); ?></h4>
-			<p><?php echo ( 'New audio/video API, including access to file metadata' ); ?></p>
+			<h4><?php _e( 'JavaScript Utilities' ); ?></h4>
+			<p><?php _e( 'Handy JavaScript utilities ease common tasks like Ajax requests, templating, and Backbone view management.' ); ?></p>
 		</div>
 	</div>
 
 	<div class="feature-section col three-col">
 		<div>
-			<h4><?php echo ( 'Markup Updates' ); ?></h4>
-			<p><?php echo ( 'Improved markup for comment forms, search forms, and comment lists, including HTML5 markup support' ); ?></p>
+			<h4><?php _e( 'Shortcode Improvements' ); ?></h4>
+			<p><?php _e( 'Search content for shortcodes with <code>has_shortcode()</code> and adjust shortcode attributes with a new filter.' ); ?></p>
 		</div>
 		<div>
-			<h4><?php echo ( 'JS Utilities' ); ?></h4>
-			<p><?php echo ( 'Handy JavaScript utilities for things like Ajax, templating, and Backbone view management' ); ?></p>
+			<h4><?php _e( 'Revision Control' ); ?></h4>
+			<p><?php _e( 'Fine-grained revision controls allow you to keep a different number of revisions for each post type.' ); ?></p>
 		</div>
 		<div class="last-feature">
 			<h4><?php _e( 'External Libraries' ); ?></h4>
-			<p><?php echo ( 'New and updated libraries: MediaElement.js, jQuery 1.10, jQuery UI 1.10.3, jQuery Migrate, Backbone 1.0' ); ?></p>
+			<p><?php
+				/* translators: placeholders 2, 3 and 4 are version numbers */
+				printf( __( 'New and updated libraries: <a href="%1$s">MediaElement.js</a>, jQuery %2$s, jQuery UI %3$s, jQuery Migrate, Backbone %4$s.' ), 'http://mediaelementjs.com/', '1.10.2', '1.10.3', '1.0' ); ?></p>
 		</div>
 	</div>
 </div>

wp-admin/credits.php

@@ -52,7 +52,7 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 
 <h1><?php printf( __( 'Welcome to WordPress %s' ), $display_version ); ?></h1>
 
-<div class="about-text"><?php printf( __( 'Thank you for updating to the latest version! WordPress %s is more polished and enjoyable than ever before. We hope you like it.' ), $display_version ); ?></div>
+<div class="about-text"><?php printf( __( 'Thank you for updating to the latest version. WordPress %s makes your writing experience even better.' ), $display_version ); ?></div>
 
 <div class="wp-badge"><?php printf( __( 'Version %s' ), $display_version ); ?></div>
 

wp-admin/css/wp-admin-rtl.css

@@ -691,20 +691,29 @@ form.upgrade .hint {
 .fixed .column-comments {
 	text-align: right;
 }
+
 .fixed .column-comments .vers {
 	padding-left: 0;
 	padding-right: 3px;
 }
+
 .fixed .column-comments a {
 	float: right;
 }
+
 .fixed .column-menus {
 	text-align: right;
 }
+
 .sorting-indicator {
 	margin-left: 0;
 	margin-right: 7px;
 }
+
+tr.wp-locked .locked-indicator {
+	margin: -2px 6px 0 0;
+}
+
 th.sortable a span,
 th.sorted a span {
 	float: right;
@@ -945,6 +954,23 @@ th.sorted a span {
 	padding-left: 10px;
 }
 
+#post-lock-dialog .post-locked-message a.button {
+	margin-right: 0;
+	margin-left: 10px;
+}
+
+#post-lock-dialog .post-locked-avatar {
+	float: right;
+	margin: 0 0 20px 20px;
+}
+
+#post-lock-dialog .locked-saving img {
+	float: right;
+	margin-right: 0;
+	margin-left: 3px;
+}
+
+
 /*------------------------------------------------------------------------------
   11.1 - Custom Fields
 ------------------------------------------------------------------------------*/
@@ -1703,7 +1729,8 @@ h2 .nav-tab {
 	margin: 0 0 10px 0.7%;
 }
 
-.about-wrap .feature-section.images-stagger-right img {
+.about-wrap .feature-section.images-stagger-right img,
+.about-wrap .feature-section.images-stagger-right .video {
 	float: left;
 	margin: 0 2em 12px 5px;
 }
@@ -1720,16 +1747,22 @@ h2 .nav-tab {
 	margin-left: 10px;
 }
 
+@media only screen and (max-width: 900px) {
+	.about-wrap .feature-section.images-stagger-right .video.image-66 {
+		margin-right: 3px;
+	}
+}
+
 @media only screen and (max-width: 768px) {
-	.about-wrap .feature-section img.image-66 {
+	.about-wrap .feature-section .image-66 {
 		float: none;
 	}
 
-	.about-wrap .feature-section.images-stagger-right img.image-66 {
+	.about-wrap .feature-section.images-stagger-right .image-66 {
 		margin-right: 3px;
 	}
 
-	.about-wrap .feature-section.images-stagger-left img.image-66 {
+	.about-wrap .feature-section.images-stagger-left .image-66 {
 		margin-left: 3px;
 	}
 }

wp-admin/css/wp-admin.css

@@ -2552,7 +2552,7 @@ tr .locked-info {
 }
 
 tr.wp-locked .locked-info {
-	height: 22px;
+	height: auto;
 	opacity: 1;
 }
 
@@ -3681,8 +3681,10 @@ body.folded .revisions .loading-indicator {
 }
 
 table.diff {
+	table-layout: fixed;
 	width: 100%;
 	white-space: pre-wrap;
+	word-wrap: break-word;
 }
 
 table.diff col.content {
@@ -5823,13 +5825,18 @@ h2 .nav-tab {
 
 /* Changelog / Update screen */
 
-.about-wrap .feature-section img {
+.about-wrap .feature-section img,
+.about-wrap .feature-section .video {
 	border: none;
 	margin: 0 1.94% 10px 0;
 	-webkit-border-radius: 3px;
 	border-radius: 3px;
 }
 
+.about-wrap .feature-section .video video {
+	max-width: 100%;
+}
+
 .about-wrap .feature-section.three-col img {
 	margin: 0.5em 0 0.5em 5px;
 	max-width: 100%;
@@ -5840,7 +5847,8 @@ h2 .nav-tab {
 	margin-left: 0;
 }
 
-.about-wrap .feature-section.images-stagger-right img {
+.about-wrap .feature-section.images-stagger-right img,
+.about-wrap .feature-section.images-stagger-right .video {
 	float: right;
 	margin: 0 5px 12px 2em;
 }
@@ -5850,16 +5858,20 @@ h2 .nav-tab {
 	margin: 0 2em 12px 5px;
 }
 
-.about-wrap .feature-section img.image-100 {
+.about-wrap .feature-section .image-100 {
 	margin: 0 0 2em 0;
 	width: 100%;
 }
 
-.about-wrap .feature-section img.image-66 {
+.about-wrap .feature-section .image-66 {
 	width: 65%;
 }
 
-.about-wrap .feature-section img.image-50 {
+.about-wrap .feature-section .image-66.video {
+	max-width: 600px;
+}
+
+.about-wrap .feature-section .image-50 {
 	max-width: 50%;
 }
 
@@ -5927,23 +5939,34 @@ h2 .nav-tab {
 
 @media only screen and (max-width: 900px) {
 	.about-wrap .feature-section.images-stagger-left img,
-	.about-wrap .feature-section.images-stagger-right img {
+	.about-wrap .feature-section.images-stagger-right img,
+	.about-wrap .feature-section.images-stagger-right .video {
 		clear: both;
 	}
-}
 
-@media only screen and (max-width: 768px) {
-	.about-wrap .feature-section img.image-66 {
+	.about-wrap .feature-section .video.image-66 {
 		float: none;
 		width: 98%;
 		max-width: 98%;
 	}
 
-	.about-wrap .feature-section.images-stagger-right img.image-66 {
+	.about-wrap .feature-section.images-stagger-right .video.image-66 {
+		margin-left: 3px;
+	}
+}
+
+@media only screen and (max-width: 768px) {
+	.about-wrap .feature-section .image-66 {
+		float: none;
+		width: 98%;
+		max-width: 98%;
+	}
+
+	.about-wrap .feature-section.images-stagger-right .image-66 {
 		margin-left: 3px;
 	}
 
-	.about-wrap .feature-section.images-stagger-left img.image-66 {
+	.about-wrap .feature-section.images-stagger-left .image-66 {
 		margin-right: 3px;
 	}
 }
@@ -5970,7 +5993,7 @@ h2 .nav-tab {
 
 .about-wrap ul.wp-people-group {
 	overflow: hidden;
-	padding: 5px;
+	padding: 0 5px;
 	margin: 0 -15px 0 -5px;
 }
 

wp-admin/edit-form-advanced.php

@@ -122,7 +122,7 @@ if ( post_type_supports($post_type, 'revisions') && 'auto-draft' != $post->post_
 	if ( count( $revisions ) > 1 ) {
 		reset( $revisions ); // Reset pointer for key()
 		$publish_callback_args = array( 'revisions_count' => count( $revisions ), 'revision_id' => key( $revisions ) );
-		// add_meta_box('revisionsdiv', __('Revisions'), 'post_revisions_meta_box', null, 'normal', 'core');
+		add_meta_box('revisionsdiv', __('Revisions'), 'post_revisions_meta_box', null, 'normal', 'core');
 	}
 }
 

wp-admin/freedoms.php

@@ -19,7 +19,7 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 
 <h1><?php printf( __( 'Welcome to WordPress %s' ), $display_version ); ?></h1>
 
-<div class="about-text"><?php printf( __( 'Thank you for updating to the latest version! WordPress %s is more polished and enjoyable than ever before. We hope you like it.' ), $display_version ); ?></div>
+<div class="about-text"><?php printf( __( 'Thank you for updating to the latest version. WordPress %s makes your writing experience even better.' ), $display_version ); ?></div>
 
 <div class="wp-badge"><?php printf( __( 'Version %s' ), $display_version ); ?></div>
 

wp-admin/includes/ajax-actions.php

@@ -9,6 +9,12 @@
 /*
  * No-privilege Ajax handlers.
  */
+
+/**
+ * Heartbeat API (experimental)
+ *
+ * Runs when the user is not logged in.
+ */
 function wp_ajax_nopriv_heartbeat() {
 	$response = array();
 
@@ -2052,6 +2058,11 @@ function wp_ajax_send_link_to_editor() {
 	wp_send_json_success( $html );
 }
 
+/**
+ * Heartbeat API (experimental)
+ *
+ * Runs when the user is logged in.
+ */
 function wp_ajax_heartbeat() {
 	if ( empty( $_POST['_nonce'] ) )
 		wp_send_json_error();
@@ -2072,9 +2083,6 @@ function wp_ajax_heartbeat() {
 
 	if ( ! empty($_POST['data']) ) {
 		$data = (array) $_POST['data'];
-
-		// todo: separate filters: 'heartbeat_[action]' so we call different callbacks only when there is data for them,
-		// or all callbacks listen to one filter and run when there is something for them in $data?
 		$response = apply_filters( 'heartbeat_received', $response, $data, $screen_id );
 	}
 

wp-admin/includes/class-wp-importer.php

@@ -183,7 +183,6 @@ class WP_Importer {
 
 		$headers = array();
 		$args = array();
-		$args['reject_unsafe_urls'] = true;
 		if ( true === $head )
 			$args['method'] = 'HEAD';
 		if ( !empty( $username ) && !empty( $password ) )
@@ -191,7 +190,7 @@ class WP_Importer {
 
 		$args['headers'] = $headers;
 
-		return wp_remote_request( $url, $args );
+		return wp_safe_remote_request( $url, $args );
 	}
 
 	/**

wp-admin/includes/file.php

@@ -497,7 +497,7 @@ function download_url( $url, $timeout = 300 ) {
 	if ( ! $tmpfname )
 		return new WP_Error('http_no_file', __('Could not create Temporary file.'));
 
-	$response = wp_remote_get( $url, array( 'timeout' => $timeout, 'stream' => true, 'filename' => $tmpfname, 'reject_unsafe_urls' => true ) );
+	$response = wp_safe_remote_get( $url, array( 'timeout' => $timeout, 'stream' => true, 'filename' => $tmpfname ) );
 
 	if ( is_wp_error( $response ) ) {
 		unlink( $tmpfname );

wp-admin/includes/meta-boxes.php

@@ -182,7 +182,7 @@ if ( ! empty( $args['args']['revisions_count'] ) ) :
 		printf( __( 'Revisions: %s' ), '<b>' . number_format_i18n( $args['args']['revisions_count'] ) . '+</b>' );
 		echo '</span>';
 	} else {
-		printf( 'Revisions: %s', '<b>' . number_format_i18n( $args['args']['revisions_count'] ) . '</b>' );
+		printf( __( 'Revisions: %s' ), '<b>' . number_format_i18n( $args['args']['revisions_count'] ) . '</b>' );
 	}
 ?>
 	<a class="hide-if-no-js" href="<?php echo esc_url( get_edit_post_link( $args['args']['revision_id'] ) ); ?>"><?php _ex( 'Browse', 'revisions' ); ?></a>

wp-admin/includes/ms.php

@@ -371,7 +371,7 @@ function update_user_status( $id, $pref, $value, $deprecated = null ) {
 	if ( null !== $deprecated )
 		_deprecated_argument( __FUNCTION__, '3.1' );
 
-	$wpdb->update( $wpdb->users, array( $pref => $value ), array( 'ID' => $id ) );
+	$wpdb->update( $wpdb->users, array( sanitize_key( $pref ) => $value ), array( 'ID' => $id ) );
 
 	$user = new WP_User( $id );
 	clean_user_cache( $user );

wp-admin/includes/post.php

@@ -52,8 +52,7 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
 	if ( isset($post_data['trackback_url']) )
 		$post_data['to_ping'] = $post_data['trackback_url'];
 
-	if ( !isset($post_data['user_ID']) )
-		$post_data['user_ID'] = $GLOBALS['user_ID'];
+	$post_data['user_ID'] = $GLOBALS['user_ID'];
 
 	if (!empty ( $post_data['post_author_override'] ) ) {
 		$post_data['post_author'] = (int) $post_data['post_author_override'];
@@ -1207,8 +1206,15 @@ function _admin_notice_post_locked() {
 	if ( ! $post = get_post() )
 		return;
 
-	if ( ( $user_id = wp_check_post_lock( $post->ID ) ) && ( $user = get_userdata( $user_id ) ) ) {
-		$locked = apply_filters( 'show_post_locked_dialog', true, $post, $user );
+	$user = null;
+	if (  $user_id = wp_check_post_lock( $post->ID ) )
+		$user = get_userdata( $user_id );
+
+	if ( $user ) {
+		if ( ! apply_filters( 'show_post_locked_dialog', true, $post, $user ) )
+			return;
+
+		$locked = true;
 	} else {
 		$locked = false;
 	}
@@ -1254,8 +1260,8 @@ function _admin_notice_post_locked() {
 		?>
 		<div class="post-locked-message">
 		<div class="post-locked-avatar"><?php echo get_avatar( $user->ID, 64 ); ?></div>
-		<p class="currently-editing wp-tab-first" tabindex="0"><?php esc_html_e( sprintf( __( 'This content is currently locked. If you take over, %s will be blocked from continuing to edit.' ), $user->display_name ) ); ?></p>
-		<?php do_action( 'post_lock_text', $post ); ?>
+		<p class="currently-editing wp-tab-first" tabindex="0"><?php echo esc_html( sprintf( __( 'This content is currently locked. If you take over, %s will be blocked from continuing to edit.' ), $user->display_name ) ); ?></p>
+		<?php do_action( 'post_locked_dialog', $post ); ?>
 		<p>
 		<a class="button" href="<?php echo esc_url( $sendback ); ?>"><?php echo $sendback_text; ?></a>
 		<?php if ( $preview_link ) { ?>
@@ -1283,7 +1289,7 @@ function _admin_notice_post_locked() {
 			<span class="locked-saving hidden"><img src="images/wpspin_light-2x.gif" width="16" height="16" /> <?php _e('Saving revision...'); ?></span>
 			<span class="locked-saved hidden"><?php _e('Your latest changes were saved as a revision.'); ?></span>
 			</p>
-			<?php do_action( 'post_lock_text', $post ); ?>
+			<?php do_action( 'post_lock_lost_dialog', $post ); ?>
 			<p><a class="button button-primary wp-tab-last" href="<?php echo esc_url( $sendback ); ?>"><?php echo $sendback_text; ?></a></p>
 		</div>
 		<?php
@@ -1320,14 +1326,29 @@ function wp_create_post_autosave( $post_id ) {
 		$new_autosave['ID'] = $old_autosave->ID;
 		$new_autosave['post_author'] = $post_author;
 
+		// If the new autosave is the same content as the post, delete the old autosave.
+		$post = get_post( $post_id );
+		$autosave_is_different = false;
+		foreach ( array_keys( _wp_post_revision_fields() ) as $field ) {
+			if ( normalize_whitespace( $new_autosave[ $field ] ) != normalize_whitespace( $post->$field ) ) {
+				$autosave_is_different = true;
+				break;
+			}
+		}
+
+		if ( ! $autosave_is_different ) {
+			wp_delete_post_revision( $old_autosave->ID );
+			return;
+		}
+
 		return wp_update_post( $new_autosave );
 	}
 
 	// _wp_put_post_revision() expects unescaped.
-	$_POST = wp_unslash($_POST);
+	$post_data = wp_unslash( $_POST );
 
 	// Otherwise create the new autosave as a special post revision
-	return _wp_put_post_revision( $_POST, true );
+	return _wp_put_post_revision( $post_data, true );
 }
 
 /**

wp-admin/includes/revision.php

@@ -55,8 +55,8 @@ function wp_get_revision_ui_diff( $post, $compare_from, $compare_to ) {
 	$return = array();
 
 	foreach ( _wp_post_revision_fields() as $field => $name ) {
-		$content_from = $compare_from ? apply_filters( "_wp_post_revision_field_$field", $compare_from->$field, $field, $compare_from, 'left' ) : '';
-		$content_to = apply_filters( "_wp_post_revision_field_$field", $compare_to->$field, $field, $compare_to, 'right' );
+		$content_from = $compare_from ? apply_filters( "_wp_post_revision_field_$field", $compare_from->$field, $field, $compare_from, 'from' ) : '';
+		$content_to = apply_filters( "_wp_post_revision_field_$field", $compare_to->$field, $field, $compare_to, 'to' );
 
 		$diff = wp_text_diff( $content_from, $content_to, array( 'show_split_view' => true ) );
 
@@ -179,8 +179,13 @@ function wp_prepare_revisions_for_js( $post, $selected_revision_id, $from = null
 	// Now, grab the initial diff
 	$compare_two_mode = is_numeric( $from );
 	if ( ! $compare_two_mode ) {
-		$from = array_keys( array_slice( $revisions, array_search( $selected_revision_id, array_keys( $revisions ) ) - 1, 1, true ) );
-		$from = $from[0];
+		$found = array_search( $selected_revision_id, array_keys( $revisions ) );
+		if ( $found ) {
+			$from = array_keys( array_slice( $revisions, $found - 1, 1, true ) );
+			$from = reset( $from );
+		} else {
+			$from = 0;
+		}
 	}
 
 	$from = absint( $from );

wp-admin/includes/template.php

@@ -1734,7 +1734,8 @@ final class WP_Internal_Pointers {
 		$registered_pointers = array(
 			'index.php'    => 'wp330_toolbar',
 			'post-new.php' => 'wp350_media',
-			'post.php'     => 'wp350_media',
+			'post.php'     => array( 'wp350_media', 'wp360_revisions' ),
+			'edit.php'     => 'wp360_locks',
 			'themes.php'   => array( 'wp330_saving_widgets', 'wp340_customize_current_theme_link' ),
 			'appearance_page_custom-header' => 'wp340_choose_image_from_library',
 			'appearance_page_custom-background' => 'wp340_choose_image_from_library',
@@ -1810,7 +1811,7 @@ final class WP_Internal_Pointers {
 			});
 
 			setup = function() {
-				$('<?php echo $selector; ?>').pointer( options ).pointer('open');
+				$('<?php echo $selector; ?>').first().pointer( options ).pointer('open');
 			};
 
 			if ( options.position && options.position.defer_loading )
@@ -1900,13 +1901,36 @@ final class WP_Internal_Pointers {
 		) );
 	}
 
+	public static function pointer_wp360_revisions() {
+		$content  = '<h3>' . __( 'Compare Revisions' ) . '</h3>';
+		$content .= '<p>' . __( 'View, compare, and restore other versions of this content on the improved revisions screen.' ) . '</p>';
+
+		self::print_js( 'wp360_revisions', '.misc-pub-section.num-revisions', array(
+			'content' => $content,
+			'position' => array( 'edge' => is_rtl() ? 'left' : 'right', 'align' => 'center', 'my' => is_rtl() ? 'left' : 'right-14px' ),
+		) );
+	}
+
+	public static function pointer_wp360_locks() {
+		$content  = '<h3>' . __( 'Edit Lock' ) . '</h3>';
+		$content .= '<p>' . __( 'Someone else is editing this. No need to refresh; the lock will disappear when they&#8217;re done.' ) . '</p>';
+
+		if ( ! is_multi_author() )
+			return;
+
+		self::print_js( 'wp360_locks', 'tr.wp-locked .locked-indicator', array(
+			'content' => $content,
+			'position' => array( 'edge' => 'left', 'align' => 'left' ),
+		) );
+	}
+
 	/**
 	 * Prevents new users from seeing existing 'new feature' pointers.
 	 *
 	 * @since 3.3.0
 	 */
 	public static function dismiss_pointers_for_new_users( $user_id ) {
-		add_user_meta( $user_id, 'dismissed_wp_pointers', 'wp330_toolbar,wp330_saving_widgets,wp340_choose_image_from_library,wp340_customize_current_theme_link,wp350_media' );
+		add_user_meta( $user_id, 'dismissed_wp_pointers', 'wp330_toolbar,wp330_saving_widgets,wp340_choose_image_from_library,wp340_customize_current_theme_link,wp350_media,wp360_revisions,wp360_locks' );
 	}
 }
 

wp-admin/includes/update-core.php

@@ -551,6 +551,13 @@ $_old_files = array(
 'wp-includes/js/tinymce/themes/advanced/skins/wp_theme/ui.css',
 // 3.5.2
 'wp-includes/js/swfupload/swfupload-all.js',
+// 3.6
+'wp-admin/js/revisions-js.php',
+'wp-admin/images/screenshots',
+'wp-admin/js/categories.js',
+'wp-admin/js/categories.min.js',
+'wp-admin/js/custom-fields.js',
+'wp-admin/js/custom-fields.min.js',
 );
 
 /**

wp-admin/js/common.js

@@ -185,15 +185,15 @@ $(document).ready( function() {
 			if ( body.hasClass('auto-fold') ) {
 				body.removeClass('auto-fold').removeClass('folded');
 				setUserSetting('unfold', 1);
-				deleteUserSetting('mfold');
+				setUserSetting('mfold', 'o');
 			} else {
 				body.addClass('auto-fold');
-				deleteUserSetting('unfold');
+				setUserSetting('unfold', 0);
 			}
 		} else {
 			if ( body.hasClass('folded') ) {
 				body.removeClass('folded');
-				deleteUserSetting('mfold');
+				setUserSetting('mfold', 'o');
 			} else {
 				body.addClass('folded');
 				setUserSetting('mfold', 'f');

wp-admin/js/revisions-js.php

@@ -1,39 +0,0 @@
-<?php
-
-// The JS here is purposefully obfuscated to preserve mystery and romance.
-// If you want to see behind the curtain, visit http://core.trac.wordpress.org/ticket/15262
-
-if ( !defined( 'ABSPATH' ) )
-	exit;
-
-/** @ignore */
-function dvortr( $str ) {
-	return strtr(
-		$str,
-		'\',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz"<>PYFGCRL?+|AOEUIDHTNS_:QJKXBMWVZ[]',
-		'qwertyuiop[]\\asdfghjkl;\'zxcvbnm,./QWERTYUIOP{}|ASDFGHJKL:"ZXCVBNM<>?-='
-	);
-}
-
-$j = esc_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
-$n = esc_html( $GLOBALS['current_user']->data->display_name );
-$d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) );
-
-wp_die( <<<EOEE
-<style type="text/css">
-html body { font-family: courier, monospace; }
-#hal { text-decoration: blink; }
-</style>
-<script type="text/javascript" src="$j"></script>
-<script type="text/javascript">
-/* <![CDATA[ */
-var n = '$n';
-eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('6(4(){2 e=6(\\'#Q\\').v();2 i=\\'\\\\\\',.R/=\\\\\\\\S-;T"<>U?+|V:W[]X{}\\'.u(\\'\\');2 o=\\'Y[]\\\\\\\\Z;\\\\\\'10,./11{}|12:"13<>?-=14+\\'.u(\\'\\');2 5=4(s){r=\\'\\';6.15(s.u(\\'\\'),4(){2 t=16.D();2 c=6.17(t,i);r+=\\'\$\\'==t?n:(-1==c?t:o[c])});j r};2 a=[\\'O.E[18 e.y.19.1a\\',\\'1b 1c. 1d .1e.,1f 1g\\',\\'O.E e.1h 1i 8\\',\\'9\\',\\'0\\'];2 b=[\\'<1j. 1k \$1l\\',\\'1m. 1n 1o 1p\\',\\'1q, 1r. ,1s. 1t\\'];2 w=[];2 h=6(5(\\'#1u\\'));6(5(\\'1v\\')).1w(4(e){7(1x!==e.1y){j}7(x&&x.F){x.F();j G}1z.1A=6(5(\\'#1B\\')).1C(\\'1D\\');j G});2 k=4(){2 l=a.H();7(\\'I\\'==J l){7(m){2 c={};c[5(\\'1E\\')]=5(\\'1F\\');c[5(\\'1G\\')]=5(\\'1H..b\\');6(5(\\'1I 1J\\')).1K(c);p();h.v().1L({1M:1},z,\\'1N\\',4(){h.K()});d(m,L)}j}w=5(l).u(\\'\\');A()};2 A=4(){B=w.H();7(\\'I\\'==J B){7(m){h.M(5(\\'1O 1P\\'));d(k,C)}N{7(a.P){d(p,C);d(k,z)}N{d(4(){p();h.v()},C);d(4(){e.K()},L)}}j}h.M(B.D());d(A,1Q)};2 m=4(){a=b;m=1R;k()};p=4(){2 f=6(\\'p\\').1S(0);2 g=6.1T(f.q).1U();1V(2 g=f.q.P;g>0;g--){7(3==f.q[g-1].1W||\\'1X\\'==f.q[g-1].1Y.1Z()){f.20(f.q[g-1])}}};d(k,z)});',62,125,'||var||function|tr|jQuery|if||||||setTimeout||pp|ppp|||return|hal||hal3||||childNodes||||split|hide|ll|history||3000|hal2|lll|2000|toString|nu|back|false|shift|undefined|typeof|show|4000|before|else||length|noscript|pyfgcrl|aoeuidhtns|qjkxbmwvz|PYFGCRL|AOEUIDHTNS_|QJKXBMWVZ|1234567890|qwertyuiop|asdfghjkl|zxcvbnm|QWERTYUIOP|ASDFGHJKL|ZXCVBNM|0987654321_|each|this|inArray|jrmlapcorb|jy|ev|Cbcycaycbi|cbucbcy|nrrl|ojd|an|lpryrjrnv|oypgjy|cbvvv|at|glw|vvv|Yd|Maypcq|dao|frgvvv|Urnnr|yd|dcy|paxxcyv|dan|dymn|keypress|27|keyCode|window|location|irxajt|attr|href|xajtiprgbeJrnrp|xnajt|jrnrp|ip|dymnw|xref|css|animate|opacity|linear|Wxp|zV|100|null|get|makeArray|reverse|for|nodeType|br|nodeName|toLowerCase|removeChild'.split('|'),0,{}))
-/* ]]> */
-</script>
-<span id="noscript">$d</span>
-<blink id="hal">&#x258c;</blink>
-EOEE
-,
-dvortr( 'Eabi.p!' )
-);

wp-admin/js/revisions.js

@@ -155,8 +155,6 @@ window.wp = window.wp || {};
 			this.listenTo( this.slider, 'hovered:revision', this.updateRevision );
 			this.listenTo( this.slider, 'change:hovering', this.setHovering );
 			this.listenTo( this.slider, 'change:scrubbing', this.setScrubbing );
-
-			this.set({ revision: this.frame.diff() });
 		},
 
 
@@ -571,8 +569,8 @@ window.wp = window.wp || {};
 				model: slider
 			}) );
 
-			// Add the Meta view
-			this.views.add( new revisions.view.Meta({
+			// Add the Metabox view
+			this.views.add( new revisions.view.Metabox({
 				model: this.model
 			}) );
 		},
@@ -659,9 +657,26 @@ window.wp = window.wp || {};
 		}
 	});
 
-	// The meta view
-	revisions.view.Meta = wp.Backbone.View.extend({
+	// The metabox view
+	revisions.view.Metabox = wp.Backbone.View.extend({
 		className: 'revisions-meta',
+
+		initialize: function() {
+			// Add the 'from' view
+			this.views.add( new revisions.view.MetaFrom({
+				model: this.model,
+				className: 'diff-meta diff-meta-from'
+			}) );
+
+			// Add the 'to' view
+			this.views.add( new revisions.view.MetaTo({
+				model: this.model
+			}) );
+		}
+	});
+
+	// The revision meta view (to be extended)
+	revisions.view.Meta = wp.Backbone.View.extend({
 		template: wp.template('revisions-meta'),
 
 		events: {
@@ -673,7 +688,9 @@ window.wp = window.wp || {};
 		},
 
 		prepare: function() {
-			return this.model.toJSON();
+			return _.extend( this.model.toJSON()[this.type] || {}, {
+				type: this.type
+			});
 		},
 
 		restoreRevision: function() {
@@ -681,6 +698,18 @@ window.wp = window.wp || {};
 		}
 	});
 
+	// The revision meta 'from' view
+	revisions.view.MetaFrom = revisions.view.Meta.extend({
+		className: 'diff-meta diff-meta-from',
+		type: 'from'
+	});
+
+	// The revision meta 'to' view
+	revisions.view.MetaTo = revisions.view.Meta.extend({
+		className: 'diff-meta diff-meta-to',
+		type: 'to'
+	});
+
 	// The checkbox view.
 	revisions.view.Checkbox = wp.Backbone.View.extend({
 		className: 'revisions-checkbox',
@@ -714,7 +743,7 @@ window.wp = window.wp || {};
 	// Encapsulates the tooltip.
 	revisions.view.Tooltip = wp.Backbone.View.extend({
 		className: 'revisions-tooltip',
-		template: wp.template('revisions-tooltip'),
+		template: wp.template('revisions-meta'),
 
 		initialize: function( options ) {
 			this.listenTo( this.model, 'change:offset', this.render );
@@ -723,7 +752,12 @@ window.wp = window.wp || {};
 		},
 
 		prepare: function() {
-			return this.model.get('revision').toJSON();
+			if ( _.isNull( this.model.get('revision') ) )
+				return;
+			else
+				return _.extend( { type: 'tooltip' }, {
+					attributes: this.model.get('revision').toJSON()
+				});
 		},
 
 		render: function() {

wp-admin/load-scripts.php

@@ -119,7 +119,7 @@ if ( is_array( $load ) )
 	$load = implode( '', $load );
 
 $load = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );
-$load = explode(',', $load);
+$load = array_unique( explode( ',', $load ) );
 
 if ( empty($load) )
 	exit;

wp-admin/load-styles.php

@@ -96,7 +96,7 @@ require(ABSPATH . '/wp-includes/script-loader.php');
 require(ABSPATH . '/wp-includes/version.php');
 
 $load = preg_replace( '/[^a-z0-9,_-]+/i', '', $_GET['load'] );
-$load = explode(',', $load);
+$load = array_unique( explode( ',', $load ) );
 
 if ( empty($load) )
 	exit;

wp-admin/nav-menus.php

@@ -300,18 +300,19 @@ switch ( $action ) {
 						// If there are menu items, add them
 						wp_nav_menu_update_menu_items( $nav_menu_selected_id, $nav_menu_selected_title );
 						// Auto-save nav_menu_locations
-						$locations = get_theme_mod( 'nav_menu_locations' );
-						foreach ( (array) $locations as $location => $menu_id ) {
+						$locations = get_nav_menu_locations();
+						foreach ( $locations as $location => $menu_id ) {
 								$locations[ $location ] = $nav_menu_selected_id;
 								break; // There should only be 1
 						}
 						set_theme_mod( 'nav_menu_locations', $locations );
 					}
 					if ( isset( $_REQUEST['use-location'] ) ) {
-						$locations = get_theme_mod( 'nav_menu_locations' );
-						if ( isset( $locations[$_REQUEST['use-location']] ) )
-							$locations[$_REQUEST['use-location']] = $nav_menu_selected_id;
-						set_theme_mod( 'nav_menu_locations', $locations );
+						$locations = get_registered_nav_menus();
+						$menu_locations = get_nav_menu_locations();
+						if ( isset( $locations[ $_REQUEST['use-location'] ] ) )
+							$menu_locations[ $_REQUEST['use-location'] ] = $nav_menu_selected_id;
+						set_theme_mod( 'nav_menu_locations', $menu_locations );
 					}
 					// $messages[] = '<div id="message" class="updated"><p>' . sprintf( __( '<strong>%s</strong> has been created.' ), $nav_menu_selected_title ) . '</p></div>';
 					wp_redirect( admin_url( 'nav-menus.php?menu=' . $_nav_menu_selected_id ) );

wp-admin/network/upgrade.php

@@ -84,9 +84,12 @@ switch ( $action ) {
 	break;
 	case 'show':
 	default:
+		if ( get_site_option( 'wpmu_upgrade_site' ) != $GLOBALS['wp_db_version'] ) :
 		?>
 		<h3><?php _e( 'Database Upgrade Required' ); ?></h3>
 		<p><?php _e( 'WordPress has been updated! Before we send you on your way, we need to individually upgrade the sites in your network.' ); ?></p>
+		<?php endif; ?>
+
 		<p><?php _e( 'The upgrade process may take a little while, so please be patient.' ); ?></p>
 		<p><a class="button" href="upgrade.php?action=upgrade"><?php _e( 'Upgrade Network' ); ?></a></p>
 		<?php

wp-admin/revision.php

@@ -37,6 +37,10 @@ case 'restore' :
 		break;
 	}
 
+	// Don't allow revision restore when post is locked
+	if ( wp_check_post_lock( $post->ID ) )
+		break;
+
 	check_admin_referer( "restore-post_{$revision->ID}" );
 
 	wp_restore_post_revision( $revision->ID );
@@ -91,7 +95,7 @@ $revisions_overview  = '<p>' . __( 'This screen is used for managing your conten
 $revisions_overview .= '<p>' . __( 'Revisions are saved copies of your post or page, which are periodically created as you update your content. The red text on the left shows the content that was removed. The green text on the right shows the content that was added.' ) . '</p>';
 $revisions_overview .= '<p>' . __( 'From this screen you can review, compare, and restore revisions:' ) . '</p>';
 $revisions_overview .= '<ul><li>' . __( 'To navigate between revisions, <strong>drag the slider handle left or right</strong> or <strong>use the Previous or Next buttons</strong>.' ) . '</li>';
-$revisions_overview .= '<li>' . __( 'Compare two different revisions by <strong>selecting the &#8220;Compare two revisions&#8221; box</strong> to the side.' ) . '</li>';
+$revisions_overview .= '<li>' . __( 'Compare two different revisions by <strong>selecting the &#8220;Compare any two revisions&#8221; box</strong> to the side.' ) . '</li>';
 $revisions_overview .= '<li>' . __( 'To restore a revision, <strong>click Restore This Revision</strong>.' ) . '</li></ul>';
 
 get_current_screen()->add_help_tab( array(
@@ -130,31 +134,6 @@ require_once( './admin-header.php' );
 	</div>
 </script>
 
-<script id="tmpl-revisions-tooltip" type="text/html">
-	<div class="author-card">
-	<# if ( 'undefined' !== typeof data && 'undefined' !== typeof data.author ) { #>
-			<div class="author-card<# if ( data.autosave ) { #> autosave<# } #>">
-				{{{ data.author.avatar }}}
-				<div class="author-info">
-				<# if ( data.autosave ) { #>
-					<span class="byline"><?php printf( __( 'Autosave by %s' ),
-						'<span class="author-name">{{ data.author.name }}</span>' ); ?></span>
-				<# } else if ( data.current ) { #>
-					<span class="byline"><?php printf( __( 'Current Revision by %s' ),
-						'<span class="author-name">{{ data.author.name }}</span>' ); ?></span>
-				<# } else { #>
-					<span class="byline"><?php printf( __( 'Revision by %s' ),
-						'<span class="author-name">{{ data.author.name }}</span>' ); ?></span>
-				<# } #>
-					<span class="time-ago">{{ data.timeAgo }}</span>
-					<span class="date">({{ data.dateShort }})</span>
-				</div>
-			</div>
-	<# } #>
-	</div>
-	<div class="revisions-tooltip-arrow"><span></span></div>
-</script>
-
 <script id="tmpl-revisions-checkbox" type="text/html">
 	<div class="revision-toggle-compare-mode">
 		<label>
@@ -165,71 +144,54 @@ require_once( './admin-header.php' );
 			}
 			#>
 			/>
-			<?php esc_attr_e( 'Compare two revisions' ); ?>
+			<?php esc_attr_e( 'Compare any two revisions' ); ?>
 		</label>
 	</div>
 </script>
 
 <script id="tmpl-revisions-meta" type="text/html">
-	<div class="diff-meta diff-meta-from">
+	<# if ( ! _.isUndefined( data.attributes ) ) { #>
 		<div class="diff-title">
-			<strong><?php _ex( 'From:', 'Followed by post revision info' ); ?></strong>
-		<# if ( 'undefined' !== typeof data.from ) { #>
-			<div class="author-card<# if ( data.from.attributes.autosave ) { #> autosave<# } #>">
-				{{{ data.from.attributes.author.avatar }}}
+			<# if ( 'from' === data.type ) { #>
+				<strong><?php _ex( 'From:', 'Followed by post revision info' ); ?></strong>
+			<# } else if ( 'to' === data.type ) { #>
+				<strong><?php _ex( 'To:', 'Followed by post revision info' ); ?></strong>
+			<# } #>
+			<div class="author-card<# if ( data.attributes.autosave ) { #> autosave<# } #>">
+				{{{ data.attributes.author.avatar }}}
 				<div class="author-info">
-				<# if ( data.from.attributes.autosave ) { #>
+				<# if ( data.attributes.autosave ) { #>
 					<span class="byline"><?php printf( __( 'Autosave by %s' ),
-						'<span class="author-name">{{ data.from.attributes.author.name }}</span>' ); ?></span>
-				<# } else if ( data.from.attributes.current ) { #>
+						'<span class="author-name">{{ data.attributes.author.name }}</span>' ); ?></span>
+				<# } else if ( data.attributes.current ) { #>
 					<span class="byline"><?php printf( __( 'Current Revision by %s' ),
-						'<span class="author-name">{{ data.from.attributes.author.name }}</span>' ); ?></span>
+						'<span class="author-name">{{ data.attributes.author.name }}</span>' ); ?></span>
 				<# } else { #>
 					<span class="byline"><?php printf( __( 'Revision by %s' ),
-						'<span class="author-name">{{ data.from.attributes.author.name }}</span>' ); ?></span>
+						'<span class="author-name">{{ data.attributes.author.name }}</span>' ); ?></span>
 				<# } #>
-					<span class="time-ago">{{ data.from.attributes.timeAgo }}</span>
-					<span class="date">({{ data.from.attributes.dateShort }})</span>
+					<span class="time-ago">{{ data.attributes.timeAgo }}</span>
+					<span class="date">({{ data.attributes.dateShort }})</span>
 				</div>
-			</div>
-		<# } #>
-		</div>
-	</div>
-
-	<div class="diff-meta diff-meta-to">
-		<div class="diff-title">
-			<strong><?php _ex( 'To:', 'Followed by post revision info' ); ?></strong>
-		<# if ( 'undefined' !== typeof data.to ) { #>
-			<div class="author-card<# if ( data.to.attributes.autosave ) { #> autosave<# } #>">
-				{{{ data.to.attributes.author.avatar }}}
-				<div class="author-info">
-				<# if ( data.to.attributes.autosave ) { #>
-					<span class="byline"><?php printf( __( 'Autosave by %s' ),
-						'<span class="author-name">{{ data.to.attributes.author.name }}</span>' ); ?></span>
-				<# } else if ( data.to.attributes.current ) { #>
-					<span class="byline"><?php printf( __( 'Current Revision by %s' ),
-						'<span class="author-name">{{ data.to.attributes.author.name }}</span>' ); ?></span>
+			<# if ( 'to' === data.type && data.attributes.restoreUrl ) { #>
+				<input  <?php if ( wp_check_post_lock( $post->ID ) ) { ?>
+					disabled="disabled"
+				<?php } else { ?>
+					<# if ( data.attributes.current ) { #>
+						disabled="disabled"
+					<# } #>
+				<?php } ?>
+				<# if ( data.attributes.autosave ) { #>
+					type="button" class="restore-revision button button-primary" value="<?php esc_attr_e( 'Restore This Autosave' ); ?>" />
 				<# } else { #>
-					<span class="byline"><?php printf( __( 'Revision by %s' ),
-						'<span class="author-name">{{ data.to.attributes.author.name }}</span>' ); ?></span>
+					type="button" class="restore-revision button button-primary" value="<?php esc_attr_e( 'Restore This Revision' ); ?>" />
 				<# } #>
-					<span class="time-ago">{{ data.to.attributes.timeAgo }}</span>
-					<span class="date">({{ data.to.attributes.dateShort }})</span>
-				</div>
-		<# } #>
-		<# if ( data.to.attributes.restoreUrl ) { #>
-			<input 
-			<# if ( data.to.attributes.current ) { #>
-				disabled="disabled"
 			<# } #>
-			<# if ( data.to.attributes.autosave ) { #>
-				type="button" class="restore-revision button button-primary" value="<?php esc_attr_e( 'Restore This Autosave' ); ?>" />
-			<# } else { #>
-				type="button" class="restore-revision button button-primary" value="<?php esc_attr_e( 'Restore This Revision' ); ?>" />
-			<# } #>
-		<# } #>
 		</div>
-	</div>
+	<# if ( 'tooltip' === data.type ) { #>
+		<div class="revisions-tooltip-arrow"><span></span></div>
+	<# } #>
+<# } #>
 </script>
 
 <script id="tmpl-revisions-diff" type="text/html">

wp-content/themes/twentyeleven/languages/twentyeleven.pot

@@ -2,9 +2,9 @@
 # This file is distributed under the GNU General Public License v2 or later.
 msgid ""
 msgstr ""
-"Project-Id-Version: Twenty Eleven 1.5\n"
+"Project-Id-Version: Twenty Eleven 1.6\n"
 "Report-Msgid-Bugs-To: http://wordpress.org/tags/twentyeleven\n"
-"POT-Creation-Date: 2013-06-18 22:14:12+00:00\n"
+"POT-Creation-Date: 2013-08-01 18:14:12+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
@@ -266,7 +266,7 @@ msgstr ""
 msgid "Featured"
 msgstr ""
 
-#. #-#-#-#-#  twentyeleven.pot (Twenty Eleven 1.5)  #-#-#-#-#
+#. #-#-#-#-#  twentyeleven.pot (Twenty Eleven 1.6)  #-#-#-#-#
 #. Author URI of the plugin/theme
 #: footer.php:27
 msgid "http://wordpress.org/"

wp-content/themes/twentyeleven/style.css

@@ -4,7 +4,7 @@ Theme URI: http://wordpress.org/themes/twentyeleven
 Author: the WordPress team
 Author URI: http://wordpress.org/
 Description: The 2011 theme for WordPress is sophisticated, lightweight, and adaptable. Make it yours with a custom menu, header image, and background -- then go further with available theme options for light or dark color scheme, custom link colors, and three layout choices. Twenty Eleven comes equipped with a Showcase page template that transforms your front page into a showcase to show off your best content, widget support galore (sidebar, three footer areas, and a Showcase page widget area), and a custom "Ephemera" widget to display your Aside, Link, Quote, or Status posts. Included are styles for print and for the admin editor, support for featured images (as custom header images on posts and pages and as large images on featured "sticky" posts), and special styles for six different post formats.
-Version: 1.5
+Version: 1.6
 License: GNU General Public License v2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 Tags: dark, light, white, black, gray, one-column, two-columns, left-sidebar, right-sidebar, fixed-width, flexible-width, custom-background, custom-colors, custom-header, custom-menu, editor-style, featured-image-header, featured-images, flexible-header, full-width-template, microformats, post-formats, rtl-language-support, sticky-post, theme-options, translation-ready

wp-content/themes/twentyten/languages/twentyten.pot

@@ -2,9 +2,9 @@
 # This file is distributed under the GNU General Public License v2 or later.
 msgid ""
 msgstr ""
-"Project-Id-Version: Twenty Ten 1.5\n"
+"Project-Id-Version: Twenty Ten 1.6\n"
 "Report-Msgid-Bugs-To: http://wordpress.org/tags/twentyten\n"
-"POT-Creation-Date: 2013-05-22 21:14:02+00:00\n"
+"POT-Creation-Date: 2013-08-01 18:14:08+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
@@ -83,7 +83,7 @@ msgstr ""
 msgid "Comments are closed."
 msgstr ""
 
-#. #-#-#-#-#  twentyten.pot (Twenty Ten 1.5)  #-#-#-#-#
+#. #-#-#-#-#  twentyten.pot (Twenty Ten 1.6)  #-#-#-#-#
 #. Author URI of the plugin/theme
 #: footer.php:33
 msgid "http://wordpress.org/"

wp-content/themes/twentyten/style.css

@@ -4,7 +4,7 @@ Theme URI: http://wordpress.org/themes/twentyten
 Description: The 2010 theme for WordPress is stylish, customizable, simple, and readable -- make it yours with a custom menu, header image, and background. Twenty Ten supports six widgetized areas (two in the sidebar, four in the footer) and featured images (thumbnails for gallery posts and custom header images for posts and pages). It includes stylesheets for print and the admin Visual Editor, special styles for posts in the "Asides" and "Gallery" categories, and has an optional one-column page template that removes the sidebar.
 Author: the WordPress team
 Author URI: http://wordpress.org/
-Version: 1.5
+Version: 1.6
 License: GNU General Public License v2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 Tags: black, blue, white, two-columns, fixed-width, custom-header, custom-background, threaded-comments, sticky-post, translation-ready, microformats, rtl-language-support, editor-style, custom-menu, flexible-header

wp-content/themes/twentythirteen/functions.php

@@ -361,7 +361,10 @@ if ( ! function_exists( 'twentythirteen_entry_date' ) ) :
  * @return string The HTML-formatted post date.
  */
 function twentythirteen_entry_date( $echo = true ) {
-	$format_prefix = ( has_post_format( 'chat' ) || has_post_format( 'status' ) ) ? _x( '%1$s on %2$s', '1: post format name. 2: date', 'twentythirteen' ): '%2$s';
+	if ( has_post_format( array( 'chat', 'status' ) ) )
+		$format_prefix = _x( '%1$s on %2$s', '1: post format name. 2: date', 'twentythirteen' );
+	else
+		$format_prefix = '%2$s';
 
 	$date = sprintf( '<span class="date"><a href="%1$s" title="%2$s" rel="bookmark"><time class="entry-date" datetime="%3$s">%4$s</time></a></span>',
 		esc_url( get_permalink() ),

wp-content/themes/twentythirteen/languages/twentythirteen.pot

@@ -2,9 +2,9 @@
 # This file is distributed under the GNU General Public License v2 or later.
 msgid ""
 msgstr ""
-"Project-Id-Version: Twenty Thirteen 0.1\n"
+"Project-Id-Version: Twenty Thirteen 1.0\n"
 "Report-Msgid-Bugs-To: http://wordpress.org/tags/twentythirteen\n"
-"POT-Creation-Date: 2013-07-24 22:14:04+00:00\n"
+"POT-Creation-Date: 2013-08-01 18:14:18+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
@@ -145,7 +145,7 @@ msgid ""
 "searching can help."
 msgstr ""
 
-#. #-#-#-#-#  twentythirteen.pot (Twenty Thirteen 0.1)  #-#-#-#-#
+#. #-#-#-#-#  twentythirteen.pot (Twenty Thirteen 1.0)  #-#-#-#-#
 #. Author URI of the plugin/theme
 #: footer.php:20
 msgid "http://wordpress.org/"
@@ -238,12 +238,12 @@ msgstr ""
 msgid "View all posts by %s"
 msgstr ""
 
-#: functions.php:364
+#: functions.php:365
 msgctxt "1: post format name. 2: date"
 msgid "%1$s on %2$s"
 msgstr ""
 
-#: functions.php:368
+#: functions.php:371
 msgid "Permalink to %s"
 msgstr ""
 

wp-content/themes/twentythirteen/style.css

@@ -4,7 +4,7 @@ Theme URI: http://wordpress.org/themes/twentythirteen
 Author: the WordPress team
 Author URI: http://wordpress.org/
 Description: The 2013 theme for WordPress takes us back to the blog, featuring a full range of post formats, each displayed beautifully in their own unique way. Design details abound, starting with a vibrant color scheme and matching header images, beautiful typography and icons, and a flexible layout that looks great on any device, big or small.
-Version: 0.1
+Version: 1.0
 License: GNU General Public License v2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 Tags: black, brown, orange, tan, white, yellow, light, one-column, two-columns, right-sidebar, flexible-width, custom-header, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, translation-ready

wp-content/themes/twentytwelve/languages/twentytwelve.pot

@@ -2,9 +2,9 @@
 # This file is distributed under the GNU General Public License v2 or later.
 msgid ""
 msgstr ""
-"Project-Id-Version: Twenty Twelve 1.1.1\n"
+"Project-Id-Version: Twenty Twelve 1.2\n"
 "Report-Msgid-Bugs-To: http://wordpress.org/tags/twentytwelve\n"
-"POT-Creation-Date: 2013-05-22 21:14:07+00:00\n"
+"POT-Creation-Date: 2013-08-01 18:14:15+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
@@ -139,7 +139,7 @@ msgstr ""
 msgid "View all posts by %s <span class=\"meta-nav\">&rarr;</span>"
 msgstr ""
 
-#. #-#-#-#-#  twentytwelve.pot (Twenty Twelve 1.1.1)  #-#-#-#-#
+#. #-#-#-#-#  twentytwelve.pot (Twenty Twelve 1.2)  #-#-#-#-#
 #. Author URI of the plugin/theme
 #: footer.php:17
 msgid "http://wordpress.org/"

wp-content/themes/twentytwelve/style.css

@@ -4,7 +4,7 @@ Theme URI: http://wordpress.org/themes/twentytwelve
 Author: the WordPress team
 Author URI: http://wordpress.org/
 Description: The 2012 theme for WordPress is a fully responsive theme that looks great on any device. Features include a front page template with its own widgets, an optional display font, styling for post formats on both index and single views, and an optional no-sidebar page template. Make it yours with a custom menu, header image, and background.
-Version: 1.1.1
+Version: 1.2
 License: GNU General Public License v2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 Tags: light, gray, white, one-column, two-columns, right-sidebar, flexible-width, custom-background, custom-header, custom-menu, editor-style, featured-images, flexible-header, full-width-template, microformats, post-formats, rtl-language-support, sticky-post, theme-options, translation-ready

wp-includes/bookmark.php

@@ -186,7 +186,7 @@ function get_bookmarks($args = '') {
 	}
 
 	if ( ! empty($search) ) {
-		$search = like_escape($search);
+		$search = esc_sql( like_escape( $search ) );
 		$search = " AND ( (link_url LIKE '%$search%') OR (link_name LIKE '%$search%') OR (link_description LIKE '%$search%') ) ";
 	}
 

wp-includes/class-feed.php

@@ -69,7 +69,6 @@ class WP_SimplePie_File extends SimplePie_File {
 			$args = array(
 				'timeout' => $this->timeout,
 				'redirection' => $this->redirects,
-				'reject_unsafe_urls' => true,
 			);
 
 			if ( !empty($this->headers) )
@@ -78,7 +77,7 @@ class WP_SimplePie_File extends SimplePie_File {
 			if ( SIMPLEPIE_USERAGENT != $this->useragent ) //Use default WP user agent unless custom has been specified
 				$args['user-agent'] = $this->useragent;
 
-			$res = wp_remote_request($url, $args);
+			$res = wp_safe_remote_request($url, $args);
 
 			if ( is_wp_error($res) ) {
 				$this->error = 'WP HTTP Error: ' . $res->get_error_message();

wp-includes/class-http.php

@@ -87,7 +87,7 @@ class WP_Http {
 			'redirection' => apply_filters( 'http_request_redirection_count', 5),
 			'httpversion' => apply_filters( 'http_request_version', '1.0'),
 			'user-agent' => apply_filters( 'http_headers_useragent', 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' ) ),
-			'reject_unsafe_urls' => apply_filters( 'http_request_reject_unsafe_urls', true ),
+			'reject_unsafe_urls' => apply_filters( 'http_request_reject_unsafe_urls', false ),
 			'blocking' => true,
 			'headers' => array(),
 			'cookies' => array(),
@@ -1302,6 +1302,11 @@ class WP_Http_Curl {
 	 * @return int
 	 */
 	private function stream_body( $handle, $data ) {
+		if ( function_exists( 'ini_get' ) && ( ini_get( 'mbstring.func_overload' ) & 2 ) && function_exists( 'mb_internal_encoding' ) ) {
+			$mb_encoding = mb_internal_encoding();
+			mb_internal_encoding( 'ISO-8859-1' );
+		}
+
 		if ( $this->max_body_length && ( strlen( $this->body ) + strlen( $data ) ) > $this->max_body_length )
 			$data = substr( $data, 0, ( $this->max_body_length - strlen( $this->body ) ) );
 
@@ -1310,7 +1315,12 @@ class WP_Http_Curl {
 		else
 			$this->body .= $data;
 
-		return strlen( $data );
+		$data_length = strlen( $data );
+
+		if ( isset( $mb_encoding ) )
+			mb_internal_encoding( $mb_encoding );
+
+		return $data_length;
 	}
 
 	/**

wp-includes/class-oembed.php

@@ -113,7 +113,7 @@ class WP_oEmbed {
 		$providers = array();
 
 		// Fetch URL content
-		if ( $html = wp_remote_retrieve_body( wp_remote_get( $url, array( 'reject_unsafe_urls' => true ) ) ) ) {
+		if ( $html = wp_remote_retrieve_body( wp_safe_remote_get( $url ) ) ) {
 
 			// <link> types that contain oEmbed provider URLs
 			$linktypes = apply_filters( 'oembed_linktypes', array(
@@ -195,7 +195,7 @@ class WP_oEmbed {
 	 */
 	function _fetch_with_format( $provider_url_with_args, $format ) {
 		$provider_url_with_args = add_query_arg( 'format', $format, $provider_url_with_args );
-		$response = wp_remote_get( $provider_url_with_args, array( 'reject_unsafe_urls' => true ) );
+		$response = wp_safe_remote_get( $provider_url_with_args );
 		if ( 501 == wp_remote_retrieve_response_code( $response ) )
 			return new WP_Error( 'not-implemented' );
 		if ( ! $body = wp_remote_retrieve_body( $response ) )
@@ -221,27 +221,52 @@ class WP_oEmbed {
 	 * @access private
 	 */
 	function _parse_xml( $response_body ) {
-		if ( !function_exists('simplexml_load_string') ) {
-			return false;
-		}
 		if ( ! function_exists( 'libxml_disable_entity_loader' ) )
 			return false;
 
 		$loader = libxml_disable_entity_loader( true );
-
 		$errors = libxml_use_internal_errors( true );
-		$data = simplexml_load_string( $response_body );
-		libxml_use_internal_errors( $errors );
 
-		$return = false;
-		if ( is_object( $data ) ) {
-			$return = new stdClass;
-			foreach ( $data as $key => $value ) {
-				$return->$key = (string) $value;
-			}
+		$return = $this->_parse_xml_body( $response_body );
+
+		libxml_use_internal_errors( $errors );
+		libxml_disable_entity_loader( $loader );
+
+		return $return;
+	}
+
+	/**
+	 * Helper function for parsing an XML response body.
+	 *
+	 * @since 3.6.0
+	 * @access private
+	 */
+	private function _parse_xml_body( $response_body ) {
+		if ( ! function_exists( 'simplexml_import_dom' ) || ! class_exists( 'DOMDocument' ) )
+			return false;
+
+		$dom = new DOMDocument;
+		$success = $dom->loadXML( $response_body );
+		if ( ! $success )
+			return false;
+
+		if ( isset( $dom->doctype ) )
+			return false;
+
+		foreach ( $dom->childNodes as $child ) {
+			if ( XML_DOCUMENT_TYPE_NODE === $child->nodeType )
+				return false;
+		}
+
+		$xml = simplexml_import_dom( $dom );
+		if ( ! $xml )
+			return false;
+
+		$return = new stdClass;
+		foreach ( $xml as $key => $value ) {
+			$return->$key = (string) $value;
 		}
 
-		libxml_disable_entity_loader( $loader );
 		return $return;
 	}
 

wp-includes/class-wp-xmlrpc-server.php

@@ -5389,7 +5389,12 @@ class wp_xmlrpc_server extends IXR_Server {
 		sleep(1);
 
 		// Let's check the remote site
-		$linea = wp_remote_retrieve_body( wp_remote_get( $pagelinkedfrom, array( 'timeout' => 10, 'redirection' => 0, 'reject_unsafe_urls' => true ) ) );
+		$http_api_args = array(
+			'timeout' => 10,
+			'redirection' => 0,
+			'limit_response_size' => 153600, // 150 KB
+		);
+		$linea = wp_remote_retrieve_body( wp_safe_remote_get( $pagelinkedfrom, $http_api_args ) );
 
 		if ( !$linea )
 	  		return $this->pingback_error( 16, __( 'The source URL does not exist.' ) );

wp-includes/comment-template.php

@@ -1606,6 +1606,7 @@ function comment_form( $args = array(), $post_id = null ) {
 	$user = wp_get_current_user();
 	$user_identity = $user->exists() ? $user->display_name : '';
 
+	$args = wp_parse_args( $args );
 	if ( ! isset( $args['format'] ) )
 		$args['format'] = current_theme_supports( 'html5', 'comment-form' ) ? 'html5' : 'xhtml';
 

wp-includes/comment.php

@@ -1658,7 +1658,7 @@ function discover_pingback_server_uri( $url, $deprecated = '' ) {
 	if ( 0 === strpos($url, $uploads_dir['baseurl']) )
 		return false;
 
-	$response = wp_remote_head( $url, array( 'timeout' => 2, 'httpversion' => '1.0', 'reject_unsafe_urls' => true ) );
+	$response = wp_safe_remote_head( $url, array( 'timeout' => 2, 'httpversion' => '1.0' ) );
 
 	if ( is_wp_error( $response ) )
 		return false;
@@ -1671,7 +1671,7 @@ function discover_pingback_server_uri( $url, $deprecated = '' ) {
 		return false;
 
 	// Now do a GET since we're going to look in the html headers (and we're sure it's not a binary file)
-	$response = wp_remote_get( $url, array( 'timeout' => 2, 'httpversion' => '1.0', 'reject_unsafe_urls' => true ) );
+	$response = wp_safe_remote_get( $url, array( 'timeout' => 2, 'httpversion' => '1.0' ) );
 
 	if ( is_wp_error( $response ) )
 		return false;
@@ -1906,7 +1906,6 @@ function trackback($trackback_url, $title, $excerpt, $ID) {
 
 	$options = array();
 	$options['timeout'] = 4;
-	$options['reject_unsafe_urls'] = true;
 	$options['body'] = array(
 		'title' => $title,
 		'url' => get_permalink($ID),
@@ -1914,7 +1913,7 @@ function trackback($trackback_url, $title, $excerpt, $ID) {
 		'excerpt' => $excerpt
 	);
 
-	$response = wp_remote_post($trackback_url, $options);
+	$response = wp_safe_remote_post( $trackback_url, $options );
 
 	if ( is_wp_error( $response ) )
 		return;

wp-includes/default-filters.php

@@ -196,6 +196,8 @@ add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object'        );
 add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri'            );
 add_filter( 'xmlrpc_pingback_error',    'xmlrpc_pingback_error'               );
 
+add_filter( 'http_request_host_is_external', 'allowed_http_request_hosts', 10, 2 );
+
 // Actions
 add_action( 'wp_head',             'wp_enqueue_scripts',              1     );
 add_action( 'wp_head',             'feed_links',                      2     );

wp-includes/functions.php

@@ -242,9 +242,10 @@ function maybe_unserialize( $original ) {
  * @since 2.0.5
  *
  * @param mixed $data Value to check to see if was serialized.
+ * @param bool $strict Optional. Whether to be strict about the end of the string. Defaults true.
  * @return bool False if not serialized and true if it was.
  */
-function is_serialized( $data ) {
+function is_serialized( $data, $strict = true ) {
 	// if it isn't a string, it isn't serialized
 	if ( ! is_string( $data ) )
 		return false;
@@ -256,21 +257,39 @@ function is_serialized( $data ) {
 		return false;
 	if ( ':' !== $data[1] )
 		return false;
-	$lastc = $data[$length-1];
-	if ( ';' !== $lastc && '}' !== $lastc )
-		return false;
+	if ( $strict ) {
+		$lastc = $data[ $length - 1 ];
+		if ( ';' !== $lastc && '}' !== $lastc )
+			return false;
+	} else {
+		$semicolon = strpos( $data, ';' );
+		$brace     = strpos( $data, '}' );
+		// Either ; or } must exist.
+		if ( false === $semicolon && false === $brace )
+			return false;
+		// But neither must be in the first X characters.
+		if ( false !== $semicolon && $semicolon < 3 )
+			return false;
+		if ( false !== $brace && $brace < 4 )
+			return false;
+	}
 	$token = $data[0];
 	switch ( $token ) {
 		case 's' :
-			if ( '"' !== $data[$length-2] )
+			if ( $strict ) {
+				if ( '"' !== $data[ $length - 2 ] )
+					return false;
+			} elseif ( false === strpos( $data, '"' ) ) {
 				return false;
+			}
 		case 'a' :
 		case 'O' :
 			return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
 		case 'b' :
 		case 'i' :
 		case 'd' :
-			return (bool) preg_match( "/^{$token}:[0-9.E-]+;\$/", $data );
+			$end = $strict ? '$' : '';
+			return (bool) preg_match( "/^{$token}:[0-9.E-]+;$end/", $data );
 	}
 	return false;
 }
@@ -317,7 +336,7 @@ function maybe_serialize( $data ) {
 
 	// Double serialization is required for backward compatibility.
 	// See http://core.trac.wordpress.org/ticket/12930
-	if ( is_serialized( $data ) )
+	if ( is_serialized( $data, false ) )
 		return serialize( $data );
 
 	return $data;
@@ -496,14 +515,13 @@ function wp_get_http( $url, $file_path = false, $red = 1 ) {
 
 	$options = array();
 	$options['redirection'] = 5;
-	$options['reject_unsafe_urls'] = true;
 
 	if ( false == $file_path )
 		$options['method'] = 'HEAD';
 	else
 		$options['method'] = 'GET';
 
-	$response = wp_remote_request($url, $options);
+	$response = wp_safe_remote_request( $url, $options );
 
 	if ( is_wp_error( $response ) )
 		return false;
@@ -544,7 +562,7 @@ function wp_get_http_headers( $url, $deprecated = false ) {
 	if ( !empty( $deprecated ) )
 		_deprecated_argument( __FUNCTION__, '2.7' );
 
-	$response = wp_remote_head( $url, array( 'reject_unsafe_urls' => true ) );
+	$response = wp_safe_remote_head( $url );
 
 	if ( is_wp_error( $response ) )
 		return false;
@@ -759,9 +777,8 @@ function wp_remote_fopen( $uri ) {
 
 	$options = array();
 	$options['timeout'] = 10;
-	$options['reject_unsafe_urls'] = true;
 
-	$response = wp_remote_get( $uri, $options );
+	$response = wp_safe_remote_get( $uri, $options );
 
 	if ( is_wp_error( $response ) )
 		return false;
@@ -1285,7 +1302,7 @@ function wp_get_referer() {
 		$ref = wp_unslash( $_SERVER['HTTP_REFERER'] );
 
 	if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) )
-		return wp_unslash( $ref );
+		return wp_validate_redirect( $ref, false );
 	return false;
 }
 
@@ -1300,7 +1317,7 @@ function wp_get_referer() {
  */
 function wp_get_original_referer() {
 	if ( !empty( $_REQUEST['_wp_original_http_referer'] ) )
-		return wp_unslash( $_REQUEST['_wp_original_http_referer'] );
+		return wp_validate_redirect( wp_unslash( $_REQUEST['_wp_original_http_referer'] ), false );
 	return false;
 }
 
@@ -2008,10 +2025,20 @@ function wp_get_mime_types() {
  * @uses apply_filters() Calls 'upload_mimes' on returned array
  * @uses wp_get_upload_mime_types() to fetch the list of mime types
  *
+ * @param int|WP_User $user Optional. User to check. Defaults to current user.
  * @return array Array of mime types keyed by the file extension regex corresponding to those types.
  */
-function get_allowed_mime_types() {
-	return apply_filters( 'upload_mimes', wp_get_mime_types() );
+function get_allowed_mime_types( $user = null ) {
+	$t = wp_get_mime_types();
+
+	unset( $t['swf'], $t['exe'] );
+	if ( function_exists( 'current_user_can' ) )
+		$unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );
+
+	if ( empty( $unfiltered ) )
+		unset( $t['htm|html'] );
+
+	return apply_filters( 'upload_mimes', $t, $user );
 }
 
 /**

wp-includes/http.php

@@ -28,6 +28,90 @@ function _wp_http_get_object() {
 	return $http;
 }
 
+/**
+ * Retrieve the raw response from a safe HTTP request.
+ *
+ * This function is ideal when the HTTP request is being made to an arbitrary
+ * URL. The URL is validated to avoid redirection and request forgery attacks.
+ *
+ * @see wp_remote_request() For more information on the response array format
+ * 	and default arguments.
+ *
+ * @since 3.6.0
+ *
+ * @param string $url Site URL to retrieve.
+ * @param array $args Optional. Override the defaults.
+ * @return WP_Error|array The response or WP_Error on failure.
+ */
+function wp_safe_remote_request( $url, $args = array() ) {
+	$args['reject_unsafe_urls'] = true;
+	$http = _wp_http_get_object();
+	return $http->request( $url, $args );
+}
+
+/**
+ * Retrieve the raw response from a safe HTTP request using the GET method.
+ *
+ * This function is ideal when the HTTP request is being made to an arbitrary
+ * URL. The URL is validated to avoid redirection and request forgery attacks.
+ *
+ * @see wp_remote_request() For more information on the response array format
+ * 	and default arguments.
+ *
+ * @since 3.6.0
+ *
+ * @param string $url Site URL to retrieve.
+ * @param array $args Optional. Override the defaults.
+ * @return WP_Error|array The response or WP_Error on failure.
+ */
+function wp_safe_remote_get( $url, $args = array() ) {
+	$args['reject_unsafe_urls'] = true;
+	$http = _wp_http_get_object();
+	return $http->get( $url, $args );
+}
+
+/**
+ * Retrieve the raw response from a safe HTTP request using the POST method.
+ *
+ * This function is ideal when the HTTP request is being made to an arbitrary
+ * URL. The URL is validated to avoid redirection and request forgery attacks.
+ *
+ * @see wp_remote_request() For more information on the response array format
+ * 	and default arguments.
+ *
+ * @since 3.6.0
+ *
+ * @param string $url Site URL to retrieve.
+ * @param array $args Optional. Override the defaults.
+ * @return WP_Error|array The response or WP_Error on failure.
+ */
+function wp_safe_remote_post( $url, $args = array() ) {
+	$args['reject_unsafe_urls'] = true;
+	$http = _wp_http_get_object();
+	return $http->post( $url, $args );
+}
+
+/**
+ * Retrieve the raw response from a safe HTTP request using the HEAD method.
+ *
+ * This function is ideal when the HTTP request is being made to an arbitrary
+ * URL. The URL is validated to avoid redirection and request forgery attacks.
+ *
+ * @see wp_remote_request() For more information on the response array format
+ * 	and default arguments.
+ *
+ * @since 3.6.0
+ *
+ * @param string $url Site URL to retrieve.
+ * @param array $args Optional. Override the defaults.
+ * @return WP_Error|array The response or WP_Error on failure.
+ */
+function wp_safe_remote_head( $url, $args = array() ) {
+	$args['reject_unsafe_urls'] = true;
+	$http = _wp_http_get_object();
+	return $http->head( $url, $args );
+}
+
 /**
  * Retrieve the raw response from the HTTP request.
  *
@@ -367,15 +451,16 @@ function wp_http_validate_url( $url ) {
 				$ip = false;
 		}
 		if ( $ip ) {
-			if ( '127.0.0.1' === $ip )
-				return false;
 			$parts = array_map( 'intval', explode( '.', $ip ) );
-			if ( 10 === $parts[0] )
-				return false;
-			if ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
-				return false;
-			if ( 192 === $parts[0] && 168 === $parts[1] )
-				return false;
+			if ( '127.0.0.1' === $ip
+				|| ( 10 === $parts[0] )
+				|| ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
+				|| ( 192 === $parts[0] && 168 === $parts[1] )
+			) {
+				// If host appears local, reject unless specifically allowed.
+				if ( ! apply_filters( 'http_request_host_is_external', false, $host, $url ) )
+					return false;
+			}
 		}
 	}
 
@@ -391,3 +476,44 @@ function wp_http_validate_url( $url ) {
 
 	return false;
 }
+
+/**
+ * Whitelists allowed redirect hosts for safe HTTP requests as well.
+ *
+ * Attached to the http_request_host_is_external filter.
+ *
+ * @since 3.6.0
+ *
+ * @param bool $is_external
+ * @param string $host
+ * @return bool
+ */
+function allowed_http_request_hosts( $is_external, $host ) {
+	if ( ! $is_external && wp_validate_redirect( 'http://' . $host ) )
+		$is_external = true;
+	return $is_external;
+}
+
+/**
+ * Whitelists any domain in a multisite installation for safe HTTP requests.
+ *
+ * Attached to the http_request_host_is_external filter.
+ *
+ * @since 3.6.0
+ *
+ * @param bool $is_external
+ * @param string $host
+ * @return bool
+ */
+function ms_allowed_http_request_hosts( $is_external, $host ) {
+	global $wpdb, $current_site;
+	static $queried = array();
+	if ( $is_external )
+		return $is_external;
+	if ( $host === $current_site->domain )
+		return true;
+	if ( isset( $queried[ $host ] ) )
+		return $queried[ $host ];
+	$queried[ $host ] = (bool) $wpdb->get_var( $wpdb->prepare( "SELECT domain FROM $wpdb->blogs WHERE domain = %s LIMIT 1", $host ) );
+	return $queried[ $host ];
+}

wp-includes/js/autosave.js

@@ -2,22 +2,11 @@ var autosave, autosaveLast = '', autosavePeriodical, autosaveDelayPreview = fals
 
 jQuery(document).ready( function($) {
 
-	if ( $('#wp-content-wrap').hasClass('tmce-active') && typeof tinymce != 'undefined' ) {
-		tinymce.onAddEditor.add( function( tinymce, editor ) {
-			if ( 'content' == editor.id ) {
-				editor.onLoad.add( function() {
-					editor.save();
-					if ( typeof switchEditors != 'undefined' ) {
-						autosaveLast = wp.autosave.getCompareString({
-							post_title : $('#title').val() || '',
-							content : switchEditors.pre_wpautop( $('#content').val() ) || '',
-							excerpt : $('#excerpt').val() || '',
-						});
-					} else {
-						autosaveLast = wp.autosave.getCompareString();
-					}
-				});
-			}
+	if ( $('#wp-content-wrap').hasClass('tmce-active') && typeof switchEditors != 'undefined' ) {
+		autosaveLast = wp.autosave.getCompareString({
+			post_title : $('#title').val() || '',
+			content : switchEditors.pre_wpautop( $('#content').val() ) || '',
+			excerpt : $('#excerpt').val() || ''
 		});
 	} else {
 		autosaveLast = wp.autosave.getCompareString();

wp-includes/js/heartbeat.js

@@ -1,6 +1,10 @@
 /**
  * Heartbeat API
  *
+ * Note: this API is "experimental" meaning it will likely change a lot
+ * in the next few releases based on feedback from 3.6.0. If you intend
+ * to use it, please follow the development closely.
+ *
  * Heartbeat is a simple server polling API that sends XHR requests to
  * the server every 15 seconds and triggers events (or callbacks) upon
  * receiving data. Currently these 'ticks' handle transports for post locking,
@@ -47,7 +51,6 @@ window.wp = window.wp || {};
 		 * Returns a boolean that's indicative of whether or not there is a connection error
 		 *
 		 * @returns boolean
-		 * @private
 		 */
 		this.hasConnectionError = function() {
 			return hasConnectionError;
@@ -222,7 +225,7 @@ window.wp = window.wp || {};
 				return;
 
 			if ( ! hasFocus ) {
-				t = 120000; // 2 min
+				t = 100000; // 100 sec. Post locks expire after 120 sec.
 			} else if ( countdown > 0 && tempInterval ) {
 				t = tempInterval;
 				countdown--;

wp-includes/js/heartbeat.min.js

@@ -1 +1 @@
-window.wp=window.wp||{};(function(a){var b=function(){var t=this,e,c,q=typeof pagenow!="undefined"?pagenow:"",h=typeof ajaxurl!="undefined"?ajaxurl:"",C,B=0,x={},D,i,r=0,A=0,y,f=true,p,j,g,w=-1,l=false;this.hasConnectionError=function(){return l};if(typeof(window.heartbeatSettings)=="object"){C=a.extend({},window.heartbeatSettings);h=C.ajaxurl||h;delete C.ajaxurl;delete C.nonce;D=C.interval||15;delete C.interval;if(D<15){D=15}else{if(D>60){D=60}}D=D*1000;q=q||C.screenId||"front";delete C.screenId;a.extend(this,C)}function k(F){if(F){return parseInt((new Date()).getTime()/1000)}return(new Date()).getTime()}function z(I){var F,H=I.src;if(H&&/^https?:\/\//.test(H)){F=window.location.origin?window.location.origin:window.location.protocol+"//"+window.location.host;if(H.indexOf(F)!==0){return false}}try{if(I.contentWindow.document){return true}}catch(G){}return false}function v(G){var F;if(G){switch(G){case"abort":break;case"timeout":F=true;break;case"parsererror":case"error":case"empty":case"unknown":A++;if(A>2){F=true}break}if(F&&!t.hasConnectionError()){l=true;a(document).trigger("heartbeat-connection-lost",[G])}}else{if(t.hasConnectionError()){A=0;l=false;a(document).trigger("heartbeat-connection-restored")}}}function d(){var J={},I,F,H=true,G=typeof window.heartbeatSettings=="object"?window.heartbeatSettings.nonce:"";B=k();I=a.extend({},x);x={};a(document).trigger("heartbeat-send",[I]);for(F in I){if(I.hasOwnProperty(F)){H=false;break}}if(H&&!t.hasConnectionError()){i=false;u();return}J.data=I;J.interval=D/1000;J._nonce=G;J.action="heartbeat";J.screen_id=q;J.has_focus=f;i=true;t.xhr=a.ajax({url:h,type:"post",timeout:30000,data:J,dataType:"json"}).done(function(K,N,L){var M;if(!K){return v("empty")}if(t.hasConnectionError()){v()}if(K.nonces_expired){a(document).trigger("heartbeat-nonces-expired");return}if(K.heartbeat_interval){M=K.heartbeat_interval;delete K.heartbeat_interval}t.tick(K,N,L);if(M){t.interval.call(t,M)}}).always(function(){i=false;u()}).fail(function(L,M,K){v(M||"unknown");t.error(L,M,K)})}function u(){var G=k()-B,F=D;if(!e){return}if(!f){F=120000}else{if(r>0&&y){F=y;r--}}window.clearTimeout(c);if(G<F){c=window.setTimeout(function(){if(e){d()}},F-G)}else{d()}}function o(){window.clearTimeout(g);window.clearTimeout(w);g=w=0;f=false}function n(){window.clearTimeout(g);window.clearTimeout(w);g=w=0;p=k();if(f){return}f=true;window.clearTimeout(c);if(!i){u()}}function s(){a("iframe").each(function(F,G){if(!z(G)){return}if(a.data(G,"wp-heartbeat-focus")){return}a.data(G,"wp-heartbeat-focus",1);a(G.contentWindow).on("focus.wp-heartbeat-focus",function(H){n()}).on("blur.wp-heartbeat-focus",function(H){s();w=window.setTimeout(function(){o()},500)})})}a(window).on("blur.wp-heartbeat-focus",function(F){s();g=window.setTimeout(function(){o()},500)}).on("focus.wp-heartbeat-focus",function(){a("iframe").each(function(F,G){if(!z(G)){return}a.removeData(G,"wp-heartbeat-focus");a(G.contentWindow).off(".wp-heartbeat-focus")});n()});function E(){j=false;a(document).off(".wp-heartbeat-active");a("iframe").each(function(F,G){if(!z(G)){return}a(G.contentWindow).off(".wp-heartbeat-active")});n()}function m(){var F=p?k()-p:0;if(F>300000&&f){o()}if(!j){a(document).on("mouseover.wp-heartbeat-active keyup.wp-heartbeat-active",function(){E()});a("iframe").each(function(G,H){if(!z(H)){return}a(H.contentWindow).on("mouseover.wp-heartbeat-active keyup.wp-heartbeat-active",function(){E()})});j=true}}window.setInterval(function(){m()},30000);a(document).ready(function(){e=true;B=k();u()});this.hasFocus=function(){return f};this.interval=function(H,G){var F,I;G=parseInt(G,10)||30;G=G<1||G>30?30:G;if(H){switch(H){case"fast":I=5;r=G;break;case"slow":I=60;r=0;break;case"long-polling":D=0;return 0;break;default:I=15;r=0}F=I*1000<D;if(r>0){y=I*1000}else{D=I*1000;y=0}if(F){u()}}if(!f){return 120}return y?y/1000:D/1000};this.enqueue=function(H,G,F){if(H){if(x.hasOwnProperty(H)&&F){return false}x[H]=G;return true}return false};this.isQueued=function(F){return x[F]}};a.extend(b.prototype,{tick:function(d,e,c){a(document).trigger("heartbeat-tick",[d,e,c])},error:function(d,e,c){a(document).trigger("heartbeat-error",[d,e,c])}});wp.heartbeat=new b()}(jQuery));
+window.wp=window.wp||{};(function(a){var b=function(){var t=this,e,c,q=typeof pagenow!="undefined"?pagenow:"",h=typeof ajaxurl!="undefined"?ajaxurl:"",C,B=0,x={},D,i,r=0,A=0,y,f=true,p,j,g,w=-1,l=false;this.hasConnectionError=function(){return l};if(typeof(window.heartbeatSettings)=="object"){C=a.extend({},window.heartbeatSettings);h=C.ajaxurl||h;delete C.ajaxurl;delete C.nonce;D=C.interval||15;delete C.interval;if(D<15){D=15}else{if(D>60){D=60}}D=D*1000;q=q||C.screenId||"front";delete C.screenId;a.extend(this,C)}function k(F){if(F){return parseInt((new Date()).getTime()/1000)}return(new Date()).getTime()}function z(I){var F,H=I.src;if(H&&/^https?:\/\//.test(H)){F=window.location.origin?window.location.origin:window.location.protocol+"//"+window.location.host;if(H.indexOf(F)!==0){return false}}try{if(I.contentWindow.document){return true}}catch(G){}return false}function v(G){var F;if(G){switch(G){case"abort":break;case"timeout":F=true;break;case"parsererror":case"error":case"empty":case"unknown":A++;if(A>2){F=true}break}if(F&&!t.hasConnectionError()){l=true;a(document).trigger("heartbeat-connection-lost",[G])}}else{if(t.hasConnectionError()){A=0;l=false;a(document).trigger("heartbeat-connection-restored")}}}function d(){var J={},I,F,H=true,G=typeof window.heartbeatSettings=="object"?window.heartbeatSettings.nonce:"";B=k();I=a.extend({},x);x={};a(document).trigger("heartbeat-send",[I]);for(F in I){if(I.hasOwnProperty(F)){H=false;break}}if(H&&!t.hasConnectionError()){i=false;u();return}J.data=I;J.interval=D/1000;J._nonce=G;J.action="heartbeat";J.screen_id=q;J.has_focus=f;i=true;t.xhr=a.ajax({url:h,type:"post",timeout:30000,data:J,dataType:"json"}).done(function(K,N,L){var M;if(!K){return v("empty")}if(t.hasConnectionError()){v()}if(K.nonces_expired){a(document).trigger("heartbeat-nonces-expired");return}if(K.heartbeat_interval){M=K.heartbeat_interval;delete K.heartbeat_interval}t.tick(K,N,L);if(M){t.interval.call(t,M)}}).always(function(){i=false;u()}).fail(function(L,M,K){v(M||"unknown");t.error(L,M,K)})}function u(){var G=k()-B,F=D;if(!e){return}if(!f){F=100000}else{if(r>0&&y){F=y;r--}}window.clearTimeout(c);if(G<F){c=window.setTimeout(function(){if(e){d()}},F-G)}else{d()}}function o(){window.clearTimeout(g);window.clearTimeout(w);g=w=0;f=false}function n(){window.clearTimeout(g);window.clearTimeout(w);g=w=0;p=k();if(f){return}f=true;window.clearTimeout(c);if(!i){u()}}function s(){a("iframe").each(function(F,G){if(!z(G)){return}if(a.data(G,"wp-heartbeat-focus")){return}a.data(G,"wp-heartbeat-focus",1);a(G.contentWindow).on("focus.wp-heartbeat-focus",function(H){n()}).on("blur.wp-heartbeat-focus",function(H){s();w=window.setTimeout(function(){o()},500)})})}a(window).on("blur.wp-heartbeat-focus",function(F){s();g=window.setTimeout(function(){o()},500)}).on("focus.wp-heartbeat-focus",function(){a("iframe").each(function(F,G){if(!z(G)){return}a.removeData(G,"wp-heartbeat-focus");a(G.contentWindow).off(".wp-heartbeat-focus")});n()});function E(){j=false;a(document).off(".wp-heartbeat-active");a("iframe").each(function(F,G){if(!z(G)){return}a(G.contentWindow).off(".wp-heartbeat-active")});n()}function m(){var F=p?k()-p:0;if(F>300000&&f){o()}if(!j){a(document).on("mouseover.wp-heartbeat-active keyup.wp-heartbeat-active",function(){E()});a("iframe").each(function(G,H){if(!z(H)){return}a(H.contentWindow).on("mouseover.wp-heartbeat-active keyup.wp-heartbeat-active",function(){E()})});j=true}}window.setInterval(function(){m()},30000);a(document).ready(function(){e=true;B=k();u()});this.hasFocus=function(){return f};this.interval=function(H,G){var F,I;G=parseInt(G,10)||30;G=G<1||G>30?30:G;if(H){switch(H){case"fast":I=5;r=G;break;case"slow":I=60;r=0;break;case"long-polling":D=0;return 0;break;default:I=15;r=0}F=I*1000<D;if(r>0){y=I*1000}else{D=I*1000;y=0}if(F){u()}}if(!f){return 120}return y?y/1000:D/1000};this.enqueue=function(H,G,F){if(H){if(x.hasOwnProperty(H)&&F){return false}x[H]=G;return true}return false};this.isQueued=function(F){return x[F]}};a.extend(b.prototype,{tick:function(d,e,c){a(document).trigger("heartbeat-tick",[d,e,c])},error:function(d,e,c){a(document).trigger("heartbeat-error",[d,e,c])}});wp.heartbeat=new b()}(jQuery));

wp-includes/js/mediaelement/mediaelement-and-player.min.js

@@ -10,7 +10,7 @@
 * Copyright 2010-2013, John Dyer (http://j.hn)
 * License: MIT
 *
-*/var mejs=mejs||{};mejs.version="2.12.1";mejs.meIndex=0;
+*/var mejs=mejs||{};mejs.version="2.13.0";mejs.meIndex=0;
 mejs.plugins={silverlight:[{version:[3,0],types:["video/mp4","video/m4v","video/mov","video/wmv","audio/wma","audio/m4a","audio/mp3","audio/wav","audio/mpeg"]}],flash:[{version:[9,0,124],types:["video/mp4","video/m4v","video/mov","video/flv","video/rtmp","video/x-flv","audio/flv","audio/x-flv","audio/mp3","audio/m4a","audio/mpeg","video/youtube","video/x-youtube"]}],youtube:[{version:null,types:["video/youtube","video/x-youtube","audio/youtube","audio/x-youtube"]}],vimeo:[{version:null,types:["video/vimeo",
 "video/x-vimeo"]}]};
 mejs.Utility={encodeUrl:function(a){return encodeURIComponent(a)},escapeHTML:function(a){return a.toString().split("&").join("&amp;").split("<").join("&lt;").split('"').join("&quot;")},absolutizeUrl:function(a){var b=document.createElement("div");b.innerHTML='<a href="'+this.escapeHTML(a)+'">x</a>';return b.firstChild.href},getScriptPath:function(a){for(var b=0,c,d="",e="",f,g,h=document.getElementsByTagName("script"),l=h.length,j=a.length;b<l;b++){f=h[b].src;c=f.lastIndexOf("/");if(c>-1){g=f.substring(c+

wp-includes/js/mediaelement/wp-mediaelement.css

@@ -8,4 +8,8 @@
 
 .mejs-controls .mejs-time-rail .mejs-time-current {
 	background: #d54e21;
-}
+}
+
+.me-cannotplay {
+	width: auto !important;
+}

wp-includes/js/mediaelement/wp-mediaelement.js

@@ -3,8 +3,13 @@
 	mejs.plugins.silverlight[0].types.push('video/x-ms-wmv');
 	mejs.plugins.silverlight[0].types.push('audio/x-ms-wma');
 
-    $(function () {
-		$('.wp-audio-shortcode, .wp-video-shortcode').mediaelementplayer();
+	$(function () {
+		var settings = {};
+
+		if ( typeof _wpmejsSettings !== 'undefined' )
+			settings.pluginPath = _wpmejsSettings.pluginPath;
+
+		$('.wp-audio-shortcode, .wp-video-shortcode').mediaelementplayer( settings );
 	});
 
-}(jQuery));
+}(jQuery));

wp-includes/js/tinymce/plugins/wordpress/editor_plugin_src.js

@@ -228,6 +228,16 @@
 				o.content = o.content.replace(/<p>(<br ?\/?>|\u00a0|\uFEFF)?<\/p>/g, '<p>&nbsp;</p>');
 			});
 
+			// Fix bug in iOS Safari where it's impossible to type after a touchstart event on the parent document.
+			// Happens after zooming in or out while the keyboard is open. See #25131.
+			if ( tinymce.isIOS5 ) {
+				ed.onKeyDown.add( function() {
+					if ( document.activeElement == document.body ) {
+						ed.getWin().focus();
+					}
+				});
+			}
+
 			ed.onSaveContent.add(function(ed, o) {
 				// If editor is hidden, we just want the textarea's value to be saved
 				if ( ed.isHidden() )

wp-includes/link-template.php

@@ -2020,10 +2020,11 @@ function get_admin_url( $blog_id = null, $path = '', $scheme = 'admin' ) {
  * @since 2.6.0
  *
  * @param string $path Optional. Path relative to the includes url.
+ * @param string $scheme Optional. Scheme to give the includes url context.
  * @return string Includes url link with optional path appended.
 */
-function includes_url($path = '') {
-	$url = site_url() . '/' . WPINC . '/';
+function includes_url( $path = '', $scheme = null ) {
+	$url = site_url( '/' . WPINC . '/', $scheme );
 
 	if ( $path && is_string( $path ) )
 		$url .= ltrim($path, '/');
@@ -2237,10 +2238,17 @@ function set_url_scheme( $url, $scheme = null ) {
 			$scheme = ( is_ssl() ? 'https' : 'http' );
 	}
 
-	if ( 'relative' == $scheme )
-		$url = preg_replace( '#^.+://[^/]*#', '', $url );
-	else
-		$url = preg_replace( '#^.+://#', $scheme . '://', $url );
+	$url = trim( $url );
+	if ( substr( $url, 0, 2 ) === '//' )
+		$url = 'http:' . $url;
+
+	if ( 'relative' == $scheme ) {
+		$url = ltrim( preg_replace( '#^\w+://[^/]*#', '', $url ) );
+		if ( $url !== '' && $url[0] === '/' )
+			$url = '/' . ltrim($url , "/ \t\n\r\0\x0B" );
+	} else {
+		$url = preg_replace( '#^\w+://#', $scheme . '://', $url );
+	}
 
 	return apply_filters( 'set_url_scheme', $url, $scheme, $orig_scheme );
 }

wp-includes/locale.php

@@ -334,7 +334,7 @@ class WP_Locale {
 	 *
 	 * @since 3.6.0
 	 */
-	private function strings_for_pot() {
+	function _strings_for_pot() {
 		/* translators: localized date format, see http://php.net/date */
 		__( 'F j, Y' );
 		/* translators: localized time format, see http://php.net/date */

wp-includes/media.php

@@ -860,7 +860,7 @@ function wp_audio_shortcode( $attr ) {
 		'src'      => '',
 		'loop'     => '',
 		'autoplay' => '',
-		'preload' => 'none'
+		'preload'  => 'none'
 	);
 	foreach ( $default_types as $type )
 		$defaults_atts[$type] = '';
@@ -870,15 +870,15 @@ function wp_audio_shortcode( $attr ) {
 
 	$primary = false;
 	if ( ! empty( $src ) ) {
-		$type = wp_check_filetype( $src );
+		$type = wp_check_filetype( $src, wp_get_mime_types() );
 		if ( ! in_array( $type['ext'], $default_types ) )
-			return sprintf( '<a class="wp-post-format-link-audio" href="%s">%s</a>', esc_url( $src ), esc_html( $src ) );
+			return sprintf( '<a class="wp-embedded-audio" href="%s">%s</a>', esc_url( $src ), esc_html( $src ) );
 		$primary = true;
 		array_unshift( $default_types, 'src' );
 	} else {
 		foreach ( $default_types as $ext ) {
 			if ( ! empty( $$ext ) ) {
-				$type = wp_check_filetype( $$ext );
+				$type = wp_check_filetype( $$ext, wp_get_mime_types() );
 				if ( $type['ext'] === $ext )
 					$primary = true;
 			}
@@ -910,6 +910,7 @@ function wp_audio_shortcode( $attr ) {
 		'loop'     => $loop,
 		'autoplay' => $autoplay,
 		'preload'  => $preload,
+		'style'    => 'width: 100%',
 	);
 
 	// These ones should just be omitted altogether if they are blank
@@ -923,7 +924,10 @@ function wp_audio_shortcode( $attr ) {
 		$attr_strings[] = $k . '="' . esc_attr( $v ) . '"';
 	}
 
-	$html = sprintf( '<audio %s controls="controls">', join( ' ', $attr_strings ) );
+	$html = '';
+	if ( 'mediaelement' === $library && 1 === $instances )
+		$html .= "<!--[if lt IE 9]><script>document.createElement('audio');</script><![endif]-->\n";
+	$html .= sprintf( '<audio %s controls="controls">', join( ' ', $attr_strings ) );
 
 	$fileurl = '';
 	$source = '<source type="%s" src="%s" />';
@@ -931,7 +935,7 @@ function wp_audio_shortcode( $attr ) {
 		if ( ! empty( $$fallback ) ) {
 			if ( empty( $fileurl ) )
 				$fileurl = $$fallback;
-			$type = wp_check_filetype( $$fallback );
+			$type = wp_check_filetype( $$fallback, wp_get_mime_types() );
 			$html .= sprintf( $source, $type['type'], esc_url( $$fallback ) );
 		}
 	}
@@ -940,7 +944,7 @@ function wp_audio_shortcode( $attr ) {
 		$html .= wp_mediaelement_fallback( $fileurl );
 	$html .= '</audio>';
 
-	return apply_filters( 'wp_audio_shortcode', $html, $atts, $audio, $post_id );
+	return apply_filters( 'wp_audio_shortcode', $html, $atts, $audio, $post_id, $library );
 }
 add_shortcode( 'audio', apply_filters( 'wp_audio_shortcode_handler', 'wp_audio_shortcode' ) );
 
@@ -1005,15 +1009,15 @@ function wp_video_shortcode( $attr ) {
 
 	$primary = false;
 	if ( ! empty( $src ) ) {
-		$type = wp_check_filetype( $src );
+		$type = wp_check_filetype( $src, wp_get_mime_types() );
 		if ( ! in_array( $type['ext'], $default_types ) )
-			return sprintf( '<a class="wp-post-format-link-video" href="%s">%s</a>', esc_url( $src ), esc_html( $src ) );
+			return sprintf( '<a class="wp-embedded-video" href="%s">%s</a>', esc_url( $src ), esc_html( $src ) );
 		$primary = true;
 		array_unshift( $default_types, 'src' );
 	} else {
 		foreach ( $default_types as $ext ) {
 			if ( ! empty( $$ext ) ) {
-				$type = wp_check_filetype( $$ext );
+				$type = wp_check_filetype( $$ext, wp_get_mime_types() );
 				if ( $type['ext'] === $ext )
 					$primary = true;
 			}
@@ -1061,7 +1065,10 @@ function wp_video_shortcode( $attr ) {
 		$attr_strings[] = $k . '="' . esc_attr( $v ) . '"';
 	}
 
-	$html = sprintf( '<video %s controls="controls">', join( ' ', $attr_strings ) );
+	$html = '';
+	if ( 'mediaelement' === $library && 1 === $instances )
+		$html .= "<!--[if lt IE 9]><script>document.createElement('video');</script><![endif]-->\n";
+	$html .= sprintf( '<video %s controls="controls">', join( ' ', $attr_strings ) );
 
 	$fileurl = '';
 	$source = '<source type="%s" src="%s" />';
@@ -1069,7 +1076,7 @@ function wp_video_shortcode( $attr ) {
 		if ( ! empty( $$fallback ) ) {
 			if ( empty( $fileurl ) )
 				$fileurl = $$fallback;
-			$type = wp_check_filetype( $$fallback );
+			$type = wp_check_filetype( $$fallback, wp_get_mime_types() );
 			// m4v sometimes shows up as video/mpeg which collides with mp4
 			if ( 'm4v' === $type['ext'] )
 				$type['type'] = 'video/m4v';
@@ -1081,7 +1088,7 @@ function wp_video_shortcode( $attr ) {
 	$html .= '</video>';
 
 	$html = sprintf( '<div style="width: %dpx; max-width: 100%%;">%s</div>', $width, $html );
-	return apply_filters( 'wp_video_shortcode', $html, $atts, $video, $post_id );
+	return apply_filters( 'wp_video_shortcode', $html, $atts, $video, $post_id, $library );
 }
 add_shortcode( 'video', apply_filters( 'wp_video_shortcode_handler', 'wp_video_shortcode' ) );
 
@@ -2017,6 +2024,6 @@ function get_post_galleries_images( $post = 0 ) {
  * @return array A list of a gallery's image srcs in order
  */
 function get_post_gallery_images( $post = 0 ) {
-	$galleries = get_post_gallery( $post, false );
+	$gallery = get_post_gallery( $post, false );
 	return empty( $gallery['src'] ) ? array() : $gallery['src'];
 }

wp-includes/ms-default-filters.php

@@ -63,4 +63,7 @@ remove_filter( 'option_siteurl', '_config_wp_siteurl' );
 remove_filter( 'option_home',    '_config_wp_home'    );
 
 // If the network upgrade hasn't run yet, assume ms-files.php rewriting is used.
-add_filter( 'default_site_option_ms_files_rewriting', '__return_true' );
+add_filter( 'default_site_option_ms_files_rewriting', '__return_true' );
+
+// Whitelist multisite domains for HTTP requests
+add_filter( 'http_request_host_is_external', 'ms_allowed_http_request_hosts', 20, 2 );

wp-includes/ms-functions.php

@@ -378,7 +378,10 @@ function is_email_address_unsafe( $user_email ) {
 	$is_email_address_unsafe = false;
 
 	if ( $banned_names && is_array( $banned_names ) ) {
-		list( $email_local_part, $email_domain ) = explode( '@', $user_email );
+		$banned_names = array_map( 'strtolower', $banned_names );
+		$normalized_email = strtolower( $user_email );
+
+		list( $email_local_part, $email_domain ) = explode( '@', $normalized_email );
 
 		foreach ( $banned_names as $banned_domain ) {
 			if ( ! $banned_domain )
@@ -390,7 +393,7 @@ function is_email_address_unsafe( $user_email ) {
 			}
 
 			$dotted_domain = ".$banned_domain";
-			if ( $dotted_domain === substr( $user_email, -strlen( $dotted_domain ) ) ) {
+			if ( $dotted_domain === substr( $normalized_email, -strlen( $dotted_domain ) ) ) {
 				$is_email_address_unsafe = true;
 				break;
 			}
@@ -898,10 +901,8 @@ function wpmu_create_user( $user_name, $password, $email ) {
 	if ( is_wp_error( $user_id ) )
 		return false;
 
-	$user = new WP_User( $user_id );
-
 	// Newly created users have no roles or caps until they are added to a blog.
-	delete_user_option( $user_id, $user->cap_key );
+	delete_user_option( $user_id, 'capabilities' );
 	delete_user_option( $user_id, 'user_level' );
 
 	do_action( 'wpmu_new_user', $user_id );

wp-includes/pluggable.php

@@ -942,6 +942,7 @@ if ( !function_exists('wp_validate_redirect') ) :
  * @return string redirect-sanitized URL
  **/
 function wp_validate_redirect($location, $default = '') {
+	$location = trim( $location );
 	// browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
 	if ( substr($location, 0, 2) == '//' )
 		$location = 'http:' . $location;

wp-includes/post-formats.php

@@ -38,12 +38,20 @@ function get_post_format( $post = null ) {
  *
  * @uses has_term()
  *
- * @param string $format The format to check for.
- * @param object|int $post The post to check. If not supplied, defaults to the current post if used in the loop.
+ * @param string|array $format The format or formats to check.
+ * @param object|int   $post   The post to check. If not supplied, defaults to the current post if used in the loop.
  * @return bool True if the post has the format, false otherwise.
  */
 function has_post_format( $format, $post = null ) {
-	return has_term('post-format-' . sanitize_key($format), 'post_format', $post);
+	if ( ! is_array( $format ) )
+		$format = array( $format );
+
+	$prefixed = array();
+	foreach( $format as $single ) {
+		$prefixed[] = 'post-format-' . sanitize_key( $single );
+	}
+
+	return has_term( $prefixed, 'post_format', $post );
 }
 
 /**

wp-includes/post-template.php

@@ -1428,31 +1428,5 @@ function wp_list_post_revisions( $post_id = 0, $type = 'all' ) {
 
 	echo "<ul class='post-revisions hide-if-no-js'>\n";
 	echo $rows;
-
-	// if the post was previously restored from a revision
-	// show the restore event details
-	if ( $restored_from_meta = get_post_meta( $post->ID, '_post_restored_from', true ) ) {
-		$author = get_user_by( 'id', $restored_from_meta[ 'restored_by_user' ] );
-		/* translators: revision date format, see http://php.net/date */
-		$datef = _x( 'j F, Y @ G:i:s', 'revision date format');
-		$date = date_i18n( $datef, strtotime( $restored_from_meta[ 'restored_time' ] ) );
-		$time_diff = human_time_diff( $restored_from_meta[ 'restored_time' ] ) ;
-		?>
-		<hr />
-		<div id="revisions-meta-restored">
-			<?php
-			printf(
-				/* translators: restored revision details: 1: gravatar image, 2: author name, 3: time ago, 4: date */
-				__( 'Previously restored by %1$s %2$s, %3$s ago (%4$s)' ),
-				get_avatar( $author->ID, 24 ),
-				$author->display_name,
-				$time_diff,
-				$date
-			);
-			?>
-		</div>
-		<?php
-		echo "</ul>";
-	}
-
+	echo "</ul>";
 }

wp-includes/rss.php

@@ -536,7 +536,7 @@ endif;
  * @return Snoopy style response
  */
 function _fetch_remote_file($url, $headers = "" ) {
-	$resp = wp_remote_request($url, array('headers' => $headers, 'timeout' => MAGPIE_FETCH_TIME_OUT, 'reject_unsafe_urls' => true ));
+	$resp = wp_safe_remote_request( $url, array( 'headers' => $headers, 'timeout' => MAGPIE_FETCH_TIME_OUT ) );
 	if ( is_wp_error($resp) ) {
 		$error = array_shift($resp->errors);
 

wp-includes/script-loader.php

@@ -281,7 +281,7 @@ function wp_default_scripts( &$scripts ) {
 
 	$scripts->add( 'imgareaselect', "/wp-includes/js/imgareaselect/jquery.imgareaselect$suffix.js", array('jquery'), '0.9.8', 1 );
 
-	$scripts->add( 'mediaelement', "/wp-includes/js/mediaelement/mediaelement-and-player.min.js", array('jquery'), '2.12.1-20130724', 1 );
+	$scripts->add( 'mediaelement', "/wp-includes/js/mediaelement/mediaelement-and-player.min.js", array('jquery'), '2.13.0', 1 );
 	did_action( 'init' ) && $scripts->localize( 'mediaelement', 'mejsL10n', array(
 		'language' => get_bloginfo( 'language' ),
 		'strings'  => array(
@@ -302,6 +302,9 @@ function wp_default_scripts( &$scripts ) {
 
 
 	$scripts->add( 'wp-mediaelement', "/wp-includes/js/mediaelement/wp-mediaelement.js", array('mediaelement'), false, 1 );
+	did_action( 'init' ) && $scripts->localize( 'wp-mediaelement', '_wpmejsSettings', array(
+		'pluginPath' => includes_url( 'js/mediaelement/', 'relative' ),
+	) );
 
 	$scripts->add( 'password-strength-meter', "/wp-admin/js/password-strength-meter$suffix.js", array('jquery'), false, 1 );
 	did_action( 'init' ) && $scripts->localize( 'password-strength-meter', 'pwsL10n', array(
@@ -568,7 +571,7 @@ function wp_default_styles( &$styles ) {
 	$styles->add( 'buttons', "/wp-includes/css/buttons$suffix.css" );
 	$styles->add( 'wp-auth-check', "/wp-includes/css/wp-auth-check$suffix.css" );
 
-	$styles->add( 'mediaelement', "/wp-includes/js/mediaelement/mediaelementplayer.min.css", array(), '2.12.1-20130724' );
+	$styles->add( 'mediaelement', "/wp-includes/js/mediaelement/mediaelementplayer.min.css", array(), '2.13.0' );
 	$styles->add( 'wp-mediaelement', "/wp-includes/js/mediaelement/wp-mediaelement.css", array( 'mediaelement' ) );
 
 	foreach ( $rtl_styles as $rtl_style ) {

wp-includes/theme.php

@@ -1264,6 +1264,20 @@ function add_theme_support( $feature ) {
 				$args[0] = array_intersect( $args[0], array_keys( get_post_format_slugs() ) );
 			break;
 
+		case 'html5' :
+			// You can't just pass 'html5', you need to pass an array of types.
+			if ( empty( $args[0] ) ) {
+				$args = array( 0 => array( 'comment-list', 'comment-form', 'search-form' ) );
+			} elseif ( ! is_array( $args[0] ) ) {
+				_doing_it_wrong( "add_theme_support( 'html5' )", 'You need to pass an array of types.', '3.6.1' );
+				return false;
+			}
+
+			// Calling 'html5' again merges, rather than overwrites.
+			if ( isset( $_wp_theme_features['html5'] ) )
+				$args[0] = array_merge( $_wp_theme_features['html5'][0], $args[0] );
+			break;
+
 		case 'custom-header-uploads' :
 			return add_theme_support( 'custom-header', array( 'uploads' => true ) );
 			break;
@@ -1547,11 +1561,15 @@ function current_theme_supports( $feature ) {
 			return in_array( $content_type, $_wp_theme_features[$feature][0] );
 			break;
 
+		case 'html5':
 		case 'post-formats':
 			// specific post formats can be registered by passing an array of types to
 			// add_theme_support()
-			$post_format = $args[0];
-			return in_array( $post_format, $_wp_theme_features[$feature][0] );
+
+			// Specific areas of HTML5 support *must* be passed via an array to add_theme_support()
+
+			$type = $args[0];
+			return in_array( $type, $_wp_theme_features[$feature][0] );
 			break;
 
 		case 'custom-header':

wp-includes/version.php

@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '3.6-RC2-24803';
+$wp_version = '3.6.1';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
@@ -18,7 +18,7 @@ $wp_db_version = 24448;
  *
  * @global string $tinymce_version
  */
-$tinymce_version = '358-24485';
+$tinymce_version = '358-25336';
 
 /**
  * Holds the required PHP version

wp-includes/wp-db.php

@@ -1204,6 +1204,10 @@ class wpdb {
 
 		// If there is an error then take note of it..
 		if ( $this->last_error = mysql_error( $this->dbh ) ) {
+			// Clear insert_id on a subsequent failed insert.
+			if ( $this->insert_id && preg_match( '/^\s*(insert|replace)\s/i', $query ) )
+				$this->insert_id = 0;
+
 			$this->print_error();
 			return false;
 		}