IntenseWebs/WordPress
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
1ec392175ce5f0320072e7b195a8d091bccddefb
WordPress/wp-includes
History
Andrew Nacin 1ec392175c Additional checks when evaluating the safety of an HTTP request, to avoid false negatives. 
* Check if the host is considered a safe redirect host.
 * Check if the host is another domain in a multisite installation.
 * Add a filter to control this.

This only occurs when the DNS resolution of a domain points elsewhere in an internal network, but only internally (and has its own public IP outside the network). This could be considered a bad configuration.

fixes #24646.



git-svn-id: http://core.svn.wordpress.org/trunk@24915 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-31 06:44:57 +00:00
..
css
Compress scripts/styles: 3.6-beta4-24697.
2013-07-13 00:58:52 +00:00
ID3
ID3 1.9.7.
2013-07-13 00:37:36 +00:00
images
Copy wpspin_light to wp-includes as wpspin.gif. Use it in media views. see #22728.
2012-12-04 16:18:53 +00:00
js
Compress scripts/styles: 3.7-alpha-24912.
2013-07-31 04:58:59 +00:00
pomo
Avoid 'Only variables should be passed by reference' warning. fixes #23232.
2013-01-31 01:01:19 +00:00
SimplePie
SimplePie: Merge 5e046a3 from upstream. props rlerdorf, see #24210.
2013-07-08 17:10:16 +00:00
Text
Declare Text_Diff::trimNewlines() as static. Upstream is not back compat. props aaroncampbell. fixes #24372.
2013-05-25 22:10:53 +00:00
theme-compat
Don't return encoded ampersands from get_post_comments_feed_link() to avoid canonical redirect issues. Apply esc_url() when appropriate.
2012-11-07 19:56:10 +00:00
admin-bar.php
Use meta caps edit_post, read_post, and delete_post directly, rather than consulting the post type object. map_meta_cap() handles that for us. props markjaquith, kovshenin. fixes #23226.
2013-07-08 20:05:42 +00:00
atomlib.php
Use correct variable in atomlib library, inside an error message. props rlerdorf, see #24110.
2013-05-07 16:37:21 +00:00
author-template.php
Switch to a transient for is_multi_author(). props markjaquith, fixes #24445.
2013-07-10 04:20:41 +00:00
bookmark-template.php
In wp_list_bookmarks(), don't stomp the categorize argument. Fixes categorized display in the links widget.
2012-11-28 23:19:03 +00:00
bookmark.php
Fix potential SQLi through improper use of API functions.
2013-07-29 18:16:47 +00:00
cache.php
Correct inline docs for cache.php. props ocean90. fixes #23058.
2013-01-22 20:44:30 +00:00
canonical.php
Support IIS 8 and above.
2013-07-08 20:27:06 +00:00
capabilities.php
Use meta caps edit_post, read_post, and delete_post directly, rather than consulting the post type object. map_meta_cap() handles that for us. props markjaquith, kovshenin. fixes #23226.
2013-07-08 20:05:42 +00:00
category-template.php
PHPDoc fixes and additions. fixes #24616.
2013-06-21 12:45:11 +00:00
category.php
Pinking shears
2012-11-17 15:11:29 +00:00
class-feed.php
Better validation of the URL used in core HTTP requests.
2013-06-21 06:07:47 +00:00
class-http.php
Introduce wp_safe_remote_request(). Also wp_safe_remote_head(), wp_safe_remote_get(), wp_safe_remote_post().
2013-07-30 15:37:01 +00:00
class-IXR.php
Specify the encoding in IXR_Server::output(). Props solarissmoke, sergey.s.betke@novgaro.ru, SergeyBiryukov. fixes #4794
2012-08-15 20:12:00 +00:00
class-json.php
Patch Services_JSON to use the proper function name and avoid a fatal error. see #24210.
2013-07-08 16:55:34 +00:00
class-oembed.php
Improved XML handling for oEmbed.
2013-07-30 21:57:27 +00:00
class-phpass.php
Add strict check to phpass's CheckPassword() method to avoid issues when the method is improperly called.
2013-06-21 01:21:12 +00:00
class-phpmailer.php
Update to PHPMailer 5.2.4. props bpetty. fixes #21074.
2013-02-28 18:33:13 +00:00
class-pop3.php
Update pop3 class. Props aaroncampbell. fixes #17064
2011-04-21 20:40:32 +00:00
class-simplepie.php
Update SimplePie to 1.3.1. Props rmccue, ocean90. fixes #22321
2012-11-05 14:25:25 +00:00
class-smtp.php
Update to PHPMailer 5.2.4. props bpetty. fixes #21074.
2013-02-28 18:33:13 +00:00
class-snoopy.php
Use correct variable in the deprecated and abandoned Snoopy HTTP client. see #24210.
2013-07-08 17:17:46 +00:00
class-wp-admin-bar.php
Don't render the screen reader shortcut 'Log Out' link in the toolbar when the user is not logged in.
2013-06-19 08:15:04 +00:00
class-wp-ajax-response.php
Specify the charset in WP_Ajax_Response::send(). Props sergey.s.betke@novgaro.ru, SergeyBiryukov. fixes #19448
2012-08-15 18:17:21 +00:00
class-wp-customize-control.php
Remove /extend/ from URLs to wordpress.org/plugins, /themes, and /mobile, as those are all now top-level. see #24389.
2013-05-22 21:01:57 +00:00
class-wp-customize-manager.php
Avoid empty header color after enabling header text via Customizer. props obenland, fixes #23761.
2013-07-12 20:41:46 +00:00
class-wp-customize-section.php
Refactor the Customizer accordion so that it can be used in other locations.
2013-02-14 22:58:04 +00:00
class-wp-customize-setting.php
Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().
2013-03-03 16:30:38 +00:00
class-wp-editor.php
Remove the Spellchecker button from TinyMCE.
2013-07-18 22:44:40 +00:00
class-wp-embed.php
Use correct escaping function. props duck_.
2013-01-22 16:37:54 +00:00
class-wp-error.php
Correct inline docs for is_wp_error(). props johnbillion. fixes #24637.
2013-06-24 18:23:45 +00:00
class-wp-http-ixr-client.php
Lose EOF ?>. Clean up EOF newlines. fixes #12307
2012-01-08 17:01:11 +00:00
class-wp-image-editor-gd.php
Fix editing images with GD when using streams.
2013-07-17 21:16:44 +00:00
class-wp-image-editor-imagick.php
Remove debug.
2013-07-22 17:13:41 +00:00
class-wp-image-editor.php
Fix editing images with GD when using streams.
2013-07-17 21:16:44 +00:00
class-wp-theme.php
Revert [23394] until there is a consensus on target="_blank" (or not) for these external links. see #20839.
2013-07-08 13:04:07 +00:00
class-wp-walker.php
Fix E_STRICT notices in walkers. props dvarga. see #24356.
2013-05-28 03:29:15 +00:00
class-wp-xmlrpc-server.php
Limit pingback response size. fixes #4137. for trunk.
2013-07-29 18:00:06 +00:00
class-wp.php
Remove double-strip on HTTP_IF_NONE_MATCH, which was done years ago (in #2597). see #21767.
2013-03-01 17:51:16 +00:00
class.wp-dependencies.php
Revert [21420] and [21481]. Accepting a string caused back compat problems including the possibility of revealing previously hidden circular dependencies resulting in infinite loops.
2012-10-23 20:32:12 +00:00
class.wp-scripts.php
If someone tries to localize 'jquery', which is now an alias with jquery-core and jquery-migrate dependencies, add the data to jquery-core.
2013-07-10 05:38:17 +00:00
class.wp-styles.php
WP Styles: Correctly print 'after' data when scripts are concatenated. props stephenh1988. fixes #20836.
2013-04-22 19:22:09 +00:00
comment-template.php
Remove pattern="" in the comment form (HTML5 mode) to avoid mistaken :invalid styles.
2013-07-05 21:59:10 +00:00
comment.php
Use wp_slash() in places where we improperly used the DB API instead. see #21767.
2013-07-16 14:19:03 +00:00
compat.php
Restore compat for json_decode and json_encode. fixes #18015 for trunk.
2011-07-06 23:33:05 +00:00
cron.php
Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().
2013-03-03 16:30:38 +00:00
default-constants.php
Make Twenty Thirteen the default theme.
2013-02-28 19:01:07 +00:00
default-filters.php
Additional checks when evaluating the safety of an HTTP request, to avoid false negatives.
2013-07-31 06:44:57 +00:00
default-widgets.php
Avoid an undefined index notice in WP_Widget_Recent_Posts::update(). props jrf. fixes #24577.
2013-06-23 08:20:08 +00:00
deprecated.php
Fix context for get_post() in the deprecated wp_get_single_post(). fixes #24602.
2013-06-19 07:58:28 +00:00
feed-atom-comments.php
its <=> it's in documentation, along with a rogue the, The, and looses. props trepmal. fixes #22665.
2012-12-20 15:55:32 +00:00
feed-atom.php
Don't return encoded ampersands from get_post_comments_feed_link() to avoid canonical redirect issues. Apply esc_url() when appropriate.
2012-11-07 19:56:10 +00:00
feed-rdf.php
Add the generator element in feeds through the {rss2|atom|rdf|rss|opml}_head hooks. Fixes #6947 props sivel.
2010-02-13 16:45:16 +00:00
feed-rss2-comments.php
Use get_search_query() in feed-rss2-comments.php. Props SergeyBiryukov. fixes #21365
2012-07-25 18:04:17 +00:00
feed-rss2.php
Use the_content_feed() when looking for zero-length post content for RSS2 feeds. Now you can have blank posts with content generated by the_content filters. props SergeyBiryukov. fixes #15604
2012-07-09 03:33:01 +00:00
feed-rss.php
Use the site's locale for the feed language. Provides the same result as language_attributes(). Removes the rss_language option. fixes #13440. see #5517.
2012-01-29 19:56:33 +00:00
feed.php
Fix typos in phpdoc. props TheLastCicada. fixes #24302.
2013-05-10 01:39:30 +00:00
formatting.php
Deprecate wpdb::escape() in favor of wpdb::prepare() and esc_sql(). fixes #24774.
2013-07-16 17:44:42 +00:00
functions.php
Allow HTTPS URL enclosures.
2013-07-28 19:07:43 +00:00
functions.wp-scripts.php
Fix typo in phpdoc. props fanquake. fixes #23737.
2013-03-11 09:39:55 +00:00
functions.wp-styles.php
Introduce wp_style_add_data() as a wrapper for $wp_styles->add_data().
2013-07-18 19:46:38 +00:00
general-template.php
Have get_footer() match get_header() etc in [24616]. fixes #24714.
2013-07-09 20:48:02 +00:00
http.php
Additional checks when evaluating the safety of an HTTP request, to avoid false negatives.
2013-07-31 06:44:57 +00:00
kses.php
Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
2013-03-01 16:28:40 +00:00
l10n.php
Inline documentation for esc_attr_x() and esc_html_x(). props fjarrett, fixes #24212.
2013-07-28 21:26:10 +00:00
link-template.php
If wp-login.php is accessed over HTTPS, get_home_url() should not return HTTPS. This is the same assumption we use in the admin.
2013-07-29 01:21:27 +00:00
load.php
Documentation for [24564]. see #23811.
2013-07-08 12:59:10 +00:00
locale.php
Add some localized date/time strings to the main wordpress.pot. These strings appear in the admin only but can be leveraged outside of the admin by design. fixes #22916.
2013-06-20 14:27:37 +00:00
media-template.php
Media: Fix embedding of audio/video players when the file was just uploaded.
2013-07-23 17:29:55 +00:00
media.php
Update HTML classes in the audio and video shortcodes. props rfair404. fixes #24820.
2013-07-29 06:51:46 +00:00
meta.php
Use sanitize_key() instead of esc_sql() when 'escaping' variable DB field names. see #21767.
2013-07-16 14:21:05 +00:00
ms-blogs.php
Fix typo in phpdoc. props belloswan. fixes #24217.
2013-04-29 12:49:33 +00:00
ms-default-constants.php
Multisite in a subdirectory: For subdomain installs, use a root admin cookie path, not a wp-admin specific one.
2012-12-04 00:51:02 +00:00
ms-default-filters.php
Additional checks when evaluating the safety of an HTTP request, to avoid false negatives.
2013-07-31 06:44:57 +00:00
ms-deprecated.php
Deprecate get_user_id_from_string() in favor of get_user_by( $field ) where $field is 'email' or 'login'. props SergeyBiryukov. fixes #23190.
2013-02-16 03:02:15 +00:00
ms-files.php
Use stripslashes() instead of wp_unslash() in ms-files.php to avoid formatting.php dependency. props devesine, fixes #24374.
2013-05-20 20:20:22 +00:00
ms-functions.php
Remove "special" multisite spam check in the authentication API.
2013-07-29 03:23:51 +00:00
ms-load.php
Remove some old debug cruft left by yours truly. fixes #24462.
2013-06-26 19:33:58 +00:00
ms-settings.php
Resurrect the switched global. Some are still using it. see #21459
2012-08-22 03:34:00 +00:00
nav-menu-template.php
If a nav menu has no items, wait until after the wp_nav_menu_items filter before deciding whether to print nothing.
2013-07-10 05:14:43 +00:00
nav-menu.php
Keep the Nav Menu walker from blowing up the layout on empty-titled items.
2013-07-05 15:41:46 +00:00
option.php
Make update_option() consistent with add_option() for how serializable data is stored in the object cache.
2013-07-22 04:24:13 +00:00
pluggable-deprecated.php
Remove /extend/ from URLs to wordpress.org/plugins, /themes, and /mobile, as those are all now top-level. see #24389.
2013-05-22 21:01:57 +00:00
pluggable.php
Do not notify the post author about comments if they are no longer a member of the blog.
2013-07-10 22:01:12 +00:00
plugin.php
Close an HTML tag inside the add_filter() inline doc. props johnbillion, fixes #24772.
2013-07-16 13:59:43 +00:00
post-formats.php
Allow has_post_format() to accept an array of formats to check. props ericmann. fixes #17320.
2013-07-28 20:48:09 +00:00
post-template.php
Allow the_title_attribute() to receive a post argument, and use this in get_adjacent_post_rel_link() to make sure tags are stripped from the title output there.
2013-07-23 16:05:40 +00:00
post-thumbnail-template.php
Fix the PHPDoc for the_post_thumbnail(). props georgestephanis. fixes #22885
2012-12-29 17:59:08 +00:00
post.php
When registering a post type, pass the correct argument for feeds to add_permastruct().
2013-07-28 22:28:18 +00:00
query.php
Avoid getting tripped up on post content that starts with <!--nextpage-->. props SergeyBiryukov. fixes #16746.
2013-07-09 05:23:53 +00:00
registration-functions.php
Lose EOF ?>. Clean up EOF newlines. fixes #12307
2012-01-08 17:01:11 +00:00
registration.php
Lose EOF ?>. Clean up EOF newlines. fixes #12307
2012-01-08 17:01:11 +00:00
revision.php
Revisions changes.
2013-07-24 06:08:14 +00:00
rewrite.php
Introduce a new endpoint mask for all archives, fixes #16303.
2013-07-28 19:18:19 +00:00
rss-functions.php
Lose EOF ?>. Clean up EOF newlines. fixes #12307
2012-01-08 17:01:11 +00:00
rss.php
Better validation of the URL used in core HTTP requests.
2013-06-21 06:07:47 +00:00
script-loader.php
Update MediaElement.js to a new 2.12.1 (untagged) build. see #24183.
2013-07-24 05:35:17 +00:00
shortcodes.php
Variables passed by reference do not need to be set first.
2013-04-29 14:48:31 +00:00
taxonomy.php
Add description argument to register_taxonomy().
2013-07-28 23:01:56 +00:00
template-loader.php
Clean up [22347] a bit. see #14348
2012-10-31 23:01:13 +00:00
template.php
Improve punctuation in phpdoc. see #23090.
2013-03-12 09:30:13 +00:00
theme.php
Revert [23467]. Removes structured-post-format theme support.
2013-05-30 17:55:14 +00:00
update.php
Tighten our braces. Fixes #23118 props evansolomon.
2013-01-04 10:13:51 +00:00
user.php
Don't override an existing WP_Error object in wp_authenticate_username_password().
2013-07-29 03:43:22 +00:00
vars.php
Support IIS 8 and above.
2013-07-08 20:27:06 +00:00
version.php
Compress scripts/styles: 3.7-alpha-24912.
2013-07-31 04:58:59 +00:00
widgets.php
Move the PHP4 constructor below the PHP5 one to avoid E_STRICT message. props uuf6429, iandunn. fixes #20801.
2013-05-19 12:32:20 +00:00
wlwmanifest.xml
Lose EOF ?>. Clean up EOF newlines. fixes #12307
2012-01-08 17:01:11 +00:00
wp-db.php
Reset $wpdb->insert_id on a failed INSERT or REPLACE. See [24459] [24494].
2013-07-29 18:14:05 +00:00
wp-diff.php
Go back to plain text diffs between revisions instead of attempting partial rendering.
2013-05-07 20:34:58 +00:00