
Changeset 47644

Timestamp:
04/29/2020 04:04:20 PM (4 years ago)
Author:
whyisjake
Message:

Customize: Add additional filters to Customizer to prevent JSON corruption.
User: Invalidate user_activation_key on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Block Editor: Coding standards, properly escape class names.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand sanitize_file_name to have better support for utf8 characters.

Brings the changes in [47633], [47634], [47635], [47636], [47637], and [47638] to the 5.4 branch.

Props: aduth, batmoo, ehti, ellatrix, jorgefilipecosta, nickdaugherty, noisysocks, pento, peterwilsoncc, sergeybiryukov, sstoqnov, talldanwp, westi, westonruter, whyisjake, whyisjake, xknown.

Location:
branches/5.3
Files:
12 edited


  • branches/5.3/src/wp-includes/blocks/rss.php

    r46189 r47644  
    9797    }
    9898
    99     $list_items_markup = "<ul class='{$class}'>{$list_items}</ul>";
     99    $list_items_markup = ;
    100100
    101101    // PHP 5.2 compatibility. See: http://simplepie.org/wiki/faq/i_m_getting_memory_leaks.
  • branches/5.3/src/wp-includes/blocks/search.php

    r46189 r47644  
    5353    return sprintf(
    5454        '<form class="%s" role="search" method="get" action="%s">%s</form>',
    55         $class,
     55        ,
    5656        esc_url( home_url( '/' ) ),
    5757        $label_markup . $input_markup . $button_markup
  • branches/5.3/src/wp-includes/cache.php

    r45161 r47644  
    696696        echo '<ul>';
    697697        foreach ( $this->cache as $group => $cache ) {
    698             echo "<li><strong>Group:</strong> $group - ( " . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
     698            echo . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
    699699        }
    700700        echo '</ul>';
  • branches/5.3/src/wp-includes/class-wp-customize-manager.php

    r46548 r47644  
    29242924
    29252925        /*
    2926          * Update the changeset post. The publish_customize_changeset action
    2927          * will cause the settings in the changeset to be saved via
    2928          * WP_Customize_Setting::save().
     2926         * Update the changeset post. The publish_customize_changeset action
     2927         *
     2928         * ().
    29292929         */
    2930 
    2931         // Prevent content filters from corrupting JSON in post_content.
    2932         $has_kses = ( false !== has_filter( 'content_save_pre', 'wp_filter_post_kses' ) );
    2933         if ( $has_kses ) {
    2934             kses_remove_filters();
    2935         }
    2936         $has_targeted_link_rel_filters = ( false !== has_filter( 'content_save_pre', 'wp_targeted_link_rel' ) );
    2937         if ( $has_targeted_link_rel_filters ) {
    2938             wp_remove_targeted_link_rel_filters();
    2939         }
    2940 
    2941         // Note that updating a post with publish status will trigger WP_Customize_Manager::publish_changeset_values().
     2930        add_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5, 3 );
    29422931        if ( $changeset_post_id ) {
    29432932            if ( $args['autosave'] && 'auto-draft' !== get_post_status( $changeset_post_id ) ) {
     
    29662955            }
    29672956        }
    2968 
    2969         // Restore removed content filters.
    2970         if ( $has_kses ) {
    2971             kses_init_filters();
    2972         }
    2973         if ( $has_targeted_link_rel_filters ) {
    2974             wp_init_targeted_link_rel_filters();
    2975         }
     2957        remove_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5 );
    29762958
    29772959        $this->_changeset_data = null; // Reset so WP_Customize_Manager::changeset_data() will re-populate with updated contents.
     
    29892971
    29902972        return $response;
     2973
     2974
     2975
     2976
     2977
     2978
     2979
     2980
     2981
     2982
     2983
     2984
     2985
     2986
     2987
     2988
     2989
     2990
     2991
     2992
     2993
     2994
     2995
     2996
     2997
     2998
     2999
     3000
     3001
     3002
     3003
     3004
     3005
     3006
     3007
     3008
     3009
     3010
     3011
     3012
     3013
     3014
     3015
     3016
     3017
    29913018    }
    29923019
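Review bot: The `add_filter` at 2930 and the matching `remove_filter` at 2957 are not paired by a `try`/`finally`, so if any hook fired by the post update between them throws or calls `wp_die()`, `preserve_insert_changeset_post_content` stays attached to `wp_insert_post_data` at priority 5 for the rest of the request and would also run on unrelated inserts; the removed `$has_kses` / `kses_init_filters()` pairing at 2970–2975 had the same exposure, so this is not new, but the replacement is the moment to close it. `finally` is available on this branch's PHP floor, so `try { if ( $changeset_post_id ) { … } } finally { remove_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5 ); }` keeps the cleanup unconditional. The 45 added lines at 2973–3017 (presumably the new callback method) are blank in this rendering, so whether it restricts itself to changeset posts cannot be confirmed here; its docblock should state that constraint explicitly since it hands raw `post_content` past the kses filters. The enclosing method starts outside the hunk.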
  • branches/5.3/src/wp-includes/class-wp-query.php

    r46474 r47644  
    801801        } elseif ( $qv['p'] ) {
    802802            $this->is_single = true;
    803         } elseif ( ( '' !== $qv['hour'] ) && ( '' !== $qv['minute'] ) && ( '' !== $qv['second'] ) && ( '' != $qv['year'] ) && ( '' != $qv['monthnum'] ) && ( '' != $qv['day'] ) ) {
    804             // If year, month, day, hour, minute, and second are set, a single
    805             // post is being queried.
    806             $this->is_single = true;
    807803        } elseif ( '' != $qv['pagename'] || ! empty( $qv['page_id'] ) ) {
    808804            $this->is_page   = true;
  • branches/5.3/src/wp-includes/formatting.php

    r46900 r47644  
    20042004    $filename_raw  = $filename;
    20052005    $special_chars = array( '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', chr( 0 ) );
     2006
     2007
     2008
     2009
     2010
     2011
     2012
     2013
     2014
     2015
     2016
     2017
     2018
     2019
     2020
     2021
     2022
     2023
    20062024    /**
    20072025     * Filters the list of characters to remove from a filename.
     
    20132031     */
    20142032    $special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
    2015     $filename      = preg_replace( "#\x{00a0}#siu", ' ', $filename );
    20162033    $filename      = str_replace( $special_chars, '', $filename );
    20172034    $filename      = str_replace( array( '%20', '+' ), '-', $filename );
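Review bot: The 18 lines added at 2006–2023 are blank in this rendering, so the replacement for the removed `\x{00a0}` `preg_replace` at 2015 cannot be checked here. If it still routes `$filename` through a PCRE call with the `u` modifier, `preg_replace` returns null for input that is not valid UTF-8 and the later `str_replace` calls at 2033–2034 would then operate on null, yielding an empty filename rather than a sanitized one; the removed line had the same property. The null return should be handled explicitly since `??` is not available on this branch's PHP floor, e.g. `$stripped = preg_replace( …, ' ', $filename ); if ( null !== $stripped ) { $filename = $stripped; }`, and the `sanitize_file_name()` docblock (outside the hunk) should say how non-UTF-8 input is treated. The enclosing function starts and ends outside the hunk.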
  • branches/5.3/src/wp-includes/post.php

    r46977 r47644  
    35553555    global $wpdb;
    35563556
     3557
     3558
     3559
    35573560    $user_id = get_current_user_id();
    35583561
     
    38663869         *
    38673870         * @since 3.9.0
     3871
    38683872         *
    3869          * @param array $data    An array of sanitized attachment post data.
    3870          * @param array $postarr An array of unsanitized attachment post data.
     3873         * @param array $data                An array of slashed, sanitized, and processed attachment post data.
     3874         * @param array $postarr             An array of slashed and sanitized attachment post data, but not processed.
     3875         * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed attachment post data
     3876         *                                   as originally passed to wp_insert_post().
    38713877         */
    3872         $data = apply_filters( 'wp_insert_attachment_data', $data, $postarr );
     3878        $data = apply_filters( 'wp_insert_attachment_data', $data, $postarr );
    38733879    } else {
    38743880        /**
     
    38763882         *
    38773883         * @since 2.7.0
     3884
    38783885         *
    3879          * @param array $data    An array of slashed post data.
    3880          * @param array $postarr An array of sanitized, but otherwise unmodified post data.
     3886         * @param array $data                An array of slashed, sanitized, and processed post data.
     3887         * @param array $postarr             An array of sanitized (and slashed) but otherwise unmodified post data.
     3888         * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as
     3889         *                                   originally passed to wp_insert_post().
    38813890         */
    3882         $data = apply_filters( 'wp_insert_post_data', $data, $postarr );
     3891        $data = apply_filters( 'wp_insert_post_data', $data, $postarr );
    38833892    }
    38843893    $data  = wp_unslash( $data );
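Review bot: The new `@param array $unsanitized_postarr` docblocks at 3873–3876 and 3886–3889 say the data is unsanitized but not what that implies for a callback: anything copied from `$unsanitized_postarr` into the returned `$data` reaches the database without having passed `sanitize_post()` or the kses `content_save_pre` filters, and the customizer callback this changeset adds appears to rely on exactly that for changeset JSON. The contract should state it, e.g. add after 3889: ` *                                   Callbacks that copy values from it into $data take over responsibility for validating them.`. The added lines at 3557–3559 and the third argument on 3878/3891 are blank in this rendering, so where `$unsanitized_postarr` is captured relative to `wp_slash`/`sanitize_post` can only be inferred from the docblock wording. The enclosing `wp_insert_post()` starts and ends outside the hunk.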
  • branches/5.3/src/wp-includes/user.php

    r47417 r47644  
    17941794
    17951795    if ( $update ) {
    1796         if ( $user_email !== $old_user_data->user_email ) {
     1796        if ( $user_email !== $old_user_data->user_email ) {
    17971797            $data['user_activation_key'] = '';
    17981798        }
  • branches/5.3/tests/phpunit/tests/customize/manager.php

    r46548 r47644  
    12421242
    12431243    /**
     1244
     1245
     1246
     1247
     1248
     1249
     1250
     1251
     1252
     1253
     1254
     1255
     1256
     1257
     1258
     1259
     1260
     1261
     1262
     1263
     1264
     1265
     1266
     1267
     1268
     1269
     1270
     1271
     1272
     1273
     1274
     1275
     1276
     1277
     1278
     1279
     1280
     1281
     1282
     1283
     1284
     1285
     1286
     1287
     1288
     1289
     1290
     1291
     1292
     1293
     1294
     1295
     1296
     1297
     1298
     1299
     1300
     1301
     1302
     1303
     1304
     1305
     1306
     1307
     1308
     1309
     1310
     1311
     1312
     1313
     1314
     1315
     1316
     1317
     1318
     1319
     1320
     1321
     1322
     1323
     1324
     1325
     1326
     1327
     1328
     1329
     1330
     1331
     1332
     1333
     1334
     1335
     1336
     1337
     1338
     1339
     1340
     1341
     1342
     1343
     1344
     1345
     1346
     1347
     1348
     1349
     1350
     1351
     1352
     1353
     1354
     1355
     1356
     1357
     1358
     1359
     1360
     1361
     1362
     1363
     1364
     1365
     1366
     1367
     1368
     1369
     1370
     1371
     1372
     1373
     1374
     1375
     1376
     1377
     1378
     1379
     1380
     1381
     1382
     1383
     1384
     1385
     1386
     1387
     1388
     1389
     1390
     1391
     1392
     1393
     1394
     1395
     1396
     1397
     1398
     1399
     1400
     1401
     1402
     1403
     1404
     1405
     1406
     1407
     1408
    12441409     * Call count for customize_changeset_save_data filter.
    12451410     *
  • branches/5.3/tests/phpunit/tests/formatting/SanitizeFileName.php

    r42343 r47644  
    6969        $this->assertEquals( 'no-extension', sanitize_file_name( '_.no-extension' ) );
    7070    }
     71
     72
     73
     74
     75
     76
     77
     78
     79
     80
     81
     82
     83
     84
     85
     86
    7187}
  • branches/5.3/tests/phpunit/tests/user.php

    r45874 r47644  
    10261026    }
    10271027
    1028     function test_changing_email_invalidates_password_reset_key() {
     1028    function test_changing_email_invalidates_password_reset_key() {
    10291029        global $wpdb;
    10301030
     
    10511051            'user_nicename' => 'cat',
    10521052            'user_email'    => 'foo@bar.dev',
     1053
     1054
     1055
     1056
     1057
     1058
     1059
     1060
     1061
     1062
     1063
     1064
     1065
     1066
     1067
     1068
     1069
     1070
     1071
     1072
    10531073        );
    10541074        wp_update_user( $userdata );