Changeset 47645

Timestamp:

04/29/2020 04:05:32 PM (4 years ago)

Author:

whyisjake

Message:

Customize: Add additional filters to Customizer to prevent JSON corruption.
User: Invalidate user_activation_key on password update.
Query: Ensure that only a single post can be returned on date/time based queries.
Block Editor: Coding standards, properly escape class names.
Cache API: Ensure proper escaping around the stats method in the cache API.
Formatting: Expand sanitize_file_name to have better support for utf8 characters.

Brings the changes in [47633], [47634], [47635], [47636], [47637], and [47638] to the 5.2 branch.

Props: aduth, batmoo, ehti, ellatrix, jorgefilipecosta, nickdaugherty, noisysocks, pento, peterwilsoncc, sergeybiryukov, sstoqnov, talldanwp, westi, westonruter, whyisjake, whyisjake, xknown.

Location:

branches/5.2

Files:

• . (modified) (1 prop)
• src/wp-includes/blocks/rss.php (modified) (2 diffs)
• src/wp-includes/blocks/search.php (modified) (1 diff)
• src/wp-includes/cache.php (modified) (1 diff)
• src/wp-includes/class-wp-customize-manager.php (modified) (3 diffs)
• src/wp-includes/class-wp-query.php (modified) (1 diff)
• src/wp-includes/formatting.php (modified) (2 diffs)
• src/wp-includes/post.php (modified) (3 diffs)
• src/wp-includes/user.php (modified) (1 diff)
• tests/phpunit/tests/customize/manager.php (modified) (1 diff)
• tests/phpunit/tests/formatting/SanitizeFileName.php (modified) (1 diff)
• tests/phpunit/tests/user.php (modified) (2 diffs)

branches/5.2/src/wp-includes/blocks/rss.php

@@ -81 +81 @@
 
     $classes           = 'grid' === $attributes['blockLayout'] ? ' is-grid columns-' . $attributes['columns'] : '';
-    $list_items_markup = "<ul class='wp-block-rss{$classes}'>{$list_items}</ul>";
+    $list_items_markup = ;
 
     // PHP 5.2 compatibility. See: http://simplepie.org/wiki/faq/i_m_getting_memory_leaks.
@@ -94 +94 @@
  */
 function register_block_core_rss() {
-    register_block_type( 'core/rss',
+    register_block_type(
+        'core/rss',
         array(
             'attributes'      => array(

branches/5.2/src/wp-includes/blocks/search.php

@@ -47 +47 @@
     return sprintf(
         '<form class="%s" role="search" method="get" action="%s">%s</form>',
-        $class,
+        ,
         esc_url( home_url( '/' ) ),
         $label_markup . $input_markup . $button_markup

branches/5.2/src/wp-includes/cache.php

@@ -696 +696 @@
         echo '<ul>';
         foreach ( $this->cache as $group => $cache ) {
-            echo "<li><strong>Group:</strong> $group - ( " . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
+            echo  . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';
         }
         echo '</ul>';

branches/5.2/src/wp-includes/class-wp-customize-manager.php

@@ -2887 +2887 @@
 
         /*
-         * Update the changeset post. The publish_customize_changeset action
-         * will cause the settings in the changeset to be saved via
-         * WP_Customize_Setting::save().
+         * Update the changeset post. The publish_customize_changeset action
+         * 
+         * ().
          */
-
-        // Prevent content filters from corrupting JSON in post_content.
-        $has_kses = ( false !== has_filter( 'content_save_pre', 'wp_filter_post_kses' ) );
-        if ( $has_kses ) {
-            kses_remove_filters();
-        }
-        $has_targeted_link_rel_filters = ( false !== has_filter( 'content_save_pre', 'wp_targeted_link_rel' ) );
-        if ( $has_targeted_link_rel_filters ) {
-            wp_remove_targeted_link_rel_filters();
-        }
-
-        // Note that updating a post with publish status will trigger WP_Customize_Manager::publish_changeset_values().
+        add_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5, 3 );
         if ( $changeset_post_id ) {
             if ( $args['autosave'] && 'auto-draft' !== get_post_status( $changeset_post_id ) ) {
@@ -2929 +2918 @@
             }
         }
-
-        // Restore removed content filters.
-        if ( $has_kses ) {
-            kses_init_filters();
-        }
-        if ( $has_targeted_link_rel_filters ) {
-            wp_init_targeted_link_rel_filters();
-        }
+        remove_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5 );
 
         $this->_changeset_data = null; // Reset so WP_Customize_Manager::changeset_data() will re-populate with updated contents.
@@ -2952 +2934 @@
 
         return $response;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
     }
 

branches/5.2/src/wp-includes/class-wp-query.php

@@ -798 +798 @@
         } elseif ( $qv['p'] ) {
             $this->is_single = true;
-        } elseif ( ( '' !== $qv['hour'] ) && ( '' !== $qv['minute'] ) && ( '' !== $qv['second'] ) && ( '' != $qv['year'] ) && ( '' != $qv['monthnum'] ) && ( '' != $qv['day'] ) ) {
-            // If year, month, day, hour, minute, and second are set, a single
-            // post is being queried.
-            $this->is_single = true;
         } elseif ( '' != $qv['pagename'] || ! empty( $qv['page_id'] ) ) {
             $this->is_page   = true;

branches/5.2/src/wp-includes/formatting.php

@@ -1999 +1999 @@
     $filename_raw  = $filename;
     $special_chars = array( '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', chr( 0 ) );
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
     /**
      * Filters the list of characters to remove from a filename.
@@ -2008 +2026 @@
      */
     $special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
-    $filename      = preg_replace( "#\x{00a0}#siu", ' ', $filename );
     $filename      = str_replace( $special_chars, '', $filename );
     $filename      = str_replace( array( '%20', '+' ), '-', $filename );

branches/5.2/src/wp-includes/post.php

@@ -3386 +3386 @@
     global $wpdb;
 
+
+
+
     $user_id = get_current_user_id();
 
@@ -3697 +3700 @@
          *
          * @since 3.9.0
+
          *
-         * @param array $data    An array of sanitized attachment post data.
-         * @param array $postarr An array of unsanitized attachment post data.
+         * @param array $data                An array of slashed, sanitized, and processed attachment post data.
+         * @param array $postarr             An array of slashed and sanitized attachment post data, but not processed.
+         * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed attachment post data
+         *                                   as originally passed to wp_insert_post().
          */
-        $data = apply_filters( 'wp_insert_attachment_data', $data, $postarr );
+        $data = apply_filters( 'wp_insert_attachment_data', $data, $postarr );
     } else {
         /**
@@ -3707 +3713 @@
          *
          * @since 2.7.0
+
          *
-         * @param array $data    An array of slashed post data.
-         * @param array $postarr An array of sanitized, but otherwise unmodified post data.
+         * @param array $data                An array of slashed, sanitized, and processed post data.
+         * @param array $postarr             An array of sanitized (and slashed) but otherwise unmodified post data.
+         * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as
+         *                                   originally passed to wp_insert_post().
          */
-        $data = apply_filters( 'wp_insert_post_data', $data, $postarr );
+        $data = apply_filters( 'wp_insert_post_data', $data, $postarr );
     }
     $data  = wp_unslash( $data );

branches/5.2/src/wp-includes/user.php

@@ -1774 +1774 @@
 
     if ( $update ) {
-        if ( $user_email !== $old_user_data->user_email ) {
+        if ( $user_email !== $old_user_data->user_email ) {
             $data['user_activation_key'] = '';
         }

branches/5.2/tests/phpunit/tests/customize/manager.php

@@ -1162 +1162 @@
 
     /**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
      * Call count for customize_changeset_save_data filter.
      *

branches/5.2/tests/phpunit/tests/formatting/SanitizeFileName.php

@@ -69 +69 @@
         $this->assertEquals( 'no-extension', sanitize_file_name( '_.no-extension' ) );
     }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 }

branches/5.2/tests/phpunit/tests/user.php

@@ -978 +978 @@
     }
 
-    function test_changing_email_invalidates_password_reset_key() {
+    function test_changing_email_invalidates_password_reset_key() {
         global $wpdb;
 
@@ -1003 +1003 @@
             'user_nicename' => 'cat',
             'user_email'    => 'foo@bar.dev',
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
         );
         wp_update_user( $userdata );