Themes: Add support for Update URI header.

This allows third-party themes to avoid accidentally being overwritten with an update of a theme of a similar name from the WordPress.org Theme Directory.

Additionally, introduce the `update_themes_{$hostname}` filter, which third-party themes can use to offer updates for a given hostname.

If set, the `Update URI` header field should be a URI and have a unique hostname.

Some examples include:

* `https://wordpress.org/themes/example-theme/`
* `https://example.com/my-theme/`
* `my-custom-theme-name`

`Update URI: false` also works, and unless there is code handling the `false` hostname, the theme will never get an update notification.

If the header is present, the WordPress.org API will currently only return updates for the theme if it matches the following format:

* `https://wordpress.org/themes/{$slug}/`
* `w.org/theme/{$slug}`

If the header has any other value, the API will not return a result and will ignore the theme for update purposes.

Follow-up to [50921].

Props dd32, meloniq, costdev, audrasjb, DavidAnderson, markjaquith, DrewAPicture, mweichert, design_dolphin, filosofo, sean212, nhuja, JeroenReumkens, infolu, dingdang, joyously, earnjam, williampatton, grapplerulrich, markparnell, apedog, afragen, miqrogroove, rmccue, crazycoders, jdgrimes, damonganto, joostdevalk, jorbin, georgestephanis, khromov, GeekStreetWP, jb510, Rarst, juliobox, Ipstenu, mikejolley, Otto42, gMagicScott, TJNowell, GaryJ, knutsp, mordauk, nvartolomei, aspexi, chriscct7, benoitchantre, ryno267, lev0, gregorlove, dougwollison, leemon, SergeyBiryukov.
See #14179, #23318, #32101.

git-svn-id: https://develop.svn.wordpress.org/trunk@53933 602fd350-edb4-49c9-b593-d223f7449a82

tests/phpunit/data/themedir1/update-uri-theme/index.php

@@ -0,0 +1,4 @@
+<?php
+/**
+ * A theme with the Update URI header.
+ */

tests/phpunit/data/themedir1/update-uri-theme/style.css

@@ -0,0 +1,9 @@
+/*
+Theme Name:  A theme with the Update URI header
+Theme URI:   http://example.com/
+Description: This theme has the Update URI header.
+Version:     6.1
+Author:      WordPress Contributors
+Author URI:  http://example.net/
+Update URI:  http://example.org/update-uri-theme/
+*/

tests/phpunit/tests/theme/themeDir.php

@@ -182,6 +182,7 @@ class Tests_Theme_ThemeDir extends WP_UnitTestCase {
 			'Block Theme Deprecated Path',
 			'Webfonts theme',
 			'Empty `fontFace` in theme.json - no webfonts defined',
+			'A theme with the Update URI header',
 		);
 
 		$this->assertSameSets( $expected, $theme_names );

tests/phpunit/tests/theme/wpTheme.php

@@ -405,4 +405,50 @@ class Tests_Theme_wpTheme extends WP_UnitTestCase {
 			),
 		);
 	}
+
+	/**
+	 * Tests that the UpdateURI header is retrieved.
+	 *
+	 * @ticket 14179
+	 *
+	 * @covers WP_Theme::get
+	 */
+	public function test_theme_get_update_uri_header() {
+		$theme = new WP_Theme( 'update-uri-theme', $this->theme_root );
+
+		$this->assertTrue(
+			$theme->exists(),
+			'The update-uri-theme does not exist.'
+		);
+
+		$update_uri = $theme->get( 'UpdateURI' );
+
+		$this->assertIsString(
+			$update_uri,
+			'The UpdateURI header was not returned as a string.'
+		);
+
+		$this->assertSame(
+			'http://example.org/update-uri-theme/',
+			$update_uri,
+			'The UpdateURI header did not match the expected value.'
+		);
+	}
+
+	/**
+	 * Tests that WP_Theme::sanitize_header() strips tags from the UpdateURI header.
+	 *
+	 * @ticket 14179
+	 *
+	 * @covers WP_Theme::sanitize_header
+	 */
+	public function test_should_strip_tags_from_update_uri_header() {
+		$theme           = new WP_Theme( 'twentytwentytwo', $this->theme_root );
+		$sanitize_header = new ReflectionMethod( $theme, 'sanitize_header' );
+		$sanitize_header->setAccessible( true );
+
+		$actual = $sanitize_header->invoke( $theme, 'UpdateURI', '<?php?><a href="http://example.org">http://example.org</a>' );
+
+		$this->assertSame( 'http://example.org', $actual );
+	}
 }