409 Commits

Author SHA1 Message Date
Jb Audras
4b71b1565a Media: Replace consecutive periods in sanitize_file_name().
On some servers, consecutive periods in a filename can cause a 403 Forbidden response.
This changeset replaces consecutive periods with a single period, and adds related unit tests.

Props ArtZ91, costdev, SergeyBiryukov, arthurshlain, mukesh27.
Fixes #57242.


git-svn-id: https://develop.svn.wordpress.org/trunk@55209 602fd350-edb4-49c9-b593-d223f7449a82
2023-02-03 12:46:18 +00:00
Sergey Biryukov
51e9aed3b7 Code Modernization: Rename parameters that use reserved keywords in wp-includes/formatting.php.
While using reserved PHP keywords as parameter name labels is allowed, in the context of function calls using named parameters in PHP 8.0+, this will easily lead to confusion. To avoid that, it is recommended not to use reserved keywords as function parameter names.

This commit renames the `$class` parameter to `$classname` in `sanitize_html_class()`.

Follow-up to [54927].

See also: [search:?q=code+modernization+rename+parameters+that+use+reserved+keywords&changeset=on equivalent commits for other files].

Props jrf, aristath, poena, justinahinon, SergeyBiryukov.
See #56788.

git-svn-id: https://develop.svn.wordpress.org/trunk@55162 602fd350-edb4-49c9-b593-d223f7449a82
2023-01-30 14:13:49 +00:00
Jb Audras
a930d258b9 Docs: Align spelling with American English.
This changeset updates the use of "-ise" suffix to American English "-ize" in various files.

Follow-up to [54663], [54664], [55043], [55044].

Props kebbet, mukesh27.
See #56811, #56792.


git-svn-id: https://develop.svn.wordpress.org/trunk@55051 602fd350-edb4-49c9-b593-d223f7449a82
2023-01-11 13:57:17 +00:00
Sergey Biryukov
9a7d57aa39 Code Modernization: Rename parameters that use reserved keywords in wp-includes/functions.php.
While using reserved PHP keywords as parameter name labels is allowed, in the context of function calls using named parameters in PHP 8.0+, this will easily lead to confusion. To avoid that, it is recommended not to use reserved keywords as function parameter names.

This commit:
* Renames the `$echo` parameter to `$display` in:
 * `wp_nonce_field()`
 * `wp_referer_field()`
 * `wp_original_referer_field()`
* Renames the `$string` parameter to `$input_string` in:
 * `_wp_json_convert_string()`
 * `_wp_to_kebab_case()`
* Renames the `$list` parameter to `$input_list` in:
 * `wp_parse_list()`
 * `wp_parse_id_list()`
 * `wp_parse_slug_list()`
 * `wp_filter_object_list()`
 * `wp_list_filter()`
 * `wp_list_pluck()`
 * `wp_list_sort()`
* Renames the `$array` parameter to `$input_array` in:
 * `add_magic_quotes()`
 * `wp_array_slice_assoc()`
 * `_wp_array_get()`
 * `_wp_array_set()`
* Renames the `$function` parameter to `$function_name` in:
 * `_deprecated_function()`
 * `_deprecated_argument()`
 * `_doing_it_wrong()`
* Renames the `$class` parameter to `$class_name` in `_deprecated_constructor()`.
* Renames the `$default` parameter to `$default_value` in `apache_mod_loaded()`.
* Renames the `$var` parameter to `$value` in `wp_validate_boolean()`.
* Amends the `$input` parameter in `wp_parse_str()` for consistency.

Follow-up to [52946], [52996], [52997], [52998], [53003], [53014], [53029], [53039], [53116], [53117], [53137], [53174], [53184], [53185], [53192], [53193], [53198], [53203], [53207], [53215], [53216], [53220], [53230], [53232], [53236], [53239], [53240], [53242], [53243], [53245], [53246], [53257], [53269], [53270], [53271], [53272], [53273], [53274], [53275], [53276], [53277], [53281], [53283], [53284], [53285], [53287], [53364], [53365], [54927].

Props jrf, aristath, poena, justinahinon, SergeyBiryukov.
See #56788.

git-svn-id: https://develop.svn.wordpress.org/trunk@54929 602fd350-edb4-49c9-b593-d223f7449a82
2022-12-03 15:05:41 +00:00
Sergey Biryukov
51fae8b27b Code Modernization: Rename parameters that use reserved keywords in wp-includes/formatting.php.
While using reserved PHP keywords as parameter name labels is allowed, in the context of function calls using named parameters in PHP 8.0+, this will easily lead to confusion. To avoid that, it is recommended not to use reserved keywords as function parameter names.

This commit:
* Renames the `$string` parameter to `$text` in:
 * `_wp_specialchars()`
 * `wp_specialchars_decode()`
 * `wp_check_invalid_utf8()`
 * `remove_accents()`
 * `_split_str_by_whitespace()`
 * `wp_strip_all_tags()`
* Renames the `$string` parameter to `$value` in:
 * `backslashit()`
 * `trailingslashit()`
 * `untrailingslashit()`
* Renames the `$string` parameter to `$subject` in `wp_iso_descrambler()`.
* Renames the `$match` parameter to `$matches` in `_wp_iso_convert()`.
* Renames the `$string` parameter to `$date_string` in:
 * `get_gmt_from_date()`
 * `get_date_from_gmt()`
* Renames the `$string` parameter to `$input` in `wp_parse_str()`.
* Renames the `$string` parameter to `$content` in `wp_pre_kses_block_attributes()`.
* Amends the `$text` parameter in `wp_pre_kses_less_than()` for consistency.

Follow-up to [52946], [52996], [52997], [52998], [53003], [53014], [53029], [53039], [53116], [53117], [53137], [53174], [53184], [53185], [53192], [53193], [53198], [53203], [53207], [53215], [53216], [53220], [53230], [53232], [53236], [53239], [53240], [53242], [53243], [53245], [53246], [53257], [53269], [53270], [53271], [53272], [53273], [53274], [53275], [53276], [53277], [53281], [53283], [53284], [53285], [53287], [53364], [53365].

Props jrf, aristath, poena, justinahinon, SergeyBiryukov.
See #56788.

git-svn-id: https://develop.svn.wordpress.org/trunk@54927 602fd350-edb4-49c9-b593-d223f7449a82
2022-12-02 18:51:56 +00:00
Sergey Biryukov
9001cce4e0 Formatting: Check that both normalizer_* functions exist in remove_accents().
This applies to:
* `normalizer_is_normalized()`
* `normalizer_normalize()`

Includes removing the `Normalizer::FORM_C` constant as a parameter, since it is the default value for both functions and does not need to be explicitly passed. This avoids a fatal error if a plugin includes a polyfill for any of the functions but the `Normalizer` class has a different namespace, for example when using the Symfony polyfill.

Follow-up to [53754].

Props hellofromTonya, costdev, desrosj, mukesh27, zodiac1978, jchambo, gisgeo, SergeyBiryukov.
Fixes #56980.

git-svn-id: https://develop.svn.wordpress.org/trunk@54813 602fd350-edb4-49c9-b593-d223f7449a82
2022-11-11 15:26:59 +00:00
Jb Audras
3adb24ff8c Docs: Align spelling with American English.
This changeset replaces "behaviour" with "behavior" in various docblocks.

Props kebbet, jrf.
See #56811, #56792.


git-svn-id: https://develop.svn.wordpress.org/trunk@54663 602fd350-edb4-49c9-b593-d223f7449a82
2022-10-21 21:10:29 +00:00
Jb Audras
525d6d2a34 Networks and Sites: Ensure fileupload_maxk is an int to avoid potential fatal errors.
This changeset fixes a potential fatal error, for example when "Max upload file size" setting is set to an empty value. It also adds unit tests for `upload_size_limit_filter`.

Props mjkhajeh, bhrugesh12, SergeyBiryukov, kebbet, audrasjb, felipeelia.
Fixes #55926.


git-svn-id: https://develop.svn.wordpress.org/trunk@54482 602fd350-edb4-49c9-b593-d223f7449a82
2022-10-11 15:05:29 +00:00
Jb Audras
b20675e8dd Formatting: Strip object replacement characters from slugs.
This changeset prevents object replacement characters – UTF-8 `%ef%bf%bc`, used as a placeholder in text for an otherwise unspecified object – from being added to slugs.

Props cantuaria, costdev, audrasjb, SergeyBiryukov, archon810, maciejmackowiak, BaneD, markparnell, ironprogrammer, dmsnell, nikkigagency, webprom.
Fixes #55117.


git-svn-id: https://develop.svn.wordpress.org/trunk@54474 602fd350-edb4-49c9-b593-d223f7449a82
2022-10-11 10:27:00 +00:00
Sergey Biryukov
beeb5a4a97 Coding Standards: Rename WordPress Dependencies API class files.
The current coding standards note that the name of the class files should be based on the class name with `class-` prepended, and the underscores replaced by hyphens (see the [https://developer.wordpress.org/coding-standards/wordpress-coding-standards/php/#naming-conventions Naming Conventions] section in the handbook), except for the three legacy files: `class.wp-dependencies.php`, `class.wp-scripts.php`, `class.wp-styles.php`.

To bring more consistency to the codebase and make it easier to implement autoloading in the future, this commit renames those three legacy files to conform to the coding standards:

* `wp-includes/class.wp-dependencies.php` → `wp-includes/class-wp-dependencies.php`
* `wp-includes/class.wp-scripts.php` → `wp-includes/class-wp-scripts.php`
* `wp-includes/class.wp-styles.php` → `wp-includes/class-wp-styles.php`

Includes:
* Loading the new files from the old ones, for anyone that may have been including the files directly.
* Replacing references to the old filenames with the new filenames.

Follow-up to [7970], [45654], [45662], [45663], [45678], [47197], [52026], [53749].

Props afragen, schlessera, swissspidy, dingo_d, hellofromTonya, SergeyBiryukov.
Fixes #37861. See #55647.

git-svn-id: https://develop.svn.wordpress.org/trunk@54254 602fd350-edb4-49c9-b593-d223f7449a82
2022-09-20 14:15:25 +00:00
Sergey Biryukov
0b9f8c8f7b Date/Time: Correct sanitization of timezone_string in sanitize_option().
This fixes a bug where if the `timezone_string` is set to a timezone name which has since been deprecated, the option value would be “lost” when saving the value again, as the comparison being done to verify whether it is a valid timezone name would only take “current” timezone names into account and would invalidate deprecated timezone names.

By passing the `DateTimeZone::ALL_WITH_BC` constant as the `$timezoneGroup` parameter to the PHP native `timezone_identifiers_list()` function, a timezone name list is retrieved containing both current and deprecated timezone names, preventing the invalidation of the option value.

See the extensive write-up about this in ticket #56468.

Also see: [https://www.php.net/manual/en/datetimezone.listidentifiers.php PHP Manual: timezone_identifiers_list()].

Includes adding a dedicated test to the data provider used in the `Tests_Option_SanitizeOption` test class.

Note: The new data set is ''named'', even though the other data sets are unnamed, to make sure it is clear what this data set is testing. Adding test names for the original data sets in this data provider would be a great future improvement, but is outside of the scope of this commit.

Follow-up to [18323], [33119], [54207], [54217], [54227].

Props jrf, costdev.
See #56468.

git-svn-id: https://develop.svn.wordpress.org/trunk@54229 602fd350-edb4-49c9-b593-d223f7449a82
2022-09-19 23:46:26 +00:00
Jb Audras
0d7487bad9 Docs: Remove an obsolete function description in addslashes_gpc().
- Usage of `get_magic_quotes_gpc()` was removed from `addslashes_gpc()` in [46105] / #47783.
- A similar description fragment was removed from `wp_parse_str()` in that changeset, but this one was missed.
- The `get_magic_quotes_gpc()` function itself was deprecated in PHP 7.4 and removed in PHP 8.0.

Props mitweka, audrasjb, SergeyBiryukov.
Fixes #56233.
See #55646.


git-svn-id: https://develop.svn.wordpress.org/trunk@53776 602fd350-edb4-49c9-b593-d223f7449a82
2022-07-25 17:26:24 +00:00
Jb Audras
730a15cf3c Docs: Refine @return docblock mentions for esc_sql(), wp_slash() and wp_unslash().
Props malthert, SergeyBiryukov, johnbillion, desrosj, byohann6.
Fixes #53946.
See #55646.


git-svn-id: https://develop.svn.wordpress.org/trunk@53775 602fd350-edb4-49c9-b593-d223f7449a82
2022-07-25 15:41:10 +00:00
Jb Audras
1d5d9e24c4 Formatting: Normalize to Unicode NFC encoding before converting accent characters in remove_accents().
This changeset adds Unicode sequence normalization from NFD to NFC, via the `normalizer_normalize()` PHP function which is available with the recommended `intl` PHP extension.

This fixes an issue where NFD characters were not properly sanitized. It also provides a unit test for NFD sequences (alternate Unicode representations of the same characters).

Props NumidWasNotAvailable, targz, nacin, nunomorgadinho, p_enrique, gitlost, SergeyBiryukov, markoheijnen, mikeschroder, ocean90, pento, helen, rodrigosevero, zodiac1978, ironprogrammer, audrasjb, azaozz, laboiteare, nuryko, virgar, dxd5001, onnimonni, johnbillion.
Fixes #24661, #47763, #35951.
See #30130, #52654.


git-svn-id: https://develop.svn.wordpress.org/trunk@53754 602fd350-edb4-49c9-b593-d223f7449a82
2022-07-21 21:09:56 +00:00
Sergey Biryukov
b316c8b25f General: Replace all esc_url_raw() calls in core with sanitize_url().
This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage.

Follow-up to [11383], [13096], [51597], [53452].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes #55852.

git-svn-id: https://develop.svn.wordpress.org/trunk@53455 602fd350-edb4-49c9-b593-d223f7449a82
2022-06-01 18:12:25 +00:00
Sergey Biryukov
e4ed73e980 Formatting: Make sanitize_url() the recommended function for sanitizing a URL.
A general security rule is "Sanitize when you save, escape when you echo".

In WordPress 5.9, `sanitize_url()` was un-deprecated in order to better align with the naming of other sanitizing functions, while still being an alias for `esc_url_raw()`.

This commit reverses the order and turns `esc_url_raw()` into a wrapper for `sanitize_url()`, making the latter the canonical function call and aiming to improve performance by reducing the number of function calls required when using the recommended technique.

Follow-up to [11383], [13096], [51597].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
See #55852.

git-svn-id: https://develop.svn.wordpress.org/trunk@53452 602fd350-edb4-49c9-b593-d223f7449a82
2022-05-31 15:15:58 +00:00
Jb Audras
9e0b155a73 Docs: Update a link to the Custom Elements spec in force_balance_tags() docblock.
This changeset replaces a link to the outdated W3C specs on Custom Elements with a link to the corresponding WhatWG specification.

See #54729.


git-svn-id: https://develop.svn.wordpress.org/trunk@53204 602fd350-edb4-49c9-b593-d223f7449a82
2022-04-18 14:33:16 +00:00
Peter Wilson
e3ead9f54c Emoji: Update the Twemoji to version 14.0.2.
This version introduces support for the latest Emoji added in Emoji 14. 

"Insert witty comment newly supported emoji."

Props kraftbj, desrosj, dd32, milana_cap.
Fixes #55395.




git-svn-id: https://develop.svn.wordpress.org/trunk@53150 602fd350-edb4-49c9-b593-d223f7449a82
2022-04-12 05:54:29 +00:00
Jb Audras
4ee40e3ff1 Formatting: Avoid escaping valid XML values in esc_xml().
This change improves the `esc_xml()` function by replacing two `empty()` checks with `isset()` to cover values that are not equal to `''` but still return `true` when checked with `empty()`, like `'0'`, `0` or `false`. It also updates the related unit tests accordingly.

Props rumpel2116, pbiron.
Fixes #55399.


git-svn-id: https://develop.svn.wordpress.org/trunk@53144 602fd350-edb4-49c9-b593-d223f7449a82
2022-04-11 19:58:04 +00:00
Sergey Biryukov
25bff41798 Docs: Further remove HTML markup from various function summaries.
Per the [https://developer.wordpress.org/coding-standards/inline-documentation-standards/php/#summary-formerly-short-description WordPress PHP documentation standards], no HTML markup or Markdown of any kind should be used in the summary. This ensures that the summary is displayed correctly in the [https://developer.wordpress.org/reference/ WordPress Code Reference].

This commit also improves formatting of HTML special characters in descriptions in `wp-includes/formatting.php`.

Follow-up to [53048].

Props johnbillion, mukesh27.
Fixes #55506.

git-svn-id: https://develop.svn.wordpress.org/trunk@53053 602fd350-edb4-49c9-b593-d223f7449a82
2022-04-02 13:53:06 +00:00
Sergey Biryukov
73fdc6ada2 Docs: Add inline comments for non-visible characters in sanitize_title_with_dashes().
This aims to clarify the list of characters that are stripped from URLs or converted to a hyphen.

Follow-up to [51984].

See #47912, #54729.

git-svn-id: https://develop.svn.wordpress.org/trunk@52821 602fd350-edb4-49c9-b593-d223f7449a82
2022-03-04 14:09:59 +00:00
Sergey Biryukov
90bc0edaef Docs: Use third-person singular verbs for function descriptions in wp-includes/formatting.php, per the documentation standards.
See #54729.

git-svn-id: https://develop.svn.wordpress.org/trunk@52810 602fd350-edb4-49c9-b593-d223f7449a82
2022-02-28 16:01:47 +00:00
Sergey Biryukov
2d5f6833fb I18N: Add a $locale parameter for remove_accents().
This highlights the fact that `remove_accents()` is locale-aware and makes it easier to utilize the function with different locales without having to use `switch_to_locale()` or the `locale` filter.

Additionally, this commit relaxes the check for character replacements in German locales to include formal and informal variants of any `de_*` locale, even if WordPress does not have a native translation for some of them yet.

Props malthert, johnbillion, knutsp, ocean90, SergeyBiryukov.
Fixes #54415.

git-svn-id: https://develop.svn.wordpress.org/trunk@52809 602fd350-edb4-49c9-b593-d223f7449a82
2022-02-28 15:40:15 +00:00
Tonya Mork
6853d10368 Formatting: Make terms in wpautop() and shortcode_unautop() more welcoming and inclusive.
The developer-facing humor in these functions was from a different era of WordPress. Tolerance for in-jokes and other developer-facing humor has decreased over the years. Terms like "pee" and "tinkle" may make some folks chuckle while for others it makes them uncomfortable.

Terminology of the past is being (or has been) re-evaluated to transform words into a language that is inclusive and welcoming for all. This commit is part of that effort as it replaces.

Follow-up [13], [9255].

Props ricomoorman, tzipporahwitty, ironprogrammer, peterwilsoncc, jeremyfelt, Viper007Bond, rmccue, SergeyBiryukov, hellofromTonya.
Fixes #25615.

git-svn-id: https://develop.svn.wordpress.org/trunk@52789 602fd350-edb4-49c9-b593-d223f7449a82
2022-02-23 20:01:55 +00:00
Sergey Biryukov
2d707c4512 Docs: Update spelling for inline comments in a few files.
Per the [https://make.wordpress.org/core/handbook/best-practices/spelling/ spelling] and [https://make.wordpress.org/docs/style-guide/language-grammar/word-choice/ word choice] documentation guidelines, American (US) spelling should be preferred.

Props mohadeseghasemi, subrataemfluence, rehanali, SergeyBiryukov.
Fixes #46837.

git-svn-id: https://develop.svn.wordpress.org/trunk@52640 602fd350-edb4-49c9-b593-d223f7449a82
2022-01-25 13:54:01 +00:00
Jonathan Desrosiers
6223e0cf1e Formatting: Correctly encode ASCII characters in post slugs.
Props zieladam, whyisjake, xknown, peterwilsoncc, desrosj, iandunn.

git-svn-id: https://develop.svn.wordpress.org/trunk@52457 602fd350-edb4-49c9-b593-d223f7449a82
2022-01-06 17:08:18 +00:00
Tonya Mork
d3a851d0d1 Formatting: Use is_scalar() in sanitize_key().
This is a follow-up to [52292] which introduced `is_string()` to check the given key is a string to be sanitized, else the key is set to an empty string. 

`sanitize_key()` is clearly identified (in the documentation) to only work with ''string'' keys. However, it had a bug in it that allowed non-strings to pass through it:
* A non-scalar "key" would throw a PHP Warning (which was resolved in [52292]).
* A non-string scalar "key" was handled by the PHP native `strtolower()` which converted it into a string.

While `is_string()` is valid, non-string scalar types passed as the key to be sanitized were being set to an empty string. Given that `strtolower()` handles these without error or deprecation as of PHP 8.1, `is_scalar()` protects the website from issues while retaining the past behavior of converting integer keys (for example) into a string.

Changes include:
* Using `is_scalar()` instead of `is_string()`
* Refactor for readability and less code
* More tests

Please note, this does not change the behavior of the function, nor redefine it to now accept non-string scalars.

References:
* https://developer.wordpress.org/reference/functions/sanitize_key/
* https://www.php.net/manual/en/function.strtolower.php

Follow-up [52292].

Props wppunk, hellofromTonya, costdev, jrf.
Fixes #54160.

git-svn-id: https://develop.svn.wordpress.org/trunk@52370 602fd350-edb4-49c9-b593-d223f7449a82
2021-12-14 14:59:33 +00:00
John Blackbourn
ba518c2d86 Docs: Various inline documentation corrections and improvements.
See #53399


git-svn-id: https://develop.svn.wordpress.org/trunk@52332 602fd350-edb4-49c9-b593-d223f7449a82
2021-12-07 12:18:50 +00:00
Sergey Biryukov
8bfdd80f46 Build/Test Tools: Remove the replace:emoji-banner-text Grunt task.
The task was previously used to ensure that `/*! This file is auto-generated */` comment is not included on front end as part of the inline emoji detection script.

As the `wp-emoji-loader.js` script is now included via `file_get_contents()` and `wp_print_inline_script_tag()` instead of `grunt-include` to simplify the logic, the task does not find anything to replace and is no longer necessary.

Additionally, include a line break before the `wp-emoji-loader.js` script content for better line wrapping.

Follow-up to [48096], [50651], [52132].

See #44632, #44306, #53363.

git-svn-id: https://develop.svn.wordpress.org/trunk@52325 602fd350-edb4-49c9-b593-d223f7449a82
2021-12-06 10:12:28 +00:00
Sergey Biryukov
1b92a6db07 Options, Meta APIs: Improve error handling in sanitize_option().
To prevent potential false negatives, set `$error` to `null` initially, so we can better tell if it was ever changed during the sanitization and be able to better react if an empty string is added to it.

Additionally, and mainly for the sake of the Settings API at this point, add error messages to some `WP_Error` objects returned from `wpdb` methods that were previously causing the issues here.

Follow-up to [32791].

Props iCaleb, audrasjb, hellofromTonya, SergeyBiryukov.
Fixes #53986.

git-svn-id: https://develop.svn.wordpress.org/trunk@52294 602fd350-edb4-49c9-b593-d223f7449a82
2021-11-30 21:00:32 +00:00
Tonya Mork
1db73227b6 Formatting: Handle non-scalar types passed to sanitize_key().
`sanitize_key()` expects a string type for the given `key`. Passing any other data type to `strtolower()` can result in `E_WARNING: strtolower() expects parameter 1 to be string, array given`.

A check is added that if the key is not a string, the key is set to an empty string. For performance, the additional string processing is skipped if the key is an empty string.

This change maintains backwards-compatibility for valid string keys while fixing the bug of non-string keys.

Props costdev, dd32. 
Fixes #54160.

git-svn-id: https://develop.svn.wordpress.org/trunk@52292 602fd350-edb4-49c9-b593-d223f7449a82
2021-11-30 20:09:56 +00:00
Tonya Mork
dac57bbf50 Formatting: Add additional support for single and nestable tags in force_balance_tags().
Adds `track` and `wbr` support for single tags.

Adds `article`, `aside`, `details`, `figure`, and `section` for nestable tags.

Updates tests.

Follow-up to [5805], [21828], [45929].

Props glendaviesnz, costdev, talldanwp, ramonopoly, sergeybiryukov.
Fixes #50225.

git-svn-id: https://develop.svn.wordpress.org/trunk@52188 602fd350-edb4-49c9-b593-d223f7449a82
2021-11-16 19:40:36 +00:00
Weston Ruter
02a2f9c9f5 Embeds: Conditionally enqueue wp-embed only if needed and send ready message in case script loads after post embed windows.
* Prevent loading `wp-embed` script unconditionally on every page in favor of conditionally enqueueing when a post embed is detected. The `wp-embed` script is also explicitly marked as being in the footer group. Sites which currently disable post embed scripts from being enqueued via `remove_action( 'wp_head', 'wp_oembed_add_host_js' )` will continue to do so.
* Send a `ready` message from the host page to each post embed window in case the `iframe` loads before the `wp-embed` script does. When the `ready` message is received by the post embed window, it sends the same `height` message as it sends when it loads.
* Eliminate use of `grunt-include` to inject emoji script and the post embed script. Instead obtain the script contents via `file_get_contents()` (as is done elsewhere in core) and utilize `wp_print_inline_script_tag()`/`wp_get_inline_script_tag()` to construct out the script. This simplifies the logic and allows the running of src without `SCRIPT_DEBUG` enabled.
* For the embed code that users are provided to copy for embedding outside of WP, add the `secret` on the `blockquote` and `iframe`. This ensures the `blockquote` will be hidden when the `iframe` loads. The embed code in question is accessed here via `get_post_embed_html()`.

Props westonruter, swissspidy, pento, flixos90, ocean90.
Fixes #44632, #44306.


git-svn-id: https://develop.svn.wordpress.org/trunk@52132 602fd350-edb4-49c9-b593-d223f7449a82
2021-11-11 02:47:10 +00:00
John Blackbourn
d088e31c73 Docs: Various docblock improvements and corrections.
See #53399


git-svn-id: https://develop.svn.wordpress.org/trunk@52035 602fd350-edb4-49c9-b593-d223f7449a82
2021-11-08 10:47:55 +00:00
John James Jacoby
8f9eea80f9 Permalinks: Sanitize non-visible characters inside sanitize_title_with_dashes().
This change prevents non-visible characters in titles from creating encoded values in permalinks, opting instead for the following replacement strategy:

* Non-visible non-zero-width characters are replaced with hyphens
* Non-visible zero-width characters are removed entirely

Included with this change are 64 additional PHPUnit assertions to confirm that only the targeted non-visible characters are sanitized as intended.

Before this change, URLs would unintentionally contain encoded values where these non-visible characters were. After this change, URLs intentionally strip out or hyphenate these non-visible characters.

Props costdev, dhanendran, hellofromtonya, paaljoachim, peterwilsoncc, poena, sergeybiryukov.

Fixes #47912.

git-svn-id: https://develop.svn.wordpress.org/trunk@51984 602fd350-edb4-49c9-b593-d223f7449a82
2021-11-02 18:46:36 +00:00
John Blackbourn
ec5ed03bf6 Docs: Miscellaneous docblock improvements.
See #53399


git-svn-id: https://develop.svn.wordpress.org/trunk@51955 602fd350-edb4-49c9-b593-d223f7449a82
2021-10-29 23:11:32 +00:00
Sergey Biryukov
4dae388d32 Coding Standards: Add a leading zero in the CSS declarations printed by the print_emoji_styles() function.
Follow-up to [31733], [31786].

Props audrasjb, sabernhardt.
Fixes #54284.

git-svn-id: https://develop.svn.wordpress.org/trunk@51918 602fd350-edb4-49c9-b593-d223f7449a82
2021-10-18 16:52:51 +00:00
Tonya Mork
e83a341cc0 Coding Standards: Use static closures when not using $this.
When a closure does not use `$this`, it can be made `static` for improved performance.

Static closures are supported in PHP since PHP 5.4.

Props jrf, hellofromTonya, swissspidy, SergeyBiryukov.
See #53359.

git-svn-id: https://develop.svn.wordpress.org/trunk@51657 602fd350-edb4-49c9-b593-d223f7449a82
2021-08-26 12:57:08 +00:00
Sergey Biryukov
d93f76dca8 Code Modernization: Correct handling of null in wp_parse_str().
This fixes `parse_str(): Passing null to parameter #1 ($string) of type string is deprecated` notices on PHP 8.1, without change in behaviour.

Impact: 311 of the pre-existing tests are affected by this issue.

The PHP native `parse_str()` function expects a string, however, based on the failing tests, it is clear there are functions in WordPress which pass a non-string – including `null` – value to the `wp_parse_str()` function, which would subsequently pass it onto the PHP native function without further input validation.

Most notable offender is the `wp_parse_args()` function which special cases arrays and objects, but passes everything else off to `wp_parse_str()`.

Several ways to fix this issue have been explored, including checking the received value with `is_string()` or `is_scalar()` before passing it off to the PHP native `parse_str()` function.

In the end it was decided against these in favor of a string cast as:
* `is_string()` would significantly change the behavior for anything non-string.
* `is_scalar()` up to a point as well, as it does not take objects with a `__toString()` method into account.

Executing a string cast on the received value before passing it on maintains the pre-existing behavior while still preventing the deprecation notice coming from PHP 8.1.

Reference: [https://www.php.net/manual/en/function.parse-str.php PHP Manual: parse_str()]

Follow-up to [5709].

Props jrf, hellofromTonya, lucatume, SergeyBiryukov.
See #53635.

git-svn-id: https://develop.svn.wordpress.org/trunk@51624 602fd350-edb4-49c9-b593-d223f7449a82
2021-08-16 22:16:32 +00:00
Sergey Biryukov
d16e03f2fe Docs: Correct @since version for the wp_parse_str filter.
The filter was introduced along with the `wp_parse_str()` function in WordPress 2.2.1.

Follow-up to [5709], [8662], [26485].

See #53399.

git-svn-id: https://develop.svn.wordpress.org/trunk@51609 602fd350-edb4-49c9-b593-d223f7449a82
2021-08-13 15:49:10 +00:00
Sergey Biryukov
43b55b4509 General: Restore (un-deprecate) the sanitize_url() function.
A general security rule is "Sanitize when you save, escape when you echo", and for the most part WordPress has well-named functions like `sanitize_email()` and others, with `esc_url_raw()` being a single exception that does not follow the naming.

This commit restores the previously deprecated `sanitize_url()` function as a valid alias of `esc_url_raw()`.

This better aligns with the naming of other `sanitize_*()` functions:

* `sanitize_bookmark()`
* `sanitize_bookmark_field()`
* `sanitize_category()`
* `sanitize_category_field()`
* `sanitize_comment_cookies()`
* `sanitize_email()`
* `sanitize_file_name()`
* `sanitize_hex_color()`
* `sanitize_hex_color_no_hash()`
* `sanitize_html_class()`
* `sanitize_key()`
* `sanitize_meta()`
* `sanitize_mime_type()`
* `sanitize_option()`
* `sanitize_post()`
* `sanitize_post_field()`
* `sanitize_sql_orderby()`
* `sanitize_term()`
* `sanitize_term_field()`
* `sanitize_text_field()`
* `sanitize_textarea_field()`
* `sanitize_title()`
* `sanitize_title_for_query()`
* `sanitize_title_with_dashes()`
* `sanitize_trackback_urls()`
* `sanitize_user()`
* `sanitize_user_field()`

Follow-up to [11383], [13096].

Props Ipstenu, aadilali.
Fixes #53876.

git-svn-id: https://develop.svn.wordpress.org/trunk@51597 602fd350-edb4-49c9-b593-d223f7449a82
2021-08-10 19:43:33 +00:00
Sergey Biryukov
1c76a1652d Docs: Add a @see reference to the wp_mail_content_type filter in wp_staticize_emoji_for_email().
Follow-up to [31860].

See #53399.

git-svn-id: https://develop.svn.wordpress.org/trunk@51589 602fd350-edb4-49c9-b593-d223f7449a82
2021-08-10 12:52:15 +00:00
Sergey Biryukov
2bfd2c5da9 Coding Standards: Remove redundant semicolons after closing curly brackets.
Props jrf.
See #53359.

git-svn-id: https://develop.svn.wordpress.org/trunk@51552 602fd350-edb4-49c9-b593-d223f7449a82
2021-08-05 13:14:21 +00:00
Jonathan Desrosiers
f64478d67c Emoji: Update the Twemoji library to version 13.1.0.
This version introduces support for the latest Emoji added in version Emoji 13.1, which includes “face in clouds”, “face exhaling”, and of course, “face with spiral eyes”.

A new corresponding folder has been pushed to WordPress.org in [dotorg:17419].

Rages deep within, ❤️‍🔥.

Props kraftbj., desrosj.
Fixes #52852.

git-svn-id: https://develop.svn.wordpress.org/trunk@51113 602fd350-edb4-49c9-b593-d223f7449a82
2021-06-08 22:13:27 +00:00
Adam Silverstein
6a5ff5aa03 Images: enable WebP support.
Add support for uploading, editing and saving WebP images when supported by the server.

Add 'image/webp' to supported mime types. Correctly identify WebP images and sizes even when PHP doesn't support WebP. Resize uploaded WebP files (when supported) and use for front end markup.

Props markoheijne, blobfolio, Clorith, joemcgill, atjn, desrosj, spacedmonkey, marylauc, mikeschroder, hellofromtonya, flixos90.
Fixes #35725.



git-svn-id: https://develop.svn.wordpress.org/trunk@50810 602fd350-edb4-49c9-b593-d223f7449a82
2021-05-04 14:43:36 +00:00
Sergey Biryukov
698f341e1c Docs: Correct description for wp_slash() and wp_unslash().
The array received or returned by these functions is not always an array of strings, for example when slashing or unslashing an array of arrays.

Follow-up to [47400], [48441], [49926].

Props johnbillion.
See #51800.

git-svn-id: https://develop.svn.wordpress.org/trunk@49968 602fd350-edb4-49c9-b593-d223f7449a82
2021-01-17 16:36:14 +00:00
Dominik Schilling
d1ac4cd40a I18N: Add support for German (Austria) locale in remove_accents().
Props patopaiar, nonverbla.
Fixes #52110.

git-svn-id: https://develop.svn.wordpress.org/trunk@49967 602fd350-edb4-49c9-b593-d223f7449a82
2021-01-17 15:44:04 +00:00
John Blackbourn
679ccc35e6 Docs: Promote many bool types to true or false where only that value is used.
See #51800


git-svn-id: https://develop.svn.wordpress.org/trunk@49927 602fd350-edb4-49c9-b593-d223f7449a82
2021-01-03 22:02:13 +00:00
John Blackbourn
374b41ed13 Docs: Various docblock corrections particularly relating to boolean types.
See #51800


git-svn-id: https://develop.svn.wordpress.org/trunk@49926 602fd350-edb4-49c9-b593-d223f7449a82
2021-01-03 21:55:04 +00:00
Sergey Biryukov
af5bab23ab Docs: Move sanitize_file_name filter documentation to the canonical place.
See #51800.

git-svn-id: https://develop.svn.wordpress.org/trunk@49858 602fd350-edb4-49c9-b593-d223f7449a82
2020-12-21 18:23:21 +00:00