Changeset 47968 for branches/4.0

Timestamp:

06/10/2020 06:28:04 PM (4 years ago)

Author:

whyisjake

Message:

General: Backport several commits for release.

• Embeds: Ensure that the title attribute is set correctly on embeds.
• Editor: Prevent HTML decoding on by setting the proper editor context.
• Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
• Themes: Ensure a broken theme name is returned properly.
• Administration: Add a new filter to extend set-screen-option.

Merges [47947-47951] to the 4.0 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.

Location:

branches/4.0

Files:

• . (modified) (1 prop)
• src/wp-admin/includes/media.php (modified) (1 diff)
• src/wp-admin/includes/misc.php (modified) (1 diff)
• src/wp-admin/themes.php (modified) (1 diff)
• src/wp-includes/pluggable.php (modified) (2 diffs)
• tests/phpunit/tests/formatting/redirect.php (modified) (1 diff)

branches/4.0/src/wp-admin/includes/media.php

@@ -2690 +2690 @@
     if ( preg_match( '#^(audio|video)/#', $post->post_mime_type ) ) {
         echo ': ' . __( 'Displayed on attachment pages.' );
-    } ?></label>
-    <?php wp_editor( $post->post_content, 'attachment_content', $editor_args ); ?>
+    }
+
+    ?>
+    </label>
+    <?php wp_editor( format_to_edit( $post->post_content ), 'attachment_content', $editor_args ); ?>
 
     </div>

branches/4.0/src/wp-admin/includes/misc.php

@@ -406 +406 @@
                 break;
             default:
+                if ( '_page' === substr( $option, -5 ) || 'layout_columns' === $option ) {
+                    /**
+                     * Filters a screen option value before it is set.
+                     *
+                     * The filter can also be used to modify non-standard [items]_per_page
+                     * settings. See the parent function for a full list of standard options.
+                     *
+                     * Returning false to the filter will skip saving the current option.
+                     *
+                     * @since 2.8.0
+                     * @since 5.4.2 Only applied to options ending with '_page',
+                     *              or the 'layout_columns' option.
+                     *
+                     * @see set_screen_options()
+                     *
+                     * @param bool   $keep   Whether to save or skip saving the screen option value.
+                     *                       Default false.
+                     * @param string $option The option name.
+                     * @param int    $value  The number of rows to use.
+                     */
+                    $value = apply_filters( 'set-screen-option', false, $option, $value ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
+                }
 
                 /**
                  * Filter a screen option value before it is set.
                  *
-                 * The filter can also be used to modify non-standard [items]_per_page
-                 * settings. See the parent function for a full list of standard options.
+                 * The dynamic portion of the hook, `$option`, refers to the option name.
                  *
                  * Returning false to the filter will skip saving the current option.
                  *
-                 * @since 2.8.0
+                 * @since 5.4.2
                  *
                  * @see set_screen_options()
                  *
-                 * @param bool|int $value  Screen option value. Default false to skip.
-                 * @param string   $option The option name.
-                 * @param int      $value  The number of rows to use.
+                 * @param bool   $keep   Whether to save or skip saving the screen option value.
+                 *                       Default false.
+                 * @param string $option The option name.
+                 * @param int    $value  The number of rows to use.
                  */
-                $value = apply_filters( 'set-screen-option', false, $option, $value );
+                $value = apply_filters( "set_screen_option_{$option}", false, $option, $value );
 
                 if ( false === $value )

branches/4.0/src/wp-admin/themes.php

@@ -256 +256 @@
         echo "
         <tr>
-             <td>" . ( $broken_theme->get( 'Name' ) ? $broken_theme->get( 'Name' ) : $broken_theme->get_stylesheet() ) . "</td>
+             <td><?php echo $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : esc_html( $broken_theme->get_stylesheet() ); ?></td>
              <td>" . $broken_theme->errors()->get_error_message() . "</td>
         </tr>";

branches/4.0/src/wp-includes/pluggable.php

@@ -1197 +1197 @@
  **/
 function wp_sanitize_redirect($location) {
-    $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*]|i', '', $location);
+    $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*@]|i', '', $location);
     $location = wp_kses_no_null($location);
 
@@ -1253 +1253 @@
  **/
 function wp_validate_redirect($location, $default = '') {
-    $location = trim( $location, " \t\n\r\0\x08\x0B" );
+    $location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) );
     // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
     if ( substr($location, 0, 2) == '//' )

branches/4.0/tests/phpunit/tests/formatting/redirect.php

@@ -28 +28 @@
         $this->assertEquals('http://example.com/watchthecarriagereturngo', wp_sanitize_redirect('http://example.com/watchthecarriagereturn%0%0ddgo'));
         $this->assertEquals('http://example.com/watchthecarriagereturngo', wp_sanitize_redirect('http://example.com/watchthecarriagereturn%0%0DDgo'));
+        $this->assertEquals('http://example.com/@username', wp_sanitize_redirect('http://example.com/@username'));
     }