Make WordPress Core

Changeset 54561 for branches/4.6


Ignore:
Timestamp:
10/17/2022 06:03:41 PM (19 months ago)
Author:
SergeyBiryukov
Message:

Grouped backports to the 4.6 branch.

  • Posts, Post types: Apply KSES to post-by-email content,
  • General: Validate host on "Are you sure?" screen,
  • Posts, Post types: Remove emails from post-by-email logs,
  • Pings/trackbacks: Apply KSES to all trackbacks,
  • Comments: Apply kses when editing comments,
  • Customize: Escape blogname option in underscores templates,
  • Mail: Reset PHPMailer properties between use,
  • Query: Validate relation in WP_Date_Query,
  • Widgets: Escape RSS error messages for display.

Merges [54521], [54522], [54523], [54525], [54526], [54527], [54529], [54530], [54541] to the 4.6 branch.
Props voldemortensen, johnbillion, paulkevan, peterwilsoncc, xknown, dd32, audrasjb, martinkrcho, davidbaumwald, tykoted, johnjamesjacoby, ehtis, matveb, talldanwp.

Location:
branches/4.6
Files:
11 edited

Legend:

Unmodified
Added
Removed
  • branches/4.6

  • branches/4.6/src/wp-includes/comment.php

    r44848 r54561  
    19901990    }
    19911991
     1992    $filter_comment = false;
     1993    if ( ! has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) {
     1994        $filter_comment = ! user_can( isset( $comment['user_id'] ) ? $comment['user_id'] : 0, 'unfiltered_html' );
     1995    }
     1996
     1997    if ( $filter_comment ) {
     1998        add_filter( 'pre_comment_content', 'wp_filter_kses' );
     1999    }
     2000
    19922001    // Escape data pulled from DB.
    19932002    $comment = wp_slash($comment);
     
    19992008
    20002009    $commentarr = wp_filter_comment( $commentarr );
     2010
     2011    if ( $filter_comment ) {
     2012        remove_filter( 'pre_comment_content', 'wp_filter_kses' );
     2013    }
    20012014
    20022015    // Now extract the merged array.
  • branches/4.6/src/wp-includes/customize/class-wp-customize-header-image-control.php

    r37426 r54561  
    108108
    109109            <button type="button" class="choice thumbnail"
    110                 data-customize-image-value="{{{data.header.url}}}"
     110                data-customize-image-value="{{data.header.url}}"
    111111                data-customize-header-image-data="{{JSON.stringify(data.header)}}">
    112112                <span class="screen-reader-text"><?php _e( 'Set image' ); ?></span>
    113                 <img src="{{{data.header.thumbnail_url}}}" alt="{{{data.header.alt_text || data.header.description}}}">
     113                <img src="{{data.header.thumbnail_url}}" alt="{{data.header.alt_text || data.header.description}}" />
    114114            </button>
    115115
  • branches/4.6/src/wp-includes/customize/class-wp-customize-site-icon-control.php

    r37964 r54561  
    7070                                <img src="{{ data.attachment.sizes.full.url }}" alt="<?php esc_attr_e( 'Preview as a browser icon' ); ?>"/>
    7171                            </div>
    72                             <span class="browser-title" aria-hidden="true"><?php bloginfo( 'name' ); ?></span>
     72                            <span class="browser-title" aria-hidden="true"><?php echo esc_js( get_bloginfo( 'name' ) ); ?></span>
    7373                        </div>
    7474                        <img class="app-icon-preview" src="{{ data.attachment.sizes.full.url }}" alt="<?php esc_attr_e( 'Preview as an app icon' ); ?>"/>
  • branches/4.6/src/wp-includes/date.php

    r37518 r54561  
    153153    public function __construct( $date_query, $default_column = 'post_date' ) {
    154154
    155         if ( isset( $date_query['relation'] ) && 'OR' === strtoupper( $date_query['relation'] ) ) {
    156             $this->relation = 'OR';
     155        if ( isset( $date_query['relation'] ) ) {
     156            $this->relation = $this->sanitize_relation( $date_query['relation'] );
    157157        } else {
    158158            $this->relation = 'AND';
     
    233233            $this->validate_date_values( $queries );
    234234        }
     235
     236        // Sanitize the relation parameter.
     237        $queries['relation'] = $this->sanitize_relation( $queries['relation'] );
    235238
    236239        foreach ( $queries as $key => $q ) {
     
    10161019        return $wpdb->prepare( "DATE_FORMAT( $column, %s ) $compare %f", $format, $time );
    10171020    }
     1021
     1022    /**
     1023     * Sanitizes a 'relation' operator.
     1024     *
     1025     * @since 6.0.3
     1026     *
     1027     * @param string $relation Raw relation key from the query argument.
     1028     * @return string Sanitized relation ('AND' or 'OR').
     1029     */
     1030    public function sanitize_relation( $relation ) {
     1031        if ( 'OR' === strtoupper( $relation ) ) {
     1032            return 'OR';
     1033        } else {
     1034            return 'AND';
     1035        }
     1036    }
    10181037}
  • branches/4.6/src/wp-includes/functions.php

    r46496 r54561  
    26282628    } else {
    26292629        $html = __( 'Are you sure you want to do this?' );
    2630         if ( wp_get_referer() )
    2631             $html .= "</p><p><a href='" . esc_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
     2630        if ( wp_get_referer() ) {
     2631            $wp_http_referer = remove_query_arg( 'updated', wp_get_referer() );
     2632            $wp_http_referer = wp_validate_redirect( esc_url_raw( $wp_http_referer ) );
     2633            $html           .= '</p><p>';
     2634            $html           .= sprintf(
     2635                '<a href="%s">%s</a>',
     2636                esc_url( $wp_http_referer ),
     2637                __( 'Please try again.' )
     2638            );
     2639        }
    26322640    }
    26332641
  • branches/4.6/src/wp-includes/media-template.php

    r37963 r54561  
    12461246                <img id="preview-favicon" src="{{ data.url }}" alt="<?php esc_attr_e( 'Preview as a browser icon' ); ?>"/>
    12471247            </div>
    1248             <span class="browser-title" aria-hidden="true"><?php bloginfo( 'name' ); ?></span>
     1248            <span class="browser-title" aria-hidden="true"><?php echo esc_js( get_bloginfo( 'name' ) ); ?></span>
    12491249        </div>
    12501250
  • branches/4.6/src/wp-includes/pluggable.php

    r47974 r54561  
    309309    $phpmailer->ClearCustomHeaders();
    310310    $phpmailer->ClearReplyTos();
     311    $phpmailer->Body    = '';
     312    $phpmailer->AltBody = '';
    311313
    312314    // From email and name
  • branches/4.6/src/wp-includes/widgets.php

    r37544 r54561  
    12341234    if ( is_wp_error($rss) ) {
    12351235        if ( is_admin() || current_user_can('manage_options') )
    1236             echo '<p>' . sprintf( __('<strong>RSS Error</strong>: %s'), $rss->get_error_message() ) . '</p>';
     1236            echo '<p>' . sprintf( __('<strong>RSS Error</strong>: %s'), esc_html( $rss->get_error_message() ) ) . '</p>';
    12371237        return;
    12381238    }
     
    13431343
    13441344    if ( ! empty( $args['error'] ) ) {
    1345         echo '<p class="widget-error"><strong>' . sprintf( __( 'RSS Error: %s' ), $args['error'] ) . '</strong></p>';
     1345        echo '<p class="widget-error"><strong>' . sprintf( __( 'RSS Error: %s' ), esc_html( $args['error'] ) ) . '</strong></p>';
    13461346    }
    13471347
  • branches/4.6/src/wp-mail.php

    r39774 r54561  
    6060    wp_die( __('There doesn&#8217;t seem to be any new mail.') );
    6161}
     62
     63// Always run as an unauthenticated user.
     64wp_set_current_user( 0 );
    6265
    6366for ( $i = 1; $i <= $count; $i++ ) {
     
    125128                $author = sanitize_email($author);
    126129                if ( is_email($author) ) {
    127                     echo '<p>' . sprintf(__('Author is %s'), $author) . '</p>';
    128130                    $userdata = get_user_by('email', $author);
    129131                    if ( ! empty( $userdata ) ) {
  • branches/4.6/src/wp-trackback.php

    r30662 r54561  
    1313    wp( array( 'tb' => '1' ) );
    1414}
     15
     16// Always run as an unauthenticated user.
     17wp_set_current_user( 0 );
    1518
    1619/**
Note: See TracChangeset for help on using the changeset viewer.