
Changeset 54562


Timestamp:
10/17/2022 06:03:55 PM (19 months ago)
Author:
audrasjb
Message:

Grouped backports to the 5.3 branch.

  • Editor: Bump @wordpress packages for the branch,
  • Media: Refactor search by filename within the admin,
  • REST API: Lockdown post parameter of the terms endpoint,
  • Customize: Escape blogname option in underscores templates,
  • Query: Validate relation in WP_Date_Query,
  • Posts, Post types: Apply KSES to post-by-email content,
  • General: Validate host on "Are you sure?" screen,
  • Posts, Post types: Remove emails from post-by-email logs,
  • Pings/trackbacks: Apply KSES to all trackbacks,
  • Mail: Reset PHPMailer properties between use,
  • Comments: Apply kses when editing comments,
  • Widgets: Escape RSS error messages for display.

Merges [54521-54530] to the 5.3 branch.
Props audrasjb, costdev, cu121, dd32, davidbaumwald, ehtis, johnbillion, johnjamesjacoby, martinkrcho, matveb, oztaser, paulkevan, peterwilsoncc, ravipatel, SergeyBiryukov, talldanwp, timothyblynjacobs, tykoted, voldemortensen, vortfu, xknown.

Location:
branches/5.3
Files:
20 edited

  • branches/5.3

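--- a/branches/5.3/src/wp-admin/includes/ajax-actions.php
+++ b/branches/5.3/src/wp-admin/includes/ajax-actions.php
@@ -2947,5 +2947,5 @@
     // Filter query clauses to include filenames.
     if ( isset( $query['s'] ) ) {
-        add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
+        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
     }
 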
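--- a/branches/5.3/src/wp-admin/includes/post.php
+++ b/branches/5.3/src/wp-admin/includes/post.php
@@ -1251,5 +1251,5 @@
     // Filter query clauses to include filenames.
     if ( isset( $q['s'] ) ) {
-        add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
+        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
     }
 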
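--- a/branches/5.3/src/wp-includes/class-wp-date-query.php
+++ b/branches/5.3/src/wp-includes/class-wp-date-query.php
@@ -150,6 +150,6 @@
         }
 
-        if ( isset( $date_query['relation'] ) && 'OR' === strtoupper( $date_query['relation'] ) ) {
-            $this->relation = 'OR';
+        if ( isset( $date_query['relation'] ) ) {
+            $this->relation = $this->sanitize_relation( $date_query['relation'] );
         } else {
             $this->relation = 'AND';
@@ -221,4 +221,7 @@
             $this->validate_date_values( $queries );
         }
+
+        // Sanitize the relation parameter.
+        $queries['relation'] = $this->sanitize_relation( $queries['relation'] );
 
         foreach ( $queries as $key => $q ) {
@@ -1040,3 +1043,19 @@
         return $wpdb->prepare( "DATE_FORMAT( $column, %s ) $compare %f", $format, $time );
     }
+
+    /**
+     * Sanitizes a 'relation' operator.
+     *
+     * @since 6.0.3
+     *
+     * @param string $relation Raw relation key from the query argument.
+     * @return string Sanitized relation ('AND' or 'OR').
+     */
+    public function sanitize_relation( $relation ) {
+        if ( 'OR' === strtoupper( $relation ) ) {
+            return 'OR';
+        } else {
+            return 'AND';
+        }
+    }
 }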
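Review bot: `sanitize_relation()` passes `$relation` straight to `strtoupper()`, and both call sites (new lines 153 and 225) hand it a value read from the query array with no type check. If that array can be built from request input, a non-string `relation` raises a warning on PHP 7 and a TypeError on PHP 8 instead of falling back to 'AND'. Guarding the comparison keeps the safe default: `if ( is_string( $relation ) && 'OR' === strtoupper( $relation ) ) {`. The callers' surrounding code lies outside the hunks, so earlier validation may already exist there.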
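--- a/branches/5.3/src/wp-includes/class-wp-query.php
+++ b/branches/5.3/src/wp-includes/class-wp-query.php
@@ -434,4 +434,11 @@
     public $thumbnails_cached = false;
 
+    /**
+     * Controls whether an attachment query should include filenames or not.
+     *
+     * @since 6.0.3
+     * @var bool
+     */
+    protected $allow_query_attachment_by_filename = false;
     /**
      * Cached list of search stopwords.
@@ -1374,6 +1381,11 @@
             }
 
-            $like      = $n . $wpdb->esc_like( $term ) . $n;
-            $search   .= $wpdb->prepare( "{$searchand}(({$wpdb->posts}.post_title $like_op %s) $andor_op ({$wpdb->posts}.post_excerpt $like_op %s) $andor_op ({$wpdb->posts}.post_content $like_op %s))", $like, $like, $like );
+            $like = $n . $wpdb->esc_like( $term ) . $n;
+
+            if ( ! empty( $this->allow_query_attachment_by_filename ) ) {
+                $search .= $wpdb->prepare( "{$searchand}(({$wpdb->posts}.post_title $like_op %s) $andor_op ({$wpdb->posts}.post_excerpt $like_op %s) $andor_op ({$wpdb->posts}.post_content $like_op %s) $andor_op (sq1.meta_value $like_op %s))", $like, $like, $like, $like );
+            } else {
+                $search .= $wpdb->prepare( "{$searchand}(({$wpdb->posts}.post_title $like_op %s) $andor_op ({$wpdb->posts}.post_excerpt $like_op %s) $andor_op ({$wpdb->posts}.post_content $like_op %s))", $like, $like, $like );
+            }
             $searchand = ' AND ';
         }
@@ -1759,4 +1771,14 @@
         $q = $this->fill_query_vars( $q );
 
+        /**
+         * Filters whether an attachment query should include filenames or not.
+         *
+         * @since 6.0.3
+         *
+         * @param bool $allow_query_attachment_by_filename Whether or not to include filenames.
+         */
+        $this->allow_query_attachment_by_filename = apply_filters( 'wp_allow_query_attachment_by_filename', false );
+        remove_all_filters( 'wp_allow_query_attachment_by_filename' );
+
         // Parse meta query
         $this->meta_query = new WP_Meta_Query();
@@ -2190,5 +2212,5 @@
         }
 
-        if ( ! empty( $this->tax_query->queries ) || ! empty( $this->meta_query->queries ) ) {
+        if ( ! empty( $this->tax_query->queries ) || ! empty( $this->meta_query->queries ) || ! empty( $this->allow_query_attachment_by_filename ) ) {
             $groupby = "{$wpdb->posts}.ID";
         }
@@ -2266,4 +2288,8 @@
         }
         $where .= $search . $whichauthor . $whichmimetype;
+
+        if ( ! empty( $this->allow_query_attachment_by_filename ) ) {
+            $join .= " LEFT JOIN {$wpdb->postmeta} AS sq1 ON ( {$wpdb->posts}.ID = sq1.post_id AND sq1.meta_key = '_wp_attached_file' )";
+        }
 
         if ( ! empty( $this->meta_query->queries ) ) {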
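Review bot: The docblock on the new `wp_allow_query_attachment_by_filename` hook (new lines 1773-1779) does not say that the filter is read once and then cleared by `remove_all_filters()` on the following line. Because the flag lives in the global filter table rather than in the query arguments, whichever `WP_Query` reaches this point first consumes it, and every callback on the hook is dropped, not only `__return_true`. I would add to the docblock: `The filter is removed after it is read, so it must be added again before each query that should search filenames.` The property docblock at new lines 436-442 is also missing the blank line that separates it from the next docblock.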
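--- a/branches/5.3/src/wp-includes/comment.php
+++ b/branches/5.3/src/wp-includes/comment.php
@@ -2332,4 +2332,13 @@
     }
 
+    $filter_comment = false;
+    if ( ! has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) {
+        $filter_comment = ! user_can( isset( $comment['user_id'] ) ? $comment['user_id'] : 0, 'unfiltered_html' );
+    }
+
+    if ( $filter_comment ) {
+        add_filter( 'pre_comment_content', 'wp_filter_kses' );
+    }
+
     // Escape data pulled from DB.
     $comment = wp_slash( $comment );
@@ -2341,4 +2350,8 @@
 
     $commentarr = wp_filter_comment( $commentarr );
+
+    if ( $filter_comment ) {
+        remove_filter( 'pre_comment_content', 'wp_filter_kses' );
+    }
 
     // Now extract the merged array.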
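Review bot: The block added at new lines 2334-2341 has no comment saying whose capability decides the filtering, and the choice is not obvious: `user_can()` is called with the stored comment's `user_id` (or 0), not with the user performing the edit. A short comment would save the next reader from assuming otherwise, for example `// Apply KSES unless the comment's own author may post unfiltered HTML; skipped when wp_filter_kses is already attached.` The matching `remove_filter()` sits in the second hunk, and the lines between the two hunks are not shown, so it is worth confirming that nothing returns early there and leaves the filter attached.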
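--- a/branches/5.3/src/wp-includes/customize/class-wp-customize-header-image-control.php
+++ b/branches/5.3/src/wp-includes/customize/class-wp-customize-header-image-control.php
@@ -131,8 +131,8 @@
 
             <button type="button" class="choice thumbnail"
-                data-customize-image-value="{{{data.header.url}}}"
+                data-customize-image-value="{{data.header.url}}"
                 data-customize-header-image-data="{{JSON.stringify(data.header)}}">
                 <span class="screen-reader-text"><?php _e( 'Set image' ); ?></span>
-                <img src="{{{data.header.thumbnail_url}}}" alt="{{{data.header.alt_text || data.header.description}}}">
+                <img src="{{data.header.thumbnail_url}}" alt="{{data.header.alt_text || data.header.description}}" />
             </button>
 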
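--- a/branches/5.3/src/wp-includes/customize/class-wp-customize-site-icon-control.php
+++ b/branches/5.3/src/wp-includes/customize/class-wp-customize-site-icon-control.php
@@ -65,5 +65,5 @@
                                 <img src="{{ data.attachment.sizes.full ? data.attachment.sizes.full.url : data.attachment.url }}" alt="<?php esc_attr_e( 'Preview as a browser icon' ); ?>"/>
                             </div>
-                            <span class="browser-title" aria-hidden="true"><# print( '<?php bloginfo( 'name' ); ?>' ) #></span>
+                            <span class="browser-title" aria-hidden="true"><# print( '<?php echo esc_js( get_bloginfo( 'name' ) ); ?>' ) #></span>
                         </div>
                         <img class="app-icon-preview" src="{{ data.attachment.sizes.full ? data.attachment.sizes.full.url : data.attachment.url }}" alt="<?php esc_attr_e( 'Preview as an app icon' ); ?>"/>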
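Review bot: The site name on new line 67 crosses two output contexts, and the line gives no hint of it: it is first a single-quoted JavaScript string literal, and `print()` inside a `<# #>` block then writes that string into the markup without escaping. As far as I know `esc_js()` also entity-encodes the HTML special characters, which is what keeps the second step safe, but that dependency is easy to lose in a later refactor. I would add a template comment next to the line such as `<?php // esc_js() covers both the JS string literal and the raw HTML that print() emits. ?>`. The same applies to new line 1439 of media-template.php.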
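--- a/branches/5.3/src/wp-includes/deprecated.php
+++ b/branches/5.3/src/wp-includes/deprecated.php
@@ -3954,2 +3954,20 @@
     }
 }
+
+/**
+ * Filter the SQL clauses of an attachment query to include filenames.
+ *
+ * @since 4.7.0
+ * @deprecated 6.0.3
+ * @access private
+ *
+ * @param array $clauses An array including WHERE, GROUP BY, JOIN, ORDER BY,
+ *                       DISTINCT, fields (SELECT), and LIMITS clauses.
+ * @return array The unmodified clauses.
+ */
+function _filter_query_attachment_filenames( $clauses ) {
+    _deprecated_function( __FUNCTION__, '6.0.3', 'add_filter( "wp_allow_query_attachment_by_filename", "__return_true" )');
+    remove_filter( 'posts_clauses', __FUNCTION__ );
+    return $clauses;
+}
+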
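Review bot: The docblock summary on the deprecated stub still reads "Filter the SQL clauses of an attachment query to include filenames", although the function now returns `$clauses` untouched. A caller that still hooks it gets no filename matching, so the summary should say so, for example `Formerly added filename matching to attachment queries; now returns the clauses unchanged.` On style, the `_deprecated_function()` call on new line 3969 closes with `)');` and is missing the space before the closing parenthesis that the rest of the file uses.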
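--- a/branches/5.3/src/wp-includes/functions.php
+++ b/branches/5.3/src/wp-includes/functions.php
@@ -3165,8 +3165,10 @@
         $html = __( 'The link you followed has expired.' );
         if ( wp_get_referer() ) {
-            $html .= '</p><p>';
-            $html .= sprintf(
+            $wp_http_referer = remove_query_arg( 'updated', wp_get_referer() );
+            $wp_http_referer = wp_validate_redirect( esc_url_raw( $wp_http_referer ) );
+            $html           .= '</p><p>';
+            $html           .= sprintf(
                 '<a href="%s">%s</a>',
-                esc_url( remove_query_arg( 'updated', wp_get_referer() ) ),
+                esc_url( $wp_http_referer ),
                 __( 'Please try again.' )
             );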
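Review bot: The "Please try again." link is still printed when the referer fails validation, because the enclosing `if ( wp_get_referer() )` is evaluated before `wp_validate_redirect()` runs. With no second argument, a rejected host should come back as that function's empty-string fallback, so the markup becomes `<a href="">`, which points at the current page rather than being omitted. Wrapping the two `$html .=` statements in `if ( $wp_http_referer ) {` would drop the link in that case. The enclosing function starts and ends outside the hunk.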
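--- a/branches/5.3/src/wp-includes/media-template.php
+++ b/branches/5.3/src/wp-includes/media-template.php
@@ -1437,5 +1437,5 @@
                 <img id="preview-favicon" src="{{ data.url }}" alt="<?php esc_attr_e( 'Preview as a browser icon' ); ?>"/>
             </div>
-            <span class="browser-title" aria-hidden="true"><# print( '<?php bloginfo( 'name' ); ?>' ) #></span>
+            <span class="browser-title" aria-hidden="true"><# print( '<?php echo esc_js( get_bloginfo( 'name' ) ); ?>' ) #></span>
         </div>
 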
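--- a/branches/5.3/src/wp-includes/pluggable.php
+++ b/branches/5.3/src/wp-includes/pluggable.php
@@ -312,4 +312,6 @@
         $phpmailer->clearCustomHeaders();
         $phpmailer->clearReplyTos();
+        $phpmailer->Body    = '';
+        $phpmailer->AltBody = '';
 
         // From email and name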
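Review bot: The two assignments on new lines 314-315 carry no comment, and the reason for them is not visible from the `clear*()` calls above. Presumably the `$phpmailer` object is reused across calls, so a body or alternative body left by an earlier message could be sent with the next one. I would add `// Reset both bodies so content from a previous message on the reused instance is not sent again.` above them. The enclosing function is outside the hunk, so whether other per-message properties need the same reset cannot be judged from here.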
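--- a/branches/5.3/src/wp-includes/post.php
+++ b/branches/5.3/src/wp-includes/post.php
@@ -1962,4 +1962,5 @@
  * @since 4.5.0 Added the ability to pass a post type name in addition to object.
  * @since 4.6.0 Converted the `$post_type` parameter to accept a `WP_Post_Type` object.
+ * @since 5.9.0 Added `is_post_type_viewable` hook to filter the result.
  *
  * @param string|WP_Post_Type $post_type Post type name or object.
@@ -1969,4 +1970,5 @@
     if ( is_scalar( $post_type ) ) {
         $post_type = get_post_type_object( $post_type );
+
         if ( ! $post_type ) {
             return false;
@@ -1974,5 +1976,97 @@
     }
 
-    return $post_type->publicly_queryable || ( $post_type->_builtin && $post_type->public );
+    if ( ! is_object( $post_type ) ) {
+        return false;
+    }
+
+    $is_viewable = $post_type->publicly_queryable || ( $post_type->_builtin && $post_type->public );
+
+    /**
+     * Filters whether a post type is considered "viewable".
+     *
+     * The returned filtered value must be a boolean type to ensure
+     * `is_post_type_viewable()` only returns a boolean. This strictness
+     * is by design to maintain backwards-compatibility and guard against
+     * potential type errors in PHP 8.1+. Non-boolean values (even falsey
+     * and truthy values) will result in the function returning false.
+     *
+     * @since 5.9.0
+     *
+     * @param bool         $is_viewable Whether the post type is "viewable" (strict type).
+     * @param WP_Post_Type $post_type   Post type object.
+     */
+    return true === apply_filters( 'is_post_type_viewable', $is_viewable, $post_type );
+}
+
+/**
+ * Determines whether a post status is considered "viewable".
+ *
+ * For built-in post statuses such as publish and private, the 'public' value will be evaluated.
+ * For all others, the 'publicly_queryable' value will be used.
+ *
+ * @since 5.7.0
+ * @since 5.9.0 Added `is_post_status_viewable` hook to filter the result.
+ *
+ * @param string|stdClass $post_status Post status name or object.
+ * @return bool Whether the post status should be considered viewable.
+ */
+function is_post_status_viewable( $post_status ) {
+    if ( is_scalar( $post_status ) ) {
+        $post_status = get_post_status_object( $post_status );
+
+        if ( ! $post_status ) {
+            return false;
+        }
+    }
+
+    if (
+        ! is_object( $post_status ) ||
+        $post_status->internal ||
+        $post_status->protected
+    ) {
+        return false;
+    }
+
+    $is_viewable = $post_status->publicly_queryable || ( $post_status->_builtin && $post_status->public );
+
+    /**
+     * Filters whether a post status is considered "viewable".
+     *
+     * The returned filtered value must be a boolean type to ensure
+     * `is_post_status_viewable()` only returns a boolean. This strictness
+     * is by design to maintain backwards-compatibility and guard against
+     * potential type errors in PHP 8.1+. Non-boolean values (even falsey
+     * and truthy values) will result in the function returning false.
+     *
+     * @since 5.9.0
+     *
+     * @param bool     $is_viewable Whether the post status is "viewable" (strict type).
+     * @param stdClass $post_status Post status object.
+     */
+    return true === apply_filters( 'is_post_status_viewable', $is_viewable, $post_status );
+}
+
+/**
+ * Determines whether a post is publicly viewable.
+ *
+ * Posts are considered publicly viewable if both the post status and post type
+ * are viewable.
+ *
+ * @since 5.7.0
+ *
+ * @param int|WP_Post|null $post Optional. Post ID or post object. Defaults to global $post.
+ * @return bool Whether the post is publicly viewable.
+ */
+function is_post_publicly_viewable( $post = null ) {
+    $post = get_post( $post );
+
+    if ( ! $post ) {
+        return false;
+    }
+
+    $post_type   = get_post_type( $post );
+    $post_status = get_post_status( $post );
+
+    return is_post_type_viewable( $post_type ) && is_post_status_viewable( $post_status );
 }
 
@@ -7100,34 +7194,4 @@
 
 /**
- * Filter the SQL clauses of an attachment query to include filenames.
- *
- * @since 4.7.0
- * @access private
- *
- * @global wpdb $wpdb WordPress database abstraction object.
- *
- * @param array $clauses An array including WHERE, GROUP BY, JOIN, ORDER BY,
- *                       DISTINCT, fields (SELECT), and LIMITS clauses.
- * @return array The modified clauses.
- */
-function _filter_query_attachment_filenames( $clauses ) {
-    global $wpdb;
-    remove_filter( 'posts_clauses', __FUNCTION__ );
-
-    // Add a LEFT JOIN of the postmeta table so we don't trample existing JOINs.
-    $clauses['join'] .= " LEFT JOIN {$wpdb->postmeta} AS sq1 ON ( {$wpdb->posts}.ID = sq1.post_id AND sq1.meta_key = '_wp_attached_file' )";
-
-    $clauses['groupby'] = "{$wpdb->posts}.ID";
-
-    $clauses['where'] = preg_replace(
-        "/\({$wpdb->posts}.post_content (NOT LIKE|LIKE) (\'[^']+\')\)/",
-        '$0 OR ( sq1.meta_value $1 $2 )',
-        $clauses['where']
-    );
-
-    return $clauses;
-}
-
-/**
  * Sets the last changed time for the 'posts' cache group.
  *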
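Review bot: The hook docblocks for `is_post_type_viewable` and `is_post_status_viewable` (new lines 1984-1997 and 2032-2045) explain the boolean strictness but not that the result now feeds an access decision. `is_post_publicly_viewable()` combines both values, and the terms controller in this changeset grants read access when it returns true. I would add a sentence to each docblock along the lines of `Returning true makes the type visible to callers that use this function as a permission check, including REST permission callbacks.` so that anyone hooking the filter knows what a permissive return affects.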
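--- a/branches/5.3/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
+++ b/branches/5.3/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
@@ -73,5 +73,5 @@
         // Filter query clauses to include filenames.
         if ( isset( $query_args['s'] ) ) {
-            add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
+            add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
         }
 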
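--- a/branches/5.3/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
+++ b/branches/5.3/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
@@ -136,4 +136,33 @@
 
     /**
+     * Checks if the terms for a post can be read.
+     *
+     * @since 6.0.3
+     *
+     * @param WP_Post         $post    Post object.
+     * @param WP_REST_Request $request Full details about the request.
+     * @return bool Whether the terms for the post can be read.
+     */
+    public function check_read_terms_permission_for_post( $post, $request ) {
+        // If the requested post isn't associated with this taxonomy, deny access.
+        if ( ! is_object_in_taxonomy( $post->post_type, $this->taxonomy ) ) {
+            return false;
+        }
+
+        // Grant access if the post is publicly viewable.
+        if ( is_post_publicly_viewable( $post ) ) {
+            return true;
+        }
+
+        // Otherwise grant access if the post is readable by the logged in user.
+        if ( current_user_can( 'read_post', $post->ID ) ) {
+            return true;
+        }
+
+        // Otherwise, deny access.
+        return false;
+    }
+
+    /**
      * Checks if a request has access to read terms in the specified taxonomy.
      *
@@ -145,10 +174,41 @@
     public function get_items_permissions_check( $request ) {
         $tax_obj = get_taxonomy( $this->taxonomy );
+
         if ( ! $tax_obj || ! $this->check_is_taxonomy_allowed( $this->taxonomy ) ) {
             return false;
         }
+
         if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->edit_terms ) ) {
-            return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
-        }
+            return new WP_Error(
+                'rest_forbidden_context',
+                __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ),
+                array( 'status' => rest_authorization_required_code() )
+            );
+        }
+
+        if ( ! empty( $request['post'] ) ) {
+            $post = get_post( $request['post'] );
+
+            if ( ! $post ) {
+                return new WP_Error(
+                    'rest_post_invalid_id',
+                    __( 'Invalid post ID.' ),
+                    array(
+                        'status' => 400,
+                    )
+                );
+            }
+
+            if ( ! $this->check_read_terms_permission_for_post( $post, $request ) ) {
+                return new WP_Error(
+                    'rest_forbidden_context',
+                    __( 'Sorry, you are not allowed to view terms for this post.' ),
+                    array(
+                        'status' => rest_authorization_required_code(),
+                    )
+                );
+            }
+        }
+
         return true;
     }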
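Review bot: The two failure branches added to `get_items_permissions_check()` answer differently, 400 `rest_post_invalid_id` for an unknown ID and the authorization status for a post the caller may not read, so the response tells a caller whether a non-public post ID exists. If that distinction should not be visible, both branches can return the same error. The second branch also reuses the code `rest_forbidden_context` for a refusal that has nothing to do with the `context` parameter, which makes the two `rest_forbidden_context` errors in this method indistinguishable to clients. `check_read_terms_permission_for_post()` accepts `$request` but never reads it; the docblock should either say it is reserved for subclasses or the parameter should go.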
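--- a/branches/5.3/src/wp-includes/widgets.php
+++ b/branches/5.3/src/wp-includes/widgets.php
@@ -1497,5 +1497,5 @@
     if ( is_wp_error( $rss ) ) {
         if ( is_admin() || current_user_can( 'manage_options' ) ) {
-            echo '<p><strong>' . __( 'RSS Error:' ) . '</strong> ' . $rss->get_error_message() . '</p>';
+            echo '<p><strong>' . __( 'RSS Error:' ) . '</strong> ' . esc_html( $rss->get_error_message() ) . '</p>';
         }
         return;
@@ -1620,5 +1620,5 @@
 
     if ( ! empty( $args['error'] ) ) {
-        echo '<p class="widget-error"><strong>' . __( 'RSS Error:' ) . '</strong> ' . $args['error'] . '</p>';
+        echo '<p class="widget-error"><strong>' . __( 'RSS Error:' ) . '</strong> ' . esc_html( $args['error'] ) . '</p>';
     }
 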
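--- a/branches/5.3/src/wp-mail.php
+++ b/branches/5.3/src/wp-mail.php
@@ -65,4 +65,7 @@
     wp_die( __( 'There doesn&#8217;t seem to be any new mail.' ) );
 }
+
+// Always run as an unauthenticated user.
+wp_set_current_user( 0 );
 
 for ( $i = 1; $i <= $count; $i++ ) {
@@ -132,6 +135,4 @@
                 $author = sanitize_email( $author );
                 if ( is_email( $author ) ) {
-                    /* translators: %s: Post author email address. */
-                    echo '<p>' . sprintf( __( 'Author is %s' ), $author ) . '</p>';
                     $userdata = get_user_by( 'email', $author );
                     if ( ! empty( $userdata ) ) {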
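Review bot: The comment on new line 68 states what `wp_set_current_user( 0 )` does but not why the script needs it, which invites a later cleanup to remove the call. Judging by the commit message ("Apply KSES to post-by-email content"), the point is that content filtering must not depend on the session of whoever requests this script. I would extend the comment to say so, for example `// Always run as an unauthenticated user so incoming content is filtered regardless of who triggers this script.` The same one-line comment is added on new line 16 of wp-trackback.php and would benefit from the same explanation.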
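--- a/branches/5.3/src/wp-trackback.php
+++ b/branches/5.3/src/wp-trackback.php
@@ -13,4 +13,7 @@
     wp( array( 'tb' => '1' ) );
 }
+
+// Always run as an unauthenticated user.
+wp_set_current_user( 0 );
 
 /**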
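--- a/branches/5.3/tests/phpunit/tests/query/search.php
+++ b/branches/5.3/tests/phpunit/tests/query/search.php
@@ -456,5 +456,5 @@
 
         add_post_meta( $attachment, '_wp_attached_file', 'some-image1.png', true );
-        add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
+        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
 
         // Pass post_type a string value.
@@ -486,5 +486,5 @@
 
         add_post_meta( $attachment, '_wp_attached_file', 'some-image2.png', true );
-        add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
+        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
 
         // Pass post_type an array value.
@@ -545,5 +545,5 @@
         add_post_meta( $attachment, '_wp_attached_file', 'some-image4.png', true );
         add_post_meta( $attachment, '_test_meta_key', 'value', true );
-        add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
+        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
 
         // Pass post_type a string value.
@@ -585,5 +585,5 @@
 
         add_post_meta( $attachment, '_wp_attached_file', 'some-image5.png', true );
-        add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
+        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
 
         // Pass post_type a string value.
@@ -610,23 +610,35 @@
      * @ticket 22744
      */
-    public function test_filter_query_attachment_filenames_unhooks_itself() {
-        add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
-
-        apply_filters(
-            'posts_clauses',
-            array(
-                'where'    => '',
-                'groupby'  => '',
-                'join'     => '',
-                'orderby'  => '',
-                'distinct' => '',
-                'fields'   => '',
-                'limit'    => '',
-            )
-        );
-
-        $result = has_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
-
-        $this->assertFalse( $result );
+    public function test_wp_query_removes_filter_wp_allow_query_attachment_by_filename() {
+        $attachment = self::factory()->post->create(
+            array(
+                'post_type'    => 'attachment',
+                'post_status'  => 'publish',
+                'post_title'   => 'bar foo',
+                'post_content' => 'foo bar',
+                'post_excerpt' => 'This post has foo',
+            )
+        );
+
+        add_post_meta( $attachment, '_wp_attached_file', 'some-image1.png', true );
+        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
+
+        $q = new WP_Query(
+            array(
+                's'           => 'image1',
+                'fields'      => 'ids',
+                'post_type'   => 'attachment',
+                'post_status' => 'inherit',
+            )
+        );
+
+        $this->assertSame( array( $attachment ), $q->posts );
+
+        /*
+         * WP_Query should have removed the wp_allow_query_attachment_by_filename filter
+         * and thus not match the attachment created above
+         */
+        $q->get_posts();
+        $this->assertEmpty( $q->posts );
     }
 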
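Review bot: The rewritten test at new lines 612-643 only infers that the filter was removed, from the empty result of the second `get_posts()` call. An empty result could also come from an unrelated change in search behaviour, so I would assert the removal directly after the first query: `$this->assertFalse( has_filter( 'wp_allow_query_attachment_by_filename' ) );`. The replaced test checked `has_filter()` in exactly this way for the old hook.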
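--- a/branches/5.3/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/branches/5.3/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -2739,4 +2739,5 @@
                     'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
                     'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                    'author'            => self::$editor_id,
                 ),
                 array(
@@ -2747,4 +2748,5 @@
                     'author_name'       => 'div strong',
                     'author_user_agent' => 'div strong',
+                    'author'            => self::$editor_id,
                 )
             );
@@ -2756,4 +2758,5 @@
                     'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
                     'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                    'author'            => self::$editor_id,
                 ),
                 array(
@@ -2764,4 +2767,5 @@
                     'author_name'       => 'div strong',
                     'author_user_agent' => 'div strong',
+                    'author'            => self::$editor_id,
                 )
             );
@@ -2777,4 +2781,5 @@
                 'author_name'       => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
                 'author_user_agent' => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
+                'author'            => self::$superadmin_id,
             ),
             array(
@@ -2785,4 +2790,5 @@
                 'author_name'       => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
                 'author_user_agent' => '\\\&\\\ &amp; &invalid; &lt; &lt; &amp;lt;',
+                'author'            => self::$superadmin_id,
             )
         );
@@ -2797,4 +2803,5 @@
                 'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
                 'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'author'            => self::$superadmin_id,
             ),
             array(
@@ -2805,4 +2812,5 @@
                 'author_name'       => 'div strong',
                 'author_user_agent' => 'div strong',
+                'author'            => self::$superadmin_id,
             )
         );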