Make WordPress Core

Changeset 54566


Ignore:
Timestamp:
10/17/2022 06:08:39 PM (21 months ago)
Author:
SergeyBiryukov
Message:

Grouped backports to the 4.7 branch.

  • Posts, Post types: Apply KSES to post-by-email content,
  • General: Validate host on "Are you sure?" screen,
  • Posts, Post types: Remove emails from post-by-email logs,
  • Media: Refactor search by filename within the admin,
  • Pings/trackbacks: Apply KSES to all trackbacks,
  • Comments: Apply kses when editing comments,
  • Customize: Escape blogname option in underscores templates,
  • REST API: Lockdown post parameter of the terms endpoint,
  • Mail: Reset PHPMailer properties between use,
  • Query: Validate relation in WP_Date_Query,
  • Widgets: Escape RSS error messages for display.

Merges [54521], [54522], [54523], [54524], [54525], [54526], [54527], [54528], [54529], [54530], [54541] to the 4.7 branch.
Props voldemortensen, johnbillion, paulkevan, peterwilsoncc, xknown, dd32, audrasjb, martinkrcho, vortfu, davidbaumwald, tykoted, timothyblynjacobs, johnjamesjacoby, ehtis, matveb, talldanwp.

Location:
branches/4.7
Files:
20 edited

Legend:

Unmodified
Added
Removed
  • branches/4.7

  • branches/4.7/src/wp-admin/includes/ajax-actions.php

    r45947 r54566  
    24102410    // Filter query clauses to include filenames.
    24112411    if ( isset( $query['s'] ) ) {
    2412         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     2412        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    24132413    }
    24142414
  • branches/4.7/src/wp-admin/includes/post.php

    r44056 r54566  
    11701170    // Filter query clauses to include filenames.
    11711171    if ( isset( $q['s'] ) ) {
    1172         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     1172        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    11731173    }
    11741174
  • branches/4.7/src/wp-includes/class-wp-query.php

    r47650 r54566  
    487487    private $compat_methods = array( 'init_query_flags', 'parse_tax_query' );
    488488
     489    /**
     490     * Controls whether an attachment query should include filenames or not.
     491     *
     492     * @since 6.0.3
     493     * @var bool
     494     */
     495    protected $allow_query_attachment_by_filename = false;
    489496    /**
    490497     * Resets query flags to false.
     
    13451352
    13461353            $like = $n . $wpdb->esc_like( $term ) . $n;
    1347             $search .= $wpdb->prepare( "{$searchand}(({$wpdb->posts}.post_title $like_op %s) $andor_op ({$wpdb->posts}.post_excerpt $like_op %s) $andor_op ({$wpdb->posts}.post_content $like_op %s))", $like, $like, $like );
     1354
     1355            if ( ! empty( $this->allow_query_attachment_by_filename ) ) {
     1356                $search .= $wpdb->prepare( "{$searchand}(({$wpdb->posts}.post_title $like_op %s) $andor_op ({$wpdb->posts}.post_excerpt $like_op %s) $andor_op ({$wpdb->posts}.post_content $like_op %s) $andor_op (sq1.meta_value $like_op %s))", $like, $like, $like, $like );
     1357            } else {
     1358                $search .= $wpdb->prepare( "{$searchand}(({$wpdb->posts}.post_title $like_op %s) $andor_op ({$wpdb->posts}.post_excerpt $like_op %s) $andor_op ({$wpdb->posts}.post_content $like_op %s))", $like, $like, $like );
     1359            }
    13481360            $searchand = ' AND ';
    13491361        }
     
    16821694        $q = $this->fill_query_vars($q);
    16831695
     1696        /**
     1697         * Filters whether an attachment query should include filenames or not.
     1698         *
     1699         * @since 6.0.3
     1700         *
     1701         * @param bool $allow_query_attachment_by_filename Whether or not to include filenames.
     1702         */
     1703        $this->allow_query_attachment_by_filename = apply_filters( 'wp_allow_query_attachment_by_filename', false );
     1704        remove_all_filters( 'wp_allow_query_attachment_by_filename' );
     1705
    16841706        // Parse meta query
    16851707        $this->meta_query = new WP_Meta_Query();
     
    20782100        }
    20792101
    2080         if ( !empty( $this->tax_query->queries ) || !empty( $this->meta_query->queries ) ) {
     2102        if ( ! empty( $this->tax_query->queries ) || ! empty( $this->meta_query->queries ) || ! empty( $this->allow_query_attachment_by_filename ) ) {
    20812103            $groupby = "{$wpdb->posts}.ID";
    20822104        }
     
    21262148        }
    21272149        $where .= $search . $whichauthor . $whichmimetype;
     2150
     2151        if ( ! empty( $this->allow_query_attachment_by_filename ) ) {
     2152            $join .= " LEFT JOIN {$wpdb->postmeta} AS sq1 ON ( {$wpdb->posts}.ID = sq1.post_id AND sq1.meta_key = '_wp_attached_file' )";
     2153        }
    21282154
    21292155        if ( ! empty( $this->meta_query->queries ) ) {
  • branches/4.7/src/wp-includes/comment.php

    r44847 r54566  
    21472147    }
    21482148
     2149    $filter_comment = false;
     2150    if ( ! has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) {
     2151        $filter_comment = ! user_can( isset( $comment['user_id'] ) ? $comment['user_id'] : 0, 'unfiltered_html' );
     2152    }
     2153
     2154    if ( $filter_comment ) {
     2155        add_filter( 'pre_comment_content', 'wp_filter_kses' );
     2156    }
     2157
    21492158    // Escape data pulled from DB.
    21502159    $comment = wp_slash($comment);
     
    21562165
    21572166    $commentarr = wp_filter_comment( $commentarr );
     2167
     2168    if ( $filter_comment ) {
     2169        remove_filter( 'pre_comment_content', 'wp_filter_kses' );
     2170    }
    21582171
    21592172    // Now extract the merged array.
  • branches/4.7/src/wp-includes/customize/class-wp-customize-header-image-control.php

    r39145 r54566  
    104104
    105105            <button type="button" class="choice thumbnail"
    106                 data-customize-image-value="{{{data.header.url}}}"
     106                data-customize-image-value="{{data.header.url}}"
    107107                data-customize-header-image-data="{{JSON.stringify(data.header)}}">
    108108                <span class="screen-reader-text"><?php _e( 'Set image' ); ?></span>
    109                 <img src="{{{data.header.thumbnail_url}}}" alt="{{{data.header.alt_text || data.header.description}}}">
     109                <img src="{{data.header.thumbnail_url}}" alt="{{data.header.alt_text || data.header.description}}" />
    110110            </button>
    111111
  • branches/4.7/src/wp-includes/customize/class-wp-customize-site-icon-control.php

    r40332 r54566  
    7070                                <img src="{{ data.attachment.sizes.full ? data.attachment.sizes.full.url : data.attachment.url }}" alt="<?php esc_attr_e( 'Preview as a browser icon' ); ?>"/>
    7171                            </div>
    72                             <span class="browser-title" aria-hidden="true"><?php bloginfo( 'name' ); ?></span>
     72                            <span class="browser-title" aria-hidden="true"><?php echo esc_js( get_bloginfo( 'name' ) ); ?></span>
    7373                        </div>
    7474                        <img class="app-icon-preview" src="{{ data.attachment.sizes.full ? data.attachment.sizes.full.url : data.attachment.url }}" alt="<?php esc_attr_e( 'Preview as an app icon' ); ?>"/>
  • branches/4.7/src/wp-includes/date.php

    r38768 r54566  
    152152     */
    153153    public function __construct( $date_query, $default_column = 'post_date' ) {
    154         if ( isset( $date_query['relation'] ) && 'OR' === strtoupper( $date_query['relation'] ) ) {
    155             $this->relation = 'OR';
     154        if ( isset( $date_query['relation'] ) ) {
     155            $this->relation = $this->sanitize_relation( $date_query['relation'] );
    156156        } else {
    157157            $this->relation = 'AND';
     
    232232            $this->validate_date_values( $queries );
    233233        }
     234
     235        // Sanitize the relation parameter.
     236        $queries['relation'] = $this->sanitize_relation( $queries['relation'] );
    234237
    235238        foreach ( $queries as $key => $q ) {
     
    10151018        return $wpdb->prepare( "DATE_FORMAT( $column, %s ) $compare %f", $format, $time );
    10161019    }
     1020
     1021    /**
     1022     * Sanitizes a 'relation' operator.
     1023     *
     1024     * @since 6.0.3
     1025     *
     1026     * @param string $relation Raw relation key from the query argument.
     1027     * @return string Sanitized relation ('AND' or 'OR').
     1028     */
     1029    public function sanitize_relation( $relation ) {
     1030        if ( 'OR' === strtoupper( $relation ) ) {
     1031            return 'OR';
     1032        } else {
     1033            return 'AND';
     1034        }
     1035    }
    10171036}
  • branches/4.7/src/wp-includes/deprecated.php

    r39051 r54566  
    38793879        return strcmp( $a->$_menu_item_sort_prop, $b->$_menu_item_sort_prop );
    38803880}
     3881
     3882/**
     3883 * Filter the SQL clauses of an attachment query to include filenames.
     3884 *
     3885 * @since 4.7.0
     3886 * @deprecated 6.0.3
     3887 * @access private
     3888 *
     3889 * @param array $clauses An array including WHERE, GROUP BY, JOIN, ORDER BY,
     3890 *                       DISTINCT, fields (SELECT), and LIMITS clauses.
     3891 * @return array The unmodified clauses.
     3892 */
     3893function _filter_query_attachment_filenames( $clauses ) {
     3894    _deprecated_function( __FUNCTION__, '6.0.3', 'add_filter( "wp_allow_query_attachment_by_filename", "__return_true" )');
     3895    remove_filter( 'posts_clauses', __FUNCTION__ );
     3896    return $clauses;
     3897}
     3898
  • branches/4.7/src/wp-includes/functions.php

    r46495 r54566  
    23692369            if ( $type !== $real_mime ) {
    23702370                /*
    2371                  * Everything else including image/* and application/*: 
     2371                 * Everything else including image/* and application/*:
    23722372                 * If the real content type doesn't match the file extension, assume it's dangerous.
    23732373                 */
     
    23782378    }
    23792379
    2380     // The mime type must be allowed 
     2380    // The mime type must be allowed
    23812381    if ( $type ) {
    23822382        $allowed = get_allowed_mime_types();
     
    26502650        $html = __( 'Are you sure you want to do this?' );
    26512651        if ( wp_get_referer() ) {
    2652             $html .= '</p><p>';
    2653             $html .= sprintf( '<a href="%s">%s</a>',
    2654                 esc_url( remove_query_arg( 'updated', wp_get_referer() ) ),
     2652            $wp_http_referer = remove_query_arg( 'updated', wp_get_referer() );
     2653            $wp_http_referer = wp_validate_redirect( esc_url_raw( $wp_http_referer ) );
     2654            $html           .= '</p><p>';
     2655            $html           .= sprintf(
     2656                '<a href="%s">%s</a>',
     2657                esc_url( $wp_http_referer ),
    26552658                __( 'Please try again.' )
    26562659            );
  • branches/4.7/src/wp-includes/media-template.php

    r40367 r54566  
    12501250                <img id="preview-favicon" src="{{ data.url }}" alt="<?php esc_attr_e( 'Preview as a browser icon' ); ?>"/>
    12511251            </div>
    1252             <span class="browser-title" aria-hidden="true"><?php bloginfo( 'name' ); ?></span>
     1252            <span class="browser-title" aria-hidden="true"><?php echo esc_js( get_bloginfo( 'name' ) ); ?></span>
    12531253        </div>
    12541254
  • branches/4.7/src/wp-includes/pluggable.php

    r47978 r54566  
    309309    $phpmailer->ClearCustomHeaders();
    310310    $phpmailer->ClearReplyTos();
     311    $phpmailer->Body    = '';
     312    $phpmailer->AltBody = '';
    311313
    312314    // From email and name
  • branches/4.7/src/wp-includes/post.php

    r52476 r54566  
    16321632    }
    16331633
    1634     return $post_type->publicly_queryable || ( $post_type->_builtin && $post_type->public );
     1634    if ( ! is_object( $post_type ) ) {
     1635        return false;
     1636    }
     1637
     1638    $is_viewable = $post_type->publicly_queryable || ( $post_type->_builtin && $post_type->public );
     1639
     1640    /**
     1641     * Filters whether a post type is considered "viewable".
     1642     *
     1643     * The returned filtered value must be a boolean type to ensure
     1644     * `is_post_type_viewable()` only returns a boolean. This strictness
     1645     * is by design to maintain backwards-compatibility and guard against
     1646     * potential type errors in PHP 8.1+. Non-boolean values (even falsey
     1647     * and truthy values) will result in the function returning false.
     1648     *
     1649     * @since 5.9.0
     1650     *
     1651     * @param bool         $is_viewable Whether the post type is "viewable" (strict type).
     1652     * @param WP_Post_Type $post_type   Post type object.
     1653     */
     1654    return true === apply_filters( 'is_post_type_viewable', $is_viewable, $post_type );
     1655}
     1656
     1657/**
     1658 * Determines whether a post status is considered "viewable".
     1659 *
     1660 * For built-in post statuses such as publish and private, the 'public' value will be evaluated.
     1661 * For all others, the 'publicly_queryable' value will be used.
     1662 *
     1663 * @since 5.7.0
     1664 * @since 5.9.0 Added `is_post_status_viewable` hook to filter the result.
     1665 *
     1666 * @param string|stdClass $post_status Post status name or object.
     1667 * @return bool Whether the post status should be considered viewable.
     1668 */
     1669function is_post_status_viewable( $post_status ) {
     1670    if ( is_scalar( $post_status ) ) {
     1671        $post_status = get_post_status_object( $post_status );
     1672
     1673        if ( ! $post_status ) {
     1674            return false;
     1675        }
     1676    }
     1677
     1678    if (
     1679        ! is_object( $post_status ) ||
     1680        $post_status->internal ||
     1681        $post_status->protected
     1682    ) {
     1683        return false;
     1684    }
     1685
     1686    $is_viewable = $post_status->publicly_queryable || ( $post_status->_builtin && $post_status->public );
     1687
     1688    /**
     1689     * Filters whether a post status is considered "viewable".
     1690     *
     1691     * The returned filtered value must be a boolean type to ensure
     1692     * `is_post_status_viewable()` only returns a boolean. This strictness
     1693     * is by design to maintain backwards-compatibility and guard against
     1694     * potential type errors in PHP 8.1+. Non-boolean values (even falsey
     1695     * and truthy values) will result in the function returning false.
     1696     *
     1697     * @since 5.9.0
     1698     *
     1699     * @param bool     $is_viewable Whether the post status is "viewable" (strict type).
     1700     * @param stdClass $post_status Post status object.
     1701     */
     1702    return true === apply_filters( 'is_post_status_viewable', $is_viewable, $post_status );
     1703}
     1704
     1705/**
     1706 * Determines whether a post is publicly viewable.
     1707 *
     1708 * Posts are considered publicly viewable if both the post status and post type
     1709 * are viewable.
     1710 *
     1711 * @since 5.7.0
     1712 *
     1713 * @param int|WP_Post|null $post Optional. Post ID or post object. Defaults to global $post.
     1714 * @return bool Whether the post is publicly viewable.
     1715 */
     1716function is_post_publicly_viewable( $post = null ) {
     1717    $post = get_post( $post );
     1718
     1719    if ( ! $post ) {
     1720        return false;
     1721    }
     1722
     1723    $post_type   = get_post_type( $post );
     1724    $post_status = get_post_status( $post );
     1725
     1726    return is_post_type_viewable( $post_type ) && is_post_status_viewable( $post_status );
    16351727}
    16361728
     
    62356327    return $post_name;
    62366328}
    6237 
    6238 /**
    6239  * Filter the SQL clauses of an attachment query to include filenames.
    6240  *
    6241  * @since 4.7.0
    6242  * @access private
    6243  *
    6244  * @global wpdb $wpdb WordPress database abstraction object.
    6245  *
    6246  * @param array $clauses An array including WHERE, GROUP BY, JOIN, ORDER BY,
    6247  *                       DISTINCT, fields (SELECT), and LIMITS clauses.
    6248  * @return array The modified clauses.
    6249  */
    6250 function _filter_query_attachment_filenames( $clauses ) {
    6251     global $wpdb;
    6252     remove_filter( 'posts_clauses', __FUNCTION__ );
    6253 
    6254     // Add a LEFT JOIN of the postmeta table so we don't trample existing JOINs.
    6255     $clauses['join'] .= " LEFT JOIN {$wpdb->postmeta} AS sq1 ON ( {$wpdb->posts}.ID = sq1.post_id AND sq1.meta_key = '_wp_attached_file' )";
    6256 
    6257     $clauses['groupby'] = "{$wpdb->posts}.ID";
    6258 
    6259     $clauses['where'] = preg_replace(
    6260         "/\({$wpdb->posts}.post_content (NOT LIKE|LIKE) (\'[^']+\')\)/",
    6261         "$0 OR ( sq1.meta_value $1 $2 )",
    6262         $clauses['where'] );
    6263 
    6264     return $clauses;
    6265 }
  • branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

    r39629 r54566  
    5050        // Filter query clauses to include filenames.
    5151        if ( isset( $query_args['s'] ) ) {
    52             add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     52            add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    5353        }
    5454
  • branches/4.7/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

    r40427 r54566  
    134134
    135135    /**
     136     * Checks if the terms for a post can be read.
     137     *
     138     * @since 6.0.3
     139     *
     140     * @param WP_Post         $post    Post object.
     141     * @param WP_REST_Request $request Full details about the request.
     142     * @return bool Whether the terms for the post can be read.
     143     */
     144    public function check_read_terms_permission_for_post( $post, $request ) {
     145        // If the requested post isn't associated with this taxonomy, deny access.
     146        if ( ! is_object_in_taxonomy( $post->post_type, $this->taxonomy ) ) {
     147            return false;
     148        }
     149
     150        // Grant access if the post is publicly viewable.
     151        if ( is_post_publicly_viewable( $post ) ) {
     152            return true;
     153        }
     154
     155        // Otherwise grant access if the post is readable by the logged in user.
     156        if ( current_user_can( 'read_post', $post->ID ) ) {
     157            return true;
     158        }
     159
     160        // Otherwise, deny access.
     161        return false;
     162    }
     163
     164    /**
    136165     * Checks if a request has access to read terms in the specified taxonomy.
    137166     *
     
    144173    public function get_items_permissions_check( $request ) {
    145174        $tax_obj = get_taxonomy( $this->taxonomy );
     175
    146176        if ( ! $tax_obj || ! $this->check_is_taxonomy_allowed( $this->taxonomy ) ) {
    147177            return false;
    148178        }
     179
    149180        if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->edit_terms ) ) {
    150             return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
    151         }
     181            return new WP_Error(
     182                'rest_forbidden_context',
     183                __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ),
     184                array( 'status' => rest_authorization_required_code() )
     185            );
     186        }
     187
     188        if ( ! empty( $request['post'] ) ) {
     189            $post = get_post( $request['post'] );
     190
     191            if ( ! $post ) {
     192                return new WP_Error(
     193                    'rest_post_invalid_id',
     194                    __( 'Invalid post ID.' ),
     195                    array(
     196                        'status' => 400,
     197                    )
     198                );
     199            }
     200
     201            if ( ! $this->check_read_terms_permission_for_post( $post, $request ) ) {
     202                return new WP_Error(
     203                    'rest_forbidden_context',
     204                    __( 'Sorry, you are not allowed to view terms for this post.' ),
     205                    array(
     206                        'status' => rest_authorization_required_code(),
     207                    )
     208                );
     209            }
     210        }
     211
    152212        return true;
    153213    }
  • branches/4.7/src/wp-includes/widgets.php

    r39311 r54566  
    12341234    if ( is_wp_error($rss) ) {
    12351235        if ( is_admin() || current_user_can('manage_options') )
    1236             echo '<p><strong>' . __( 'RSS Error:' ) . '</strong> ' . $rss->get_error_message() . '</p>';
     1236            echo '<p><strong>' . __( 'RSS Error:' ) . '</strong> ' . esc_html( $rss->get_error_message() ) . '</p>';
    12371237        return;
    12381238    }
     
    13431343
    13441344    if ( ! empty( $args['error'] ) ) {
    1345         echo '<p class="widget-error"><strong>' . __( 'RSS Error:' ) . '</strong> ' . $args['error'] . '</p>';
     1345        echo '<p class="widget-error"><strong>' . __( 'RSS Error:' ) . '</strong> ' . esc_html( $args['error'] ) . '</p>';
    13461346    }
    13471347
  • branches/4.7/src/wp-mail.php

    r39773 r54566  
    6060    wp_die( __('There doesn&#8217;t seem to be any new mail.') );
    6161}
     62
     63// Always run as an unauthenticated user.
     64wp_set_current_user( 0 );
    6265
    6366for ( $i = 1; $i <= $count; $i++ ) {
     
    125128                $author = sanitize_email($author);
    126129                if ( is_email($author) ) {
    127                     /* translators: Post author email address */
    128                     echo '<p>' . sprintf(__('Author is %s'), $author) . '</p>';
    129130                    $userdata = get_user_by('email', $author);
    130131                    if ( ! empty( $userdata ) ) {
  • branches/4.7/src/wp-trackback.php

    r38791 r54566  
    1313    wp( array( 'tb' => '1' ) );
    1414}
     15
     16// Always run as an unauthenticated user.
     17wp_set_current_user( 0 );
    1518
    1619/**
  • branches/4.7/tests/phpunit/tests/query/search.php

    r38844 r54566  
    371371
    372372        add_post_meta( $attachment, '_wp_attached_file', 'some-image1.png', true );
    373         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     373        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    374374
    375375        // Pass post_type a string value.
     
    397397
    398398        add_post_meta( $attachment, '_wp_attached_file', 'some-image2.png', true );
    399         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     399        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    400400
    401401        // Pass post_type an array value.
     
    448448        add_post_meta( $attachment, '_wp_attached_file', 'some-image4.png', true );
    449449        add_post_meta( $attachment, '_test_meta_key', 'value', true );
    450         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     450        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    451451
    452452        // Pass post_type a string value.
     
    484484
    485485        add_post_meta( $attachment, '_wp_attached_file', 'some-image5.png', true );
    486         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     486        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    487487
    488488        // Pass post_type a string value.
     
    507507     * @ticket 22744
    508508     */
    509     public function test_filter_query_attachment_filenames_unhooks_itself() {
    510         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
    511 
    512         apply_filters( 'posts_clauses', array(
    513             'where'    => '',
    514             'groupby'  => '',
    515             'join'     => '',
    516             'orderby'  => '',
    517             'distinct' => '',
    518             'fields'   => '',
    519             'limit'    => '',
    520         ) );
    521 
    522         $result = has_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
    523 
    524         $this->assertFalse( $result );
     509    public function test_wp_query_removes_filter_wp_allow_query_attachment_by_filename() {
     510        $attachment = self::factory()->post->create(
     511            array(
     512                'post_type'    => 'attachment',
     513                'post_status'  => 'publish',
     514                'post_title'   => 'bar foo',
     515                'post_content' => 'foo bar',
     516                'post_excerpt' => 'This post has foo',
     517            )
     518        );
     519
     520        add_post_meta( $attachment, '_wp_attached_file', 'some-image1.png', true );
     521        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
     522
     523        $q = new WP_Query(
     524            array(
     525                's'           => 'image1',
     526                'fields'      => 'ids',
     527                'post_type'   => 'attachment',
     528                'post_status' => 'inherit',
     529            )
     530        );
     531
     532        $this->assertSame( array( $attachment ), $q->posts );
     533
     534        /*
     535         * WP_Query should have removed the wp_allow_query_attachment_by_filename filter
     536         * and thus not match the attachment created above
     537         */
     538        $q->get_posts();
     539        $this->assertEmpty( $q->posts );
    525540    }
    526541
  • branches/4.7/tests/phpunit/tests/rest-api/rest-comments-controller.php

    r40114 r54566  
    25632563                'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
    25642564                'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
     2565                'author'            => self::$editor_id,
    25652566            ), array(
    25662567                'content' => array(
     
    25702571                'author_name'       => 'div strong',
    25712572                'author_user_agent' => 'div strong',
     2573                'author'            => self::$editor_id,
    25722574            ) );
    25732575        } else {
     
    25772579                'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
    25782580                'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
     2581                'author'            => self::$editor_id,
    25792582            ), array(
    25802583                'content' => array(
     
    25842587                'author_name'       => 'div strong',
    25852588                'author_user_agent' => 'div strong',
     2589                'author'            => self::$editor_id,
    25862590            ) );
    25872591        }
     
    25952599            'author_name'       => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
    25962600            'author_user_agent' => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
     2601            'author'            => self::$superadmin_id,
    25972602        ), array(
    25982603            'content' => array(
     
    26022607            'author_name'       => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
    26032608            'author_user_agent' => '\\\&\\\ &amp; &invalid; &lt; &lt; &amp;lt;',
     2609            'author'            => self::$superadmin_id,
    26042610        ) );
    26052611    }
     
    26122618            'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
    26132619            'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
     2620            'author'            => self::$superadmin_id,
    26142621        ), array(
    26152622            'content' => array(
     
    26192626            'author_name'       => 'div strong',
    26202627            'author_user_agent' => 'div strong',
     2628            'author'            => self::$superadmin_id,
    26212629        ) );
    26222630    }
Note: See TracChangeset for help on using the changeset viewer.