Make WordPress Core

Changeset 54571


Ignore:
Timestamp:
10/17/2022 06:13:25 PM (2 years ago)
Author:
SergeyBiryukov
Message:

Grouped backports to the 5.0 branch.

  • Posts, Post types: Apply KSES to post-by-email content,
  • General: Validate host on "Are you sure?" screen,
  • Posts, Post types: Remove emails from post-by-email logs,
  • Media: Refactor search by filename within the admin,
  • Pings/trackbacks: Apply KSES to all trackbacks,
  • Comments: Apply kses when editing comments,
  • Customize: Escape blogname option in underscores templates,
  • REST API: Lockdown post parameter of the terms endpoint,
  • Mail: Reset PHPMailer properties between use,
  • Query: Validate relation in WP_Date_Query,
  • Widgets: Escape RSS error messages for display.

Merges [54521], [54522], [54523], [54524], [54525], [54526], [54527], [54528], [54529], [54530], [54541] to the 5.0 branch.
Props voldemortensen, johnbillion, paulkevan, peterwilsoncc, xknown, dd32, audrasjb, martinkrcho, vortfu, davidbaumwald, tykoted, timothyblynjacobs, johnjamesjacoby, ehtis, matveb, talldanwp.

Location:
branches/5.0
Files:
20 edited

Legend:

Unmodified
Added
Removed
  • branches/5.0

  • branches/5.0/src/wp-admin/includes/ajax-actions.php

    r45941 r54571  
    24702470    // Filter query clauses to include filenames.
    24712471    if ( isset( $query['s'] ) ) {
    2472         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     2472        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    24732473    }
    24742474
  • branches/5.0/src/wp-admin/includes/post.php

    r44339 r54571  
    11811181    // Filter query clauses to include filenames.
    11821182    if ( isset( $q['s'] ) ) {
    1183         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     1183        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    11841184    }
    11851185
  • branches/5.0/src/wp-includes/class-wp-query.php

    r47647 r54571  
    438438    private $compat_methods = array( 'init_query_flags', 'parse_tax_query' );
    439439
     440    /**
     441     * Controls whether an attachment query should include filenames or not.
     442     *
     443     * @since 6.0.3
     444     * @var bool
     445     */
     446    protected $allow_query_attachment_by_filename = false;
    440447    /**
    441448     * Resets query flags to false.
     
    12991306
    13001307            $like = $n . $wpdb->esc_like( $term ) . $n;
    1301             $search .= $wpdb->prepare( "{$searchand}(({$wpdb->posts}.post_title $like_op %s) $andor_op ({$wpdb->posts}.post_excerpt $like_op %s) $andor_op ({$wpdb->posts}.post_content $like_op %s))", $like, $like, $like );
     1308
     1309            if ( ! empty( $this->allow_query_attachment_by_filename ) ) {
     1310                $search .= $wpdb->prepare( "{$searchand}(({$wpdb->posts}.post_title $like_op %s) $andor_op ({$wpdb->posts}.post_excerpt $like_op %s) $andor_op ({$wpdb->posts}.post_content $like_op %s) $andor_op (sq1.meta_value $like_op %s))", $like, $like, $like, $like );
     1311            } else {
     1312                $search .= $wpdb->prepare( "{$searchand}(({$wpdb->posts}.post_title $like_op %s) $andor_op ({$wpdb->posts}.post_excerpt $like_op %s) $andor_op ({$wpdb->posts}.post_content $like_op %s))", $like, $like, $like );
     1313            }
    13021314            $searchand = ' AND ';
    13031315        }
     
    16351647        $q = $this->fill_query_vars($q);
    16361648
     1649        /**
     1650         * Filters whether an attachment query should include filenames or not.
     1651         *
     1652         * @since 6.0.3
     1653         *
     1654         * @param bool $allow_query_attachment_by_filename Whether or not to include filenames.
     1655         */
     1656        $this->allow_query_attachment_by_filename = apply_filters( 'wp_allow_query_attachment_by_filename', false );
     1657        remove_all_filters( 'wp_allow_query_attachment_by_filename' );
     1658
    16371659        // Parse meta query
    16381660        $this->meta_query = new WP_Meta_Query();
     
    20392061        }
    20402062
    2041         if ( !empty( $this->tax_query->queries ) || !empty( $this->meta_query->queries ) ) {
     2063        if ( ! empty( $this->tax_query->queries ) || ! empty( $this->meta_query->queries ) || ! empty( $this->allow_query_attachment_by_filename ) ) {
    20422064            $groupby = "{$wpdb->posts}.ID";
    20432065        }
     
    21112133        }
    21122134        $where .= $search . $whichauthor . $whichmimetype;
     2135
     2136        if ( ! empty( $this->allow_query_attachment_by_filename ) ) {
     2137            $join .= " LEFT JOIN {$wpdb->postmeta} AS sq1 ON ( {$wpdb->posts}.ID = sq1.post_id AND sq1.meta_key = '_wp_attached_file' )";
     2138        }
    21132139
    21142140        if ( ! empty( $this->meta_query->queries ) ) {
  • branches/5.0/src/wp-includes/comment.php

    r44844 r54571  
    21842184    }
    21852185
     2186    $filter_comment = false;
     2187    if ( ! has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) {
     2188        $filter_comment = ! user_can( isset( $comment['user_id'] ) ? $comment['user_id'] : 0, 'unfiltered_html' );
     2189    }
     2190
     2191    if ( $filter_comment ) {
     2192        add_filter( 'pre_comment_content', 'wp_filter_kses' );
     2193    }
     2194
    21862195    // Escape data pulled from DB.
    21872196    $comment = wp_slash($comment);
     
    21932202
    21942203    $commentarr = wp_filter_comment( $commentarr );
     2204
     2205    if ( $filter_comment ) {
     2206        remove_filter( 'pre_comment_content', 'wp_filter_kses' );
     2207    }
    21952208
    21962209    // Now extract the merged array.
  • branches/5.0/src/wp-includes/customize/class-wp-customize-header-image-control.php

    r41935 r54571  
    104104
    105105            <button type="button" class="choice thumbnail"
    106                 data-customize-image-value="{{{data.header.url}}}"
     106                data-customize-image-value="{{data.header.url}}"
    107107                data-customize-header-image-data="{{JSON.stringify(data.header)}}">
    108108                <span class="screen-reader-text"><?php _e( 'Set image' ); ?></span>
    109                 <img src="{{{data.header.thumbnail_url}}}" alt="{{{data.header.alt_text || data.header.description}}}">
     109                <img src="{{data.header.thumbnail_url}}" alt="{{data.header.alt_text || data.header.description}}" />
    110110            </button>
    111111
  • branches/5.0/src/wp-includes/customize/class-wp-customize-site-icon-control.php

    r41162 r54571  
    6767                                <img src="{{ data.attachment.sizes.full ? data.attachment.sizes.full.url : data.attachment.url }}" alt="<?php esc_attr_e( 'Preview as a browser icon' ); ?>"/>
    6868                            </div>
    69                             <span class="browser-title" aria-hidden="true"><?php bloginfo( 'name' ); ?></span>
     69                            <span class="browser-title" aria-hidden="true"><?php echo esc_js( get_bloginfo( 'name' ) ); ?></span>
    7070                        </div>
    7171                        <img class="app-icon-preview" src="{{ data.attachment.sizes.full ? data.attachment.sizes.full.url : data.attachment.url }}" alt="<?php esc_attr_e( 'Preview as an app icon' ); ?>"/>
  • branches/5.0/src/wp-includes/date.php

    r41162 r54571  
    146146     */
    147147    public function __construct( $date_query, $default_column = 'post_date' ) {
    148         if ( isset( $date_query['relation'] ) && 'OR' === strtoupper( $date_query['relation'] ) ) {
    149             $this->relation = 'OR';
     148        if ( isset( $date_query['relation'] ) ) {
     149            $this->relation = $this->sanitize_relation( $date_query['relation'] );
    150150        } else {
    151151            $this->relation = 'AND';
     
    225225            $this->validate_date_values( $queries );
    226226        }
     227
     228        // Sanitize the relation parameter.
     229        $queries['relation'] = $this->sanitize_relation( $queries['relation'] );
    227230
    228231        foreach ( $queries as $key => $q ) {
     
    9991002        return $wpdb->prepare( "DATE_FORMAT( $column, %s ) $compare %f", $format, $time );
    10001003    }
     1004
     1005    /**
     1006     * Sanitizes a 'relation' operator.
     1007     *
     1008     * @since 6.0.3
     1009     *
     1010     * @param string $relation Raw relation key from the query argument.
     1011     * @return string Sanitized relation ('AND' or 'OR').
     1012     */
     1013    public function sanitize_relation( $relation ) {
     1014        if ( 'OR' === strtoupper( $relation ) ) {
     1015            return 'OR';
     1016        } else {
     1017            return 'AND';
     1018        }
     1019    }
    10011020}
  • branches/5.0/src/wp-includes/deprecated.php

    r43827 r54571  
    39533953    }
    39543954}
     3955
     3956/**
     3957 * Filter the SQL clauses of an attachment query to include filenames.
     3958 *
     3959 * @since 4.7.0
     3960 * @deprecated 6.0.3
     3961 * @access private
     3962 *
     3963 * @param array $clauses An array including WHERE, GROUP BY, JOIN, ORDER BY,
     3964 *                       DISTINCT, fields (SELECT), and LIMITS clauses.
     3965 * @return array The unmodified clauses.
     3966 */
     3967function _filter_query_attachment_filenames( $clauses ) {
     3968    _deprecated_function( __FUNCTION__, '6.0.3', 'add_filter( "wp_allow_query_attachment_by_filename", "__return_true" )');
     3969    remove_filter( 'posts_clauses', __FUNCTION__ );
     3970    return $clauses;
     3971}
     3972
  • branches/5.0/src/wp-includes/functions.php

    r46492 r54571  
    657657 * Determines whether the publish date of the current post in the loop is different
    658658 * from the publish date of the previous post in the loop.
    659  * 
     659 *
    660660 * For more information on this and similar theme functions, check out
    661  * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/ 
     661 * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/
    662662 * Conditional Tags} article in the Theme Developer Handbook.
    663  * 
     663 *
    664664 * @since 0.71
    665665 *
     
    13521352 *
    13531353 * Checks for the 'siteurl' option for whether WordPress is installed.
    1354  * 
     1354 *
    13551355 * For more information on this and similar theme functions, check out
    1356  * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/ 
     1356 * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/
    13571357 * Conditional Tags} article in the Theme Developer Handbook.
    13581358 *
     
    24132413            if ( $type !== $real_mime ) {
    24142414                /*
    2415                  * Everything else including image/* and application/*: 
     2415                 * Everything else including image/* and application/*:
    24162416                 * If the real content type doesn't match the file extension, assume it's dangerous.
    24172417                 */
     
    24222422    }
    24232423
    2424     // The mime type must be allowed 
     2424    // The mime type must be allowed
    24252425    if ( $type ) {
    24262426        $allowed = get_allowed_mime_types();
     
    26962696        $html = __( 'The link you followed has expired.' );
    26972697        if ( wp_get_referer() ) {
    2698             $html .= '</p><p>';
    2699             $html .= sprintf( '<a href="%s">%s</a>',
    2700                 esc_url( remove_query_arg( 'updated', wp_get_referer() ) ),
     2698            $wp_http_referer = remove_query_arg( 'updated', wp_get_referer() );
     2699            $wp_http_referer = wp_validate_redirect( esc_url_raw( $wp_http_referer ) );
     2700            $html           .= '</p><p>';
     2701            $html           .= sprintf(
     2702                '<a href="%s">%s</a>',
     2703                esc_url( $wp_http_referer ),
    27012704                __( 'Please try again.' )
    27022705            );
  • branches/5.0/src/wp-includes/media-template.php

    r43829 r54571  
    12521252                <img id="preview-favicon" src="{{ data.url }}" alt="<?php esc_attr_e( 'Preview as a browser icon' ); ?>"/>
    12531253            </div>
    1254             <span class="browser-title" aria-hidden="true"><?php bloginfo( 'name' ); ?></span>
     1254            <span class="browser-title" aria-hidden="true"><?php echo esc_js( get_bloginfo( 'name' ) ); ?></span>
    12551255        </div>
    12561256
  • branches/5.0/src/wp-includes/pluggable.php

    r47964 r54571  
    313313    $phpmailer->clearCustomHeaders();
    314314    $phpmailer->clearReplyTos();
     315    $phpmailer->Body    = '';
     316    $phpmailer->AltBody = '';
    315317
    316318    // From email and name
  • branches/5.0/src/wp-includes/post.php

    r52473 r54571  
    10191019/**
    10201020 * Determines whether a post type is registered.
    1021  * 
     1021 *
    10221022 * For more information on this and similar theme functions, check out
    1023  * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/ 
     1023 * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/
    10241024 * Conditional Tags} article in the Theme Developer Handbook.
    10251025 *
     
    17791779    }
    17801780
    1781     return $post_type->publicly_queryable || ( $post_type->_builtin && $post_type->public );
     1781    if ( ! is_object( $post_type ) ) {
     1782        return false;
     1783    }
     1784
     1785    $is_viewable = $post_type->publicly_queryable || ( $post_type->_builtin && $post_type->public );
     1786
     1787    /**
     1788     * Filters whether a post type is considered "viewable".
     1789     *
     1790     * The returned filtered value must be a boolean type to ensure
     1791     * `is_post_type_viewable()` only returns a boolean. This strictness
     1792     * is by design to maintain backwards-compatibility and guard against
     1793     * potential type errors in PHP 8.1+. Non-boolean values (even falsey
     1794     * and truthy values) will result in the function returning false.
     1795     *
     1796     * @since 5.9.0
     1797     *
     1798     * @param bool         $is_viewable Whether the post type is "viewable" (strict type).
     1799     * @param WP_Post_Type $post_type   Post type object.
     1800     */
     1801    return true === apply_filters( 'is_post_type_viewable', $is_viewable, $post_type );
     1802}
     1803
     1804/**
     1805 * Determines whether a post status is considered "viewable".
     1806 *
     1807 * For built-in post statuses such as publish and private, the 'public' value will be evaluated.
     1808 * For all others, the 'publicly_queryable' value will be used.
     1809 *
     1810 * @since 5.7.0
     1811 * @since 5.9.0 Added `is_post_status_viewable` hook to filter the result.
     1812 *
     1813 * @param string|stdClass $post_status Post status name or object.
     1814 * @return bool Whether the post status should be considered viewable.
     1815 */
     1816function is_post_status_viewable( $post_status ) {
     1817    if ( is_scalar( $post_status ) ) {
     1818        $post_status = get_post_status_object( $post_status );
     1819
     1820        if ( ! $post_status ) {
     1821            return false;
     1822        }
     1823    }
     1824
     1825    if (
     1826        ! is_object( $post_status ) ||
     1827        $post_status->internal ||
     1828        $post_status->protected
     1829    ) {
     1830        return false;
     1831    }
     1832
     1833    $is_viewable = $post_status->publicly_queryable || ( $post_status->_builtin && $post_status->public );
     1834
     1835    /**
     1836     * Filters whether a post status is considered "viewable".
     1837     *
     1838     * The returned filtered value must be a boolean type to ensure
     1839     * `is_post_status_viewable()` only returns a boolean. This strictness
     1840     * is by design to maintain backwards-compatibility and guard against
     1841     * potential type errors in PHP 8.1+. Non-boolean values (even falsey
     1842     * and truthy values) will result in the function returning false.
     1843     *
     1844     * @since 5.9.0
     1845     *
     1846     * @param bool     $is_viewable Whether the post status is "viewable" (strict type).
     1847     * @param stdClass $post_status Post status object.
     1848     */
     1849    return true === apply_filters( 'is_post_status_viewable', $is_viewable, $post_status );
     1850}
     1851
     1852/**
     1853 * Determines whether a post is publicly viewable.
     1854 *
     1855 * Posts are considered publicly viewable if both the post status and post type
     1856 * are viewable.
     1857 *
     1858 * @since 5.7.0
     1859 *
     1860 * @param int|WP_Post|null $post Optional. Post ID or post object. Defaults to global $post.
     1861 * @return bool Whether the post is publicly viewable.
     1862 */
     1863function is_post_publicly_viewable( $post = null ) {
     1864    $post = get_post( $post );
     1865
     1866    if ( ! $post ) {
     1867        return false;
     1868    }
     1869
     1870    $post_type   = get_post_type( $post );
     1871    $post_status = get_post_status( $post );
     1872
     1873    return is_post_type_viewable( $post_type ) && is_post_status_viewable( $post_status );
    17821874}
    17831875
     
    20452137 * Sticky posts should remain at the top of The Loop. If the post ID is not
    20462138 * given, then The Loop ID for the current post will be used.
    2047  * 
     2139 *
    20482140 * For more information on this and similar theme functions, check out
    2049  * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/ 
     2141 * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/
    20502142 * Conditional Tags} article in the Theme Developer Handbook.
    2051  * 
     2143 *
    20522144 * @since 2.7.0
    20532145 *
     
    50275119/**
    50285120 * Determines whether an attachment URI is local and really an attachment.
    5029  * 
     5121 *
    50305122 * For more information on this and similar theme functions, check out
    5031  * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/ 
     5123 * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/
    50325124 * Conditional Tags} article in the Theme Developer Handbook.
    5033  * 
     5125 *
    50345126 * @since 2.0.0
    50355127 *
     
    55285620/**
    55295621 * Determines whether an attachment is an image.
    5530  * 
     5622 *
    55315623 * For more information on this and similar theme functions, check out
    5532  * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/ 
     5624 * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/
    55335625 * Conditional Tags} article in the Theme Developer Handbook.
    55345626 *
     
    65406632
    65416633/**
    6542  * Filter the SQL clauses of an attachment query to include filenames.
    6543  *
    6544  * @since 4.7.0
    6545  * @access private
    6546  *
    6547  * @global wpdb $wpdb WordPress database abstraction object.
    6548  *
    6549  * @param array $clauses An array including WHERE, GROUP BY, JOIN, ORDER BY,
    6550  *                       DISTINCT, fields (SELECT), and LIMITS clauses.
    6551  * @return array The modified clauses.
    6552  */
    6553 function _filter_query_attachment_filenames( $clauses ) {
    6554     global $wpdb;
    6555     remove_filter( 'posts_clauses', __FUNCTION__ );
    6556 
    6557     // Add a LEFT JOIN of the postmeta table so we don't trample existing JOINs.
    6558     $clauses['join'] .= " LEFT JOIN {$wpdb->postmeta} AS sq1 ON ( {$wpdb->posts}.ID = sq1.post_id AND sq1.meta_key = '_wp_attached_file' )";
    6559 
    6560     $clauses['groupby'] = "{$wpdb->posts}.ID";
    6561 
    6562     $clauses['where'] = preg_replace(
    6563         "/\({$wpdb->posts}.post_content (NOT LIKE|LIKE) (\'[^']+\')\)/",
    6564         "$0 OR ( sq1.meta_value $1 $2 )",
    6565         $clauses['where'] );
    6566 
    6567     return $clauses;
    6568 }
    6569 
    6570 /**
    65716634 * Sets the last changed time for the 'posts' cache group.
    65726635 *
  • branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

    r44206 r54571  
    4949        // Filter query clauses to include filenames.
    5050        if ( isset( $query_args['s'] ) ) {
    51             add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     51            add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    5252        }
    5353
  • branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php

    r43756 r54571  
    128128
    129129    /**
     130     * Checks if the terms for a post can be read.
     131     *
     132     * @since 6.0.3
     133     *
     134     * @param WP_Post         $post    Post object.
     135     * @param WP_REST_Request $request Full details about the request.
     136     * @return bool Whether the terms for the post can be read.
     137     */
     138    public function check_read_terms_permission_for_post( $post, $request ) {
     139        // If the requested post isn't associated with this taxonomy, deny access.
     140        if ( ! is_object_in_taxonomy( $post->post_type, $this->taxonomy ) ) {
     141            return false;
     142        }
     143
     144        // Grant access if the post is publicly viewable.
     145        if ( is_post_publicly_viewable( $post ) ) {
     146            return true;
     147        }
     148
     149        // Otherwise grant access if the post is readable by the logged in user.
     150        if ( current_user_can( 'read_post', $post->ID ) ) {
     151            return true;
     152        }
     153
     154        // Otherwise, deny access.
     155        return false;
     156    }
     157
     158    /**
    130159     * Checks if a request has access to read terms in the specified taxonomy.
    131160     *
     
    137166    public function get_items_permissions_check( $request ) {
    138167        $tax_obj = get_taxonomy( $this->taxonomy );
     168
    139169        if ( ! $tax_obj || ! $this->check_is_taxonomy_allowed( $this->taxonomy ) ) {
    140170            return false;
    141171        }
     172
    142173        if ( 'edit' === $request['context'] && ! current_user_can( $tax_obj->cap->edit_terms ) ) {
    143             return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ), array( 'status' => rest_authorization_required_code() ) );
    144         }
     174            return new WP_Error(
     175                'rest_forbidden_context',
     176                __( 'Sorry, you are not allowed to edit terms in this taxonomy.' ),
     177                array( 'status' => rest_authorization_required_code() )
     178            );
     179        }
     180
     181        if ( ! empty( $request['post'] ) ) {
     182            $post = get_post( $request['post'] );
     183
     184            if ( ! $post ) {
     185                return new WP_Error(
     186                    'rest_post_invalid_id',
     187                    __( 'Invalid post ID.' ),
     188                    array(
     189                        'status' => 400,
     190                    )
     191                );
     192            }
     193
     194            if ( ! $this->check_read_terms_permission_for_post( $post, $request ) ) {
     195                return new WP_Error(
     196                    'rest_forbidden_context',
     197                    __( 'Sorry, you are not allowed to view terms for this post.' ),
     198                    array(
     199                        'status' => rest_authorization_required_code(),
     200                    )
     201                );
     202            }
     203        }
     204
    145205        return true;
    146206    }
  • branches/5.0/src/wp-includes/widgets.php

    r43827 r54571  
    14091409    if ( is_wp_error($rss) ) {
    14101410        if ( is_admin() || current_user_can('manage_options') )
    1411             echo '<p><strong>' . __( 'RSS Error:' ) . '</strong> ' . $rss->get_error_message() . '</p>';
     1411            echo '<p><strong>' . __( 'RSS Error:' ) . '</strong> ' . esc_html( $rss->get_error_message() ) . '</p>';
    14121412        return;
    14131413    }
     
    15181518
    15191519    if ( ! empty( $args['error'] ) ) {
    1520         echo '<p class="widget-error"><strong>' . __( 'RSS Error:' ) . '</strong> ' . $args['error'] . '</p>';
     1520        echo '<p class="widget-error"><strong>' . __( 'RSS Error:' ) . '</strong> ' . esc_html( $args['error'] ) . '</p>';
    15211521    }
    15221522
  • branches/5.0/src/wp-mail.php

    r39772 r54571  
    6060    wp_die( __('There doesn&#8217;t seem to be any new mail.') );
    6161}
     62
     63// Always run as an unauthenticated user.
     64wp_set_current_user( 0 );
    6265
    6366for ( $i = 1; $i <= $count; $i++ ) {
     
    125128                $author = sanitize_email($author);
    126129                if ( is_email($author) ) {
    127                     /* translators: Post author email address */
    128                     echo '<p>' . sprintf(__('Author is %s'), $author) . '</p>';
    129130                    $userdata = get_user_by('email', $author);
    130131                    if ( ! empty( $userdata ) ) {
    131                         $post_author = $userdata->ID;
     132                        $post_author  = $userdata->ID;
    132133                        $author_found = true;
    133134                    }
  • branches/5.0/src/wp-trackback.php

    r41980 r54571  
    1313    wp( array( 'tb' => '1' ) );
    1414}
     15
     16// Always run as an unauthenticated user.
     17wp_set_current_user( 0 );
    1518
    1619/**
  • branches/5.0/tests/phpunit/tests/query/search.php

    r38844 r54571  
    371371
    372372        add_post_meta( $attachment, '_wp_attached_file', 'some-image1.png', true );
    373         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     373        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    374374
    375375        // Pass post_type a string value.
     
    397397
    398398        add_post_meta( $attachment, '_wp_attached_file', 'some-image2.png', true );
    399         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     399        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    400400
    401401        // Pass post_type an array value.
     
    448448        add_post_meta( $attachment, '_wp_attached_file', 'some-image4.png', true );
    449449        add_post_meta( $attachment, '_test_meta_key', 'value', true );
    450         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     450        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    451451
    452452        // Pass post_type a string value.
     
    484484
    485485        add_post_meta( $attachment, '_wp_attached_file', 'some-image5.png', true );
    486         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
     486        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
    487487
    488488        // Pass post_type a string value.
     
    507507     * @ticket 22744
    508508     */
    509     public function test_filter_query_attachment_filenames_unhooks_itself() {
    510         add_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
    511 
    512         apply_filters( 'posts_clauses', array(
    513             'where'    => '',
    514             'groupby'  => '',
    515             'join'     => '',
    516             'orderby'  => '',
    517             'distinct' => '',
    518             'fields'   => '',
    519             'limit'    => '',
    520         ) );
    521 
    522         $result = has_filter( 'posts_clauses', '_filter_query_attachment_filenames' );
    523 
    524         $this->assertFalse( $result );
     509    public function test_wp_query_removes_filter_wp_allow_query_attachment_by_filename() {
     510        $attachment = self::factory()->post->create(
     511            array(
     512                'post_type'    => 'attachment',
     513                'post_status'  => 'publish',
     514                'post_title'   => 'bar foo',
     515                'post_content' => 'foo bar',
     516                'post_excerpt' => 'This post has foo',
     517            )
     518        );
     519
     520        add_post_meta( $attachment, '_wp_attached_file', 'some-image1.png', true );
     521        add_filter( 'wp_allow_query_attachment_by_filename', '__return_true' );
     522
     523        $q = new WP_Query(
     524            array(
     525                's'           => 'image1',
     526                'fields'      => 'ids',
     527                'post_type'   => 'attachment',
     528                'post_status' => 'inherit',
     529            )
     530        );
     531
     532        $this->assertSame( array( $attachment ), $q->posts );
     533
     534        /*
     535         * WP_Query should have removed the wp_allow_query_attachment_by_filename filter
     536         * and thus not match the attachment created above
     537         */
     538        $q->get_posts();
     539        $this->assertEmpty( $q->posts );
    525540    }
    526541
  • branches/5.0/tests/phpunit/tests/rest-api/rest-comments-controller.php

    r43445 r54571  
    26052605                'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
    26062606                'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
     2607                'author'            => self::$editor_id,
    26072608            ), array(
    26082609                'content' => array(
     
    26122613                'author_name'       => 'div strong',
    26132614                'author_user_agent' => 'div strong',
     2615                'author'            => self::$editor_id,
    26142616            ) );
    26152617        } else {
     
    26192621                'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
    26202622                'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
     2623                'author'            => self::$editor_id,
    26212624            ), array(
    26222625                'content' => array(
     
    26262629                'author_name'       => 'div strong',
    26272630                'author_user_agent' => 'div strong',
     2631                'author'            => self::$editor_id,
    26282632            ) );
    26292633        }
     
    26372641            'author_name'       => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
    26382642            'author_user_agent' => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
     2643            'author'            => self::$superadmin_id,
    26392644        ), array(
    26402645            'content' => array(
     
    26442649            'author_name'       => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
    26452650            'author_user_agent' => '\\\&\\\ &amp; &invalid; &lt; &lt; &amp;lt;',
     2651            'author'            => self::$superadmin_id,
    26462652        ) );
    26472653    }
     
    26542660            'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
    26552661            'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
     2662            'author'            => self::$superadmin_id,
    26562663        ), array(
    26572664            'content' => array(
     
    26612668            'author_name'       => 'div strong',
    26622669            'author_user_agent' => 'div strong',
     2670            'author'            => self::$superadmin_id,
    26632671        ) );
    26642672    }
Note: See TracChangeset for help on using the changeset viewer.