Changeset 55771
- Timestamp:
- 05/16/2023 03:13:50 PM (16 months ago)
- Location:
- branches/6.1
- Files:
-
- 1 added
- 11 edited
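--- a/branches/6.1/src/js/_enqueues/wp/embed.js
+++ b/branches/6.1/src/js/_enqueues/wp/embed.js
@@ -50,4 +50,5 @@
 		var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
 			blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+			allowedProtocols = new RegExp( '^https?:$', 'i' ),
 			i, source, height, sourceURL, targetURL;
 
@@ -84,4 +85,9 @@
 			sourceURL.href = source.getAttribute( 'src' );
 			targetURL.href = data.value;
+
+			/* Only follow link if the protocol is in the allow list. */
+			if ( ! allowedProtocols.test( targetURL.protocol ) ) {
+				continue;
+			}
 
 			/* Only continue if link hostname matches iframe's hostname. */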
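Review bot: The comment on new line 88 says "allow list" but never says which schemes the check is there to exclude, and the `new RegExp( '^https?:$', 'i' )` on line 52 is a constant that reads better as a literal. I would write `allowedProtocols = /^https?:$/i,` on line 52 and replace the comment with `/* Reject non-http(s) schemes (javascript:, data:, ...) before the hostname comparison below, which on its own may not exclude them. */`. Presumably `targetURL` is an anchor element created before this hunk, in which case `.protocol` is already lowercased with a trailing colon and the `i` flag is redundant but harmless. The enclosing message handler starts before this hunk, so I cannot see where `targetURL` and `data` come from.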
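--- a/branches/6.1/src/js/media/views/frame/video-details.js
+++ b/branches/6.1/src/js/media/views/frame/video-details.js
@@ -107,4 +107,5 @@
 			wp.ajax.send( 'set-attachment-thumbnail', {
 				data : {
+					_ajax_nonce: wp.media.view.settings.nonce.setAttachmentThumbnail,
 					urls: urls,
 					thumbnail_id: attachment.get( 'id' )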
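Review bot: The nonce added on line 109 is read from `wp.media.view.settings.nonce.setAttachmentThumbnail` with no guard, so on a page whose media settings were localized without that key (a cached older `media.php` output, or a plugin that replaces the settings object) the request is sent with an undefined `_ajax_nonce` and the server side of this changeset now answers with a JSON error. The `wp.ajax.send(...)` call begins on 107 and its `.done`/`.fail` handling lies outside the hunk; confirm that the error path surfaces the failure to the user instead of silently leaving the thumbnail unchanged. `wp.ajax.send` is a project helper, so how it serializes an undefined field is not visible here.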
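--- a/branches/6.1/src/wp-admin/about.php
+++ b/branches/6.1/src/wp-admin/about.php
@@ -46,4 +46,24 @@
 			<div class="column">
 				<h2><?php _e( 'Maintenance and Security Releases' ); ?></h2>
+				<p>
+					<?php
+					printf(
+						__( '<strong>Version %s</strong> addressed some security issues.' ),
+						'6.1.2'
+					);
+					?>
+					<?php
+					printf(
+						/* translators: %s: HelpHub URL. */
+						__( 'For more information, see <a href="%s">the release notes</a>.' ),
+						sprintf(
+							/* translators: %s: WordPress version. */
+							esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+							sanitize_title( '6.1.2' )
+						)
+					);
+					?>
+				</p>
+
 				<p>
 					<?php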
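--- a/branches/6.1/src/wp-admin/includes/ajax-actions.php
+++ b/branches/6.1/src/wp-admin/includes/ajax-actions.php
@@ -2772,4 +2772,8 @@
 	}
 
+	if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
+		wp_send_json_error();
+	}
+
 	$post_ids = array();
 	// For each URL, try to find its corresponding post ID.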
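Review bot: The referer check added on 2774 sits after a closing brace on 2772, so whatever the handler does above this hunk already ran before the nonce was verified; for a CSRF guard the check should be the first statement of the handler so that no input or capability processing happens for an unauthenticated request. `wp_send_json_error()` is also called with no status code, so a missing or stale nonce returns HTTP 200 with `success: false`; `wp_send_json_error( null, 403 );` would let the client and any proxy or WAF distinguish it, provided the JavaScript caller updated in this changeset does not depend on a 200 response. The function's docblock, outside the hunk, should gain a line stating that a `set-attachment-thumbnail` nonce in `_ajax_nonce` is now required.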
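--- a/branches/6.1/src/wp-includes/block-template.php
+++ b/branches/6.1/src/wp-includes/block-template.php
@@ -241,7 +241,5 @@
 	$content = wptexturize( $content );
 	$content = convert_smilies( $content );
-	$content = shortcode_unautop( $content );
 	$content = wp_filter_content_tags( $content );
-	$content = do_shortcode( $content );
 	$content = str_replace( ']]>', ']]>', $content );
 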
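--- a/branches/6.1/src/wp-includes/blocks.php
+++ b/branches/6.1/src/wp-includes/blocks.php
@@ -795,4 +795,8 @@
 	$result = '';
 
+	if ( false !== strpos( $text, '<!--' ) && false !== strpos( $text, '--->' ) ) {
+		$text = preg_replace_callback( '%<!--(.*?)--->%', '_filter_block_content_callback', $text );
+	}
+
 	$blocks = parse_blocks( $text );
 	foreach ( $blocks as $block ) {
@@ -802,4 +806,17 @@
 
 	return $result;
+}
+
+/**
+ * Callback used for regular expression replacement in filter_block_content().
+ *
+ * @private
+ * @since 6.2.1
+ *
+ * @param array $matches Array of preg_replace_callback matches.
+ * @return string Replacement string.
+ */
+function _filter_block_content_callback( $matches ) {
+	return '<!--' . rtrim( $matches[1], '-' ) . '-->';
 }
 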
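Review bot: The pattern `'%<!--(.*?)--->%'` on line 798 has no `s` modifier, so `.` stops at a newline and a comment such as `<!-- x\ny --->` is left untouched even though the `strpos()` pre-check on 797 selected the text for rewriting; if every `--->` closer is meant to be normalised before `parse_blocks()` sees the text, the pattern should be `'%<!--(.*?)--->%s'`. The callback on 819-820 strips every trailing dash of the capture, so `<!-- a ---->` becomes `<!-- a -->`, which is consistent with that reading but deserves a why-comment on 797, e.g. `// Collapse "--->" style closers so the block parser and an HTML parser presumably agree on where the comment ends.`. `@private` on 813 is not a standard PHPDoc tag; this file's other helpers likely use `@access private`, which tooling recognises. `filter_block_content()` begins before this hunk, so I cannot see how `$text` is documented.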
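--- a/branches/6.1/src/wp-includes/formatting.php
+++ b/branches/6.1/src/wp-includes/formatting.php
@@ -2434,4 +2434,27 @@
 
 /**
+ * Strips out all characters not allowed in a locale name.
+ *
+ * @since 6.2.1
+ *
+ * @param string $locale_name The locale name to be sanitized.
+ * @return string The sanitized value.
+ */
+function sanitize_locale_name( $locale_name ) {
+	// Limit to A-Z, a-z, 0-9, '_', '-'.
+	$sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $locale_name );
+
+	/**
+	 * Filters a sanitized locale name string.
+	 *
+	 * @since 6.2.1
+	 *
+	 * @param string $sanitized   The sanitized locale name.
+	 * @param string $locale_name The locale name before sanitization.
+	 */
+	return apply_filters( 'sanitize_locale_name', $sanitized, $locale_name );
+}
+
+/**
  * Converts lone & characters into `&` (a.k.a. `&`)
  *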
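Review bot: `sanitize_locale_name()` on 2443 returns the result of `apply_filters( 'sanitize_locale_name', ... )` on 2455, so a hooked callback can reintroduce exactly the characters the regex on 2445 removed (or return a non-string), and callers that use the value as a file-system path component or as a lookup key cannot rely on the `[A-Za-z0-9_-]` guarantee the name suggests. Either re-apply the character filter after the hook, or say so in the docblock: ` * Note: the 'sanitize_locale_name' filter may return characters outside this set; callers must not treat the result as path-safe.`. `preg_replace()` also returns an array when given an array, so the `@return string` contract on 2441 only holds for string input; `if ( ! is_string( $locale_name ) ) { return ''; }` as the first statement would pin it. There is no length cap; a bound would matter only if the value is stored in a cookie or option, which I cannot see from here.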
branches/6.1/src/wp-includes/l10n.php
r54682 r55771 150 150 151 151 if ( ! empty( $_GET['wp_lang'] ) ) { 152 $wp_lang = sanitize_ text_field( $_GET['wp_lang']);152 $wp_lang = sanitize_locale_name( wp_unslash( $_GET['wp_lang'] ) ); 153 153 } elseif ( ! empty( $_COOKIE['wp_lang'] ) ) { 154 $wp_lang = sanitize_ text_field( $_COOKIE['wp_lang']);154 $wp_lang = sanitize_locale_name( wp_unslash( $_COOKIE['wp_lang'] ) ); 155 155 } 156 156 -
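Review bot: `! empty( $_GET['wp_lang'] )` on 151 also passes for an array (`?wp_lang[]=x`), and on the new 152 and 154 the value flows through `wp_unslash()` and then the `preg_replace()` inside `sanitize_locale_name()`, which returns an array for array input, so `$wp_lang` can end up as an array wherever it is consumed after this hunk. Guard the type at the source: `if ( ! empty( $_GET['wp_lang'] ) && is_string( $_GET['wp_lang'] ) ) {` and the same `is_string()` test on the cookie branch on 153. Whether the previous `sanitize_text_field()` call handled arrays differently, and whether `wp_unslash()` passes arrays through, is not visible from this hunk, so treat the regression as likely rather than confirmed.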
branches/6.1/src/wp-includes/media.php
r54807 r55771 4517 4517 'captions' => ! apply_filters( 'disable_captions', '' ), 4518 4518 'nonce' => array( 4519 'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ), 4519 'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ), 4520 'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ), 4520 4521 ), 4521 4522 'post' => array( -
branches/6.1/src/wp-includes/version.php
r54847 r55771 17 17 * @global string $wp_version 18 18 */ 19 $wp_version = '6.1.2- alpha-54847-src';19 $wp_version = '6.1.2-src'; 20 20 21 21 /** -
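--- a/branches/6.1/tests/phpunit/tests/ajax/Attachments.php
+++ b/branches/6.1/tests/phpunit/tests/ajax/Attachments.php
@@ -104,3 +104,94 @@
 		$this->assertSame( $expected, $response['data'] );
 	}
+
+	public function test_wp_ajax_set_attachment_thumbnail_success() {
+		// Become an administrator.
+		$post    = $_POST;
+		$user_id = self::factory()->user->create(
+			array(
+				'role'       => 'administrator',
+				'user_login' => 'user_36578_administrator',
+				'user_email' => 'user_36578_administrator@example.com',
+			)
+		);
+		wp_set_current_user( $user_id );
+		$_POST = array_merge( $_POST, $post );
+
+		// Upload the attachment itself.
+		$filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
+		$contents = file_get_contents( $filename );
+
+		$upload     = wp_upload_bits( wp_basename( $filename ), null, $contents );
+		$attachment = $this->_make_attachment( $upload );
+
+		// Upload the thumbnail.
+		$filename = DIR_TESTDATA . '/images/waffles.jpg';
+		$contents = file_get_contents( $filename );
+
+		$upload    = wp_upload_bits( wp_basename( $filename ), null, $contents );
+		$thumbnail = $this->_make_attachment( $upload );
+
+		// Set up a default request.
+		$_POST['_ajax_nonce']  = wp_create_nonce( 'set-attachment-thumbnail' );
+		$_POST['thumbnail_id'] = $thumbnail;
+		$_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
+
+		// Make the request.
+		try {
+			$this->_handleAjax( 'set-attachment-thumbnail' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		// Get the response.
+		$response = json_decode( $this->_last_response, true );
+
+		// Ensure everything is correct.
+		$this->assertTrue( $response['success'] );
+	}
+
+	public function test_wp_ajax_set_attachment_thumbnail_missing_nonce() {
+		// Become an administrator.
+		$post    = $_POST;
+		$user_id = self::factory()->user->create(
+			array(
+				'role'       => 'administrator',
+				'user_login' => 'user_36578_administrator',
+				'user_email' => 'user_36578_administrator@example.com',
+			)
+		);
+		wp_set_current_user( $user_id );
+		$_POST = array_merge( $_POST, $post );
+
+		// Upload the attachment itself.
+		$filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
+		$contents = file_get_contents( $filename );
+
+		$upload     = wp_upload_bits( wp_basename( $filename ), null, $contents );
+		$attachment = $this->_make_attachment( $upload );
+
+		// Upload the thumbnail.
+		$filename = DIR_TESTDATA . '/images/waffles.jpg';
+		$contents = file_get_contents( $filename );
+
+		$upload    = wp_upload_bits( wp_basename( $filename ), null, $contents );
+		$thumbnail = $this->_make_attachment( $upload );
+
+		// Set up a default request.
+		$_POST['thumbnail_id'] = $thumbnail;
+		$_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
+
+		// Make the request.
+		try {
+			$this->_handleAjax( 'set-attachment-thumbnail' );
+		} catch ( WPAjaxDieContinueException $e ) {
+			unset( $e );
+		}
+
+		// Get the response.
+		$response = json_decode( $this->_last_response, true );
+
+		// Check that success is false without sending nonce.
+		$this->assertFalse( $response['success'] );
+	}
 }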
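Review bot: `test_wp_ajax_set_attachment_thumbnail_missing_nonce` (new 153-196) only covers an absent `_ajax_nonce`; the guard this changeset adds also rejects a present-but-invalid value, which is the case a forged request actually produces, so a third test should set `$_POST['_ajax_nonce'] = 'not-a-valid-nonce';` and assert `success` is false. The two tests also repeat about thirty identical setup lines (108-137 and 154-182); extracting them into a private helper leaves only the nonce handling visible as the difference. `$post = $_POST;` followed by `$_POST = array_merge( $_POST, $post );` on 109/118 and 155/164 changes nothing, since `$_POST` is not touched in between, and the `unset( $e )` in the catch blocks is likewise unnecessary.

```php
private function set_up_thumbnail_request() {
	// … unchanged: administrator creation, the two wp_upload_bits()/_make_attachment() calls …
	$_POST['thumbnail_id'] = $thumbnail;
	$_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
}

public function test_wp_ajax_set_attachment_thumbnail_invalid_nonce() {
	$this->set_up_thumbnail_request();
	$_POST['_ajax_nonce'] = 'not-a-valid-nonce';

	try {
		$this->_handleAjax( 'set-attachment-thumbnail' );
	} catch ( WPAjaxDieContinueException $e ) {
		// Expected: the handler dies after sending its JSON response.
	}

	$response = json_decode( $this->_last_response, true );
	$this->assertFalse( $response['success'] );
}
```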