Make WordPress Core


Timestamp:
03/12/2026 01:58:20 AM (2 months ago)
Author:
peterwilsoncc
Message:

Grouped backports for the 5.9 branch.

  • XML-RPC: Switch to wp_safe_remote() when fetching a pingback URL.
  • HTML API: Prevent WP_HTML_Tag_Processor instances being unserialized and add some extra logic for validating pattern and template file paths.
  • KSES: Optimize PCRE pattern detecting numeric character references.
  • Customize: Improve escaping approach used for nav menu attributes.
  • Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
  • Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
  • Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.

Merges [61879-61885,61887,61890,61913] to the 5.9 branch.

Props johnbillion, xknown, dmsnell, jorbin, peterwilson, desrosj, westonruter, jonsurrell, aurdasjb.

Location:
branches/5.9
Files:
2 edited

  • branches/5.9

  • branches/5.9/src/wp-includes/kses.php

    r54764 r61951  
    18861886        $string = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string );
    18871887    }
    1888     $string = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string );
    1889     $string = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string );
     1888    $string = preg_replace_callback( '/&#(0*[1-9][0-9]{0,6});/', 'wp_kses_normalize_entities2', $string );
     1889    $string = preg_replace_callback( '/&#[Xx](0*[1-9A-Fa-f][0-9A-Fa-f]{0,5});/', 'wp_kses_normalize_entities3', $string );
    18901890
    18911891    return $string;
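Review bot: On new lines 1888 and 1889 the first significant digit must now be `[1-9]` or `[1-9A-Fa-f]`, so a reference whose digits are all zero (`&#0;`, `&#000;`, `&#x0;`) no longer matches either pattern and never reaches `wp_kses_normalize_entities2` or `wp_kses_normalize_entities3`. The removed patterns did match those inputs and passed them to the callbacks. Please confirm that the code ahead of this hunk leaves such references escaped when no callback runs, and add test cases for the all-zero decimal and hex forms so the behaviour is pinned. The maximum number of significant digits is unchanged (one mandatory digit plus `{0,6}` or `{0,5}`), which looks intentional. A short comment above the two calls would help: state that the non-zero leading digit keeps `0*` from overlapping with the digit class that follows, so a later cleanup does not restore the `0*[0-9]{1,7}` form.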