Changeset 61955 for branches/5.5/src/wp-includes/media.php

Timestamp:

03/12/2026 02:15:58 AM (3 months ago)

Author:

peterwilsoncc

Message:

Grouped backports for the 5.5 branch.

• XML-RPC: Switch to wp_safe_remote() when fetching a pingback URL.
• HTML API: Prevent WP_HTML_Tag_Processor instances being unserialized and add some extra logic for validating pattern and template file paths.
• KSES: Optimize PCRE pattern detecting numeric character references.
• Customize: Improve escaping approach used for nav menu attributes.
• Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
• Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
• Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.

Merges [61879-61885,61887,61890,61913] to the 5.5 branch.

Props johnbillion, xknown, dmsnell, jorbin, peterwilson, desrosj, westonruter, jonsurrell, aurdasjb.

Location:

branches/5.5

Files:

• . (modified) (1 prop)
• src/wp-includes/media.php (modified) (2 diffs)

branches/5.5/src/wp-includes/media.php

@@ -3813 +3813 @@
     }
 
-    if ( $post_parent ) {
+    if ( $post_parent && current_user_can( 'read_post', $attachment->post_parent ) ) {
         $parent_type = get_post_type_object( $post_parent->post_type );
 
@@ -3820 +3820 @@
         }
 
-        if ( $parent_type && current_user_can( 'read_post', $attachment->post_parent ) ) {
+        if ( $parent_type ) {
             $response['uploadedToTitle'] = $post_parent->post_title ? $post_parent->post_title : __( '(no title)' );
         }