Changes from tags/4.0 at r58128 to tags/4.0.1 at r58128

Location:

tags/4.0.1

Files:

• package.json (modified) (1 diff)
• src/readme.html (modified) (1 diff)
• src/wp-admin/about.php (modified) (1 diff)
• src/wp-admin/includes/class-wp-plugin-install-list-table.php (modified) (1 diff)
• src/wp-admin/includes/image.php (modified) (1 diff)
• src/wp-admin/includes/plugin-install.php (modified) (1 diff)
• src/wp-admin/includes/post.php (modified) (1 diff)
• src/wp-admin/js/editor-expand.js (modified) (7 diffs)
• src/wp-admin/js/media.js (modified) (1 diff)
• src/wp-admin/plugin-install.php (modified) (1 diff)
• src/wp-admin/press-this.php (modified) (1 diff)
• src/wp-admin/upload.php (modified) (1 diff)
• src/wp-includes/canonical.php (modified) (3 diffs)
• src/wp-includes/class-phpass.php (modified) (2 diffs)
• src/wp-includes/css/media-views.css (modified) (2 diffs)
• src/wp-includes/formatting.php (modified) (4 diffs)
• src/wp-includes/http.php (modified) (3 diffs)
• src/wp-includes/js/media-grid.js (modified) (1 diff)
• src/wp-includes/js/media-views.js (modified) (2 diffs)
• src/wp-includes/js/mediaelement/flashmediaelement.swf (modified) (previous)
• src/wp-includes/js/mediaelement/mediaelement-and-player.min.js (modified) (3 diffs)
• src/wp-includes/js/quicktags.js (modified) (2 diffs)
• src/wp-includes/js/tinymce/plugins/wpeditimage/plugin.js (modified) (6 diffs)
• src/wp-includes/js/tinymce/plugins/wpview/plugin.js (modified) (4 diffs)
• src/wp-includes/kses.php (modified) (1 diff)
• src/wp-includes/link-template.php (modified) (2 diffs)
• src/wp-includes/media-template.php (modified) (4 diffs)
• src/wp-includes/media.php (modified) (4 diffs)
• src/wp-includes/ms-functions.php (modified) (1 diff)
• src/wp-includes/pluggable.php (modified) (3 diffs)
• src/wp-includes/post.php (modified) (1 diff)
• src/wp-includes/session.php (modified) (1 diff)
• src/wp-includes/user.php (modified) (1 diff)
• src/wp-includes/version.php (modified) (1 diff)
• src/wp-login.php (modified) (2 diffs)
• tests/phpunit/tests/auth.php (modified) (2 diffs)
• tests/phpunit/tests/formatting/WPTexturize.php (modified) (6 diffs)
• tests/phpunit/tests/link (added)
• tests/phpunit/tests/link.php (modified) (1 diff)
• tests/phpunit/tests/link/getAdjacentPostLink.php (added)
• tests/phpunit/tests/post/attachments.php (modified) (1 diff)
• tests/phpunit/tests/query/results.php (modified) (1 diff)
• tests/phpunit/tests/user.php (modified) (1 diff)
• tests/phpunit/tests/xmlrpc/wp/uploadFile.php (modified) (1 diff)

tags/4.0.1/package.json

@@ -1 +1 @@
 {
   "name": "WordPress",
-  "version": "4.0.0",
+  "version": "4.0.1",
   "description": "WordPress is web software you can use to create a beautiful website or blog.",
   "repository": {

tags/4.0.1/src/readme.html

@@ -10 +10 @@
 <h1 id="logo">
     <a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
-    <br /> Version 4.0
+    <br /> Version 4.0.1
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>

tags/4.0.1/src/wp-admin/about.php

@@ -41 +41 @@
     </a>
 </h2>
+
+<div class="changelog point-releases">
+    <h3><?php echo _n( 'Maintenance and Security Release', 'Maintenance and Security Releases', 1 ); ?></h3>
+    <p><?php printf( _n( '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bug.',
+         '<strong>Version %1$s</strong> addressed some security issues and fixed %2$s bugs.', 23 ), '4.0.1', number_format_i18n( 23 ) ); ?>
+        <?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'http://codex.wordpress.org/Version_4.0.1' ); ?>
+    </p>
+</div>
 
 <div class="changelog">

tags/4.0.1/src/wp-admin/includes/class-wp-plugin-install-list-table.php

@@ -274 +274 @@
         }
 
-        if ( 'top' ==  $which ) { ?>
+        if ( 'top' ==  $which ) {
+            wp_referer_field();
+        ?>
             <div class="tablenav top">
                 <div class="alignleft actions">

tags/4.0.1/src/wp-admin/includes/image.php

@@ -402 +402 @@
     }
 
+    foreach ( $meta as &$value ) {
+        if ( is_string( $value ) ) {
+            $value = wp_kses_post( $value );
+        }
+    }
+
     /**
      * Filter the array of meta data read from an image's exif data.

tags/4.0.1/src/wp-admin/includes/plugin-install.php

@@ -236 +236 @@
     global $wp_list_table;
 
-    if ( current_filter() == 'install_plugins_favorites' && empty( $_GET['user'] ) && ! get_user_option( 'wporg_favorites' ) )
-            return;
-
-    $wp_list_table->display();
+    if ( current_filter() == 'install_plugins_favorites' && empty( $_GET['user'] ) && ! get_user_option( 'wporg_favorites' ) ) {
+        return;
+    }
+
+    ?>
+    <form id="plugin-filter" action="" method="post">
+        <?php $wp_list_table->display(); ?>
+    </form>
+    <?php
 }
 add_action( 'install_plugins_search',    'display_plugins_table' );

tags/4.0.1/src/wp-admin/includes/post.php

@@ -1206 +1206 @@
         }
     } else {
-        if ( function_exists( 'mb_strlen' ) && mb_strlen( $post_name ) > 30 ) {
-            $post_name_abridged = mb_substr( $post_name, 0, 14 ) . '…' . mb_substr( $post_name, -14 );
-        } elseif ( strlen( $post_name ) > 30 ) {
-            $post_name_abridged = substr( $post_name, 0, 14 ) . '…' . substr( $post_name, -14 );
+        if ( function_exists( 'mb_strlen' ) ) {
+            if ( mb_strlen( $post_name ) > 30 ) {
+                $post_name_abridged = mb_substr( $post_name, 0, 14 ) . '…' . mb_substr( $post_name, -14 );
+            } else {
+                $post_name_abridged = $post_name;
+            }
         } else {
-            $post_name_abridged = $post_name;
+            if ( strlen( $post_name ) > 30 ) {
+                $post_name_abridged = substr( $post_name, 0, 14 ) . '…' . substr( $post_name, -14 );
+            } else {
+                $post_name_abridged = $post_name;
+            }
         }
 

tags/4.0.1/src/wp-admin/js/editor-expand.js

@@ -3 +3 @@
 window.wp = window.wp || {};
 
-jQuery( document ).ready( function($) {
+jQuery( document ).ready( function( $ ) {
     var $window = $( window ),
         $document = $( document ),
@@ -149 +149 @@
     // We need to wait for TinyMCE to initialize.
     $document.on( 'tinymce-editor-init.editor-expand', function( event, editor ) {
+        var hideFloatPanels = _.debounce( function() {
+            ! $( '.mce-floatpanel:hover' ).length && tinymce.ui.FloatPanel.hideAll();
+            $( '.mce-tooltip' ).hide();
+        }, 1000, true );
+
         // Make sure it's the main editor.
         if ( editor.id !== 'content' ) {
@@ -225 +230 @@
         // Adjust when switching editor modes.
         function mceShow() {
+            $window.on( 'scroll.mce-float-panels', hideFloatPanels );
+
             setTimeout( function() {
                 editor.execCommand( 'wpAutoResize' );
@@ -232 +239 @@
 
         function mceHide() {
+            $window.off( 'scroll.mce-float-panels' );
+
             setTimeout( function() {
                 var top = $contentWrap.offset().top;
@@ -252 +261 @@
             // Adjust when the editor resizes.
             editor.on( 'setcontent wp-autoresize wp-toolbar-toggle', adjust );
+
+            $window.off( 'scroll.mce-float-panels' ).on( 'scroll.mce-float-panels', hideFloatPanels );
         };
 
@@ -259 +270 @@
             editor.off( 'hide', mceHide );
             editor.off( 'setcontent wp-autoresize wp-toolbar-toggle', adjust );
+
+            $window.off( 'scroll.mce-float-panels' );
         };
 
@@ -591 +604 @@
 
                 adjust();
+            }).on( 'wp-window-resized.editor-expand', function() {
+                if ( mceEditor && ! mceEditor.isHidden() ) {
+                    mceEditor.execCommand( 'wpAutoResize' );
+                } else {
+                    textEditorResize();
+                }
             });
 

tags/4.0.1/src/wp-admin/js/media.js

@@ -73 +73 @@
 
     $( document ).ready( function() {
+        var $mediaGridWrap = $( '#wp-media-grid' );
+
         // Open up a manage media frame into the grid.
-        wp.media && wp.media({
-            frame: 'manage',
-            container: $('#wpbody-content > .wrap')
-        }).open();
+        if ( $mediaGridWrap.length && window.wp && window.wp.media ) {
+            window.wp.media({
+                frame: 'manage',
+                container: $mediaGridWrap
+            }).open();
+        }
 
         $( '#find-posts-submit' ).click( function( event ) {

tags/4.0.1/src/wp-admin/plugin-install.php

@@ -25 +25 @@
 $wp_list_table = _get_list_table('WP_Plugin_Install_List_Table');
 $pagenum = $wp_list_table->get_pagenum();
+
+if ( ! empty( $_REQUEST['_wp_http_referer'] ) ) {
+    $location = remove_query_arg( '_wp_http_referer', wp_unslash( $_SERVER['REQUEST_URI'] ) );
+
+    if ( ! empty( $_REQUEST['paged'] ) ) {
+        $location = add_query_arg( 'paged', (int) $_REQUEST['paged'], $location );
+    }
+
+    wp_redirect( $location );
+    exit;
+}
+
 $wp_list_table->prepare_items();
+
+$total_pages = $wp_list_table->get_pagination_arg( 'total_pages' );
+
+if ( $pagenum > $total_pages && $total_pages > 0 ) {
+    wp_redirect( add_query_arg( 'paged', $total_pages ) );
+    exit;
+}
 
 $title = __( 'Add Plugins' );

tags/4.0.1/src/wp-admin/press-this.php

@@ -64 +64 @@
     if ( is_wp_error($upload) ) {
         wp_delete_post($post_ID);
-        wp_die($upload);
+        wp_die( esc_html( $upload->get_error_message() ) );
     } else {
         // Post formats.

tags/4.0.1/src/wp-admin/upload.php

@@ -58 +58 @@
     require_once( ABSPATH . 'wp-admin/admin-header.php' );
     ?>
-    <div class="wrap">
+    <div class="wrap" id="wp-media-grid">
         <h2>
         <?php

tags/4.0.1/src/wp-includes/canonical.php

@@ -361 +361 @@
         unset($redirect['port']);
 
-    if ( ! empty( $user_home['scheme'] ) && $user_home['scheme'] === 'https' ) {
-        $redirect['scheme'] = 'https';
-    }
-
     // trailing /index.php
     $redirect['path'] = preg_replace('|/' . preg_quote( $wp_rewrite->index, '|' ) . '/*?$|', '/', $redirect['path']);
@@ -422 +418 @@
         $redirect['host'] = $original['host'];
 
-    $compare_original = array( $original['scheme'], $original['host'], $original['path'] );
+    $compare_original = array( $original['host'], $original['path'] );
 
     if ( !empty( $original['port'] ) )
@@ -430 +426 @@
         $compare_original[] = $original['query'];
 
-    $compare_redirect = array( $redirect['scheme'], $redirect['host'], $redirect['path'] );
+    $compare_redirect = array( $redirect['host'], $redirect['path'] );
 
     if ( !empty( $redirect['port'] ) )

tags/4.0.1/src/wp-includes/class-phpass.php

@@ -215 +215 @@
     function HashPassword($password)
     {
+        if ( strlen( $password ) > 4096 ) {
+            return '*';
+        }
+
         $random = '';
 
@@ -250 +254 @@
     function CheckPassword($password, $stored_hash)
     {
+        if ( strlen( $password ) > 4096 ) {
+            return false;
+        }
+
         $hash = $this->crypt_private($password, $stored_hash);
         if ($hash[0] == '*')

tags/4.0.1/src/wp-includes/css/media-views.css

@@ -6 +6 @@
     -moz-box-sizing: content-box;
     box-sizing: content-box;
+}
+
+.media-frame input,
+.media-frame select,
+.media-frame textarea {
+    -webkit-box-sizing: border-box;
+    -moz-box-sizing: border-box;
+    box-sizing: border-box;
 }
 
@@ -57 +65 @@
     font-family: "Open Sans", sans-serif;
     font-size: 12px;
-    -webkit-box-sizing: border-box;
-    -moz-box-sizing: border-box;
-    box-sizing: border-box;
     border-width: 1px;
     border-style: solid;

tags/4.0.1/src/wp-includes/formatting.php

@@ -29 +29 @@
  */
 function wptexturize($text, $reset = false) {
-    global $wp_cockneyreplace;
+    global $wp_cockneyreplace, $shortcode_tags;
     static $static_characters, $static_replacements, $dynamic_characters, $dynamic_replacements,
         $default_no_texturize_tags, $default_no_texturize_shortcodes, $run_texturize = true;
@@ -206 +206 @@
     // Look for shortcodes and HTML elements.
 
+    $tagnames = array_keys( $shortcode_tags );
+    $tagregexp = join( '|', array_map( 'preg_quote', $tagnames ) );
+    $tagregexp = "(?:$tagregexp)(?![\\w-])"; // Excerpt of get_shortcode_regex().
+
+    $comment_regex =
+          '!'           // Start of comment, after the <.
+        . '(?:'         // Unroll the loop: Consume everything until --> is found.
+        .     '-(?!->)' // Dash not followed by end of comment.
+        .     '[^\-]*+' // Consume non-dashes.
+        . ')*+'         // Loop possessively.
+        . '-->';        // End of comment.
+
     $regex =  '/('          // Capture the entire match.
         .   '<'     // Find start of element.
         .   '(?(?=!--)' // Is this a comment?
-        .       '.+?--\s*>' // Find end of comment
+        .       $comment_regex  // Find end of comment
         .   '|'
         .       '[^>]+>'    // Find end of element
@@ -215 +227 @@
         . '|'
         .   '\['        // Find start of shortcode.
-        .   '\[?'       // Shortcodes may begin with [[
+        .   '[\/\[]?'   // Shortcodes may begin with [/ or [[
+        .   $tagregexp  // Only match registered shortcodes, because performance.
         .   '(?:'
-        .       '[^\[\]<>]' // Shortcodes do not contain other shortcodes.
+        .       '[^\[\]<>]+'    // Shortcodes do not contain other shortcodes. Quantifier critical.
         .   '|'
-        .       '<[^>]+>'   // HTML elements permitted. Prevents matching ] before >.
-        .   ')++'
+        .       '<[^\[\]>]*>'   // HTML elements permitted. Prevents matching ] before >.
+        .   ')*+'       // Possessive critical.
         .   '\]'        // Find end of shortcode.
         .   '\]?'       // Shortcodes may end with ]]
@@ -242 +255 @@
             continue;
 
-        } elseif ( '[' === $first && 1 === preg_match( '/^\[(?:[^\[\]<>]|<[^>]+>)++\]$/', $curl ) ) {
+        } elseif ( '[' === $first && 1 === preg_match( '/^\[\/?' . $tagregexp . '(?:[^\[\]<>]+|<[^\[\]>]*>)*+\]$/', $curl ) ) {
             // This is a shortcode delimiter.
 
             _wptexturize_pushpop_element( $curl, $no_texturize_shortcodes_stack, $no_texturize_shortcodes );
 
-        } elseif ( '[' === $first && 1 === preg_match( '/^\[\[?(?:[^\[\]<>]|<[^>]+>)++\]\]?$/', $curl ) ) {
+        } elseif ( '[' === $first && 1 === preg_match( '/^\[[\/\[]?' . $tagregexp . '(?:[^\[\]<>]+|<[^\[\]>]*>)*+\]\]?$/', $curl ) ) {
             // This is an escaped shortcode delimiter.
 

tags/4.0.1/src/wp-includes/http.php

@@ -445 +445 @@
  */
 function wp_http_validate_url( $url ) {
+    $original_url = $url;
     $url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
-    if ( ! $url )
+    if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) )
         return false;
 
@@ -456 +457 @@
         return false;
 
-    if ( false !== strpos( $parsed_url['host'], ':' ) )
+    if ( false !== strpbrk( $parsed_url['host'], ':#?[]' ) )
         return false;
 
@@ -474 +475 @@
         if ( $ip ) {
             $parts = array_map( 'intval', explode( '.', $ip ) );
-            if ( '127.0.0.1' === $ip
-                || ( 10 === $parts[0] )
+            if ( 127 === $parts[0] || 10 === $parts[0]
                 || ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
                 || ( 192 === $parts[0] && 168 === $parts[1] )

tags/4.0.1/src/wp-includes/js/media-grid.js

@@ -578 +578 @@
         },
         /**
-         * Respond to the keyboard events: right arrow, left arrow, escape.
+         * Respond to the keyboard events: right arrow, left arrow, except when
+         * focus is in a textarea or input field.
          */
         keyEvent: function( event ) {
-            if ( 'INPUT' === event.target.tagName && ! ( event.target.readOnly || event.target.disabled ) ) {
+            if ( ( 'INPUT' === event.target.nodeName || 'TEXTAREA' === event.target.nodeName ) && ! ( event.target.readOnly || event.target.disabled ) ) {
                 return;
             }

tags/4.0.1/src/wp-includes/js/media-views.js

@@ -5851 +5851 @@
                     priority: -60,
                     click: function() {
-                        var model, changed = [], self = this,
+                        var changed = [], removed = [], self = this,
                             selection = this.controller.state().get( 'selection' ),
                             library = this.controller.state().get( 'library' );
@@ -5870 +5870 @@
                         }
 
-                        while ( selection.length > 0 ) {
-                            model = selection.at( 0 );
+                        selection.each( function( model ) {
+                            if ( ! model.get( 'nonces' )['delete'] ) {
+                                removed.push( model );
+                                return;
+                            }
+
                             if ( media.view.settings.mediaTrash && 'trash' === model.get( 'status' ) ) {
                                 model.set( 'status', 'inherit' );
                                 changed.push( model.save() );
-                                selection.remove( model );
+                                removed.push( model );
                             } else if ( media.view.settings.mediaTrash ) {
                                 model.set( 'status', 'trash' );
                                 changed.push( model.save() );
-                                selection.remove( model );
+                                removed.push( model );
                             } else {
                                 model.destroy();
                             }
-                        }
+                        } );
 
                         if ( changed.length ) {
+                            selection.remove( removed );
+
                             $.when.apply( null, changed ).then( function() {
                                 library._requery( true );

tags/4.0.1/src/wp-includes/js/mediaelement/mediaelement-and-player.min.js

@@ -11 +11 @@
 * License: MIT
 *
-*/var mejs=mejs||{};mejs.version="2.15.0";mejs.meIndex=0;
+*/var mejs=mejs||{};mejs.version="2.15.1";mejs.meIndex=0;
 mejs.plugins={silverlight:[{version:[3,0],types:["video/mp4","video/m4v","video/mov","video/wmv","audio/wma","audio/m4a","audio/mp3","audio/wav","audio/mpeg"]}],flash:[{version:[9,0,124],types:["video/mp4","video/m4v","video/mov","video/flv","video/rtmp","video/x-flv","audio/flv","audio/x-flv","audio/mp3","audio/m4a","audio/mpeg","video/youtube","video/x-youtube","application/x-mpegURL"]}],youtube:[{version:null,types:["video/youtube","video/x-youtube","audio/youtube","audio/x-youtube"]}],vimeo:[{version:null,
 types:["video/vimeo","video/x-vimeo"]}]};
@@ -102 +102 @@
 c.updateCurrent();if(!c.isFullScreen){c.setPlayerSize(c.width,c.height);c.setControlsSize()}},false);setTimeout(function(){c.setPlayerSize(c.width,c.height);c.setControlsSize()},50);c.globalBind("resize",function(){c.isFullScreen||mejs.MediaFeatures.hasTrueNativeFullScreen&&document.webkitIsFullScreen||c.setPlayerSize(c.width,c.height);c.setControlsSize()});c.media.pluginType=="youtube"&&c.options.autoplay&&c.container.find(".mejs-overlay-play").hide()}d&&a.pluginType=="native"&&c.play();if(c.options.success)typeof c.options.success==
 "string"?window[c.options.success](c.media,c.domNode,c):c.options.success(c.media,c.domNode,c)}},handleError:function(a){this.controls.hide();this.options.error&&this.options.error(a)},setPlayerSize:function(a,b){if(!this.options.setDimensions)return false;if(typeof a!="undefined")this.width=a;if(typeof b!="undefined")this.height=b;if(this.height.toString().indexOf("%")>0||this.$node.css("max-width")==="100%"||this.$node[0].currentStyle&&this.$node[0].currentStyle.maxWidth==="100%"){var c=this.isVideo?
-this.media.videoWidth&&this.media.videoWidth>0?this.media.videoWidth:this.media.getAttribute("width")!==null?this.media.getAttribute("width"):this.options.defaultVideoWidth:this.options.defaultAudioHeight,e=this.isVideo?this.media.videoHeight&&this.media.videoHeight>0?this.media.videoHeight:this.media.getAttribute("height")!==null?this.media.getAttribute("height"):this.options.defaultVideoHeight:this.options.defaultAudioHeight,d=this.container.parent().closest(":visible").width();c=this.isVideo||
-!this.options.autosizeProgress?parseInt(d*e/c,10)>this.container.parent().closest(":visible").height()?this.container.parent().closest(":visible").height():parseInt(d*e/c,10):e;if(isNaN(c))c=this.container.parent().closest(":visible").height();if(this.container.parent()[0].tagName.toLowerCase()==="body"){d=f(window).width();c=f(window).height()}if(c!=0&&d!=0){this.container.width(d).height(c);this.$media.add(this.container.find(".mejs-shim")).width("100%").height("100%");this.isVideo&&this.media.setVideoSize&&
-this.media.setVideoSize(d,c);this.layers.children(".mejs-layer").width("100%").height("100%")}}else{this.container.width(this.width).height(this.height);this.layers.children(".mejs-layer").width(this.width).height(this.height)}d=this.layers.find(".mejs-overlay-play");c=d.find(".mejs-overlay-button");d.height(this.container.height()-this.controls.height());c.css("margin-top","-"+(c.height()/2-this.controls.height()/2).toString()+"px")},setControlsSize:function(){var a=0,b=0,c=this.controls.find(".mejs-time-rail"),
-e=this.controls.find(".mejs-time-total");this.controls.find(".mejs-time-current");this.controls.find(".mejs-time-loaded");var d=c.siblings(),g=d.last(),k=null;if(!(!this.container.is(":visible")||!c.length||!c.is(":visible"))){if(this.options&&!this.options.autosizeProgress)b=parseInt(c.css("width"));if(b===0||!b){d.each(function(){var j=f(this);if(j.css("position")!="absolute"&&j.is(":visible"))a+=f(this).outerWidth(true)});b=this.controls.width()-a-(c.outerWidth(true)-c.width())}do{c.width(b);e.width(b-
-(e.outerWidth(true)-e.width()));if(g.css("position")!="absolute"){k=g.position();b--}}while(k!=null&&k.top>0&&b>0);this.setProgressRail&&this.setProgressRail();this.setCurrentRail&&this.setCurrentRail()}},buildposter:function(a,b,c,e){var d=f('<div class="mejs-poster mejs-layer"></div>').appendTo(c);b=a.$media.attr("poster");if(a.options.poster!=="")b=a.options.poster;b!==""&&b!=null?this.setPoster(b):d.hide();e.addEventListener("play",function(){d.hide()},false);a.options.showPosterWhenEnded&&a.options.autoRewind&&
-e.addEventListener("ended",function(){d.show()},false)},setPoster:function(a){var b=this.container.find(".mejs-poster"),c=b.find("img");if(c.length==0)c=f('<img width="100%" height="100%" />').appendTo(b);c.attr("src",a);b.css({"background-image":"url("+a+")"})},buildoverlays:function(a,b,c,e){var d=this;if(a.isVideo){var g=f('<div class="mejs-overlay mejs-layer"><div class="mejs-overlay-loading"><span></span></div></div>').hide().appendTo(c),k=f('<div class="mejs-overlay mejs-layer"><div class="mejs-overlay-error"></div></div>').hide().appendTo(c),
-j=f('<div class="mejs-overlay mejs-layer mejs-overlay-play"><div class="mejs-overlay-button"></div></div>').appendTo(c).bind("click",function(){d.options.clickToPlayPause&&e.paused&&e.play()});e.addEventListener("play",function(){j.hide();g.hide();b.find(".mejs-time-buffering").hide();k.hide()},false);e.addEventListener("playing",function(){j.hide();g.hide();b.find(".mejs-time-buffering").hide();k.hide()},false);e.addEventListener("seeking",function(){g.show();b.find(".mejs-time-buffering").show()},
-false);e.addEventListener("seeked",function(){g.hide();b.find(".mejs-time-buffering").hide()},false);e.addEventListener("pause",function(){mejs.MediaFeatures.isiPhone||j.show()},false);e.addEventListener("waiting",function(){g.show();b.find(".mejs-time-buffering").show()},false);e.addEventListener("loadeddata",function(){g.show();b.find(".mejs-time-buffering").show()},false);e.addEventListener("canplay",function(){g.hide();b.find(".mejs-time-buffering").hide()},false);e.addEventListener("error",function(){g.hide();
-b.find(".mejs-time-buffering").hide();k.show();k.find("mejs-overlay-error").html("Error loading this resource")},false);e.addEventListener("keydown",function(m){d.onkeydown(a,e,m)},false)}},buildkeyboard:function(a,b,c,e){var d=this;d.globalBind("keydown",function(g){return d.onkeydown(a,e,g)});d.globalBind("click",function(g){a.hasFocus=f(g.target).closest(".mejs-container").length!=0})},onkeydown:function(a,b,c){if(a.hasFocus&&a.options.enableKeyboard)for(var e=0,d=a.options.keyActions.length;e<
-d;e++)for(var g=a.options.keyActions[e],k=0,j=g.keys.length;k<j;k++)if(c.keyCode==g.keys[k]){typeof c.preventDefault=="function"&&c.preventDefault();g.action(a,b,c.keyCode);return false}return true},findTracks:function(){var a=this,b=a.$media.find("track");a.tracks=[];b.each(function(c,e){e=f(e);a.tracks.push({srclang:e.attr("srclang")?e.attr("srclang").toLowerCase():"",src:e.attr("src"),kind:e.attr("kind"),label:e.attr("label")||"",entries:[],isLoaded:false})})},changeSkin:function(a){this.container[0].className=
-"mejs-container "+a;this.setPlayerSize(this.width,this.height);this.setControlsSize()},play:function(){this.load();this.media.play()},pause:function(){try{this.media.pause()}catch(a){}},load:function(){this.isLoaded||this.media.load();this.isLoaded=true},setMuted:function(a){this.media.setMuted(a)},setCurrentTime:function(a){this.media.setCurrentTime(a)},getCurrentTime:function(){return this.media.currentTime},setVolume:function(a){this.media.setVolume(a)},getVolume:function(){return this.media.volume},
-setSrc:function(a){this.media.setSrc(a)},remove:function(){var a,b;for(a in this.options.features){b=this.options.features[a];if(this["clean"+b])try{this["clean"+b](this)}catch(c){}}if(this.isDynamic)this.$node.insertBefore(this.container);else{this.$media.prop("controls",true);this.$node.clone().insertBefore(this.container).show();this.$node.remove()}this.media.pluginType!=="native"&&this.media.remove();delete mejs.players[this.id];typeof this.container=="object"&&this.container.remove();this.globalUnbind();
-delete this.node.player}};(function(){function a(c,e){var d={d:[],w:[]};f.each((c||"").split(" "),function(g,k){var j=k+"."+e;if(j.indexOf(".")===0){d.d.push(j);d.w.push(j)}else d[b.test(k)?"w":"d"].push(j)});d.d=d.d.join(" ");d.w=d.w.join(" ");return d}var b=/^((after|before)print|(before)?unload|hashchange|message|o(ff|n)line|page(hide|show)|popstate|resize|storage)\b/;mejs.MediaElementPlayer.prototype.globalBind=function(c,e,d){c=a(c,this.id);c.d&&f(document).bind(c.d,e,d);c.w&&f(window).bind(c.w,
-e,d)};mejs.MediaElementPlayer.prototype.globalUnbind=function(c,e){c=a(c,this.id);c.d&&f(document).unbind(c.d,e);c.w&&f(window).unbind(c.w,e)}})();if(typeof f!="undefined"){f.fn.mediaelementplayer=function(a){a===false?this.each(function(){var b=f(this).data("mediaelementplayer");b&&b.remove();f(this).removeData("mediaelementplayer")}):this.each(function(){f(this).data("mediaelementplayer",new mejs.MediaElementPlayer(this,a))});return this};f(document).ready(function(){f(".mejs-player").mediaelementplayer()})}window.MediaElementPlayer=
-mejs.MediaElementPlayer})(mejs.$);
+this.media.videoWidth&&this.media.videoWidth>0?this.media.videoWidth:this.media.getAttribute("width")!==null?this.media.getAttribute("width"):this.options.defaultVideoWidth:this.options.defaultAudioWidth,e=this.isVideo?this.media.videoHeight&&this.media.videoHeight>0?this.media.videoHeight:this.media.getAttribute("height")!==null?this.media.getAttribute("height"):this.options.defaultVideoHeight:this.options.defaultAudioHeight,d=this.container.parent().closest(":visible").width(),g=this.container.parent().closest(":visible").height();
+c=this.isVideo||!this.options.autosizeProgress?parseInt(d*e/c,10):e;if(isNaN(c)||g!=0&&c>g)c=g;if(this.container.parent()[0].tagName.toLowerCase()==="body"){d=f(window).width();c=f(window).height()}if(c!=0&&d!=0){this.container.width(d).height(c);this.$media.add(this.container.find(".mejs-shim")).width("100%").height("100%");this.isVideo&&this.media.setVideoSize&&this.media.setVideoSize(d,c);this.layers.children(".mejs-layer").width("100%").height("100%")}}else{this.container.width(this.width).height(this.height);
+this.layers.children(".mejs-layer").width(this.width).height(this.height)}d=this.layers.find(".mejs-overlay-play");g=d.find(".mejs-overlay-button");d.height(this.container.height()-this.controls.height());g.css("margin-top","-"+(g.height()/2-this.controls.height()/2).toString()+"px")},setControlsSize:function(){var a=0,b=0,c=this.controls.find(".mejs-time-rail"),e=this.controls.find(".mejs-time-total");this.controls.find(".mejs-time-current");this.controls.find(".mejs-time-loaded");var d=c.siblings(),
+g=d.last(),k=null;if(!(!this.container.is(":visible")||!c.length||!c.is(":visible"))){if(this.options&&!this.options.autosizeProgress)b=parseInt(c.css("width"));if(b===0||!b){d.each(function(){var j=f(this);if(j.css("position")!="absolute"&&j.is(":visible"))a+=f(this).outerWidth(true)});b=this.controls.width()-a-(c.outerWidth(true)-c.width())}do{c.width(b);e.width(b-(e.outerWidth(true)-e.width()));if(g.css("position")!="absolute"){k=g.position();b--}}while(k!=null&&k.top>0&&b>0);this.setProgressRail&&
+this.setProgressRail();this.setCurrentRail&&this.setCurrentRail()}},buildposter:function(a,b,c,e){var d=f('<div class="mejs-poster mejs-layer"></div>').appendTo(c);b=a.$media.attr("poster");if(a.options.poster!=="")b=a.options.poster;b!==""&&b!=null?this.setPoster(b):d.hide();e.addEventListener("play",function(){d.hide()},false);a.options.showPosterWhenEnded&&a.options.autoRewind&&e.addEventListener("ended",function(){d.show()},false)},setPoster:function(a){var b=this.container.find(".mejs-poster"),
+c=b.find("img");if(c.length==0)c=f('<img width="100%" height="100%" />').appendTo(b);c.attr("src",a);b.css({"background-image":"url("+a+")"})},buildoverlays:function(a,b,c,e){var d=this;if(a.isVideo){var g=f('<div class="mejs-overlay mejs-layer"><div class="mejs-overlay-loading"><span></span></div></div>').hide().appendTo(c),k=f('<div class="mejs-overlay mejs-layer"><div class="mejs-overlay-error"></div></div>').hide().appendTo(c),j=f('<div class="mejs-overlay mejs-layer mejs-overlay-play"><div class="mejs-overlay-button"></div></div>').appendTo(c).bind("click",
+function(){d.options.clickToPlayPause&&e.paused&&e.play()});e.addEventListener("play",function(){j.hide();g.hide();b.find(".mejs-time-buffering").hide();k.hide()},false);e.addEventListener("playing",function(){j.hide();g.hide();b.find(".mejs-time-buffering").hide();k.hide()},false);e.addEventListener("seeking",function(){g.show();b.find(".mejs-time-buffering").show()},false);e.addEventListener("seeked",function(){g.hide();b.find(".mejs-time-buffering").hide()},false);e.addEventListener("pause",function(){mejs.MediaFeatures.isiPhone||
+j.show()},false);e.addEventListener("waiting",function(){g.show();b.find(".mejs-time-buffering").show()},false);e.addEventListener("loadeddata",function(){g.show();b.find(".mejs-time-buffering").show()},false);e.addEventListener("canplay",function(){g.hide();b.find(".mejs-time-buffering").hide()},false);e.addEventListener("error",function(){g.hide();b.find(".mejs-time-buffering").hide();k.show();k.find("mejs-overlay-error").html("Error loading this resource")},false);e.addEventListener("keydown",
+function(m){d.onkeydown(a,e,m)},false)}},buildkeyboard:function(a,b,c,e){var d=this;d.globalBind("keydown",function(g){return d.onkeydown(a,e,g)});d.globalBind("click",function(g){a.hasFocus=f(g.target).closest(".mejs-container").length!=0})},onkeydown:function(a,b,c){if(a.hasFocus&&a.options.enableKeyboard)for(var e=0,d=a.options.keyActions.length;e<d;e++)for(var g=a.options.keyActions[e],k=0,j=g.keys.length;k<j;k++)if(c.keyCode==g.keys[k]){typeof c.preventDefault=="function"&&c.preventDefault();
+g.action(a,b,c.keyCode);return false}return true},findTracks:function(){var a=this,b=a.$media.find("track");a.tracks=[];b.each(function(c,e){e=f(e);a.tracks.push({srclang:e.attr("srclang")?e.attr("srclang").toLowerCase():"",src:e.attr("src"),kind:e.attr("kind"),label:e.attr("label")||"",entries:[],isLoaded:false})})},changeSkin:function(a){this.container[0].className="mejs-container "+a;this.setPlayerSize(this.width,this.height);this.setControlsSize()},play:function(){this.load();this.media.play()},
+pause:function(){try{this.media.pause()}catch(a){}},load:function(){this.isLoaded||this.media.load();this.isLoaded=true},setMuted:function(a){this.media.setMuted(a)},setCurrentTime:function(a){this.media.setCurrentTime(a)},getCurrentTime:function(){return this.media.currentTime},setVolume:function(a){this.media.setVolume(a)},getVolume:function(){return this.media.volume},setSrc:function(a){this.media.setSrc(a)},remove:function(){var a,b;for(a in this.options.features){b=this.options.features[a];if(this["clean"+
+b])try{this["clean"+b](this)}catch(c){}}if(this.isDynamic)this.$node.insertBefore(this.container);else{this.$media.prop("controls",true);this.$node.clone().insertBefore(this.container).show();this.$node.remove()}this.media.pluginType!=="native"&&this.media.remove();delete mejs.players[this.id];typeof this.container=="object"&&this.container.remove();this.globalUnbind();delete this.node.player}};(function(){function a(c,e){var d={d:[],w:[]};f.each((c||"").split(" "),function(g,k){var j=k+"."+e;if(j.indexOf(".")===
+0){d.d.push(j);d.w.push(j)}else d[b.test(k)?"w":"d"].push(j)});d.d=d.d.join(" ");d.w=d.w.join(" ");return d}var b=/^((after|before)print|(before)?unload|hashchange|message|o(ff|n)line|page(hide|show)|popstate|resize|storage)\b/;mejs.MediaElementPlayer.prototype.globalBind=function(c,e,d){c=a(c,this.id);c.d&&f(document).bind(c.d,e,d);c.w&&f(window).bind(c.w,e,d)};mejs.MediaElementPlayer.prototype.globalUnbind=function(c,e){c=a(c,this.id);c.d&&f(document).unbind(c.d,e);c.w&&f(window).unbind(c.w,e)}})();
+if(typeof f!="undefined"){f.fn.mediaelementplayer=function(a){a===false?this.each(function(){var b=f(this).data("mediaelementplayer");b&&b.remove();f(this).removeData("mediaelementplayer")}):this.each(function(){f(this).data("mediaelementplayer",new mejs.MediaElementPlayer(this,a))});return this};f(document).ready(function(){f(".mejs-player").mediaelementplayer()})}window.MediaElementPlayer=mejs.MediaElementPlayer})(mejs.$);
 (function(f){f.extend(mejs.MepDefaults,{playpauseText:mejs.i18n.t("Play/Pause")});f.extend(MediaElementPlayer.prototype,{buildplaypause:function(a,b,c,e){var d=f('<div class="mejs-button mejs-playpause-button mejs-play" ><button type="button" aria-controls="'+this.id+'" title="'+this.options.playpauseText+'" aria-label="'+this.options.playpauseText+'"></button></div>').appendTo(b).click(function(g){g.preventDefault();e.paused?e.play():e.pause();return false});e.addEventListener("play",function(){d.removeClass("mejs-play").addClass("mejs-pause")},
 false);e.addEventListener("playing",function(){d.removeClass("mejs-play").addClass("mejs-pause")},false);e.addEventListener("pause",function(){d.removeClass("mejs-pause").addClass("mejs-play")},false);e.addEventListener("paused",function(){d.removeClass("mejs-pause").addClass("mejs-play")},false)}})})(mejs.$);
@@ -150 +149 @@
 (mejs.MediaFeatures.isFullScreen()||this.isFullScreen))mejs.MediaFeatures.cancelFullScreen();f(document.documentElement).removeClass("mejs-fullscreen");this.container.removeClass("mejs-container-fullscreen").width(normalWidth).height(normalHeight);if(this.media.pluginType==="native")this.$media.width(normalWidth).height(normalHeight);else{this.container.find(".mejs-shim").width(normalWidth).height(normalHeight);this.media.setVideoSize(normalWidth,normalHeight)}this.layers.children("div").width(normalWidth).height(normalHeight);
 this.fullscreenBtn.removeClass("mejs-unfullscreen").addClass("mejs-fullscreen");this.setControlsSize();this.isFullScreen=false;this.container.find(".mejs-captions-text").css("font-size","");this.container.find(".mejs-captions-position").css("bottom","")}}})})(mejs.$);
-(function(f){f.extend(mejs.MepDefaults,{speeds:["1.50","1.25","1.00","0.75"],defaultSpeed:"1.00"});f.extend(MediaElementPlayer.prototype,{buildspeed:function(a,b,c,e){if(a.isVideo)if(this.media.pluginType=="native"){c='<div class="mejs-button mejs-speed-button"><button type="button">'+this.options.defaultSpeed+'x</button><div class="mejs-speed-selector"><ul>';var d;f.inArray(this.options.defaultSpeed,this.options.speeds)===-1&&this.options.speeds.push(this.options.defaultSpeed);this.options.speeds.sort(function(g,
+(function(f){f.extend(mejs.MepDefaults,{speeds:["1.50","1.25","1.00","0.75"],defaultSpeed:"1.00"});f.extend(MediaElementPlayer.prototype,{buildspeed:function(a,b,c,e){if(this.media.pluginType=="native"){c='<div class="mejs-button mejs-speed-button"><button type="button">'+this.options.defaultSpeed+'x</button><div class="mejs-speed-selector"><ul>';var d;f.inArray(this.options.defaultSpeed,this.options.speeds)===-1&&this.options.speeds.push(this.options.defaultSpeed);this.options.speeds.sort(function(g,
 k){return parseFloat(k)-parseFloat(g)});for(d=0;d<this.options.speeds.length;d++){c+='<li><input type="radio" name="speed" value="'+this.options.speeds[d]+'" id="'+this.options.speeds[d]+'" ';if(this.options.speeds[d]==this.options.defaultSpeed){c+="checked=true ";c+='/><label for="'+this.options.speeds[d]+'" class="mejs-speed-selected">'+this.options.speeds[d]+"x</label></li>"}else c+='/><label for="'+this.options.speeds[d]+'">'+this.options.speeds[d]+"x</label></li>"}c+="</ul></div></div>";a.speedButton=
 f(c).appendTo(b);a.playbackspeed=this.options.defaultSpeed;a.speedButton.on("click","input[type=radio]",function(){a.playbackspeed=f(this).attr("value");e.playbackRate=parseFloat(a.playbackspeed);a.speedButton.find("button").text(a.playbackspeed+"x");a.speedButton.find(".mejs-speed-selected").removeClass("mejs-speed-selected");a.speedButton.find("input[type=radio]:checked").next().addClass("mejs-speed-selected")});b=a.speedButton.find(".mejs-speed-selector");b.height(this.speedButton.find(".mejs-speed-selector ul").outerHeight(true)+

tags/4.0.1/src/wp-includes/js/quicktags.js

@@ -385 +385 @@
             canvas.value = text.substring(0, startPos) + content + text.substring(endPos, text.length);
 
-            canvas.focus();
             canvas.selectionStart = startPos + content.length;
             canvas.selectionEnd = startPos + content.length;
             canvas.scrollTop = scrollTop;
+            canvas.focus();
         } else {
             canvas.value += content;
@@ -510 +510 @@
             }
 
-            canvas.focus();
             canvas.selectionStart = cursorPos;
             canvas.selectionEnd = cursorPos;
             canvas.scrollTop = scrollTop;
+            canvas.focus();
         } else { // other browsers?
             if ( !endTag ) {

tags/4.0.1/src/wp-includes/js/tinymce/plugins/wpeditimage/plugin.js

@@ -1 +1 @@
 /* global tinymce */
 tinymce.PluginManager.add( 'wpeditimage', function( editor ) {
-    var toolbarActive = false,
+    var serializer,
+        toolbarActive = false,
         editingImage = false;
 
@@ -83 +84 @@
             }
 
-            out = b.replace( /<dl ([^>]+)>\s*<dt [^>]+>([\s\S]+?)<\/dt>\s*<dd [^>]+>([\s\S]*?)<\/dd>\s*<\/dl>/gi, function( a, b, c, caption ) {
+            out = b.replace( /\s*<dl ([^>]+)>\s*<dt [^>]+>([\s\S]+?)<\/dt>\s*<dd [^>]+>([\s\S]*?)<\/dd>\s*<\/dl>\s*/gi, function( a, b, c, caption ) {
                 var id, classes, align, width;
 
@@ -117 +118 @@
             });
 
-            if ( out.indexOf('[caption') !== 0 ) {
+            if ( out.indexOf('[caption') === -1 ) {
                 // the caption html seems broken, try to find the image that may be wrapped in a link
                 // and may be followed by <p> with the caption text.
@@ -227 +228 @@
     }
 
+    // Verify HTML in captions
+    function verifyHTML( caption ) {
+        if ( ! caption || ( caption.indexOf( '<' ) === -1 && caption.indexOf( '>' ) === -1 ) ) {
+            return caption;
+        }
+
+        if ( ! serializer ) {
+            serializer = new tinymce.html.Serializer( {}, editor.schema );
+        }
+
+        return serializer.serialize( editor.parser.parse( caption, { forced_root_block: false } ) );
+    }
+
     function updateImage( imageNode, imageData ) {
         var classes, className, node, html, parent, wrap, linkNode,
@@ -304 +318 @@
 
         if ( imageData.caption ) {
+            imageData.caption = verifyHTML( imageData.caption );
 
             id = imageData.attachment_id ? 'attachment_' + imageData.attachment_id : null;
@@ -646 +661 @@
                 // Convert remaining line breaks to <br>
                 caption = caption.replace( /(<br[^>]*>)\s*\n\s*/g, '$1' ).replace( /\s*\n\s*/g, '<br />' );
+                caption = verifyHTML( caption );
             }
 

tags/4.0.1/src/wp-includes/js/tinymce/plugins/wpview/plugin.js

@@ -13 +13 @@
         _noop = function() { return false; },
         isios = /iPad|iPod|iPhone/.test( navigator.userAgent ),
-        cursorInterval, lastKeyDownNode, setViewCursorTries, focus, execCommandView;
+        cursorInterval, lastKeyDownNode, setViewCursorTries, focus, execCommandView, execCommandBefore;
 
     function getView( node ) {
@@ -369 +369 @@
     function isSpecialKey( key ) {
         return ( ( key <= 47 && key !== VK.SPACEBAR && key !== VK.ENTER && key !== VK.DELETE && key !== VK.BACKSPACE && ( key < 37 || key > 40 ) ) ||
-            key >= 224 || // OEM or non-printable 
+            key >= 224 || // OEM or non-printable
             ( key >= 144 && key <= 150 ) || // Num Lock, Scroll Lock, OEM
             ( key >= 91 && key <= 93 ) || // Windows keys
@@ -650 +650 @@
             view;
 
-        if ( node && ( node.className === 'wpview-selection-before' || node.className === 'wpview-selection-after' ) && ( view = getView( node ) ) ) {
-            handleEnter( view );
+        if ( node && ( ( execCommandBefore = node.className === 'wpview-selection-before' ) || node.className === 'wpview-selection-after' ) && ( view = getView( node ) ) ) {
+            handleEnter( view, execCommandBefore );
             execCommandView = view;
         }
@@ -666 +666 @@
 
         if ( execCommandView ) {
-            node = execCommandView.nextSibling;
+            node = execCommandView[ execCommandBefore ? 'previousSibling' : 'nextSibling' ];
 
             if ( node && node.nodeName === 'P' && editor.dom.isEmpty( node ) ) {
                 editor.dom.remove( node );
-                setViewCursor( false, execCommandView );
+                setViewCursor( execCommandBefore, execCommandView );
             }
 

tags/4.0.1/src/wp-includes/kses.php

@@ -1441 +1441 @@
     $css = str_replace(array("\n","\r","\t"), '', $css);
 
-    if ( preg_match( '%[\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments
+    if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments
         return '';
 

tags/4.0.1/src/wp-includes/link-template.php

@@ -258 +258 @@
     $post_type = get_post_type_object($post->post_type);
 
+    if ( $post_type->hierarchical ) {
+        $slug = get_page_uri( $id );
+    }
+
     if ( !empty($post_link) && ( !$draft_or_pending || $sample ) ) {
         if ( ! $leavename ) {
-            if ( $post_type->hierarchical )
-                $slug = get_page_uri($id);
             $post_link = str_replace("%$post->post_type%", $slug, $post_link);
         }
@@ -1512 +1514 @@
 
         if ( ! empty( $excluded_terms ) ) {
-            $where .= " AND p.ID NOT IN ( SELECT object_id FROM $wpdb->term_relationships WHERE term_taxonomy_id IN (" . implode( $excluded_terms, ',' ) . ') )';
+            $where .= " AND p.ID NOT IN ( SELECT tr.object_id FROM $wpdb->term_relationships tr LEFT JOIN $wpdb->term_taxonomy tt ON (tr.term_taxonomy_id = tt.term_taxonomy_id) WHERE tt.term_id IN (" . implode( $excluded_terms, ',' ) . ') )';
         }
     }

tags/4.0.1/src/wp-includes/media-template.php

@@ -313 +313 @@
 
                 <div class="attachment-actions">
-                    <# if ( 'image' === data.type && ! data.uploading && data.sizes ) { #>
+                    <# if ( 'image' === data.type && ! data.uploading && data.sizes && data.can.save ) { #>
                         <a class="button edit-attachment" href="#"><?php _e( 'Edit Image' ); ?></a>
                     <# } #>
@@ -395 +395 @@
                     <span class="value">{{ data.authorName }}</span>
                 </label>
-                <# if ( data.uploadedTo ) { #>
+                <# if ( data.uploadedToTitle ) { #>
                     <label class="setting">
                         <span class="name"><?php _e( 'Uploaded To' ); ?></span>
@@ -409 +409 @@
 
             <div class="actions">
-                <a class="view-attachment" href="{{ data.link }}"><?php _e( 'View attachment page' ); ?></a> |
-                <a href="post.php?post={{ data.id }}&action=edit"><?php _e( 'Edit more details' ); ?></a>
+                <a class="view-attachment" href="{{ data.link }}"><?php _e( 'View attachment page' ); ?></a>
+                <# if ( data.can.save ) { #> |
+                    <a href="post.php?post={{ data.id }}&action=edit"><?php _e( 'Edit more details' ); ?></a>
+                <# } #>
                 <# if ( ! data.uploading && data.can.remove ) { #> |
-                        <?php if ( MEDIA_TRASH ): ?>
+                    <?php if ( MEDIA_TRASH ): ?>
                         <# if ( 'trash' === data.status ) { #>
                             <a class="untrash-attachment" href="#"><?php _e( 'Untrash' ); ?></a>
@@ -418 +420 @@
                             <a class="trash-attachment" href="#"><?php _e( 'Trash' ); ?></a>
                         <# } #>
-                        <?php else: ?>
-                            <a class="delete-attachment" href="#"><?php _e( 'Delete Permanently' ); ?></a>
-                        <?php endif; ?>
-                    <# } #>
+                    <?php else: ?>
+                        <a class="delete-attachment" href="#"><?php _e( 'Delete Permanently' ); ?></a>
+                    <?php endif; ?>
+                <# } #>
             </div>
 

tags/4.0.1/src/wp-includes/media.php

@@ -1248 +1248 @@
     }
 
+    if ( $atts['type'] !== 'audio' ) {
+        $atts['type'] = 'video';
+    }
+
     $args = array(
         'post_status' => 'inherit',
@@ -1597 +1601 @@
         'class'    => apply_filters( 'wp_audio_shortcode_class', 'wp-audio-shortcode' ),
         'id'       => sprintf( 'audio-%d-%d', $post_id, $instances ),
-        'loop'     => $atts['loop'],
-        'autoplay' => $atts['autoplay'],
+        'loop'     => wp_validate_boolean( $atts['loop'] ),
+        'autoplay' => wp_validate_boolean( $atts['autoplay'] ),
         'preload'  => $atts['preload'],
         'style'    => 'width: 100%; visibility: hidden;',
@@ -1823 +1827 @@
         'height'   => absint( $atts['height'] ),
         'poster'   => esc_url( $atts['poster'] ),
-        'loop'     => $atts['loop'],
-        'autoplay' => $atts['autoplay'],
+        'loop'     => wp_validate_boolean( $atts['loop'] ),
+        'autoplay' => wp_validate_boolean( $atts['autoplay'] ),
         'preload'  => $atts['preload'],
     );
@@ -2644 +2648 @@
     if ( $attachment->post_parent ) {
         $post_parent = get_post( $attachment->post_parent );
+    } else {
+        $post_parent = false;
+    }
+
+    if ( $post_parent ) {
         $parent_type = get_post_type_object( $post_parent->post_type );
         if ( $parent_type && $parent_type->show_ui && current_user_can( 'edit_post', $attachment->post_parent ) ) {

tags/4.0.1/src/wp-includes/ms-functions.php

@@ -1380 +1380 @@
     populate_options();
     populate_roles();
-    $wp_roles->_init();
+
+    // populate_roles() clears previous role definitions so we start over.
+    $wp_roles = new WP_Roles();
 
     $url = untrailingslashit( $url );

tags/4.0.1/src/wp-includes/pluggable.php

@@ -670 +670 @@
 
     $key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
-    $hash = hash_hmac( 'sha256', $username . '|' . $expiration . '|' . $token, $key );
+
+    // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
+    $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
+    $hash = hash_hmac( $algo, $username . '|' . $expiration . '|' . $token, $key );
 
     if ( ! hash_equals( $hash, $hmac ) ) {
@@ -735 +738 @@
 
     $key = wp_hash( $user->user_login . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
-    $hash = hash_hmac( 'sha256', $user->user_login . '|' . $expiration . '|' . $token, $key );
+
+    // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
+    $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
+    $hash = hash_hmac( $algo, $user->user_login . '|' . $expiration . '|' . $token, $key );
 
     $cookie = $user->user_login . '|' . $expiration . '|' . $token . '|' . $hash;
@@ -1934 +1940 @@
     // If the hash is still md5...
     if ( strlen($hash) <= 32 ) {
-        $check = ( $hash == md5($password) );
+        $check = hash_equals( $hash, md5( $password ) );
         if ( $check && $user_id ) {
             // Rehash using new hash.

tags/4.0.1/src/wp-includes/post.php

@@ -4720 +4720 @@
     $defaults = array(
         'file'        => $file,
-        'post_parent' => $parent
+        'post_parent' => 0
     );
+
     $data = wp_parse_args( $args, $defaults );
+
+    if ( ! empty( $parent ) ) {
+        $data['post_parent'] = $parent;
+    }
 
     $data['post_type'] = 'attachment';

tags/4.0.1/src/wp-includes/session.php

@@ -62 +62 @@
      */
     final private function hash_token( $token ) {
-        return hash( 'sha256', $token );
+        // If ext/hash is not present, use sha1() instead.
+        if ( function_exists( 'hash' ) ) {
+            return hash( 'sha256', $token );
+        } else {
+            return sha1( $token );
+        }
     }
 

tags/4.0.1/src/wp-includes/user.php

@@ -1819 +1819 @@
 
     if ( $update ) {
+        if ( $user_email !== $old_user_data->user_email ) {
+            $data['user_activation_key'] = '';
+        }
         $wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
         $user_id = (int) $ID;

tags/4.0.1/src/wp-includes/version.php

@@ -5 +5 @@
  * @global string $wp_version
  */
-$wp_version = '4.0-src';
+$wp_version = '4.0.1-src';
 
 /**

tags/4.0.1/src/wp-login.php

@@ -572 +572 @@
         list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
         $user = check_password_reset_key( $rp_key, $rp_login );
+        if ( isset( $_POST['pass1'] ) && ! hash_equals( $rp_key, $_POST['rp_key'] ) ) {
+            $user = false;
+        }
     } else {
         $user = false;
@@ -641 +644 @@
     do_action( 'resetpass_form', $user );
     ?>
+    <input type="hidden" name="rp_key" value="<?php echo esc_attr( $rp_key ); ?>" />
     <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Reset Password'); ?>" /></p>
 </form>

tags/4.0.1/tests/phpunit/tests/auth.php

@@ -3 +3 @@
 /**
  * @group pluggable
+ * @group auth
  */
 class Tests_Auth extends WP_UnitTestCase {
@@ -100 +101 @@
         $this->assertFalse( wp_verify_nonce( null ) );
     }
+
+    function test_password_length_limit() {
+        $passwords = array(
+            str_repeat( 'a', 4095 ), // short
+            str_repeat( 'a', 4096 ), // limit
+            str_repeat( 'a', 4097 ), // long
+        );
+
+        $user_id = $this->factory->user->create( array( 'user_login' => 'password-length-test' ) );
+
+        wp_set_password( $passwords[1], $user_id );
+        $user = get_user_by( 'id', $user_id );
+        // phpass hashed password
+        $this->assertStringStartsWith( '$P$', $user->data->user_pass );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[0] );
+        // Wrong Password
+        $this->assertInstanceOf( 'WP_Error', $user );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[1] );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertEquals( $user_id, $user->ID );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[2] );
+        // Wrong Password
+        $this->assertInstanceOf( 'WP_Error', $user );
+
+
+        wp_set_password( $passwords[2], $user_id );
+        $user = get_user_by( 'id', $user_id );
+        // Password broken by setting it to be too long.
+        $this->assertEquals( '*', $user->data->user_pass );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[0] );
+        // Wrong Password
+        $this->assertInstanceOf( 'WP_Error', $user );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[1] );
+        // Wrong Password
+        $this->assertInstanceOf( 'WP_Error', $user );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[2] );
+        // Password broken by setting it to be too long.
+        $this->assertInstanceOf( 'WP_Error', $user );
+    }
 }

tags/4.0.1/tests/phpunit/tests/formatting/WPTexturize.php

@@ -12 +12 @@
     function test_disable() {
         $this->assertEquals('<pre>---</pre>', wptexturize('<pre>---</pre>'));
-        $this->assertEquals('[a]a&#8211;b[code]---[/code]a&#8211;b[/a]', wptexturize('[a]a--b[code]---[/code]a--b[/a]'));
         $this->assertEquals('<pre><code></code>--</pre>', wptexturize('<pre><code></code>--</pre>'));
 
@@ -1194 +1193 @@
             ),
             array(
+                '[is it wise to <a title="allow user content ] here? hmm"> maybe </a> ]',
+                '[is it wise to <a title="allow user content ] here? hmm"> maybe </a> ]',
+            ),
+            array(
+                '[caption - is it wise to <a title="allow user content ] here? hmm"> maybe </a> ]',
+                '[caption &#8211; is it wise to <a title="allow user content ] here? hmm"> maybe </a> ]',
+            ),
+            array(
+                '[caption - is it wise to <a title="allow user content here? hmm"> ] maybe </a> ]',
+                '[caption - is it wise to <a title="allow user content here? hmm"> ] maybe </a> ]',
+            ),
+            array(
+                '[caption - is it wise to <a title="allow user content here? hmm"> maybe </a> ]',
+                '[caption - is it wise to <a title="allow user content here? hmm"> maybe </a> ]',
+            ),
+            array(
+                '[caption compare=">"]',
+                '[caption compare=&#8221;>&#8221;]',
+            ),
+            array(
+                '[caption compare="<>"]',
+                '[caption compare="<>"]',
+            ),
+            array(
+                '[caption compare="<" attr2="value" <!-->/]',
+                '[caption compare="<" attr2="value" <!-->/]',
+            ),
+            array(
+                '[caption compare="<"]',
+                '[caption compare=&#8221;<&#8221;]',
+            ),
+            array(
+                '[caption compare="<"]<br />',
+                '[caption compare=&#8221;<"]<br />',
+            ),
+            array(
                 '[ photos by <a href="http://example.com/?a[]=1&a[]=2"> this guy </a> ]',
                 '[ photos by <a href="http://example.com/?a[]=1&#038;a[]=2"> this guy </a> ]',
@@ -1211 +1246 @@
             array(
                 '[/...]', // This would actually be ignored by the shortcode system.  The decision to not texturize it is intentional, if not correct.
-                '[/...]',
+                '[/&#8230;]',
             ),
             array(
                 '[...]...[/...]', // These are potentially usable shortcodes.
-                '[...]&#8230;[/...]',
+                '[&#8230;]&#8230;[/&#8230;]',
             ),
             array(
                 '[[...]]...[[/...]]', // Shortcode parsing will ignore the inner ]...[ part and treat this as a single escaped shortcode.
-                '[[...]]&#8230;[[/...]]',
+                '[[&#8230;]]&#8230;[[/&#8230;]]',
             ),
             array(
                 '[[[...]]]...[[[/...]]]', // Again, shortcode parsing matches, but only the [[...] and [/...]] parts.
-                '[[[...]]]&#8230;[[[/...]]]',
+                '[[[&#8230;]]]&#8230;[[[/&#8230;]]]',
             ),
             array(
@@ -1231 +1266 @@
             array(
                 '[code]...[/code]]...', // These are potentially usable shortcodes.  Unfortunately, the meaning of [/code]] is ambiguous unless we run the entire shortcode regexp.
-                '[code]...[/code]]...', // This test would not pass in 3.9 because the extra brace was always ignored by texturize.
+                '[code]&#8230;[/code]]&#8230;', // This test would not pass in 3.9 because the extra brace was always ignored by texturize.
             ),
             array(
@@ -1346 +1381 @@
             ),
             array(
-                '[Let\'s get crazy<input>[plugin code="<a href=\'?a[]=100\'>hello</a>"]</input>world]',
-                '[Let&#8217;s get crazy<input>[plugin code="<a href=\'?a[]=100\'>hello</a>"]</input>world]',
+                '[Let\'s get crazy<input>[caption code="<a href=\'?a[]=100\'>hello</a>"]</input>world]', // caption shortcode is invalid here because it contains [] chars.
+                '[Let&#8217;s get crazy<input>[caption code=&#8221;<a href=\'?a[]=100\'>hello</a>&#8220;]</input>world]',
             ),
         );
@@ -1716 +1751 @@
             array(
                 '<span>hello[code]---</span>',
-                '<span>hello[code]---</span>',
+                '<span>hello[code]&#8212;</span>',
             ),
             array(
                 '[code]hello<span>---</span>',
-                '[code]hello<span>---</span>',
+                '[code]hello<span>&#8212;</span>',
             ),
             array(
                 '[code]hello</span>---</span>',
-                '[code]hello</span>---</span>',
+                '[code]hello</span>&#8212;</span>',
+            ),
+        );
+    }
+
+    /**
+     * Test disabling shortcode texturization.
+     *
+     * @ticket 29557
+     * @dataProvider data_unregistered_shortcodes
+     */
+    function test_unregistered_shortcodes( $input, $output ) {
+        add_filter( 'no_texturize_shortcodes', array( $this, 'filter_shortcodes' ), 10, 1 );
+    
+        $output = $this->assertEquals( $output, wptexturize( $input ) );
+    
+        remove_filter( 'no_texturize_shortcodes', array( $this, 'filter_shortcodes' ), 10, 1 );
+        return $output;
+    }
+    
+    function filter_shortcodes( $disabled ) {
+        $disabled[] = 'audio';
+        return $disabled;
+    }
+
+    function data_unregistered_shortcodes() {
+        return array(
+            array(
+                '[a]a--b[code]---[/code]a--b[/a]', // code is not a registered shortcode.
+                '[a]a&#8211;b[code]&#8212;[/code]a&#8211;b[/a]',
+            ),
+            array(
+                '[a]a--b[audio]---[/audio]a--b[/a]',
+                '[a]a&#8211;b[audio]---[/audio]a&#8211;b[/a]',
+            ),
+            array(
+                '[code ...]...[/code]', // code is not a registered shortcode.
+                '[code &#8230;]&#8230;[/code]',
+            ),
+            array(
+                '[hello ...]...[/hello]', // hello is not a registered shortcode.
+                '[hello &#8230;]&#8230;[/hello]',
+            ),
+            array(
+                '[...]...[/...]', // These are potentially usable shortcodes.
+                '[&#8230;]&#8230;[/&#8230;]',
+            ),
+            array(
+                '[gal>ery ...]',
+                '[gal>ery &#8230;]',
+            ),
+            array(
+                '[randomthing param="test"]',
+                '[randomthing param=&#8221;test&#8221;]',
+            ),
+            array(
+                '[[audio]...[/audio]...', // These are potentially usable shortcodes.  Unfortunately, the meaning of [[audio] is ambiguous unless we run the entire shortcode regexp.
+                '[[audio]&#8230;[/audio]&#8230;',
+            ),
+            array(
+                '[audio]...[/audio]]...', // These are potentially usable shortcodes.  Unfortunately, the meaning of [/audio]] is ambiguous unless we run the entire shortcode regexp.
+                '[audio]...[/audio]]...', // This test would not pass in 3.9 because the extra brace was always ignored by texturize.
+            ),
+            array(
+                '<span>hello[/audio]---</span>',
+                '<span>hello[/audio]&#8212;</span>',
+            ),
+            array(
+                '[/audio]hello<span>---</span>',
+                '[/audio]hello<span>&#8212;</span>',
+            ),
+            array(
+                '[audio]hello[/audio]---</span>',
+                '[audio]hello[/audio]&#8212;</span>',
+            ),
+            array(
+                '<span>hello</span>---[audio]',
+                '<span>hello</span>&#8212;[audio]',
+            ),
+            array(
+                '<span>hello[audio]---</span>',
+                '<span>hello[audio]---</span>',
+            ),
+            array(
+                '[audio]hello<span>---</span>',
+                '[audio]hello<span>---</span>',
+            ),
+            array(
+                '[audio]hello</span>---</span>',
+                '[audio]hello</span>---</span>',
             ),
         );

tags/4.0.1/tests/phpunit/tests/link.php

@@ -191 +191 @@
 
     /**
-    * @ticket 22112
-    */
+     * @ticket 22112
+     */
     function test_get_adjacent_post_exclude_self_term() {
-        $include = $this->factory->category->create();
+        // Bump term_taxonomy to mimic shared term offsets.
+        global $wpdb;
+        $wpdb->insert( $wpdb->term_taxonomy, array( 'taxonomy' => 'foo', 'term_id' => 12345, 'description' => '' ) );
+
+        $include = $this->factory->term->create( array(
+            'taxonomy' => 'category',
+            'name' => 'Include',
+        ) );
         $exclude = $this->factory->category->create();
 

tags/4.0.1/tests/phpunit/tests/post/attachments.php

@@ -255 +255 @@
     }
 
+    /**
+     * @ticket 29646
+     */
+    function test_update_orphan_attachment_parent() {
+        $filename = ( DIR_TESTDATA . '/images/test-image.jpg' );
+        $contents = file_get_contents( $filename );
+
+        $upload = wp_upload_bits( basename( $filename ), null, $contents );
+        $this->assertTrue( empty( $upload['error'] ) );
+
+        $attachment_id = $this->_make_attachment( $upload );
+
+        // Assert that the attachment is an orphan
+        $attachment = get_post( $attachment_id );
+        $this->assertEquals( $attachment->post_parent, 0 );
+
+        $post_id = wp_insert_post( array( 'post_content' => rand_str(), 'post_title' => rand_str() ) );
+
+        // Assert that the attachment has a parent
+        wp_insert_attachment( $attachment, '', $post_id );
+        $attachment = get_post( $attachment_id );
+        $this->assertEquals( $attachment->post_parent, $post_id );
+    }
+
 }

tags/4.0.1/tests/phpunit/tests/query/results.php

@@ -652 +652 @@
     }
 
+    /**
+     * @ticket 29615
+     */
+    function test_child_post_in_hierarchical_post_type_with_default_permalinks() {
+        global $wp_rewrite;
+
+        $old_permastruct = get_option( 'permalink_structure' );
+        $wp_rewrite->set_permalink_structure( '' );
+        $wp_rewrite->flush_rules();
+
+        register_post_type( 'handbook', array( 'hierarchical' => true ) );
+
+        $post_1 = $this->factory->post->create( array( 'post_title' => 'Contributing to the WordPress Codex', 'post_type' => 'handbook' ) );
+        $post_2 = $this->factory->post->create( array( 'post_title' => 'Getting Started', 'post_parent' => $post_1, 'post_type' => 'handbook' ) );
+
+        $this->assertContains( 'contributing-to-the-wordpress-codex/getting-started', get_permalink( $post_2 ) );
+
+        $result = $this->q->query( array( 'handbook' => 'contributing-to-the-wordpress-codex/getting-started', 'post_type' => 'handbook' ) );
+        $this->assertCount( 1, $result );
+
+        $wp_rewrite->set_permalink_structure( $old_permastruct );
+        $wp_rewrite->flush_rules();
+    }
+
 }

tags/4.0.1/tests/phpunit/tests/user.php

@@ -655 +655 @@
         $this->assertNotContains( 'key', $metas );
     }
+
+    function test_changing_email_invalidates_password_reset_key() {
+        global $wpdb;
+
+        $user = $this->factory->user->create_and_get();
+        $wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) );
+        clean_user_cache( $user );
+
+        $user = get_userdata( $user->ID );
+        $this->assertEquals( 'key', $user->user_activation_key );
+
+        // Check that changing something other than the email doesn't remove the key.
+        $userdata = array(
+            'ID'            => $user->ID,
+            'user_nicename' => 'wat',
+        );
+        wp_update_user( $userdata );
+
+        $user = get_userdata( $user->ID );
+        $this->assertEquals( 'key', $user->user_activation_key );
+
+        // Now check that changing the email does remove it.
+        $userdata = array(
+            'ID'            => $user->ID,
+            'user_nicename' => 'cat',
+            'user_email'    => 'foo@bar.dev',
+        );
+        wp_update_user( $userdata );
+
+        $user = get_userdata( $user->ID );
+        $this->assertEmpty( $user->user_activation_key );
+    }
 }

tags/4.0.1/tests/phpunit/tests/xmlrpc/wp/uploadFile.php

@@ -56 +56 @@
     }
 
-    /**
-     * @ticket 11946
-     */
-    function test_valid_mime() {
-        $this->make_user_by_role( 'editor' );
-
-        // create attachment
-        $filename = ( DIR_TESTDATA . '/images/test-image-mime-jpg.png' );
-        $contents = file_get_contents( $filename );
-        $data = array(
-            'name' => 'test-image-mime-jpg.png',
-            'type' => 'image/png',
-            'bits' => $contents
-        );
-
-        $result = $this->myxmlrpcserver->mw_newMediaObject( array( 0, 'editor', 'editor', $data ) );
-
-        $this->assertNotInstanceOf( 'IXR_Error', $result );
-
-        $this->assertEquals( 'image/jpeg', $result['type'] );
-    }
 }