Changeset 55790

Timestamp:

05/16/2023 04:01:50 PM (15 months ago)

Author:

audrasjb

Message:

Grouped backports to the 5.1 branch.

• Media: Prevent CSRF setting attachment thumbnails.
• Embeds: Add protocol validation for WordPress Embed code.
• I18N: Introduce sanitization function for locale.
• Editor: Ensure block comments are of a valid form.

Merges [55760-55764] to the 5.1 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.

Location:

branches/5.1

Files:

• package-lock.json (modified) (1 diff)
• package.json (modified) (1 diff)
• src/js/_enqueues/wp/embed.js (modified) (2 diffs)
• src/js/media/views/frame/video-details.js (modified) (1 diff)
• src/wp-admin/about.php (modified) (1 diff)
• src/wp-admin/includes/ajax-actions.php (modified) (1 diff)
• src/wp-includes/blocks.php (modified) (2 diffs)
• src/wp-includes/formatting.php (modified) (1 diff)
• src/wp-includes/l10n.php (modified) (1 diff)
• src/wp-includes/media.php (modified) (1 diff)
• src/wp-includes/version.php (modified) (1 diff)
• tests/phpunit/tests/ajax/Attachments.php (modified) (1 diff)
• tests/phpunit/tests/formatting/sanitizeLocaleName.php (added)

branches/5.1/package-lock.json

@@ -1 +1 @@
 {
     "name": "WordPress",
-    "version": "5.1.15",
+    "version": "5.1.1",
     "lockfileVersion": 1,
     "requires": true,

branches/5.1/package.json

@@ -1 +1 @@
 {
     "name": "WordPress",
-    "version": "5.1.15",
+    "version": "5.1.1",
     "description": "WordPress is open source software you can use to create a beautiful website, blog, or app.",
     "repository": {

branches/5.1/src/js/_enqueues/wp/embed.js

@@ -45 +45 @@
         var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
             blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+
             i, source, height, sourceURL, targetURL;
 
@@ -79 +80 @@
                 sourceURL.href = source.getAttribute( 'src' );
                 targetURL.href = data.value;
+
+
+
+
+
 
                 /* Only continue if link hostname matches iframe's hostname. */

branches/5.1/src/js/media/views/frame/video-details.js

@@ -107 +107 @@
             wp.ajax.send( 'set-attachment-thumbnail', {
                 data : {
+
                     urls: urls,
                     thumbnail_id: attachment.get( 'id' )

branches/5.1/src/wp-admin/about.php

@@ -37 +37 @@
         <div class="changelog point-releases">
             <h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
             <p>
                 <?php

branches/5.1/src/wp-admin/includes/ajax-actions.php

@@ -2508 +2508 @@
     }
 
+
+
+
+
     $post_ids = array();
     // For each URL, try to find its corresponding post ID.

branches/5.1/src/wp-includes/blocks.php

@@ -272 +272 @@
     $result = '';
 
+
+
+
+
     $blocks = parse_blocks( $text );
     foreach ( $blocks as $block ) {
@@ -279 +283 @@
 
     return $result;
+
+
+
+
+
+
+
+
+
+
+
+
+
 }
 

branches/5.1/src/wp-includes/formatting.php

@@ -2367 +2367 @@
 
 /**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
  * Converts lone & characters into `&` (a.k.a. `&`)
  *

branches/5.1/src/wp-includes/l10n.php

@@ -140 +140 @@
 
     if ( ! empty( $_GET['wp_lang'] ) && ! empty( $GLOBALS['pagenow'] ) && 'wp-login.php' === $GLOBALS['pagenow'] ) {
-        $determined_locale = sanitize_text_field( $_GET['wp_lang'] );
+        $determined_locale = sanitize_ );
     }
 

branches/5.1/src/wp-includes/media.php

@@ -3584 +3584 @@
         'captions'         => ! apply_filters( 'disable_captions', '' ),
         'nonce'            => array(
-            'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
+            'sendToEditor'           => wp_create_nonce( 'media-send-to-editor' ),
+            'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ),
         ),
         'post'             => array(

branches/5.1/src/wp-includes/version.php

@@ -14 +14 @@
  * @global string $wp_version
  */
-$wp_version = '5.1.15-src';
+$wp_version = '5.1.1-src';
 
 /**

branches/5.1/tests/phpunit/tests/ajax/Attachments.php

@@ -114 +114 @@
         $this->assertEquals( $expected, $response['data'] );
     }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 }