<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[50131] trunk: Security, Site Health: Make migrating a site to HTTPS a one-click interaction.</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/50131">50131</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/50131","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>flixos90</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2021-02-02 00:08:01 +0000 (Tue, 02 Feb 2021)</dd>
</dl>

<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Security, Site Health: Make migrating a site to HTTPS a one-click interaction.

Switching a WordPress site from HTTP to HTTPS has historically been a tedious task. While on the surface the Site Address and WordPress Address have to be updated, existing content still remains using HTTP URLs where hard-coded in the database. Furthermore, updating _two_ URLs to migrate to HTTPS is still a fairly unintuitive step which is not clearly explained.

This changeset simplifies migration from HTTP to HTTPS and, where possible, makes it a one-click interaction.

* Automatically replace insecure versions of the Site Address (`home_url()`) with its HTTPS counterpart on the fly if the site has been migrated from HTTP to HTTPS. This is accomplished by introducing a `https_migration_required` option and enabling it when the `home_url()` is accordingly changed.
    * A new `wp_replace_insecure_home_url()` function is hooked into various pieces of content to replace URLs accordingly.
    * The migration only kicks in when the Site Address (`home_url()`) and WordPress Address (`site_url()`) match, which is the widely common case. Configurations where these differ are often maintained by more advanced users, where this migration routine would be less essential - something to potentially iterate on in the future though.
    * The migration does not actually update content in the database. More savvy users that prefer to do that can prevent the migration logic from running by either deleting the `https_migration_required` option or using the new `wp_should_replace_insecure_home_url` filter.
    * For fresh sites that do not have any content yet at the point of changing the URLs to HTTPS, the migration will also be skipped since it would not be relevant.
* Expose a primary action in the Site Health recommendation, if HTTPS is already supported by the environment, built on top of the HTTPS detection mechanism from <a href="https://core.trac.wordpress.org/changeset/49904">[49904]</a>. When clicked, the default behavior is to update `home_url()` and `site_url()` in one go to their HTTPS counterpart.
    * A new `wp_update_urls_to_https()` function takes care of the update routine.
    * A new `update_https` meta capability is introduced to control access.
    * If the site's URLs are controlled by constants, this update is not automatically possible, so in these scenarios the user is informed about that in the HTTPS status check in Site Health.
* Allow hosting providers to modify the URLs linked to in the HTTPS status check in Site Health, similar to how that is possible for the URLs around updating the PHP version.
    * A `WP_UPDATE_HTTPS_URL` environment variable or `wp_update_https_url` filter can be used to provide a custom URL with guidance about updating the site to use HTTPS.
    * A `WP_DIRECT_UPDATE_HTTPS_URL` environment variable or `wp_direct_update_https_url` filter can be used to provide a custom URL for the primary CTA to update the site to use HTTPS.

Props flixos90, timothyblynjacobs.
Fixes <a href="https://core.trac.wordpress.org/ticket/51437">#51437</a>.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpadminincludesclasswpsitehealthphp">trunk/src/wp-admin/includes/class-wp-site-health.php</a></li>
<li><a href="#trunksrcwpadminsitehealthphp">trunk/src/wp-admin/site-health.php</a></li>
<li><a href="#trunksrcwpincludescapabilitiesphp">trunk/src/wp-includes/capabilities.php</a></li>
<li><a href="#trunksrcwpincludesdefaultfiltersphp">trunk/src/wp-includes/default-filters.php</a></li>
<li><a href="#trunksrcwpincludesfunctionsphp">trunk/src/wp-includes/functions.php</a></li>
<li><a href="#trunksrcwpsettingsphp">trunk/src/wp-settings.php</a></li>
<li><a href="#trunktestsphpunittestsusercapabilitiesphp">trunk/tests/phpunit/tests/user/capabilities.php</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunksrcwpincludeshttpsmigrationphp">trunk/src/wp-includes/https-migration.php</a></li>
<li><a href="#trunktestsphpunittestshttpsmigrationphp">trunk/tests/phpunit/tests/https-migration.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpadminincludesclasswpsitehealthphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-admin/includes/class-wp-site-health.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-admin/includes/class-wp-site-health.php      2021-02-01 23:31:54 UTC (rev 50130)
+++ trunk/src/wp-admin/includes/class-wp-site-health.php        2021-02-02 00:08:01 UTC (rev 50131)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1502,6 +1502,8 @@
</span><span class="cx" style="display: block; padding: 0 10px">                // always rely on the latest results.
</span><span class="cx" style="display: block; padding: 0 10px">                wp_update_https_detection_errors();
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                $default_update_url = wp_get_default_update_https_url();
+
</ins><span class="cx" style="display: block; padding: 0 10px">                 $result = array(
</span><span class="cx" style="display: block; padding: 0 10px">                        'label'       => __( 'Your website is using an active HTTPS connection' ),
</span><span class="cx" style="display: block; padding: 0 10px">                        'status'      => 'good',
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1514,9 +1516,8 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                __( 'An HTTPS connection is a more secure way of browsing the web. Many services now have HTTPS as a requirement. HTTPS allows you to take advantage of new features that can increase site speed, improve search rankings, and gain the trust of your visitors by helping to protect their online privacy.' )
</span><span class="cx" style="display: block; padding: 0 10px">                        ),
</span><span class="cx" style="display: block; padding: 0 10px">                        'actions'     => sprintf(
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                '<p><a href="%s" target="_blank" rel="noopener">%s <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>',
-                               /* translators: Documentation explaining HTTPS and why it should be used. */
-                               esc_url( __( 'https://wordpress.org/support/article/why-should-i-use-https/' ) ),
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                         '<p><a href="%s" target="_blank" rel="noopener">%s<span class="screen-reader-text"> %s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>',
+                               esc_url( $default_update_url ),
</ins><span class="cx" style="display: block; padding: 0 10px">                                 __( 'Learn more about why you should use HTTPS' ),
</span><span class="cx" style="display: block; padding: 0 10px">                                /* translators: Accessibility text. */
</span><span class="cx" style="display: block; padding: 0 10px">                                __( '(opens in a new tab)' )
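Review bot: the "Learn more" link now takes its href from `$default_update_url`, which comes from `wp_get_default_update_https_url()`, yet that function's docblock in functions.php says not to use it to retrieve the URL and to call `wp_get_update_https_url()` instead. As written, a host that sets `WP_UPDATE_HTTPS_URL` or the `wp_update_https_url` filter still gets the default article linked here. Either pass `esc_url( wp_get_update_https_url() )` or add a comment saying this link is deliberately not overridable.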
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1580,16 +1581,54 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                        __( 'HTTPS is already supported for your website.' )
</span><span class="cx" style="display: block; padding: 0 10px">                                );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                $result['actions'] = sprintf(
-                                       '<p><a href="%s">%s</a></p>',
-                                       esc_url( admin_url( 'options-general.php' ) ),
-                                       __( 'Update your site addresses' )
-                               );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                         if ( defined( 'WP_HOME' ) || defined( 'WP_SITEURL' ) ) {
+                                       $result['description'] .= sprintf(
+                                               '<p>%s</p>',
+                                               sprintf(
+                                                       /* translators: 1: wp-config.php, 2: WP_HOME, 3: WP_SITEURL */
+                                                       __( 'However, your WordPress Address is currently controlled by a PHP constant and therefore cannot be updated. You need to edit your %1$s and remove or update the definitions of %2$s and %3$s.' ),
+                                                       '<code>wp-config.php</code>',
+                                                       '<code>WP_HOME</code>',
+                                                       '<code>WP_SITEURL</code>'
+                                               )
+                                       );
+                               } elseif ( current_user_can( 'update_https' ) ) {
+                                       $default_direct_update_url = add_query_arg( 'action', 'update_https', wp_nonce_url( admin_url( 'site-health.php' ), 'wp_update_https' ) );
+                                       $direct_update_url         = wp_get_direct_update_https_url();
+
+                                       if ( ! empty( $direct_update_url ) ) {
+                                               $result['actions'] = sprintf(
+                                                       '<p class="button-container"><a class="button button-primary" href="%1$s" target="_blank" rel="noopener">%2$s<span class="screen-reader-text"> %3$s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>',
+                                                       esc_url( $direct_update_url ),
+                                                       __( 'Update your site to use HTTPS' ),
+                                                       /* translators: Accessibility text. */
+                                                       __( '(opens in a new tab)' )
+                                               );
+                                       } else {
+                                               $result['actions'] = sprintf(
+                                                       '<p class="button-container"><a class="button button-primary" href="%1$s">%2$s</a></p>',
+                                                       esc_url( $default_direct_update_url ),
+                                                       __( 'Update your site to use HTTPS' )
+                                               );
+                                       }
+                               }
</ins><span class="cx" style="display: block; padding: 0 10px">                         } else {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                $result['description'] .= sprintf(
-                                       '<p>%s</p>',
-                                       __( 'Talk to your web host about supporting HTTPS for your website.' )
-                               );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                         // If host-specific "Update HTTPS" URL is provided, include a link.
+                               $update_url = wp_get_update_https_url();
+                               if ( $update_url !== $default_update_url ) {
+                                       $result['description'] .= sprintf(
+                                               '<p><a href="%s" target="_blank" rel="noopener">%s<span class="screen-reader-text"> %s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>',
+                                               esc_url( $update_url ),
+                                               __( 'Talk to your web host about supporting HTTPS for your website.' ),
+                                               /* translators: Accessibility text. */
+                                               __( '(opens in a new tab)' )
+                                       );
+                               } else {
+                                       $result['description'] .= sprintf(
+                                               '<p>%s</p>',
+                                               __( 'Talk to your web host about supporting HTTPS for your website.' )
+                                       );
+                               }
</ins><span class="cx" style="display: block; padding: 0 10px">                         }
</span><span class="cx" style="display: block; padding: 0 10px">                } elseif ( ! wp_is_https_supported() ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        // If the website is using HTTPS, but HTTPS is actually not supported, inform the user about the potential
</span></span></pre></div>
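Review bot: in the `defined( 'WP_HOME' ) || defined( 'WP_SITEURL' )` branch the message says only that the WordPress Address is controlled by a constant, but `WP_HOME` controls the Site Address, so a site that defines only `WP_HOME` is told the wrong setting is locked. Consider wording the string for both addresses, or choosing the wording per constant. Separately, a user who passes neither this check nor `current_user_can( 'update_https' )` is told HTTPS is supported but gets no action beyond the default link; a short sentence saying an administrator has to perform the switch would close that gap.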
<a id="trunksrcwpadminsitehealthphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-admin/site-health.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-admin/site-health.php        2021-02-01 23:31:54 UTC (rev 50130)
+++ trunk/src/wp-admin/site-health.php  2021-02-02 00:08:01 UTC (rev 50131)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -14,6 +14,8 @@
</span><span class="cx" style="display: block; padding: 0 10px"> /** WordPress Administration Bootstrap */
</span><span class="cx" style="display: block; padding: 0 10px"> require_once __DIR__ . '/admin.php';
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+wp_reset_vars( array( 'action' ) );
+
</ins><span class="cx" style="display: block; padding: 0 10px"> $title = __( 'Site Health Status' );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px"> if ( ! current_user_can( 'view_site_health_checks' ) ) {
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -27,6 +29,23 @@
</span><span class="cx" style="display: block; padding: 0 10px">        require_once ABSPATH . 'wp-admin/includes/class-wp-site-health.php';
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+if ( 'update_https' === $action ) {
+       check_admin_referer( 'wp_update_https' );
+
+       if ( ! current_user_can( 'update_https' ) ) {
+               wp_die( __( 'Sorry, you are not allowed to update this site to HTTPS.' ), 403 );
+       }
+
+       if ( ! wp_is_https_supported() ) {
+               wp_die( __( 'It looks like HTTPS is not supported for your website at this point.' ) );
+       }
+
+       $result = wp_update_urls_to_https();
+
+       wp_redirect( add_query_arg( 'https_updated', (int) $result, wp_get_referer() ) );
+       exit;
+}
+
</ins><span class="cx" style="display: block; padding: 0 10px"> $health_check_site_status = WP_Site_Health::get_instance();
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px"> // Start by checking if this is a special request checking for the existence of certain filters.
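Review bot: the redirect in `wp_redirect( add_query_arg( 'https_updated', (int) $result, wp_get_referer() ) );` has no fallback for a missing referer. `wp_get_referer()` returns false when no usable referer is available, and `add_query_arg()` then builds on the current request URI, which still carries `action=update_https` and the nonce, so the browser is sent straight back into this handler. Suggest falling back to `admin_url( 'site-health.php' )` when the referer is false and using `wp_safe_redirect()` for the final hop.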
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -41,6 +60,20 @@
</span><span class="cx" style="display: block; padding: 0 10px">                </h1>
</span><span class="cx" style="display: block; padding: 0 10px">        </div>
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        <?php
+       if ( isset( $_GET['https_updated'] ) ) {
+               if ( $_GET['https_updated'] ) {
+                       ?>
+                       <div id="message" class="notice notice-success is-dismissible"><p><?php _e( 'Site URLs switched to HTTPS.' ); ?></p></div>
+                       <?php
+               } else {
+                       ?>
+                       <div id="message" class="notice notice-error is-dismissible"><p><?php _e( 'Site URLs could not be switched to HTTPS.' ); ?></p></div>
+                       <?php
+               }
+       }
+       ?>
+
</ins><span class="cx" style="display: block; padding: 0 10px">         <div class="health-check-title-section site-health-progress-wrapper loading hide-if-no-js">
</span><span class="cx" style="display: block; padding: 0 10px">                <div class="site-health-progress">
</span><span class="cx" style="display: block; padding: 0 10px">                        <svg role="img" aria-hidden="true" focusable="false" width="100%" height="100%" viewBox="0 0 200 200" version="1.1" xmlns="http://www.w3.org/2000/svg">
</span></span></pre></div>
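Review bot: the notice block trusts `$_GET['https_updated']` on its own, so any link to site-health.php with `https_updated=1` appended shows "Site URLs switched to HTTPS." even though no update ran. The output is a fixed string, so this is not an injection issue, but it is a misleading status message on an admin screen. Suggest confirming the stored URLs actually use HTTPS before printing the success notice, and dropping the parameter from the URL after display so a reload does not repeat it.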
<a id="trunksrcwpincludescapabilitiesphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/capabilities.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/capabilities.php    2021-02-01 23:31:54 UTC (rev 50130)
+++ trunk/src/wp-includes/capabilities.php      2021-02-02 00:08:01 UTC (rev 50131)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -593,6 +593,14 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                $caps[] = 'update_core';
</span><span class="cx" style="display: block; padding: 0 10px">                        }
</span><span class="cx" style="display: block; padding: 0 10px">                        break;
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                case 'update_https':
+                       if ( is_multisite() && ! is_super_admin( $user_id ) ) {
+                               $caps[] = 'do_not_allow';
+                       } else {
+                               $caps[] = 'manage_options';
+                               $caps[] = 'update_core';
+                       }
+                       break;
</ins><span class="cx" style="display: block; padding: 0 10px">                 case 'export_others_personal_data':
</span><span class="cx" style="display: block; padding: 0 10px">                case 'erase_others_personal_data':
</span><span class="cx" style="display: block; padding: 0 10px">                case 'manage_privacy_options':
</span></span></pre></div>
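Review bot: the new `update_https` case requires both `manage_options` and `update_core`, with no comment saying why changing two URL options needs the core-update capability on top of the one that already guards the General Settings screen. Please add a short inline comment with the rationale, so that later changes to either primitive capability do not silently widen or narrow who can trigger the switch.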
<a id="trunksrcwpincludesdefaultfiltersphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/default-filters.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/default-filters.php 2021-02-01 23:31:54 UTC (rev 50130)
+++ trunk/src/wp-includes/default-filters.php   2021-02-02 00:08:01 UTC (rev 50131)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -176,6 +176,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'the_content', 'shortcode_unautop' );
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'the_content', 'prepend_attachment' );
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'the_content', 'wp_filter_content_tags' );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+add_filter( 'the_content', 'wp_replace_insecure_home_url' );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'the_excerpt', 'wptexturize' );
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'the_excerpt', 'convert_smilies' );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -183,6 +184,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'the_excerpt', 'wpautop' );
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'the_excerpt', 'shortcode_unautop' );
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'the_excerpt', 'wp_filter_content_tags' );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+add_filter( 'the_excerpt', 'wp_replace_insecure_home_url' );
</ins><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'get_the_excerpt', 'wp_trim_excerpt', 10, 2 );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'the_post_thumbnail_caption', 'wptexturize' );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -209,8 +211,11 @@
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'widget_text_content', 'wpautop' );
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'widget_text_content', 'shortcode_unautop' );
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'widget_text_content', 'wp_filter_content_tags' );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+add_filter( 'widget_text_content', 'wp_replace_insecure_home_url' );
</ins><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'widget_text_content', 'do_shortcode', 11 ); // Runs after wpautop(); note that $post global will be null when shortcodes run.
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+add_filter( 'wp_get_custom_css', 'wp_replace_insecure_home_url' );
+
</ins><span class="cx" style="display: block; padding: 0 10px"> // RSS filters.
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'the_title_rss', 'strip_tags' );
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'the_title_rss', 'ent2ncr', 8 );
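Review bot: on `widget_text_content` the new `wp_replace_insecure_home_url` filter is added at the default priority, while the unchanged line below registers `do_shortcode` at priority 11, so markup produced by shortcodes is generated after the replacement has run and keeps any HTTP site URLs it emits. If shortcode output is meant to be covered, register the replacement at a priority above 11; if not, a comment stating the limitation would help whoever later chases a mixed-content warning in a text widget.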
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -347,6 +352,9 @@
</span><span class="cx" style="display: block; padding: 0 10px"> add_action( 'wp_https_detection', 'wp_update_https_detection_errors' );
</span><span class="cx" style="display: block; padding: 0 10px"> add_filter( 'cron_request', 'wp_cron_conditionally_prevent_sslverify', 9999 );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+// HTTPS migration.
+add_action( 'update_option_home', 'wp_update_https_migration_required', 10, 2 );
+
</ins><span class="cx" style="display: block; padding: 0 10px"> // 2 Actions 2 Furious.
</span><span class="cx" style="display: block; padding: 0 10px"> add_action( 'do_feed_rdf', 'do_feed_rdf', 10, 0 );
</span><span class="cx" style="display: block; padding: 0 10px"> add_action( 'do_feed_rss', 'do_feed_rss', 10, 0 );
</span></span></pre></div>
<a id="trunksrcwpincludesfunctionsphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/functions.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/functions.php       2021-02-01 23:31:54 UTC (rev 50130)
+++ trunk/src/wp-includes/functions.php 2021-02-02 00:08:01 UTC (rev 50131)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -7581,6 +7581,91 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Gets the URL to learn more about updating the site to use HTTPS.
+ *
+ * This URL can be overridden by specifying an environment variable `WP_UPDATE_HTTPS_URL` or by using the
+ * {@see 'wp_update_https_url'} filter. Providing an empty string is not allowed and will result in the
+ * default URL being used. Furthermore the page the URL links to should preferably be localized in the
+ * site language.
+ *
+ * @since 5.7.0
+ *
+ * @return string URL to learn more about updating to HTTPS.
+ */
+function wp_get_update_https_url() {
+       $default_url = wp_get_default_update_https_url();
+
+       $update_url = $default_url;
+       if ( false !== getenv( 'WP_UPDATE_HTTPS_URL' ) ) {
+               $update_url = getenv( 'WP_UPDATE_HTTPS_URL' );
+       }
+
+       /**
+        * Filters the URL to learn more about updating the HTTPS version the site is running on.
+        *
+        * Providing an empty string is not allowed and will result in the default URL being used. Furthermore
+        * the page the URL links to should preferably be localized in the site language.
+        *
+        * @since 5.7.0
+        *
+        * @param string $update_url URL to learn more about updating HTTPS.
+        */
+       $update_url = apply_filters( 'wp_update_https_url', $update_url );
+       if ( empty( $update_url ) ) {
+               $update_url = $default_url;
+       }
+
+       return $update_url;
+}
+
+/**
+ * Gets the default URL to learn more about updating the site to use HTTPS.
+ *
+ * Do not use this function to retrieve this URL. Instead, use {@see wp_get_update_https_url()} when relying on the URL.
+ * This function does not allow modifying the returned URL, and is only used to compare the actually used URL with the
+ * default one.
+ *
+ * @since 5.7.0
+ * @access private
+ *
+ * @return string Default URL to learn more about updating to HTTPS.
+ */
+function wp_get_default_update_https_url() {
+       /* translators: Documentation explaining HTTPS and why it should be used. */
+       return __( 'https://wordpress.org/support/article/why-should-i-use-https/' );
+}
+
+/**
+ * Gets the URL for directly updating the site to use HTTPS.
+ *
+ * A URL will only be returned if the `WP_DIRECT_UPDATE_HTTPS_URL` environment variable is specified or
+ * by using the {@see 'wp_direct_update_https_url'} filter. This allows hosts to send users directly to
+ * the page where they can update their site to use HTTPS.
+ *
+ * @since 5.7.0
+ *
+ * @return string URL for directly updating to HTTPS or empty string.
+ */
+function wp_get_direct_update_https_url() {
+       $direct_update_url = '';
+
+       if ( false !== getenv( 'WP_DIRECT_UPDATE_HTTPS_URL' ) ) {
+               $direct_update_url = getenv( 'WP_DIRECT_UPDATE_HTTPS_URL' );
+       }
+
+       /**
+        * Filters the URL for directly updating the PHP version the site is running on from the host.
+        *
+        * @since 5.7.0
+        *
+        * @param string $direct_update_url URL for directly updating PHP.
+        */
+       $direct_update_url = apply_filters( 'wp_direct_update_https_url', $direct_update_url );
+
+       return $direct_update_url;
+}
+
+/**
</ins><span class="cx" style="display: block; padding: 0 10px">  * Get the size of a directory.
</span><span class="cx" style="display: block; padding: 0 10px">  *
</span><span class="cx" style="display: block; padding: 0 10px">  * A helper function that is used primarily to check whether
</span></span></pre></div>
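Review bot: The docblock for the 'wp_direct_update_https_url' filter in wp_get_direct_update_https_url() still describes PHP ("Filters the URL for directly updating the PHP version the site is running on from the host", "@param string $direct_update_url URL for directly updating PHP"), which looks like leftover wording; it should describe updating the site to HTTPS. The 'wp_update_https_url' filter docblock has the same problem in "updating the HTTPS version the site is running on". Separately, both wp_get_update_https_url() and wp_get_direct_update_https_url() return the value of an environment variable or a filter unchanged, so either the docblocks should state that callers must escape the URL (for example with esc_url()) before output, or the functions should validate it before returning.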
<a id="trunksrcwpincludeshttpsmigrationphp"></a>
<div class="addfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Added: trunk/src/wp-includes/https-migration.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/https-migration.php                         (rev 0)
+++ trunk/src/wp-includes/https-migration.php   2021-02-02 00:08:01 UTC (rev 50131)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -0,0 +1,140 @@
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+<?php
+/**
+ * HTTPS migration functions.
+ *
+ * @package WordPress
+ * @since 5.7.0
+ */
+
+/**
+ * Checks whether WordPress should replace old HTTP URLs to the site with their HTTPS counterpart.
+ *
+ * If a WordPress site had its URL changed from HTTP to HTTPS, by default this will return `true`, causing WordPress to
+ * add frontend filters to replace insecure site URLs that may be present in older database content. The
+ * {@see 'wp_should_replace_insecure_home_url'} filter can be used to modify that behavior.
+ *
+ * @since 5.7.0
+ *
+ * @return bool True if insecure URLs should replaced, false otherwise.
+ */
+function wp_should_replace_insecure_home_url() {
+       $should_replace_insecure_home_url = wp_is_using_https()
+               && get_option( 'https_migration_required' )
+               // For automatic replacement, both 'home' and 'siteurl' need to not only use HTTPS, they also need to be using
+               // the same domain.
+               && wp_parse_url( home_url(), PHP_URL_HOST ) === wp_parse_url( site_url(), PHP_URL_HOST );
+
+       /**
+        * Filters whether WordPress should replace old HTTP URLs to the site with their HTTPS counterpart.
+        *
+        * If a WordPress site had its URL changed from HTTP to HTTPS, by default this will return `true`. This filter can
+        * be used to disable that behavior, e.g. after having replaced URLs manually in the database.
+        *
+        * @since 5.7.0
+        *
+        * @param bool $should_replace_insecure_home_url Whether insecure HTTP URLs to the site should be replaced.
+        */
+       return apply_filters( 'wp_should_replace_insecure_home_url', $should_replace_insecure_home_url );
+}
+
+/**
+ * Replaces insecure HTTP URLs to the site in the given content, if configured to do so.
+ *
+ * This function replaces all occurrences of the HTTP version of the site's URL with its HTTPS counterpart, if
+ * determined via {@see wp_should_replace_insecure_home_url()}.
+ *
+ * @since 5.7.0
+ *
+ * @param string $content Content to replace URLs in.
+ * @return string Filtered content.
+ */
+function wp_replace_insecure_home_url( $content ) {
+       if ( ! wp_should_replace_insecure_home_url() ) {
+               return $content;
+       }
+
+       $https_url = home_url( '', 'https' );
+       $http_url  = str_replace( 'https://', 'http://', $https_url );
+
+       // Also replace potentially escaped URL.
+       $escaped_https_url = str_replace( '/', '\/', $https_url );
+       $escaped_http_url  = str_replace( '/', '\/', $http_url );
+
+       return str_replace(
+               array(
+                       $http_url,
+                       $escaped_http_url,
+               ),
+               array(
+                       $https_url,
+                       $escaped_https_url,
+               ),
+               $content
+       );
+}
+
+/**
+ * Update the 'home' and 'siteurl' option to use the HTTPS variant of their URL.
+ *
+ * If this update does not result in WordPress recognizing that the site is now using HTTPS (e.g. due to constants
+ * overriding the URLs used), the changes will be reverted. In such a case the function will return false.
+ *
+ * @since 5.7.0
+ *
+ * @return bool True on success, false on failure.
+ */
+function wp_update_urls_to_https() {
+       // Get current URL options.
+       $orig_home    = get_option( 'home' );
+       $orig_siteurl = get_option( 'siteurl' );
+
+       // Get current URL options, replacing HTTP with HTTPS.
+       $home    = str_replace( 'http://', 'https://', $orig_home );
+       $siteurl = str_replace( 'http://', 'https://', $orig_siteurl );
+
+       // Update the options.
+       update_option( 'home', $home );
+       update_option( 'siteurl', $siteurl );
+
+       if ( ! wp_is_using_https() ) {
+               // If this did not result in the site recognizing HTTPS as being used,
+               // revert the change and return false.
+               update_option( 'home', $orig_home );
+               update_option( 'siteurl', $orig_siteurl );
+               return false;
+       }
+
+       // Otherwise the URLs were successfully changed to use HTTPS.
+       return true;
+}
+
+/**
+ * Updates the 'https_migration_required' option if needed when the given URL has been updated from HTTP to HTTPS.
+ *
+ * If this is a fresh site, a migration will not be required, so the option will be set as `false`.
+ *
+ * This is hooked into the {@see 'update_option_home'} action.
+ *
+ * @since 5.7.0
+ * @access private
+ *
+ * @param mixed $old_url Previous value of the URL option.
+ * @param mixed $new_url New value of the URL option.
+ */
+function wp_update_https_migration_required( $old_url, $new_url ) {
+       // Do nothing if WordPress is being installed.
+       if ( wp_installing() ) {
+               return;
+       }
+
+       // Delete/reset the option if the new URL is not the HTTPS version of the old URL.
+       if ( untrailingslashit( (string) $old_url ) !== str_replace( 'https://', 'http://', untrailingslashit( (string) $new_url ) ) ) {
+               delete_option( 'https_migration_required' );
+               return;
+       }
+
+       // If this is a fresh site, there is no content to migrate, so do not require migration.
+       $https_migration_required = get_option( 'fresh_site' ) ? false : true;
+
+       update_option( 'https_migration_required', $https_migration_required );
+}
</ins><span class="cx" style="display: block; padding: 0 10px">Property changes on: trunk/src/wp-includes/https-migration.php
</span><span class="cx" style="display: block; padding: 0 10px">___________________________________________________________________
</span></span></pre></div>
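Review bot: In wp_replace_insecure_home_url(), the search string is home_url( '', 'https' ) with the scheme swapped back to http, which carries no trailing slash or other boundary, so the plain str_replace() also rewrites any URL in the content that merely starts with the same characters, such as a different host sharing the prefix (http://example.org.uk for a site at http://example.org) or the same host on an explicit port. Consider replacing only when the match is followed by a slash (plain or escaped), '?', '#', a quote character or the end of the string, for instance with preg_replace() and a lookahead, and add a test for the non-matching case. Minor: the @return line of wp_should_replace_insecure_home_url() reads "should replaced", and wp_update_urls_to_https() replaces every 'http://' occurrence in the option value rather than only the leading scheme.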
<a id="svneolstyle"></a>
<div class="addfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Added: svn:eol-style</h4></div>
<ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+native
</ins><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><a id="trunksrcwpsettingsphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-settings.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-settings.php 2021-02-01 23:31:54 UTC (rev 50130)
+++ trunk/src/wp-settings.php   2021-02-02 00:08:01 UTC (rev 50131)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -172,6 +172,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> require ABSPATH . WPINC . '/class-wp-theme.php';
</span><span class="cx" style="display: block; padding: 0 10px"> require ABSPATH . WPINC . '/template.php';
</span><span class="cx" style="display: block; padding: 0 10px"> require ABSPATH . WPINC . '/https-detection.php';
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+require ABSPATH . WPINC . '/https-migration.php';
</ins><span class="cx" style="display: block; padding: 0 10px"> require ABSPATH . WPINC . '/class-wp-user-request.php';
</span><span class="cx" style="display: block; padding: 0 10px"> require ABSPATH . WPINC . '/user.php';
</span><span class="cx" style="display: block; padding: 0 10px"> require ABSPATH . WPINC . '/class-wp-user-query.php';
</span></span></pre></div>
<a id="trunktestsphpunittestshttpsmigrationphp"></a>
<div class="addfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Added: trunk/tests/phpunit/tests/https-migration.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/https-migration.php                             (rev 0)
+++ trunk/tests/phpunit/tests/https-migration.php       2021-02-02 00:08:01 UTC (rev 50131)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -0,0 +1,180 @@
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+<?php
+
+/**
+ * @group https-migration
+ */
+class Tests_HTTPS_Migration extends WP_UnitTestCase {
+
+       /**
+        * @ticket 51437
+        */
+       public function test_wp_should_replace_insecure_home_url() {
+               // Should return false because site is not using HTTPS.
+               $this->force_wp_is_using_https( false );
+               $this->assertFalse( wp_should_replace_insecure_home_url() );
+
+               // Should still return false because HTTPS migration flag is not set.
+               $this->force_wp_is_using_https( true );
+               $this->assertFalse( wp_should_replace_insecure_home_url() );
+
+               // Should return false because HTTPS migration flag is marked as not required.
+               update_option( 'https_migration_required', '0' );
+               $this->assertFalse( wp_should_replace_insecure_home_url() );
+
+               // Should return true because HTTPS migration flag is marked as required.
+               update_option( 'https_migration_required', '1' );
+               $this->assertTrue( wp_should_replace_insecure_home_url() );
+
+               // Should be overridable via filter.
+               add_filter( 'wp_should_replace_insecure_home_url', '__return_false' );
+               $this->assertFalse( wp_should_replace_insecure_home_url() );
+       }
+
+       /**
+        * @ticket 51437
+        */
+       public function test_wp_replace_insecure_home_url() {
+               $http_url  = home_url( '', 'http' );
+               $https_url = home_url( '', 'https' );
+
+               $http_block_data  = array(
+                       'id'  => 3,
+                       'url' => $http_url . '/wp-content/uploads/2021/01/image.jpg',
+               );
+               $https_block_data = array(
+                       'id'  => 3,
+                       'url' => $https_url . '/wp-content/uploads/2021/01/image.jpg',
+               );
+
+               $content = '
+                       <!-- wp:paragraph -->
+                       <p><a href="%1$s">This is a link.</a></p>
+                       <!-- /wp:paragraph -->
+
+                       <!-- wp:custom-media %2$s -->
+                       <img src="%3$s" alt="">
+                       <!-- /wp:custom-media -->
+                       ';
+
+               $http_content  = sprintf( $content, $http_url, wp_json_encode( $http_block_data ), $http_block_data['url'] );
+               $https_content = sprintf( $content, $https_url, wp_json_encode( $https_block_data ), $https_block_data['url'] );
+
+               // Replaces URLs, including its encoded variant.
+               add_filter( 'wp_should_replace_insecure_home_url', '__return_true' );
+               $this->assertEquals( $https_content, wp_replace_insecure_home_url( $http_content ) );
+
+               // Does not replace anything if determined as unnecessary.
+               add_filter( 'wp_should_replace_insecure_home_url', '__return_false' );
+               $this->assertEquals( $http_content, wp_replace_insecure_home_url( $http_content ) );
+       }
+
+       /**
+        * @ticket 51437
+        */
+       public function test_wp_update_urls_to_https() {
+               remove_all_filters( 'option_home' );
+               remove_all_filters( 'option_siteurl' );
+               remove_all_filters( 'home_url' );
+               remove_all_filters( 'site_url' );
+
+               $http_url  = 'http://example.org';
+               $https_url = 'https://example.org';
+
+               // Set up options to use HTTP URLs.
+               update_option( 'home', $http_url );
+               update_option( 'siteurl', $http_url );
+
+               // Update URLs to HTTPS (successfully).
+               $this->assertTrue( wp_update_urls_to_https() );
+               $this->assertEquals( $https_url, get_option( 'home' ) );
+               $this->assertEquals( $https_url, get_option( 'siteurl' ) );
+
+               // Switch options back to use HTTP URLs, but now add filter to
+               // force option value which will make the update irrelevant.
+               update_option( 'home', $http_url );
+               update_option( 'siteurl', $http_url );
+               $this->force_option( 'home', $http_url );
+
+               // Update URLs to HTTPS. While the update technically succeeds, it does not take effect due to the enforced
+               // option. Therefore the change is expected to be reverted.
+               $this->assertFalse( wp_update_urls_to_https() );
+               $this->assertEquals( $http_url, get_option( 'home' ) );
+               $this->assertEquals( $http_url, get_option( 'siteurl' ) );
+       }
+
+       /**
+        * @ticket 51437
+        */
+       public function test_wp_update_https_migration_required() {
+               // Changing HTTP to HTTPS on a site with content should result in flag being set, requiring migration.
+               update_option( 'fresh_site', '0' );
+               wp_update_https_migration_required( 'http://example.org', 'https://example.org' );
+               $this->assertEquals( '1', get_option( 'https_migration_required' ) );
+
+               // Changing another part than the scheme should delete/reset the flag because changing those parts (e.g. the
+               // domain) can have further implications.
+               wp_update_https_migration_required( 'http://example.org', 'https://another-example.org' );
+               $this->assertFalse( get_option( 'https_migration_required' ) );
+
+               // Changing HTTP to HTTPS on a site without content should result in flag being set, but not requiring migration.
+               update_option( 'fresh_site', '1' );
+               wp_update_https_migration_required( 'http://example.org', 'https://example.org' );
+               $this->assertEquals( '', get_option( 'https_migration_required' ) );
+
+               // Changing (back) from HTTPS to HTTP should delete/reset the flag.
+               wp_update_https_migration_required( 'https://example.org', 'http://example.org' );
+               $this->assertFalse( get_option( 'https_migration_required' ) );
+       }
+
+       /**
+        * @ticket 51437
+        */
+       public function test_wp_should_replace_insecure_home_url_integration() {
+               // Setup (a site on HTTP, with existing content).
+               remove_all_filters( 'option_home' );
+               remove_all_filters( 'option_siteurl' );
+               remove_all_filters( 'home_url' );
+               remove_all_filters( 'site_url' );
+               $http_url  = 'http://example.org';
+               $https_url = 'https://example.org';
+               update_option( 'home', $http_url );
+               update_option( 'siteurl', $http_url );
+               update_option( 'fresh_site', '0' );
+
+               // Should return false when URLs are HTTP.
+               $this->assertFalse( wp_should_replace_insecure_home_url() );
+
+               // Should still return false because only one of the two URLs was updated to its HTTPS counterpart.
+               update_option( 'home', $https_url );
+               $this->assertFalse( wp_should_replace_insecure_home_url() );
+
+               // Should return true because now both URLs are updated to their HTTPS counterpart.
+               update_option( 'siteurl', $https_url );
+               $this->assertTrue( wp_should_replace_insecure_home_url() );
+
+               // Should return false because the domains of 'home' and 'siteurl' do not match, and we shouldn't make any
+               // assumptions about such special cases.
+               update_option( 'siteurl', 'https://wp.example.org' );
+               $this->assertFalse( wp_should_replace_insecure_home_url() );
+       }
+
+       private function force_wp_is_using_https( $enabled ) {
+               $scheme = $enabled ? 'https' : 'http';
+
+               $replace_scheme = function( $url ) use ( $scheme ) {
+                       return str_replace( array( 'http://', 'https://' ), $scheme . '://', $url );
+               };
+
+               add_filter( 'home_url', $replace_scheme, 99 );
+               add_filter( 'site_url', $replace_scheme, 99 );
+       }
+
+       private function force_option( $option, $value ) {
+               add_filter(
+                       "option_$option",
+                       function() use ( $value ) {
+                               return $value;
+                       }
+               );
+       }
+}
</ins><span class="cx" style="display: block; padding: 0 10px">Property changes on: trunk/tests/phpunit/tests/https-migration.php
</span><span class="cx" style="display: block; padding: 0 10px">___________________________________________________________________
</span></span></pre></div>
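Review bot: In test_wp_update_https_migration_required(), the fresh-site case uses assertEquals( '', get_option( 'https_migration_required' ) ), and assertEquals compares loosely, so it also passes when the option does not exist at all (get_option() then returns false, which is exactly what the two delete/reset cases check with assertFalse). As written the test cannot tell "flag stored as not required" from "flag deleted"; pass a sentinel default as the second argument of get_option() and assert that it is not returned, or assert strictly on the stored value. Also, test_wp_replace_insecure_home_url() adds '__return_false' to 'wp_should_replace_insecure_home_url' while '__return_true' is still attached and relies on the later callback winning; removing the first filter before adding the second would make the intent explicit.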
<a id="svneolstyle"></a>
<div class="addfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Added: svn:eol-style</h4></div>
<ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+native
</ins><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><a id="trunktestsphpunittestsusercapabilitiesphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/user/capabilities.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/user/capabilities.php   2021-02-01 23:31:54 UTC (rev 50130)
+++ trunk/tests/phpunit/tests/user/capabilities.php     2021-02-02 00:08:01 UTC (rev 50131)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -270,6 +270,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        'update_languages'            => array( 'administrator' ),
</span><span class="cx" style="display: block; padding: 0 10px">                        'deactivate_plugins'          => array( 'administrator' ),
</span><span class="cx" style="display: block; padding: 0 10px">                        'update_php'                  => array( 'administrator' ),
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                        'update_https'                => array( 'administrator' ),
</ins><span class="cx" style="display: block; padding: 0 10px">                         'export_others_personal_data' => array( 'administrator' ),
</span><span class="cx" style="display: block; padding: 0 10px">                        'erase_others_personal_data'  => array( 'administrator' ),
</span><span class="cx" style="display: block; padding: 0 10px">                        'manage_privacy_options'      => array( 'administrator' ),
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -305,6 +306,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        'update_languages'            => array(),
</span><span class="cx" style="display: block; padding: 0 10px">                        'deactivate_plugins'          => array(),
</span><span class="cx" style="display: block; padding: 0 10px">                        'update_php'                  => array(),
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                        'update_https'                => array(),
</ins><span class="cx" style="display: block; padding: 0 10px">                         'export_others_personal_data' => array( '' ),
</span><span class="cx" style="display: block; padding: 0 10px">                        'erase_others_personal_data'  => array( '' ),
</span><span class="cx" style="display: block; padding: 0 10px">                        'manage_privacy_options'      => array(),
</span></span></pre>
</div>
</div>

</body>
</html>