<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[56875] branches/5.9/src: Grouped backports to the 5.9 branch.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/56875">56875</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/56875","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>joemcgill</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2023-10-12 15:03:26 +0000 (Thu, 12 Oct 2023)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Grouped backports to the 5.9 branch.
- REST API: Limit `search_columns` for users without `list_users`.
- Comments: Prevent users who can not see a post from seeing comments on it.
- Application Passwords: Prevent the use of some pseudo protocols in application passwords.
- Restrict media shortcode ajax to certain type
- REST API: Ensure no-cache headers are sent when methods are overriden.
- Prevent unintended behavior when certain objects are unserialized.
Merges <a href="https://core.trac.wordpress.org/changeset/56833">[56833]</a>, <a href="https://core.trac.wordpress.org/changeset/56834">[56834]</a>, <a href="https://core.trac.wordpress.org/changeset/56835">[56835]</a>, <a href="https://core.trac.wordpress.org/changeset/56836">[56836]</a>, <a href="https://core.trac.wordpress.org/changeset/56837">[56837]</a>, and <a href="https://core.trac.wordpress.org/changeset/56838">[56838]</a> to the 5.9 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branches59srcwpadminincludesajaxactionsphp">branches/5.9/src/wp-admin/includes/ajax-actions.php</a></li>
<li><a href="#branches59srcwpadminincludesclasswpcommentslisttablephp">branches/5.9/src/wp-admin/includes/class-wp-comments-list-table.php</a></li>
<li><a href="#branches59srcwpadminincludesclasswplisttablephp">branches/5.9/src/wp-admin/includes/class-wp-list-table.php</a></li>
<li><a href="#branches59srcwpadminincludesdashboardphp">branches/5.9/src/wp-admin/includes/dashboard.php</a></li>
<li><a href="#branches59srcwpadminincludesuserphp">branches/5.9/src/wp-admin/includes/user.php</a></li>
<li><a href="#branches59srcwpincludesRequestsHooksphp">branches/5.9/src/wp-includes/Requests/Hooks.php</a></li>
<li><a href="#branches59srcwpincludesRequestsIRIphp">branches/5.9/src/wp-includes/Requests/IRI.php</a></li>
<li><a href="#branches59srcwpincludesRequestsSessionphp">branches/5.9/src/wp-includes/Requests/Session.php</a></li>
<li><a href="#branches59srcwpincludesclasswpblockpatternsregistryphp">branches/5.9/src/wp-includes/class-wp-block-patterns-registry.php</a></li>
<li><a href="#branches59srcwpincludesclasswpblocktyperegistryphp">branches/5.9/src/wp-includes/class-wp-block-type-registry.php</a></li>
<li><a href="#branches59srcwpincludesclasswpthemephp">branches/5.9/src/wp-includes/class-wp-theme.php</a></li>
<li><a href="#branches59srcwpincludesmediaphp">branches/5.9/src/wp-includes/media.php</a></li>
<li><a href="#branches59srcwpincludesrestapiclasswprestserverphp">branches/5.9/src/wp-includes/rest-api/class-wp-rest-server.php</a></li>
<li><a href="#branches59srcwpincludesrestapiendpointsclasswprestuserscontrollerphp">branches/5.9/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php</a></li>
<li><a href="#branches59srcwpincludesrestapiphp">branches/5.9/src/wp-includes/rest-api.php</a></li>
<li><a href="#branches59srcwpincludesshortcodesphp">branches/5.9/src/wp-includes/shortcodes.php</a></li>
</ul>
<h3>Property Changed</h3>
<ul>
<li><a href="#branches59">branches/5.9/</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<span class="cx" style="display: block; padding: 0 10px">Index: branches/5.9
</span><span class="cx" style="display: block; padding: 0 10px">===================================================================
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">--- branches/5.9 2023-10-12 15:02:50 UTC (rev 56874)
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+++ branches/5.9 2023-10-12 15:03:26 UTC (rev 56875)
</ins><a id="branches59"></a>
<div class="propset"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Property changes: branches/5.9</h4>
<pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: svn:mergeinfo</h4></div>
<span class="cx" style="display: block; padding: 0 10px"> /branches/5.0:43681-43682,43684-43688,43719-43720,43723,43726-43727,43729-43731,43734-43744,43747,43751-43754,43758,43760-43765,43767-43770,43772,43774-43781,43783,43785,43790-43806,43808-43821,43825,43828,43830-43834,43836-43843,43846-43863,43867-43889,43891-43894,43897-43905,43908-43909,43911-43929,43931-43942,43946-43947,43949-43956,43959-43964,43967-43969,43988,43994,44014,44017,44047,44183,44185,44187-44206,44208-44213,44231-44232,44235,44248,44284,44287-44288
</span><span class="cx" style="display: block; padding: 0 10px"> /branches/5.5:49373-49379,49381
</span><span class="cx" style="display: block; padding: 0 10px"> /branches/5.8:51889
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-/trunk:52453-52457,52535-52536,52547,52555,52558,52562-52563,52574,52589,52612-52613,52618,52626,52628,52631,52633,52637,52644,52648,52651,52656,52658,52662,52664,52668,52672-52673,52675-52677,52679,52681-52682,52686,52692,52694-52695,52697,52726,52730,52733-52735,52738,52741,52743-52744,52750,52752,52754,52757,52760,52763,52765,52768,52781,52791,52797,52802,52807,52819,52844,52895,52939,52995,53012,53015,53020,53024-53025,53112,53349,53581-53582,53592,53665,53736-53737,53940,53947,53958-53960,54039,54096,54108,54217,54293,54313,54322,54342-54343,54373,54397,54511,54521-54530,54541,54650-54651,54674-54675,54750,54852,54968,55152,55350,55462,55487,55828
</del><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+/trunk:52453-52457,52535-52536,52547,52555,52558,52562-52563,52574,52589,52612-52613,52618,52626,52628,52631,52633,52637,52644,52648,52651,52656,52658,52662,52664,52668,52672-52673,52675-52677,52679,52681-52682,52686,52692,52694-52695,52697,52726,52730,52733-52735,52738,52741,52743-52744,52750,52752,52754,52757,52760,52763,52765,52768,52781,52791,52797,52802,52807,52819,52844,52895,52939,52995,53012,53015,53020,53024-53025,53112,53349,53581-53582,53592,53665,53736-53737,53940,53947,53958-53960,54039,54096,54108,54217,54293,54313,54322,54342-54343,54373,54397,54511,54521-54530,54541,54650-54651,54674-54675,54750,54852,54968,55152,55350,55462,55487,55828,56833-56838
</ins><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><a id="branches59srcwpadminincludesajaxactionsphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-admin/includes/ajax-actions.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-admin/includes/ajax-actions.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-admin/includes/ajax-actions.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -3812,6 +3812,22 @@
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $shortcode = wp_unslash( $_POST['shortcode'] );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // Only process previews for media related shortcodes:
+ $found_shortcodes = get_shortcode_tags_in_content( $shortcode );
+ $media_shortcodes = array(
+ 'audio',
+ 'embed',
+ 'playlist',
+ 'video',
+ 'gallery',
+ );
+
+ $other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes );
+
+ if ( ! empty( $other_shortcodes ) ) {
+ wp_send_json_error();
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( ! empty( $_POST['post_ID'] ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $post = get_post( (int) $_POST['post_ID'] );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -3818,7 +3834,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // The embed shortcode requires a post.
</span><span class="cx" style="display: block; padding: 0 10px"> if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( 'embed' === $shortcode ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( in_array( 'embed', $found_shortcodes, true ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> wp_send_json_error();
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> } else {
</span></span></pre></div>
<a id="branches59srcwpadminincludesclasswpcommentslisttablephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-admin/includes/class-wp-comments-list-table.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-admin/includes/class-wp-comments-list-table.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-admin/includes/class-wp-comments-list-table.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -640,6 +640,19 @@
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $edit_post_cap = $post ? 'edit_post' : 'edit_posts';
+ if (
+ current_user_can( $edit_post_cap, $comment->comment_post_ID ) ||
+ (
+ empty( $post->post_password ) &&
+ current_user_can( 'read_post', $comment->comment_post_ID )
+ )
+ ) {
+ // The user has access to the post
+ } else {
+ return false;
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>";
</span><span class="cx" style="display: block; padding: 0 10px"> $this->single_row_columns( $comment );
</span><span class="cx" style="display: block; padding: 0 10px"> echo "</tr>\n";
</span></span></pre></div>
<a id="branches59srcwpadminincludesclasswplisttablephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-admin/includes/class-wp-list-table.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-admin/includes/class-wp-list-table.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-admin/includes/class-wp-list-table.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -739,6 +739,20 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $pending_comments_number
</span><span class="cx" style="display: block; padding: 0 10px"> );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $post_object = get_post( $post_id );
+ $edit_post_cap = $post_object ? 'edit_post' : 'edit_posts';
+ if (
+ current_user_can( $edit_post_cap, $post_id ) ||
+ (
+ empty( $post_object->post_password ) &&
+ current_user_can( 'read_post', $post_id )
+ )
+ ) {
+ // The user has access to the post and thus can see comments
+ } else {
+ return false;
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( ! $approved_comments && ! $pending_comments ) {
</span><span class="cx" style="display: block; padding: 0 10px"> // No comments at all.
</span><span class="cx" style="display: block; padding: 0 10px"> printf(
</span></span></pre></div>
<a id="branches59srcwpadminincludesdashboardphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-admin/includes/dashboard.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-admin/includes/dashboard.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-admin/includes/dashboard.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1085,7 +1085,17 @@
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> echo '<ul id="the-comment-list" data-wp-lists="list:comment">';
</span><span class="cx" style="display: block; padding: 0 10px"> foreach ( $comments as $comment ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- _wp_dashboard_recent_comments_row( $comment );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
+ $comment_post = get_post( $comment->comment_post_ID );
+ if (
+ current_user_can( 'edit_post', $comment->comment_post_ID ) ||
+ (
+ empty( $comment_post->post_password ) &&
+ current_user_can( 'read_post', $comment->comment_post_ID )
+ )
+ ) {
+ _wp_dashboard_recent_comments_row( $comment );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> echo '</ul>';
</span><span class="cx" style="display: block; padding: 0 10px">
</span></span></pre></div>
<a id="branches59srcwpadminincludesuserphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-admin/includes/user.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-admin/includes/user.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-admin/includes/user.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -599,6 +599,8 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * Checks if the Authorize Application Password request is valid.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 5.6.0
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @since 6.2.0 Allow insecure HTTP connections for the local environment.
+ * @since 6.3.2 Validates the success and reject URLs to prevent javascript pseudo protocol being executed.
</ins><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @param array $request {
</span><span class="cx" style="display: block; padding: 0 10px"> * The array of request data. All arguments are optional and may be empty.
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -614,24 +616,22 @@
</span><span class="cx" style="display: block; padding: 0 10px"> function wp_is_authorize_application_password_request_valid( $request, $user ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $error = new WP_Error();
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! empty( $request['success_url'] ) ) {
- $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
-
- if ( 'http' === $scheme ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( isset( $request['success_url'] ) ) {
+ $validated_success_url = wp_is_authorize_application_redirect_url_valid( $request['success_url'] );
+ if ( is_wp_error( $validated_success_url ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> $error->add(
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- 'invalid_redirect_scheme',
- __( 'The success URL must be served over a secure connection.' )
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $validated_success_url->get_error_code(),
+ $validated_success_url->get_error_message()
</ins><span class="cx" style="display: block; padding: 0 10px"> );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! empty( $request['reject_url'] ) ) {
- $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
-
- if ( 'http' === $scheme ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( isset( $request['reject_url'] ) ) {
+ $validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
+ if ( is_wp_error( $validated_reject_url ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> $error->add(
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- 'invalid_redirect_scheme',
- __( 'The rejection URL must be served over a secure connection.' )
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $validated_reject_url->get_error_code(),
+ $validated_reject_url->get_error_message()
</ins><span class="cx" style="display: block; padding: 0 10px"> );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -660,3 +660,59 @@
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> return true;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
+/**
+ * Validates the redirect URL protocol scheme. The protocol can be anything except http and javascript.
+ *
+ * @since 6.3.2
+ *
+ * @param string $url - The redirect URL to be validated.
+ *
+ * @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise.
+ */
+function wp_is_authorize_application_redirect_url_valid( $url ) {
+ $bad_protocols = array( 'javascript', 'data' );
+ if ( empty( $url ) ) {
+ return true;
+ }
+
+ // Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1
+ $valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/';
+ if ( ! preg_match( $valid_scheme_regex, $url ) ) {
+ return new WP_Error(
+ 'invalid_redirect_url_format',
+ __( 'Invalid URL format.' )
+ );
+ }
+
+ /**
+ * Filters the list of invalid protocols used in applications redirect URLs.
+ *
+ * @since 6.3.2
+ *
+ * @param string[] $bad_protocols Array of invalid protocols.
+ * @param string $url The redirect URL to be validated.
+ */
+ $invalid_protocols = array_map( 'strtolower', apply_filters( 'wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url ) );
+
+ $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
+ $host = wp_parse_url( $url, PHP_URL_HOST );
+ $is_local = 'local' === wp_get_environment_type();
+
+ // validates if the proper URI format is applied to the $url
+ if ( empty( $host ) || empty( $scheme ) || in_array( strtolower( $scheme ), $invalid_protocols, true ) ) {
+ return new WP_Error(
+ 'invalid_redirect_url_format',
+ __( 'Invalid URL format.' )
+ );
+ }
+
+ if ( 'http' === $scheme && ! $is_local ) {
+ return new WP_Error(
+ 'invalid_redirect_scheme',
+ __( 'The URL must be served over a secure connection.' )
+ );
+ }
+
+ return true;
+}
</ins></span></pre></div>
<a id="branches59srcwpincludesRequestsHooksphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-includes/Requests/Hooks.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-includes/Requests/Hooks.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-includes/Requests/Hooks.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -65,4 +65,8 @@
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> return true;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
+ public function __wakeup() {
+ throw new \LogicException( __CLASS__ . ' should never be unserialized' );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre></div>
<a id="branches59srcwpincludesRequestsIRIphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-includes/Requests/IRI.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-includes/Requests/IRI.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-includes/Requests/IRI.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -705,6 +705,20 @@
</span><span class="cx" style="display: block; padding: 0 10px"> return true;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ public function __wakeup() {
+ $class_props = get_class_vars( __CLASS__ );
+ $string_props = array( 'scheme', 'iuserinfo', 'ihost', 'port', 'ipath', 'iquery', 'ifragment' );
+ $array_props = array( 'normalization' );
+ foreach ( $class_props as $prop => $default_value ) {
+ if ( in_array( $prop, $string_props, true ) && ! is_string( $this->$prop ) ) {
+ throw new UnexpectedValueException();
+ } elseif ( in_array( $prop, $array_props, true ) && ! is_array( $this->$prop ) ) {
+ throw new UnexpectedValueException();
+ }
+ $this->$prop = null;
+ }
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="cx" style="display: block; padding: 0 10px"> * Set the entire IRI. Returns true on success, false on failure (if there
</span><span class="cx" style="display: block; padding: 0 10px"> * are any invalid characters).
</span></span></pre></div>
<a id="branches59srcwpincludesRequestsSessionphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-includes/Requests/Session.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-includes/Requests/Session.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-includes/Requests/Session.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -229,6 +229,10 @@
</span><span class="cx" style="display: block; padding: 0 10px"> return Requests::request_multiple($requests, $options);
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ public function __wakeup() {
+ throw new \LogicException( __CLASS__ . ' should never be unserialized' );
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="cx" style="display: block; padding: 0 10px"> * Merge a request's data with the default data
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span></span></pre></div>
<a id="branches59srcwpincludesclasswpblockpatternsregistryphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-includes/class-wp-block-patterns-registry.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-includes/class-wp-block-patterns-registry.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-includes/class-wp-block-patterns-registry.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -156,6 +156,21 @@
</span><span class="cx" style="display: block; padding: 0 10px"> return isset( $this->registered_patterns[ $pattern_name ] );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ public function __wakeup() {
+ if ( ! $this->registered_patterns ) {
+ return;
+ }
+ if ( ! is_array( $this->registered_patterns ) ) {
+ throw new UnexpectedValueException();
+ }
+ foreach ( $this->registered_patterns as $value ) {
+ if ( ! is_array( $value ) ) {
+ throw new UnexpectedValueException();
+ }
+ }
+ $this->registered_patterns_outside_init = array();
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="cx" style="display: block; padding: 0 10px"> * Utility method to retrieve the main instance of the class.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span></span></pre></div>
<a id="branches59srcwpincludesclasswpblocktyperegistryphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-includes/class-wp-block-type-registry.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-includes/class-wp-block-type-registry.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-includes/class-wp-block-type-registry.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -167,6 +167,20 @@
</span><span class="cx" style="display: block; padding: 0 10px"> return isset( $this->registered_block_types[ $name ] );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ public function __wakeup() {
+ if ( ! $this->registered_block_types ) {
+ return;
+ }
+ if ( ! is_array( $this->registered_block_types ) ) {
+ throw new UnexpectedValueException();
+ }
+ foreach ( $this->registered_block_types as $value ) {
+ if ( ! $value instanceof WP_Block_Type ) {
+ throw new UnexpectedValueException();
+ }
+ }
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="cx" style="display: block; padding: 0 10px"> * Utility method to retrieve the main instance of the class.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span></span></pre></div>
<a id="branches59srcwpincludesclasswpthemephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-includes/class-wp-theme.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-includes/class-wp-theme.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-includes/class-wp-theme.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -705,6 +705,28 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Perform reinitialization tasks.
+ *
+ * Prevents a callback from being injected during unserialization of an object.
+ *
+ * @return void
+ */
+ public function __wakeup() {
+ if ( $this->parent && ! $this->parent instanceof self ) {
+ throw new UnexpectedValueException();
+ }
+ if ( $this->headers && ! is_array( $this->headers ) ) {
+ throw new UnexpectedValueException();
+ }
+ foreach ( $this->headers as $value ) {
+ if ( ! is_string( $value ) ) {
+ throw new UnexpectedValueException();
+ }
+ }
+ $this->headers_sanitized = array();
+ }
+
+ /**
</ins><span class="cx" style="display: block; padding: 0 10px"> * Adds theme data to cache.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * Cache entries keyed by the theme and the type of data.
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1763,4 +1785,16 @@
</span><span class="cx" style="display: block; padding: 0 10px"> private static function _name_sort_i18n( $a, $b ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return strnatcasecmp( $a->name_translated, $b->name_translated );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
+ private static function _check_headers_property_has_correct_type( $headers ) {
+ if ( ! is_array( $headers ) ) {
+ return false;
+ }
+ foreach ( $headers as $key => $value ) {
+ if ( ! is_string( $key ) || ! is_string( $value ) ) {
+ return false;
+ }
+ }
+ return true;
+ }
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre></div>
<a id="branches59srcwpincludesmediaphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-includes/media.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-includes/media.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-includes/media.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2354,6 +2354,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $attachments[ $val->ID ] = $_attachments[ $key ];
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> } elseif ( ! empty( $atts['exclude'] ) ) {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $post_parent_id = $id;
</ins><span class="cx" style="display: block; padding: 0 10px"> $attachments = get_children(
</span><span class="cx" style="display: block; padding: 0 10px"> array(
</span><span class="cx" style="display: block; padding: 0 10px"> 'post_parent' => $id,
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2366,6 +2367,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> )
</span><span class="cx" style="display: block; padding: 0 10px"> );
</span><span class="cx" style="display: block; padding: 0 10px"> } else {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $post_parent_id = $id;
</ins><span class="cx" style="display: block; padding: 0 10px"> $attachments = get_children(
</span><span class="cx" style="display: block; padding: 0 10px"> array(
</span><span class="cx" style="display: block; padding: 0 10px"> 'post_parent' => $id,
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2378,6 +2380,17 @@
</span><span class="cx" style="display: block; padding: 0 10px"> );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! empty( $post_parent_id ) ) {
+ $post_parent = get_post( $post_parent_id );
+
+ // terminate the shortcode execution if user cannot read the post or password-protected
+ if (
+ ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) )
+ || post_password_required( $post_parent ) ) {
+ return '';
+ }
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( empty( $attachments ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return '';
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2704,6 +2717,15 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $attachments = get_children( $args );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! empty( $args['post_parent'] ) ) {
+ $post_parent = get_post( $id );
+
+ // terminate the shortcode execution if user cannot read the post or password-protected
+ if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) {
+ return '';
+ }
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( empty( $attachments ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return '';
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre></div>
<a id="branches59srcwpincludesrestapiclasswprestserverphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-includes/rest-api/class-wp-rest-server.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-includes/rest-api/class-wp-rest-server.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-includes/rest-api/class-wp-rest-server.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -331,24 +331,6 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $this->send_header( 'Access-Control-Allow-Headers', implode( ', ', $allow_headers ) );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * Filters whether to send nocache headers on a REST API request.
- *
- * @since 4.4.0
- *
- * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
- */
- $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
- if ( $send_no_cache_headers ) {
- foreach ( wp_get_nocache_headers() as $header => $header_value ) {
- if ( empty( $header_value ) ) {
- $this->remove_header( $header );
- } else {
- $this->send_header( $header, $header_value );
- }
- }
- }
-
- /**
</del><span class="cx" style="display: block; padding: 0 10px"> * Filters whether the REST API is enabled.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 4.4.0
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -402,10 +384,12 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * $_GET['_method']. If that is not set, we check for the HTTP_X_HTTP_METHOD_OVERRIDE
</span><span class="cx" style="display: block; padding: 0 10px"> * header.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $method_overridden = false;
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( isset( $_GET['_method'] ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $request->set_method( $_GET['_method'] );
</span><span class="cx" style="display: block; padding: 0 10px"> } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $method_overridden = true;
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $result = $this->check_authentication();
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -464,6 +448,28 @@
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> $served = apply_filters( 'rest_pre_serve_request', false, $result, $request, $this );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /**
+ * Filters whether to send nocache headers on a REST API request.
+ *
+ * @since 4.4.0
+ * @since 6.x.x Moved the block to catch the filter added on rest_cookie_check_errors() from rest-api.php
+ *
+ * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
+ */
+ $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
+
+ // send no cache headers if the $send_no_cache_headers is true
+ // OR if the HTTP_X_HTTP_METHOD_OVERRIDE is used but resulted a 4xx response code.
+ if ( $send_no_cache_headers || ( true === $method_overridden && strpos( $code, '4' ) === 0 ) ) {
+ foreach ( wp_get_nocache_headers() as $header => $header_value ) {
+ if ( empty( $header_value ) ) {
+ $this->remove_header( $header );
+ } else {
+ $this->send_header( $header, $header_value );
+ }
+ }
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( ! $served ) {
</span><span class="cx" style="display: block; padding: 0 10px"> if ( 'HEAD' === $request->get_method() ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return null;
</span></span></pre></div>
<a id="branches59srcwpincludesrestapiendpointsclasswprestuserscontrollerphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -318,6 +318,9 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( ! empty( $prepared_args['search'] ) ) {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! current_user_can( 'list_users' ) ) {
+ $prepared_args['search_columns'] = array( 'ID', 'user_login', 'user_nicename', 'display_name' );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px"> $prepared_args['search'] = '*' . $prepared_args['search'] . '*';
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span></span></pre></div>
<a id="branches59srcwpincludesrestapiphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-includes/rest-api.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-includes/rest-api.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-includes/rest-api.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1044,6 +1044,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $result = wp_verify_nonce( $nonce, 'wp_rest' );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( ! $result ) {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ add_filter( 'rest_send_nocache_headers', '__return_true', 20 );
</ins><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie check failed' ), array( 'status' => 403 ) );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span></span></pre></div>
<a id="branches59srcwpincludesshortcodesphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.9/src/wp-includes/shortcodes.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.9/src/wp-includes/shortcodes.php 2023-10-12 15:02:50 UTC (rev 56874)
+++ branches/5.9/src/wp-includes/shortcodes.php 2023-10-12 15:03:26 UTC (rev 56875)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -170,8 +170,46 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * Search content for shortcodes and filter shortcodes through their hooks.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Returns a list of registered shortcode names found in the given content.
</ins><span class="cx" style="display: block; padding: 0 10px"> *
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Example usage:
+ *
+ * get_shortcode_tags_in_content( '[audio src="file.mp3"][/audio] [foo] [gallery ids="1,2,3"]' );
+ * // array( 'audio', 'gallery' )
+ *
+ * @since 6.3.2
+ *
+ * @param string $content The content to check.
+ * @return string[] An array of registered shortcode names found in the content.
+ */
+function get_shortcode_tags_in_content( $content ) {
+ if ( false === strpos( $content, '[' ) ) {
+ return array();
+ }
+
+ preg_match_all( '/' . get_shortcode_regex() . '/', $content, $matches, PREG_SET_ORDER );
+ if ( empty( $matches ) ) {
+ return array();
+ }
+
+ $tags = array();
+ foreach ( $matches as $shortcode ) {
+ $tags[] = $shortcode[2];
+
+ if ( ! empty( $shortcode[5] ) ) {
+ $deep_tags = get_shortcode_tags_in_content( $shortcode[5] );
+ if ( ! empty( $deep_tags ) ) {
+ $tags = array_merge( $tags, $deep_tags );
+ }
+ }
+ }
+
+ return $tags;
+}
+
+/**
+ * Searches content for shortcodes and filter shortcodes through their hooks.
+ *
</ins><span class="cx" style="display: block; padding: 0 10px"> * This function is an alias for do_shortcode().
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 5.4.0
</span></span></pre>
</div>
</div>
</body>
</html>