Merge branch 'release/1.5.3'

ClassicPress · May 17, 2023 · 1ed2982 · 1ed2982
2 parents ee470bc + 6d23378
commit 1ed2982
Show file tree

Hide file tree

Showing 10 changed files with 40 additions and 8 deletions.
diff --git a/wp-admin/about.php b/wp-admin/about.php
@@ -156,7 +156,27 @@ classicpress_version()
 				<?php
 				printf(
 					/* translators: %s: WordPress version number */
-					__( '<strong>WordPress version %s</strong> addressed one security issue.' ),
+					__( '<strong>WordPress Version %s</strong> addressed some security issues.' ),
+					'4.9.23'
+				);
+				?>
+				<?php
+				printf(
+					/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+						/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '4.9.23' )
+					)
+				);
+				?>
+			</p>
+			<p>
+				<?php
+				printf(
+					/* translators: %s: WordPress version number */
+					__( '<strong>WordPress Version %s</strong> addressed some security issues.' ),
 					'4.9.22'
 				);
 				?>
@@ -176,7 +196,7 @@ classicpress_version()
 				<?php
 				printf(
 					/* translators: %s: WordPress version number */
-					__( '<strong>WordPressVersion %s</strong> addressed some security issues.' ),
+					__( '<strong>WordPress Version %s</strong> addressed some security issues.' ),
 					'4.9.21'
 				);
 				?>

diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php
@@ -2487,6 +2487,10 @@ function wp_ajax_set_attachment_thumbnail() {
 		wp_send_json_error();
 	}
 
+	if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
+		wp_send_json_error();
+	}
+
 	$post_ids = array();
 	// For each URL, try to find its corresponding post ID.
 	foreach ( $_POST['urls'] as $url ) {

diff --git a/wp-includes/embed.php b/wp-includes/embed.php
@@ -455,7 +455,7 @@ function get_post_embed_html( $width, $height, $post = null ) {
 		 * and edit wp-embed.js directly.
 		 */
 		$output .= <<<JS
-		!function(e,t){"use strict";var r=!1,a=!1;if(t.querySelector)if(e.addEventListener)r=!0;if(e.wp=e.wp||{},!e.wp.receiveEmbedMessage)if(e.wp.receiveEmbedMessage=function(r){var a=r.data;if(a)if(a.secret||a.message||a.value)if(!/[^a-zA-Z0-9]/.test(a.secret)){var i,s,n,o,c,d=t.querySelectorAll('iframe[data-secret="'+a.secret+'"]'),l=t.querySelectorAll('blockquote[data-secret="'+a.secret+'"]');for(i=0;i<l.length;i++)l[i].style.display="none";for(i=0;i<d.length;i++)if(s=d[i],r.source===s.contentWindow){if(s.removeAttribute("style"),"height"===a.message){if((n=parseInt(a.value,10))>1e3)n=1e3;else if(~~n<200)n=200;s.height=n}if("link"===a.message)if(o=t.createElement("a"),c=t.createElement("a"),o.href=s.getAttribute("src"),c.href=a.value,c.host===o.host)if(t.activeElement===s)e.top.location.href=a.value}}},r)e.addEventListener("message",e.wp.receiveEmbedMessage,!1),t.addEventListener("DOMContentLoaded",i,!1),e.addEventListener("load",i,!1);function i(){if(!a){a=!0;var e,r,i,s,n=-1!==navigator.appVersion.indexOf("MSIE 10"),o=!!navigator.userAgent.match(/Trident.*rv:11\./),c=t.querySelectorAll("iframe.wp-embedded-content");for(r=0;r<c.length;r++){if(!(i=c[r]).getAttribute("data-secret"))s=Math.random().toString(36).substr(2,10),i.src+="#?secret="+s,i.setAttribute("data-secret",s);if(n||o)(e=i.cloneNode(!0)).removeAttribute("security"),i.parentNode.replaceChild(e,i)}}}}(window,document);
+		!function(e,t){"use strict";var r=!1,i=!1;if(t.querySelector)if(e.addEventListener)r=!0;if(e.wp=e.wp||{},!e.wp.receiveEmbedMessage)if(e.wp.receiveEmbedMessage=function(r){var i=r.data;if(i)if(i.secret||i.message||i.value)if(!/[^a-zA-Z0-9]/.test(i.secret)){var a,s,n,o,c,d=t.querySelectorAll('iframe[data-secret="'+i.secret+'"]'),l=t.querySelectorAll('blockquote[data-secret="'+i.secret+'"]'),f=new RegExp("^https?:$","i");for(a=0;a<l.length;a++)l[a].style.display="none";for(a=0;a<d.length;a++)if(s=d[a],r.source===s.contentWindow){if(s.removeAttribute("style"),"height"===i.message){if((n=parseInt(i.value,10))>1e3)n=1e3;else if(~~n<200)n=200;s.height=n}if("link"===i.message){if(o=t.createElement("a"),c=t.createElement("a"),o.href=s.getAttribute("src"),c.href=i.value,!f.test(c.protocol))continue;if(c.host===o.host)if(t.activeElement===s)e.top.location.href=i.value}}}},r)e.addEventListener("message",e.wp.receiveEmbedMessage,!1),t.addEventListener("DOMContentLoaded",a,!1),e.addEventListener("load",a,!1);function a(){if(!i){i=!0;var e,r,a,s,n=-1!==navigator.appVersion.indexOf("MSIE 10"),o=!!navigator.userAgent.match(/Trident.*rv:11\./),c=t.querySelectorAll("iframe.wp-embedded-content");for(r=0;r<c.length;r++){if(!(a=c[r]).getAttribute("data-secret"))s=Math.random().toString(36).substr(2,10),a.src+="#?secret="+s,a.setAttribute("data-secret",s);if(n||o)(e=a.cloneNode(!0)).removeAttribute("security"),a.parentNode.replaceChild(e,a)}}}}(window,document);
 JS;
 	}
 	$output .= "\n//--><!]]>";

diff --git a/wp-includes/js/media-audiovideo.js b/wp-includes/js/media-audiovideo.js
@@ -449,6 +449,7 @@
 
 				wp.ajax.send( 'set-attachment-thumbnail', {
 					data : {
+						_ajax_nonce: wp.media.view.settings.nonce.setAttachmentThumbnail,
 						urls: urls,
 						thumbnail_id: attachment.get( 'id' )
 					}

diff --git a/wp-includes/js/media-audiovideo.min.js b/wp-includes/js/media-audiovideo.min.js
diff --git a/wp-includes/js/wp-embed.js b/wp-includes/js/wp-embed.js
@@ -43,6 +43,7 @@
 
 		var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
 			blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+			allowedProtocols = new RegExp( '^https?:$', 'i' ),
 			i, source, height, sourceURL, targetURL;
 
 		for ( i = 0; i < blockquotes.length; i++ ) {
@@ -78,6 +79,11 @@
 				sourceURL.href = source.getAttribute( 'src' );
 				targetURL.href = data.value;
 
+				/* Only follow link if the protocol is in the allow list. */
+				if ( ! allowedProtocols.test( targetURL.protocol ) ) {
+					continue;
+				}
+
 				/* Only continue if link hostname matches iframe's hostname. */
 				if ( targetURL.host === sourceURL.host ) {
 					if ( document.activeElement === source ) {

diff --git a/wp-includes/js/wp-embed.min.js b/wp-includes/js/wp-embed.min.js
diff --git a/wp-includes/media.php b/wp-includes/media.php
@@ -3962,6 +3962,7 @@ function wp_enqueue_media( $args = array() ) {
 		'captions'         => ! apply_filters( 'disable_captions', '' ),
 		'nonce'            => array(
 			'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
+			'setAttachmentThumbnail' => wp_create_nonce( 'set-attachment-thumbnail' ),
 		),
 		'post'             => array(
 			'id' => 0,

diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php
@@ -53,7 +53,7 @@ function classicpress_asset_version( $type = 'script', $handle = null ) {
 	static $default_version;
 
 	if ( empty( $default_version ) ) {
-		$default_version = 'cp_d11ce89b';
+		$default_version = 'cp_8a8887e6';
 	}
 
 	/**

diff --git a/wp-includes/version.php b/wp-includes/version.php
@@ -27,7 +27,7 @@
  *
  * @global string $cp_version
  */
-$cp_version = '1.5.2';
+$cp_version = '1.5.3';
 
 /**
  * The WordPress version string
@@ -40,7 +40,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.9.22';
+$wp_version = '4.9.23';
 
 /**
  * Holds the ClassicPress DB revision, increments when changes are made to the ClassicPress DB schema.