Merge branch 'trunk' into html-api/add-html-processor

Author: dmsnell

package-lock.json

@@ -78,61 +78,61 @@
 	},
 	"dependencies": {
 		"@wordpress/a11y": "3.26.1",
-		"@wordpress/annotations": "2.26.3",
+		"@wordpress/annotations": "2.26.4",
 		"@wordpress/api-fetch": "6.23.1",
 		"@wordpress/autop": "3.26.1",
 		"@wordpress/blob": "3.26.1",
-		"@wordpress/block-directory": "4.3.11",
-		"@wordpress/block-editor": "11.3.9",
-		"@wordpress/block-library": "8.3.11",
+		"@wordpress/block-directory": "4.3.12",
+		"@wordpress/block-editor": "11.3.10",
+		"@wordpress/block-library": "8.3.12",
 		"@wordpress/block-serialization-default-parser": "4.26.1",
 		"@wordpress/blocks": "12.3.3",
-		"@wordpress/components": "23.3.6",
+		"@wordpress/components": "23.3.7",
 		"@wordpress/compose": "6.3.3",
 		"@wordpress/core-data": "6.3.3",
-		"@wordpress/customize-widgets": "4.3.11",
+		"@wordpress/customize-widgets": "4.3.12",
 		"@wordpress/data": "8.3.3",
 		"@wordpress/data-controls": "2.26.3",
 		"@wordpress/date": "4.26.2",
 		"@wordpress/deprecated": "3.26.1",
 		"@wordpress/dom": "3.26.1",
 		"@wordpress/dom-ready": "3.26.1",
-		"@wordpress/edit-post": "7.3.11",
-		"@wordpress/edit-site": "5.3.11",
-		"@wordpress/edit-widgets": "5.3.11",
-		"@wordpress/editor": "13.3.9",
+		"@wordpress/edit-post": "7.3.12",
+		"@wordpress/edit-site": "5.3.12",
+		"@wordpress/edit-widgets": "5.3.12",
+		"@wordpress/editor": "13.3.10",
 		"@wordpress/element": "5.3.2",
 		"@wordpress/escape-html": "2.26.1",
-		"@wordpress/format-library": "4.3.9",
+		"@wordpress/format-library": "4.3.10",
 		"@wordpress/hooks": "3.26.1",
 		"@wordpress/html-entities": "3.26.1",
 		"@wordpress/i18n": "4.26.1",
 		"@wordpress/icons": "9.17.2",
-		"@wordpress/interface": "5.3.7",
+		"@wordpress/interface": "5.3.8",
 		"@wordpress/is-shallow-equal": "4.26.1",
 		"@wordpress/keyboard-shortcuts": "4.3.3",
 		"@wordpress/keycodes": "3.26.2",
-		"@wordpress/list-reusable-blocks": "4.3.6",
+		"@wordpress/list-reusable-blocks": "4.3.7",
 		"@wordpress/media-utils": "4.17.2",
 		"@wordpress/notices": "3.26.3",
 		"@wordpress/nux": "6.0.0",
 		"@wordpress/plugins": "5.3.3",
-		"@wordpress/preferences": "3.3.6",
+		"@wordpress/preferences": "3.3.7",
 		"@wordpress/preferences-persistence": "1.18.1",
 		"@wordpress/primitives": "3.24.2",
 		"@wordpress/priority-queue": "2.26.1",
 		"@wordpress/private-apis": "0.8.1",
 		"@wordpress/redux-routine": "4.26.1",
-		"@wordpress/reusable-blocks": "4.3.9",
-		"@wordpress/rich-text": "6.3.3",
-		"@wordpress/server-side-render": "4.3.6",
+		"@wordpress/reusable-blocks": "4.3.10",
+		"@wordpress/rich-text": "6.3.4",
+		"@wordpress/server-side-render": "4.3.7",
 		"@wordpress/shortcode": "3.26.1",
 		"@wordpress/style-engine": "1.9.1",
 		"@wordpress/token-list": "2.26.1",
 		"@wordpress/url": "3.27.1",
 		"@wordpress/viewport": "5.3.3",
 		"@wordpress/warning": "2.26.1",
-		"@wordpress/widgets": "3.3.9",
+		"@wordpress/widgets": "3.3.10",
 		"@wordpress/wordcount": "3.26.1",
 		"backbone": "1.4.1",
 		"clipboard": "2.0.11",

package.json

@@ -49,6 +49,7 @@
 
 		var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
 			blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+			allowedProtocols = new RegExp( '^https?:$', 'i' ),
 			i, source, height, sourceURL, targetURL;
 
 		for ( i = 0; i < blockquotes.length; i++ ) {
@@ -84,6 +85,11 @@
 				sourceURL.href = source.getAttribute( 'src' );
 				targetURL.href = data.value;
 
+				/* Only follow link if the protocol is in the allow list. */
+				if ( ! allowedProtocols.test( targetURL.protocol ) ) {
+					continue;
+				}
+
 				/* Only continue if link hostname matches iframe's hostname. */
 				if ( targetURL.host === sourceURL.host ) {
 					if ( document.activeElement === source ) {

src/js/_enqueues/wp/embed.js

@@ -106,6 +106,7 @@ VideoDetails = MediaDetails.extend(/** @lends wp.media.view.MediaFrame.VideoDeta
 
 			wp.ajax.send( 'set-attachment-thumbnail', {
 				data : {
+					_ajax_nonce: wp.media.view.settings.nonce.setAttachmentThumbnail,
 					urls: urls,
 					thumbnail_id: attachment.get( 'id' )
 				}

src/js/media/views/frame/video-details.js

@@ -87,7 +87,7 @@
  */
 function do_activate_header() {
 	/**
-	 * Fires before the Site Activation page is loaded.
+	 * Fires within the `<head>` section of the Site Activation page.
 	 *
 	 * Fires on the {@see 'wp_head'} action.
 	 *

src/wp-activate.php

@@ -121,7 +121,7 @@
 <div id="addressdiv" class="postbox">
 <h2 class="postbox-header"><label for="link_url"><?php _e( 'Web Address' ); ?></label></h2>
 <div class="inside">
-	<input type="text" name="link_url" size="30" maxlength="255" class="code" value="<?php echo esc_attr( $link->link_url ); ?>" id="link_url" />
+	<input type="text" name="link_url" size="30" maxlength="255" class="code" value="<?php echo esc_url( $link->link_url ); ?>" id="link_url" />
 	<p><?php _e( 'Example: <code>https://wordpress.org/</code> &#8212; do not forget the <code>https://</code>' ); ?></p>
 </div>
 </div>

src/wp-admin/edit-link-form.php

@@ -2771,6 +2771,10 @@ function wp_ajax_set_attachment_thumbnail() {
 		wp_send_json_error();
 	}
 
+	if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
+		wp_send_json_error();
+	}
+
 	$post_ids = array();
 	// For each URL, try to find its corresponding post ID.
 	foreach ( $_POST['urls'] as $url ) {

src/wp-admin/includes/ajax-actions.php

@@ -34,8 +34,8 @@ public function upgrade_strings() {
 		$this->strings['unpack_package']        = __( 'Unpacking the update…' );
 		$this->strings['copy_failed']           = __( 'Could not copy files.' );
 		$this->strings['copy_failed_space']     = __( 'Could not copy files. You may have run out of disk space.' );
-		$this->strings['start_rollback']        = __( 'Attempting to roll back to previous version.' );
-		$this->strings['rollback_was_required'] = __( 'Due to an error during updating, WordPress has rolled back to your previous version.' );
+		$this->strings['start_rollback']        = __( 'Attempting to restore the previous version.' );
+		$this->strings['rollback_was_required'] = __( 'Due to an error during updating, WordPress has been restored to your previous version.' );
 	}
 
 	/**

src/wp-admin/includes/class-core-upgrader.php

@@ -1170,8 +1170,8 @@ function duplicate($p_archive)
     // ----- Reset the error handler
     $this->privErrorReset();
 
-    // ----- Look if the $p_archive is a PclZip object
-    if (is_object($p_archive) && $p_archive instanceof pclzip)
+    // ----- Look if the $p_archive is an instantiated PclZip object
+    if ($p_archive instanceof pclzip)
     {
 
       // ----- Duplicate the archive
@@ -1234,8 +1234,8 @@ function merge($p_archive_to_add)
       return(0);
     }
 
-    // ----- Look if the $p_archive_to_add is a PclZip object
-    if (is_object($p_archive_to_add) && $p_archive_to_add instanceof pclzip)
+    // ----- Look if the $p_archive_to_add is an instantiated PclZip object
+    if ($p_archive_to_add instanceof pclzip)
     {
 
       // ----- Merge the archive

src/wp-admin/includes/class-pclzip.php

@@ -21,7 +21,7 @@ class WP_Application_Passwords_List_Table extends WP_List_Table {
 	 *
 	 * @since 5.6.0
 	 *
-	 * @return array
+	 * @return string[] Array of column titles keyed by their column name.
 	 */
 	public function get_columns() {
 		return array(