Add SVG presentation attributes to the list of CSS properties allowed by `safecss_filter_attr()`, so inline SVG markup can be styled via the `style` attribute.
This ports Gutenberg PR #79172 to Core.
Props afercia, westonruter, wildworks.
Fixes#65457.
Built from https://develop.svn.wordpress.org/trunk@62530
git-svn-id: http://core.svn.wordpress.org/trunk@61811 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This eliminates over 400 PHPStan errors from the core codebase.
* Clarify the inline documentation for the four `wpdb` query methods — `get_results()`, `get_row()`, `get_col()`, and `get_var()`.
* Add `@phpstan-return` conditional types that mirror each method's runtime dispatch on `$query` and `$output`.
* Add `@phpstan-param` tags narrowing `$output` to the documented constants.
* Document that `get_var()` returns `null` both on failure and when the matched cell value is an empty string, directing consumers to `$this->last_error` to distinguish the two cases.
* Tighten the `@return` in `get_results()` from `array|object|null` to `array|null`, since the method never returns a bare `stdClass`; the `object` was a copy/paste artifact from `get_row()`.
* Fix a deprecated use of `null` as an array offset (PHP 8.5) in the `OBJECT_K` branch when a row's first column is SQL `NULL`.
* Gather `get_col()` data as a true list.
* Suggest `ext-mysqli` in `composer.json`, which `wpdb` requires at runtime.
Developed in https://github.com/WordPress/wordpress-develop/pull/11855.
Props apermo, westonruter.
See #30257, #64898.
Fixes#65261.
Built from https://develop.svn.wordpress.org/trunk@62529
git-svn-id: http://core.svn.wordpress.org/trunk@61810 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Instead of crowding the row, actions added by extenders should wrap to new lines. This change has been tested in both the classic editor plugin and hotfix plugin.
Follow-up to [61645].
Props abhishekfdd, masteradhoc, rlucian, sabernhardt, cogdesign, threadi, darshitrajyaguru97, desrosj, davidbaumwald, jorbin.
Fixes#65286.
Built from https://develop.svn.wordpress.org/trunk@62526
git-svn-id: http://core.svn.wordpress.org/trunk@61807 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Block editor-related files can currently become stale or are not always deleted from `src` through the relevant `grunt clean` commands reliably. In the past, this primarily caused issues locally when a CSS file was copied from the `@wordpress/block-library` npm package into `src` and later removed from the package entirely. The result was a failing `grunt verify:old-files` task until the `grunt clean` command was run with the `--dev` flag.
After [61438] this issue presented in new ways. Mainly, files would remain in the core.svn.wordpress.org build repository indefinitely unless explicitly deleted. [62051] brought the `grunt clean` tasks up to date, but there are still paths where files remain unexpectedly or have outdated contents after rebuilding. This can cause incomplete or inaccurate commits where built files subject to version control are not updated correctly, especially when changing the `gutenberg.sha` value in `package.json`.
This change improves the build script to ensure that all files sourced from the zip file with assets built by the Gutenberg repository are always fresh and up to date, and any files that are deleted from the built zip file are also deleted from version control appropriately (in both the `develop` and `core` repositories).
A handful of changes were required to accomplish this:
- All Gutenberg-sourced outputs are written to `src/` regardless of `--dev`. In production builds, `build:gutenberg` runs before `build:files`, and `copy:files` propagates the tree to `build/`.
- `gutenbergFiles` has been split into two different arrays: `gutenbergUnversionedFiles` and `gutenbergVersionedFiles`. The `src` argument for the `clean:gutenberg` task is dynamically populated at run time with a bare `grunt clean` cleaning only the unversioned subset (so version-controlled files are not unexpectedly deleted), and explicit `clean:gutenberg` (or any chain through `build:gutenberg`) cleans both, removing files deleted upstream from version control.
- `clean:gutenberg` no longer wipes non-Gutenberg sourced files from `wp-includes/js/`. All file/path lists have been updated to only match files the related tasks are directly responsible for managing.
- `tools/gutenberg/copy.js` has been added to `tsconfig.json` and brought under `tsc --build` strict-mode checking. The large `copyBlockAssets()` function was broken into one named function per asset type, each typed against the relevant `COPY_CONFIG` slice. The split is a code-clarity improvement, not a bug fix.
Props desrosj, westonruter, jorbin, adamsilverstein.
Fixes#65452.
Built from https://develop.svn.wordpress.org/trunk@62525
git-svn-id: http://core.svn.wordpress.org/trunk@61806 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When a trace of allocations revealed that `wp_is_numeric_array()`
accounted for a significant fraction of the allocations in a page
render, it was observed that the function eagerly allocates and copies
array keys and then filters them when all it wants to know is whether a
single key in the array meets a condition.
In this patch the `array_filter( array_keys() )` invocation is replaced
with early-aborting iteration to avoid the memory allocation and
copying.
This patch was prepared as part of WCEU 2026 Contributor Day.
Developed in: https://github.com/WordPress/wordpress-develop/pull/12100
Discussed in: https://core.trac.wordpress.org/ticket/65467
Follow-up to [34927].
Props dmsnell, westonruter, yusufmudagal.
Fixes#65467.
Built from https://develop.svn.wordpress.org/trunk@62524
git-svn-id: http://core.svn.wordpress.org/trunk@61805 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The ASCII fast-path in `_wp_scan_utf8()` uses `strspn()` to skip past ASCII bytes. When a code point limit was provided without a byte limit, the scan would include the rest of the input even when there was a code point limit. Because ASCII characters are single-byte code points, the fast-path scan length can be bounded by the number of remaining code points. This improves performance when working with some large documents.
Developed in https://github.com/WordPress/wordpress-develop/pull/12214.
Follow-up to [60768].
Props jonsurrell, dmsnell, zieladam.
Fixes#65483. See #63863.
Built from https://develop.svn.wordpress.org/trunk@62523
git-svn-id: http://core.svn.wordpress.org/trunk@61804 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`WP_Block::replace_html()` replaced the entire element matched by a rich-text attribute's selector, dropping any markup produced by inner blocks rendered inside that element (e.g. a List nested inside a List Item).
Props cbravobernal, jonsurrell.
Fixes#65406.
Built from https://develop.svn.wordpress.org/trunk@62522
git-svn-id: http://core.svn.wordpress.org/trunk@61803 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds gray WordPress logo image files (`w-logo-gray-white-bg.png` and `w-logo-gray-white-bg.svg`) to `wp-includes/images/`, and updates `the_embed_site_title()` and `do_favicon()` to use the new images as the fallback site icon, maintaining visual consistency with the login screen logo updated in r61989.
Replaces CSS custom property references for focus styles in the embed template (`--wp-admin-theme-color` and `--wp-admin-border-width-focus`) with their literal values, as these admin-theme variables are not defined in the oEmbed template context.
Developed in https://github.com/WordPress/wordpress-develop/pull/11293.
Follow-up to r61652, r61989, r62502.
Props sabernhardt, huzaifaalmesbah, westonruter, jamesbregenzer.
See #64708.
Fixes#64877.
Built from https://develop.svn.wordpress.org/trunk@62521
git-svn-id: http://core.svn.wordpress.org/trunk@61802 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `wp_get_elements_class_name()` function previously generated CSS class names by hashing the serialized block data via `md5()`. Identical blocks received the same `wp-elements-*` class name and the Style Engine deduplicated their CSS rules into one, causing a parent block's element style (e.g. link color) to cascade down and override a child block's identical style due to CSS source order.
The function is updated to use `wp_unique_prefixed_id()` instead, generating sequential unique class names (`wp-elements-1`, `wp-elements-2`, etc.) that match the block editor's JavaScript implementation. The now-unused `$parsed_block` parameter is removed from the function signature.
PHPStan rule level 10 errors are also resolved in the related code. See #64898.
Developed in https://github.com/WordPress/wordpress-develop/pull/12126.
Follow-up to r53260, r58074.
Props tusharbharti, westonruter, wildworks.
Fixes#65435.
Built from https://develop.svn.wordpress.org/trunk@62520
git-svn-id: http://core.svn.wordpress.org/trunk@61801 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add `core/list-item` to the block attributes supported by block bindings so its `content` rich text can be bound, and cover the basic (non-nested) case in the render tests.
This is a clean enablement with no render-side changes. A List Item that contains a nested List keeps both inside the same `<li>`; preserving that nested list when `content` is bound is handled separately by the `WP_Block::replace_html()` inner-block fix.
Props sauliusv, cbravobernal.
See #65406.
Built from https://develop.svn.wordpress.org/trunk@62518
git-svn-id: http://core.svn.wordpress.org/trunk@61799 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Includes:
* Standardizing default values on `null` vs. `false`.
* Updating the documentation to correct parameter types.
* Adding missing parameter descriptions.
Follow-up to [22094].
Props Soean, mukesh27, SergeyBiryukov.
See #64897.
Built from https://develop.svn.wordpress.org/trunk@62517
git-svn-id: http://core.svn.wordpress.org/trunk@61798 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Give interactive elements a consistent 40px height in the admin mobile viewport on the Add Plugins, Media Library grid, Settings > General, and Add Themes screens.
Follow-up to [61645].
Props abcd95, wildworks.
Fixes#64999.
Built from https://develop.svn.wordpress.org/trunk@62516
git-svn-id: http://core.svn.wordpress.org/trunk@61797 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Reverts the update to cache busting strings in r62423 to restore them to `ver=7.0`. As the images will not change in WordPress 7.0.1 there is no need to deal with stale caches.
Follow-up to r62423.
Props peterwilsoncc, mukesh27, wildworks.
See #65352.
Built from https://develop.svn.wordpress.org/trunk@62512
git-svn-id: http://core.svn.wordpress.org/trunk@61793 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `touchstart` event on comment reply and cancel links fired before the browser could distinguish a tap from a scroll gesture, causing the reply form to open unexpectedly during scrolling. Since touchscreen users tapping a link already generate a `click` event, the `touchstart` listeners are unnecessary. Prior to ~2015 a `touchstart` event may have been useful to eliminate a 300ms delay for event handlers on tap, but this is long obsolete.
Developed in https://github.com/WordPress/wordpress-develop/pull/12168.
Follow-up to r42360.
Props edent, szandman, SergeyBiryukov, westonruter, afercia, peterwilsoncc, janpaulkleijn, madhazelnut, joostdevalk, pbearne, eherman24, Znuff.
See #47510, #31590.
Fixes#46713.
Built from https://develop.svn.wordpress.org/trunk@62511
git-svn-id: http://core.svn.wordpress.org/trunk@61792 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `postcss.config.js` file in Twenty Ninteen currently has two `module.exports` asignments configuring two plugins: `autoprefixer` (for ensuring browser-specific CSS nuances are accounted for) and `postcss-focus-within` (ensures `:fucs-within` rules are duplicated as `[focus-within]` attribute selectors).
The first assignment is being ignored entirely, which means `autoprefixer` never runs against generated CSS files.
This updates the `postcss.config.js` file to contain only one `modules.export` statement, which restores the behavior of `autoprefixer`. The dependencies related to browser usage statistics have also been updated, and the resulting changes to built CSS files subject to version control are also included:
- Browser-specific prefixes for the `hyphens` property have been removed.
- The `::-moz-selection` is no longer required for the `::selection` psuedo-element.
- Brower-specific prefixes are no longer required for `min-content` and `max-content` values.
- Webkit browsers no longer require a `-webkit-` prefix for `user-select: none`.
- The `-webkit-` prefix is no longer required for the `filter` property.
- The `text-decoration` property no longer requires browser prefixes.
Fixes#65452.
Built from https://develop.svn.wordpress.org/trunk@62510
git-svn-id: http://core.svn.wordpress.org/trunk@61791 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The list of routes to be copied by the `copy:routes` Grunt task is configured dynamically by the `routes:setup` task, which parses the `gutenberg/build/routes/registry.php` file included in the built asset from the `gutenberg` repository.
The task currently produces ouitput only when an error is encountered, such as a missing `registry.php` file or invalide route name.
This adjusts the task to produce output so that the list of routes being processed is clear.
See #65471.
Built from https://develop.svn.wordpress.org/trunk@62508
git-svn-id: http://core.svn.wordpress.org/trunk@61789 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, `get_site_icon_url()` overwrote a caller-supplied fallback URL with the return value of `wp_get_attachment_image_url()` even when that lookup returned `false`, so a defined fallback (such as the bundled WordPress logo) was silently discarded whenever the assigned site icon attachment could not be resolved. Only update the URL when a non-empty attachment URL is returned.
Additionally, `the_embed_site_title()` now renders the site icon `<img>` only when a URL is available, and omits the `srcset` attribute when the 2x URL is missing or identical to the 1x URL. This avoids the malformed markup (an empty `src` and a bare ` 2x` `srcset`) that produced a broken image and spurious requests in oEmbed cards.
Developed in https://github.com/WordPress/wordpress-develop/pull/11601.
Follow-up to r35571, r36693, r47832.
Props sukhendu2002, sabernhardt, mukesh27, westonruter, pontocinza, mohamedahamed, abcd95, manhar, rollybueno.
Fixes#65098.
Built from https://develop.svn.wordpress.org/trunk@62502
git-svn-id: http://core.svn.wordpress.org/trunk@61783 1a063a9b-81f0-0310-95a4-ce76da25c4cd
A plugin may register an oEmbed provider through the `oembed_providers` filter using a malformed structure, such as an associative array rather than the expected tuple of a provider endpoint URL string at index 0 and an optional boolean regex flag at index 1. This previously produced `Undefined array key` PHP warnings when `WP_oEmbed::get_provider()` destructured the entry.
Introduce a private `sanitize_provider()` method that validates the match pattern and provider data, normalizing the optional regex flag to a boolean. The constructor now skips malformed entries and reports each one via `_doing_it_wrong()`, and `get_provider()` likewise ignores any invalid entries it encounters at runtime.
Developed in https://github.com/WordPress/wordpress-develop/pull/11568.
Props sukhendu2002, westonruter, bradshawtm, rollybueno.
Fixes#65068.
Built from https://develop.svn.wordpress.org/trunk@62501
git-svn-id: http://core.svn.wordpress.org/trunk@61782 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates the `@param` and `@return` descriptions to state that `build_query()` does **not** URL-encode, unlike PHP's native `http_build_query()`, and that callers are responsible for encoding the values beforehand or late-escaping the output with `esc_url()`.
Follow-up to [8215].
Props nimeshatxecurify, johnbillion.
Fixes#65453.
Built from https://develop.svn.wordpress.org/trunk@62497
git-svn-id: http://core.svn.wordpress.org/trunk@61778 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates `codecov/codecov-action` from `v5.5.3` to `v7.0.0`, which includes a change in Keybase account being used by the action to one that Codecov is able to update going forward. Coverage reports are currently failing because of an inability to verify GPG signature integrity.
See #64893.
Built from https://develop.svn.wordpress.org/trunk@62496
git-svn-id: http://core.svn.wordpress.org/trunk@61777 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The "Download file" link in `attachment_submitbox_metadata()` escaped its `href` with `esc_attr()`, which only HTML-encodes the value. Use `esc_url()` instead, the correct function for a URL in an `href` attribute, since `$att_url` comes from `wp_get_attachment_url()`. This applies the same escaping method for the Download link in the media list table output by `WP_Media_List_Table::_get_row_actions()`.
Apply the same correction to `wp_prepare_attachment_for_js()`, wrapping the attachment, intermediate size, full-size, original image, and image source URLs in `esc_url_raw()` so the Backbone-rendered media UI emits URLs filtered through `clean_url` just like the server-rendered templates.
Developed in https://github.com/WordPress/wordpress-develop/pull/12062.
Follow-up to r21680, r47202, r55156, r55198, r55221.
Props thisismyurl, westonruter, sabernhardt, gazipress, jamesbregenzer, manhar, sanayasir, freewebmentor.
See #57574, #41474.
Fixes#65397.
Built from https://develop.svn.wordpress.org/trunk@62494
git-svn-id: http://core.svn.wordpress.org/trunk@61775 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Improve the PHPDoc docblocks in `WP_List_Table` and `WP_Plugins_List_Table` for accuracy, completeness, and consistency with WordPress core documentation standards. Adds missing `@since` tags and corrects several existing versions, adds summary descriptions to all previously bare method and property docblocks, and refines type annotations with precise generic array types.
Developed in https://github.com/WordPress/wordpress-develop/pull/10989.
Follow-up to r30679, r31127, r32642, r32654.
Props huzaifaalmesbah, westonruter, noruzzaman.
See #64896.
Built from https://develop.svn.wordpress.org/trunk@62491
git-svn-id: http://core.svn.wordpress.org/trunk@61772 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This was brought up during fuzz testing of the HTML API. After
polyfilling `mb_chr()` and relying on it in the HTML decoder, it became
possible that for sites with a non-UTF-8 charset selected, then the
creation of text from code points when decoding numeric character
references might produce corrupted text, or text which encodes to
non-UTF-8 bytes.
While for these sites, there are broader issues with non-UTF-8 support,
this change ensures that code point encoding remains deterministic.
Developed in: https://github.com/WordPress/wordpress-develop/pull/12155
Discussed in: https://core.trac.wordpress.org/ticket/65372
Follow-up to [62424].
Props dmsnell, jonsurrell.
See #65372.
Built from https://develop.svn.wordpress.org/trunk@62487
git-svn-id: http://core.svn.wordpress.org/trunk@61768 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `wow-actions/welcome` action has not been updated for over 2 years and is currently configured to run on `Node20`. With GitHub now actively removing support for Node.js 20.x within the GitHub Actions environment, any action explicitly using `Node20` will break.
This replaces `wow-actions/welcome` with the `actions/first-interaction` action, which is an action officially maintained by GitHub and offers the same functionality.
Props khokansardar, mukesh27, desrosj.
Fixes#65432.
Built from https://develop.svn.wordpress.org/trunk@62486
git-svn-id: http://core.svn.wordpress.org/trunk@61767 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Found during fuzzing work on the HTML API and adjacent code. The previous version of this function used a Unicode PCRE to detect noncharacter code points, but that invocation failed if the input string contained sequences of invalid UTF-8 bytes.
This patch replaces the Unicode PCRE with a mapped sequence of raw bytes. This version works in environments without Unicode support and it works when invalid bytes are present, making it possible to remove the fallback function as well.
Developed in: https://github.com/WordPress/wordpress-develop/pull/12148
Discussed in: https://core.trac.wordpress.org/ticket/65372
Follow-up to [61000].
Props dmsnell, jonsurrell.
See #65372.
Built from https://develop.svn.wordpress.org/trunk@62485
git-svn-id: http://core.svn.wordpress.org/trunk@61766 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds support for the unicode address extensions in RFC 6530-3 and refactors the code so there are fewer long regexes and less duplication between sanitize_email and is_email. A new class, WP_Email_Address, provides the shared parts.
Opting out of unicode support is easy, default-filters.php adds unicode support by adding filters, which can be removed.
`sanitize_email` no longer does major changes like removing an entire subdomain from someone's address, it only cleans up things like soft hyphens and whitespace — changes that happen when coping an email address from text.
Developed in: https://github.com/WordPress/wordpress-develop/pull/5237
Discussed in: https://core.trac.wordpress.org/ticket/31992
Props agulbra, akirk, benniledl, dmsnell, ironprogrammer, justlevine, mdawaffe, mukeshpanchal27, SirLouen, tusharbharti.
Fixes#31992.
Built from https://develop.svn.wordpress.org/trunk@62482
git-svn-id: http://core.svn.wordpress.org/trunk@61763 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The image editor help toggle icon used a hardcoded classic blue color. Replace it with a CSS custom property so the icon follows the user's admin color scheme.
Props dervishov, huzaifaalmesbah, jamesbregenzer, mukesh27, ozgursar, wildworks.
Fixes#64937.
Built from https://develop.svn.wordpress.org/trunk@62481
git-svn-id: http://core.svn.wordpress.org/trunk@61762 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The spinner that appeared during filtering was positioned beneath the fields, causing a scrollbar in the filter wrapper container. While only visible during scrolling on MacOS, it was persistently visible on Windows.
Fixes the alignment of the toolbar to appear with predictable alignment to the select fields without generating a scrollbar.
Follow up to [61757].
Props luismulinari, yogeshbhutkar, dhruvang21, r1k0, sabernhardt, wildworks, audrasjb, joedolson.
Fixes#65275. See #23562.
Built from https://develop.svn.wordpress.org/trunk@62480
git-svn-id: http://core.svn.wordpress.org/trunk@61761 1a063a9b-81f0-0310-95a4-ce76da25c4cd
wildworks