The "Download file" link in `attachment_submitbox_metadata()` escaped its `href` with `esc_attr()`, which only HTML-encodes the value. Use `esc_url()` instead, the correct function for a URL in an `href` attribute, since `$att_url` comes from `wp_get_attachment_url()`. This applies the same escaping method for the Download link in the media list table output by `WP_Media_List_Table::_get_row_actions()`.
Apply the same correction to `wp_prepare_attachment_for_js()`, wrapping the attachment, intermediate size, full-size, original image, and image source URLs in `esc_url_raw()` so the Backbone-rendered media UI emits URLs filtered through `clean_url` just like the server-rendered templates.
Developed in https://github.com/WordPress/wordpress-develop/pull/12062.
Follow-up to r21680, r47202, r55156, r55198, r55221.
Props thisismyurl, westonruter, sabernhardt, gazipress, jamesbregenzer, manhar, sanayasir, freewebmentor.
See #57574, #41474.
Fixes #65397.
Built from https://develop.svn.wordpress.org/trunk@62494
git-svn-id: http://core.svn.wordpress.org/trunk@61775 1a063a9b-81f0-0310-95a4-ce76da25c4cd
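The distinction the commit message above draws between HTML-encoding a value and filtering it as a URL, as an added example that is not WordPress core code. The `demo_*` functions and `DEMO_ALLOWED_SCHEMES` are hypothetical, simplified stand-ins for `esc_attr()`, `esc_url()` and `esc_url_raw()`, and the sample URLs are constructed.

```php
<?php
// Added illustration. The demo_* functions are simplified stand-ins,
// not WordPress's implementations of esc_attr(), esc_url() or esc_url_raw().

const DEMO_ALLOWED_SCHEMES = array( 'http', 'https' ); // assumption: a minimal allowlist

/** HTML-attribute escaping only: encodes markup characters, never inspects the scheme. */
function demo_escape_attr( string $value ): string {
	return htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

/** URL filtering without entity encoding, for values handed to JavaScript as data. */
function demo_filter_url( string $url ): string {
	// Drop control characters; browsers strip tabs and newlines from URLs,
	// so they must not be able to hide a scheme from the check below.
	$url = preg_replace( '/[\x00-\x1f\x7f]/', '', trim( $url ) );
	$url = str_replace( ' ', '%20', $url );

	// A leading "scheme:" must be on the allowlist; scheme-less (relative) URLs pass through.
	if ( preg_match( '/^([a-z][a-z0-9+.\-]*):/i', $url, $m )
		&& ! in_array( strtolower( $m[1] ), DEMO_ALLOWED_SCHEMES, true ) ) {
		return '';
	}
	return $url;
}

/** URL escaping for an href attribute: filter the URL first, then entity-encode it. */
function demo_escape_url( string $url ): string {
	return demo_escape_attr( demo_filter_url( $url ) );
}

// Constructed sample values standing in for a filtered attachment URL.
$samples = array(
	'https://example.test/wp-content/uploads/report.pdf',
	'https://example.test/file.pdf?a=1&b="2"',
	'javascript:alert(1)',
	"java\tscript:alert(1)",
);

foreach ( $samples as $att_url ) {
	printf(
		"input:    %s\nattr:     <a href=\"%s\">\nurl:      <a href=\"%s\">\nurl_raw:  %s\n\n",
		json_encode( $att_url, JSON_UNESCAPED_SLASHES ),
		demo_escape_attr( $att_url ),   // scheme survives: only markup characters change
		demo_escape_url( $att_url ),    // disallowed scheme becomes an empty href
		json_encode( demo_filter_url( $att_url ), JSON_UNESCAPED_SLASHES )
	);
}
```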
* Note that the `gallery_style` filter receives the opening HTML `DIV` container in addition to the default CSS.
* Point to the `use_default_gallery_style` filter as the way to remove the styles entirely.
* Add the missing `@since` changelog entries describing how the filtered markup has evolved.
Developed in https://github.com/WordPress/wordpress-develop/pull/12060.
Follow-up to r16865, r27396, r46164, r61411.
Props sabernhardt, ov3rfly, westonruter.
See #64442.
Fixes #65317.
Built from https://develop.svn.wordpress.org/trunk@62455
git-svn-id: http://core.svn.wordpress.org/trunk@61736 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Reverts the removal in [62081] now that WordPress 7.1 has forked. Restores all PHP functions, REST API endpoints, cross-origin isolation infrastructure, VIPS script module handling, build configuration, and associated tests.
Follow-up to [62081].
Props adamsilverstein, jorbin, westonruter.
Fixes #64919.
See #64906.
Built from https://develop.svn.wordpress.org/trunk@62428
git-svn-id: http://core.svn.wordpress.org/trunk@61709 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In PHP's type system, `void` means a function does not return a value and cannot be part of a union type. Many functions in core were documented as returning e.g. `string|void` while actually returning `null` implicitly via bare `return;` statements. This replaces `void` with `null` in union return types, adds explicit `return null;` statements, and updates `@return` annotations across 22 files in `wp-includes`.
Additionally:
* Adds `@return never` for `WP_Recovery_Mode::redirect_protected()`.
* Fixes `WP_Theme_JSON::set_spacing_sizes()` to use `@return void` instead of `@return null|void`.
* Removes `void` from return types where the function always returns a value or dies: `remove_theme_support()`, `WP_Recovery_Mode::handle_error()`.
* Fixes `wp_die()` return type from `never|void` to `void` with clarified description.
* Initializes `$primary` variable in `get_active_blog_for_user()` to prevent a possible undefined variable notice.
Developed in https://github.com/WordPress/wordpress-develop/pull/11012
Follow-up to r62177, r61766, r61719.
Props apermo, xateman, westonruter, parthvataliya, nimeshatxecurify.
See #64704.
Built from https://develop.svn.wordpress.org/trunk@62178
git-svn-id: http://core.svn.wordpress.org/trunk@61460 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Add `is_array()` checks before accessing return values from `wp_get_attachment_image_src()` in `get_oembed_response_data_rich()`, `wp_playlist_shortcode()`, and `wp_prepare_attachment_for_js()`.
* Guard `wp_getimagesize()` calls within `wp_get_attachment_image_src()` itself.
* Ensure `wp_get_attachment_image_src()` always returns the expected `array{0: string, 1: int, 2: int, 3: bool}` type or `false` by normalizing the filter result with explicit type casting and default values.
* Add `@phpstan-return` annotations to both `wp_get_attachment_image_src()` and `wp_getimagesize()` for the specific array shapes.
Developed in https://github.com/WordPress/wordpress-develop/pull/11073
Props hbhalodia, westonruter, mukesh27, edent, ozgursar, roshniahuja14.
Fixes #64742.
Built from https://develop.svn.wordpress.org/trunk@62176
git-svn-id: http://core.svn.wordpress.org/trunk@61458 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Punt the wasm-vips client-side media processing feature to a future release when it can include more features. The VIPS WASM worker adds too much build size overhead for the current value provided. Removes all PHP functions, REST API endpoints, cross-origin isolation infrastructure, VIPS script module handling, build configuration, and associated tests.
Props adamsilverstein, jorbin.
Fixes #64906.
Built from https://develop.svn.wordpress.org/trunk@62081
git-svn-id: http://core.svn.wordpress.org/trunk@61363 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Under `Document-Isolation-Policy: isolate-and-credentialless`, the browser's credentialless mode already handles cross-origin image loading without requiring CORS headers. Explicitly adding `crossorigin="anonymous"` to `<img>` elements overrides this behavior and forces a CORS preflight request, breaking images from servers that don't include `Access-Control-Allow-Origin` in their response headers.
This also removes the related `imagesrcset` handling from `LINK` elements, which had the same issue for `<link>` preload tags for images.
See related Gutenberg issue: https://github.com/WordPress/gutenberg/issues/76476.
Follow-up to [61844], [61846].
Props adamsilverstein, swissspidy.
Fixes #64886.
Built from https://develop.svn.wordpress.org/trunk@62048
git-svn-id: http://core.svn.wordpress.org/trunk@61330 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Document-Isolation-Policy (DIP) isolates the document and blocks same-origin iframe access that page builders rely on. Skip DIP setup when a third-party page builder overrides the block editor via a custom `action` query parameter.
Also gates `wp_is_client_side_media_processing_enabled()` on a secure context check, since `SharedArrayBuffer` requires a secure context (HTTPS or localhost).
Props adamsilverstein, westonruter, mukesh27, louiswol94, manhar, illuminea.
Fixes #64803.
Built from https://develop.svn.wordpress.org/trunk@61947
git-svn-id: http://core.svn.wordpress.org/trunk@61229 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates `wp_get_loading_optimization_attributes()` and `wp_maybe_add_fetchpriority_high_attr()` to account for cases where an `IMG` has `fetchpriority=low` or `fetchpriority=auto`:
* `IMG` tags with `fetchpriority=low` are not lazy-loaded since they may be in a Navigation overlay, Details block, or Accordion Item block and need to be loaded the instant the user toggles the block.
* `IMG` tags with `fetchpriority=auto` do not increase the media count since they may be hidden in a viewport by block visibility settings.
* Blocks with conditional visibility (such as hidden on mobile or desktop) now automatically add `fetchpriority="auto"` to their contained `IMG` tags to prevent them from erroneously receiving `fetchpriority=high` or affecting the lazy-loading of subsequent images.
* An `IMG` with `fetchpriority=auto` which also surpasses the `wp_min_priority_img_pixels` threshold will prevent a subsequent image from getting `fetchpriority=high`.
Developed in https://github.com/WordPress/wordpress-develop/pull/11196
Includes backport of [https://github.com/WordPress/gutenberg/pull/76302 Gutenberg#76302].
See related Gutenberg issues:
- [https://github.com/WordPress/gutenberg/issues/76181 76181]: Image in navigation overlay can get `fetchpriority=high` and degrade LCP metric for page.
- [https://github.com/WordPress/gutenberg/issues/76268 76268]: Image in collapsed Details block may erroneously get `fetchpriority=high` even though hidden.
- [https://github.com/WordPress/gutenberg/issues/76301 76301]: Block Visibility: `IMG` in viewport-conditional block may get `fetchpriority=high` even when not displayed.
- [https://github.com/WordPress/gutenberg/issues/76335 76335]: Image in collapsed Accordion block may erroneously get `fetchpriority=high` even though hidden.
Follow-up to r56347, r56037.
Props westonruter, mukesh27, ramonopoly, wildworks.
See #58235.
Fixes #64823.
Built from https://develop.svn.wordpress.org/trunk@61934
git-svn-id: http://core.svn.wordpress.org/trunk@61216 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Replace COEP/COOP headers with Document-Isolation-Policy (DIP) for cross-origin isolation in the block editor. DIP enables sharedBufferArray while avoiding the breakage COEP/COOP caused for third-party plugins whose iframes lost credentials and DOM access. Non-supporting browsers have the client-side media feature disabled by default - falling back to the existing server-side processing - to avoid a degraded editor experience.
Developed in https://github.com/WordPress/wordpress-develop/pull/11098
Props adamsilverstein, westonruter, manhar, swissspidy, mukesh27.
Fixes #64766.
Built from https://develop.svn.wordpress.org/trunk@61844
git-svn-id: http://core.svn.wordpress.org/trunk@61131 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Bring over the changes required to implement client side media in core. This feature recently graduated from experiments and is ready for testing in beta.
Props adamsilverstein, westonruter, mamaduka, mukesh27, swissspidy, andrewserong, ellatrix, ramonjd.
Fixes #62243.
Built from https://develop.svn.wordpress.org/trunk@61703
git-svn-id: http://core.svn.wordpress.org/trunk@61011 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change introduces PHPStan static analysis configured at [https://phpstan.org/user-guide/rule-levels rule level 0], which includes: "basic checks, unknown classes, unknown functions, unknown methods called on `$this`, wrong number of arguments passed to those methods and functions, always undefined variables". Contributors may elect for a higher PHPStan rule level by creating a `phpstan.neon` which overrides `phpstan.neon.dist`.
* Fix various PHPStan level 0 errors by adding `@phpstan-ignore` comments, updating PHPDoc types, and adding missing return values.
* Remove existing `@phpstan-ignore` comments that are now obsolete or inapplicable for level 0.
* Add a new GitHub Actions workflow for PHPStan Static Analysis. Reports are currently provided as warnings with inline annotations in pull requests and do not fail the build.
* Add a `phpstan` Grunt task and include it in the `precommit:php` task to run before `phpunit`.
* Introduce a `typecheck:php` npm script and a `composer phpstan` script to run analysis in local development environments.
* Add documentation for PHPStan usage in `tests/phpstan/README.md`.
Developed in https://github.com/WordPress/wordpress-develop/pull/10419
Props justlevine, westonruter, johnbillion, desrosj, SirLouen, dmsnell, oglekler, joehoyle, jorbin.
See #64238, #63268, #52217, #51423.
Fixes #61175.
Built from https://develop.svn.wordpress.org/trunk@61699
git-svn-id: http://core.svn.wordpress.org/trunk@61007 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Now that a version of `imagick` with support for PHP 8.5 has been released and the containers maintained by the project for the local development environment have been updated to include it, there are some new PHP 8.5 compatibility issues that have surfaced related to the HEIF/HEIC image format.
PHP 8.5 added support for the HEIF/HEIC image format in `getimagesize()`. To properly support this in a cross-version way, a few changes are necessary.
Since [58849], WordPress has supported this format and the `IMAGETYPE_HEIC` constant was introduced as a placeholder until proper support was added in PHP. Since that has now happened, this constant needs to be changed to contain a value of `20` instead of `99`, and the name upstream was added as `IMAGETYPE_HEIF`. The constant in Core is being changed to match those included in PHP.
The implementation for this image format in `getimagesize()` also follows a similar pattern to that of AVIF where additional information such as the image `bits` and `channels` are also returned. This additional information is causing unit tests to fail. The tests have been updated to account for different versions of PHP returning a different level of detail.
Props westonruter, skithund, johnbillion, adamsilverstein.
Fixes #64322.
Built from https://develop.svn.wordpress.org/trunk@61328
git-svn-id: http://core.svn.wordpress.org/trunk@60640 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This deprecates the `wp_print_auto_sizes_contain_css_fix()` function running at `wp_head` priority 1, in favor of a `wp_enqueue_img_auto_sizes_contain_css_fix()` function which runs just before at `wp_head` priority 0. The latter function unhooks the former while also enqueueing an inline style to be printed with all other styles but up front to preserve the cascade. This eliminates directly printing the `STYLE` tag, which was a change done similarly before for the emoji styles. See #58775.
For backwards compatibility, the CSS can still be prevented from being enqueued/printed via:
```php
remove_action( 'wp_head', 'wp_print_auto_sizes_contain_css_fix', 1 );
```
This change ensures that all styles are printed together using the correct API for emitting styles.
Developed in https://github.com/WordPress/wordpress-develop/pull/8954.
Follow-up to [59435].
Props westonruter, sabernhardt, SirLouen, flixos90, joemcgill, SergeyBiryukov, superpoincare.
See #62413.
Fixes #62731.
Built from https://develop.svn.wordpress.org/trunk@60910
git-svn-id: http://core.svn.wordpress.org/trunk@60246 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The playlist shortcode has a base set of JavaScript that should only be loaded once. Previously, this JS was only loaded the first time a playlist shortcode was processed. If the first playlist was broken, because the media file was missing for instance, this would break all other playlists on the page.
This commit introduces a new static variable to keep track of whether the necessary JavaScript has been loaded instead.
Props iamadisingh, abcd95, justlevine, jorbin, rollybueno, Guido07111975.
Fixes #63583.
Built from https://develop.svn.wordpress.org/trunk@60678
git-svn-id: http://core.svn.wordpress.org/trunk@60014 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fix a bug introduced in WordPress 6.8.2 (r60415) that led to user supplied values for width and height in the $attr array passed to `wp_get_attachment_image` to be overwritten.
Props rainbowgeek, ocean90, rollybueno, shreya0shrivastava, heybran, mukesh27.
Fixes #63714.
Built from https://develop.svn.wordpress.org/trunk@60641
git-svn-id: http://core.svn.wordpress.org/trunk@59977 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Include the image height and width in the attributes passed to the 'wp_get_attachment_image_attributes' filter. Developers can use this to adjust the width and height attributes returned from the 'wp_get_attachment_image_attributes' function.
Props divinenephron, nacin, Sam_a, wpsmith, anatolbroder, ericlewis, puggan, SergeyBiryukov, spacedmonkey, adamsilverstein, flixos90, sandeepdahiya, SirLouen.
Fixes #14110.
Built from https://develop.svn.wordpress.org/trunk@60415
git-svn-id: http://core.svn.wordpress.org/trunk@59751 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In #24902, an inline script was introduced to `wp_playlist_scripts()`, `wp_audio_shortcode()`, and `wp_video_shortcode()` for HTML5 compatibility in browsers running IE 8 and earlier.
These browsers have long been unsupported by WordPress, and unsupported by Microsoft for 9 years or more. So this compatibility code is no longer necessary and can safely be removed.
Hit the road, Jack, and don't ya come back no more, no more, no more, no more!
Props aslamdoctor, mindctrl, nigelnelles, joedolson.
Fixes #63471.
Built from https://develop.svn.wordpress.org/trunk@60285
git-svn-id: http://core.svn.wordpress.org/trunk@59621 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add the 'muted' attribute to the audio shortcode. Fix boolean attributes to meet HTML5 standards. Replaces instances like `attr="1"` with `attr` for `loop`, `autoplay`, and `muted`, and improves handling of the `preload` attribute to only output valid values.
Props shub07, dmsnell, debarghyabanerjee, audrasjb, narenin, apermo, joedolson.
Fixes #61515.
Built from https://develop.svn.wordpress.org/trunk@59987
git-svn-id: http://core.svn.wordpress.org/trunk@59329 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset updates `wp_video_shortcode()` to improve boolean attributes handling in accordance with HTML5 standards. Technically, it replaces `attr="1"` with `attr` for the `loop`, `autoplay` and `muted` attributes. The `preload` attribute is also updated to accept only allowed values: `none`, `metadata`, and `auto`. If a value outside of this list is provided, it will be ignored, preventing invalid attribute outputs.
Props jongycastillo, sabernhardt, joedolson, audrasjb, shub07, debarghyabanerjee.
Fixes #60178.
Built from https://develop.svn.wordpress.org/trunk@59954
git-svn-id: http://core.svn.wordpress.org/trunk@59296 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Based on the user agent stylesheet rules outlined in https://html.spec.whatwg.org/multipage/rendering.html#img-contain-size, images that have `sizes=auto` while applying `width: auto` or `width: fit-content` would be constrained to only 300px width.
This changeset overrides said user agent stylesheet rule with a much larger constraint, to avoid the problem.
Additionally, it introduces a filter `wp_img_tag_add_auto_sizes` which can be used to opt out of the functionality, as an additional measure.
Props joemcgill, flixos90, dooperweb, SirLouen, azaozz, mukesh27, apermo.
Fixes #62413.
See #61847, #62345.
Built from https://develop.svn.wordpress.org/trunk@59415
git-svn-id: http://core.svn.wordpress.org/trunk@58801 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This saves the `WP_Image_Editor` implementation that supports the queried options to a cache to avoid performing redundant compatibility checks, which can be expensive. For example, `WP_Image_Editor_Imagick::supports_mime_type()` can get called in the editor multiple times to determine which image formats can be supported during `wp_plupload_default_settings()`.
With this cache, the support will be stored for 1 day, speeding up loading times for the editor. This also introduces a new global caching group, `image_editor` to manage any subsequent caches that are related to image editor optimizations.
Props joemcgill, desrosj, westonruter, flixos90, adamsilverstein, mukesh27, joehoyle.
Fixes #61532.
Built from https://develop.svn.wordpress.org/trunk@59189
git-svn-id: http://core.svn.wordpress.org/trunk@58584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduces the filter `pre_attachment_url_to_postid` to allow developers to short-circuit the function `attachment_url_to_postid()`.
The return values are expected to be an attachment ID, zero (`0`) to indicate no attachment was found or `null` to indicate the function should proceed as usual.
The function performs an expensive database query so developers making use of the function frequently may wish to use a custom table with appropriate indexes to reduce the load on their database server.
Props antpb, apermo, audrasjb, joedolson.
Fixes #61383.
Built from https://develop.svn.wordpress.org/trunk@59118
git-svn-id: http://core.svn.wordpress.org/trunk@58514 1a063a9b-81f0-0310-95a4-ce76da25c4cd
A common use-case for the 'wp_get_loading_optimization_attributes' filter is to modify attributes based on the 'src' attribute. However, the `wp_img_tag_add_loading_optimization_attrs()` was not passing that attribute to the function as expected, which would make such usage of the filter unreliable. This changeset ensures the 'src' attribute is also passed in this scenario. All other calls to `wp_get_loading_optimization_attributes()` already included the attribute.
Props deepakrohilla, prestonwordsworth, mukesh27, adamsilverstein, joemcgill, flixos90.
Fixes #61436.
See #58893.
Built from https://develop.svn.wordpress.org/trunk@58974
git-svn-id: http://core.svn.wordpress.org/trunk@58370 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Automatically create a JPEG version of uploaded HEIC images if the server has
a version of Imagick that supports HEIC. Conversion is done silently through
the existing `WP_Image_Editor` infrastructure that creates multiple sizes of
uploaded images.
This allows users to view HEIC images in WP Admin and use them in their posts
and pages regardless of whether their browser supports HEIC. Browser support
for HEIC is relatively low (only Safari) while the occurrence of HEIC images is
relatively common. The original HEIC image can be downloaded via a link on
the attachment page.
Props adamsilverstein, noisysocks, swissspidy, spacedmonkey, peterwilsoncc.
Fixes #53645.
Built from https://develop.svn.wordpress.org/trunk@58849
git-svn-id: http://core.svn.wordpress.org/trunk@58245 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add visible labels to inputs that are using placeholder attributes as a substitute for visible labeling.
Labels added or made visible on the customizer theme search, customizer widget search, customizer menu item search, customizer new page UI, the search plugins screens, the media search screens, and the classic editor link inserter.
Props afercia, joedolson, rcreators, sabernhardt.
See #40331.
Built from https://develop.svn.wordpress.org/trunk@58146
git-svn-id: http://core.svn.wordpress.org/trunk@57611 1a063a9b-81f0-0310-95a4-ce76da25c4cd