Reverts the removal in [62081] now that WordPress 7.1 has forked. Restores all PHP functions, REST API endpoints, cross-origin isolation infrastructure, VIPS script module handling, build configuration, and associated tests.
Follow-up to [62081].
Props adamsilverstein, jorbin, westonruter.
Fixes #64919.
See #64906.
Built from https://develop.svn.wordpress.org/trunk@62428
git-svn-id: http://core.svn.wordpress.org/trunk@61709 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Merge `normalize_schema_empty_object_defaults()` and `strip_internal_schema_keywords()` into a single recursive `prepare_schema_for_response()` helper on `WP_REST_Abilities_V1_List_Controller`. Empty object defaults now normalize to `stdClass` at every depth — not just the top level — so nested `{}` defaults serialize consistently alongside the existing internal-keyword stripping.
Follow-up to [62221], [61244].
Props gziolo, westonruter.
See #64955.
Built from https://develop.svn.wordpress.org/trunk@62427
git-svn-id: http://core.svn.wordpress.org/trunk@61708 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Align `core/get-site-info`, `core/get-user-info`, and `core/get-environment-info` on a shared blueprint: every output property carries a Title Case `title` and a `description`, `core/get-environment-info` gains the optional `fields` input parameter the other two already accept, and `core/get-user-info` is exposed via REST. Descriptions are also tightened for programmatic consumers, and registration tests now lock the exact ordered set of property keys.
Props gziolo, westonruter.
Fixes #65355.
Built from https://develop.svn.wordpress.org/trunk@62426
git-svn-id: http://core.svn.wordpress.org/trunk@61707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In preparation for handling Unicode email addresses (non-US-ASCII
characters in the mailbox name), the `antispambot()` function needs to
be multi-byte aware so that it creates proper HTML numeric character
references and percent-encoded strings.
Previously it has been scanning the input email address byte-by-byte,
but with multibyte characters this will produce invalid sequences of the
transformations by encoding individual bytes of a multi-byte sequence as
if they were whole characters on their own.
This patch relies on the newly-polyfilled `mb_ord()` function and the
`_wp_scan_utf8()` function to crawl through an input email by code
point, assuming UTF-8 encoding. This ensures proper transformation.
Developed in: https://github.com/WordPress/wordpress-develop/pull/11567
Discussed in: https://core.trac.wordpress.org/ticket/31992
Props agulbra, akirk, benniledl, dmsnell, siliconforks.
See #65342.
Built from https://develop.svn.wordpress.org/trunk@62425
git-svn-id: http://core.svn.wordpress.org/trunk@61706 1a063a9b-81f0-0310-95a4-ce76da25c4cd
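The byte-versus-code-point problem described in the changeset above, as an added example (not WordPress core code): it encodes a constructed address into HTML numeric character references both ways and decodes the result. The function names are hypothetical, and `mb_str_split()` stands in for core's `_wp_scan_utf8()`, whose interface is not shown on this page.

```php
<?php
// Added illustration; not WordPress core code. All function names are hypothetical.

/** Byte-wise: every byte becomes its own numeric character reference. */
function example_encode_bytewise( string $email ): string {
	$out = '';
	for ( $i = 0, $len = strlen( $email ); $i < $len; $i++ ) {
		$out .= '&#' . ord( $email[ $i ] ) . ';';
	}
	return $out;
}

/** Code-point-wise: one reference per Unicode code point, assuming UTF-8 input. */
function example_encode_by_code_point( string $email ): string {
	if ( ! mb_check_encoding( $email, 'UTF-8' ) ) {
		return ''; // Refuse input that is not valid UTF-8 rather than emit garbage.
	}
	$out = '';
	foreach ( mb_str_split( $email, 1, 'UTF-8' ) as $char ) {
		$out .= '&#' . mb_ord( $char, 'UTF-8' ) . ';';
	}
	return $out;
}

/** Decodes the references the way an HTML parser would. */
function example_decode( string $html ): string {
	return html_entity_decode( $html, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Constructed sample: U+00FC occupies two bytes (0xC3 0xBC) in UTF-8.
$email = "j\u{00FC}rgen@example.com";

$bytewise      = example_encode_bytewise( $email );
$by_code_point = example_encode_by_code_point( $email );

printf( "byte-wise:       %s\n", $bytewise );
printf( "  round-trips:   %s\n", var_export( example_decode( $bytewise ) === $email, true ) );
printf( "by code point:   %s\n", $by_code_point );
printf( "  round-trips:   %s\n", var_export( example_decode( $by_code_point ) === $email, true ) );
```

The byte-wise output contains one reference for each of the two bytes of the multi-byte character, which a browser decodes as two separate characters instead of the original one.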
The `gutenberg.sha` property in the `package.json` file expects a full-length SHA value to be specified in order to download the built assets from the Gutenberg repository and include the files through the build script.
After https://github.com/WordPress/gutenberg/pull/78211, assets are now published for `pull_request` events in addition to `push` so long as the `HEAD` branch of the pull request exists in the repository and not in a fork. This makes the built assets for pull requests available for testing within `wordpress-develop` before they are merged through a `pr-###` tag on the GHCR package.
To test a given pull request, just set the `gutenberg.sha` value to the corresponding `pr-###` tag. In addition to pull request-specific tags, each `wp/X.Y`, `release/X.Y`, and `trunk` now have a tag that can be used to test the latest changes. Each time `build` or `build:dev` is called the script will attempt to confirm the latest version of the assets are present locally, pulling down the latest changes when an update is available.
All of the tags described in this changeset are mutable, so they should never be committed. Only immutable SHA values should be used for `gutenberg.sha` in commits to this repository.
This commit also adds the related JavaScript files to the TypeScript configuration file.
Props westonruter, jorbin, manhar.
Fixes #65224.
Built from https://develop.svn.wordpress.org/trunk@62422
git-svn-id: http://core.svn.wordpress.org/trunk@61703 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The variables `$mm` and `$md` had their `substr()` positions and inline comments swapped — `$mm` was extracting the day digits (position 8) while `$md` was extracting the month digits (position 5), contrary to what the comments indicated.
The output was accidentally correct because the two mistakes cancelled each other out in the `mktime()` call, but the misleading naming posed a future maintenance risk.
This commit corrects the `substr()` positions and `mktime()` argument order so that variable names, comments, and logic are all consistent.
Follow-up to [8598], [28918].
Props saratheonline, westonruter.
Fixes #65046.
Built from https://develop.svn.wordpress.org/trunk@62421
git-svn-id: http://core.svn.wordpress.org/trunk@61702 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Extends `wp_get_abilities()` with an optional `$args` array, giving callers a shared primitive for filtering registered abilities by `category`, `namespace`, or `meta`. Two callback slots — `item_include_callback` (per ability) and `result_callback` (on the full matched array) — round out the caller-scoped pipeline.
Two new filters, `wp_get_abilities_item_include` and `wp_get_abilities_result`, expose ecosystem-scoped extension points so plugins can participate in ability resolution without monkey-patching call sites. This replaces the ad-hoc `array_filter` passes that consumers (the REST list controller, the MCP adapter, WooCommerce) had each implemented independently.
The REST list controller now delegates to the new primitive instead of running its own post-retrieval filtering, and gains a `namespace` query parameter alongside the existing `category` filter.
Called without arguments, `wp_get_abilities()` behaves exactly as before — no backward compatibility break.
Props sheldorofazeroth, gziolo.
Fixes #64990.
Built from https://develop.svn.wordpress.org/trunk@62420
git-svn-id: http://core.svn.wordpress.org/trunk@61701 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Extends the `core/get-user-info` ability with additional profile fields (`first_name`, `last_name`, `nickname`, `description`, `user_url`) and a new optional `fields` input parameter that lets callers limit the response to a specific subset.
The output schema now documents each property with a `title` and `description`, mirroring the user profile form labels where they apply and aligning the descriptions with the WP REST API user schema voice.
Also ensures `roles` is encoded as a JSON array regardless of the underlying PHP array keys.
Props sukhendu2002, apermo, gziolo.
Fixes #65234.
Built from https://develop.svn.wordpress.org/trunk@62419
git-svn-id: http://core.svn.wordpress.org/trunk@61700 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduces a new `wp_ability_invoked` action that fires at the start of `WP_Ability::execute()`, before input normalization, validation, or permission checks. This gives observers a reliable entry point for every invocation regardless of outcome (short-circuit, validation failure, permission denial, or successful execution).
Also extends the existing `wp_before_execute_ability` and `wp_after_execute_ability` actions with a new `$ability` parameter exposing the `WP_Ability` instance.
Follow-up for #64989.
Props sukhendu2002, peterwilsoncc, gziolo.
Fixes #65248.
Built from https://develop.svn.wordpress.org/trunk@62418
git-svn-id: http://core.svn.wordpress.org/trunk@61699 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When WP_ENVIRONMENT_TYPE is not `production`, disable pingbacks and trackbacks.
Otherwise, when `WP_ENVIRONMENT_TYPE` is `local`, `development`, or `staging`, pingbacks and trackbacks are sent when posts are published. This creates confusion on the receiving end and is unnecessary for testing workflows.
Props arcangelini, cagrimmett, ramonopoly, tyxla, khushipatel15.
Fixes #64837.
Built from https://develop.svn.wordpress.org/trunk@62417
git-svn-id: http://core.svn.wordpress.org/trunk@61698 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`to_ruleset` used string concatenation (`$element['name'] . ': ' . $element['value'] . ';'`), so PHP implicitly coerced non-string values (e.g. booleans → `'1'`/`''`, arrays → `'Array'`). That could emit invalid or misleading CSS.
At the same time, pass a `style` theme.json path in `test_get_styles_with_appearance_tools()` to simulate a style node. Before it was `settings`.
Props ramonopoly, andrewserong, isabel_brison.
Fixes #64848.
--This line, and those below, will be ignored--
M src/wp-includes/class-wp-theme-json.php
M tests/phpunit/tests/theme/wpThemeJson.php
Built from https://develop.svn.wordpress.org/trunk@62415
git-svn-id: http://core.svn.wordpress.org/trunk@61696 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This brings the QUnit tests in line with the e2e and performance tests that switched to Playwright in #59517.
This removes the `puppeteer` dependency, but `puppeteer-core` remains a transitive dependency due to `wp-scripts` and `lighthouse`.
See #64894
Built from https://develop.svn.wordpress.org/trunk@62411
git-svn-id: http://core.svn.wordpress.org/trunk@61692 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This corrects an oversight in an optimization made to `print_emoji_detection_script()` which moved the emoji detection script to the `wp_print_footer_scripts` action. Since this action doesn't fire in the admin, no script was printed. Now in the admin, the script is printed at the `admin_print_footer_scripts` action. Existing sites that wish to omit emoji can continue to do `remove_action( 'admin_print_scripts', 'print_emoji_detection_script' )`.
Tests are added covering all four branches of `print_emoji_detection_script()`: hooking the script onto the appropriate footer action, and printing it directly when that action has already fired, in both the admin and the frontend.
Missing parameter and return types are added to the `get_echo()` test helper.
Developed in https://github.com/WordPress/wordpress-develop/pull/11931.
Follow-up to r60902.
Props westonruter, jonsurrell.
See #64076, #65260.
Fixes #65310.
Built from https://develop.svn.wordpress.org/trunk@62410
git-svn-id: http://core.svn.wordpress.org/trunk@61691 1a063a9b-81f0-0310-95a4-ce76da25c4cd
PCOV is a dedicated coverage reporting tool that performs significantly faster than Xdebug in coverage mode. This reduces the time that tests with coverage enabled take to run by around 50%.
This also removes the HTML report generation which was producing unusable artifacts in excess of 7 GB in size.
Props johnbillion, desrosj, swissspidy
See #64893
Built from https://develop.svn.wordpress.org/trunk@62409
git-svn-id: http://core.svn.wordpress.org/trunk@61690 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Also use `spl_object_id()` similarly when registering and unregistering classic widgets.
* Improve typing and phpdoc in `_wp_filter_build_unique_id()`. Return `null` for malformed callbacks.
* Add tests for `_wp_filter_build_unique_id()`.
* Improve type safety of `WP_Hook::add_filter()` in case an invalid callback is provided for parity with `::has_filter()` and `::remove_filter()`.
Developed in https://github.com/WordPress/wordpress-develop/pull/11865
Follow-up to r46220, r46801, r60179.
Props bor0, westonruter, SergeyBiryukov, schlessera, arshidkv12, knutsp, spacedmonkey, swissspidy.
See #64898.
Fixes #58291.
Built from https://develop.svn.wordpress.org/trunk@62408
git-svn-id: http://core.svn.wordpress.org/trunk@61689 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Recent attempts to change the `BASE_TAG` version in the Performance Testing workflows in [60324] and [62402] have failed due to memory exhaustion errors when trying to download the version using WP-CLI in the local Docker environment.
While the performance tests are run within the Docker environment, there’s no hard requirement for the `wp core download` command to happen through the `wordpressdevelop/cli` container. This adjusts the workflow to perform the failing WP-CLI call within the GitHub Action runner and outside of Docker to avoid the memory exhaustion issue.
Props westonruter, swissspidy.
Fixes #65289.
Built from https://develop.svn.wordpress.org/trunk@62406
git-svn-id: http://core.svn.wordpress.org/trunk@61687 1a063a9b-81f0-0310-95a4-ce76da25c4cd
These are redundant: `WP_UnitTestCase_Base::tear_down()` runs `::_restore_hooks()`, which restores `$wp_filter`/`$wp_actions` to a pre-test baseline, so hooks added during a test are removed automatically.
Follow-up to [61032].
Props mohamedahamed, gziolo, westonruter, SergeyBiryukov.
Fixes #65301.
Built from https://develop.svn.wordpress.org/trunk@62405
git-svn-id: http://core.svn.wordpress.org/trunk@61686 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This updates the following GitHub Actions to their latest versions:
- `actions/upload-artifact` from `7.0.0` to `7.0.1`
- `shivammathur/setup-php` from `2.37.0` to `2.37.1`
- `actions/setup-node` from `6.3.0` to `6.4.0`
- `actions/cache` from `5.0.4` to `5.0.5`
- `github/codeql-action` from `4.33.0` to `4.35.4`
- `slackapi/slack-github-action` from `3.0.1` to `3.0.3`
See #64893.
Built from https://develop.svn.wordpress.org/trunk@62404
git-svn-id: http://core.svn.wordpress.org/trunk@61685 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Ability names are pattern-validated at registration, so `esc_html()` on them is always a no-op. Drop it from the `WP_Error` messages, which are commonly serialized to JSON where the escaping would be incorrect.
Follow-up to [62398].
See #64311.
Built from https://develop.svn.wordpress.org/trunk@62401
git-svn-id: http://core.svn.wordpress.org/trunk@61682 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The REST run controller for the Abilities API already preserves a custom
HTTP status returned by `wp_ability_normalize_input` filter errors. Apply
the same behavior to validation errors from `wp_ability_validate_input`:
a `WP_Error` is only defaulted to a 400 status when it does not already
include one.
The shared defaulting logic is extracted into a new private
`ensure_error_status()` helper and reused for both normalization and
validation errors.
Follow-up to [62398].
See #64311.
Built from https://develop.svn.wordpress.org/trunk@62399
git-svn-id: http://core.svn.wordpress.org/trunk@61680 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduce the `wp_ability_validate_input` and `wp_ability_validate_output` filters so developers can layer custom validation on top of the default JSON
Schema checks, either augmenting an existing WP_Error or rejecting otherwise valid data.
Props priethor, gziolo, westonruter, enej.
Fixes #64311.
Built from https://develop.svn.wordpress.org/trunk@62398
git-svn-id: http://core.svn.wordpress.org/trunk@61679 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Introduce four filters that give plugins hook points across the ability execution lifecycle, complementing the existing observation-only actions
(`wp_before_execute_ability`, `wp_after_execute_ability`):
- `wp_pre_execute_ability`: short-circuits `execute()` when it returns a value other than the supplied default.
- `wp_ability_normalize_input`: transforms input inside `normalize_input()`, and returning `WP_Error` halts execution.
- `wp_ability_permission_result`: overrides the `permission_callback` result inside `check_permissions()`, consistently for `execute()` and direct callers.
- `wp_ability_execute_result`: transforms the result inside `do_execute()` before output validation, and can recover from execute callback failures.
The input and result filters fire before their respective schema validation steps, so `validate_input()` and `validate_output()` remain the final integrity gates. Only `wp_pre_execute_ability` can bypass validation, with the caller owning the returned value's shape.
Add `WP_Filter_Sentinel`, a reusable marker class loaded alongside `WP_Hook`, whose per-instance identity lets a filter default be distinguished from any
user value — including `null`, `false`, or arbitrary objects — via `===`.
Update `WP_REST_Abilities_V1_Run_Controller::check_ability_permissions()` to propagate `WP_Error` results from `normalize_input()` directly, defaulting to
status 400 while preserving filter-set statuses (e.g. 422, 429).
Props gziolo, westonruter, migueluy.
Fixes #64989.
Built from https://develop.svn.wordpress.org/trunk@62397
git-svn-id: http://core.svn.wordpress.org/trunk@61678 1a063a9b-81f0-0310-95a4-ce76da25c4cd
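The sentinel-default idea from the changeset above, as an added example (not WordPress core code): a fresh marker object is passed as the filter default, so `null`, `false`, or even another marker instance returned by a callback counts as a deliberate short-circuit. `Example_Sentinel`, `example_run_pre_execute()` and `example_execute()` are hypothetical stand-ins that use plain callables instead of the hooks API.

```php
<?php
// Added illustration; not WordPress core code. All names are hypothetical.

final class Example_Sentinel {}

/**
 * Runs the pre-execute callbacks in order.
 * Returns array( bool $short_circuited, mixed $value ).
 */
function example_run_pre_execute( array $callbacks, $input ): array {
	$default = new Example_Sentinel(); // Fresh instance per call: identity is the marker.
	$value   = $default;
	foreach ( $callbacks as $callback ) {
		$value = $callback( $value, $input );
	}
	// Only the exact same object means "nobody short-circuited".
	if ( $value === $default ) {
		return array( false, null );
	}
	return array( true, $value );
}

/** Toy ability: doubles an integer after validating the input. */
function example_execute( array $callbacks, $input ) {
	list( $short_circuited, $value ) = example_run_pre_execute( $callbacks, $input );
	if ( $short_circuited ) {
		return $value; // Validation is skipped; the callback owns the value's shape.
	}
	if ( ! is_int( $input ) ) {
		return 'invalid_input';
	}
	return $input * 2;
}

// Constructed callbacks.
$pass_through  = function ( $value, $input ) { return $value; };
$return_null   = function ( $value, $input ) { return null; };
$return_false  = function ( $value, $input ) { return false; };
$other_marker  = function ( $value, $input ) { return new Example_Sentinel(); };

var_dump( example_execute( array(), 21 ) );                  // No callbacks: ability runs.
var_dump( example_execute( array( $pass_through ), 21 ) );   // Default returned: ability runs.
var_dump( example_execute( array( $return_null ), 21 ) );    // null is a real short-circuit value.
var_dump( example_execute( array( $return_false ), 'x' ) );  // false short-circuits before validation.
var_dump( example_execute( array( $other_marker ), 21 ) );   // Different instance: short-circuit.
```

A comparison against `null` or `false` as the default could not tell the third and fourth calls apart from "no callback intervened", which matters here because the short-circuit path is the one that skips validation.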
The `core/get-site-info` ability resolved the `language` field via `get_bloginfo( 'language' )`, which runs through `determine_locale()` and can return the current user's locale in the admin context. As a site-level ability, the `language` field should consistently represent the site locale. Use `get_locale()` (with `_` normalized to `-`) instead so the value reflects the site locale regardless of the requesting user.
Props iamadisingh, afercia, audrasjb, yusufmudagal, r1k0, gziolo.
Fixes #64977.
Built from https://develop.svn.wordpress.org/trunk@62396
git-svn-id: http://core.svn.wordpress.org/trunk@61677 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset reverts a negative `-4px` margin on `#poststuff #post-body` introduced in [61646].
Follow-up to [61646], [61759], [62284].
Props TobiasBg, umeshnevase, audrasjb, jadavsanjay, khokansardar, darshitrajyaguru97, gaurangsondagar.
Fixes #65141.
Built from https://develop.svn.wordpress.org/trunk@62377
git-svn-id: http://core.svn.wordpress.org/trunk@61658 1a063a9b-81f0-0310-95a4-ce76da25c4cd
A classic script with `module_dependencies` may be evaluated before the script modules import map is printed if it loads blocking in the document head, causing a "Failed to resolve module specifier" error on dynamic imports.
* Trigger `_doing_it_wrong()` from `_wp_scripts_add_args_data()` when a classic script provides `module_dependencies` without setting `in_footer` to `true` or using a `defer` loading `strategy`, and document this requirement in the `wp_register_script()` and `wp_enqueue_script()` docblocks.
* Remove the `module_dependencies` arg from the `wp-codemirror` script registration in favor of passing the espree module URL directly through `wp_get_code_editor_settings()`. This avoids registering `espree` as a publicly-available script module when it is only ever used internally as a private implementation detail of the code editor.
* Add a `console.warn()` in `wp.codeEditor.initialize()` when invoked before `DOMContentLoaded`, so developers are alerted if the function is called too early for the import map to have been parsed.
* Add PHPStan types which were missing when `module_dependencies` were initially introduced.
* Harden `WP_Scripts::add_data()` against non-string `strategy` values being passed to `sprintf()`.
Developed in https://github.com/WordPress/wordpress-develop/pull/11788
Follow-up to r61587.
Props khokansardar, westonruter, jonsurrell, jorbin.
See #61500, #64238.
Fixes #65165.
Built from https://develop.svn.wordpress.org/trunk@62368
git-svn-id: http://core.svn.wordpress.org/trunk@61649 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Short-circuits the custom CSS support filter before the more expensive lookups so blocks without custom CSS return faster.
Replaces the regex class name parsing in `wp_render_custom_css_class_name()` with a cheap `str_contains()` guard followed by an HTML spec-compliant `strtok()` walk over the className tokens. This avoids the regex engine for the common case where no `wp-custom-css-` class is present, and correctly handles tab/form-feed/CR/LF separators as well as classes such as `my-wp-custom-css-*` that merely contain the prefix as a substring after a hyphen.
Also hardens both functions against malformed parsed blocks (non-string `className`, missing keys), tightens `@phpstan-param` array shapes, and corrects the `block_has_support()` `@param` to allow `WP_Block_Type|null`. Lastly, a `@return Generator<int, non-empty-string>` phpdoc tag is added to `WP_HTML_Tag_Processor::class_list()`.
Developed in https://github.com/WordPress/wordpress-develop/pull/11686 and https://github.com/WordPress/gutenberg/pull/78217
Follow-up to r61678.
Props mukesh27, westonruter, ramonopoly, jonsurrell.
See #64544, #64238.
Built from https://develop.svn.wordpress.org/trunk@62359
git-svn-id: http://core.svn.wordpress.org/trunk@61640 1a063a9b-81f0-0310-95a4-ce76da25c4cd
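The guard-then-token-walk approach described in the changeset above, as an added example (not the code of `wp_render_custom_css_class_name()`): a substring check alone is compared with a walk over tokens split on the HTML ASCII whitespace characters. Function names and sample values are hypothetical, and the sketch assumes PHP 8 for `str_contains()` and `str_starts_with()`.

```php
<?php
// Added illustration; not WordPress core code. All names are hypothetical.

const EXAMPLE_PREFIX     = 'wp-custom-css-';
const EXAMPLE_WHITESPACE = " \t\f\r\n"; // HTML ASCII whitespace: space, tab, FF, CR, LF.

/** Substring check alone: also true for classes that merely contain the prefix. */
function example_contains_prefix( string $class_name ): bool {
	return str_contains( $class_name, EXAMPLE_PREFIX );
}

/**
 * Cheap guard first, then a token walk. Returns the first class token that
 * starts with the prefix, or null. Non-string input is rejected up front.
 */
function example_find_custom_css_class( $class_name ): ?string {
	if ( ! is_string( $class_name ) || ! str_contains( $class_name, EXAMPLE_PREFIX ) ) {
		return null;
	}
	$token = strtok( $class_name, EXAMPLE_WHITESPACE );
	while ( false !== $token ) {
		if ( str_starts_with( $token, EXAMPLE_PREFIX ) ) {
			return $token;
		}
		$token = strtok( EXAMPLE_WHITESPACE );
	}
	return null;
}

// Constructed className values, including a malformed (non-string) one.
$samples = array(
	'alignwide wp-custom-css-abc123',
	"alignwide\twp-custom-css-abc123\nhas-text-color",
	'my-wp-custom-css-abc123',
	'alignwide has-text-color',
	array( 'wp-custom-css-abc123' ),
);

foreach ( $samples as $sample ) {
	printf(
		"%s\n  substring only: %s\n  token walk:     %s\n",
		json_encode( $sample ),
		is_string( $sample ) ? var_export( example_contains_prefix( $sample ), true ) : 'n/a',
		var_export( example_find_custom_css_class( $sample ), true )
	);
}
```

In this sketch a token such as `my-wp-custom-css-abc123` passes the substring guard but is not returned by the walk, because only tokens that begin with the prefix are accepted.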