Wordpress 4.6
[autoinstalls/wordpress.git] / wp-includes / class-wp-customize-manager.php
index 9f15d31f577149c4d546e16530e54c4206e2cd3c..09e48b290cc11ed7a33d51002abcf7054a78b0e0 100644 (file)
@@ -66,6 +66,15 @@ final class WP_Customize_Manager {
         */
        public $nav_menus;
 
+       /**
+        * Methods and properties dealing with selective refresh in the Customizer preview.
+        *
+        * @since 4.5.0
+        * @access public
+        * @var WP_Customize_Selective_Refresh
+        */
+       public $selective_refresh;
+
        /**
         * Registered instances of WP_Customize_Setting.
         *
@@ -93,6 +102,15 @@ final class WP_Customize_Manager {
         */
        protected $panels = array();
 
+       /**
+        * List of core components.
+        *
+        * @since 4.5.0
+        * @access protected
+        * @var array
+        */
+       protected $components = array( 'widgets', 'nav_menus' );
+
        /**
         * Registered instances of WP_Customize_Section.
         *
@@ -224,11 +242,11 @@ final class WP_Customize_Manager {
                require_once( ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-setting.php' );
 
                /**
-                * Filter the core Customizer components to load.
+                * Filters the core Customizer components to load.
                 *
                 * This allows Core components to be excluded from being instantiated by
                 * filtering them out of the array. Note that this filter generally runs
-                * during the <code>plugins_loaded</code> action, so it cannot be added
+                * during the {@see 'plugins_loaded'} action, so it cannot be added
                 * in a theme.
                 *
                 * @since 4.4.0
@@ -238,13 +256,17 @@ final class WP_Customize_Manager {
                 * @param array                $components List of core components to load.
                 * @param WP_Customize_Manager $this       WP_Customize_Manager instance.
                 */
-               $components = apply_filters( 'customize_loaded_components', array( 'widgets', 'nav_menus' ), $this );
+               $components = apply_filters( 'customize_loaded_components', $this->components, $this );
+
+               require_once( ABSPATH . WPINC . '/customize/class-wp-customize-selective-refresh.php' );
+               $this->selective_refresh = new WP_Customize_Selective_Refresh( $this );
 
-               if ( in_array( 'widgets', $components ) ) {
+               if ( in_array( 'widgets', $components, true ) ) {
                        require_once( ABSPATH . WPINC . '/class-wp-customize-widgets.php' );
                        $this->widgets = new WP_Customize_Widgets( $this );
                }
-               if ( in_array( 'nav_menus', $components ) ) {
+
+               if ( in_array( 'nav_menus', $components, true ) ) {
                        require_once( ABSPATH . WPINC . '/class-wp-customize-nav-menus.php' );
                        $this->nav_menus = new WP_Customize_Nav_Menus( $this );
                }
@@ -283,14 +305,14 @@ final class WP_Customize_Manager {
        }
 
        /**
-        * Return true if it's an AJAX request.
+        * Return true if it's an Ajax request.
         *
         * @since 3.4.0
         * @since 4.2.0 Added `$action` param.
         * @access public
         *
-        * @param string|null $action Whether the supplied AJAX action is being run.
-        * @return bool True if it's an AJAX request, false otherwise.
+        * @param string|null $action Whether the supplied Ajax action is being run.
+        * @return bool True if it's an Ajax request, false otherwise.
         */
        public function doing_ajax( $action = null ) {
                $doing_ajax = ( defined( 'DOING_AJAX' ) && DOING_AJAX );
@@ -311,11 +333,11 @@ final class WP_Customize_Manager {
 
        /**
         * Custom wp_die wrapper. Returns either the standard message for UI
-        * or the AJAX message.
+        * or the Ajax message.
         *
         * @since 3.4.0
         *
-        * @param mixed $ajax_message AJAX return
+        * @param mixed $ajax_message Ajax return
         * @param mixed $message UI message
         */
        protected function wp_die( $ajax_message, $message = null ) {
@@ -331,7 +353,7 @@ final class WP_Customize_Manager {
        }
 
        /**
-        * Return the AJAX wp_die() handler if it's a customized request.
+        * Return the Ajax wp_die() handler if it's a customized request.
         *
         * @since 3.4.0
         *
@@ -365,7 +387,7 @@ final class WP_Customize_Manager {
                show_admin_bar( false );
 
                if ( ! current_user_can( 'customize' ) ) {
-                       $this->wp_die( -1, __( 'You are not allowed to customize the appearance of this site.' ) );
+                       $this->wp_die( -1, __( 'Sorry, you are not allowed to customize this site.' ) );
                }
 
                $this->original_stylesheet = get_stylesheet();
@@ -379,7 +401,7 @@ final class WP_Customize_Manager {
                        // If the requested theme is not the active theme and the user doesn't have the
                        // switch_themes cap, bail.
                        if ( ! current_user_can( 'switch_themes' ) ) {
-                               $this->wp_die( -1, __( 'You are not allowed to edit theme options on this site.' ) );
+                               $this->wp_die( -1, __( 'Sorry, you are not allowed to edit theme options on this site.' ) );
                        }
 
                        // If the theme has errors while loading, bail.
@@ -402,7 +424,7 @@ final class WP_Customize_Manager {
         * @since 3.4.0
         */
        public function after_setup_theme() {
-               $doing_ajax_or_is_customized = ( $this->doing_ajax() || isset( $_SERVER['customized'] ) );
+               $doing_ajax_or_is_customized = ( $this->doing_ajax() || isset( $_POST['customized'] ) );
                if ( ! $doing_ajax_or_is_customized && ! validate_current_theme() ) {
                        wp_redirect( 'themes.php?broken=true' );
                        exit;
@@ -587,7 +609,7 @@ final class WP_Customize_Manager {
        }
 
        /**
-        * Prevents AJAX requests from following redirects when previewing a theme
+        * Prevents Ajax requests from following redirects when previewing a theme
         * by issuing a 200 response instead of a 30x.
         *
         * Instead, the JS will sniff out the location header.
@@ -629,22 +651,37 @@ final class WP_Customize_Manager {
        }
 
        /**
-        * Return the sanitized value for a given setting from the request's POST data.
+        * Returns the sanitized value for a given setting from the request's POST data.
         *
         * @since 3.4.0
-        * @since 4.1.1 Introduced 'default' parameter.
+        * @since 4.1.1 Introduced the `$default` parameter.
+        * @since 4.6.0 `$default` is now returned early when the setting post value is invalid.
+        * @access public
+        *
+        * @see WP_REST_Server::dispatch()
+        * @see WP_Rest_Request::sanitize_params()
+        * @see WP_Rest_Request::has_valid_params()
         *
-        * @param WP_Customize_Setting $setting A WP_Customize_Setting derived object
-        * @param mixed $default value returned $setting has no post value (added in 4.2.0).
-        * @return string|mixed $post_value Sanitized value or the $default provided
+        * @param WP_Customize_Setting $setting A WP_Customize_Setting derived object.
+        * @param mixed                $default Value returned $setting has no post value (added in 4.2.0)
+        *                                      or the post value is invalid (added in 4.6.0).
+        * @return string|mixed $post_value Sanitized value or the $default provided.
         */
        public function post_value( $setting, $default = null ) {
                $post_values = $this->unsanitized_post_values();
-               if ( array_key_exists( $setting->id, $post_values ) ) {
-                       return $setting->sanitize( $post_values[ $setting->id ] );
-               } else {
+               if ( ! array_key_exists( $setting->id, $post_values ) ) {
+                       return $default;
+               }
+               $value = $post_values[ $setting->id ];
+               $valid = $setting->validate( $value );
+               if ( is_wp_error( $valid ) ) {
                        return $default;
                }
+               $value = $setting->sanitize( $value );
+               if ( is_null( $value ) || is_wp_error( $value ) ) {
+                       return $default;
+               }
+               return $value;
        }
 
        /**
@@ -663,7 +700,7 @@ final class WP_Customize_Manager {
                /**
                 * Announce when a specific setting's unsanitized post value has been set.
                 *
-                * Fires when the {@see WP_Customize_Manager::set_post_value()} method is called.
+                * Fires when the WP_Customize_Manager::set_post_value() method is called.
                 *
                 * The dynamic portion of the hook name, `$setting_id`, refers to the setting ID.
                 *
@@ -677,9 +714,9 @@ final class WP_Customize_Manager {
                /**
                 * Announce when any setting's unsanitized post value has been set.
                 *
-                * Fires when the {@see WP_Customize_Manager::set_post_value()} method is called.
+                * Fires when the WP_Customize_Manager::set_post_value() method is called.
                 *
-                * This is useful for <code>WP_Customize_Setting</code> instances to watch
+                * This is useful for `WP_Customize_Setting` instances to watch
                 * in order to update a cached previewed value.
                 *
                 * @since 4.4.0
@@ -727,7 +764,7 @@ final class WP_Customize_Manager {
 
        /**
         * Prevent sending a 404 status when returning the response for the customize
-        * preview, since it causes the jQuery AJAX to fail. Send 200 instead.
+        * preview, since it causes the jQuery Ajax to fail. Send 200 instead.
         *
         * @since 4.0.0
         * @access public
@@ -791,20 +828,29 @@ final class WP_Customize_Manager {
         * @since 3.4.0
         */
        public function customize_preview_settings() {
+               $setting_validities = $this->validate_setting_values( $this->unsanitized_post_values() );
+               $exported_setting_validities = array_map( array( $this, 'prepare_setting_validity_for_js' ), $setting_validities );
+
                $settings = array(
+                       'theme' => array(
+                               'stylesheet' => $this->get_stylesheet(),
+                               'active'     => $this->is_theme_active(),
+                       ),
+                       'url' => array(
+                               'self' => empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ),
+                       ),
                        'channel' => wp_unslash( $_POST['customize_messenger_channel'] ),
                        'activePanels' => array(),
                        'activeSections' => array(),
                        'activeControls' => array(),
+                       'settingValidities' => $exported_setting_validities,
+                       'nonce' => $this->get_nonces(),
+                       'l10n' => array(
+                               'shiftClickToEdit' => __( 'Shift-click to edit this element.' ),
+                       ),
+                       '_dirty' => array_keys( $this->unsanitized_post_values() ),
                );
 
-               if ( 2 == $this->nonce_tick ) {
-                       $settings['nonce'] = array(
-                               'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ),
-                               'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() )
-                       );
-               }
-
                foreach ( $this->panels as $panel_id => $panel ) {
                        if ( $panel->check_capabilities() ) {
                                $settings['activePanels'][ $panel_id ] = $panel->active();
@@ -866,8 +912,8 @@ final class WP_Customize_Manager {
         *
         * @since 3.4.0
         *
-        * @param mixed $return Value passed through for wp_die_handler filter.
-        * @return mixed Value passed through for wp_die_handler filter.
+        * @param mixed $return Value passed through for {@see 'wp_die_handler'} filter.
+        * @return mixed Value passed through for {@see 'wp_die_handler'} filter.
         */
        public function remove_preview_signature( $return = null ) {
                remove_action( 'shutdown', array( $this, 'customize_preview_signature' ), 1000 );
@@ -931,7 +977,7 @@ final class WP_Customize_Manager {
        }
 
        /**
-        * Filter the current theme and return the name of the previewed theme.
+        * Filters the current theme and return the name of the previewed theme.
         *
         * @since 3.4.0
         *
@@ -942,6 +988,83 @@ final class WP_Customize_Manager {
                return $this->theme()->display('Name');
        }
 
+       /**
+        * Validates setting values.
+        *
+        * Sanitization is applied to the values before being passed for validation.
+        * Validation is skipped for unregistered settings or for values that are
+        * already null since they will be skipped anyway.
+        *
+        * @since 4.6.0
+        * @access public
+        *
+        * @see WP_REST_Request::has_valid_params()
+        * @see WP_Customize_Setting::validate()
+        *
+        * @param array $setting_values Mapping of setting IDs to values to sanitize and validate.
+        * @return array Mapping of setting IDs to return value of validate method calls, either `true` or `WP_Error`.
+        */
+       public function validate_setting_values( $setting_values ) {
+               $validities = array();
+               foreach ( $setting_values as $setting_id => $unsanitized_value ) {
+                       $setting = $this->get_setting( $setting_id );
+                       if ( ! $setting || is_null( $unsanitized_value ) ) {
+                               continue;
+                       }
+                       $validity = $setting->validate( $unsanitized_value );
+                       if ( ! is_wp_error( $validity ) ) {
+                               $value = $setting->sanitize( $unsanitized_value );
+                               if ( is_null( $value ) ) {
+                                       $validity = false;
+                               } elseif ( is_wp_error( $value ) ) {
+                                       $validity = $value;
+                               }
+                       }
+                       if ( false === $validity ) {
+                               $validity = new WP_Error( 'invalid_value', __( 'Invalid value.' ) );
+                       }
+                       $validities[ $setting_id ] = $validity;
+               }
+               return $validities;
+       }
+
+       /**
+        * Prepares setting validity for exporting to the client (JS).
+        *
+        * Converts `WP_Error` instance into array suitable for passing into the
+        * `wp.customize.Notification` JS model.
+        *
+        * @since 4.6.0
+        * @access public
+        *
+        * @param true|WP_Error $validity Setting validity.
+        * @return true|array If `$validity` was a WP_Error, the error codes will be array-mapped
+        *                    to their respective `message` and `data` to pass into the
+        *                    `wp.customize.Notification` JS model.
+        */
+       public function prepare_setting_validity_for_js( $validity ) {
+               if ( is_wp_error( $validity ) ) {
+                       $notification = array();
+                       foreach ( $validity->errors as $error_code => $error_messages ) {
+                               $error_data = $validity->get_error_data( $error_code );
+                               if ( is_null( $error_data ) ) {
+                                       $error_data = array();
+                               }
+                               $error_data = array_merge(
+                                       $error_data,
+                                       array( 'from_server' => true )
+                               );
+                               $notification[ $error_code ] = array(
+                                       'message' => join( ' ', $error_messages ),
+                                       'data' => $error_data,
+                               );
+                       }
+                       return $notification;
+               } else {
+                       return true;
+               }
+       }
+
        /**
         * Switch the theme and trigger the save() method on each setting.
         *
@@ -957,6 +1080,34 @@ final class WP_Customize_Manager {
                        wp_send_json_error( 'invalid_nonce' );
                }
 
+               /**
+                * Fires before save validation happens.
+                *
+                * Plugins can add just-in-time {@see 'customize_validate_{$this->ID}'} filters
+                * at this point to catch any settings registered after `customize_register`.
+                * The dynamic portion of the hook name, `$this->ID` refers to the setting ID.
+                *
+                * @since 4.6.0
+                *
+                * @param WP_Customize_Manager $this WP_Customize_Manager instance.
+                */
+               do_action( 'customize_save_validation_before', $this );
+
+               // Validate settings.
+               $setting_validities = $this->validate_setting_values( $this->unsanitized_post_values() );
+               $invalid_setting_count = count( array_filter( $setting_validities, 'is_wp_error' ) );
+               $exported_setting_validities = array_map( array( $this, 'prepare_setting_validity_for_js' ), $setting_validities );
+               if ( $invalid_setting_count > 0 ) {
+                       $response = array(
+                               'setting_validities' => $exported_setting_validities,
+                               'message' => sprintf( _n( 'There is %s invalid setting.', 'There are %s invalid settings.', $invalid_setting_count ), number_format_i18n( $invalid_setting_count ) ),
+                       );
+
+                       /** This filter is documented in wp-includes/class-wp-customize-manager.php */
+                       $response = apply_filters( 'customize_save_response', $response, $this );
+                       wp_send_json_error( $response );
+               }
+
                // Do we have to switch themes?
                if ( ! $this->is_theme_active() ) {
                        // Temporarily stop previewing the theme to allow switch_themes()
@@ -990,8 +1141,12 @@ final class WP_Customize_Manager {
                 */
                do_action( 'customize_save_after', $this );
 
+               $data = array(
+                       'setting_validities' => $exported_setting_validities,
+               );
+
                /**
-                * Filter response data for a successful customize_save AJAX request.
+                * Filters response data for a successful customize_save Ajax request.
                 *
                 * This filter does not apply if there was a nonce or authentication failure.
                 *
@@ -1001,7 +1156,7 @@ final class WP_Customize_Manager {
                 *                                   event on `wp.customize`.
                 * @param WP_Customize_Manager $this WP_Customize_Manager instance.
                 */
-               $response = apply_filters( 'customize_save_response', array(), $this );
+               $response = apply_filters( 'customize_save_response', $data, $this );
                wp_send_json_success( $response );
        }
 
@@ -1015,40 +1170,38 @@ final class WP_Customize_Manager {
                        wp_send_json_error( 'not_preview' );
                }
 
-               $nonces = array(
-                       'save'    => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ),
-                       'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() ),
-               );
-
-               /**
-                * Filter nonces for a customize_refresh_nonces AJAX request.
-                *
-                * @since 4.2.0
-                *
-                * @param array                $nonces Array of refreshed nonces for save and
-                *                                     preview actions.
-                * @param WP_Customize_Manager $this   WP_Customize_Manager instance.
-                */
-               $nonces = apply_filters( 'customize_refresh_nonces', $nonces, $this );
-               wp_send_json_success( $nonces );
+               wp_send_json_success( $this->get_nonces() );
        }
 
        /**
         * Add a customize setting.
         *
         * @since 3.4.0
+        * @since 4.5.0 Return added WP_Customize_Setting instance.
+        * @access public
         *
-        * @param WP_Customize_Setting|string $id Customize Setting object, or ID.
-        * @param array $args                     Setting arguments; passed to WP_Customize_Setting
-        *                                        constructor.
+        * @param WP_Customize_Setting|string $id   Customize Setting object, or ID.
+        * @param array                       $args Setting arguments; passed to WP_Customize_Setting
+        *                                          constructor.
+        * @return WP_Customize_Setting             The instance of the setting that was added.
         */
        public function add_setting( $id, $args = array() ) {
                if ( $id instanceof WP_Customize_Setting ) {
                        $setting = $id;
                } else {
-                       $setting = new WP_Customize_Setting( $this, $id, $args );
+                       $class = 'WP_Customize_Setting';
+
+                       /** This filter is documented in wp-includes/class-wp-customize-manager.php */
+                       $args = apply_filters( 'customize_dynamic_setting_args', $args, $id );
+
+                       /** This filter is documented in wp-includes/class-wp-customize-manager.php */
+                       $class = apply_filters( 'customize_dynamic_setting_class', $class, $id, $args );
+
+                       $setting = new $class( $this, $id, $args );
                }
+
                $this->settings[ $setting->id ] = $setting;
+               return $setting;
        }
 
        /**
@@ -1056,11 +1209,12 @@ final class WP_Customize_Manager {
         * that have no corresponding setting created.
         *
         * This is a mechanism to "wake up" settings that have been dynamically created
-        * on the frontend and have been sent to WordPress in `$_POST['customized']`. When WP
+        * on the front end and have been sent to WordPress in `$_POST['customized']`. When WP
         * loads, the dynamically-created settings then will get created and previewed
         * even though they are not directly created statically with code.
         *
         * @since 4.2.0
+        * @access public
         *
         * @param array $setting_ids The setting IDs to add.
         * @return array The WP_Customize_Setting objects added.
@@ -1077,7 +1231,7 @@ final class WP_Customize_Manager {
                        $setting_class = 'WP_Customize_Setting';
 
                        /**
-                        * Filter a dynamic setting's constructor args.
+                        * Filters a dynamic setting's constructor args.
                         *
                         * For a dynamic setting to be registered, this filter must be employed
                         * to override the default false value with an array of args to pass to
@@ -1141,10 +1295,13 @@ final class WP_Customize_Manager {
         * Add a customize panel.
         *
         * @since 4.0.0
+        * @since 4.5.0 Return added WP_Customize_Panel instance.
         * @access public
         *
         * @param WP_Customize_Panel|string $id   Customize Panel object, or Panel ID.
         * @param array                     $args Optional. Panel arguments. Default empty array.
+        *
+        * @return WP_Customize_Panel             The instance of the panel that was added.
         */
        public function add_panel( $id, $args = array() ) {
                if ( $id instanceof WP_Customize_Panel ) {
@@ -1154,6 +1311,7 @@ final class WP_Customize_Manager {
                }
 
                $this->panels[ $panel->id ] = $panel;
+               return $panel;
        }
 
        /**
@@ -1180,6 +1338,16 @@ final class WP_Customize_Manager {
         * @param string $id Panel ID to remove.
         */
        public function remove_panel( $id ) {
+               // Removing core components this way is _doing_it_wrong().
+               if ( in_array( $id, $this->components, true ) ) {
+                       /* translators: 1: panel id, 2: link to 'customize_loaded_components' filter reference */
+                       $message = sprintf( __( 'Removing %1$s manually will cause PHP warnings. Use the %2$s filter instead.' ),
+                               $id,
+                               '<a href="' . esc_url( 'https://developer.wordpress.org/reference/hooks/customize_loaded_components/' ) . '"><code>customize_loaded_components</code></a>'
+                       );
+
+                       _doing_it_wrong( __METHOD__, $message, '4.5.0' );
+               }
                unset( $this->panels[ $id ] );
        }
 
@@ -1216,9 +1384,13 @@ final class WP_Customize_Manager {
         * Add a customize section.
         *
         * @since 3.4.0
+        * @since 4.5.0 Return added WP_Customize_Section instance.
+        * @access public
         *
         * @param WP_Customize_Section|string $id   Customize Section object, or Section ID.
         * @param array                       $args Section arguments.
+        *
+        * @return WP_Customize_Section             The instance of the section that was added.
         */
        public function add_section( $id, $args = array() ) {
                if ( $id instanceof WP_Customize_Section ) {
@@ -1226,7 +1398,9 @@ final class WP_Customize_Manager {
                } else {
                        $section = new WP_Customize_Section( $this, $id, $args );
                }
+
                $this->sections[ $section->id ] = $section;
+               return $section;
        }
 
        /**
@@ -1286,10 +1460,13 @@ final class WP_Customize_Manager {
         * Add a customize control.
         *
         * @since 3.4.0
+        * @since 4.5.0 Return added WP_Customize_Control instance.
+        * @access public
         *
         * @param WP_Customize_Control|string $id   Customize Control object, or ID.
         * @param array                       $args Control arguments; passed to WP_Customize_Control
         *                                          constructor.
+        * @return WP_Customize_Control             The instance of the control that was added.
         */
        public function add_control( $id, $args = array() ) {
                if ( $id instanceof WP_Customize_Control ) {
@@ -1297,7 +1474,9 @@ final class WP_Customize_Manager {
                } else {
                        $control = new WP_Customize_Control( $this, $id, $args );
                }
+
                $this->controls[ $control->id ] = $control;
+               return $control;
        }
 
        /**
@@ -1333,7 +1512,7 @@ final class WP_Customize_Manager {
         * @access public
         *
         * @param string $control Name of a custom control which is a subclass of
-        *                        {@see WP_Customize_Control}.
+        *                        WP_Customize_Control.
         */
        public function register_control_type( $control ) {
                $this->registered_control_types[] = $control;
@@ -1347,9 +1526,20 @@ final class WP_Customize_Manager {
         */
        public function render_control_templates() {
                foreach ( $this->registered_control_types as $control_type ) {
-                       $control = new $control_type( $this, 'temp', array() );
+                       $control = new $control_type( $this, 'temp', array(
+                               'settings' => array(),
+                       ) );
                        $control->print_template();
                }
+               ?>
+               <script type="text/html" id="tmpl-customize-control-notifications">
+                       <ul>
+                               <# _.each( data.notifications, function( notification ) { #>
+                                       <li class="notice notice-{{ notification.type || 'info' }} {{ data.altNotice ? 'notice-alt' : '' }}" data-code="{{ notification.code }}" data-type="{{ notification.type }}">{{ notification.message || notification.code }}</li>
+                               <# } ); #>
+                       </ul>
+               </script>
+               <?php
        }
 
        /**
@@ -1489,6 +1679,7 @@ final class WP_Customize_Manager {
         * @param string $preview_url URL to be previewed.
         */
        public function set_preview_url( $preview_url ) {
+               $preview_url = esc_url_raw( $preview_url );
                $this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) );
        }
 
@@ -1520,6 +1711,7 @@ final class WP_Customize_Manager {
         * @param string $return_url URL for return link.
         */
        public function set_return_url( $return_url ) {
+               $return_url = esc_url_raw( $return_url );
                $return_url = remove_query_arg( wp_removable_query_args(), $return_url );
                $return_url = wp_validate_redirect( $return_url );
                $this->return_url = $return_url;
@@ -1535,9 +1727,11 @@ final class WP_Customize_Manager {
         */
        public function get_return_url() {
                $referer = wp_get_referer();
+               $excluded_referer_basenames = array( 'customize.php', 'wp-login.php' );
+
                if ( $this->return_url ) {
                        $return_url = $this->return_url;
-               } else if ( $referer && 'customize.php' !== basename( parse_url( $referer, PHP_URL_PATH ) ) ) {
+               } else if ( $referer && ! in_array( basename( parse_url( $referer, PHP_URL_PATH ) ), $excluded_referer_basenames, true ) ) {
                        $return_url = $referer;
                } else if ( $this->preview_url ) {
                        $return_url = $this->preview_url;
@@ -1583,6 +1777,32 @@ final class WP_Customize_Manager {
                return $this->autofocus;
        }
 
+       /**
+        * Get nonces for the Customizer.
+        *
+        * @since 4.5.0
+        * @return array Nonces.
+        */
+       public function get_nonces() {
+               $nonces = array(
+                       'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ),
+                       'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() ),
+               );
+
+               /**
+                * Filters nonces for Customizer.
+                *
+                * @since 4.2.0
+                *
+                * @param array                $nonces Array of refreshed nonces for save and
+                *                                     preview actions.
+                * @param WP_Customize_Manager $this   WP_Customize_Manager instance.
+                */
+               $nonces = apply_filters( 'customize_refresh_nonces', $nonces, $this );
+
+               return $nonces;
+       }
+
        /**
         * Print JavaScript settings for parent window.
         *
@@ -1590,10 +1810,10 @@ final class WP_Customize_Manager {
         */
        public function customize_pane_settings() {
                /*
-                * If the frontend and the admin are served from the same domain, load the
+                * If the front end and the admin are served from the same domain, load the
                 * preview over ssl if the Customizer is being loaded over ssl. This avoids
-                * insecure content warnings. This is not attempted if the admin and frontend
-                * are on different domains to avoid the case where the frontend doesn't have
+                * insecure content warnings. This is not attempted if the admin and front end
+                * are on different domains to avoid the case where the front end doesn't have
                 * ssl certs. Domain mapping plugins can allow other urls in these conditions
                 * using the customize_allowed_urls filter.
                 */
@@ -1608,7 +1828,7 @@ final class WP_Customize_Manager {
                }
 
                /**
-                * Filter the list of URLs allowed to be clicked and followed in the Customizer preview.
+                * Filters the list of URLs allowed to be clicked and followed in the Customizer preview.
                 *
                 * @since 3.4.0
                 *
@@ -1643,12 +1863,10 @@ final class WP_Customize_Manager {
                        ),
                        'panels'   => array(),
                        'sections' => array(),
-                       'nonce'    => array(
-                               'save'    => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ),
-                               'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() ),
-                       ),
-                       'autofocus' => array(),
+                       'nonce'    => $this->get_nonces(),
+                       'autofocus' => $this->get_autofocus(),
                        'documentTitleTmpl' => $this->get_document_title_template(),
+                       'previewableDevices' => $this->get_previewable_devices(),
                );
 
                // Prepare Customize Section objects to pass to JavaScript.
@@ -1670,20 +1888,6 @@ final class WP_Customize_Manager {
                        }
                }
 
-               // Pass to frontend the Customizer construct being deeplinked.
-               foreach ( $this->get_autofocus() as $type => $id ) {
-                       $can_autofocus = (
-                               ( 'control' === $type && $this->get_control( $id ) && $this->get_control( $id )->check_capabilities() )
-                               ||
-                               ( 'section' === $type && isset( $settings['sections'][ $id ] ) )
-                               ||
-                               ( 'panel' === $type && isset( $settings['panels'][ $id ] ) )
-                       );
-                       if ( $can_autofocus ) {
-                               $settings['autofocus'][ $type ] = $id;
-                       }
-               }
-
                ?>
                <script type="text/javascript">
                        var _wpCustomizeSettings = <?php echo wp_json_encode( $settings ); ?>;
@@ -1698,11 +1902,7 @@ final class WP_Customize_Manager {
                                        printf(
                                                "s[%s] = %s;\n",
                                                wp_json_encode( $setting->id ),
-                                               wp_json_encode( array(
-                                                       'value'     => $setting->js_value(),
-                                                       'transport' => $setting->transport,
-                                                       'dirty'     => $setting->dirty,
-                                               ) )
+                                               wp_json_encode( $setting->json() )
                                        );
                                }
                        }
@@ -1725,6 +1925,42 @@ final class WP_Customize_Manager {
                <?php
        }
 
+       /**
+        * Returns a list of devices to allow previewing.
+        *
+        * @access public
+        * @since 4.5.0
+        *
+        * @return array List of devices with labels and default setting.
+        */
+       public function get_previewable_devices() {
+               $devices = array(
+                       'desktop' => array(
+                               'label' => __( 'Enter desktop preview mode' ),
+                               'default' => true,
+                       ),
+                       'tablet' => array(
+                               'label' => __( 'Enter tablet preview mode' ),
+                       ),
+                       'mobile' => array(
+                               'label' => __( 'Enter mobile preview mode' ),
+                       ),
+               );
+
+               /**
+                * Filters the available devices to allow previewing in the Customizer.
+                *
+                * @since 4.5.0
+                *
+                * @see WP_Customize_Manager::get_previewable_devices()
+                *
+                * @param array $devices List of devices with labels and default setting.
+                */
+               $devices = apply_filters( 'customize_previewable_devices', $devices );
+
+               return $devices;
+       }
+
        /**
         * Register some default controls.
         *
@@ -1818,6 +2054,22 @@ final class WP_Customize_Manager {
                        'section'    => 'title_tagline',
                ) );
 
+               // Add a setting to hide header text if the theme doesn't support custom headers.
+               if ( ! current_theme_supports( 'custom-header', 'header-text' ) ) {
+                       $this->add_setting( 'header_text', array(
+                               'theme_supports'    => array( 'custom-logo', 'header-text' ),
+                               'default'           => 1,
+                               'sanitize_callback' => 'absint',
+                       ) );
+
+                       $this->add_control( 'header_text', array(
+                               'label'    => __( 'Display Site Title and Tagline' ),
+                               'section'  => 'title_tagline',
+                               'settings' => 'header_text',
+                               'type'     => 'checkbox',
+                       ) );
+               }
+
                $this->add_setting( 'site_icon', array(
                        'type'       => 'option',
                        'capability' => 'manage_options',
@@ -1826,13 +2078,49 @@ final class WP_Customize_Manager {
 
                $this->add_control( new WP_Customize_Site_Icon_Control( $this, 'site_icon', array(
                        'label'       => __( 'Site Icon' ),
-                       'description' => __( 'The Site Icon is used as a browser and app icon for your site. Icons must be square, and at least 512px wide and tall.' ),
+                       'description' => sprintf(
+                               /* translators: %s: site icon size in pixels */
+                               __( 'The Site Icon is used as a browser and app icon for your site. Icons must be square, and at least %s pixels wide and tall.' ),
+                               '<strong>512</strong>'
+                       ),
                        'section'     => 'title_tagline',
                        'priority'    => 60,
                        'height'      => 512,
                        'width'       => 512,
                ) ) );
 
+               $this->add_setting( 'custom_logo', array(
+                       'theme_supports' => array( 'custom-logo' ),
+                       'transport'      => 'postMessage',
+               ) );
+
+               $custom_logo_args = get_theme_support( 'custom-logo' );
+               $this->add_control( new WP_Customize_Cropped_Image_Control( $this, 'custom_logo', array(
+                       'label'         => __( 'Logo' ),
+                       'section'       => 'title_tagline',
+                       'priority'      => 8,
+                       'height'        => $custom_logo_args[0]['height'],
+                       'width'         => $custom_logo_args[0]['width'],
+                       'flex_height'   => $custom_logo_args[0]['flex-height'],
+                       'flex_width'    => $custom_logo_args[0]['flex-width'],
+                       'button_labels' => array(
+                               'select'       => __( 'Select logo' ),
+                               'change'       => __( 'Change logo' ),
+                               'remove'       => __( 'Remove' ),
+                               'default'      => __( 'Default' ),
+                               'placeholder'  => __( 'No logo selected' ),
+                               'frame_title'  => __( 'Select logo' ),
+                               'frame_button' => __( 'Choose logo' ),
+                       ),
+               ) ) );
+
+               $this->selective_refresh->add_partial( 'custom_logo', array(
+                       'settings'            => array( 'custom_logo' ),
+                       'selector'            => '.custom-logo-link',
+                       'render_callback'     => array( $this, '_render_custom_logo_partial' ),
+                       'container_inclusive' => true,
+               ) );
+
                /* Colors */
 
                $this->add_section( 'colors', array(
@@ -1852,7 +2140,7 @@ final class WP_Customize_Manager {
                // With custom value
                $this->add_control( 'display_header_text', array(
                        'settings' => 'header_textcolor',
-                       'label'    => __( 'Display Header Text' ),
+                       'label'    => __( 'Display Site Title and Tagline' ),
                        'section'  => 'title_tagline',
                        'type'     => 'checkbox',
                        'priority' => 40,
@@ -2062,65 +2350,24 @@ final class WP_Customize_Manager {
 
                return $color;
        }
-}
-
-/**
- * Sanitizes a hex color.
- *
- * Returns either '', a 3 or 6 digit hex color (with #), or nothing.
- * For sanitizing values without a #, see sanitize_hex_color_no_hash().
- *
- * @since 3.4.0
- *
- * @param string $color
- * @return string|void
- */
-function sanitize_hex_color( $color ) {
-       if ( '' === $color )
-               return '';
-
-       // 3 or 6 hex digits, or the empty string.
-       if ( preg_match('|^#([A-Fa-f0-9]{3}){1,2}$|', $color ) )
-               return $color;
-}
-
-/**
- * Sanitizes a hex color without a hash. Use sanitize_hex_color() when possible.
- *
- * Saving hex colors without a hash puts the burden of adding the hash on the
- * UI, which makes it difficult to use or upgrade to other color types such as
- * rgba, hsl, rgb, and html color names.
- *
- * Returns either '', a 3 or 6 digit hex color (without a #), or null.
- *
- * @since 3.4.0
- *
- * @param string $color
- * @return string|null
- */
-function sanitize_hex_color_no_hash( $color ) {
-       $color = ltrim( $color, '#' );
-
-       if ( '' === $color )
-               return '';
-
-       return sanitize_hex_color( '#' . $color ) ? $color : null;
-}
-
-/**
- * Ensures that any hex color is properly hashed.
- * Otherwise, returns value untouched.
- *
- * This method should only be necessary if using sanitize_hex_color_no_hash().
- *
- * @since 3.4.0
- *
- * @param string $color
- * @return string
- */
-function maybe_hash_hex_color( $color ) {
-       if ( $unhashed = sanitize_hex_color_no_hash( $color ) )
-               return '#' . $unhashed;
 
-       return $color;
+       /**
+        * Callback for rendering the custom logo, used in the custom_logo partial.
+        *
+        * This method exists because the partial object and context data are passed
+        * into a partial's render_callback so we cannot use get_custom_logo() as
+        * the render_callback directly since it expects a blog ID as the first
+        * argument. When WP no longer supports PHP 5.3, this method can be removed
+        * in favor of an anonymous function.
+        *
+        * @see WP_Customize_Manager::register_controls()
+        *
+        * @since 4.5.0
+        * @access private
+        *
+        * @return string Custom logo.
+        */
+       public function _render_custom_logo_partial() {
+               return get_custom_logo();
+       }
 }