WordPress 4.6.3-scripts wordpress-4.6.3-scripts
authorEdward Z. Yang <ezyang@cs.stanford.edu>
Thu, 26 Jan 2017 23:07:44 +0000 (15:07 -0800)
committerEdward Z. Yang <ezyang@cs.stanford.edu>
Thu, 26 Jan 2017 23:07:44 +0000 (15:07 -0800)
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
readme.html
wp-admin/about.php
wp-admin/includes/class-wp-posts-list-table.php
wp-admin/includes/class-wp-press-this.php
wp-includes/query.php
wp-includes/version.php

index b3ef500801e4649f9b1de5e3d0d43c24e33c3231..c4dee1816493bb98f05673c65d80a8245c60bb9d 100644 (file)
@@ -9,7 +9,7 @@
 <body>
 <h1 id="logo">
        <a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
-       <br /> Version 4.6.2
+       <br /> Version 4.6.3
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>
 
index f43006c7a4ccf19bd85ecb91d6234af4777e639a..5cb979df2736486e8a3aee8e667e4e20a51218e7 100644 (file)
@@ -60,6 +60,9 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
 
                <div class="changelog point-releases">
                        <h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
+                       <p><?php printf( __( '<strong>Version %s</strong> addressed some security issues.' ), '4.6.3' ); ?>
+                               <?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.6.3' ); ?>
+                       </p>
                        <p><?php printf( __( '<strong>Version %s</strong> addressed some security issues.' ), '4.6.2' ); ?>
                                <?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.6.2' ); ?>
                        </p>
index 7ef790e31a252f0e06d7ed98b72e599eab1785d0..39c2d682680cf5ef7d284d8e242a8685be37bf14 100644 (file)
@@ -939,7 +939,7 @@ class WP_Posts_List_Table extends WP_List_Table {
                }
 
                if ( ! is_post_type_hierarchical( $this->screen->post_type ) && 'excerpt' === $mode && current_user_can( 'read_post', $post->ID ) ) {
-                       the_excerpt();
+                       echo esc_html( get_the_excerpt() );
                }
 
                get_inline_data( $post );
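Review bot: The new `echo esc_html( get_the_excerpt() )` on line 41 has no comment saying why the excerpt is now emitted escaped, and the change also drops the `the_excerpt` filter chain that `the_excerpt()` applied, so a later maintainer could "restore formatting" by reverting to `the_excerpt()` and reintroduce unescaped filter output in the list table. A one-line why-comment above the echo would protect the fix: `// Output the excerpt escaped: the_excerpt() echoes filtered HTML unescaped, which is not safe in this list-table cell (changed in the 4.6.3 security release).` The enclosing method of WP_Posts_List_Table starts and ends outside the hunk.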
index a00bbaa40e7e7ff142f4437c51dd052b864e3ae3..e4e03c7c5068825b5ce82047782521384bfc1b5a 100644 (file)
@@ -119,10 +119,28 @@ class WP_Press_This {
                        'post_type'     => 'post',
                        'post_status'   => 'draft',
                        'post_format'   => ( ! empty( $_POST['post_format'] ) ) ? sanitize_text_field( $_POST['post_format'] ) : '',
-                       'tax_input'     => ( ! empty( $_POST['tax_input'] ) ) ? $_POST['tax_input'] : array(),
-                       'post_category' => ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array(),
                );
 
+               // Only accept categories if the user actually can assign
+               $category_tax = get_taxonomy( 'category' );
+               if ( current_user_can( $category_tax->cap->assign_terms ) ) {
+                       $post_data['post_category'] = ( ! empty( $_POST['post_category'] ) ) ? $_POST['post_category'] : array();
+               }
+
+               // Only accept taxonomies if the user can actually assign
+               if ( ! empty( $_POST['tax_input'] ) ) {
+                       $tax_input = $_POST['tax_input'];
+                       foreach ( $tax_input as $tax => $_ti ) {
+                               $tax_object = get_taxonomy( $tax );
+                               if ( ! $tax_object || ! current_user_can( $tax_object->cap->assign_terms ) ) {
+                                       unset( $tax_input[ $tax ] );
+                               }
+                       }
+
+                       $post_data['tax_input'] = $tax_input;
+               }
+
+               // Toggle status to pending if user cannot actually publish
                if ( ! empty( $_POST['post_status'] ) && 'publish' === $_POST['post_status'] ) {
                        if ( current_user_can( 'publish_posts' ) ) {
                                $post_data['post_status'] = 'publish';
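Review bot: The `foreach` on line 63 assumes `$_POST['tax_input']` is an array, but a scalar value passes the `! empty()` test on line 61, triggers a foreach warning instead of being filtered, and is then stored untouched in `$post_data['tax_input']` on line 70, so whatever consumes it downstream has to cope with an unexpected shape; `if ( ! empty( $_POST['tax_input'] ) && is_array( $_POST['tax_input'] ) ) {` keeps the new per-taxonomy capability filtering meaningful for every input. Separately, line 56 dereferences the result of `get_taxonomy( 'category' )` without the `! $tax_object` guard that line 65 applies to the same call; for the built-in 'category' taxonomy that is effectively unreachable, but the asymmetry is easy to copy into code for a non-built-in taxonomy, and the same unguarded shape recurs in the hunks at old lines 856 (`$taxonomy->cap->assign_terms`) and 1274 (`$categories_tax`, `$tag_tax`). `if ( $category_tax && current_user_can( $category_tax->cap->assign_terms ) ) {` would make the two checks read the same. The accepted `post_category` and `tax_input` values are passed on as-is from `$_POST`; whether they are validated further is not visible here, and the enclosing method starts and ends outside the hunk.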
@@ -455,7 +473,7 @@ class WP_Press_This {
         * @since 4.2.0
         *
         * @param string $src Embed source URL.
-        * @return string If not from a supported provider, an empty string. Otherwise, a reformattd embed URL.
+        * @return string If not from a supported provider, an empty string. Otherwise, a reformatted embed URL.
         */
        private function _limit_embed( $src ) {
                $src = $this->_limit_url( $src );
@@ -856,6 +874,12 @@ class WP_Press_This {
        public function categories_html( $post ) {
                $taxonomy = get_taxonomy( 'category' );
 
+               // Bail if user cannot assign terms
+               if ( ! current_user_can( $taxonomy->cap->assign_terms ) ) {
+                       return;
+               }
+
+               // Only show "add" if user can edit terms
                if ( current_user_can( $taxonomy->cap->edit_terms ) ) {
                        ?>
                        <button type="button" class="add-cat-toggle button-link" aria-expanded="false">
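Review bot: The early return on lines 91-93 hides everything in `categories_html()` from a user without `assign_terms`, but the hunk at old line 1274 computes `$show_categories` as `assign_terms` OR `edit_terms`, so a user holding only `edit_terms` still gets the Categories option button and the modal that calls `categories_html()` (hunk at old line 1449) and, unless a guard I cannot see covers that case, is shown a modal containing nothing but the close button. The same user also loses the "add category" button on lines 96-98, although the comment on line 95 reads as if `edit_terms` alone were meant to keep it. The two conditions should agree: either drop the `edit_terms` alternative from `$show_categories`, or make this bail narrower, e.g. `if ( ! current_user_can( $taxonomy->cap->assign_terms ) && ! current_user_can( $taxonomy->cap->edit_terms ) ) {`, and skip only the assignable list for `edit_terms`-only users. `categories_html()` continues past the end of the hunk.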
@@ -1274,6 +1298,12 @@ class WP_Press_This {
                wp_enqueue_script( 'json2' );
                wp_enqueue_script( 'editor' );
 
+               $categories_tax   = get_taxonomy( 'category' );
+               $show_categories  = current_user_can( $categories_tax->cap->assign_terms ) || current_user_can( $categories_tax->cap->edit_terms );
+
+               $tag_tax          = get_taxonomy( 'post_tag' );
+               $show_tags        = current_user_can( $tag_tax->cap->assign_terms );
+
                $supports_formats = false;
                $post_format      = 0;
 
@@ -1425,17 +1455,21 @@ class WP_Press_This {
                                        </button>
                                <?php endif; ?>
 
-                               <button type="button" class="button-link post-option">
-                                       <span class="dashicons dashicons-category"></span>
-                                       <span class="post-option-title"><?php _e( 'Categories' ); ?></span>
-                                       <span class="dashicons post-option-forward"></span>
-                               </button>
-
-                               <button type="button" class="button-link post-option">
-                                       <span class="dashicons dashicons-tag"></span>
-                                       <span class="post-option-title"><?php _e( 'Tags' ); ?></span>
-                                       <span class="dashicons post-option-forward"></span>
-                               </button>
+                               <?php if ( $show_categories ) : ?>
+                                       <button type="button" class="button-link post-option">
+                                               <span class="dashicons dashicons-category"></span>
+                                               <span class="post-option-title"><?php _e( 'Categories' ); ?></span>
+                                               <span class="dashicons post-option-forward"></span>
+                                       </button>
+                               <?php endif; ?>
+
+                               <?php if ( $show_tags ) : ?>
+                                       <button type="button" class="button-link post-option">
+                                               <span class="dashicons dashicons-tag"></span>
+                                               <span class="post-option-title"><?php _e( 'Tags' ); ?></span>
+                                               <span class="dashicons post-option-forward"></span>
+                                       </button>
+                               <?php endif; ?>
                        </div>
 
                        <?php if ( $supports_formats ) : ?>
@@ -1449,23 +1483,27 @@ class WP_Press_This {
                                </div>
                        <?php endif; ?>
 
-                       <div class="setting-modal is-off-screen is-hidden">
-                               <button type="button" class="button-link modal-close">
-                                       <span class="dashicons post-option-back"></span>
-                                       <span class="setting-title" aria-hidden="true"><?php _e( 'Categories' ); ?></span>
-                                       <span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span>
-                               </button>
-                               <?php $this->categories_html( $post ); ?>
-                       </div>
+                       <?php if ( $show_categories ) : ?>
+                               <div class="setting-modal is-off-screen is-hidden">
+                                       <button type="button" class="button-link modal-close">
+                                               <span class="dashicons post-option-back"></span>
+                                               <span class="setting-title" aria-hidden="true"><?php _e( 'Categories' ); ?></span>
+                                               <span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span>
+                                       </button>
+                                       <?php $this->categories_html( $post ); ?>
+                               </div>
+                       <?php endif; ?>
 
-                       <div class="setting-modal tags is-off-screen is-hidden">
-                               <button type="button" class="button-link modal-close">
-                                       <span class="dashicons post-option-back"></span>
-                                       <span class="setting-title" aria-hidden="true"><?php _e( 'Tags' ); ?></span>
-                                       <span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span>
-                               </button>
-                               <?php $this->tags_html( $post ); ?>
-                       </div>
+                       <?php if ( $show_tags ) : ?>
+                               <div class="setting-modal tags is-off-screen is-hidden">
+                                       <button type="button" class="button-link modal-close">
+                                               <span class="dashicons post-option-back"></span>
+                                               <span class="setting-title" aria-hidden="true"><?php _e( 'Tags' ); ?></span>
+                                               <span class="screen-reader-text"><?php _e( 'Back to post options' ) ?></span>
+                                       </button>
+                                       <?php $this->tags_html( $post ); ?>
+                               </div>
+                       <?php endif; ?>
                </div><!-- .options-panel -->
        </div><!-- .wrapper -->
 
index c5c1ae657ec0db81b56b099a24e78d3a8b9fe23a..053bd4cac3c7900ae6b13c357ae78cdf4c5fca8c 100644 (file)
@@ -3069,14 +3069,15 @@ class WP_Query {
 
                if ( 'any' == $post_type ) {
                        $in_search_post_types = get_post_types( array('exclude_from_search' => false) );
-                       if ( empty( $in_search_post_types ) )
+                       if ( empty( $in_search_post_types ) ) {
                                $where .= ' AND 1=0 ';
-                       else
-                               $where .= " AND $wpdb->posts.post_type IN ('" . join("', '", $in_search_post_types ) . "')";
+                       } else {
+                               $where .= " AND {$wpdb->posts}.post_type IN ('" . join( "', '", array_map( 'esc_sql', $in_search_post_types ) ) . "')";
+                       }
                } elseif ( !empty( $post_type ) && is_array( $post_type ) ) {
-                       $where .= " AND $wpdb->posts.post_type IN ('" . join("', '", $post_type) . "')";
+                       $where .= " AND {$wpdb->posts}.post_type IN ('" . join("', '", esc_sql( $post_type ) ) . "')";
                } elseif ( ! empty( $post_type ) ) {
-                       $where .= " AND $wpdb->posts.post_type = '$post_type'";
+                       $where .= $wpdb->prepare( " AND {$wpdb->posts}.post_type = %s", $post_type );
                        $post_type_object = get_post_type_object ( $post_type );
                } elseif ( $this->is_attachment ) {
                        $where .= " AND $wpdb->posts.post_type = 'attachment'";
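Review bot: Lines 200 and 204 escape the same kind of value two different ways, `array_map( 'esc_sql', … )` versus a bare `esc_sql( $post_type )`, although line 204 itself relies on `esc_sql()` accepting an array and escaping each element. Line 200 could read `$where .= " AND {$wpdb->posts}.post_type IN ('" . join( "', '", esc_sql( $in_search_post_types ) ) . "')";` so the two `IN (...)` branches are built identically and a future reader does not wonder whether one of them is less safe. The `$wpdb->prepare()` on line 207 is the right tool for the scalar case, and the context line at 210 interpolates only the literal 'attachment', so it needs no change. The enclosing method of WP_Query continues on both sides of the hunk.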
index 8c11d3ea4b556ee250085532b80f51f06a9bc2d2..cf05918443d0467c69e30eedaed918d13a82d0e7 100644 (file)
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.6.2';
+$wp_version = '4.6.3';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.