Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HTML API: Add normalization functions. #7331

Closed
wants to merge 22 commits into from

Conversation

dmsnell
Copy link
Member

@dmsnell dmsnell commented Sep 11, 2024

Trac ticket: Core-62036.

See also dmsnell#20
See also dmsnell#21

The HTML Processor understands HTML regardless of how it's written, but
many other functions are unable to do so. There are all sorts of syntax
peculiarities and semantics that would be helpful to eliminate using the
knowledge contained in the HTML Processor.

This patch introduces WP_HTML_Processor::normalize( $html ) as a
method which takes a fragment of HTML as input and then returns a
serialized version of the input, "cleaning it up" by balancing all
tags, providing all missing optional tags, re-encoding all text,
removing all duplicate attributes, and double-quote-escaping all
attribute values.

php > var_dump( WP_HTML_Processor::normalize('<a href=#anchor v=5 href="/" enabled>One</a another v=5><!--') );
string(39) "<a href="#anchor" v="5" enabled>One</a>"

php > var_dump( WP_HTML_Processor::normalize( '<![CDATA[invalid comment]]> syntax < <> "oddities"' ) );
string(64) "<!--[CDATA[invalid comment]]--> syntax &lt; &lt;&gt; &quot;oddities&quot;"

php > var_dump( WP_HTML_Processor::normalize( '<textarea>use a &lt;/textarea></textarea>' ) );
string(44) "<textarea>use a &lt;/textarea&gt;</textarea>"

php > var_dump( ( WP_HTML_Processor::create_full_parser( '<p>Test<p>again' ) )->serialize() );
string(62) "<html><head></head><body><p>Test</p><p>again</p></body></html>"

The HTML Processor understands HTML regardless of how it's written, but
many other functions are unable to do so. There are all sorts of syntax
peculiarities and semantics that would be helpful to eliminate using the
knowledge contained in the HTML Processor.

This patch introduces `WP_HTML_Processor::normalize( $html )` as a
method which takes a fragment of HTML as input and then returns a
serialized version of the input, "cleaning it up" by balancing all
tags, providing all missing optional tags, re-encoding all text,
removing all duplicate attributes, and double-quote-escaping all
attribute values.

Core-62036
Copy link

github-actions bot commented Sep 11, 2024

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props dmsnell, westonruter, jonsurrell.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

Copy link

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

Copy link
Member

@westonruter westonruter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice: force_balance_tags(): The Next Generation

src/wp-includes/html-api/class-wp-html-processor.php Outdated Show resolved Hide resolved
src/wp-includes/html-api/class-wp-html-processor.php Outdated Show resolved Hide resolved
*/
public function serialize(): ?string {
if ( WP_HTML_Tag_Processor::STATE_READY !== $this->parser_state ) {
return null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this make sense to throw an exception?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've tried to avoid throwing exceptions in use code. Tell me more about the value of potentially crashing vs. returning null

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, I guess to give more information about why it is returning null. Maybe _doing_it_wrong() then would be better? It would be helpful to get feedback in code for what is documented:

	 * This differs from {@see WP_HTML_Processor::normalize} in that it starts with
	 * a specific HTML Processor, which _must_ not have already started scanning;
	 * it must be in the initial ready state and will be in the completed state once
	 * serialization is complete.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah okay I see now. another thought I had was resetting to the beginning, parsing, and returning to the previous location, which involves double-parsing if already mid-way through a document.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've called wp_trigger_error() in these cases.

while ( $this->next_token() ) {
$token_type = $this->get_token_type();

switch ( $token_type ) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about processing instructions? Shouldn't they get a special treatment?

For example, <html><body><?php foo(); ?> is interpreted as:

image

Seems like it should get serialized back in the same way? Maybe not since the browser serializes this as <!--?php foo(); ?-->. But maybe that should be an option?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah good catch: it should also serialize the PI node tag name, which would match what you wrote. looks like this needs a review of all of the invalid comment syntax

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these should all be updated now. if something lingers I'd like to fix it, but ultimately if we botch an invalid comment, I'm guessing it's not the end of the world.

these will go into test cases.

src/wp-includes/html-api/class-wp-html-processor.php Outdated Show resolved Hide resolved
}

if ( ! $in_html && $this->has_self_closing_flag() ) {
$html .= '/';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While not required, it seems a space is usually added here in the wild, right? (e.g. Prettier does this)

Suggested change
$html .= '/';
$html .= ' /';

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a good thought. with double-quoted attributes it's not relevant, but with unquoted attribute values it becomes relevant. we don't need that since we control quoting. maybe it's best to add it in anyway for the same of other tools.

Comment on lines 1199 to 1201
if ( null !== $this->get_last_error() ) {
return null;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similarly here, it would be helpful to know why it returned null.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is a tougher question because it would conflate the basic ?string return value. practically I think this can only occur if the HTML is unsupported (in which case we really shouldn't return any processed string) or we've run out of bookmarks (which should be unrealistically rare - and that reminds me, I found 2500 bookmarks sufficient to parse everything in my set of ~300k HTML documents, and I intend on upping the default value to support that for 6.7).

suppose you know why this failed: what would you do in response?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could also use _doing_it_wrong() here too to communicate that information, I suppose. Or rather, wp_trigger_error() would be the more relevant function. If I knew why it failed then I wouldn't have to figure out why it failed. True it probably wouldn't impact the result in the end, but for debugging it would be useful.

Looking at where last_error is set, it seems to always coincide with throwing an exception anyway. So in practice would this if statement ever be entered?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the exceptions thrown internally are caught and shut down parsing, but does not crash. unsupported content exceptions are returned via get_unsupported_exception()

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've called wp_trigger_error() in these cases.

dmsnell and others added 7 commits September 11, 2024 11:11
Co-authored-by: Weston Ruter <westonruter@git.wordpress.org>
If code later in the processing pipeline adds unquoted attributes
and doesn't add the requisite space following that, then another
parser might find that the solidus is part of the attribute value
instead of serving as a self-closing flag.

Co-authored-by: Weston Ruter <westonruter@git.wordpress.org>
Co-authored-by: Weston Ruter <westonruter@git.wordpress.org>
Co-authored-by: Weston Ruter <westonruter@git.wordpress.org>
Co-authored-by: Weston Ruter <westonruter@git.wordpress.org>
Copy link
Member

@sirreal sirreal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is pretty exciting, I'd like to start adding tests for it.

I just added it to the html api debugger when supported.

I'd love to start adding tests for this. One good test will be idempotency, where after an initial normalization, subsequent normalizations will be identical.

This mentions null bytes here specifically:

Text will be re-encoded, null bytes handled, and invalid UTF-8 replaced with U+FFFD.

I think that's working correctly in text. Should it also be handled in tag names, attribute names, and attribute values?

Input (null bytes replaces for clarity)

<div␀-nb nb-att-␀-="nb-val-␀-">

Normalized output:

<div␀-nb nb-att-␀-="nb-val-␀-"></div␀-nb>

Expected:

<div�-nb nb-att-�-="nb-val-�-"></div�-nb>

src/wp-includes/html-api/class-wp-html-processor.php Outdated Show resolved Hide resolved
@sirreal
Copy link
Member

sirreal commented Sep 12, 2024

There are some known issues from HTML5lib tests similar to the PI problems mentioned here: #7331 (comment)

'comments01/line0155' => 'Unimplemented: Need to access raw comment text on non-normative comments.',
'comments01/line0169' => 'Unimplemented: Need to access raw comment text on non-normative comments.',
'html5test-com/line0129' => 'Unimplemented: Need to access raw comment text on non-normative comments.',

There's no good way to read the comment under some circumstances and something like a get_raw_comment_content() method would be helpful.



<?import namespace="foo" implementation="#bar">

Each of these does not satisfy the PI constraint (missing ? before the > closer) so they're treated as invalid HTML comments. The initial ? isn't accessible through get_modifiable_text(), modifying that character could change the token to something completely different.

There are a couple of cases like this, I think they're all <? or <!-started strings triggering the bogus comment state.

CORRECTION:

I've edited it, it was initially incorrect. The bogus comments starting with <! do ignore the ! in their contents. Only <? seem to be mishandled.

Input Expected Actual Correct
<?xml foo > <!--?xml foo --> <!--xml foo --> ⛔️
<!> <!----> <!---->
<! more stuff > <!-- more stuff --> <!-- more stuff -->

@sirreal
Copy link
Member

sirreal commented Sep 12, 2024

We'd talked about a method to really inspect different types of comment text content. I've proposed a method in #7342. That would be helpful here.

Copy link
Member

@sirreal sirreal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This method is nice and it seems like it's in a good place. I'm happy to see it getting tests.

I'd like it if null bytes were normalized in more places (tag names, attribute names and values) before this lands.

src/wp-includes/html-api/class-wp-html-processor.php Outdated Show resolved Hide resolved
pento pushed a commit that referenced this pull request Sep 20, 2024
HTML often appears in ways that are unexpected. It may be missing implicit tags, may have unquoted, single-quoted, or double-quoted attributes, may contain duplicate attributes, may contain unescaped text content, or any number of other possible invalid constructions. The HTML API understands all fo these inputs, but downline parsers may not, and HTML snippets which are safe on their own may introduce problems when joined with other HTML snippets.

This patch introduces the `serialize()` method on the HTML Processor, which prints a fully-normative HTML output, eliminating invalid markup along the way. It produces a string which contains every missing tag, double-quoted attributes, and no duplicates. A `normalize()` static method on the HTML Processor provides a convenient wrapper for constructing a fragment parser and immediately serializing.

Subclasses relying on the `serialize_token()` method may perform structural HTML modifications with as much security as the upcoming `\Dom\HTMLDocument()` parser will, though these are not
able to provide the full safety that will eventually appear with `set_inner_html()`.

Further work may explore serializing to XML (which involves a number of other important transformations) and adding constraints to serialization (such as only allowing inline/flow/formatting elements and text).

Developed in #7331
Discussed in https://core.trac.wordpress.org/ticket/62036

Props dmsnell, jonsurrell, westonruter.
Fixes #62036.


git-svn-id: https://develop.svn.wordpress.org/trunk@59076 602fd350-edb4-49c9-b593-d223f7449a82
markjaquith pushed a commit to markjaquith/WordPress that referenced this pull request Sep 20, 2024
HTML often appears in ways that are unexpected. It may be missing implicit tags, may have unquoted, single-quoted, or double-quoted attributes, may contain duplicate attributes, may contain unescaped text content, or any number of other possible invalid constructions. The HTML API understands all fo these inputs, but downline parsers may not, and HTML snippets which are safe on their own may introduce problems when joined with other HTML snippets.

This patch introduces the `serialize()` method on the HTML Processor, which prints a fully-normative HTML output, eliminating invalid markup along the way. It produces a string which contains every missing tag, double-quoted attributes, and no duplicates. A `normalize()` static method on the HTML Processor provides a convenient wrapper for constructing a fragment parser and immediately serializing.

Subclasses relying on the `serialize_token()` method may perform structural HTML modifications with as much security as the upcoming `\Dom\HTMLDocument()` parser will, though these are not
able to provide the full safety that will eventually appear with `set_inner_html()`.

Further work may explore serializing to XML (which involves a number of other important transformations) and adding constraints to serialization (such as only allowing inline/flow/formatting elements and text).

Developed in WordPress/wordpress-develop#7331
Discussed in https://core.trac.wordpress.org/ticket/62036

Props dmsnell, jonsurrell, westonruter.
Fixes #62036.

Built from https://develop.svn.wordpress.org/trunk@59076


git-svn-id: http://core.svn.wordpress.org/trunk@58472 1a063a9b-81f0-0310-95a4-ce76da25c4cd
github-actions bot pushed a commit to platformsh/wordpress-performance that referenced this pull request Sep 20, 2024
HTML often appears in ways that are unexpected. It may be missing implicit tags, may have unquoted, single-quoted, or double-quoted attributes, may contain duplicate attributes, may contain unescaped text content, or any number of other possible invalid constructions. The HTML API understands all fo these inputs, but downline parsers may not, and HTML snippets which are safe on their own may introduce problems when joined with other HTML snippets.

This patch introduces the `serialize()` method on the HTML Processor, which prints a fully-normative HTML output, eliminating invalid markup along the way. It produces a string which contains every missing tag, double-quoted attributes, and no duplicates. A `normalize()` static method on the HTML Processor provides a convenient wrapper for constructing a fragment parser and immediately serializing.

Subclasses relying on the `serialize_token()` method may perform structural HTML modifications with as much security as the upcoming `\Dom\HTMLDocument()` parser will, though these are not
able to provide the full safety that will eventually appear with `set_inner_html()`.

Further work may explore serializing to XML (which involves a number of other important transformations) and adding constraints to serialization (such as only allowing inline/flow/formatting elements and text).

Developed in WordPress/wordpress-develop#7331
Discussed in https://core.trac.wordpress.org/ticket/62036

Props dmsnell, jonsurrell, westonruter.
Fixes #62036.

Built from https://develop.svn.wordpress.org/trunk@59076


git-svn-id: https://core.svn.wordpress.org/trunk@58472 1a063a9b-81f0-0310-95a4-ce76da25c4cd
@dmsnell
Copy link
Member Author

dmsnell commented Sep 20, 2024

Merged in [59076]
03b12dc

@dmsnell dmsnell closed this Sep 20, 2024
apermo added a commit to apermo/wordpress-develop that referenced this pull request Sep 27, 2024
commit 835f864d4ea376eb79844eb6a941250762de3c12
Author: Dennis Snell <dmsnell@git.wordpress.org>
Date:   Fri Sep 27 05:56:50 2024 +0000

    WP_Debug_Data: Extract `wp-dropins` data into separate method.

    This is the seventh part in a larger modularization of the data in `WP_Debug_Data`. Previously this was a single massive method drawing in debug data from various groups of related data, where the groups were independent from each other.

    This patch separates the seventh of twelve groups, the `wp-dropins` info, into a separate method focused on that data.

    This work precedes changes to make the `WP_Debug_Data` class more extensible for better use by plugin and theme code.

    Developed in https://github.com/wordpress/wordpress-develop/pull/7418
    Discussed in https://core.trac.wordpress.org/ticket/61648

    Props apermo.
    See #61648.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59100 602fd350-edb4-49c9-b593-d223f7449a82

commit 1e21ecedf19f1b97360949a9e509a3c04ac1f34e
Author: Dennis Snell <dmsnell@git.wordpress.org>
Date:   Fri Sep 27 00:42:47 2024 +0000

    HTML API: Switch to HTML namespace when entering Integration Points.

    When encountering inline SVG and MathML content in an HTML document, there are certain "integration points" which transition back into the HTML parsing ruleset. Previously, the HTML API was incorrectly switching into the namespace of the element transitioning into that ruleset.

    In this patch, the correct transition is made, where all integration points refer to HTML rules, while non-integration points refer to the rules of the namespace corresponding to the token itself.

    Developed in https://github.com/wordpress/wordpress-develop/pull/7425
    Discussed in https://core.trac.wordpress.org/ticket/61576

    Props dmsnell, jonsurrell.
    See #61576.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59099 602fd350-edb4-49c9-b593-d223f7449a82

commit bbec266c74fc47ce2919faa4cf3c6d43044588cb
Author: Michal Czaplinski <czapla@git.wordpress.org>
Date:   Thu Sep 26 19:35:26 2024 +0000

    Revert [59097] because it was renaming a public method that should be deprecated instead.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59098 602fd350-edb4-49c9-b593-d223f7449a82

commit ad1fabe41719f853ec5cdbdde5a9fba97444ff03
Author: Michal Czaplinski <czapla@git.wordpress.org>
Date:   Thu Sep 26 17:53:11 2024 +0000

    Interactivity API: Move interactivity-router i18n strings to Script Module data.

    Moves the 'loading' and 'loaded' i18n strings for the `interactivity-router` to the script module data via the `script_module_data_@wordpress/interactivity-router` filter.

    Key changes:

    - Add the `filter_script_module_interactivity_router_data()` method, hooked into the `script_module_data_@wordpress/interactivity-router` filter, to set the `i18n` data with the 'loading' and 'loaded' messages.
    - Rename the `print_router_loading_and_screen_reader_markup()` method to `print_router_markup()` and remove the screen reader markup from it because it's no longer needed.
    - Remove the `loading` and `loaded` strings from the `core/router` store state because they're no longer needed.
    - Initialize the `core/router` store with a minimal navigation object to prevent errors in the interactivity-router script module when the store is not properly initialized.
    - Update corresponding unit tests to reflect these changes.

    This change ensures that the `interactivity-router` i18n messages are localized in a single place and removes the need to initialize them in the `core/router` store state.

    Props jonsurrell, swissspidy, czapla.
    See #60647.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59097 602fd350-edb4-49c9-b593-d223f7449a82

commit 66afbbdb519d4b21a2ed486de64e32eda3f5adde
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Thu Sep 26 15:39:06 2024 +0000

    Administration: Escape the WordPress.org URL in `wp-admin/admin-footer.php`.

    Follow-up to [5892], [5955], [10976], [17879], [21366], [27469], [45927].

    Props ramswarup, narenin, swissspidy.
    Fixes #62118.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59096 602fd350-edb4-49c9-b593-d223f7449a82

commit d9cb6e7e9de61e36ba286aafcacc5d6dba2fc559
Author: Carlos Bravo <cbravobernal@git.wordpress.org>
Date:   Thu Sep 26 14:49:13 2024 +0000

    Block bindings: Ensure block receives __default bindings when render.

    Fixes an issue with the image block when using pattern overrides, where the image block with overrides enabled was not outputting all the expected image attributes. Ensures that the `process_block_bindings` method returns any updates to the block's binding metadata along with other computed attributes.

    Props talldanwp, cbravobernal, santosguillamot, mukesh27, gziolo.

    Fixes #62069.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59095 602fd350-edb4-49c9-b593-d223f7449a82

commit 8dd9ca0402745af44c6f2d018a8a8251e63b9764
Author: Jb Audras <audrasjb@git.wordpress.org>
Date:   Thu Sep 26 13:48:06 2024 +0000

    Help/About: Add plugin dependencies help tab on Plugins screen.

    This changeset adds a help tab added about plugin dependencies on the Plugins screen.

    Follow-up to [57545].

    Fixes #60466.
    See #22316.
    Props desrosj, swissspidy, adarshposimyth, audrasjb, NekoJonez, DorZki, Boniu91, Ankit-K-Gupta, sigurdwatt.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59094 602fd350-edb4-49c9-b593-d223f7449a82

commit 7d0e751ffbea99583e2dda8518ff5cc915bf0bd9
Author: Greg Ziółkowski <gziolo@git.wordpress.org>
Date:   Thu Sep 26 12:45:41 2024 +0000

    Editor: Default attribute value not used with `get_block_wrapper_attributes`

    Ensures that the default values defined in the schema for block attributes are used when rendering the output of the block with `get_block_wrapper_attributes` helper.

    Props gziolo, jonsurrell, youknowriad, ryelle.
    Fixes #62114.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59093 602fd350-edb4-49c9-b593-d223f7449a82

commit b071c28f8b6be06e464ccf582877e66c02859679
Author: Andrew Ozz <azaozz@git.wordpress.org>
Date:   Wed Sep 25 20:49:21 2024 +0000

    Administration: Fix increasing of the frequency of Heartbeat API requests.

    Props peterwilsoncc, azaozz.
    Fixes #61960.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59092 602fd350-edb4-49c9-b593-d223f7449a82

commit 9e290835d6f006997d59ebaf063df113bb15a363
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Wed Sep 25 19:35:20 2024 +0000

    Canonical: Redirect when front page's paginated states not found.

    Perform a canonical redirect for an invalid pagination request of a static front page.

    When a site has a static front page assigned and that page has a `<!--nextpage-->` within its content, previously accessing non-existing pages (e.g. `example.com/page/3/`) did not redirect or return a 404 or 301. This changeset resolves that issue by performing a canonical redirect.

    Unit tests are also included for this specific use case and to ensure the fix does not affect a blog listing home page.

    Follow-up to [47738], [47727], [34492].

    Props dd32, audrasjb, chaion07, hellofromTonya, joemcgill, lukecarbis, Mte90, mukesh27, peterwilsoncc, rajinsharwar, SergeyBiryukov.
    Fixes #50163.
    See meta#5184.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59091 602fd350-edb4-49c9-b593-d223f7449a82

commit b275b38768fc2c2208e44bf6e9121a117c8ce119
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Wed Sep 25 18:06:27 2024 +0000

    Twenty Nineteen: Add missing documentation for helper function parameters.

    Follow-up to [43808], [44149], [47214], [47242].

    Props pitamdey.
    Fixes #62112.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59090 602fd350-edb4-49c9-b593-d223f7449a82

commit 34c861b6a53cb82721ce0e82a3e2024d91c6ef7e
Author: Michal Czaplinski <czapla@git.wordpress.org>
Date:   Wed Sep 25 16:49:01 2024 +0000

    Script Loader: Add `@wordpress/a11y` as a Script Module.

    The Script Module has the same API as the `wp-a11y` WP Script.

    Key changes:
    - Add `@wordpress/a11y` to the list of Script and Module dual packages.
    - Update `script-modules-packages.min.php` to include the a11y module.
    - Modify `WP_Script_Modules` class to track and handle a11y module availability.
    - Add method to print required HTML markup for a11y `speak()` functionality.

    See #60647.
    Props jonsurrell, gziolo, czapla.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59089 602fd350-edb4-49c9-b593-d223f7449a82

commit 9fc6fa134df8976b4144b0f67c22b23ed97b639a
Author: Michal Czaplinski <czapla@git.wordpress.org>
Date:   Wed Sep 25 16:32:23 2024 +0000

    Revert [59087] due to empty commit message

    git-svn-id: https://develop.svn.wordpress.org/trunk@59088 602fd350-edb4-49c9-b593-d223f7449a82

commit 6df7ce67ca2fa9a1058cf25a599b1007416973a2
Author: Michal Czaplinski <czapla@git.wordpress.org>
Date:   Wed Sep 25 15:55:56 2024 +0000

    git-svn-id: https://develop.svn.wordpress.org/trunk@59087 602fd350-edb4-49c9-b593-d223f7449a82

commit 7f4fd30dffdfe8d7d817c2cdb4ab98408f1c0add
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Tue Sep 24 19:15:33 2024 +0000

    Build/Test Tools: Only require the WordPress Importer plugin when running core tests.

    This allows other users of the WordPress unit test suite framework to run their own unit tests without needing the WordPress Importer plugin, which should only be a requirement if running core tests.

    Follow-up to [59085].

    Props bjorsch.
    Fixes #62106.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59086 602fd350-edb4-49c9-b593-d223f7449a82

commit 60a66de6ece69de829b12305f5d84b216a41b6b6
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Tue Sep 24 18:09:41 2024 +0000

    Build/Test Tools: Check if the WordPress Importer plugin is installed in test bootstrap.

    If a hard requirement for the test suite is not fulfilled, running the tests should be blocked from the test bootstrap. A test should only fail when it doesn't produce the expected result.

    Since the WordPress Importer plugin is considered a hard requirement for the test suite at this time, this commit moves the check whether the plugin is installed from individual tests to the test bootstrap.

    Includes defining a global constant for the path to the file for reuse in the tests.

    Reference: [https://make.wordpress.org/core/handbook/contribute/git/#unit-tests Core Contributor Handbook: The Code Repository (Git): Unit Tests].

    Follow-up to [40531], [40532], [41090], [41169], [48592], [49535], [49571].

    Props jrf, hellofromTonya.
    See #61530.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59085 602fd350-edb4-49c9-b593-d223f7449a82

commit ec80646878bfe96cd14d9b5b49e2d51283206762
Author: Timothy Jacobs <timothyblynjacobs@git.wordpress.org>
Date:   Tue Sep 24 16:38:36 2024 +0000

    App Passwords: Don't prevent non-unique App Password names.

    In [50030] we enforced that Application Passwords have unique names. This was done with the assumption that applications would not connect to a user multiple times. However, in practice we've seen applications run into issues with the unique name constraint. Depending on the app, they may not know if they've been authorized before, or they may intentionally allow connecting multiple times. To prevent friction, App developers need to make their App Name unique, and in doing so often include things like the current date & time, which is already included in the App Passwords list table.

    This commit removes this requirement to simplify usage of the Authorize Application flow.

    Props mark-k, Boniu91, timothyblynjacobs, peterwilsoncc.
    Fixes #54213.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59084 602fd350-edb4-49c9-b593-d223f7449a82

commit 0b8b80449fb25e0242ad53262fcbabc08ea3ecb9
Author: Greg Ziółkowski <gziolo@git.wordpress.org>
Date:   Tue Sep 24 07:33:55 2024 +0000

    Build: Prepare for more Script Modules

    This is a companion to https://github.com/WordPress/gutenberg/pull/65460 that requires syncing in WordPress Core. Namely, the block-library changes require registration with their updated script module IDs so that the blocks continue to work correctly.

    They key improvement is script modules registration is handled in one central place, and a combined asset file is used to improve the performance by avoiding multiple disk operations for every individual file.

    Props jonsurrell, gziolo, wildworks, noisysocks.
    See #60647, #59462.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59083 602fd350-edb4-49c9-b593-d223f7449a82

commit a39079946ae6388083885df0198ddb0aeb6b5141
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Mon Sep 23 22:15:11 2024 +0000

    Build/Test Tools: Prevent Composer lock file from being created.

    Composer 1.10.0 introduced a `lock` config option, which, when set to `false` will prevent a `composer.lock` file from being created and will ignore it when one exists.

    This is a useful option for packages like WordPress where the `lock` file has no meaning.

    It also makes life more straightforward for contributors as they don't have to remember that for this repo they should use `composer update` instead of `composer install`. Both will now work the same.

    Reference: [https://getcomposer.org/doc/06-config.md#lock Composer Documentation: Config: lock].

    Follow-up to [51543].

    Props jrf.
    See #61530.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59082 602fd350-edb4-49c9-b593-d223f7449a82

commit fd104aed1427167a8273bc6dc8dc43c1dd66ae02
Author: Greg Ziółkowski <gziolo@git.wordpress.org>
Date:   Mon Sep 23 12:48:32 2024 +0000

    Comments: Pass $page as argument to comments functions

    Removes query alteration from `build_comment_query_vars_from_block` by introducing a new way to pass the `$page` as argument to functions handling pagination for the comments.

    Props cybr, santosguillamot, bernhard-reiter, gziolo.
    Fixes #60806.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59081 602fd350-edb4-49c9-b593-d223f7449a82

commit 805b9333f2de80c3db981e1a2a5755045d9e7782
Author: Greg Ziółkowski <gziolo@git.wordpress.org>
Date:   Mon Sep 23 12:33:14 2024 +0000

    Block Bindings: Adds context needed by sources during its processing

     Extends block context during block bindings processing. This implies that the context is extended ONLY for the blocks where bindings are defined and only when rendered on the page.

    Props santosguillamot, gziolo, artemiosans, cbravobernal.
    Fixes #61642.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59080 602fd350-edb4-49c9-b593-d223f7449a82

commit d2f4251fb1cd335f9ad91d295d7f35dca680e2e8
Author: Robert Anderson <noisysocks@git.wordpress.org>
Date:   Mon Sep 23 06:50:27 2024 +0000

    Editor: Update packages for 6.7 Beta 1.

    Syncs `@wordpress/*` packages to the `wp-6.7` npm tag.

    See #61906.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59079 602fd350-edb4-49c9-b593-d223f7449a82

commit e2d9ffcf1e7d96e1e7b89db96b992cf0e6c8fcf7
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Sun Sep 22 22:48:04 2024 +0000

    Editor: Respect `show_avatars` option in block editor and Customizer.

    This adds checks for the `show_avatars` option before setting the avatar for post lock modals in the block editor and the Customizer.

    Follow-up to [41839], [53070].

    Props ffffelix.
    Fixes #62081.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59078 602fd350-edb4-49c9-b593-d223f7449a82

commit f49909e97225f9b2aa4ab19b1c25037f2f35167d
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Sat Sep 21 14:39:52 2024 +0000

    Editor: Optimize `is_callable()` checks in `traverse_and_serialize_blocks()`.

    This aims to improve performance by reducing the number of function calls.

    Follow-up to [56644].

    Props welcher, Cybr, mukesh27, aristath.
    Fixes #62063.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59077 602fd350-edb4-49c9-b593-d223f7449a82

commit 03b12dc3117737b8960bc4144102ef5cca346547
Author: Dennis Snell <dmsnell@git.wordpress.org>
Date:   Fri Sep 20 22:30:04 2024 +0000

    HTML API: Add `normalize()` to give us the HTML we always wanted.

    HTML often appears in ways that are unexpected. It may be missing implicit tags, may have unquoted, single-quoted, or double-quoted attributes, may contain duplicate attributes, may contain unescaped text content, or any number of other possible invalid constructions. The HTML API understands all fo these inputs, but downline parsers may not, and HTML snippets which are safe on their own may introduce problems when joined with other HTML snippets.

    This patch introduces the `serialize()` method on the HTML Processor, which prints a fully-normative HTML output, eliminating invalid markup along the way. It produces a string which contains every missing tag, double-quoted attributes, and no duplicates. A `normalize()` static method on the HTML Processor provides a convenient wrapper for constructing a fragment parser and immediately serializing.

    Subclasses relying on the `serialize_token()` method may perform structural HTML modifications with as much security as the upcoming `\Dom\HTMLDocument()` parser will, though these are not
    able to provide the full safety that will eventually appear with `set_inner_html()`.

    Further work may explore serializing to XML (which involves a number of other important transformations) and adding constraints to serialization (such as only allowing inline/flow/formatting elements and text).

    Developed in https://github.com/wordpress/wordpress-develop/pull/7331
    Discussed in https://core.trac.wordpress.org/ticket/62036

    Props dmsnell, jonsurrell, westonruter.
    Fixes #62036.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59076 602fd350-edb4-49c9-b593-d223f7449a82

commit 675a1aa5e5583a465e452c13d4d631666a486b5f
Author: Dennis Snell <dmsnell@git.wordpress.org>
Date:   Fri Sep 20 20:21:59 2024 +0000

    HTML API: Add `get_full_comment_text()` method.

    Previously, there were a few cases where the modifiable text read from an HTML comment differs slightly from the parsed value of its inner text in a browser. This is due to the specific way that invalid HTML syntax tokens become "bogus comments."

    This patch introduces a new method to the Tag Processor to allow differentiating these specific cases, such as when copying or serializing HTML from one source to another. Similar code has already been in use in the html5lib tests, and this patch simplifies the test runner, evidencing the fact that this method was already needed.

    Developed in https://github.com/wordpress/wordpress-develop/pull/7342
    Discussed in https://core.trac.wordpress.org/ticket/62036

    Props dmsnell, jonsurrell.
    See #62036.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59075 602fd350-edb4-49c9-b593-d223f7449a82

commit 1eb5f61c9e5c36a5e587010bf8e4d1e811da56e0
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Fri Sep 20 14:07:11 2024 +0000

    Editor: Restore the merging of TinyMCE settings in `wp_tinymce_inline_scripts()`.

    This ensures that the function applies the `wp_editor_settings` filter and merges the resulting array with the rest of TinyMCE init settings.

    Includes a unit test to verify that the settings are merged correctly after adding the assignment of `array_merge()` result that was missed in the initial commit.

    Follow-up to [44265], [59033].

    Props kkmuffme, akshat2802, davidbaumwald, SergeyBiryukov.
    Fixes #61754.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59074 602fd350-edb4-49c9-b593-d223f7449a82

commit 35907da95151b45d197102ea4d69e10ad019cab9
Author: Robert Anderson <noisysocks@git.wordpress.org>
Date:   Fri Sep 20 02:05:50 2024 +0000

    Editor: Add plugin template registration API and improve theme overrides for plugin-registered templates

    This commit introduces a new API to allow plugins to easily register block
    templates with `wp_register_block_template()` and the
    `WP_Block_Templates_Registry` class, addressing the complexity of hooking into
    multiple filters. It also ensures plugin-registered templates overridden by
    themes fall back to the plugin-provided title and description when the theme
    doesn't define them.

    See https://github.com/WordPress/gutenberg/pull/61577.
    See https://github.com/WordPress/gutenberg/pull/64610.

    Fixes #61804.
    Props aljullu, peterwilsoncc, antonvlasenko, azaozz, youknowriad, noisysocks.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59073 602fd350-edb4-49c9-b593-d223f7449a82

commit 1ad25bb1432c788c8084fe832a7f13e646a28b62
Author: Robert Anderson <noisysocks@git.wordpress.org>
Date:   Fri Sep 20 01:53:52 2024 +0000

    Editor: Update packages for 6.7 Beta 1.

    Syncs `@wordpress/*` packages to the `wp-6.7` npm tag.

    Fixes #61906.
    Props peterwilsoncc, gziolo, kevin940726.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59072 602fd350-edb4-49c9-b593-d223f7449a82

commit d46067a77628797897a8c853fabbefc4cc2b1790
Author: Peter Wilson <peterwilsoncc@git.wordpress.org>
Date:   Fri Sep 20 00:50:51 2024 +0000

    External Libraries: Test registered script versions match package.json.

    Expands tests to ensure the version number of packages updated via NPM matches the version number used for registering the script in the script loader.

    This adds tests for (by their registered name in WordPress):

    * backbone
    * clipboard
    * hoverIntent
    * hoverintent-js
    * imagesloaded
    * jquery-color
    * jquery-core
    * jquery-form
    * masonry
    * react-jsx-runtime
    * underscore
    * wp-polyfill-dom-rect
    * wp-polyfill-element-closest
    * wp-polyfill-fetch
    * wp-polyfill-formdata
    * wp-polyfill-inert
    * wp-polyfill-node-contains
    * wp-polyfill-object-fit
    * wp-polyfill-url

    This expands on the earlier tests introduced for:

    * lodash
    * moment
    * react
    * react-dom
    * regenerator-runtime

    An additional test is added to ensure that the data provider for these tests is maintained as libraries are added via package.json.

    `@wordpress/*` scripts are excluded from these tests as wp-scripts generates a version number automatically based on the file's contents.

    Additionally, the version of element-closest listed in package.json is updated to use a fixed version rather than a range. This reflects the current practice of WordPress to define the specific version in core. For the avoidance of doubt, this does not affect the version shipped in WordPress.

    Follow up to [57185].

    Props peterwilsoncc, jorbin.
    Fixes #61855.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59071 602fd350-edb4-49c9-b593-d223f7449a82

commit 951f887f8a874e9c183bb990b0aa767d3ebb835b
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Thu Sep 19 20:20:30 2024 +0000

    External Libraries: Skip instanceof check when null in Text_Diff::_check().

    On the first `foreach` loop in Text_Diff::_check()`, `$prevtype` is `null`. As `instanceof` requires the class name term to be an object or string, a fatal error is thrown:

    >Fatal error: Uncaught Error: Class name must be a valid object or a string on line 279

    This change:
    * Adds a simple test for the `Text_Diff::_check()` method, which is how the bug was discovered as the test could never pass with the code as-is.

    * Adds a defensive guard to protect against the fatal. It checks if `$prevtype` is not `null` as a pre-condition to for checking the instance. This bugfix also resolves the failing test.

    Follow-up to [49194], [7747].

    Props jrf, hellofromTonya.
    See #62083.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59070 602fd350-edb4-49c9-b593-d223f7449a82

commit 1e608149f92886723d7d162df3014c7ba970030e
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Thu Sep 19 18:55:00 2024 +0000

    Code Modernization: handle mysqli_ping() deprecation in wpdb::check_connection().

    The `mysqli_ping()` function is deprecated as of PHP 8.4, though, in reality, the function wasn't working according to spec anymore since PHP 8.2 when the `libmysql` driver was dropped in favour of `libmysqlnd`, which was already the default (and recommended) driver since PHP 5.4.

    The `mysqli_ping()` method was also not really correctly named as its functionality was to reconnect to the database, not just ping.

    The alternative is to "manually" ping the database by sending a `DO 1` query (the cheapest possible SQL query).

    Adding a PHP version based toggle was considered, but as mentioned above, the default driver has been `libmysqlnd` since PHP 5.4 and in that case, the function never worked anyway, so in reality `mysqli_ping()` was only really functional for the odd custom PHP compilation where `mysqli` was build against `libmysql` AND `reconnect` was not disabled.

    With this in mind, this change replaces the call to `mysqli_ping()` with the `DO 1` query completely. If that query succeeds, it concludes the database connection is still alive. This solution should be the most stable as it will work for both PHP 7.2 <= 8.1, independently of which driver `mysqli` was compiled with, as well as for PHP 8.2+.

    Note: It could also be considered to remove the function call to `mysqli_ping()` completely and rely on standard error handling in case the connection would have dropped, as after all, the fact that the connection existed at the moment the "ping" happened, is no guarantee that the connection will still exist when the next query is send.... this approach was not chosen so as WP has custom error handling and does not use the PHP native mysqli exceptions for this, which would make implementing this more awkward.

    Includes a test to verify that the connection check works when there is a valid connection (this was previously not covered by tests).

    Refs:
    * https://wiki.php.net/rfc/deprecations_php_8_4#mysqli_ping_and_mysqliping
    * https://github.com/php/php-src/pull/11912#issuecomment-1671762583
    * https://stackoverflow.com/questions/2546868/cheapest-way-to-determine-if-a-mysql-connection-is-still-alive/2546922#2546922
    * php/php-src#11945
    * https://wiki.php.net/rfc/mysqli_support_for_libmysql
    * https://www.php.net/mysqli_ping

    Follow-up to [56475], [27250], [27075].

    Props jrf, hellofromTonya.
    See #62061.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59069 602fd350-edb4-49c9-b593-d223f7449a82

commit de346c606d9756bcaec8d0d69fe7aac3a86731fe
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Thu Sep 19 18:12:36 2024 +0000

    Tests: Remove use of E_STRICT.

    The `E_STRICT` constant is deprecated as of PHP 8.4 and will be removed in PHP 9.0.

    The error level hasn't been in use since PHP 8.0 anyway, so removing the exclusion from the `error_reporting()` setting in the `install.php` script used in the tests should make no difference in practice.

    Ref:
    * https://wiki.php.net/rfc/deprecations_php_8_4#remove_e_strict_error_level_and_deprecate_e_strict_constant

    Follow-up to [25002].

    Props jrf.
    See #62061.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59068 602fd350-edb4-49c9-b593-d223f7449a82

commit ceedcb5ae956b92288cd370a6e67789c196c95d1
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Thu Sep 19 12:38:35 2024 +0000

    Coding Standards: Update PHPCS to version 3.10.3.

    PHPCS has seen several new releases since the last update, which means more bugs have been fixed, syntax support for PHP 8.3 was added, more sniff documentation is available, performance improvements, a new Help screen, etc.

    References:
    * [https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/tag/3.10.3 PHP_CodeSniffer 3.10.3 release notes]
    * [https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/tag/3.10.2 PHP_CodeSniffer 3.10.2 release notes]
    * [https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/tag/3.10.1 PHP_CodeSniffer 3.10.1 release notes]
    * [https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/tag/3.10.0 PHP_CodeSniffer 3.10.0 release notes]
    * [https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/tag/3.9.2 PHP_CodeSniffer 3.9.2 release notes]
    * [https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/tag/3.9.1 PHP_CodeSniffer 3.9.1 release notes]

    Follow-up to [56695], [56799], [57378], [57986].

    Props jrf.
    Fixes #62076.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59067 602fd350-edb4-49c9-b593-d223f7449a82

commit e060ee3eb715d18e4a2cb8ce7eb29d1fd0a29842
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Thu Sep 19 12:10:19 2024 +0000

    Coding Standards: Remove unused return value for `WP_Object_Cache::__set()`.

    This resolves a WPCS warning:
    {{{
    Assignments must be the first block of code on a line
    }}}

    Note: This is enforced by PHPCS 3.10.3.

    Follow-up to [28521], [29146].

    Props jrf.
    See #62076, #61607.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59066 602fd350-edb4-49c9-b593-d223f7449a82

commit b36055bef3c7e0359a3c4cf1760d17b259c3234d
Author: Carolina Nymark <poena@git.wordpress.org>
Date:   Thu Sep 19 10:32:34 2024 +0000

    Bundled Themes: Make text strings translatable.

    This changeset updates Twenty Twenty-Three and Twenty Twenty-Four and replaces text strings in HTML files with patterns to make the strings translatable.

    Follow-up to [58459].

    Props sabernhardt, karmatosed, iflairwebtechnologies, poena.
    Fixes #61951.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59065 602fd350-edb4-49c9-b593-d223f7449a82

commit bf09fe506620678fb82c3b872309edda0ed8ce61
Author: Peter Wilson <peterwilsoncc@git.wordpress.org>
Date:   Wed Sep 18 22:35:35 2024 +0000

    Date/Time, PHP Compat: Prevent type errors using GMT offset option.

    Prevents a potential type errors when making use of the `gmt_offset` option by casting the value to a float prior to performing calculations with the value.

    This mainly accounts for incorrect storage of values, such as an empty string or city name.

    Follow up to [58923].

    Props chaion07, hellofromtonya, kirasong, mhshohel, mukesh27, nicolefurlan, nihar007, nurielmeni, oglekler, peterwilsoncc, prionkor, rajinsharwar, rarst, rleeson, sabernhardt, SergeyBiryukov, swissspidy, toastercookie, verygoode.
    Fixes #56358, #58986, #60629.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59064 602fd350-edb4-49c9-b593-d223f7449a82

commit 3b248638618bcd40a315bee6027ea8b7dfc578e0
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Wed Sep 18 21:38:32 2024 +0000

    Code Modernization: Remove xml_set_object() in MagpieRSS::__construct().

    The XML Parser extension still supports a quite dated mechanism for method based callbacks, where the object is first set via `xml_set_object()` and the callbacks are then set by passing only the name of the method to the relevant parameters on any of the `xml_set_*_handler()` functions.

    {{{
    xml_set_object( $parser, $my_obj );
    xml_set_character_data_handler( $parser, 'method_name_on_my_obj' );
    }}}

    Passing proper callables to the `xml_set_*_handler()` functions has been supported for the longest time and is cross-version compatible. So the above code is 100% equivalent to:

    {{{
    xml_set_character_data_handler( $parser, [$my_obj, 'method_name_on_my_obj'] );
    }}}

    The mechanism of setting the callbacks with `xml_set_object()` has now been deprecated as of PHP 8.4, in favour of passing proper callables to the `xml_set_*_handler()` functions. This is also means that calling the `xml_set_object()` function is deprecated as well.

    This commit fixes this deprecation for the `MagpieRSS::__construct()` method.

    The change has not been not covered by tests. This class has been deprecated since WP 3.0.0 and is not covered by tests at all. Adding those now seems superfluous, all the more as the principle of the fix is no different than for the other files, so we can be sure it works anyway.

    Note: Though this is "officially" an external library, this package is no longer externally maintained. The code style of the fix in the source file is in line with the existing code style for the file.

    Refs:
    * https://wiki.php.net/rfc/deprecations_php_8_4#xml_set_object_and_xml_set_handler_with_string_method_names
    * https://www.php.net/manual/en/function.xml-set-object.php
    * https://www.php.net/manual/en/ref.xml.php

    Follow-up to [4399].

    Props jrf.
    See #62061.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59063 602fd350-edb4-49c9-b593-d223f7449a82

commit ce571018a9d72fb513b803599cba21037fec68ed
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Wed Sep 18 21:18:54 2024 +0000

    Code Modernization: Remove xml_set_object() in AtomParser::parse().

    The XML Parser extension still supports a quite dated mechanism for method based callbacks, where the object is first set via `xml_set_object()` and the callbacks are then set by passing only the name of the method to the relevant parameters on any of the `xml_set_*_handler()` functions.

    {{{
    xml_set_object( $parser, $my_obj );
    xml_set_character_data_handler( $parser, 'method_name_on_my_obj' );
    }}}

    Passing proper callables to the `xml_set_*_handler()` functions has been supported for the longest time and is cross-version compatible. So the above code is 100% equivalent to:

    {{{
    xml_set_character_data_handler( $parser, [$my_obj, 'method_name_on_my_obj'] );
    }}}

    The mechanism of setting the callbacks with `xml_set_object()` has now been deprecated as of PHP 8.4, in favour of passing proper callables to the `xml_set_*_handler()` functions. This is also means that calling the `xml_set_object()` function is deprecated as well.

    This commit fixes this deprecation for the `AtomParser::parse()` method.

    This change is safeguarded via the new `AtomParser_Parse_Test` class.

    Notes:
    * Though this is "officially" an external library, this package is no longer externally maintained. The code style of the fix in the source file is in line with the existing code style for the file.
    * It appears that this class is not actually used by WP Core itself, so it could be considered to deprecate the class. However, as the class is not currently deprecated, safeguarding the change with a test seemed prudent.
    * The fixture used for the test reuses a fixture from the original package: https://code.google.com/archive/p/phpatomlib/source/default/source
    * The new test class follows the recommended test format (naming convention of the class, `@covers` tag at class level, only testing one method) as per Trac tickets 62004 / 53010.

    Refs:
    * https://wiki.php.net/rfc/deprecations_php_8_4#xml_set_object_and_xml_set_handler_with_string_method_names
    * https://www.php.net/manual/en/function.xml-set-object.php
    * https://www.php.net/manual/en/ref.xml.php

    Follow-up to [5951].

    Props jrf.
    See #62061.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59062 602fd350-edb4-49c9-b593-d223f7449a82

commit f9f19c7e77bc5898b03a69a48871cd377320c378
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Wed Sep 18 21:04:48 2024 +0000

    Tests: Use file paths independent of OS-specifics assertion or helper.

    Use `WP_UnitTestCase_Base::assertSamePathIgnoringDirectorySeparators()` and `WP_UnitTestCase_Base::normalizeDirectorySeparatorsInPath()` in existing tests.

    Follow-up to [59057], [57753], [57215], [56635], [48937], [25002].

    Props jrf.
    See #61530.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59061 602fd350-edb4-49c9-b593-d223f7449a82

commit 5168e1933af6e2e753b5fce4ed0f6fc29bd4fec1
Author: Dennis Snell <dmsnell@git.wordpress.org>
Date:   Wed Sep 18 19:10:56 2024 +0000

    WP_Debug_Data: Extract `wp-media` data into separate method.

    This is the sixth part in a larger modularization of the data in `WP_Debug_Data`. Previously this was a single massive method drawing in debug data from various groups of related data, where the groups were independent from each other.

    This patch separates the sixth of twelve groups, the `wp-media` info, into a separate method focused on that data.

    This work precedes changes to make the `WP_Debug_Data` class more extensible for better use by plugin and theme code.

    Developed in https://github.com/wordpress/wordpress-develop/pull/7356
    Discussed in https://core.trac.wordpress.org/ticket/61648

    Props apermo, dmsnell.
    See #61648.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59060 602fd350-edb4-49c9-b593-d223f7449a82

commit a543c31a1d0f6a86c664e5225f3befe03fb91807
Author: Drew Jaynes <drewapicture@git.wordpress.org>
Date:   Wed Sep 18 19:06:45 2024 +0000

    Docs: The `$feedname` parameter in `add_feed()` should not start with an underscore.

    Props snehapatil02, hellofromtonya, narenin.
    Fixes #59945.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59059 602fd350-edb4-49c9-b593-d223f7449a82

commit 55aa76aa25e9f0f31a54f7bbe3e840b24427d314
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Wed Sep 18 18:44:15 2024 +0000

    Code Modernization: Explicitly declare all properties in AtomParser.

    Dynamic (non-explicitly declared) properties are deprecated as of PHP 8.2 and are expected to become a fatal error in PHP 9.0.

    There are a number of ways to mitigate this:
    * If it's an accidental typo for a declared property: fix the typo.
    * For known properties: declare them on the class.
    * For unknown properties: add the magic `__get()`, `__set()` et al methods to the class or let the class extend `stdClass` which has highly optimized versions of these magic methods build in.
    * For unknown _use of_ dynamic properties, the `#[AllowDynamicProperties]` attribute can be added to the class. The attribute will automatically be inherited by child classes.

    In this case, the property added are explicitly referenced in this class, so fall in the "known property" category.

    Refs:
    * https://wiki.php.net/rfc/deprecate_dynamic_properties

    Props jrf.
    See #56034.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59058 602fd350-edb4-49c9-b593-d223f7449a82

commit e6a8fdd754887ec5b2738013163552a0b8c0be76
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Wed Sep 18 18:20:43 2024 +0000

    Tests: Introduce assertion for comparing file paths independent of OS-specifics.

    Introduces `WP_UnitTestCase_Base::assertSamePathIgnoringDirectorySeparators()` and an associated helper method `WP_UnitTestCase_Base::normalizeDirectorySeparatorsInPath()` to allow for comparing two file path strings independently of OS-specific differences.

    The normalization is done in a separate method to also allow this method to be used for path normalization within test methods themselves, like for normalizing a group of paths in an array.

    The pretty specific method name for the helper (`normalizeDirectorySeparatorsInPath()`) is an attempt to prevent naming conflicts with methods which may exist in plugin test suites build on top of the WP Core test suite.

    Props jrf, hellofromTonya.
    See #61530.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59057 602fd350-edb4-49c9-b593-d223f7449a82

commit baff405508b09c2fa165f60ffb2eec87515d6f1d
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Wed Sep 18 18:02:43 2024 +0000

    Code Modernization: Remove xml_set_object() in IXR_Message::parse().

    The XML Parser extension still supports a quite dated mechanism for method based callbacks, where the object is first set via `xml_set_object()` and the callbacks are then set by passing only the name of the method to the relevant parameters on any of the `xml_set_*_handler()` functions.

    {{{
    xml_set_object( $parser, $my_obj );
    xml_set_character_data_handler( $parser, 'method_name_on_my_obj' );
    }}}

    Passing proper callables to the `xml_set_*_handler()` functions has been supported for the longest time and is cross-version compatible. So the above code is 100% equivalent to:

    {{{
    xml_set_character_data_handler( $parser, [$my_obj, 'method_name_on_my_obj'] );
    }}}

    The mechanism of setting the callbacks with `xml_set_object()` has now been deprecated as of PHP 8.4, in favour of passing proper callables to the `xml_set_*_handler()` functions. This is also means that calling the `xml_set_object()` function is deprecated as well.

    This commit fixes this deprecation for the `IXR_Message::parse()` method.

    This change is safeguarded via the new`Tests_XMLRPC_Message::test_parse_sets_handlers()` test method.

    Note: Though this is "officially" an external library, this package is no longer externally maintained. The code style of the fix in the source file is in line with the existing code style for the file.

    Refs:
    * https://wiki.php.net/rfc/deprecations_php_8_4#xml_set_object_and_xml_set_handler_with_string_method_names
    * https://www.php.net/manual/en/function.xml-set-object.php
    * https://www.php.net/manual/en/ref.xml.php

    Follow-up to [15612], [1346].

    Props jrf, hellofromTonya.
    See #62061.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59056 602fd350-edb4-49c9-b593-d223f7449a82

commit 224e2c17b26caff406a4f5d44fa53901b1b4de7f
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Wed Sep 18 17:24:30 2024 +0000

    Tests: Remove use of xml_set_object() in TestXMLParser.

    The XML Parser extension still supports a quite dated mechanism for method based callbacks, where the object is first set via `xml_set_object()` and the callbacks are then set by passing only the name of the method to the relevant parameters on any of the `xml_set_*_handler()` functions.

    {{{
    xml_set_object( $parser, $my_obj );
    xml_set_character_data_handler( $parser, 'method_name_on_my_obj' );
    }}}

    Passing proper callables to the `xml_set_*_handler()` functions has been supported for the longest time and is cross-version compatible. So the above code is 100% equivalent to:

    {{{
    xml_set_character_data_handler( $parser, [$my_obj, 'method_name_on_my_obj'] );
    }}}

    The mechanism of setting the callbacks with `xml_set_object()` has now been deprecated as of PHP 8.4, in favour of passing proper callables to the `xml_set_*_handler()` functions. This is also means that calling the `xml_set_object()` function is deprecated as well.

    This commit fixes this deprecation for the `TestXMLParser` helper utility. In this case, the callbacks were already using the recommended format and the call to `xml_set_object()` was completely redundant.

    As this is a test utility and was already causing pre-existing tests using the utility to fail, there is no need for dedicated tests to cover this change.

    Refs:
    * https://wiki.php.net/rfc/deprecations_php_8_4#xml_set_object_and_xml_set_handler_with_string_method_names
    * https://www.php.net/manual/en/function.xml-set-object.php
    * https://www.php.net/manual/en/ref.xml.php

    Follow-up to [25002].

    Props jrf.
    See #62061.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59055 602fd350-edb4-49c9-b593-d223f7449a82

commit 1324176d519e02d969fb41c00de6b4d2751d0ad8
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Wed Sep 18 16:16:19 2024 +0000

    Tests: Fix Tests_Theme tests to run (and pass) cross-OS.

    Uses `DIRECTORY_SEPARATOR` in closures for cross-OS differences.

    Follow-up to [56635].

    Props jrf.
    See #61530.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59054 602fd350-edb4-49c9-b593-d223f7449a82

commit 82171f503600c8fa89e298a7b3ae76710d4be44d
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Wed Sep 18 15:02:14 2024 +0000

    Code Modernization: Fix implicitly nullable parameter in WP_HTML_Processor.

    PHP 8.4 deprecates implicitly nullable parameters, i.e. typed parameters with a `null` default value, which are not explicitly declared as nullable.

    This commit the one instance of this in the `WP_HTML_Processor` class.

    Fixed by adding the nullability operator to the type, which is supported since PHP 7.1, so we can use it now the minimum supported PHP version is PHP 7.2.

    As this deprecation is thrown at compile time, it can be seen at the top of the test output when running on PHP 8.4 (which will be gone once this change has been committed). It is not possible to write a test to cover this.

    Ref: https://wiki.php.net/rfc/deprecate-implicitly-nullable-types

    Follow-up to [58867], [58769], [58304], [58192].

    Props jrf.
    See #62061.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59053 602fd350-edb4-49c9-b593-d223f7449a82

commit 8fc4a000fceb64668e7d3962d01f32d8cdc2c82e
Author: Tonya Mork <hellofromtonya@git.wordpress.org>
Date:   Wed Sep 18 14:53:32 2024 +0000

    Tests: Fix implicitly nullable parameters in Tests_HtmlApi_WpHtmlProcessorComments.

    PHP 8.4 deprecates implicitly nullable parameters, i.e. typed parameters with a `null` default value, which are not explicitly declared as nullable.

    The `Tests_HtmlApi_WpHtmlProcessorComments` test class contains one problematic parameter in the `test_comment_processing()` method declaration.

    While this could be fixed by adding the nullability operator, the type declarations in the test method is removed instead, including other type declarations for this method and the second test method, which were not affected by the deprecation.

    The reason for this is quite straight-forward: using type declarations in tests is bad practice and inhibits defense-in-depth type testing.

    Using type declarations in tests prevents being able to test the "code under test" with unexpected input types as the values with unexpected (scalar) types will be juggled to the expected type between the data provider and the test method and the _real_ data value would therefore never reach the method under test.

    The knock-on effects of this are:
    * That the input handling of the "code under test" can not be safeguarded, whether this input handling is done via in-function type checking or via a type declaration in the "code under test".
    * That if such "unexpected data type" tests are added to the data provider, they will silently pass (due to the type being juggled before reaching the "code under test"), giving a false sense of security, while in actual fact, these data sets would not be testing anything at all and if, for instance, the type declaration in the "code under test" would be removed, these tests would still pass, while by rights they should start failing.

    Also note that this problem would only be exacerbated if the file would be put under `strict_types`.

    Ref: https://wiki.php.net/rfc/deprecate-implicitly-nullable-types

    Follow-up to [58734].

    Props jrf.
    See #62061.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59052 602fd350-edb4-49c9-b593-d223f7449a82

commit 91f8e77b3e19dde884cd6a32a8799e8c71db9e92
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Wed Sep 18 14:22:27 2024 +0000

    Script Loader: Restore `user-profile.js` dependencies after an accidental revert.

    Follow-up to [59033], [59046], [59047].

    Props TobiasBg.
    See #61754.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59051 602fd350-edb4-49c9-b593-d223f7449a82

commit d8e05446b7d109f8b3c48cbeebf6241d3f6e3946
Author: Drew Jaynes <drewapicture@git.wordpress.org>
Date:   Wed Sep 18 06:02:15 2024 +0000

    Docs: Add missing @since and @param annotations for the `edit_post_{$field}` hook doc.

    Props mukesh27
    See #50654

    git-svn-id: https://develop.svn.wordpress.org/trunk@59050 602fd350-edb4-49c9-b593-d223f7449a82

commit a6166f143444b48eb7250de76a5b8eeee3a7ee34
Author: Jonathan Desrosiers <desrosj@git.wordpress.org>
Date:   Wed Sep 18 05:42:16 2024 +0000

    Build/Test Tools: Submit host test results for each PHP version.

    The WordPress Hosting Test Results now supports multiple reports for the same commit from the same test bot. This updates the PHPUnit test workflow to submit results for each version of PHP running the tests.

    Props swissspidy, jorbin, crixu, kirasong, desrosj.
    See #61564.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59049 602fd350-edb4-49c9-b593-d223f7449a82

commit 52d46a9cb3d808340f2d7b35a0120354bf8ecaf2
Author: ramonopoly <ramonopoly@git.wordpress.org>
Date:   Wed Sep 18 05:17:05 2024 +0000

    Global Styles: allow read access to users with `edit_posts` capabilities

    This patch any role that can edit a post, including custom post types, or edit theme options to read global styles from the API. This enables read-only access to global styles in the post editor. Test coverage in included.

    Props ramonopoly, peterwilsoncc, mukesh27, aaronrobertshaw, mamaduka, spacedmonkey, talldanwp, timothyblynjacobs.
    Fixes #62042.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59048 602fd350-edb4-49c9-b593-d223f7449a82

commit 6693c25c8a786925d16c466694d35c0ea3764e67
Author: David Baumwald <davidbaumwald@git.wordpress.org>
Date:   Wed Sep 18 00:46:43 2024 +0000

    Script Loader: Revert removing unused array_merge.

    Code is poetry, until it isn’t.

    Unprops davidbaumwald.
    See #61754.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59047 602fd350-edb4-49c9-b593-d223f7449a82

commit 5d0753bb6e7c29adc8e6171ee21338cb5ade297b
Author: Jeremy Felt <jeremyfelt@git.wordpress.org>
Date:   Wed Sep 18 00:12:52 2024 +0000

    Application Passwords: Add copy button when adding new password.

    Props circlecube, dhruvang21, ironprogrammer, desrosj.
    Fixes #62019.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59046 602fd350-edb4-49c9-b593-d223f7449a82

commit b0809808e21827e4f6d0325695f37b67211067d5
Author: Drew Jaynes <drewapicture@git.wordpress.org>
Date:   Wed Sep 18 00:00:08 2024 +0000

    Docs: Add possible filter names to the hook docs for the following filters in `sanitize_post_field()`:

    - `edit_{$field}`
    - `{$field_no_prefix}_edit_pre`
    - `edit_post_{$field}`
    - `pre_{$field}`
    - `{$field_no_prefix}_save_pre`
    - `pre_post_{$field}`
    - `{$field}_pre`
    - `{$field}`
    - `post_{$field}`

    Props johnbillion, DrewAPicture.
    Fixes #50654

    git-svn-id: https://develop.svn.wordpress.org/trunk@59045 602fd350-edb4-49c9-b593-d223f7449a82

commit e9bb88d8c2da2c5ea1831ecbd7909ae19ba29708
Author: Aaron Jorbin <jorbin@git.wordpress.org>
Date:   Tue Sep 17 23:56:10 2024 +0000

    Bootstrap/Load: Add documentation warning about updating `$table_prefix`.

    Props bjerke-johannessen, swissspidy, SergeyBiryukov, morganestes, stevenlinx, jorbin.
    Fixes #34189.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59044 602fd350-edb4-49c9-b593-d223f7449a82

commit 36f6f6450175e9b5e2213aa9c4e44eb6e10f18c8
Author: Helen Hou-Sandi <helen@git.wordpress.org>
Date:   Tue Sep 17 23:48:26 2024 +0000

    Bootstrap/Load: Give more context and warning about editing compat.php.

    As indicated by name, this is a compatibility file which warrants more care to begin with, but it's still worth warning folks about how narrow function availability is in this file.

    Props jorbin, dmsnell, helen.
    See #61694.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59043 602fd350-edb4-49c9-b593-d223f7449a82

commit 8f6ec896348f83e63fa239f376d5010b85d24794
Author: Adam Silverstein <adamsilverstein@git.wordpress.org>
Date:   Tue Sep 17 23:26:22 2024 +0000

    Media: improve speed of AVIF image generation.

    Set the AVIF encoder to work faster by raising heic:speed to 7 from the default of 5. AVIF generation time is reduced by up to 20% with minimal impact on image size.

    Props: adamsilverstein, erikyo, mukesh27, yguyon, felixarntz, jzern.
    Fixes #61758.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59042 602fd350-edb4-49c9-b593-d223f7449a82

commit f9aeb0bdc14b251b7f1497771ce34fdeea7578a4
Author: Joe Dolson <joedolson@git.wordpress.org>
Date:   Tue Sep 17 23:26:03 2024 +0000

    Accessibility: Add border around menus and submenus in high contrast mode.

    Add outlines and borders to mark the boundaries between the admin navigation menu and content and around adminbar submenus that are visible when Windows High Contrast Mode is enabled. This clarifies the page structure and makes high contrast mode easier to use.

    Props wildworks, hbhalodia, sabernhardt, joedolson, rcreators.
    Fixes #61616.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59041 602fd350-edb4-49c9-b593-d223f7449a82

commit 71c69dad2e05fd51c508b1311805083943dc5398
Author: K. Adam White <kadamwhite@git.wordpress.org>
Date:   Tue Sep 17 23:22:43 2024 +0000

    REST API: Allow posts to be published with a publication date of midnight 1970-01-01.

    Explicitly checks date parsing return values for `false`, so that `0` (the value returned for the UNIX epoch of `1970-01-01 00:00:00`) is correctly treated as a valid timestamp.

    It should be valid to create a post dated to any point in history.

    Props emmanuel78, sabernhardt, siliconforks, drjosh07, antpb, TimothyBlynJacobs.
    Fixes #60184.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59040 602fd350-edb4-49c9-b593-d223f7449a82

commit c1520f3684dcd4647ef789b2f47aa4850a4ce871
Author: Aaron Jorbin <jorbin@git.wordpress.org>
Date:   Tue Sep 17 22:39:58 2024 +0000

    Bootstrap/Load: Ensure uses of set_time_limit are documented why.

    `set_time_limit` can cause unexpected behavior so it general should be avoided. There are instances though where they should be used so those instances should be properly documented.

    Props Rcrayno, ryan, kurtpayne, jorbin.
    Fixes #21521. See #19487.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59039 602fd350-edb4-49c9-b593-d223f7449a82

commit 3cd3a00c76102913590ade96a44003deb01664c3
Author: Timothy Jacobs <timothyblynjacobs@git.wordpress.org>
Date:   Tue Sep 17 22:25:03 2024 +0000

    Build Tools: Allow easier customization of the .env file.

    The .env file allows for configuring how the WordPress Local environment should be configured. However, because the file is version controlled, developers must be careful not to commit their modifications.

    This commit renames the .env file to be .env.example. During env start, the .env.example file is copied to .env if it does not exist. This allows for contributors to continue using the project without thinking about .env and to make changes when needed. This brings WordPress Core into the dotenv project guidelines.

    Props johnbillion, afragen, h71, desrosj.
    Fixes #52668.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59038 602fd350-edb4-49c9-b593-d223f7449a82

commit 98a9f6481afe3dc764f0ca5bb4f108cefe7203e0
Author: Anthony Burchell <antpb@git.wordpress.org>
Date:   Tue Sep 17 22:24:43 2024 +0000

    Coding Standards: Avoid using confusing `!` condition in Media Library selection check.

    Checks that value is now equal or less than or equal to 0 which has the same result as the previous confusing `!` usage.

    Props kadamwhite, drjosh07.
    See #60369.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59037 602fd350-edb4-49c9-b593-d223f7449a82

commit 15b7d2a86885a6c83b520277f97b1debe31048fb
Author: K. Adam White <kadamwhite@git.wordpress.org>
Date:   Tue Sep 17 22:17:41 2024 +0000

    REST API: Only check password value in query parameters while checking post permissions.

    The `password` property which gets sent as part of a request POST body while setting a post's password should not be checked when calculating post visibility permissions.

    That value in the request body is intended to update the post, not to authenticate, and may be malformed or an invalid non-string type which would cause a fatal when checking against the hashed post password value.

    Query parameter `?password=` values are the correct interface to check, and are also guaranteed to be strings.

    Props mlf20, devansh016, antonvlasenko, TimothyBlynJacobs, kadamwhite.
    Fixes #61837.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59036 602fd350-edb4-49c9-b593-d223f7449a82

commit d3d02c44ebdddc11b5c53b6fc6938e801b3d41f8
Author: Anthony Burchell <antpb@git.wordpress.org>
Date:   Tue Sep 17 21:56:43 2024 +0000

    Media: Add Ctrl/Command + Enter shortcut to insert selected Media Library items.

    Adds a Ctrl/Command + Enter keyboard shortcut to insert the currently selected single media or multiple media items when selecting in the Media Library modal.

    Props poena, hirschferkel, antpb, joedolson, skobe, rcreators, plaidharper.
    Fixes #60369.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59035 602fd350-edb4-49c9-b593-d223f7449a82

commit a9d76fab5641acdd3724a25989979cc51f22b953
Author: Felix Arntz <flixos90@git.wordpress.org>
Date:   Tue Sep 17 21:56:18 2024 +0000

    REST API: Support exact search in the REST API posts endpoint.

    This changeset adds support for a new `search_semantics` enum query parameter that can be passed alongside the `search` string parameter. At this point, it only supports "exact" as possible value, but an enum is used for forward compatibility with potential enhancements like "sentence" search support. If `search_semantics=exact` is passed, it will look for an exact match rather than do a full text search, which for some use-cases is more appropriate and more performant.

    Props mehulkaklotar, timothyblynjacobs, jimmyh61, ironprogrammer, johnregan3, mukesh27, costdev.
    Fixes #56350.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59034 602fd350-edb4-49c9-b593-d223f7449a82

commit af0437b080a1c512816883728bde9a75f70081bf
Author: David Baumwald <davidbaumwald@git.wordpress.org>
Date:   Tue Sep 17 21:52:54 2024 +0000

    Script Loader: Remove unused array_merge.

    This change removes an unused `array_merge` that was added in [44265].

    Props kkmuffme, SergeyBiryukov, akshat2802.
    Fixes #61754.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59033 602fd350-edb4-49c9-b593-d223f7449a82

commit 7b8e4451f4d28102585bdf9573ce0fb193a917f9
Author: Timothy Jacobs <timothyblynjacobs@git.wordpress.org>
Date:   Tue Sep 17 21:50:38 2024 +0000

    REST API: Automatically populate targetHints for the Allow header.

    The REST API uses the "Allow" header to communicate what methods a user is authorized to perform on a resource. This works great when operating on a single item route, but can break down when needing to determine authorization over a collection of items.

    This commit uses the "targetHints" property of JSON Hyper Schema to provide access to the "allow" header for "self" links. This alleviates needing to make a separate network request for each item in a collection.

    Props mamaduka, noisysocks, peterwilsoncc, spacedmonkey, swissspidy, timothyblynjacobs, tyxla, youknowriad.
    Fixes #61739.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59032 602fd350-edb4-49c9-b593-d223f7449a82

commit f79ad14e03162fe7c82bc63bc8137fa974ed87cc
Author: John Blackbourn <johnbillion@git.wordpress.org>
Date:   Tue Sep 17 21:31:14 2024 +0000

    Plugins: Correct the item schema for the plugins REST API endpoint.

    The `author` property contains the string name of the plugin author.

    Props narenin.

    Fixes #61920

    git-svn-id: https://develop.svn.wordpress.org/trunk@59031 602fd350-edb4-49c9-b593-d223f7449a82

commit cdd137e9977ee7a2c276e462b61d55c8cb60a58e
Author: Jonathan Desrosiers <desrosj@git.wordpress.org>
Date:   Tue Sep 17 21:06:30 2024 +0000

    External Libraries: Update PHPass library.

    This updates the PHPass library to version `0.5.4` while maintaining the adjustments introduced in [30466].

    Props jrf.
    Fixes #62058.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59030 602fd350-edb4-49c9-b593-d223f7449a82

commit 70c7962fee55cd10ffb2ab35c19c7d78359bef07
Author: Pascal Birchler <swissspidy@git.wordpress.org>
Date:   Tue Sep 17 20:56:03 2024 +0000

    I18N: Add a new way to determine whether a translation is available.

    A new `has_translation()` function can be used to determine whether a translation exists for a given string.

    Props louiswol94, swissspidy, drzraf, ckanitz, tomhine, mchirag2002, samuelsilvapt.
    Fixes #52696.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59029 602fd350-edb4-49c9-b593-d223f7449a82

commit 4dafd584c91524f0cfd743f728d5f334df761e11
Author: Felix Arntz <flixos90@git.wordpress.org>
Date:   Tue Sep 17 16:58:10 2024 +0000

    Taxonomy: Remove redundant `$taxonomies` value from cache keys used for `WP_Term_Query`.

    Props niravsherasiya7707, spacedmonkey.
    Fixes #59594.
    See #35381.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59028 602fd350-edb4-49c9-b593-d223f7449a82

commit 7dad836c7ff293879da0cdcce98472b5d85d3708
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Tue Sep 17 00:01:09 2024 +0000

    General: Add missing `initial-scale` value in viewport meta tags.

    The viewport meta should include `initial-scale=1.0` to ensure that high DPI/mobile display works as expected.

    References:
    * [https://css-tricks.com/probably-use-initial-scale1/ CSS-Tricks: Probably Use initial-scale=1]
    * [https://www.sitepoint.com/community/t/is-it-necessary-to-include-initial-scale-1-0-in-the-meta-viewport-tag/455119 SitePoint Forums: Is it necessary to include initial-scale=1.0 in the meta viewport tag?]

    Follow-up to [59026].

    Props dhruvang21, sabernhardt, kkmuffme, mukesh27, narenin, swissspidy, SergeyBiryukov.
    Fixes #61988.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59027 602fd350-edb4-49c9-b593-d223f7449a82

commit 8b8fb62a066e34862a8bb30498d1e1b5e18290f0
Author: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date:   Mon Sep 16 22:16:46 2024 +0000

    Bundled Themes: Add missing `initial-scale` value in viewport meta tag.

    The viewport meta should include `initial-scale=1.0` to ensure that high DPI/mobile display works as expected.

    Includes standardizing on `1.0` vs. `1` for consistency.

    References:
    * [https://css-tricks.com/probably-use-initial-scale1/ CSS-Tricks: Probably Use initial-scale=1]
    * [https://www.sitepoint.com/community/t/is-it-necessary-to-include-initial-scale-1-0-in-the-meta-viewport-tag/455119 SitePoint Forums: Is it necessary to include initial-scale=1.0 in the meta viewport tag?]

    Props dhruvang21, sabernhardt, kkmuffme, mukesh27, swissspidy, SergeyBiryukov.
    See #61988.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59026 602fd350-edb4-49c9-b593-d223f7449a82

commit ca64c851f7d73a48fa19a5d54467d45fc66a1098
Author: Dennis Snell <dmsnell@git.wordpress.org>
Date:   Mon Sep 16 20:15:17 2024 +0000

    HTML API: Update html5lib test runner to support new features.

    This patch updates the html5lib test runner following the merge of changes opening up a full HTML parser and additional fragment contents. It makes no Core code changes, but allows a more tests to complete which previously failed due to incomplete test runner support..

    Developed in https://github.com/wordpress/wordpress-develop/pull/7346
    Discussed in https://core.trac.wordpress.org/ticket/61646

    Props jonsurrell.
    See #61646.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59025 602fd350-edb4-49c9-b593-d223f7449a82

commit 1637791aefdfa2a5169c5b81175655a7c540fcfa
Author: Dennis Snell <dmsnell@git.wordpress.org>
Date:   Mon Sep 16 17:54:08 2024 +0000

    HTML API: Prevent infinite loop in foreign content reprocessing step.

    An infinite loop was discovered in specific situations within foreign content inside the HTML Processor when a given node inside foreign content must be handled in the rules for the current insertion mode.

    This patch resolves the loop by handling those nodes directly instead of reprocessing the node, which previously was redirecting control flow back to where the loop started.

    Developed in https://github.com/wordpress/wordpress-develop/7347
    Discussed in https://core.trac.wordpress.org/ticket/61656

    Follow-up to [58868].

    Props jonsurrell.
    See #61576.

    git-svn-id: https://develop.svn.wordpress.org/trunk@59024 602fd350-edb4-49c9-b593-d223f7449a82

commit d2ce8ddbe026ce33115c1bb6e60d3efbb96fa6ed
Author: Greg Ziółkowski <gziolo@git.wordpress.org>
Date:   Mon Sep 16 11:31:17 2024 +0000

    Meta: Add label argument to register_meta function

    With the introduction of Block Bindings, it became more common to see workflows where users need t…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants