Merge branch 'WordPress:trunk' into trunk

Author: sabernhardt

.github/workflows/coding-standards.yml

@@ -82,7 +82,9 @@ jobs:
       - name: Cache PHPCS scan cache
         uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
         with:
-          path: .cache/phpcs.json
+          path: |
+            .cache/phpcs-src.json
+            .cache/phpcs-tests.json
           key: ${{ runner.os }}-date-${{ steps.get-date.outputs.date }}-phpcs-cache-${{ hashFiles('**/composer.json', 'phpcs.xml.dist') }}
 
       # Since Composer dependencies are installed using `composer update` and no lock file is in version control,
@@ -97,15 +99,15 @@ jobs:
 
       - name: Run PHPCS on all Core files
         id: phpcs-core
-        run: phpcs -n --report-full --report-checkstyle=./.cache/phpcs-report.xml
+        run: phpcs -n --report-full --cache=./.cache/phpcs-src.json --report-checkstyle=./.cache/phpcs-report.xml
 
       - name: Show PHPCS results in PR
         if: ${{ always() && steps.phpcs-core.outcome == 'failure' }}
         run: cs2pr ./.cache/phpcs-report.xml
 
       - name: Check test suite files for warnings
         id: phpcs-tests
-        run: phpcs tests --report-full --report-checkstyle=./.cache/phpcs-tests-report.xml
+        run: phpcs tests --report-full --cache=./.cache/phpcs-tests.json --report-checkstyle=./.cache/phpcs-tests-report.xml
 
       - name: Show test suite scan results in PR
         if: ${{ always() && steps.phpcs-tests.outcome == 'failure' }}

.github/workflows/phpunit-tests.yml

@@ -197,9 +197,8 @@ jobs:
         run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c phpunit.xml.dist --group external-http
 
       # __fakegroup__ is excluded to force PHPUnit to ignore the <exclude> settings in phpunit.xml.dist.
-      # This test group is not (yet) run against PHP 8.2 as there is no stable Xdebug version available yet for PHP 8.2.
       - name: Run (Xdebug) tests
-        if: ${{ ! matrix.split_slow && matrix.php != '8.2' }}
+        if: ${{ ! matrix.split_slow }}
         run: LOCAL_PHP_XDEBUG=true node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit -v --group xdebug --exclude-group __fakegroup__
 
       - name: Ensure version-controlled files are not modified or deleted

.github/workflows/test-old-branches.yml

@@ -30,8 +30,7 @@ jobs:
         branch: [
             '6.1','6.0',
             '5.9', '5.8', '5.7', '5.6', '5.5', '5.4', '5.3', '5.2', '5.1', '5.0',
-            '4.9', '4.8', '4.7', '4.6', '4.5', '4.4', '4.3', '4.2', '4.1', '4.0',
-            '3.9', '3.8', '3.7'
+            '4.9', '4.8', '4.7', '4.6', '4.5', '4.4', '4.3', '4.2', '4.1'
         ]
         include:
           # PHP Compatibility testing was introduced in 5.5.
@@ -61,12 +60,6 @@ jobs:
             workflow: 'end-to-end-tests.yml'
           - branch: '5.8'
             workflow: 'end-to-end-tests.yml'
-        exclude:
-          # Coding standards and JavaScript testing did not take place in 3.7.
-          - branch: '3.7'
-            workflow: 'coding-standards.yml'
-          - branch: '3.7'
-            workflow: 'javascript-tests.yml'
 
     # Run all branches monthly, but only the currently supported one twice per month.
     steps:

SECURITY.md

@@ -7,50 +7,46 @@ Full details of the WordPress Security Policy can be found on [HackerOne](https:
 Use this section to tell people about which versions of your project are
 currently being supported with security updates.
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 6.1.x   | :white_check_mark: |
-| 6.0.x   | :white_check_mark: |
-| 5.9.x   | :white_check_mark: |
-| 5.8.x   | :white_check_mark: |
-| 5.7.x   | :white_check_mark: |
-| 5.6.x   | :white_check_mark: |
-| 5.5.x   | :white_check_mark: |
-| 5.4.x   | :white_check_mark: |
-| 5.3.x   | :white_check_mark: |
-| 5.2.x   | :white_check_mark: |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :white_check_mark: |
-| 4.9.x   | :white_check_mark: |
-| 4.8.x   | :white_check_mark: |
-| 4.7.x   | :white_check_mark: |
-| 4.6.x   | :white_check_mark: |
-| 4.5.x   | :white_check_mark: |
-| 4.4.x   | :white_check_mark: |
-| 4.3.x   | :white_check_mark: |
-| 4.2.x   | :white_check_mark: |
-| 4.1.x   | :white_check_mark: |
-| 4.0.x   | :white_check_mark: |
-| 3.9.x   | :white_check_mark: |
-| 3.8.x   | :white_check_mark: |
-| 3.7.x   | :white_check_mark: |
-| < 3.7.0 | :x:              |
+| Version | Supported |
+| ------- | --------- |
+| 6.1.x   | Yes       |
+| 6.0.x   | Yes       |
+| 5.9.x   | Yes       |
+| 5.8.x   | Yes       |
+| 5.7.x   | Yes       |
+| 5.6.x   | Yes       |
+| 5.5.x   | Yes       |
+| 5.4.x   | Yes       |
+| 5.3.x   | Yes       |
+| 5.2.x   | Yes       |
+| 5.1.x   | Yes       |
+| 5.0.x   | Yes       |
+| 4.9.x   | Yes       |
+| 4.8.x   | Yes       |
+| 4.7.x   | Yes       |
+| 4.6.x   | Yes       |
+| 4.5.x   | Yes       |
+| 4.4.x   | Yes       |
+| 4.3.x   | Yes       |
+| 4.2.x   | Yes       |
+| 4.1.x   | Yes       |
+| < 4.1.0 | No        |
 
 ## Reporting a Vulnerability
 
-[<span>WordPress</span>](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.
+[WordPress](https://wordpress.org/) is an open-source publishing platform. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure.
 
 Our most critical targets are:
 
-*   WordPress Core [<span>software</span>](https://wordpress.org/download/source/), [<span>API</span>](https://codex.wordpress.org/WordPress.org_API), and [<span>website</span>](https://wordpress.org/).
-*   Gutenberg [<span>software</span>](https://github.com/WordPress/gutenberg/) and Classic Editor [<span>software</span>](https://wordpress.org/plugins/classic-editor/).
-*   WP-CLI [<span>software</span>](https://github.com/wp-cli/) and [<span>website</span>](https://wp-cli.org/).
-*   BuddyPress [<span>software</span>](https://buddypress.org/download/) and [<span>website</span>](https://buddypress.org/).
-*   bbPress [<span>software</span>](https://bbpress.org/download/) and [<span>website</span>](https://bbpress.org/).
-*   GlotPress [<span>software</span>](https://github.com/glotpress/glotpress-wp) (but not the website).
-*   WordCamp.org [<span>website</span>](https://central.wordcamp.org).
+*   WordPress Core [software](https://wordpress.org/download/source/), [API](https://codex.wordpress.org/WordPress.org_API), and [website](https://wordpress.org/).
+*   Gutenberg [software](https://github.com/WordPress/gutenberg/) and Classic Editor [software](https://wordpress.org/plugins/classic-editor/).
+*   WP-CLI [software](https://github.com/wp-cli/) and [website](https://wp-cli.org/).
+*   BuddyPress [software](https://buddypress.org/download/) and [website](https://buddypress.org/).
+*   bbPress [software](https://bbpress.org/download/) and [website](https://bbpress.org/).
+*   GlotPress [software](https://github.com/glotpress/glotpress-wp) (but not the website).
+*   WordCamp.org [website](https://central.wordcamp.org).
 
-Source code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [<span>The Meta Environment</span>](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.
+Source code for most websites can be found in the Meta repository (`git clone git://meta.git.wordpress.org/`). [The Meta Environment](https://github.com/WordPress/meta-environment) will automatically provision a local copy of some sites for you.
 
 For more targets, see the `In Scope` section below.
 
@@ -62,14 +58,14 @@ Any reproducible vulnerability that has a severe effect on the security or priva
 
 We generally **aren’t** interested in the following problems:
 
-*   Any vulnerability with a [<span>CVSS 3</span>](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.
+*   Any vulnerability with a [CVSS 3](https://www.first.org/cvss/calculator/3.0) score lower than `4.0`, unless it can be combined with other vulnerabilities to achieve a higher score.
 *   Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.
-*   Security vulnerabilities in WordPress plugins not _specifically_ listed as an in-scope asset. Out of scope plugins can be [<span>reported to the Plugin Review team</span>](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).
-*   Reports for hacked websites. The site owner can [<span>learn more about restoring their site</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).
-*   [<span>Users with administrator or editor privileges can post arbitrary JavaScript</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)
-*   [<span>Disclosure of user IDs</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)
-*   Open API endpoints serving public data (Including [<span>usernames and user IDs</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))
-*   [<span>Path disclosures for errors, warnings, or notices</span>](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)
+*   Security vulnerabilities in WordPress plugins not _specifically_ listed as an in-scope asset. Out of scope plugins can be [reported to the Plugin Review team](https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#how-can-i-send-a-security-report).
+*   Reports for hacked websites. The site owner can [learn more about restoring their site](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#ive-been-hacked-what-do-i-do-now).
+*   [Users with administrator or editor privileges can post arbitrary JavaScript](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html)
+*   [Disclosure of user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue)
+*   Open API endpoints serving public data (Including [usernames and user IDs](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue))
+*   [Path disclosures for errors, warnings, or notices](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files)
 *   WordPress version number disclosure
 *   Mixed content warnings for passive assets like images and videos
 *   Lack of HTTP security headers (CSP, X-XSS, etc.)
@@ -83,7 +79,7 @@ We generally **aren’t** interested in the following problems:
 
 We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:
 
-*   Follow [<span>HackerOne's disclosure guidelines</span>](https://www.hackerone.com/disclosure-guidelines).
+*   Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).
 *   Pen-testing Production:
     *   Please **setup a local environment** instead whenever possible. Most of our code is open source (see above).
     *   If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC.

src/js/_enqueues/admin/inline-edit-post.js

@@ -305,7 +305,7 @@ window.wp = window.wp || {};
 		if ( !$(':input[name="post_author"] option[value="' + $('.post_author', rowData).text() + '"]', editRow).val() ) {
 
 			// The post author no longer has edit capabilities, so we need to add them to the list of authors.
-			$(':input[name="post_author"]', editRow).prepend('<option value="' + $('.post_author', rowData).text() + '">' + $('#' + t.type + '-' + id + ' .author').text() + '</option>');
+			$(':input[name="post_author"]', editRow).prepend('<option value="' + $('.post_author', rowData).text() + '">' + $('#post-' + id + ' .author').text() + '</option>');
 		}
 		if ( $( ':input[name="post_author"] option', editRow ).length === 1 ) {
 			$('label.inline-edit-author', editRow).hide();

src/js/_enqueues/vendor/imgareaselect/jquery.imgareaselect.js

@@ -1,6 +1,6 @@
 /*
  * imgAreaSelect jQuery plugin
- * version 0.9.10-wp
+ * version 0.9.10-wp-6.2
  *
  * Copyright (c) 2008-2013 Michal Wojciechowski (odyniec.net)
  *
@@ -20,7 +20,7 @@
 var abs = Math.abs,
     max = Math.max,
     min = Math.min,
-    round = Math.round;
+    floor = Math.floor;
 
 /**
  * Create a new HTML div element
@@ -230,12 +230,12 @@ $.imgAreaSelect = function (img, options) {
     function getSelection(noScale) {
         var sx = noScale || scaleX, sy = noScale || scaleY;
 
-        return { x1: round(selection.x1 * sx),
-            y1: round(selection.y1 * sy),
-            x2: round(selection.x2 * sx),
-            y2: round(selection.y2 * sy),
-            width: round(selection.x2 * sx) - round(selection.x1 * sx),
-            height: round(selection.y2 * sy) - round(selection.y1 * sy) };
+        return { x1: floor(selection.x1 * sx),
+            y1: floor(selection.y1 * sy),
+            x2: floor(selection.x2 * sx),
+            y2: floor(selection.y2 * sy),
+            width: floor(selection.x2 * sx) - floor(selection.x1 * sx),
+            height: floor(selection.y2 * sy) - floor(selection.y1 * sy) };
     }
 
     /**
@@ -257,10 +257,10 @@ $.imgAreaSelect = function (img, options) {
         var sx = noScale || scaleX, sy = noScale || scaleY;
 
         selection = {
-            x1: round(x1 / sx || 0),
-            y1: round(y1 / sy || 0),
-            x2: round(x2 / sx || 0),
-            y2: round(y2 / sy || 0)
+            x1: floor(x1 / sx || 0),
+            y1: floor(y1 / sy || 0),
+            x2: floor(x2 / sx || 0),
+            y2: floor(y2 / sy || 0)
         };
 
         selection.width = selection.x2 - selection.x1;
@@ -283,7 +283,7 @@ $.imgAreaSelect = function (img, options) {
          * Get image offset. The .offset() method returns float values, so they
          * need to be rounded.
          */
-        imgOfs = { left: round($img.offset().left), top: round($img.offset().top) };
+        imgOfs = { left: floor($img.offset().left), top: floor($img.offset().top) };
 
         /* Get image dimensions */
         imgWidth = $img.innerWidth();
@@ -293,10 +293,10 @@ $.imgAreaSelect = function (img, options) {
         imgOfs.left += ($img.outerWidth() - imgWidth) >> 1;
 
         /* Set minimum and maximum selection area dimensions */
-        minWidth = round(options.minWidth / scaleX) || 0;
-        minHeight = round(options.minHeight / scaleY) || 0;
-        maxWidth = round(min(options.maxWidth / scaleX || 1<<24, imgWidth));
-        maxHeight = round(min(options.maxHeight / scaleY || 1<<24, imgHeight));
+        minWidth = floor(options.minWidth / scaleX) || 0;
+        minHeight = floor(options.minHeight / scaleY) || 0;
+        maxWidth = floor(min(options.maxWidth / scaleX || 1<<24, imgWidth));
+        maxHeight = floor(min(options.maxHeight / scaleY || 1<<24, imgHeight));
 
         /*
          * Workaround for jQuery 1.3.2 incorrect offset calculation, originally
@@ -311,8 +311,8 @@ $.imgAreaSelect = function (img, options) {
 
         /* Determine parent element offset */
         parOfs = /absolute|relative/.test($parent.css('position')) ?
-            { left: round($parent.offset().left) - $parent.scrollLeft(),
-                top: round($parent.offset().top) - $parent.scrollTop() } :
+            { left: floor($parent.offset().left) - $parent.scrollLeft(),
+                top: floor($parent.offset().top) - $parent.scrollTop() } :
             position == 'fixed' ?
                 { left: $(document).scrollLeft(), top: $(document).scrollTop() } :
                 { left: 0, top: 0 };
@@ -430,6 +430,13 @@ $.imgAreaSelect = function (img, options) {
     function doUpdate(resetKeyPress) {
         adjust();
         update(resetKeyPress);
+        updateSelectionRelativeToParentElement();
+    }
+
+    /**
+     * Set the correct values of x1, y1, x2, and y2.
+     */
+    function updateSelectionRelativeToParentElement() {
         x1 = viewX(selection.x1); y1 = viewY(selection.y1);
         x2 = viewX(selection.x2); y2 = viewY(selection.y2);
     }
@@ -571,16 +578,16 @@ $.imgAreaSelect = function (img, options) {
             if (xFirst) {
                 x2 = max(left, min(left + imgWidth,
                     x1 + abs(y2 - y1) * aspectRatio * (x2 > x1 || -1)));
-                y2 = round(max(top, min(top + imgHeight,
+                y2 = floor(max(top, min(top + imgHeight,
                     y1 + abs(x2 - x1) / aspectRatio * (y2 > y1 || -1))));
-                x2 = round(x2);
+                x2 = floor(x2);
             }
             else {
                 y2 = max(top, min(top + imgHeight,
                     y1 + abs(x2 - x1) / aspectRatio * (y2 > y1 || -1)));
-                x2 = round(max(left, min(left + imgWidth,
+                x2 = floor(max(left, min(left + imgWidth,
                     x1 + abs(y2 - y1) * aspectRatio * (x2 > x1 || -1))));
-                y2 = round(y2);
+                y2 = floor(y2);
             }
     }
 
@@ -589,6 +596,14 @@ $.imgAreaSelect = function (img, options) {
      * aspect ratio
      */
     function doResize() {
+        /*
+         * Make sure x1, x2, y1, y2 are initialized to avoid the following calculation
+         * getting incorrect results.
+         */
+        if ( x1 == null || x2 == null || y1 == null || y2 == null ) {
+            updateSelectionRelativeToParentElement();
+        }
+
         /*
          * Make sure the top left corner of the selection area stays within
          * image boundaries (it might not if the image source was dynamically