Dev Chat Summary: March 1st (4.7.3 week 5)

This post summarizes the dev chat meeting from March 1st (agendaSlack archive).

4.7.3 Schedule

  • Reminder of plan to release 4.7.3 as bugfix and maintenance release on Monday March 6, 2017
  • RC is available so please test

Community Summit

  • Working to review submissions on Planning for Community Summit 2017 post on Make/Core as well as submissions to the Make/Summit team via the Community Summit 2017: Sign-up Request post
  • Between now and Friday, March 5th the Core team needs to come up with:
    • 1) a list of topics for the summit
    • 2) A list of representatives to attend the Community Summit
    • 3) One or two contributors who are willing to help with the organization of the event
  • “participating” generally means being physically present for the discussions in Paris, France days prior to WCEU this summer for the Community Summit
  • Each topic facilitator will do both a pre-summit and post-summit Make/Core post. @jbpaul17 to confirm timelines with @_dorsvenabili to help prep those facilitators for those post timings.
  • Javascript in core [will submit to CS]
    • “what we hope and imagine for the future with the REST API, and how we hope to get there… what we have in core now and how we can improve it and how we can attract more JavaScript first developers to build on WordPress and especially contribute to core… How the REST API relates to wp-admin.” Submitted by @adamsilverstein to attend and volunteer to help in whatever role is most helpful.
    • “REST API admin usage: Where we can start moving things to using the API (and maybe even get a couple of them done at the summit)” Related submission from @chriscct7, recommended to include @rmccue
    • @kadamwhite: A heavy dependency on “the future of JS in core” and that discussion should originate from the broader WP community, not be mandated by the REST API group
  • Technology version support policies [will submit to CS]
    • @jorbin: (versions of PHP, MySQL, Browsers, Screen Readers, other AT, etc.) Let’s come up with some concrete plans for when we intend to deprecate things and how we want to handle it. People Who would be good to have in this discussion: @dd32 (to help with stats) @pento (to help with messaging) @afercia and @rianrietveld ( to help formulate AT support policies if they don’t exist already), @westonruter ( as maintainer of the largest JS component) @azaozz ( as maintainer of tinyMCE component) @matveb ( as dev lead of new editor)
    • @getsource, @boonebgorges, and @matt as additional reps for this topic
  • Improved management of contributors with time to spare [will submit to CS]
    • @johnbillion: This topic is particularly focused on pre-existing contributors who are paid to contribute to WordPress (eg. those whose time is sponsored by their employers), but also pre-existing contributors who aren’t sponsored but who do want to contribute a significant and/or consistent amount of time, and also potential contributors in a similar position.
      As a project, we need to manage these people’s time much better. These people need to be project managed in one way or another to avoid repeats of situations we’ve had in the past where a contributor is literally being paid to fix things in WordPress and the project is failing to enable them to do so effectively, or even at all. I’d (@johnbillion) like to attend the summit, and I’d be happy to jointly lead this discussion with someone who has good project management experience and some ideas about how WordPress might be able to better manage contributors, but at the same time do it in such a way that retains the fun and interesting aspects of contributing without turning it into something that too closely resembles “work”. [Side note from John: Worth noting that this doesn’t only apply to core, but it’s a good place to start.]
    • @helen did a survey of time availability a while ago, sent list to John to use for this topic
    • @aaroncampbell, @getsource, @jorbin, @boonebgorges, and @logankipp as additional reps for this topic
  • On-boarding experience for new contributors [will submit to CS]
    • @joemcgill: Lots of people who want to get involved have no idea where to focus their efforts.
    • @kadamwhite: Speaking for myself this is hugely related to the future of JS in core and the REST API, since those pieces really need the energy new contribs would bring
    • @getsource: I am willing to participate or lead, although I don’t know what leading it means besides guiding conversation at this point. @aaroncampbell also willing to lead.
    • @peterwilsoncc, @flixos90, @logankipp, @jorbin, @johnbillion, and @stevenkword as additional reps for this topic
  • Communicating changes to WordPress Core [will NOT submit to CS]
    • @jorbin: For the past few years, core has produced a field guide and worked with the meta and plugins team to email plugin others about changes to core. Each release though triggers a number of people who don’t know about changes until after the release. Challenge: How can we help ensure changes that aren’t worthy of user marketing promotion are known by a far greater percentage of WordPress developers?
      Might also impact or benefit from input from +make.wordpress.org/plugins +make.wordpress.org/themes +make.wordpress.org/marketing +make.wordpress.org/meta.
      Even when we get the field guide out on time, issues come up post release.
      two ideas:
      1) Translating the field guide (is this reasonable if the posts that it links to aren’t translated?) Also means polyglots should be in the discussion
      2) Using the new release email mailing list to announce RC
    • @helen: I think it’s worth at least starting the conversation earlier, even if it ends up still being valuable to continue something in person.
    • @desrosj: There may also be some great ideas from people who cannot attend in person. It would be a great opportunity for them to have their ideas heard and contribute, even if they are not able to follow through with the discussion in person at the summit.
    • @jorbinI’m going to withdraw the communication topic as my proposal for the summit with the note that I might want to resubmit it depending on how the virtual discussion goes
    • @azaozz and @sergey as additional reps for this topic
  • Security [will submit to CS]
    • @chriscct7: The process of a security ticket from report through triage through disclosure. Aaron Campbell (security czar) has made it clear this needs to be discussed at some point and I feel like the community summit would provide a good venue as many of those on the team will be there in person and we can mirror the conversation easily for those who are not. Recommend including @aaroncampbell
    • @aaroncampbell: This is actually a good idea, although I don’t think it’s because “those on the team will be there” but rather because I’d love to get input from some other people too, and security is generally sensitive enough that a place like the summit seems useful
    • @rmccue, @kadamwhite, @matveb, @joen, @westonruter, @melchoyce as additional reps for this topic
  • Collection of Anonymous data [will NOT submit to CS]
    • @chriscct7: If core is interested in doing it, I think my experience with doing it for a trac ticket (settings reduction) might prove to be useful to add to the discussion. Recommend including @drewapicture
    • General agreement to NOT include this topic since this is currently opt-in and the issue is finding an owner of this topic
  • Bootstrap/Load [will NOT submit to CS]
    • @schlessera: Opening up the WordPress Core Architecture to make it flexible enough as a platform so that it can:  * serve both novice end-users as well as large-scale enterprise installations in an optimized way;  * quickly adapt to changing external requirements, to keep up with the accelerating pace of the web. Recommend including @rmccue
    • General agreement to NOT include this topic since it does not need to happen in-person, already has discussions underway, and should be scheduled in next couple of weeks
  • Code editor [will NOT submit to CS]
    • @georgestephanis: Code Syntax Highlighting implementation and accessibility concerns — how we can get CodeMirror or whatever better library there is implemented and rolled out for both Customizer Custom CSS, Theme/Plugin Editor, and Content Blocks. Recommend including @afercia @westonruter
    • General agreement to NOT include this topic since it does not need to happen in-person and should happen sooner than the CS.
  • REST API authentication [will NOT submit to CS]
    • @georgestephanis: Third-party authentication with the REST API.    Between OAuth 1.0a, OAuth2, central application brokers, Application Passwords, or some other system — there’s a lot of possibilities here, and it’d be really nice if Core could pick something and move forward with it before folks start spoofing cookie authentication in applications to integrate with core.
    • Relevant chat summary from the last time we had one
    • This really needs an owner, otherwise it’ll continue to be punted. There’s fundamental differences on what the direction should be.
    • @samuelsidler: I don’t think core can decide until someone has documented the possible options, along with their strengths and weaknesses, then had some discussions on what would be best for core and why.
    • @georgestephanis, @rmccue, @logankipp volunteered post on Make/Core to move this topic along
    • We will table this idea and maybe propose it for the summit based upon how the near term discussions go
  • Front-end Editing [will NOT submit to CS]
    • @westonruter: Frontend editing powered by bootstrapping the customizer onto the frontend, with inline direct manipulation of elements on the page and the controls sidebar being lazy loaded to slide in from the left as needed. Editable elements include post content and site configuration (sidebars, menus, options, etc). Recommend including @celloexpressions
    • General agreement to NOT include this topic since it depends on too many other things we won’t know by then, so we will pass on that topic (at least for now).
  • Nextgen Widgets [will NOT submit to CS]
    • @westonruter: Next generation of widgets which harmonize with content blocks in the editor.
    • General agreement to NOT include this topic for the CS, but good conversation for the contributor day.
  • Feedback on Core focuses [will NOT submit to CS]
    • @georgestephanis: Six months in, how are we feeling about shifting away to a more top-directed set of focuses for the year?
    • General agreement to NOT include this topic as it’ll be hard to say until/unless we’ve shipped a core release by then (we likely won’t) and is a conversation that should happen in public.
  • Complete list of representatives nominated to attend the Community Summit: @matt, @nacin, @adamsilverstein@rmccue@kadamwhite@chriscct7, @dd32@pento@afercia@rianrietveld@westonruter@azaozz@matveb, @getsource, @boonebgorges@aaroncampbell, @jorbin, @logankipp, @peterwilsoncc, @flixos90, @johnbillion, @stevenkword, @azaozz, @sergey, @karmatosed, @joen, @westonruter, @melchoyce, @jnylen0, @ipstenu, @joemcgill, @joehoyle, @rachelbaker, @michael-arestad, @petya, @danielbachhuber, @ocean90, @samuelsidler, @afercia@desrosj, @iseulde, @jjj@celloexpressions
  • We’re still searching for 1-2 contributors who are willing to help with event organization, so please comment here or reach out to @jbpaul17 if you’re interested
  • @jbpaul17 will send the Core team responses to the Community Summit team by Friday, March 3rd.

Browser support

  • Please take a look at @desrosj’s post: The New Editor and Browser Support
  • This will be a topic of discussion at next week’s devchat.
  • Please leave your thoughts there as comments, and bring them along next week as well.

#4-7, #4-7-3, #community-summit, #core, #core-customize, #core-editor, #core-restapi, #dev-chat, #summary

Disclosure of Additional Security Fix in WordPress 4.7.2

WordPress 4.7.2 was released last Thursday, January 26th. If you have not already updated, please do so immediately.

In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. There was an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this.

We believe transparency is in the public’s best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.

On January 20th, Sucuri alerted us to a vulnerability discovered by one of their security researchers, Marc-Alexandre Montpas. The security team began assessing the issue and working on solutions. While a first iteration of a fix was created early on, the team felt that more testing was needed.

Meanwhile, Sucuri added rules to their Web Application Firewall (WAF) to block exploit attempts against their clients. This issue was found internally and no outside attempts were discovered by Sucuri.

Over the weekend, we reached out to several other companies with WAFs including SiteLock, Cloudflare, and Incapsula and worked with them to create a set of rules that could protect more users. By Monday, they had put rules in place and were regularly checking for exploit attempts in the wild.

On Monday, while we continued to test and refine the fix, our focus shifted to WordPress hosts. We contacted them privately with information on the vulnerability and ways to protect users. Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users.

By Wednesday afternoon, most of the hosts we worked with had protections in place. Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.

On Thursday, January 26, we released WordPress 4.7.2 to the world. The release went out over our autoupdate system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.

We’d like to thank Sucuri for their responsible disclosure, as well as working with us to delay disclosure until we were confident that as many WordPress sites were updated to 4.7.2 as possible. We’d also like to thank the WAFs and hosts who worked closely with us to add additional protections and monitored their systems for attempts to use this exploit in the wild. As of today, to our knowledge, there have been no attempts to exploit this vulnerability in the wild.

#4-7, #release, #security

Week in Core, January 11th – 17th, 2017

Welcome back the latest issue of Week in Core, covering changes [39759-39923]. Here are the highlights:

  • 165 commits
  • 44 contributors
  • 87 tickets created
  • 9 tickets reopened
  • 83 tickets closed

Ticket numbers based on trac timeline for the period above. The following is a summary of commits, organized by component.

Code Changes

Administration

  • List Tables: Pass the $which parameter to restrict_manage_posts filter instance in WP_Media_List_Table, missed in [37422]. [39917] #38772
  • Improve tab character width in Plugins and Themes editor. [39897] #38684

Build/Test Tools

  • Add assertNotFalse() method to WP_UnitTestCase and use it where appropriate. [39919] #39219
  • Correctly reference function names in @covers entries. [39918] #39235
  • After [29858], update .jsintrc to use spaces, not tabs. [39898] #39359

Bundled Theme

  • Twenty Seventeen: Remove duplicate global $post declaration in twentyseventeen_front_page_section(). [39909] #39590
  • Twenty Seventeen: Correct @param entries for twentyseventeen_custom_colors_css filter. [39901] #39575
  • Twenty Seventeen: Remove extra asterisk from a translator comment so the comment could be parsed correctly. [39894] #39116

Cache API

  • Docs: Add missing @param type for wp_cache_get_last_changed(). [39900] #39571

Database

  • dbDelta: Ignore index subparts when checking for duplicate indices. [39921] #34870

Editor

External Libraries

Formatting

  • Tests: wpautop() should not add extra before. [39914] #39307
  • Fix wpautop() to stop adding paragraph tags around “. [39912] #39307

I18N

  • Move “Site Language” setting above “Timezone”. [39885] #38562

Media

  • Use a consistent error message for file type errors on uploading. [39891] #33242

Misc

  • Post-4.7.1 version bump for 4.7 branch. [39883]
  • Only show major version in readme.html for 4.7 branch [39871]
  • Media: Fix exif_imagetype check in wp_get_image_mime [39851-39861]
  • Tests: Replace broken codeispoetry.png file. [39848-39849]
  • Use plural string ‘Maintenance and Security Releases’ since we have two now [39847]
  • REST API: Change which users are shown in the users endpoint. [39844]
  • Media: Improve image filetype checking. [39832-39842]
  • Updates: Translate plugin data on the Updates screen. [39808]
  • Themes: Fix markup for theme name fallbacks. [39807]
  • Multisite: Use wp_rand() in signup key creation. [39795-39806]
  • Mail: Disable wp-mail.php when mailserver_url is mail.example.com. [39772-39782][39784]

Plugins

  • Docs: Use a consistent description for $plugin parameter in various plugin API functions. [39890] #36333
  • Docs: Improve the DocBlock for validate_plugin(). [39889] #36333

Posts, Post Types

  • Increase the height of post slug input to prevent certain characters from being cut in Firefox on Windows. [39905] #28084

REST API

Taxonomy

  • Docs: In wp_set_object_terms(), add a note that passing an empty value as $terms argument will remove all related terms. [39893] #36690

Text Changes

  • Taxonomy: Add an explanation for “Parent” dropdown for hierarchical custom taxonomies. [39895] #23447

Themes

  • Add a unit test for get_theme_feature_list() to make sure that the list of theme features pulled from the WordPress.org API returns the expected data structure. [39906] #28121
  • Docs: After [37083], change “HEX format” to “3- or 6-digit hexadecimal form” for clarity. [39888] #36336
  • Use curly braces for variables inside strings in `get_page_template() to explicitly specify the end of the variable name. [39884] #38625

TinyMCE

  • Strip browser inserted <u> and <font> tags from inside links when copying and pasting in IE and Edge. [39916] #39570
  • Ensure the inline toolbar is shown and properly positioned when there are several wpview blocks in the editor and the user selects one after the other. [39910] #38849
  • Prevent the inline toolbar from appearing on partially selected wpview nodes. This can happen when HTML is initially loaded in the editor and wpview is the first node, or sometimes on repeatedly pasting the same wpview. [39904] #38849
  • When inserting a wpview, place the caret after is so the user can continue typing without interruption. [39903] #39337
  • Improve removal of spaces from empty paragraphs when loading HTML in the editor. [39902] #39437

Upload

Users

  • Introduce signup_site_meta and signup_user_meta for filtering signup metadata in wpmu_signup_blog() and wpmu_signup_user(), respectively. [39920] #39223
  • User Query: Cast $user_total as an int. [39915] #39297
  • I18N: Reference correct placeholder in a translator comment added in [30333]. [39908] #30264
  • Display the name of user being edited on Edit User screen. [39907] #28182
  • Docs: Make $meta parameter description in multisite signup and registration functions more consistent. [39887] #38781
  • In wpmu_signup_blog() and wpmu_signup_user(), pass unserialized signup meta data to after_signup_site and after_signup_user filters introduced in [34112], to match the documented value. [39886] #38781

Widgets

  • In unregister_sidebar(), rename the $name parameter to $sidebar_id for consistency with is_registered_sidebar(). [39892] #35147
  • Add nonce for widget accessibility mode. [39760-39771] #23328

Thanks to @aaroncampbell, @afercia, @afzalmultani, @Ankit K Gupta, @azaozz, @barryceelen, @ccprog, @dd32, @diddledan, @DrewAPicture, @dspilka, @F J Kaiser, @gitlost, @iandunn, @iseulde, @ixkaito, @jackreichert, @jblz, @jeremyfelt, @jnylen0, @joemcgill, @johnjamesjacoby, @kuck1u, @MaximeCulea, @Mista-Flo, @netweb, @ocean90, @pavelevap, @pbearne, @pento, @peterwilsoncc, @Presskopp, @rachelbaker, @raggedrobins, @rmccue, @runciters, @seanchayes, @SergeyBiryukov, @Soean, @swissspidy, @theMikeD, @tmatsuur, @vortfu, and @wpsmith for their contributions!

#4-8, #week-in-core

Dev Chat Summary: January 11th (4.7.1 week 5)

This post summarizes the dev chat meeting from January 11th (agendaSlack archive).

4.7.1 Update

2017 Release Schedule

  • 4.7.1 will NOT be last in the 4.7 branch, so it’s best to start on anything that needs to go in 4.7.2 immediately
  • Proposal from @samuelsidler:
    • Since we don’t have a set release date for WordPress 4.8, I’d like to propose we look at applicable 4.7.x issues about once a month, and decide if we should ship a release.
    • For 4.7.2, I think we should take a look at issues at the beginning of February, during devchat, and decide if the issues warrant a release, then ship about a week later.
    • That would mean we’d be looking at a release around February 14, but we’d update the schedule after looking at the specific issues.
    • We’d want to evaluate issues the week of February 6 and make a call.
    • I think we said regressions and minor bug fixes are okay in 4.7 at the moment, but we can evaluate other fixes on a case-by-case basis.
  • General agreement on approach, though date for 4.7.2 to be confirmed in February
  • Plan to choose someone soon to lead 4.7.2, maybe at or before next week’s devchat, to keep things moving along. @jnylen0 @aaroncampbell @voldemortensen @swissspidy interest in leading that or future releases. If you have interest, ping @samuelsidler as he’s compiling a list of those interested.
  • @davidakennedy: I’d imagine we’ll package up default theme updates more in minor release. Though, we can also release those whenever to .org. I’d like to think through a schedule for that. Maybe looking at things monthly, and making a decision.

Trac Tickets

  • #39309: Secure WordPress Against Infrastructure Attacks
    • @paragoninitiativeenterprises: propose making it a point of focus for 4.8
    • @aaroncampbell: may not fit as a focus for 4.8, since those should be in the editor, customizer, and API areas. But good to talk about and try to figure out steps forward.
    • @paragoninitiativeenterprises: recommend against punting too far into the future
    • @samuelsidler: let’s think through how to implement it and work on patches for that, then decide which release to put it in
    • @westonruter: Security and performance hardening are ongoing and not limited to focuses
    • @paragoninitiativeenterprises: would like to see this land ASAP, will work on a patch with necessary tests and any necessary back-compat and post to the ticket
  • #38418: Add telemetry (aka usage data collection) as opt-in feature in core)
    • @lukecavanagh: thoughts from the group?
    • @brechtryckaert: personally in favor of usage data collection, but we’ll need to be very upfront about it upon release to avoid criticism; also worried what the impact would be on loading times/slowdown due to communication with the servers that store the data, would all depend on the way it’s implemented.
  • #39157: Feed returns 404 when there are no posts
    • @stevenkword: looking for feedback on approach on adding new conditionals and what to do now. Issue was addressed in 4.7 but caused a regression and code was reverted for 4.7.1.  After 4.7.0 landed, before the reversion, an updated patch was committed that resolved the regression, but it introduced new getters to WP_Query.
    • @stevenkword: would like to find a resolution for this for 4.7.2, but need some opinions how to solve it.
    • Will ping @peterwilsoncc and @dd32 to look at it

#4-7, #4-7-1, #dev-chat, #summary

Week in Core, January 4th – 10th, 2017

Welcome back the latest issue of Week in Core, covering changes [39666-39758]. Here are the highlights:

  • 93 commits
  • 35 contributors
  • 100 tickets created
  • 8 tickets reopened
  • 80 tickets closed

Ticket numbers based on trac timeline for the period above. The following is a summary of commits, organized by component.

Code Changes

Administration

  • Docs: Remove incorrect @param tags for admin_print_footer_scripts-{$hook_suffix} and admin_footer-{$hook_suffix} dynamic actiona. [39755] #39527

Build/Test Tools

  • Build: Update pinned version of grunt-cssjanus for the 4.0 branch to hopefully please the build. [39747-39748] #29038

Bundled Theme

  • Twenty Seventeen: Expand a changelog entry added in [39742] with the new item name. [39752] #39489
  • Twenty Seventeen: Correct @param entries for twentyseventeen_content_width, twentyseventeen_custom_colors_saturation and twentyseventeen_social_links_icons filters. [39733] #39488
  • Twenty Seventeen: Correct @param entry for twentyseventeen_front_page_sections filter. [39732] #39488
  • Twenty Seventeen: Introduce a theme-specific filter twentyseventeen_starter_content for customizing the starter content array. [39720] #39109
  • Upgrade: Fix the installation of TwentySeventeen upon upgrade from an early version. [39687] #38551, #30799, #39138

Comments

  • Docs: Use correct closing tag in submit_field description in comment_form(). [39753] #39508

Customize

  • Correct a comment in get_theme_starter_content() added in [39561]. [39751] #39104
  • Docs: Correct @access entries and duplicate hook references in WP_Customize_Selective_Refresh. [39734] #39501
  • Prevent removal of underline upon hover/focus for nav menu deletion links. [39696] #37527, #39444
  • Remove extra left padding in core for site title and widgets in preview. [39695] #38651, #39349
  • Ensure theme_mod-cache of custom_css lookup of -1 short-circuits a WP_Query from being made. [39694] #35395, #39259
  • CDon’t query for postmeta for Custom CSS (for not-current-themes) and Customizer Changeset posts. [39692-39693] #39194
  • Ensure theme_mod-cache of custom_css lookup of -1 short-circuits a WP_Query from being made. [39688] #35395, #39259
  • Update customize.php URL with changeset_uuid param the instant a change is made instead of deferring until the changeset update request responds. [39686] #39227
  • Remove extra left padding in core for site title and widgets in preview. [39685] #38651, #39349
  • Prevent removal of underline upon hover/focus for nav menu deletion links. [39677] #37527, #39444
  • Docs: Correct @access tag for WP_Customize_Partial::id_data property. [39674] #39464
  • Docs: Add missing @since and @access tags for WP_Widget_Form_Customize_Control::to_json() and ::render_content(). [39673] #39463

Database

  • Docs: Move install_network() DocBlock after the function_exists() call. [39709] #39478

Editor

  • Docs: Use 3-digit, x.x.x style semantic versioning for @since entries in wp-admin/js/word-count.js. [39739] #37718
  • Docs: Add documentation for wp-admin/js/editor.js. [39738] #38933
  • Always add page-template-default class to the editor body when the template is not specified. This matches the behavior on the front-end. [39678-39679] #39368

External Libraries

Feeds

General

  • Docs: Add missing @since entry for Walker::unset_children(). [39741] #39506
  • Update copyright year to 2017 in license.txt. [39698-39707] #39433
  • Docs: Correct rest_insert_* duplicate hook references in REST API. [39671] #39371
  • Docs: Add missing session_token_manager duplicate hook reference in wp-includes/class-wp-session-tokens.php. [39670] #39371
  • Docs: Correct comment_email duplicate hook reference in wp-admin/includes/class-wp-comments-list-table.php. [39669] #39371
  • Docs: Add missing duplicate hook references in wp-admin/includes/ajax-actions.php. [39668] #39371

I18N

  • Docs: Correct @access entries for WP_Locale::init() and WP_Locale::register_globals(). [39737] #39504
  • Add post type context to “Featured Image” post labels. [39667] #39458

Mail

  • In PHPMailer 5.2.7 the case of the Send() method changed to send(), update our call for consistency with the library. [39691] #39469

Media

  • Docs: Use 3-digit, x.x.x style semantic versioning for @since entries in wp-admin/js/image-edit.js. [39740] #38748

Menus

  • Posts, Post Types: Add a @since entry for archives post type label introduced in [35382]. [39666] #16075

Misc

Options, Meta APIs

  • Docs: Add variable to @param entry for whitelist_options filter. [39708] #39477

Posts, Post Types

  • Use an existing string for “Invalid post type” error message. [39756] #39171
  • Docs: Add missing @param tag for show_post_locked_dialog filter. [39710] #39479

Query

  • Docs: Add missing @since and @access tags for WP_Date_Query::is_first_order_clause(). [39672] #39462

REST API

Security

  • Docs: Make @deprecated entry for wp_kses_js_entities(), deprecated in [38785], consistent with other entries. [39758] #39541

Taxonomy

  • Docs: Correct @since and @access tags for WP_Term_Query::get_terms() and WP_Term_Query::parse_orderby_meta(). [39675] #39467

Themes

  • Docs: Add missing @since entries for WP_Theme class methods. [39736] #39503
  • Docs: Correct the DocBlock for get_header_video_url(). [39676] #39468

Upgrade/Install

  • Docs: Move install_global_terms() DocBlock after the function_exists() call. [39754] #39526
  • Avoid creating nonce during installation. [39697] #39047
  • Updates: Properly define $filesystemForm to handle error in modals. [39689-39690] #39057
  • Avoid creating nonce during installation. [39684] #39047

Users

  • Docs: Change @param type for $user_object in WP_Users_List_Table::single_row() from object to WP_User to be more accurate. [39757] #39536
  • Docs: Correct @access entry for WP_User::filter property. [39735] #39502, #39278

Thanks to @ocean90 @Presskop, @aaroncampbell, @adamsilverstein, @asalce, @azaozz, @BharatKambariya, @celloexpressions, @chiragpatel, @dd32, @dlh, @ireneyoast, @Jaydeep Rami, @karmatosed, @keesiemeijer, @ketuchetan, @michalzuber, @monikarao, @Nikschavan, @nullvariable, @pento, @priyankabehera155, @prosti, @ramiy, @rmccue, @sanket.parmar, @sebastian.pisula, @SergeyBiryukov, @sirbrillig, @stevenkword, @teinertb, @terwdan, @timph, @truongwp, and @westonruter for their contributions!

#4-8, #week-in-core

Dev Chat Summary: January 4th (4.7.1 week 4)

This post summarizes the dev chat meeting from January 4th (agendaSlack archive).

Schedule

2017 Release Schedule

  • no update on the “new release schedule”, so for now it will be process as usual

#4-7, #4-7-1, #dev-chat, #summary

Aaron Campbell Leading Security

@aaroncampbell is now the new lead of security triage and resolution for the WordPress project, also known as the Security Czar. Many thanks to Nikolay Bachiyski for kicking this role off and getting a lot of the infrastructure we use in place. This is also a good time to thank the dozens of volunteers who participate in the security group, and the researchers and reporters who bring issues to our attention.

#security

Customizer Improvements in 4.7

WordPress 4.7 has been the most active release on record for the customize component, with four major feature projects merging and shipping with 4.7 and over 90 tickets closed as fixed. This post summarizes the highlights of the user and developer-facing changes.

4.7 Customizer Feature Projects

Create pages within live preview during site setup

Add new pages while building menus and setting a static front page; outline your site directly in the customizer.

This project began with the ability to create posts and pages direction from the available menu items panel in the customizer, as originally proposed near the end of the 4.6 cycle:

https://make.wordpress.org/core/2016/06/16/feature-proposal-content-authorship-in-menus-with-live-preview/

Subsequent changes also added the ability to create new pages when assigning the front page and posts page in the Static Front Page section. Because this is now built into the core dropdown-pages customizer control, themes and plugins can also allow users to create new pages for their options instead of relying on existing content. The homepage sections in Twenty Seventeen include this new allow_addition parameter. Here’s how to register a dropdown-pages control supporting new pages:

$wp_customize->add_control( 'featured_page', array(
	'label'          => __( 'Featured Page', 'mytextdomain' ),
	'section'        => 'theme_options',
	'type'           => 'dropdown-pages',
	'allow_addition' => true, // This allows users to add new pages from this dropdown-pages control.
) );

Additionally, a proposal for term statuses was developed as a first step toward expanding the menus functionality to work for creating and previewing taxonomy terms in a future release (see #37915).

Improvements to the Sliding Panels UI

Customizer navigation is now faster, smoother, and more accessible.

This project tackled a series of tickets focused on improving the usability of the “sliding panels” UI in the customizer controls pane. The first step was to refactor the section and panel markup so that sections and panels are not logically nested. This is the biggest internal change to the UI and has a dedicated post going into the details:

https://make.wordpress.org/core/2016/09/28/changes-to-customizer-sliding-panelssections-in-wordpress-4-7/

This primary change resolved numerous problems with sections and panels not opening and closing properly, and eliminated situations where navigation to leave a section could become hidden. The next step was making section and panel headers “sticky” so that navigation is easier to access within long sections (such as for a menu); see #34343.

Finally, hover and focus styling for navigation in the customizer has been updated to use the blue-border approach found elsewhere in core, including for the device-preview buttons in the customizer, in #29158. This completes a refresh of the customizer controls pane’s UI design that began in WordPress 4.3 with #31336. The core UI now uses the following consistent UI patterns in the customizer:

  • White background colors are used only to indicate navigation and actionable items (such as inputs)
  • The general #eee background color provides visual contrast against the white elements
  • 1px #ddd borders separate navigational elements from background margins and from each other
  • 15px of spacing is provided between elements where visual separation is desired
  • 4px borders are used on one side of a navigation element to show hover or focus, with a color of #0073aa
  • Customizer text uses color: #555d66, with #0073aa for hover and focus states on navigation elements

Plugins and themes should follow these conventions in any custom customizer UI that they introduce, and inherit core styles wherever possible.

Any custom sections and panels, as well as customizations to the core objects in plugins and themes, should be tested extensively to ensure that they continue functioning as intended with all of these changes in 4.7. It’s particularly important to ensure that things like the use of color match the core conventions so that the user experience is seamless between functionality added by plugins and core.

Customize Changesets (formerly Transactions)

Browse your site and switch themes more seamlessly within the customizer, as your changes automatically persist in the background.

This project rewrote the internals of the customizer preview mechanism to make changes persistent. Each change made to a setting in the customizer is saved to a changeset (a new customize_changeset post type), facilitating future features such as scheduled changes, revisions, or saving and sharing drafted changes. Changesets also open the door to using the customizer to preview Ajax requests, headless sites, and REST API calls for mobile apps. In 4.7, changesets enable switching themes in the customizer without needing to decide between publishing or losing your customizations, as they’re automatically persisted in the background.

For more details on changesets, check out the two dedicated posts:

https://make.wordpress.org/core/2016/10/12/customize-changesets-formerly-transactions-merge-proposal/

https://make.wordpress.org/core/2016/10/12/customize-changesets-technical-design-decisions/

Custom CSS

Fine-tune your site and take your theme customizations to the next level with custom css in the customizer.

#35395 introduced a user-oriented custom CSS option in the customizer. Now that the base functionality is in place, it will be further enhanced in #38707 in future releases. Read the feature proposal for details on the implementation and why it’s important for core:

https://make.wordpress.org/core/2016/10/11/feature-proposal-better-theme-customizations-via-custom-css-with-live-previews/

There’s also a dedicated post that walks through the process of migrating existing custom CSS options in themes and plugins to the core functionality – be sure to follow those steps if your plugin or theme does custom CSS:

https://make.wordpress.org/core/2016/11/26/extending-the-custom-css-editor/

Other Changes with Dedicated Posts

4.7 features several other features deserving special attention. Read the posts for visible edit shortcuts (which expand the functionality of customizer partials), video headers (which extend the custom header feature), and starter content for more information:

https://make.wordpress.org/core/2016/11/10/visible-edit-shortcuts-in-the-customizer-preview/

https://make.wordpress.org/core/2016/11/26/video-headers-in-4-7/

https://make.wordpress.org/core/2016/11/30/starter-content-for-themes-in-4-7/

Additional User-facing Changes

With over 90 tickets fixed in the customize component in 4.7, we can’t cover everything here. But, here are a few more highlights:

Improved Custom Background Properties UI

#22058 introduces a more comprehensive and more usable custom background properties UI when a custom background is set up. There are now presets to control all of the detailed options at once, and the individual options are presented in a more visual way. Background size and vertical position are also now available as standalone options when using a custom preset.

Theme developers should update their add_theme_support() calls for custom-background to specify the default size, vertical position, and preset to reflect their default background image CSS. Perhaps the most significant improvement here is the ability for users to easily set up fixed full-screen backgrounds – and the ability for themes to make that behavior default if desired.

And even more…

4.7 also:

  • Loads the frontend preview iframe more naturally, eliminating a lot of weirdness with JS running in an unexpected location and ensuring that JS-based routing will work (#30028)
  • Allows the search results page to be previewed, and any forms that use the GET method in general can now be submitted whereas previously they would do nothing when submitted (#20714)
  • Hides edit post links in the customizer by default. Plugins, such as Customize Posts, can restore the links if they make post editing available in the customizer (#38648), although the visible edit shortcuts should generally be used instead.
  • Shows a cursor: not-allowed for mouse users when hovering over external links in the preview, as these can’t be previewed
  • Officially removes support for the customizer in Internet Explorer 8, preventing users of this outdated browser from accessing the customizer at all (#38021)

Additional Developer-oriented Changes

Hue-only Color Picker

#38263 adds a hue-only mode to the Iris color picker, wpColorPicker, and WP_Customize_Color_Control. Built for Twenty Seventeen’s custom colors functionality, the hue-only mode allows users to select a hue and saves the hue degree as a number between 0 and 359. To add a hue-color control:

$wp_customize->add_control( new WP_Customize_Color_Control( $wp_customize, 'colorscheme_hue', array(
	'mode' => 'hue',
	'section' => 'colors',
) ) );

As demonstrated in Twenty Seventeen’s custom colors strategy, the hue-selection strategy opens up a whole new world of possibilities for custom color options in themes. Rather than introducing numerous text and background color options and requiring users to adjust them to ensure that adequate color contrast is provided, themes can consolidate their color options into one or more hue pickers. Then, the corresponding use of hsl colors in CSS allows themes to define color patterns where users customize color hues without impacting the lightness of a color option, thereby preserving the designer’s use of proper contrast between text and background colors, and any use of color lightness for visual hierarchy. Check out the implementation in Twenty Seventeen for inspiration (including instant live preview).

Fix Sections that .cannot-expand

When creating custom customizer sections that, for example, display an external link but don’t actually expand to show section contents, the cannot-expand class can be added to the section title container to prevent JS events and CSS hover/focus styles from being applied. Be sure to also remove the tabindex="0" from the container if you copy the core code since your custom section shouldn’t be focusable if it can’t expand (and any contained links or buttons would be keyboard-focusable automatically). See #37980 for details.

Allow Plugins to do Comprehensive Late Validation of Settings

To account for custom subclasses of WP_Customize_Setting that don’t apply the customize_validate_{{$setting_id}} filter, this filter now will be applied when WP_Customize_Manager::validate_setting_values() is called. This ensures that plugins can add custom validation for every setting. For more, see #37638.

Credits

Huge thanks to the 61 people (and counting) receiving props for the 120+ customize component commits in 4.7 (as of RC2): @westonruter, @celloexpressions, @afercia, @sirbrillig, @ryankienstra, @helen, @ocean90, @melchoyce, @bradyvercher, @folletto, @johnbillion, @delawski, @karmatosed, @georgestephanis, @dlh, @curdin, @valendesigns, @mattwiebe, @michaelarestad, @joemcgill, @sstoqnov, @lgedeon, @mihai2u, @coreymcollins, @stubgo, @utkarshpatel, @desrosj, @odysseygate, @johnregan3, @aaroncampbell, @mapk, @iseulde, @mrahmadawais, @vishalkakadiya, @sayedwp, @hugobaeta, @jonathanbardo, @jorbin, @tristangemus, @deltafactory, @kkoppenhaver, @seancjones, @Presskopp, @Mista-Flo, @nikeo, @adamsilverstein, @lukecavanagh, @coffee2code, @peterwilsoncc, @presskopp, @pento, @Kelderic, @sebastian.pisula, @mckernanin, @FolioVision, @MikeHansenMe, @welcher, @cdog, @grapplerulrich, @iamfriendly, @flixos90.

 

#4-7, #customize, #dev-notes

Customize Update 2016-10-23

This is the weekly update post for the customize component. It includes a summary of this week’s meeting, recent commits, and next week’s meeting agenda.

4.7 Feature Proposals & Merges

Three proposal posts have been published and approved since our last update:

https://make.wordpress.org/core/2016/10/12/customize-changesets-formerly-transactions-merge-proposal/

https://make.wordpress.org/core/2016/10/12/customize-changesets-technical-design-decisions/

https://make.wordpress.org/core/2016/10/11/feature-proposal-better-theme-customizations-via-custom-css-with-live-previews/

All five of the major customize feature projects proposed for WordPress 4.7 have been successfully merged (in order):

Work continues on follow up tickets for many of these projects. Please test everything in the customizer and report any bugs to trac. We still have a few pending enhancements that need to be completed by this Wednesday, 10/26, 4.7 beta 1, sorted by priority:

  1. #27403 Improve UI for linking areas of Customizer preview to corresponding controls (desktop and mobile) – has-patch, needs testing and adjustments
  2. #38263 Color picker: add a hue-only mode – has-patch, needed for Twenty Seventeen
  3. #28536 Add browser history and deep linking for navigation in Customizer preview – needs-patch punted
  4. #38164 Customize: assign static front page and posts page to new pages – has-patch
  5. #37964 Allow customizer controls to be encapsulated by accepting pre-instantiated settings – has-patch, needs adjustments
  6. #22058 Improve custom background properties UI – has-patch
  7. #29158 Customizer UI Design lacks contrast for visual hierarchy and does not match wp-admin – has-commit, has-patch for revisions

Weekly Customize Meetings

Our past two weekly meetings have focused on preparing our projects for commit. We’ll continue our weekly 4.7 meetings into beta and RC pending the volume of customize tickets remaining in the milestone. For this week’s meeting, our priority will be ensuring that the 7 remaining customize enhancements for 4.7, listed above, are committed before beta 1.

Our weekly update posts will continue on a reduced schedule now that the bulk of 4.7 development is complete, and we’ll also continue posting dev notes for changes in 4.7.

Recent Customize Commits

Here are the customize-related commits for the past two weeks:

  • [38765]: Customize: Ensure `customize_validate_{$setting->id}` filters apply on input post_values for WP_Customize_Setting subclasses that neglect to apply the filter themselves.
  • [38766]: Customize: Improve message displayed in widgets panel when there are no widget areas currently displayed in the preview.
  • [38767]: Customize: Show Pages section first and pre-expanded in list of available menu items.
  • [38794]: Customize: Move Pages below Custom Links in available nav menu items panel.
  • [38807]: Customize: Skip triggering initial click on pages section for available nav menu items if already open.
  • [38810]: Customize: Implement customized state persistence with changesets. 
  • [38811]: Customize: Split out link `click.preview` and form `submit.preview` event handlers…
  • [38813]: Customize: Introduce a new experience for discovering, installing, and previewing themes in the customizer.
  • [38829]: Customize: Introduce custom CSS for extending theme styles.
  • [38830]: Customize: Fix unit tests when `twentyfifteeen` is `WP_DEFAULT_THEME` instead of twentyfifteen.
  • [38831]: Customize: Improve the labeling of background and header images in the list mode of the media library.
  • [38837]: Twenty Seventeen: Fix a PHP warning on fresh installs.
  • [38850]: Tests: Prevent Twenty Seventeen from interfering with Customizer tests.
  • [38851]: Tests: Prevent Twenty Seventeen from interfering with Customizer ajax tests.
  • [38853]: Customize: Add sticky headers for panels and sections.
  • [38862]: Customize: Revert part of [38859] which caused sections to get deactivated in the customizer.
  • [38867]: Twenty Seventeen: Add theme support for customize selective refresh.
  • [38881]: Customize: Keep previously uploaded header images in place.

Big thanks to those who contributed to patches committed this week: @johnregan3, @celloexpressions, @folletto, @westonruter, @deltafactory, @coreymcollins, @desrosj, @pento, @delawski, @davidakennedy, @afercia, @karmatosed, @ryankienstra, @valendesigns, @utkarshpatel, @stubgo, @lgedeon, @ocean90, @mihai2u, @dlh, @aaroncampbell, @jonathanbardo, @jorbin.

We’re always looking for more contributors; check out the open customize tickets and swing by #core-customize in Slack to get involved. Tickets in the Future Release milestone will be considered first for 4.8 if they have a patch.

#4-7, #customize

Week in Core, October 5 – 18, 2016

Welcome back the latest issue of Week in Core, covering changes [38736-38810]. Here are the highlights:

  • 74 commits
  • 76 contributors
  • 129 tickets created
  • 20 tickets reopened
  • 124 tickets closed

Ticket numbers based on trac timeline for the period above. The following is a summary of commits, organized by component.

Administration

  • Accessible Tags autocomplete: [38797] #33902
  • Better consistency for the Media, Add Plugins, and Add Themes toolbars. [38795] #38010

Build/Test Tools

  • Continue eliminating randomness in tests. [38763] #37371
  • Begin eliminating unnecessary randomness in tests. [38762] #37371
  • Revert [38759]. PHPUnit’s @requires syntax was introduced in PHPUnit 3.7, but the tests for PHP 5.2 use PHPUnit 3.6 because it’s the latest version that supports PHP 5.2. [38761] #38256
  • Make use of PHPUnit’s @requires notation. [38759] #38256
  • HTTP API: Remove an unnecessary duplicate HTTP request in the HTTP tests. [38758] #30017
  • HTTP API: Convert the POST redirect test to use a dataProvider in order for its speed to be more accurately measured. [38757] #38237

Charset

  • Allow _canonical_charset() to handle mixed-case strings. [38809] #38337

Comments

  • When checking comments, returned error object should include HTTP status code. [38783] #36901
  • Abstract die() calls from comment submission routine. [38778] #36901
  • Pass $comment to the comment_max_links_url filter. [38748] #37955
  • Account for the comment_order option in get_page_of_comment(). [38740] #31101
  • Improve check for previous comments for authenticated users in check_comment(). [38738] #28603

Customize

  • Implement customized state persistence with changesets. [38810] #28721, #31089, #30937, #31517, #30028, #23225, #34142, #36485
  • Skip triggering initial click on pages section for available nav menu items if already open. [38807] #36984
  • Move Pages below Custom Links in available nav menu items panel. [38794] #36984
  • Show Pages section first and pre-expanded in list of available nav menu items. [38767] #36984
  • Improve message displayed in widgets panel when there are no widget areas currently displayed in the preview. [38766] #36922
  • Ensure customize_validate_{$setting->id} filters apply on input post values for WP_Customize_Setting subclasses that neglect to apply the filter themselves. [38765] #37638
  • Add workaround for Safari bug causing preview frame to be unscrollable via mousewheel after a refresh. [38742] #38149

Date/Time

Editor

  • Add a role button to the Tags meta box tag cloud links. [38800] #38318
  • Do not send the request for releasing the post lock on unload when post_ID or active_post_lock is missing. [38772] #38271

General

  • Docs: In get_pages() and wp_list_pages(), note that post_status argument can also be an array. [38798] #38136
  • XML-RPC: Re-add a global $wpdb missed in [38768]. [38775] #37699
  • Restore usage of $wpdb, instead of $this->db. [38768] #37699
  • Login: Don’t rely on wp_is_mobile() for functionality. [38739] #33704

Media

  • Media modal: make it possible to reorder images by dragging on devices with both touch screen and mouse support. [38793] #31652
  • Correct the hostname used in the wp_get_attachment_metadata() test. [38760] #36246

Menus

Misc

  • Emoji: Update Emoji CDN filter default for resource hints. [38764] #38724
  • Updates for 4.6. Merge of and to the 4.6 branch.

Networks and Sites

  • Multisite: Maintain switched state in site icon/logo functions. [38786] #38253
  • Multisite: Clarify that get_site_by_path() does not return exact matches. [38781] #38152

Pings/Trackbacks

  • Add new pre_trackback_post action before a trackback is added to a post. [38791] #37007
  • Trackbacks: Allow the error message strings passed to trackback_response() to be translatable. [38741] #38214

Plugins

  • Docs: Improve documentation for install_plugin_install_status(). [38805] #36912
  • Correctly display the current plugin in the plugin editor. [38745] #24122, #17552

Posts, Post Types

  • Docs: Document global variables used by get_the_content(). [38746] #37173

Query

  • Allow the hyphen-prefix-for-search-exclusion feature to be disabled by filter. [38792] #38099

REST API

Rewrite Rules

  • Make sure rewrite rules are not written until wp_loaded has fired [38751] #37892

Role/Capability

  • Disregard the order of capabilities when testing that single site and multisite capability tests match. [38802] #38191
  • Add tests for all user roles that check custom capabilities that do not have any form of handling (eg. in a map_meta_cap filter). [38769] #38191

Security

Taxonomy

  • Cache results of term count queries. [38784] #38295
  • Specify taxonomy when populating cached object terms. [38779] #37291
  • Avoid a fatal error in the_tags() in the event that get_the_term_list() returns a WP_Error. [38777] #37291
  • Better error handling when fetching object terms from cache. [38776] #37291
  • On wp-admin/term.php, don’t show a ‘Back to’ link which links to the current page. [38753] #37573
  • Remove paged argument from referer and add it only if current page is greater than 1. [38752] #38194
  • Don’t drop term order and current page when bulk deleting terms. [38750] #38194
  • Introduce WP_Taxonomy and use it in register_taxonomy() and unregister_taxonomy(). [38747] #36224, #36217
  • Docs: Improvements to register_taxonomy() docblock. [38737] #38007

Themes

  • Improve the inline documentation for the get_*_template() functions by providing examples instead of verbose explanations. [38789] #38249, #37770
  • Do not show an update button if there’s no update package. [38788] #37774
  • Remove paged.php from the theme template hierarchy. [38755] #38162

TinyMCE

  • Remove the calls to getBookmark() and moveToBookmark() in IE. [38808] #38335
  • When editing pages, add body class with the page template, or page-template-default. [38803] #37599
  • Restore the monospace font in textareas in the TinyMCE UI. Make it same as in the Text editor. [38801] #38125
  • Prevent applying Indent and Outdent while an image with a caption is selected. [38796] #38313
  • Prevent iOS Safari from expanding the iframe width beyond the container width. [38782] #38289
  • Update the charmap plugin to the latest dev. version. [38780] #37936
  • Add support for custom dashicon for wp.mce.View.setLoader(). [38774] #37900
  • Update to 4.4.3, changelog: ​https://www.tinymce.com/docs/changelog/#version443-september12016 [38773] #38081, #38245, #37507, #37808, #38000
  • Allow pasting in image captions. Remove blocks and insert “ tags instead, also remove elements that would break the caption like other images, video, audio, etc. [38756] #36211

Upgrade/Install

  • Show correct time of last checked update. [38743] #37554
  • Updates: Remove the ‘Download’ button on the Updates screen. [38736] #36811

Users

  • Use the role name instead of the role display name when fetching the list of users with no role. This avoids false positives when dealing with user roles that, for example, contain spaces in the display name. [38787] #38234

Thanks to @aaroncampbell, @abrightclearweb, @achbed, @adamsilverstein, @afercia, @akibjorklund, @aniketpant, @azaozz, @birgire, @bobbingwide, @boonebgorges, @boonebgorges for review, @celloexpressions, @Cheffheid, @choongsavvi, @choongsavvii, @Chouby, @chriseverson, @clarionwpdeveloper, @dd32, @desrosj, @dlh, @dmsnell, @DrewAPicture, @dshanske, @dungengronovius, @flixos90, @goranseric, @helen, @jamesacero, @jayarjo, @jdgrimes for initial patch, @jeremyfelt, @johnbillion, @jonathanbardo, @jorbin, @karmatosed, @koenschipper, @kraftbj, @lgedeon, @mattking5000, @MattyRob, @michalzuber, @mihai2u, @mikeviele, @morganestes, @mt8.biz, @needle, @ocean90, @pbearne, @pdufour for research, @pento, @peterwilsoncc, @PieWP for initial patch, @procodewp, @rachelbaker, @ryankienstra, @ryankienstra for initial patc, @sayedwp, @SergeyBiryukov, @solarissmoke, @stevenlinx, @stubgo, @sudar, @swissspidy, @tristangemus, @tristangemus for initial patch, @tywayne, @tyxla, @utkarshpatel, @valendesigns, @voldemortensen, @webmandesign, @websupporter, @westonruter, and @WraithKenny for their contributions!

#4-7, #week-in-core