Dev Chat Summary: January 11th (4.7.1 week 5)

This post summarizes the dev chat meeting from January 11th (agendaSlack archive).

4.7.1 Update

2017 Release Schedule

  • 4.7.1 will NOT be last in the 4.7 branch, so it’s best to start on anything that needs to go in 4.7.2 immediately
  • Proposal from @samuelsidler:
    • Since we don’t have a set release date for WordPress 4.8, I’d like to propose we look at applicable 4.7.x issues about once a month, and decide if we should ship a release.
    • For 4.7.2, I think we should take a look at issues at the beginning of February, during devchat, and decide if the issues warrant a release, then ship about a week later.
    • That would mean we’d be looking at a release around February 14, but we’d update the schedule after looking at the specific issues.
    • We’d want to evaluate issues the week of February 6 and make a call.
    • I think we said regressions and minor bug fixes are okay in 4.7 at the moment, but we can evaluate other fixes on a case-by-case basis.
  • General agreement on approach, though date for 4.7.2 to be confirmed in February
  • Plan to choose someone soon to lead 4.7.2, maybe at or before next week’s devchat, to keep things moving along. @jnylen0 @aaroncampbell @voldemortensen @swissspidy interest in leading that or future releases. If you have interest, ping @samuelsidler as he’s compiling a list of those interested.
  • @davidakennedy: I’d imagine we’ll package up default theme updates more in minor release. Though, we can also release those whenever to .org. I’d like to think through a schedule for that. Maybe looking at things monthly, and making a decision.

Trac Tickets

  • #39309: Secure WordPress Against Infrastructure Attacks
    • @paragoninitiativeenterprises: propose making it a point of focus for 4.8
    • @aaroncampbell: may not fit as a focus for 4.8, since those should be in the editor, customizer, and API areas. But good to talk about and try to figure out steps forward.
    • @paragoninitiativeenterprises: recommend against punting too far into the future
    • @samuelsidler: let’s think through how to implement it and work on patches for that, then decide which release to put it in
    • @westonruter: Security and performance hardening are ongoing and not limited to focuses
    • @paragoninitiativeenterprises: would like to see this land ASAP, will work on a patch with necessary tests and any necessary back-compat and post to the ticket
  • #38418: Add telemetry (aka usage data collection) as opt-in feature in core)
    • @lukecavanagh: thoughts from the group?
    • @brechtryckaert: personally in favor of usage data collection, but we’ll need to be very upfront about it upon release to avoid criticism; also worried what the impact would be on loading times/slowdown due to communication with the servers that store the data, would all depend on the way it’s implemented.
  • #39157: Feed returns 404 when there are no posts
    • @stevenkword: looking for feedback on approach on adding new conditionals and what to do now. Issue was addressed in 4.7 but caused a regression and code was reverted for 4.7.1.  After 4.7.0 landed, before the reversion, an updated patch was committed that resolved the regression, but it introduced new getters to WP_Query.
    • @stevenkword: would like to find a resolution for this for 4.7.2, but need some opinions how to solve it.
    • Will ping @peterwilsoncc and @dd32 to look at it

#4-7, #4-7-1, #dev-chat, #summary

Week in Core, January 4th – 10th, 2017

Welcome back the latest issue of Week in Core, covering changes [39666-39758]. Here are the highlights:

  • 93 commits
  • 35 contributors
  • 100 tickets created
  • 8 tickets reopened
  • 80 tickets closed

Ticket numbers based on trac timeline for the period above. The following is a summary of commits, organized by component.

Code Changes

Administration

  • Docs: Remove incorrect @param tags for admin_print_footer_scripts-{$hook_suffix} and admin_footer-{$hook_suffix} dynamic actiona. [39755] #39527

Build/Test Tools

  • Build: Update pinned version of grunt-cssjanus for the 4.0 branch to hopefully please the build. [39747-39748] #29038

Bundled Theme

  • Twenty Seventeen: Expand a changelog entry added in [39742] with the new item name. [39752] #39489
  • Twenty Seventeen: Correct @param entries for twentyseventeen_content_width, twentyseventeen_custom_colors_saturation and twentyseventeen_social_links_icons filters. [39733] #39488
  • Twenty Seventeen: Correct @param entry for twentyseventeen_front_page_sections filter. [39732] #39488
  • Twenty Seventeen: Introduce a theme-specific filter twentyseventeen_starter_content for customizing the starter content array. [39720] #39109
  • Upgrade: Fix the installation of TwentySeventeen upon upgrade from an early version. [39687] #38551, #30799, #39138

Comments

  • Docs: Use correct closing tag in submit_field description in comment_form(). [39753] #39508

Customize

  • Correct a comment in get_theme_starter_content() added in [39561]. [39751] #39104
  • Docs: Correct @access entries and duplicate hook references in WP_Customize_Selective_Refresh. [39734] #39501
  • Prevent removal of underline upon hover/focus for nav menu deletion links. [39696] #37527, #39444
  • Remove extra left padding in core for site title and widgets in preview. [39695] #38651, #39349
  • Ensure theme_mod-cache of custom_css lookup of -1 short-circuits a WP_Query from being made. [39694] #35395, #39259
  • CDon’t query for postmeta for Custom CSS (for not-current-themes) and Customizer Changeset posts. [39692-39693] #39194
  • Ensure theme_mod-cache of custom_css lookup of -1 short-circuits a WP_Query from being made. [39688] #35395, #39259
  • Update customize.php URL with changeset_uuid param the instant a change is made instead of deferring until the changeset update request responds. [39686] #39227
  • Remove extra left padding in core for site title and widgets in preview. [39685] #38651, #39349
  • Prevent removal of underline upon hover/focus for nav menu deletion links. [39677] #37527, #39444
  • Docs: Correct @access tag for WP_Customize_Partial::id_data property. [39674] #39464
  • Docs: Add missing @since and @access tags for WP_Widget_Form_Customize_Control::to_json() and ::render_content(). [39673] #39463

Database

  • Docs: Move install_network() DocBlock after the function_exists() call. [39709] #39478

Editor

  • Docs: Use 3-digit, x.x.x style semantic versioning for @since entries in wp-admin/js/word-count.js. [39739] #37718
  • Docs: Add documentation for wp-admin/js/editor.js. [39738] #38933
  • Always add page-template-default class to the editor body when the template is not specified. This matches the behavior on the front-end. [39678-39679] #39368

External Libraries

Feeds

General

  • Docs: Add missing @since entry for Walker::unset_children(). [39741] #39506
  • Update copyright year to 2017 in license.txt. [39698-39707] #39433
  • Docs: Correct rest_insert_* duplicate hook references in REST API. [39671] #39371
  • Docs: Add missing session_token_manager duplicate hook reference in wp-includes/class-wp-session-tokens.php. [39670] #39371
  • Docs: Correct comment_email duplicate hook reference in wp-admin/includes/class-wp-comments-list-table.php. [39669] #39371
  • Docs: Add missing duplicate hook references in wp-admin/includes/ajax-actions.php. [39668] #39371

I18N

  • Docs: Correct @access entries for WP_Locale::init() and WP_Locale::register_globals(). [39737] #39504
  • Add post type context to “Featured Image” post labels. [39667] #39458

Mail

  • In PHPMailer 5.2.7 the case of the Send() method changed to send(), update our call for consistency with the library. [39691] #39469

Media

  • Docs: Use 3-digit, x.x.x style semantic versioning for @since entries in wp-admin/js/image-edit.js. [39740] #38748

Menus

  • Posts, Post Types: Add a @since entry for archives post type label introduced in [35382]. [39666] #16075

Misc

Options, Meta APIs

  • Docs: Add variable to @param entry for whitelist_options filter. [39708] #39477

Posts, Post Types

  • Use an existing string for “Invalid post type” error message. [39756] #39171
  • Docs: Add missing @param tag for show_post_locked_dialog filter. [39710] #39479

Query

  • Docs: Add missing @since and @access tags for WP_Date_Query::is_first_order_clause(). [39672] #39462

REST API

Security

  • Docs: Make @deprecated entry for wp_kses_js_entities(), deprecated in [38785], consistent with other entries. [39758] #39541

Taxonomy

  • Docs: Correct @since and @access tags for WP_Term_Query::get_terms() and WP_Term_Query::parse_orderby_meta(). [39675] #39467

Themes

  • Docs: Add missing @since entries for WP_Theme class methods. [39736] #39503
  • Docs: Correct the DocBlock for get_header_video_url(). [39676] #39468

Upgrade/Install

  • Docs: Move install_global_terms() DocBlock after the function_exists() call. [39754] #39526
  • Avoid creating nonce during installation. [39697] #39047
  • Updates: Properly define $filesystemForm to handle error in modals. [39689-39690] #39057
  • Avoid creating nonce during installation. [39684] #39047

Users

  • Docs: Change @param type for $user_object in WP_Users_List_Table::single_row() from object to WP_User to be more accurate. [39757] #39536
  • Docs: Correct @access entry for WP_User::filter property. [39735] #39502, #39278

Thanks to @ocean90 @Presskop, @aaroncampbell, @adamsilverstein, @asalce, @azaozz, @BharatKambariya, @celloexpressions, @chiragpatel, @dd32, @dlh, @ireneyoast, @Jaydeep Rami, @karmatosed, @keesiemeijer, @ketuchetan, @michalzuber, @monikarao, @Nikschavan, @nullvariable, @pento, @priyankabehera155, @prosti, @ramiy, @rmccue, @sanket.parmar, @sebastian.pisula, @SergeyBiryukov, @sirbrillig, @stevenkword, @teinertb, @terwdan, @timph, @truongwp, and @westonruter for their contributions!

#4-8, #week-in-core

Controlling access to REST API user functionality for multisite

Following last week’s discussion in #core-multisite (read the recap) this week’s office hours agenda was to continue the chat about the multisite-related enhancements for the REST API users endpoint, focussing heavily on how to access the required functionality. Here is a wrap-up of the discussion.

Chat log in #core-multisite

Attendees: @jeremyfelt, @jnylen, @nerrad, @ipstenu, @earnjam, @kenshino, @maximeculea, @mikelking, @lukecavanagh, @flixos90

Now that the way on how one should be able to modify user roles per site was clarified last week, this week the focus laid on where one should be able to perform those actions. The current state of the wp-json/wp/v2/users endpoint in multisite is:

  • The users overview accessible with a GET request to wp-json/wp/v2/users only lists users that are part of the current site.
  • When creating a user with a POST request to wp-json/wp/v2/users, that user is created and added to the current site. When providing the roles parameter, the passed roles are added to the user, otherwise the user will still be part of the site, but without any role. See #38526 for background.
  • It is possible to both read and edit any user from any site with a request to wp-json/wp/v2/users/<id>, regardless of whether the user is part of that site.
  • A DELETE request to wp-json/wp/v2/users/<id> results in an error. See #38962 for background.

After the discussion about how to be able to add a specific user to a site, update their site capabilities and remove them from a site, this week’s chat revolved around where these actions can be accessed, as they are for the most part network-specific actions not available to a site administrator. The approach that was agreed on is:

  • The users overview at wp-json/wp/v2/users should continue to only show users of that site by default, but a request like wp-json/wp/v2/users?global=true should show all users in the WordPress setup. This parameter must only be available to network administrators though, more specifically users with the manage_network_users capability. In the future a network parameter might also be introduced for support of multi networks, but at this point core does not support querying users per network. Accessing global users should be available from all sites in a setup instead of only from the main site. While this approach makes these endpoints duplicates of each other, it has several benefits like preventing the requirement for cross-domain requests, allowing easier API discovery and not requiring the main site of a setup to be exposed to REST API calls to a sub site.
  • Assigning an existing user to a site and removing a user from a site should generally be only available to network administrators, and the site administrators of the site that is being interacted with.
  • Similarly, editing a user that does not belong to the current site should only be possible for a network administrator. Currently this is available to site administrators as well which is probably wrong.
  • Deleting any user completely should only be available to a network administrator. A good way to handle the reassign parameter needs to be found though.

Before coming to the conclusion that dealing with multisite functionality at the existing users endpoint, the possibility of introducing a multisite-specific endpoint only available on the main site was discussed. However this was considered not practical due to the nature of how users work in WordPress. Having separate endpoints for other network-wide functionality might still be a possibility though as long as that component solely affects the network admin, so this idea is something to keep in mind for thought about further network functionality endpoints in the future.

Back to the users endpoint, one related question that came up is:

  • Should the sites a user belongs to be available at the wp-json/wp/v2/users endpoint or at a future wp-json/wp/v2/sites endpoint? If they were available in the wp-json/wp/v2/users endpoint, every user entity would have a new sites key available if the current user had sufficient permissions to see these. If they were available in the wp-json/wp/v2/sites endpoint, that endpoint could easily support this functionality through usage of a user parameter.

@jeremyfelt suggested to look at the “Add New User” screen in the site admin to have a good use-case for how to scaffold the multisite functionality of the API endpoint. This has helped during this week’s office-hours and can also be beneficial in the future. Eventually this screen should be revamped entirely, being powered by the REST API.

Regarding the enhancements of the users endpoint, a general ticket for this task was opened at #39544. This ticket is meant to be used for discussion on the topic, while separate smaller tickets should be opened for actually implementing the individual pieces. For now feedback is welcome on that ticket. The discussion on multisite improvements for the REST API will continue at Tuesday 17:00 UTC.

/cc @rmccue and @kadamwhite

 

 

#multisite, #networks-sites, #rest-api, #users

Dev Chat Agenda for January 11 (4.7.1 week 5)

This is the agenda for the weekly dev meeting on January 11, 2017 at 15:00 CST:

  • Schedule reminder: 4.7.1 scheduled to launch at January 11, 2017 at 15:00 UTC
  • 2017 releases: 4.7.1 will NOT be last in the 4.7 branch, so it’s best to start on anything that needs to go in 4.7.2 immediately
  • General announcements: bring your bullhorn, step up on the soapbox, and shout for all to hear

If you have anything to propose to add to the agenda or specific items related to the above, please leave a comment below. See you there!

#4-7, #4-7-1, #agenda, #dev-chat

API Chat Summary: January 9th (4.8 kickoff)

We’ve had an early kickoff meeting for the REST API for 4.8 (Slack archive) to establish some of the new workflows and structure for the team heading into 4.8.

Development Process for 4.8

  • There are three big areas for the API moving forward: usage in core, usage in apps, and general expansion
  • Focus for 4.8 core development will be on usage in core
  • Other areas will continue development in Feature Projects where they need to, but won’t be the focus of the core API team
  • Feature Projects for the API:
    • Two additional requirements:
      1. Project must have a reviewer, who needs to be a core committer
      2. Project must have a design doc with a few specifics
    • Exactly what is required in the design doc will be laid out in the future, will include detailed merging plan
    • These changes based on our own experiences being a feature project
  • Project Organisation (including feature projects and core projects)
    • Overview and tracking of features will use Trello (mainly for our own internal usage)
    • Projects will have their own teams with a point-person to organise
    • Projects can have their own meetings, and will report their progress in the main API meeting
    • Our first core project is the Multisite API, @jnylen0 has been volunteered for point-person 😉

4.8 Focus: Admin

  • Attacking the problem from multiple fronts: lots of JS work, backend/new endpoints also required
  • New endpoints
    • “Appearance” menu is largest area lacking API support
    • Will work with the Customiser team closely here, including work on Widgets and Menus
  • Frontend work
    • Press This is great candidate, and work is already underway in #38343
    • Large amount of work around List Tables required
    • Work here can start with Quick Edit and Quick Delete
    • These will act as smaller areas to help establish process, including dealing with backwards compatibility

Documentation and Support

As noted, we’re trying out some new things with API development for this cycle. Those may stick, or they may not, and we’ll be continuing to improve and refine the process as we go.

Improving the REST API users endpoint in multisite

One of the objectives for multisite is sorting how users are managed with the REST API. This was one of the agenda items for last week’s #core-multisite office hours and generated some good discussion. Here’s a wrap-up of the ideas and thoughts from that discussion.

Chat log in #core-multisite

Attendees: @iamfriendly, @johnjamesjacoby, @nerrad, @florian-tiar, @mikelking, @earnjam, @jeremyfelt

Users in multisite exist globally and are shared among sites on one or more networks. Users are associated with sites in the user meta table with a wp_#_capabilities key.

The current state of the wp-json/wp/v2/users endpoint for multisite is:

  • A POST request for a new global user to the main site creates the user and associates them with the main site only.
  • A POST request for a new global user to a sub site creates the user and associates them with the sub site only.
  • A POST request for an existing global user results in an error.
  • A PUT request for an existing global user to a sub site updates the user’s meta with a capability for that sub site.
  • A DELETE request on multisite is invalid and results in an error. See #38962.

It is not possible to remove a user from an individual site or to delete the user from the network.

Previous tickets: #38526, #39155, #38962, #39000

The following are a few thoughts expressed separately from the above summary.

  • The right way to associate existing objects over the REST API is with a PUT request.
  • The right way to disassociate existing objects is with a PUT request.
  • Linked previous discussion – “Deleting an item should always delete an item
  • We already have functions like remove_user_from_blog() and add_user_to_blog() available to us.
  • Does “add” invite or literally add? This can probably be included as data in the PUT request.
  • What happens if an API client is built for single site and then that site gets switched to multisite?
  • Handling bulk actions on an endpoint would be nice. (e.g. Add a user to multiple sites) No endpoint has implemented batch handling yet though.

Initial tasks:

  • It should be possible to remove a user from a site with a PUT request to the wp-json/wp/v2/users/# endpoint.
  • It should be possible to delete a global user with a DELETE request to the wp-json/wp/v2/users/# endpoint once all sites have been disassociated.

New tickets will be created soon for these tasks. Please leave any initial feedback in the comments on this post covering the assumptions and conclusions made above. There will be another round of discussion during tomorrow’s #core-multisite office hours at Tuesday 17:00 UTC.

/cc @rmccue and @kadamwhite

#multisite, #networks-sites, #rest-api, #users

Dev Chat Summary: January 4th (4.7.1 week 4)

This post summarizes the dev chat meeting from January 4th (agendaSlack archive).

Schedule

2017 Release Schedule

  • no update on the “new release schedule”, so for now it will be process as usual

#4-7, #4-7-1, #dev-chat, #summary

Aaron Campbell Leading Security

@aaroncampbell is now the new lead of security triage and resolution for the WordPress project, also known as the Security Czar. Many thanks to Nikolay Bachiyski for kicking this role off and getting a lot of the infrastructure we use in place. This is also a good time to thank the dozens of volunteers who participate in the security group, and the researchers and reporters who bring issues to our attention.

#security

4.7.1 Release Candidate

A Release Candidate for WordPress 4.7.1 is now available. This security and maintenance release fixes 62 issues reported against 4.7 and is scheduled for final release on Wednesday, January 11, 2017. Note this does not address a number of other issues, which are slated for a 4.7.2 release.

Thus far WordPress 4.7 has been downloaded over 9 million times since its release on December 6, 2016. Please help us by testing this release candidate to ensure 4.7.1 fixes the reported issues and doesn’t introduce any new ones. As always, the entire WordPress project is grateful to security reporters for practicing responsible disclosure.

PHPMailer Update

Last month a security vulnerability (CVE 20016-10033) in the PHPMailer library was made public. WordPress uses this library as the basis for its email functionality. The Security Team has spent some time analysing this vulnerability, and how it applies to WordPress. This vulnerability does not appear to be directly exploitable in WordPress Core, or any major plugins in the plugin directory. The wp_mail() function, which WordPress Core and most plugins use for sending email, blocks this vulnerability from being exploited.

All Changes

Here’s a list of all closed tickets, sorted by component:

Bootstrap/Load

  • #39132 – WP 4.7, object-cache.php breaks the site if APC is not enabled in php

Build/Test Tools

  • #39327 – Database connection errors in unit tests on 4.7

Bundled Theme

  • #39138 – wordpress 4.7 default theme does not get installed when upgrading
  • #39272 – Twenty Seventeen: Incorrect $content_width
  • #39302 – Twenty Seventeen: Featured image not displayed on single template
  • #39335 – Twenty Seventeen: customize-controls.js incorrectly assumes theme_options section is always present
  • #39109 – Twenty Seventeen: starter content array needs a filter
  • #39489 – Twenty Seventeen: Bump version and update changelog

Charset

  • #37982 – 4.6.1 Breaks apostrophes in titles and utf-8 characters

Comments

  • #39280 – comment permalink wrong in WordPress 4.7
  • #39380 – wp_update_comment can cause database error with new filter

Customize

  • #39009 – Customizer: the preview UI language should be the user language
  • #39098 – Customize: Clicking on child elements of preview links fails to abort navigation to non-previewable links
  • #39100 – Customize: Edit shortcuts do not work if page hasn’t been saved and published
  • #39101 – Customize: edit shortcuts for custom menu widgets do not work
  • #39102 – Customize: Shift-click on placeholder nav menu items fails to focus on the nav menu item control
  • #39103 – Customize: menus aren’t deleted
  • #39104 – Customize: starter content home menu item needs to be a link, not a page
  • #39125 – Customize: Video Header YouTube field has issues when whitespace is inserted at beginning or end of URL
  • #39134 – Customize: custom CSS textarea is scrolled to top when pressing tab
  • #39145 – custom-background URL escaped
  • #39175 – Customizer assumes url is passed with replaceState and pushState
  • #39194 – Invalid parameters in Custom CSS and Changeset queries
  • #39198 – Customize: Apostrophes in custom CSS cause false positives for validation errors
  • #39227 – Changeset parameter not generated
  • #39259 – ‘custom_css_post_id’ theme mod of `-1` doesn’t prevent queries
  • #39270 – Use a higher priority on wp_head for inline custom CSS
  • #39349 – Customizer (mobile preview) site title extra padding
  • #39444 – Text Decoration Underline removes on hover in Customizer

Editor

  • #39276 – Link Editor bug – target=”_blank” not removed
  • #39313 – Add New button not disappearing in Distraction-free Writing mode
  • #39368 – .page-template-default body class in editor doesn’t appear in initial post/page load.

External Libraries

  • #37210 – Update PHPMailer to 5.2.21

Feeds

  • #39066 – `fetch_feed()` changes REST API response `Content-Type`
  • #39141 – RSS feeds have incorrect lastBuildDate when using alternate languages

General

  • #39148 – Correct concatenated dynamic hooks
  • #39433 – Update copyright year in license.txt

HTTP API

  • #37839 – wp_remote_get sometimes mutilates the response body
  • #37991 – fsockopen logic bug
  • #37992 – fsockopen hard codes port 443 when http scheme used
  • #38070 – RegEx to remove double slashes affects query strings as well.
  • #38226 – “cURL error 23: Failed writing body” when updating plugins or themes
  • #38232 – Setting `sslverify` to false still validates the hostname

Media

  • #39195 – Undefined index: extension in class-wp-image-editor-imagick.php on line 152
  • #39231 – Allow the pdf fallback_intermediate_image_sizes filter to process add_image_size() sizes.
  • #39250 – Undefinded Variable in Media-Modal

Posts, Post Types

  • #39211 – is_page_template could return true on terms

REST API

  • #38700 – REST API: Cannot send an empty or no-op comment update
  • #38977 – REST API: `password` is incorrectly included in arguments to get a media item
  • #39010 – REST API: Treat null and other falsy values like `false` in ‘rest_allow_anonymous_comments’
  • #39042 – REST API: Allow sanitization_callback to be set to null to bypass `rest_parse_request_arg()`
  • #39070 – WP-API JS client can’t use getCategories for models returned by collections
  • #39092 – REST API: Add support for filename search in media endpoint
  • #39150 – Empty JSON Payload Causes rest_invalid_json
  • #39293 – WordPress REST API warnings
  • #39300 – REST API Terms Controller Dynamic Filter Bug
  • #39314 – WP-API Backbone Client: buildModelGetter fails to reject deferred on fetch error

Taxonomy

  • #39215 – Support for string $args in wp_get_object_terms() broken in 4.7
  • #39328 – Adding terms without AJAX strips “taxonomy” query arg

Themes

  • #39246 – Theme deletion has a JS error that prevents multiple themes from being deleted.

Upgrade/Install

  • #39047 – Installer tries to create nonce before options table exists
  • #39057 – FTP credentials form doesn’t display the SSH2 fields on the Updates screen

 

#4-7, #4-7-1, #maintenance, #release, #security

Week in Core, December 14th 2016 – January 3rd, 2017

Welcome back the latest issue issues (sorry) of Week in Core, covering changes [39599-39665]. Here are the highlights:

  • 67 commits
  • 56 contributors
  • 203 tickets created
  • 24 tickets reopened
  • 145 tickets closed

Ticket numbers based on trac timeline for the period above. The following is a summary of commits, organized by component.

Code Changes

Bootstrap/Load

  • Bootstrap: Re-initialize any hooks added manually by object-cache.php.
    Prior to 3.1 if a object cache dropin wanted to add actions, they needed to use $wp_filter directly. [39605] #39132

Build/Test Tools

  • Tests: Restore the database connection earlier when switching test groups. [39626-39627] #39327

Bundled Theme

  • Twenty Seventeen: Fix incorrect $content_width value in theme. [39635], [39650] #39272
  • Twenty Seventeen: Hardens the logic for calling featured image in header.php [39624] #39302
  • Twenty Seventeen: Ensure functions in customize-controls.js don’t count on Customizer sections always being present [39623] #39335
  • Twenty Seventeen: Improves code readability and code standards in files [39618] #39152

Comments

  • Ignore the ‘comment_order’ setting when determining comment pagination. [39663-39664] #31101, #39280
  • Fix placement of the wp_update_comment_data filter to safeguard filtered data from triggering a database error. [39640-39641] #39380

Customize

  • Fix visible edit shortcuts for wp_nav_menu() instances using the menu arg (such as in the Custom Menu widget) instead of the theme_location arg. [39622], [39653] #27403, #39101
  • Bump wp_custom_css_cb from running at wp_head priority 11 to 101 to ensure Custom CSS overrides other CSS. [39616], [39651] #35395, #38672, #39270
  • Prevent edit shortcut from losing event handler after selective refresh. [39606] #27403, #39100

Editor

External Libraries

Feeds

  • Replace the RSS2 lastBuildDate date field with the r date specifier. [39614] #39141
  • Do not translate the lastBuildDate field in RSS feeds. [39613] #39141

Filesystem API

  • Filesystem: Add return statement to WP_Filesystem_ftpsockets->rmdir [39644] #39405

General

  • Update copyright year to 2017 in license.txt. [39659], [39661] #39433
  • Docs: Misc corrections and additions to inline documentation. [39639] #39130
  • Use interpolation instead of concatenation for all dynamic hook names. [39600] #39148

Mail

  • Ensure that any phpmailerException exceptions generated by setFrom() are caught to avoid PHP Fatal errors. [39655] #25239, #39360

Media

  • Move a variable definition outside of conditionals to ensure it’s always available.
    This [39654] #39250
  • Allow PDF fallbacks filter to process custom sizes. [39617] #39231, #38594
  • This [39612] #39250
  • PDF Images: Avoid a PHP Warning when attempting to process a file without an extension. [39607] #39195

Posts, Post Types

  • Taxonomy: Eliminate redundant and inaccurate dupe check when creating categories from post.php. [39637] #16567
  • Ensure is_page_template() can only return true when viewing a singular post query. [39599], [39608] #39211

Query

  • Don’t double-escape terms payload in WP_Tax_Query::transform_query(). [39662] #39315
  • Improve documentation for orderby=relevance in WP_Query. [39636] #39336

REST API

  • Add missing assertions to the view and embed context response data for the Users Controller. [39660] #39399
  • Add the supports property to the Post Type response object. [39647] #39033
  • Remove errant annotation from test_get_items_pagination_headers() method. [39643] #39398
  • Allow schema sanitization_callback to be set to null to bypass fallback sanitization functions. [39642] #38593, #39042
  • Docs: Add and correct @since docs for a variety of functions and methods. [39638] #39343, #39357, #39344, #39130
  • Allow sending an empty or no-op comment update. [39628] #38700
  • Improve the rest_*_collection_params filter docs and fix the terms filter. [39621] #39300
  • Fix PHP warnings when get_theme_support( 'post-formats' ) is not an array. [39620] #39293
  • Do not include the password argument when getting media items [39610] #38977
  • Do not error on empty JSON body [39609] #39150
  • WP-API: JavaScript client – fix setup of models used by wp.api.collections objects. [39603-39604] #39070
  • Add support for filename search in media endpoint. [39598] #39092

Shortcodes

  • Clarify the docs for pre_do_shortcode_tag and do_shortcode_tag. [39665] #39294

Taxonomy

  • Redirect to current taxonomy when adding a term without AJAX. [39649], [39652] #39328
  • REST API: Merge similiar error message strings in the Terms Controller. [39648] #39176
  • Ensure that mods to query vars in pre_term_query callbacks have an effect. [39625] #39354
  • Restore the ability to use string-based $args in wp_get_object_terms(). [39611] #39215

Upgrade/Install

  • Updates: Show the Authentication key settings after selecting the SSH transport in both the modal, and also on the plugin/theme updates screen. [39657-39658] #39057
  • Updates: Remove a stray " from a tag. [39656] #39057

Thanks to @adamsilverstein, @afercia, @bcworkz, @boonebgorges, @chandrapatel, @ChopinBach, @chris_de, @davidakennedy, @dd32, @dhanendran, @dl, @dlh, @dots, @dreamon11, @dshanske, @garyc40, @gitlost, @iseulde, @jblz, @jesseenterprises, @jfarthing84, @jnylen0, @joemcgill, @johnbillion, @jorbin, @JPry, @keesiemeije, @keesiemeijer, @kkoppenhaver, @kovshenin, @laurelfulford, @MattyRob, @MikeHansenMe, @natereist, @Nikschavan, @obenland, @ocean90, @pento, @peterwilsoncc, @rachelbaker, @ramiy, @sanket.parmar, @sebastian.pisula, @SergeyBiryukov, @sfpt, @shazahm1hotmailcom, @sirbrillig, @sstoqnov, @stevenkword, @szaqal21, @thepelkus, @timmydcrawford, @tymvie, @tyxla, @voldemortensen, and @westonruter for their contributions!

#4-8, #week-in-core