Dev Chat Summary: December 12th

Dev Chat Scheduling

As many folks will be away over the Christmas/New Year period, the next few meetings will be as follows:

  • December 19: Normal meeting.
  • December 26: Normal meeting will not be happening. There are likely to be core folks around to answer questions for an open floor session.
  • January 2: Normal meeting.

5.0.2 Schedule and Scope

Please note that WordPress 5.0.1 has just been released, so any previous mentions of scope or schedule for WordPress 5.0.1 should now be read as applying to WordPress 5.0.2.

WordPress 5.0.2 is intended to be released two weeks after WordPress 5.0, which would make the release date December 20. To give a little more space before the Christmas/New Year holiday period, I’ve proposed that it be released December 19.

Milestone Dates

  • Release Candidate 1: December 14, 2018
  • Release Candidate 2 (if needed): December 17, 2018.
  • General Release: December 19, 2018.

The following items are in scope for the 5.0.2 release:

  • Gutenberg 4.7 was released today, the fixes in this plugin release will also be in WordPress 5.0.2.
  • Twenty Nineteen bugs and visual issues.
  • There are a few PHP 7.3 compatibility fixes to be made.

Any other tickets currently milestoned for 5.0.2 will be considered on a case-by-case basis, priority will be given to tickets with patches, testing, screenshots, and any other relevant information to show that they’re ready to land immediately.

5.1 Schedule and Scope

As there are already over 200 tickets fixed in WordPress 5.1, I’d like to propose that WordPress 5.1 has a relatively short release cycle.

Milestone Dates

  • Beta 1: January 10, 2019
  • Release Candidate 1: February 7, 2019
  • General Release: February 21, 2019

A key point from the WordPress 5.0 cycle was that it demonstrated the value of having a hard feature freeze at beta 1, as well as string freezes and strict bug fixing policies during the release candidate phase. With that in mind, I’d like to propose that we retain these policies for the WordPress 5.1 cycle.

The tickets already fixed in WordPress 5.1 need to be reviewed, to ensure they’re all stable for release in this cycle.

Apart from that, the PHP upgrade warnings and the White Screen of Death protection from the Site Health Check project are currently the only uncommitted features scheduled for WordPress 5.1. The PHP upgrade warnings are currently soft warnings, ahead of the minimum PHP version bump proposed for April 2019.

@matt will be continuing his role as release lead into WordPress 5.1. Any other feature proposals will need to be approved by him.

Please leave feedback on this post, so the scope and schedule can be confirmed in the next day or two.

Focus and Component Updates

REST API

The REST API group will be re-opening discussion around authentication solutions. They’ll be posting further information about this project on make/core.

Core JS

The Core JS group didn’t meet this week, due to many folks travelling home from WCUS. They’ll be resuming normal meetings next week.

Core Themes

The current themes focus is on triaging Twenty Nineteen issues for 5.0.2, as well as preparing to move activity from GitHub into Trac. This move will likely happen immediately after 5.0.2.

#5-0-1, #5-0, #5-1, #core, #dev-chat #summary

Backwards Compatibility Breaks in 5.0.1

5.0.1 was just released to fix several security bugs. The Security team tried very hard to mitigate all of the vulnerabilities without any back-compat breaks, but unfortunately there were a few cases where that was not possible.

Security patches are backported to the 3.7 branch, so these BC breaks also apply to versions 4.9.9, 4.8.8, etc.

Form element no longer passes KSES

Prior to 5.0.1, the $allowedposttags array contained an entry for the <form> element and some of its attributes. Because of that, Contributors and Authors could use it in posts.

The element was removed in 5.0.1, except for situations where a plugin has explicitly registered input or select fields via the wp_kses_allowed_html filter. If a Contributor or Author includes <form> in their post, it will be removed when the post is saved. It will also be stripped from arbitrary content that plugins pass to wp_kses_post() or wp_kses_allowed_html( 'post' ).

If a plugin author wants to restore the original behavior, they will need to add form, input or select tags via wp_kses_allowed_html. Please exercise caution when doing so, because this could re-introduce a vulnerability. Make sure only trusted users are allowed to add <form> tags. 

meta_input, file, and GUID inputs are ignored

Prior to 5.0.1, $_POST requests for creating posts could contain values for meta_input, file, and guid. This is no longer true, and values passed for those fields will be ignored.

Plugins should not manually manipulate $_POST, but rather use the appropriate filters, and always validate/sanitize any data coming from an untrusted source.

MIME validation for uploaded files

Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension.

This is no longer the case, and the content of uploaded files must now match their extension. Most valid files should be unaffected, but there may be cases when a file needs to be renamed to its correct extension (e.g., an OpenOffice doc going from .pptx to .ppxs).

#5-0-1, #5-0, #dev-notes