enmi-conf.org: comparison wp/wp-includes/pluggable.php

equal deleted inserted replaced

-:490d5cc509ed
+:cf61fcea0001
 * Some WordPress functionality is based on the current user and not based on
 * the signed in user. Therefore, it opens the ability to edit and perform
 * actions on users who aren't signed in.
 *
 * @since 2.0.3
-* @global object $current_user The current user object which holds the user data.
+* @global WP_User $current_user The current user object which holds the user data.
 *
-* @param int $id User ID
+* @param int    $id   User ID
 * @param string $name User's username
 * @return WP_User Current user User object
 */
 function wp_set_current_user($id, $name = '') {
 	global $current_user;
-	if ( isset( $current_user ) && ( $current_user instanceof WP_User ) && ( $id == $current_user->ID ) )
+	// If `$id` matches the user who's already current, there's nothing to do.
+	if ( isset( $current_user )
+		&& ( $current_user instanceof WP_User )
+		&& ( $id == $current_user->ID )
+		&& ( null !== $id )
+	) {
 		return $current_user;
+	}
 	$current_user = new WP_User( $id, $name );
 	setup_userdata( $current_user->ID );
 endif;
 if ( !function_exists('wp_get_current_user') ) :
 /**
 * Retrieve the current user object.
-*
-* @since 2.0.3
-*
-* @return WP_User Current user WP_User object
-*/
-function wp_get_current_user() {
-	global $current_user;
-	get_currentuserinfo();
-	return $current_user;
-}
-endif;
-if ( !function_exists('get_currentuserinfo') ) :
-/**
-* Populate global variables with information about the currently logged in user.
 *
 * Will set the current user, if the current user is not set. The current user
 * will be set to the logged-in person. If no user is logged-in, then it will
 * set the current user to 0, which is invalid and won't have any permissions.
 *
+* @since 2.0.3
+*
+* @see _wp_get_current_user()
+* @global WP_User $current_user Checks if the current user is set.
+*
+* @return WP_User Current WP_User instance.
+*/
+function wp_get_current_user() {
+	return _wp_get_current_user();
+}
+endif;
+if ( !function_exists('get_userdata') ) :
+/**
+* Retrieve user info by user ID.
+*
 * @since 0.71
 *
-* @uses $current_user Checks if the current user is set
-*
-* @return null|false False on XML-RPC Request and invalid auth cookie. Null when current user set.
-*/
-function get_currentuserinfo() {
-	global $current_user;
-	if ( ! empty( $current_user ) ) {
-		if ( $current_user instanceof WP_User )
-			return;
-		// Upgrade stdClass to WP_User
-		if ( is_object( $current_user ) && isset( $current_user->ID ) ) {
-			$cur_id = $current_user->ID;
-			$current_user = null;
-			wp_set_current_user( $cur_id );
-			return;
-		}
-		// $current_user has a junk value. Force to WP_User with ID 0.
-		$current_user = null;
-		wp_set_current_user( 0 );
-		return false;
-	}
-	if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST ) {
-		wp_set_current_user( 0 );
-		return false;
-	}
-	/**
-	 * Filter the current user.
-	 *
-	 * The default filters use this to determine the current user from the
-	 * request's cookies, if available.
-	 *
-	 * Returning a value of false will effectively short-circuit setting
-	 * the current user.
-	 *
-	 * @since 3.9.0
-	 *
-	 * @param int|bool $user_id User ID if one has been determined, false otherwise.
-	 */
-	$user_id = apply_filters( 'determine_current_user', false );
-	if ( ! $user_id ) {
-		wp_set_current_user( 0 );
-		return false;
-	}
-	wp_set_current_user( $user_id );
-}
-endif;
-if ( !function_exists('get_userdata') ) :
-/**
-* Retrieve user info by user ID.
-*
-* @since 0.71
-*
 * @param int $user_id User ID
-* @return WP_User|bool WP_User object on success, false on failure.
+* @return WP_User|false WP_User object on success, false on failure.
 */
 function get_userdata( $user_id ) {
 	return get_user_by( 'id', $user_id );
 }
 endif;
 if ( !function_exists('get_user_by') ) :
 /**
 * Retrieve user info by a given field
 *
 * @since 2.8.0
-*
+* @since 4.4.0 Added 'ID' as an alias of 'id' for the `$field` parameter.
-* @param string $field The field to retrieve the user with. id | slug | email | login
+*
+* @param string     $field The field to retrieve the user with. id | ID | slug | email | login.
 * @param int|string $value A value for $field. A user ID, slug, email address, or login name.
-* @return WP_User|bool WP_User object on success, false on failure.
+* @return WP_User|false WP_User object on success, false on failure.
 */
 function get_user_by( $field, $value ) {
 	$userdata = WP_User::get_data_by( $field, $value );
 	if ( !$userdata )
 if ( !function_exists('cache_users') ) :
 /**
 * Retrieve info for user lists to prevent multiple queries by get_userdata()
 *
 * @since 3.0.0
+*
+* @global wpdb $wpdb WordPress database abstraction object.
 *
 * @param array $user_ids User ID numbers list
 */
 function cache_users( $user_ids ) {
 	global $wpdb;
 * just 'wp_mail_from' is set, then just the email address will be used with no
 * name.
 *
 * The default content type is 'text/plain' which does not allow using HTML.
 * However, you can set the content type of the email by using the
-* 'wp_mail_content_type' filter.
+* {@see 'wp_mail_content_type'} filter.
 *
 * The default charset is based on the charset used on the blog. The charset can
-* be set using the 'wp_mail_charset' filter.
+* be set using the {@see 'wp_mail_charset'} filter.
 *
 * @since 1.2.1
 *
-* @uses PHPMailer
+* @global PHPMailer $phpmailer
 *
-* @param string|array $to Array or comma-separated list of email addresses to send message.
+* @param string|array $to          Array or comma-separated list of email addresses to send message.
-* @param string $subject Email subject
+* @param string       $subject     Email subject
-* @param string $message Message contents
+* @param string       $message     Message contents
-* @param string|array $headers Optional. Additional headers.
+* @param string|array $headers     Optional. Additional headers.
 * @param string|array $attachments Optional. Files to attach.
 * @return bool Whether the email contents were sent successfully.
 */
 function wp_mail( $to, $subject, $message, $headers = '', $attachments = array() ) {
 	// Compact the input, apply the filters, and extract them back out
 	/**
-	 * Filter the wp_mail() arguments.
+	 * Filters the wp_mail() arguments.
 	 *
 	 * @since 2.2.0
 	 *
 	 * @param array $args A compacted array of wp_mail() arguments, including the "to" email,
 	 *                    subject, message, headers, and attachments values.
 	 */
 	$atts = apply_filters( 'wp_mail', compact( 'to', 'subject', 'message', 'headers', 'attachments' ) );
 	if ( isset( $atts['to'] ) ) {
 		$to = $atts['to'];
+	}
+	if ( !is_array( $to ) ) {
+		$to = explode( ',', $to );
 	}
 	if ( isset( $atts['subject'] ) ) {
 		$subject = $atts['subject'];
 	}
 		require_once ABSPATH . WPINC . '/class-smtp.php';
 		$phpmailer = new PHPMailer( true );
 	}
 	// Headers
+	$cc = $bcc = $reply_to = array();
 	if ( empty( $headers ) ) {
 		$headers = array();
 	} else {
 		if ( !is_array( $headers ) ) {
 			// Explode the headers out, so this function can take both
 			$tempheaders = explode( "\n", str_replace( "\r\n", "\n", $headers ) );
 		} else {
 			$tempheaders = $headers;
 		}
 		$headers = array();
-		$cc = array();
-		$bcc = array();
 		// If it's actually got contents
 		if ( !empty( $tempheaders ) ) {
 			// Iterate through the raw headers
 			foreach ( (array) $tempheaders as $header ) {
 						$cc = array_merge( (array) $cc, explode( ',', $content ) );
 						break;
 					case 'bcc':
 						$bcc = array_merge( (array) $bcc, explode( ',', $content ) );
 						break;
+					case 'reply-to':
+						$reply_to = array_merge( (array) $reply_to, explode( ',', $content ) );
+						break;
 					default:
 						// Add it to our grand headers array
 						$headers[trim( $name )] = trim( $content );
 						break;
 				}
 			}
 		}
 	}
 	// Empty out the values that may be set
-	$phpmailer->ClearAllRecipients();
+	$phpmailer->clearAllRecipients();
-	$phpmailer->ClearAttachments();
+	$phpmailer->clearAttachments();
-	$phpmailer->ClearCustomHeaders();
+	$phpmailer->clearCustomHeaders();
-	$phpmailer->ClearReplyTos();
+	$phpmailer->clearReplyTos();
 	// From email and name
 	// If we don't have a name from the input headers
 	if ( !isset( $from_name ) )
 		$from_name = 'WordPress';
 		$from_email = 'wordpress@' . $sitename;
 	}
 	/**
-	 * Filter the email address to send from.
+	 * Filters the email address to send from.
 	 *
 	 * @since 2.2.0
 	 *
 	 * @param string $from_email Email address to send from.
 	 */
-	$phpmailer->From = apply_filters( 'wp_mail_from', $from_email );
+	$from_email = apply_filters( 'wp_mail_from', $from_email );
 	/**
-	 * Filter the name to associate with the "from" email address.
+	 * Filters the name to associate with the "from" email address.
 	 *
 	 * @since 2.3.0
 	 *
 	 * @param string $from_name Name associated with the "from" email address.
 	 */
-	$phpmailer->FromName = apply_filters( 'wp_mail_from_name', $from_name );
+	$from_name = apply_filters( 'wp_mail_from_name', $from_name );
-	// Set destination addresses
+	try {
-	if ( !is_array( $to ) )
+		$phpmailer->setFrom( $from_email, $from_name, false );
-		$to = explode( ',', $to );
+	} catch ( phpmailerException $e ) {
+		$mail_error_data = compact( 'to', 'subject', 'message', 'headers', 'attachments' );
-	foreach ( (array) $to as $recipient ) {
+		$mail_error_data['phpmailer_exception_code'] = $e->getCode();
-		try {
-			// Break $recipient into name and address parts if in the format "Foo <bar@baz.com>"
+		/** This filter is documented in wp-includes/pluggable.php */
-			$recipient_name = '';
+		do_action( 'wp_mail_failed', new WP_Error( 'wp_mail_failed', $e->getMessage(), $mail_error_data ) );
-			if( preg_match( '/(.*)<(.+)>/', $recipient, $matches ) ) {
-				if ( count( $matches ) == 3 ) {
+		return false;
-					$recipient_name = $matches[1];
-					$recipient = $matches[2];
-				}
-			}
-			$phpmailer->AddAddress( $recipient, $recipient_name);
-		} catch ( phpmailerException $e ) {
-			continue;
-		}
 	}
 	// Set mail's subject and body
 	$phpmailer->Subject = $subject;
 	$phpmailer->Body    = $message;
-	// Add any CC and BCC recipients
+	// Set destination addresses, using appropriate methods for handling addresses
-	if ( !empty( $cc ) ) {
+	$address_headers = compact( 'to', 'cc', 'bcc', 'reply_to' );
-		foreach ( (array) $cc as $recipient ) {
+	foreach ( $address_headers as $address_header => $addresses ) {
+		if ( empty( $addresses ) ) {
+			continue;
+		}
+		foreach ( (array) $addresses as $address ) {
 			try {
 				// Break $recipient into name and address parts if in the format "Foo <bar@baz.com>"
 				$recipient_name = '';
-				if( preg_match( '/(.*)<(.+)>/', $recipient, $matches ) ) {
+				if ( preg_match( '/(.*)<(.+)>/', $address, $matches ) ) {
 					if ( count( $matches ) == 3 ) {
 						$recipient_name = $matches[1];
-						$recipient = $matches[2];
+						$address        = $matches[2];
 					}
 				}
-				$phpmailer->AddCc( $recipient, $recipient_name );
+				switch ( $address_header ) {
+					case 'to':
+						$phpmailer->addAddress( $address, $recipient_name );
+						break;
+					case 'cc':
+						$phpmailer->addCc( $address, $recipient_name );
+						break;
+					case 'bcc':
+						$phpmailer->addBcc( $address, $recipient_name );
+						break;
+					case 'reply_to':
+						$phpmailer->addReplyTo( $address, $recipient_name );
+						break;
+				}
 			} catch ( phpmailerException $e ) {
 				continue;
 			}
 		}
 	}
-	if ( !empty( $bcc ) ) {
+	// Set to use PHP's mail()
-		foreach ( (array) $bcc as $recipient) {
+	$phpmailer->isMail();
+	// Set Content-Type and charset
+	// If we don't have a content-type from the input headers
+	if ( !isset( $content_type ) )
+		$content_type = 'text/plain';
+	/**
+	 * Filters the wp_mail() content type.
+	 *
+	 * @since 2.3.0
+	 *
+	 * @param string $content_type Default wp_mail() content type.
+	 */
+	$content_type = apply_filters( 'wp_mail_content_type', $content_type );
+	$phpmailer->ContentType = $content_type;
+	// Set whether it's plaintext, depending on $content_type
+	if ( 'text/html' == $content_type )
+		$phpmailer->isHTML( true );
+	// If we don't have a charset from the input headers
+	if ( !isset( $charset ) )
+		$charset = get_bloginfo( 'charset' );
+	// Set the content-type and charset
+	/**
+	 * Filters the default wp_mail() charset.
+	 *
+	 * @since 2.3.0
+	 *
+	 * @param string $charset Default email charset.
+	 */
+	$phpmailer->CharSet = apply_filters( 'wp_mail_charset', $charset );
+	// Set custom headers
+	if ( !empty( $headers ) ) {
+		foreach ( (array) $headers as $name => $content ) {
+			$phpmailer->addCustomHeader( sprintf( '%1$s: %2$s', $name, $content ) );
+		}
+		if ( false !== stripos( $content_type, 'multipart' ) && ! empty($boundary) )
+			$phpmailer->addCustomHeader( sprintf( "Content-Type: %s;\n\t boundary=\"%s\"", $content_type, $boundary ) );
+	}
+	if ( !empty( $attachments ) ) {
+		foreach ( $attachments as $attachment ) {
 			try {
-				// Break $recipient into name and address parts if in the format "Foo <bar@baz.com>"
+				$phpmailer->addAttachment($attachment);
-				$recipient_name = '';
-				if( preg_match( '/(.*)<(.+)>/', $recipient, $matches ) ) {
-					if ( count( $matches ) == 3 ) {
-						$recipient_name = $matches[1];
-						$recipient = $matches[2];
-					}
-				}
-				$phpmailer->AddBcc( $recipient, $recipient_name );
 			} catch ( phpmailerException $e ) {
 				continue;
 			}
 		}
 	}
-	// Set to use PHP's mail()
-	$phpmailer->IsMail();
-	// Set Content-Type and charset
-	// If we don't have a content-type from the input headers
-	if ( !isset( $content_type ) )
-		$content_type = 'text/plain';
-	/**
-	 * Filter the wp_mail() content type.
-	 *
-	 * @since 2.3.0
-	 *
-	 * @param string $content_type Default wp_mail() content type.
-	 */
-	$content_type = apply_filters( 'wp_mail_content_type', $content_type );
-	$phpmailer->ContentType = $content_type;
-	// Set whether it's plaintext, depending on $content_type
-	if ( 'text/html' == $content_type )
-		$phpmailer->IsHTML( true );
-	// If we don't have a charset from the input headers
-	if ( !isset( $charset ) )
-		$charset = get_bloginfo( 'charset' );
-	// Set the content-type and charset
-	/**
-	 * Filter the default wp_mail() charset.
-	 *
-	 * @since 2.3.0
-	 *
-	 * @param string $charset Default email charset.
-	 */
-	$phpmailer->CharSet = apply_filters( 'wp_mail_charset', $charset );
-	// Set custom headers
-	if ( !empty( $headers ) ) {
-		foreach( (array) $headers as $name => $content ) {
-			$phpmailer->AddCustomHeader( sprintf( '%1$s: %2$s', $name, $content ) );
-		}
-		if ( false !== stripos( $content_type, 'multipart' ) && ! empty($boundary) )
-			$phpmailer->AddCustomHeader( sprintf( "Content-Type: %s;\n\t boundary=\"%s\"", $content_type, $boundary ) );
-	}
-	if ( !empty( $attachments ) ) {
-		foreach ( $attachments as $attachment ) {
-			try {
-				$phpmailer->AddAttachment($attachment);
-			} catch ( phpmailerException $e ) {
-				continue;
-			}
-		}
-	}
 	/**
 	 * Fires after PHPMailer is initialized.
 	 *
 	 * @since 2.2.0
 	 *
-	 * @param PHPMailer &$phpmailer The PHPMailer instance, passed by reference.
+	 * @param PHPMailer $phpmailer The PHPMailer instance (passed by reference).
 	 */
 	do_action_ref_array( 'phpmailer_init', array( &$phpmailer ) );
 	// Send!
 	try {
-		return $phpmailer->Send();
+		return $phpmailer->send();
 	} catch ( phpmailerException $e ) {
+		$mail_error_data = compact( 'to', 'subject', 'message', 'headers', 'attachments' );
+		$mail_error_data['phpmailer_exception_code'] = $e->getCode();
+		/**
+		 * Fires after a phpmailerException is caught.
+		 *
+		 * @since 4.4.0
+		 *
+		 * @param WP_Error $error A WP_Error object with the phpmailerException message, and an array
+		 *                        containing the mail recipient, subject, message, headers, and attachments.
+		 */
+		do_action( 'wp_mail_failed', new WP_Error( 'wp_mail_failed', $e->getMessage(), $mail_error_data ) );
 		return false;
 	}
 }
 endif;
 if ( !function_exists('wp_authenticate') ) :
 /**
-* Checks a user's login information and logs them in if it checks out.
+* Authenticate a user, confirming the login credentials are valid.
 *
 * @since 2.5.0
-*
+* @since 4.5.0 `$username` now accepts an email address.
-* @param string $username User's username
+*
-* @param string $password User's password
+* @param string $username User's username or email address.
-* @return WP_User|WP_Error WP_User object if login successful, otherwise WP_Error object.
+* @param string $password User's password.
+* @return WP_User|WP_Error WP_User object if the credentials are valid,
+*                          otherwise WP_Error.
 */
 function wp_authenticate($username, $password) {
 	$username = sanitize_user($username);
 	$password = trim($password);
 	/**
-	 * Filter the user to authenticate.
+	 * Filters whether a set of user login credentials are valid.
 	 *
-	 * If a non-null value is passed, the filter will effectively short-circuit
+	 * A WP_User object is returned if the credentials authenticate a user.
-	 * authentication, returning an error instead.
+	 * WP_Error or null otherwise.
 	 *
 	 * @since 2.8.0
-	 *
+	 * @since 4.5.0 `$username` now accepts an email address.
-	 * @param null|WP_User $user     User to authenticate.
+	 *
-	 * @param string       $username User login.
+	 * @param null|WP_User|WP_Error $user     WP_User if the user is authenticated.
-	 * @param string       $password User password
+	 *                                        WP_Error or null otherwise.
+	 * @param string                $username Username or email address.
+	 * @param string                $password User password
 	 */
 	$user = apply_filters( 'authenticate', null, $username, $password );
 	if ( $user == null ) {
 		// TODO what should the error message be? (Or would these even happen?)
 		// Only needed if all authentication handlers fail to return anything.
-		$user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.'));
+		$user = new WP_Error( 'authentication_failed', __( '<strong>ERROR</strong>: Invalid username, email address or incorrect password.' ) );
 	}
 	$ignore_codes = array('empty_username', 'empty_password');
 	if (is_wp_error($user) && !in_array($user->get_error_code(), $ignore_codes) ) {
 		/**
 		 * Fires after a user login has failed.
 		 *
 		 * @since 2.5.0
-		 *
+		 * @since 4.5.0 The value of `$username` can now be an email address.
-		 * @param string $username User login.
+		 *
+		 * @param string $username Username or email address.
 		 */
 		do_action( 'wp_login_failed', $username );
 	}
 	return $user;
 * Makes sure the cookie is not expired. Verifies the hash in cookie is what is
 * should be and compares the two.
 *
 * @since 2.5.0
 *
+* @global int $login_grace_period
+*
 * @param string $cookie Optional. If used, will validate contents instead of cookie's
 * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
-* @return bool|int False if invalid cookie, User ID if valid.
+* @return false|int False if invalid cookie, User ID if valid.
 */
 function wp_validate_auth_cookie($cookie = '', $scheme = '') {
 	if ( ! $cookie_elements = wp_parse_auth_cookie($cookie, $scheme) ) {
 		/**
 		 * Fires if an authentication cookie is malformed.
 	$username = $cookie_elements['username'];
 	$hmac = $cookie_elements['hmac'];
 	$token = $cookie_elements['token'];
 	$expired = $expiration = $cookie_elements['expiration'];
-	// Allow a grace period for POST and AJAX requests
+	// Allow a grace period for POST and Ajax requests
-	if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] ) {
+	if ( wp_doing_ajax() || 'POST' == $_SERVER['REQUEST_METHOD'] ) {
 		$expired += HOUR_IN_SECONDS;
 	}
 	// Quick check to see if an honest cookie has expired
 	if ( $expired < time() ) {
 	if ( ! $manager->verify( $token ) ) {
 		do_action( 'auth_cookie_bad_session_token', $cookie_elements );
 		return false;
 	}
-	// AJAX/POST grace period set above
+	// Ajax/POST grace period set above
 	if ( $expiration < time() ) {
 		$GLOBALS['login_grace_period'] = 1;
 	}
 	/**
 if ( !function_exists('wp_generate_auth_cookie') ) :
 /**
 * Generate authentication cookie contents.
 *
 * @since 2.5.0
-*
+* @since 4.0.0 The `$token` parameter was added.
-* @param int $user_id User ID
+*
-* @param int $expiration Cookie expiration in seconds
+* @param int    $user_id    User ID
-* @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
+* @param int    $expiration The time the cookie expires as a UNIX timestamp.
-* @param string $token User's session token to use for this cookie
+* @param string $scheme     Optional. The cookie scheme to use: auth, secure_auth, or logged_in
+* @param string $token      User's session token to use for this cookie
 * @return string Authentication cookie contents. Empty string if user does not exist.
 */
 function wp_generate_auth_cookie( $user_id, $expiration, $scheme = 'auth', $token = '' ) {
 	$user = get_userdata($user_id);
 	if ( ! $user ) {
 	$hash = hash_hmac( $algo, $user->user_login . '|' . $expiration . '|' . $token, $key );
 	$cookie = $user->user_login . '|' . $expiration . '|' . $token . '|' . $hash;
 	/**
-	 * Filter the authentication cookie.
+	 * Filters the authentication cookie.
 	 *
 	 * @since 2.5.0
+	 * @since 4.0.0 The `$token` parameter was added.
 	 *
 	 * @param string $cookie     Authentication cookie.
 	 * @param int    $user_id    User ID.
-	 * @param int    $expiration Authentication cookie expiration in seconds.
+	 * @param int    $expiration The time the cookie expires as a UNIX timestamp.
 	 * @param string $scheme     Cookie scheme used. Accepts 'auth', 'secure_auth', or 'logged_in'.
 	 * @param string $token      User's session token used.
 	 */
 	return apply_filters( 'auth_cookie', $cookie, $user_id, $expiration, $scheme, $token );
 }
 *
 * @since 2.7.0
 *
 * @param string $cookie
 * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
-* @return array Authentication cookie components
+* @return array|false Authentication cookie components
 */
 function wp_parse_auth_cookie($cookie = '', $scheme = '') {
 	if ( empty($cookie) ) {
 		switch ($scheme){
 			case 'auth':
 }
 endif;
 if ( !function_exists('wp_set_auth_cookie') ) :
 /**
-* Sets the authentication cookies based on user ID.
+* Log in a user by setting authentication cookies.
 *
 * The $remember parameter increases the time that the cookie will be kept. The
 * default the cookie is kept without remembering is two days. When $remember is
 * set, the cookies will be kept for 14 days or two weeks.
 *
 * @since 2.5.0
-*
+* @since 4.3.0 Added the `$token` parameter.
-* @param int $user_id User ID
+*
-* @param bool $remember Whether to remember the user
+* @param int    $user_id  User ID
-* @param mixed $secure  Whether the admin cookies should only be sent over HTTPS.
+* @param bool   $remember Whether to remember the user
-*                       Default is_ssl().
+* @param mixed  $secure   Whether the admin cookies should only be sent over HTTPS.
-*/
+*                         Default is_ssl().
-function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
+* @param string $token    Optional. User's session token to use for this cookie.
+*/
+function wp_set_auth_cookie( $user_id, $remember = false, $secure = '', $token = '' ) {
 	if ( $remember ) {
 		/**
-		 * Filter the duration of the authentication cookie expiration period.
+		 * Filters the duration of the authentication cookie expiration period.
 		 *
 		 * @since 2.8.0
 		 *
 		 * @param int  $length   Duration of the expiration period in seconds.
 		 * @param int  $user_id  User ID.
 	if ( '' === $secure ) {
 		$secure = is_ssl();
 	}
-	// Frontend cookie is secure when the auth cookie is secure and the site's home URL is forced HTTPS.
+	// Front-end cookie is secure when the auth cookie is secure and the site's home URL is forced HTTPS.
 	$secure_logged_in_cookie = $secure && 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME );
 	/**
-	 * Filter whether the connection is secure.
+	 * Filters whether the connection is secure.
 	 *
 	 * @since 3.1.0
 	 *
 	 * @param bool $secure  Whether the connection is secure.
 	 * @param int  $user_id User ID.
 	 */
 	$secure = apply_filters( 'secure_auth_cookie', $secure, $user_id );
 	/**
-	 * Filter whether to use a secure cookie when logged-in.
+	 * Filters whether to use a secure cookie when logged-in.
 	 *
 	 * @since 3.1.0
 	 *
 	 * @param bool $secure_logged_in_cookie Whether to use a secure cookie when logged-in.
 	 * @param int  $user_id                 User ID.
 	} else {
 		$auth_cookie_name = AUTH_COOKIE;
 		$scheme = 'auth';
 	}
-	$manager = WP_Session_Tokens::get_instance( $user_id );
+	if ( '' === $token ) {
-	$token = $manager->create( $expiration );
+		$manager = WP_Session_Tokens::get_instance( $user_id );
+		$token   = $manager->create( $expiration );
+	}
 	$auth_cookie = wp_generate_auth_cookie( $user_id, $expiration, $scheme, $token );
 	$logged_in_cookie = wp_generate_auth_cookie( $user_id, $expiration, 'logged_in', $token );
 	/**
 	 * Fires immediately before the authentication cookie is set.
 	 *
 	 * @since 2.5.0
+	 * @since 4.9.0 The `$token` parameter was added.
 	 *
 	 * @param string $auth_cookie Authentication cookie.
-	 * @param int    $expire      Login grace period in seconds. Default 43,200 seconds, or 12 hours.
+	 * @param int    $expire      The time the login grace period expires as a UNIX timestamp.
-	 * @param int    $expiration  Duration in seconds the authentication cookie should be valid.
+	 *                            Default is 12 hours past the cookie's expiration time.
-	 *                            Default 1,209,600 seconds, or 14 days.
+	 * @param int    $expiration  The time when the authentication cookie expires as a UNIX timestamp.
+	 *                            Default is 14 days from now.
 	 * @param int    $user_id     User ID.
 	 * @param string $scheme      Authentication scheme. Values include 'auth', 'secure_auth', or 'logged_in'.
-	 */
+	 * @param string $token       User's session token to use for this cookie.
-	do_action( 'set_auth_cookie', $auth_cookie, $expire, $expiration, $user_id, $scheme );
+	 */
+	do_action( 'set_auth_cookie', $auth_cookie, $expire, $expiration, $user_id, $scheme, $token );
-	/**
-	 * Fires immediately before the secure authentication cookie is set.
+	/**
+	 * Fires immediately before the logged-in authentication cookie is set.
 	 *
 	 * @since 2.6.0
+	 * @since 4.9.0 The `$token` parameter was added.
 	 *
 	 * @param string $logged_in_cookie The logged-in cookie.
-	 * @param int    $expire           Login grace period in seconds. Default 43,200 seconds, or 12 hours.
+	 * @param int    $expire           The time the login grace period expires as a UNIX timestamp.
-	 * @param int    $expiration       Duration in seconds the authentication cookie should be valid.
+	 *                                 Default is 12 hours past the cookie's expiration time.
-	 *                                 Default 1,209,600 seconds, or 14 days.
+	 * @param int    $expiration       The time when the logged-in authentication cookie expires as a UNIX timestamp.
+	 *                                 Default is 14 days from now.
 	 * @param int    $user_id          User ID.
 	 * @param string $scheme           Authentication scheme. Default 'logged_in'.
-	 */
+	 * @param string $token            User's session token to use for this cookie.
-	do_action( 'set_logged_in_cookie', $logged_in_cookie, $expire, $expiration, $user_id, 'logged_in' );
+	 */
+	do_action( 'set_logged_in_cookie', $logged_in_cookie, $expire, $expiration, $user_id, 'logged_in', $token );
+	/**
+	 * Allows preventing auth cookies from actually being sent to the client.
+	 *
+	 * @since 4.7.4
+	 *
+	 * @param bool $send Whether to send auth cookies to the client.
+	 */
+	if ( ! apply_filters( 'send_auth_cookies', true ) ) {
+		return;
+	}
 	setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
 	setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
 	setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);
 	if ( COOKIEPATH != SITECOOKIEPATH )
 	 *
 	 * @since 2.7.0
 	 */
 	do_action( 'clear_auth_cookie' );
+	/** This filter is documented in wp-includes/pluggable.php */
+	if ( ! apply_filters( 'send_auth_cookies', true ) ) {
+		return;
+	}
+	// Auth cookies
 	setcookie( AUTH_COOKIE,        ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH,   COOKIE_DOMAIN );
 	setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH,   COOKIE_DOMAIN );
 	setcookie( AUTH_COOKIE,        ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
 	setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
 	setcookie( LOGGED_IN_COOKIE,   ' ', time() - YEAR_IN_SECONDS, COOKIEPATH,          COOKIE_DOMAIN );
 	setcookie( LOGGED_IN_COOKIE,   ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH,      COOKIE_DOMAIN );
+	// Settings cookies
+	setcookie( 'wp-settings-' . get_current_user_id(),      ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
+	setcookie( 'wp-settings-time-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
 	// Old cookies
 	setcookie( AUTH_COOKIE,        ' ', time() - YEAR_IN_SECONDS, COOKIEPATH,     COOKIE_DOMAIN );
 	setcookie( AUTH_COOKIE,        ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
 	setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH,     COOKIE_DOMAIN );
 	setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
 	// Even older cookies
 	setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH,     COOKIE_DOMAIN );
 	setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH,     COOKIE_DOMAIN );
 	setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
 	setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
+	// Post password cookie
+	setcookie( 'wp-postpass_' . COOKIEHASH, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
 }
 endif;
 if ( !function_exists('is_user_logged_in') ) :
 /**
 * @return bool True if user is logged in, false if not logged in.
 */
 function is_user_logged_in() {
 	$user = wp_get_current_user();
-	if ( ! $user->exists() )
+	return $user->exists();
-		return false;
-	return true;
 }
 endif;
 if ( !function_exists('auth_redirect') ) :
 /**
 	// Checks if a user is logged in, if not redirects them to the login page
 	$secure = ( is_ssl() || force_ssl_admin() );
 	/**
-	 * Filter whether to use a secure authentication redirect.
+	 * Filters whether to use a secure authentication redirect.
 	 *
 	 * @since 3.1.0
 	 *
 	 * @param bool $secure Whether to use a secure authentication redirect. Default false.
 	 */
 			wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
 			exit();
 		}
 	}
-	if ( is_user_admin() ) {
+	/**
-		$scheme = 'logged_in';
+	 * Filters the authentication redirect scheme.
-	} else {
+	 *
-		/**
+	 * @since 2.9.0
-		 * Filter the authentication redirect scheme.
+	 *
-		 *
+	 * @param string $scheme Authentication redirect scheme. Default empty.
-		 * @since 2.9.0
+	 */
-		 *
+	$scheme = apply_filters( 'auth_redirect_scheme', '' );
-		 * @param string $scheme Authentication redirect scheme. Default empty.
-		 */
-		$scheme = apply_filters( 'auth_redirect_scheme', '' );
-	}
 	if ( $user_id = wp_validate_auth_cookie( '',  $scheme) ) {
 		/**
 		 * Fires before the authentication redirect.
 		 *
 * @return false|int False if the nonce is invalid, 1 if the nonce is valid and generated between
 *                   0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
 */
 function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
 	if ( -1 == $action )
-		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2' );
+		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
 	$adminurl = strtolower(admin_url());
 	$referer = strtolower(wp_get_referer());
 	$result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
-	if ( !$result && !(-1 == $action && strpos($referer, $adminurl) === 0) ) {
-		wp_nonce_ays($action);
-		die();
-	}
 	/**
 	 * Fires once the admin request has been validated or not.
 	 *
 	 * @since 1.5.1
 	 * @param string    $action The nonce action.
 	 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
 	 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
 	 */
 	do_action( 'check_admin_referer', $action, $result );
+	if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
+		wp_nonce_ays( $action );
+		die();
+	}
 	return $result;
 }
 endif;
 if ( !function_exists('check_ajax_referer') ) :
 /**
-* Verifies the AJAX request to prevent processing requests external of the blog.
+* Verifies the Ajax request to prevent processing requests external of the blog.
 *
 * @since 2.0.3
 *
 * @param int|string   $action    Action nonce.
 * @param false|string $query_arg Optional. Key to check for the nonce in `$_REQUEST` (since 2.5). If false,
 *                                Default true.
 * @return false|int False if the nonce is invalid, 1 if the nonce is valid and generated between
 *                   0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
 */
 function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
+	if ( -1 == $action ) {
+		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '4.7' );
+	}
 	$nonce = '';
 	if ( $query_arg && isset( $_REQUEST[ $query_arg ] ) )
 		$nonce = $_REQUEST[ $query_arg ];
 	elseif ( isset( $_REQUEST['_ajax_nonce'] ) )
 	elseif ( isset( $_REQUEST['_wpnonce'] ) )
 		$nonce = $_REQUEST['_wpnonce'];
 	$result = wp_verify_nonce( $nonce, $action );
-	if ( $die && false == $result ) {
+	/**
-		if ( defined( 'DOING_AJAX' ) && DOING_AJAX )
+	 * Fires once the Ajax request has been validated or not.
-			wp_die( -1 );
-		else
-			die( '-1' );
-	}
-	/**
-	 * Fires once the AJAX request has been validated or not.
 	 *
 	 * @since 2.1.0
 	 *
-	 * @param string    $action The AJAX nonce action.
+	 * @param string    $action The Ajax nonce action.
 	 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
 	 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
 	 */
 	do_action( 'check_ajax_referer', $action, $result );
+	if ( $die && false === $result ) {
+		if ( wp_doing_ajax() ) {
+			wp_die( -1, 403 );
+		} else {
+			die( '-1' );
+		}
+	}
 	return $result;
 }
 endif;
 if ( !function_exists('wp_redirect') ) :
 /**
 * Redirects to another page.
 *
+* Note: wp_redirect() does not exit automatically, and should almost always be
+* followed by a call to `exit;`:
+*
+*     wp_redirect( $url );
+*     exit;
+*
+* Exiting can also be selectively manipulated by using wp_redirect() as a conditional
+* in conjunction with the {@see 'wp_redirect'} and {@see 'wp_redirect_location'} hooks:
+*
+*     if ( wp_redirect( $url ) ) {
+*         exit;
+*     }
+*
 * @since 1.5.1
 *
+* @global bool $is_IIS
+*
 * @param string $location The path to redirect to.
-* @param int $status Status code to use.
+* @param int    $status   Status code to use.
 * @return bool False if $location is not provided, true otherwise.
 */
 function wp_redirect($location, $status = 302) {
 	global $is_IIS;
 	/**
-	 * Filter the redirect location.
+	 * Filters the redirect location.
 	 *
 	 * @since 2.1.0
 	 *
 	 * @param string $location The path to redirect to.
 	 * @param int    $status   Status code to use.
 	 */
 	$location = apply_filters( 'wp_redirect', $location, $status );
 	/**
-	 * Filter the redirect status code.
+	 * Filters the redirect status code.
 	 *
 	 * @since 2.3.0
 	 *
 	 * @param int    $status   Status code to use.
 	 * @param string $location The path to redirect to.
 /**
 * Sanitizes a URL for use in a redirect.
 *
 * @since 2.3.0
 *
-* @return string redirect-sanitized URL
+* @param string $location The path to redirect to.
+* @return string Redirect-sanitized URL.
 **/
 function wp_sanitize_redirect($location) {
 	$regex = '/
 		(
 			(?: [\xC2-\xDF][\x80-\xBF]        # double-byte sequences   110xxxxx 10xxxxxx
 			|   [\xF1-\xF3][\x80-\xBF]{3}
 			|   \xF4[\x80-\x8F][\x80-\xBF]{2}
 		){1,40}                              # ...one or more times
 		)/x';
 	$location = preg_replace_callback( $regex, '_wp_sanitize_utf8_in_redirect', $location );
-	$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()]|i', '', $location);
+	$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()@]|i', '', $location);
 	$location = wp_kses_no_null($location);
 	// remove %0d and %0a from location
 	$strip = array('%0d', '%0a', '%0D', '%0A');
-	$location = _deep_replace($strip, $location);
+	return _deep_replace( $strip, $location );
-	return $location;
 }
 /**
 * URL encode UTF-8 characters in a URL.
 *
 * @ignore
 * @since 4.2.0
 * @access private
 *
 * @see wp_sanitize_redirect()
+*
+* @param array $matches RegEx matches against the redirect location.
+* @return string URL-encoded version of the first RegEx match.
 */
 function _wp_sanitize_utf8_in_redirect( $matches ) {
 	return urlencode( $matches[0] );
 }
 endif;
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
-* If the host is not allowed, then the redirect is to wp-admin on the siteurl
+* If the host is not allowed, then the redirect defaults to wp-admin on the siteurl
 * instead. This prevents malicious redirects which redirect to another host,
 * but only used in a few places.
 *
 * @since 2.3.0
 *
-* @return void Does not return anything
+* @param string $location The path to redirect to.
-**/
+* @param int    $status   Status code to use.
+*/
 function wp_safe_redirect($location, $status = 302) {
 	// Need to look at the URL the way it will end up in wp_redirect()
 	$location = wp_sanitize_redirect($location);
-	$location = wp_validate_redirect($location, admin_url());
+	/**
+	 * Filters the redirect fallback URL for when the provided redirect is not safe (local).
+	 *
+	 * @since 4.3.0
+	 *
+	 * @param string $fallback_url The fallback URL to use by default.
+	 * @param int    $status       The redirect status.
+	 */
+	$location = wp_validate_redirect( $location, apply_filters( 'wp_safe_redirect_fallback', admin_url(), $status ) );
 	wp_redirect($location, $status);
 }
 endif;
 * If the host is not allowed, then the redirect is to $default supplied
 *
 * @since 2.8.1
 *
 * @param string $location The redirect to validate
-* @param string $default The value to return if $location is not allowed
+* @param string $default  The value to return if $location is not allowed
 * @return string redirect-sanitized URL
 **/
 function wp_validate_redirect($location, $default = '') {
-	$location = trim( $location );
+	$location = trim( $location, " \t\n\r\0\x08\x0B" );
 	// browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
 	if ( substr($location, 0, 2) == '//' )
 		$location = 'http:' . $location;
 	// In php 5 parse_url may fail if the URL query part contains http://, bug #38143
 	$test = ( $cut = strpos($location, '?') ) ? substr( $location, 0, $cut ) : $location;
-	$lp  = parse_url($test);
+	// @-operator is used to prevent possible warnings in PHP < 5.3.3.
+	$lp = @parse_url($test);
 	// Give up if malformed URL
 	if ( false === $lp )
 		return $default;
 	// Allow only http and https schemes. No data:, etc.
 	if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) )
 		return $default;
-	// Reject if scheme is set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
+	// Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
-	if ( isset($lp['scheme'])  && !isset($lp['host']) )
+	if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
 		return $default;
+	}
+	// Reject malformed components parse_url() can return on odd inputs.
+	foreach ( array( 'user', 'pass', 'host' ) as $component ) {
+		if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) {
+			return $default;
+		}
+	}
 	$wpp = parse_url(home_url());
 	/**
-	 * Filter the whitelist of hosts to redirect to.
+	 * Filters the whitelist of hosts to redirect to.
 	 *
 	 * @since 2.3.0
 	 *
 	 * @param array       $hosts An array of allowed hosts.
 	 * @param bool|string $host  The parsed host; empty if not isset.
 /**
 * Notify an author (and/or others) of a comment/trackback/pingback on a post.
 *
 * @since 1.0.0
 *
-* @param int $comment_id Comment ID
+* @param int|WP_Comment  $comment_id Comment ID or WP_Comment object.
-* @param string $deprecated Not used
+* @param string          $deprecated Not used
 * @return bool True on completion. False if no email addresses were specified.
 */
 function wp_notify_postauthor( $comment_id, $deprecated = null ) {
 	if ( null !== $deprecated ) {
-		_deprecated_argument( __FUNCTION__, '3.8' );
+		_deprecated_argument( __FUNCTION__, '3.8.0' );
 	}
 	$comment = get_comment( $comment_id );
-	if ( empty( $comment ) )
+	if ( empty( $comment ) || empty( $comment->comment_post_ID ) )
 		return false;
 	$post    = get_post( $comment->comment_post_ID );
 	$author  = get_userdata( $post->post_author );
 	if ( $author ) {
 		$emails[] = $author->user_email;
 	}
 	/**
-	 * Filter the list of email addresses to receive a comment notification.
+	 * Filters the list of email addresses to receive a comment notification.
 	 *
 	 * By default, only post authors are notified of comments. This filter allows
 	 * others to be added.
 	 *
 	 * @since 3.7.0
 	 *
 	 * @param array $emails     An array of email addresses to receive a comment notification.
 	 * @param int   $comment_id The comment ID.
 	 */
-	$emails = apply_filters( 'comment_notification_recipients', $emails, $comment_id );
+	$emails = apply_filters( 'comment_notification_recipients', $emails, $comment->comment_ID );
 	$emails = array_filter( $emails );
 	// If there are no addresses to send the comment to, bail.
 	if ( ! count( $emails ) ) {
 		return false;
 	// Facilitate unsetting below without knowing the keys.
 	$emails = array_flip( $emails );
 	/**
-	 * Filter whether to notify comment authors of their comments on their own posts.
+	 * Filters whether to notify comment authors of their comments on their own posts.
 	 *
 	 * By default, comment authors aren't notified of their comments on their own
 	 * posts. This filter allows you to override that.
 	 *
 	 * @since 3.8.0
 	 *
 	 * @param bool $notify     Whether to notify the post author of their own comment.
 	 *                         Default false.
 	 * @param int  $comment_id The comment ID.
 	 */
-	$notify_author = apply_filters( 'comment_notification_notify_author', false, $comment_id );
+	$notify_author = apply_filters( 'comment_notification_notify_author', false, $comment->comment_ID );
 	// The comment was left by the author
 	if ( $author && ! $notify_author && $comment->user_id == $post->post_author ) {
 		unset( $emails[ $author->user_email ] );
 	}
 		return false;
 	} else {
 		$emails = array_flip( $emails );
 	}
+	$switched_locale = switch_to_locale( get_locale() );
 	$comment_author_domain = @gethostbyaddr($comment->comment_author_IP);
 	// The blogname option is escaped with esc_html on the way into the database in sanitize_option
 	// we want to reverse this for the plain text arena of emails.
 	$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
+	$comment_content = wp_specialchars_decode( $comment->comment_content );
 	switch ( $comment->comment_type ) {
 		case 'trackback':
+			/* translators: 1: Post title */
 			$notify_message  = sprintf( __( 'New trackback on your post "%s"' ), $post->post_title ) . "\r\n";
-			/* translators: 1: website name, 2: website IP, 3: website hostname */
+			/* translators: 1: Trackback/pingback website name, 2: website IP address, 3: website hostname */
-			$notify_message .= sprintf( __('Website: %1$s (IP: %2$s, %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
+			$notify_message .= sprintf( __('Website: %1$s (IP address: %2$s, %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
 			$notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
-			$notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment->comment_content ) . "\r\n\r\n";
+			$notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n";
 			$notify_message .= __( 'You can see all trackbacks on this post here:' ) . "\r\n";
 			/* translators: 1: blog name, 2: post title */
 			$subject = sprintf( __('[%1$s] Trackback: "%2$s"'), $blogname, $post->post_title );
 			break;
 		case 'pingback':
+			/* translators: 1: Post title */
 			$notify_message  = sprintf( __( 'New pingback on your post "%s"' ), $post->post_title ) . "\r\n";
-			/* translators: 1: website name, 2: website IP, 3: website hostname */
+			/* translators: 1: Trackback/pingback website name, 2: website IP address, 3: website hostname */
-			$notify_message .= sprintf( __('Website: %1$s (IP: %2$s, %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
+			$notify_message .= sprintf( __('Website: %1$s (IP address: %2$s, %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
 			$notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
-			$notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment->comment_content ) . "\r\n\r\n";
+			$notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n";
 			$notify_message .= __( 'You can see all pingbacks on this post here:' ) . "\r\n";
 			/* translators: 1: blog name, 2: post title */
 			$subject = sprintf( __('[%1$s] Pingback: "%2$s"'), $blogname, $post->post_title );
 			break;
 		default: // Comments
 			$notify_message  = sprintf( __( 'New comment on your post "%s"' ), $post->post_title ) . "\r\n";
-			/* translators: 1: comment author, 2: author IP, 3: author domain */
+			/* translators: 1: comment author, 2: comment author's IP address, 3: comment author's hostname */
-			$notify_message .= sprintf( __( 'Author: %1$s (IP: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
+			$notify_message .= sprintf( __( 'Author: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
-			$notify_message .= sprintf( __( 'E-mail: %s' ), $comment->comment_author_email ) . "\r\n";
+			$notify_message .= sprintf( __( 'Email: %s' ), $comment->comment_author_email ) . "\r\n";
 			$notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
-			$notify_message .= sprintf( __( 'Whois: %s' ), "http://whois.arin.net/rest/ip/{$comment->comment_author_IP}" ) . "\r\n";
+			$notify_message .= sprintf( __('Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n";
-			$notify_message .= sprintf( __('Comment: %s' ), "\r\n" . $comment->comment_content ) . "\r\n\r\n";
 			$notify_message .= __( 'You can see all comments on this post here:' ) . "\r\n";
 			/* translators: 1: blog name, 2: post title */
 			$subject = sprintf( __('[%1$s] Comment: "%2$s"'), $blogname, $post->post_title );
 			break;
 	}
 	$notify_message .= get_permalink($comment->comment_post_ID) . "#comments\r\n\r\n";
-	$notify_message .= sprintf( __('Permalink: %s'), get_comment_link( $comment_id ) ) . "\r\n";
+	$notify_message .= sprintf( __('Permalink: %s'), get_comment_link( $comment ) ) . "\r\n";
-	if ( user_can( $post->post_author, 'edit_comment', $comment_id ) ) {
+	if ( user_can( $post->post_author, 'edit_comment', $comment->comment_ID ) ) {
-		if ( EMPTY_TRASH_DAYS )
+		if ( EMPTY_TRASH_DAYS ) {
-			$notify_message .= sprintf( __('Trash it: %s'), admin_url("comment.php?action=trash&c=$comment_id") ) . "\r\n";
+			$notify_message .= sprintf( __( 'Trash it: %s' ), admin_url( "comment.php?action=trash&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
-		else
+		} else {
-			$notify_message .= sprintf( __('Delete it: %s'), admin_url("comment.php?action=delete&c=$comment_id") ) . "\r\n";
+			$notify_message .= sprintf( __( 'Delete it: %s' ), admin_url( "comment.php?action=delete&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
-		$notify_message .= sprintf( __('Spam it: %s'), admin_url("comment.php?action=spam&c=$comment_id") ) . "\r\n";
+		}
+		$notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
 	}
 	$wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
 	if ( '' == $comment->comment_author ) {
 	if ( isset($reply_to) )
 		$message_headers .= $reply_to . "\n";
 	/**
-	 * Filter the comment notification email text.
+	 * Filters the comment notification email text.
 	 *
 	 * @since 1.5.2
 	 *
 	 * @param string $notify_message The comment notification email text.
 	 * @param int    $comment_id     Comment ID.
 	 */
-	$notify_message = apply_filters( 'comment_notification_text', $notify_message, $comment_id );
+	$notify_message = apply_filters( 'comment_notification_text', $notify_message, $comment->comment_ID );
 	/**
-	 * Filter the comment notification email subject.
+	 * Filters the comment notification email subject.
 	 *
 	 * @since 1.5.2
 	 *
 	 * @param string $subject    The comment notification email subject.
 	 * @param int    $comment_id Comment ID.
 	 */
-	$subject = apply_filters( 'comment_notification_subject', $subject, $comment_id );
+	$subject = apply_filters( 'comment_notification_subject', $subject, $comment->comment_ID );
 	/**
-	 * Filter the comment notification email headers.
+	 * Filters the comment notification email headers.
 	 *
 	 * @since 1.5.2
 	 *
 	 * @param string $message_headers Headers for the comment notification email.
 	 * @param int    $comment_id      Comment ID.
 	 */
-	$message_headers = apply_filters( 'comment_notification_headers', $message_headers, $comment_id );
+	$message_headers = apply_filters( 'comment_notification_headers', $message_headers, $comment->comment_ID );
 	foreach ( $emails as $email ) {
 		@wp_mail( $email, wp_specialchars_decode( $subject ), $notify_message, $message_headers );
 	}
+	if ( $switched_locale ) {
+		restore_previous_locale();
+	}
 	return true;
 }
 endif;
 if ( !function_exists('wp_notify_moderator') ) :
 /**
-* Notifies the moderator of the blog about a new comment that is awaiting approval.
+* Notifies the moderator of the site about a new comment that is awaiting approval.
 *
 * @since 1.0.0
 *
 * @global wpdb $wpdb WordPress database abstraction object.
 *
-* @param int $comment_id Comment ID
+* Uses the {@see 'notify_moderator'} filter to determine whether the site moderator
-* @return bool Always returns true
+* should be notified, overriding the site setting.
+*
+* @param int $comment_id Comment ID.
+* @return true Always returns true.
 */
 function wp_notify_moderator($comment_id) {
 	global $wpdb;
-	if ( 0 == get_option( 'moderation_notify' ) )
+	$maybe_notify = get_option( 'moderation_notify' );
+	/**
+	 * Filters whether to send the site moderator email notifications, overriding the site setting.
+	 *
+	 * @since 4.4.0
+	 *
+	 * @param bool $maybe_notify Whether to notify blog moderator.
+	 * @param int  $comment_ID   The id of the comment for the notification.
+	 */
+	$maybe_notify = apply_filters( 'notify_moderator', $maybe_notify, $comment_id );
+	if ( ! $maybe_notify ) {
 		return true;
+	}
 	$comment = get_comment($comment_id);
 	$post = get_post($comment->comment_post_ID);
 	$user = get_userdata( $post->post_author );
 	// Send to the administration and to the post author if the author can modify the comment.
 	$emails = array( get_option( 'admin_email' ) );
-	if ( user_can( $user->ID, 'edit_comment', $comment_id ) && ! empty( $user->user_email ) ) {
+	if ( $user && user_can( $user->ID, 'edit_comment', $comment_id ) && ! empty( $user->user_email ) ) {
 		if ( 0 !== strcasecmp( $user->user_email, get_option( 'admin_email' ) ) )
 			$emails[] = $user->user_email;
 	}
+	$switched_locale = switch_to_locale( get_locale() );
 	$comment_author_domain = @gethostbyaddr($comment->comment_author_IP);
 	$comments_waiting = $wpdb->get_var("SELECT count(comment_ID) FROM $wpdb->comments WHERE comment_approved = '0'");
 	// The blogname option is escaped with esc_html on the way into the database in sanitize_option
 	// we want to reverse this for the plain text arena of emails.
 	$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
+	$comment_content = wp_specialchars_decode( $comment->comment_content );
 	switch ( $comment->comment_type ) {
 		case 'trackback':
+			/* translators: 1: Post title */
 			$notify_message  = sprintf( __('A new trackback on the post "%s" is waiting for your approval'), $post->post_title ) . "\r\n";
 			$notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
-			/* translators: 1: website name, 2: website IP, 3: website hostname */
+			/* translators: 1: Trackback/pingback website name, 2: website IP address, 3: website hostname */
-			$notify_message .= sprintf( __( 'Website: %1$s (IP: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
+			$notify_message .= sprintf( __( 'Website: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
+			/* translators: 1: Trackback/pingback/comment author URL */
 			$notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
-			$notify_message .= __('Trackback excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
+			$notify_message .= __('Trackback excerpt: ') . "\r\n" . $comment_content . "\r\n\r\n";
 			break;
 		case 'pingback':
+			/* translators: 1: Post title */
 			$notify_message  = sprintf( __('A new pingback on the post "%s" is waiting for your approval'), $post->post_title ) . "\r\n";
 			$notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
-			/* translators: 1: website name, 2: website IP, 3: website hostname */
+			/* translators: 1: Trackback/pingback website name, 2: website IP address, 3: website hostname */
-			$notify_message .= sprintf( __( 'Website: %1$s (IP: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
+			$notify_message .= sprintf( __( 'Website: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
+			/* translators: 1: Trackback/pingback/comment author URL */
 			$notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
-			$notify_message .= __('Pingback excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
+			$notify_message .= __('Pingback excerpt: ') . "\r\n" . $comment_content . "\r\n\r\n";
 			break;
 		default: // Comments
+			/* translators: 1: Post title */
 			$notify_message  = sprintf( __('A new comment on the post "%s" is waiting for your approval'), $post->post_title ) . "\r\n";
 			$notify_message .= get_permalink($comment->comment_post_ID) . "\r\n\r\n";
-			$notify_message .= sprintf( __( 'Author: %1$s (IP: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
+			/* translators: 1: Comment author name, 2: comment author's IP address, 3: comment author's hostname */
-			$notify_message .= sprintf( __( 'E-mail: %s' ), $comment->comment_author_email ) . "\r\n";
+			$notify_message .= sprintf( __( 'Author: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
+			/* translators: 1: Comment author URL */
+			$notify_message .= sprintf( __( 'Email: %s' ), $comment->comment_author_email ) . "\r\n";
+			/* translators: 1: Trackback/pingback/comment author URL */
 			$notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
-			$notify_message .= sprintf( __( 'Whois: %s' ), "http://whois.arin.net/rest/ip/{$comment->comment_author_IP}" ) . "\r\n";
+			/* translators: 1: Comment text */
-			$notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment->comment_content ) . "\r\n\r\n";
+			$notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n";
 			break;
 	}
-	$notify_message .= sprintf( __('Approve it: %s'),  admin_url("comment.php?action=approve&c=$comment_id") ) . "\r\n";
+	/* translators: Comment moderation. 1: Comment action URL */
-	if ( EMPTY_TRASH_DAYS )
+	$notify_message .= sprintf( __( 'Approve it: %s' ), admin_url( "comment.php?action=approve&c={$comment_id}#wpbody-content" ) ) . "\r\n";
-		$notify_message .= sprintf( __('Trash it: %s'), admin_url("comment.php?action=trash&c=$comment_id") ) . "\r\n";
-	else
+	if ( EMPTY_TRASH_DAYS ) {
-		$notify_message .= sprintf( __('Delete it: %s'), admin_url("comment.php?action=delete&c=$comment_id") ) . "\r\n";
+		/* translators: Comment moderation. 1: Comment action URL */
-	$notify_message .= sprintf( __('Spam it: %s'), admin_url("comment.php?action=spam&c=$comment_id") ) . "\r\n";
+		$notify_message .= sprintf( __( 'Trash it: %s' ), admin_url( "comment.php?action=trash&c={$comment_id}#wpbody-content" ) ) . "\r\n";
+	} else {
+		/* translators: Comment moderation. 1: Comment action URL */
+		$notify_message .= sprintf( __( 'Delete it: %s' ), admin_url( "comment.php?action=delete&c={$comment_id}#wpbody-content" ) ) . "\r\n";
+	}
+	/* translators: Comment moderation. 1: Comment action URL */
+	$notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment_id}#wpbody-content" ) ) . "\r\n";
+	/* translators: Comment moderation. 1: Number of comments awaiting approval */
 	$notify_message .= sprintf( _n('Currently %s comment is waiting for approval. Please visit the moderation panel:',
 		'Currently %s comments are waiting for approval. Please visit the moderation panel:', $comments_waiting), number_format_i18n($comments_waiting) ) . "\r\n";
-	$notify_message .= admin_url("edit-comments.php?comment_status=moderated") . "\r\n";
+	$notify_message .= admin_url( "edit-comments.php?comment_status=moderated#wpbody-content" ) . "\r\n";
+	/* translators: Comment moderation notification email subject. 1: Site name, 2: Post title */
 	$subject = sprintf( __('[%1$s] Please moderate: "%2$s"'), $blogname, $post->post_title );
 	$message_headers = '';
 	/**
-	 * Filter the list of recipients for comment moderation emails.
+	 * Filters the list of recipients for comment moderation emails.
 	 *
 	 * @since 3.7.0
 	 *
 	 * @param array $emails     List of email addresses to notify for comment moderation.
 	 * @param int   $comment_id Comment ID.
 	 */
 	$emails = apply_filters( 'comment_moderation_recipients', $emails, $comment_id );
 	/**
-	 * Filter the comment moderation email text.
+	 * Filters the comment moderation email text.
 	 *
 	 * @since 1.5.2
 	 *
 	 * @param string $notify_message Text of the comment moderation email.
 	 * @param int    $comment_id     Comment ID.
 	 */
 	$notify_message = apply_filters( 'comment_moderation_text', $notify_message, $comment_id );
 	/**
-	 * Filter the comment moderation email subject.
+	 * Filters the comment moderation email subject.
 	 *
 	 * @since 1.5.2
 	 *
 	 * @param string $subject    Subject of the comment moderation email.
 	 * @param int    $comment_id Comment ID.
 	 */
 	$subject = apply_filters( 'comment_moderation_subject', $subject, $comment_id );
 	/**
-	 * Filter the comment moderation email headers.
+	 * Filters the comment moderation email headers.
 	 *
 	 * @since 2.8.0
 	 *
 	 * @param string $message_headers Headers for the comment moderation email.
 	 * @param int    $comment_id      Comment ID.
 	foreach ( $emails as $email ) {
 		@wp_mail( $email, wp_specialchars_decode( $subject ), $notify_message, $message_headers );
 	}
+	if ( $switched_locale ) {
+		restore_previous_locale();
+	}
 	return true;
 }
 endif;
 if ( !function_exists('wp_password_change_notification') ) :
 /**
 * Notify the blog admin of a user changing password, normally via email.
 *
 * @since 2.7.0
 *
-* @param object $user User Object
+* @param WP_User $user User object.
 */
-function wp_password_change_notification(&$user) {
+function wp_password_change_notification( $user ) {
 	// send a copy of password change notification to the admin
 	// but check to see if it's the admin whose password we're changing, and skip this
 	if ( 0 !== strcasecmp( $user->user_email, get_option( 'admin_email' ) ) ) {
-		$message = sprintf(__('Password Lost and Changed for user: %s'), $user->user_login) . "\r\n";
+		/* translators: %s: user name */
+		$message = sprintf( __( 'Password changed for user: %s' ), $user->user_login ) . "\r\n";
 		// The blogname option is escaped with esc_html on the way into the database in sanitize_option
 		// we want to reverse this for the plain text arena of emails.
 		$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
-		wp_mail(get_option('admin_email'), sprintf(__('[%s] Password Lost/Changed'), $blogname), $message);
+		$wp_password_change_notification_email = array(
+			'to'      => get_option( 'admin_email' ),
+			/* translators: Password change notification email subject. %s: Site title */
+			'subject' => __( '[%s] Password Changed' ),
+			'message' => $message,
+			'headers' => '',
+		);
+		/**
+		 * Filters the contents of the password change notification email sent to the site admin.
+		 *
+		 * @since 4.9.0
+		 *
+		 * @param array   $wp_password_change_notification_email {
+		 *     Used to build wp_mail().
+		 *
+		 *     @type string $to      The intended recipient - site admin email address.
+		 *     @type string $subject The subject of the email.
+		 *     @type string $message The body of the email.
+		 *     @type string $headers The headers of the email.
+		 * }
+		 * @param WP_User $user     User object for user whose password was changed.
+		 * @param string  $blogname The site title.
+		 */
+		$wp_password_change_notification_email = apply_filters( 'wp_password_change_notification_email', $wp_password_change_notification_email, $user, $blogname );
+		wp_mail(
+			$wp_password_change_notification_email['to'],
+			wp_specialchars_decode( sprintf( $wp_password_change_notification_email['subject'], $blogname ) ),
+			$wp_password_change_notification_email['message'],
+			$wp_password_change_notification_email['headers']
+		);
 	}
 }
 endif;
 if ( !function_exists('wp_new_user_notification') ) :
 * Email login credentials to a newly-registered user.
 *
 * A new user registration notification is also sent to admin email.
 *
 * @since 2.0.0
-*
+* @since 4.3.0 The `$plaintext_pass` parameter was changed to `$notify`.
-* @param int    $user_id        User ID.
+* @since 4.3.1 The `$plaintext_pass` parameter was deprecated. `$notify` added as a third parameter.
-* @param string $plaintext_pass Optional. The user's plaintext password. Default empty.
+* @since 4.6.0 The `$notify` parameter accepts 'user' for sending notification only to the user created.
-*/
+*
-function wp_new_user_notification($user_id, $plaintext_pass = '') {
+* @global wpdb         $wpdb      WordPress database object for queries.
+* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
+*
+* @param int    $user_id    User ID.
+* @param null   $deprecated Not used (argument deprecated).
+* @param string $notify     Optional. Type of notification that should happen. Accepts 'admin' or an empty
+*                           string (admin only), 'user', or 'both' (admin and user). Default empty.
+*/
+function wp_new_user_notification( $user_id, $deprecated = null, $notify = '' ) {
+	if ( $deprecated !== null ) {
+		_deprecated_argument( __FUNCTION__, '4.3.1' );
+	}
+	global $wpdb, $wp_hasher;
 	$user = get_userdata( $user_id );
 	// The blogname option is escaped with esc_html on the way into the database in sanitize_option
 	// we want to reverse this for the plain text arena of emails.
 	$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
-	$message  = sprintf(__('New user registration on your site %s:'), $blogname) . "\r\n\r\n";
+	if ( 'user' !== $notify ) {
-	$message .= sprintf(__('Username: %s'), $user->user_login) . "\r\n\r\n";
+		$switched_locale = switch_to_locale( get_locale() );
-	$message .= sprintf(__('E-mail: %s'), $user->user_email) . "\r\n";
+		/* translators: %s: site title */
-	@wp_mail(get_option('admin_email'), sprintf(__('[%s] New User Registration'), $blogname), $message);
+		$message  = sprintf( __( 'New user registration on your site %s:' ), $blogname ) . "\r\n\r\n";
+		/* translators: %s: user login */
-	if ( empty($plaintext_pass) )
+		$message .= sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n";
+		/* translators: %s: user email address */
+		$message .= sprintf( __( 'Email: %s' ), $user->user_email ) . "\r\n";
+		$wp_new_user_notification_email_admin = array(
+			'to'      => get_option( 'admin_email' ),
+			/* translators: Password change notification email subject. %s: Site title */
+			'subject' => __( '[%s] New User Registration' ),
+			'message' => $message,
+			'headers' => '',
+		);
+		/**
+		 * Filters the contents of the new user notification email sent to the site admin.
+		 *
+		 * @since 4.9.0
+		 *
+		 * @param array   $wp_new_user_notification_email {
+		 *     Used to build wp_mail().
+		 *
+		 *     @type string $to      The intended recipient - site admin email address.
+		 *     @type string $subject The subject of the email.
+		 *     @type string $message The body of the email.
+		 *     @type string $headers The headers of the email.
+		 * }
+		 * @param WP_User $user     User object for new user.
+		 * @param string  $blogname The site title.
+		 */
+		$wp_new_user_notification_email_admin = apply_filters( 'wp_new_user_notification_email_admin', $wp_new_user_notification_email_admin, $user, $blogname );
+		@wp_mail(
+			$wp_new_user_notification_email_admin['to'],
+			wp_specialchars_decode( sprintf( $wp_new_user_notification_email_admin['subject'], $blogname ) ),
+			$wp_new_user_notification_email_admin['message'],
+			$wp_new_user_notification_email_admin['headers']
+		);
+		if ( $switched_locale ) {
+			restore_previous_locale();
+		}
+	}
+	// `$deprecated was pre-4.3 `$plaintext_pass`. An empty `$plaintext_pass` didn't sent a user notification.
+	if ( 'admin' === $notify || ( empty( $deprecated ) && empty( $notify ) ) ) {
 		return;
+	}
-	$message  = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
-	$message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
+	// Generate something random for a password reset key.
+	$key = wp_generate_password( 20, false );
+	/** This action is documented in wp-login.php */
+	do_action( 'retrieve_password_key', $user->user_login, $key );
+	// Now insert the key, hashed, into the DB.
+	if ( empty( $wp_hasher ) ) {
+		require_once ABSPATH . WPINC . '/class-phpass.php';
+		$wp_hasher = new PasswordHash( 8, true );
+	}
+	$hashed = time() . ':' . $wp_hasher->HashPassword( $key );
+	$wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) );
+	$switched_locale = switch_to_locale( get_user_locale( $user ) );
+	/* translators: %s: user login */
+	$message = sprintf(__('Username: %s'), $user->user_login) . "\r\n\r\n";
+	$message .= __('To set your password, visit the following address:') . "\r\n\r\n";
+	$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user->user_login), 'login') . ">\r\n\r\n";
 	$message .= wp_login_url() . "\r\n";
-	wp_mail($user->user_email, sprintf(__('[%s] Your username and password'), $blogname), $message);
+	$wp_new_user_notification_email = array(
+		'to'      => $user->user_email,
+		/* translators: Password change notification email subject. %s: Site title */
+		'subject' => __( '[%s] Your username and password info' ),
+		'message' => $message,
+		'headers' => '',
+	);
+	/**
+	 * Filters the contents of the new user notification email sent to the new user.
+	 *
+	 * @since 4.9.0
+	 *
+	 * @param array   $wp_new_user_notification_email {
+	 *     Used to build wp_mail().
+	 *
+	 *     @type string $to      The intended recipient - New user email address.
+	 *     @type string $subject The subject of the email.
+	 *     @type string $message The body of the email.
+	 *     @type string $headers The headers of the email.
+	 * }
+	 * @param WP_User $user     User object for new user.
+	 * @param string  $blogname The site title.
+	 */
+	$wp_new_user_notification_email = apply_filters( 'wp_new_user_notification_email', $wp_new_user_notification_email, $user, $blogname );
+	wp_mail(
+		$wp_new_user_notification_email['to'],
+		wp_specialchars_decode( sprintf( $wp_new_user_notification_email['subject'], $blogname ) ),
+		$wp_new_user_notification_email['message'],
+		$wp_new_user_notification_email['headers']
+	);
+	if ( $switched_locale ) {
+		restore_previous_locale();
+	}
 }
 endif;
 if ( !function_exists('wp_nonce_tick') ) :
 /**
 *
 * @return float Float value rounded up to the next highest integer.
 */
 function wp_nonce_tick() {
 	/**
-	 * Filter the lifespan of nonces in seconds.
+	 * Filters the lifespan of nonces in seconds.
 	 *
 	 * @since 2.5.0
 	 *
 	 * @param int $lifespan Lifespan of nonces in seconds. Default 86,400 seconds, or one day.
 	 */
 	$nonce = (string) $nonce;
 	$user = wp_get_current_user();
 	$uid = (int) $user->ID;
 	if ( ! $uid ) {
 		/**
-		 * Filter whether the user who generated the nonce is logged out.
+		 * Filters whether the user who generated the nonce is logged out.
 		 *
 		 * @since 3.5.0
 		 *
 		 * @param int    $uid    ID of the nonce-owning user.
 		 * @param string $action The nonce action.
 	$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
 	if ( hash_equals( $expected, $nonce ) ) {
 		return 2;
 	}
+	/**
+	 * Fires when nonce verification fails.
+	 *
+	 * @since 4.4.0
+	 *
+	 * @param string     $nonce  The invalid nonce.
+	 * @param string|int $action The nonce action.
+	 * @param WP_User    $user   The current user object.
+	 * @param string     $token  The user's session token.
+	 */
+	do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );
 	// Invalid nonce
 	return false;
 }
 endif;
 if ( !function_exists('wp_create_nonce') ) :
 /**
-* Creates a cryptographic token tied to a specific action, user, and window of time.
+* Creates a cryptographic token tied to a specific action, user, user session,
+* and window of time.
 *
 * @since 2.0.3
+* @since 4.0.0 Session tokens were integrated with nonce creation
 *
 * @param string|int $action Scalar value to add context to the nonce.
 * @return string The token.
 */
 function wp_create_nonce($action = -1) {
 *
 * @since 2.5.0
 *
 * @link https://api.wordpress.org/secret-key/1.1/salt/ Create secrets for wp-config.php
 *
+* @staticvar array $cached_salts
+* @staticvar array $duplicated_keys
+*
 * @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce)
 * @return string Salt value
 */
 function wp_salt( $scheme = 'auth' ) {
 	static $cached_salts = array();
 	if ( isset( $cached_salts[ $scheme ] ) ) {
 		/**
-		 * Filter the WordPress salt.
+		 * Filters the WordPress salt.
 		 *
 		 * @since 2.5.0
 		 *
 		 * @param string $cached_salt Cached salt for the given scheme.
 		 * @param string $scheme      Authentication scheme. Values include 'auth',
 /**
 * Get hash of given string.
 *
 * @since 2.0.3
 *
-* @param string $data Plain text to hash
+* @param string $data   Plain text to hash
+* @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce)
 * @return string Hash of $data
 */
 function wp_hash($data, $scheme = 'auth') {
 	$salt = wp_salt($scheme);
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
-* @global object $wp_hasher PHPass object
+* @global PasswordHash $wp_hasher PHPass object
-* @uses PasswordHash::HashPassword
 *
 * @param string $password Plain text user password to hash
 * @return string The hash string of the password
 */
 function wp_hash_password($password) {
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5.0
 *
-* @global object $wp_hasher PHPass object used for checking the password
+* @global PasswordHash $wp_hasher PHPass object used for checking the password
 *	against the $hash + $password
 * @uses PasswordHash::CheckPassword
 *
-* @param string $password Plaintext user's password
+* @param string     $password Plaintext user's password
-* @param string $hash Hash of the user's password to check against.
+* @param string     $hash     Hash of the user's password to check against.
+* @param string|int $user_id  Optional. User ID.
 * @return bool False, if the $password does not match the hashed password
 */
 function wp_check_password($password, $hash, $user_id = '') {
 	global $wp_hasher;
 			wp_set_password($password, $user_id);
 			$hash = wp_hash_password($password);
 		}
 		/**
-		 * Filter whether the plaintext password matches the encrypted password.
+		 * Filters whether the plaintext password matches the encrypted password.
 		 *
 		 * @since 2.5.0
 		 *
-		 * @param bool   $check    Whether the passwords match.
+		 * @param bool       $check    Whether the passwords match.
-		 * @param string $password The plaintext password.
+		 * @param string     $password The plaintext password.
-		 * @param string $hash     The hashed password.
+		 * @param string     $hash     The hashed password.
-		 * @param int    $user_id  User ID.
+		 * @param string|int $user_id  User ID. Can be empty.
 		 */
 		return apply_filters( 'check_password', $check, $password, $hash, $user_id );
 	}
 	// If the stored hash is longer than an MD5, presume the
 	for ( $i = 0; $i < $length; $i++ ) {
 		$password .= substr($chars, wp_rand(0, strlen($chars) - 1), 1);
 	}
 	/**
-	 * Filter the randomly-generated password.
+	 * Filters the randomly-generated password.
 	 *
 	 * @since 3.0.0
 	 *
 	 * @param string $password The generated password.
 	 */
 if ( !function_exists('wp_rand') ) :
 /**
 * Generates a random number
 *
 * @since 2.6.2
+* @since 4.4.0 Uses PHP7 random_int() or the random_compat library if available.
+*
+* @global string $rnd_value
+* @staticvar string $seed
+* @staticvar bool $external_rand_source_available
 *
 * @param int $min Lower limit for the generated number
 * @param int $max Upper limit for the generated number
 * @return int A random number between min and max
 */
 function wp_rand( $min = 0, $max = 0 ) {
 	global $rnd_value;
+	// Some misconfigured 32bit environments (Entropy PHP, for example) truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
+	$max_random_number = 3000000000 === 2147483647 ? (float) "4294967295" : 4294967295; // 4294967295 = 0xffffffff
+	// We only handle Ints, floats are truncated to their integer value.
+	$min = (int) $min;
+	$max = (int) $max;
+	// Use PHP's CSPRNG, or a compatible method
+	static $use_random_int_functionality = true;
+	if ( $use_random_int_functionality ) {
+		try {
+			$_max = ( 0 != $max ) ? $max : $max_random_number;
+			// wp_rand() can accept arguments in either order, PHP cannot.
+			$_max = max( $min, $_max );
+			$_min = min( $min, $_max );
+			$val = random_int( $_min, $_max );
+			if ( false !== $val ) {
+				return absint( $val );
+			} else {
+				$use_random_int_functionality = false;
+			}
+		} catch ( Error $e ) {
+			$use_random_int_functionality = false;
+		} catch ( Exception $e ) {
+			$use_random_int_functionality = false;
+		}
+	}
 	// Reset $rnd_value after 14 uses
 	// 32(md5) + 40(sha1) + 40(sha1) / 8 = 14 random numbers from $rnd_value
 	if ( strlen($rnd_value) < 8 ) {
 		if ( defined( 'WP_SETUP_CONFIG' ) )
 			$seed = get_transient('random_seed');
 		$rnd_value = md5( uniqid(microtime() . mt_rand(), true ) . $seed );
 		$rnd_value .= sha1($rnd_value);
 		$rnd_value .= sha1($rnd_value . $seed);
 		$seed = md5($seed . $rnd_value);
-		if ( ! defined( 'WP_SETUP_CONFIG' ) )
+		if ( ! defined( 'WP_SETUP_CONFIG' ) && ! defined( 'WP_INSTALLING' ) ) {
-			set_transient('random_seed', $seed);
+			set_transient( 'random_seed', $seed );
+		}
 	}
 	// Take the first 8 digits for our value
 	$value = substr($rnd_value, 0, 8);
 	// Strip the first eight, leaving the remainder for the next call to wp_rand().
 	$rnd_value = substr($rnd_value, 8);
 	$value = abs(hexdec($value));
-	// Some misconfigured 32bit environments (Entropy PHP, for example) truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
-	$max_random_number = 3000000000 === 2147483647 ? (float) "4294967295" : 4294967295; // 4294967295 = 0xffffffff
 	// Reduce the value to be within the min - max range
 	if ( $max != 0 )
 		$value = $min + ( $max - $min + 1 ) * $value / ( $max_random_number + 1 );
 * @since 2.5.0
 *
 * @global wpdb $wpdb WordPress database abstraction object.
 *
 * @param string $password The plaintext new user password
-* @param int $user_id User ID
+* @param int    $user_id  User ID
 */
 function wp_set_password( $password, $user_id ) {
 	global $wpdb;
 	$hash = wp_hash_password( $password );
 *
 * @since 2.5.0
 * @since 4.2.0 Optional `$args` parameter added.
 *
 * @param mixed $id_or_email The Gravatar to retrieve. Accepts a user_id, gravatar md5 hash,
-*                           user email, WP_User object, WP_Post object, or comment object.
+*                           user email, WP_User object, WP_Post object, or WP_Comment object.
 * @param int    $size       Optional. Height and width of the avatar image file in pixels. Default 96.
 * @param string $default    Optional. URL for the default image or a default type. Accepts '404'
 *                           (return a 404 instead of a default image), 'retro' (8bit), 'monsterid'
 *                           (monster), 'wavatar' (cartoon face), 'indenticon' (the "quilt"),
-*                           'mystery', 'mm', or 'mysterman' (The Oyster Man), 'blank' (transparent GIF),
+*                           'mystery', 'mm', or 'mysteryman' (The Oyster Man), 'blank' (transparent GIF),
 *                           or 'gravatar_default' (the Gravatar logo). Default is the value of the
 *                           'avatar_default' option, with a fallback of 'mystery'.
 * @param string $alt        Optional. Alternative text to use in &lt;img&gt; tag. Default empty.
 * @param array  $args       {
 *     Optional. Extra arguments to retrieve the avatar.
 	}
 	if ( empty( $args['width'] ) ) {
 		$args['width'] = $args['size'];
 	}
-	/**
+	if ( is_object( $id_or_email ) && isset( $id_or_email->comment_ID ) ) {
-	 * Filter whether to retrieve the avatar URL early.
+		$id_or_email = get_comment( $id_or_email );
+	}
+	/**
+	 * Filters whether to retrieve the avatar URL early.
 	 *
 	 * Passing a non-null value will effectively short-circuit get_avatar(), passing
-	 * the value through the {@see 'pre_get_avatar'} filter and returning early.
+	 * the value through the {@see 'get_avatar'} filter and returning early.
 	 *
 	 * @since 4.2.0
 	 *
-	 * @param string            $avatar      HTML for the user's avatar. Default null.
+	 * @param string $avatar      HTML for the user's avatar. Default null.
-	 * @param int|object|string $id_or_email A user ID, email address, or comment object.
+	 * @param mixed  $id_or_email The Gravatar to retrieve. Accepts a user_id, gravatar md5 hash,
-	 * @param array             $args        Arguments passed to get_avatar_url(), after processing.
+	 *                            user email, WP_User object, WP_Post object, or WP_Comment object.
+	 * @param array  $args        Arguments passed to get_avatar_url(), after processing.
 	 */
 	$avatar = apply_filters( 'pre_get_avatar', null, $id_or_email, $args );
 	if ( ! is_null( $avatar ) ) {
 		/** This filter is documented in wp-includes/pluggable.php */
 	$args = get_avatar_data( $id_or_email, $args );
 	$url = $args['url'];
 	if ( ! $url || is_wp_error( $url ) ) {
-return false;
+		return false;
 	}
 	$class = array( 'avatar', 'avatar-' . (int) $args['size'], 'photo' );
 	if ( ! $args['found_avatar'] || $args['force_default'] ) {
-$class[] = 'avatar-default';
+		$class[] = 'avatar-default';
 	}
 	if ( $args['class'] ) {
 		if ( is_array( $args['class'] ) ) {
 			$class = array_merge( $class, $args['class'] );
 	$avatar = sprintf(
 		"<img alt='%s' src='%s' srcset='%s' class='%s' height='%d' width='%d' %s/>",
 		esc_attr( $args['alt'] ),
 		esc_url( $url ),
-		esc_attr( "$url2x 2x" ),
+		esc_url( $url2x ) . ' 2x',
 		esc_attr( join( ' ', $class ) ),
 		(int) $args['height'],
 		(int) $args['width'],
 		$args['extra_attr']
 	);
 	/**
-	 * Filter the avatar to retrieve.
+	 * Filters the avatar to retrieve.
 	 *
 	 * @since 2.5.0
 	 * @since 4.2.0 The `$args` parameter was added.
 	 *
-	 * @param string            $avatar      &lt;img&gt; tag for the user's avatar.
+	 * @param string $avatar      &lt;img&gt; tag for the user's avatar.
-	 * @param int|object|string $id_or_email A user ID, email address, or comment object.
+	 * @param mixed  $id_or_email The Gravatar to retrieve. Accepts a user_id, gravatar md5 hash,
-	 * @param int               $size        Square avatar width and height in pixels to retrieve.
+	 *                            user email, WP_User object, WP_Post object, or WP_Comment object.
-	 * @param string            $alt         Alternative text to use in the avatar image tag.
+	 * @param int    $size        Square avatar width and height in pixels to retrieve.
-	 *                                       Default empty.
+	 * @param string $default     URL for the default image or a default type. Accepts '404', 'retro', 'monsterid',
-	 * @param array             $args        Arguments passed to get_avatar_data(), after processing.
+	 *                            'wavatar', 'indenticon','mystery' (or 'mm', or 'mysteryman'), 'blank', or 'gravatar_default'.
+	 *                            Default is the value of the 'avatar_default' option, with a fallback of 'mystery'.
+	 * @param string $alt         Alternative text to use in the avatar image tag. Default empty.
+	 * @param array  $args        Arguments passed to get_avatar_data(), after processing.
 	 */
 	return apply_filters( 'get_avatar', $avatar, $id_or_email, $args['size'], $args['default'], $args['alt'], $args );
 }
 endif;
 *
 * @see wp_parse_args() Used to change defaults to user defined settings.
 * @uses Text_Diff
 * @uses WP_Text_Diff_Renderer_Table
 *
-* @param string $left_string "old" (left) version of string
+* @param string       $left_string  "old" (left) version of string
-* @param string $right_string "new" (right) version of string
+* @param string       $right_string "new" (right) version of string
-* @param string|array $args Optional. Change 'title', 'title_left', and 'title_right' defaults.
+* @param string|array $args         Optional. Change 'title', 'title_left', and 'title_right' defaults.
 * @return string Empty string if strings are equivalent or HTML with differences.
 */
 function wp_text_diff( $left_string, $right_string, $args = null ) {
 	$defaults = array( 'title' => '', 'title_left' => '', 'title_right' => '' );
 	$args = wp_parse_args( $args, $defaults );
-	if ( !class_exists( 'WP_Text_Diff_Renderer_Table' ) )
+	if ( ! class_exists( 'WP_Text_Diff_Renderer_Table', false ) )
 		require( ABSPATH . WPINC . '/wp-diff.php' );
 	$left_string  = normalize_whitespace($left_string);
 	$right_string = normalize_whitespace($right_string);

changeset 7	cf61fcea0001
parent 5	5e2f62d02dcd
child 9	177826044cd9