--- a/wp/wp-login.php Tue Dec 15 15:52:01 2020 +0100
+++ b/wp/wp-login.php Wed Sep 21 18:19:35 2022 +0200
@@ -42,7 +42,8 @@
global $error, $interim_login, $action;
// Don't index any of these forms.
- add_action( 'login_head', 'wp_sensitive_page_meta' );
+ add_filter( 'wp_robots', 'wp_robots_sensitive_page' );
+ add_action( 'login_head', 'wp_strict_cross_origin_referrer' );
add_action( 'login_head', 'wp_login_viewport_meta' );
@@ -281,14 +282,27 @@
// Don't allow interim logins to navigate away from the page.
if ( ! $interim_login ) {
?>
- <p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>">
- <?php
-
- /* translators: %s: Site title. */
- printf( _x( '← Back to %s', 'site' ), get_bloginfo( 'title', 'display' ) );
-
- ?>
- </a></p>
+ <p id="backtoblog">
+ <?php
+ $html_link = sprintf(
+ '<a href="%s">%s</a>',
+ esc_url( home_url( '/' ) ),
+ sprintf(
+ /* translators: %s: Site title. */
+ _x( '← Go to %s', 'site' ),
+ get_bloginfo( 'title', 'display' )
+ )
+ );
+ /**
+ * Filter the "Go to site" link displayed in the login page footer.
+ *
+ * @since 5.7.0
+ *
+ * @param string $link HTML link to the home URL of the current site.
+ */
+ echo apply_filters( 'login_site_html_link', $html_link );
+ ?>
+ </p>
<?php
the_privacy_policy_link( '<div class="privacy-policy-page-link">', '</div>' );
@@ -303,7 +317,7 @@
?>
<script type="text/javascript">
try{document.getElementById('<?php echo $input_id; ?>').focus();}catch(e){}
- if(typeof wpOnload=='function')wpOnload();
+ if(typeof wpOnload==='function')wpOnload();
</script>
<?php
}
@@ -323,7 +337,7 @@
}
/**
- * Outputs the Javascript to handle the form shaking.
+ * Outputs the JavaScript to handle the form shaking on the login page.
*
* @since 3.0.0
*/
@@ -336,7 +350,7 @@
}
/**
- * Outputs the viewport meta tag.
+ * Outputs the viewport meta tag for the login page.
*
* @since 3.7.0
*/
@@ -346,141 +360,6 @@
<?php
}
-/**
- * Handles sending password retrieval email to user.
- *
- * @since 2.5.0
- *
- * @return bool|WP_Error True: when finish. WP_Error on error
- */
-function retrieve_password() {
- $errors = new WP_Error();
- $user_data = false;
-
- if ( empty( $_POST['user_login'] ) || ! is_string( $_POST['user_login'] ) ) {
- $errors->add( 'empty_username', __( '<strong>Error</strong>: Please enter a username or email address.' ) );
- } elseif ( strpos( $_POST['user_login'], '@' ) ) {
- $user_data = get_user_by( 'email', trim( wp_unslash( $_POST['user_login'] ) ) );
- if ( empty( $user_data ) ) {
- $errors->add( 'invalid_email', __( '<strong>Error</strong>: There is no account with that username or email address.' ) );
- }
- } else {
- $login = trim( wp_unslash( $_POST['user_login'] ) );
- $user_data = get_user_by( 'login', $login );
- }
-
- /**
- * Fires before errors are returned from a password reset request.
- *
- * @since 2.1.0
- * @since 4.4.0 Added the `$errors` parameter.
- * @since 5.4.0 Added the `$user_data` parameter.
- *
- * @param WP_Error $errors A WP_Error object containing any errors generated
- * by using invalid credentials.
- * @param WP_User|false $user_data WP_User object if found, false if the user does not exist.
- */
- do_action( 'lostpassword_post', $errors, $user_data );
-
- /**
- * Filters the errors encountered on a password reset request.
- *
- * The filtered WP_Error object may, for example, contain errors for an invalid
- * username or email address. A WP_Error object should always be returned,
- * but may or may not contain errors.
- *
- * If any errors are present in $errors, this will abort the password reset request.
- *
- * @since 5.5.0
- *
- * @param WP_Error $errors A WP_Error object containing any errors generated
- * by using invalid credentials.
- * @param WP_User|false $user_data WP_User object if found, false if the user does not exist.
- */
- $errors = apply_filters( 'lostpassword_errors', $errors, $user_data );
-
- if ( $errors->has_errors() ) {
- return $errors;
- }
-
- if ( ! $user_data ) {
- $errors->add( 'invalidcombo', __( '<strong>Error</strong>: There is no account with that username or email address.' ) );
- return $errors;
- }
-
- // Redefining user_login ensures we return the right case in the email.
- $user_login = $user_data->user_login;
- $user_email = $user_data->user_email;
- $key = get_password_reset_key( $user_data );
-
- if ( is_wp_error( $key ) ) {
- return $key;
- }
-
- if ( is_multisite() ) {
- $site_name = get_network()->site_name;
- } else {
- /*
- * The blogname option is escaped with esc_html on the way into the database
- * in sanitize_option we want to reverse this for the plain text arena of emails.
- */
- $site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
- }
-
- $message = __( 'Someone has requested a password reset for the following account:' ) . "\r\n\r\n";
- /* translators: %s: Site name. */
- $message .= sprintf( __( 'Site Name: %s' ), $site_name ) . "\r\n\r\n";
- /* translators: %s: User login. */
- $message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
- $message .= __( 'If this was a mistake, just ignore this email and nothing will happen.' ) . "\r\n\r\n";
- $message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
- $message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . "\r\n";
-
- /* translators: Password reset notification email subject. %s: Site title. */
- $title = sprintf( __( '[%s] Password Reset' ), $site_name );
-
- /**
- * Filters the subject of the password reset email.
- *
- * @since 2.8.0
- * @since 4.4.0 Added the `$user_login` and `$user_data` parameters.
- *
- * @param string $title Default email title.
- * @param string $user_login The username for the user.
- * @param WP_User $user_data WP_User object.
- */
- $title = apply_filters( 'retrieve_password_title', $title, $user_login, $user_data );
-
- /**
- * Filters the message body of the password reset mail.
- *
- * If the filtered message is empty, the password reset email will not be sent.
- *
- * @since 2.8.0
- * @since 4.1.0 Added `$user_login` and `$user_data` parameters.
- *
- * @param string $message Default mail message.
- * @param string $key The activation key.
- * @param string $user_login The username for the user.
- * @param WP_User $user_data WP_User object.
- */
- $message = apply_filters( 'retrieve_password_message', $message, $key, $user_login, $user_data );
-
- if ( $message && ! wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) ) {
- $errors->add(
- 'retrieve_password_email_failure',
- sprintf(
- /* translators: %s: Documentation URL. */
- __( '<strong>Error</strong>: The email could not be sent. Your site may not be correctly configured to send emails. <a href="%s">Get support for resetting your password</a>.' ),
- esc_url( __( 'https://wordpress.org/support/article/resetting-your-password/' ) )
- )
- );
- return $errors;
- }
-
- return true;
-}
-
//
// Main.
//
@@ -551,8 +430,22 @@
* Fires before a specified login form action.
*
* The dynamic portion of the hook name, `$action`, refers to the action
- * that brought the visitor to the login form. Actions include 'postpass',
- * 'logout', 'lostpassword', etc.
+ * that brought the visitor to the login form.
+ *
+ * Possible hook names include:
+ *
+ * - 'login_form_checkemail'
+ * - 'login_form_confirm_admin_email'
+ * - 'login_form_confirmaction'
+ * - 'login_form_entered_recovery_mode'
+ * - 'login_form_login'
+ * - 'login_form_logout'
+ * - 'login_form_lostpassword'
+ * - 'login_form_postpass'
+ * - 'login_form_register'
+ * - 'login_form_resetpass'
+ * - 'login_form_retrievepassword'
+ * - 'login_form_rp'
*
* @since 2.8.0
*/
@@ -685,11 +578,11 @@
/* translators: URL to the WordPress help section about admin email. */
$admin_email_help_url = __( 'https://wordpress.org/support/article/settings-general-screen/#email-address' );
- /* translators: accessibility text */
+ /* translators: Accessibility text. */
$accessibility_text = sprintf( '<span class="screen-reader-text"> %s</span>', __( '(opens in a new tab)' ) );
printf(
- '<a href="%s" rel="noopener noreferrer" target="_blank">%s%s</a>',
+ '<a href="%s" rel="noopener" target="_blank">%s%s</a>',
esc_url( $admin_email_help_url ),
__( 'Why is this important?' ),
$accessibility_text
@@ -831,9 +724,9 @@
if ( isset( $_GET['error'] ) ) {
if ( 'invalidkey' === $_GET['error'] ) {
- $errors->add( 'invalidkey', __( 'Your password reset link appears to be invalid. Please request a new link below.' ) );
+ $errors->add( 'invalidkey', __( '<strong>Error</strong>: Your password reset link appears to be invalid. Please request a new link below.' ) );
} elseif ( 'expiredkey' === $_GET['error'] ) {
- $errors->add( 'expiredkey', __( 'Your password reset link has expired. Please request a new link below.' ) );
+ $errors->add( 'expiredkey', __( '<strong>Error</strong>: Your password reset link has expired. Please request a new link below.' ) );
}
}
@@ -914,7 +807,7 @@
list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
$rp_cookie = 'wp-resetpass-' . COOKIEHASH;
- if ( isset( $_GET['key'] ) ) {
+ if ( isset( $_GET['key'] ) && isset( $_GET['login'] ) ) {
$value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
@@ -949,7 +842,7 @@
$errors = new WP_Error();
if ( isset( $_POST['pass1'] ) && $_POST['pass1'] !== $_POST['pass2'] ) {
- $errors->add( 'password_reset_mismatch', __( 'The passwords do not match.' ) );
+ $errors->add( 'password_reset_mismatch', __( '<strong>Error</strong>: The passwords do not match.' ) );
}
/**
@@ -973,7 +866,7 @@
wp_enqueue_script( 'utils' );
wp_enqueue_script( 'user-profile' );
- login_header( __( 'Reset Password' ), '<p class="message reset-pass">' . __( 'Enter your new password below.' ) . '</p>', $errors );
+ login_header( __( 'Reset Password' ), '<p class="message reset-pass">' . __( 'Enter your new password below or generate one.' ) . '</p>', $errors );
?>
<form name="resetpassform" id="resetpassform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=resetpass', 'login_post' ) ); ?>" method="post" autocomplete="off">
@@ -1019,8 +912,9 @@
?>
<input type="hidden" name="rp_key" value="<?php echo esc_attr( $rp_key ); ?>" />
- <p class="submit">
- <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e( 'Reset Password' ); ?>" />
+ <p class="submit reset-pass-submit">
+ <button type="button" class="button wp-generate-pw hide-if-no-js" aria-expanded="true"><?php _e( 'Generate Password' ); ?></button>
+ <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e( 'Save Password' ); ?>" />
</p>
</form>
@@ -1366,11 +1260,24 @@
if ( isset( $_GET['loggedout'] ) && $_GET['loggedout'] ) {
$errors->add( 'loggedout', __( 'You are now logged out.' ), 'message' );
} elseif ( isset( $_GET['registration'] ) && 'disabled' === $_GET['registration'] ) {
- $errors->add( 'registerdisabled', __( 'User registration is currently not allowed.' ) );
+ $errors->add( 'registerdisabled', __( '<strong>Error</strong>: User registration is currently not allowed.' ) );
} elseif ( strpos( $redirect_to, 'about.php?updated' ) ) {
$errors->add( 'updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to see what’s new.' ), 'message' );
} elseif ( WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED === $action ) {
$errors->add( 'enter_recovery_mode', __( 'Recovery Mode Initialized. Please log in to continue.' ), 'message' );
+ } elseif ( isset( $_GET['redirect_to'] ) && false !== strpos( $_GET['redirect_to'], 'wp-admin/authorize-application.php' ) ) {
+ $query_component = wp_parse_url( $_GET['redirect_to'], PHP_URL_QUERY );
+ parse_str( $query_component, $query );
+
+ if ( ! empty( $query['app_name'] ) ) {
+ /* translators: 1: Website name, 2: Application name. */
+ $message = sprintf( 'Please log in to %1$s to authorize %2$s to connect to your account.', get_bloginfo( 'name', 'display' ), '<strong>' . esc_html( $query['app_name'] ) . '</strong>' );
+ } else {
+ /* translators: %s: Website name. */
+ $message = sprintf( 'Please log in to %s to proceed with authorization.', get_bloginfo( 'name', 'display' ) );
+ }
+
+ $errors->add( 'authorize_application', $message, 'message' );
}
}
@@ -1527,7 +1434,7 @@
for ( i in links ) {
if ( links[i].href ) {
links[i].target = '_blank';
- links[i].rel = 'noreferrer noopener';
+ links[i].rel = 'noopener';
}
}
} catch( er ) {}