` element. - * Default 'Log In'. - * @param string $message Optional. Message to display in header. Default empty. - * @param WP_Error $wp_error Optional. The error to pass. Default is a WP_Error instance. + * @param string|null $title Optional. WordPress login page title to display in the `<title>` element. + * Defaults to 'Log In'. + * @param string $message Optional. Message to display in header. Default empty. + * @param WP_Error|null $wp_error Optional. The error to pass. Defaults to a WP_Error instance. */ -function login_header( $title = 'Log In', $message = '', $wp_error = null ) { +function login_header( $title = null, $message = '', $wp_error = null ) { global $error, $interim_login, $action; + if ( null === $title ) { + $title = __( 'Log In' ); + } + // Don't index any of these forms. add_filter( 'wp_robots', 'wp_robots_sensitive_page' ); add_action( 'login_head', 'wp_strict_cross_origin_referrer' ); @@ -101,13 +105,15 @@ * but maybe better if it's not removable by plugins. */ if ( 'loggedout' === $wp_error->get_error_code() ) { + ob_start(); ?> <script>if("sessionStorage" in window){try{for(var key in sessionStorage){if(key.indexOf("wp-autosave-")!=-1){sessionStorage.removeItem(key)}}}catch(e){}};</script> <?php + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } /** - * Enqueue scripts and styles for the login page. + * Enqueues scripts and styles for the login page. * * @since 3.1.0 */ @@ -193,9 +199,10 @@ ?> </head> <body class="login no-js <?php echo esc_attr( implode( ' ', $classes ) ); ?>"> - <script type="text/javascript"> - document.body.className = document.body.className.replace('no-js','js'); - </script> + <?php + wp_print_inline_script_tag( "document.body.className = document.body.className.replace('no-js','js');" ); + ?> + <?php /** * Fires in the login page header after the body tag is opened. @@ -228,29 +235,52 @@ } if ( $wp_error->has_errors() ) { - $errors = ''; - $messages = ''; + $error_list = array(); + $messages = ''; foreach ( $wp_error->get_error_codes() as $code ) { $severity = $wp_error->get_error_data( $code ); foreach ( $wp_error->get_error_messages( $code ) as $error_message ) { if ( 'message' === $severity ) { - $messages .= ' ' . $error_message . "<br />\n"; + $messages .= '<p>' . $error_message . '</p>'; } else { - $errors .= ' ' . $error_message . "<br />\n"; + $error_list[] = $error_message; } } } - if ( ! empty( $errors ) ) { + if ( ! empty( $error_list ) ) { + $errors = ''; + + if ( count( $error_list ) > 1 ) { + $errors .= '<ul class="login-error-list">'; + + foreach ( $error_list as $item ) { + $errors .= '<li>' . $item . '</li>'; + } + + $errors .= '</ul>'; + } else { + $errors .= '<p>' . $error_list[0] . '</p>'; + } + /** * Filters the error messages displayed above the login form. * * @since 2.1.0 * - * @param string $errors Login error message. + * @param string $errors Login error messages. */ - echo '<div id="login_error">' . apply_filters( 'login_errors', $errors ) . "</div>\n"; + $errors = apply_filters( 'login_errors', $errors ); + + wp_admin_notice( + $errors, + array( + 'type' => 'error', + 'id' => 'login_error', + 'paragraph_wrap' => false, + ) + ); } if ( ! empty( $messages ) ) { @@ -261,7 +291,17 @@ * * @param string $messages Login messages. */ - echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n"; + $messages = apply_filters( 'login_messages', $messages ); + + wp_admin_notice( + $messages, + array( + 'type' => 'info', + 'id' => 'login-message', + 'additional_classes' => array( 'message' ), + 'paragraph_wrap' => false, + ) + ); } } } // End of login_header(). @@ -294,7 +334,7 @@ ) ); /** - * Filter the "Go to site" link displayed in the login page footer. + * Filters the "Go to site" link displayed in the login page footer. * * @since 5.7.0 * @@ -315,11 +355,11 @@ if ( ! $interim_login && /** - * Filters the Languages select input activation on the login screen. + * Filters whether to display the Language selector on the login screen. * * @since 5.9.0 * - * @param bool Whether to display the Languages select input on the login screen. + * @param bool $display Whether to display the Language selector on the login screen. */ apply_filters( 'login_display_language_dropdown', true ) ) { @@ -328,11 +368,16 @@ if ( ! empty( $languages ) ) { ?> <div class="language-switcher"> - <form id="language-switcher" action="" method="get"> + <form id="language-switcher" method="get"> <label for="language-switcher-locales"> <span class="dashicons dashicons-translation" aria-hidden="true"></span> - <span class="screen-reader-text"><?php _e( 'Language' ); ?></span> + <span class="screen-reader-text"> + <?php + /* translators: Hidden accessibility text. */ + _e( 'Language' ); + ?> + </span> </label> <?php @@ -348,6 +393,8 @@ /** * Filters default arguments for the Languages select input on the login screen. * + * The arguments get passed to the wp_dropdown_languages() function. + * * @since 5.9.0 * * @param array $args Arguments for the Languages select input on the login screen. @@ -360,7 +407,7 @@ <?php } ?> <?php if ( isset( $_GET['redirect_to'] ) && '' !== $_GET['redirect_to'] ) { ?> - <input type="hidden" name="redirect_to" value="<?php echo esc_url_raw( $_GET['redirect_to'] ); ?>" /> + <input type="hidden" name="redirect_to" value="<?php echo sanitize_url( $_GET['redirect_to'] ); ?>" /> <?php } ?> <?php if ( isset( $_GET['action'] ) && '' !== $_GET['action'] ) { ?> @@ -376,12 +423,14 @@ <?php if ( ! empty( $input_id ) ) { + ob_start(); ?> - <script type="text/javascript"> + <script> try{document.getElementById('<?php echo $input_id; ?>').focus();}catch(e){} if(typeof wpOnload==='function')wpOnload(); </script> <?php + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } /** @@ -392,7 +441,6 @@ do_action( 'login_footer' ); ?> - <div class="clear"></div> </body> </html> <?php @@ -404,11 +452,7 @@ * @since 3.0.0 */ function wp_shake_js() { - ?> - <script type="text/javascript"> - document.querySelector('form').classList.add('shake'); - </script> - <?php + wp_print_inline_script_tag( "document.querySelector('form').classList.add('shake');" ); } /** @@ -423,7 +467,9 @@ } /* - * Main part: check the request and redirect or display a form based on the current action. + * Main part. + * + * Check the request and redirect or display a form based on the current action. */ $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login'; @@ -642,10 +688,13 @@ <?php /* translators: URL to the WordPress help section about admin email. */ - $admin_email_help_url = __( 'https://wordpress.org/support/article/settings-general-screen/#email-address' ); + $admin_email_help_url = __( 'https://wordpress.org/documentation/article/settings-general-screen/#email-address' ); - /* translators: Accessibility text. */ - $accessibility_text = sprintf( '<span class="screen-reader-text"> %s</span>', __( '(opens in a new tab)' ) ); + $accessibility_text = sprintf( + '<span class="screen-reader-text"> %s</span>', + /* translators: Hidden accessibility text. */ + __( '(opens in a new tab)' ) + ); printf( '<a href="%s" rel="noopener" target="_blank">%s%s</a>', @@ -708,7 +757,7 @@ break; case 'postpass': - if ( ! array_key_exists( 'post_password', $_POST ) ) { + if ( ! isset( $_POST['post_password'] ) || ! is_string( $_POST['post_password'] ) ) { wp_safe_redirect( wp_get_referer() ); exit; } @@ -747,7 +796,7 @@ wp_logout(); - if ( ! empty( $_REQUEST['redirect_to'] ) ) { + if ( ! empty( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ) { $redirect_to = $_REQUEST['redirect_to']; $requested_redirect_to = $redirect_to; } else { @@ -790,9 +839,9 @@ if ( isset( $_GET['error'] ) ) { if ( 'invalidkey' === $_GET['error'] ) { - $errors->add( 'invalidkey', __( '<strong>Error</strong>: Your password reset link appears to be invalid. Please request a new link below.' ) ); + $errors->add( 'invalidkey', __( '<strong>Error:</strong> Your password reset link appears to be invalid. Please request a new link below.' ) ); } elseif ( 'expiredkey' === $_GET['error'] ) { - $errors->add( 'expiredkey', __( '<strong>Error</strong>: Your password reset link has expired. Please request a new link below.' ) ); + $errors->add( 'expiredkey', __( '<strong>Error:</strong> Your password reset link has expired. Please request a new link below.' ) ); } } @@ -817,7 +866,17 @@ */ do_action( 'lost_password', $errors ); - login_header( __( 'Lost Password' ), '<p class="message">' . __( 'Please enter your username or email address. You will receive an email message with instructions on how to reset your password.' ) . '</p>', $errors ); + login_header( + __( 'Lost Password' ), + wp_get_admin_notice( + __( 'Please enter your username or email address. You will receive an email message with instructions on how to reset your password.' ), + array( + 'type' => 'info', + 'additional_classes' => array( 'message' ), + ) + ), + $errors + ); $user_login = ''; @@ -830,7 +889,7 @@ <form name="lostpasswordform" id="lostpasswordform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>" method="post"> <p> <label for="user_login"><?php _e( 'Username or Email Address' ); ?></label> - <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" autocomplete="username" /> + <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" autocomplete="username" required="required" /> </p> <?php @@ -849,11 +908,11 @@ </form> <p id="nav"> - <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> + <a class="wp-login-log-in" href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> <?php if ( get_option( 'users_can_register' ) ) { - $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); + $registration_url = sprintf( '<a class="wp-login-register" href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); echo esc_html( $login_link_separator ); @@ -918,7 +977,7 @@ // Check if password fields do not match. if ( ! empty( $_POST['pass1'] ) && trim( $_POST['pass2'] ) !== $_POST['pass1'] ) { - $errors->add( 'password_reset_mismatch', __( '<strong>Error</strong>: The passwords do not match.' ) ); + $errors->add( 'password_reset_mismatch', __( '<strong>Error:</strong> The passwords do not match.' ) ); } /** @@ -934,7 +993,16 @@ if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) { reset_password( $user, $_POST['pass1'] ); setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); - login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' ); + login_header( + __( 'Password Reset' ), + wp_get_admin_notice( + __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a>', + array( + 'type' => 'info', + 'additional_classes' => array( 'message', 'reset-pass' ), + ) + ) + ); login_footer(); exit; } @@ -942,7 +1010,17 @@ wp_enqueue_script( 'utils' ); wp_enqueue_script( 'user-profile' ); - login_header( __( 'Reset Password' ), '<p class="message reset-pass">' . __( 'Enter your new password below or generate one.' ) . '</p>', $errors ); + login_header( + __( 'Reset Password' ), + wp_get_admin_notice( + __( 'Enter your new password below or generate one.' ), + array( + 'type' => 'info', + 'additional_classes' => array( 'message', 'reset-pass' ), + ) + ), + $errors + ); ?> <form name="resetpassform" id="resetpassform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=resetpass', 'login_post' ) ); ?>" method="post" autocomplete="off"> @@ -954,7 +1032,7 @@ </p> <div class="wp-pwd"> - <input type="password" data-reveal="1" data-pw="<?php echo esc_attr( wp_generate_password( 16 ) ); ?>" name="pass1" id="pass1" class="input password-input" size="24" value="" autocomplete="new-password" aria-describedby="pass-strength-result" /> + <input type="password" name="pass1" id="pass1" class="input password-input" size="24" value="" autocomplete="new-password" spellcheck="false" data-reveal="1" data-pw="<?php echo esc_attr( wp_generate_password( 16 ) ); ?>" aria-describedby="pass-strength-result" /> <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e( 'Hide password' ); ?>"> <span class="dashicons dashicons-hidden" aria-hidden="true"></span> @@ -969,11 +1047,10 @@ <p class="user-pass2-wrap"> <label for="pass2"><?php _e( 'Confirm new password' ); ?></label> - <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="new-password" /> + <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="new-password" spellcheck="false" /> </p> <p class="description indicator-hint"><?php echo wp_get_password_hint(); ?></p> - <br class="clear" /> <?php @@ -995,11 +1072,11 @@ </form> <p id="nav"> - <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> + <a class="wp-login-log-in" href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> <?php if ( get_option( 'users_can_register' ) ) { - $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); + $registration_url = sprintf( '<a class="wp-login-register" href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); echo esc_html( $login_link_separator ); @@ -1067,17 +1144,27 @@ */ $redirect_to = apply_filters( 'registration_redirect', $registration_redirect, $errors ); - login_header( __( 'Registration Form' ), '<p class="message register">' . __( 'Register For This Site' ) . '</p>', $errors ); + login_header( + __( 'Registration Form' ), + wp_get_admin_notice( + __( 'Register For This Site' ), + array( + 'type' => 'info', + 'additional_classes' => array( 'message', 'register' ), + ) + ), + $errors + ); ?> <form name="registerform" id="registerform" action="<?php echo esc_url( site_url( 'wp-login.php?action=register', 'login_post' ) ); ?>" method="post" novalidate="novalidate"> <p> <label for="user_login"><?php _e( 'Username' ); ?></label> - <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( wp_unslash( $user_login ) ); ?>" size="20" autocapitalize="off" autocomplete="username" /> + <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( wp_unslash( $user_login ) ); ?>" size="20" autocapitalize="off" autocomplete="username" required="required" /> </p> <p> <label for="user_email"><?php _e( 'Email' ); ?></label> - <input type="email" name="user_email" id="user_email" class="input" value="<?php echo esc_attr( wp_unslash( $user_email ) ); ?>" size="25" autocomplete="email" /> + <input type="email" name="user_email" id="user_email" class="input" value="<?php echo esc_attr( wp_unslash( $user_email ) ); ?>" size="25" autocomplete="email" required="required" /> </p> <?php @@ -1092,7 +1179,6 @@ <p id="reg_passmail"> <?php _e( 'Registration confirmation will be emailed to you.' ); ?> </p> - <br class="clear" /> <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" /> <p class="submit"> <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e( 'Register' ); ?>" /> @@ -1100,9 +1186,17 @@ </form> <p id="nav"> - <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> - <?php echo esc_html( $login_link_separator ); ?> - <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>"><?php _e( 'Lost your password?' ); ?></a> + <a class="wp-login-log-in" href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> + <?php + + echo esc_html( $login_link_separator ); + + $html_link = sprintf( '<a class="wp-login-lost-password" href="%s">%s</a>', esc_url( wp_lostpassword_url() ), __( 'Lost your password?' ) ); + + /** This filter is documented in wp-login.php */ + echo apply_filters( 'lost_password_html_link', $html_link ); + + ?> </p> <?php @@ -1206,10 +1300,10 @@ } } - if ( isset( $_REQUEST['redirect_to'] ) ) { + if ( isset( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ) { $redirect_to = $_REQUEST['redirect_to']; // Redirect to HTTPS if user wants SSL. - if ( $secure_cookie && false !== strpos( $redirect_to, 'wp-admin' ) ) { + if ( $secure_cookie && str_contains( $redirect_to, 'wp-admin' ) ) { $redirect_to = preg_replace( '|^http://|', 'https://', $redirect_to ); } } else { @@ -1226,25 +1320,26 @@ 'test_cookie', sprintf( /* translators: 1: Browser cookie documentation URL, 2: Support forums URL. */ - __( '<strong>Error</strong>: Cookies are blocked due to unexpected output. For help, please see <a href="%1$s">this documentation</a> or try the <a href="%2$s">support forums</a>.' ), - __( 'https://wordpress.org/support/article/cookies/' ), + __( '<strong>Error:</strong> Cookies are blocked due to unexpected output. For help, please see <a href="%1$s">this documentation</a> or try the <a href="%2$s">support forums</a>.' ), + __( 'https://developer.wordpress.org/advanced-administration/wordpress/cookies/' ), __( 'https://wordpress.org/support/forums/' ) ) ); } elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) { - // If cookies are disabled, we can't log in even with a valid user and password. + // If cookies are disabled, the user can't log in even with a valid username and password. $user = new WP_Error( 'test_cookie', sprintf( /* translators: %s: Browser cookie documentation URL. */ - __( '<strong>Error</strong>: Cookies are blocked or not supported by your browser. You must <a href="%s">enable cookies</a> to use WordPress.' ), - __( 'https://wordpress.org/support/article/cookies/#enable-cookies-in-your-browser' ) + __( '<strong>Error:</strong> Cookies are blocked or not supported by your browser. You must <a href="%s">enable cookies</a> to use WordPress.' ), + __( 'https://developer.wordpress.org/advanced-administration/wordpress/cookies/#enable-cookies-in-your-browser' ) ) ); } } - $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ''; + $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ''; + /** * Filters the login redirect URL. * @@ -1270,9 +1365,11 @@ do_action( 'login_footer' ); if ( $customize_login ) { + ob_start(); ?> - <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script> + <script>setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script> <?php + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } ?> @@ -1283,7 +1380,7 @@ } // Check if it is time to add a redirect to the admin email confirmation screen. - if ( is_a( $user, 'WP_User' ) && $user->exists() && $user->has_cap( 'manage_options' ) ) { + if ( $user instanceof WP_User && $user->exists() && $user->has_cap( 'manage_options' ) ) { $admin_email_lifespan = (int) get_option( 'admin_email_lifespan' ); /* @@ -1341,12 +1438,14 @@ if ( isset( $_GET['loggedout'] ) && $_GET['loggedout'] ) { $errors->add( 'loggedout', __( 'You are now logged out.' ), 'message' ); } elseif ( isset( $_GET['registration'] ) && 'disabled' === $_GET['registration'] ) { - $errors->add( 'registerdisabled', __( '<strong>Error</strong>: User registration is currently not allowed.' ) ); - } elseif ( strpos( $redirect_to, 'about.php?updated' ) ) { + $errors->add( 'registerdisabled', __( '<strong>Error:</strong> User registration is currently not allowed.' ) ); + } elseif ( str_contains( $redirect_to, 'about.php?updated' ) ) { $errors->add( 'updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to see what’s new.' ), 'message' ); } elseif ( WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED === $action ) { $errors->add( 'enter_recovery_mode', __( 'Recovery Mode Initialized. Please log in to continue.' ), 'message' ); - } elseif ( isset( $_GET['redirect_to'] ) && false !== strpos( $_GET['redirect_to'], 'wp-admin/authorize-application.php' ) ) { + } elseif ( isset( $_GET['redirect_to'] ) && is_string( $_GET['redirect_to'] ) + && str_contains( $_GET['redirect_to'], 'wp-admin/authorize-application.php' ) + ) { $query_component = wp_parse_url( $_GET['redirect_to'], PHP_URL_QUERY ); $query = array(); if ( $query_component ) { @@ -1388,10 +1487,15 @@ $rememberme = ! empty( $_POST['rememberme'] ); - if ( $errors->has_errors() ) { - $aria_describedby_error = ' aria-describedby="login_error"'; - } else { - $aria_describedby_error = ''; + $aria_describedby = ''; + $has_errors = $errors->has_errors(); + + if ( $has_errors ) { + $aria_describedby = ' aria-describedby="login_error"'; + } + + if ( $has_errors && 'message' === $errors->get_error_data() ) { + $aria_describedby = ' aria-describedby="login-message"'; } wp_enqueue_script( 'user-profile' ); @@ -1400,13 +1504,13 @@ <form name="loginform" id="loginform" action="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>" method="post"> <p> <label for="user_login"><?php _e( 'Username or Email Address' ); ?></label> - <input type="text" name="log" id="user_login"<?php echo $aria_describedby_error; ?> class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" autocomplete="username" /> + <input type="text" name="log" id="user_login"<?php echo $aria_describedby; ?> class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" autocomplete="username" required="required" /> </p> <div class="user-pass-wrap"> <label for="user_pass"><?php _e( 'Password' ); ?></label> <div class="wp-pwd"> - <input type="password" name="pwd" id="user_pass"<?php echo $aria_describedby_error; ?> class="input password-input" value="" size="20" autocomplete="current-password" /> + <input type="password" name="pwd" id="user_pass"<?php echo $aria_describedby; ?> class="input password-input" value="" size="20" autocomplete="current-password" spellcheck="false" required="required" /> <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e( 'Show password' ); ?>"> <span class="dashicons dashicons-visibility" aria-hidden="true"></span> </button> @@ -1456,7 +1560,7 @@ <?php if ( get_option( 'users_can_register' ) ) { - $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); + $registration_url = sprintf( '<a class="wp-login-register" href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); /** This filter is documented in wp-includes/general-template.php */ echo apply_filters( 'register', $registration_url ); @@ -1464,8 +1568,18 @@ echo esc_html( $login_link_separator ); } + $html_link = sprintf( '<a class="wp-login-lost-password" href="%s">%s</a>', esc_url( wp_lostpassword_url() ), __( 'Lost your password?' ) ); + + /** + * Filters the link that allows the user to reset the lost password. + * + * @since 6.1.0 + * + * @param string $html_link HTML link to the lost password form. + */ + echo apply_filters( 'lost_password_html_link', $html_link ); + ?> - <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>"><?php _e( 'Lost your password?' ); ?></a> </p> <?php } @@ -1503,15 +1617,12 @@ // Run `wpOnload()` if defined. $login_script .= "if ( typeof wpOnload === 'function' ) { wpOnload() }"; - ?> - <script type="text/javascript"> - <?php echo $login_script; ?> - </script> - <?php + wp_print_inline_script_tag( $login_script ); if ( $interim_login ) { + ob_start(); ?> - <script type="text/javascript"> + <script> ( function() { try { var i, links = document.getElementsByTagName( 'a' ); @@ -1525,6 +1636,7 @@ }()); </script> <?php + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } login

diff -r 7b1b88e27a20 -r 48c4eec2b7e6 wp/wp-login.php --- a/wp/wp-login.php Thu Sep 29 08:06:27 2022 +0200 +++ b/wp/wp-login.php Fri Sep 05 18:40:08 2025 +0200 @@ -13,7 +13,7 @@ // Redirect to HTTPS login if forced to use SSL. if ( force_ssl_admin() && ! is_ssl() ) { - if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) { + if ( str_starts_with( $_SERVER['REQUEST_URI'], 'http' ) ) { wp_safe_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) ); exit; } else { @@ -23,7 +23,7 @@ } /** - * Output the login page header. + * Outputs the login page header. * * @since 2.1.0 * @@ -33,14 +33,18 @@ * upon successful login. * @global string $action The action that brought the visitor to the login page. * - * @param string $title Optional. WordPress login Page title to display in the `` element. - * Default 'Log In'. - * @param string $message Optional. Message to display in header. Default empty. - * @param WP_Error $wp_error Optional. The error to pass. Default is a WP_Error instance. + * @param string|null $title Optional. WordPress login page title to display in the `<title>` element. + * Defaults to 'Log In'. + * @param string $message Optional. Message to display in header. Default empty. + * @param WP_Error|null $wp_error Optional. The error to pass. Defaults to a WP_Error instance. */ -function login_header( $title = 'Log In', $message = '', $wp_error = null ) { +function login_header( $title = null, $message = '', $wp_error = null ) { global $error, $interim_login, $action; + if ( null === $title ) { + $title = __( 'Log In' ); + } + // Don't index any of these forms. add_filter( 'wp_robots', 'wp_robots_sensitive_page' ); add_action( 'login_head', 'wp_strict_cross_origin_referrer' ); @@ -101,13 +105,15 @@ * but maybe better if it's not removable by plugins. */ if ( 'loggedout' === $wp_error->get_error_code() ) { + ob_start(); ?> <script>if("sessionStorage" in window){try{for(var key in sessionStorage){if(key.indexOf("wp-autosave-")!=-1){sessionStorage.removeItem(key)}}}catch(e){}};</script> <?php + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } /** - * Enqueue scripts and styles for the login page. + * Enqueues scripts and styles for the login page. * * @since 3.1.0 */ @@ -193,9 +199,10 @@ ?> </head> <body class="login no-js <?php echo esc_attr( implode( ' ', $classes ) ); ?>"> - <script type="text/javascript"> - document.body.className = document.body.className.replace('no-js','js'); - </script> + <?php + wp_print_inline_script_tag( "document.body.className = document.body.className.replace('no-js','js');" ); + ?> + <?php /** * Fires in the login page header after the body tag is opened. @@ -228,29 +235,52 @@ } if ( $wp_error->has_errors() ) { - $errors = ''; - $messages = ''; + $error_list = array(); + $messages = ''; foreach ( $wp_error->get_error_codes() as $code ) { $severity = $wp_error->get_error_data( $code ); foreach ( $wp_error->get_error_messages( $code ) as $error_message ) { if ( 'message' === $severity ) { - $messages .= ' ' . $error_message . "<br />\n"; + $messages .= '<p>' . $error_message . '</p>'; } else { - $errors .= ' ' . $error_message . "<br />\n"; + $error_list[] = $error_message; } } } - if ( ! empty( $errors ) ) { + if ( ! empty( $error_list ) ) { + $errors = ''; + + if ( count( $error_list ) > 1 ) { + $errors .= '<ul class="login-error-list">'; + + foreach ( $error_list as $item ) { + $errors .= '<li>' . $item . '</li>'; + } + + $errors .= '</ul>'; + } else { + $errors .= '<p>' . $error_list[0] . '</p>'; + } + /** * Filters the error messages displayed above the login form. * * @since 2.1.0 * - * @param string $errors Login error message. + * @param string $errors Login error messages. */ - echo '<div id="login_error">' . apply_filters( 'login_errors', $errors ) . "</div>\n"; + $errors = apply_filters( 'login_errors', $errors ); + + wp_admin_notice( + $errors, + array( + 'type' => 'error', + 'id' => 'login_error', + 'paragraph_wrap' => false, + ) + ); } if ( ! empty( $messages ) ) { @@ -261,7 +291,17 @@ * * @param string $messages Login messages. */ - echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n"; + $messages = apply_filters( 'login_messages', $messages ); + + wp_admin_notice( + $messages, + array( + 'type' => 'info', + 'id' => 'login-message', + 'additional_classes' => array( 'message' ), + 'paragraph_wrap' => false, + ) + ); } } } // End of login_header(). @@ -294,7 +334,7 @@ ) ); /** - * Filter the "Go to site" link displayed in the login page footer. + * Filters the "Go to site" link displayed in the login page footer. * * @since 5.7.0 * @@ -315,11 +355,11 @@ if ( ! $interim_login && /** - * Filters the Languages select input activation on the login screen. + * Filters whether to display the Language selector on the login screen. * * @since 5.9.0 * - * @param bool Whether to display the Languages select input on the login screen. + * @param bool $display Whether to display the Language selector on the login screen. */ apply_filters( 'login_display_language_dropdown', true ) ) { @@ -328,11 +368,16 @@ if ( ! empty( $languages ) ) { ?> <div class="language-switcher"> - <form id="language-switcher" action="" method="get"> + <form id="language-switcher" method="get"> <label for="language-switcher-locales"> <span class="dashicons dashicons-translation" aria-hidden="true"></span> - <span class="screen-reader-text"><?php _e( 'Language' ); ?></span> + <span class="screen-reader-text"> + <?php + /* translators: Hidden accessibility text. */ + _e( 'Language' ); + ?> + </span> </label> <?php @@ -348,6 +393,8 @@ /** * Filters default arguments for the Languages select input on the login screen. * + * The arguments get passed to the wp_dropdown_languages() function. + * * @since 5.9.0 * * @param array $args Arguments for the Languages select input on the login screen. @@ -360,7 +407,7 @@ <?php } ?> <?php if ( isset( $_GET['redirect_to'] ) && '' !== $_GET['redirect_to'] ) { ?> - <input type="hidden" name="redirect_to" value="<?php echo esc_url_raw( $_GET['redirect_to'] ); ?>" /> + <input type="hidden" name="redirect_to" value="<?php echo sanitize_url( $_GET['redirect_to'] ); ?>" /> <?php } ?> <?php if ( isset( $_GET['action'] ) && '' !== $_GET['action'] ) { ?> @@ -376,12 +423,14 @@ <?php if ( ! empty( $input_id ) ) { + ob_start(); ?> - <script type="text/javascript"> + <script> try{document.getElementById('<?php echo $input_id; ?>').focus();}catch(e){} if(typeof wpOnload==='function')wpOnload(); </script> <?php + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } /** @@ -392,7 +441,6 @@ do_action( 'login_footer' ); ?> - <div class="clear"></div> </body> </html> <?php @@ -404,11 +452,7 @@ * @since 3.0.0 */ function wp_shake_js() { - ?> - <script type="text/javascript"> - document.querySelector('form').classList.add('shake'); - </script> - <?php + wp_print_inline_script_tag( "document.querySelector('form').classList.add('shake');" ); } /** @@ -423,7 +467,9 @@ } /* - * Main part: check the request and redirect or display a form based on the current action. + * Main part. + * + * Check the request and redirect or display a form based on the current action. */ $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login'; @@ -642,10 +688,13 @@ <?php /* translators: URL to the WordPress help section about admin email. */ - $admin_email_help_url = __( 'https://wordpress.org/support/article/settings-general-screen/#email-address' ); + $admin_email_help_url = __( 'https://wordpress.org/documentation/article/settings-general-screen/#email-address' ); - /* translators: Accessibility text. */ - $accessibility_text = sprintf( '<span class="screen-reader-text"> %s</span>', __( '(opens in a new tab)' ) ); + $accessibility_text = sprintf( + '<span class="screen-reader-text"> %s</span>', + /* translators: Hidden accessibility text. */ + __( '(opens in a new tab)' ) + ); printf( '<a href="%s" rel="noopener" target="_blank">%s%s</a>', @@ -708,7 +757,7 @@ break; case 'postpass': - if ( ! array_key_exists( 'post_password', $_POST ) ) { + if ( ! isset( $_POST['post_password'] ) || ! is_string( $_POST['post_password'] ) ) { wp_safe_redirect( wp_get_referer() ); exit; } @@ -747,7 +796,7 @@ wp_logout(); - if ( ! empty( $_REQUEST['redirect_to'] ) ) { + if ( ! empty( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ) { $redirect_to = $_REQUEST['redirect_to']; $requested_redirect_to = $redirect_to; } else { @@ -790,9 +839,9 @@ if ( isset( $_GET['error'] ) ) { if ( 'invalidkey' === $_GET['error'] ) { - $errors->add( 'invalidkey', __( '<strong>Error</strong>: Your password reset link appears to be invalid. Please request a new link below.' ) ); + $errors->add( 'invalidkey', __( '<strong>Error:</strong> Your password reset link appears to be invalid. Please request a new link below.' ) ); } elseif ( 'expiredkey' === $_GET['error'] ) { - $errors->add( 'expiredkey', __( '<strong>Error</strong>: Your password reset link has expired. Please request a new link below.' ) ); + $errors->add( 'expiredkey', __( '<strong>Error:</strong> Your password reset link has expired. Please request a new link below.' ) ); } } @@ -817,7 +866,17 @@ */ do_action( 'lost_password', $errors ); - login_header( __( 'Lost Password' ), '<p class="message">' . __( 'Please enter your username or email address. You will receive an email message with instructions on how to reset your password.' ) . '</p>', $errors ); + login_header( + __( 'Lost Password' ), + wp_get_admin_notice( + __( 'Please enter your username or email address. You will receive an email message with instructions on how to reset your password.' ), + array( + 'type' => 'info', + 'additional_classes' => array( 'message' ), + ) + ), + $errors + ); $user_login = ''; @@ -830,7 +889,7 @@ <form name="lostpasswordform" id="lostpasswordform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>" method="post"> <p> <label for="user_login"><?php _e( 'Username or Email Address' ); ?></label> - <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" autocomplete="username" /> + <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" autocomplete="username" required="required" /> </p> <?php @@ -849,11 +908,11 @@ </form> <p id="nav"> - <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> + <a class="wp-login-log-in" href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> <?php if ( get_option( 'users_can_register' ) ) { - $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); + $registration_url = sprintf( '<a class="wp-login-register" href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); echo esc_html( $login_link_separator ); @@ -918,7 +977,7 @@ // Check if password fields do not match. if ( ! empty( $_POST['pass1'] ) && trim( $_POST['pass2'] ) !== $_POST['pass1'] ) { - $errors->add( 'password_reset_mismatch', __( '<strong>Error</strong>: The passwords do not match.' ) ); + $errors->add( 'password_reset_mismatch', __( '<strong>Error:</strong> The passwords do not match.' ) ); } /** @@ -934,7 +993,16 @@ if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) { reset_password( $user, $_POST['pass1'] ); setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); - login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' ); + login_header( + __( 'Password Reset' ), + wp_get_admin_notice( + __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a>', + array( + 'type' => 'info', + 'additional_classes' => array( 'message', 'reset-pass' ), + ) + ) + ); login_footer(); exit; } @@ -942,7 +1010,17 @@ wp_enqueue_script( 'utils' ); wp_enqueue_script( 'user-profile' ); - login_header( __( 'Reset Password' ), '<p class="message reset-pass">' . __( 'Enter your new password below or generate one.' ) . '</p>', $errors ); + login_header( + __( 'Reset Password' ), + wp_get_admin_notice( + __( 'Enter your new password below or generate one.' ), + array( + 'type' => 'info', + 'additional_classes' => array( 'message', 'reset-pass' ), + ) + ), + $errors + ); ?> <form name="resetpassform" id="resetpassform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=resetpass', 'login_post' ) ); ?>" method="post" autocomplete="off"> @@ -954,7 +1032,7 @@ </p> <div class="wp-pwd"> - <input type="password" data-reveal="1" data-pw="<?php echo esc_attr( wp_generate_password( 16 ) ); ?>" name="pass1" id="pass1" class="input password-input" size="24" value="" autocomplete="new-password" aria-describedby="pass-strength-result" /> + <input type="password" name="pass1" id="pass1" class="input password-input" size="24" value="" autocomplete="new-password" spellcheck="false" data-reveal="1" data-pw="<?php echo esc_attr( wp_generate_password( 16 ) ); ?>" aria-describedby="pass-strength-result" /> <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e( 'Hide password' ); ?>"> <span class="dashicons dashicons-hidden" aria-hidden="true"></span> @@ -969,11 +1047,10 @@ <p class="user-pass2-wrap"> <label for="pass2"><?php _e( 'Confirm new password' ); ?></label> - <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="new-password" /> + <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="new-password" spellcheck="false" /> </p> <p class="description indicator-hint"><?php echo wp_get_password_hint(); ?></p> - <br class="clear" /> <?php @@ -995,11 +1072,11 @@ </form> <p id="nav"> - <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> + <a class="wp-login-log-in" href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> <?php if ( get_option( 'users_can_register' ) ) { - $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); + $registration_url = sprintf( '<a class="wp-login-register" href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); echo esc_html( $login_link_separator ); @@ -1067,17 +1144,27 @@ */ $redirect_to = apply_filters( 'registration_redirect', $registration_redirect, $errors ); - login_header( __( 'Registration Form' ), '<p class="message register">' . __( 'Register For This Site' ) . '</p>', $errors ); + login_header( + __( 'Registration Form' ), + wp_get_admin_notice( + __( 'Register For This Site' ), + array( + 'type' => 'info', + 'additional_classes' => array( 'message', 'register' ), + ) + ), + $errors + ); ?> <form name="registerform" id="registerform" action="<?php echo esc_url( site_url( 'wp-login.php?action=register', 'login_post' ) ); ?>" method="post" novalidate="novalidate"> <p> <label for="user_login"><?php _e( 'Username' ); ?></label> - <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( wp_unslash( $user_login ) ); ?>" size="20" autocapitalize="off" autocomplete="username" /> + <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( wp_unslash( $user_login ) ); ?>" size="20" autocapitalize="off" autocomplete="username" required="required" /> </p> <p> <label for="user_email"><?php _e( 'Email' ); ?></label> - <input type="email" name="user_email" id="user_email" class="input" value="<?php echo esc_attr( wp_unslash( $user_email ) ); ?>" size="25" autocomplete="email" /> + <input type="email" name="user_email" id="user_email" class="input" value="<?php echo esc_attr( wp_unslash( $user_email ) ); ?>" size="25" autocomplete="email" required="required" /> </p> <?php @@ -1092,7 +1179,6 @@ <p id="reg_passmail"> <?php _e( 'Registration confirmation will be emailed to you.' ); ?> </p> - <br class="clear" /> <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" /> <p class="submit"> <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e( 'Register' ); ?>" /> @@ -1100,9 +1186,17 @@ </form> <p id="nav"> - <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> - <?php echo esc_html( $login_link_separator ); ?> - <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>"><?php _e( 'Lost your password?' ); ?></a> + <a class="wp-login-log-in" href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> + <?php + + echo esc_html( $login_link_separator ); + + $html_link = sprintf( '<a class="wp-login-lost-password" href="%s">%s</a>', esc_url( wp_lostpassword_url() ), __( 'Lost your password?' ) ); + + /** This filter is documented in wp-login.php */ + echo apply_filters( 'lost_password_html_link', $html_link ); + + ?> </p> <?php @@ -1206,10 +1300,10 @@ } } - if ( isset( $_REQUEST['redirect_to'] ) ) { + if ( isset( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ) { $redirect_to = $_REQUEST['redirect_to']; // Redirect to HTTPS if user wants SSL. - if ( $secure_cookie && false !== strpos( $redirect_to, 'wp-admin' ) ) { + if ( $secure_cookie && str_contains( $redirect_to, 'wp-admin' ) ) { $redirect_to = preg_replace( '|^http://|', 'https://', $redirect_to ); } } else { @@ -1226,25 +1320,26 @@ 'test_cookie', sprintf( /* translators: 1: Browser cookie documentation URL, 2: Support forums URL. */ - __( '<strong>Error</strong>: Cookies are blocked due to unexpected output. For help, please see <a href="%1$s">this documentation</a> or try the <a href="%2$s">support forums</a>.' ), - __( 'https://wordpress.org/support/article/cookies/' ), + __( '<strong>Error:</strong> Cookies are blocked due to unexpected output. For help, please see <a href="%1$s">this documentation</a> or try the <a href="%2$s">support forums</a>.' ), + __( 'https://developer.wordpress.org/advanced-administration/wordpress/cookies/' ), __( 'https://wordpress.org/support/forums/' ) ) ); } elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) { - // If cookies are disabled, we can't log in even with a valid user and password. + // If cookies are disabled, the user can't log in even with a valid username and password. $user = new WP_Error( 'test_cookie', sprintf( /* translators: %s: Browser cookie documentation URL. */ - __( '<strong>Error</strong>: Cookies are blocked or not supported by your browser. You must <a href="%s">enable cookies</a> to use WordPress.' ), - __( 'https://wordpress.org/support/article/cookies/#enable-cookies-in-your-browser' ) + __( '<strong>Error:</strong> Cookies are blocked or not supported by your browser. You must <a href="%s">enable cookies</a> to use WordPress.' ), + __( 'https://developer.wordpress.org/advanced-administration/wordpress/cookies/#enable-cookies-in-your-browser' ) ) ); } } - $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ''; + $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ''; + /** * Filters the login redirect URL. * @@ -1270,9 +1365,11 @@ do_action( 'login_footer' ); if ( $customize_login ) { + ob_start(); ?> - <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script> + <script>setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script> <?php + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } ?> @@ -1283,7 +1380,7 @@ } // Check if it is time to add a redirect to the admin email confirmation screen. - if ( is_a( $user, 'WP_User' ) && $user->exists() && $user->has_cap( 'manage_options' ) ) { + if ( $user instanceof WP_User && $user->exists() && $user->has_cap( 'manage_options' ) ) { $admin_email_lifespan = (int) get_option( 'admin_email_lifespan' ); /* @@ -1341,12 +1438,14 @@ if ( isset( $_GET['loggedout'] ) && $_GET['loggedout'] ) { $errors->add( 'loggedout', __( 'You are now logged out.' ), 'message' ); } elseif ( isset( $_GET['registration'] ) && 'disabled' === $_GET['registration'] ) { - $errors->add( 'registerdisabled', __( '<strong>Error</strong>: User registration is currently not allowed.' ) ); - } elseif ( strpos( $redirect_to, 'about.php?updated' ) ) { + $errors->add( 'registerdisabled', __( '<strong>Error:</strong> User registration is currently not allowed.' ) ); + } elseif ( str_contains( $redirect_to, 'about.php?updated' ) ) { $errors->add( 'updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to see what’s new.' ), 'message' ); } elseif ( WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED === $action ) { $errors->add( 'enter_recovery_mode', __( 'Recovery Mode Initialized. Please log in to continue.' ), 'message' ); - } elseif ( isset( $_GET['redirect_to'] ) && false !== strpos( $_GET['redirect_to'], 'wp-admin/authorize-application.php' ) ) { + } elseif ( isset( $_GET['redirect_to'] ) && is_string( $_GET['redirect_to'] ) + && str_contains( $_GET['redirect_to'], 'wp-admin/authorize-application.php' ) + ) { $query_component = wp_parse_url( $_GET['redirect_to'], PHP_URL_QUERY ); $query = array(); if ( $query_component ) { @@ -1388,10 +1487,15 @@ $rememberme = ! empty( $_POST['rememberme'] ); - if ( $errors->has_errors() ) { - $aria_describedby_error = ' aria-describedby="login_error"'; - } else { - $aria_describedby_error = ''; + $aria_describedby = ''; + $has_errors = $errors->has_errors(); + + if ( $has_errors ) { + $aria_describedby = ' aria-describedby="login_error"'; + } + + if ( $has_errors && 'message' === $errors->get_error_data() ) { + $aria_describedby = ' aria-describedby="login-message"'; } wp_enqueue_script( 'user-profile' ); @@ -1400,13 +1504,13 @@ <form name="loginform" id="loginform" action="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>" method="post"> <p> <label for="user_login"><?php _e( 'Username or Email Address' ); ?></label> - <input type="text" name="log" id="user_login"<?php echo $aria_describedby_error; ?> class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" autocomplete="username" /> + <input type="text" name="log" id="user_login"<?php echo $aria_describedby; ?> class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" autocomplete="username" required="required" /> </p> <div class="user-pass-wrap"> <label for="user_pass"><?php _e( 'Password' ); ?></label> <div class="wp-pwd"> - <input type="password" name="pwd" id="user_pass"<?php echo $aria_describedby_error; ?> class="input password-input" value="" size="20" autocomplete="current-password" /> + <input type="password" name="pwd" id="user_pass"<?php echo $aria_describedby; ?> class="input password-input" value="" size="20" autocomplete="current-password" spellcheck="false" required="required" /> <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e( 'Show password' ); ?>"> <span class="dashicons dashicons-visibility" aria-hidden="true"></span> </button> @@ -1456,7 +1560,7 @@ <?php if ( get_option( 'users_can_register' ) ) { - $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); + $registration_url = sprintf( '<a class="wp-login-register" href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); /** This filter is documented in wp-includes/general-template.php */ echo apply_filters( 'register', $registration_url ); @@ -1464,8 +1568,18 @@ echo esc_html( $login_link_separator ); } + $html_link = sprintf( '<a class="wp-login-lost-password" href="%s">%s</a>', esc_url( wp_lostpassword_url() ), __( 'Lost your password?' ) ); + + /** + * Filters the link that allows the user to reset the lost password. + * + * @since 6.1.0 + * + * @param string $html_link HTML link to the lost password form. + */ + echo apply_filters( 'lost_password_html_link', $html_link ); + ?> - <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>"><?php _e( 'Lost your password?' ); ?></a> </p> <?php } @@ -1503,15 +1617,12 @@ // Run `wpOnload()` if defined. $login_script .= "if ( typeof wpOnload === 'function' ) { wpOnload() }"; - ?> - <script type="text/javascript"> - <?php echo $login_script; ?> - </script> - <?php + wp_print_inline_script_tag( $login_script ); if ( $interim_login ) { + ob_start(); ?> - <script type="text/javascript"> + <script> ( function() { try { var i, links = document.getElementsByTagName( 'a' ); @@ -1525,6 +1636,7 @@ }()); </script> <?php + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } login_footer();