Customize Meeting Summary: September 18th

This post summarizes the Customize meeting from September 18th in the #core-customize Slack channel (Slack archive).

Participants: @westonruter, @jbpaul17, @melchoyce.

Discussion highlights

CodeMirror (“Better Code Editing“)

  • @melchoyce to review three assigned tickets, #41872 being most urgent and other tickets with @mentions
  • @westonruter: working on ensuring the new CodeMirror-enhanced Custom CSS is compatible with Jetpack
    • Created a reusable “code editor” customizer control so that Jetpack can extend it, also for other plugins to add their own code editor controls easily
    • Need support from the Jetpack team to review and finish off the initial PR that I opened
    • @melchoyce: I’ll ping Jetpack folks this week once we’re all back from the Automattic Grand Meetup (most should be back by Wednesday)

Drafting and Scheduling

  • Best to wrap UX work, as @sayedwp has gotten started on that this week
  • @westonruter to get latest code pushed up to the test environment for review
  • @melchoyce: realized earlier this week that the apps have a similar draft/publish flow
    • @jbpaul17: Are we aligned with the flow there and if not should we align with what they have or open an Issue for them to update to what we’re working on for core?
    • @melchoyce: We are pretty close, I’ll compare side by side this week

Widgets

  • @westonruter: hoping to get the Core Media Widgets plugin updated with the new Gallery widget today for user testing so we can get it merged into core next week (#41914)

Bug scrub

Next week’s meeting

The next meeting will take place on Monday, September 25, 17:00 UTC in the #core-customize Slack channel. Please feel free to drop in with any updates, questions, or tickets you’d like to discuss. If you have items to discuss but cannot make the meeting, please leave a comment on this post so that we can take them into account.

#4-9, #bug-scrub, #core-customize, #media-widgets, #summary

Source: WordPress Development Updates

Dev Chat Summary: September 20th (4.9 week 8)

This post summarizes the dev chat meeting from September 20th (agendaSlack archive).

4.9 schedule

  • 1 week until the feature project merge deadline, 2 weeks until Beta 1
  • Drafting and scheduling (#39896) has designs and is working through development
  • Gallery widget (#41914) is now available in the Core Media Widgets feature plugin, so please test that as we plan to merge it into core next week
  • Updating a plugin via ZIP (#9757) or drag/drop (#24579) is not getting any traction, so they will likely be punted
  • Review needed on #34115 to bring the ability to use oEmbed outside the context of posts
    • This allows the Text widget to have embeds in it, as well as to be able to remove the restriction on the Video widget to only show YouTube and Vimeo
  • Long list of Code Editor tickets that could use contributors
    • If you’re interested and capable with JS and playing with CodeMirror, #41873 is a great place to start
  • Any tickets related to goals in the 4.9 Goals post should be prioritized
  • Bug scrub post will be published with dates/times to scrub features and enhancements ahead of the Beta 1 deadline. If you’re interested in helping run a scrub, then please let @jbpaul17 know.
  • User testing needed on #39693, especially running it through a battery of theme switching tasks; the goal is to improve the “it just works” experience
    • Testing steps include installing a theme, populating sidebars with widgets, switching to another theme, and checking how the widgets appear in the newly switched theme
    • If you switch back to the old theme, the sidebar widgets get restored
    • Testing should be done when switching themes via the WP admin themes page, and also via live preview in the Customizer
    • Themes that have varying numbers of sidebars would be the key to test with. Switching from a theme with 2 sidebars, to one with 4, to another with 1, to another with 5, and so on.
    • If you want to have a public test environment set up with the patch to test, then please ping @westonruter

Editor update

General announcements

#4-9, #core, #core-editor, #dev-chat, #feature-oembed, #media-widgets, #security, #summary

Source: WordPress Development Updates

Dev Chat Agenda for September 20th (4.9 week 8)

This is the agenda for the weekly dev meeting on September 20, 2017 at 20:00 UTC / September 20, 2017 at 20:00 UTC:

  • 4.9 schedule
  • Call for testing and contributors
  • General announcements

If you have anything to propose to add to the agenda or specific items related to the above, please leave a comment below. See you there!

#4-9, #agenda, #dev-chat

Source: WordPress Development Updates

WordPress 4.8.2 Security and Maintenance Release

WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.1 and earlier are affected by these security issues:

  1. $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco
  2. A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
  3. A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
  4. A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
  5. A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).
  6. An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
  7. A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.
  8. A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by Luka (sikic).
  9. A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by Anas Roubi (qasuar).

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.8.2 contains 6 maintenance fixes to the 4.8 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.8.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.2.

Thanks to everyone who contributed to 4.8.2.

Source: WordPress

JavaScript Chat Canceled for September 19

With the events of the past week relating to the decision to move away from React and the use of a hooks extensibility pattern, we are expecting the next JavaScript meeting to be very lively. Since many of the individuals leading these efforts and/or active in the discussions will be unable to attend, we have decided to postpone discussion until next week’s meeting on Tuesday, September 26, 2017 at 13:00 UTC.

The agenda for next week’s discussion will include:

  • The role of a JavaScript framework in current and future Core focuses (including but not limited to the Gutenberg editor)
  • Patterns of extensibility and use-cases for hooks

A reminder agenda will be posted ahead of the meeting on Monday, September 25.

#javascript

Source: WordPress Development Updates

Media meeting recap – Sept 14, 2017

Overview

This post is a summary of the latest weekly Media component meeting, which took place in #core-media on Slack, on Thursday, September 14, 2017, 18:00 PM UTC. The purpose of these meetings are to move priority tasks forward, provide feedback on issues of interest, and review media focused tickets on Trac.

Attendees:
@joemcgill, @desrosj, @brainfork, @blobfolio, @jdub233, @tokyobiyori, @presskopp, @nosilver4u.

Transcript: Read on Slack

Tickets Reviewed

  • #41629: Widgets: Default to “custom URL” in the image widget – @desrosj to investigate.
  • #21819: Use an image size for custom headers instead of duplicating an attachment – The main challenge is deciding on how data should be handled so that custom crops of images are associated with the original image but do not clutter up the main media library. @joemcgill to continue working on an approach.
  • #35218: Parse the creation date out of uploaded videos – @mikeschroder did some initial testing and found some concerns with creation date parsing. Needs further investigation.
  • #33981: Default Captions Should Use max-width – Patch is ready, needs second opinion. @desrosj to look.
  • #40921: Inconsistent Handling of mp4 by Audio Widget – MP4 is not in the list of extensions returned by wp_get_audio_extensions(). Patch looks good.
  • #41844: Media: audio players overflow playlist containers – Patch looks good. Needs review.
  • #38264: Tests: Uploads aren’t deleted after running individual tests – Initial approach is on the ticket. Needs review.
  • #41704: Use a consistent title for “Add Media” button and “Insert Media” window – Assigned to @sergeybiryukov for a decision.
  • #41787: Media: JS error when removing a video/audio sourced – There’s a PR for this on GitHub which needs to be reviewed.
  • #40175: Upload Validation / MIME Handling – Added to the milestone for review/commit.
  • #40774: Refine error message when embedding invalid Video (URL) – Patch on the ticket updates the error string with a more accurate message.

Next Meeting

Next meeting will take place on Thursday, September, 21 in #core-media on Slack. The agenda will once again focus on reviewing priority tickets for 4.9.

#core-media, #media

Source: WordPress Development Updates

Multisite Recap for the week of September 11th

Office Hours Recap

The agenda for this office hours meeting was to resolve the remaining discussion and blockers for #29684, the proposed get_main_site_id() function and related integration.

The meeting’s chat log

Attendees: @afragen, @desrosj, @flixos90, @jeremyfelt, @johnjamesjacoby, @spacedmonkey

Chat Summary:

  • The main purpose this function could serve initially is to auto-fill the $blog_id property of the WP_Network class, which currently is only being populated for the current network in the bootstrap process. There is no database field for the main site of a network, therefore custom logic must run for it to be set. get_main_site_id() makes it easy to detect the main site for a network, and magic getters in WP_Network would allow to automatically set the property once it is first accessed, using the new function. In the end of the discussion it was decided that the logic to auto-fill the property makes sense and can be merged with the new function.
  • It was also discussed whether a network option should be used to store the main site ID. This would bring a performance benefit for multisite setups without an object cache and without the network constants enabled. On the other hand, the main site ID at this point is not really an option, since many areas of WordPress assume it is always the site whose domain and path match the network’s ones. Getting rid of this restriction is something that could be evaluated more closely in the future, but for now this restriction exists, and introducing a network option would give the impression that it would be possible to change the main site ID without any issues. Therefore it was decided to not use a network option at this point, but it can be reconsidered later in a separate ticket.
  • Another topic was whether the actual logic should go into the get_main_site_id() function or whether the function is not required at all and instead the logic should be part of WP_Network. Eventually it was agreed to go with the regular function and call it from WP_Network. Moving the logic into a private WP_Network method would not align well with existing core patterns, where pretty much everything relies on a function. As long as there is no methodological approach for this, functions should remain the source as it currently is.
  • Naming of the new function was discussed as well. It was suggested to call the function get_main_site_id_for_network() or get_network_main_site_id() to be more precise. On the other hand, is_main_site() already exists and would have been called similarly in order to align with the new function. Furthermore the function is available for non-multisites, making the extra network affix a bit more confusing. It was decided to proceed with the current idea of get_main_site_id().
  • All remaining items were solved and as of now the patch has been merged into core.

Next meeting

The next office hours will take place on September 19, 2017, 16:00 UTC. Its agenda will be to further plan 4.9 work and which tickets should receive the main focus in the few remaining weeks until Beta 1.

Ticket Scrub Recap

The agenda for this ticket scrub was to review and discuss some multisite tickets in the 4.9 milestone.

The meeting’s chat log

Attendees: @afragen, @desrosj, @flixos90, @jeremyfelt, @sergey, @vizkr

Chat Summary:

  • The first ticket discussed was #40764: @afragen asked for feedback. @flixos90 verified that the latest patch applies cleanly. @desrosj plans to review the patch itself soon.
  • #41285 was discussed: @jeremyfelt was asked for feedback and responded that he is confident that this change can happen, at least for the $public global. He will dive deeper into whether the $site_id global is safe to remove as well. He furthermore stated that the related tickets #34217 and #39419 should be considered as well. A response from Automatticians working on wordpress.com would be much appreciated.
  • #40364 was the last ticket for the meeting: The proposed action hook names used in the new functions wp_insert_site(), wp_update_site() and wp_delete_site() using the same names were questioned and whether it may be more useful to use more precise names using past tense, such as wp_inserted_site(), so that it is clear they run after the database transaction. It was also considered to run multiple actions. Eventually it was decided to go with the simple approach for now, and stick with one action having the function name. Regarding timing, while the latest patch may possibly be merged at this point, it should rather wait until #41333 has also been completed, to have the full new site API in core in one release. The latter ticket is something that can be worked on during the 4.9 beta, to aim for an early 5.0 merge.

Next meeting

The next ticket scrub will take place on September 18, 2017, 17:00 UTC. Its agenda will be to review multisite bug tickets awaiting review with a focus on recently opened tickets.

If you were unable to attend one of these meetings but have feedback, please share your thoughts in the comments on this post. In case there’s a need for further discussion we will ensure to make time for it in one of next week’s chats. See you next week!

#4-9, #multisite, #networks-sites, #summary

Source: WordPress Development Updates

PHP Meeting Recap – September 11th

This recap is a summary of this week’s PHP meeting. It highlights the ideas and decisions which came up during that meeting, both as a means of documenting and to provide a quick overview for those who were unable to attend.

The meeting’s chat log.

Attendees: @brainfork @dnavarrojr @espellcaste @flixos90 @joostdevalk @jdgrimes @milindmore22 @nerrad @pbearne @schlessera @sergey @sobak @vizkr

Chat Summary

The agenda for this week was to review the current progress and plan how to proceed in the upcoming weeks.

  • @flixos90 shared the outcome of the meeting with the #marketing team that had happened some days ago (read the full chat log): The marketing team has started work on the copy for the planned Servehappy page, based on the drafts the PHP team created over the past couple weeks. A Trello board has been set up, and the actual text is being worked on in a Google doc. The team has set a deadline for September 15th. As of writing this post, the document has been completed. They also offered their help in the future for other things that the page would need, such as graphics and illustrations. A special thanks to the marketing team for their efforts!
  • The next PHP meeting will be used to review and discuss the document in detail and figure out questions or suggestions, if any. Anyone from the marketing team is also very welcome to join this chat in particular!
  • It was decided that once the document is considered to be in a good shape, it is time to pitch the idea of the suggested Servehappy page further. In particular more leadership people need to be convinced of the efforts in order to successfully proceed. The page must be officially affiliated with wordpress.org, whether it is hosted as part of it or at a separate location. This is a requirement so that it is eligible for being linked to from WordPress core itself.
  • @schlessera suggested creating a proposal document that describes the problem the team is trying to solve, the goals the solution should meet, the current state of things and what is needed to get this launched. This will provide clear documentation and can be used in addition to the page document itself to pitch the idea. With this, the team hopes to be able to at least get a “conditional” buy-in.
  • It was discussed whether the page should be part of wordpress.org or whether it should be hosted as a separate website, such as servehappy.com or servehappy.org (in either case it should be an official part of WordPress).
    • Having it as a separate site would perhaps make it interesting for other PHP projects as well.
    • Having it as a separate site would give more flexibility on what the overall page layout and design should look like while with .org, it would obviously need to integrate.
    • Having it as a separate site would give parity with something like browsehappy.com, however the Servehappy content would be much more specific to WordPress, so it may be better suited as part of wordpress.org.
    • Having it as a separate site would allow to create separate pages for the bits and pieces if it makes sense, and guide visitors through them.
    • In the end nobody had a heavy preference for either, so where to host this can be approached rather flexibly, as long as it is based on a clear decision by the core leadership. The core leads may very well also have their own preferences for this.
  • In order to bring more attention to the efforts, it was decided that the best way to start once both the copy and proposal documents are ready will be to first publish the proposal on the make blog and then bring it up at the weekly core dev-chat. The post should be available in advance so that it gives people time to prepare. It may also be useful to schedule regular update slots in the dev-chat meetings, in order to provide information on where the project is at and maintain traction.
  • The proposal document should also contain all suggested integration points with core.
    • What feature needs to integrate with the page?
    • Where should the link point to?
    • Is dynamic content transported through the link needed? If so, which GET parameters would the page need to support?
  • Using GET parameters for some dynamic parts of the page would give the visitor a better feeling their specific issue is addressed by the page. However, it needs to be ensured that all data passed is not controversial regarding privacy in any way. It needs to be entirely anonymous.

Next week’s meeting

The next meeting will take place on September 18th, 2017, 18:00 UTC as always in #core-php, and its agenda will be to review and discuss the page document the marketing team has worked on, as described above. If you have suggestions about this but cannot make the meeting, please leave a comment on this post so that we can take them into account. See you next week!

#core-php, #php, #summary

Source: WordPress Development Updates

Dev Chat Summary: September 13th (4.9 week 7)

This post summarizes the dev chat meeting from September 13th (agendaSlack archive).

4.9 schedule and requests for contributions

  • 2 weeks until the feature project merge deadline, 3 weeks until Beta 1
  • These tickets need someone to contribute to them or else they’re in danger of not making it in 4.9:
    • Add nested folder structure deeper than 2 levels (#6531)
    • Add better warnings when you’re editing themes and plugins (even if they’re not active) (#31779, #41078)
    • Updating a plugin or theme via a ZIP file (#9757). Also, drag and drop uploading of themes and plugins (#24579)
    • Widgets: Default to “custom URL” in the image widget (#41629)
    • Customizer drafting/scheduling (#39896, #28721)
  • @westonruter: I committed CodeMirror to integrate with the Theme/Plugin editors, Custom HTML widget, and Additional CSS in the Customizer
  • @jbpaul17: looking to schedule bug scrubs, please reach out if you’re interested in helping
    • Component maintainers: Please confirm if you’re running scrubs for your component

#4-9, #core, #dev-chat, #summary

Source: WordPress Development Updates

Dev Chat Agenda for September 13th (4.9 week 7)

This is the agenda for the weekly dev meeting on September 13, 2017 at 20:00 UTC / September 13, 2017 at 20:00 UTC:

  • 4.9 schedule and requests for contributions
  • General announcements

If you have anything to propose to add to the agenda or specific items related to the above, please leave a comment below. See you there!

#4-9, #agenda, #dev-chat

Source: WordPress Development Updates