Make WordPress Core


Timestamp:
03/12/2026 02:06:43 AM (2 weeks ago)
Author:
peterwilsoncc
Message:

Grouped backports for the 5.7 branch.

  • XML-RPC: Switch to wp_safe_remote() when fetching a pingback URL.
  • HTML API: Prevent WP_HTML_Tag_Processor instances being unserialized and add some extra logic for validating pattern and template file paths.
  • KSES: Optimize PCRE pattern detecting numeric character references.
  • Customize: Improve escaping approach used for nav menu attributes.
  • Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
  • Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
  • Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.

Merges [61879-61885,61887,61890,61913] to the 5.7 branch.

Props johnbillion, xknown, dmsnell, jorbin, peterwilson, desrosj, westonruter, jonsurrell, aurdasjb.

Location:
branches/5.7
Files:
2 edited

  • branches/5.7

  • branches/5.7/src/wp-includes/ID3/getid3.lib.php

    r50715 r61953  
    724724            // https://core.trac.wordpress.org/changeset/29378
    725725            // This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is
    726             // disabled by default, but is still needed when LIBXML_NOENT is used.
     726            // disabled by default.
    727727            $loader = @libxml_disable_entity_loader(true);
    728             $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT);
     728            $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', 0);
    729729            $return = self::SimpleXMLelement2array($XMLobject);
    730730            @libxml_disable_entity_loader($loader);
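
Review bot: At new line 728 the options argument becomes a bare `0`, and the shortened comment at 725-726 no longer says why `LIBXML_NOENT` was dropped or why `@libxml_disable_entity_loader(true)` is still called around the parse. Suggest extending the comment to state that entity substitution is intentionally left off so entity references in `$XMLstring` are not expanded, and that the loader call is kept for libxml builds older than 2.9.0, where external entity loading is not disabled by default. Without that, a later cleanup could reintroduce the flag or remove the guard without realising either one is deliberate. The grouped commit message also lists no item that names this getID3 change, so a line for it there would help anyone tracing the backport.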