pluggable.php 107 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009
  1. <?php
  2. /**
  3. * These functions can be replaced via plugins. If plugins do not redefine these
  4. * functions, then these will be used instead.
  5. *
  6. * @package WordPress
  7. */
  8. if ( ! function_exists( 'wp_set_current_user' ) ) :
  9. /**
  10. * Changes the current user by ID or name.
  11. *
  12. * Set $id to null and specify a name if you do not know a user's ID.
  13. *
  14. * Some WordPress functionality is based on the current user and not based on
  15. * the signed in user. Therefore, it opens the ability to edit and perform
  16. * actions on users who aren't signed in.
  17. *
  18. * @since 2.0.3
  19. *
  20. * @global WP_User $current_user The current user object which holds the user data.
  21. *
  22. * @param int|null $id User ID.
  23. * @param string $name User's username.
  24. * @return WP_User Current user User object.
  25. */
  26. function wp_set_current_user( $id, $name = '' ) {
  27. global $current_user;
  28. // If `$id` matches the current user, there is nothing to do.
  29. if ( isset( $current_user )
  30. && ( $current_user instanceof WP_User )
  31. && ( $id == $current_user->ID )
  32. && ( null !== $id )
  33. ) {
  34. return $current_user;
  35. }
  36. $current_user = new WP_User( $id, $name );
  37. setup_userdata( $current_user->ID );
  38. /**
  39. * Fires after the current user is set.
  40. *
  41. * @since 2.0.1
  42. */
  43. do_action( 'set_current_user' );
  44. return $current_user;
  45. }
  46. endif;
  47. if ( ! function_exists( 'wp_get_current_user' ) ) :
  48. /**
  49. * Retrieves the current user object.
  50. *
  51. * Will set the current user, if the current user is not set. The current user
  52. * will be set to the logged-in person. If no user is logged-in, then it will
  53. * set the current user to 0, which is invalid and won't have any permissions.
  54. *
  55. * @since 2.0.3
  56. *
  57. * @see _wp_get_current_user()
  58. * @global WP_User $current_user Checks if the current user is set.
  59. *
  60. * @return WP_User Current WP_User instance.
  61. */
  62. function wp_get_current_user() {
  63. return _wp_get_current_user();
  64. }
  65. endif;
  66. if ( ! function_exists( 'get_userdata' ) ) :
  67. /**
  68. * Retrieves user info by user ID.
  69. *
  70. * @since 0.71
  71. *
  72. * @param int $user_id User ID
  73. * @return WP_User|false WP_User object on success, false on failure.
  74. */
  75. function get_userdata( $user_id ) {
  76. return get_user_by( 'id', $user_id );
  77. }
  78. endif;
  79. if ( ! function_exists( 'get_user_by' ) ) :
  80. /**
  81. * Retrieves user info by a given field.
  82. *
  83. * @since 2.8.0
  84. * @since 4.4.0 Added 'ID' as an alias of 'id' for the `$field` parameter.
  85. *
  86. * @global WP_User $current_user The current user object which holds the user data.
  87. *
  88. * @param string $field The field to retrieve the user with. id | ID | slug | email | login.
  89. * @param int|string $value A value for $field. A user ID, slug, email address, or login name.
  90. * @return WP_User|false WP_User object on success, false on failure.
  91. */
  92. function get_user_by( $field, $value ) {
  93. $userdata = WP_User::get_data_by( $field, $value );
  94. if ( ! $userdata ) {
  95. return false;
  96. }
  97. $user = new WP_User;
  98. $user->init( $userdata );
  99. return $user;
  100. }
  101. endif;
  102. if ( ! function_exists( 'cache_users' ) ) :
  103. /**
  104. * Retrieves info for user lists to prevent multiple queries by get_userdata().
  105. *
  106. * @since 3.0.0
  107. *
  108. * @global wpdb $wpdb WordPress database abstraction object.
  109. *
  110. * @param int[] $user_ids User ID numbers list
  111. */
  112. function cache_users( $user_ids ) {
  113. global $wpdb;
  114. update_meta_cache( 'user', $user_ids );
  115. $clean = _get_non_cached_ids( $user_ids, 'users' );
  116. if ( empty( $clean ) ) {
  117. return;
  118. }
  119. $list = implode( ',', $clean );
  120. $users = $wpdb->get_results( "SELECT * FROM $wpdb->users WHERE ID IN ($list)" );
  121. foreach ( $users as $user ) {
  122. update_user_caches( $user );
  123. }
  124. }
  125. endif;
  126. if ( ! function_exists( 'wp_mail' ) ) :
  127. /**
  128. * Sends an email, similar to PHP's mail function.
  129. *
  130. * A true return value does not automatically mean that the user received the
  131. * email successfully. It just only means that the method used was able to
  132. * process the request without any errors.
  133. *
  134. * The default content type is `text/plain` which does not allow using HTML.
  135. * However, you can set the content type of the email by using the
  136. * {@see 'wp_mail_content_type'} filter.
  137. *
  138. * The default charset is based on the charset used on the blog. The charset can
  139. * be set using the {@see 'wp_mail_charset'} filter.
  140. *
  141. * @since 1.2.1
  142. * @since 5.5.0 is_email() is used for email validation,
  143. * instead of PHPMailer's default validator.
  144. *
  145. * @global PHPMailer\PHPMailer\PHPMailer $phpmailer
  146. *
  147. * @param string|string[] $to Array or comma-separated list of email addresses to send message.
  148. * @param string $subject Email subject.
  149. * @param string $message Message contents.
  150. * @param string|string[] $headers Optional. Additional headers.
  151. * @param string|string[] $attachments Optional. Paths to files to attach.
  152. * @return bool Whether the email was sent successfully.
  153. */
  154. function wp_mail( $to, $subject, $message, $headers = '', $attachments = array() ) {
  155. // Compact the input, apply the filters, and extract them back out.
  156. /**
  157. * Filters the wp_mail() arguments.
  158. *
  159. * @since 2.2.0
  160. *
  161. * @param array $args {
  162. * Array of the `wp_mail()` arguments.
  163. *
  164. * @type string|string[] $to Array or comma-separated list of email addresses to send message.
  165. * @type string $subject Email subject.
  166. * @type string $message Message contents.
  167. * @type string|string[] $headers Additional headers.
  168. * @type string|string[] $attachments Paths to files to attach.
  169. * }
  170. */
  171. $atts = apply_filters( 'wp_mail', compact( 'to', 'subject', 'message', 'headers', 'attachments' ) );
  172. /**
  173. * Filters whether to preempt sending an email.
  174. *
  175. * Returning a non-null value will short-circuit {@see wp_mail()}, returning
  176. * that value instead. A boolean return value should be used to indicate whether
  177. * the email was successfully sent.
  178. *
  179. * @since 5.7.0
  180. *
  181. * @param null|bool $return Short-circuit return value.
  182. * @param array $atts {
  183. * Array of the `wp_mail()` arguments.
  184. *
  185. * @type string|string[] $to Array or comma-separated list of email addresses to send message.
  186. * @type string $subject Email subject.
  187. * @type string $message Message contents.
  188. * @type string|string[] $headers Additional headers.
  189. * @type string|string[] $attachments Paths to files to attach.
  190. * }
  191. */
  192. $pre_wp_mail = apply_filters( 'pre_wp_mail', null, $atts );
  193. if ( null !== $pre_wp_mail ) {
  194. return $pre_wp_mail;
  195. }
  196. if ( isset( $atts['to'] ) ) {
  197. $to = $atts['to'];
  198. }
  199. if ( ! is_array( $to ) ) {
  200. $to = explode( ',', $to );
  201. }
  202. if ( isset( $atts['subject'] ) ) {
  203. $subject = $atts['subject'];
  204. }
  205. if ( isset( $atts['message'] ) ) {
  206. $message = $atts['message'];
  207. }
  208. if ( isset( $atts['headers'] ) ) {
  209. $headers = $atts['headers'];
  210. }
  211. if ( isset( $atts['attachments'] ) ) {
  212. $attachments = $atts['attachments'];
  213. }
  214. if ( ! is_array( $attachments ) ) {
  215. $attachments = explode( "\n", str_replace( "\r\n", "\n", $attachments ) );
  216. }
  217. global $phpmailer;
  218. // (Re)create it, if it's gone missing.
  219. if ( ! ( $phpmailer instanceof PHPMailer\PHPMailer\PHPMailer ) ) {
  220. require_once ABSPATH . WPINC . '/PHPMailer/PHPMailer.php';
  221. require_once ABSPATH . WPINC . '/PHPMailer/SMTP.php';
  222. require_once ABSPATH . WPINC . '/PHPMailer/Exception.php';
  223. $phpmailer = new PHPMailer\PHPMailer\PHPMailer( true );
  224. $phpmailer::$validator = static function ( $email ) {
  225. return (bool) is_email( $email );
  226. };
  227. }
  228. // Headers.
  229. $cc = array();
  230. $bcc = array();
  231. $reply_to = array();
  232. if ( empty( $headers ) ) {
  233. $headers = array();
  234. } else {
  235. if ( ! is_array( $headers ) ) {
  236. // Explode the headers out, so this function can take
  237. // both string headers and an array of headers.
  238. $tempheaders = explode( "\n", str_replace( "\r\n", "\n", $headers ) );
  239. } else {
  240. $tempheaders = $headers;
  241. }
  242. $headers = array();
  243. // If it's actually got contents.
  244. if ( ! empty( $tempheaders ) ) {
  245. // Iterate through the raw headers.
  246. foreach ( (array) $tempheaders as $header ) {
  247. if ( strpos( $header, ':' ) === false ) {
  248. if ( false !== stripos( $header, 'boundary=' ) ) {
  249. $parts = preg_split( '/boundary=/i', trim( $header ) );
  250. $boundary = trim( str_replace( array( "'", '"' ), '', $parts[1] ) );
  251. }
  252. continue;
  253. }
  254. // Explode them out.
  255. list( $name, $content ) = explode( ':', trim( $header ), 2 );
  256. // Cleanup crew.
  257. $name = trim( $name );
  258. $content = trim( $content );
  259. switch ( strtolower( $name ) ) {
  260. // Mainly for legacy -- process a "From:" header if it's there.
  261. case 'from':
  262. $bracket_pos = strpos( $content, '<' );
  263. if ( false !== $bracket_pos ) {
  264. // Text before the bracketed email is the "From" name.
  265. if ( $bracket_pos > 0 ) {
  266. $from_name = substr( $content, 0, $bracket_pos );
  267. $from_name = str_replace( '"', '', $from_name );
  268. $from_name = trim( $from_name );
  269. }
  270. $from_email = substr( $content, $bracket_pos + 1 );
  271. $from_email = str_replace( '>', '', $from_email );
  272. $from_email = trim( $from_email );
  273. // Avoid setting an empty $from_email.
  274. } elseif ( '' !== trim( $content ) ) {
  275. $from_email = trim( $content );
  276. }
  277. break;
  278. case 'content-type':
  279. if ( strpos( $content, ';' ) !== false ) {
  280. list( $type, $charset_content ) = explode( ';', $content );
  281. $content_type = trim( $type );
  282. if ( false !== stripos( $charset_content, 'charset=' ) ) {
  283. $charset = trim( str_replace( array( 'charset=', '"' ), '', $charset_content ) );
  284. } elseif ( false !== stripos( $charset_content, 'boundary=' ) ) {
  285. $boundary = trim( str_replace( array( 'BOUNDARY=', 'boundary=', '"' ), '', $charset_content ) );
  286. $charset = '';
  287. }
  288. // Avoid setting an empty $content_type.
  289. } elseif ( '' !== trim( $content ) ) {
  290. $content_type = trim( $content );
  291. }
  292. break;
  293. case 'cc':
  294. $cc = array_merge( (array) $cc, explode( ',', $content ) );
  295. break;
  296. case 'bcc':
  297. $bcc = array_merge( (array) $bcc, explode( ',', $content ) );
  298. break;
  299. case 'reply-to':
  300. $reply_to = array_merge( (array) $reply_to, explode( ',', $content ) );
  301. break;
  302. default:
  303. // Add it to our grand headers array.
  304. $headers[ trim( $name ) ] = trim( $content );
  305. break;
  306. }
  307. }
  308. }
  309. }
  310. // Empty out the values that may be set.
  311. $phpmailer->clearAllRecipients();
  312. $phpmailer->clearAttachments();
  313. $phpmailer->clearCustomHeaders();
  314. $phpmailer->clearReplyTos();
  315. $phpmailer->Body = '';
  316. $phpmailer->AltBody = '';
  317. // Set "From" name and email.
  318. // If we don't have a name from the input headers.
  319. if ( ! isset( $from_name ) ) {
  320. $from_name = 'WordPress';
  321. }
  322. /*
  323. * If we don't have an email from the input headers, default to wordpress@$sitename
  324. * Some hosts will block outgoing mail from this address if it doesn't exist,
  325. * but there's no easy alternative. Defaulting to admin_email might appear to be
  326. * another option, but some hosts may refuse to relay mail from an unknown domain.
  327. * See https://core.trac.wordpress.org/ticket/5007.
  328. */
  329. if ( ! isset( $from_email ) ) {
  330. // Get the site domain and get rid of www.
  331. $sitename = wp_parse_url( network_home_url(), PHP_URL_HOST );
  332. $from_email = 'wordpress@';
  333. if ( null !== $sitename ) {
  334. if ( 'www.' === substr( $sitename, 0, 4 ) ) {
  335. $sitename = substr( $sitename, 4 );
  336. }
  337. $from_email .= $sitename;
  338. }
  339. }
  340. /**
  341. * Filters the email address to send from.
  342. *
  343. * @since 2.2.0
  344. *
  345. * @param string $from_email Email address to send from.
  346. */
  347. $from_email = apply_filters( 'wp_mail_from', $from_email );
  348. /**
  349. * Filters the name to associate with the "from" email address.
  350. *
  351. * @since 2.3.0
  352. *
  353. * @param string $from_name Name associated with the "from" email address.
  354. */
  355. $from_name = apply_filters( 'wp_mail_from_name', $from_name );
  356. try {
  357. $phpmailer->setFrom( $from_email, $from_name, false );
  358. } catch ( PHPMailer\PHPMailer\Exception $e ) {
  359. $mail_error_data = compact( 'to', 'subject', 'message', 'headers', 'attachments' );
  360. $mail_error_data['phpmailer_exception_code'] = $e->getCode();
  361. /** This filter is documented in wp-includes/pluggable.php */
  362. do_action( 'wp_mail_failed', new WP_Error( 'wp_mail_failed', $e->getMessage(), $mail_error_data ) );
  363. return false;
  364. }
  365. // Set mail's subject and body.
  366. $phpmailer->Subject = $subject;
  367. $phpmailer->Body = $message;
  368. // Set destination addresses, using appropriate methods for handling addresses.
  369. $address_headers = compact( 'to', 'cc', 'bcc', 'reply_to' );
  370. foreach ( $address_headers as $address_header => $addresses ) {
  371. if ( empty( $addresses ) ) {
  372. continue;
  373. }
  374. foreach ( (array) $addresses as $address ) {
  375. try {
  376. // Break $recipient into name and address parts if in the format "Foo <bar@baz.com>".
  377. $recipient_name = '';
  378. if ( preg_match( '/(.*)<(.+)>/', $address, $matches ) ) {
  379. if ( count( $matches ) == 3 ) {
  380. $recipient_name = $matches[1];
  381. $address = $matches[2];
  382. }
  383. }
  384. switch ( $address_header ) {
  385. case 'to':
  386. $phpmailer->addAddress( $address, $recipient_name );
  387. break;
  388. case 'cc':
  389. $phpmailer->addCc( $address, $recipient_name );
  390. break;
  391. case 'bcc':
  392. $phpmailer->addBcc( $address, $recipient_name );
  393. break;
  394. case 'reply_to':
  395. $phpmailer->addReplyTo( $address, $recipient_name );
  396. break;
  397. }
  398. } catch ( PHPMailer\PHPMailer\Exception $e ) {
  399. continue;
  400. }
  401. }
  402. }
  403. // Set to use PHP's mail().
  404. $phpmailer->isMail();
  405. // Set Content-Type and charset.
  406. // If we don't have a content-type from the input headers.
  407. if ( ! isset( $content_type ) ) {
  408. $content_type = 'text/plain';
  409. }
  410. /**
  411. * Filters the wp_mail() content type.
  412. *
  413. * @since 2.3.0
  414. *
  415. * @param string $content_type Default wp_mail() content type.
  416. */
  417. $content_type = apply_filters( 'wp_mail_content_type', $content_type );
  418. $phpmailer->ContentType = $content_type;
  419. // Set whether it's plaintext, depending on $content_type.
  420. if ( 'text/html' === $content_type ) {
  421. $phpmailer->isHTML( true );
  422. }
  423. // If we don't have a charset from the input headers.
  424. if ( ! isset( $charset ) ) {
  425. $charset = get_bloginfo( 'charset' );
  426. }
  427. /**
  428. * Filters the default wp_mail() charset.
  429. *
  430. * @since 2.3.0
  431. *
  432. * @param string $charset Default email charset.
  433. */
  434. $phpmailer->CharSet = apply_filters( 'wp_mail_charset', $charset );
  435. // Set custom headers.
  436. if ( ! empty( $headers ) ) {
  437. foreach ( (array) $headers as $name => $content ) {
  438. // Only add custom headers not added automatically by PHPMailer.
  439. if ( ! in_array( $name, array( 'MIME-Version', 'X-Mailer' ), true ) ) {
  440. try {
  441. $phpmailer->addCustomHeader( sprintf( '%1$s: %2$s', $name, $content ) );
  442. } catch ( PHPMailer\PHPMailer\Exception $e ) {
  443. continue;
  444. }
  445. }
  446. }
  447. if ( false !== stripos( $content_type, 'multipart' ) && ! empty( $boundary ) ) {
  448. $phpmailer->addCustomHeader( sprintf( 'Content-Type: %s; boundary="%s"', $content_type, $boundary ) );
  449. }
  450. }
  451. if ( ! empty( $attachments ) ) {
  452. foreach ( $attachments as $attachment ) {
  453. try {
  454. $phpmailer->addAttachment( $attachment );
  455. } catch ( PHPMailer\PHPMailer\Exception $e ) {
  456. continue;
  457. }
  458. }
  459. }
  460. /**
  461. * Fires after PHPMailer is initialized.
  462. *
  463. * @since 2.2.0
  464. *
  465. * @param PHPMailer $phpmailer The PHPMailer instance (passed by reference).
  466. */
  467. do_action_ref_array( 'phpmailer_init', array( &$phpmailer ) );
  468. $mail_data = compact( 'to', 'subject', 'message', 'headers', 'attachments' );
  469. // Send!
  470. try {
  471. $send = $phpmailer->send();
  472. /**
  473. * Fires after PHPMailer has successfully sent an email.
  474. *
  475. * The firing of this action does not necessarily mean that the recipient(s) received the
  476. * email successfully. It only means that the `send` method above was able to
  477. * process the request without any errors.
  478. *
  479. * @since 5.9.0
  480. *
  481. * @param array $mail_data {
  482. * An array containing the email recipient(s), subject, message, headers, and attachments.
  483. *
  484. * @type string[] $to Email addresses to send message.
  485. * @type string $subject Email subject.
  486. * @type string $message Message contents.
  487. * @type string[] $headers Additional headers.
  488. * @type string[] $attachments Paths to files to attach.
  489. * }
  490. */
  491. do_action( 'wp_mail_succeeded', $mail_data );
  492. return $send;
  493. } catch ( PHPMailer\PHPMailer\Exception $e ) {
  494. $mail_data['phpmailer_exception_code'] = $e->getCode();
  495. /**
  496. * Fires after a PHPMailer\PHPMailer\Exception is caught.
  497. *
  498. * @since 4.4.0
  499. *
  500. * @param WP_Error $error A WP_Error object with the PHPMailer\PHPMailer\Exception message, and an array
  501. * containing the mail recipient, subject, message, headers, and attachments.
  502. */
  503. do_action( 'wp_mail_failed', new WP_Error( 'wp_mail_failed', $e->getMessage(), $mail_data ) );
  504. return false;
  505. }
  506. }
  507. endif;
  508. if ( ! function_exists( 'wp_authenticate' ) ) :
  509. /**
  510. * Authenticates a user, confirming the login credentials are valid.
  511. *
  512. * @since 2.5.0
  513. * @since 4.5.0 `$username` now accepts an email address.
  514. *
  515. * @param string $username User's username or email address.
  516. * @param string $password User's password.
  517. * @return WP_User|WP_Error WP_User object if the credentials are valid,
  518. * otherwise WP_Error.
  519. */
  520. function wp_authenticate( $username, $password ) {
  521. $username = sanitize_user( $username );
  522. $password = trim( $password );
  523. /**
  524. * Filters whether a set of user login credentials are valid.
  525. *
  526. * A WP_User object is returned if the credentials authenticate a user.
  527. * WP_Error or null otherwise.
  528. *
  529. * @since 2.8.0
  530. * @since 4.5.0 `$username` now accepts an email address.
  531. *
  532. * @param null|WP_User|WP_Error $user WP_User if the user is authenticated.
  533. * WP_Error or null otherwise.
  534. * @param string $username Username or email address.
  535. * @param string $password User password.
  536. */
  537. $user = apply_filters( 'authenticate', null, $username, $password );
  538. if ( null == $user ) {
  539. // TODO: What should the error message be? (Or would these even happen?)
  540. // Only needed if all authentication handlers fail to return anything.
  541. $user = new WP_Error( 'authentication_failed', __( '<strong>Error:</strong> Invalid username, email address or incorrect password.' ) );
  542. }
  543. $ignore_codes = array( 'empty_username', 'empty_password' );
  544. if ( is_wp_error( $user ) && ! in_array( $user->get_error_code(), $ignore_codes, true ) ) {
  545. $error = $user;
  546. /**
  547. * Fires after a user login has failed.
  548. *
  549. * @since 2.5.0
  550. * @since 4.5.0 The value of `$username` can now be an email address.
  551. * @since 5.4.0 The `$error` parameter was added.
  552. *
  553. * @param string $username Username or email address.
  554. * @param WP_Error $error A WP_Error object with the authentication failure details.
  555. */
  556. do_action( 'wp_login_failed', $username, $error );
  557. }
  558. return $user;
  559. }
  560. endif;
  561. if ( ! function_exists( 'wp_logout' ) ) :
  562. /**
  563. * Logs the current user out.
  564. *
  565. * @since 2.5.0
  566. */
  567. function wp_logout() {
  568. $user_id = get_current_user_id();
  569. wp_destroy_current_session();
  570. wp_clear_auth_cookie();
  571. wp_set_current_user( 0 );
  572. /**
  573. * Fires after a user is logged out.
  574. *
  575. * @since 1.5.0
  576. * @since 5.5.0 Added the `$user_id` parameter.
  577. *
  578. * @param int $user_id ID of the user that was logged out.
  579. */
  580. do_action( 'wp_logout', $user_id );
  581. }
  582. endif;
  583. if ( ! function_exists( 'wp_validate_auth_cookie' ) ) :
  584. /**
  585. * Validates authentication cookie.
  586. *
  587. * The checks include making sure that the authentication cookie is set and
  588. * pulling in the contents (if $cookie is not used).
  589. *
  590. * Makes sure the cookie is not expired. Verifies the hash in cookie is what is
  591. * should be and compares the two.
  592. *
  593. * @since 2.5.0
  594. *
  595. * @global int $login_grace_period
  596. *
  597. * @param string $cookie Optional. If used, will validate contents instead of cookie's.
  598. * @param string $scheme Optional. The cookie scheme to use: 'auth', 'secure_auth', or 'logged_in'.
  599. * @return int|false User ID if valid cookie, false if invalid.
  600. */
  601. function wp_validate_auth_cookie( $cookie = '', $scheme = '' ) {
  602. $cookie_elements = wp_parse_auth_cookie( $cookie, $scheme );
  603. if ( ! $cookie_elements ) {
  604. /**
  605. * Fires if an authentication cookie is malformed.
  606. *
  607. * @since 2.7.0
  608. *
  609. * @param string $cookie Malformed auth cookie.
  610. * @param string $scheme Authentication scheme. Values include 'auth', 'secure_auth',
  611. * or 'logged_in'.
  612. */
  613. do_action( 'auth_cookie_malformed', $cookie, $scheme );
  614. return false;
  615. }
  616. $scheme = $cookie_elements['scheme'];
  617. $username = $cookie_elements['username'];
  618. $hmac = $cookie_elements['hmac'];
  619. $token = $cookie_elements['token'];
  620. $expired = $cookie_elements['expiration'];
  621. $expiration = $cookie_elements['expiration'];
  622. // Allow a grace period for POST and Ajax requests.
  623. if ( wp_doing_ajax() || 'POST' === $_SERVER['REQUEST_METHOD'] ) {
  624. $expired += HOUR_IN_SECONDS;
  625. }
  626. // Quick check to see if an honest cookie has expired.
  627. if ( $expired < time() ) {
  628. /**
  629. * Fires once an authentication cookie has expired.
  630. *
  631. * @since 2.7.0
  632. *
  633. * @param string[] $cookie_elements {
  634. * Authentication cookie components. None of the components should be assumed
  635. * to be valid as they come directly from a client-provided cookie value.
  636. *
  637. * @type string $username User's username.
  638. * @type string $expiration The time the cookie expires as a UNIX timestamp.
  639. * @type string $token User's session token used.
  640. * @type string $hmac The security hash for the cookie.
  641. * @type string $scheme The cookie scheme to use.
  642. * }
  643. */
  644. do_action( 'auth_cookie_expired', $cookie_elements );
  645. return false;
  646. }
  647. $user = get_user_by( 'login', $username );
  648. if ( ! $user ) {
  649. /**
  650. * Fires if a bad username is entered in the user authentication process.
  651. *
  652. * @since 2.7.0
  653. *
  654. * @param string[] $cookie_elements {
  655. * Authentication cookie components. None of the components should be assumed
  656. * to be valid as they come directly from a client-provided cookie value.
  657. *
  658. * @type string $username User's username.
  659. * @type string $expiration The time the cookie expires as a UNIX timestamp.
  660. * @type string $token User's session token used.
  661. * @type string $hmac The security hash for the cookie.
  662. * @type string $scheme The cookie scheme to use.
  663. * }
  664. */
  665. do_action( 'auth_cookie_bad_username', $cookie_elements );
  666. return false;
  667. }
  668. $pass_frag = substr( $user->user_pass, 8, 4 );
  669. $key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
  670. // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
  671. $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
  672. $hash = hash_hmac( $algo, $username . '|' . $expiration . '|' . $token, $key );
  673. if ( ! hash_equals( $hash, $hmac ) ) {
  674. /**
  675. * Fires if a bad authentication cookie hash is encountered.
  676. *
  677. * @since 2.7.0
  678. *
  679. * @param string[] $cookie_elements {
  680. * Authentication cookie components. None of the components should be assumed
  681. * to be valid as they come directly from a client-provided cookie value.
  682. *
  683. * @type string $username User's username.
  684. * @type string $expiration The time the cookie expires as a UNIX timestamp.
  685. * @type string $token User's session token used.
  686. * @type string $hmac The security hash for the cookie.
  687. * @type string $scheme The cookie scheme to use.
  688. * }
  689. */
  690. do_action( 'auth_cookie_bad_hash', $cookie_elements );
  691. return false;
  692. }
  693. $manager = WP_Session_Tokens::get_instance( $user->ID );
  694. if ( ! $manager->verify( $token ) ) {
  695. /**
  696. * Fires if a bad session token is encountered.
  697. *
  698. * @since 4.0.0
  699. *
  700. * @param string[] $cookie_elements {
  701. * Authentication cookie components. None of the components should be assumed
  702. * to be valid as they come directly from a client-provided cookie value.
  703. *
  704. * @type string $username User's username.
  705. * @type string $expiration The time the cookie expires as a UNIX timestamp.
  706. * @type string $token User's session token used.
  707. * @type string $hmac The security hash for the cookie.
  708. * @type string $scheme The cookie scheme to use.
  709. * }
  710. */
  711. do_action( 'auth_cookie_bad_session_token', $cookie_elements );
  712. return false;
  713. }
  714. // Ajax/POST grace period set above.
  715. if ( $expiration < time() ) {
  716. $GLOBALS['login_grace_period'] = 1;
  717. }
  718. /**
  719. * Fires once an authentication cookie has been validated.
  720. *
  721. * @since 2.7.0
  722. *
  723. * @param string[] $cookie_elements {
  724. * Authentication cookie components.
  725. *
  726. * @type string $username User's username.
  727. * @type string $expiration The time the cookie expires as a UNIX timestamp.
  728. * @type string $token User's session token used.
  729. * @type string $hmac The security hash for the cookie.
  730. * @type string $scheme The cookie scheme to use.
  731. * }
  732. * @param WP_User $user User object.
  733. */
  734. do_action( 'auth_cookie_valid', $cookie_elements, $user );
  735. return $user->ID;
  736. }
  737. endif;
  738. if ( ! function_exists( 'wp_generate_auth_cookie' ) ) :
  739. /**
  740. * Generates authentication cookie contents.
  741. *
  742. * @since 2.5.0
  743. * @since 4.0.0 The `$token` parameter was added.
  744. *
  745. * @param int $user_id User ID.
  746. * @param int $expiration The time the cookie expires as a UNIX timestamp.
  747. * @param string $scheme Optional. The cookie scheme to use: 'auth', 'secure_auth', or 'logged_in'.
  748. * Default 'auth'.
  749. * @param string $token User's session token to use for this cookie.
  750. * @return string Authentication cookie contents. Empty string if user does not exist.
  751. */
  752. function wp_generate_auth_cookie( $user_id, $expiration, $scheme = 'auth', $token = '' ) {
  753. $user = get_userdata( $user_id );
  754. if ( ! $user ) {
  755. return '';
  756. }
  757. if ( ! $token ) {
  758. $manager = WP_Session_Tokens::get_instance( $user_id );
  759. $token = $manager->create( $expiration );
  760. }
  761. $pass_frag = substr( $user->user_pass, 8, 4 );
  762. $key = wp_hash( $user->user_login . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
  763. // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
  764. $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
  765. $hash = hash_hmac( $algo, $user->user_login . '|' . $expiration . '|' . $token, $key );
  766. $cookie = $user->user_login . '|' . $expiration . '|' . $token . '|' . $hash;
  767. /**
  768. * Filters the authentication cookie.
  769. *
  770. * @since 2.5.0
  771. * @since 4.0.0 The `$token` parameter was added.
  772. *
  773. * @param string $cookie Authentication cookie.
  774. * @param int $user_id User ID.
  775. * @param int $expiration The time the cookie expires as a UNIX timestamp.
  776. * @param string $scheme Cookie scheme used. Accepts 'auth', 'secure_auth', or 'logged_in'.
  777. * @param string $token User's session token used.
  778. */
  779. return apply_filters( 'auth_cookie', $cookie, $user_id, $expiration, $scheme, $token );
  780. }
  781. endif;
  782. if ( ! function_exists( 'wp_parse_auth_cookie' ) ) :
  783. /**
  784. * Parses a cookie into its components.
  785. *
  786. * @since 2.7.0
  787. * @since 4.0.0 The `$token` element was added to the return value.
  788. *
  789. * @param string $cookie Authentication cookie.
  790. * @param string $scheme Optional. The cookie scheme to use: 'auth', 'secure_auth', or 'logged_in'.
  791. * @return string[]|false {
  792. * Authentication cookie components. None of the components should be assumed
  793. * to be valid as they come directly from a client-provided cookie value. If
  794. * the cookie value is malformed, false is returned.
  795. *
  796. * @type string $username User's username.
  797. * @type string $expiration The time the cookie expires as a UNIX timestamp.
  798. * @type string $token User's session token used.
  799. * @type string $hmac The security hash for the cookie.
  800. * @type string $scheme The cookie scheme to use.
  801. * }
  802. */
  803. function wp_parse_auth_cookie( $cookie = '', $scheme = '' ) {
  804. if ( empty( $cookie ) ) {
  805. switch ( $scheme ) {
  806. case 'auth':
  807. $cookie_name = AUTH_COOKIE;
  808. break;
  809. case 'secure_auth':
  810. $cookie_name = SECURE_AUTH_COOKIE;
  811. break;
  812. case 'logged_in':
  813. $cookie_name = LOGGED_IN_COOKIE;
  814. break;
  815. default:
  816. if ( is_ssl() ) {
  817. $cookie_name = SECURE_AUTH_COOKIE;
  818. $scheme = 'secure_auth';
  819. } else {
  820. $cookie_name = AUTH_COOKIE;
  821. $scheme = 'auth';
  822. }
  823. }
  824. if ( empty( $_COOKIE[ $cookie_name ] ) ) {
  825. return false;
  826. }
  827. $cookie = $_COOKIE[ $cookie_name ];
  828. }
  829. $cookie_elements = explode( '|', $cookie );
  830. if ( count( $cookie_elements ) !== 4 ) {
  831. return false;
  832. }
  833. list( $username, $expiration, $token, $hmac ) = $cookie_elements;
  834. return compact( 'username', 'expiration', 'token', 'hmac', 'scheme' );
  835. }
  836. endif;
  837. if ( ! function_exists( 'wp_set_auth_cookie' ) ) :
  838. /**
  839. * Sets the authentication cookies based on user ID.
  840. *
  841. * The $remember parameter increases the time that the cookie will be kept. The
  842. * default the cookie is kept without remembering is two days. When $remember is
  843. * set, the cookies will be kept for 14 days or two weeks.
  844. *
  845. * @since 2.5.0
  846. * @since 4.3.0 Added the `$token` parameter.
  847. *
  848. * @param int $user_id User ID.
  849. * @param bool $remember Whether to remember the user.
  850. * @param bool|string $secure Whether the auth cookie should only be sent over HTTPS. Default is an empty
  851. * string which means the value of `is_ssl()` will be used.
  852. * @param string $token Optional. User's session token to use for this cookie.
  853. */
  854. function wp_set_auth_cookie( $user_id, $remember = false, $secure = '', $token = '' ) {
  855. if ( $remember ) {
  856. /**
  857. * Filters the duration of the authentication cookie expiration period.
  858. *
  859. * @since 2.8.0
  860. *
  861. * @param int $length Duration of the expiration period in seconds.
  862. * @param int $user_id User ID.
  863. * @param bool $remember Whether to remember the user login. Default false.
  864. */
  865. $expiration = time() + apply_filters( 'auth_cookie_expiration', 14 * DAY_IN_SECONDS, $user_id, $remember );
  866. /*
  867. * Ensure the browser will continue to send the cookie after the expiration time is reached.
  868. * Needed for the login grace period in wp_validate_auth_cookie().
  869. */
  870. $expire = $expiration + ( 12 * HOUR_IN_SECONDS );
  871. } else {
  872. /** This filter is documented in wp-includes/pluggable.php */
  873. $expiration = time() + apply_filters( 'auth_cookie_expiration', 2 * DAY_IN_SECONDS, $user_id, $remember );
  874. $expire = 0;
  875. }
  876. if ( '' === $secure ) {
  877. $secure = is_ssl();
  878. }
  879. // Front-end cookie is secure when the auth cookie is secure and the site's home URL uses HTTPS.
  880. $secure_logged_in_cookie = $secure && 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME );
  881. /**
  882. * Filters whether the auth cookie should only be sent over HTTPS.
  883. *
  884. * @since 3.1.0
  885. *
  886. * @param bool $secure Whether the cookie should only be sent over HTTPS.
  887. * @param int $user_id User ID.
  888. */
  889. $secure = apply_filters( 'secure_auth_cookie', $secure, $user_id );
  890. /**
  891. * Filters whether the logged in cookie should only be sent over HTTPS.
  892. *
  893. * @since 3.1.0
  894. *
  895. * @param bool $secure_logged_in_cookie Whether the logged in cookie should only be sent over HTTPS.
  896. * @param int $user_id User ID.
  897. * @param bool $secure Whether the auth cookie should only be sent over HTTPS.
  898. */
  899. $secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure );
  900. if ( $secure ) {
  901. $auth_cookie_name = SECURE_AUTH_COOKIE;
  902. $scheme = 'secure_auth';
  903. } else {
  904. $auth_cookie_name = AUTH_COOKIE;
  905. $scheme = 'auth';
  906. }
  907. if ( '' === $token ) {
  908. $manager = WP_Session_Tokens::get_instance( $user_id );
  909. $token = $manager->create( $expiration );
  910. }
  911. $auth_cookie = wp_generate_auth_cookie( $user_id, $expiration, $scheme, $token );
  912. $logged_in_cookie = wp_generate_auth_cookie( $user_id, $expiration, 'logged_in', $token );
  913. /**
  914. * Fires immediately before the authentication cookie is set.
  915. *
  916. * @since 2.5.0
  917. * @since 4.9.0 The `$token` parameter was added.
  918. *
  919. * @param string $auth_cookie Authentication cookie value.
  920. * @param int $expire The time the login grace period expires as a UNIX timestamp.
  921. * Default is 12 hours past the cookie's expiration time.
  922. * @param int $expiration The time when the authentication cookie expires as a UNIX timestamp.
  923. * Default is 14 days from now.
  924. * @param int $user_id User ID.
  925. * @param string $scheme Authentication scheme. Values include 'auth' or 'secure_auth'.
  926. * @param string $token User's session token to use for this cookie.
  927. */
  928. do_action( 'set_auth_cookie', $auth_cookie, $expire, $expiration, $user_id, $scheme, $token );
  929. /**
  930. * Fires immediately before the logged-in authentication cookie is set.
  931. *
  932. * @since 2.6.0
  933. * @since 4.9.0 The `$token` parameter was added.
  934. *
  935. * @param string $logged_in_cookie The logged-in cookie value.
  936. * @param int $expire The time the login grace period expires as a UNIX timestamp.
  937. * Default is 12 hours past the cookie's expiration time.
  938. * @param int $expiration The time when the logged-in authentication cookie expires as a UNIX timestamp.
  939. * Default is 14 days from now.
  940. * @param int $user_id User ID.
  941. * @param string $scheme Authentication scheme. Default 'logged_in'.
  942. * @param string $token User's session token to use for this cookie.
  943. */
  944. do_action( 'set_logged_in_cookie', $logged_in_cookie, $expire, $expiration, $user_id, 'logged_in', $token );
  945. /**
  946. * Allows preventing auth cookies from actually being sent to the client.
  947. *
  948. * @since 4.7.4
  949. *
  950. * @param bool $send Whether to send auth cookies to the client.
  951. */
  952. if ( ! apply_filters( 'send_auth_cookies', true ) ) {
  953. return;
  954. }
  955. setcookie( $auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true );
  956. setcookie( $auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true );
  957. setcookie( LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true );
  958. if ( COOKIEPATH != SITECOOKIEPATH ) {
  959. setcookie( LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true );
  960. }
  961. }
  962. endif;
  963. if ( ! function_exists( 'wp_clear_auth_cookie' ) ) :
  964. /**
  965. * Removes all of the cookies associated with authentication.
  966. *
  967. * @since 2.5.0
  968. */
  969. function wp_clear_auth_cookie() {
  970. /**
  971. * Fires just before the authentication cookies are cleared.
  972. *
  973. * @since 2.7.0
  974. */
  975. do_action( 'clear_auth_cookie' );
  976. /** This filter is documented in wp-includes/pluggable.php */
  977. if ( ! apply_filters( 'send_auth_cookies', true ) ) {
  978. return;
  979. }
  980. // Auth cookies.
  981. setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
  982. setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
  983. setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
  984. setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
  985. setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  986. setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
  987. // Settings cookies.
  988. setcookie( 'wp-settings-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
  989. setcookie( 'wp-settings-time-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
  990. // Old cookies.
  991. setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  992. setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
  993. setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  994. setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
  995. // Even older cookies.
  996. setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  997. setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  998. setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
  999. setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
  1000. // Post password cookie.
  1001. setcookie( 'wp-postpass_' . COOKIEHASH, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
  1002. }
  1003. endif;
  1004. if ( ! function_exists( 'is_user_logged_in' ) ) :
  1005. /**
  1006. * Determines whether the current visitor is a logged in user.
  1007. *
  1008. * For more information on this and similar theme functions, check out
  1009. * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/
  1010. * Conditional Tags} article in the Theme Developer Handbook.
  1011. *
  1012. * @since 2.0.0
  1013. *
  1014. * @return bool True if user is logged in, false if not logged in.
  1015. */
  1016. function is_user_logged_in() {
  1017. $user = wp_get_current_user();
  1018. return $user->exists();
  1019. }
  1020. endif;
  1021. if ( ! function_exists( 'auth_redirect' ) ) :
  1022. /**
  1023. * Checks if a user is logged in, if not it redirects them to the login page.
  1024. *
  1025. * When this code is called from a page, it checks to see if the user viewing the page is logged in.
  1026. * If the user is not logged in, they are redirected to the login page. The user is redirected
  1027. * in such a way that, upon logging in, they will be sent directly to the page they were originally
  1028. * trying to access.
  1029. *
  1030. * @since 1.5.0
  1031. */
  1032. function auth_redirect() {
  1033. $secure = ( is_ssl() || force_ssl_admin() );
  1034. /**
  1035. * Filters whether to use a secure authentication redirect.
  1036. *
  1037. * @since 3.1.0
  1038. *
  1039. * @param bool $secure Whether to use a secure authentication redirect. Default false.
  1040. */
  1041. $secure = apply_filters( 'secure_auth_redirect', $secure );
  1042. // If https is required and request is http, redirect.
  1043. if ( $secure && ! is_ssl() && false !== strpos( $_SERVER['REQUEST_URI'], 'wp-admin' ) ) {
  1044. if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {
  1045. wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
  1046. exit;
  1047. } else {
  1048. wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
  1049. exit;
  1050. }
  1051. }
  1052. /**
  1053. * Filters the authentication redirect scheme.
  1054. *
  1055. * @since 2.9.0
  1056. *
  1057. * @param string $scheme Authentication redirect scheme. Default empty.
  1058. */
  1059. $scheme = apply_filters( 'auth_redirect_scheme', '' );
  1060. $user_id = wp_validate_auth_cookie( '', $scheme );
  1061. if ( $user_id ) {
  1062. /**
  1063. * Fires before the authentication redirect.
  1064. *
  1065. * @since 2.8.0
  1066. *
  1067. * @param int $user_id User ID.
  1068. */
  1069. do_action( 'auth_redirect', $user_id );
  1070. // If the user wants ssl but the session is not ssl, redirect.
  1071. if ( ! $secure && get_user_option( 'use_ssl', $user_id ) && false !== strpos( $_SERVER['REQUEST_URI'], 'wp-admin' ) ) {
  1072. if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {
  1073. wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
  1074. exit;
  1075. } else {
  1076. wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
  1077. exit;
  1078. }
  1079. }
  1080. return; // The cookie is good, so we're done.
  1081. }
  1082. // The cookie is no good, so force login.
  1083. nocache_headers();
  1084. $redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) && wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
  1085. $login_url = wp_login_url( $redirect, true );
  1086. wp_redirect( $login_url );
  1087. exit;
  1088. }
  1089. endif;
  1090. if ( ! function_exists( 'check_admin_referer' ) ) :
  1091. /**
  1092. * Ensures intent by verifying that a user was referred from another admin page with the correct security nonce.
  1093. *
  1094. * This function ensures the user intends to perform a given action, which helps protect against clickjacking style
  1095. * attacks. It verifies intent, not authorisation, therefore it does not verify the user's capabilities. This should
  1096. * be performed with `current_user_can()` or similar.
  1097. *
  1098. * If the nonce value is invalid, the function will exit with an "Are You Sure?" style message.
  1099. *
  1100. * @since 1.2.0
  1101. * @since 2.5.0 The `$query_arg` parameter was added.
  1102. *
  1103. * @param int|string $action The nonce action.
  1104. * @param string $query_arg Optional. Key to check for nonce in `$_REQUEST`. Default '_wpnonce'.
  1105. * @return int|false 1 if the nonce is valid and generated between 0-12 hours ago,
  1106. * 2 if the nonce is valid and generated between 12-24 hours ago.
  1107. * False if the nonce is invalid.
  1108. */
  1109. function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
  1110. if ( -1 === $action ) {
  1111. _doing_it_wrong( __FUNCTION__, __( 'You should specify an action to be verified by using the first parameter.' ), '3.2.0' );
  1112. }
  1113. $adminurl = strtolower( admin_url() );
  1114. $referer = strtolower( wp_get_referer() );
  1115. $result = isset( $_REQUEST[ $query_arg ] ) ? wp_verify_nonce( $_REQUEST[ $query_arg ], $action ) : false;
  1116. /**
  1117. * Fires once the admin request has been validated or not.
  1118. *
  1119. * @since 1.5.1
  1120. *
  1121. * @param string $action The nonce action.
  1122. * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
  1123. * 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
  1124. */
  1125. do_action( 'check_admin_referer', $action, $result );
  1126. if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
  1127. wp_nonce_ays( $action );
  1128. die();
  1129. }
  1130. return $result;
  1131. }
  1132. endif;
  1133. if ( ! function_exists( 'check_ajax_referer' ) ) :
  1134. /**
  1135. * Verifies the Ajax request to prevent processing requests external of the blog.
  1136. *
  1137. * @since 2.0.3
  1138. *
  1139. * @param int|string $action Action nonce.
  1140. * @param false|string $query_arg Optional. Key to check for the nonce in `$_REQUEST` (since 2.5). If false,
  1141. * `$_REQUEST` values will be evaluated for '_ajax_nonce', and '_wpnonce'
  1142. * (in that order). Default false.
  1143. * @param bool $die Optional. Whether to die early when the nonce cannot be verified.
  1144. * Default true.
  1145. * @return int|false 1 if the nonce is valid and generated between 0-12 hours ago,
  1146. * 2 if the nonce is valid and generated between 12-24 hours ago.
  1147. * False if the nonce is invalid.
  1148. */
  1149. function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
  1150. if ( -1 == $action ) {
  1151. _doing_it_wrong( __FUNCTION__, __( 'You should specify an action to be verified by using the first parameter.' ), '4.7.0' );
  1152. }
  1153. $nonce = '';
  1154. if ( $query_arg && isset( $_REQUEST[ $query_arg ] ) ) {
  1155. $nonce = $_REQUEST[ $query_arg ];
  1156. } elseif ( isset( $_REQUEST['_ajax_nonce'] ) ) {
  1157. $nonce = $_REQUEST['_ajax_nonce'];
  1158. } elseif ( isset( $_REQUEST['_wpnonce'] ) ) {
  1159. $nonce = $_REQUEST['_wpnonce'];
  1160. }
  1161. $result = wp_verify_nonce( $nonce, $action );
  1162. /**
  1163. * Fires once the Ajax request has been validated or not.
  1164. *
  1165. * @since 2.1.0
  1166. *
  1167. * @param string $action The Ajax nonce action.
  1168. * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
  1169. * 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
  1170. */
  1171. do_action( 'check_ajax_referer', $action, $result );
  1172. if ( $die && false === $result ) {
  1173. if ( wp_doing_ajax() ) {
  1174. wp_die( -1, 403 );
  1175. } else {
  1176. die( '-1' );
  1177. }
  1178. }
  1179. return $result;
  1180. }
  1181. endif;
  1182. if ( ! function_exists( 'wp_redirect' ) ) :
  1183. /**
  1184. * Redirects to another page.
  1185. *
  1186. * Note: wp_redirect() does not exit automatically, and should almost always be
  1187. * followed by a call to `exit;`:
  1188. *
  1189. * wp_redirect( $url );
  1190. * exit;
  1191. *
  1192. * Exiting can also be selectively manipulated by using wp_redirect() as a conditional
  1193. * in conjunction with the {@see 'wp_redirect'} and {@see 'wp_redirect_location'} filters:
  1194. *
  1195. * if ( wp_redirect( $url ) ) {
  1196. * exit;
  1197. * }
  1198. *
  1199. * @since 1.5.1
  1200. * @since 5.1.0 The `$x_redirect_by` parameter was added.
  1201. * @since 5.4.0 On invalid status codes, wp_die() is called.
  1202. *
  1203. * @global bool $is_IIS
  1204. *
  1205. * @param string $location The path or URL to redirect to.
  1206. * @param int $status Optional. HTTP response status code to use. Default '302' (Moved Temporarily).
  1207. * @param string $x_redirect_by Optional. The application doing the redirect. Default 'WordPress'.
  1208. * @return bool False if the redirect was cancelled, true otherwise.
  1209. */
  1210. function wp_redirect( $location, $status = 302, $x_redirect_by = 'WordPress' ) {
  1211. global $is_IIS;
  1212. /**
  1213. * Filters the redirect location.
  1214. *
  1215. * @since 2.1.0
  1216. *
  1217. * @param string $location The path or URL to redirect to.
  1218. * @param int $status The HTTP response status code to use.
  1219. */
  1220. $location = apply_filters( 'wp_redirect', $location, $status );
  1221. /**
  1222. * Filters the redirect HTTP response status code to use.
  1223. *
  1224. * @since 2.3.0
  1225. *
  1226. * @param int $status The HTTP response status code to use.
  1227. * @param string $location The path or URL to redirect to.
  1228. */
  1229. $status = apply_filters( 'wp_redirect_status', $status, $location );
  1230. if ( ! $location ) {
  1231. return false;
  1232. }
  1233. if ( $status < 300 || 399 < $status ) {
  1234. wp_die( __( 'HTTP redirect status code must be a redirection code, 3xx.' ) );
  1235. }
  1236. $location = wp_sanitize_redirect( $location );
  1237. if ( ! $is_IIS && 'cgi-fcgi' !== PHP_SAPI ) {
  1238. status_header( $status ); // This causes problems on IIS and some FastCGI setups.
  1239. }
  1240. /**
  1241. * Filters the X-Redirect-By header.
  1242. *
  1243. * Allows applications to identify themselves when they're doing a redirect.
  1244. *
  1245. * @since 5.1.0
  1246. *
  1247. * @param string $x_redirect_by The application doing the redirect.
  1248. * @param int $status Status code to use.
  1249. * @param string $location The path to redirect to.
  1250. */
  1251. $x_redirect_by = apply_filters( 'x_redirect_by', $x_redirect_by, $status, $location );
  1252. if ( is_string( $x_redirect_by ) ) {
  1253. header( "X-Redirect-By: $x_redirect_by" );
  1254. }
  1255. header( "Location: $location", true, $status );
  1256. return true;
  1257. }
  1258. endif;
  1259. if ( ! function_exists( 'wp_sanitize_redirect' ) ) :
  1260. /**
  1261. * Sanitizes a URL for use in a redirect.
  1262. *
  1263. * @since 2.3.0
  1264. *
  1265. * @param string $location The path to redirect to.
  1266. * @return string Redirect-sanitized URL.
  1267. */
  1268. function wp_sanitize_redirect( $location ) {
  1269. // Encode spaces.
  1270. $location = str_replace( ' ', '%20', $location );
  1271. $regex = '/
  1272. (
  1273. (?: [\xC2-\xDF][\x80-\xBF] # double-byte sequences 110xxxxx 10xxxxxx
  1274. | \xE0[\xA0-\xBF][\x80-\xBF] # triple-byte sequences 1110xxxx 10xxxxxx * 2
  1275. | [\xE1-\xEC][\x80-\xBF]{2}
  1276. | \xED[\x80-\x9F][\x80-\xBF]
  1277. | [\xEE-\xEF][\x80-\xBF]{2}
  1278. | \xF0[\x90-\xBF][\x80-\xBF]{2} # four-byte sequences 11110xxx 10xxxxxx * 3
  1279. | [\xF1-\xF3][\x80-\xBF]{3}
  1280. | \xF4[\x80-\x8F][\x80-\xBF]{2}
  1281. ){1,40} # ...one or more times
  1282. )/x';
  1283. $location = preg_replace_callback( $regex, '_wp_sanitize_utf8_in_redirect', $location );
  1284. $location = preg_replace( '|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()@]|i', '', $location );
  1285. $location = wp_kses_no_null( $location );
  1286. // Remove %0D and %0A from location.
  1287. $strip = array( '%0d', '%0a', '%0D', '%0A' );
  1288. return _deep_replace( $strip, $location );
  1289. }
  1290. /**
  1291. * URL encodes UTF-8 characters in a URL.
  1292. *
  1293. * @ignore
  1294. * @since 4.2.0
  1295. * @access private
  1296. *
  1297. * @see wp_sanitize_redirect()
  1298. *
  1299. * @param array $matches RegEx matches against the redirect location.
  1300. * @return string URL-encoded version of the first RegEx match.
  1301. */
  1302. function _wp_sanitize_utf8_in_redirect( $matches ) {
  1303. return urlencode( $matches[0] );
  1304. }
  1305. endif;
  1306. if ( ! function_exists( 'wp_safe_redirect' ) ) :
  1307. /**
  1308. * Performs a safe (local) redirect, using wp_redirect().
  1309. *
  1310. * Checks whether the $location is using an allowed host, if it has an absolute
  1311. * path. A plugin can therefore set or remove allowed host(s) to or from the
  1312. * list.
  1313. *
  1314. * If the host is not allowed, then the redirect defaults to wp-admin on the siteurl
  1315. * instead. This prevents malicious redirects which redirect to another host,
  1316. * but only used in a few places.
  1317. *
  1318. * Note: wp_safe_redirect() does not exit automatically, and should almost always be
  1319. * followed by a call to `exit;`:
  1320. *
  1321. * wp_safe_redirect( $url );
  1322. * exit;
  1323. *
  1324. * Exiting can also be selectively manipulated by using wp_safe_redirect() as a conditional
  1325. * in conjunction with the {@see 'wp_redirect'} and {@see 'wp_redirect_location'} filters:
  1326. *
  1327. * if ( wp_safe_redirect( $url ) ) {
  1328. * exit;
  1329. * }
  1330. *
  1331. * @since 2.3.0
  1332. * @since 5.1.0 The return value from wp_redirect() is now passed on, and the `$x_redirect_by` parameter was added.
  1333. *
  1334. * @param string $location The path or URL to redirect to.
  1335. * @param int $status Optional. HTTP response status code to use. Default '302' (Moved Temporarily).
  1336. * @param string $x_redirect_by Optional. The application doing the redirect. Default 'WordPress'.
  1337. * @return bool False if the redirect was cancelled, true otherwise.
  1338. */
  1339. function wp_safe_redirect( $location, $status = 302, $x_redirect_by = 'WordPress' ) {
  1340. // Need to look at the URL the way it will end up in wp_redirect().
  1341. $location = wp_sanitize_redirect( $location );
  1342. /**
  1343. * Filters the redirect fallback URL for when the provided redirect is not safe (local).
  1344. *
  1345. * @since 4.3.0
  1346. *
  1347. * @param string $fallback_url The fallback URL to use by default.
  1348. * @param int $status The HTTP response status code to use.
  1349. */
  1350. $location = wp_validate_redirect( $location, apply_filters( 'wp_safe_redirect_fallback', admin_url(), $status ) );
  1351. return wp_redirect( $location, $status, $x_redirect_by );
  1352. }
  1353. endif;
  1354. if ( ! function_exists( 'wp_validate_redirect' ) ) :
  1355. /**
  1356. * Validates a URL for use in a redirect.
  1357. *
  1358. * Checks whether the $location is using an allowed host, if it has an absolute
  1359. * path. A plugin can therefore set or remove allowed host(s) to or from the
  1360. * list.
  1361. *
  1362. * If the host is not allowed, then the redirect is to $default supplied.
  1363. *
  1364. * @since 2.8.1
  1365. *
  1366. * @param string $location The redirect to validate.
  1367. * @param string $default The value to return if $location is not allowed.
  1368. * @return string redirect-sanitized URL.
  1369. */
  1370. function wp_validate_redirect( $location, $default = '' ) {
  1371. $location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) );
  1372. // Browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'.
  1373. if ( '//' === substr( $location, 0, 2 ) ) {
  1374. $location = 'http:' . $location;
  1375. }
  1376. // In PHP 5 parse_url() may fail if the URL query part contains 'http://'.
  1377. // See https://bugs.php.net/bug.php?id=38143
  1378. $cut = strpos( $location, '?' );
  1379. $test = $cut ? substr( $location, 0, $cut ) : $location;
  1380. $lp = parse_url( $test );
  1381. // Give up if malformed URL.
  1382. if ( false === $lp ) {
  1383. return $default;
  1384. }
  1385. // Allow only 'http' and 'https' schemes. No 'data:', etc.
  1386. if ( isset( $lp['scheme'] ) && ! ( 'http' === $lp['scheme'] || 'https' === $lp['scheme'] ) ) {
  1387. return $default;
  1388. }
  1389. if ( ! isset( $lp['host'] ) && ! empty( $lp['path'] ) && '/' !== $lp['path'][0] ) {
  1390. $path = '';
  1391. if ( ! empty( $_SERVER['REQUEST_URI'] ) ) {
  1392. $path = dirname( parse_url( 'http://placeholder' . $_SERVER['REQUEST_URI'], PHP_URL_PATH ) . '?' );
  1393. $path = wp_normalize_path( $path );
  1394. }
  1395. $location = '/' . ltrim( $path . '/', '/' ) . $location;
  1396. }
  1397. // Reject if certain components are set but host is not.
  1398. // This catches URLs like https:host.com for which parse_url() does not set the host field.
  1399. if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
  1400. return $default;
  1401. }
  1402. // Reject malformed components parse_url() can return on odd inputs.
  1403. foreach ( array( 'user', 'pass', 'host' ) as $component ) {
  1404. if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) {
  1405. return $default;
  1406. }
  1407. }
  1408. $wpp = parse_url( home_url() );
  1409. /**
  1410. * Filters the list of allowed hosts to redirect to.
  1411. *
  1412. * @since 2.3.0
  1413. *
  1414. * @param string[] $hosts An array of allowed host names.
  1415. * @param string $host The host name of the redirect destination; empty string if not set.
  1416. */
  1417. $allowed_hosts = (array) apply_filters( 'allowed_redirect_hosts', array( $wpp['host'] ), isset( $lp['host'] ) ? $lp['host'] : '' );
  1418. if ( isset( $lp['host'] ) && ( ! in_array( $lp['host'], $allowed_hosts, true ) && strtolower( $wpp['host'] ) !== $lp['host'] ) ) {
  1419. $location = $default;
  1420. }
  1421. return $location;
  1422. }
  1423. endif;
  1424. if ( ! function_exists( 'wp_notify_postauthor' ) ) :
  1425. /**
  1426. * Notifies an author (and/or others) of a comment/trackback/pingback on a post.
  1427. *
  1428. * @since 1.0.0
  1429. *
  1430. * @param int|WP_Comment $comment_id Comment ID or WP_Comment object.
  1431. * @param string $deprecated Not used.
  1432. * @return bool True on completion. False if no email addresses were specified.
  1433. */
  1434. function wp_notify_postauthor( $comment_id, $deprecated = null ) {
  1435. if ( null !== $deprecated ) {
  1436. _deprecated_argument( __FUNCTION__, '3.8.0' );
  1437. }
  1438. $comment = get_comment( $comment_id );
  1439. if ( empty( $comment ) || empty( $comment->comment_post_ID ) ) {
  1440. return false;
  1441. }
  1442. $post = get_post( $comment->comment_post_ID );
  1443. $author = get_userdata( $post->post_author );
  1444. // Who to notify? By default, just the post author, but others can be added.
  1445. $emails = array();
  1446. if ( $author ) {
  1447. $emails[] = $author->user_email;
  1448. }
  1449. /**
  1450. * Filters the list of email addresses to receive a comment notification.
  1451. *
  1452. * By default, only post authors are notified of comments. This filter allows
  1453. * others to be added.
  1454. *
  1455. * @since 3.7.0
  1456. *
  1457. * @param string[] $emails An array of email addresses to receive a comment notification.
  1458. * @param string $comment_id The comment ID as a numeric string.
  1459. */
  1460. $emails = apply_filters( 'comment_notification_recipients', $emails, $comment->comment_ID );
  1461. $emails = array_filter( $emails );
  1462. // If there are no addresses to send the comment to, bail.
  1463. if ( ! count( $emails ) ) {
  1464. return false;
  1465. }
  1466. // Facilitate unsetting below without knowing the keys.
  1467. $emails = array_flip( $emails );
  1468. /**
  1469. * Filters whether to notify comment authors of their comments on their own posts.
  1470. *
  1471. * By default, comment authors aren't notified of their comments on their own
  1472. * posts. This filter allows you to override that.
  1473. *
  1474. * @since 3.8.0
  1475. *
  1476. * @param bool $notify Whether to notify the post author of their own comment.
  1477. * Default false.
  1478. * @param string $comment_id The comment ID as a numeric string.
  1479. */
  1480. $notify_author = apply_filters( 'comment_notification_notify_author', false, $comment->comment_ID );
  1481. // The comment was left by the author.
  1482. if ( $author && ! $notify_author && $comment->user_id == $post->post_author ) {
  1483. unset( $emails[ $author->user_email ] );
  1484. }
  1485. // The author moderated a comment on their own post.
  1486. if ( $author && ! $notify_author && get_current_user_id() == $post->post_author ) {
  1487. unset( $emails[ $author->user_email ] );
  1488. }
  1489. // The post author is no longer a member of the blog.
  1490. if ( $author && ! $notify_author && ! user_can( $post->post_author, 'read_post', $post->ID ) ) {
  1491. unset( $emails[ $author->user_email ] );
  1492. }
  1493. // If there's no email to send the comment to, bail, otherwise flip array back around for use below.
  1494. if ( ! count( $emails ) ) {
  1495. return false;
  1496. } else {
  1497. $emails = array_flip( $emails );
  1498. }
  1499. $switched_locale = switch_to_locale( get_locale() );
  1500. $comment_author_domain = '';
  1501. if ( WP_Http::is_ip_address( $comment->comment_author_IP ) ) {
  1502. $comment_author_domain = gethostbyaddr( $comment->comment_author_IP );
  1503. }
  1504. // The blogname option is escaped with esc_html() on the way into the database in sanitize_option().
  1505. // We want to reverse this for the plain text arena of emails.
  1506. $blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
  1507. $comment_content = wp_specialchars_decode( $comment->comment_content );
  1508. switch ( $comment->comment_type ) {
  1509. case 'trackback':
  1510. /* translators: %s: Post title. */
  1511. $notify_message = sprintf( __( 'New trackback on your post "%s"' ), $post->post_title ) . "\r\n";
  1512. /* translators: 1: Trackback/pingback website name, 2: Website IP address, 3: Website hostname. */
  1513. $notify_message .= sprintf( __( 'Website: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
  1514. /* translators: %s: Trackback/pingback/comment author URL. */
  1515. $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
  1516. /* translators: %s: Comment text. */
  1517. $notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n";
  1518. $notify_message .= __( 'You can see all trackbacks on this post here:' ) . "\r\n";
  1519. /* translators: Trackback notification email subject. 1: Site title, 2: Post title. */
  1520. $subject = sprintf( __( '[%1$s] Trackback: "%2$s"' ), $blogname, $post->post_title );
  1521. break;
  1522. case 'pingback':
  1523. /* translators: %s: Post title. */
  1524. $notify_message = sprintf( __( 'New pingback on your post "%s"' ), $post->post_title ) . "\r\n";
  1525. /* translators: 1: Trackback/pingback website name, 2: Website IP address, 3: Website hostname. */
  1526. $notify_message .= sprintf( __( 'Website: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
  1527. /* translators: %s: Trackback/pingback/comment author URL. */
  1528. $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
  1529. /* translators: %s: Comment text. */
  1530. $notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n";
  1531. $notify_message .= __( 'You can see all pingbacks on this post here:' ) . "\r\n";
  1532. /* translators: Pingback notification email subject. 1: Site title, 2: Post title. */
  1533. $subject = sprintf( __( '[%1$s] Pingback: "%2$s"' ), $blogname, $post->post_title );
  1534. break;
  1535. default: // Comments.
  1536. /* translators: %s: Post title. */
  1537. $notify_message = sprintf( __( 'New comment on your post "%s"' ), $post->post_title ) . "\r\n";
  1538. /* translators: 1: Comment author's name, 2: Comment author's IP address, 3: Comment author's hostname. */
  1539. $notify_message .= sprintf( __( 'Author: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
  1540. /* translators: %s: Comment author email. */
  1541. $notify_message .= sprintf( __( 'Email: %s' ), $comment->comment_author_email ) . "\r\n";
  1542. /* translators: %s: Trackback/pingback/comment author URL. */
  1543. $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
  1544. if ( $comment->comment_parent && user_can( $post->post_author, 'edit_comment', $comment->comment_parent ) ) {
  1545. /* translators: Comment moderation. %s: Parent comment edit URL. */
  1546. $notify_message .= sprintf( __( 'In reply to: %s' ), admin_url( "comment.php?action=editcomment&c={$comment->comment_parent}#wpbody-content" ) ) . "\r\n";
  1547. }
  1548. /* translators: %s: Comment text. */
  1549. $notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n";
  1550. $notify_message .= __( 'You can see all comments on this post here:' ) . "\r\n";
  1551. /* translators: Comment notification email subject. 1: Site title, 2: Post title. */
  1552. $subject = sprintf( __( '[%1$s] Comment: "%2$s"' ), $blogname, $post->post_title );
  1553. break;
  1554. }
  1555. $notify_message .= get_permalink( $comment->comment_post_ID ) . "#comments\r\n\r\n";
  1556. /* translators: %s: Comment URL. */
  1557. $notify_message .= sprintf( __( 'Permalink: %s' ), get_comment_link( $comment ) ) . "\r\n";
  1558. if ( user_can( $post->post_author, 'edit_comment', $comment->comment_ID ) ) {
  1559. if ( EMPTY_TRASH_DAYS ) {
  1560. /* translators: Comment moderation. %s: Comment action URL. */
  1561. $notify_message .= sprintf( __( 'Trash it: %s' ), admin_url( "comment.php?action=trash&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
  1562. } else {
  1563. /* translators: Comment moderation. %s: Comment action URL. */
  1564. $notify_message .= sprintf( __( 'Delete it: %s' ), admin_url( "comment.php?action=delete&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
  1565. }
  1566. /* translators: Comment moderation. %s: Comment action URL. */
  1567. $notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
  1568. }
  1569. $wp_email = 'wordpress@' . preg_replace( '#^www\.#', '', wp_parse_url( network_home_url(), PHP_URL_HOST ) );
  1570. if ( '' === $comment->comment_author ) {
  1571. $from = "From: \"$blogname\" <$wp_email>";
  1572. if ( '' !== $comment->comment_author_email ) {
  1573. $reply_to = "Reply-To: $comment->comment_author_email";
  1574. }
  1575. } else {
  1576. $from = "From: \"$comment->comment_author\" <$wp_email>";
  1577. if ( '' !== $comment->comment_author_email ) {
  1578. $reply_to = "Reply-To: \"$comment->comment_author_email\" <$comment->comment_author_email>";
  1579. }
  1580. }
  1581. $message_headers = "$from\n"
  1582. . 'Content-Type: text/plain; charset="' . get_option( 'blog_charset' ) . "\"\n";
  1583. if ( isset( $reply_to ) ) {
  1584. $message_headers .= $reply_to . "\n";
  1585. }
  1586. /**
  1587. * Filters the comment notification email text.
  1588. *
  1589. * @since 1.5.2
  1590. *
  1591. * @param string $notify_message The comment notification email text.
  1592. * @param string $comment_id Comment ID as a numeric string.
  1593. */
  1594. $notify_message = apply_filters( 'comment_notification_text', $notify_message, $comment->comment_ID );
  1595. /**
  1596. * Filters the comment notification email subject.
  1597. *
  1598. * @since 1.5.2
  1599. *
  1600. * @param string $subject The comment notification email subject.
  1601. * @param string $comment_id Comment ID as a numeric string.
  1602. */
  1603. $subject = apply_filters( 'comment_notification_subject', $subject, $comment->comment_ID );
  1604. /**
  1605. * Filters the comment notification email headers.
  1606. *
  1607. * @since 1.5.2
  1608. *
  1609. * @param string $message_headers Headers for the comment notification email.
  1610. * @param string $comment_id Comment ID as a numeric string.
  1611. */
  1612. $message_headers = apply_filters( 'comment_notification_headers', $message_headers, $comment->comment_ID );
  1613. foreach ( $emails as $email ) {
  1614. wp_mail( $email, wp_specialchars_decode( $subject ), $notify_message, $message_headers );
  1615. }
  1616. if ( $switched_locale ) {
  1617. restore_previous_locale();
  1618. }
  1619. return true;
  1620. }
  1621. endif;
  1622. if ( ! function_exists( 'wp_notify_moderator' ) ) :
  1623. /**
  1624. * Notifies the moderator of the site about a new comment that is awaiting approval.
  1625. *
  1626. * @since 1.0.0
  1627. *
  1628. * @global wpdb $wpdb WordPress database abstraction object.
  1629. *
  1630. * Uses the {@see 'notify_moderator'} filter to determine whether the site moderator
  1631. * should be notified, overriding the site setting.
  1632. *
  1633. * @param int $comment_id Comment ID.
  1634. * @return true Always returns true.
  1635. */
  1636. function wp_notify_moderator( $comment_id ) {
  1637. global $wpdb;
  1638. $maybe_notify = get_option( 'moderation_notify' );
  1639. /**
  1640. * Filters whether to send the site moderator email notifications, overriding the site setting.
  1641. *
  1642. * @since 4.4.0
  1643. *
  1644. * @param bool $maybe_notify Whether to notify blog moderator.
  1645. * @param int $comment_ID The id of the comment for the notification.
  1646. */
  1647. $maybe_notify = apply_filters( 'notify_moderator', $maybe_notify, $comment_id );
  1648. if ( ! $maybe_notify ) {
  1649. return true;
  1650. }
  1651. $comment = get_comment( $comment_id );
  1652. $post = get_post( $comment->comment_post_ID );
  1653. $user = get_userdata( $post->post_author );
  1654. // Send to the administration and to the post author if the author can modify the comment.
  1655. $emails = array( get_option( 'admin_email' ) );
  1656. if ( $user && user_can( $user->ID, 'edit_comment', $comment_id ) && ! empty( $user->user_email ) ) {
  1657. if ( 0 !== strcasecmp( $user->user_email, get_option( 'admin_email' ) ) ) {
  1658. $emails[] = $user->user_email;
  1659. }
  1660. }
  1661. $switched_locale = switch_to_locale( get_locale() );
  1662. $comment_author_domain = '';
  1663. if ( WP_Http::is_ip_address( $comment->comment_author_IP ) ) {
  1664. $comment_author_domain = gethostbyaddr( $comment->comment_author_IP );
  1665. }
  1666. $comments_waiting = $wpdb->get_var( "SELECT COUNT(*) FROM $wpdb->comments WHERE comment_approved = '0'" );
  1667. // The blogname option is escaped with esc_html() on the way into the database in sanitize_option().
  1668. // We want to reverse this for the plain text arena of emails.
  1669. $blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
  1670. $comment_content = wp_specialchars_decode( $comment->comment_content );
  1671. switch ( $comment->comment_type ) {
  1672. case 'trackback':
  1673. /* translators: %s: Post title. */
  1674. $notify_message = sprintf( __( 'A new trackback on the post "%s" is waiting for your approval' ), $post->post_title ) . "\r\n";
  1675. $notify_message .= get_permalink( $comment->comment_post_ID ) . "\r\n\r\n";
  1676. /* translators: 1: Trackback/pingback website name, 2: Website IP address, 3: Website hostname. */
  1677. $notify_message .= sprintf( __( 'Website: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
  1678. /* translators: %s: Trackback/pingback/comment author URL. */
  1679. $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
  1680. $notify_message .= __( 'Trackback excerpt: ' ) . "\r\n" . $comment_content . "\r\n\r\n";
  1681. break;
  1682. case 'pingback':
  1683. /* translators: %s: Post title. */
  1684. $notify_message = sprintf( __( 'A new pingback on the post "%s" is waiting for your approval' ), $post->post_title ) . "\r\n";
  1685. $notify_message .= get_permalink( $comment->comment_post_ID ) . "\r\n\r\n";
  1686. /* translators: 1: Trackback/pingback website name, 2: Website IP address, 3: Website hostname. */
  1687. $notify_message .= sprintf( __( 'Website: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
  1688. /* translators: %s: Trackback/pingback/comment author URL. */
  1689. $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
  1690. $notify_message .= __( 'Pingback excerpt: ' ) . "\r\n" . $comment_content . "\r\n\r\n";
  1691. break;
  1692. default: // Comments.
  1693. /* translators: %s: Post title. */
  1694. $notify_message = sprintf( __( 'A new comment on the post "%s" is waiting for your approval' ), $post->post_title ) . "\r\n";
  1695. $notify_message .= get_permalink( $comment->comment_post_ID ) . "\r\n\r\n";
  1696. /* translators: 1: Comment author's name, 2: Comment author's IP address, 3: Comment author's hostname. */
  1697. $notify_message .= sprintf( __( 'Author: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
  1698. /* translators: %s: Comment author email. */
  1699. $notify_message .= sprintf( __( 'Email: %s' ), $comment->comment_author_email ) . "\r\n";
  1700. /* translators: %s: Trackback/pingback/comment author URL. */
  1701. $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
  1702. if ( $comment->comment_parent ) {
  1703. /* translators: Comment moderation. %s: Parent comment edit URL. */
  1704. $notify_message .= sprintf( __( 'In reply to: %s' ), admin_url( "comment.php?action=editcomment&c={$comment->comment_parent}#wpbody-content" ) ) . "\r\n";
  1705. }
  1706. /* translators: %s: Comment text. */
  1707. $notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n";
  1708. break;
  1709. }
  1710. /* translators: Comment moderation. %s: Comment action URL. */
  1711. $notify_message .= sprintf( __( 'Approve it: %s' ), admin_url( "comment.php?action=approve&c={$comment_id}#wpbody-content" ) ) . "\r\n";
  1712. if ( EMPTY_TRASH_DAYS ) {
  1713. /* translators: Comment moderation. %s: Comment action URL. */
  1714. $notify_message .= sprintf( __( 'Trash it: %s' ), admin_url( "comment.php?action=trash&c={$comment_id}#wpbody-content" ) ) . "\r\n";
  1715. } else {
  1716. /* translators: Comment moderation. %s: Comment action URL. */
  1717. $notify_message .= sprintf( __( 'Delete it: %s' ), admin_url( "comment.php?action=delete&c={$comment_id}#wpbody-content" ) ) . "\r\n";
  1718. }
  1719. /* translators: Comment moderation. %s: Comment action URL. */
  1720. $notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment_id}#wpbody-content" ) ) . "\r\n";
  1721. $notify_message .= sprintf(
  1722. /* translators: Comment moderation. %s: Number of comments awaiting approval. */
  1723. _n(
  1724. 'Currently %s comment is waiting for approval. Please visit the moderation panel:',
  1725. 'Currently %s comments are waiting for approval. Please visit the moderation panel:',
  1726. $comments_waiting
  1727. ),
  1728. number_format_i18n( $comments_waiting )
  1729. ) . "\r\n";
  1730. $notify_message .= admin_url( 'edit-comments.php?comment_status=moderated#wpbody-content' ) . "\r\n";
  1731. /* translators: Comment moderation notification email subject. 1: Site title, 2: Post title. */
  1732. $subject = sprintf( __( '[%1$s] Please moderate: "%2$s"' ), $blogname, $post->post_title );
  1733. $message_headers = '';
  1734. /**
  1735. * Filters the list of recipients for comment moderation emails.
  1736. *
  1737. * @since 3.7.0
  1738. *
  1739. * @param string[] $emails List of email addresses to notify for comment moderation.
  1740. * @param int $comment_id Comment ID.
  1741. */
  1742. $emails = apply_filters( 'comment_moderation_recipients', $emails, $comment_id );
  1743. /**
  1744. * Filters the comment moderation email text.
  1745. *
  1746. * @since 1.5.2
  1747. *
  1748. * @param string $notify_message Text of the comment moderation email.
  1749. * @param int $comment_id Comment ID.
  1750. */
  1751. $notify_message = apply_filters( 'comment_moderation_text', $notify_message, $comment_id );
  1752. /**
  1753. * Filters the comment moderation email subject.
  1754. *
  1755. * @since 1.5.2
  1756. *
  1757. * @param string $subject Subject of the comment moderation email.
  1758. * @param int $comment_id Comment ID.
  1759. */
  1760. $subject = apply_filters( 'comment_moderation_subject', $subject, $comment_id );
  1761. /**
  1762. * Filters the comment moderation email headers.
  1763. *
  1764. * @since 2.8.0
  1765. *
  1766. * @param string $message_headers Headers for the comment moderation email.
  1767. * @param int $comment_id Comment ID.
  1768. */
  1769. $message_headers = apply_filters( 'comment_moderation_headers', $message_headers, $comment_id );
  1770. foreach ( $emails as $email ) {
  1771. wp_mail( $email, wp_specialchars_decode( $subject ), $notify_message, $message_headers );
  1772. }
  1773. if ( $switched_locale ) {
  1774. restore_previous_locale();
  1775. }
  1776. return true;
  1777. }
  1778. endif;
  1779. if ( ! function_exists( 'wp_password_change_notification' ) ) :
  1780. /**
  1781. * Notifies the blog admin of a user changing password, normally via email.
  1782. *
  1783. * @since 2.7.0
  1784. *
  1785. * @param WP_User $user User object.
  1786. */
  1787. function wp_password_change_notification( $user ) {
  1788. // Send a copy of password change notification to the admin,
  1789. // but check to see if it's the admin whose password we're changing, and skip this.
  1790. if ( 0 !== strcasecmp( $user->user_email, get_option( 'admin_email' ) ) ) {
  1791. /* translators: %s: User name. */
  1792. $message = sprintf( __( 'Password changed for user: %s' ), $user->user_login ) . "\r\n";
  1793. // The blogname option is escaped with esc_html() on the way into the database in sanitize_option().
  1794. // We want to reverse this for the plain text arena of emails.
  1795. $blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
  1796. $wp_password_change_notification_email = array(
  1797. 'to' => get_option( 'admin_email' ),
  1798. /* translators: Password change notification email subject. %s: Site title. */
  1799. 'subject' => __( '[%s] Password Changed' ),
  1800. 'message' => $message,
  1801. 'headers' => '',
  1802. );
  1803. /**
  1804. * Filters the contents of the password change notification email sent to the site admin.
  1805. *
  1806. * @since 4.9.0
  1807. *
  1808. * @param array $wp_password_change_notification_email {
  1809. * Used to build wp_mail().
  1810. *
  1811. * @type string $to The intended recipient - site admin email address.
  1812. * @type string $subject The subject of the email.
  1813. * @type string $message The body of the email.
  1814. * @type string $headers The headers of the email.
  1815. * }
  1816. * @param WP_User $user User object for user whose password was changed.
  1817. * @param string $blogname The site title.
  1818. */
  1819. $wp_password_change_notification_email = apply_filters( 'wp_password_change_notification_email', $wp_password_change_notification_email, $user, $blogname );
  1820. wp_mail(
  1821. $wp_password_change_notification_email['to'],
  1822. wp_specialchars_decode( sprintf( $wp_password_change_notification_email['subject'], $blogname ) ),
  1823. $wp_password_change_notification_email['message'],
  1824. $wp_password_change_notification_email['headers']
  1825. );
  1826. }
  1827. }
  1828. endif;
  1829. if ( ! function_exists( 'wp_new_user_notification' ) ) :
  1830. /**
  1831. * Emails login credentials to a newly-registered user.
  1832. *
  1833. * A new user registration notification is also sent to admin email.
  1834. *
  1835. * @since 2.0.0
  1836. * @since 4.3.0 The `$plaintext_pass` parameter was changed to `$notify`.
  1837. * @since 4.3.1 The `$plaintext_pass` parameter was deprecated. `$notify` added as a third parameter.
  1838. * @since 4.6.0 The `$notify` parameter accepts 'user' for sending notification only to the user created.
  1839. *
  1840. * @param int $user_id User ID.
  1841. * @param null $deprecated Not used (argument deprecated).
  1842. * @param string $notify Optional. Type of notification that should happen. Accepts 'admin' or an empty
  1843. * string (admin only), 'user', or 'both' (admin and user). Default empty.
  1844. */
  1845. function wp_new_user_notification( $user_id, $deprecated = null, $notify = '' ) {
  1846. if ( null !== $deprecated ) {
  1847. _deprecated_argument( __FUNCTION__, '4.3.1' );
  1848. }
  1849. // Accepts only 'user', 'admin' , 'both' or default '' as $notify.
  1850. if ( ! in_array( $notify, array( 'user', 'admin', 'both', '' ), true ) ) {
  1851. return;
  1852. }
  1853. $user = get_userdata( $user_id );
  1854. // The blogname option is escaped with esc_html() on the way into the database in sanitize_option().
  1855. // We want to reverse this for the plain text arena of emails.
  1856. $blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
  1857. /**
  1858. * Filters whether the admin is notified of a new user registration.
  1859. *
  1860. * @since 6.1.0
  1861. *
  1862. * @param bool $send Whether to send the email. Default true.
  1863. * @param WP_User $user User object for new user.
  1864. */
  1865. $send_notification_to_admin = apply_filters( 'wp_send_new_user_notification_to_admin', true, $user );
  1866. if ( 'user' !== $notify && true === $send_notification_to_admin ) {
  1867. $switched_locale = switch_to_locale( get_locale() );
  1868. /* translators: %s: Site title. */
  1869. $message = sprintf( __( 'New user registration on your site %s:' ), $blogname ) . "\r\n\r\n";
  1870. /* translators: %s: User login. */
  1871. $message .= sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n";
  1872. /* translators: %s: User email address. */
  1873. $message .= sprintf( __( 'Email: %s' ), $user->user_email ) . "\r\n";
  1874. $wp_new_user_notification_email_admin = array(
  1875. 'to' => get_option( 'admin_email' ),
  1876. /* translators: New user registration notification email subject. %s: Site title. */
  1877. 'subject' => __( '[%s] New User Registration' ),
  1878. 'message' => $message,
  1879. 'headers' => '',
  1880. );
  1881. /**
  1882. * Filters the contents of the new user notification email sent to the site admin.
  1883. *
  1884. * @since 4.9.0
  1885. *
  1886. * @param array $wp_new_user_notification_email_admin {
  1887. * Used to build wp_mail().
  1888. *
  1889. * @type string $to The intended recipient - site admin email address.
  1890. * @type string $subject The subject of the email.
  1891. * @type string $message The body of the email.
  1892. * @type string $headers The headers of the email.
  1893. * }
  1894. * @param WP_User $user User object for new user.
  1895. * @param string $blogname The site title.
  1896. */
  1897. $wp_new_user_notification_email_admin = apply_filters( 'wp_new_user_notification_email_admin', $wp_new_user_notification_email_admin, $user, $blogname );
  1898. wp_mail(
  1899. $wp_new_user_notification_email_admin['to'],
  1900. wp_specialchars_decode( sprintf( $wp_new_user_notification_email_admin['subject'], $blogname ) ),
  1901. $wp_new_user_notification_email_admin['message'],
  1902. $wp_new_user_notification_email_admin['headers']
  1903. );
  1904. if ( $switched_locale ) {
  1905. restore_previous_locale();
  1906. }
  1907. }
  1908. /**
  1909. * Filters whether the user is notified of their new user registration.
  1910. *
  1911. * @since 6.1.0
  1912. *
  1913. * @param bool $send Whether to send the email. Default true.
  1914. * @param WP_User $user User object for new user.
  1915. */
  1916. $send_notification_to_user = apply_filters( 'wp_send_new_user_notification_to_user', true, $user );
  1917. // `$deprecated` was pre-4.3 `$plaintext_pass`. An empty `$plaintext_pass` didn't sent a user notification.
  1918. if ( 'admin' === $notify || true !== $send_notification_to_user || ( empty( $deprecated ) && empty( $notify ) ) ) {
  1919. return;
  1920. }
  1921. $key = get_password_reset_key( $user );
  1922. if ( is_wp_error( $key ) ) {
  1923. return;
  1924. }
  1925. $switched_locale = switch_to_locale( get_user_locale( $user ) );
  1926. /* translators: %s: User login. */
  1927. $message = sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n";
  1928. $message .= __( 'To set your password, visit the following address:' ) . "\r\n\r\n";
  1929. $message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' ) . "\r\n\r\n";
  1930. $message .= wp_login_url() . "\r\n";
  1931. $wp_new_user_notification_email = array(
  1932. 'to' => $user->user_email,
  1933. /* translators: Login details notification email subject. %s: Site title. */
  1934. 'subject' => __( '[%s] Login Details' ),
  1935. 'message' => $message,
  1936. 'headers' => '',
  1937. );
  1938. /**
  1939. * Filters the contents of the new user notification email sent to the new user.
  1940. *
  1941. * @since 4.9.0
  1942. *
  1943. * @param array $wp_new_user_notification_email {
  1944. * Used to build wp_mail().
  1945. *
  1946. * @type string $to The intended recipient - New user email address.
  1947. * @type string $subject The subject of the email.
  1948. * @type string $message The body of the email.
  1949. * @type string $headers The headers of the email.
  1950. * }
  1951. * @param WP_User $user User object for new user.
  1952. * @param string $blogname The site title.
  1953. */
  1954. $wp_new_user_notification_email = apply_filters( 'wp_new_user_notification_email', $wp_new_user_notification_email, $user, $blogname );
  1955. wp_mail(
  1956. $wp_new_user_notification_email['to'],
  1957. wp_specialchars_decode( sprintf( $wp_new_user_notification_email['subject'], $blogname ) ),
  1958. $wp_new_user_notification_email['message'],
  1959. $wp_new_user_notification_email['headers']
  1960. );
  1961. if ( $switched_locale ) {
  1962. restore_previous_locale();
  1963. }
  1964. }
  1965. endif;
  1966. if ( ! function_exists( 'wp_nonce_tick' ) ) :
  1967. /**
  1968. * Returns the time-dependent variable for nonce creation.
  1969. *
  1970. * A nonce has a lifespan of two ticks. Nonces in their second tick may be
  1971. * updated, e.g. by autosave.
  1972. *
  1973. * @since 2.5.0
  1974. * @since 6.1.0 Added `$action` argument.
  1975. *
  1976. * @param string|int $action Optional. The nonce action. Default -1.
  1977. * @return float Float value rounded up to the next highest integer.
  1978. */
  1979. function wp_nonce_tick( $action = -1 ) {
  1980. /**
  1981. * Filters the lifespan of nonces in seconds.
  1982. *
  1983. * @since 2.5.0
  1984. * @since 6.1.0 Added `$action` argument to allow for more targeted filters.
  1985. *
  1986. * @param int $lifespan Lifespan of nonces in seconds. Default 86,400 seconds, or one day.
  1987. * @param string|int $action The nonce action, or -1 if none was provided.
  1988. */
  1989. $nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS, $action );
  1990. return ceil( time() / ( $nonce_life / 2 ) );
  1991. }
  1992. endif;
  1993. if ( ! function_exists( 'wp_verify_nonce' ) ) :
  1994. /**
  1995. * Verifies that a correct security nonce was used with time limit.
  1996. *
  1997. * A nonce is valid for 24 hours (by default).
  1998. *
  1999. * @since 2.0.3
  2000. *
  2001. * @param string $nonce Nonce value that was used for verification, usually via a form field.
  2002. * @param string|int $action Should give context to what is taking place and be the same when nonce was created.
  2003. * @return int|false 1 if the nonce is valid and generated between 0-12 hours ago,
  2004. * 2 if the nonce is valid and generated between 12-24 hours ago.
  2005. * False if the nonce is invalid.
  2006. */
  2007. function wp_verify_nonce( $nonce, $action = -1 ) {
  2008. $nonce = (string) $nonce;
  2009. $user = wp_get_current_user();
  2010. $uid = (int) $user->ID;
  2011. if ( ! $uid ) {
  2012. /**
  2013. * Filters whether the user who generated the nonce is logged out.
  2014. *
  2015. * @since 3.5.0
  2016. *
  2017. * @param int $uid ID of the nonce-owning user.
  2018. * @param string|int $action The nonce action, or -1 if none was provided.
  2019. */
  2020. $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
  2021. }
  2022. if ( empty( $nonce ) ) {
  2023. return false;
  2024. }
  2025. $token = wp_get_session_token();
  2026. $i = wp_nonce_tick( $action );
  2027. // Nonce generated 0-12 hours ago.
  2028. $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
  2029. if ( hash_equals( $expected, $nonce ) ) {
  2030. return 1;
  2031. }
  2032. // Nonce generated 12-24 hours ago.
  2033. $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
  2034. if ( hash_equals( $expected, $nonce ) ) {
  2035. return 2;
  2036. }
  2037. /**
  2038. * Fires when nonce verification fails.
  2039. *
  2040. * @since 4.4.0
  2041. *
  2042. * @param string $nonce The invalid nonce.
  2043. * @param string|int $action The nonce action.
  2044. * @param WP_User $user The current user object.
  2045. * @param string $token The user's session token.
  2046. */
  2047. do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );
  2048. // Invalid nonce.
  2049. return false;
  2050. }
  2051. endif;
  2052. if ( ! function_exists( 'wp_create_nonce' ) ) :
  2053. /**
  2054. * Creates a cryptographic token tied to a specific action, user, user session,
  2055. * and window of time.
  2056. *
  2057. * @since 2.0.3
  2058. * @since 4.0.0 Session tokens were integrated with nonce creation.
  2059. *
  2060. * @param string|int $action Scalar value to add context to the nonce.
  2061. * @return string The token.
  2062. */
  2063. function wp_create_nonce( $action = -1 ) {
  2064. $user = wp_get_current_user();
  2065. $uid = (int) $user->ID;
  2066. if ( ! $uid ) {
  2067. /** This filter is documented in wp-includes/pluggable.php */
  2068. $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
  2069. }
  2070. $token = wp_get_session_token( $action );
  2071. $i = wp_nonce_tick( $action );
  2072. return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
  2073. }
  2074. endif;
  2075. if ( ! function_exists( 'wp_salt' ) ) :
  2076. /**
  2077. * Returns a salt to add to hashes.
  2078. *
  2079. * Salts are created using secret keys. Secret keys are located in two places:
  2080. * in the database and in the wp-config.php file. The secret key in the database
  2081. * is randomly generated and will be appended to the secret keys in wp-config.php.
  2082. *
  2083. * The secret keys in wp-config.php should be updated to strong, random keys to maximize
  2084. * security. Below is an example of how the secret key constants are defined.
  2085. * Do not paste this example directly into wp-config.php. Instead, have a
  2086. * {@link https://api.wordpress.org/secret-key/1.1/salt/ secret key created} just
  2087. * for you.
  2088. *
  2089. * define('AUTH_KEY', ' Xakm<o xQy rw4EMsLKM-?!T+,PFF})H4lzcW57AF0U@N@< >M%G4Yt>f`z]MON');
  2090. * define('SECURE_AUTH_KEY', 'LzJ}op]mr|6+![P}Ak:uNdJCJZd>(Hx.-Mh#Tz)pCIU#uGEnfFz|f ;;eU%/U^O~');
  2091. * define('LOGGED_IN_KEY', '|i|Ux`9<p-h$aFf(qnT:sDO:D1P^wZ$$/Ra@miTJi9G;ddp_<q}6H1)o|a +&JCM');
  2092. * define('NONCE_KEY', '%:R{[P|,s.KuMltH5}cI;/k<Gx~j!f0I)m_sIyu+&NJZ)-iO>z7X>QYR0Z_XnZ@|');
  2093. * define('AUTH_SALT', 'eZyT)-Naw]F8CwA*VaW#q*|.)g@o}||wf~@C-YSt}(dh_r6EbI#A,y|nU2{B#JBW');
  2094. * define('SECURE_AUTH_SALT', '!=oLUTXh,QW=H `}`L|9/^4-3 STz},T(w}W<I`.JjPi)<Bmf1v,HpGe}T1:Xt7n');
  2095. * define('LOGGED_IN_SALT', '+XSqHc;@Q*K_b|Z?NC[3H!!EONbh.n<+=uKR:>*c(u`g~EJBf#8u#R{mUEZrozmm');
  2096. * define('NONCE_SALT', 'h`GXHhD>SLWVfg1(1(N{;.V!MoE(SfbA_ksP@&`+AycHcAV$+?@3q+rxV{%^VyKT');
  2097. *
  2098. * Salting passwords helps against tools which has stored hashed values of
  2099. * common dictionary strings. The added values makes it harder to crack.
  2100. *
  2101. * @since 2.5.0
  2102. *
  2103. * @link https://api.wordpress.org/secret-key/1.1/salt/ Create secrets for wp-config.php
  2104. *
  2105. * @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce).
  2106. * @return string Salt value
  2107. */
  2108. function wp_salt( $scheme = 'auth' ) {
  2109. static $cached_salts = array();
  2110. if ( isset( $cached_salts[ $scheme ] ) ) {
  2111. /**
  2112. * Filters the WordPress salt.
  2113. *
  2114. * @since 2.5.0
  2115. *
  2116. * @param string $cached_salt Cached salt for the given scheme.
  2117. * @param string $scheme Authentication scheme. Values include 'auth',
  2118. * 'secure_auth', 'logged_in', and 'nonce'.
  2119. */
  2120. return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
  2121. }
  2122. static $duplicated_keys;
  2123. if ( null === $duplicated_keys ) {
  2124. $duplicated_keys = array(
  2125. 'put your unique phrase here' => true,
  2126. /*
  2127. * translators: This string should only be translated if wp-config-sample.php is localized.
  2128. * You can check the localized release package or
  2129. * https://i18n.svn.wordpress.org/<locale code>/branches/<wp version>/dist/wp-config-sample.php
  2130. */
  2131. __( 'put your unique phrase here' ) => true,
  2132. );
  2133. foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) {
  2134. foreach ( array( 'KEY', 'SALT' ) as $second ) {
  2135. if ( ! defined( "{$first}_{$second}" ) ) {
  2136. continue;
  2137. }
  2138. $value = constant( "{$first}_{$second}" );
  2139. $duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] );
  2140. }
  2141. }
  2142. }
  2143. $values = array(
  2144. 'key' => '',
  2145. 'salt' => '',
  2146. );
  2147. if ( defined( 'SECRET_KEY' ) && SECRET_KEY && empty( $duplicated_keys[ SECRET_KEY ] ) ) {
  2148. $values['key'] = SECRET_KEY;
  2149. }
  2150. if ( 'auth' === $scheme && defined( 'SECRET_SALT' ) && SECRET_SALT && empty( $duplicated_keys[ SECRET_SALT ] ) ) {
  2151. $values['salt'] = SECRET_SALT;
  2152. }
  2153. if ( in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ), true ) ) {
  2154. foreach ( array( 'key', 'salt' ) as $type ) {
  2155. $const = strtoupper( "{$scheme}_{$type}" );
  2156. if ( defined( $const ) && constant( $const ) && empty( $duplicated_keys[ constant( $const ) ] ) ) {
  2157. $values[ $type ] = constant( $const );
  2158. } elseif ( ! $values[ $type ] ) {
  2159. $values[ $type ] = get_site_option( "{$scheme}_{$type}" );
  2160. if ( ! $values[ $type ] ) {
  2161. $values[ $type ] = wp_generate_password( 64, true, true );
  2162. update_site_option( "{$scheme}_{$type}", $values[ $type ] );
  2163. }
  2164. }
  2165. }
  2166. } else {
  2167. if ( ! $values['key'] ) {
  2168. $values['key'] = get_site_option( 'secret_key' );
  2169. if ( ! $values['key'] ) {
  2170. $values['key'] = wp_generate_password( 64, true, true );
  2171. update_site_option( 'secret_key', $values['key'] );
  2172. }
  2173. }
  2174. $values['salt'] = hash_hmac( 'md5', $scheme, $values['key'] );
  2175. }
  2176. $cached_salts[ $scheme ] = $values['key'] . $values['salt'];
  2177. /** This filter is documented in wp-includes/pluggable.php */
  2178. return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
  2179. }
  2180. endif;
  2181. if ( ! function_exists( 'wp_hash' ) ) :
  2182. /**
  2183. * Gets hash of given string.
  2184. *
  2185. * @since 2.0.3
  2186. *
  2187. * @param string $data Plain text to hash.
  2188. * @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce).
  2189. * @return string Hash of $data.
  2190. */
  2191. function wp_hash( $data, $scheme = 'auth' ) {
  2192. $salt = wp_salt( $scheme );
  2193. return hash_hmac( 'md5', $data, $salt );
  2194. }
  2195. endif;
  2196. if ( ! function_exists( 'wp_hash_password' ) ) :
  2197. /**
  2198. * Creates a hash (encrypt) of a plain text password.
  2199. *
  2200. * For integration with other applications, this function can be overwritten to
  2201. * instead use the other package password checking algorithm.
  2202. *
  2203. * @since 2.5.0
  2204. *
  2205. * @global PasswordHash $wp_hasher PHPass object
  2206. *
  2207. * @param string $password Plain text user password to hash.
  2208. * @return string The hash string of the password.
  2209. */
  2210. function wp_hash_password( $password ) {
  2211. global $wp_hasher;
  2212. if ( empty( $wp_hasher ) ) {
  2213. require_once ABSPATH . WPINC . '/class-phpass.php';
  2214. // By default, use the portable hash from phpass.
  2215. $wp_hasher = new PasswordHash( 8, true );
  2216. }
  2217. return $wp_hasher->HashPassword( trim( $password ) );
  2218. }
  2219. endif;
  2220. if ( ! function_exists( 'wp_check_password' ) ) :
  2221. /**
  2222. * Checks the plaintext password against the encrypted Password.
  2223. *
  2224. * Maintains compatibility between old version and the new cookie authentication
  2225. * protocol using PHPass library. The $hash parameter is the encrypted password
  2226. * and the function compares the plain text password when encrypted similarly
  2227. * against the already encrypted password to see if they match.
  2228. *
  2229. * For integration with other applications, this function can be overwritten to
  2230. * instead use the other package password checking algorithm.
  2231. *
  2232. * @since 2.5.0
  2233. *
  2234. * @global PasswordHash $wp_hasher PHPass object used for checking the password
  2235. * against the $hash + $password.
  2236. * @uses PasswordHash::CheckPassword
  2237. *
  2238. * @param string $password Plaintext user's password.
  2239. * @param string $hash Hash of the user's password to check against.
  2240. * @param string|int $user_id Optional. User ID.
  2241. * @return bool False, if the $password does not match the hashed password.
  2242. */
  2243. function wp_check_password( $password, $hash, $user_id = '' ) {
  2244. global $wp_hasher;
  2245. // If the hash is still md5...
  2246. if ( strlen( $hash ) <= 32 ) {
  2247. $check = hash_equals( $hash, md5( $password ) );
  2248. if ( $check && $user_id ) {
  2249. // Rehash using new hash.
  2250. wp_set_password( $password, $user_id );
  2251. $hash = wp_hash_password( $password );
  2252. }
  2253. /**
  2254. * Filters whether the plaintext password matches the encrypted password.
  2255. *
  2256. * @since 2.5.0
  2257. *
  2258. * @param bool $check Whether the passwords match.
  2259. * @param string $password The plaintext password.
  2260. * @param string $hash The hashed password.
  2261. * @param string|int $user_id User ID. Can be empty.
  2262. */
  2263. return apply_filters( 'check_password', $check, $password, $hash, $user_id );
  2264. }
  2265. // If the stored hash is longer than an MD5,
  2266. // presume the new style phpass portable hash.
  2267. if ( empty( $wp_hasher ) ) {
  2268. require_once ABSPATH . WPINC . '/class-phpass.php';
  2269. // By default, use the portable hash from phpass.
  2270. $wp_hasher = new PasswordHash( 8, true );
  2271. }
  2272. $check = $wp_hasher->CheckPassword( $password, $hash );
  2273. /** This filter is documented in wp-includes/pluggable.php */
  2274. return apply_filters( 'check_password', $check, $password, $hash, $user_id );
  2275. }
  2276. endif;
  2277. if ( ! function_exists( 'wp_generate_password' ) ) :
  2278. /**
  2279. * Generates a random password drawn from the defined set of characters.
  2280. *
  2281. * Uses wp_rand() is used to create passwords with far less predictability
  2282. * than similar native PHP functions like `rand()` or `mt_rand()`.
  2283. *
  2284. * @since 2.5.0
  2285. *
  2286. * @param int $length Optional. The length of password to generate. Default 12.
  2287. * @param bool $special_chars Optional. Whether to include standard special characters.
  2288. * Default true.
  2289. * @param bool $extra_special_chars Optional. Whether to include other special characters.
  2290. * Used when generating secret keys and salts. Default false.
  2291. * @return string The random password.
  2292. */
  2293. function wp_generate_password( $length = 12, $special_chars = true, $extra_special_chars = false ) {
  2294. $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
  2295. if ( $special_chars ) {
  2296. $chars .= '!@#$%^&*()';
  2297. }
  2298. if ( $extra_special_chars ) {
  2299. $chars .= '-_ []{}<>~`+=,.;:/?|';
  2300. }
  2301. $password = '';
  2302. for ( $i = 0; $i < $length; $i++ ) {
  2303. $password .= substr( $chars, wp_rand( 0, strlen( $chars ) - 1 ), 1 );
  2304. }
  2305. /**
  2306. * Filters the randomly-generated password.
  2307. *
  2308. * @since 3.0.0
  2309. * @since 5.3.0 Added the `$length`, `$special_chars`, and `$extra_special_chars` parameters.
  2310. *
  2311. * @param string $password The generated password.
  2312. * @param int $length The length of password to generate.
  2313. * @param bool $special_chars Whether to include standard special characters.
  2314. * @param bool $extra_special_chars Whether to include other special characters.
  2315. */
  2316. return apply_filters( 'random_password', $password, $length, $special_chars, $extra_special_chars );
  2317. }
  2318. endif;
  2319. if ( ! function_exists( 'wp_rand' ) ) :
  2320. /**
  2321. * Generates a random non-negative number.
  2322. *
  2323. * @since 2.6.2
  2324. * @since 4.4.0 Uses PHP7 random_int() or the random_compat library if available.
  2325. * @since 6.1.0 Returns zero instead of a random number if both `$min` and `$max` are zero.
  2326. *
  2327. * @global string $rnd_value
  2328. *
  2329. * @param int $min Optional. Lower limit for the generated number.
  2330. * Accepts positive integers or zero. Defaults to 0.
  2331. * @param int $max Optional. Upper limit for the generated number.
  2332. * Accepts positive integers. Defaults to 4294967295.
  2333. * @return int A random non-negative number between min and max.
  2334. */
  2335. function wp_rand( $min = null, $max = null ) {
  2336. global $rnd_value;
  2337. // Some misconfigured 32-bit environments (Entropy PHP, for example)
  2338. // truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
  2339. $max_random_number = 3000000000 === 2147483647 ? (float) '4294967295' : 4294967295; // 4294967295 = 0xffffffff
  2340. if ( null === $min ) {
  2341. $min = 0;
  2342. }
  2343. if ( null === $max ) {
  2344. $max = $max_random_number;
  2345. }
  2346. // We only handle ints, floats are truncated to their integer value.
  2347. $min = (int) $min;
  2348. $max = (int) $max;
  2349. // Use PHP's CSPRNG, or a compatible method.
  2350. static $use_random_int_functionality = true;
  2351. if ( $use_random_int_functionality ) {
  2352. try {
  2353. // wp_rand() can accept arguments in either order, PHP cannot.
  2354. $_max = max( $min, $max );
  2355. $_min = min( $min, $max );
  2356. $val = random_int( $_min, $_max );
  2357. if ( false !== $val ) {
  2358. return absint( $val );
  2359. } else {
  2360. $use_random_int_functionality = false;
  2361. }
  2362. } catch ( Error $e ) {
  2363. $use_random_int_functionality = false;
  2364. } catch ( Exception $e ) {
  2365. $use_random_int_functionality = false;
  2366. }
  2367. }
  2368. // Reset $rnd_value after 14 uses.
  2369. // 32 (md5) + 40 (sha1) + 40 (sha1) / 8 = 14 random numbers from $rnd_value.
  2370. if ( strlen( $rnd_value ) < 8 ) {
  2371. if ( defined( 'WP_SETUP_CONFIG' ) ) {
  2372. static $seed = '';
  2373. } else {
  2374. $seed = get_transient( 'random_seed' );
  2375. }
  2376. $rnd_value = md5( uniqid( microtime() . mt_rand(), true ) . $seed );
  2377. $rnd_value .= sha1( $rnd_value );
  2378. $rnd_value .= sha1( $rnd_value . $seed );
  2379. $seed = md5( $seed . $rnd_value );
  2380. if ( ! defined( 'WP_SETUP_CONFIG' ) && ! defined( 'WP_INSTALLING' ) ) {
  2381. set_transient( 'random_seed', $seed );
  2382. }
  2383. }
  2384. // Take the first 8 digits for our value.
  2385. $value = substr( $rnd_value, 0, 8 );
  2386. // Strip the first eight, leaving the remainder for the next call to wp_rand().
  2387. $rnd_value = substr( $rnd_value, 8 );
  2388. $value = abs( hexdec( $value ) );
  2389. // Reduce the value to be within the min - max range.
  2390. $value = $min + ( $max - $min + 1 ) * $value / ( $max_random_number + 1 );
  2391. return abs( (int) $value );
  2392. }
  2393. endif;
  2394. if ( ! function_exists( 'wp_set_password' ) ) :
  2395. /**
  2396. * Updates the user's password with a new encrypted one.
  2397. *
  2398. * For integration with other applications, this function can be overwritten to
  2399. * instead use the other package password checking algorithm.
  2400. *
  2401. * Please note: This function should be used sparingly and is really only meant for single-time
  2402. * application. Leveraging this improperly in a plugin or theme could result in an endless loop
  2403. * of password resets if precautions are not taken to ensure it does not execute on every page load.
  2404. *
  2405. * @since 2.5.0
  2406. *
  2407. * @global wpdb $wpdb WordPress database abstraction object.
  2408. *
  2409. * @param string $password The plaintext new user password.
  2410. * @param int $user_id User ID.
  2411. */
  2412. function wp_set_password( $password, $user_id ) {
  2413. global $wpdb;
  2414. $hash = wp_hash_password( $password );
  2415. $wpdb->update(
  2416. $wpdb->users,
  2417. array(
  2418. 'user_pass' => $hash,
  2419. 'user_activation_key' => '',
  2420. ),
  2421. array( 'ID' => $user_id )
  2422. );
  2423. clean_user_cache( $user_id );
  2424. }
  2425. endif;
  2426. if ( ! function_exists( 'get_avatar' ) ) :
  2427. /**
  2428. * Retrieves the avatar `<img>` tag for a user, email address, MD5 hash, comment, or post.
  2429. *
  2430. * @since 2.5.0
  2431. * @since 4.2.0 Optional `$args` parameter added.
  2432. *
  2433. * @param mixed $id_or_email The Gravatar to retrieve. Accepts a user_id, gravatar md5 hash,
  2434. * user email, WP_User object, WP_Post object, or WP_Comment object.
  2435. * @param int $size Optional. Height and width of the avatar image file in pixels. Default 96.
  2436. * @param string $default Optional. URL for the default image or a default type. Accepts '404'
  2437. * (return a 404 instead of a default image), 'retro' (8bit), 'monsterid'
  2438. * (monster), 'wavatar' (cartoon face), 'indenticon' (the "quilt"),
  2439. * 'mystery', 'mm', or 'mysteryman' (The Oyster Man), 'blank' (transparent GIF),
  2440. * or 'gravatar_default' (the Gravatar logo). Default is the value of the
  2441. * 'avatar_default' option, with a fallback of 'mystery'.
  2442. * @param string $alt Optional. Alternative text to use in img tag. Default empty.
  2443. * @param array $args {
  2444. * Optional. Extra arguments to retrieve the avatar.
  2445. *
  2446. * @type int $height Display height of the avatar in pixels. Defaults to $size.
  2447. * @type int $width Display width of the avatar in pixels. Defaults to $size.
  2448. * @type bool $force_default Whether to always show the default image, never the Gravatar. Default false.
  2449. * @type string $rating What rating to display avatars up to. Accepts 'G', 'PG', 'R', 'X', and are
  2450. * judged in that order. Default is the value of the 'avatar_rating' option.
  2451. * @type string $scheme URL scheme to use. See set_url_scheme() for accepted values.
  2452. * Default null.
  2453. * @type array|string $class Array or string of additional classes to add to the img element.
  2454. * Default null.
  2455. * @type bool $force_display Whether to always show the avatar - ignores the show_avatars option.
  2456. * Default false.
  2457. * @type string $loading Value for the `loading` attribute.
  2458. * Default null.
  2459. * @type string $extra_attr HTML attributes to insert in the IMG element. Is not sanitized. Default empty.
  2460. * }
  2461. * @return string|false `<img>` tag for the user's avatar. False on failure.
  2462. */
  2463. function get_avatar( $id_or_email, $size = 96, $default = '', $alt = '', $args = null ) {
  2464. $defaults = array(
  2465. // get_avatar_data() args.
  2466. 'size' => 96,
  2467. 'height' => null,
  2468. 'width' => null,
  2469. 'default' => get_option( 'avatar_default', 'mystery' ),
  2470. 'force_default' => false,
  2471. 'rating' => get_option( 'avatar_rating' ),
  2472. 'scheme' => null,
  2473. 'alt' => '',
  2474. 'class' => null,
  2475. 'force_display' => false,
  2476. 'loading' => null,
  2477. 'extra_attr' => '',
  2478. 'decoding' => 'async',
  2479. );
  2480. if ( wp_lazy_loading_enabled( 'img', 'get_avatar' ) ) {
  2481. $defaults['loading'] = wp_get_loading_attr_default( 'get_avatar' );
  2482. }
  2483. if ( empty( $args ) ) {
  2484. $args = array();
  2485. }
  2486. $args['size'] = (int) $size;
  2487. $args['default'] = $default;
  2488. $args['alt'] = $alt;
  2489. $args = wp_parse_args( $args, $defaults );
  2490. if ( empty( $args['height'] ) ) {
  2491. $args['height'] = $args['size'];
  2492. }
  2493. if ( empty( $args['width'] ) ) {
  2494. $args['width'] = $args['size'];
  2495. }
  2496. if ( is_object( $id_or_email ) && isset( $id_or_email->comment_ID ) ) {
  2497. $id_or_email = get_comment( $id_or_email );
  2498. }
  2499. /**
  2500. * Allows the HTML for a user's avatar to be returned early.
  2501. *
  2502. * Returning a non-null value will effectively short-circuit get_avatar(), passing
  2503. * the value through the {@see 'get_avatar'} filter and returning early.
  2504. *
  2505. * @since 4.2.0
  2506. *
  2507. * @param string|null $avatar HTML for the user's avatar. Default null.
  2508. * @param mixed $id_or_email The avatar to retrieve. Accepts a user_id, Gravatar MD5 hash,
  2509. * user email, WP_User object, WP_Post object, or WP_Comment object.
  2510. * @param array $args Arguments passed to get_avatar_url(), after processing.
  2511. */
  2512. $avatar = apply_filters( 'pre_get_avatar', null, $id_or_email, $args );
  2513. if ( ! is_null( $avatar ) ) {
  2514. /** This filter is documented in wp-includes/pluggable.php */
  2515. return apply_filters( 'get_avatar', $avatar, $id_or_email, $args['size'], $args['default'], $args['alt'], $args );
  2516. }
  2517. if ( ! $args['force_display'] && ! get_option( 'show_avatars' ) ) {
  2518. return false;
  2519. }
  2520. $url2x = get_avatar_url( $id_or_email, array_merge( $args, array( 'size' => $args['size'] * 2 ) ) );
  2521. $args = get_avatar_data( $id_or_email, $args );
  2522. $url = $args['url'];
  2523. if ( ! $url || is_wp_error( $url ) ) {
  2524. return false;
  2525. }
  2526. $class = array( 'avatar', 'avatar-' . (int) $args['size'], 'photo' );
  2527. if ( ! $args['found_avatar'] || $args['force_default'] ) {
  2528. $class[] = 'avatar-default';
  2529. }
  2530. if ( $args['class'] ) {
  2531. if ( is_array( $args['class'] ) ) {
  2532. $class = array_merge( $class, $args['class'] );
  2533. } else {
  2534. $class[] = $args['class'];
  2535. }
  2536. }
  2537. // Add `loading` attribute.
  2538. $extra_attr = $args['extra_attr'];
  2539. $loading = $args['loading'];
  2540. if ( in_array( $loading, array( 'lazy', 'eager' ), true ) && ! preg_match( '/\bloading\s*=/', $extra_attr ) ) {
  2541. if ( ! empty( $extra_attr ) ) {
  2542. $extra_attr .= ' ';
  2543. }
  2544. $extra_attr .= "loading='{$loading}'";
  2545. }
  2546. if ( in_array( $args['decoding'], array( 'async', 'sync', 'auto' ) ) && ! preg_match( '/\bdecoding\s*=/', $extra_attr ) ) {
  2547. if ( ! empty( $extra_attr ) ) {
  2548. $extra_attr .= ' ';
  2549. }
  2550. $extra_attr .= "decoding='{$args['decoding']}'";
  2551. }
  2552. $avatar = sprintf(
  2553. "<img alt='%s' src='%s' srcset='%s' class='%s' height='%d' width='%d' %s/>",
  2554. esc_attr( $args['alt'] ),
  2555. esc_url( $url ),
  2556. esc_url( $url2x ) . ' 2x',
  2557. esc_attr( implode( ' ', $class ) ),
  2558. (int) $args['height'],
  2559. (int) $args['width'],
  2560. $extra_attr
  2561. );
  2562. /**
  2563. * Filters the HTML for a user's avatar.
  2564. *
  2565. * @since 2.5.0
  2566. * @since 4.2.0 The `$args` parameter was added.
  2567. *
  2568. * @param string $avatar HTML for the user's avatar.
  2569. * @param mixed $id_or_email The avatar to retrieve. Accepts a user_id, Gravatar MD5 hash,
  2570. * user email, WP_User object, WP_Post object, or WP_Comment object.
  2571. * @param int $size Square avatar width and height in pixels to retrieve.
  2572. * @param string $default URL for the default image or a default type. Accepts '404', 'retro', 'monsterid',
  2573. * 'wavatar', 'indenticon', 'mystery', 'mm', 'mysteryman', 'blank', or 'gravatar_default'.
  2574. * @param string $alt Alternative text to use in the avatar image tag.
  2575. * @param array $args Arguments passed to get_avatar_data(), after processing.
  2576. */
  2577. return apply_filters( 'get_avatar', $avatar, $id_or_email, $args['size'], $args['default'], $args['alt'], $args );
  2578. }
  2579. endif;
  2580. if ( ! function_exists( 'wp_text_diff' ) ) :
  2581. /**
  2582. * Displays a human readable HTML representation of the difference between two strings.
  2583. *
  2584. * The Diff is available for getting the changes between versions. The output is
  2585. * HTML, so the primary use is for displaying the changes. If the two strings
  2586. * are equivalent, then an empty string will be returned.
  2587. *
  2588. * @since 2.6.0
  2589. *
  2590. * @see wp_parse_args() Used to change defaults to user defined settings.
  2591. * @uses Text_Diff
  2592. * @uses WP_Text_Diff_Renderer_Table
  2593. *
  2594. * @param string $left_string "old" (left) version of string.
  2595. * @param string $right_string "new" (right) version of string.
  2596. * @param string|array $args {
  2597. * Associative array of options to pass to WP_Text_Diff_Renderer_Table().
  2598. *
  2599. * @type string $title Titles the diff in a manner compatible
  2600. * with the output. Default empty.
  2601. * @type string $title_left Change the HTML to the left of the title.
  2602. * Default empty.
  2603. * @type string $title_right Change the HTML to the right of the title.
  2604. * Default empty.
  2605. * @type bool $show_split_view True for split view (two columns), false for
  2606. * un-split view (single column). Default true.
  2607. * }
  2608. * @return string Empty string if strings are equivalent or HTML with differences.
  2609. */
  2610. function wp_text_diff( $left_string, $right_string, $args = null ) {
  2611. $defaults = array(
  2612. 'title' => '',
  2613. 'title_left' => '',
  2614. 'title_right' => '',
  2615. 'show_split_view' => true,
  2616. );
  2617. $args = wp_parse_args( $args, $defaults );
  2618. if ( ! class_exists( 'WP_Text_Diff_Renderer_Table', false ) ) {
  2619. require ABSPATH . WPINC . '/wp-diff.php';
  2620. }
  2621. $left_string = normalize_whitespace( $left_string );
  2622. $right_string = normalize_whitespace( $right_string );
  2623. $left_lines = explode( "\n", $left_string );
  2624. $right_lines = explode( "\n", $right_string );
  2625. $text_diff = new Text_Diff( $left_lines, $right_lines );
  2626. $renderer = new WP_Text_Diff_Renderer_Table( $args );
  2627. $diff = $renderer->render( $text_diff );
  2628. if ( ! $diff ) {
  2629. return '';
  2630. }
  2631. $is_split_view = ! empty( $args['show_split_view'] );
  2632. $is_split_view_class = $is_split_view ? ' is-split-view' : '';
  2633. $r = "<table class='diff$is_split_view_class'>\n";
  2634. if ( $args['title'] ) {
  2635. $r .= "<caption class='diff-title'>$args[title]</caption>\n";
  2636. }
  2637. if ( $args['title_left'] || $args['title_right'] ) {
  2638. $r .= '<thead>';
  2639. }
  2640. if ( $args['title_left'] || $args['title_right'] ) {
  2641. $th_or_td_left = empty( $args['title_left'] ) ? 'td' : 'th';
  2642. $th_or_td_right = empty( $args['title_right'] ) ? 'td' : 'th';
  2643. $r .= "<tr class='diff-sub-title'>\n";
  2644. $r .= "\t<$th_or_td_left>$args[title_left]</$th_or_td_left>\n";
  2645. if ( $is_split_view ) {
  2646. $r .= "\t<$th_or_td_right>$args[title_right]</$th_or_td_right>\n";
  2647. }
  2648. $r .= "</tr>\n";
  2649. }
  2650. if ( $args['title_left'] || $args['title_right'] ) {
  2651. $r .= "</thead>\n";
  2652. }
  2653. $r .= "<tbody>\n$diff\n</tbody>\n";
  2654. $r .= '</table>';
  2655. return $r;
  2656. }
  2657. endif;