Updated Wordpress 4.5.3

e636ca21 · lucha · cd5cc004 · e636ca21 · e636ca21 · e636ca21
Commit e636ca21 authored Aug 06, 2016 by lucha
33 changed files
--- a/readme.html
+++ b/readme.html
@@ -9,7 +9,7 @@
 <body>
 <h1 id="logo">
 	<a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
-	<br /> Version 4.5.2
+	<br /> Version 4.5.3
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>


--- a/wp-admin/about.php
+++ b/wp-admin/about.php
@@ -40,6 +40,10 @@ include( ABSPATH . 'wp-admin/admin-header.php' );

 		<div class="changelog point-releases">
 			<h3><?php _e( 'Maintenance and Security Releases' ); ?></h3>
+			<p><?php printf( _n( '<strong>Version %s</strong> addressed some security issues and fixed %2$s bug.',
+				'<strong>Version %s</strong> addressed some security issues and fixed %2$s bugs.', 17 ), '4.5.3', number_format_i18n( 17 ) ); ?>
+				<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.5.3' ); ?>
+			</p>
 			<p><?php printf( __( '<strong>Version %s</strong> addressed some security issues.' ), '4.5.2' ); ?>
 				<?php printf( __( 'For more information, see <a href="%s">the release notes</a>.' ), 'https://codex.wordpress.org/Version_4.5.2' ); ?>
 			</p>

--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@@ -2761,7 +2761,7 @@ function wp_ajax_get_revision_diffs() {
 	if ( ! $post = get_post( (int) $_REQUEST['post_id'] ) )
 		wp_send_json_error();

-	if ( ! current_user_can( 'read_post', $post->ID ) )
+	if ( ! current_user_can( 'edit_post', $post->ID ) )
 		wp_send_json_error();

 	// Really just pre-loading the cache here.

--- a/wp-admin/includes/class-wp-media-list-table.php
+++ b/wp-admin/includes/class-wp-media-list-table.php
@@ -395,7 +395,7 @@ class WP_Media_List_Table extends WP_List_Table {
 			<span class="screen-reader-text"><?php _e( 'File name:' ); ?> </span>
 			<?php
 			$file = get_attached_file( $post->ID );
-			echo wp_basename( $file );
+			echo esc_html( wp_basename( $file ) );
 			?>
 		</p>
 		<?php

--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@@ -165,6 +165,13 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
 		$post_data['post_date_gmt'] = get_gmt_from_date( $post_data['post_date'] );
 	}

+	if ( isset( $post_data['post_category'] ) ) {
+		$category_object = get_taxonomy( 'category' );
+		if ( ! current_user_can( $category_object->cap->assign_terms ) ) {
+			unset( $post_data['post_category'] );
+		}
+	}
+
 	return $post_data;
 }

@@ -1312,7 +1319,7 @@ function get_sample_permalink_html( $id, $new_title = null, $new_slug = null ) {

 		if ( false !== $view_link ) {
 			$display_link = urldecode( $view_link );
-			$return .= '<a id="sample-permalink" href="' . esc_url( $view_link ) . '"' . $preview_target . '>' . $display_link . "</a>\n";
+			$return .= '<a id="sample-permalink" href="' . esc_url( $view_link ) . '"' . $preview_target . '>' . esc_html( $display_link ) . "</a>\n";
 		} else {
 			$return .= '<span id="sample-permalink">' . $permalink . "</span>\n";
 		}
@@ -1336,14 +1343,14 @@ function get_sample_permalink_html( $id, $new_title = null, $new_slug = null ) {
 			}
 		}

-		$post_name_html = '<span id="editable-post-name">' . $post_name_abridged . '</span>';
-		$display_link = str_replace( array( '%pagename%', '%postname%' ), $post_name_html, urldecode( $permalink ) );
+		$post_name_html = '<span id="editable-post-name">' . esc_html( $post_name_abridged ) . '</span>';
+		$display_link = str_replace( array( '%pagename%', '%postname%' ), $post_name_html, esc_html( urldecode( $permalink ) ) );

 		$return = '<strong>' . __( 'Permalink:' ) . "</strong>\n";
 		$return .= '<span id="sample-permalink"><a href="' . esc_url( $view_link ) . '"' . $preview_target . '>' . $display_link . "</a></span>\n";
 		$return .= '&lrm;'; // Fix bi-directional text display defect in RTL languages.
 		$return .= '<span id="edit-slug-buttons"><button type="button" class="edit-slug button button-small hide-if-no-js" aria-label="' . __( 'Edit permalink' ) . '">' . __( 'Edit' ) . "</button></span>\n";
-		$return .= '<span id="editable-post-name-full">' . $post_name . "</span>\n";
+		$return .= '<span id="editable-post-name-full">' . esc_html( $post_name ) . "</span>\n";
 	}

 	/**

--- a/wp-admin/includes/upgrade.php
+++ b/wp-admin/includes/upgrade.php
@@ -2154,6 +2154,9 @@ function dbDelta( $queries = '', $execute = true ) {
 	 */
 	$iqueries = apply_filters( 'dbdelta_insert_queries', $iqueries );

+	$text_fields = array( 'tinytext', 'text', 'mediumtext', 'longtext' );
+	$blob_fields = array( 'tinyblob', 'blob', 'mediumblob', 'longblob' );
+
 	$global_tables = $wpdb->tables( 'global' );
 	foreach ( $cqueries as $table => $qry ) {
 		// Upgrade global tables only for the main site. Don't upgrade at all if conditions are not optimal.
@@ -2223,9 +2226,24 @@ function dbDelta( $queries = '', $execute = true ) {

 				// Is actual field type different from the field type in query?
 				if ($tablefield->Type != $fieldtype) {
+					$do_change = true;
+					if ( in_array( strtolower( $fieldtype ), $text_fields ) && in_array( strtolower( $tablefield->Type ), $text_fields ) ) {
+						if ( array_search( strtolower( $fieldtype ), $text_fields ) < array_search( strtolower( $tablefield->Type ), $text_fields ) ) {
+							$do_change = false;
+						}
+					}
+
+					if ( in_array( strtolower( $fieldtype ), $blob_fields ) && in_array( strtolower( $tablefield->Type ), $blob_fields ) ) {
+						if ( array_search( strtolower( $fieldtype ), $blob_fields ) < array_search( strtolower( $tablefield->Type ), $blob_fields ) ) {
+							$do_change = false;
+						}
+					}
+
+					if ( $do_change ) {
 					// Add a query to change the column type
-					$cqueries[] = "ALTER TABLE {$table} CHANGE COLUMN {$tablefield->Field} " . $cfields[strtolower($tablefield->Field)];
-					$for_update[$table.'.'.$tablefield->Field] = "Changed type of {$table}.{$tablefield->Field} from {$tablefield->Type} to {$fieldtype}";
+						$cqueries[] = "ALTER TABLE {$table} CHANGE COLUMN {$tablefield->Field} " . $cfields[strtolower($tablefield->Field)];
+						$for_update[$table.'.'.$tablefield->Field] = "Changed type of {$table}.{$tablefield->Field} from {$tablefield->Type} to {$fieldtype}";
+					}
 				}

 				// Get the default value from the array

--- a/wp-admin/nav-menus.php
+++ b/wp-admin/nav-menus.php
@@ -49,30 +49,108 @@ $num_locations = count( array_keys( $locations ) );
 // Allowed actions: add, update, delete
 $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'edit';

-/*
- * If a JSON blob of navigation menu data is found, expand it and inject it
- * into `$_POST` to avoid PHP `max_input_vars` limitations. See #14134.
+/**
+ * If a JSON blob of navigation menu data is in POST data, expand it and inject
+ * it into `$_POST` to avoid PHP `max_input_vars` limitations. See #14134.
+ *
+ * @ignore
+ * @since 4.5.3
+ * @access private
 */
-if ( isset( $_POST['nav-menu-data'] ) ) {
+function _wp_expand_nav_menu_post_data() {
+	if ( ! isset( $_POST['nav-menu-data'] ) ) {
+		return;
+	}
+
 	$data = json_decode( stripslashes( $_POST['nav-menu-data'] ) );
+
 	if ( ! is_null( $data ) && $data ) {
 		foreach ( $data as $post_input_data ) {
-			// For input names that are arrays (e.g. `menu-item-db-id[3]`), derive the array path keys via regex.
-			if ( preg_match( '#(.*)\[(\w+)\]#', $post_input_data->name, $matches ) ) {
-				if ( empty( $_POST[ $matches[1] ] ) ) {
-					$_POST[ $matches[1] ] = array();
-				}
-				// Cast input elements with a numeric array index to integers.
-				if ( is_numeric( $matches[2] ) ) {
-					$matches[2] = (int) $matches[2];
+			// For input names that are arrays (e.g. `menu-item-db-id[3][4][5]`),
+			// derive the array path keys via regex and set the value in $_POST.
+			preg_match( '#([^\[]*)(\[(.+)\])?#', $post_input_data->name, $matches );
+
+			$array_bits = array( $matches[1] );
+
+			if ( isset( $matches[3] ) ) {
+				$array_bits = array_merge( $array_bits, explode( '][', $matches[3] ) );
+			}
+
+			$new_post_data = array();
+
+			// Build the new array value from leaf to trunk.
+			for ( $i = count( $array_bits ) - 1; $i >= 0; $i -- ) {
+				if ( $i == count( $array_bits ) - 1 ) {
+					$new_post_data[ $array_bits[ $i ] ] = wp_slash( $post_input_data->value );
+				} else {
+					$new_post_data = array( $array_bits[ $i ] => $new_post_data );
 				}
-				$_POST[ $matches[1] ][ $matches[2] ] = wp_slash( $post_input_data->value );
-			} else {
-				$_POST[ $post_input_data->name ] = wp_slash( $post_input_data->value );
 			}
+
+			$_POST = array_replace_recursive( $_POST, $new_post_data );
 		}
 	}
 }
+
+if ( ! function_exists( 'array_replace_recursive' ) ) :
+	/**
+	 * PHP-agnostic version of {@link array_replace_recursive()}.
+	 *
+	 * The array_replace_recursive() function is a PHP 5.3 function. WordPress
+	 * currently supports down to PHP 5.2, so this method is a workaround
+	 * for PHP 5.2.
+	 *
+	 * Note: array_replace_recursive() supports infinite arguments, but for our use-
+	 * case, we only need to support two arguments.
+	 *
+	 * Subject to removal once WordPress makes PHP 5.3.0 the minimum requirement.
+	 *
+	 * @since 4.5.3
+	 *
+	 * @see http://php.net/manual/en/function.array-replace-recursive.php#109390
+	 *
+	 * @param  array $base         Array with keys needing to be replaced.
+	 * @param  array $replacements Array with the replaced keys.
+	 *
+	 * @return array
+	 */
+	function array_replace_recursive( $base = array(), $replacements = array() ) {
+		foreach ( array_slice( func_get_args(), 1 ) as $replacements ) {
+			$bref_stack = array( &$base );
+			$head_stack = array( $replacements );
+
+			do {
+				end( $bref_stack );
+
+				$bref = &$bref_stack[ key( $bref_stack ) ];
+				$head = array_pop( $head_stack );
+
+				unset( $bref_stack[ key( $bref_stack ) ] );
+
+				foreach ( array_keys( $head ) as $key ) {
+					if ( isset( $key, $bref ) &&
+					     isset( $bref[ $key ] ) && is_array( $bref[ $key ] ) &&
+					     isset( $head[ $key ] ) && is_array( $head[ $key ] )
+					) {
+						$bref_stack[] = &$bref[ $key ];
+						$head_stack[] = $head[ $key ];
+					} else {
+						$bref[ $key ] = $head[ $key ];
+					}
+				}
+			} while ( count( $head_stack ) );
+		}
+
+		return $base;
+	}
+endif;
+
+/*
+ * If a JSON blob of navigation menu data is found, expand it and inject it
+ * into `$_POST` to avoid PHP `max_input_vars` limitations. See #14134.
+ */
+_wp_expand_nav_menu_post_data();
+
 switch ( $action ) {
 	case 'add-menu-item':
 		check_admin_referer( 'add-menu_item', 'menu-settings-column-nonce' );

--- a/wp-admin/options.php
+++ b/wp-admin/options.php
@@ -84,7 +84,7 @@ if ( is_multisite() && ! is_super_admin() && 'update' != $action ) {
 $whitelist_options = array(
 	'general' => array( 'blogname', 'blogdescription', 'gmt_offset', 'date_format', 'time_format', 'start_of_week', 'timezone_string', 'WPLANG' ),
 	'discussion' => array( 'default_pingback_flag', 'default_ping_status', 'default_comment_status', 'comments_notify', 'moderation_notify', 'comment_moderation', 'require_name_email', 'comment_whitelist', 'comment_max_links', 'moderation_keys', 'blacklist_keys', 'show_avatars', 'avatar_rating', 'avatar_default', 'close_comments_for_old_posts', 'close_comments_days_old', 'thread_comments', 'thread_comments_depth', 'page_comments', 'comments_per_page', 'default_comments_page', 'comment_order', 'comment_registration' ),
-	'media' => array( 'thumbnail_size_w', 'thumbnail_size_h', 'thumbnail_crop', 'medium_size_w', 'medium_size_h', 'medium_large_size_w', 'medium_large_size_h', 'large_size_w', 'large_size_h', 'image_default_size', 'image_default_align', 'image_default_link_type' ),
+	'media' => array( 'thumbnail_size_w', 'thumbnail_size_h', 'thumbnail_crop', 'medium_size_w', 'medium_size_h', 'large_size_w', 'large_size_h', 'image_default_size', 'image_default_align', 'image_default_link_type' ),
 	'reading' => array( 'posts_per_page', 'posts_per_rss', 'rss_use_excerpt', 'show_on_front', 'page_on_front', 'page_for_posts', 'blog_public' ),
 	'writing' => array( 'default_category', 'default_email_category', 'default_link_category', 'default_post_format' )
 );

--- a/wp-admin/revision.php
+++ b/wp-admin/revision.php
@@ -63,7 +63,7 @@ default :
 	if ( ! $post = get_post( $revision->post_parent ) )
 		break;

-	if ( ! current_user_can( 'read_post', $revision->ID ) || ! current_user_can( 'read_post', $post->ID ) )
+	if ( ! current_user_can( 'read_post', $revision->ID ) || ! current_user_can( 'edit_post', $revision->post_parent ) )
 		break;

 	// Revisions disabled and we're not looking at an autosave

--- a/wp-includes/class-oembed.php
+++ b/wp-includes/class-oembed.php
@@ -315,10 +315,32 @@ class WP_oEmbed {
 	 * @return false|string False on failure, otherwise the UNSANITIZED (and potentially unsafe) HTML that should be used to embed.
 	 */
 	public function get_html( $url, $args = '' ) {
+		/**
+		 * Filters the oEmbed result before any HTTP requests are made.
+		 *
+		 * This allows one to short-circuit the default logic, perhaps by
+		 * replacing it with a routine that is more optimal for your setup.
+		 *
+		 * Passing a non-null value to the filter will effectively short-circuit retrieval,
+		 * returning the passed value instead.
+		 *
+		 * @since 4.5.3
+		 *
+		 * @param null|string $result The UNSANITIZED (and potentially unsafe) HTML that should be used to embed. Default null.
+		 * @param string      $url    The URL to the content that should be attempted to be embedded.
+		 * @param array       $args   Optional. Arguments, usually passed from a shortcode. Default empty.
+		 */
+		$pre = apply_filters( 'pre_oembed_result', null, $url, $args );
+
+		if ( null !== $pre ) {
+			return $pre;
+		}
+
 		$provider = $this->get_provider( $url, $args );

-		if ( !$provider || false === $data = $this->fetch( $provider, $url, $args ) )
+		if ( ! $provider || false === $data = $this->fetch( $provider, $url, $args ) ) {
 			return false;
+		}

 		/**
 		 * Filter the HTML returned by the oEmbed provider.

--- a/wp-includes/class-wp-customize-manager.php
+++ b/wp-includes/class-wp-customize-manager.php
@@ -1542,6 +1542,7 @@ final class WP_Customize_Manager {
 	 * @param string $preview_url URL to be previewed.
 	 */
 	public function set_preview_url( $preview_url ) {
+		$preview_url = esc_url_raw( $preview_url );
 		$this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) );
 	}

@@ -1573,6 +1574,7 @@ final class WP_Customize_Manager {
 	 * @param string $return_url URL for return link.
 	 */
 	public function set_return_url( $return_url ) {
+		$return_url = esc_url_raw( $return_url );
 		$return_url = remove_query_arg( wp_removable_query_args(), $return_url );
 		$return_url = wp_validate_redirect( $return_url );
 		$this->return_url = $return_url;

--- a/wp-includes/class-wp-customize-widgets.php
+++ b/wp-includes/class-wp-customize-widgets.php
@@ -1061,7 +1061,7 @@ final class WP_Customize_Widgets {
 	 * @return array
 	 */
 	public function preview_sidebars_widgets( $sidebars_widgets ) {
-		$sidebars_widgets = get_option( 'sidebars_widgets' );
+		$sidebars_widgets = get_option( 'sidebars_widgets', array() );

 		unset( $sidebars_widgets['array_version'] );
 		return $sidebars_widgets;

--- a/wp-includes/customize/class-wp-customize-media-control.php
+++ b/wp-includes/customize/class-wp-customize-media-control.php
@@ -214,7 +214,7 @@ class WP_Customize_Media_Control extends WP_Customize_Control {
 			</div>
 			<div class="actions">
 				<# if ( data.defaultAttachment ) { #>
-					<button type="button" class="button default-button">{{ data.button_labels.default }}</button>
+					<button type="button" class="button default-button">{{ data.button_labels['default'] }}</button>
 				<# } #>
 				<# if ( data.canUpload ) { #>
 				<button type="button" class="button upload-button" id="{{ data.settings['default'] }}-button">{{ data.button_labels.select }}</button>

--- a/wp-includes/customize/class-wp-customize-site-icon-control.php
+++ b/wp-includes/customize/class-wp-customize-site-icon-control.php
@@ -60,6 +60,7 @@ class WP_Customize_Site_Icon_Control extends WP_Customize_Cropped_Image_Control
 		</label>

 		<# if ( data.attachment && data.attachment.id ) { #>
+		<# if ( data.attachment.sizes ) { #>
 		<div class="current">
 			<div class="container">
 				<div class="site-icon-preview">
@@ -75,6 +76,7 @@ class WP_Customize_Site_Icon_Control extends WP_Customize_Cropped_Image_Control
 				</div>
 			</div>
 		</div>
+		<# } #>
 		<div class="actions">
 			<# if ( data.canUpload ) { #>
 				<button type="button" class="button remove-button"><?php echo $this->button_labels['remove']; ?></button>

--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -476,5 +476,6 @@ add_filter( 'the_excerpt_embed',      'wp_embed_excerpt_attachment'           );

 add_filter( 'oembed_dataparse',       'wp_filter_oembed_result',        10, 3 );
 add_filter( 'oembed_response_data',   'get_oembed_response_data_rich',  10, 4 );
+add_filter( 'pre_oembed_result',      'wp_filter_pre_oembed_result',    10, 3 );

 unset( $filter, $action );
--- a/wp-includes/embed.php
+++ b/wp-includes/embed.php
@@ -1079,3 +1079,39 @@ function the_embed_site_title() {
 	 */
 	echo apply_filters( 'embed_site_title_html', $site_title );
 }
+
+/**
+ * Filters the oEmbed result before any HTTP requests are made.
+ *
+ * If the URL belongs to the current site, the result is fetched directly instead of
+ * going through the oEmbed discovery process.
+ *
+ * @since 4.5.3
+ *
+ * @param null|string $result The UNSANITIZED (and potentially unsafe) HTML that should be used to embed. Default null.
+ * @param string      $url    The URL that should be inspected for discovery `<link>` tags.
+ * @param array       $args   oEmbed remote get arguments.
+ * @return null|string The UNSANITIZED (and potentially unsafe) HTML that should be used to embed.
+ *                     Null if the URL does not belong to the current site.
+ */
+function wp_filter_pre_oembed_result( $result, $url, $args ) {
+	$post_id = url_to_postid( $url );
+
+	/** This filter is documented in wp-includes/class-wp-oembed-controller.php */
+	$post_id = apply_filters( 'oembed_request_post_id', $post_id, $url );
+
+	if ( ! $post_id ) {
+		return $result;
+	}
+
+	$width = isset( $args['width'] ) ? $args['width'] : 0;
+
+	$data = get_oembed_response_data( $post_id, $width );
+	$data = _wp_oembed_get_object()->data2html( (object) $data, $url );
+
+	if ( ! $data ) {
+		return $result;
+	}
+
+	return $data;
+}
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -1364,7 +1364,8 @@ function remove_accents( $string ) {
 * operating systems and special characters requiring special escaping
 * to manipulate at the command line. Replaces spaces and consecutive
 * dashes with a single dash. Trims period, dash and underscore from beginning
- * and end of filename.
+ * and end of filename. It is not guaranteed that this function will return a
+ * filename that is allowed to be uploaded.
 *
 * @since 2.1.0
 *
@@ -1389,6 +1390,14 @@ function sanitize_file_name( $filename ) {
 	$filename = preg_replace( '/[\r\n\t -]+/', '-', $filename );
 	$filename = trim( $filename, '.-_' );

+	if ( false === strpos( $filename, '.' ) ) {
+		$mime_types = wp_get_mime_types();
+		$filetype = wp_check_filetype( 'test.' . $filename, $mime_types );
+		if ( $filetype['ext'] === $filename ) {
+			$filename = 'unnamed-file.' . $filetype['ext'];
+		}
+	}
+
 	// Split the filename into a base and extension[s]
 	$parts = explode('.', $filename);


--- a/wp-includes/js/jquery/jquery-migrate.js
+++ b/wp-includes/js/jquery/jquery-migrate.js
 /*!
- * jQuery Migrate - v1.4.0 - 2016-02-26
+ * jQuery Migrate - v1.4.1 - 2016-05-19
 * Copyright jQuery Foundation and other contributors
 */
 (function( jQuery, window, undefined ) {
@@ -7,7 +7,7 @@
 // "use strict";


-jQuery.migrateVersion = "1.4.0";
+jQuery.migrateVersion = "1.4.1";


 var warnedAbout = {};
@@ -193,9 +193,11 @@ jQuery.attrHooks.value = {

 var matched, browser,
 	oldInit = jQuery.fn.init,
+	oldFind = jQuery.find,
 	oldParseJSON = jQuery.parseJSON,
 	rspaceAngle = /^\s*</,
-	rattrHash = /\[\s*\w+\s*[~|^$*]?=\s*(?![\s'"])[^#\]]*#/,
+	rattrHashTest = /\[(\s*[-\w]+\s*)([~|^$*]?=)\s*([-\w#]*?#[-\w#]*)\s*\]/,
+	rattrHashGlob = /\[(\s*[-\w]+\s*)([~|^$*]?=)\s*([-\w#]*?#[-\w#]*)\s*\]/g,
 	// Note: XSS check is done below after string is trimmed
 	rquickExpr = /^([^<]*)(<[\w\W]+>)([^>]*)$/;

@@ -203,45 +205,37 @@ var matched, browser,
 jQuery.fn.init = function( selector, context, rootjQuery ) {
 	var match, ret;

-	if ( selector && typeof selector === "string" && !jQuery.isPlainObject( context ) &&
-			(match = rquickExpr.exec( jQuery.trim( selector ) )) && match[ 0 ] ) {
-		// This is an HTML string according to the "old" rules; is it still?
-		if ( !rspaceAngle.test( selector ) ) {
-			migrateWarn("$(html) HTML strings must start with '<' character");
-		}
-		if ( match[ 3 ] ) {
-			migrateWarn("$(html) HTML text after last tag is ignored");
-		}
-
-		// Consistently reject any HTML-like string starting with a hash (#9521)
-		// Note that this may break jQuery 1.6.x code that otherwise would work.
-		if ( match[ 0 ].charAt( 0 ) === "#" ) {
-			migrateWarn("HTML string cannot start with a '#' character");
-			jQuery.error("JQMIGRATE: Invalid selector string (XSS)");
-		}
-		// Now process using loose rules; let pre-1.8 play too
-		if ( context && context.context ) {
-			// jQuery object as context; parseHTML expects a DOM object
-			context = context.context;
-		}
-		if ( jQuery.parseHTML ) {
-			return oldInit.call( this,
-					jQuery.parseHTML( match[ 2 ], context && context.ownerDocument ||
-						context || document, true ), context, rootjQuery );
-		}
-	}
+	if ( selector && typeof selector === "string" ) {
+		if ( !jQuery.isPlainObject( context ) &&
+				(match = rquickExpr.exec( jQuery.trim( selector ) )) && match[ 0 ] ) {

-	if ( selector === "#" ) {
+			// This is an HTML string according to the "old" rules; is it still?
+			if ( !rspaceAngle.test( selector ) ) {
+				migrateWarn("$(html) HTML strings must start with '<' character");
+			}
+			if ( match[ 3 ] ) {
+				migrateWarn("$(html) HTML text after last tag is ignored");
+			}

-		// jQuery( "#" ) is a bogus ID selector, but it returned an empty set before jQuery 3.0
-		migrateWarn( "jQuery( '#' ) is not a valid selector" );
-		selector = [];
+			// Consistently reject any HTML-like string starting with a hash (gh-9521)
+			// Note that this may break jQuery 1.6.x code that otherwise would work.
+			if ( match[ 0 ].charAt( 0 ) === "#" ) {
+				migrateWarn("HTML string cannot start with a '#' character");
+				jQuery.error("JQMIGRATE: Invalid selector string (XSS)");
+			}

-	} else if ( rattrHash.test( selector ) ) {
+			// Now process using loose rules; let pre-1.8 play too
+			// Is this a jQuery context? parseHTML expects a DOM element (#178)
+			if ( context && context.context && context.context.nodeType ) {
+				context = context.context;
+			}

-		// The nonstandard and undocumented unquoted-hash was removed in jQuery 1.12.0
-		// Note that this doesn't actually fix the selector due to potential false positives
-		migrateWarn( "Attribute selectors with '#' must be quoted: '" + selector + "'" );
+			if ( jQuery.parseHTML ) {
+				return oldInit.call( this,
+						jQuery.parseHTML( match[ 2 ], context && context.ownerDocument ||
+							context || document, true ), context, rootjQuery );
+			}
+		}
 	}

 	ret = oldInit.apply( this, arguments );
@@ -263,6 +257,47 @@ jQuery.fn.init = function( selector, context, rootjQuery ) {
 };
 jQuery.fn.init.prototype = jQuery.fn;

+jQuery.find = function( selector ) {
+	var args = Array.prototype.slice.call( arguments );
+
+	// Support: PhantomJS 1.x
+	// String#match fails to match when used with a //g RegExp, only on some strings
+	if ( typeof selector === "string" && rattrHashTest.test( selector ) ) {
+
+		// The nonstandard and undocumented unquoted-hash was removed in jQuery 1.12.0
+		// First see if qS thinks it's a valid selector, if so avoid a false positive
+		try {
+			document.querySelector( selector );
+		} catch ( err1 ) {
+
+			// Didn't *look* valid to qSA, warn and try quoting what we think is the value
+			selector = selector.replace( rattrHashGlob, function( _, attr, op, value ) {
+				return "[" + attr + op + "\"" + value + "\"]";
+			} );
+
+			// If the regexp *may* have created an invalid selector, don't update it
+			// Note that there may be false alarms if selector uses jQuery extensions
+			try {
+				document.querySelector( selector );
+				migrateWarn( "Attribute selector with '#' must be quoted: " + args[ 0 ] );
+				args[ 0 ] = selector;
+			} catch ( err2 ) {
+				migrateWarn( "Attribute selector with '#' was not fixed: " + args[ 0 ] );
+			}
+		}
+	}
+
+	return oldFind.apply( this, args );
+};
+
+// Copy properties attached to original jQuery.find method (e.g. .attr, .isXML)
+var findProp;
+for ( findProp in oldFind ) {
+	if ( Object.prototype.hasOwnProperty.call( oldFind, findProp ) ) {
+		jQuery.find[ findProp ] = oldFind[ findProp ];
+	}
+}
+
 // Let $.parseJSON(falsy_value) return null
 jQuery.parseJSON = function( json ) {
 	if ( !json ) {
@@ -631,7 +666,7 @@ jQuery.event.special.ready = {
 };

 var oldSelf = jQuery.fn.andSelf || jQuery.fn.addBack,
-	oldFind = jQuery.fn.find;
+	oldFnFind = jQuery.fn.find;

 jQuery.fn.andSelf = function() {
 	migrateWarn("jQuery.fn.andSelf() replaced by jQuery.fn.addBack()");
@@ -639,7 +674,7 @@ jQuery.fn.andSelf = function() {
 };

 jQuery.fn.find = function( selector ) {
-	var ret = oldFind.apply( this, arguments );
+	var ret = oldFnFind.apply( this, arguments );
 	ret.context = this.context;
 	ret.selector = this.selector ? this.selector + " " + selector : selector;
 	return ret;

--- a/wp-includes/js/jquery/jquery-migrate.min.js
+++ b/wp-includes/js/jquery/jquery-migrate.min.js
--- a/wp-includes/js/jquery/jquery.js
+++ b/wp-includes/js/jquery/jquery.js
--- a/wp-includes/js/media-views.js
+++ b/wp-includes/js/media-views.js
@@ -462,14 +462,14 @@ EditImage = wp.media.controller.State.extend({
 	 * @since 3.9.0
 	 */
 	activate: function() {
-		this.listenTo( this.frame, 'toolbar:render:edit-image', this.toolbar );
+		this.frame.on( 'toolbar:render:edit-image', _.bind( this.toolbar, this ) );
 	},

 	/**
 	 * @since 3.9.0
 	 */
 	deactivate: function() {
-		this.stopListening( this.frame );
+		this.frame.off( 'toolbar:render:edit-image' );
 	},

 	/**
@@ -4085,8 +4085,8 @@ AttachmentsBrowser = View.extend({
 		});

 		// Add keydown listener to the instance of the Attachments view
-		this.attachments.listenTo( this.controller, 'attachment:keydown:arrow',     this.attachments.arrowEvent );
-		this.attachments.listenTo( this.controller, 'attachment:details:shift-tab', this.attachments.restoreFocus );
+		this.controller.on( 'attachment:keydown:arrow',     _.bind( this.attachments.arrowEvent, this.attachments ) );