Backdrop 1.28.1

Author: shelane

docroot/core/includes/bootstrap.inc

@@ -7,7 +7,7 @@
 /**
  * The current system version.
  */
-define('BACKDROP_VERSION', '1.28.0');
+define('BACKDROP_VERSION', '1.28.1');
 
 /**
  * Core API compatibility.

docroot/core/includes/common.inc

@@ -953,6 +953,8 @@ function backdrop_access_denied() {
  * @see backdrop_http_build_query()
  *
  * @since 1.18.4 The $options['data'] key may now be passed as an array.
+ * @since 1.27.2 Support added for the 429 response code (previously treaded as
+ *   a 400).
  * @since 1.27.2 Now removes any potentially sensitive headers before following
  *   a redirect. See the 'strip_sensitive_headers_on_host_change' setting in
  *   settings.php for details.

docroot/core/includes/icon.inc

@@ -269,7 +269,7 @@ function icon_get_info($icon_name = NULL) {
  * Returns HTML for an inline-icon.
  *
  * This effectively returns the contents of an SVG file. But it could
- * potentially be override to replace inlined SVGs with other mechanisms, like
+ * potentially be overridden to replace inlined SVGs with other mechanisms, like
  * an icon font.
  *
  * @param array $variables
@@ -282,20 +282,46 @@ function icon_get_info($icon_name = NULL) {
  *   - attributes: Attributes to be added to the icon itself.
  *
  * @return string
- *    The HTML output.
+ *   The HTML output.
  *
  * @since 1.28.0 Function added.
+ * @since 1.28.1 The <ellipse>, <line>, <polygon> and <polyline> SVG elements
+ *   are allowed.
  */
 function theme_icon(array $variables) {
   // Ensure the filename is .svg.
   if (image_is_svg($variables['path'])) {
     // Ensure the file contents are an SVG.
     $svg_contents = file_get_contents($variables['path']);
     if (strpos($svg_contents, '<svg') === 0) {
-      // Clean out any embedded XSS within the SVG. This very-restrictive set
-      // of options should be adequate for icons.
-      $svg_contents = filter_xss($svg_contents, array('svg', 'use', 'title',
-        'desc', 'defs', 'linearGradient', 'stop', 'rect', 'circle', 'path'));
+      // Allow basic shapes. See:
+      // https://developer.mozilla.org/en-US/docs/Web/SVG/Element#basic_shapes.
+      $allowed_svg_basic_shapes = array(
+        'circle',
+        'ellipse',
+        'line',
+        'polygon',
+        'polyline',
+        'rect',
+      );
+
+      // Allow some other elements. This very-restrictive set of options should
+      // be adequate for icons.
+      $allowed_svg_other = array(
+        'defs',
+        'desc',
+        'linearGradient',
+        'path',
+        'stop',
+        'svg',
+        'title',
+        'use',
+      );
+
+      $allowed_svg_elements = array_merge($allowed_svg_basic_shapes, $allowed_svg_other);
+
+      // Clean out any embedded XSS within the SVG.
+      $svg_contents = filter_xss($svg_contents, $allowed_svg_elements);
 
       // Move the "alt" text to an attribute.
       if ($variables['alt']) {

docroot/core/includes/image.inc

@@ -584,18 +584,21 @@ function image_is_svg($uri) {
 function image_add_svg_attributes($svg_content, array $attributes) {
   $doc = new DOMDocument();
   $doc->loadXML($svg_content);
+  $svg_tag = $doc->getElementsByTagName('svg')->item(0);
 
   // Convert the alt attribute to a <title> element.
   if (isset($attributes['alt'])) {
       try {
         if (strlen($attributes['alt'])) {
           $title = $doc->createElement('title');
           $title->textContent = $attributes['alt'];
-          $doc->firstChild->prepend($title);
+          // Since DOMDocument::prepend() is not available in PHP versions prior
+          // to v8, we are using DOMNode::insertBefore().
+          $svg_tag->insertBefore($title, $svg_tag->firstChild);
         }
         // Remove any given <title> element if alt is an empty string.
-        elseif ($doc->firstChild->firstChild && $doc->firstChild->firstChild->nodeName === 'title') {
-          $doc->firstChild->removeChild($doc->firstChild->firstChild);
+        elseif ($svg_tag->firstChild && $svg_tag->firstChild->nodeName === 'title') {
+          $svg_tag->removeChild($svg_tag->firstChild);
         }
       } catch (DOMException $e) {}
     unset($attributes['alt']);
@@ -604,13 +607,13 @@ function image_add_svg_attributes($svg_content, array $attributes) {
   foreach ($attributes as $attribute_name => $attribute_value) {
     $attribute_value = implode(' ', (array) $attribute_value);
     if (strlen($attribute_value)) {
-      $doc->firstChild->setAttribute($attribute_name, $attribute_value);
+      $svg_tag->setAttribute($attribute_name, $attribute_value);
     }
     else {
-      $doc->firstChild->removeAttribute($attribute_name);
+      $svg_tag->removeAttribute($attribute_name);
     }
   }
-  return $doc->saveXML($doc->firstChild);
+  return $doc->saveXML($svg_tag);
 }
 
 /**

docroot/core/includes/menu.inc

@@ -154,8 +154,11 @@ define('MENU_CALLBACK', 0x0000);
  *
  * Modules may "suggest" menu items that the administrator may enable. They act
  * just as callbacks do until enabled, at which time they act like normal items.
- * Note for the value: 0x0010 was a flag which is no longer used, but this way
- * the values of MENU_CALLBACK and MENU_SUGGESTED_ITEM are separate.
+ *
+ * Note: The value 0x0010 cannot be removed from the definition of
+ * MENU_SUGGESTED_ITEM. It is a flag (no longer used) that at one time ensured
+ * that the values of MENU_VISIBLE_IN_BREADCRUMB and MENU_SUGGESTED_ITEM were
+ * separate.
  */
 define('MENU_SUGGESTED_ITEM', MENU_VISIBLE_IN_BREADCRUMB | 0x0010);
 
@@ -730,7 +733,7 @@ function _menu_item_localize(&$item, $map, $link_translate = FALSE) {
   $item['localized_options'] = $item['options'];
   // All 'class' attributes are assumed to be an array during rendering, but
   // links stored in the database may use an old string value.
-  // @todo In order to remove this code we need to implement a database update
+  // @todo In order to remove this code we need to implement a site update,
   //   including unserializing all existing link options and running this code
   //   on them, as well as adding validation to menu_link_save().
   if (isset($item['options']['attributes']['class']) && is_string($item['options']['attributes']['class'])) {

docroot/core/includes/update.inc

@@ -1,10 +1,10 @@
 <?php
 /**
  * @file
- * Backdrop database update API.
+ * Backdrop site update API.
  *
- * This file contains functions to perform database updates for a Backdrop
- * installation. It is included and used extensively by update.php.
+ * This file contains functions to perform database and config updates for a
+ * Backdrop installation. It is included and used extensively by update.php.
  */
 
 /**
@@ -611,7 +611,7 @@ function update_do_one($module, $number, $dependency_map, &$context) {
 class BackdropUpdateException extends Exception { }
 
 /**
- * Starts the database update batch process.
+ * Starts the site update batch process.
  *
  * @param $start
  *   An array whose keys contain the names of modules to be updated during the
@@ -714,11 +714,11 @@ function update_finished($success, $results, $operations) {
 }
 
 /**
- * Returns a list of all the pending database updates.
+ * Returns a list of all the pending site updates.
  *
  * @return
- *   An associative array keyed by module name which contains all information
- *   about database updates that need to be run, and any updates that are not
+ *   An associative array keyed by module name, which contains all information
+ *   about site updates that need to be run and any updates that are not
  *   going to proceed due to missing requirements. The system module will
  *   always be listed first.
  *

docroot/core/layouts/boxton/boxton.info

@@ -25,7 +25,7 @@ preview = boxton.png
 ; Include the Bootstrap4 Grid System
 libraries[] = bootstrap4-gs
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/geary/geary.info

@@ -27,7 +27,7 @@ preview = geary.png
 ; Include the Bootstrap4 Grid System
 libraries[] = bootstrap4-gs
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/harris/harris.info

@@ -27,7 +27,7 @@ preview = harris.png
 ; Include the Bootstrap4 Grid System
 libraries[] = bootstrap4-gs
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/legacy/one_column/one_column.info

@@ -18,7 +18,7 @@ regions[footer] = Footer
 ; Modify this line if you would like to change the default in this layout.
 default region = content
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/legacy/three_three_four_column/three_three_four_column.info

@@ -26,7 +26,7 @@ regions[footer] = Footer bottom
 ; Modify this line if you would like to change the default in this layout.
 default region = content
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/legacy/two_column/two_column.info

@@ -15,7 +15,7 @@ regions[footer] = Footer
 ; Modify this line if you would like to change the default in this layout.
 default region = content
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/legacy/two_column_flipped/two_column_flipped.info

@@ -15,7 +15,7 @@ regions[footer] = Footer
 ; Modify this line if you would like to change the default in this layout.
 default region = content
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/moscone/moscone.info

@@ -26,7 +26,7 @@ preview = moscone.png
 ; Include the Bootstrap4 Grid System
 libraries[] = bootstrap4-gs
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/moscone_flipped/moscone_flipped.info

@@ -26,7 +26,7 @@ preview = moscone-flipped.png
 ; Include the Bootstrap4 Grid System
 libraries[] = bootstrap4-gs
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/rolph/rolph.info

@@ -28,7 +28,7 @@ preview = rolph.png
 ; Include the Bootstrap4 Grid System
 libraries[] = bootstrap4-gs
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/simmons/simmons.info

@@ -34,7 +34,7 @@ file = simmons.php
 ; Default stylesheets for this layout
 ; stylesheets[all][] = simmons.css
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/sutro/sutro.info

@@ -27,7 +27,7 @@ preview = sutro.png
 ; Include the Bootstrap4 Grid System
 libraries[] = bootstrap4-gs
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/taylor/taylor.info

@@ -27,7 +27,7 @@ preview = taylor.png
 ; Include the Bootstrap4 Grid System
 libraries[] = bootstrap4-gs
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/layouts/taylor_flipped/taylor_flipped.info

@@ -27,7 +27,7 @@ preview = taylor-flipped.png
 ; Include the Bootstrap4 Grid System
 libraries[] = bootstrap4-gs
 
-; Added by Backdrop CMS packaging script on 2024-05-15
+; Added by Backdrop CMS packaging script on 2024-06-23
 project = backdrop
-version = 1.28.0
-timestamp = 1715827451
+version = 1.28.1
+timestamp = 1719196650

docroot/core/misc/ajax.js

@@ -218,7 +218,7 @@ Backdrop.ajax = function (base, element, element_settings) {
       // Sanity check for browser support (object expected).
       // When using iFrame uploads, responses must be returned as a string.
       if (typeof response == 'string') {
-        response = $.parseJSON(response);
+        response = JSON.parse(response);
 
         // Prior to invoking the response's commands, verify that they can be
         // trusted by checking for a response header. See

docroot/core/misc/backdrop.js

@@ -586,15 +586,15 @@ Backdrop.ajaxError = function (xmlhttp, uri, customMessage) {
   // Unfortunately, testing for it with typeof, etc, doesn't seem to catch that
   // and the test causes an exception. So we need to catch the exception here.
   try {
-    statusText = "\n" + Backdrop.t("StatusText: !statusText", {'!statusText': $.trim(xmlhttp.statusText)});
+    statusText = "\n" + Backdrop.t("StatusText: !statusText", {'!statusText': xmlhttp.statusText.trim()});
   }
   catch (e) {}
 
   responseText = '';
   // Again, we don't have a way to know for sure whether accessing
   // xmlhttp.responseText is going to throw an exception. So we'll catch it.
   try {
-    responseText = "\n" + Backdrop.t("ResponseText: !responseText", {'!responseText': $.trim(xmlhttp.responseText) } );
+    responseText = "\n" + Backdrop.t("ResponseText: !responseText", {'!responseText': xmlhttp.responseText.trim() } );
   } catch (e) {}
 
   // Make the responseText more readable by stripping HTML tags and newlines.