WordPress Release: 2.0.6

TL;DR

WordPress 2.0.6 is a maintenance release that focuses on security enhancements, bug fixes, and compatibility improvements. This update introduces better input validation, improved SQL query handling for MySQL strict mode compatibility, and fixes for various UI and functionality issues. It's particularly important for site security as it includes protocol checking for URLs and better escaping of user input.

Highlight of the Release

• Enhanced security with protocol checking for URLs and improved input validation
• Better MySQL strict mode compatibility with improved SQL query handling
• New 'query' filter for SQL queries providing more developer control
• Safari browser support for quicktags
• New attribute_escape() function for safer HTML attribute handling

Migration Guide

WordPress 2.0.6 is a maintenance and security release that doesn't require special migration steps. However, developers should note:

• If you've modified core files, review your changes against the new versions, particularly around SQL queries and input validation
• The new attribute_escape() function is now available and recommended for escaping HTML attributes
• Custom code that relies on specific behavior of balanceTags() or force_balance_tags() should be tested as these functions have been synchronized with trunk
• If you're using custom SQL queries, be aware of the new 'query' filter which might affect query execution
• Plugins that handle URLs should be tested with the enhanced clean_url() function that now includes protocol checking

Upgrade Recommendations

Immediate upgrade recommended for all WordPress 2.0.x users.

This release contains important security fixes that protect your site from potential vulnerabilities. The security enhancements include better URL protocol checking, improved input validation, and safer handling of trackback data.

The upgrade process is straightforward:

1. Back up your database and files
2. Deactivate plugins
3. Replace your existing WordPress files with the new version
4. Run the upgrade script by visiting your site
5. Reactivate plugins

Given the security improvements in this release, upgrading should be prioritized even for sites with customizations or complex setups.

Bug Fixes

• SQL Improvements:

  • Changed SQL string quoting from double quotes to single quotes for better consistency and correctness (#3367)
  • Included post_content_filtered in queries to comply with MySQL strict mode (#3112)
  • Added filtering for post_content_filtered

• UI and Functionality Fixes:

  • Fixed ID issues to allow label clicking in the moderation queue (#3391)
  • Fixed handling of empty authors list (#2384)
  • Resolved issue with orphaned attachments by changing post_parent (#2681)
  • Fixed trailingslashit() for paged posts links (#3163)
  • Prevented dbxize from affecting wrappers (#2987)
  • Fixed array_shift usage with function returns

• Internationalization:

  • Fixed gettext date format strings in wp_get_archives (#1540)
  • Reverted overzealous internationalization (#3438)
  • Fixed _() => __() typo (#1540)

• Other Fixes:

  • Silenced fopen() in wp_remote_fopen()
  • Fixed regular expressions (Props Mordred)
  • Updated Blogger import wording to clarify it only works with old Blogger accounts (#3490)

New Features

New Developer Tools and Functions

• New 'query' filter: Added a powerful filter for SQL queries, giving developers more control over database interactions (#2721)
• attribute_escape() function: New function specifically designed for escaping within HTML attributes
• New filters: Added js_escape and attribute_escape filters for better security practices
• Improved kses functionality: Reorganized kses functions to match trunk version
• Enhanced balanceTags(): Synchronized balanceTags() and force_balance_tags() with trunk version (#2714)

Security Updates

This release includes several important security enhancements:

• URL Protocol Checking: Added kses protocol checking to clean_url() function to prevent potentially malicious URL schemes (#3515)
• Improved Input Validation: Enhanced validation and escaping throughout the codebase
• Trackback Security: Delayed Trackback data escaping until after mb_convert_encoding() to prevent security issues (Props to Stefan Esser)
• New Escaping Functions: Added attribute_escape() function specifically for safer handling of HTML attributes
• Better Content Filtering: Applied wp_specialchars() treatment for the recent file list
• Post-Redirect Exit Fixes: Backported post-redirect exit() fixes for improved security

Performance Improvements

While this release doesn't contain major performance-focused changes, several bug fixes and improvements indirectly contribute to better performance:

• Better handling of SQL queries for MySQL strict mode compatibility
• Improved function organization and code structure
• More efficient handling of HTML tag balancing with updated balanceTags() and force_balance_tags() functions

Impact Summary

WordPress 2.0.6 is primarily a security and maintenance release that strengthens the platform's security posture while fixing various bugs and compatibility issues. The security enhancements focus on better input validation and URL handling, which are critical for preventing common web vulnerabilities.

For developers, this release introduces new tools like the 'query' filter and attribute_escape() function that improve both security and flexibility. The synchronization of functions like balanceTags() with trunk ensures better consistency across WordPress versions.

End users will benefit from UI improvements such as fixed label clicking in the moderation queue and Safari browser support for quicktags. The MySQL strict mode compatibility fixes also improve database reliability for various hosting environments.

Overall, this release represents WordPress's ongoing commitment to security and stability in the 2.0.x branch, making it an essential update for all WordPress sites.