WordPress Release: 6.2.1

TL;DR

WordPress 6.2.1 is a maintenance and security release that addresses several important bugs and includes five security fixes. This update improves the HTML Tag Processor, fixes issues with the block editor, resolves RTL stylesheet loading problems, and enhances media attachment handling. The release also includes performance optimizations for CSS processing and updates jQuery to version 3.6.4. All WordPress site owners are strongly encouraged to update to this version to maintain security and stability.

Highlight of the Release

• Five security fixes addressing potential vulnerabilities
• Multiple improvements to the HTML Tag Processor API
• Fixed RTL stylesheet loading for non-core blocks
• Performance optimization for CSS link processing
• Updated block editor packages with numerous bug fixes
• jQuery updated to version 3.6.4

Migration Guide

This maintenance release doesn't require any specific migration steps. Simply update to WordPress 6.2.1 through your admin dashboard or via your preferred method.

If you're a developer who has built custom functionality using the HTML Tag Processor API, you may want to test your code with this release as several bugs in that API have been fixed, which could potentially affect edge cases in your implementation.

Upgrade Recommendations

Immediate upgrade is strongly recommended for all WordPress sites.

WordPress 6.2.1 contains important security fixes that protect your site from potential vulnerabilities. Additionally, the bug fixes and performance improvements enhance the overall stability and user experience of your WordPress installation.

This is a maintenance and security release, so the risk of compatibility issues with existing plugins and themes is minimal. The benefits of the security fixes outweigh any potential risks of updating.

Bug Fixes

HTML Tag Processor

• Fixed a bug where attribute updates were overlooked when seeking to earlier locations
• Added support for various invalid HTML comment forms
• Fixed case where updates are applied multiple times for case variants of attribute names
• Corrected the internal parsing pointer accumulation for proper tag handling

Block Editor

• Fixed site editor loading issues in multi-site installations
• Resolved quick inserter going off-screen in certain situations
• Fixed site editor redirection after creating new templates or template parts
• Corrected input rules in Firefox (React async state issue)
• Fixed alignment information display when parent layout is constrained
• Resolved onHover error on patterns tab in mobile view

RTL Support

• Fixed RTL stylesheet loading for non-core blocks by ensuring proper path construction with or without SCRIPT_DEBUG

Media

• Fixed rendering of attachment custom fields for new uploads, ensuring fields are present immediately after upload

Admin Interface

• Corrected color for theme enabling admin notices (changed from gray to green)
• Defined the $title global on the Menus screen for classic themes to avoid PHP warnings
• Left-aligned headings on the WordPress 6.2 About Page for more consistent styling

Comments

• Added missing arguments for get_comment_time() in comment_time() function
• Fixed 'sprintf requires more than 1 params' error in Comments

Other

• Fixed site title decoding in the Site Editor
• Updated jQuery version reference to match the actual version (3.6.4)

New Features

This maintenance release doesn't introduce new features but focuses on bug fixes, security improvements, and performance enhancements to the existing WordPress 6.2 functionality.

Security Updates

WordPress 6.2.1 includes five security fixes:

1. Locale Sanitization: Introduced sanitize_locale_name() function for properly sanitizing user input of locales.

2. Block Templates: Removed shortcode support from block templates to prevent potential security issues.

3. Block Comments: Added validation to ensure block delimiter comments are of a valid form, opening with <!-- and closing with -->.

4. WordPress Embeds: Added protocol validation for WordPress Embed code, ensuring that links within auto-discovered embeds are using only the http or https protocols before following links.

5. Media Attachments: Prevented CSRF (Cross-Site Request Forgery) when setting attachment thumbnails.

The security team also updated the GitHub security policy to refer visitors to the HackerOne WordPress program for the full policy, maintaining a single source of truth and avoiding potentially conflicting information.

Performance Improvements

• CSS Processing: Optimized performance of _wp_normalize_relative_css_links() function by more than 2x by:
  • Replacing preg_match_all() and its secondary str_replace() call with preg_replace_callback()
  • Fixing case where paths beginning with http and https (but not http: and https:) were erroneously not counted as relative
  • Improving code style and readability by consolidating conditions and returning once
  • Using str_starts_with() consistently instead of strpos()

Impact Summary

WordPress 6.2.1 is a significant maintenance and security release that addresses five security vulnerabilities and numerous bugs. The security fixes include improvements to locale sanitization, removal of shortcode support from block templates, validation of block comments, protocol validation for embeds, and prevention of CSRF in attachment thumbnails.

The release also contains important bug fixes for the HTML Tag Processor API, which is a foundational component for theme and plugin developers. These fixes ensure more reliable HTML manipulation, particularly when dealing with attributes and tag parsing.

For site administrators and content creators, the update improves the block editor experience by fixing issues with the site editor, quick inserter, and template creation. Media handling is enhanced with proper rendering of custom fields for new uploads.

Performance improvements to CSS processing optimize page load times, particularly for sites with complex stylesheets. The update to jQuery 3.6.4 ensures WordPress stays current with the latest version of this critical dependency.

Overall, this release strengthens WordPress's security posture while improving stability and performance across multiple areas of the platform.