WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.7.4 and earlier are affected by six security issues:
Thank you to the reporters of these issues for practicing responsible disclosure.
In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.
Download WordPress 4.7.5 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.5.
Thanks to everyone who contributed to 4.7.5.
Adding animations to web interfaces makes pages and apps feel more responsive and interactive. A side menu that smoothly slides out of view provides a much better user experience then a menu that just disappears when you close it.
So far creating web animations was done either via CSS transitions, CSS keyframes, or an external library such as Animate.css or Velocity. Thanks to a new native JavaScript API, we are now able to freely animate any HTML element without ever having to leave our .js file.
To showcase the awesomeness of the new API, let’s build a super simple example, once the old-fashioned CSS way, then with JavaScript Web Animations.
The editor below contains two HTML divs that when clicked on move to the right and then change their color. The square is animated via CSS @keyframes, and the circle via the Web Animations API.
(Play with our code editor on Tutorialzine.com)
The @keyframes animation should be familiar to most developers so let’s look at that first.
Our CSS animation is defined in a @keyframes block that represents a timeline of all the transitions. Once we have our choreography defined, we can map it to a selector via the animation property and it’s options.
.animate {
animation-name: move-and-change-color;
animation-duration: 0.4s;
animation-fill-mode: forwards;
}
@keyframes move-and-change-color {
0% {
transform: translateX(0);
}
80% {
transform: translateX(100px);
background-color: #2196F3;
}
100% {
transform: translateX(100px);
background-color: #EF5350;
}
}
We want the animation to start on user interaction so we will also have to create an on-click event listener that adds a CSS class to the desired element:
var square = document.getElementById('square');
square.addEventListener('click', function() {
square.className += " animate";
});
Although it works pretty well, the CSS approach seems rather non-intuitive as we define what happens in the stylesheets, but actually start it in the JavaScript. We also have very limited control over the animation once it has been invoked. Both these problems can be solved by switching to the Web Animation API.
We can describe our JavaScript animation using almost the exact same transitions we used in the CSS example:
var moveAndChangeColor = [
{
transform: 'translateX(0)',
background: '#2196F3' // blue
},
{
offset: 0.8,
transform: 'translateX(100px)',
background: '#2196F3' // blue
},
{
transform: 'translateX(100px)',
background: '#EF5350' // red
}
];
Each object in the array represents a state of the animation. The states are evenly distributed in time (3 states – 0%, 50%, 100%) unless we change the timing using the offset option, as we’ve done with the middle state.
After we’ve defined our animation array, we can invoke it using the animate() method. It takes as a second argument an object with the same options as the CSS animation property, although with slightly different names (e.g. animation-fill-mode is fill, animation-iteration-count is iteration, etc).
var circle = document.getElementById('circle');
circle.addEventListener('click', function() {
circle.animate(moveAndChangeColor, {
duration: 400,
fill: 'forwards'
});
});
As you can see, the JavaScript approach is much more organized with the animation stored in a variable and the animate() method used for invoking it whenever we need to.
The Web Animation API also makes it possible to easily control the playback of an animation in a number of ways. The animate() method returns an Animation object which we can save in a variable and use to refer to that animation later on.
var animation = elem.animate(transitions, options);
The interface provides us with the following methods:
Below is a tiny demo with a loading indicator that loops infinitely. We’ve setup buttons for the different events so that you can try them out:
(Play with our code editor on Tutorialzine.com)
The Animation object returned from animate() holds several useful properties that give us access to options like the current time, the playback rate, and others. Although some are read-only, most of the properties can be used as setters and getters.
You can view the JS code in the editor below to get a sense of how they work. For the full list of properties visit MDN.
(Play with our code editor on Tutorialzine.com)
In addition to that, the Web Animation API provides us with two useful event handlers for when the animation has finished or has been canceled:
spinnerAnimation.addEventListener('finish', function() {
// Animation has completed or .finish() has been called.
doSomething();
});
spinnerAnimation.addEventListener('cancel', function() {
// Animation has been canceled.
doSomething();
});
Most of the Web Animation features are freely available in Chrome and Firefox, with Edge and Safari implementations in the working (caniuse). There is also a well maintained open-source polyfill which can be used while waiting for full browser coverage.
When it comes to performance, there shouldn’t be any difference compared to regular CSS transitions, as browsers use the same engine for both. If you stick to animating only properties that don’t cause redraws, such as transform and opacity, animations should keep a steady 60fps rate.
The Web Animation API gives developers an awesome new way to create and control web animations using nothing but pure JavaScript. For animations that are invoked on user interaction or other dynamic events, this is great news since the whole animation can be done in the controller code, without having to jump to a CSS file for the actual transitions.
This article covered most of the features of the new API, but if you want to learn more here are a couple of excellent resources we highly recommend:
WordPress has grown a lot over the last thirteen years – it now powers more than 28% of the top ten million sites on the web. During this growth, each team has worked hard to continually improve their tools and processes. Today, the WordPress Security Team is happy to announce that WordPress is now officially on HackerOne!
HackerOne is a platform for security researchers to securely and responsibly report vulnerabilities to our team. It provides tools that improve the quality and consistency of communication with reporters, and will reduce the time spent on responding to commonly reported issues. This frees our team to spend more time working on improving the security of WordPress.
The security team has been working on this project for quite some time. Nikolay Bachiyski started the team working on it just over a year ago. We ran it as a private program while we worked out our procedures and processes, and are excited to finally make it public.
With the announcement of the WordPress HackerOne program we are also introducing bug bounties. Bug bounties let us reward reporters for disclosing issues to us and helping us secure our products and infrastructure. We’ve already awarded more than $3,700 in bounties to seven different reporters! We are thankful to Automattic for paying the bounties on behalf of the WordPress project.
The program and bounties cover all our projects including WordPress, BuddyPress, bbPress, GlotPress, and WP-CLI as well as all of our sites including WordPress.org, bbPress.org, WordCamp.org, BuddyPress.org, and GlotPress.org.