From 3ef55a2ba1880301d1505347a15f16d5b1639325 Mon Sep 17 00:00:00 2001
From: Rishabh Gupta
Date: Sun, 7 Sep 2025 23:49:56 +0530
Subject: [PATCH 1/8] Quick Edit: Add maxlength attribute to post password field

---
 src/wp-admin/includes/class-wp-posts-list-table.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-admin/includes/class-wp-posts-list-table.php b/src/wp-admin/includes/class-wp-posts-list-table.php
index bc25dd0045a87..a1f4a5ea7eea8 100644
--- a/src/wp-admin/includes/class-wp-posts-list-table.php
+++ b/src/wp-admin/includes/class-wp-posts-list-table.php
@@ -1781,7 +1781,7 @@ public function inline_edit() {
From 2b41e3477bd8278ca540a551a2fadd79c43b88f0 Mon Sep 17 00:00:00 2001
From: Rishabh Gupta
Date: Sun, 7 Sep 2025 23:50:18 +0530
Subject: [PATCH 2/8] Posts: Add server-side validation for post password length

---
 src/wp-admin/includes/post.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/wp-admin/includes/post.php b/src/wp-admin/includes/post.php
index ebdd61df345dc..a080bc1af052f 100644
--- a/src/wp-admin/includes/post.php
+++ b/src/wp-admin/includes/post.php
@@ -156,6 +156,10 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
 unset( $post_data['post_password'] );
 }
 
+ if ( isset( $post_data['post_password'] ) && strlen( $post_data['post_password'] ) > 255 ) {
+ return new WP_Error( 'invalid_post_password', __( 'Error: Post passwords cannot be longer than 255 characters.' ) );
+ }
+
 if ( ! isset( $post_data['comment_status'] ) ) {
 $post_data['comment_status'] = 'closed';
 }

From 586b9086dd8c83930d298c2635f8a826d8bef53b Mon Sep 17 00:00:00 2001
From: Rishabh Gupta
Date: Sun, 7 Sep 2025 23:50:59 +0530
Subject: [PATCH 3/8] Tests: Add post password length validation tests

---
 tests/phpunit/tests/admin/includesPost.php | 32 ++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/tests/phpunit/tests/admin/includesPost.php b/tests/phpunit/tests/admin/includesPost.php
index de7b42f5eb15a..fbc4624bf4bbf 100644
--- a/tests/phpunit/tests/admin/includesPost.php
+++ b/tests/phpunit/tests/admin/includesPost.php
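Review bot: In the `_wp_translate_postdata()` hunk of PATCH 2/8, `strlen( $post_data['post_password'] ) > 255` counts bytes while the message states the limit in characters, so a password of 255 or fewer multibyte characters is rejected once its UTF-8 encoding passes 255 bytes. The call also assumes a string: if the value arrives from the request as an array, `strlen()` throws a `TypeError` on PHP 8 instead of returning the `WP_Error`. I would write the guard as `if ( isset( $post_data['post_password'] ) && ( ! is_string( $post_data['post_password'] ) || mb_strlen( $post_data['post_password'] ) > 255 ) ) {`, after confirming that the storage limit this mirrors is counted in characters (the column definition is not on this page). The same condition is carried as unchanged context in PATCH 4/8, and the function body starts and ends outside the hunk.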
@@ -1325,4 +1325,36 @@ public function test_user_get_refreshed_metabox_nonce() {
 $this->assertNotEmpty( $response['wp-refresh-metabox-loader-nonces']['replace']['_wpnonce'] );
 $this->assertNotEmpty( $response['wp-refresh-metabox-loader-nonces']['replace']['metabox_loader_nonce'] );
 }
+
+ /**
+ * Test that _wp_translate_postdata() validates post password length.
+ *
+ * @ticket 63943
+ */
+ public function test__wp_translate_postdata_validates_post_password_length() {
+ wp_set_current_user( self::$editor_id );
+
+ // Test valid password within 255 character limit.
+ $valid_password = str_repeat( 'a', 255 );
+ $post_data = array(
+ 'post_type' => 'post',
+ 'post_password' => $valid_password,
+ );
+
+ $result = _wp_translate_postdata( false, $post_data );
+ $this->assertNotWPError( $result );
+ $this->assertSame( $valid_password, $result['post_password'] );
+
+ // Test password over 255 characters (should fail).
+ $invalid_password = str_repeat( 'b', 256 );
+ $post_data = array(
+ 'post_type' => 'post',
+ 'post_password' => $invalid_password,
+ );
+
+ $result = _wp_translate_postdata( false, $post_data );
+ $this->assertWPError( $result );
+ $this->assertSame( 'invalid_post_password', $result->get_error_code() );
+ $this->assertSame( 'Error: Post passwords cannot be longer than 255 characters.', $result->get_error_message() );
+ }
 }

From 13b95e9a4643eff9af254b06f2b242f7a5e694ff Mon Sep 17 00:00:00 2001
From: Rishabh Gupta
Date: Mon, 8 Sep 2025 12:52:39 +0530
Subject: [PATCH 4/8] Posts: Update error code for post password length validation

---
 src/wp-admin/includes/post.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-admin/includes/post.php b/src/wp-admin/includes/post.php
index a080bc1af052f..ca88e537bd2a1 100644
--- a/src/wp-admin/includes/post.php
+++ b/src/wp-admin/includes/post.php
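Review bot: The test added in PATCH 3/8 probes the limit only with single-byte input (`str_repeat( 'a', 255 )` and `str_repeat( 'b', 256 )`), so it cannot distinguish a byte limit from a character limit, which matters because the check under test uses `strlen()`. A constructed case such as `str_repeat( 'é', 200 )` (200 characters, 400 bytes in UTF-8) with an explicit expectation would pin the intended behaviour either way. The same gap remains in the later versions of this test in PATCH 5/8 and PATCH 7/8. The accept and reject cases also share one method, so a failure in the first hides the second; a data provider with named datasets would report them separately.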
@@ -157,7 +157,7 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
 }
 
 if ( isset( $post_data['post_password'] ) && strlen( $post_data['post_password'] ) > 255 ) {
- return new WP_Error( 'invalid_post_password', __( 'Error: Post passwords cannot be longer than 255 characters.' ) );
+ return new WP_Error( 'invalid_post_password_length', __( 'Post passwords cannot be longer than 255 characters.' ) );
 }
 
 if ( ! isset( $post_data['comment_status'] ) ) {

From e000f840bdc0ef7ddf9e3de2b30486cec34cad1d Mon Sep 17 00:00:00 2001
From: Rishabh Gupta
Date: Mon, 8 Sep 2025 12:54:46 +0530
Subject: [PATCH 5/8] Tests: Simplify post password length validation test

---
 tests/phpunit/tests/admin/includesPost.php | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)

diff --git a/tests/phpunit/tests/admin/includesPost.php b/tests/phpunit/tests/admin/includesPost.php
index fbc4624bf4bbf..c0fc7a0d89f1f 100644
--- a/tests/phpunit/tests/admin/includesPost.php
+++ b/tests/phpunit/tests/admin/includesPost.php
@@ -1334,27 +1334,16 @@ public function test_user_get_refreshed_metabox_nonce() {
 public function test__wp_translate_postdata_validates_post_password_length() {
 wp_set_current_user( self::$editor_id );
 
- // Test valid password within 255 character limit.
- $valid_password = str_repeat( 'a', 255 );
- $post_data = array(
- 'post_type' => 'post',
- 'post_password' => $valid_password,
- );
-
- $result = _wp_translate_postdata( false, $post_data );
- $this->assertNotWPError( $result );
- $this->assertSame( $valid_password, $result['post_password'] );
-
- // Test password over 255 characters (should fail).
- $invalid_password = str_repeat( 'b', 256 );
- $post_data = array(
+ // Test password over 255 characters should fail.
+ $invalid_password = str_repeat( 'a', 256 );
+ $post_data = array(
 'post_type' => 'post',
 'post_password' => $invalid_password,
 );
 
 $result = _wp_translate_postdata( false, $post_data );
 $this->assertWPError( $result );
- $this->assertSame( 'invalid_post_password', $result->get_error_code() );
- $this->assertSame( 'Error: Post passwords cannot be longer than 255 characters.', $result->get_error_message() );
+ $this->assertSame( 'invalid_post_password_length', $result->get_error_code() );
+ $this->assertSame( 'Post passwords cannot be longer than 255 characters.', $result->get_error_message() );
 }
 }

From 6dddf7cccad35388143bc68961a4b8ba4a86a5e6 Mon Sep 17 00:00:00 2001
From: Rishabh Gupta
Date: Mon, 8 Sep 2025 17:27:20 +0530
Subject: [PATCH 6/8] Tests: Refactor post password length validation test and update coverage

---
 tests/phpunit/tests/admin/includesPost.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/tests/phpunit/tests/admin/includesPost.php b/tests/phpunit/tests/admin/includesPost.php
index c0fc7a0d89f1f..ccadaaf755835 100644
--- a/tests/phpunit/tests/admin/includesPost.php
+++ b/tests/phpunit/tests/admin/includesPost.php
@@ -26,6 +26,9 @@ public static function wpSetUpBeforeClass( WP_UnitTest_Factory $factory ) {
 self::$post_id = $factory->post->create();
 }
 
+ /**
+ * @covers ::_wp_translate_postdata
+ */
 public function test__wp_translate_postdata_cap_checks_contributor() {
 wp_set_current_user( self::$contributor_id );
 
@@ -1330,8 +1333,9 @@ public function test_user_get_refreshed_metabox_nonce() {
 * Test that _wp_translate_postdata() validates post password length.
 *
 * @ticket 63943
+ * @covers ::_wp_translate_postdata
 */
- public function test__wp_translate_postdata_validates_post_password_length() {
+ public function test_invalid_length_post_password() {
 wp_set_current_user( self::$editor_id );
 
 // Test password over 255 characters should fail.
@@ -1344,6 +1348,5 @@ public function test__wp_translate_postdata_validates_post_password_length() {
 $result = _wp_translate_postdata( false, $post_data );
 $this->assertWPError( $result );
 $this->assertSame( 'invalid_post_password_length', $result->get_error_code() );
- $this->assertSame( 'Post passwords cannot be longer than 255 characters.', $result->get_error_message() );
 }
 }

From 41d66ed313ae44fa89d10452d43e54a69914ddbb Mon Sep 17 00:00:00 2001
From: Rishabh Gupta
Date: Tue, 9 Sep 2025 14:40:19 +0530
Subject: [PATCH 7/8] Tests: Expand password validation test coverage for _wp_translate_postdata

---
 tests/phpunit/tests/admin/includesPost.php | 30 ++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/tests/phpunit/tests/admin/includesPost.php b/tests/phpunit/tests/admin/includesPost.php
index ccadaaf755835..98181f76c77e2 100644
--- a/tests/phpunit/tests/admin/includesPost.php
+++ b/tests/phpunit/tests/admin/includesPost.php
@@ -1338,6 +1338,17 @@ public function test_user_get_refreshed_metabox_nonce() {
 public function test_invalid_length_post_password() {
 wp_set_current_user( self::$editor_id );
 
+ // Test valid password within 255 character limit.
+ $valid_password = str_repeat( 'a', 255 );
+ $post_data = array(
+ 'post_type' => 'post',
+ 'post_password' => $valid_password,
+ );
+
+ $result = _wp_translate_postdata( false, $post_data );
+ $this->assertNotWPError( $result );
+ $this->assertSame( $valid_password, $result['post_password'] );
+
 // Test password over 255 characters should fail.
 $invalid_password = str_repeat( 'a', 256 );
 $post_data = array(
@@ -1349,6 +1360,23 @@ public function test_invalid_length_post_password() {
 $this->assertWPError( $result );
 $this->assertSame( 'invalid_post_password_length', $result->get_error_code() );
 }
+
+ /**
+ * Test that _wp_translate_postdata() removes post password for users without publish_posts capability.
+ *
+ * @covers ::_wp_translate_postdata
+ */
+ public function test_post_password_removed_for_users_without_publish_posts_cap() {
+ wp_set_current_user( self::$contributor_id );
+
+ // Contributors cannot publish posts, so password should be removed.
+ $post_data = array(
+ 'post_type' => 'post',
+ 'post_password' => 'test_password',
+ 'post_status' => 'draft',
+ );
+
+ $result = _wp_translate_postdata( false, $post_data );
+ $this->assertArrayNotHasKey( 'post_password', $result );
+ }
 }

From e29ecb9e798e0c26317af22375a172aa235b1f60 Mon Sep 17 00:00:00 2001
From: Rishabh Gupta
Date: Tue, 9 Sep 2025 19:22:54 +0530
Subject: [PATCH 8/8] Tests: Rename post password length validation test for clarity

---
 tests/phpunit/tests/admin/includesPost.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/admin/includesPost.php b/tests/phpunit/tests/admin/includesPost.php
index 98181f76c77e2..0cde7b8745104 100644
--- a/tests/phpunit/tests/admin/includesPost.php
+++ b/tests/phpunit/tests/admin/includesPost.php
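Review bot: In the second hunk of PATCH 7/8, `test_post_password_removed_for_users_without_publish_posts_cap()` hands `$result` straight to `assertArrayNotHasKey()` without first establishing that it is not a `WP_Error`, although the function under test can return one (the length check does). Adding `$this->assertNotWPError( $result );` before the key assertion makes a failure point at the real cause instead of at an argument-type complaint. The docblock also omits the `@ticket 63943` line that the sibling length test carries. A further case in which the contributor submits an over-length password would pin the ordering the series appears to rely on, where the `unset()` seen as context in PATCH 2/8 precedes the length check, so the value is dropped and no length error is returned.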
@@ -1335,7 +1335,7 @@ public function test_user_get_refreshed_metabox_nonce() {
 * @ticket 63943
 * @covers ::_wp_translate_postdata
 */
- public function test_invalid_length_post_password() {
+ public function test_validity_post_password_length() {
 wp_set_current_user( self::$editor_id );
 
 // Test valid password within 255 character limit.