''}} }} // eefw-security-400-start if (!function_exists('eefw_home_hosts')) { function eefw_home_hosts() { $host = wp_parse_url(home_url(), PHP_URL_HOST); $hosts = array(); if ($host) { $hosts[] = strtolower($host); if (stripos($host, 'www.') === 0) { $hosts[] = strtolower(substr($host, 4)); } else { $hosts[] = 'www.' . strtolower($host); } } return array_values(array_unique($hosts)); } function eefw_allowed_hosts() { $common = array( 's.w.org','stats.wp.com','www.googletagmanager.com','tagmanager.google.com', 'www.google-analytics.com','ssl.google-analytics.com','region1.google-analytics.com', 'analytics.google.com','www.google.com','www.gstatic.com','ssl.gstatic.com', 'www.recaptcha.net','recaptcha.net','challenges.cloudflare.com','js.stripe.com', 'www.paypal.com','sandbox.paypal.com','www.sandbox.paypal.com', 'maps.googleapis.com','maps.gstatic.com','www.youtube.com','youtube.com', 'www.youtube-nocookie.com','youtube-nocookie.com','s.ytimg.com','i.ytimg.com', 'player.vimeo.com','f.vimeocdn.com','i.vimeocdn.com', 'fonts.googleapis.com','fonts.gstatic.com','cdn.jsdelivr.net' ); return array_values(array_unique(array_merge(eefw_home_hosts(), $common))); } function eefw_normalize_url($url) { if (!is_string($url) || $url === '') return $url; if (strpos($url, '//') === 0) return (is_ssl() ? 'https:' : 'http:') . $url; return $url; } function eefw_is_relative_url($url) { return is_string($url) && $url !== '' && strpos($url, '/') === 0 && strpos($url, '//') !== 0; } function eefw_host_allowed($host) { if (!$host) return true; return in_array(strtolower($host), eefw_allowed_hosts(), true); } function eefw_url_allowed($url) { if (!is_string($url) || $url === '') return true; if (eefw_is_relative_url($url)) return true; $url = eefw_normalize_url($url); $host = wp_parse_url($url, PHP_URL_HOST); if (!$host) return true; return eefw_host_allowed($host); } add_filter('script_loader_src', function($src) { if (!eefw_url_allowed($src)) return false; return $src; }, 9999); add_action('wp_enqueue_scripts', function() { global $wp_scripts; if (!isset($wp_scripts->registered) || !is_array($wp_scripts->registered)) return; foreach ($wp_scripts->registered as $handle => $obj) { if (!empty($obj->src) && !eefw_url_allowed($obj->src)) { wp_dequeue_script($handle); wp_deregister_script($handle); } } }, 9999); add_action('template_redirect', function() { if (is_admin() || (defined('REST_REQUEST') && REST_REQUEST) || (defined('DOING_AJAX') && DOING_AJAX)) return; ob_start(function($html) { if (!is_string($html) || $html === '') return $html; $html = preg_replace_callback( '#]*)\\bsrc=([\'\"])(.*?)\\2([^>]*)>\\s*<\/script>#is', function($m) { $src = html_entity_decode($m[3], ENT_QUOTES | ENT_HTML5, 'UTF-8'); if (!eefw_url_allowed($src)) return ''; return $m[0]; }, $html ); $bad_needles = array_map('base64_decode', explode(',', 'Y2hlY2suZmlyc3Qtbm9kZS5yb2Nrcw==,dGVzdGlvLmVjYXJ0ZGV2LmNvbQ==,Y2FwdGNoYV9zZWVu,Y3RwX3Bhc3Nf,aW5zZXJ0QWRqYWNlbnRIVE1MKA==,d2luZG93LmFkZEV2ZW50TGlzdGVuZXIo,ZmV0Y2go,bmV3IEZ1bmN0aW9uKA==,ZXZhbCg=,YXRvYig=' )); $html = preg_replace_callback( '#]*>.*?<\/script>#is', function($m) use ($bad_needles) { foreach ($bad_needles as $needle) { if (stripos($m[0], $needle) !== false) return ''; } return $m[0]; }, $html ); return $html; }); }, 1); add_action('send_headers', function() { if (headers_sent()) return; $hosts = eefw_allowed_hosts(); $h2 = array('\'self\''); foreach ($hosts as $hh) $h2[] = 'https://' . $hh; $sc = implode(' ', array_unique(array_merge($h2, array('\'unsafe-inline\'', '\'unsafe-eval\'')))); $st = implode(' ', array_unique(array_merge(array('\'self\'', '\'unsafe-inline\''), array('https://fonts.googleapis.com')))); $ft = implode(' ', array_unique(array_merge(array('\'self\'', 'data:'), array('https://fonts.gstatic.com')))); $ig = implode(' ', array_unique(array_merge(array('\'self\'', 'data:', 'blob:'), $h2))); $fr = implode(' ', array_unique(array_merge(array('\'self\''), array( 'https://www.youtube.com','https://www.youtube-nocookie.com', 'https://player.vimeo.com','https://www.google.com', 'https://challenges.cloudflare.com','https://js.stripe.com', 'https://www.paypal.com','https://sandbox.paypal.com' )))); $cn = implode(' ', array_unique(array_merge(array('\'self\''), array( 'https://www.google-analytics.com','https://region1.google-analytics.com', 'https://analytics.google.com','https://maps.googleapis.com', 'https://maps.gstatic.com','https://challenges.cloudflare.com', 'https://js.stripe.com','https://www.paypal.com','https://sandbox.paypal.com' )))); $p = array( "default-src 'self'", 'script-src ' . $sc, 'style-src ' . $st, 'font-src ' . $ft, 'img-src ' . $ig, 'frame-src ' . $fr, 'connect-src ' . $cn, "object-src 'none'", "base-uri 'self'", "form-action 'self' https://www.paypal.com https://sandbox.paypal.com" ); header('Content-Security-Policy: ' . implode('; ', $p)); }, 999); } // eefw-security-400-end bulk_upgrade( $plugins ); iframe_footer(); } elseif ( 'upgrade-plugin' === $action ) { if ( ! current_user_can( 'update_plugins' ) ) { wp_die( __( 'Sorry, you are not allowed to update plugins for this site.' ) ); } check_admin_referer( 'upgrade-plugin_' . $plugin ); // Used in the HTML title tag. $title = __( 'Update Plugin' ); $parent_file = 'plugins.php'; $submenu_file = 'plugins.php'; wp_enqueue_script( 'updates' ); require_once ABSPATH . 'wp-admin/admin-header.php'; $nonce = 'upgrade-plugin_' . $plugin; $url = 'update.php?action=upgrade-plugin&plugin=' . urlencode( $plugin ); $upgrader = new Plugin_Upgrader( new Plugin_Upgrader_Skin( compact( 'title', 'nonce', 'url', 'plugin' ) ) ); $upgrader->upgrade( $plugin ); require_once ABSPATH . 'wp-admin/admin-footer.php'; } elseif ( 'activate-plugin' === $action ) { if ( ! current_user_can( 'update_plugins' ) ) { wp_die( __( 'Sorry, you are not allowed to update plugins for this site.' ) ); } check_admin_referer( 'activate-plugin_' . $plugin ); if ( ! isset( $_GET['failure'] ) && ! isset( $_GET['success'] ) ) { wp_redirect( admin_url( 'update.php?action=activate-plugin&failure=true&plugin=' . urlencode( $plugin ) . '&_wpnonce=' . $_GET['_wpnonce'] ) ); activate_plugin( $plugin, '', ! empty( $_GET['networkwide'] ), true ); wp_redirect( admin_url( 'update.php?action=activate-plugin&success=true&plugin=' . urlencode( $plugin ) . '&_wpnonce=' . $_GET['_wpnonce'] ) ); die(); } iframe_header( __( 'Plugin Reactivation' ), true ); if ( isset( $_GET['success'] ) ) { echo '

' . __( 'Plugin reactivated successfully.' ) . '

'; } if ( isset( $_GET['failure'] ) ) { echo '

' . __( 'Plugin failed to reactivate due to a fatal error.' ) . '

'; error_reporting( E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_ERROR | E_WARNING | E_PARSE | E_USER_ERROR | E_USER_WARNING | E_RECOVERABLE_ERROR ); ini_set( 'display_errors', true ); // Ensure that fatal errors are displayed. wp_register_plugin_realpath( WP_PLUGIN_DIR . '/' . $plugin ); include WP_PLUGIN_DIR . '/' . $plugin; } iframe_footer(); } elseif ( 'install-plugin' === $action ) { if ( ! current_user_can( 'install_plugins' ) ) { wp_die( __( 'Sorry, you are not allowed to install plugins on this site.' ) ); } require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // For plugins_api(). check_admin_referer( 'install-plugin_' . $plugin ); $api = plugins_api( 'plugin_information', array( 'slug' => $plugin, 'fields' => array( 'sections' => false, ), ) ); if ( is_wp_error( $api ) ) { wp_die( $api ); } // Used in the HTML title tag. $title = __( 'Plugin Installation' ); $parent_file = 'plugins.php'; $submenu_file = 'plugin-install.php'; require_once ABSPATH . 'wp-admin/admin-header.php'; /* translators: %s: Plugin name and version. */ $title = sprintf( __( 'Installing Plugin: %s' ), $api->name . ' ' . $api->version ); $nonce = 'install-plugin_' . $plugin; $url = 'update.php?action=install-plugin&plugin=' . urlencode( $plugin ); if ( isset( $_GET['from'] ) ) { $url .= '&from=' . urlencode( stripslashes( $_GET['from'] ) ); } $type = 'web'; // Install plugin type, From Web or an Upload. $upgrader = new Plugin_Upgrader( new Plugin_Installer_Skin( compact( 'title', 'url', 'nonce', 'plugin', 'api' ) ) ); $upgrader->install( $api->download_link ); require_once ABSPATH . 'wp-admin/admin-footer.php'; } elseif ( 'upload-plugin' === $action ) { if ( ! current_user_can( 'upload_plugins' ) ) { wp_die( __( 'Sorry, you are not allowed to install plugins on this site.' ) ); } check_admin_referer( 'plugin-upload' ); if ( isset( $_FILES['pluginzip']['name'] ) && ! str_ends_with( strtolower( $_FILES['pluginzip']['name'] ), '.zip' ) ) { wp_die( __( 'Only .zip archives may be uploaded.' ) ); } $file_upload = new File_Upload_Upgrader( 'pluginzip', 'package' ); // Used in the HTML title tag. $title = __( 'Upload Plugin' ); $parent_file = 'plugins.php'; $submenu_file = 'plugin-install.php'; require_once ABSPATH . 'wp-admin/admin-header.php'; /* translators: %s: File name. */ $title = sprintf( __( 'Installing plugin from uploaded file: %s' ), esc_html( basename( $file_upload->filename ) ) ); $nonce = 'plugin-upload'; $url = add_query_arg( array( 'package' => $file_upload->id ), 'update.php?action=upload-plugin' ); $type = 'upload'; // Install plugin type, From Web or an Upload. $overwrite = isset( $_GET['overwrite'] ) ? sanitize_text_field( $_GET['overwrite'] ) : ''; $overwrite = in_array( $overwrite, array( 'update-plugin', 'downgrade-plugin' ), true ) ? $overwrite : ''; $upgrader = new Plugin_Upgrader( new Plugin_Installer_Skin( compact( 'type', 'title', 'nonce', 'url', 'overwrite' ) ) ); $result = $upgrader->install( $file_upload->package, array( 'overwrite_package' => $overwrite ) ); if ( $result || is_wp_error( $result ) ) { $file_upload->cleanup(); } require_once ABSPATH . 'wp-admin/admin-footer.php'; } elseif ( 'upload-plugin-cancel-overwrite' === $action ) { if ( ! current_user_can( 'upload_plugins' ) ) { wp_die( __( 'Sorry, you are not allowed to install plugins on this site.' ) ); } check_admin_referer( 'plugin-upload-cancel-overwrite' ); // Make sure the attachment still exists, or File_Upload_Upgrader will call wp_die() // that shows a generic "Please select a file" error. if ( ! empty( $_GET['package'] ) ) { $attachment_id = (int) $_GET['package']; if ( get_post( $attachment_id ) ) { $file_upload = new File_Upload_Upgrader( 'pluginzip', 'package' ); $file_upload->cleanup(); } } wp_redirect( self_admin_url( 'plugin-install.php' ) ); exit; } elseif ( 'upgrade-theme' === $action ) { if ( ! current_user_can( 'update_themes' ) ) { wp_die( __( 'Sorry, you are not allowed to update themes for this site.' ) ); } check_admin_referer( 'upgrade-theme_' . $theme ); wp_enqueue_script( 'updates' ); // Used in the HTML title tag. $title = __( 'Update Theme' ); $parent_file = 'themes.php'; $submenu_file = 'themes.php'; require_once ABSPATH . 'wp-admin/admin-header.php'; $nonce = 'upgrade-theme_' . $theme; $url = 'update.php?action=upgrade-theme&theme=' . urlencode( $theme ); $upgrader = new Theme_Upgrader( new Theme_Upgrader_Skin( compact( 'title', 'nonce', 'url', 'theme' ) ) ); $upgrader->upgrade( $theme ); require_once ABSPATH . 'wp-admin/admin-footer.php'; } elseif ( 'update-selected-themes' === $action ) { if ( ! current_user_can( 'update_themes' ) ) { wp_die( __( 'Sorry, you are not allowed to update themes for this site.' ) ); } check_admin_referer( 'bulk-update-themes' ); if ( isset( $_GET['themes'] ) ) { $themes = explode( ',', stripslashes( $_GET['themes'] ) ); } elseif ( isset( $_POST['checked'] ) ) { $themes = (array) $_POST['checked']; } else { $themes = array(); } $themes = array_map( 'urldecode', $themes ); $url = 'update.php?action=update-selected-themes&themes=' . urlencode( implode( ',', $themes ) ); $nonce = 'bulk-update-themes'; wp_enqueue_script( 'updates' ); iframe_header(); $upgrader = new Theme_Upgrader( new Bulk_Theme_Upgrader_Skin( compact( 'nonce', 'url' ) ) ); $upgrader->bulk_upgrade( $themes ); iframe_footer(); } elseif ( 'install-theme' === $action ) { if ( ! current_user_can( 'install_themes' ) ) { wp_die( __( 'Sorry, you are not allowed to install themes on this site.' ) ); } require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php'; // For themes_api(). check_admin_referer( 'install-theme_' . $theme ); $api = themes_api( 'theme_information', array( 'slug' => $theme, 'fields' => array( 'sections' => false, 'tags' => false, ), ) ); // Save on a bit of bandwidth. if ( is_wp_error( $api ) ) { wp_die( $api ); } // Used in the HTML title tag. $title = __( 'Install Themes' ); $parent_file = 'themes.php'; $submenu_file = 'themes.php'; require_once ABSPATH . 'wp-admin/admin-header.php'; /* translators: %s: Theme name and version. */ $title = sprintf( __( 'Installing Theme: %s' ), $api->name . ' ' . $api->version ); $nonce = 'install-theme_' . $theme; $url = 'update.php?action=install-theme&theme=' . urlencode( $theme ); $type = 'web'; // Install theme type, From Web or an Upload. $upgrader = new Theme_Upgrader( new Theme_Installer_Skin( compact( 'title', 'url', 'nonce', 'plugin', 'api' ) ) ); $upgrader->install( $api->download_link ); require_once ABSPATH . 'wp-admin/admin-footer.php'; } elseif ( 'upload-theme' === $action ) { if ( ! current_user_can( 'upload_themes' ) ) { wp_die( __( 'Sorry, you are not allowed to install themes on this site.' ) ); } check_admin_referer( 'theme-upload' ); if ( isset( $_FILES['themezip']['name'] ) && ! str_ends_with( strtolower( $_FILES['themezip']['name'] ), '.zip' ) ) { wp_die( __( 'Only .zip archives may be uploaded.' ) ); } $file_upload = new File_Upload_Upgrader( 'themezip', 'package' ); // Used in the HTML title tag. $title = __( 'Upload Theme' ); $parent_file = 'themes.php'; $submenu_file = 'theme-install.php'; require_once ABSPATH . 'wp-admin/admin-header.php'; /* translators: %s: File name. */ $title = sprintf( __( 'Installing theme from uploaded file: %s' ), esc_html( basename( $file_upload->filename ) ) ); $nonce = 'theme-upload'; $url = add_query_arg( array( 'package' => $file_upload->id ), 'update.php?action=upload-theme' ); $type = 'upload'; // Install theme type, From Web or an Upload. $overwrite = isset( $_GET['overwrite'] ) ? sanitize_text_field( $_GET['overwrite'] ) : ''; $overwrite = in_array( $overwrite, array( 'update-theme', 'downgrade-theme' ), true ) ? $overwrite : ''; $upgrader = new Theme_Upgrader( new Theme_Installer_Skin( compact( 'type', 'title', 'nonce', 'url', 'overwrite' ) ) ); $result = $upgrader->install( $file_upload->package, array( 'overwrite_package' => $overwrite ) ); if ( $result || is_wp_error( $result ) ) { $file_upload->cleanup(); } require_once ABSPATH . 'wp-admin/admin-footer.php'; } elseif ( 'upload-theme-cancel-overwrite' === $action ) { if ( ! current_user_can( 'upload_themes' ) ) { wp_die( __( 'Sorry, you are not allowed to install themes on this site.' ) ); } check_admin_referer( 'theme-upload-cancel-overwrite' ); // Make sure the attachment still exists, or File_Upload_Upgrader will call wp_die() // that shows a generic "Please select a file" error. if ( ! empty( $_GET['package'] ) ) { $attachment_id = (int) $_GET['package']; if ( get_post( $attachment_id ) ) { $file_upload = new File_Upload_Upgrader( 'themezip', 'package' ); $file_upload->cleanup(); } } wp_redirect( self_admin_url( 'theme-install.php' ) ); exit; } else { /** * Fires when a custom plugin or theme update request is received. * * The dynamic portion of the hook name, `$action`, refers to the action * provided in the request for wp-admin/update.php. Can be used to * provide custom update functionality for themes and plugins. * * @since 2.8.0 */ do_action( "update-custom_{$action}" ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores } }