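''}} }} // residue of a statement that begins before this chunk; left exactly as found
// eefw-security-400-start
//
// Front-end script allowlist plus a Content-Security-Policy header.
// NOTE(review): this block sits inside wp-admin/admin.php (WordPress core), so every core
// update overwrites it; an mu-plugin is the durable place for it.
if (!function_exists('eefw_home_hosts')) {

    /**
     * Hostnames that count as "this site": the host of home_url() and its www./bare twin.
     *
     * @return string[] Lower-case, de-duplicated list; empty when home_url() has no host.
     */
    function eefw_home_hosts() {
        $host = wp_parse_url(home_url(), PHP_URL_HOST);
        $hosts = array();
        if ($host) {
            $host = strtolower($host);
            $hosts[] = $host;
            // Accept both spellings of the site host so either one passes the allowlist.
            if (strpos($host, 'www.') === 0) {
                $hosts[] = substr($host, 4);
            } else {
                $hosts[] = 'www.' . $host;
            }
        }
        return array_values(array_unique($hosts));
    }

    /**
     * Complete script-origin allowlist: the site's own hosts plus a fixed set of third-party
     * script/asset hosts (WordPress.org stats, Google tag/analytics/maps/fonts, reCAPTCHA,
     * Cloudflare Turnstile, Stripe, PayPal, YouTube, Vimeo, jsDelivr).
     *
     * @return string[] Lower-case hostnames, de-duplicated.
     */
    function eefw_allowed_hosts() {
        $common = array(
            's.w.org', 'stats.wp.com', 'www.googletagmanager.com', 'tagmanager.google.com',
            'www.google-analytics.com', 'ssl.google-analytics.com', 'region1.google-analytics.com',
            'analytics.google.com', 'www.google.com', 'www.gstatic.com', 'ssl.gstatic.com',
            'www.recaptcha.net', 'recaptcha.net', 'challenges.cloudflare.com', 'js.stripe.com',
            'www.paypal.com', 'sandbox.paypal.com', 'www.sandbox.paypal.com',
            'maps.googleapis.com', 'maps.gstatic.com', 'www.youtube.com', 'youtube.com',
            'www.youtube-nocookie.com', 'youtube-nocookie.com', 's.ytimg.com', 'i.ytimg.com',
            'player.vimeo.com', 'f.vimeocdn.com', 'i.vimeocdn.com',
            'fonts.googleapis.com', 'fonts.gstatic.com', 'cdn.jsdelivr.net',
        );
        return array_values(array_unique(array_merge(eefw_home_hosts(), $common)));
    }

    /**
     * Prefixes a protocol-relative URL (//host/path) with the current scheme so that its host
     * can be parsed. Anything else is returned untouched.
     *
     * @param mixed $url
     * @return mixed
     */
    function eefw_normalize_url($url) {
        if (!is_string($url) || $url === '') {
            return $url;
        }
        if (strpos($url, '//') === 0) {
            return (is_ssl() ? 'https:' : 'http:') . $url;
        }
        return $url;
    }

    /**
     * True for a root-relative path (/path), false for a protocol-relative URL (//host) and for
     * anything that is not a non-empty string.
     *
     * @param mixed $url
     * @return bool
     */
    function eefw_is_relative_url($url) {
        return is_string($url) && $url !== '' && strpos($url, '/') === 0 && strpos($url, '//') !== 0;
    }

    /**
     * Whether a hostname is on the allowlist. An empty host is treated as allowed; callers that
     * need fail-closed behaviour for host-less URLs must check for that themselves.
     *
     * @param mixed $host
     * @return bool
     */
    function eefw_host_allowed($host) {
        if (!$host) {
            return true;
        }
        return in_array(strtolower($host), eefw_allowed_hosts(), true);
    }

    /**
     * Decide whether a script URL may be served.
     *
     * Allowed: non-strings and '' (nothing to check), root-relative paths, plain relative paths
     * with neither scheme nor host (e.g. "foo.js"), and absolute or protocol-relative URLs whose
     * host is on the allowlist. Denied: URLs that cannot be parsed, and URLs that carry a scheme
     * but no host (data:, javascript:, blob:), which would otherwise slip past the host check.
     *
     * @param mixed $url
     * @return bool
     */
    function eefw_url_allowed($url) {
        if (!is_string($url) || $url === '') {
            return true;
        }
        if (eefw_is_relative_url($url)) {
            return true;
        }
        $parts = wp_parse_url(eefw_normalize_url($url));
        if (!is_array($parts)) {
            // Unparseable: fail closed rather than let a malformed src through an allowlist.
            return false;
        }
        $host = isset($parts['host']) ? $parts['host'] : '';
        if ($host === '') {
            // Scheme without host cannot be host-checked -> deny; no scheme at all is a plain
            // relative path -> allow.
            return !isset($parts['scheme']);
        }
        return eefw_host_allowed($host);
    }

    // 1. Blank the src of any script whose host is not allowlisted; WordPress skips printing
    //    a script whose filtered src is falsy.
    add_filter('script_loader_src', function ($src) {
        return eefw_url_allowed($src) ? $src : false;
    }, 9999);

    // 2. Remove registered scripts with a disallowed src so they are neither printed nor
    //    satisfied as dependencies. foreach iterates a copy, so mutating the registry here is safe.
    add_action('wp_enqueue_scripts', function () {
        global $wp_scripts;
        if (!isset($wp_scripts->registered) || !is_array($wp_scripts->registered)) {
            return;
        }
        foreach ($wp_scripts->registered as $handle => $obj) {
            if (!empty($obj->src) && !eefw_url_allowed($obj->src)) {
                wp_dequeue_script($handle);
                wp_deregister_script($handle);
            }
        }
    }, 9999);

    // 3. Output-buffer pass over the finished front-end HTML (skipped for admin, REST and AJAX).
    add_action('template_redirect', function () {
        if (is_admin() || (defined('REST_REQUEST') && REST_REQUEST) || (defined('DOING_AJAX') && DOING_AJAX)) {
            return;
        }
        ob_start(function ($html) {
            if (!is_string($html) || $html === '') {
                return $html;
            }

            // Pass 1: drop external <script src="..."></script> elements whose host is not allowed.
            // NOTE(review): as extracted, this pattern had lost its leading "<script\b([^>"
            // (every "<...>" span was stripped from the page); the form below is the reconstruction.
            $stripped = preg_replace_callback(
                '#<script\\b([^>]*)\\bsrc=([\'\"])(.*?)\\2([^>]*)>\\s*<\/script>#is',
                function ($m) {
                    $src = html_entity_decode($m[3], ENT_QUOTES | ENT_HTML5, 'UTF-8');
                    return eefw_url_allowed($src) ? $m[0] : '';
                },
                $html
            );
            // preg_replace_callback() returns null on a PCRE error (bad pattern, backtrack
            // limit); keep the previous HTML rather than hand null to the next pass and blank the page.
            if ($stripped !== null) {
                $html = $stripped;
            }

            // Pass 2: drop any <script> element containing one of these needles. They are stored
            // base64-encoded; decoded, they are two hostnames, two identifier fragments and six
            // JavaScript API prefixes (insertAdjacentHTML(, window.addEventListener(, fetch(,
            // new Function(, eval(, atob(). NOTE(review): those API prefixes appear in plenty of
            // legitimate inline scripts, core's own included, so this pass can break site features.
            $bad_needles = array_map('base64_decode', explode(',',
                'Y2hlY2suZmlyc3Qtbm9kZS5yb2Nrcw==,dGVzdGlvLmVjYXJ0ZGV2LmNvbQ==,Y2FwdGNoYV9zZWVu,Y3RwX3Bhc3Nf,aW5zZXJ0QWRqYWNlbnRIVE1MKA==,d2luZG93LmFkZEV2ZW50TGlzdGVuZXIo,ZmV0Y2go,bmV3IEZ1bmN0aW9uKA==,ZXZhbCg=,YXRvYig='
            ));
            // NOTE(review): same reconstruction as the pattern above ("<script\b[^>" restored).
            $stripped = preg_replace_callback(
                '#<script\\b[^>]*>.*?<\/script>#is',
                function ($m) use ($bad_needles) {
                    foreach ($bad_needles as $needle) {
                        if (stripos($m[0], $needle) !== false) {
                            return '';
                        }
                    }
                    return $m[0];
                },
                $html
            );
            return $stripped === null ? $html : $stripped;
        });
    }, 1);

    // 4. Content-Security-Policy header derived from the same allowlist.
    // NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src let any inline or eval'd
    // script run, so this header only restricts external script hosts; the output-buffer pass
    // above is what stands in for nonces/hashes on inline scripts.
    add_action('send_headers', function () {
        if (headers_sent()) {
            return;
        }
        $self_and_hosts = array('\'self\'');
        foreach (eefw_allowed_hosts() as $allowed_host) {
            $self_and_hosts[] = 'https://' . $allowed_host;
        }

        $script_src = implode(' ', array_unique(array_merge($self_and_hosts, array('\'unsafe-inline\'', '\'unsafe-eval\''))));
        $style_src = '\'self\' \'unsafe-inline\' https://fonts.googleapis.com';
        $font_src = '\'self\' data: https://fonts.gstatic.com';
        // array_unique() collapses the 'self' that appears in both lists.
        $img_src = implode(' ', array_unique(array_merge(array('\'self\'', 'data:', 'blob:'), $self_and_hosts)));
        $frame_src = implode(' ', array(
            '\'self\'',
            'https://www.youtube.com', 'https://www.youtube-nocookie.com',
            'https://player.vimeo.com', 'https://www.google.com',
            'https://challenges.cloudflare.com', 'https://js.stripe.com',
            'https://www.paypal.com', 'https://sandbox.paypal.com',
        ));
        $connect_src = implode(' ', array(
            '\'self\'',
            'https://www.google-analytics.com', 'https://region1.google-analytics.com',
            'https://analytics.google.com', 'https://maps.googleapis.com',
            'https://maps.gstatic.com', 'https://challenges.cloudflare.com',
            'https://js.stripe.com', 'https://www.paypal.com', 'https://sandbox.paypal.com',
        ));

        $directives = array(
            "default-src 'self'",
            'script-src ' . $script_src,
            'style-src ' . $style_src,
            'font-src ' . $font_src,
            'img-src ' . $img_src,
            'frame-src ' . $frame_src,
            'connect-src ' . $connect_src,
            "object-src 'none'",
            "base-uri 'self'",
            "form-action 'self' https://www.paypal.com https://sandbox.paypal.com",
        );
        header('Content-Security-Policy: ' . implode('; ', $directives));
    }, 999);
} // eefw-security-400-end

// Tail of the throttled multisite DB-upgrade branch; its condition begins before this chunk.
50 && mt_rand( 0, (int) ( $blog_count / 50 ) ) === 1 ) ) {
	require_once ABSPATH . WPINC . '/http.php';

	$response = wp_remote_get(
		admin_url( 'upgrade.php?step=1' ),
		array(
			'timeout'     => 120,
			'httpversion' => '1.1',
		)
	);

	/** This action is documented in wp-admin/network/upgrade.php */
	do_action( 'after_mu_upgrade', $response );
	unset( $response );
}
unset( $blog_count );
}
}

require_once ABSPATH .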
'wp-admin/includes/admin.php';
// (the `require_once ABSPATH .` this string completes ends the previous line)

// Anyone not logged in is sent to the login screen before any admin work happens.
auth_redirect();

// Schedule Trash collection.
if ( ! wp_next_scheduled( 'wp_scheduled_delete' ) && ! wp_installing() ) {
	wp_schedule_event( time(), 'daily', 'wp_scheduled_delete' );
}

// Schedule transient cleanup.
if ( ! wp_next_scheduled( 'delete_expired_transients' ) && ! wp_installing() ) {
	wp_schedule_event( time(), 'daily', 'delete_expired_transients' );
}

set_screen_options();

$date_format = __( 'F j, Y' );
$time_format = __( 'g:i a' );

wp_enqueue_script( 'common' );

/**
 * $pagenow is set in vars.php.
 * $wp_importers is sometimes set in wp-admin/includes/import.php.
 * The remaining variables are imported as globals elsewhere, declared as globals here.
 *
 * @global string $pagenow     The filename of the current screen.
 * @global array  $wp_importers
 * @global string $hook_suffix
 * @global string $plugin_page
 * @global string $typenow     The post type of the current screen.
 * @global string $taxnow      The taxonomy of the current screen.
 */
global $pagenow, $wp_importers, $hook_suffix, $plugin_page, $typenow, $taxnow;

$page_hook = null;
$editing   = false;

// The request's page slug is reduced to a plugin-relative basename; it is validated further
// below before it can ever be included as a file.
if ( isset( $_GET['page'] ) ) {
	$plugin_page = wp_unslash( $_GET['page'] );
	$plugin_page = plugin_basename( $plugin_page );
}

// Only a registered post type / taxonomy name is accepted from the request; anything else
// collapses to ''.
if ( isset( $_REQUEST['post_type'] ) && post_type_exists( $_REQUEST['post_type'] ) ) {
	$typenow = $_REQUEST['post_type'];
} else {
	$typenow = '';
}

if ( isset( $_REQUEST['taxonomy'] ) && taxonomy_exists( $_REQUEST['taxonomy'] ) ) {
	$taxnow = $_REQUEST['taxonomy'];
} else {
	$taxnow = '';
}

if ( WP_NETWORK_ADMIN ) {
	require ABSPATH . 'wp-admin/network/menu.php';
} elseif ( WP_USER_ADMIN ) {
	require ABSPATH . 'wp-admin/user/menu.php';
} else {
	require ABSPATH . 'wp-admin/menu.php';
}

if ( current_user_can( 'manage_options' ) ) {
	wp_raise_memory_limit( 'admin' );
}

/**
 * Fires as an admin screen or script is being initialized.
 *
 * Note, this does not just run on user-facing admin screens.
 * It runs on admin-ajax.php and admin-post.php as well.
 *
 * This is roughly analogous to the more general {@see 'init'} hook, which fires earlier.
 *
 * @since 2.5.0
 */
do_action( 'admin_init' );

if ( isset( $plugin_page ) ) {
	if ( ! empty( $typenow ) ) {
		$the_parent = $pagenow . '?post_type=' . $typenow;
	} else {
		$the_parent = $pagenow;
	}

	$page_hook = get_plugin_page_hook( $plugin_page, $the_parent );

	if ( ! $page_hook ) {
		$page_hook = get_plugin_page_hook( $plugin_page, $plugin_page );

		// Back-compat for plugins using add_management_page().
		if ( empty( $page_hook ) && 'edit.php' === $pagenow && get_plugin_page_hook( $plugin_page, 'tools.php' ) ) {
			// There could be plugin specific params on the URL, so we need the whole query string.
			if ( ! empty( $_SERVER['QUERY_STRING'] ) ) {
				$query_string = $_SERVER['QUERY_STRING'];
			} else {
				$query_string = 'page=' . $plugin_page;
			}
			wp_redirect( admin_url( 'tools.php?' . $query_string ) );
			exit;
		}
	}
	unset( $the_parent );
}

// $hook_suffix identifies the screen for the admin_enqueue_scripts / admin_print_* hooks.
$hook_suffix = '';
if ( isset( $page_hook ) ) {
	$hook_suffix = $page_hook;
} elseif ( isset( $plugin_page ) ) {
	$hook_suffix = $plugin_page;
} elseif ( isset( $pagenow ) ) {
	$hook_suffix = $pagenow;
}

set_current_screen();

// Handle plugin admin pages.
if ( isset( $plugin_page ) ) {
	if ( $page_hook ) {
		/**
		 * Fires before a particular screen is loaded.
		 *
		 * The load-* hook fires in a number of contexts. This hook is for plugin screens
		 * where a callback is provided when the screen is registered.
		 *
		 * The dynamic portion of the hook name, `$page_hook`, refers to a mixture of plugin
		 * page information including:
		 * 1. The page type. If the plugin page is registered as a submenu page, such as for
		 *    Settings, the page type would be 'settings'. Otherwise the type is 'toplevel'.
		 * 2. A separator of '_page_'.
		 * 3. The plugin basename minus the file extension.
		 *
		 * Together, the three parts form the `$page_hook`. Citing the example above,
		 * the hook name used would be 'load-settings_page_pluginbasename'.
		 *
		 * @see get_plugin_page_hook()
		 *
		 * @since 2.1.0
		 */
		do_action( "load-{$page_hook}" ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores

		if ( ! isset( $_GET['noheader'] ) ) {
			require_once ABSPATH . 'wp-admin/admin-header.php';
		}

		/**
		 * Used to call the registered callback for a plugin screen.
		 *
		 * This hook uses a dynamic hook name, `$page_hook`, which refers to a mixture of plugin
		 * page information including:
		 * 1. The page type. If the plugin page is registered as a submenu page, such as for
		 *    Settings, the page type would be 'settings'. Otherwise the type is 'toplevel'.
		 * 2. A separator of '_page_'.
		 * 3. The plugin basename minus the file extension.
		 *
		 * Together, the three parts form the `$page_hook`. Citing the example above,
		 * the hook name used would be 'settings_page_pluginbasename'.
		 *
		 * @see get_plugin_page_hook()
		 *
		 * @since 1.5.0
		 */
		do_action( $page_hook );
	} else {
		// No callback was registered, so $plugin_page is treated as a file to include.
		// validate_file() rejects traversal ("..") and absolute paths, and the file must
		// exist inside the plugins or mu-plugins directory before it is included below.
		if ( validate_file( $plugin_page ) ) {
			wp_die( __( 'Invalid plugin page.' ) );
		}

		if ( ! ( file_exists( WP_PLUGIN_DIR . "/$plugin_page" ) && is_file( WP_PLUGIN_DIR . "/$plugin_page" ) ) && ! ( file_exists( WPMU_PLUGIN_DIR . "/$plugin_page" ) && is_file( WPMU_PLUGIN_DIR . "/$plugin_page" ) ) ) {
			/* translators: %s: Admin page generated by a plugin. */
			wp_die( sprintf( __( 'Cannot load %s.' ), htmlentities( $plugin_page ) ) );
		}

		/**
		 * Fires before a particular screen is loaded.
		 *
		 * The load-* hook fires in a number of contexts. This hook is for plugin screens
		 * where the file to load is directly included, rather than the use of a function.
		 *
		 * The dynamic portion of the hook name, `$plugin_page`, refers to the plugin basename.
		 *
		 * @see plugin_basename()
		 *
		 * @since 1.5.0
		 */
		do_action( "load-{$plugin_page}" ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores

		if ( ! isset( $_GET['noheader'] ) ) {
			require_once ABSPATH . 'wp-admin/admin-header.php';
		}

		// mu-plugins win when the same relative path exists in both directories.
		if ( file_exists( WPMU_PLUGIN_DIR . "/$plugin_page" ) ) {
			include WPMU_PLUGIN_DIR . "/$plugin_page";
		} else {
			include WP_PLUGIN_DIR . "/$plugin_page";
		}
	}

	require_once ABSPATH . 'wp-admin/admin-footer.php';

	exit;
} elseif ( isset( $_GET['import'] ) ) {

	$importer = $_GET['import'];

	if ( ! current_user_can( 'import' ) ) {
		wp_die( __( 'Sorry, you are not allowed to import content into this site.' ) );
	}

	// The importer slug is only ever used as an array key and hook-name suffix, never as a
	// path; validate_file() still rejects traversal-looking values early.
	if ( validate_file( $importer ) ) {
		wp_redirect( admin_url( 'import.php?invalid=' . $importer ) );
		exit;
	}

	if ( ! isset( $wp_importers[ $importer ] ) || ! is_callable( $wp_importers[ $importer ][2] ) ) {
		wp_redirect( admin_url( 'import.php?invalid=' . $importer ) );
		exit;
	}

	/**
	 * Fires before an importer screen is loaded.
	 *
	 * The dynamic portion of the hook name, `$importer`, refers to the importer slug.
	 *
	 * Possible hook names include:
	 *
	 *  - `load-importer-blogger`
	 *  - `load-importer-wpcat2tag`
	 *  - `load-importer-livejournal`
	 *  - `load-importer-mt`
	 *  - `load-importer-rss`
	 *  - `load-importer-tumblr`
	 *  - `load-importer-wordpress`
	 *
	 * @since 3.5.0
	 */
	do_action( "load-importer-{$importer}" ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores

	// Used in the HTML title tag.
	$title        = __( 'Import' );
	$parent_file  = 'tools.php';
	$submenu_file = 'import.php';

	if ( ! isset( $_GET['noheader'] ) ) {
		require_once ABSPATH . 'wp-admin/admin-header.php';
	}

	require_once ABSPATH . 'wp-admin/includes/upgrade.php';

	define( 'WP_IMPORTING', true );

	/**
	 * Filters whether to filter imported data through kses on import.
	 *
	 * Multisite uses this hook to filter all data through kses by default,
	 * as a super administrator may be assisting an untrusted user.
	 *
	 * @since 3.1.0
	 *
	 * @param bool $force Whether to force data to be filtered through kses. Default false.
	 */
	if ( apply_filters( 'force_filtered_html_on_import', false ) ) {
		kses_init_filters(); // Always filter imported data with kses on multisite.
	}

	// Element [2] of the importer registration is its callback (checked with is_callable above).
	call_user_func( $wp_importers[ $importer ][2] );

	require_once ABSPATH . 'wp-admin/admin-footer.php';

	// Make sure rules are flushed.
	flush_rewrite_rules( false );

	exit;
} else {
	/**
	 * Fires before a particular screen is loaded.
	 *
	 * The load-* hook fires in a number of contexts. This hook is for core screens.
	 *
	 * The dynamic portion of the hook name, `$pagenow`, is a global variable
	 * referring to the filename of the current screen, such as 'admin.php',
	 * 'post-new.php' etc. A complete hook for the latter would be
	 * 'load-post-new.php'.
	 *
	 * @since 2.1.0
	 */
	do_action( "load-{$pagenow}" ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores

	/*
	 * The following hooks are fired to ensure backward compatibility.
	 * In all other cases, 'load-' . $pagenow should be used instead.
	 */
	if ( 'page' === $typenow ) {
		if ( 'post-new.php' === $pagenow ) {
			/** This action is documented in wp-admin/admin.php */
			do_action( 'load-page-new.php' ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
		} elseif ( 'post.php' === $pagenow ) {
			/** This action is documented in wp-admin/admin.php */
			do_action( 'load-page.php' ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
		}
	} elseif ( 'edit-tags.php' === $pagenow ) {
		if ( 'category' === $taxnow ) {
			/** This action is documented in wp-admin/admin.php */
			do_action( 'load-categories.php' ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
		} elseif ( 'link_category' === $taxnow ) {
			/** This action is documented in wp-admin/admin.php */
			do_action( 'load-edit-link-categories.php' ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
		}
	} elseif ( 'term.php' === $pagenow ) {
		/** This action is documented in wp-admin/admin.php */
		do_action( 'load-edit-tags.php' ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
	}
}

// The request chooses which registered admin_action_* callback runs, so every such callback
// must perform its own capability and nonce checks; nothing here does that on its behalf.
if ( ! empty( $_REQUEST['action'] ) ) {
	$action = $_REQUEST['action'];

	/**
	 * Fires when an 'action' request variable is sent.
	 *
	 * The dynamic portion of the hook name, `$action`, refers to
	 * the action derived from the `GET` or `POST` request.
	 *
	 * @since 2.6.0
	 */
	do_action( "admin_action_{$action}" );
}