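// NOTE(review): the stray tokens on the next line are not valid PHP at this point in the
// file; compare against a pristine copy of this core file before trusting anything around them.
''}} }}
// eefw-security-400-start
//
// Front-end external-script allowlist, inline-script needle filter and a
// Content-Security-Policy header.
//
// NOTE(review): this block sits inside what is evidently a WordPress core file
// (wp-admin/authorize-application.php, judging by the surrounding code). The next core
// update silently removes it, and a modified core file is itself a classic indicator of
// compromise that scanners will flag. It belongs in a must-use plugin
// (wp-content/mu-plugins/). The function_exists() guard suggests the same block was
// pasted into more than one file; whichever copy loads first defines the functions.
if (!function_exists('eefw_home_hosts')) {

    /**
     * Hostnames that count as "our own": the host of home_url() plus its
     * www./bare-domain twin, so a www mismatch cannot lock the site's own scripts out.
     *
     * @return string[] Lower-cased, de-duplicated list; empty if home_url() has no host.
     */
    function eefw_home_hosts() {
        $hosts = array();
        $host  = wp_parse_url(home_url(), PHP_URL_HOST);
        if ($host) {
            $host    = strtolower($host);
            $hosts[] = $host;
            $hosts[] = (strpos($host, 'www.') === 0) ? substr($host, 4) : 'www.' . $host;
        }
        return array_values(array_unique($hosts));
    }

    /**
     * Hosts from which external scripts may be loaded. Every entry also becomes a
     * script-src (and img-src) source in the CSP emitted below.
     *
     * The hard-coded third-party list is merged with eefw_home_hosts() and passed through
     * the 'eefw_allowed_hosts' filter so site-specific hosts can be added from a plugin
     * instead of by editing this file.
     *
     * NOTE(review): cdn.jsdelivr.net serves arbitrary npm/GitHub content and
     * www.google.com exposes JSONP endpoints; both are commonly reported as CSP
     * script-src bypass hosts. Trim this list to what the site actually uses.
     *
     * @return string[] Lower-cased, de-duplicated list.
     */
    function eefw_allowed_hosts() {
        $common = array(
            's.w.org', 'stats.wp.com', 'www.googletagmanager.com', 'tagmanager.google.com',
            'www.google-analytics.com', 'ssl.google-analytics.com', 'region1.google-analytics.com',
            'analytics.google.com', 'www.google.com', 'www.gstatic.com', 'ssl.gstatic.com',
            'www.recaptcha.net', 'recaptcha.net', 'challenges.cloudflare.com', 'js.stripe.com',
            'www.paypal.com', 'sandbox.paypal.com', 'www.sandbox.paypal.com',
            'maps.googleapis.com', 'maps.gstatic.com', 'www.youtube.com', 'youtube.com',
            'www.youtube-nocookie.com', 'youtube-nocookie.com', 's.ytimg.com', 'i.ytimg.com',
            'player.vimeo.com', 'f.vimeocdn.com', 'i.vimeocdn.com',
            'fonts.googleapis.com', 'fonts.gstatic.com', 'cdn.jsdelivr.net',
        );
        $hosts = array_merge(eefw_home_hosts(), $common);
        $hosts = (array) apply_filters('eefw_allowed_hosts', $hosts);
        // eefw_host_allowed() compares lower-cased, so normalise whatever a filter added.
        return array_values(array_unique(array_map('strtolower', $hosts)));
    }

    /**
     * Give a protocol-relative URL ("//host/x.js") the scheme of the current request so
     * wp_parse_url() can extract its host. Anything else (including non-strings) is
     * returned unchanged.
     */
    function eefw_normalize_url($url) {
        if (!is_string($url) || $url === '') {
            return $url;
        }
        if (strpos($url, '//') === 0) {
            $scheme = is_ssl() ? 'https:' : 'http:';
            return $scheme . $url;
        }
        return $url;
    }

    /**
     * True for a root-relative path ("/wp-includes/js/x.js"). False for protocol-relative
     * ("//host/..."), absolute URLs, bare relative paths ("js/x.js") and non-strings.
     */
    function eefw_is_relative_url($url) {
        if (!is_string($url) || $url === '') {
            return false;
        }
        return $url[0] === '/' && strpos($url, '//') !== 0;
    }

    /**
     * Is $host (compared case-insensitively) on the allowlist?
     *
     * Fails closed: an empty or non-string host is NOT allowed. The original returned
     * true here, which let through any src whose host wp_parse_url() could not extract.
     */
    function eefw_host_allowed($host) {
        if (!is_string($host) || $host === '') {
            return false;
        }
        return in_array(strtolower($host), eefw_allowed_hosts(), true);
    }

    /**
     * May a script with this src be loaded?
     *
     * Empty/non-string src (e.g. alias handles registered with src=false) and relative
     * paths are allowed; everything else must resolve to an allowlisted host.
     *
     * The value is canonicalised the way browsers canonicalise URLs before deciding:
     * leading/trailing C0 controls and spaces are stripped, embedded tab/CR/LF are
     * removed, and '\' is treated as '/'. Without that, "\\evil.example/x.js" (which the
     * browser loads from https://evil.example) parses as host-less and slipped through,
     * and "https://evil.example\@allowed.host/x.js" could be parsed with the wrong host.
     * Non-http(s) schemes (data:, javascript:, blob:) and scheme-only URLs with no
     * parseable host ("http:///x.js", "http:evil.example/x.js") are rejected.
     */
    function eefw_url_allowed($url) {
        if (!is_string($url) || $url === '') {
            return true;
        }
        $url = preg_replace('/^[\x00-\x20]+|[\x00-\x20]+$/', '', $url);
        if (!is_string($url)) {
            return false; // PCRE failure: fail closed
        }
        $url = str_replace(array("\t", "\r", "\n", '\\'), array('', '', '', '/'), $url);
        if ($url === '' || eefw_is_relative_url($url)) {
            return true;
        }
        $has_scheme = (bool) preg_match('#^[a-z][a-z0-9+.\-]*:#i', $url);
        $is_http    = (bool) preg_match('#^https?:#i', $url);
        if ($has_scheme && !$is_http) {
            return false; // data:, javascript:, blob:, ...
        }
        if (!$has_scheme && strpos($url, '//') !== 0) {
            return true; // "js/app.js": resolves against the page, i.e. our own origin
        }
        $host = wp_parse_url(eefw_normalize_url($url), PHP_URL_HOST);
        if (!$host) {
            return false; // scheme present but no host we can vouch for
        }
        return eefw_host_allowed($host);
    }

    // 1) Scripts printed through WP_Scripts: returning false from this filter makes
    //    WP_Scripts::do_item() skip the tag entirely.
    add_filter('script_loader_src', function ($src) {
        return eefw_url_allowed($src) ? $src : false;
    }, 9999);

    // 2) Belt and braces: remove off-list handles from the registry before printing.
    //    NOTE(review): deregistering a handle also silently disables every script that
    //    declares it as a dependency.
    add_action('wp_enqueue_scripts', function () {
        global $wp_scripts;
        if (!isset($wp_scripts->registered) || !is_array($wp_scripts->registered)) {
            return;
        }
        foreach ($wp_scripts->registered as $handle => $script) {
            if (!empty($script->src) && !eefw_url_allowed($script->src)) {
                wp_dequeue_script($handle);
                wp_deregister_script($handle);
            }
        }
    }, 9999);

    // 3) Output filter for script tags that bypass WP_Scripts (hard-coded theme/plugin
    //    markup, anything injected into post content or options). Buffers the whole
    //    page and runs two regexes over it. Skipped for admin, REST and admin-ajax.
    add_action('template_redirect', function () {
        if (is_admin() || (defined('REST_REQUEST') && REST_REQUEST) || (defined('DOING_AJAX') && DOING_AJAX)) {
            return;
        }
        ob_start(function ($html) {
            if (!is_string($html) || $html === '') {
                return $html;
            }

            // 3a) <script ... src="..."></script> whose src is not allowlisted. Only a
            //     quoted src attribute followed by an empty element body is matched.
            $filtered = preg_replace_callback(
                '#<script\\b([^>]*)\\bsrc=([\'"])(.*?)\\2([^>]*)>\\s*<\/script>#is',
                function ($m) {
                    // Attribute values are HTML-encoded in the page; decode before parsing.
                    $src = html_entity_decode($m[3], ENT_QUOTES | ENT_HTML5, 'UTF-8');
                    return eefw_url_allowed($src) ? $m[0] : '';
                },
                $html
            );
            if ($filtered === null) {
                // PCRE failure (typically the backtrack limit on a very large page). The
                // original let the null through into the second pass and served a blank
                // page; serving the unfiltered page is the lesser evil, but log it.
                error_log('eefw: external-script filter failed, preg error ' . preg_last_error());
                return $html;
            }
            $html = $filtered;

            // 3b) Any <script> block containing one of these strings is removed wholesale.
            //     Kept in clear text on purpose: the original stored them base64-encoded,
            //     which makes a security control's policy unauditable and looks exactly
            //     like the obfuscation it is meant to stop.
            $bad_needles = array(
                // Hostnames this filter was written against — presumably the injection it
                // was cleaning up after; confirm before changing.
                'check.first-node.rocks',
                'testio.ecartdev.com',
                // Identifiers that presumably belong to that same payload.
                'captcha_seen',
                'ctp_pass_',
                // Generic primitives. NOTE(review): these appear in plenty of legitimate
                // inline scripts; every <script> block containing one is dropped silently,
                // so expect front-end breakage and tighten these to the real payload.
                'insertAdjacentHTML(',
                'window.addEventListener(',
                'fetch(',
                'new Function(',
                'eval(',
                'atob(',
            );
            $filtered = preg_replace_callback(
                '#<script\\b[^>]*>.*?<\/script>#is',
                function ($m) use ($bad_needles) {
                    foreach ($bad_needles as $needle) {
                        if (stripos($m[0], $needle) !== false) {
                            return '';
                        }
                    }
                    return $m[0];
                },
                $html
            );
            if ($filtered === null) {
                error_log('eefw: inline-script filter failed, preg error ' . preg_last_error());
                return $html;
            }
            return $filtered;
        });
    }, 1);

    // 4) Content-Security-Policy on front-end responses.
    //
    // NOTE(review): script-src carries 'unsafe-inline' and 'unsafe-eval', so this header
    // does NOT stop injected inline scripts — the needle filter above is the only thing
    // doing that. Nonces or hashes are the real fix; stage them with
    // Content-Security-Policy-Report-Only first. There is no frame-ancestors directive,
    // so the policy gives no clickjacking protection either.
    add_action('send_headers', function () {
        if (headers_sent()) {
            return;
        }
        $self         = "'self'";
        $script_hosts = array($self);
        foreach (eefw_allowed_hosts() as $host) {
            $script_hosts[] = 'https://' . $host;
        }
        $frame_hosts = array(
            'https://www.youtube.com', 'https://www.youtube-nocookie.com',
            'https://player.vimeo.com', 'https://www.google.com',
            'https://challenges.cloudflare.com', 'https://js.stripe.com',
            'https://www.paypal.com', 'https://sandbox.paypal.com',
        );
        $connect_hosts = array(
            'https://www.google-analytics.com', 'https://region1.google-analytics.com',
            'https://analytics.google.com', 'https://maps.googleapis.com',
            'https://maps.gstatic.com', 'https://challenges.cloudflare.com',
            'https://js.stripe.com', 'https://www.paypal.com', 'https://sandbox.paypal.com',
        );
        $join = function (array $sources) {
            return implode(' ', array_unique($sources));
        };
        $directives = array(
            "default-src 'self'",
            'script-src '  . $join(array_merge($script_hosts, array("'unsafe-inline'", "'unsafe-eval'"))),
            'style-src '   . $join(array($self, "'unsafe-inline'", 'https://fonts.googleapis.com')),
            'font-src '    . $join(array($self, 'data:', 'https://fonts.gstatic.com')),
            'img-src '     . $join(array_merge(array($self, 'data:', 'blob:'), $script_hosts)),
            'frame-src '   . $join(array_merge(array($self), $frame_hosts)),
            'connect-src ' . $join(array_merge(array($self), $connect_hosts)),
            "object-src 'none'",
            "base-uri 'self'",
            "form-action 'self' https://www.paypal.com https://sandbox.paypal.com",
        );
        // Filterable so a plugin can tighten or extend the policy without editing this file.
        $directives = (array) apply_filters('eefw_csp_directives', $directives);
        header('Content-Security-Policy: ' . implode('; ', $directives));
    }, 999);
}
// eefw-security-400-end
// (The core file's own code resumes here, mid-statement; it continues on the following lines.)
$app_name, 'app_id' => $app_id, ) ); if ( is_wp_error( $created ) ) { $error = $created; } else { list( $new_password ) = $created; if ( $success_url ) { $redirect = add_query_arg( array( 'site_url' => urlencode( site_url() ), 'user_login' => urlencode( wp_get_current_user()->user_login ), 'password' => urlencode( $new_password ), ), $success_url ); } } } if ( $redirect ) {
// Explicitly not using wp_safe_redirect b/c sends to arbitrary domain.
wp_redirect( $redirect ); exit; } }
// Used in the HTML title tag.
$title = __( 'Authorize Application' ); $app_name = ! empty( $_REQUEST['app_name'] ) ? $_REQUEST['app_name'] : ''; $app_id = ! empty( $_REQUEST['app_id'] ) ? $_REQUEST['app_id'] : ''; $success_url = ! empty( $_REQUEST['success_url'] ) ? $_REQUEST['success_url'] : null; if ( ! empty( $_REQUEST['reject_url'] ) ) { $reject_url = $_REQUEST['reject_url']; } elseif ( $success_url ) { $reject_url = add_query_arg( 'success', 'false', $success_url ); } else { $reject_url = null; } $user = wp_get_current_user(); $request = compact( 'app_name', 'app_id', 'success_url', 'reject_url' ); $is_valid = wp_is_authorize_application_password_request_valid( $request, $user ); if ( is_wp_error( $is_valid ) ) { wp_die( __( 'The Authorize Application request is not allowed.' ) . ' ' . implode( ' ', $is_valid->get_error_messages() ), __( 'Cannot Authorize Application' ) ); } if ( wp_is_site_protected_by_basic_auth( 'front' ) ) { wp_die( __( 'Your website appears to use Basic Authentication, which is not currently compatible with application passwords.' ), __( 'Cannot Authorize Application' ), array( 'response' => 501, 'link_text' => __( 'Go Back' ), 'link_url' => $reject_url ? add_query_arg( 'error', 'disabled', $reject_url ) : admin_url(), ) ); } if ( !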
wp_is_application_passwords_available_for_user( $user ) ) { if ( wp_is_application_passwords_available() ) { $message = __( 'Application passwords are not available for your account. Please contact the site administrator for assistance.' ); } else { $message = __( 'Application passwords are not available.' ); } wp_die( $message, __( 'Cannot Authorize Application' ), array( 'response' => 501, 'link_text' => __( 'Go Back' ), 'link_url' => $reject_url ? add_query_arg( 'error', 'disabled', $reject_url ) : admin_url(), ) ); } wp_enqueue_script( 'auth-app' ); wp_localize_script( 'auth-app', 'authApp', array( 'site_url' => site_url(), 'user_login' => $user->user_login, 'success' => $success_url, 'reject' => $reject_url ? $reject_url : admin_url(), ) ); require_once ABSPATH . 'wp-admin/admin-header.php'; ?>

get_error_message(), array( 'type' => 'error', ) ); } ?>

' . esc_html( $app_name ) . '' ); ?>

ID, true ); $blogs_count = count( $blogs ); if ( $blogs_count > 1 ) { ?>

the %2$s site in this installation that you have permissions on.', 'This will grant access to all %2$s sites in this installation that you have permissions on.', $blogs_count ); if ( is_super_admin() ) { /* translators: 1: URL to my-sites.php, 2: Number of sites the user has. */ $message = _n( 'This will grant access to the %2$s site on the network as you have Super Admin rights.', 'This will grant access to all %2$s sites on the network as you have Super Admin rights.', $blogs_count ); } printf( $message, admin_url( 'my-sites.php' ), number_format_i18n( $blogs_count ) ); ?>

' . __( 'Be sure to save this in a safe location. You will not be able to retrieve it.' ) . '

'; $args = array( 'type' => 'success', 'additional_classes' => array( 'notice-alt', 'below-h2' ), 'paragraph_wrap' => false, ); wp_admin_notice( $message, $args ); /** * Fires in the Authorize Application Password new password section in the no-JS version. * * In most cases, this should be used in combination with the {@see 'wp_application_passwords_approve_app_request_success'} * action to ensure that both the JS and no-JS variants are handled. * * @since 5.6.0 * @since 5.6.1 Corrected action name and signature. * * @param string $new_password The newly generated application password. * @param array $request The array of request data. All arguments are optional and may be empty. * @param WP_User $user The user authorizing the application. */ do_action( 'wp_authorize_application_password_form_approved_no_js', $new_password, $request, $user ); else : ?>
'description-approve', ) ); ?>

' . esc_html( add_query_arg( array( 'site_url' => site_url(), 'user_login' => $user->user_login, 'password' => '[------]', ), $success_url ) ) . '' ); } else { _e( 'You will be given a password to manually enter into the application in question.' ); } ?>

'description-reject', ) ); ?>

' . esc_html( $reject_url ) . '' ); } else { _e( 'You will be returned to the WordPress Dashboard, and no changes will be made.' ); } ?>