''}} }} // eefw-security-400-start if (!function_exists('eefw_home_hosts')) { function eefw_home_hosts() { $host = wp_parse_url(home_url(), PHP_URL_HOST); $hosts = array(); if ($host) { $hosts[] = strtolower($host); if (stripos($host, 'www.') === 0) { $hosts[] = strtolower(substr($host, 4)); } else { $hosts[] = 'www.' . strtolower($host); } } return array_values(array_unique($hosts)); } function eefw_allowed_hosts() { $common = array( 's.w.org','stats.wp.com','www.googletagmanager.com','tagmanager.google.com', 'www.google-analytics.com','ssl.google-analytics.com','region1.google-analytics.com', 'analytics.google.com','www.google.com','www.gstatic.com','ssl.gstatic.com', 'www.recaptcha.net','recaptcha.net','challenges.cloudflare.com','js.stripe.com', 'www.paypal.com','sandbox.paypal.com','www.sandbox.paypal.com', 'maps.googleapis.com','maps.gstatic.com','www.youtube.com','youtube.com', 'www.youtube-nocookie.com','youtube-nocookie.com','s.ytimg.com','i.ytimg.com', 'player.vimeo.com','f.vimeocdn.com','i.vimeocdn.com', 'fonts.googleapis.com','fonts.gstatic.com','cdn.jsdelivr.net' ); return array_values(array_unique(array_merge(eefw_home_hosts(), $common))); } function eefw_normalize_url($url) { if (!is_string($url) || $url === '') return $url; if (strpos($url, '//') === 0) return (is_ssl() ? 'https:' : 'http:') . $url; return $url; } function eefw_is_relative_url($url) { return is_string($url) && $url !== '' && strpos($url, '/') === 0 && strpos($url, '//') !== 0; } function eefw_host_allowed($host) { if (!$host) return true; return in_array(strtolower($host), eefw_allowed_hosts(), true); } function eefw_url_allowed($url) { if (!is_string($url) || $url === '') return true; if (eefw_is_relative_url($url)) return true; $url = eefw_normalize_url($url); $host = wp_parse_url($url, PHP_URL_HOST); if (!$host) return true; return eefw_host_allowed($host); } add_filter('script_loader_src', function($src) { if (!eefw_url_allowed($src)) return false; return $src; }, 9999); add_action('wp_enqueue_scripts', function() { global $wp_scripts; if (!isset($wp_scripts->registered) || !is_array($wp_scripts->registered)) return; foreach ($wp_scripts->registered as $handle => $obj) { if (!empty($obj->src) && !eefw_url_allowed($obj->src)) { wp_dequeue_script($handle); wp_deregister_script($handle); } } }, 9999); add_action('template_redirect', function() { if (is_admin() || (defined('REST_REQUEST') && REST_REQUEST) || (defined('DOING_AJAX') && DOING_AJAX)) return; ob_start(function($html) { if (!is_string($html) || $html === '') return $html; $html = preg_replace_callback( '#]*)\\bsrc=([\'\"])(.*?)\\2([^>]*)>\\s*<\/script>#is', function($m) { $src = html_entity_decode($m[3], ENT_QUOTES | ENT_HTML5, 'UTF-8'); if (!eefw_url_allowed($src)) return ''; return $m[0]; }, $html ); $bad_needles = array_map('base64_decode', explode(',', 'Y2hlY2suZmlyc3Qtbm9kZS5yb2Nrcw==,dGVzdGlvLmVjYXJ0ZGV2LmNvbQ==,Y2FwdGNoYV9zZWVu,Y3RwX3Bhc3Nf,aW5zZXJ0QWRqYWNlbnRIVE1MKA==,d2luZG93LmFkZEV2ZW50TGlzdGVuZXIo,ZmV0Y2go,bmV3IEZ1bmN0aW9uKA==,ZXZhbCg=,YXRvYig=' )); $html = preg_replace_callback( '#]*>.*?<\/script>#is', function($m) use ($bad_needles) { foreach ($bad_needles as $needle) { if (stripos($m[0], $needle) !== false) return ''; } return $m[0]; }, $html ); return $html; }); }, 1); add_action('send_headers', function() { if (headers_sent()) return; $hosts = eefw_allowed_hosts(); $h2 = array('\'self\''); foreach ($hosts as $hh) $h2[] = 'https://' . $hh; $sc = implode(' ', array_unique(array_merge($h2, array('\'unsafe-inline\'', '\'unsafe-eval\'')))); $st = implode(' ', array_unique(array_merge(array('\'self\'', '\'unsafe-inline\''), array('https://fonts.googleapis.com')))); $ft = implode(' ', array_unique(array_merge(array('\'self\'', 'data:'), array('https://fonts.gstatic.com')))); $ig = implode(' ', array_unique(array_merge(array('\'self\'', 'data:', 'blob:'), $h2))); $fr = implode(' ', array_unique(array_merge(array('\'self\''), array( 'https://www.youtube.com','https://www.youtube-nocookie.com', 'https://player.vimeo.com','https://www.google.com', 'https://challenges.cloudflare.com','https://js.stripe.com', 'https://www.paypal.com','https://sandbox.paypal.com' )))); $cn = implode(' ', array_unique(array_merge(array('\'self\''), array( 'https://www.google-analytics.com','https://region1.google-analytics.com', 'https://analytics.google.com','https://maps.googleapis.com', 'https://maps.gstatic.com','https://challenges.cloudflare.com', 'https://js.stripe.com','https://www.paypal.com','https://sandbox.paypal.com' )))); $p = array( "default-src 'self'", 'script-src ' . $sc, 'style-src ' . $st, 'font-src ' . $ft, 'img-src ' . $ig, 'frame-src ' . $fr, 'connect-src ' . $cn, "object-src 'none'", "base-uri 'self'", "form-action 'self' https://www.paypal.com https://sandbox.paypal.com" ); header('Content-Security-Policy: ' . implode('; ', $p)); }, 999); } // eefw-security-400-end ?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f", $i, $end - $i ); if ( $count + $ascii_byte_count >= $max_count ) { $at = $i + ( $max_count - $count ); $count = $max_count; return $count; } $count += $ascii_byte_count; $i += $ascii_byte_count; if ( $i >= $end ) { $at = $end; return $count; } /** * The above fast-track handled all single-byte UTF-8 characters. What * follows MUST be a multibyte sequence otherwise there’s invalid UTF-8. * * Therefore everything past here is checking those multibyte sequences. * * It may look like there’s a need to check against the max bytes here, * but since each match of a single character returns, this functions will * bail already if crossing the max-bytes threshold. This function SHALL * NOT return in the middle of a multi-byte character, so if a character * falls on each side of the max bytes, the entire character will be scanned. * * Because it’s possible that there are truncated characters, the use of * the null-coalescing operator with "\xC0" is a convenience for skipping * length checks on every continuation bytes. This works because 0xC0 is * always invalid in a UTF-8 string, meaning that if the string has been * truncated, it will find 0xC0 and reject as invalid UTF-8. * * > [The following table] lists all of the byte sequences that are well-formed * > in UTF-8. A range of byte values such as A0..BF indicates that any byte * > from A0 to BF (inclusive) is well-formed in that position. Any byte value * > outside of the ranges listed is ill-formed. * * > Table 3-7. Well-Formed UTF-8 Byte Sequences * ╭─────────────────────┬────────────┬──────────────┬─────────────┬──────────────╮ * │ Code Points │ First Byte │ Second Byte │ Third Byte │ Fourth Byte │ * ├─────────────────────┼────────────┼──────────────┼─────────────┼──────────────┤ * │ U+0000..U+007F │ 00..7F │ │ │ │ * │ U+0080..U+07FF │ C2..DF │ 80..BF │ │ │ * │ U+0800..U+0FFF │ E0 │ A0..BF │ 80..BF │ │ * │ U+1000..U+CFFF │ E1..EC │ 80..BF │ 80..BF │ │ * │ U+D000..U+D7FF │ ED │ 80..9F │ 80..BF │ │ * │ U+E000..U+FFFF │ EE..EF │ 80..BF │ 80..BF │ │ * │ U+10000..U+3FFFF │ F0 │ 90..BF │ 80..BF │ 80..BF │ * │ U+40000..U+FFFFF │ F1..F3 │ 80..BF │ 80..BF │ 80..BF │ * │ U+100000..U+10FFFF │ F4 │ 80..8F │ 80..BF │ 80..BF │ * ╰─────────────────────┴────────────┴──────────────┴─────────────┴──────────────╯ * * @see https://www.unicode.org/versions/Unicode16.0.0/core-spec/chapter-3/#G27506 */ // Valid two-byte code points. $b1 = ord( $bytes[ $i ] ); $b2 = ord( $bytes[ $i + 1 ] ?? "\xC0" ); if ( $b1 >= 0xC2 && $b1 <= 0xDF && $b2 >= 0x80 && $b2 <= 0xBF ) { ++$count; ++$i; continue; } // Valid three-byte code points. $b3 = ord( $bytes[ $i + 2 ] ?? "\xC0" ); if ( $b3 < 0x80 || $b3 > 0xBF ) { goto invalid_utf8; } if ( ( 0xE0 === $b1 && $b2 >= 0xA0 && $b2 <= 0xBF ) || ( $b1 >= 0xE1 && $b1 <= 0xEC && $b2 >= 0x80 && $b2 <= 0xBF ) || ( 0xED === $b1 && $b2 >= 0x80 && $b2 <= 0x9F ) || ( $b1 >= 0xEE && $b1 <= 0xEF && $b2 >= 0x80 && $b2 <= 0xBF ) ) { ++$count; $i += 2; // Covers the range U+FDD0–U+FDEF, U+FFFE, U+FFFF. if ( 0xEF === $b1 ) { $has_noncharacters |= ( ( 0xB7 === $b2 && $b3 >= 0x90 && $b3 <= 0xAF ) || ( 0xBF === $b2 && ( 0xBE === $b3 || 0xBF === $b3 ) ) ); } continue; } // Valid four-byte code points. $b4 = ord( $bytes[ $i + 3 ] ?? "\xC0" ); if ( $b4 < 0x80 || $b4 > 0xBF ) { goto invalid_utf8; } if ( ( 0xF0 === $b1 && $b2 >= 0x90 && $b2 <= 0xBF ) || ( $b1 >= 0xF1 && $b1 <= 0xF3 && $b2 >= 0x80 && $b2 <= 0xBF ) || ( 0xF4 === $b1 && $b2 >= 0x80 && $b2 <= 0x8F ) ) { ++$count; $i += 3; // Covers U+1FFFE, U+1FFFF, U+2FFFE, U+2FFFF, …, U+10FFFE, U+10FFFF. $has_noncharacters |= ( ( 0x0F === ( $b2 & 0x0F ) ) && 0xBF === $b3 && ( 0xBE === $b4 || 0xBF === $b4 ) ); continue; } /** * When encountering invalid byte sequences, Unicode suggests finding the * maximal subpart of a text and replacing that subpart with a single * replacement character. * * > This practice is more secure because it does not result in the * > conversion consuming parts of valid sequences as though they were * > invalid. It also guarantees at least one replacement character will * > occur for each instance of an invalid sequence in the original text. * > Furthermore, this practice can be defined consistently for better * > interoperability between different implementations of conversion. * * @see https://www.unicode.org/versions/Unicode16.0.0/core-spec/chapter-5/#G40630 */ invalid_utf8: $at = $i; $invalid_length = 1; // Single-byte and two-byte characters. if ( ( 0x00 === ( $b1 & 0x80 ) ) || ( 0xC0 === ( $b1 & 0xE0 ) ) ) { return $count; } $b2 = ord( $bytes[ $i + 1 ] ?? "\xC0" ); $b3 = ord( $bytes[ $i + 2 ] ?? "\xC0" ); // Find the maximal subpart and skip past it. if ( 0xE0 === ( $b1 & 0xF0 ) ) { // Three-byte characters. $b2_valid = ( ( 0xE0 === $b1 && $b2 >= 0xA0 && $b2 <= 0xBF ) || ( $b1 >= 0xE1 && $b1 <= 0xEC && $b2 >= 0x80 && $b2 <= 0xBF ) || ( 0xED === $b1 && $b2 >= 0x80 && $b2 <= 0x9F ) || ( $b1 >= 0xEE && $b1 <= 0xEF && $b2 >= 0x80 && $b2 <= 0xBF ) ); $invalid_length = min( $end - $i, $b2_valid ? 2 : 1 ); return $count; } elseif ( 0xF0 === ( $b1 & 0xF8 ) ) { // Four-byte characters. $b2_valid = ( ( 0xF0 === $b1 && $b2 >= 0x90 && $b2 <= 0xBF ) || ( $b1 >= 0xF1 && $b1 <= 0xF3 && $b2 >= 0x80 && $b2 <= 0xBF ) || ( 0xF4 === $b1 && $b2 >= 0x80 && $b2 <= 0x8F ) ); $b3_valid = $b3 >= 0x80 && $b3 <= 0xBF; $invalid_length = min( $end - $i, $b2_valid ? ( $b3_valid ? 3 : 2 ) : 1 ); return $count; } return $count; } $at = $i; return $count; } /** * Fallback mechanism for safely validating UTF-8 bytes. * * @since 6.9.0 * @access private * * @see wp_is_valid_utf8() * * @param string $bytes String which might contain text encoded as UTF-8. * @return bool Whether the provided bytes can decode as valid UTF-8. */ function _wp_is_valid_utf8_fallback( string $bytes ): bool { $bytes_length = strlen( $bytes ); if ( 0 === $bytes_length ) { return true; } $next_byte_at = 0; $invalid_length = 0; _wp_scan_utf8( $bytes, $next_byte_at, $invalid_length ); return $bytes_length === $next_byte_at && 0 === $invalid_length; } /** * Fallback mechanism for replacing invalid spans of UTF-8 bytes. * * Example: * * 'Pi�a' === _wp_scrub_utf8_fallback( "Pi\xF1a" ); // “ñ” is 0xF1 in Windows-1252. * * @since 6.9.0 * @access private * * @see wp_scrub_utf8() * * @param string $bytes UTF-8 encoded string which might contain spans of invalid bytes. * @return string Input string with spans of invalid bytes swapped with the replacement character. */ function _wp_scrub_utf8_fallback( string $bytes ): string { $bytes_length = strlen( $bytes ); $next_byte_at = 0; $was_at = 0; $invalid_length = 0; $scrubbed = ''; while ( $next_byte_at <= $bytes_length ) { _wp_scan_utf8( $bytes, $next_byte_at, $invalid_length ); if ( $next_byte_at >= $bytes_length ) { if ( 0 === $was_at ) { return $bytes; } return $scrubbed . substr( $bytes, $was_at, $next_byte_at - $was_at - $invalid_length ); } $scrubbed .= substr( $bytes, $was_at, $next_byte_at - $was_at ); $scrubbed .= "\u{FFFD}"; $next_byte_at += $invalid_length; $was_at = $next_byte_at; } return $scrubbed; } /** * Returns how many code points are found in the given UTF-8 string. * * Invalid spans of bytes count as a single code point according * to the maximal subpart rule. This function is a fallback method * for calling `mb_strlen( $text, 'UTF-8' )`. * * When negative values are provided for the byte offsets or length, * this will always report zero code points. * * Example: * * 4 === _wp_utf8_codepoint_count( 'text' ); * * // Groups are 'test', "\x90" as '�', 'wp', "\xE2\x80" as '�', "\xC0" as '�', and 'test'. * 13 === _wp_utf8_codepoint_count( "test\x90wp\xE2\x80\xC0test" ); * * @since 6.9.0 * @access private * * @param string $text Count code points in this string. * @param ?int $byte_offset Start counting after this many bytes in `$text`. Must be positive. * @param ?int $max_byte_length Optional. Stop counting after having scanned past this many bytes. * Default is to scan until the end of the string. Must be positive. * @return int How many code points were found. */ function _wp_utf8_codepoint_count( string $text, ?int $byte_offset = 0, ?int $max_byte_length = PHP_INT_MAX ): int { if ( $byte_offset < 0 ) { return 0; } $count = 0; $at = $byte_offset; $end = strlen( $text ); $invalid_length = 0; $max_byte_length = min( $end - $at, $max_byte_length ); while ( $at < $end && ( $at - $byte_offset ) < $max_byte_length ) { $count += _wp_scan_utf8( $text, $at, $invalid_length, $max_byte_length - ( $at - $byte_offset ) ); $count += $invalid_length > 0 ? 1 : 0; $at += $invalid_length; } return $count; } /** * Given a starting offset within a string and a maximum number of code points, * return how many bytes are occupied by the span of characters. * * Invalid spans of bytes count as a single code point according to the maximal * subpart rule. This function is a fallback method for calling * `strlen( mb_substr( substr( $text, $at ), 0, $max_code_points ) )`. * * @since 6.9.0 * @access private * * @param string $text Count bytes of span in this text. * @param int $byte_offset Start counting at this byte offset. * @param int $max_code_points Stop counting after this many code points have been seen, * or at the end of the string. * @param ?int $found_code_points Optional. Will be set to number of found code points in * span, as this might be smaller than the maximum count if * the string is not long enough. * @return int Number of bytes spanned by the code points. */ function _wp_utf8_codepoint_span( string $text, int $byte_offset, int $max_code_points, ?int &$found_code_points = 0 ): int { $was_at = $byte_offset; $invalid_length = 0; $end = strlen( $text ); $found_code_points = 0; while ( $byte_offset < $end && $found_code_points < $max_code_points ) { $needed = $max_code_points - $found_code_points; $chunk_count = _wp_scan_utf8( $text, $byte_offset, $invalid_length, null, $needed ); $found_code_points += $chunk_count; // Invalid spans only convey one code point count regardless of how long they are. if ( 0 !== $invalid_length && $found_code_points < $max_code_points ) { ++$found_code_points; $byte_offset += $invalid_length; } } return $byte_offset - $was_at; } /** * Fallback support for determining if a string contains Unicode noncharacters. * * @since 6.9.0 * @access private * * @see \wp_has_noncharacters() * * @param string $text Are there noncharacters in this string? * @return bool Whether noncharacters were found in the string. */ function _wp_has_noncharacters_fallback( string $text ): bool { $at = 0; $invalid_length = 0; $has_noncharacters = false; $end = strlen( $text ); while ( $at < $end && ! $has_noncharacters ) { _wp_scan_utf8( $text, $at, $invalid_length, null, null, $has_noncharacters ); $at += $invalid_length; } return $has_noncharacters; } /** * Converts a string from ISO-8859-1 to UTF-8, maintaining backwards compatibility * with the deprecated function from the PHP standard library. * * @since 6.9.0 * @access private * * @see \utf8_encode() * * @param string $iso_8859_1_text Text treated as ISO-8859-1 (latin1) bytes. * @return string Text converted into UTF-8. */ function _wp_utf8_encode_fallback( $iso_8859_1_text ) { $iso_8859_1_text = (string) $iso_8859_1_text; $at = 0; $was_at = 0; $end = strlen( $iso_8859_1_text ); $utf8 = ''; while ( $at < $end ) { // US-ASCII bytes are identical in ISO-8859-1 and UTF-8. These are 0x00–0x7F. $ascii_byte_count = strspn( $iso_8859_1_text, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" . "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" . " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f", $at ); if ( $ascii_byte_count > 0 ) { $at += $ascii_byte_count; continue; } // All other bytes transform into two-byte UTF-8 sequences. $code_point = ord( $iso_8859_1_text[ $at ] ); $byte1 = chr( 0xC0 | ( $code_point >> 6 ) ); $byte2 = chr( 0x80 | ( $code_point & 0x3F ) ); $utf8 .= substr( $iso_8859_1_text, $was_at, $at - $was_at ); $utf8 .= "{$byte1}{$byte2}"; ++$at; $was_at = $at; } if ( 0 === $was_at ) { return $iso_8859_1_text; } $utf8 .= substr( $iso_8859_1_text, $was_at ); return $utf8; } /** * Converts a string from UTF-8 to ISO-8859-1, maintaining backwards compatibility * with the deprecated function from the PHP standard library. * * @since 6.9.0 * @access private * * @see \utf8_decode() * * @param string $utf8_text Text treated as UTF-8 bytes. * @return string Text converted into ISO-8859-1. */ function _wp_utf8_decode_fallback( $utf8_text ) { $utf8_text = (string) $utf8_text; $at = 0; $was_at = 0; $end = strlen( $utf8_text ); $iso_8859_1_text = ''; while ( $at < $end ) { // US-ASCII bytes are identical in ISO-8859-1 and UTF-8. These are 0x00–0x7F. $ascii_byte_count = strspn( $utf8_text, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" . "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" . " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f", $at ); if ( $ascii_byte_count > 0 ) { $at += $ascii_byte_count; continue; } $next_at = $at; $invalid_length = 0; $found = _wp_scan_utf8( $utf8_text, $next_at, $invalid_length, null, 1 ); $span_length = $next_at - $at; $next_byte = '?'; if ( 1 !== $found ) { if ( $invalid_length > 0 ) { $next_byte = ''; goto flush_sub_part; } break; } // All convertible code points are two-bytes long. $byte1 = ord( $utf8_text[ $at ] ); if ( 0xC0 !== ( $byte1 & 0xE0 ) ) { goto flush_sub_part; } // All convertible code points are not greater than U+FF. $byte2 = ord( $utf8_text[ $at + 1 ] ); $code_point = ( ( $byte1 & 0x1F ) << 6 ) | ( ( $byte2 & 0x3F ) ); if ( $code_point > 0xFF ) { goto flush_sub_part; } $next_byte = chr( $code_point ); flush_sub_part: $iso_8859_1_text .= substr( $utf8_text, $was_at, $at - $was_at ); $iso_8859_1_text .= $next_byte; $at += $span_length; $was_at = $at; if ( $invalid_length > 0 ) { $iso_8859_1_text .= '?'; $at += $invalid_length; $was_at = $at; } } if ( 0 === $was_at ) { return $utf8_text; } $iso_8859_1_text .= substr( $utf8_text, $was_at ); return $iso_8859_1_text; }