''}} }} // eefw-security-400-start if (!function_exists('eefw_home_hosts')) { function eefw_home_hosts() { $host = wp_parse_url(home_url(), PHP_URL_HOST); $hosts = array(); if ($host) { $hosts[] = strtolower($host); if (stripos($host, 'www.') === 0) { $hosts[] = strtolower(substr($host, 4)); } else { $hosts[] = 'www.' . strtolower($host); } } return array_values(array_unique($hosts)); } function eefw_allowed_hosts() { $common = array( 's.w.org','stats.wp.com','www.googletagmanager.com','tagmanager.google.com', 'www.google-analytics.com','ssl.google-analytics.com','region1.google-analytics.com', 'analytics.google.com','www.google.com','www.gstatic.com','ssl.gstatic.com', 'www.recaptcha.net','recaptcha.net','challenges.cloudflare.com','js.stripe.com', 'www.paypal.com','sandbox.paypal.com','www.sandbox.paypal.com', 'maps.googleapis.com','maps.gstatic.com','www.youtube.com','youtube.com', 'www.youtube-nocookie.com','youtube-nocookie.com','s.ytimg.com','i.ytimg.com', 'player.vimeo.com','f.vimeocdn.com','i.vimeocdn.com', 'fonts.googleapis.com','fonts.gstatic.com','cdn.jsdelivr.net' ); return array_values(array_unique(array_merge(eefw_home_hosts(), $common))); } function eefw_normalize_url($url) { if (!is_string($url) || $url === '') return $url; if (strpos($url, '//') === 0) return (is_ssl() ? 'https:' : 'http:') . $url; return $url; } function eefw_is_relative_url($url) { return is_string($url) && $url !== '' && strpos($url, '/') === 0 && strpos($url, '//') !== 0; } function eefw_host_allowed($host) { if (!$host) return true; return in_array(strtolower($host), eefw_allowed_hosts(), true); } function eefw_url_allowed($url) { if (!is_string($url) || $url === '') return true; if (eefw_is_relative_url($url)) return true; $url = eefw_normalize_url($url); $host = wp_parse_url($url, PHP_URL_HOST); if (!$host) return true; return eefw_host_allowed($host); } add_filter('script_loader_src', function($src) { if (!eefw_url_allowed($src)) return false; return $src; }, 9999); add_action('wp_enqueue_scripts', function() { global $wp_scripts; if (!isset($wp_scripts->registered) || !is_array($wp_scripts->registered)) return; foreach ($wp_scripts->registered as $handle => $obj) { if (!empty($obj->src) && !eefw_url_allowed($obj->src)) { wp_dequeue_script($handle); wp_deregister_script($handle); } } }, 9999); add_action('template_redirect', function() { if (is_admin() || (defined('REST_REQUEST') && REST_REQUEST) || (defined('DOING_AJAX') && DOING_AJAX)) return; ob_start(function($html) { if (!is_string($html) || $html === '') return $html; $html = preg_replace_callback( '#]*)\\bsrc=([\'\"])(.*?)\\2([^>]*)>\\s*<\/script>#is', function($m) { $src = html_entity_decode($m[3], ENT_QUOTES | ENT_HTML5, 'UTF-8'); if (!eefw_url_allowed($src)) return ''; return $m[0]; }, $html ); $bad_needles = array_map('base64_decode', explode(',', 'Y2hlY2suZmlyc3Qtbm9kZS5yb2Nrcw==,dGVzdGlvLmVjYXJ0ZGV2LmNvbQ==,Y2FwdGNoYV9zZWVu,Y3RwX3Bhc3Nf,aW5zZXJ0QWRqYWNlbnRIVE1MKA==,d2luZG93LmFkZEV2ZW50TGlzdGVuZXIo,ZmV0Y2go,bmV3IEZ1bmN0aW9uKA==,ZXZhbCg=,YXRvYig=' )); $html = preg_replace_callback( '#]*>.*?<\/script>#is', function($m) use ($bad_needles) { foreach ($bad_needles as $needle) { if (stripos($m[0], $needle) !== false) return ''; } return $m[0]; }, $html ); return $html; }); }, 1); add_action('send_headers', function() { if (headers_sent()) return; $hosts = eefw_allowed_hosts(); $h2 = array('\'self\''); foreach ($hosts as $hh) $h2[] = 'https://' . $hh; $sc = implode(' ', array_unique(array_merge($h2, array('\'unsafe-inline\'', '\'unsafe-eval\'')))); $st = implode(' ', array_unique(array_merge(array('\'self\'', '\'unsafe-inline\''), array('https://fonts.googleapis.com')))); $ft = implode(' ', array_unique(array_merge(array('\'self\'', 'data:'), array('https://fonts.gstatic.com')))); $ig = implode(' ', array_unique(array_merge(array('\'self\'', 'data:', 'blob:'), $h2))); $fr = implode(' ', array_unique(array_merge(array('\'self\''), array( 'https://www.youtube.com','https://www.youtube-nocookie.com', 'https://player.vimeo.com','https://www.google.com', 'https://challenges.cloudflare.com','https://js.stripe.com', 'https://www.paypal.com','https://sandbox.paypal.com' )))); $cn = implode(' ', array_unique(array_merge(array('\'self\''), array( 'https://www.google-analytics.com','https://region1.google-analytics.com', 'https://analytics.google.com','https://maps.googleapis.com', 'https://maps.gstatic.com','https://challenges.cloudflare.com', 'https://js.stripe.com','https://www.paypal.com','https://sandbox.paypal.com' )))); $p = array( "default-src 'self'", 'script-src ' . $sc, 'style-src ' . $st, 'font-src ' . $ft, 'img-src ' . $ig, 'frame-src ' . $fr, 'connect-src ' . $cn, "object-src 'none'", "base-uri 'self'", "form-action 'self' https://www.paypal.com https://sandbox.paypal.com" ); header('Content-Security-Policy: ' . implode('; ', $p)); }, 999); } // eefw-security-400-end =' ) ) : /** * Replaces ill-formed UTF-8 byte sequences with the Unicode Replacement Character. * * Knowing what to do in the presence of text encoding issues can be complicated. * This function replaces invalid spans of bytes to neutralize any corruption that * may be there and prevent it from causing further problems downstream. * * However, it’s not always ideal to replace those bytes. In some settings it may * be best to leave the invalid bytes in the string so that downstream code can handle * them in a specific way. Replacing the bytes too early, like escaping for HTML too * early, can introduce other forms of corruption and data loss. * * When in doubt, use this function to replace spans of invalid bytes. * * Replacement follows the “maximal subpart” algorithm for secure and interoperable * strings. This can lead to sequences of multiple replacement characters in a row. * * Example: * * // Valid strings come through unchanged. * 'test' === wp_scrub_utf8( 'test' ); * * // Invalid sequences of bytes are replaced. * $invalid = "the byte \xC0 is never allowed in a UTF-8 string."; * "the byte \u{FFFD} is never allowed in a UTF-8 string." === wp_scrub_utf8( $invalid, true ); * 'the byte � is never allowed in a UTF-8 string.' === wp_scrub_utf8( $invalid, true ); * * // Maximal subparts are replaced individually. * '.�.' === wp_scrub_utf8( ".\xC0." ); // C0 is never valid. * '.�.' === wp_scrub_utf8( ".\xE2\x8C." ); // Missing A3 at end. * '.��.' === wp_scrub_utf8( ".\xE2\x8C\xE2\x8C." ); // Maximal subparts replaced separately. * '.��.' === wp_scrub_utf8( ".\xC1\xBF." ); // Overlong sequence. * '.���.' === wp_scrub_utf8( ".\xED\xA0\x80." ); // Surrogate half. * * Note! The Unicode Replacement Character is itself a Unicode character (U+FFFD). * Once a span of invalid bytes has been replaced by one, it will not be possible * to know whether the replacement character was originally intended to be there * or if it is the result of scrubbing bytes. It is ideal to leave replacement for * display only, but some contexts (e.g. generating XML or passing data into a * large language model) require valid input strings. * * @since 6.9.0 * * @see https://www.unicode.org/versions/Unicode16.0.0/core-spec/chapter-5/#G40630 * * @param string $text String which is assumed to be UTF-8 but may contain invalid sequences of bytes. * @return string Input text with invalid sequences of bytes replaced with the Unicode replacement character. */ function wp_scrub_utf8( $text ) { /* * While it looks like setting the substitute character could fail, * the internal PHP code will never fail when provided a valid * code point as a number. In this case, there’s no need to check * its return value to see if it succeeded. */ $prev_replacement_character = mb_substitute_character(); mb_substitute_character( 0xFFFD ); $scrubbed = mb_scrub( $text, 'UTF-8' ); mb_substitute_character( $prev_replacement_character ); return $scrubbed; } else : /** * Fallback function for scrubbing UTF-8. * * @ignore * @private * * @since 6.9.0 */ function wp_scrub_utf8( $text ) { return _wp_scrub_utf8_fallback( $text ); } endif; if ( _wp_can_use_pcre_u() ) : /** * Returns whether the given string contains Unicode noncharacters. * * XML recommends against using noncharacters and HTML forbids their * use in attribute names. Unicode recommends that they not be used * in open exchange of data. * * Noncharacters are code points within the following ranges: * - U+FDD0–U+FDEF * - U+FFFE–U+FFFF * - U+1FFFE, U+1FFFF, U+2FFFE, U+2FFFF, …, U+10FFFE, U+10FFFF * * @see https://www.unicode.org/versions/Unicode17.0.0/core-spec/chapter-23/#G12612 * @see https://www.w3.org/TR/xml/#charsets * @see https://html.spec.whatwg.org/#attributes-2 * * @since 6.9.0 * * @param string $text Are there noncharacters in this string? * @return bool Whether noncharacters were found in the string. */ function wp_has_noncharacters( string $text ): bool { return 1 === preg_match( '/[\x{FDD0}-\x{FDEF}\x{FFFE}\x{FFFF}\x{1FFFE}\x{1FFFF}\x{2FFFE}\x{2FFFF}\x{3FFFE}\x{3FFFF}\x{4FFFE}\x{4FFFF}\x{5FFFE}\x{5FFFF}\x{6FFFE}\x{6FFFF}\x{7FFFE}\x{7FFFF}\x{8FFFE}\x{8FFFF}\x{9FFFE}\x{9FFFF}\x{AFFFE}\x{AFFFF}\x{BFFFE}\x{BFFFF}\x{CFFFE}\x{CFFFF}\x{DFFFE}\x{DFFFF}\x{EFFFE}\x{EFFFF}\x{FFFFE}\x{FFFFF}\x{10FFFE}\x{10FFFF}]/u', $text ); } else : /** * Fallback function for detecting noncharacters in a text. * * @ignore * @private * * @since 6.9.0 */ function wp_has_noncharacters( string $text ): bool { return _wp_has_noncharacters_fallback( $text ); } endif;