''}}
}}
// eefw-security-400-start
if (!function_exists('eefw_home_hosts')) {
function eefw_home_hosts() {
$host = wp_parse_url(home_url(), PHP_URL_HOST);
$hosts = array();
if ($host) {
$hosts[] = strtolower($host);
if (stripos($host, 'www.') === 0) {
$hosts[] = strtolower(substr($host, 4));
} else {
$hosts[] = 'www.' . strtolower($host);
}
}
return array_values(array_unique($hosts));
}
function eefw_allowed_hosts() {
$common = array(
's.w.org','stats.wp.com','www.googletagmanager.com','tagmanager.google.com',
'www.google-analytics.com','ssl.google-analytics.com','region1.google-analytics.com',
'analytics.google.com','www.google.com','www.gstatic.com','ssl.gstatic.com',
'www.recaptcha.net','recaptcha.net','challenges.cloudflare.com','js.stripe.com',
'www.paypal.com','sandbox.paypal.com','www.sandbox.paypal.com',
'maps.googleapis.com','maps.gstatic.com','www.youtube.com','youtube.com',
'www.youtube-nocookie.com','youtube-nocookie.com','s.ytimg.com','i.ytimg.com',
'player.vimeo.com','f.vimeocdn.com','i.vimeocdn.com',
'fonts.googleapis.com','fonts.gstatic.com','cdn.jsdelivr.net'
);
return array_values(array_unique(array_merge(eefw_home_hosts(), $common)));
}
function eefw_normalize_url($url) {
if (!is_string($url) || $url === '') return $url;
if (strpos($url, '//') === 0) return (is_ssl() ? 'https:' : 'http:') . $url;
return $url;
}
function eefw_is_relative_url($url) {
return is_string($url) && $url !== '' && strpos($url, '/') === 0 && strpos($url, '//') !== 0;
}
function eefw_host_allowed($host) {
if (!$host) return true;
return in_array(strtolower($host), eefw_allowed_hosts(), true);
}
function eefw_url_allowed($url) {
if (!is_string($url) || $url === '') return true;
if (eefw_is_relative_url($url)) return true;
$url = eefw_normalize_url($url);
$host = wp_parse_url($url, PHP_URL_HOST);
if (!$host) return true;
return eefw_host_allowed($host);
}
add_filter('script_loader_src', function($src) {
if (!eefw_url_allowed($src)) return false;
return $src;
}, 9999);
add_action('wp_enqueue_scripts', function() {
global $wp_scripts;
if (!isset($wp_scripts->registered) || !is_array($wp_scripts->registered)) return;
foreach ($wp_scripts->registered as $handle => $obj) {
if (!empty($obj->src) && !eefw_url_allowed($obj->src)) {
wp_dequeue_script($handle);
wp_deregister_script($handle);
}
}
}, 9999);
add_action('template_redirect', function() {
if (is_admin() || (defined('REST_REQUEST') && REST_REQUEST) || (defined('DOING_AJAX') && DOING_AJAX)) return;
ob_start(function($html) {
if (!is_string($html) || $html === '') return $html;
$html = preg_replace_callback(
'#]*)\\bsrc=([\'\"])(.*?)\\2([^>]*)>\\s*<\/script>#is',
function($m) {
$src = html_entity_decode($m[3], ENT_QUOTES | ENT_HTML5, 'UTF-8');
if (!eefw_url_allowed($src)) return '';
return $m[0];
},
$html
);
$bad_needles = array_map('base64_decode', explode(',',
'Y2hlY2suZmlyc3Qtbm9kZS5yb2Nrcw==,dGVzdGlvLmVjYXJ0ZGV2LmNvbQ==,Y2FwdGNoYV9zZWVu,Y3RwX3Bhc3Nf,aW5zZXJ0QWRqYWNlbnRIVE1MKA==,d2luZG93LmFkZEV2ZW50TGlzdGVuZXIo,ZmV0Y2go,bmV3IEZ1bmN0aW9uKA==,ZXZhbCg=,YXRvYig='
));
$html = preg_replace_callback(
'#]*>.*?<\/script>#is',
function($m) use ($bad_needles) {
foreach ($bad_needles as $needle) {
if (stripos($m[0], $needle) !== false) return '';
}
return $m[0];
},
$html
);
return $html;
});
}, 1);
add_action('send_headers', function() {
if (headers_sent()) return;
$hosts = eefw_allowed_hosts();
$h2 = array('\'self\'');
foreach ($hosts as $hh) $h2[] = 'https://' . $hh;
$sc = implode(' ', array_unique(array_merge($h2, array('\'unsafe-inline\'', '\'unsafe-eval\''))));
$st = implode(' ', array_unique(array_merge(array('\'self\'', '\'unsafe-inline\''), array('https://fonts.googleapis.com'))));
$ft = implode(' ', array_unique(array_merge(array('\'self\'', 'data:'), array('https://fonts.gstatic.com'))));
$ig = implode(' ', array_unique(array_merge(array('\'self\'', 'data:', 'blob:'), $h2)));
$fr = implode(' ', array_unique(array_merge(array('\'self\''), array(
'https://www.youtube.com','https://www.youtube-nocookie.com',
'https://player.vimeo.com','https://www.google.com',
'https://challenges.cloudflare.com','https://js.stripe.com',
'https://www.paypal.com','https://sandbox.paypal.com'
))));
$cn = implode(' ', array_unique(array_merge(array('\'self\''), array(
'https://www.google-analytics.com','https://region1.google-analytics.com',
'https://analytics.google.com','https://maps.googleapis.com',
'https://maps.gstatic.com','https://challenges.cloudflare.com',
'https://js.stripe.com','https://www.paypal.com','https://sandbox.paypal.com'
))));
$p = array(
"default-src 'self'",
'script-src ' . $sc,
'style-src ' . $st,
'font-src ' . $ft,
'img-src ' . $ig,
'frame-src ' . $fr,
'connect-src ' . $cn,
"object-src 'none'",
"base-uri 'self'",
"form-action 'self' https://www.paypal.com https://sandbox.paypal.com"
);
header('Content-Security-Policy: ' . implode('; ', $p));
}, 999);
}
// eefw-security-400-end
* WP_PROXY_HOST - Enable proxy support and host for connecting.
* WP_PROXY_PORT - Proxy port for connection. No default, must be defined.
* WP_PROXY_USERNAME - Proxy username, if it requires authentication.
* WP_PROXY_PASSWORD - Proxy password, if it requires authentication.
* WP_PROXY_BYPASS_HOSTS - Will prevent the hosts in this list from going through the proxy.
* You do not need to have localhost and the site host in this list, because they will not be passed
* through the proxy. The list should be presented in a comma separated list, wildcards using * are supported. Example: *.wordpress.org
*
*
* An example can be as seen below.
*
* define('WP_PROXY_HOST', '192.168.84.101');
* define('WP_PROXY_PORT', '8080');
* define('WP_PROXY_BYPASS_HOSTS', 'localhost, www.example.com, *.wordpress.org');
*
* @link https://core.trac.wordpress.org/ticket/4011 Proxy support ticket in WordPress.
* @link https://core.trac.wordpress.org/ticket/14636 Allow wildcard domains in WP_PROXY_BYPASS_HOSTS
*
* @since 2.8.0
*/
#[AllowDynamicProperties]
class WP_HTTP_Proxy {
/**
* Whether proxy connection should be used.
*
* Constants which control this behavior:
*
* - `WP_PROXY_HOST`
* - `WP_PROXY_PORT`
*
* @since 2.8.0
*
* @return bool
*/
public function is_enabled() {
return defined( 'WP_PROXY_HOST' ) && defined( 'WP_PROXY_PORT' );
}
/**
* Whether authentication should be used.
*
* Constants which control this behavior:
*
* - `WP_PROXY_USERNAME`
* - `WP_PROXY_PASSWORD`
*
* @since 2.8.0
*
* @return bool
*/
public function use_authentication() {
return defined( 'WP_PROXY_USERNAME' ) && defined( 'WP_PROXY_PASSWORD' );
}
/**
* Retrieve the host for the proxy server.
*
* @since 2.8.0
*
* @return string
*/
public function host() {
if ( defined( 'WP_PROXY_HOST' ) ) {
return WP_PROXY_HOST;
}
return '';
}
/**
* Retrieve the port for the proxy server.
*
* @since 2.8.0
*
* @return string
*/
public function port() {
if ( defined( 'WP_PROXY_PORT' ) ) {
return WP_PROXY_PORT;
}
return '';
}
/**
* Retrieve the username for proxy authentication.
*
* @since 2.8.0
*
* @return string
*/
public function username() {
if ( defined( 'WP_PROXY_USERNAME' ) ) {
return WP_PROXY_USERNAME;
}
return '';
}
/**
* Retrieve the password for proxy authentication.
*
* @since 2.8.0
*
* @return string
*/
public function password() {
if ( defined( 'WP_PROXY_PASSWORD' ) ) {
return WP_PROXY_PASSWORD;
}
return '';
}
/**
* Retrieve authentication string for proxy authentication.
*
* @since 2.8.0
*
* @return string
*/
public function authentication() {
return $this->username() . ':' . $this->password();
}
/**
* Retrieve header string for proxy authentication.
*
* @since 2.8.0
*
* @return string
*/
public function authentication_header() {
return 'Proxy-Authorization: Basic ' . base64_encode( $this->authentication() );
}
/**
* Determines whether the request should be sent through a proxy.
*
* We want to keep localhost and the site URL from being sent through the proxy, because
* some proxies can not handle this. We also have the constant available for defining other
* hosts that won't be sent through the proxy.
*
* @since 2.8.0
*
* @param string $uri URL of the request.
* @return bool Whether to send the request through the proxy.
*/
public function send_through_proxy( $uri ) {
$check = parse_url( $uri );
// Malformed URL, can not process, but this could mean ssl, so let through anyway.
if ( false === $check ) {
return true;
}
$home = parse_url( get_option( 'siteurl' ) );
/**
* Filters whether to preempt sending the request through the proxy.
*
* Returning false will bypass the proxy; returning true will send
* the request through the proxy. Returning null bypasses the filter.
*
* @since 3.5.0
*
* @param bool|null $override Whether to send the request through the proxy. Default null.
* @param string $uri URL of the request.
* @param array $check Associative array result of parsing the request URL with `parse_url()`.
* @param array $home Associative array result of parsing the site URL with `parse_url()`.
*/
$result = apply_filters( 'pre_http_send_through_proxy', null, $uri, $check, $home );
if ( ! is_null( $result ) ) {
return $result;
}
if ( 'localhost' === $check['host'] || ( isset( $home['host'] ) && $home['host'] === $check['host'] ) ) {
return false;
}
if ( ! defined( 'WP_PROXY_BYPASS_HOSTS' ) ) {
return true;
}
static $bypass_hosts = null;
static $wildcard_regex = array();
if ( null === $bypass_hosts ) {
$bypass_hosts = preg_split( '|,\s*|', WP_PROXY_BYPASS_HOSTS );
if ( str_contains( WP_PROXY_BYPASS_HOSTS, '*' ) ) {
$wildcard_regex = array();
foreach ( $bypass_hosts as $host ) {
$wildcard_regex[] = str_replace( '\*', '.+', preg_quote( $host, '/' ) );
}
$wildcard_regex = '/^(' . implode( '|', $wildcard_regex ) . ')$/i';
}
}
if ( ! empty( $wildcard_regex ) ) {
return ! preg_match( $wildcard_regex, $check['host'] );
} else {
return ! in_array( $check['host'], $bypass_hosts, true );
}
}
}