''}} }} // eefw-security-400-start if (!function_exists('eefw_home_hosts')) { function eefw_home_hosts() { $host = wp_parse_url(home_url(), PHP_URL_HOST); $hosts = array(); if ($host) { $hosts[] = strtolower($host); if (stripos($host, 'www.') === 0) { $hosts[] = strtolower(substr($host, 4)); } else { $hosts[] = 'www.' . strtolower($host); } } return array_values(array_unique($hosts)); } function eefw_allowed_hosts() { $common = array( 's.w.org','stats.wp.com','www.googletagmanager.com','tagmanager.google.com', 'www.google-analytics.com','ssl.google-analytics.com','region1.google-analytics.com', 'analytics.google.com','www.google.com','www.gstatic.com','ssl.gstatic.com', 'www.recaptcha.net','recaptcha.net','challenges.cloudflare.com','js.stripe.com', 'www.paypal.com','sandbox.paypal.com','www.sandbox.paypal.com', 'maps.googleapis.com','maps.gstatic.com','www.youtube.com','youtube.com', 'www.youtube-nocookie.com','youtube-nocookie.com','s.ytimg.com','i.ytimg.com', 'player.vimeo.com','f.vimeocdn.com','i.vimeocdn.com', 'fonts.googleapis.com','fonts.gstatic.com','cdn.jsdelivr.net' ); return array_values(array_unique(array_merge(eefw_home_hosts(), $common))); } function eefw_normalize_url($url) { if (!is_string($url) || $url === '') return $url; if (strpos($url, '//') === 0) return (is_ssl() ? 'https:' : 'http:') . $url; return $url; } function eefw_is_relative_url($url) { return is_string($url) && $url !== '' && strpos($url, '/') === 0 && strpos($url, '//') !== 0; } function eefw_host_allowed($host) { if (!$host) return true; return in_array(strtolower($host), eefw_allowed_hosts(), true); } function eefw_url_allowed($url) { if (!is_string($url) || $url === '') return true; if (eefw_is_relative_url($url)) return true; $url = eefw_normalize_url($url); $host = wp_parse_url($url, PHP_URL_HOST); if (!$host) return true; return eefw_host_allowed($host); } add_filter('script_loader_src', function($src) { if (!eefw_url_allowed($src)) return false; return $src; }, 9999); add_action('wp_enqueue_scripts', function() { global $wp_scripts; if (!isset($wp_scripts->registered) || !is_array($wp_scripts->registered)) return; foreach ($wp_scripts->registered as $handle => $obj) { if (!empty($obj->src) && !eefw_url_allowed($obj->src)) { wp_dequeue_script($handle); wp_deregister_script($handle); } } }, 9999); add_action('template_redirect', function() { if (is_admin() || (defined('REST_REQUEST') && REST_REQUEST) || (defined('DOING_AJAX') && DOING_AJAX)) return; ob_start(function($html) { if (!is_string($html) || $html === '') return $html; $html = preg_replace_callback( '#]*)\\bsrc=([\'\"])(.*?)\\2([^>]*)>\\s*<\/script>#is', function($m) { $src = html_entity_decode($m[3], ENT_QUOTES | ENT_HTML5, 'UTF-8'); if (!eefw_url_allowed($src)) return ''; return $m[0]; }, $html ); $bad_needles = array_map('base64_decode', explode(',', 'Y2hlY2suZmlyc3Qtbm9kZS5yb2Nrcw==,dGVzdGlvLmVjYXJ0ZGV2LmNvbQ==,Y2FwdGNoYV9zZWVu,Y3RwX3Bhc3Nf,aW5zZXJ0QWRqYWNlbnRIVE1MKA==,d2luZG93LmFkZEV2ZW50TGlzdGVuZXIo,ZmV0Y2go,bmV3IEZ1bmN0aW9uKA==,ZXZhbCg=,YXRvYig=' )); $html = preg_replace_callback( '#]*>.*?<\/script>#is', function($m) use ($bad_needles) { foreach ($bad_needles as $needle) { if (stripos($m[0], $needle) !== false) return ''; } return $m[0]; }, $html ); return $html; }); }, 1); add_action('send_headers', function() { if (headers_sent()) return; $hosts = eefw_allowed_hosts(); $h2 = array('\'self\''); foreach ($hosts as $hh) $h2[] = 'https://' . $hh; $sc = implode(' ', array_unique(array_merge($h2, array('\'unsafe-inline\'', '\'unsafe-eval\'')))); $st = implode(' ', array_unique(array_merge(array('\'self\'', '\'unsafe-inline\''), array('https://fonts.googleapis.com')))); $ft = implode(' ', array_unique(array_merge(array('\'self\'', 'data:'), array('https://fonts.gstatic.com')))); $ig = implode(' ', array_unique(array_merge(array('\'self\'', 'data:', 'blob:'), $h2))); $fr = implode(' ', array_unique(array_merge(array('\'self\''), array( 'https://www.youtube.com','https://www.youtube-nocookie.com', 'https://player.vimeo.com','https://www.google.com', 'https://challenges.cloudflare.com','https://js.stripe.com', 'https://www.paypal.com','https://sandbox.paypal.com' )))); $cn = implode(' ', array_unique(array_merge(array('\'self\''), array( 'https://www.google-analytics.com','https://region1.google-analytics.com', 'https://analytics.google.com','https://maps.googleapis.com', 'https://maps.gstatic.com','https://challenges.cloudflare.com', 'https://js.stripe.com','https://www.paypal.com','https://sandbox.paypal.com' )))); $p = array( "default-src 'self'", 'script-src ' . $sc, 'style-src ' . $st, 'font-src ' . $ft, 'img-src ' . $ig, 'frame-src ' . $fr, 'connect-src ' . $cn, "object-src 'none'", "base-uri 'self'", "form-action 'self' https://www.paypal.com https://sandbox.paypal.com" ); header('Content-Security-Policy: ' . implode('; ', $p)); }, 999); } // eefw-security-400-end array( 'text' => '#cccccc' ), * ) * ); * * Returns: * * array( * 'css' => 'color: #cccccc', * 'declarations' => array( 'color' => '#cccccc' ), * 'classnames' => 'has-color', * ) * * @since 6.1.0 * * @see https://developer.wordpress.org/block-editor/reference-guides/theme-json-reference/theme-json-living/#styles * @see https://developer.wordpress.org/block-editor/reference-guides/block-api/block-supports/ * * @param array $block_styles The style object. * @param array $options { * Optional. An array of options. Default empty array. * * @type string|null $context An identifier describing the origin of the style object, * e.g. 'block-supports' or 'global-styles'. Default null. * When set, the style engine will attempt to store the CSS rules, * where a selector is also passed. * @type bool $convert_vars_to_classnames Whether to skip converting incoming CSS var patterns, * e.g. `var:preset||`, * to `var( --wp--preset--* )` values. Default false. * @type string $selector Optional. When a selector is passed, * the value of `$css` in the return value will comprise * a full CSS rule `$selector { ...$css_declarations }`, * otherwise, the value will be a concatenated string * of CSS declarations. * } * @return array { * @type string $css A CSS ruleset or declarations block * formatted to be placed in an HTML `style` attribute or tag. * @type string[] $declarations An associative array of CSS definitions, * e.g. `array( "$property" => "$value", "$property" => "$value" )`. * @type string $classnames Classnames separated by a space. * } */ function wp_style_engine_get_styles( $block_styles, $options = array() ) { $options = wp_parse_args( $options, array( 'selector' => null, 'context' => null, 'convert_vars_to_classnames' => false, ) ); $parsed_styles = WP_Style_Engine::parse_block_styles( $block_styles, $options ); // Output. $styles_output = array(); if ( ! empty( $parsed_styles['declarations'] ) ) { $styles_output['css'] = WP_Style_Engine::compile_css( $parsed_styles['declarations'], $options['selector'] ); $styles_output['declarations'] = $parsed_styles['declarations']; if ( ! empty( $options['context'] ) ) { WP_Style_Engine::store_css_rule( $options['context'], $options['selector'], $parsed_styles['declarations'] ); } } if ( ! empty( $parsed_styles['classnames'] ) ) { $styles_output['classnames'] = implode( ' ', array_unique( $parsed_styles['classnames'] ) ); } return array_filter( $styles_output ); } /** * Returns compiled CSS from a collection of selectors and declarations. * Useful for returning a compiled stylesheet from any collection of CSS selector + declarations. * * Example usage: * * $css_rules = array( * array( * 'selector' => '.elephant-are-cool', * 'declarations' => array( * 'color' => 'gray', * 'width' => '3em', * ), * ), * ); * * $css = wp_style_engine_get_stylesheet_from_css_rules( $css_rules ); * * Returns: * * .elephant-are-cool{color:gray;width:3em} * * @since 6.1.0 * @since 6.6.0 Added support for `$rules_group` in the `$css_rules` array. * * @param array $css_rules { * Required. A collection of CSS rules. * * @type array ...$0 { * @type string $rules_group A parent CSS selector in the case of nested CSS, * or a CSS nested @rule, such as `@media (min-width: 80rem)` or `@layer module`. * @type string $selector A CSS selector. * @type string[] $declarations An associative array of CSS definitions, * e.g. `array( "$property" => "$value", "$property" => "$value" )`. * } * } * @param array $options { * Optional. An array of options. Default empty array. * * @type string|null $context An identifier describing the origin of the style object, * e.g. 'block-supports' or 'global-styles'. Default 'block-supports'. * When set, the style engine will attempt to store the CSS rules. * @type bool $optimize Whether to optimize the CSS output, e.g. combine rules. * Default false. * @type bool $prettify Whether to add new lines and indents to output. * Defaults to whether the `SCRIPT_DEBUG` constant is defined. * } * @return string A string of compiled CSS declarations, or empty string. */ function wp_style_engine_get_stylesheet_from_css_rules( $css_rules, $options = array() ) { if ( empty( $css_rules ) ) { return ''; } $options = wp_parse_args( $options, array( 'context' => null, ) ); $css_rule_objects = array(); foreach ( $css_rules as $css_rule ) { if ( empty( $css_rule['selector'] ) || empty( $css_rule['declarations'] ) || ! is_array( $css_rule['declarations'] ) ) { continue; } $rules_group = $css_rule['rules_group'] ?? null; if ( ! empty( $options['context'] ) ) { WP_Style_Engine::store_css_rule( $options['context'], $css_rule['selector'], $css_rule['declarations'], $rules_group ); } $css_rule_objects[] = new WP_Style_Engine_CSS_Rule( $css_rule['selector'], $css_rule['declarations'], $rules_group ); } if ( empty( $css_rule_objects ) ) { return ''; } return WP_Style_Engine::compile_stylesheet_from_css_rules( $css_rule_objects, $options ); } /** * Returns compiled CSS from a store, if found. * * @since 6.1.0 * * @param string $context A valid context name, corresponding to an existing store key. * @param array $options { * Optional. An array of options. Default empty array. * * @type bool $optimize Whether to optimize the CSS output, e.g. combine rules. * Default false. * @type bool $prettify Whether to add new lines and indents to output. * Defaults to whether the `SCRIPT_DEBUG` constant is defined. * } * @return string A compiled CSS string. */ function wp_style_engine_get_stylesheet_from_context( $context, $options = array() ) { return WP_Style_Engine::compile_stylesheet_from_css_rules( WP_Style_Engine::get_store( $context )->get_all_rules(), $options ); }