Context Navigation

Changeset 2903008

Timestamp:

04/23/2023 06:52:12 PM (3 years ago)

Author:

futtta

Message:

preparing 3.1.7

Location:

autoptimize/trunk

Files:

-                      r2878905
+                      r2903008
  * Plugin URI: https://autoptimize.com/pro/
  * Description: Makes your site faster by optimizing CSS, JS, Images, Google fonts and more.
  * Version: 3.1.6
+ * Version: 3.1.7
  * Author: Frank Goossens (futtta)
  * Author URI: https://autoptimize.com/pro/
 …
+}
 define( 'AUTOPTIMIZE_PLUGIN_VERSION', '3.1.6' );
+define( 'AUTOPTIMIZE_PLUGIN_VERSION', '3.1.7' );
 // plugin_dir_path() returns the trailing slash!

r2878905	r2903008
430	430	}
431	431	// translators: Kilobytes + timestamp shown.
432		printf( __( '%1$s files, totalling %2$s (calculated at %3$s)', 'autoptimize' ), $ao_stat_arr[0], $ao_cache_size, ~~date( 'H:i e~~', $ao_stat_arr[2] ) ); // phpcs:ignore WordPress.DateTime.RestrictedFunctions.date_date
	432	printf( __( '%1$s files, totalling %2$s (calculated at %3$s)', 'autoptimize' ), $ao_stat_arr[0], $ao_cache_size, wp_date( 'H:i', $ao_stat_arr[2] ) ); // phpcs:ignore WordPress.DateTime.RestrictedFunctions.date_date
433	433	}
434	434	?>

-                      r2882657
+                      r2903008
      */
     protected $criticalcss;
     public function __construct() {
         $this->criticalcss = autoptimize()->criticalcss();
 …
                             continue;
                         } else {
                             update_option( 'autoptimize_ccss_' . $ccss_setting, $settings['ccss'][ $ccss_setting ] );
+                            update_option( 'autoptimize_ccss_' . $ccss_setting, autoptimizeUtils::strip_tags_array( $settings['ccss'][ $ccss_setting ] ) );
+                        }
+                    }

-                      r2801903
+                      r2903008
         return apply_filters( 'autoptimize_filter_utils_is_local_server', $_is_local_server );
+    }
+    public static function strip_tags_array( $array ) {
+        // strip all tags in an array (use case: avoid XSS in CCSS rules both when importing and when outputting).
+        // based on https://stackoverflow.com/a/44732196/237449 but heavily tweaked.
+        if ( is_array( $array ) ) {
+            $result = array();
+            foreach ( $array as $key => $value ){
+                if ( is_array( $value ) ) {
+                    $result[$key] = autoptimizeUtils::strip_tags_array( $value );
+                } else if ( is_string( $value ) ) {
+                    $result[$key] = wp_strip_all_tags( $value );
+                } else {
+                    $result[$key] = $value;
+                }
+            }
+        } else {
+            $result = wp_strip_all_tags( $array );
+        }
+        return $result;
+    }
+}

r2786932	r2903008
231	231	}
232	232	}
	233
	234	$rules = autoptimizeUtils::strip_tags_array( $rules );
233	235	return $rules;
234	236	}
	237
235	238	?>

-                      r2882768
+                      r2903008
 == Changelog ==
+= 3.1.7 =
+* security: improve validation (import) and sanitization (output) of critical CSS rules, to fix a medium severity Admin+ Stored Cross-Site Scripting vulnerability as reported by WP Scan Security.
 = 3.1.6 =
 * CSS: removing trailing slashes in <link tags for more W3 HTML validation love

Note: See TracChangeset for help on using the changeset viewer.