Context Navigation

← Previous Changeset
Next Changeset →

Changeset 2945835

Timestamp:

08/01/2023 07:20:52 AM (3 years ago)

Author:

whatshelp

Message:

fix xss and tagging version 1.8.10

Location:

whatshelp-chat-button

Files:

: 4 edited
: 1 copied

tags/1.8.10 (copied) (copied from whatshelp-chat-button/trunk)
tags/1.8.10/readme.txt (modified) (1 diff)
tags/1.8.10/whatshelp.php (modified) (2 diffs)
trunk/readme.txt (modified) (1 diff)
trunk/whatshelp.php (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

whatshelp-chat-button/tags/1.8.10/readme.txt

r2944547	r2945835
5	5	Requires at least: 2.7
6	6	Tested up to: 6.3
7		Stable tag: 1.8.~~9.4~~
	7	Stable tag: 1.8.10
8	8	License: GPLv2 or later
9	9	License URI: http://www.gnu.org/licenses/gpl-2.0.html

whatshelp-chat-button/tags/1.8.10/whatshelp.php

-                      r2362335
+                      r2945835
  * Plugin Name: Chat Button by GetButton.io (ex. WhatsHelp)
  * Description: The Chat button by GetButton takes website visitor directly to the messaging app such as Facebook Messenger or WhatsApp and allows them to initiate a conversation with you. After that, both you and your customer can follow up the conversation anytime and anywhere!
  * Version: 1.8.4
+ * Version: 1.8.10
  * Author: GetButton
  * Author URI: https://getbutton.io
 …
+}
+function get_clean_code($code)
+{
+    function getParseError() {
+        return 'console.warn("Getbutton: parsing code failed!"); return;';
+    }
+    // 1. remove all comments
+    $code_clean = preg_replace('/(?:(?:\/\*(?:[^*]|(?:\*+[^*\/]))*\*+\/)|(?:(?<!\:|\\\|\'|\")\/\/.*))/', '', $code);
+    // 2. find positions of all variables
+    preg_match_all('/(?:var|let|const)[\s]+[a-zA-Z0-9_]+[\s]*=/', $code_clean, $allVarsPos, PREG_OFFSET_CAPTURE);
+    $allVarsPos = $allVarsPos[0];
+    if (!count($allVarsPos[0])) {
+        return getParseError();
+    }
+    // 3. find start position of "options" variable and next variable after options
+    $varOptionPos = null;
+    $nextVarPos = null;
+    for ($i=0; $i<count($allVarsPos); $i++) {
+        $pos = $allVarsPos[$i];
+        if (strpos($pos[0], 'options') !== false) {
+            $varOptionPos = $pos[1];
+            if (isset($allVarsPos[$i + 1])) {
+                $nextVarPos = $allVarsPos[$i + 1][1];
+            }
+            break;
+        };
+    }
+    if ($varOptionPos === null) {
+        return getParseError();
+    }
+    // 3. find end position of "options" variable
+    // 4.1 find all positions of "}"
+    preg_match_all('/}/', $code_clean, $posCurls, PREG_OFFSET_CAPTURE, $varOptionPos);
+    $posCurls = $posCurls[0];
+    if (!count($posCurls)) {
+        return getParseError();
+    }
+    // 4.2 find position of last "}" before any next variable
+    $positionCurl = null;
+    // if there no var after options
+    if ($nextVarPos === null) {
+        $positionCurl = end($posCurls)[1];
+    } else {
+        for ($i=0; $i<count($posCurls); $i++) {
+            $pos = $posCurls[$i][1];
+            if ($pos < $nextVarPos) {
+                $positionCurl = $pos;
+            }
+        }
+    }
+    if (!$positionCurl) {
+        return getParseError();
+    }
+    // 5. Remove footer (after end of "options" var)
+    $code_clean = substr($code_clean, 0, $positionCurl + 1);
+    // 6. Remove header (before "options" var)
+    $code_clean = substr($code_clean, $varOptionPos);
+    // Clear XSS from code
+    $result = strip_tags($code_clean);
+    return $result;
+}
+function get_prefix()
+{
+    $prefix = <<<EOTEXT
+\n\n<!-- GetButton.io widget -->
+<script type="text/javascript">
+(function () {\n
+EOTEXT;
+    return $prefix;
+}
+function get_suffix()
+{
+    $suffix = <<<EOTEXT
+;
+    var proto = 'https:', host = "getbutton.io", url = proto + '//static.' + host;
+    var s = document.createElement('script'); s.type = 'text/javascript'; s.async = true; s.src = url + '/widget-send-button/js/init.js';
+    s.onload = function () { WhWidgetSendButton.init(host, proto, options); };
+    var x = document.getElementsByTagName('script')[0]; x.parentNode.insertBefore(s, x);
+})();
+</script>
+<!-- /GetButton.io widget -->\n\n
+EOTEXT;
+    return $suffix;
+}
 function add_whatshelp_code()
+{
+    echo get_option('whatshelp-code');
+    echo get_prefix();
+    echo get_clean_code(get_option('whatshelp-code'));
+    echo get_suffix();
+}

whatshelp-chat-button/trunk/readme.txt

r2944547	r2945835
5	5	Requires at least: 2.7
6	6	Tested up to: 6.3
7		Stable tag: 1.8.~~9.4~~
	7	Stable tag: 1.8.10
8	8	License: GPLv2 or later
9	9	License URI: http://www.gnu.org/licenses/gpl-2.0.html

whatshelp-chat-button/trunk/whatshelp.php

-                      r2362335
+                      r2945835
  * Plugin Name: Chat Button by GetButton.io (ex. WhatsHelp)
  * Description: The Chat button by GetButton takes website visitor directly to the messaging app such as Facebook Messenger or WhatsApp and allows them to initiate a conversation with you. After that, both you and your customer can follow up the conversation anytime and anywhere!
  * Version: 1.8.4
+ * Version: 1.8.10
  * Author: GetButton
  * Author URI: https://getbutton.io
 …
+}
+function get_clean_code($code)
+{
+    function getParseError() {
+        return 'console.warn("Getbutton: parsing code failed!"); return;';
+    }
+    // 1. remove all comments
+    $code_clean = preg_replace('/(?:(?:\/\*(?:[^*]|(?:\*+[^*\/]))*\*+\/)|(?:(?<!\:|\\\|\'|\")\/\/.*))/', '', $code);
+    // 2. find positions of all variables
+    preg_match_all('/(?:var|let|const)[\s]+[a-zA-Z0-9_]+[\s]*=/', $code_clean, $allVarsPos, PREG_OFFSET_CAPTURE);
+    $allVarsPos = $allVarsPos[0];
+    if (!count($allVarsPos[0])) {
+        return getParseError();
+    }
+    // 3. find start position of "options" variable and next variable after options
+    $varOptionPos = null;
+    $nextVarPos = null;
+    for ($i=0; $i<count($allVarsPos); $i++) {
+        $pos = $allVarsPos[$i];
+        if (strpos($pos[0], 'options') !== false) {
+            $varOptionPos = $pos[1];
+            if (isset($allVarsPos[$i + 1])) {
+                $nextVarPos = $allVarsPos[$i + 1][1];
+            }
+            break;
+        };
+    }
+    if ($varOptionPos === null) {
+        return getParseError();
+    }
+    // 3. find end position of "options" variable
+    // 4.1 find all positions of "}"
+    preg_match_all('/}/', $code_clean, $posCurls, PREG_OFFSET_CAPTURE, $varOptionPos);
+    $posCurls = $posCurls[0];
+    if (!count($posCurls)) {
+        return getParseError();
+    }
+    // 4.2 find position of last "}" before any next variable
+    $positionCurl = null;
+    // if there no var after options
+    if ($nextVarPos === null) {
+        $positionCurl = end($posCurls)[1];
+    } else {
+        for ($i=0; $i<count($posCurls); $i++) {
+            $pos = $posCurls[$i][1];
+            if ($pos < $nextVarPos) {
+                $positionCurl = $pos;
+            }
+        }
+    }
+    if (!$positionCurl) {
+        return getParseError();
+    }
+    // 5. Remove footer (after end of "options" var)
+    $code_clean = substr($code_clean, 0, $positionCurl + 1);
+    // 6. Remove header (before "options" var)
+    $code_clean = substr($code_clean, $varOptionPos);
+    // Clear XSS from code
+    $result = strip_tags($code_clean);
+    return $result;
+}
+function get_prefix()
+{
+    $prefix = <<<EOTEXT
+\n\n<!-- GetButton.io widget -->
+<script type="text/javascript">
+(function () {\n
+EOTEXT;
+    return $prefix;
+}
+function get_suffix()
+{
+    $suffix = <<<EOTEXT
+;
+    var proto = 'https:', host = "getbutton.io", url = proto + '//static.' + host;
+    var s = document.createElement('script'); s.type = 'text/javascript'; s.async = true; s.src = url + '/widget-send-button/js/init.js';
+    s.onload = function () { WhWidgetSendButton.init(host, proto, options); };
+    var x = document.getElementsByTagName('script')[0]; x.parentNode.insertBefore(s, x);
+})();
+</script>
+<!-- /GetButton.io widget -->\n\n
+EOTEXT;
+    return $suffix;
+}
 function add_whatshelp_code()
+{
+    echo get_option('whatshelp-code');
+    echo get_prefix();
+    echo get_clean_code(get_option('whatshelp-code'));
+    echo get_suffix();
+}

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory