
Changeset 3242543


Timestamp:
02/18/2025 10:25:23 AM (13 months ago)
Author:
visualmodo
Message:

1.6.3 - Feb 18 2025

  • Fixed - SVG Vulnerability.
  • Fixed - Icon Manager Readded.
Location:
borderless
Files:
220 added
5 edited

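--- a/borderless/trunk/borderless.php
+++ b/borderless/trunk/borderless.php
@@ -5,5 +5,5 @@
 Plugin URI: https://visualmodo.com/borderless/
 Description: One service packed with powerful tools to help you reach your purposes.
-Version: 1.6.2
+Version: 1.6.3
 Author: Visualmodo
 Author URI: https://visualmodo.com
@@ -21,5 +21,5 @@
 /*-----------------------------------------------------------------------------------*/
 
-define( 'BORDERLESS__VERSION', '1.6.2' );
+define( 'BORDERLESS__VERSION', '1.6.3' );
 define( 'BORDERLESS__DIR', plugin_dir_path( __FILE__ ) );
 define( 'BORDERLESS__URL', plugins_url( '/', __FILE__ ) );
@@ -135,5 +135,5 @@
        
         require_once( BORDERLESS__INC . "/templates/system-info.php" );
-        //require_once( BORDERLESS__INC . "/icon-manager/icon-manager.php" );
+        require_once( BORDERLESS__INC . "/icon-manager/icon-manager.php" );
         require_once( BORDERLESS__INC . "/custom-post-types/custom-post-types.php" );
         require_once( BORDERLESS__INC . "/svg/svg.php" );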
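--- a/borderless/trunk/includes/class-borderless.php
+++ b/borderless/trunk/includes/class-borderless.php
@@ -92,5 +92,5 @@
        
         require_once( BORDERLESS__INC . "/templates/system-info.php" );
-        //require_once( BORDERLESS__INC . "/icon-manager/icon-manager.php" );
+        require_once( BORDERLESS__INC . "/icon-manager/icon-manager.php" );
         require_once( BORDERLESS__INC . "/custom-post-types/custom-post-types.php" );
         require_once( BORDERLESS__INC . "/svg/svg.php" );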
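--- a/borderless/trunk/includes/svg/svg.php
+++ b/borderless/trunk/includes/svg/svg.php
@@ -5,78 +5,78 @@
 }
 
-//Sanitizes a comma separated CSS selectors with class and id names to ensure it only contains valid characters.
-//Complex selectors (for ex. [name*="value"]) are not allowed.
-//Allowed characters: A-Z, a-z, 0-9, _, -, .(dot), >,  (space), #, ,(comma)
+// Sanitizes a comma-separated list of CSS selectors (with class and id names) to ensure it only contains valid characters.
+// Complex selectors (e.g., [name*="value"]) are not allowed.
+// Allowed characters: A-Z, a-z, 0-9, _, -, . (dot), >, (space), #, , (comma)
 function borderless_svg_sanitize_css_selectors( $selectors ) {
     $selectors = htmlspecialchars_decode( $selectors );
 
-    //Strip out any % encoded octets
+    // Strip out any % encoded octets
     $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $selectors );
 
-    //Limit to A-Z, a-z, 0-9, _, -, .(dot), >,  (space), #, ,(comma)
+    // Limit to A-Z, a-z, 0-9, _, -, . (dot), >, (space), #, , (comma)
     $sanitized = preg_replace( '/[^A-Za-z0-9 _,.#>-]/', '', $sanitized );
 
-    //convert the ">" (greater-than) sign to > for storing in a database
-    $sanitized = htmlspecialchars($sanitized);
+    // Convert the ">" (greater-than) sign to > for storing in a database
+    $sanitized = htmlspecialchars( $sanitized );
 
     return apply_filters( 'borderless_svg_sanitize_css_selectors', $sanitized );
 }
 
+// Allow SVG through WordPress Media Uploader
+function borderless_svg_cc_mime_types( $mimes ) {
+    $mimes['svg']  = 'image/svg+xml';
+    $mimes['svgz'] = 'image/svg+xml';
+    return $mimes;
+}
+add_filter( 'upload_mimes', 'borderless_svg_cc_mime_types' );
 
-//Allow SVG through WordPress Media Uploader
-function borderless_svg_cc_mime_types($mimes) {
-        $mimes['svg'] = 'image/svg+xml';
-        $mimes['svgz'] = 'image/svg+xml';
-        return $mimes;
-}
-add_filter('upload_mimes', 'borderless_svg_cc_mime_types');
+// Removed the temporary fix that disabled real MIME checking,
+// as this practice may compromise security. WordPress versions from 4.7.2 onwards
+// already perform the check correctly.
 
-/**
- * TEMP FIX FOR 4.7.1
- * Issue should be fixed in 4.7.2 in which case this will be deleted.
- */
-function borderless_svgs_disable_real_mime_check( $data, $file, $filename, $mimes ) {
-    $wp_filetype = wp_check_filetype( $filename, $mimes );
+// Sanitize SVG code of a file during upload to the media library: remove all JavaScript tags and attributes.
+function borderless_sanitize_svg( $file ) {
+    if ( isset( $file['type'] ) && $file['type'] === 'image/svg+xml' ) {
 
-    $ext = $wp_filetype['ext'];
-    $type = $wp_filetype['type'];
-    $proper_filename = $data['proper_filename'];
-
-    return compact( 'ext', 'type', 'proper_filename' );
-}
-add_filter( 'wp_check_filetype_and_ext', 'borderless_svgs_disable_real_mime_check', 10, 4 );
-
-//Sanitize SVG code of a file during uploading into media library: remove all JavaScript tags and attributes.
-function borderless_sanitize_svg( $file ) {
-    if( $file['type'] == 'image/svg+xml' ) {
-       
         require_once 'sanitizer.php';
 
         $svg = new BORDERLESS_SvgSanitizer();
-       
-        $svg->load_svg( $file['tmp_name'] );
+        if ( ! $svg->load_svg( $file['tmp_name'] ) ) {
+            $file['error'] = 'Failed to load the SVG for sanitization.';
+            return $file;
+        }
+
         $svg->borderless_sanitize_svg();
         $sanitized_svg = $svg->save_svg();
+        if ( empty( $sanitized_svg ) ) {
+            $file['error'] = 'SVG sanitization resulted in an empty file.';
+            return $file;
+        }
 
+        if ( ! function_exists( 'WP_Filesystem' ) ) {
+            require_once( ABSPATH . 'wp-admin/includes/file.php' );
+        }
         global $wp_filesystem;
-        $creds = request_filesystem_credentials( admin_url(), '', FALSE, FALSE, array() );
+        $creds = request_filesystem_credentials( admin_url(), '', false, false, array() );
         if ( ! WP_Filesystem( $creds ) ) {
-            request_filesystem_credentials( admin_url(), '', TRUE, FALSE, NULL );
+            $file['error'] = 'Unable to access the filesystem to sanitize the SVG.';
+            return $file;
         }
-       
+
         $replaced = $wp_filesystem->put_contents( $file['tmp_name'], $sanitized_svg, FS_CHMOD_FILE );
+        if ( ! $replaced ) {
+            $file['error'] = 'Failed to write the sanitized SVG to the temporary file.';
+            return $file;
+        }
     }
-
     return $file;
 }
 add_filter( 'wp_handle_upload_prefilter', 'borderless_sanitize_svg' );
 
-
-//Fixing SVG width and height attributes to show correctly in TinyMCE editor
+// Fix SVG width and height attributes so they display correctly in the TinyMCE editor
 function borderless_svg_fix_svg_size_attributes( $out, $id ) {
-    $image_url  = wp_get_attachment_url( $id );
-    $file_ext   = pathinfo( $image_url, PATHINFO_EXTENSION );
-    if ( ! is_admin() || 'svg' !== $file_ext )
-    {
+    $image_url = wp_get_attachment_url( $id );
+    $file_ext  = pathinfo( $image_url, PATHINFO_EXTENSION );
+    if ( ! is_admin() || 'svg' !== $file_ext ) {
         return false;
     }
@@ -85,8 +85,7 @@
 add_filter( 'image_downsize', 'borderless_svg_fix_svg_size_attributes', 10, 2 );
 
-
-//Fixing SVG width and height attributes to show correctly in Media Library in grid mode
-function borderless_svg_prepare_attachment_for_js_filter($response, $attachment, $meta){
-    if( $response['mime'] == 'image/svg+xml' && empty($response['sizes']) ){
+// Fix SVG width and height attributes so they display correctly in the Media Library grid view
+function borderless_svg_prepare_attachment_for_js_filter( $response, $attachment, $meta ) {
+    if ( $response['mime'] == 'image/svg+xml' && empty( $response['sizes'] ) ) {
         $svg_file_path = get_attached_file( $attachment->ID );
 
@@ -95,6 +94,6 @@
         $response['sizes'] = array(
             'full' => array(
-                'url' => $response['url'],
-                'width' => $orig_size[0],
+                'url'    => $response['url'],
+                'width'  => $orig_size[0],
                 'height' => $orig_size[1]
             )
@@ -106,18 +105,30 @@
     return $response;
 }
-//get width and height attributes of uploded SVG
-function borderless_svg_get_original_svg_size($file) {
+add_filter( 'wp_prepare_attachment_for_js', 'borderless_svg_prepare_attachment_for_js_filter', 10, 3 );
+
+// Retrieve width and height attributes of the uploaded SVG.
+// Now disables external entity loading to prevent XXE attacks.
+function borderless_svg_get_original_svg_size( $file ) {
     $arr = array();
-    $xml_get = simplexml_load_file($file);
-    $xml_attrs = $xml_get->attributes();
-   
-    $width = (string) $xml_attrs->width;
-    if ( empty($width) ) {
-        $width = '100%';
-    }
-   
-    $height = (string) $xml_attrs->height;
-    if ( empty($height) ) {
+
+    $prev     = libxml_disable_entity_loader( true );
+    $xml_get  = simplexml_load_file( $file, 'SimpleXMLElement', LIBXML_NONET );
+    libxml_disable_entity_loader( $prev );
+
+    if ( $xml_get === false ) {
+        $width  = '100%';
         $height = '100%';
+    } else {
+        $xml_attrs = $xml_get->attributes();
+
+        $width = (string) $xml_attrs->width;
+        if ( empty( $width ) ) {
+            $width = '100%';
+        }
+
+        $height = (string) $xml_attrs->height;
+        if ( empty( $height ) ) {
+            $height = '100%';
+        }
     }
 
@@ -127,15 +138,11 @@
     return $arr;
 }
-add_filter('wp_prepare_attachment_for_js', 'borderless_svg_prepare_attachment_for_js_filter', 10, 3);
 
-//Define styles and scripts for site's front-end
-
+// Define styles and scripts for the site's front-end
 function borderless_svg_scripts() {
-    wp_enqueue_script( 'borderless_svg_js', plugins_url( '/svg.min.js', __FILE__ ), array('jquery'), BORDERLESS__VERSION, true );
-   
+    wp_enqueue_script( 'borderless_svg_js', plugins_url( '/svg.min.js', __FILE__ ), array( 'jquery' ), BORDERLESS__VERSION, true );
     wp_enqueue_script( 'borderless_svg_js' );
 }
-add_action('wp_enqueue_scripts', 'borderless_svg_scripts');
-
+add_action( 'wp_enqueue_scripts', 'borderless_svg_scripts' );
 
 ?>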
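Review bot: The guard on new line 39, `if ( isset( $file['type'] ) && $file['type'] === 'image/svg+xml' )`, makes the whole sanitizer conditional on the MIME type the client declared in the multipart request — on `wp_handle_upload_prefilter` `$file` is the raw `$_FILES` entry — so an uploader can send an `.svg` body with any other Content-Type, skip this function entirely, and, as far as I can tell from core's extension-based type check plus `finfo`, still have the unsanitized file accepted. Decide by the file name instead, e.g. `$ft = wp_check_filetype( isset( $file['name'] ) ? $file['name'] : '', array( 'svg' => 'image/svg+xml', 'svgz' => 'image/svg+xml' ) );` and test `'image/svg+xml' === $ft['type']` (keeping the declared-type check as a second trigger is harmless); note that a `.svgz` body is gzip-compressed, so it presumably cannot be parsed by `load_svg` as-is and should be explicitly rejected or decompressed rather than left to whatever the sanitizer does with it. Separately, `libxml_disable_entity_loader()` on new lines 114 and 116 has been deprecated since PHP 8.0 and emits E_DEPRECATED on every call; guard it with `if ( PHP_VERSION_ID < 80000 )`, since on PHP 8 / libxml 2.9+ external entities are not resolved unless `LIBXML_NOENT`/`LIBXML_DTDLOAD` are passed and `LIBXML_NONET` already blocks network fetches. The `simplexml_load_file` call on line 115 still emits PHP warnings on a malformed file even though the `=== false` branch is now handled, so wrap it in `libxml_use_internal_errors( true )` / `libxml_clear_errors()` to keep a bad SVG from injecting notices into the `wp_prepare_attachment_for_js` JSON response. Finally, the effectiveness of the "SVG Vulnerability" fix rests on `BORDERLESS_SvgSanitizer` in sanitizer.php, which this changeset does not touch, so whether `<foreignObject>`, `javascript:` hrefs and external `<use>`/`@import` references are stripped cannot be judged from this diff.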
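--- a/borderless/trunk/includes/templates/dashboard.php
+++ b/borderless/trunk/includes/templates/dashboard.php
@@ -83,6 +83,4 @@
             }
         }
-
-        /*
        
         add_action( 'admin_menu', 'borderless_icon_fonts_submenu', 50 );
@@ -102,6 +100,4 @@
             }
         }
-
-        */
 
         add_submenu_page(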
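--- a/borderless/trunk/readme.txt
+++ b/borderless/trunk/readme.txt
@@ -5,5 +5,5 @@
 Tested up to: 6.7.1
 Requires PHP: 7.4
-Stable tag: 1.6.2
+Stable tag: 1.6.3
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
@@ -82,4 +82,8 @@
 == Changelog ==
 
+= 1.6.3 - Feb 18 2025 =
+* Fixed - SVG Vulnerability.
+* Fixed - Icon Manager Readded.
+
 = 1.6.2 - Feb 17 2025 =
 * Fixed - Icon Manager Removed.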