Changeset 3285202
- Timestamp:
- 04/30/2025 06:43:23 PM (11 months ago)
- Location:
- head-footer-code
- Files:
-
- 31 added
- 4 edited
-
tags/1.4.3 (added)
-
tags/1.4.3/LICENSE (added)
-
tags/1.4.3/assets (added)
-
tags/1.4.3/assets/css (added)
-
tags/1.4.3/assets/css/admin.min.css (added)
-
tags/1.4.3/assets/css/admin.min.css.map (added)
-
tags/1.4.3/assets/css/edit.min.css (added)
-
tags/1.4.3/assets/css/edit.min.css.map (added)
-
tags/1.4.3/assets/scss (added)
-
tags/1.4.3/assets/scss/admin.scss (added)
-
tags/1.4.3/assets/scss/edit.scss (added)
-
tags/1.4.3/changelog.txt (added)
-
tags/1.4.3/classes (added)
-
tags/1.4.3/classes/autoload.php (added)
-
tags/1.4.3/classes/techwebux (added)
-
tags/1.4.3/classes/techwebux/hfc (added)
-
tags/1.4.3/classes/techwebux/hfc/class-common.php (added)
-
tags/1.4.3/classes/techwebux/hfc/class-front.php (added)
-
tags/1.4.3/classes/techwebux/hfc/class-grid.php (added)
-
tags/1.4.3/classes/techwebux/hfc/class-main.php (added)
-
tags/1.4.3/classes/techwebux/hfc/class-metabox-article.php (added)
-
tags/1.4.3/classes/techwebux/hfc/class-metabox-category.php (added)
-
tags/1.4.3/classes/techwebux/hfc/class-settings.php (added)
-
tags/1.4.3/head-footer-code.php (added)
-
tags/1.4.3/index.php (added)
-
tags/1.4.3/readme.txt (added)
-
tags/1.4.3/templates (added)
-
tags/1.4.3/templates/hfc-form.php (added)
-
tags/1.4.3/templates/settings.php (added)
-
tags/1.4.3/uninstall.php (added)
-
tags/1.4.3/update.php (added)
-
trunk/classes/techwebux/hfc/class-common.php (modified) (1 diff)
-
trunk/classes/techwebux/hfc/class-metabox-article.php (modified) (1 diff)
-
trunk/head-footer-code.php (modified) (2 diffs)
-
trunk/readme.txt (modified) (2 diffs)
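--- a/head-footer-code/trunk/classes/techwebux/hfc/class-common.php
+++ b/head-footer-code/trunk/classes/techwebux/hfc/class-common.php
@@ -245,4 +245,46 @@
 
 /**
+ * Sanitize HTML code by temporarily removing
+ * <script>...</script> and <style>...</style>
+ * before filtering allowed HTML through wp_kses
+ *
+ * @param string $content
+ * @return string Sanitized content (code inside SCRIPT and STYLE is untouched)
+ */
+public static function sanitize_html_with_scripts( $content ) {
+$allowed_html = self::allowed_html();
+
+$placeholders = array();
+
+// Match <script>...</script>
+if ( preg_match_all( '#<script\b[^>]*>.*?</script>#is', $content, $matches ) ) {
+foreach ( $matches[0] as $i => $match ) {
+$placeholder = "__TWU_SCRIPT_PLACEHOLDER_{$i}__";
+$placeholders[ $placeholder ] = $match;
+$content = str_replace( $match, $placeholder, $content );
+}
+}
+
+// Match <style>...</style>
+if ( preg_match_all( '#<style\b[^>]*>.*?</style>#is', $content, $matches ) ) {
+foreach ( $matches[0] as $i => $match ) {
+$placeholder = "__TWU_STYLE_PLACEHOLDER_{$i}__";
+$placeholders[ $placeholder ] = $match;
+$content = str_replace( $match, $placeholder, $content );
+}
+}
+
+// Sanitize rest of content (outside scripts/styles)
+$content = wp_kses( $content, $allowed_html );
+
+// Restore script/style blocks
+foreach ( $placeholders as $placeholder => $original ) {
+$content = str_replace( $placeholder, $original, $content );
+}
+
+return $content;
+}
+
+/**
  * Get values of metabox fields
  *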
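Review bot: `sanitize_html_with_scripts` hands every matched `<script>` and `<style>` block back verbatim, so the only thing between a post editor and stored raw script is whatever capability check the callers perform outside this hunk; WordPress already expresses that decision as the `unfiltered_html` capability, and the bypass should be conditional on it, e.g. `if ( ! current_user_can( 'unfiltered_html' ) ) { return wp_kses( $content, self::allowed_html() ); }` as the first statement. The placeholder tokens are fixed strings, so input that already contains `__TWU_SCRIPT_PLACEHOLDER_0__` outside a script block would be swapped for the first script block on restore; deriving the token from a per-call `uniqid()` and checking `strpos( $content, $token ) === false` before use avoids the collision. `str_replace( $match, $placeholder, $content )` also replaces every identical occurrence in one go, which is harmless for restoration but deserves a one-line comment since the loop index then no longer corresponds to a block. The method is complete within the hunk; the enclosing class continues outside it.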
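--- a/head-footer-code/trunk/classes/techwebux/hfc/class-metabox-article.php
+++ b/head-footer-code/trunk/classes/techwebux/hfc/class-metabox-article.php
@@ -95,14 +95,12 @@
 }
 
-// Allow safe HTML, JS, and CSS.
-$allowed_html = Common::allowed_html();
-
 // Sanitize each field separately.
 $data = array(
 'behavior' => isset( $_POST['auhfc']['behavior'] ) ? sanitize_key( $_POST['auhfc']['behavior'] ) : '',
-'head' => isset( $_POST['auhfc']['head'] ) ? wp_kses( $_POST['auhfc']['head'], $allowed_html) : '',
-'body' => isset( $_POST['auhfc']['body'] ) ? wp_kses( $_POST['auhfc']['body'], $allowed_html) : '',
-'footer' => isset( $_POST['auhfc']['footer'] ) ? wp_kses( $_POST['auhfc']['footer'], $allowed_html) : '',
+'head' => isset( $_POST['auhfc']['head'] ) ? Common::sanitize_html_with_scripts( $_POST['auhfc']['head'] ) : '',
+'body' => isset( $_POST['auhfc']['body'] ) ? Common::sanitize_html_with_scripts( $_POST['auhfc']['body'] ) : '',
+'footer' => isset( $_POST['auhfc']['footer'] ) ? Common::sanitize_html_with_scripts( $_POST['auhfc']['footer'] ) : '',
 );
+
 update_post_meta( $post_id, '_auhfc', wp_slash( $data ) );
 } // END public function save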
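Review bot: The new `head`/`body`/`footer` lines pass `$_POST['auhfc'][...]` to `Common::sanitize_html_with_scripts()` as received, and the result is slashed again by `wp_slash()` before `update_post_meta`; WordPress normally adds slashes to request data, and this predates the change, but now that the sanitizer regex-matches the raw markup it is worth confirming that escaped quotes in attributes such as `type="application/ld+json"` are meant to reach it, and otherwise wrapping each value in `wp_unslash()`. The three ternaries differ only by key; a loop `foreach ( array( 'head', 'body', 'footer' ) as $key ) { $data[ $key ] = isset( $_POST['auhfc'][ $key ] ) ? Common::sanitize_html_with_scripts( $_POST['auhfc'][ $key ] ) : ''; }` keeps them in step the next time the sanitizer call changes. The `save` method starts outside the hunk.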
head-footer-code/trunk/head-footer-code.php
r3277444 r3285202 11 11 * Plugin URI: https://urosevic.net/wordpress/plugins/head-footer-code/ 12 12 * Description: Easy add site-wide, category or article specific custom code before the closing <strong></head></strong> and <strong></body></strong> or after opening <strong><body></strong> HTML tag. 13 * Version: 1.4. 213 * Version: 1.4.3 14 14 * Author: Aleksandar Urošević 15 15 * Author URI: https://urosevic.net/ … … 30 30 } 31 31 32 define( 'HFC_VER', '1.4. 2' );32 define( 'HFC_VER', '1.4.3' ); 33 33 define( 'HFC_VER_DB', '9' ); 34 34 define( 'HFC_FILE', __FILE__ ); -
head-footer-code/trunk/readme.txt
r3277444 r3285202 6 6 Requires at least: 4.9 7 7 Tested up to: 6.8 8 Stable tag: 1.4. 28 Stable tag: 1.4.3 9 9 Requires PHP: 5.5 10 10 License: GPLv3 … … 191 191 ## Changelog 192 192 193 ### 1.4.3 (2025-04-30) 194 * Fix: Relaxed filtering to allow <script> blocks with `<`, `>`, `=>` characters and `type="application/ld+json"` for structured data (rich snippets), following stricter sanitization introduced in 1.4.0. 195 193 196 ### 1.4.2 (2025-04-20) 194 197 * Fix: meta tag broken by security introduced in 1.4.0