Changeset 3495207
- Timestamp:
- 03/31/2026 06:53:47 AM (42 hours ago)
- Location:
- easy-accordion-block
- Files:
-
- 6 edited
- 1 copied
-
tags/1.4.5 (copied) (copied from easy-accordion-block/trunk)
-
tags/1.4.5/inc/Plugin/Style.php (modified) (1 diff)
-
tags/1.4.5/plugin.php (modified) (2 diffs)
-
tags/1.4.5/readme.txt (modified) (2 diffs)
-
trunk/inc/Plugin/Style.php (modified) (1 diff)
-
trunk/plugin.php (modified) (2 diffs)
-
trunk/readme.txt (modified) (2 diffs)
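--- a/easy-accordion-block/tags/1.4.5/inc/Plugin/Style.php
+++ b/easy-accordion-block/tags/1.4.5/inc/Plugin/Style.php
@@ -143,5 +143,55 @@
 		wp_register_style( $handle, false, array(), ESAB_VERSION, 'all' );
 		wp_enqueue_style( $handle, false, array(), ESAB_VERSION, 'all' );
-		wp_add_inline_style( $handle, wp_strip_all_tags( $css ) );
+		wp_add_inline_style( $handle, $this->sanitize_css( $css ) );
+	}
+
+	/**
+	 * Sanitize CSS method
+	 *
+	 * @since 1.0.0
+	 * @param string $css CSS to Sanitize.
+	 * @return string
+	 */
+	private function sanitize_css( $css ) {
+		// Validate UTF-8 encoding
+		$css = wp_check_invalid_utf8( $css );
+
+		if ( empty( $css ) ) {
+			return '';
+		}
+
+		// Normalize whitespace to prevent obfuscation tricks
+		$css = preg_replace( '/\s+/', ' ', $css );
+
+		// Remove CSS comments (can hide payloads: /* expression */background:url() */)
+		$css = preg_replace( '!/\*.*?\*/!s', '', $css );
+
+		// Remove backslash escapes used to bypass keyword filters (e.g. \65 xpression)
+		$css = preg_replace( '/\\\\[0-9a-fA-F]{0,6}\s?/', '', $css );
+
+		// Block dangerous CSS functions and protocols
+		// Covers: expression(), url(), javascript:, vbscript:, data:, behavior
+		if ( preg_match(
+			'/expression\s*\(
+			| url\s*\(
+			| javascript\s*:
+			| vbscript\s*:
+			| data\s*:
+			| @import
+			| behavior\s*:
+			| -moz-binding\s*:
+			| content\s*:/ix',
+			$css
+		) ) {
+			return '';
+		}
+
+		// Block HTML tags that could escape the <style> context
+		if ( preg_match( '/<\s*\/?\s*(script|style|link|meta|object|embed|iframe)/i', $css ) ) {
+			return '';
+		}
+
+		// Trim and return
+		return trim( $css );
 	}
 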
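Review bot: Both blocklist checks in sanitize_css (new lines 174–187 and 190–192) use the result of preg_match() as a plain boolean, so a PCRE failure (preg_match() returns false, e.g. on a backtrack-limit error) skips the rejection and the unfiltered CSS reaches `return trim( $css )`; the preceding preg_replace() calls likewise return null on error and that null is never checked. Make the filter fail closed by testing the no-match case explicitly, `if ( 0 !== preg_match( ..., $css ) ) { return ''; }` for both checks, and adding `if ( null === $css ) { return ''; }` after the preg_replace() chain. Note also that one url() or content: declaration in otherwise benign CSS now discards the whole stylesheet rather than the offending rule, which the docblock should say (`@return string Sanitized CSS, or '' when any disallowed construct is found.`), and the `@since 1.0.0` tag contradicts the readme hunk introducing this in 1.4.5. The enqueuing method that calls sanitize_css begins outside the hunk. The identical code appears in the trunk/inc/Plugin/Style.php section and the same points apply there.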
easy-accordion-block/tags/1.4.5/plugin.php
r3475153 r3495207 5 5 * Requires at least: 6.6 6 6 * Requires PHP: 7.4 7 * Version: 1.4. 47 * Version: 1.4.5 8 8 * Author: Binsaifullah 9 9 * License: GPL v2 or later … … 26 26 * Plugin Version 27 27 */ 28 const VERSION = '1.4. 4';28 const VERSION = '1.4.5'; 29 29 30 30 // instance -
easy-accordion-block/tags/1.4.5/readme.txt
r3475153 r3495207 4 4 Requires at least: 6.6 5 5 Tested up to: 6.9 6 Stable tag: 1.4. 46 Stable tag: 1.4.5 7 7 Requires PHP: 7.4 8 8 License: GPLv2 or later … … 120 120 == Changelog == 121 121 122 = 1.4.5 = 123 * Fixed: CSS sanitization issue is fixed 124 122 125 = 1.4.4 = 123 126 * CSS output is escaped properly -
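--- a/easy-accordion-block/trunk/inc/Plugin/Style.php
+++ b/easy-accordion-block/trunk/inc/Plugin/Style.php
@@ -143,5 +143,55 @@
 		wp_register_style( $handle, false, array(), ESAB_VERSION, 'all' );
 		wp_enqueue_style( $handle, false, array(), ESAB_VERSION, 'all' );
-		wp_add_inline_style( $handle, wp_strip_all_tags( $css ) );
+		wp_add_inline_style( $handle, $this->sanitize_css( $css ) );
+	}
+
+	/**
+	 * Sanitize CSS method
+	 *
+	 * @since 1.0.0
+	 * @param string $css CSS to Sanitize.
+	 * @return string
+	 */
+	private function sanitize_css( $css ) {
+		// Validate UTF-8 encoding
+		$css = wp_check_invalid_utf8( $css );
+
+		if ( empty( $css ) ) {
+			return '';
+		}
+
+		// Normalize whitespace to prevent obfuscation tricks
+		$css = preg_replace( '/\s+/', ' ', $css );
+
+		// Remove CSS comments (can hide payloads: /* expression */background:url() */)
+		$css = preg_replace( '!/\*.*?\*/!s', '', $css );
+
+		// Remove backslash escapes used to bypass keyword filters (e.g. \65 xpression)
+		$css = preg_replace( '/\\\\[0-9a-fA-F]{0,6}\s?/', '', $css );
+
+		// Block dangerous CSS functions and protocols
+		// Covers: expression(), url(), javascript:, vbscript:, data:, behavior
+		if ( preg_match(
+			'/expression\s*\(
+			| url\s*\(
+			| javascript\s*:
+			| vbscript\s*:
+			| data\s*:
+			| @import
+			| behavior\s*:
+			| -moz-binding\s*:
+			| content\s*:/ix',
+			$css
+		) ) {
+			return '';
+		}
+
+		// Block HTML tags that could escape the <style> context
+		if ( preg_match( '/<\s*\/?\s*(script|style|link|meta|object|embed|iframe)/i', $css ) ) {
+			return '';
+		}
+
+		// Trim and return
+		return trim( $css );
 	}
 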
easy-accordion-block/trunk/plugin.php
r3475153 r3495207 5 5 * Requires at least: 6.6 6 6 * Requires PHP: 7.4 7 * Version: 1.4. 47 * Version: 1.4.5 8 8 * Author: Binsaifullah 9 9 * License: GPL v2 or later … … 26 26 * Plugin Version 27 27 */ 28 const VERSION = '1.4. 4';28 const VERSION = '1.4.5'; 29 29 30 30 // instance -
easy-accordion-block/trunk/readme.txt
r3475153 r3495207 4 4 Requires at least: 6.6 5 5 Tested up to: 6.9 6 Stable tag: 1.4. 46 Stable tag: 1.4.5 7 7 Requires PHP: 7.4 8 8 License: GPLv2 or later … … 120 120 == Changelog == 121 121 122 = 1.4.5 = 123 * Fixed: CSS sanitization issue is fixed 124 122 125 = 1.4.4 = 123 126 * CSS output is escaped properly