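/**
 * Enqueue the plugin's scripts/styles and hand the AJAX settings to the JS.
 *
 * Registers jQuery, the plugin script (depends on jQuery), Font Awesome and the
 * plugin stylesheet (depends on Font Awesome), then localizes the plugin script
 * under the JS global `ajax` with the admin-ajax endpoint, a nonce for
 * self::NONCE_ACTION and the status strings the script displays.
 *
 * Security note: the nonce only protects the request if the admin-ajax handler
 * for self::NONCE_ACTION actually verifies it (check_ajax_referer() or
 * wp_verify_nonce()); that handler is not in this block, so confirm it does.
 *
 * Fix: the 'updating' string was passed a third argument and the text domain
 * 'inherit_theme_mods' (underscores), so it was looked up in the wrong domain
 * and never translated. It now uses the plugin domain 'inherit-theme-mods'
 * like every other string here.
 */
function enqueue_scripts() {
    wp_enqueue_script('jquery');
    wp_enqueue_script(
        'itm_script',
        ITM_Util::url('assets', 'inherit-theme-mods.js'),
        array('jquery')
    );
    wp_enqueue_style(
        'font-awesome',
        ITM_Util::url('lib', 'font-awesome', 'css', 'font-awesome.min.css')
    );
    wp_enqueue_style(
        'itm_style',
        ITM_Util::url('assets', 'inherit-theme-mods.css'),
        array('font-awesome')
    );

    // The 'success' message carries markup (the "Visit Site" link), so it is
    // presumably inserted as HTML on the JS side; escape the translatable text
    // pieces for that context and the link target as a URL. For the default
    // English strings the output is unchanged.
    $success = esc_html__('Processed successfully.', 'inherit-theme-mods')
        . '<a href="' . esc_url(home_url('/')) . '" class="ITM-aside">'
        . esc_html__('Visit Site', 'inherit-theme-mods')
        . '</a>';

    wp_localize_script('itm_script', 'ajax', array(
        'endpoint' => admin_url('admin-ajax.php'),
        'nonce'    => wp_create_nonce(self::NONCE_ACTION),
        'status'   => array(
            'success'      => $success,
            'unknownError' => __('Unknown error', 'inherit-theme-mods'),
            // Text domain corrected (was 'inherit_theme_mods' plus a stray arg).
            'updating'     => __('Updating..', 'inherit-theme-mods'),
        ),
    ));
}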
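/**
 * Render one theme-mod value as an HTML snippet for the comparison list.
 *
 * @param string $key  Theme-mod name; emitted (attribute-escaped) as data-key.
 * @param array  $mods Theme mods keyed by name.
 * @param string $col  Column label; emitted (attribute-escaped) as data-col.
 * @return string HTML: a "(no value)" placeholder when $key is absent from
 *                $mods; otherwise a colour swatch + text for 3/6-digit hex
 *                colours, an <img> + text for values ending in
 *                .jpg/.jpeg/.png/.gif, or the serialized value as text.
 *
 * Escaping is done once per output context: the raw (maybe_serialize'd) value
 * is matched against the colour/image patterns, then escaped with esc_html for
 * text content and esc_url for the <img src>. The style attribute of the
 * swatch is produced by ITM_Util::style_attr(), whose attribute escaping is
 * covered by test_build_style_attr_xss.
 *
 * Fixes: (1) the value was passed through esc_html twice (once before matching,
 * again on output), so text such as `&` or `<` was shown as `&amp;` / `&lt;`
 * literally; (2) the colour pattern used `[0-9,a-f,A-F]`, whose commas are
 * literal characters, so strings like `#,,,` were treated as colours.
 */
function decorate_mod($key, $mods, $col) {
    $data_key = 'data-key="' . esc_attr($key) . '"';
    $data_col = 'data-col="' . esc_attr($col) . '"';

    if (!array_key_exists($key, $mods)) {
        return "<span class=\"ITM-list-data\" {$data_key} {$data_col}><small class=\"no-value\">"
            . __('(no value)', 'inherit-theme-mods')
            . '</small></span>';
    }

    // Raw text form of the value; escaped below, exactly once per context.
    $raw = (string) maybe_serialize($mods[$key]);

    $is_color     = 1 === preg_match('/^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $raw);
    $is_image_url = 1 === preg_match('/\.(jpg|jpeg|png|gif)$/i', $raw);

    if ($is_color) {
        // Hex colour: show a swatch next to the value (with or without '#').
        $color_str  = substr($raw, 0, 1) === '#' ? $raw : "#{$raw}";
        $style_attr = ITM_Util::style_attr(array('background-color' => $color_str));
        return "<div class=\"ITM-color-indication\" {$style_attr}></div>"
            . "<span class=\"ITM-list-data\" {$data_key} {$data_col}>" . esc_html($raw) . '</span>';
    }

    if ($is_image_url) {
        // Image URL: preview it, then show the URL as text.
        $src = esc_url($raw);
        return "<img src=\"{$src}\" class=\"ITM-image-indication\" alt=\"\" /><br />"
            . "<span class=\"ITM-list-data\" {$data_key} {$data_col}>" . esc_html($raw) . '</span>';
    }

    // Anything else: the serialized value as plain text.
    return "<span class=\"ITM-list-data ITM-serialized-text\" {$data_key} {$data_col}>"
        . esc_html($raw)
        . '</span>';
}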
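/**
 * ITM_Util::style_attr() must neutralise hostile keys and values.
 *
 * The keys and values end up inside an HTML attribute, so a raw `<`, `>` or `"`
 * coming from a theme-mod value would break out of it. Beyond the original
 * check that the literal `<script>` tag is gone, this asserts that no raw
 * angle bracket from the payload survives at all (well-formed CSS never needs
 * one), and uses assertSame so a preg_match() error (which returns false)
 * can no longer satisfy the old assertEquals(0, ...).
 *
 * A stray `"` inside the attribute value would also break out; whether
 * style_attr() wraps its output in double quotes is not visible from here,
 * so that check is left as a TODO for the owner of ITM_Util.
 */
function test_build_style_attr_xss() {
    $payload = '" ><script>alert(1);</script>';

    $attr = ITM_Util::style_attr(array(
        'background-color' => '#12345',
        'color'            => 'red',
        'padding'          => 0,
        $payload           => '',
        'aaa'              => $payload,
    ));

    // The injected tag must not come through verbatim (case-insensitive).
    $this->assertSame(0, preg_match('/<script>/i', $attr));
    // No raw angle bracket at all may remain in an attribute built from CSS.
    $this->assertSame(0, preg_match('/[<>]/', $attr));
}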