/**
 * kses entry point (older variant): entity-level passes, then the kses hook,
 * then the tag/attribute filter in wp_kses_split().
 *
 * The hook in this variant receives the text only; the later variant on this
 * page also hands it the allow-lists.
 *
 * @param string $string            Content to filter.
 * @param array  $allowed_html      Allowed elements/attributes; lower-cased with wp_kses_array_lc() before use.
 * @param array  $allowed_protocols Allowed link protocols.
 * @return string
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'feed', 'gopher', 'mailto'))
{
    // wp_kses_no_null -> wp_kses_js_entities -> wp_kses_normalize_entities, in that order.
    $text = wp_kses_no_null($string);
    $text = wp_kses_normalize_entities(wp_kses_js_entities($text));
    $text = wp_kses_hook($text);

    $allowedLowerCase = wp_kses_array_lc($allowed_html);

    return wp_kses_split($text, $allowedLowerCase, $allowed_protocols);
}
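/**
 * Filters content and keeps only allowable HTML elements.
 *
 * This function makes sure that only the allowed HTML element names, attribute
 * names and attribute values plus only sane HTML entities will occur in
 * $string. You have to remove any slashes from PHP's magic quotes before you
 * call this function.
 *
 * The default allowed protocols are 'http', 'https', 'ftp', 'ftps', 'mailto',
 * 'news', 'irc', 'gopher', 'nntp', 'feed' and 'telnet' (this list matches the
 * default argument below). This covers all common link protocols, except for
 * 'javascript' which should not be allowed for untrusted users.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses
 * @param array  $allowed_html      List of allowed HTML elements
 * @param array  $allowed_protocols Optional. Allowed protocol in links.
 * @return string Filtered content with only allowed HTML elements
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'))
{
    $text = wp_kses_no_null($string);
    $text = wp_kses_js_entities($text);
    $text = wp_kses_normalize_entities($text);

    // Lower-case the allow-list once and pass the same normalised lists to
    // both the hook and the splitter so the two cannot disagree.
    $allowedLowerCase = wp_kses_array_lc($allowed_html);
    // WP changed the order of these funcs and added args to wp_kses_hook
    $text = wp_kses_hook($text, $allowedLowerCase, $allowed_protocols);

    return wp_kses_split($text, $allowedLowerCase, $allowed_protocols);
}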
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * This function makes sure that only the allowed HTML element names, attribute
 * names and attribute values plus only sane HTML entities will occur in
 * $string. You have to remove any slashes from PHP's magic quotes before you
 * call this function.
 *
 * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp' and 'svn'. This
 * covers all common link protocols, except for 'javascript' which should not
 * be allowed for untrusted users. When $allowed_protocols is empty the global
 * $allowedprotocols list is used.
 *
 * NOTE(review): unlike the other wp_kses variants on this page, this one passes
 * $allowed_html through without wp_kses_array_lc() and does not call
 * wp_kses_hook(); confirm that matches the wp_kses_split() version in use.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses
 * @param array  $allowed_html      List of allowed HTML elements
 * @param array  $allowed_protocols Optional. Allowed protocol in links.
 * @return string Filtered content with only allowed HTML elements
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
    global $allowedprotocols;

    $protocols = empty($allowed_protocols) ? $allowedprotocols : $allowed_protocols;

    $text = wp_kses_normalize_entities(
        wp_kses_js_entities(
            wp_kses_no_null($string)
        )
    );

    return wp_kses_split($text, $allowed_html, $protocols);
}
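/**
 * Sanitizes Custom CSS
 *
 * Runs the CSS through kses with an empty allow-list so no tag survives, then
 * strip_tags() as a second pass. kses is greedy about "<", so "<=" is
 * protected as "&lt;=" beforehand, and the "&gt;" kses emits for a lone ">"
 * is turned back into ">" afterwards (strip_tags runs last because that
 * restored ">" could complete a tag).
 *
 * @param mixed $input entered value (cast to string)
 * @return string sanitized output; '' for empty input
 *
 * @since Create 2.1
 */
function create_sanitize_custom_css($input)
{
    $css = (string) $input;
    if ($css === '') {
        return '';
    }

    // Protect "<=" so kses does not read it as the start of a tag.
    $css = str_replace('<=', '&lt;=', $css);
    $css = wp_kses_split($css, array(), array());
    // kses replaces a lone '>' with '&gt;'; restore it for CSS.
    $css = str_replace('&gt;', '>', $css);
    // Second pass, because the restored '>' may have completed a tag.
    return strip_tags($css);
}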
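/**
 * Field Render Function.
 * Takes the vars and validates them
 *
 * Filters $this->value through kses (empty allow-list) and strip_tags(), and
 * sets $this->warning when that removed anything.
 *
 * @since ReduxFramework 3.0.0
 */
function validate()
{
    $original = (string) $this->value;

    // Some people put weird stuff in their CSS, KSES tends to be greedy:
    // protect "<=" so kses does not read it as the start of a tag.
    $data = str_replace('<=', '&lt;=', $original);
    // Why KSES instead of strip_tags? Who knows?
    $data = wp_kses_split($data, array(), array());
    $data = str_replace('&gt;', '>', $data); // kses replaces lone '>' with &gt;
    // Why both KSES and strip_tags? Because we just added some '>'.
    $data = strip_tags($data);

    // Strict comparison: a loose != would compare numeric-looking strings as numbers.
    if ($data !== $original) {
        $this->warning = __('Unsafe strings were found in your CSS and have been filtered out.', 'redux-framework');
    }
    $this->value = $data;
}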
/**
 * This function makes sure that only the allowed HTML element names, attribute
 * names and attribute values plus only sane HTML entities will occur in
 * $string. You have to remove any slashes from PHP's magic quotes before you
 * call this function.
 *
 * @param string $string            Content to filter.
 * @param array  $allowed_html      Allowed elements/attributes; lower-cased with wp_kses_array_lc() before use.
 * @param array  $allowed_protocols Allowed link protocols.
 * @return string
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array ('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'feed', 'gopher', 'mailto'))
{
    // Innermost call runs first: no_null, js_entities, normalize_entities, hook.
    $prepared = wp_kses_hook(
        wp_kses_normalize_entities(
            wp_kses_js_entities(
                wp_kses_no_null($string)
            )
        )
    );

    return wp_kses_split($prepared, wp_kses_array_lc($allowed_html), $allowed_protocols);
} // function wp_kses
/**
 * Validates a CSS string with csstidy and returns the re-printed result.
 *
 * Backslash-hex escapes ("\XXXX") are doubled before parsing and the text is
 * run through kses with an empty allow-list so no tag survives.
 *
 * NOTE(review): no safecss optimiser is attached to csstidy here (contrast the
 * safecss-based variants elsewhere on this page); confirm csstidy alone, with
 * discard_invalid_properties, rejects everything this caller relies on.
 *
 * @param string $css Raw CSS.
 * @return string Validated CSS as printed by csstidy.
 */
public static function sanitize_css($css)
{
    if (!class_exists('csstidy')) {
        require_once 'class.csstidy.php';
    }

    $tidy = new csstidy();
    $config = array(
        'remove_bslash'              => false,
        'compress_colors'            => false,
        'compress_font-weight'       => false,
        'discard_invalid_properties' => true,
        'merge_selectors'            => false,
        'remove_last_;'              => false,
        'css_level'                  => 'CSS3.0',
    );
    foreach ($config as $option => $setting) {
        $tidy->set_cfg($option, $setting);
    }

    $escaped = preg_replace('/\\\\([0-9a-fA-F]{4})/', '\\\\\\\\$1', $css);
    $tidy->parse(wp_kses_split($escaped, array(), array()));

    return $tidy->print->plain();
}
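/**
 * Sanitises user-supplied CSS: kses + strip_tags() to drop markup, csstidy
 * with the SafeCSS optimiser to discard invalid properties, then
 * pixopoint_pretty_css() for formatting.
 *
 * @param string $css Raw CSS (slashed, as received from a form post).
 * @return string Sanitised, pretty-printed CSS.
 */
function pixopoint_validate_css($css)
{
    // SafeCSS / CSSTidy stuff
    require_once 'csstidy.php'; // CSS sanitising gizmo
    $csstidy = new csstidy();
    $csstidy->optimise = new safecss($csstidy);
    $csstidy->set_cfg('remove_bslash', false);
    $csstidy->set_cfg('compress_colors', false);
    $csstidy->set_cfg('compress_font-weight', false);
    $csstidy->set_cfg('discard_invalid_properties', true);
    $csstidy->set_cfg('merge_selectors', false);
    $csstidy->set_cfg('preserve_css', true); // Outputs code comments

    // Santisation stuff copied from SafeCSS by Automattic
    $css = stripslashes((string) $css);
    // Double backslash-hex escapes before csstidy sees them (as SafeCSS does).
    $css = preg_replace('/\\\\([0-9a-fA-F]{4})/', '\\\\\\\\$1', $css);
    // Some people put weird stuff in their CSS, KSES tends to be greedy:
    // protect "<=" so kses does not read it as the start of a tag.
    $css = str_replace('<=', '&lt;=', $css);
    $css = wp_kses_split($css, array(), array()); // Why KSES instead of strip_tags? Who knows?
    $css = str_replace('&gt;', '>', $css); // kses replaces lone '>' with &gt;
    $css = strip_tags($css); // Why both KSES and strip_tags? Because we just added some '>'.

    // Parse with CSS Tidy
    $csstidy->parse($css);
    $css = $csstidy->print->plain(); // Grab CSS output

    // Make CSS look pretty
    return pixopoint_pretty_css($css);
}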
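/**
 * Sanitises the theme's custom-CSS option.
 *
 * Sadly we cant include csstidy. WordPress Theme Directory's automatic code checking system is not accepting it.
 * You have 2 option for including css checker: install jetpack and activate custom css or copy csstidy's folder to theme's functions folder from jetpack's plugin
 *
 * @param string $css Raw (slashed) CSS.
 * @return string Sanitised CSS, or the input unchanged when no safecss class is loaded.
 */
function firmasite_sanitize_customcss($css)
{
    firmasite_safecss_class();
    if (!class_exists('safecss') && !class_exists('firmasite_safecss')) {
        // NOTE(review): original behaviour kept — with no safecss implementation
        // loaded the CSS is returned completely unfiltered.
        return $css;
    }

    $csstidy = new csstidy();
    $csstidy->optimise = class_exists('firmasite_safecss') ? new firmasite_safecss($csstidy) : new safecss($csstidy);
    $csstidy->set_cfg('remove_bslash', false);
    $csstidy->set_cfg('compress_colors', false);
    $csstidy->set_cfg('compress_font-weight', false);
    $csstidy->set_cfg('optimise_shorthands', 0);
    $csstidy->set_cfg('remove_last_;', false);
    $csstidy->set_cfg('case_properties', false);
    $csstidy->set_cfg('discard_invalid_properties', true);
    $csstidy->set_cfg('css_level', 'CSS3.0');
    $csstidy->set_cfg('preserve_css', true);
    $csstidy->set_cfg('template', dirname(__FILE__) . '/csstidy/wordpress-standard.tpl');

    $css = stripslashes($css);
    // Some people put weird stuff in their CSS, KSES tends to be greedy:
    // protect "<=" so kses does not read it as the start of a tag.
    $css = str_replace('<=', '&lt;=', $css);
    // Why KSES instead of strip_tags? Who knows?
    $css = wp_kses_split($css, array(), array());
    $css = str_replace('&gt;', '>', $css); // kses replaces lone '>' with &gt;
    // Why both KSES and strip_tags? Because we just added some '>'.
    $css = strip_tags($css);

    $csstidy->parse($css);

    return $csstidy->print->plain();
}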
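/**
 * Field Render Function.
 * Takes the vars and validates them
 *
 * Sanitises $this->value as CSS: doubles backslash-hex escapes, strips markup
 * via kses + strip_tags(), then lets csstidy discard invalid properties.
 * $this->warning receives a translated message when this method changed the CSS.
 *
 * @since ReduxFramework 3.0.0
 */
function validate()
{
    require_once dirname(__FILE__) . '/csstidy/class.csstidy.php';
    $csstidy = new csstidy();
    $csstidy->set_cfg('remove_bslash', false);
    $csstidy->set_cfg('compress_colors', false);
    $csstidy->set_cfg('compress_font-weight', false);
    $csstidy->set_cfg('optimise_shorthands', 0);
    $csstidy->set_cfg('remove_last_;', false);
    $csstidy->set_cfg('case_properties', false);
    $csstidy->set_cfg('discard_invalid_properties', true);
    $csstidy->set_cfg('css_level', 'CSS3.0');
    $csstidy->set_cfg('preserve_css', true);
    $csstidy->set_cfg('template', dirname(__FILE__) . '/csstidy/wordpress-standard.tpl');

    $changed = false;
    $css = (string) $this->value;

    $prev = $css;
    $css = preg_replace('/\\\\([0-9a-fA-F]{4})/', '\\\\\\\\$1', $css);
    if ($css !== $prev) {
        $changed = true;
    }

    // Some people put weird stuff in their CSS, KSES tends to be greedy:
    // protect "<=" so kses does not read it as the start of a tag.
    $css = str_replace('<=', '&lt;=', $css);
    $prev = $css;
    // Why KSES instead of strip_tags? Who knows?
    $css = wp_kses_split($css, array(), array());
    $css = str_replace('&gt;', '>', $css); // kses replaces lone '>' with &gt;
    // Why both KSES and strip_tags? Because we just added some '>'.
    $css = strip_tags($css);
    if ($css !== $prev) {
        $changed = true;
    }

    $csstidy->parse($css);
    $this->value = $csstidy->print->plain();
    if ($changed) {
        $this->warning = __('Unsafe strings were found in your CSS and have been filtered out.', 'redux-framework');
    }
}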
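/**
 * sanitize css input
 *
 * Drops markup from user-entered CSS: kses with an empty allow-list followed
 * by strip_tags(). Empty input is returned as ''.
 *
 * @since 0.9.5
 * @access private
 *
 * @param mixed $css Raw CSS (cast to string).
 * @return string
 */
function custom_css_sanitize($css)
{
    $css = (string) $css;
    if ($css === '') {
        return '';
    }

    // kses is greedy about "<": protect "<=" so it is not read as a tag start.
    $css = str_replace('<=', '&lt;=', $css);
    $css = wp_kses_split($css, array(), array());
    $css = str_replace('&gt;', '>', $css); // kses replaces lone '>' with &gt;
    return strip_tags($css);
}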
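/**
 * Handles the plugin settings form submission: sanitises every posted field
 * into $options, rebuilds the custom user-meta field list, and persists both
 * through rpr_update_options() / update_option().
 *
 * NOTE(review): no nonce or capability check is visible in this method;
 * confirm the caller runs check_admin_referer()/current_user_can() first.
 *
 * @return void
 */
public function update_settings()
{
    global $register_plus_redux;
    $options = array();
    $redux_usermeta = array();
    $invitation_code_bank = array();
    // Undo magic-quotes slashing before any value is inspected.
    $_POST = stripslashes_deep((array) $_POST);

    if (isset($_POST['custom_logo_url']) && !isset($_POST['remove_logo'])) {
        $options['custom_logo_url'] = esc_url_raw((string) $_POST['custom_logo_url']);
    }
    $options['verify_user_email'] = self::rpr_posted_flag('verify_user_email');
    $options['message_verify_user_email'] = self::rpr_posted_post_html('message_verify_user_email');
    $options['verify_user_admin'] = self::rpr_posted_flag('verify_user_admin');
    $options['message_verify_user_admin'] = self::rpr_posted_post_html('message_verify_user_admin');
    $options['delete_unverified_users_after'] = isset($_POST['delete_unverified_users_after']) ? absint((string) $_POST['delete_unverified_users_after']) : '0';
    $options['registration_redirect_url'] = self::rpr_posted_url('registration_redirect_url');
    $options['verification_redirect_url'] = self::rpr_posted_url('verification_redirect_url');
    $options['autologin_user'] = self::rpr_posted_flag('autologin_user');
    $options['username_is_email'] = self::rpr_posted_flag('username_is_email');
    $options['double_check_email'] = self::rpr_posted_flag('double_check_email');
    if (isset($_POST['show_fields']) && is_array($_POST['show_fields'])) {
        $options['show_fields'] = (array) $_POST['show_fields'];
    }
    if (isset($_POST['required_fields']) && is_array($_POST['required_fields'])) {
        $options['required_fields'] = (array) $_POST['required_fields'];
    }
    $options['user_set_password'] = self::rpr_posted_flag('user_set_password');
    $options['min_password_length'] = isset($_POST['min_password_length']) ? absint($_POST['min_password_length']) : 0;
    $options['disable_password_confirmation'] = self::rpr_posted_flag('disable_password_confirmation');
    $options['show_password_meter'] = self::rpr_posted_flag('show_password_meter');
    $options['message_empty_password'] = self::rpr_posted_data_html('message_empty_password');
    $options['message_short_password'] = self::rpr_posted_data_html('message_short_password');
    $options['message_bad_password'] = self::rpr_posted_data_html('message_bad_password');
    $options['message_good_password'] = self::rpr_posted_data_html('message_good_password');
    $options['message_strong_password'] = self::rpr_posted_data_html('message_strong_password');
    $options['message_mismatch_password'] = self::rpr_posted_data_html('message_mismatch_password');
    $options['enable_invitation_code'] = self::rpr_posted_flag('enable_invitation_code');
    if (isset($_POST['invitation_code_bank']) && is_array($_POST['invitation_code_bank'])) {
        $invitation_code_bank = (array) $_POST['invitation_code_bank'];
    }
    $options['require_invitation_code'] = self::rpr_posted_flag('require_invitation_code');
    $options['invitation_code_case_sensitive'] = self::rpr_posted_flag('invitation_code_case_sensitive');
    $options['invitation_code_unique'] = self::rpr_posted_flag('invitation_code_unique');
    $options['enable_invitation_tracking_widget'] = self::rpr_posted_flag('enable_invitation_tracking_widget');
    $options['show_disclaimer'] = self::rpr_posted_flag('show_disclaimer');
    $options['message_disclaimer_title'] = self::rpr_posted_text('message_disclaimer_title');
    $options['message_disclaimer'] = self::rpr_posted_post_html('message_disclaimer');
    $options['require_disclaimer_agree'] = self::rpr_posted_flag('require_disclaimer_agree');
    $options['message_disclaimer_agree'] = self::rpr_posted_text('message_disclaimer_agree');
    $options['show_license'] = self::rpr_posted_flag('show_license');
    $options['message_license_title'] = self::rpr_posted_text('message_license_title');
    $options['message_license'] = self::rpr_posted_post_html('message_license');
    $options['require_license_agree'] = self::rpr_posted_flag('require_license_agree');
    $options['message_license_agree'] = self::rpr_posted_text('message_license_agree');
    $options['show_privacy_policy'] = self::rpr_posted_flag('show_privacy_policy');
    $options['message_privacy_policy_title'] = self::rpr_posted_text('message_privacy_policy_title');
    $options['message_privacy_policy'] = self::rpr_posted_post_html('message_privacy_policy');
    $options['require_privacy_policy_agree'] = self::rpr_posted_flag('require_privacy_policy_agree');
    $options['message_privacy_policy_agree'] = self::rpr_posted_text('message_privacy_policy_agree');
    $options['default_css'] = self::rpr_posted_flag('default_css');
    $options['required_fields_style'] = '';
    if (isset($_POST['required_fields_style'])) {
        $options['required_fields_style'] = self::rpr_sanitize_inline_style((string) $_POST['required_fields_style']);
    }
    $options['required_fields_asterisk'] = self::rpr_posted_flag('required_fields_asterisk');
    $options['starting_tabindex'] = isset($_POST['starting_tabindex']) ? absint($_POST['starting_tabindex']) : 0;
    // (A commented-out block for datepicker_* options used to sit here; it was dead code and has been removed.)
    $options['disable_user_message_registered'] = self::rpr_posted_flag('disable_user_message_registered');
    $options['disable_user_message_created'] = self::rpr_posted_flag('disable_user_message_created');
    $options['custom_user_message'] = self::rpr_posted_flag('custom_user_message');
    $options['user_message_from_email'] = self::rpr_posted_text('user_message_from_email');
    $options['user_message_from_name'] = self::rpr_posted_text('user_message_from_name');
    $options['user_message_subject'] = self::rpr_posted_text('user_message_subject');
    $options['user_message_body'] = self::rpr_posted_post_html('user_message_body');
    $options['send_user_message_in_html'] = self::rpr_posted_flag('send_user_message_in_html');
    $options['user_message_newline_as_br'] = self::rpr_posted_flag('user_message_newline_as_br');
    $options['custom_verification_message'] = self::rpr_posted_flag('custom_verification_message');
    $options['verification_message_from_email'] = self::rpr_posted_text('verification_message_from_email');
    $options['verification_message_from_name'] = self::rpr_posted_text('verification_message_from_name');
    $options['verification_message_subject'] = self::rpr_posted_text('verification_message_subject');
    $options['verification_message_body'] = self::rpr_posted_post_html('verification_message_body');
    $options['send_verification_message_in_html'] = self::rpr_posted_flag('send_verification_message_in_html');
    $options['verification_message_newline_as_br'] = self::rpr_posted_flag('verification_message_newline_as_br');
    $options['disable_admin_message_registered'] = self::rpr_posted_flag('disable_admin_message_registered');
    $options['disable_admin_message_created'] = self::rpr_posted_flag('disable_admin_message_created');
    $options['admin_message_when_verified'] = self::rpr_posted_flag('admin_message_when_verified');
    $options['custom_admin_message'] = self::rpr_posted_flag('custom_admin_message');
    $options['admin_message_from_email'] = self::rpr_posted_text('admin_message_from_email');
    $options['admin_message_from_name'] = self::rpr_posted_text('admin_message_from_name');
    $options['admin_message_subject'] = self::rpr_posted_text('admin_message_subject');
    $options['admin_message_body'] = self::rpr_posted_post_html('admin_message_body');
    $options['send_admin_message_in_html'] = self::rpr_posted_flag('send_admin_message_in_html');
    $options['admin_message_newline_as_br'] = self::rpr_posted_flag('admin_message_newline_as_br');
    $options['custom_registration_page_css'] = '';
    if (isset($_POST['custom_registration_page_css'])) {
        $options['custom_registration_page_css'] = self::rpr_sanitize_page_css((string) $_POST['custom_registration_page_css']);
    }
    $options['custom_login_page_css'] = '';
    if (isset($_POST['custom_login_page_css'])) {
        $options['custom_login_page_css'] = self::rpr_sanitize_page_css((string) $_POST['custom_login_page_css']);
    }

    if (isset($_POST['label'])) {
        foreach ((array) $_POST['label'] as $index => $label) {
            // NOTE(review): original behaviour kept — an empty label still appends
            // an empty array() entry; confirm downstream code expects that.
            $redux_usermeta[] = self::rpr_posted_meta_field($index);
        }
    }
    if (isset($_POST['newMetaFields'])) {
        foreach ((array) $_POST['newMetaFields'] as $label) {
            $clean_label = sanitize_text_field($label);
            $redux_usermeta[] = array(
                'label' => $clean_label,
                'meta_key' => 'rpr_' . Register_Plus_Redux::sanitize_text($clean_label),
                'display' => '',
                'options' => '',
                'escape_url' => '0',
                'show_on_profile' => '0',
                'show_on_registration' => '0',
                'require_on_registration' => '0',
                'show_datepicker' => '0',
                'terms_content' => '',
                'terms_agreement_text' => '',
                'date_revised' => time(),
            );
        }
    }

    $register_plus_redux->rpr_update_options($options);
    if (!empty($invitation_code_bank)) {
        update_option('register_plus_redux_invitation_code_bank-rv1', $invitation_code_bank);
    }
    if (!empty($redux_usermeta)) {
        update_option('register_plus_redux_usermeta-rv2', $redux_usermeta);
    }
}

/** '1' when a checkbox/flag named $key was posted, else '0'. */
private static function rpr_posted_flag($key)
{
    return isset($_POST[$key]) ? '1' : '0';
}

/** Posted value run through sanitize_text_field(); '' when absent. */
private static function rpr_posted_text($key)
{
    return isset($_POST[$key]) ? sanitize_text_field((string) $_POST[$key]) : '';
}

/** Posted value filtered with wp_kses_post(); '' when absent. */
private static function rpr_posted_post_html($key)
{
    return isset($_POST[$key]) ? wp_kses_post((string) $_POST[$key]) : '';
}

/** Posted value filtered with wp_kses_data(); '' when absent. */
private static function rpr_posted_data_html($key)
{
    return isset($_POST[$key]) ? wp_kses_data((string) $_POST[$key]) : '';
}

/** Posted URL passed through esc_url_raw(); '' when absent. */
private static function rpr_posted_url($key)
{
    return isset($_POST[$key]) ? esc_url_raw((string) $_POST[$key]) : '';
}

/**
 * Filters a declaration block (no selector) for the required-field marker.
 * Stolen from Jetpack 2.0.4 custom-css.php Jetpack_Custom_CSS::filter_attr()
 *
 * Wraps the declarations in "div {...}", tidies them, and returns only the
 * declarations csstidy kept; '' when nothing survives.
 *
 * @param string $style Raw declarations.
 * @return string
 */
private static function rpr_sanitize_inline_style($style)
{
    require_once 'csstidy/class.csstidy.php';
    $csstidy = new csstidy();
    $csstidy->set_cfg('remove_bslash', false);
    $csstidy->set_cfg('compress_colors', false);
    $csstidy->set_cfg('compress_font-weight', false);
    $csstidy->set_cfg('discard_invalid_properties', true);
    $csstidy->set_cfg('merge_selectors', false);
    $csstidy->set_cfg('remove_last_;', false);
    $csstidy->set_cfg('css_level', 'CSS3.0');

    $wrapped = 'div {' . $style . '}';
    $wrapped = preg_replace('/\\\\([0-9a-fA-F]{4})/', '\\\\\\\\$1', $wrapped);
    $wrapped = wp_kses_split($wrapped, array(), array());
    $csstidy->parse($wrapped);
    $tidied = str_replace(array("\n", "\r", "\t"), '', $csstidy->print->plain());
    if (preg_match("/^div\\s*{(.*)}\\s*\$/", $tidied, $matches) && !empty($matches[1])) {
        return $matches[1];
    }
    return '';
}

/**
 * Sanitises a whole stylesheet posted for the registration/login page.
 * Stolen from Jetpack 2.0.4 custom-css.php Jetpack_Custom_CSS::init()
 *
 * @param string $css Raw CSS.
 * @return string CSS as re-printed by csstidy.
 */
private static function rpr_sanitize_page_css($css)
{
    require_once 'csstidy/class.csstidy.php';
    $csstidy = new csstidy();
    $csstidy->set_cfg('remove_bslash', false);
    $csstidy->set_cfg('compress_colors', false);
    $csstidy->set_cfg('compress_font-weight', false);
    $csstidy->set_cfg('optimise_shorthands', 0);
    $csstidy->set_cfg('remove_last_;', false);
    $csstidy->set_cfg('case_properties', false);
    $csstidy->set_cfg('discard_invalid_properties', true);
    $csstidy->set_cfg('css_level', 'CSS3.0');
    $csstidy->set_cfg('preserve_css', true);
    $csstidy->set_cfg('template', dirname(__FILE__) . '/csstidy/wordpress-standard.tpl');

    $css = preg_replace('/\\\\([0-9a-fA-F]{4})/', '\\\\\\\\$1', $css);
    // kses is greedy about "<": protect "<=" first, then restore the "&gt;"
    // kses emits for a lone ">" before strip_tags() makes the final pass.
    $css = str_replace('<=', '&lt;=', $css);
    $css = wp_kses_split($css, array(), array());
    $css = str_replace('&gt;', '>', $css);
    $css = strip_tags($css);
    $csstidy->parse($css);

    return $csstidy->print->plain();
}

/**
 * Builds one custom user-meta field definition from the posted form row $index.
 *
 * @param int|string $index Row index shared by the parallel $_POST arrays.
 * @return array Field definition; empty array when the row has no label.
 */
private static function rpr_posted_meta_field($index)
{
    $meta_field = array();
    if (empty($_POST['label'][$index])) {
        return $meta_field;
    }

    $meta_field['label'] = sanitize_text_field((string) $_POST['label'][$index]);
    $meta_field['meta_key'] = isset($_POST['meta_key'][$index]) ? sanitize_text_field((string) $_POST['meta_key'][$index]) : '';
    $meta_field['display'] = isset($_POST['display'][$index]) ? sanitize_text_field((string) $_POST['display'][$index]) : '';
    $meta_field['options'] = '';
    if (isset($_POST['options'][$index])) {
        $raw_options = (string) $_POST['options'][$index];
        if (in_array($meta_field['display'], array('checkbox', 'radio', 'select'), true)) {
            // Comma-separated choice list: sanitise each entry (no reference loop, so nothing dangles).
            $meta_field['options'] = implode(',', array_map('sanitize_text_field', explode(',', $raw_options)));
        } else {
            $meta_field['options'] = sanitize_text_field($raw_options);
        }
    }
    $meta_field['escape_url'] = '0';
    $meta_field['show_on_profile'] = isset($_POST['show_on_profile'][$index]) ? '1' : '0';
    $meta_field['show_on_registration'] = isset($_POST['show_on_registration'][$index]) ? '1' : '0';
    $meta_field['require_on_registration'] = isset($_POST['require_on_registration'][$index]) ? '1' : '0';
    $meta_field['show_datepicker'] = isset($_POST['show_datepicker'][$index]) ? '1' : '0';
    $meta_field['terms_content'] = isset($_POST['terms_content'][$index]) ? wp_kses_post((string) $_POST['terms_content'][$index]) : '';
    $meta_field['terms_agreement_text'] = isset($_POST['terms_agreement_text'][$index]) ? wp_kses_post((string) $_POST['terms_agreement_text'][$index]) : '';
    $meta_field['date_revised'] = time();
    if (isset($_POST['date_revised'][$index])) {
        $parsed = strtotime((string) $_POST['date_revised'][$index]);
        // strtotime() returns false for an unparseable date; keep "now" rather than storing false.
        if ($parsed !== false) {
            $meta_field['date_revised'] = $parsed;
        }
    }
    if (empty($meta_field['meta_key'])) {
        $meta_field['meta_key'] = 'rpr_' . Register_Plus_Redux::sanitize_text($meta_field['label']);
    }

    return $meta_field;
}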
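/**
 * Sanitize the field choices property.
 *
 * @param array|null $choices The field choices property. When null, $this->choices is sanitised in place.
 *
 * @return array|null The sanitised choices, or the input unchanged when it is not an array.
 */
public function sanitize_settings_choices($choices = null)
{
    if (is_null($choices)) {
        // Bind to the property so the sanitised values are written back to it.
        $choices =& $this->choices;
    }
    if (!is_array($choices)) {
        return $choices;
    }

    $allowed_protocols = wp_allowed_protocols();

    foreach ($choices as &$choice) {
        if (isset($choice['isSelected'])) {
            $choice['isSelected'] = (bool) $choice['isSelected'];
        }
        if (!empty($choice['price'])) {
            $price_number = GFCommon::to_number($choice['price']);
            $choice['price'] = GFCommon::to_money($price_number);
        }
        if (isset($choice['text'])) {
            $choice['text'] = $this->maybe_wp_kses($choice['text']);
        }
        if (isset($choice['value'])) {
            // Strip scripts but don't encode: the kses passes are applied one by
            // one instead of via wp_kses(), which would also normalise entities.
            $choice['value'] = wp_kses_no_null($choice['value'], array('slash_zero' => 'keep'));
            $choice['value'] = wp_kses_hook($choice['value'], 'post', $allowed_protocols);
            $choice['value'] = wp_kses_split($choice['value'], 'post', $allowed_protocols);
        }
    }
    // Drop the loop reference; otherwise $choice stays bound to the last element.
    unset($choice);

    return $choices;
}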
/**
 * Override this method to implement the appropriate sanitization specific to the field type before the value is saved.
 *
 * This base method provides a generic sanitization similar to wp_kses but values are not encoded.
 * Scripts are stripped out leaving allowed tags if HTML is allowed. Array values are not
 * processed here: an empty string is returned for them.
 *
 * @param string $value   The field value to be processed.
 * @param int    $form_id The ID of the form currently being processed.
 *
 * @return string
 */
public function sanitize_entry_value($value, $form_id)
{
    if (is_array($value)) {
        return '';
    }

    // Allow HTML for certain field types. The filter result is either true
    // (leave tags alone) or the allowed-tag argument for strip_tags().
    $allowable_tags = gf_apply_filters(array('gform_allowable_tags', $form_id), $this->allow_html(), $this, $form_id);
    $cleaned = ($allowable_tags === true) ? $value : strip_tags($value, $allowable_tags);

    // kses passes applied individually so the value is not entity-encoded.
    $allowed_protocols = wp_allowed_protocols();
    $cleaned = wp_kses_no_null($cleaned, array('slash_zero' => 'keep'));
    $cleaned = wp_kses_hook($cleaned, 'post', $allowed_protocols);

    return wp_kses_split($cleaned, 'post', $allowed_protocols);
}
/**
 * sanitize user entered css
 * as seen here: http://wordpress.stackexchange.com/questions/53970/sanitize-user-entered-css
 *
 * Doubles backslash-hex escapes, strips tags via kses (empty allow-list) and
 * returns what csstidy re-prints with invalid properties discarded.
 *
 * NOTE(review): no safecss optimiser is attached to csstidy here (compare the
 * safecss-based variants on this page); confirm csstidy alone is sufficient.
 *
 * @param string $css
 * @return string
 */
function sanitize_css($css)
{
    if (!class_exists('csstidy')) {
        include_once 'csstidy/class.csstidy.php';
    }

    $tidy = new csstidy();
    $settings = array(
        'remove_bslash' => false,
        'compress_colors' => false,
        'compress_font-weight' => false,
        'discard_invalid_properties' => true,
        'merge_selectors' => false,
        'remove_last_;' => false,
        'css_level' => 'CSS3.0',
    );
    foreach ($settings as $name => $setting) {
        $tidy->set_cfg($name, $setting);
    }

    $escaped = preg_replace('/\\\\([0-9a-fA-F]{4})/', '\\\\\\\\$1', $css);
    $tidy->parse(wp_kses_split($escaped, array(), array()));

    return $tidy->print->plain();
}
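/**
 * Filters $strString the way wp_filter_post_kses() does, using the global
 * $allowedposttags extended with $arrAllowedTags and minus $arrDisallowedTags.
 *
 * @param string $strString           Content to filter.
 * @param array  $arrAllowedTags      Extra allowed tags, e.g. array( 'noscript' => array(), 'style' => array() ).
 * @param array  $arrDisallowedTags   Tag names removed from the allow-list, e.g. array( 'table', 'tbody', 'thoot', 'thead', 'th', 'tr' ).
 * @param array  $arrAllowedProtocols Allowed link protocols; wp_allowed_protocols() when empty.
 * @return string
 */
function EscapeAndFilterPostKSES($strString, $arrAllowedTags = array(), $arrDisallowedTags = array(), $arrAllowedProtocols = array())
{
    global $allowedposttags;

    // The first parameter takes over the second.
    $arrAllowedHTML = $this->oUtil->UniteArraysRecursive($arrAllowedTags, $allowedposttags);
    foreach ($arrDisallowedTags as $strTag) {
        unset($arrAllowedHTML[$strTag]);
    }
    if (empty($arrAllowedProtocols)) {
        $arrAllowedProtocols = wp_allowed_protocols();
    }

    // The addslashes()/stripslashes() pairs that used to bracket this sequence
    // were exact inverses of each other (no net effect) and have been removed.
    $strString = wp_kses_no_null($strString);            // wp_kses()
    $strString = wp_kses_js_entities($strString);        // wp_kses()
    $strString = wp_kses_normalize_entities($strString); // wp_kses()
    // WP changed the order of these funcs and added args to wp_kses_hook
    $strString = wp_kses_hook($strString, $arrAllowedHTML, $arrAllowedProtocols);

    return wp_kses_split($strString, $arrAllowedHTML, $arrAllowedProtocols);
}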
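/**
 * Clean up CSS.
 * Minimal intervention, but prevent users from injecting garbage.
 *
 * @param string $css
 *
 * @return string
 */
protected static function cleanupCss($css)
{
    $warnings = array(); // collected but not surfaced yet; see the TODO below

    $css = stripslashes((string) $css);
    $prev = $css;
    // Double backslash-hex escapes (2 to 4 hex digits here; other variants on this page use exactly 4).
    $css = preg_replace('/\\\\([0-9a-fA-F]{2,4})/', '\\\\\\\\$1', $css);
    if ($css !== $prev) {
        $warnings[] = 'preg_replace() double escaped unicode escape sequences';
    }

    // Some people put weird stuff in their CSS, KSES tends to be greedy:
    // protect "<=" so kses does not read it as the start of a tag.
    $css = str_replace('<=', '&lt;=', $css);
    $prev = $css;
    $css = wp_kses_split($css, array(), array());
    $css = str_replace('&gt;', '>', $css); // kses replaces lone '>' with &gt;
    $css = strip_tags($css);
    if ($css !== $prev) {
        $warnings[] = 'kses() and strip_tags() do not match';
    }
    // TODO: Something with $warnings[]

    return $css;
}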
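/**
 * Sanitizes user-supplied custom CSS by stripping anything KSES or
 * strip_tags() recognise as markup.
 *
 * Fix: the two replacements were identity calls (`'<='` -> `'<='`,
 * `'>'` -> `'>'`) that contradicted their own comments; they now use the
 * HTML-entity forms so `<=` is hidden from the KSES tag splitter and the
 * `&gt;` KSES emits for a lone `>` is restored afterwards.
 *
 * @param string $value Raw CSS.
 * @return string Sanitized CSS.
 */
function fanoe_sanitize_custom_css($value)
{
    // Some people put weird stuff in their CSS, KSES tends to be greedy
    $css = str_replace('<=', '&lt;=', $value);
    // Why KSES instead of strip_tags? Who knows?
    $css = wp_kses_split($css, array(), array());
    $css = str_replace('&gt;', '>', $css); // kses replaces lone '>' with &gt;
    // Why both KSES and strip_tags? Because we just added some '>'.
    $css = strip_tags($css);

    return $css;
}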
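/**
 * Sanitize the CSS for users without `unfiltered_html`.
 *
 * Fix: the `<=` / `>` replacements were identity calls
 * (`str_replace('<=', '<=', ...)`) that contradicted their own comments; they
 * now use the HTML-entity forms (`&lt;=` / `&gt;`). The second change check
 * now uses strict comparison like the first one.
 *
 * @param string $css  Input CSS.
 * @param array  $args Array of CSS options ('force' => bool, 'preprocessor' => string|null).
 *
 * @return mixed|string
 */
public static function sanitize_css($css, $args = array())
{
    $args = wp_parse_args($args, array('force' => false, 'preprocessor' => null));

    // Users with unfiltered_html get their CSS back untouched unless forced.
    if ($args['force'] || !current_user_can('unfiltered_html')) {
        $warnings = array();

        safecss_class();
        $csstidy = new csstidy();
        $csstidy->optimise = new safecss($csstidy);
        $csstidy->set_cfg('remove_bslash', false);
        $csstidy->set_cfg('compress_colors', false);
        $csstidy->set_cfg('compress_font-weight', false);
        $csstidy->set_cfg('optimise_shorthands', 0);
        $csstidy->set_cfg('remove_last_;', false);
        $csstidy->set_cfg('case_properties', false);
        $csstidy->set_cfg('discard_invalid_properties', true);
        $csstidy->set_cfg('css_level', 'CSS3.0');
        $csstidy->set_cfg('preserve_css', true);
        $csstidy->set_cfg('template', dirname(__FILE__) . '/csstidy/wordpress-standard.tpl');

        // Double the backslash of 4-digit escape sequences (\XXXX -> \\XXXX).
        $prev = $css;
        $css = preg_replace('/\\\\([0-9a-fA-F]{4})/', '\\\\\\\\$1', $css);
        // prevent content: '\3434' from turning into '\\3434'.
        $css = str_replace(array('\'\\\\', '"\\\\'), array('\'\\', '"\\'), $css);
        if ($css !== $prev) {
            $warnings[] = 'preg_replace found stuff';
        }

        // Some people put weird stuff in their CSS, KSES tends to be greedy.
        $css = str_replace('<=', '&lt;=', $css);
        $prev = $css;
        // Why KSES instead of strip_tags? Who knows?
        $css = wp_kses_split($css, array(), array());
        $css = str_replace('&gt;', '>', $css); // kses replaces lone '>' with &gt;
        // Why both KSES and strip_tags? Because we just added some '>'.
        $css = strip_tags($css);
        if ($css !== $prev) {
            $warnings[] = 'kses found stuff';
        }

        // if we're not using a preprocessor.
        if (!$args['preprocessor']) {
            /** This action is documented in modules/custom-css/custom-css.php */
            do_action('safecss_parse_pre', $csstidy, $css, $args);
            $csstidy->parse($css);
            /** This action is documented in modules/custom-css/custom-css.php */
            do_action('safecss_parse_post', $csstidy, $warnings, $args);
            $css = $csstidy->print->plain();
        }
    }

    return $css;
}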
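/**
 * Escapes the given string for the KSES filter with the criteria of allowing/disallowing tags and the protocol.
 *
 * Fix: $aFormatAllowedTags is now initialised, so an empty $aAllowedTags no
 * longer passes an undefined variable (null) to uniteArrays().
 *
 * @remark Attributes are not supported at this moment.
 * @param string $sString           Content to filter.
 * @param array  $aAllowedTags      e.g. array( 'noscript', 'style', )
 * @param array  $aDisallowedTags   e.g. array( 'table', 'tbody', 'thoot', 'thead', 'th', 'tr' )
 * @param array  $aAllowedProtocols Allowed link protocols; wp_allowed_protocols() when empty.
 * @return string Filtered content.
 * @since 2.0.0
 */
public static function escapeKSESFilter($sString, $aAllowedTags = array(), $aDisallowedTags = array(), $aAllowedProtocols = array())
{
    // Each allowed tag maps to an empty attribute list, i.e. the tag is kept but
    // none of its attributes are (the original comment spoke of activating the
    // inline style attribute, which an empty array does not do).
    $aFormatAllowedTags = array();
    foreach ($aAllowedTags as $sTag) {
        $aFormatAllowedTags[$sTag] = array();
    }

    // The caller's tags take precedence over the WP post defaults (first argument wins).
    $aAllowedHTMLTags = AmazonAutoLinks_Utility::uniteArrays($aFormatAllowedTags, $GLOBALS['allowedposttags']);

    foreach ($aDisallowedTags as $sTag) {
        if (isset($aAllowedHTMLTags[$sTag])) {
            unset($aAllowedHTMLTags[$sTag]);
        }
    }

    if (empty($aAllowedProtocols)) {
        $aAllowedProtocols = wp_allowed_protocols();
    }

    // Mirrors the wp_filter_post_kses() -> wp_kses() call chain step by step.
    $sString = addslashes($sString);   // the original function call was doing this - could be redundant but haven't fully tested it
    $sString = stripslashes($sString); // wp_filter_post_kses()
    $sString = wp_kses_no_null($sString);            // wp_kses()
    $sString = wp_kses_js_entities($sString);        // wp_kses()
    $sString = wp_kses_normalize_entities($sString); // wp_kses()
    // WP changed the order of these funcs and added args to wp_kses_hook
    $sString = wp_kses_hook($sString, $aAllowedHTMLTags, $aAllowedProtocols);
    $sString = wp_kses_split($sString, $aAllowedHTMLTags, $aAllowedProtocols);
    $sString = addslashes($sString);   // wp_filter_post_kses()
    $sString = stripslashes($sString); // the original function call was doing this - could be redundant but haven't fully tested it

    return $sString;
}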
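/**
 * CSS validation
 * Much of this code is courtesy of SafeCSS by Automattic and CSSTidy
 *
 * Fixes: (1) the `<=` / `>` replacements copied from SafeCSS were identity
 * calls (`str_replace('<=', '<=', ...)`) contradicting their own comments;
 * they now use the HTML-entity forms (`&lt;=` / `&gt;`). (2) the
 * pretty-printer's `$count` started as '' and was compared loosely with 0,
 * which is true on PHP 7 but false on PHP 8, so the per-rule spacing branch
 * silently stopped running there; it now starts at 0, which gives the PHP 7
 * behaviour on every version.
 *
 * @since 0.1
 * @author Ryan Hellyer <*****@*****.**>
 * @param string $css
 * @return string
 */
private function validate_css($css)
{
    // SafeCSS / CSSTidy stuff
    $csstidy = new csstidy();
    $csstidy->optimise = new safecss($csstidy);
    $csstidy->set_cfg('remove_bslash', false);
    $csstidy->set_cfg('compress_colors', false);
    $csstidy->set_cfg('compress_font-weight', false);
    $csstidy->set_cfg('discard_invalid_properties', true);
    $csstidy->set_cfg('merge_selectors', false);
    $csstidy->set_cfg('preserve_css', true); // Outputs code comments
    // $csstidy->set_cfg( 'lowercase_s', false );
    // $csstidy->set_cfg( 'optimise_shorthands', 1 );
    // $csstidy->set_cfg( 'remove_last_;', false );
    // $csstidy->set_cfg( 'case_properties', 1 );
    // $csstidy->set_cfg( 'sort_properties', false );
    // $csstidy->set_cfg( 'sort_selectors', false );

    // Santisation stuff copied from SafeCSS by Automattic
    $css = stripslashes($css);
    // Double the backslash of 4-digit escape sequences (\XXXX -> \\XXXX).
    $css = preg_replace('/\\\\([0-9a-fA-F]{4})/', '\\\\\\\\$1', $css);
    // Some people put weird stuff in their CSS, KSES tends to be greedy
    $css = str_replace('<=', '&lt;=', $css);
    $css = wp_kses_split($css, array(), array()); // Why KSES instead of strip_tags? Who knows?
    $css = str_replace('&gt;', '>', $css); // kses replaces lone '>' with &gt;
    $css = strip_tags($css); // Why both KSES and strip_tags? Because we just added some '>'.

    // Parse with CSS tidy
    $csstidy->parse($css);
    $css = $csstidy->print->plain(); // Grab CSS output

    /**
     * Make the CSS pretty
     * This code is quite crude, but it works fine and it's not hideously inefficient so we'll do for the mean time :)
     * NOTE(review): the comments below describe carriage returns / tabs, but the
     * replacement literals here contain plain spaces — verify against the upstream source.
     * @since 0.9
     */
    $css = preg_replace('/\\n/', '', $css); // Stripping carriage returns
    $css = str_replace(';', '; ', $css); // Add carriage return after ";"
    $css = str_replace('!important;', ' !important;', $css); // Adding space back in before !important declaration
    //$css = str_replace( '#suckerfishnav', '.pixopoint', $css ); // Legacy support for CSS generator and older PixoPoint plugins
    $css = str_replace(' }', ' } ', $css); // Remove tab before and carriage return after "}"
    $css = str_replace('{', '{ ', $css); // Add carriage return and tab after "{"
    $css = str_replace('*/', '*/ ', $css); // Add carriage return after code comment
    $css = str_replace('/*', ' /*', $css); // Add two carriage returns before code comment

    // Code Comments
    $css = str_replace("}/*", "}\n/*", $css); // Prevents comments showing up immediately after { symbol

    // Nested brace correction
    $css = str_replace("}\n}", "\t}\n}", $css); // Indents first brace

    $css = explode('{', $css);

    // The following is hideous code - but it works so will probably remain here until some kind sole offers to rewrite it.
    // $count is reset to -1 inside the branch and incremented afterwards, so it is
    // back to 0 on the next iteration: every chunk gets the spacing treatment.
    $count = 0;
    foreach ($css as $piece => $chunk) {
        if ($count == 0) {
            $chunk = explode('}', $chunk);
            if (!isset($chunk[1])) {
                $chunk[1] = '';
            }
            $chunk[1] = str_replace(',', ', ', $chunk[1]); // Adds carriage return after comma - doesn't work with first line
            $chunk[0] = str_replace(':', ': ', $chunk[0]); // Add spaces after colons - needs to be here to avoid messing up pseudo-classes
            //$chunk[0] = str_replace( ',', ',', $chunk[0] ); // Add space after comma - mainly for font-family declarations - doesn't work
            $chunk = implode('}', $chunk);
            $count = -1;
        }
        $css[$piece] = $chunk;
        $count++;
    }
    $css = implode('{', $css);

    $css = str_replace('}{', '{', $css); // Nasty hack to fix "{}" code bug
    $css = substr($css, 0, -1); // Nasty hack to remove final "}"

    return $css;
}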
/**
 * Override this method to implement the appropriate sanitization specific to the field type before the value is saved.
 *
 * This base method provides a generic sanitization similar to wp_kses but values are not encoded.
 * Scripts are stripped out leaving tags allowed by the gform_allowable_tags filter.
 *
 * @param string $value   The field value to be processed.
 * @param int    $form_id The ID of the form currently being processed.
 *
 * @return string
 */
public function sanitize_entry_value($value, $form_id)
{
    // An array cannot be sanitized as a single string; it is dropped entirely.
    if (is_array($value)) {
        return '';
    }

    /**
     * Provisional filter - may be subject to change or removal.
     *
     * @param bool
     * @param int      $form_id
     * @param GF_Field $this
     */
    if (!apply_filters('gform_sanitize_entry_value', true, $form_id, $this)) {
        return $value;
    }

    // allow HTML for certain field types
    $allowable_tags = gf_apply_filters(array('gform_allowable_tags', $form_id), $this->allow_html(), $this, $form_id);

    // `true` means "keep all tags"; anything else is the strip_tags() allow list.
    $sanitized = $allowable_tags === true ? $value : strip_tags($value, $allowable_tags);

    // Same pipeline as wp_kses() with the 'post' context, minus entity normalisation.
    $protocols = wp_allowed_protocols();
    $sanitized = wp_kses_no_null($sanitized, array('slash_zero' => 'keep'));
    $sanitized = wp_kses_hook($sanitized, 'post', $protocols);

    return wp_kses_split($sanitized, 'post', $protocols);
}
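/**
 * sanitize css input
 *
 * Fix: the `<=` / `>` replacements were identity calls
 * (`str_replace('<=', '<=', ...)`) that did nothing; they now use the
 * HTML-entity forms so `<=` is hidden from the KSES tag splitter and the
 * `&gt;` KSES emits for a lone `>` is restored afterwards.
 *
 * @since 1.1.1
 * @access private
 * @param string $css Raw CSS.
 * @return string Sanitized CSS; an empty string is returned untouched.
 */
function omega_custom_css_sanitize($css)
{
    if ('' != $css) {
        // Some people put weird stuff in their CSS, KSES tends to be greedy
        $css = str_replace('<=', '&lt;=', $css);
        $css = wp_kses_split($css, array(), array());
        $css = str_replace('&gt;', '>', $css); // kses replaces lone '>' with &gt;
        $css = strip_tags($css);
    }

    return $css;
}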
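/**
 * Sanitizes a block of CSS declarations (e.g. an inline style attribute) by
 * wrapping it in a dummy rule, running it through SafeCSS/CSSTidy and
 * extracting the declarations again.
 *
 * Fix: $element is interpolated into the extraction regex; it is now passed
 * through preg_quote() so a selector containing PCRE metacharacters cannot
 * break, or change the meaning of, the pattern.
 *
 * @param string $css     Declarations, e.g. "color: red; width: 10px".
 * @param string $element Dummy selector used to build the rule. Default 'div'.
 * @return string Sanitized declarations, or '' when nothing survives.
 */
static function filter_attr($css, $element = 'div')
{
    safecss_class();

    $css = $element . ' {' . $css . '}';

    $csstidy = new csstidy();
    $csstidy->optimise = new safecss($csstidy);
    $csstidy->set_cfg('remove_bslash', false);
    $csstidy->set_cfg('compress_colors', false);
    $csstidy->set_cfg('compress_font-weight', false);
    $csstidy->set_cfg('discard_invalid_properties', true);
    $csstidy->set_cfg('merge_selectors', false);
    $csstidy->set_cfg('remove_last_;', false);
    $csstidy->set_cfg('css_level', 'CSS3.0');

    // Double the backslash of 4-digit escape sequences (\XXXX -> \\XXXX) before KSES sees them.
    $css = preg_replace('/\\\\([0-9a-fA-F]{4})/', '\\\\\\\\$1', $css);
    $css = wp_kses_split($css, array(), array());

    $csstidy->parse($css);
    $css = $csstidy->print->plain();

    // Flatten so the single-line regex below can match the whole rule.
    $css = str_replace(array("\n", "\r", "\t"), '', $css);

    $pattern = '/^' . preg_quote($element, '/') . '\\s*{(.*)}\\s*$/';
    preg_match($pattern, $css, $matches);

    // empty() also treats the string "0" as empty; a declaration block of "0" is not valid CSS anyway.
    if (empty($matches[1])) {
        return '';
    }

    return $matches[1];
}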
/**
 * Strip scripts and some HTML tags.
 *
 * @param string $value   The field value to be processed.
 * @param int    $form_id The ID of the form currently being processed.
 *
 * @return string
 */
public function sanitize_entry_value($value, $form_id)
{
    // An array cannot be sanitized as a single string; it is dropped entirely.
    if (is_array($value)) {
        return '';
    }

    // `true` means "keep all tags"; anything else is the strip_tags() allow list.
    $allowable_tags = $this->get_allowable_tags($form_id);
    $sanitized = $allowable_tags === true ? $value : strip_tags($value, $allowable_tags);

    // Same pipeline as wp_kses() with the 'post' context, minus entity normalisation.
    $protocols = wp_allowed_protocols();
    $sanitized = wp_kses_no_null($sanitized, array('slash_zero' => 'keep'));
    $sanitized = wp_kses_hook($sanitized, 'post', $protocols);

    return wp_kses_split($sanitized, 'post', $protocols);
}
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * Only the allowed element names, attribute names and attribute values, plus
 * sane HTML entities, survive in $string. Slashes added by PHP's magic quotes
 * must be removed before calling this function.
 *
 * When $allowed_protocols is empty the list comes from wp_allowed_protocols();
 * the documented defaults are 'http', 'https', 'ftp', 'mailto', 'news', 'irc',
 * 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp' and 'svn'. 'javascript'
 * is deliberately absent and should not be allowed for untrusted users.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses
 * @param array  $allowed_html      List of allowed HTML elements
 * @param array  $allowed_protocols Optional. Allowed protocol in links.
 * @return string Filtered content with only allowed HTML elements
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    $filtered = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $filtered = wp_kses_js_entities($filtered);
    $filtered = wp_kses_normalize_entities($filtered);
    // wp_kses_hook() runs before the split and receives the same allow lists
    // (WP changed the order of these funcs and added args to wp_kses_hook).
    $filtered = wp_kses_hook($filtered, $allowed_html, $protocols);

    return wp_kses_split($filtered, $allowed_html, $protocols);
}
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * Same as the wp_kses() built into WP, with one extra optional switch:
 * $skip_normalize_entities leaves wp_kses_normalize_entities() out of the
 * chain so that "&" is kept as-is.
 *
 * @param string $string                  Content to filter through kses
 * @param array  $allowed_html            List of allowed HTML elements
 * @param array  $allowed_protocols       Optional. Allowed protocol in links; wp_allowed_protocols() when empty.
 * @param bool   $skip_normalize_entities Optional. True to skip entity normalisation. Default false.
 * @return string Filtered content with only allowed HTML elements
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array(), $skip_normalize_entities = false)
{
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    $filtered = wp_kses_no_null($string);
    $filtered = wp_kses_js_entities($filtered);
    if (!$skip_normalize_entities) {
        $filtered = wp_kses_normalize_entities($filtered);
    }
    // wp_kses_hook() runs before the split and receives the same allow lists
    // (WP changed the order of these funcs and added args to wp_kses_hook).
    $filtered = wp_kses_hook($filtered, $allowed_html, $protocols);

    return wp_kses_split($filtered, $allowed_html, $protocols);
}