Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi, we’re using this plugin but the recent update broke the functionality. The wp_kses function has the option to customize the allowed protocols. https://developer.ww.wp.xz.cn/reference/functions/wp_kses/

    I would suggest adding a sanitize function with the custom rules.

    function aFhfc_sanitize_code($value) {
        $allowed = wp_kses_allowed_html('post');
        $allowed['script'] = array('src' => true, 'type' => true, 'async' => true, 'defer' => true);
        $allowed['style'] = array('type' => true, 'media' => true);
        return wp_kses($value, $allowed);
    }

    After this the function can be used as the sanitize callback in the register_meta function.

    'sanitize_callback' => 'aFhfc_sanitize_code'

    For full control of which tags and attributes are allowed, change the sanitize function to the following.

    function aFhfc_sanitize_code($value) {
        $allowed = array(
            'script' => array('src' => true, 'type' => true, 'async' => true, 'defer' => true, 'id' => true, 'crossorigin' => true),
            'noscript' => array(),
            'style' => array('type' => true, 'media' => true, 'id' => true),
            'link' => array('rel' => true, 'href' => true, 'type' => true, 'media' => true, 'crossorigin' => true),
            'meta' => array('name' => true, 'content' => true, 'property' => true, 'charset' => true, 'http-equiv' => true),
            'iframe' => array('src' => true, 'width' => true, 'height' => true, 'style' => true, 'frameborder' => true, 'allow' => true),
            'img' => array('src' => true, 'alt' => true, 'width' => true, 'height' => true),
        );
        return wp_kses($value, $allowed);
    }

    I would recommend using the first option, as this extends the current functionality and adds extra exemptions for style and script. I think these tags are very commonly used with the plugin and are now broken.
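
    Added example, not part of the original reply and not the plugin's own code: once the sanitize callback lets script tags through, the meta value can carry JavaScript, so the registration can also restrict who may write it with an auth_callback tied to WordPress's unfiltered_html capability. The meta key and the example_* function names are hypothetical, and the code assumes it runs inside WordPress.

    ```php
    <?php
    // Added example: hypothetical names, requires a WordPress runtime.

    // Allowlist from the reply's first option: post-level HTML plus script/style.
    function example_sanitize_code( $value ) {
        $allowed           = wp_kses_allowed_html( 'post' );
        $allowed['script'] = array( 'src' => true, 'type' => true, 'async' => true, 'defer' => true );
        $allowed['style']  = array( 'type' => true, 'media' => true );
        return wp_kses( (string) $value, $allowed );
    }

    // Write access check: the user must already be trusted to post raw HTML
    // (unfiltered_html) and must be able to edit the post the meta belongs to.
    function example_auth_code_meta( $allowed, $meta_key, $object_id, $user_id ) {
        return user_can( $user_id, 'unfiltered_html' )
            && user_can( $user_id, 'edit_post', $object_id );
    }

    function example_register_code_meta() {
        register_meta(
            'post',
            '_example_header_code', // hypothetical meta key
            array(
                'type'              => 'string',
                'single'            => true,
                'sanitize_callback' => 'example_sanitize_code',
                'auth_callback'     => 'example_auth_code_meta',
                'show_in_rest'      => false, // keep the value off the REST API
            )
        );
    }
    add_action( 'init', 'example_register_code_meta' );
    ```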

    Thread Starter webfuse

    (@webfuse)

    Thanks!

    I noticed the last line actually executes the main function in the class. So I enclosed that with the “maybe_set_server_https_on” function's if statements.
    It looks like this:

    if ( ! isset( $_SERVER[ 'HTTPS' ] ) || $_SERVER[ 'HTTPS' ] !== 'on' ) {
        if ( isset( $_SERVER[ 'HTTP_X_FORWARDED_PROTO' ] ) && strpos( $_SERVER[ 'HTTP_X_FORWARDED_PROTO' ], 'https' ) !== false ) {
            JSM_Force_SSL::get_instance();
        }
    }

    I suppose I could optimize it a bit more by not continuing with the plugin if the statement is true. Is there a (WordPress) function for that? Otherwise I could include it in the if ( ! class_exists( 'JSM_Force_SSL' ) ) statement. Unfortunately I am not very experienced with PHP.
