
Changeset 4574


Timestamp:
12/23/2016 05:27:03 PM (8 years ago)
Author:
iandunn
Message:

Jetpack Tweaks: Sanitize CSS saved through the Customizer

Location:
sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins
Files:
3 edited

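--- a/sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/helper-functions.php
+++ b/sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/helper-functions.php
@@ -226,4 +226,5 @@
  * successful request, like stats scripts, where the resulting data would be distorted by a failed response.
  *
+ * @todo Add support for wp_remote_post() too
  * @todo Remove this if https://github.com/rmccue/Requests/issues/222 is implemented
  *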
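--- a/sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/jetpack-tweaks/css-sanitization.php
+++ b/sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/jetpack-tweaks/css-sanitization.php
@@ -2,9 +2,38 @@
 
 namespace WordCamp\Jetpack_Tweaks;
+use WordCamp\RemoteCSS;
+use Exception;
+
 defined( 'WPINC' ) or die();
 
+add_filter( 'update_custom_css_data',     __NAMESPACE__ . '\sanitize_custom_css', 15       );   // After Jetpack_Custom_CSS_Enhancements::update_custom_css_data()
 add_action( 'csstidy_optimize_postparse', __NAMESPACE__ . '\sanitize_csstidy_parsed_rules' );
 add_action( 'admin_notices',              __NAMESPACE__ . '\notify_import_rules_stripped'  );
 add_action( 'csstidy_optimize_subvalue',  __NAMESPACE__ . '\sanitize_csstidy_subvalues'    );
+
+/**
+ * Sanitize CSS saved through the Core/Jetpack editor inside the Customizer
+ *
+ * By default, the Additional CSS section is only available to users with `unfiltered_html` -- which nobody on
+ * wordcamp.org has, not even super-admins -- but Jetpack re-maps that to `edit_theme_options`, allowing
+ * regular admins on all sites to use it.
+ *
+ * @param array $post
+ *
+ * @return array
+ */
+function sanitize_custom_css( $post ) {
+    try {
+        $post['css'] = RemoteCSS\sanitize_unsafe_css( $post['css'] );
+    } catch ( Exception $exception ) {
+        /*
+         * We can't save unsanitized CSS, and also don't want to overwrite the known-good value in the database.
+         * There's no way to gracefully abort the process and show an error message, so just die.
+         */
+        wp_die( $exception->getMessage() );
+    }
+
+    return $post;
+}
 
 /**
@@ -31,4 +60,7 @@
 /**
  * Notify the user that @import rules were stripped from their CSS
+ *
+ * todo Since WP 4.7 / Jetpack 4.2.2, we also need a way to show this warning in Customizer > Additional CSS. It
+ *      still needs to work in Remote CSS, though.
  */
 function notify_import_rules_stripped() {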
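Review bot: `wp_die( $exception->getMessage() )` in the new `sanitize_custom_css` hands the exception text to wp_die() as-is, and wp_die() treats its message as HTML; if `RemoteCSS\sanitize_unsafe_css()` (defined outside this file) ever includes a fragment of the submitted CSS in its message, that fragment reaches the error page unescaped. Wrapping it, `wp_die( esc_html( $exception->getMessage() ) );`, keeps the handler safe regardless of how that message is built. The function also reads `$post['css']` unconditionally; a guard such as `if ( isset( $post['css'] ) )` would avoid a notice if the filter is ever invoked with a partial array, though I can't tell from here whether callers guarantee the key. `notify_import_rules_stripped()` continues past the end of the section.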
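--- a/sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/wp-cli-commands/rewrite-rules.php
+++ b/sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/wp-cli-commands/rewrite-rules.php
@@ -35,4 +35,5 @@
             );
 
+            // todo use wcorg_redundant_remote_get
             $response = wp_remote_get( esc_url_raw( $ajax_url ) );
 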