PluginProbe ʕ •ᴥ•ʔ
Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets / 4.2.3
Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets v4.2.3
4.2.5 4.2.4 trunk 3.7.10 3.7.11 3.7.12 3.7.13 3.7.14 3.7.2 3.7.5 3.7.6 3.7.7 3.7.8 3.7.9 3.8 3.8.1 3.8.10 3.8.2 3.8.3 3.8.4 3.8.5 3.8.6 3.8.7 3.8.8 3.8.9 3.8.9.1 3.9.0 3.9.1 3.9.2 3.9.3 3.9.4 3.9.5 3.9.6 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.0.5 4.0.5.1 4.0.6 4.0.6.1 4.0.7 4.0.8 4.0.9 4.1.0 4.1.1 4.1.2 4.1.3 4.2.0 4.2.1 4.2.2 4.2.3
widget-options / assets / js / widgetopts.global.js
widget-options / assets / js Last commit date
bootstrap-multiselect.min.js 2 months ago jquery.liveFilter.js 2 months ago jquery.liveFilter.min.js 2 months ago jquery.widgetopts.beaver.js 2 months ago jquery.widgetopts.beaver.min.js 2 months ago select2-settings.js 2 months ago select2-settings.min.js 2 months ago select2.min.js 2 months ago settings.js 2 months ago settings.min.js 2 months ago widgetopts.global.js 2 months ago widgetopts.migration.js 2 months ago widgetopts.resize.js 2 months ago widgets.js 2 months ago widgets.min.js 2 months ago wpWidgetOpts.js 2 months ago wpWidgetOpts.min.js 2 months ago
widgetopts.global.js
113 lines
1 jQuery(function () {
2 jQuery(document).on("click", ".widgetopts-notice .notice-dismiss", function () {
3 jQuery.ajax({
4 url: widgetopts10n.ajax_url,
5 type: "POST",
6 data: {
7 method: "delete_widgetopts_update_transient",
8 action: "widgetopts_ajax_settings",
9 nonce: jQuery('input[name="widgetopts-settings-nonce"]').val(),
10 },
11 });
12 });
13
14 jQuery(document).on("change", '.widget-opts-logic textarea[name="extended_widget_opts[class][logic]"], .widget-opts-logic textarea', function () {
15 checkForDangerousPatterns(this);
16 });
17
18 jQuery(document).on("keyup", '.widget-opts-logic textarea[name="extended_widget_opts[class][logic]"], .widget-opts-logic textarea', function () {
19 partialCheckForDangerousPatterns(this);
20 });
21
22 jQuery(document).on("click", ".widgetopts-tab-panel.tab-logic button", function () {
23 checkForDangerousPatterns(jQuery('.widget-opts-logic textarea[name="extended_widget_opts[class][logic]"]'));
24 });
25
26 function checkForDangerousPatterns(that) {
27 let expression = jQuery(that).val();
28 jQuery.ajax({
29 type: "POST",
30 url: widgetopts10n.ajax_url,
31 data: {
32 action: "widgetopts_ajax_validate_expression",
33 nonce: widgetopts10n.validate_expression_nonce,
34 expression: expression,
35 },
36 dataType: "json",
37 success: function (response) {
38 if (response.valid) {
39 if (jQuery(".wopts-warning-message").length !== 0) {
40 jQuery(".wopts-warning-message").remove();
41 }
42 } else {
43 if (jQuery(".wopts-warning-message").length === 0) {
44 if (response.message != "") {
45 jQuery(that).after(`<p class="wopts-warning-message" style="font-size: 11px;">Warning: <span style="color: red;">${response.message}</span></p>`);
46 }
47 }
48 }
49 },
50 error: function () {},
51 });
52 }
53
54 function partialCheckForDangerousPatterns(that) {
55 const dangerousPatterns = [
56 // Database-related keywords
57 { pattern: /\b(insert|update|delete|replace|select|drop|alter|truncate|grant|revoke)\b/i, message: "Potential SQL injection detected." },
58
59 // WordPress-specific database functions
60 { pattern: /\b(wp_insert_post|wp_update_post|wp_delete_post|wp_insert_user|wp_update_user|wp_delete_user|add_option|update_option|delete_option|wpdb)\b/i, message: "Unsafe WordPress database functions found." },
61
62 // PHP file manipulation functions
63 { pattern: /\b(file_put_contents|file_get_contents|fopen|fwrite|unlink|rename|chmod|chown|chgrp|copy|scandir)\b/i, message: "File system manipulation functions are not allowed." },
64
65 // External connections
66 { pattern: /\b(wp_remote_get|wp_remote_post|curl_init|curl_exec|curl_setopt|open_basedir|fsockopen|proc_nice|stream_socket_server|stream_socket_client)\b/i, message: "Potential remote execution functions detected." },
67
68 // Execution function
69 { pattern: /\b(eval|assert|system|exec|shell_exec|passthru|proc_open|popen|pcntl_exec|dl|include|require|include_once|require_once)\b/i, message: "Execution functions are not allowed." },
70
71 // Encoding/decoding functions
72 { pattern: /\b(base64_decode|hex2bin|mb_decode_mimeheader|str_rot13)\b/i, message: "Encoding/decoding functions that may be used for obfuscation are not allowed." },
73
74 // Dynamic function execution
75 { pattern: /\b(call_user_func|call_user_func_array|create_function|compact|extract|parse_str|ReflectionClass|ReflectionMethod|ReflectionProperty)\b/i, message: "Dynamic function execution is not allowed." },
76
77 // Remote execution functions
78 { pattern: /\b(str_replace|str_ireplace|preg_replace|preg_replace_callback|preg_replace_callback_array)\b/i, message: "String replacement functions are restricted due to potential obfuscation." },
79
80 //Dynamic PHP variable call
81 { pattern: /\[\s*[\'"]?[a-zA-Z0-9_]+\s*\.\s*[\'"]?[a-zA-Z0-9_]+\s*\]/i, message: "Concatenated function execution is not allowed." },
82 { pattern: /(?:\(\$[a-zA-Z_]\w*\)|\$[a-zA-Z_]\w*)(?=\s*\()/g, message: "Potential function name obfuscation detected." },
83 { pattern: /\b(str_replace|preg_replace|preg_replace_callback|preg_replace_callback_array)\s*\(\s*[\'"]\s*\.\s*[\'"]/, message: "Potential function name obfuscation detected." },
84
85 //Backtick
86 { pattern: /`[^`]*`/, message: "Backticks execution is not allowed." },
87
88 { pattern: /\\x(?:[0-9A-F]{2})+/i, message: "Hexadecimal escape sequences detected." },
89 { pattern: /\\u(?:[0-9A-F]{4})+/i, message: "Unicode escape sequences detected." },
90 { pattern: /\$\w+\s*\[\s*[\'"]?\d+[\'"]?\s*\]\s*\(/, message: "Dynamic function execution using arrays is not allowed." },
91 ];
92
93 let input = jQuery(that).val();
94 let safe = true;
95
96 for (const { pattern, message } of dangerousPatterns) {
97 if (pattern.test(input)) {
98 safe = false;
99 if (jQuery(".wopts-warning-message").length === 0) {
100 jQuery(that).after(`<p class="wopts-warning-message" style="font-size: 11px;">Warning: <span style="color: red;">${message}</span></p>`);
101 }
102 break;
103 }
104 }
105
106 if (safe === true) {
107 if (jQuery(".wopts-warning-message").length !== 0) {
108 jQuery(".wopts-warning-message").remove();
109 }
110 }
111 }
112 });
113