bootstrap-multiselect.min.js
2 months ago
jquery.liveFilter.js
2 months ago
jquery.liveFilter.min.js
2 months ago
jquery.widgetopts.beaver.js
2 months ago
jquery.widgetopts.beaver.min.js
2 months ago
select2-settings.js
2 months ago
select2-settings.min.js
2 months ago
select2.min.js
2 months ago
settings.js
2 months ago
settings.min.js
2 months ago
widgetopts.global.js
2 months ago
widgetopts.migration.js
2 months ago
widgetopts.resize.js
2 months ago
widgets.js
2 months ago
widgets.min.js
2 months ago
wpWidgetOpts.js
2 months ago
wpWidgetOpts.min.js
2 months ago
widgetopts.global.js
113 lines
| 1 | jQuery(function () { |
| 2 | jQuery(document).on("click", ".widgetopts-notice .notice-dismiss", function () { |
| 3 | jQuery.ajax({ |
| 4 | url: widgetopts10n.ajax_url, |
| 5 | type: "POST", |
| 6 | data: { |
| 7 | method: "delete_widgetopts_update_transient", |
| 8 | action: "widgetopts_ajax_settings", |
| 9 | nonce: jQuery('input[name="widgetopts-settings-nonce"]').val(), |
| 10 | }, |
| 11 | }); |
| 12 | }); |
| 13 | |
| 14 | jQuery(document).on("change", '.widget-opts-logic textarea[name="extended_widget_opts[class][logic]"], .widget-opts-logic textarea', function () { |
| 15 | checkForDangerousPatterns(this); |
| 16 | }); |
| 17 | |
| 18 | jQuery(document).on("keyup", '.widget-opts-logic textarea[name="extended_widget_opts[class][logic]"], .widget-opts-logic textarea', function () { |
| 19 | partialCheckForDangerousPatterns(this); |
| 20 | }); |
| 21 | |
| 22 | jQuery(document).on("click", ".widgetopts-tab-panel.tab-logic button", function () { |
| 23 | checkForDangerousPatterns(jQuery('.widget-opts-logic textarea[name="extended_widget_opts[class][logic]"]')); |
| 24 | }); |
| 25 | |
| 26 | function checkForDangerousPatterns(that) { |
| 27 | let expression = jQuery(that).val(); |
| 28 | jQuery.ajax({ |
| 29 | type: "POST", |
| 30 | url: widgetopts10n.ajax_url, |
| 31 | data: { |
| 32 | action: "widgetopts_ajax_validate_expression", |
| 33 | nonce: widgetopts10n.validate_expression_nonce, |
| 34 | expression: expression, |
| 35 | }, |
| 36 | dataType: "json", |
| 37 | success: function (response) { |
| 38 | if (response.valid) { |
| 39 | if (jQuery(".wopts-warning-message").length !== 0) { |
| 40 | jQuery(".wopts-warning-message").remove(); |
| 41 | } |
| 42 | } else { |
| 43 | if (jQuery(".wopts-warning-message").length === 0) { |
| 44 | if (response.message != "") { |
| 45 | jQuery(that).after(`<p class="wopts-warning-message" style="font-size: 11px;">Warning: <span style="color: red;">${response.message}</span></p>`); |
| 46 | } |
| 47 | } |
| 48 | } |
| 49 | }, |
| 50 | error: function () {}, |
| 51 | }); |
| 52 | } |
| 53 | |
| 54 | function partialCheckForDangerousPatterns(that) { |
| 55 | const dangerousPatterns = [ |
| 56 | // Database-related keywords |
| 57 | { pattern: /\b(insert|update|delete|replace|select|drop|alter|truncate|grant|revoke)\b/i, message: "Potential SQL injection detected." }, |
| 58 | |
| 59 | // WordPress-specific database functions |
| 60 | { pattern: /\b(wp_insert_post|wp_update_post|wp_delete_post|wp_insert_user|wp_update_user|wp_delete_user|add_option|update_option|delete_option|wpdb)\b/i, message: "Unsafe WordPress database functions found." }, |
| 61 | |
| 62 | // PHP file manipulation functions |
| 63 | { pattern: /\b(file_put_contents|file_get_contents|fopen|fwrite|unlink|rename|chmod|chown|chgrp|copy|scandir)\b/i, message: "File system manipulation functions are not allowed." }, |
| 64 | |
| 65 | // External connections |
| 66 | { pattern: /\b(wp_remote_get|wp_remote_post|curl_init|curl_exec|curl_setopt|open_basedir|fsockopen|proc_nice|stream_socket_server|stream_socket_client)\b/i, message: "Potential remote execution functions detected." }, |
| 67 | |
| 68 | // Execution function |
| 69 | { pattern: /\b(eval|assert|system|exec|shell_exec|passthru|proc_open|popen|pcntl_exec|dl|include|require|include_once|require_once)\b/i, message: "Execution functions are not allowed." }, |
| 70 | |
| 71 | // Encoding/decoding functions |
| 72 | { pattern: /\b(base64_decode|hex2bin|mb_decode_mimeheader|str_rot13)\b/i, message: "Encoding/decoding functions that may be used for obfuscation are not allowed." }, |
| 73 | |
| 74 | // Dynamic function execution |
| 75 | { pattern: /\b(call_user_func|call_user_func_array|create_function|compact|extract|parse_str|ReflectionClass|ReflectionMethod|ReflectionProperty)\b/i, message: "Dynamic function execution is not allowed." }, |
| 76 | |
| 77 | // Remote execution functions |
| 78 | { pattern: /\b(str_replace|str_ireplace|preg_replace|preg_replace_callback|preg_replace_callback_array)\b/i, message: "String replacement functions are restricted due to potential obfuscation." }, |
| 79 | |
| 80 | //Dynamic PHP variable call |
| 81 | { pattern: /\[\s*[\'"]?[a-zA-Z0-9_]+\s*\.\s*[\'"]?[a-zA-Z0-9_]+\s*\]/i, message: "Concatenated function execution is not allowed." }, |
| 82 | { pattern: /(?:\(\$[a-zA-Z_]\w*\)|\$[a-zA-Z_]\w*)(?=\s*\()/g, message: "Potential function name obfuscation detected." }, |
| 83 | { pattern: /\b(str_replace|preg_replace|preg_replace_callback|preg_replace_callback_array)\s*\(\s*[\'"]\s*\.\s*[\'"]/, message: "Potential function name obfuscation detected." }, |
| 84 | |
| 85 | //Backtick |
| 86 | { pattern: /`[^`]*`/, message: "Backticks execution is not allowed." }, |
| 87 | |
| 88 | { pattern: /\\x(?:[0-9A-F]{2})+/i, message: "Hexadecimal escape sequences detected." }, |
| 89 | { pattern: /\\u(?:[0-9A-F]{4})+/i, message: "Unicode escape sequences detected." }, |
| 90 | { pattern: /\$\w+\s*\[\s*[\'"]?\d+[\'"]?\s*\]\s*\(/, message: "Dynamic function execution using arrays is not allowed." }, |
| 91 | ]; |
| 92 | |
| 93 | let input = jQuery(that).val(); |
| 94 | let safe = true; |
| 95 | |
| 96 | for (const { pattern, message } of dangerousPatterns) { |
| 97 | if (pattern.test(input)) { |
| 98 | safe = false; |
| 99 | if (jQuery(".wopts-warning-message").length === 0) { |
| 100 | jQuery(that).after(`<p class="wopts-warning-message" style="font-size: 11px;">Warning: <span style="color: red;">${message}</span></p>`); |
| 101 | } |
| 102 | break; |
| 103 | } |
| 104 | } |
| 105 | |
| 106 | if (safe === true) { |
| 107 | if (jQuery(".wopts-warning-message").length !== 0) { |
| 108 | jQuery(".wopts-warning-message").remove(); |
| 109 | } |
| 110 | } |
| 111 | } |
| 112 | }); |
| 113 |