1 ) { foreach ( $ip_list as $ip ) { switch ( $return_type ) { case 'ip': if ( $this->is_ip_valid( trim( $ip ) ) ) { return sanitize_text_field( trim( $ip ) ); } else { return '0.0.0.0'; // placeholder IP address } break; case 'header': return $ip_address_header . ' (multiple IP addresses)'; break; } } } else { switch ( $return_type ) { case 'ip': if ( $this->is_ip_valid( trim( $_SERVER[$ip_address_header] ) ) ) { return sanitize_text_field( $_SERVER[$ip_address_header] ); } else { return '0.0.0.0'; // placeholder IP address } break; case 'header': return $ip_address_header; break; } } } // The following request headers can be modified by user or attacker when sending a request, so, will bypass an already blocked IP // 'HTTP_CLIENT_IP', 'CF_CONNECTING_IP', 'HTTP_CF_CONNECTING_IP', 'HTTP_CF_CONNECTING_IP', 'TRUE_CLIENT_IP', 'HTTP_TRUE_CLIENT_IP', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED' // Reported as security vulnerability in ASE <= v7.6.7.1 -- Limit Login Attempt Bypass via IP Spoofing // Return unreliable but unspoofable IP address coming from the $_SERVER global as the default / fallback switch ( $return_type ) { case 'ip': if ( $this->is_ip_valid( trim( $_SERVER['REMOTE_ADDR'] ) ) ) { return sanitize_text_field( $_SERVER['REMOTE_ADDR'] ); } else { return '0.0.0.0'; // placeholder IP address } break; case 'header': return 'REMOTE_ADDR'; break; } } /** * Check if the supplied IP address is valid or not * * @param string $ip an IP address * @link https://stackoverflow.com/q/1634782 * @return boolean true if supplied address is valid IP, and false otherwise */ public function is_ip_valid( $ip ) { if ( empty( $ip ) ) { return false; } // Ref: https://www.php.net/manual/en/filter.filters.validate.php // Ref: https://www.php.net/manual/en/filter.constants.php#constant.filter-validate-ip // No need to specify which IP type to filter/check, e.g. filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) // This should check for both IPv4 and IPv6 addresses if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) && false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) { return false; } if ( false !== filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) || false !== filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) { return true; } } /** * Convert number of seconds into hours, minutes, seconds. In use by at least the Limit Login Attempts feature. * * @since 2.5.0 */ public function seconds_to_period( $seconds, $conversion_type ) { $period_start = new \DateTime('@0'); $period_end = new \DateTime("@{$seconds}"); if ( $conversion_type == 'to-days-hours-minutes-seconds' ) { return $period_start->diff( $period_end )->format( '%a days, %h hours, %i minutes and %s seconds' ); } elseif ( $conversion_type == 'to-hours-minutes-seconds' ) { return $period_start->diff( $period_end )->format( '%h hours, %i minutes and %s seconds' ); } elseif ( $conversion_type == 'to-minutes-seconds' ) { return $period_start->diff( $period_end )->format( '%i minutes and %s seconds' ); } else { return $period_start->diff( $period_end )->format( '%a days, %h hours, %i minutes and %s seconds' ); } } /** * Remove html tags and content inside the tags from a string * * @since 3.0.3 */ public function strip_html_tags_and_content( $string ) { // Strip HTML tags and content inside them. Ref: https://stackoverflow.com/a/39320168 if ( !is_null( $string ) ) { if ( false === strpos( $string, 'fs-submenu-item' ) ) { $string = preg_replace( '@<(\\w+)\\b.*?>.*?@si', '', $string ); } // Strip any remaining HTML or PHP tags $string = strip_tags( $string ); } return $string; } /** * Extract readable text from a string that may contain HTML. * * Unlike strip_html_tags_and_content(), this method keeps the text inside tags, * e.g. it will turn `Paymattic` into `Paymattic`. * * @since 8.0.2 * * @param string|null $html A string that may contain HTML. * @return string Readable plain text (may be empty). */ public function extract_readable_text_from_html( $html ) { if ( null === $html ) { return ''; } $text = wp_strip_all_tags( (string) $html, true ); $charset = get_bloginfo( 'charset' ); if ( empty( $charset ) ) { $charset = 'UTF-8'; } $text = html_entity_decode( $text, ENT_QUOTES, $charset ); $text = preg_replace( '/\\s+/u', ' ', $text ); return trim( $text ); } /** * Get menu hidden by toggle * * @since 5.1.0 */ public function get_menu_hidden_by_toggle() { $menu_hidden_by_toggle = array(); $options_extra = get_option( ASENHA_SLUG_U . '_extra', array() ); $options = ( isset( $options_extra['admin_menu'] ) ? $options_extra['admin_menu'] : array() ); if ( array_key_exists( 'custom_menu_hidden', $options ) ) { $menu_hidden = $options['custom_menu_hidden']; $menu_hidden = explode( ',', $menu_hidden ); $menu_hidden_by_toggle = array(); foreach ( $menu_hidden as $menu_id ) { $menu_hidden_by_toggle[] = $this->restore_menu_item_id( $menu_id ); } } return $menu_hidden_by_toggle; } /** * Get user capabilities for which the "Show All/Less" menu toggle should be shown for * * @since 5.1.0 */ public function get_user_capabilities_to_show_menu_toggle_for() { global $menu, $submenu; $menu_always_hidden = array(); $user_capabilities_menus_are_hidden_for = array(); $menu_hidden_by_toggle = $this->get_menu_hidden_by_toggle(); // indexed array foreach ( $menu as $menu_key => $menu_info ) { foreach ( $menu_hidden_by_toggle as $hidden_menu_id ) { if ( false !== strpos( $menu_info[4], 'wp-menu-separator' ) ) { $menu_item_id = $menu_info[2]; } else { $menu_item_id = $menu_info[5]; } if ( $menu_item_id == $hidden_menu_id ) { $user_capabilities_menus_are_hidden_for[] = $menu_info[1]; } } } $user_capabilities_menus_are_hidden_for = array_unique( $user_capabilities_menus_are_hidden_for ); return $user_capabilities_menus_are_hidden_for; // indexed array } /** * Transform menu item's ID * * @since 5.1.0 */ public function transform_menu_item_id( $menu_item_id ) { // Transform e.g. edit.php?post_type=page ==> edit__php___post_type____page $menu_item_id_transformed = str_replace( array( ".", "?", "=/", "=", "&", "/", ";" ), array( "__", "___", "_______", "____", "_____", "______", "________" ), $menu_item_id ); return $menu_item_id_transformed; } /** * Transform menu item's ID * * @since 5.1.0 */ public function restore_menu_item_id( $menu_item_id_transformed ) { // Transform e.g. edit__php___post_type____page ==> edit.php?post_type=page $menu_item_id = str_replace( array( "________", "_______", "______", "_____", "____", "___", "__" ), array( ";", "=/", "/", "&", "=", "?", "." ), $menu_item_id_transformed ); return $menu_item_id; } /** * Sanitize hexedecimal numbers used for colors * * @link https://plugins.trac.wordpress.org/browser/bm-custom-login/trunk/bm-custom-login.php * @param string $color Hex number to sanitize. * @return string */ public function sanitize_hex_color( $color ) { if ( '' === $color ) { return ''; } // Make sure the color starts with a hash. $color = '#' . ltrim( $color, '#' ); // 3 or 6 hex digits, or the empty string. if ( preg_match( '|^#([A-Fa-f0-9]{3}){1,2}$|', $color ) ) { return $color; } return null; } /** * Get the post ID of the most recent post in a custom post type * * @since 6.4.1 */ public function get_most_recent_post_id( $post_type ) { $args = array( 'post_type' => $post_type, 'posts_per_page' => 1, 'orderby' => 'date', 'order' => 'DESC', ); $query = new WP_Query($args); if ( $query->have_posts() ) { $query->the_post(); $post_id = get_the_ID(); wp_reset_postdata(); return $post_id; } return 0; // Return 0 if no posts found } /** * Extended ruleset for wp_kses() that includes SVG tag and it's children * * @since 6.8.3 */ public function get_kses_extended_ruleset() { $kses_defaults = wp_kses_allowed_html( 'post' ); // For SVG icons $svg_args = array( 'svg' => array( 'class' => true, 'aria-hidden' => true, 'aria-labelledby' => true, 'role' => true, 'xmlns' => true, 'width' => true, 'height' => true, 'viewbox' => true, 'viewBox' => true, ), 'g' => array( 'fill' => true, 'fill-rule' => true, 'stroke' => true, 'stroke-width' => true, 'stroke-linejoin' => true, 'stroke-linecap' => true, ), 'title' => array( 'title' => true, ), 'path' => array( 'd' => true, 'fill' => true, 'stroke' => true, 'stroke-width' => true, 'stroke-linejoin' => true, 'stroke-linecap' => true, ), 'rect' => array( 'width' => true, 'height' => true, 'x' => true, 'y' => true, 'rx' => true, 'ry' => true, 'fill' => true, 'stroke' => true, 'stroke-width' => true, 'stroke-linejoin' => true, 'stroke-linecap' => true, ), 'circle' => array( 'cx' => true, 'cy' => true, 'r' => true, 'stroke' => true, 'stroke-width' => true, 'stroke-linejoin' => true, 'stroke-linecap' => true, ), ); $kses_with_extras = array_merge( $kses_defaults, $svg_args ); // For embedded PDF viewer $style_script_args = array( 'style' => true, 'script' => array( 'src' => true, ), ); return array_merge( $kses_with_extras, $style_script_args ); } /** * Get the singular label from a $post object * * @since 6.9.3 */ function get_post_type_singular_label( $post ) { $post_type_singular_label = ''; if ( property_exists( $post, 'post_type' ) ) { $post_type_object = get_post_type_object( $post->post_type ); if ( is_object( $post_type_object ) && property_exists( $post_type_object, 'label' ) ) { $post_type_singular_label = $post_type_object->labels->singular_name; } } return $post_type_singular_label; } function is_in_block_editor() { $current_screen = get_current_screen(); if ( method_exists( $current_screen, 'is_block_editor' ) && $current_screen->is_block_editor() ) { return true; } else { return false; } } /** * Check if WooCommerce is active * * @since 6.9.9 */ public function is_woocommerce_active() { if ( function_exists( 'is_plugin_active' ) && is_plugin_active( 'woocommerce/woocommerce.php' ) ) { return true; } else { return false; } } /** * Convert HEX color to RGBA * * @link https://stackoverflow.com/a/31934345 * @since 7.0.0 */ public function hex_to_rgba( $hex, $alpha = false ) { $hex = str_replace( '#', '', trim( $hex ) ); $length = strlen( $hex ); $rgb['r'] = hexdec( ( $length == 6 ? substr( $hex, 0, 2 ) : (( $length == 3 ? str_repeat( substr( $hex, 0, 1 ), 2 ) : 0 )) ) ); $rgb['g'] = hexdec( ( $length == 6 ? substr( $hex, 2, 2 ) : (( $length == 3 ? str_repeat( substr( $hex, 1, 1 ), 2 ) : 0 )) ) ); $rgb['b'] = hexdec( ( $length == 6 ? substr( $hex, 4, 2 ) : (( $length == 3 ? str_repeat( substr( $hex, 2, 1 ), 2 ) : 0 )) ) ); if ( false !== $alpha ) { $rgb['a'] = $alpha; } // Return array of r, g, b and a // return $rgb; // Return rgb(255,255,255) or rgba(255,255,255,.5) return implode( array_keys( $rgb ) ) . '(' . implode( ', ', $rgb ) . ')'; } /** * Increases or decreases the brightness of a color by a percentage of the current brightness. * * @param string $hex Supported formats: `#FFF`, `#FFFFFF`, `FFF`, `FFFFFF` * @param float $adjustment_percentage A number between -1 and 1. E.g. 0.3 = 30% lighter; -0.4 = 40% darker. * * @return string * * @link https://stackoverflow.com/a/54393956 * @author maliayas */ function adjust_bnrightness( $hex, $adjustment_percentage ) { $hex = ltrim( $hex, '#' ); if ( strlen( $hex ) == 3 ) { $hex = $hex[0] . $hex[0] . $hex[1] . $hex[1] . $hex[2] . $hex[2]; } $hex = array_map( 'hexdec', str_split( $hex, 2 ) ); foreach ( $hex as &$color ) { $adjustableLimit = ( $adjustment_percentage < 0 ? $color : 255 - $color ); $adjustAmount = ceil( $adjustableLimit * $adjustment_percentage ); $color = str_pad( dechex( $color + $adjustAmount ), 2, '0', STR_PAD_LEFT ); } return '#' . implode( $hex ); } /** * Detect if a color is light or dark * * @link https://stackoverflow.com/a/12228730 * @since 7.0.0 */ public function is_color_dark( $hex ) { $hex = str_replace( '#', '', trim( (string) $hex ) ); if ( 3 === strlen( $hex ) ) { $hex = $hex[0] . $hex[0] . $hex[1] . $hex[1] . $hex[2] . $hex[2]; } if ( 6 !== strlen( $hex ) || !ctype_xdigit( $hex ) ) { return true; } $r = hexdec( substr( $hex, 0, 2 ) ); $g = hexdec( substr( $hex, 2, 2 ) ); $b = hexdec( substr( $hex, 4, 2 ) ); $lightness = (max( $r, $g, $b ) + min( $r, $g, $b )) / 510.0; // HSL algorithm return $lightness <= 0.8; } /** * Return SVG for small triangle in place of using ▶ HTMl character * which may be converted to emoticon by the browser or app * * @since 7.2.0 */ public function get_svg_triangle() { return ''; } /** * Get intrinsic width/height dimensions from a local SVG file. * * Some SVGs use percentage width/height attributes (e.g. width="100%" height="100%"). * In those cases, a correct aspect ratio should be derived from the viewBox instead. * * @since 9.2.0 * * @param string $svg_path Absolute path to a local SVG file. * @return array{width:int,height:int} Intrinsic dimensions if known, otherwise 0/0. */ public function get_svg_intrinsic_dimensions_from_file( $svg_path ) { $dims = array( 'width' => 0, 'height' => 0, ); $svg_path = (string) $svg_path; if ( '' === $svg_path ) { return $dims; } $ext = strtolower( (string) pathinfo( $svg_path, PATHINFO_EXTENSION ) ); if ( 'svg' !== $ext ) { return $dims; } if ( !file_exists( $svg_path ) ) { return $dims; } // Safely parse SVG XML without allowing network access. $prev_internal_errors = libxml_use_internal_errors( true ); $svg = simplexml_load_file( $svg_path, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA ); libxml_clear_errors(); libxml_use_internal_errors( $prev_internal_errors ); if ( false === $svg ) { return $dims; } $attributes = $svg->attributes(); $width_raw = ( isset( $attributes->width ) ? trim( (string) $attributes->width ) : '' ); $height_raw = ( isset( $attributes->height ) ? trim( (string) $attributes->height ) : '' ); $view_box = ( isset( $attributes->viewBox ) ? trim( (string) $attributes->viewBox ) : '' ); $length_dims = $this->parse_svg_width_height_pair( $width_raw, $height_raw ); if ( $length_dims['width'] > 0 && $length_dims['height'] > 0 ) { return $length_dims; } $vb_dims = $this->parse_svg_viewbox_dimensions( $view_box ); if ( $vb_dims['width'] > 0 && $vb_dims['height'] > 0 ) { return $vb_dims; } return $dims; } /** * Parse SVG width/height attributes when both values are absolute lengths. * * If either value is percentage-based (contains "%") or otherwise not parseable as an * absolute length, return 0/0 so callers can fall back to viewBox. * * @since 9.2.0 * * @param string $width_raw Raw `width` attribute value. * @param string $height_raw Raw `height` attribute value. * @return array{width:int,height:int} */ private function parse_svg_width_height_pair( $width_raw, $height_raw ) { $dims = array( 'width' => 0, 'height' => 0, ); $width_raw = (string) $width_raw; $height_raw = (string) $height_raw; if ( '' === $width_raw || '' === $height_raw ) { return $dims; } // Percentage sizes are not intrinsic dimensions. if ( false !== strpos( $width_raw, '%' ) || false !== strpos( $height_raw, '%' ) ) { return $dims; } $width_parsed = $this->parse_svg_absolute_length_value( $width_raw ); $height_parsed = $this->parse_svg_absolute_length_value( $height_raw ); if ( empty( $width_parsed['value'] ) || empty( $height_parsed['value'] ) ) { return $dims; } // Require matching units (treat empty as px) to avoid having to convert. $width_unit = ( isset( $width_parsed['unit'] ) ? (string) $width_parsed['unit'] : '' ); $height_unit = ( isset( $height_parsed['unit'] ) ? (string) $height_parsed['unit'] : '' ); if ( $width_unit !== $height_unit ) { return $dims; } $w = (float) $width_parsed['value']; $h = (float) $height_parsed['value']; if ( $w <= 0 || $h <= 0 ) { return $dims; } $dims['width'] = (int) round( $w ); $dims['height'] = (int) round( $h ); return $dims; } /** * Parse SVG viewBox dimensions. * * @since 9.2.0 * * @param string $view_box Raw `viewBox` attribute value. * @return array{width:int,height:int} */ private function parse_svg_viewbox_dimensions( $view_box ) { $dims = array( 'width' => 0, 'height' => 0, ); $view_box = trim( (string) $view_box ); if ( '' === $view_box ) { return $dims; } $parts = preg_split( '/[\\s,]+/', $view_box ); if ( !is_array( $parts ) ) { return $dims; } $parts = array_values( array_filter( $parts, 'strlen' ) ); if ( count( $parts ) < 4 ) { return $dims; } $vb_w = floatval( $parts[2] ); $vb_h = floatval( $parts[3] ); if ( $vb_w <= 0 || $vb_h <= 0 ) { return $dims; } $dims['width'] = (int) round( $vb_w ); $dims['height'] = (int) round( $vb_h ); return $dims; } /** * Parse an SVG length attribute as an absolute value and unit. * * Supports unitless values and common absolute units used in SVG. Percentage values * are rejected earlier by the caller. * * @since 9.2.0 * * @param string $raw Raw attribute value. * @return array{value:float,unit:string}|array{} Empty array if not parseable. */ private function parse_svg_absolute_length_value( $raw ) { $raw = trim( (string) $raw ); if ( '' === $raw ) { return array(); } if ( !preg_match( '/^\\s*([0-9]*\\.?[0-9]+)\\s*(px|pt|pc|mm|cm|in|q)?\\s*$/i', $raw, $matches ) ) { return array(); } $value = floatval( $matches[1] ); if ( $value <= 0 ) { return array(); } $unit = ( isset( $matches[2] ) ? strtolower( (string) $matches[2] ) : '' ); // Normalize empty unit to px (SVG/CSS default). if ( '' === $unit ) { $unit = 'px'; } return array( 'value' => $value, 'unit' => $unit, ); } /** * Get an image URL from an ASE setting field, which could be an internal relative URL or an external URL * * @since 7.2.1 */ public function get_image_url( $ase_settings_field_name ) { $options = get_option( ASENHA_SLUG_U, array() ); if ( isset( $options[$ase_settings_field_name] ) ) { if ( false === strpos( $options[$ase_settings_field_name], 'http' ) && false !== strpos( $options[$ase_settings_field_name], '/uploads/' ) ) { $logo_image = content_url() . $options[$ase_settings_field_name]; } else { // $maybe_valid_url = filter_var( $options['admin_logo_image'], FILTER_SANITIZE_URL ); $maybe_valid_url = sanitize_url( $options[$ase_settings_field_name], array('http', 'https') ); if ( false !== filter_var( $maybe_valid_url, FILTER_VALIDATE_URL ) ) { $logo_image = $maybe_valid_url; } else { $logo_image = ''; } } } else { $logo_image = ''; } return $logo_image; } /** * Get current URL, without query parameters and without trailing slash * e.g. https://www.site.com/some-page * * @return string */ public function get_current_url() { $output = ''; $url = (( is_ssl() ? 'https://' : 'http://' )) . sanitize_text_field( $_SERVER['HTTP_HOST'] ) . sanitize_text_field( $_SERVER['REQUEST_URI'] ); $url_parts = explode( '?', $url, 2 ); // limit to max of 2 elements with last element containing the rest of the string if ( isset( $url_parts[0] ) ) { $output = trim( $url_parts[0], '/' ); } return ( $output ? urldecode( $output ) : '/' ); } /** * Get full URL, with query parameters * e.g. https://www.site.com/some-page?param=value * * @link https://stackoverflow.com/a/6768831 * @since 7.8.18 */ public function get_full_url() { $full_url = (( empty( $_SERVER['HTTPS'] ) ? 'http' : 'https' )) . "://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}"; return $full_url; } /** * Get array of elements with value of true * * @since 7.6.10 */ public function get_array_of_keys_with_true_value( $array_with_true_false_values ) { $array_of_keys_with_true_value = array(); if ( is_array( $array_with_true_false_values ) && count( $array_with_true_false_values ) > 0 ) { foreach ( $array_with_true_false_values as $key => $value ) { if ( $value ) { $array_of_keys_with_true_value[] = $key; } } return $array_of_keys_with_true_value; } else { return array(); // default, empty array } } /** * Sanitize user-submitted code from potential security vulnerabilities * * @since 7.8.7 */ public function sanitize_html_js_css_code( $code ) { $code_lines = explode( PHP_EOL, $code ); $sanitized_code_lines = array(); foreach ( $code_lines as $code_line ) { if ( false !== strpos( $code_line, 'src=' ) && false !== strpos( $code_line, 'document.cookie' ) ) { // Do nothing. Do not include the code line in the sanitized code. // Example of malicious code: // 1. Stored XSS vulnerability: // This line of code will send cookies from users browser to a remote server for exploitation } else { if ( false !== strpos( $code_line, ' // This may entail account takeover backdoor } else { $sanitized_code_lines[] = $code_line; } } } $sanitized_code = implode( PHP_EOL, $sanitized_code_lines ); return $sanitized_code; } /** * Part of Disable Embeds module * Remove all rewrite rules related to embeds. * During deactivation / activation. * * @link https://plugins.trac.wordpress.org/browser/disable-embeds/tags/1.5.0/disable-embeds.php#L86 * @since 8.0.0 * * @param array $rules WordPress rewrite rules. * @return array Rewrite rules without embeds rules. */ public function disable_embeds_rewrites( $rules ) { foreach ( $rules as $rule => $rewrite ) { if ( false !== strpos( $rewrite, 'embed=true' ) ) { unset($rules[$rule]); } } return $rules; } /** * Get an indexed array of public post type slug => label pairs * * @since 8.0.1 */ public function get_public_post_type_slugs() { $asenha_public_post_types = array(); $public_post_type_names = get_post_types( array( 'public' => true, ), 'names' ); foreach ( $public_post_type_names as $post_type_name ) { $post_type_object = get_post_type_object( $post_type_name ); $asenha_public_post_types[$post_type_name] = $post_type_object->label; } asort( $asenha_public_post_types ); // sort by value, ascending return $asenha_public_post_types; } }