From bdacc3ccb6b89ac3a4d006ee0dbca74f83e0aebf Mon Sep 17 00:00:00 2001
From: Mike Letellier
Date: Wed, 12 Mar 2025 12:07:32 -0300
Subject: [PATCH 1/8] Do not output invalid CSS vars
---
 classes/helpers/FrmStylesHelper.php | 30 ++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/classes/helpers/FrmStylesHelper.php b/classes/helpers/FrmStylesHelper.php
index 9a066a8d8f..dd7c5337d5 100644
--- a/classes/helpers/FrmStylesHelper.php
+++ b/classes/helpers/FrmStylesHelper.php
@@ -444,12 +444,40 @@ public static function output_vars( $settings, $defaults = array(), $vars = arra
 $defaults[ $var ] = '';
 }
 $show = empty( $defaults ) || ( $settings[ $var ] !== '' && $settings[ $var ] !== $defaults[ $var ] );
- if ( $show ) {
+ if ( $show && self::css_value_is_valid( $var ) ) {
 echo '--' . esc_html( self::clean_var_name( str_replace( '_', '-', $var ) ) ) . ':' . self::css_var_prepare_value( $settings, $var ) . ';'; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 }
 }
+ /**
+ * Confirm a CSS value is valid.
+ * If it appears to contain JavaScript, it will not be added.
+ *
+ * @since x.x
+ *
+ * @param string $var
+ * @return bool
+ */
+ private static function css_value_is_valid( $var ) {
+ // None of these substrings should be present in any CSS value.
+ $invalid_substrings = array(
+ 'function(',
+ ';userAgent',
+ ';stopPropagation',
+ '{const',
+ );
+
+ foreach ( $invalid_substrings as $substring ) {
+ if ( strpos( $var, $substring ) !== false ) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+
 /**
 * Remove anything that isn't used as a CSS variable name.
 *
From 8886a8e50078a1245713446435ff13d96cddbb86 Mon Sep 17 00:00:00 2001
From: Mike Letellier
Date: Wed, 12 Mar 2025 12:35:58 -0300
Subject: [PATCH 2/8] Add a key check too
---
 classes/helpers/FrmStylesHelper.php | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
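Review bot: `css_value_is_valid` is a case-sensitive substring denylist built on `strpos`, so it recognises only the exact spellings listed and says nothing about whether the value is CSS at all; patch 4 in this series already has to extend the list, which is the usual trajectory of a denylist. The `phpcs:ignore ... OutputNotEscaped` on the echo line shows the value reaches the page unescaped, so the durable control is an allowlist per setting type (colour, length, keyword, `url(...)`) applied wherever the values are prepared or stored, with this check kept only as defence in depth. At minimum the docblock should state the limitation, e.g. `* This is a heuristic denylist, not a CSS validator; values are expected to be validated against their setting type before they are stored.`. `output_vars` starts before this hunk.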
diff --git a/classes/helpers/FrmStylesHelper.php b/classes/helpers/FrmStylesHelper.php
index dd7c5337d5..c2b412046e 100644
--- a/classes/helpers/FrmStylesHelper.php
+++ b/classes/helpers/FrmStylesHelper.php
@@ -444,12 +444,25 @@ public static function output_vars( $settings, $defaults = array(), $vars = arra
 $defaults[ $var ] = '';
 }
 $show = empty( $defaults ) || ( $settings[ $var ] !== '' && $settings[ $var ] !== $defaults[ $var ] );
- if ( $show && self::css_value_is_valid( $var ) ) {
+ if ( $show && self::css_key_is_valid( $var ) && self::css_value_is_valid( $var ) ) {
 echo '--' . esc_html( self::clean_var_name( str_replace( '_', '-', $var ) ) ) . ':' . self::css_var_prepare_value( $settings, $var ) . ';'; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 }
 }
+ /**
+ * Prevent invalid CSS keys from getting added to the generated CSS.
+ *
+ * @since x.x
+ *
+ * @param string $key
+ * @return bool
+ */
+ private static function css_key_is_valid( $key ) {
+ // Any key that is abnormaly large is not valid.
+ return strlen( $key ) < 100;
+ }
+
 /**
 * Confirm a CSS value is valid.
 * If it appears to contain JavaScript, it will not be added.
From a42ca8434a714ad5e36d7710f4690bb2bd2db1df Mon Sep 17 00:00:00 2001
From: Mike Letellier
Date: Wed, 12 Mar 2025 12:38:25 -0300
Subject: [PATCH 3/8] Use the right variable
---
 classes/helpers/FrmStylesHelper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/classes/helpers/FrmStylesHelper.php b/classes/helpers/FrmStylesHelper.php
index c2b412046e..087a3191bb 100644
--- a/classes/helpers/FrmStylesHelper.php
+++ b/classes/helpers/FrmStylesHelper.php
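Review bot: `css_key_is_valid` encodes its only rule as a bare `100`, and the docblock does not say what makes a key invalid, so a reader cannot tell whether 100 is a CSS limit, a storage width or a guess. Name the bound and say why it exists: `const MAX_CSS_VAR_KEY_LENGTH = 100;` on the class, `return strlen( $key ) < self::MAX_CSS_VAR_KEY_LENGTH;` here, and a docblock line such as `* No generated setting name comes near this length, so a longer key is not a setting name we emit.`. `strlen` counts bytes, which is fine for an upper bound but worth stating in that comment. The class declaration is outside this hunk.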
@@ -444,7 +444,7 @@ public static function output_vars( $settings, $defaults = array(), $vars = arra
 $defaults[ $var ] = '';
 }
 $show = empty( $defaults ) || ( $settings[ $var ] !== '' && $settings[ $var ] !== $defaults[ $var ] );
- if ( $show && self::css_key_is_valid( $var ) && self::css_value_is_valid( $var ) ) {
+ if ( $show && self::css_key_is_valid( $var ) && self::css_value_is_valid( $settings[ $var ] ) ) {
 echo '--' . esc_html( self::clean_var_name( str_replace( '_', '-', $var ) ) ) . ':' . self::css_var_prepare_value( $settings, $var ) . ';'; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 }
From 075e63e09d1d755fee68d20a52c4ea2740add8e2 Mon Sep 17 00:00:00 2001
From: Mike Letellier
Date: Tue, 1 Apr 2025 16:21:22 -0300
Subject: [PATCH 4/8] Add a couple more invalid substrings, move key check up, add another condition to key check
---
 classes/helpers/FrmStylesHelper.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/classes/helpers/FrmStylesHelper.php b/classes/helpers/FrmStylesHelper.php
index 087a3191bb..981b6a84e5 100644
--- a/classes/helpers/FrmStylesHelper.php
+++ b/classes/helpers/FrmStylesHelper.php
@@ -443,8 +443,11 @@ public static function output_vars( $settings, $defaults = array(), $vars = arra
 if ( ! isset( $defaults[ $var ] ) ) {
 $defaults[ $var ] = '';
 }
+ if ( ! self::css_key_is_valid( $var ) ) {
+ continue;
+ }
 $show = empty( $defaults ) || ( $settings[ $var ] !== '' && $settings[ $var ] !== $defaults[ $var ] );
- if ( $show && self::css_key_is_valid( $var ) && self::css_value_is_valid( $settings[ $var ] ) ) {
+ if ( $show && self::css_value_is_valid( $settings[ $var ] ) ) {
 echo '--' . esc_html( self::clean_var_name( str_replace( '_', '-', $var ) ) ) . ':' . self::css_var_prepare_value( $settings, $var ) . ';'; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 }
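Review bot: `css_value_is_valid( $settings[ $var ] )` now hands the helper the raw stored setting, and the `strpos()` inside it throws a `TypeError` on PHP 8 (a warning on 7.x) if that value is not a string; `@param string $var` documents the assumption but nothing enforces it, and whether a setting can be stored as an int or an array is not visible here. A guard at the top of `css_value_is_valid` makes the helper total regardless: `if ( ! is_scalar( $var ) ) { return false; }` followed by `$var = (string) $var;`. `output_vars` starts before this hunk and `css_value_is_valid` is outside it.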
@@ -460,7 +463,8 @@ public static function output_vars( $settings, $defaults = array(), $vars = arra
 */
 private static function css_key_is_valid( $key ) {
 // Any key that is abnormaly large is not valid.
- return strlen( $key ) < 100;
+ // Any key that contains a '{' is not valid.
+ return strlen( $key ) < 100 && false === strpos( $key, '{' );
 }
 /**
@@ -479,6 +483,9 @@ private static function css_value_is_valid( $var ) {
 ';userAgent',
 ';stopPropagation',
 '{const',
+ 'window[',
+ 'navigator[',
+ 'Array;',
 );
 foreach ( $invalid_substrings as $substring ) {
From 5362bd00d8a45f5ff0345c0e5a0b14f87ca1be0d Mon Sep 17 00:00:00 2001
From: Mike Letellier
Date: Tue, 1 Apr 2025 16:24:52 -0300
Subject: [PATCH 5/8] Stop adding use base font size as a CSS var
---
 classes/helpers/FrmStylesHelper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/classes/helpers/FrmStylesHelper.php b/classes/helpers/FrmStylesHelper.php
index 981b6a84e5..20b8d57827 100644
--- a/classes/helpers/FrmStylesHelper.php
+++ b/classes/helpers/FrmStylesHelper.php
@@ -433,7 +433,7 @@ public static function output_vars( $settings, $defaults = array(), $vars = arra
 if ( empty( $vars ) ) {
 $vars = self::get_css_vars( array_keys( $settings ) );
 }
- $remove = array( 'remove_box_shadow', 'remove_box_shadow_active', 'theme_css', 'theme_name', 'theme_selector', 'important_style', 'submit_style', 'collapse_icon', 'center_form', 'custom_css', 'style_class', 'submit_bg_img', 'change_margin', 'repeat_icon' );
+ $remove = array( 'remove_box_shadow', 'remove_box_shadow_active', 'theme_css', 'theme_name', 'theme_selector', 'important_style', 'submit_style', 'collapse_icon', 'center_form', 'custom_css', 'style_class', 'submit_bg_img', 'change_margin', 'repeat_icon', 'use_base_font_size' );
 $vars = array_diff( $vars, $remove );
 foreach ( $vars as $var ) {
From d464d52dd88d67d6a94d9f44145af2fafc1b3222 Mon Sep 17 00:00:00 2001
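Review bot: the key check now rejects one specific character (`{`) on top of a length bound, which leaves every other character that has no place in a setting name accepted; if setting names always look like the entries of the `$remove` list in patch 5 (lower-case letters, digits, underscores, possibly hyphens), a positive pattern is both shorter and complete: `return strlen( $key ) < 100 && 1 === preg_match( '/^[a-z0-9_-]+$/i', $key );`. The comment would then describe the rule rather than the exception, e.g. `// A setting name is a short identifier; anything else is not a CSS var we generate.`. Please confirm against `get_css_vars` and `clean_var_name`, both outside this hunk, that no legitimate name uses other characters.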
From: Mike Letellier
Date: Tue, 1 Apr 2025 16:27:36 -0300
Subject: [PATCH 6/8] Bump key condition higher and merge
---
 classes/helpers/FrmStylesHelper.php | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/classes/helpers/FrmStylesHelper.php b/classes/helpers/FrmStylesHelper.php
index 20b8d57827..f916a25b0a 100644
--- a/classes/helpers/FrmStylesHelper.php
+++ b/classes/helpers/FrmStylesHelper.php
@@ -437,15 +437,12 @@ public static function output_vars( $settings, $defaults = array(), $vars = arra
 $vars = array_diff( $vars, $remove );
 foreach ( $vars as $var ) {
- if ( ! isset( $settings[ $var ] ) ) {
+ if ( ! isset( $settings[ $var ] ) || ! self::css_key_is_valid( $var ) ) {
 continue;
 }
 if ( ! isset( $defaults[ $var ] ) ) {
 $defaults[ $var ] = '';
 }
- if ( ! self::css_key_is_valid( $var ) ) {
- continue;
- }
 $show = empty( $defaults ) || ( $settings[ $var ] !== '' && $settings[ $var ] !== $defaults[ $var ] );
 if ( $show && self::css_value_is_valid( $settings[ $var ] ) ) {
 echo '--' . esc_html( self::clean_var_name( str_replace( '_', '-', $var ) ) ) . ':' . self::css_var_prepare_value( $settings, $var ) . ';'; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
From 51df74283e982ab7b19f2642bddb0c65f827fe7c Mon Sep 17 00:00:00 2001
From: Mike Letellier
Date: Tue, 1 Apr 2025 16:35:35 -0300
Subject: [PATCH 7/8] Exclude stylers helper as too long
---
 classes/helpers/FrmStylesHelper.php | 1 +
 phpcs.xml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/classes/helpers/FrmStylesHelper.php b/classes/helpers/FrmStylesHelper.php
index f916a25b0a..ba551530c8 100644
--- a/classes/helpers/FrmStylesHelper.php
+++ b/classes/helpers/FrmStylesHelper.php
@@ -973,6 +973,7 @@ public static function get_submit_image_bg_url( $settings ) {
 return wp_get_attachment_url( (int) $background_image );
 }
+
 /**
 * Determines if the chosen JavaScript library should be used.
 *
diff --git a/phpcs.xml b/phpcs.xml
index 1f9d3d01f3..83f9756f90 100644
--- a/phpcs.xml
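Review bot: on the `$show` line this hunk keeps as context, `empty( $defaults )` can never be true: the `if ( ! isset( $defaults[ $var ] ) )` block just above writes `$defaults[ $var ] = ''` first, so by the time `$show` is computed the array always holds at least one entry. If the intent is "emit every var when no defaults were supplied", capture that before the loop — `$no_defaults = empty( $defaults );` above `foreach ( $vars as $var ) {` and `$show = $no_defaults || ( $settings[ $var ] !== '' && $settings[ $var ] !== $defaults[ $var ] );` — otherwise drop the dead clause so the condition reads as what it does. The merged `isset()`/`css_key_is_valid()` guard itself looks right; a null setting and an invalid key are both skipped silently, which is fine here. `output_vars` starts before this hunk.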
+++ b/phpcs.xml
@@ -209,6 +209,7 @@
 css/custom_theme.css.php
 tests/phpunit/entries/test_FrmShowEntryShortcode.php
 models/FrmFormAction.php
+ helpers/FrmStylesHelper.php
From d337d9d264e554b8ec3d85268b0011687a40a251 Mon Sep 17 00:00:00 2001
From: Mike Letellier
Date: Tue, 1 Apr 2025 16:36:04 -0300
Subject: [PATCH 8/8] Fix typo
---
 classes/helpers/FrmStylesHelper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/classes/helpers/FrmStylesHelper.php b/classes/helpers/FrmStylesHelper.php
index ba551530c8..3a47a6fa64 100644
--- a/classes/helpers/FrmStylesHelper.php
+++ b/classes/helpers/FrmStylesHelper.php
@@ -459,7 +459,7 @@ public static function output_vars( $settings, $defaults = array(), $vars = arra
 * @return bool
 */
 private static function css_key_is_valid( $key ) {
- // Any key that is abnormaly large is not valid.
+ // Any key that is abnormally large is not valid.
 // Any key that contains a '{' is not valid.
 return strlen( $key ) < 100 && false === strpos( $key, '{' );
 }