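''}} }}
// NOTE(review): the fragment above and the bare `init();` after the eefw section read as the tail of
// statements that begin outside the reviewed span; both are kept byte-for-byte.

// eefw-security-400-start
/*
 * Script allowlist + Content-Security-Policy for the front end.
 *
 * Guarded by function_exists() so a second copy of this section does not fatal on redeclaration.
 * Four mechanisms share one host allowlist (eefw_allowed_hosts()):
 *   1. the `script_loader_src` filter drops enqueued scripts served from other hosts;
 *   2. a late `wp_enqueue_scripts` action dequeues/deregisters already-registered ones;
 *   3. an output buffer started on `template_redirect` removes <script> tags whose src is not
 *      allowed, or whose markup contains one of a fixed list of substrings;
 *   4. a `send_headers` action emits a Content-Security-Policy built from the same list.
 */
if ( ! function_exists( 'eefw_home_hosts' ) ) {
	/**
	 * Hostnames that count as "this site".
	 *
	 * Returns the host of home_url() in lower case plus its www./bare twin, so both
	 * spellings of the site URL pass the allowlist. Empty when home_url() has no host.
	 *
	 * @return string[] Unique, zero-indexed hostnames.
	 */
	function eefw_home_hosts() {
		$host  = wp_parse_url( home_url(), PHP_URL_HOST );
		$hosts = array();
		if ( $host ) {
			$host    = strtolower( $host );
			$hosts[] = $host;
			if ( strpos( $host, 'www.' ) === 0 ) {
				$hosts[] = substr( $host, 4 );
			} else {
				$hosts[] = 'www.' . $host;
			}
		}
		return array_values( array_unique( $hosts ) );
	}

	/**
	 * Hosts that scripts may be loaded from: the site's own hosts plus a fixed set of
	 * third-party services (analytics, captcha, payments, maps, video, fonts, CDN).
	 *
	 * NOTE(review): cdn.jsdelivr.net serves arbitrary npm/GitHub content, so allowing it here
	 * (and therefore in the CSP script-src) effectively allows any script hosted there.
	 *
	 * @return string[] Unique, zero-indexed hostnames.
	 */
	function eefw_allowed_hosts() {
		$common = array(
			's.w.org', 'stats.wp.com', 'www.googletagmanager.com', 'tagmanager.google.com',
			'www.google-analytics.com', 'ssl.google-analytics.com', 'region1.google-analytics.com',
			'analytics.google.com', 'www.google.com', 'www.gstatic.com', 'ssl.gstatic.com',
			'www.recaptcha.net', 'recaptcha.net', 'challenges.cloudflare.com', 'js.stripe.com',
			'www.paypal.com', 'sandbox.paypal.com', 'www.sandbox.paypal.com',
			'maps.googleapis.com', 'maps.gstatic.com', 'www.youtube.com', 'youtube.com',
			'www.youtube-nocookie.com', 'youtube-nocookie.com', 's.ytimg.com', 'i.ytimg.com',
			'player.vimeo.com', 'f.vimeocdn.com', 'i.vimeocdn.com',
			'fonts.googleapis.com', 'fonts.gstatic.com', 'cdn.jsdelivr.net',
		);
		return array_values( array_unique( array_merge( eefw_home_hosts(), $common ) ) );
	}

	/**
	 * Give a scheme-relative URL ("//host/x") the scheme of the current request so it can be parsed.
	 * Anything else is returned untouched.
	 *
	 * @param mixed $url
	 * @return mixed
	 */
	function eefw_normalize_url( $url ) {
		if ( ! is_string( $url ) || $url === '' ) {
			return $url;
		}
		if ( strpos( $url, '//' ) === 0 ) {
			return ( is_ssl() ? 'https:' : 'http:' ) . $url;
		}
		return $url;
	}

	/**
	 * True for root-relative paths ("/wp-includes/x.js"); false for scheme-relative ("//host/x")
	 * and everything else.
	 *
	 * @param mixed $url
	 * @return bool
	 */
	function eefw_is_relative_url( $url ) {
		if ( ! is_string( $url ) || $url === '' ) {
			return false;
		}
		return strpos( $url, '/' ) === 0 && strpos( $url, '//' ) !== 0;
	}

	/**
	 * Case-insensitive allowlist lookup. An empty host is treated as allowed (caller's decision).
	 *
	 * @param string|null $host
	 * @return bool
	 */
	function eefw_host_allowed( $host ) {
		if ( ! $host ) {
			return true;
		}
		return in_array( strtolower( $host ), eefw_allowed_hosts(), true );
	}

	/**
	 * Decide whether a script src may be loaded.
	 *
	 * Non-strings, empty strings and root-relative paths are allowed. An absolute URL is allowed
	 * only when its scheme is http/https (or scheme-relative) and its host is on the allowlist.
	 * A URL with any other scheme (data:, javascript:, blob:, ...) is rejected: it carries no host,
	 * so the host allowlist cannot vet it — the original version let such URLs through because it
	 * only tested for a missing host.
	 *
	 * @param mixed $url Raw src value.
	 * @return bool
	 */
	function eefw_url_allowed( $url ) {
		if ( ! is_string( $url ) || $url === '' ) {
			return true;
		}
		if ( eefw_is_relative_url( $url ) ) {
			return true;
		}
		$url    = eefw_normalize_url( $url );
		$scheme = wp_parse_url( $url, PHP_URL_SCHEME );
		if ( $scheme && ! in_array( strtolower( $scheme ), array( 'http', 'https' ), true ) ) {
			return false;
		}
		$host = wp_parse_url( $url, PHP_URL_HOST );
		if ( ! $host ) {
			// No scheme and no host: a document-relative path such as "app.js".
			return true;
		}
		return eefw_host_allowed( $host );
	}

	// 1. Enqueued scripts: a falsy src makes WordPress skip the tag entirely.
	add_filter( 'script_loader_src', function ( $src ) {
		return eefw_url_allowed( $src ) ? $src : false;
	}, 9999 );

	// 2. Scripts registered by other code: remove them late so they cannot be re-added afterwards.
	// foreach iterates over a copy of the array, so deregistering inside the loop is safe.
	add_action( 'wp_enqueue_scripts', function () {
		global $wp_scripts;
		if ( ! isset( $wp_scripts->registered ) || ! is_array( $wp_scripts->registered ) ) {
			return;
		}
		foreach ( $wp_scripts->registered as $handle => $obj ) {
			if ( ! empty( $obj->src ) && ! eefw_url_allowed( $obj->src ) ) {
				wp_dequeue_script( $handle );
				wp_deregister_script( $handle );
			}
		}
	}, 9999 );

	// 3. Rewrite the rendered HTML. The buffer callback runs when the buffer is flushed.
	add_action( 'template_redirect', function () {
		if ( is_admin() || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) || ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
			return;
		}
		ob_start( function ( $html ) {
			if ( ! is_string( $html ) || $html === '' ) {
				return $html;
			}

			// 3a. Drop external <script src="..."></script> tags whose src is not allowed.
			// NOTE(review): in the copy reviewed both patterns had lost their leading "<script"
			// (extraction damage, leaving an unbalanced ")"); restored here.
			$filtered = preg_replace_callback(
				'#<script([^>]*)\\bsrc=([\'\"])(.*?)\\2([^>]*)>\\s*<\/script>#is',
				function ( $m ) {
					$src = html_entity_decode( $m[3], ENT_QUOTES | ENT_HTML5, 'UTF-8' );
					return eefw_url_allowed( $src ) ? $m[0] : '';
				},
				$html
			);
			// preg_replace_callback() returns null on a PCRE error (e.g. the backtrack limit on a
			// large page). The original assigned that null straight back to $html and the visitor
			// got a blank page. Fail open and log instead; return '' here if stripping must be
			// load-bearing for this site.
			if ( $filtered === null ) {
				error_log( 'eefw-security: script src filter skipped, preg error ' . preg_last_error() );
				return $html;
			}
			$html = $filtered;

			// 3b. Drop any <script> (inline or external) whose markup contains one of these
			// substrings, compared case-insensitively. The original stored the list base64-encoded;
			// it decodes to exactly the values below.
			// NOTE(review): the last six are generic DOM/JS API names that legitimate theme and
			// plugin scripts also use, so this pass is likely to remove wanted scripts as well.
			$bad_needles = array(
				'check.first-node.rocks',
				'testio.ecartdev.com',
				'captcha_seen',
				'ctp_pass_',
				'insertAdjacentHTML(',
				'window.addEventListener(',
				'fetch(',
				'new Function(',
				'eval(',
				'atob(',
			);
			$filtered = preg_replace_callback(
				'#<script[^>]*>.*?<\/script>#is',
				function ( $m ) use ( $bad_needles ) {
					foreach ( $bad_needles as $needle ) {
						if ( stripos( $m[0], $needle ) !== false ) {
							return '';
						}
					}
					return $m[0];
				},
				$html
			);
			if ( $filtered === null ) {
				error_log( 'eefw-security: script body filter skipped, preg error ' . preg_last_error() );
				return $html;
			}
			return $filtered;
		} );
	}, 1 );

	// 4. Content-Security-Policy derived from the same allowlist.
	// NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src let any inline script and
	// eval() run, which removes most of the XSS protection script-src would otherwise give;
	// presumably needed because WordPress and many plugins emit inline scripts. Nonces/hashes,
	// or trialling a tighter policy via Content-Security-Policy-Report-Only, would let this be
	// tightened. The header is sent unconditionally, replacing any CSP set by other code.
	add_action( 'send_headers', function () {
		if ( headers_sent() ) {
			return;
		}
		$self_and_hosts = array( "'self'" );
		foreach ( eefw_allowed_hosts() as $hh ) {
			$self_and_hosts[] = 'https://' . $hh;
		}
		$script_src  = implode( ' ', array_unique( array_merge( $self_and_hosts, array( "'unsafe-inline'", "'unsafe-eval'" ) ) ) );
		$style_src   = implode( ' ', array_unique( array_merge( array( "'self'", "'unsafe-inline'" ), array( 'https://fonts.googleapis.com' ) ) ) );
		$font_src    = implode( ' ', array_unique( array_merge( array( "'self'", 'data:' ), array( 'https://fonts.gstatic.com' ) ) ) );
		$img_src     = implode( ' ', array_unique( array_merge( array( "'self'", 'data:', 'blob:' ), $self_and_hosts ) ) );
		$frame_src   = implode( ' ', array_unique( array_merge( array( "'self'" ), array(
			'https://www.youtube.com', 'https://www.youtube-nocookie.com',
			'https://player.vimeo.com', 'https://www.google.com',
			'https://challenges.cloudflare.com', 'https://js.stripe.com',
			'https://www.paypal.com', 'https://sandbox.paypal.com',
		) ) ) );
		$connect_src = implode( ' ', array_unique( array_merge( array( "'self'" ), array(
			'https://www.google-analytics.com', 'https://region1.google-analytics.com',
			'https://analytics.google.com', 'https://maps.googleapis.com',
			'https://maps.gstatic.com', 'https://challenges.cloudflare.com',
			'https://js.stripe.com', 'https://www.paypal.com', 'https://sandbox.paypal.com',
		) ) ) );
		$directives = array(
			"default-src 'self'",
			'script-src ' . $script_src,
			'style-src ' . $style_src,
			'font-src ' . $font_src,
			'img-src ' . $img_src,
			'frame-src ' . $frame_src,
			'connect-src ' . $connect_src,
			"object-src 'none'",
			"base-uri 'self'",
			"form-action 'self' https://www.paypal.com https://sandbox.paypal.com",
		);
		header( 'Content-Security-Policy: ' . implode( '; ', $directives ) );
	}, 999 );
}
// eefw-security-400-end
init();

// WordPress AI Client initialization.
WP_AI_Client_Discovery_Strategy::init();
WordPress\AiClient\AiClient::setCache( new WP_AI_Client_Cache() );
WordPress\AiClient\AiClient::setEventDispatcher( new WP_AI_Client_Event_Dispatcher() );

// Load multisite-specific files.
if ( is_multisite() ) {
	require ABSPATH . WPINC . '/ms-functions.php';
	require ABSPATH . WPINC . '/ms-default-filters.php';
	require ABSPATH . WPINC . '/ms-deprecated.php';
}

// Define constants that rely on the API to obtain the default value.
// Define must-use plugin directory constants, which may be overridden in the sunrise.php drop-in.
wp_plugin_directory_constants();

/**
 * @since 3.9.0
 *
 * @global array $wp_plugin_paths
 */
$GLOBALS['wp_plugin_paths'] = array();

// Load must-use plugins. These run before any check on the plugin's code, so the
// mu-plugins directory must be writable only by trusted accounts.
foreach ( wp_get_mu_plugins() as $mu_plugin ) {
	$_wp_plugin_file = $mu_plugin;
	include_once $mu_plugin;
	$mu_plugin = $_wp_plugin_file; // Avoid stomping of the $mu_plugin variable in a plugin.

	/**
	 * Fires once a single must-use plugin has loaded.
	 *
	 * @since 5.1.0
	 *
	 * @param string $mu_plugin Full path to the plugin's main file.
	 */
	do_action( 'mu_plugin_loaded', $mu_plugin );
}
unset( $mu_plugin, $_wp_plugin_file );

// Load network activated plugins.
if ( is_multisite() ) {
	foreach ( wp_get_active_network_plugins() as $network_plugin ) {
		wp_register_plugin_realpath( $network_plugin );

		$_wp_plugin_file = $network_plugin;
		include_once $network_plugin;
		$network_plugin = $_wp_plugin_file; // Avoid stomping of the $network_plugin variable in a plugin.

		/**
		 * Fires once a single network-activated plugin has loaded.
		 *
		 * @since 5.1.0
		 *
		 * @param string $network_plugin Full path to the plugin's main file.
		 */
		do_action( 'network_plugin_loaded', $network_plugin );
	}
	unset( $network_plugin, $_wp_plugin_file );
}

/**
 * Fires once all must-use and network-activated plugins have loaded.
 *
 * @since 2.8.0
 */
do_action( 'muplugins_loaded' );

if ( is_multisite() ) {
	ms_cookie_constants();
}

// Define constants after multisite is loaded.
wp_cookie_constants();

// Define and enforce our SSL constants.
wp_ssl_constants();

// Create common globals.
require ABSPATH . WPINC . '/vars.php';

// Make taxonomies and posts available to plugins and themes.
// @plugin authors: warning: these get registered again on the init hook.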
// Remainder of the WordPress bootstrap. The order below is load-bearing: plugins load before
// pluggable.php, the theme loads before 'init', and the current user is only set up at $wp->init().
create_initial_taxonomies();
create_initial_post_types();

wp_start_scraping_edited_file_errors();

// Register the default theme directory root.
register_theme_directory( get_theme_root() );

if ( ! is_multisite() && wp_is_fatal_error_handler_enabled() ) {
	// Handle users requesting a recovery mode link and initiating recovery mode.
	wp_recovery_mode()->initialize();
}

// To make get_plugin_data() available in a way that's compatible with plugins also loading this file, see #62244.
require_once ABSPATH . 'wp-admin/includes/plugin.php';

// Load active plugins. Each plugin's main file is executed here with full privileges.
foreach ( wp_get_active_and_valid_plugins() as $plugin ) {
	wp_register_plugin_realpath( $plugin );

	$plugin_data = get_plugin_data( $plugin, false, false );

	// Register the plugin's text domain path before its code runs, so translations resolve.
	$textdomain = $plugin_data['TextDomain'];
	if ( $textdomain ) {
		if ( $plugin_data['DomainPath'] ) {
			$GLOBALS['wp_textdomain_registry']->set_custom_path( $textdomain, dirname( $plugin ) . $plugin_data['DomainPath'] );
		} else {
			$GLOBALS['wp_textdomain_registry']->set_custom_path( $textdomain, dirname( $plugin ) );
		}
	}

	$_wp_plugin_file = $plugin;
	include_once $plugin;
	$plugin = $_wp_plugin_file; // Avoid stomping of the $plugin variable in a plugin.

	/**
	 * Fires once a single activated plugin has loaded.
	 *
	 * @since 5.1.0
	 *
	 * @param string $plugin Full path to the plugin's main file.
	 */
	do_action( 'plugin_loaded', $plugin );
}
unset( $plugin, $_wp_plugin_file, $plugin_data, $textdomain );

// Load pluggable functions. Loaded after plugins so a plugin may define its own versions first.
require ABSPATH . WPINC . '/pluggable.php';
require ABSPATH . WPINC . '/pluggable-deprecated.php';

// Set internal encoding.
wp_set_internal_encoding();

// Run wp_cache_postload() if object cache is enabled and the function exists.
if ( WP_CACHE && function_exists( 'wp_cache_postload' ) ) {
	wp_cache_postload();
}

/**
 * Fires once activated plugins have loaded.
 *
 * Pluggable functions are also available at this point in the loading order.
 *
 * @since 1.5.0
 */
do_action( 'plugins_loaded' );

// Define constants which affect functionality if not already defined.
wp_functionality_constants();

// Add magic quotes and set up $_REQUEST ( $_GET + $_POST ).
wp_magic_quotes();

/**
 * Fires when comment cookies are sanitized.
 *
 * @since 2.0.11
 */
do_action( 'sanitize_comment_cookies' );

/**
 * WordPress Query object
 *
 * @since 2.0.0
 *
 * @global WP_Query $wp_the_query WordPress Query object.
 */
$GLOBALS['wp_the_query'] = new WP_Query();

/**
 * Holds the reference to {@see $wp_the_query}.
 * Use this global for WordPress queries
 *
 * @since 1.5.0
 *
 * @global WP_Query $wp_query WordPress Query object.
 */
$GLOBALS['wp_query'] = $GLOBALS['wp_the_query'];

/**
 * Holds the WordPress Rewrite object for creating pretty URLs
 *
 * @since 1.5.0
 *
 * @global WP_Rewrite $wp_rewrite WordPress rewrite component.
 */
$GLOBALS['wp_rewrite'] = new WP_Rewrite();

/**
 * WordPress Object
 *
 * @since 2.0.0
 *
 * @global WP $wp Current WordPress environment instance.
 */
$GLOBALS['wp'] = new WP();

/**
 * WordPress Widget Factory Object
 *
 * @since 2.8.0
 *
 * @global WP_Widget_Factory $wp_widget_factory
 */
$GLOBALS['wp_widget_factory'] = new WP_Widget_Factory();

/**
 * WordPress User Roles
 *
 * @since 2.0.0
 *
 * @global WP_Roles $wp_roles WordPress role management object.
 */
$GLOBALS['wp_roles'] = new WP_Roles();

/**
 * Fires before the theme is loaded.
 *
 * @since 2.6.0
 */
do_action( 'setup_theme' );

// Define the template related constants and globals.
wp_templating_constants();
wp_set_template_globals();

// Load the default text localization domain.
load_default_textdomain();

// The locale is validated with validate_file() before it is used to build an include path.
$locale      = get_locale();
$locale_file = WP_LANG_DIR . "/$locale.php";
if ( ( 0 === validate_file( $locale ) ) && is_readable( $locale_file ) ) {
	require $locale_file;
}
unset( $locale_file );

/**
 * WordPress Locale object for loading locale domain date and various strings.
 *
 * @since 2.1.0
 *
 * @global WP_Locale $wp_locale WordPress date and time locale object.
 */
$GLOBALS['wp_locale'] = new WP_Locale();

/**
 * WordPress Locale Switcher object for switching locales.
 *
 * @since 4.7.0
 *
 * @global WP_Locale_Switcher $wp_locale_switcher WordPress locale switcher object.
 */
$GLOBALS['wp_locale_switcher'] = new WP_Locale_Switcher();
$GLOBALS['wp_locale_switcher']->init();

// Load the functions for the active theme, for both parent and child theme if applicable.
// Theme code runs here, before the 'init' hook below.
foreach ( wp_get_active_and_valid_themes() as $theme ) {
	$wp_theme = wp_get_theme( basename( $theme ) );
	$wp_theme->load_textdomain();

	if ( file_exists( $theme . '/functions.php' ) ) {
		include $theme . '/functions.php';
	}
}
unset( $theme, $wp_theme );

/**
 * Fires after the theme is loaded.
 *
 * @since 3.0.0
 */
do_action( 'after_setup_theme' );

// Create an instance of WP_Site_Health so that Cron events may fire.
if ( ! class_exists( 'WP_Site_Health' ) ) {
	require_once ABSPATH . 'wp-admin/includes/class-wp-site-health.php';
}
WP_Site_Health::get_instance();

// Set up current user.
$GLOBALS['wp']->init();

/**
 * Fires after WordPress has finished loading but before any headers are sent.
 *
 * Most of WP is loaded at this stage, and the user is authenticated. WP continues
 * to load on the {@see 'init'} hook that follows (e.g. widgets), and many plugins instantiate
 * themselves on it for all sorts of reasons (e.g. they need a user, a taxonomy, etc.).
 *
 * If you wish to plug an action once WP is loaded, use the {@see 'wp_loaded'} hook below.
 *
 * @since 1.5.0
 */
do_action( 'init' );

// Check site status.
if ( is_multisite() ) {
	$file = ms_site_check();
	if ( true !== $file ) {
		require $file;
		die();
	}
	unset( $file );
}

/**
 * This hook is fired once WP, all plugins, and the theme are fully loaded and instantiated.
 *
 * Ajax requests should use wp-admin/admin-ajax.php. admin-ajax.php can handle requests for
 * users not logged in.
 *
 * @link https://developer.wordpress.org/plugins/javascript/ajax
 *
 * @since 3.0.0
 */
do_action( 'wp_loaded' );