fixed Fancybox XSS
nk-o committed Sep 30, 2024
1 parent 03b7d99 commit 18ed3df
Showing 2 changed files with 65 additions and 0 deletions.
1 change: 1 addition & 0 deletions class-visual-portfolio.php
Expand Up @@ -216,6 +216,7 @@ private function include_dependencies() {
require_once $this->plugin_path . 'classes/3rd/plugins/class-divi.php';
require_once $this->plugin_path . 'classes/3rd/plugins/class-elementor.php';
require_once $this->plugin_path . 'classes/3rd/plugins/class-ewww-image-optimizer.php';
require_once $this->plugin_path . 'classes/3rd/plugins/class-fancybox.php';
require_once $this->plugin_path . 'classes/3rd/plugins/class-imagify.php';
require_once $this->plugin_path . 'classes/3rd/plugins/class-jetpack.php';
require_once $this->plugin_path . 'classes/3rd/plugins/class-lazy-loading-responsive-images.php';
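--- a/classes/3rd/plugins/class-fancybox.php
+++ b/classes/3rd/plugins/class-fancybox.php
@@ -0,0 +1,64 @@
+<?php
+/**
+* Fancybox script.
+*
+* @package visual-portfolio
+*/
+
+if ( ! defined( 'ABSPATH' ) ) {
+exit;
+}
+
+/**
+* Class Visual_Portfolio_Fancybox
+*/
+class Visual_Portfolio_Fancybox {
+/**
+* Visual_Portfolio_Fancybox constructor.
+*/
+public function __construct() {
+add_action( 'wp_enqueue_scripts', array( $this, 'wp_enqueue_scripts' ), 20 );
+}
+
+/**
+* A temporary fix for possible XSS reported by Wordfence.
+* CVE ID: CVE-2024-5020
+*/
+public function wp_enqueue_scripts() {
+$wp_scripts = wp_scripts();
+$fancybox_handler = 'fancybox';
+
+if ( ! isset( $wp_scripts->registered[ $fancybox_handler ] ) ) {
+return;
+}
+
+wp_add_inline_script(
+$fancybox_handler,
+'(function($){
+if (!$) {
+return;
+}
+function escAttr(text) {
+return text.replace(/&/g, "&amp;")
+.replace(/</g, "&lt;")
+.replace(/>/g, "&gt;")
+.replace(/"/g, "&quot;")
+.replace(/"/g, "&#039;");
+}
+$(document).on("click", "[data-fancybox]", function (e) {
+const $this = $(this);
+const caption = $this.attr("data-caption");
+if (caption) {
+$this.attr("data-caption", escAttr(caption));
+}
+});
+}(window.jQuery));',
+'before'
+);
+}
+}
+
+new Visual_Portfolio_Fancybox();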
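Review bot: The last step of escAttr, `.replace(/"/g, "&#039;")`, matches a double quote a second time instead of a single quote, so `'` in a caption is never escaped even though the replacement string is the single-quote entity; it should read `.replace(/'/g, "&#039;")`. The handler also re-escapes the same attribute on every click: because `&` is replaced first, a caption that was already turned into `&amp;` becomes `&amp;amp;` on the next open, so repeated opens visibly corrupt the caption — a one-time marker such as `if ($this.data("vpCaptionEscaped")) { return; }` followed by `$this.data("vpCaptionEscaped", true)` after the rewrite, or escaping once where the attribute is rendered, would avoid that. Since the docblock calls this a temporary fix, it appears to cover only captions read on a click of `[data-fancybox]`; it would help to state in that docblock which Fancybox entry points are and are not covered so the permanent server-side fix is not forgotten.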
