HEX
Server: nginx/1.18.0
System: Linux iZj6c1ieg2jrpk1z5tzi19Z 6.3.9-1.el7.elrepo.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jun 21 22:18:40 EDT 2023 x86_64
User: www (1001)
PHP: 8.2.4
Disabled: passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
$ pwd: /www/wwwroot/www.cytocare.cn/wp-content/plugins/mailpoet/lib/Newsletter/
Upload Files
File: /www/wwwroot/www.cytocare.cn/wp-content/plugins/mailpoet/lib/Newsletter/NewsletterHtmlSanitizer.php
<?php // phpcs:ignore SlevomatCodingStandard.TypeHints.DeclareStrictTypes.DeclareStrictTypesMissing

namespace MailPoet\Newsletter;

if (!defined('ABSPATH')) exit;


use MailPoet\WP\Functions as WPFunctions;

class NewsletterHtmlSanitizer {
  /** @var WPFunctions */
  private $wp;

  /**
   * @var array
   * Configuration of allowed tags for form blocks that may contain some html.
   * Covers all tags available in the form editor's Rich Text component
   */
  private $allowedHtml = [
    'p' => [
      'class' => true,
      'style' => true,
    ],
    'span' => [
      'class' => true,
      'style' => true,
    ],
    'a' => [
      'href' => true,
      'class' => true,
      'title' => true,
      'target' => true,
      'style' => true,
    ],
    'h1' => [
      'class' => true,
      'style' => true,
    ],
    'h2' => [
      'class' => true,
      'style' => true,
    ],
    'h3' => [
      'class' => true,
      'style' => true,
    ],
    'ol' => [
      'class' => true,
      'style' => true,
    ],
    'ul' => [
      'class' => true,
      'style' => true,
    ],
    'li' => [
      'class' => true,
      'style' => true,
    ],
    'strong' => [
      'class' => true,
      'style' => true,
    ],
    'em' => [
      'class' => true,
      'style' => true,
    ],
    'strike' => [],
    'br' => [],
    'blockquote' => [
      'class' => true,
      'style' => true,
    ],
    'table' => [
      'class' => true,
      'style' => true,
    ],
    'tr' => [
      'class' => true,
      'style' => true,
    ],
    'th' => [
      'class' => true,
      'style' => true,
    ],
    'td' => [
      'class' => true,
      'style' => true,
    ],
    'del' => [],
  ];

  public function __construct(
    WPFunctions $wp
  ) {
    $this->wp = $wp;
  }

  public function sanitize(string $html): string {
    // Because wpKses break shortcodes we prefix shortcodes with http protocol
    $html = str_replace('href="[', 'href="http://[', $html);
    $this->wp->addFilter('safecss_filter_attr_allow_css', [$this, 'allowRgbInCss'], 10, 2);
    $html = $this->wp->wpKses($html, $this->allowedHtml);
    $this->wp->removeFilter('safecss_filter_attr_allow_css', [$this, 'allowRgbInCss'], 10);
    $html = str_replace('href="http://[', 'href="[', $html);
    return $html;
  }

  /**
   * At the moment rgb() is not allowed to use in the style attribute. `style="color:rgb(0,0,0);"` gets
   * sanitized if you use wp_kses. We hook into safecss_filter_attr_allow_css to allow for rgb. The code
   * follows the precedent WordPress sets for the usage of var(), calc() etc. in safecss_filter_attr()
   */
  public function allowRgbInCss($allowed, $cssString): bool {
    if ($allowed) {
      return (bool)$allowed;
    }
    $cssString = preg_replace(
      '/\b(?:rgb)(\((?:[^()]|(?1))*\))/',
      '',
      $cssString
    );
    return !preg_match('%[\\\(&=}]|/\*%', $cssString);
  }

  public function sanitizeURL(string $url): string {
    return $this->wp->escUrlRaw($url);
  }
}
@ Telegram