Autoptimize - Version 2.8.4

Version Description

  • fix for an authenticated XSS vulnerability

Release Info

Developer futtta
Version 2.8.4

Code changes from version 2.8.3 to 2.8.4

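--- a/autoptimize.php
+++ b/autoptimize.php
@@ -3,7 +3,7 @@
  * Plugin Name: Autoptimize
  * Plugin URI: https://autoptimize.com/
  * Description: Makes your site faster by optimizing CSS, JS, Images, Google fonts and more.
- * Version: 2.8.3
+ * Version: 2.8.4
  * Author: Frank Goossens (futtta)
  * Author URI: https://autoptimize.com/
  * Text Domain: autoptimize
@@ -21,7 +21,7 @@ if ( ! defined( 'ABSPATH' ) ) {
  exit;
  }
 
- define( 'AUTOPTIMIZE_PLUGIN_VERSION', '2.8.3' );
+ define( 'AUTOPTIMIZE_PLUGIN_VERSION', '2.8.4' );
 
  // plugin_dir_path() returns the trailing slash!
  define( 'AUTOPTIMIZE_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );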
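--- a/classes/autoptimizeConfig.php
+++ b/classes/autoptimizeConfig.php
@@ -320,7 +320,7 @@ echo sprintf( __( 'This can be fully automated for different types of pages on t
  </tr>
  <tr valign="top" class="css_sub" id="autoptimize_css_defer_inline">
  <th scope="row"></th>
- <td><label><textarea rows="10" cols="10" style="width:100%;" placeholder="<?php _e( 'Paste the above the fold CSS here. You can leave this empty when using the automated Critical CSS integration.', 'autoptimize' ); ?>" name="autoptimize_css_defer_inline"><?php echo autoptimizeOptionWrapper::get_option( 'autoptimize_css_defer_inline' ); ?></textarea></label></td>
+ <td><label><textarea rows="10" cols="10" style="width:100%;" placeholder="<?php _e( 'Paste the above the fold CSS here. You can leave this empty when using the automated Critical CSS integration.', 'autoptimize' ); ?>" name="autoptimize_css_defer_inline"><?php echo autoptimizeStyles::sanitize_css( autoptimizeOptionWrapper::get_option( 'autoptimize_css_defer_inline' ) ); ?></textarea></label></td>
  </tr>
  <tr valign="top" class="css_sub css_aggregate">
  <th scope="row"><?php _e( 'Inline all CSS?', 'autoptimize' ); ?></th>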
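Review bot: `sanitize_css()` is a lossy transformation rather than an output escape, so relying on it alone for the textarea contents on new line 323 changes what the admin sees: any `<` that `wp_strip_all_tags()` removes vanishes from the editable value and is gone on the next save. For a `<textarea>` the context-correct and lossless call is `esc_textarea()`, which already neutralises a stored `</textarea>`; `<?php echo esc_textarea( autoptimizeOptionWrapper::get_option( 'autoptimize_css_defer_inline' ) ); ?>` would do here. The same point applies to both textareas in classes/critcss-inc/admin_settings_rules.php (new lines 188 and 189). Sanitizing on the `<style>` output path in autoptimizeStyles.php is a separate concern and can stay as it is.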
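--- a/classes/autoptimizeCriticalCSSCore.php
+++ b/classes/autoptimizeCriticalCSSCore.php
@@ -74,7 +74,9 @@ class autoptimizeCriticalCSSCore {
  global $ao_ccss_loggedin;
  global $ao_ccss_debug;
  global $ao_ccss_keyst;
+
  $no_ccss = '';
+ $ao_ccss_additional = autoptimizeStyles::sanitize_css( $ao_ccss_additional );
 
  // Only if keystatus is OK and option to add CCSS for logged on users is on or user is not logged in.
  if ( ( $ao_ccss_keyst && 2 == $ao_ccss_keyst ) && ( $ao_ccss_loggedin || ! is_user_logged_in() ) ) {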
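Review bot: The assignment on new line 79 assumes `$ao_ccss_additional` is already in scope, but only `$ao_ccss_loggedin`, `$ao_ccss_debug` and `$ao_ccss_keyst` are declared `global` in the visible lines, and the enclosing method starts above the hunk; if a `global $ao_ccss_additional;` declaration is not present further up, this line silently creates an empty local and the additional CSS is never emitted. Worth confirming the declaration exists. Since the line also rewrites the global for anything reading it later in the request, a short comment such as `// Sanitize once here; every consumer below gets the stripped value.` would make that intent explicit.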
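--- a/classes/autoptimizeCriticalCSSSettings.php
+++ b/classes/autoptimizeCriticalCSSSettings.php
@@ -307,7 +307,7 @@ class autoptimizeCriticalCSSSettings {
  echo "<input class='hidden' name='autoptimize_ccss_queue' value='" . $ao_ccss_queue_raw . "'>";
  echo '<input class="hidden" name="autoptimize_ccss_viewport[w]" value="' . $viewport['w'] . '">';
  echo '<input class="hidden" name="autoptimize_ccss_viewport[h]" value="' . $viewport['h'] . '">';
- echo '<input class="hidden" name="autoptimize_ccss_finclude" value="' . $ao_ccss_finclude . '">';
+ echo '<input class="hidden" name="autoptimize_ccss_finclude" value="' . esc_attr( $ao_ccss_finclude ) . '">';
  echo '<input class="hidden" name="autoptimize_ccss_rtimelimit" value="' . $ao_ccss_rtimelimit . '">';
  echo '<input class="hidden" name="autoptimize_ccss_debug" value="' . $ao_ccss_debug . '">';
  echo '<input class="hidden" name="autoptimize_ccss_noptimize" value="' . $ao_ccss_noptimize . '">';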
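Review bot: Only `$ao_ccss_finclude` gains `esc_attr()` on new line 310, while the neighbouring values in the same hunk are still concatenated into attribute values unescaped; `$ao_ccss_queue_raw` on line 307 in particular lands inside a single-quoted `value='…'`, where any `'` in the stored string ends the attribute. Wrapping each one is cheap, e.g. `echo "<input class='hidden' name='autoptimize_ccss_queue' value='" . esc_attr( $ao_ccss_queue_raw ) . "'>";`, and likewise for the viewport, rtimelimit, debug and noptimize lines — even if those happen to be numeric today, escaping at the output site keeps that from being an unchecked assumption. The enclosing method starts above the hunk.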
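--- a/classes/autoptimizeStyles.php
+++ b/classes/autoptimizeStyles.php
@@ -223,7 +223,7 @@ class autoptimizeStyles extends autoptimizeBase
 
  // Should we inline while deferring?
  // value: inlined CSS.
- $this->defer_inline = apply_filters( 'autoptimize_filter_css_defer_inline', $options['defer_inline'], $this->content );
+ $this->defer_inline = apply_filters( 'autoptimize_filter_css_defer_inline', $this->sanitize_css( $options['defer_inline'] ), $this->content );
 
  // Should we inline?
  // value: true / false.
@@ -1275,4 +1275,24 @@ class autoptimizeStyles extends autoptimizeBase
  {
  return $this->options[ $name ];
  }
+
+ /**
+ * Sanitize user-provided CSS.
+ *
+ * For now just strip_tags (the WordPress way) and preg_replace to escape < in certain cases but might do full CSS escaping in the future, see:
+ * https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-4-css-encode-and-strictly-validate-before-inserting-untrusted-data-into-html-style-property-values
+ * https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L300-L319
+ * https://github.com/laminas/laminas-escaper/blob/2.8.x/src/Escaper.php#L205-L221
+ *
+ * @param string $css the to be sanitized CSS
+ * @return string sanitized CSS.
+ */
+ public static function sanitize_css( $css )
+ {
+ $css = wp_strip_all_tags( $css );
+ if ( strpos( $css, '<' ) !== false ) {
+ $css = preg_replace( '#<(\/?\w+)#', '\00003C$1', $css );
+ }
+ return $css;
+ }
  }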
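Review bot: The replacement string in `sanitize_css` (new line 1294) does not produce the CSS escape the docblock promises: in a preg_replace replacement a backslash followed by up to two digits is a backreference, so `'\00003C$1'` is read as `\00` (the whole match) followed by the literal text `003C` and `$1`, and a surviving `<div` would come out as `<div003Cdiv` with the `<` still in place. A literal backslash has to be doubled at the PCRE level, i.e. `$css = preg_replace( '#<(\/?\w+)#', '\\\\00003C$1', $css );`, which yields `\00003Cdiv`. Whether a `<` immediately followed by a word character can actually survive `wp_strip_all_tags()` is hard to tell from here, but the branch exists for that case and should do what it says; a unit test feeding a string with such a remnant would pin it down. The first hunk's `defer_inline` sanitization depends on the same method.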
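--- a/classes/critcss-inc/admin_settings_adv.php
+++ b/classes/critcss-inc/admin_settings_adv.php
@@ -51,7 +51,7 @@ function ao_ccss_render_adv() {
  <?php _e( 'Force Include CSS selectors', 'autoptimize' ); ?>
  </th>
  <td>
- <textarea id="autoptimize_ccss_finclude" name="autoptimize_ccss_finclude" rows='3' maxlenght='500' style="width:100%;" placeholder="<?php _e( '.button-special,//#footer', 'autoptimize' ); ?>"><?php echo trim( $ao_ccss_finclude ); ?></textarea>
+ <textarea id="autoptimize_ccss_finclude" name="autoptimize_ccss_finclude" rows='3' maxlenght='500' style="width:100%;" placeholder="<?php _e( '.button-special,//#footer', 'autoptimize' ); ?>"><?php echo trim( esc_textarea( $ao_ccss_finclude ) ); ?></textarea>
  <p class="notes">
  <?php _e( 'Force include CSS selectors can be used to style dynamic content that is not part of the HTML that is seen during the Critical CSS generation. To use this feature, add comma separated values with both simple strings and/or regular expressions to match the desired selectors. Regular expressions must be preceeded by two forward slashes. For instance: <code>.button-special,//#footer</code>. In this example <code>.button-special</code> will match <code>.button-special</code> selector only, while <code>//#footer</code> will match <code>#footer</code>, <code>#footer-address</code> and <code>#footer-phone</code> selectors in case they exist.<br />Do take into account that changing this setting will only affect new/ updated rules, so you might want to remove old rules and clear your page cache to expedite the forceIncludes becoming used.', 'autoptimize' ); ?>
  </p>
@@ -128,7 +128,7 @@ function ao_ccss_render_adv() {
  <?php _e( 'Bound domain', 'autoptimize' ); ?>
  </th>
  <td>
- <input type="text" id="autoptimize_ccss_domain" name="autoptimize_ccss_domain" style="width:100%;" placeholder="<?php _e( 'Don\'t leave this empty, put e.g. https://example.net/ or simply \'none\' to disable domain binding.', 'autoptimize' ); ?>" value="<?php echo trim( $ao_ccss_domain ); ?>">
+ <input type="text" id="autoptimize_ccss_domain" name="autoptimize_ccss_domain" style="width:100%;" placeholder="<?php _e( 'Don\'t leave this empty, put e.g. https://example.net/ or simply \'none\' to disable domain binding.', 'autoptimize' ); ?>" value="<?php echo trim( esc_attr( $ao_ccss_domain ) ); ?>">
  <p class="notes">
  <?php _e( 'Only requests from this domain will be sent for Critical CSS generation (pricing is per domain/ month).', 'autoptimize' ); ?>
  </p>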
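Review bot: New line 54 keeps the misspelt attribute `maxlenght='500'` on the force-include textarea, so the browser never applies the 500-character cap; it should read `maxlength='500'`. The ordering `trim( esc_textarea( … ) )` on line 54 and `trim( esc_attr( … ) )` on line 131 also reads backwards — the entity output of the escape never starts or ends with whitespace, so the result is the same, but `esc_textarea( trim( $ao_ccss_finclude ) )` and `esc_attr( trim( $ao_ccss_domain ) )` say what is meant: trim the stored value, then escape for the context. The same inverted order appears on new line 46 of classes/critcss-inc/admin_settings_key.php. The enclosing function ao_ccss_render_adv() starts above both hunks.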
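--- a/classes/critcss-inc/admin_settings_key.php
+++ b/classes/critcss-inc/admin_settings_key.php
@@ -43,7 +43,7 @@ function ao_ccss_render_key( $key, $status, $status_msg, $message, $color ) {
  <?php _e( 'Your API Key', 'autoptimize' ); ?>
  </th>
  <td>
- <textarea id="autoptimize_ccss_key" name="autoptimize_ccss_key" rows='3' style="width:100%;" placeholder="<?php _e( 'Please enter your criticalcss.com API key here.', 'autoptimize' ); ?>"><?php echo trim( $key ); ?></textarea>
+ <textarea id="autoptimize_ccss_key" name="autoptimize_ccss_key" rows='3' style="width:100%;" placeholder="<?php _e( 'Please enter your criticalcss.com API key here.', 'autoptimize' ); ?>"><?php echo trim( esc_textarea( $key ) ); ?></textarea>
  <p class="notes">
  <?php _e( 'Enter your <a href="https://criticalcss.com/account/api-keys?aff=1" target="_blank">criticalcss.com</a> API key above. The key is revalidated every time a new job is sent to it.<br />To obtain your API key, go to <a href="https://criticalcss.com/account/api-keys?aff=1" target="_blank">criticalcss.com</a> > Account > API Keys.<br />Requests to generate a critical CSS via the API are priced at £5 per domain per month.<br /><strong>Not sure yet? With the <a href="https://criticalcss.com/faq/?aff=1#trial" target="_blank">30 day money back guarantee</a>, you have nothing to lose!</strong>', 'autoptimize' ); ?>
  </p>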
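--- a/classes/critcss-inc/admin_settings_rules.php
+++ b/classes/critcss-inc/admin_settings_rules.php
@@ -185,8 +185,8 @@ function ao_ccss_render_rules() {
  </ol>
  </div>
  </div>
- <textarea id="autoptimize_css_defer_inline" name="autoptimize_css_defer_inline" rows="19" cols="10" style="width:100%;"><?php echo get_option( 'autoptimize_css_defer_inline', '' ); ?></textarea>
- <textarea id="autoptimize_ccss_additional" name="autoptimize_ccss_additional" rows="19" cols="10" style="width:100%;"><?php echo get_option( 'autoptimize_ccss_additional', '' ); ?></textarea>
+ <textarea id="autoptimize_css_defer_inline" name="autoptimize_css_defer_inline" rows="19" cols="10" style="width:100%;"><?php echo autoptimizeStyles::sanitize_css( get_option( 'autoptimize_css_defer_inline', '' ) ); ?></textarea>
+ <textarea id="autoptimize_ccss_additional" name="autoptimize_ccss_additional" rows="19" cols="10" style="width:100%;"><?php echo autoptimizeStyles::sanitize_css( get_option( 'autoptimize_ccss_additional', '' ) ); ?></textarea>
  <table class="rules-list" cellspacing="0"><tbody id="rules-list"></tbody></table>
  <input class="hidden" type="text" id="critCssOrigin" name="autoptimize_ccss_rules" value='<?php echo ( json_encode( $ao_ccss_rules, JSON_FORCE_OBJECT ) ); ?>'>
  <div class="submit rules-btn">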
readme.txt CHANGED
@@ -5,7 +5,7 @@ Donate link: http://blog.futtta.be/2013/10/21/do-not-donate-to-me/
5
  Requires at least: 4.9
6
  Tested up to: 5.7
7
  Requires PHP: 5.6
8
- Stable tag: 2.8.3
9
 
10
  Autoptimize speeds up your website by optimizing JS, CSS, images (incl. lazy-load), HTML and Google Fonts, asyncing JS, removing emoji cruft and more.
11
 
@@ -319,6 +319,9 @@ Just [fork Autoptimize on Github](https://github.com/futtta/autoptimize) and cod
319
 
320
  == Changelog ==
321
 
 
 
 
322
  = 2.8.3 =
323
  * fix for missing ao-minify-html.php file
324
 
5
  Requires at least: 4.9
6
  Tested up to: 5.7
7
  Requires PHP: 5.6
8
+ Stable tag: 2.8.4
9
 
10
  Autoptimize speeds up your website by optimizing JS, CSS, images (incl. lazy-load), HTML and Google Fonts, asyncing JS, removing emoji cruft and more.
11
 
319
 
320
  == Changelog ==
321
 
322
+ = 2.8.4 =
323
+ * fix for an authenticated XSS vulnerability
324
+
325
  = 2.8.3 =
326
  * fix for missing ao-minify-html.php file
327