
Added Remove Unsecure Element option.

1 parent a3a9a9b commit 9e0aa04f6048d3727f2936dbd1a32e95b1236764 @mvied committed Jul 21, 2012
@@ -75,7 +75,7 @@
padding-top: 0;
}
#wphttps-main table th {
- width: 140px;
+ width: 160px;
line-height: 32px;
padding: 0;
}
@@ -36,6 +36,18 @@
</fieldset>
</td>
</tr>
+ <tr valign="top" id="remove_unsecure_row">
+ <th scope="row">Remove Unsecure Elements</th>
+ <td>
+ <fieldset>
+ <label for="remove_unsecure">
+ <input type="hidden" name="remove_unsecure" value="0" />
+ <input name="remove_unsecure" type="checkbox" id="remove_unsecure" value="1"<?php echo (($this->getPlugin()->getSetting('remove_unsecure')) ? ' checked="checked"' : ''); ?> />
+ If possible, remove external elements that can not be loaded over HTTPS. This may prevent other plugins' features from working. This can not always catch everything. Read the <a href="http://wordpress.org/extend/plugins/wordpress-https/faq/" target="_blank">FAQ</a>.
+ </label>
+ </fieldset>
+ </td>
+ </tr>
<tr valign="top" id="ssl_admin_row">
<th scope="row">Force SSL Administration</th>
<td>
@@ -37,7 +37,8 @@ class WordPressHTTPS extends Mvied_Plugin {
'unsecure_external_urls' => array(), // Unsecure external URL's
'ssl_host_diff' => 0, // Is SSL Host different than WordPress host
'ssl_host_subdomain' => 0, // Is SSL Host a subdomain of WordPress host
- 'exclusive_https' => 0, // Exclusively force SSL on posts and pages with the `Force SSL` option checked.
+ 'exclusive_https' => 0, // Redirect pages that are not secured to HTTP
+ 'remove_unsecure' => 0, // Remove unsecure elements from HTML
'frontpage' => 0, // Force SSL on front page
'ssl_admin' => 0, // Force SSL Over Administration Panel (The same as FORCE_SSL_ADMIN)
'ssl_proxy' => 0, // Proxy detection
@@ -122,7 +123,7 @@ public function init() {
$this->getLogger()->log('Unsecure External URLs: [ ' . implode(', ', (array)$this->getSetting('unsecure_external_urls')) . ' ]');
// Redirect login page. This is not pluggable due to the redirect methods used in wp-login.php
- if ( ( $GLOBALS['pagenow'] == 'wp-login.php' ) ) {
+ if ( isset($GLOBALS['pagenow']) && $GLOBALS['pagenow'] == 'wp-login.php' ) {
setcookie(constant('TEST_COOKIE'), 'WP Cookie check', 0);
if ( $this->getSetting('ssl_admin') ) {
$this->redirect('https');
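Review bot: The new guard still compares `$GLOBALS['pagenow']` with a loose `==`; both sides are strings here, so `===` is the safer form and matches the strict `strpos(...) === 0` checks used elsewhere in this commit: `if ( isset($GLOBALS['pagenow']) && $GLOBALS['pagenow'] === 'wp-login.php' ) {`. The `init()` body continues outside the hunk.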
@@ -236,17 +237,22 @@ public function makeUrlHttps( $string ) {
}
} else {
$updated = clone $url;
- $updated = WordPressHTTPS_Url::fromString( apply_filters('https_external_url', $updated->setScheme('https')->toString()) );
+ $updated = WordPressHTTPS_Url::fromString( apply_filters('https_external_url', $updated->toString()) );
if ( @in_array($updated->toString(), $this->getSetting('secure_external_urls')) == false && @in_array($updated->toString(), $this->getSetting('unsecure_external_urls')) == false ) {
- if ( $updated->isValid() ) {
+ $test = clone $updated;
+ $test->setScheme('https');
+ if ( $test->isValid() ) {
// Cache this URL as available over HTTPS for future reference
$this->addSecureExternalUrl($updated->toString());
+ $updated->setScheme('https');
} else {
// If not available over HTTPS, mark as an unsecure external URL
$this->addUnsecureExternalUrl($updated->toString());
}
+ } else if ( in_array($updated->toString(), $this->getSetting('secure_external_urls')) ) {
+ $updated->setScheme('https');
}
- if ( $url->toString() != $updated->toString() || in_array($updated->toString(), $this->getSetting('secure_external_urls')) ) {
+ if ( $url->toString() != $updated->toString() ) {
$string = str_replace($url, $updated, $string);
}
}
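Review bot: The new HTTPS probe `$test->isValid()` runs with the default `$verify_ssl = false` (the `isValid( $verify_ssl = false )` hunk further down passes it straight to `CURLOPT_SSL_VERIFYPEER`), so a host that answers on 443 with an invalid or mismatched certificate is recorded in `secure_external_urls` and rewritten to https, which the browser then blocks — the opposite of what the cache is meant to guarantee, and the entry persists. Consider `if ( $test->isValid(true) ) {` unless the unverified probe is deliberate, in which case the reason belongs in a comment at the call. The new `else if ( in_array($updated->toString(), $this->getSetting('secure_external_urls')) )` also differs from the lookups two lines above: those are `@`-suppressed and none of them passes the strict flag; `in_array($updated->toString(), (array) $this->getSetting('secure_external_urls'), true)` avoids both the notice when the setting is not yet an array and loose matching, and the same `(array)` cast already appears in the `init()` hunk. `makeUrlHttps()` starts outside the hunk.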
@@ -71,10 +71,19 @@ public function add_meta_boxes() {
array($this->getPlugin()->getModule('Admin'), 'meta_box_render'),
'toplevel_page_' . $this->getPlugin()->getSlug(),
'side',
- 'core',
+ 'high',
array( 'metabox' => 'ajax', 'url' => 'http://wordpresshttps.com/client/updates.php' )
);
add_meta_box(
+ $this->getPlugin()->getSlug() . '_support',
+ __( 'Support', $this->getPlugin()->getSlug() ),
+ array($this->getPlugin()->getModule('Admin'), 'meta_box_render'),
+ 'toplevel_page_' . $this->getPlugin()->getSlug(),
+ 'side',
+ 'high',
+ array( 'metabox' => 'ajax', 'url' => 'http://wordpresshttps.com/client/support.php' )
+ );
+ add_meta_box(
$this->getPlugin()->getSlug() . '_rate',
__( 'Feedback', $this->getPlugin()->getSlug() ),
array($this->getPlugin()->getModule('Admin'), 'meta_box_render'),
@@ -93,15 +102,6 @@ public function add_meta_boxes() {
array( 'metabox' => 'ajax', 'url' => 'http://wordpresshttps.com/client/donate.php' )
);
add_meta_box(
- $this->getPlugin()->getSlug() . '_support',
- __( 'Support', $this->getPlugin()->getSlug() ),
- array($this->getPlugin()->getModule('Admin'), 'meta_box_render'),
- 'toplevel_page_' . $this->getPlugin()->getSlug(),
- 'side',
- 'core',
- array( 'metabox' => 'ajax', 'url' => 'http://wordpresshttps.com/client/support.php' )
- );
- add_meta_box(
$this->getPlugin()->getSlug() . '_donate2',
__( 'Loading...', $this->getPlugin()->getSlug() ),
array($this->getPlugin()->getModule('Admin'), 'meta_box_render'),
@@ -81,23 +81,35 @@ public function startOutputBuffering() {
*/
public function secureElement( $url, $type = '' ) {
$updated = false;
+ $result = false;
$upload_dir = wp_upload_dir();
$upload_path = str_replace($this->getPlugin()->getHttpsUrl()->getPath(), $this->getPlugin()->getHttpUrl()->getPath(), parse_url($upload_dir['baseurl'], PHP_URL_PATH));
if ( ! is_admin() || ( is_admin() && strpos($url, $upload_path) === false ) ) {
$updated = $this->getPlugin()->makeUrlHttps($url);
- $this->_html = str_replace($url, $updated, $this->_html);
+ if ( $url != $updated ) {
+ $this->_html = str_replace($url, $updated, $this->_html);
+ } else {
+ $updated = false;
+ }
}
-
+
// Add log entry if this change hasn't been logged
- if ( $updated && $url != $updated ) {
+ if ( $updated ) {
$log = '[FIXED] Element: ' . ( $type != '' ? '<' . $type . '> ' : '' ) . $url . ' => ' . $updated;
- } else if ( $updated == false && strpos($url, 'http://') == 0 ) {
- $log = '[WARNING] Unsecure Element: <' . $type . '> - ' . $url;
+ $result = true;
+ } else if ( strpos($url, 'http://') === 0 ) {
+ if ( $this->getPlugin()->getSetting('remove_unsecure') ) {
+ $log = '[FIXED] Removed Unsecure Element: <' . $type . '> - ' . $url;
+ } else {
+ $log = '[WARNING] Unsecure Element: <' . $type . '> - ' . $url;
+ }
}
if ( isset($log) && ! in_array($log, $this->getPlugin()->getLogger()->getLog()) ) {
$this->getPlugin()->getLogger()->log($log);
}
+
+ return $result;
}
/**
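Review bot: `secureElement()` now returns a bool that `fixElements()` uses to decide removal, but `false` is also returned on the deliberate skip in the `is_admin()` upload-path branch where no rewrite was attempted; with `remove_unsecure` on, that path still logs `[FIXED] Removed Unsecure Element` and the caller strips an element under the site's own upload path. If that skip is meant to leave those elements alone, track whether a rewrite was tried, e.g. `$attempted = ! is_admin() || strpos($url, $upload_path) === false;` before the branch and `} else if ( ! $attempted ) { $result = true; }` ahead of the `http://` check, so the caller does not remove it. The removal log is written here although the removal itself happens in the caller, so any other caller of this method would log a removal that did not occur. The docblock closing at the top of the hunk should state the new contract, e.g. `@return bool true if the element's URL was rewritten to HTTPS, false otherwise`. The new `$url != $updated` test is a loose comparison; since both values appear to be strings, `!==` fits.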
@@ -162,9 +174,9 @@ public function normalizeElements() {
*/
public function fixElements() {
if ( is_admin() ) {
- preg_match_all('/\<(script|link|img)[^>]+[\'"]((http|https):\/\/[^\'"]+)[\'"][^>]*>/im', $this->_html, $matches);
+ preg_match_all('/\<(script|link|img)[^>]+[\'"]((http|https):\/\/[^\'"]+)[\'"][^>]*>(<\/(script|link|img|input|embed|param|iframe)>\s?)+/im', $this->_html, $matches);
} else {
- preg_match_all('/\<(script|link|img|input|embed|param|iframe)[^>]+[\'"]((http|https):\/\/[^\'"]+)[\'"][^>]*>/im', $this->_html, $matches);
+ preg_match_all('/\<(script|link|img|input|embed|param|iframe)[^>]+[\'"]((http|https):\/\/[^\'"]+)[\'"][^>]*>(<\/(script|link|img|input|embed|param|iframe)>\s?)+/im', $this->_html, $matches);
}
for ($i = 0; $i < sizeof($matches[0]); $i++) {
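Review bot: The `+` on the new trailing group `(<\/(script|link|img|input|embed|param|iframe)>\s?)+` makes at least one closing tag mandatory, so void elements such as `<img …>`, `<link …>`, `<input …>`, `<embed …>` and `<param …>` that have no closing tag no longer match at all and are neither secured nor removed — a regression for the most common mixed-content cases. Changing the quantifier to `*` in both patterns keeps the closing tag in `$matches[0]` for the removal path while still matching elements without one. Because the group is greedy and accepts any listed closing tag, a match may also swallow the closing tag of an unrelated following element; anchoring it to the opening tag's name with a back-reference, `[^>]*>(<\/\1>\s?)*`, is tighter. The loop that consumes `$matches` continues outside the hunk.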
@@ -182,7 +194,9 @@ public function fixElements() {
( $type == 'param' && strpos($html, 'movie') !== false )
) {
if ( $this->getPlugin()->isSsl() && ( $this->getPlugin()->getSetting('ssl_host_diff') || ( !$this->getPlugin()->getSetting('ssl_host_diff') && strpos($url, 'http://') === 0 ) ) ) {
- $this->secureElement($url, $type);
+ if ( !$this->secureElement($url, $type) && $this->getPlugin()->getSetting('remove_unsecure') ) {
+ $this->_html = str_replace($html, '', $this->_html);
+ }
} else if ( !$this->getPlugin()->isSsl() && strpos($url, 'https://') === 0 ) {
$this->unsecureElement($url, $type);
}
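Review bot: `$this->getPlugin()->getSetting('remove_unsecure')` is re-read on every iteration of the element loop; reading it once into a local before the `for` (in the preceding hunk) keeps the loop body simpler: `$remove_unsecure = $this->getPlugin()->getSetting('remove_unsecure');` and `if ( ! $this->secureElement($url, $type) && $remove_unsecure ) {`. The removal uses `$html` from `$matches[0]`, so whatever the pattern captured as trailing closing tags is stripped together with the element. `fixElements()` continues outside the hunk.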
@@ -376,7 +376,7 @@ public function getContent( $verify_ssl = false ) {
if ( function_exists('curl_init') ) {
$ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, rtrim($this->toString(), '\'"'));
+ curl_setopt($ch, CURLOPT_URL, $this->toString());
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify_ssl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
@@ -413,7 +413,7 @@ public function isValid( $verify_ssl = false ) {
if ( function_exists('curl_init') ) {
$ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, rtrim($this->toString(), '\'"'));
+ curl_setopt($ch, CURLOPT_URL, $this->toString());
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify_ssl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
@@ -77,6 +77,7 @@ add_filter('force_ssl', 'store_force_ssl', 10, 3);`
== Changelog ==
= 3.2 =
* Added domain mapping. Domain mapping allows you to map external domains that host their HTTPS content on a different domain.
+* Added Remove Unsecure Elements option. If possible, this option removes external elements from the page that can not be loaded over HTTPS, preventing insecure content errors without modifying any code.
* ClouldFlare support.
* Substantial memory optimization.
* Bug Fix - Visiting the admin panel over HTTP when using Shared SSL should no longer log the user out, but will not redirect accordingly.
