| Server IP : 66.29.153.156 / Your IP : 216.73.217.22 Web Server : LiteSpeed System : Linux premium322.web-hosting.com 4.18.0-553.50.1.lve.el8.x86_64 #1 SMP Thu Apr 17 19:10:24 UTC 2025 x86_64 User : lastyfjz ( 1521) PHP Version : 8.1.34 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : OFF | Pkexec : OFF Directory : /home/lastyfjz/./werepairmobile.com/wp-content/plugins/wpforms-lite/src/Admin/ |
Upload File : |
<?php
namespace WPForms\Admin;
/**
* Sanitize SVG files uploaded through the WordPress media library within WPForms admin.
*
* Image Choices, the Content field and other WPForms admin areas upload images via the
* standard WordPress media library, which bypasses the File Upload field's SVG sanitization.
* This class closes that gap by sanitizing SVGs at upload time in WPForms-originated requests.
*
* @since 1.10.2
*/
class MediaLibrary {
/**
* Initialize.
*
* @since 1.10.2
*/
public function init(): void {
$this->hooks();
}
/**
* Register hooks.
*
* @since 1.10.2
*/
private function hooks(): void {
add_filter( 'wp_handle_upload_prefilter', [ $this, 'sanitize_svg_upload' ] );
}
/**
* Sanitize an SVG being uploaded to the media library from a WPForms admin context.
*
* Reuses wpforms_sanitize_svg_file(): non-SVG files are untouched, and the upload is
* rejected when an SVG cannot be sanitized (e.g. gzipped .svgz or invalid XML), mirroring
* the File Upload field behavior.
*
* @since 1.10.2
*
* @param array|mixed $file Array of a single uploaded file ( name, type, tmp_name, error, size ).
*
* @return array Modified file array.
*/
public function sanitize_svg_upload( $file ): array {
$file = (array) $file;
// Preserve any pre-existing upload error ( e.g. file too large, failed PHP upload ).
if ( ! empty( $file['error'] ) ) {
return $file;
}
// Only act on SVG uploads; everything else passes through untouched.
if ( empty( $file['name'] ) || ! $this->is_svg( (string) $file['name'] ) ) {
return $file;
}
// Limit to uploads originating from WPForms admin to avoid touching unrelated SVGs.
if ( ! $this->is_wpforms_upload() ) {
return $file;
}
if ( empty( $file['tmp_name'] ) || ! wpforms_sanitize_svg_file( $file['tmp_name'], (string) $file['name'] ) ) {
$file['error'] = esc_html__( 'Sorry, this SVG file could not be sanitized, so it was not uploaded.', 'wpforms-lite' );
}
return $file;
}
/**
* Whether the file name points to an SVG ( or gzipped SVG ).
*
* @since 1.10.2
*
* @param string $file_name Uploaded file name.
*
* @return bool
*/
private function is_svg( string $file_name ): bool {
$extension = strtolower( pathinfo( $file_name, PATHINFO_EXTENSION ) );
return in_array( $extension, [ 'svg', 'svgz' ], true );
}
/**
* Whether the current upload request originates from a WPForms admin context.
*
* Detected either by the `wpforms-` post_id marker ( Rich Text field convention ) or by a
* referer pointing to a WPForms admin page. Nonce and capability are already verified upstream
* by WordPress core ( wp_ajax_upload_attachment ), so this only reads request context for routing.
*
* @since 1.10.2
*
* @return bool
*/
private function is_wpforms_upload(): bool {
// phpcs:disable WordPress.Security.NonceVerification.Missing
$post_id = isset( $_POST['post_id'] ) ? sanitize_text_field( wp_unslash( $_POST['post_id'] ) ) : '';
// phpcs:enable WordPress.Security.NonceVerification.Missing
if ( strpos( $post_id, 'wpforms-' ) === 0 ) {
return true;
}
$referer = wp_get_referer();
if ( ! $referer ) {
return false;
}
$query = (string) wp_parse_url( $referer, PHP_URL_QUERY );
wp_parse_str( $query, $args );
$page = isset( $args['page'] ) ? (string) $args['page'] : '';
return strpos( $page, 'wpforms' ) === 0;
}
}