Issues (4967)

Security Analysis    not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web-server. This can be used to expose sensitive data, or gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of an XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/wp-includes/class.wp-styles.php (4 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php
/**
 * Dependencies API: WP_Styles class
 *
 * @since 2.6.0
 *
 * @package WordPress
 * @subpackage Dependencies
 */

/**
 * Core class used to register styles.
 *
 * @package WordPress
 * @uses WP_Dependencies
 * @since 2.6.0
 */
class WP_Styles extends WP_Dependencies {
	/**
	 * Base URL for styles.
	 *
	 * Full URL with trailing slash.
	 *
	 * @since 2.6.0
	 * @access public
	 * @var string
	 */
	public $base_url;

	/**
	 * URL of the content directory.
	 *
	 * @since 2.8.0
	 * @access public
	 * @var string
	 */
	public $content_url;

	/**
	 * Default version string for stylesheets.
	 *
	 * @since 2.6.0
	 * @access public
	 * @var string
	 */
	public $default_version;

	/**
	 * The current text direction.
	 *
	 * @since 2.6.0
	 * @access public
	 * @var string
	 */
	public $text_direction = 'ltr';

	/**
	 * Holds a list of style handles which will be concatenated.
	 *
	 * @since 2.8.0
	 * @access public
	 * @var string
	 */
	public $concat = '';

	/**
	 * Holds a string which contains style handles and their version.
	 *
	 * @since 2.8.0
	 * @deprecated 3.4.0
	 * @access public
	 * @var string
	 */
	public $concat_version = '';

	/**
	 * Whether to perform concatenation.
	 *
	 * @since 2.8.0
	 * @access public
	 * @var bool
	 */
	public $do_concat = false;

	/**
	 * Holds HTML markup of styles and additional data if concatenation
	 * is enabled.
	 *
	 * @since 2.8.0
	 * @access public
	 * @var string
	 */
	public $print_html = '';

	/**
	 * Holds inline styles if concatenation is enabled.
	 *
	 * @since 3.3.0
	 * @access public
	 * @var string
	 */
	public $print_code = '';

	/**
	 * List of default directories.
	 *
	 * @since 2.8.0
	 * @access public
	 * @var array
	 */
	public $default_dirs;

	/**
	 * Constructor.
	 *
	 * @since 2.6.0
	 * @access public
	 */
	public function __construct() {
		/**
		 * Fires when the WP_Styles instance is initialized.
		 *
		 * @since 2.6.0
		 *
		 * @param WP_Styles &$this WP_Styles instance, passed by reference.
		 */
		do_action_ref_array( 'wp_default_styles', array(&$this) );
	}

	/**
	 * Processes a style dependency.
	 *
	 * @since 2.6.0
	 * @access public
	 *
	 * @see WP_Dependencies::do_item()
	 *
	 * @param string $handle The style's registered handle.
	 * @return bool True on success, false on failure.
	 */
	public function do_item( $handle ) {
		if ( !parent::do_item($handle) )
			return false;

		$obj = $this->registered[$handle];
		if ( null === $obj->ver )
			$ver = '';
		else
			$ver = $obj->ver ? $obj->ver : $this->default_version;

		if ( isset($this->args[$handle]) )
			$ver = $ver ? $ver . '&amp;' . $this->args[$handle] : $this->args[$handle];

		if ( $this->do_concat ) {
			if ( $this->in_default_dir($obj->src) && !isset($obj->extra['conditional']) && !isset($obj->extra['alt']) ) {
				$this->concat .= "$handle,";
				$this->concat_version .= "$handle$ver";

Deprecated Code
The property WP_Styles::$concat_version has been deprecated with message: 3.4.0

This property has been deprecated. The supplier of the class has supplied an explanatory message.

The explanatory message should give you some clue as to whether and when the property will be removed from the class and what other property to use instead.

				$this->print_code .= $this->print_inline_style( $handle, false );

				return true;
			}
		}

		if ( isset($obj->args) )
			$media = esc_attr( $obj->args );
		else
			$media = 'all';

		// A single item may alias a set of items, by having dependencies, but no source.
		if ( ! $obj->src ) {
			if ( $inline_style = $this->print_inline_style( $handle, false ) ) {
				$inline_style = sprintf( "<style id='%s-inline-css' type='text/css'>\n%s\n</style>\n", esc_attr( $handle ), $inline_style );
				if ( $this->do_concat ) {
					$this->print_html .= $inline_style;
				} else {
					echo $inline_style;
				}
			}
			return true;
		}

		$href = $this->_css_href( $obj->src, $ver, $handle );
		if ( ! $href ) {
			return true;
		}

		$rel = isset($obj->extra['alt']) && $obj->extra['alt'] ? 'alternate stylesheet' : 'stylesheet';
		$title = isset($obj->extra['title']) ? "title='" . esc_attr( $obj->extra['title'] ) . "'" : '';

		/**
		 * Filters the HTML link tag of an enqueued style.
		 *
		 * @since 2.6.0
		 * @since 4.3.0 Introduced the `$href` parameter.
		 * @since 4.5.0 Introduced the `$media` parameter.
		 *
		 * @param string $html   The link tag for the enqueued style.
		 * @param string $handle The style's registered handle.
		 * @param string $href   The stylesheet's source URL.
		 * @param string $media  The stylesheet's media attribute.
		 */
		$tag = apply_filters( 'style_loader_tag', "<link rel='$rel' id='$handle-css' $title href='$href' type='text/css' media='$media' />\n", $handle, $href, $media);
		if ( 'rtl' === $this->text_direction && isset($obj->extra['rtl']) && $obj->extra['rtl'] ) {
			if ( is_bool( $obj->extra['rtl'] ) || 'replace' === $obj->extra['rtl'] ) {
				$suffix = isset( $obj->extra['suffix'] ) ? $obj->extra['suffix'] : '';
				$rtl_href = str_replace( "{$suffix}.css", "-rtl{$suffix}.css", $this->_css_href( $obj->src , $ver, "$handle-rtl" ));
			} else {
				$rtl_href = $this->_css_href( $obj->extra['rtl'], $ver, "$handle-rtl" );
			}

			/** This filter is documented in wp-includes/class.wp-styles.php */
			$rtl_tag = apply_filters( 'style_loader_tag', "<link rel='$rel' id='$handle-rtl-css' $title href='$rtl_href' type='text/css' media='$media' />\n", $handle, $rtl_href, $media );

			if ( $obj->extra['rtl'] === 'replace' ) {
				$tag = $rtl_tag;
			} else {
				$tag .= $rtl_tag;
			}
		}

		$conditional_pre = $conditional_post = '';
		if ( isset( $obj->extra['conditional'] ) && $obj->extra['conditional'] ) {
			$conditional_pre  = "<!--[if {$obj->extra['conditional']}]>\n";
			$conditional_post = "<![endif]-->\n";
		}

		if ( $this->do_concat ) {
			$this->print_html .= $conditional_pre;
			$this->print_html .= $tag;
			if ( $inline_style = $this->print_inline_style( $handle, false ) ) {
				$this->print_html .= sprintf( "<style id='%s-inline-css' type='text/css'>\n%s\n</style>\n", esc_attr( $handle ), $inline_style );
			}
			$this->print_html .= $conditional_post;
		} else {
			echo $conditional_pre;
			echo $tag;
			$this->print_inline_style( $handle );
			echo $conditional_post;
		}

		return true;
	}

	/**
	 * Adds extra CSS styles to a registered stylesheet.
	 *
	 * @since 3.3.0
	 * @access public
	 *
	 * @param string $handle The style's registered handle.
	 * @param string $code   String containing the CSS styles to be added.
	 * @return bool True on success, false on failure.
	 */
	public function add_inline_style( $handle, $code ) {
		if ( ! $code ) {
			return false;
		}

		$after = $this->get_data( $handle, 'after' );
		if ( ! $after ) {
			$after = array();
		}

		$after[] = $code;

		return $this->add_data( $handle, 'after', $after );
	}

	/**
	 * Prints extra CSS styles of a registered stylesheet.
	 *
	 * @since 3.3.0
	 * @access public
	 *
	 * @param string $handle The style's registered handle.
	 * @param bool   $echo   Optional. Whether to echo the inline style instead of just returning it.
	 *                       Default true.
	 * @return string|bool False if no data exists, inline styles if `$echo` is true, true otherwise.
	 */
	public function print_inline_style( $handle, $echo = true ) {
		$output = $this->get_data( $handle, 'after' );

		if ( empty( $output ) ) {
			return false;
		}

		$output = implode( "\n", $output );

		if ( ! $echo ) {
			return $output;
		}

		printf( "<style id='%s-inline-css' type='text/css'>\n%s\n</style>\n", esc_attr( $handle ), $output );

		return true;
	}

	/**
	 * Determines style dependencies.
	 *
	 * @since 2.6.0
	 * @access public
	 *
	 * @see WP_Dependencies::all_deps()
	 *
	 * @param mixed     $handles   Item handle and argument (string) or item handles and arguments (array of strings).
	 * @param bool      $recursion Internal flag that function is calling itself.
	 * @param int|false $group     Group level: (int) level, (false) no groups.
	 * @return bool True on success, false on failure.
	 */
	public function all_deps( $handles, $recursion = false, $group = false ) {
		$r = parent::all_deps( $handles, $recursion, $group );
		if ( ! $recursion ) {
			/**
			 * Filters the array of enqueued styles before processing for output.
			 *
			 * @since 2.6.0
			 *
			 * @param array $to_do The list of enqueued styles about to be processed.
			 */
			$this->to_do = apply_filters( 'print_styles_array', $this->to_do );

Documentation Bug
It seems like apply_filters('print_styles_array', $this->to_do) of type * is incompatible with the declared type array of property $to_do.

Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property.

Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.

		}
		return $r;
	}

	/**
	 * Generates an enqueued style's fully-qualified URL.
	 *
	 * @since 2.6.0
	 * @access public
	 *
	 * @param string $src The source of the enqueued style.
	 * @param string $ver The version of the enqueued style.
	 * @param string $handle The style's registered handle.
	 * @return string Style's fully-qualified URL.
	 */
	public function _css_href( $src, $ver, $handle ) {
		if ( !is_bool($src) && !preg_match('|^(https?:)?//|', $src) && ! ( $this->content_url && 0 === strpos($src, $this->content_url) ) ) {
			$src = $this->base_url . $src;
		}

		if ( !empty($ver) )
			$src = add_query_arg('ver', $ver, $src);

		/**
		 * Filters an enqueued style's fully-qualified URL.
		 *
		 * @since 2.6.0
		 *
		 * @param string $src    The source URL of the enqueued style.
		 * @param string $handle The style's registered handle.
		 */
		$src = apply_filters( 'style_loader_src', $src, $handle );
		return esc_url( $src );
	}

	/**
	 * Whether a handle's source is in a default directory.
	 *
	 * @since 2.8.0
	 * @access public
	 *
	 * @param string $src The source of the enqueued style.
	 * @return bool True if found, false if not.
	 */
	public function in_default_dir( $src ) {
		if ( ! $this->default_dirs )

Bug Best Practice
The expression $this->default_dirs of type array is implicitly converted to a boolean; are you sure this is intended? If so, consider using empty($expr) instead to make it clear that you intend to check for an array without elements.

This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent.

Consider making the comparison explicit by using empty(..) or ! empty(...) instead.

			return true;

		foreach ( (array) $this->default_dirs as $test ) {
			if ( 0 === strpos($src, $test) )
				return true;
		}
		return false;
	}

	/**
	 * Processes items and dependencies for the footer group.
	 *
	 * HTML 5 allows styles in the body, grab late enqueued items and output them in the footer.
	 *
	 * @since 3.3.0
	 * @access public
	 *
	 * @see WP_Dependencies::do_items()
	 *
	 * @return array Handles of items that have been processed.
	 */
	public function do_footer_items() {
		$this->do_items(false, 1);
		return $this->done;
	}

	/**
	 * Resets class properties.
	 *
	 * @since 3.3.0
	 * @access public
	 */
	public function reset() {
		$this->do_concat = false;
		$this->concat = '';
		$this->concat_version = '';

Deprecated Code
The property WP_Styles::$concat_version has been deprecated with message: 3.4.0

This property has been deprecated. The supplier of the class has supplied an explanatory message.

The explanatory message should give you some clue as to whether and when the property will be removed from the class and what other property to use instead.

		$this->print_html = '';
	}
}