
Commit ec2a325

revert URL sanitization changes
1 parent 676901a commit ec2a325

4 files changed

Lines changed: 21 additions & 69 deletions


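--- a/assets/js/src/boxzilla/box.js
+++ b/assets/js/src/boxzilla/box.js
@@ -95,12 +95,14 @@ Box.prototype.events = function () {
 break;
 }
 }
-}, false)
+})
 
 this.element.addEventListener('submit', (evt) => {
-box.setCookie(this.config.cookie.dismissed)
+if (this.config.cookie && this.config.cookie.dismissed) {
+box.setCookie(this.config.cookie.dismissed)
+}
 box.fireEvent('box.interactions.form', [box, evt.target])
-}, false)
+})
 
 this.overlay.addEventListener('click', (evt) => {
 const x = evt.offsetX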

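--- a/src/admin/class-admin.php
+++ b/src/admin/class-admin.php
@@ -530,7 +530,21 @@ public function sanitize_settings($opts)
 */
 public function sanitize_url($url_string)
 {
-return \boxzilla_normalize_relative_url($url_string);
+// if empty, just return a slash
+if (empty($url_string)) {
+return '/';
+}
+
+// if string looks like an absolute URL, extract just the path
+if (preg_match('/^((https|http)?\:\/\/)?(\w+\.)?\w+\.\w+\.*/i', $url_string)) {
+// make sure URL has scheme prepended, to make parse_url() understand..
+$url_string = 'https://' . str_replace([ 'http://', 'https://' ], '', $url_string);
+
+// get just the path
+$url_string = parse_url($url_string, PHP_URL_PATH);
+}
+
+return $url_string;
 }
 
 /**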
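Review bot: `parse_url($url_string, PHP_URL_PATH)` in the restored `sanitize_url()` returns `null` when the URL has no path component (a bare host such as `example.com`) and `false` when the URL is seriously malformed, so the method can hand a non-string back to the settings sanitizer instead of a path. The pattern also matches a relative value that is just a dotted name (for example `contact.html`), which is then treated as a host and loses its path the same way. Suggest falling back to the root: `$path = parse_url($url_string, PHP_URL_PATH);` followed by `$url_string = (is_string($path) && $path !== '') ? $path : '/';`. Protocol-relative input (`//host/path`) does not match the pattern and is returned unchanged, which the removed helper used to handle; worth confirming that is intended.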

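--- a/src/class-loader.php
+++ b/src/class-loader.php
@@ -112,7 +112,7 @@ protected function match_patterns($string, array $patterns, $contains = false)
 */
 protected function get_request_url()
 {
-return \boxzilla_normalize_relative_url(isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/');
+return rtrim($_SERVER['REQUEST_URI'] ?? '', '/');
 }
 
 /**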
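Review bot: The new `get_request_url()` returns an empty string for a request to the site root and keeps the client-supplied query string, while `sanitize_url()` in src/admin/class-admin.php stores `'/'` for an empty rule, and nothing in the hunk states which form `match_patterns()` expects. `match_patterns()` and the start of this method's docblock are outside the hunk, so whether patterns are trimmed the same way cannot be confirmed from here. Suggest recording the contract in the docblock, e.g. `Raw REQUEST_URI including query string; trailing slash trimmed, so "/" becomes "".`, or, if patterns are compared untrimmed, returning `'/'` when the trimmed value is empty.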

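--- a/src/functions.php
+++ b/src/functions.php
@@ -20,67 +20,3 @@ function boxzilla()
 return $instance;
 }
 
-/**
-* Normalize a relative URL for Boxzilla rule storage and matching.
-*
-* @param string $url_string
-*
-* @return string
-*/
-function boxzilla_normalize_relative_url($url_string)
-{
-$url_string = trim((string) $url_string);
-if ($url_string === '') {
-return '/';
-}
-
-if (strpos($url_string, '//') === 0) {
-$url_string = 'https:' . $url_string;
-} elseif (preg_match('/^[\w.-]+\.[a-z]{2,}(?:[\/?#]|$)/i', $url_string)) {
-$url_string = 'https://' . $url_string;
-}
-
-$parts = wp_parse_url($url_string);
-if (! is_array($parts)) {
-return '/';
-}
-
-$path = isset($parts['path']) ? $parts['path'] : '/';
-$path = '/' . ltrim((string) $path, '/');
-$path = untrailingslashit($path);
-if ($path === '') {
-$path = '/';
-}
-
-if (empty($parts['query'])) {
-return $path;
-}
-
-parse_str($parts['query'], $query_args);
-if (empty($query_args)) {
-return $path;
-}
-
-$tracking_keys = [
-'_ga',
-'_gl',
-'dclid',
-'fbclid',
-'gclid',
-'mc_cid',
-'mc_eid',
-'msclkid',
-];
-
-foreach (array_keys($query_args) as $key) {
-if (strpos($key, 'utm_') === 0 || in_array($key, $tracking_keys, true)) {
-unset($query_args[ $key ]);
-}
-}
-
-if (empty($query_args)) {
-return $path;
-}
-
-return $path . '?' . build_query($query_args);
-}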
