-
Notifications
You must be signed in to change notification settings - Fork 100
/
Copy pathclass-wp-https-ui.php
379 lines (340 loc) · 11.6 KB
/
class-wp-https-ui.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
<?php
/**
* WP_HTTPS_UI class.
*
* @package PWA
*/
/**
* WP_HTTPS_UI class.
*/
class WP_HTTPS_UI {
/**
* The option group, indicating that this UI should be on the 'General Settings' page.
*
* @var string
*/
const OPTION_GROUP = 'general';
/**
* The option name to upgrade to https.
*
* @var string
*/
const UPGRADE_HTTPS_OPTION = 'should_upgrade_https';
/**
* The expected value if the option is enabled.
*
* @var string
*/
const OPTION_CHECKED_VALUE = '1';
/**
* The ID of the HTTPS settings section.
*
* @var string
*/
const HTTPS_SETTING_ID = 'wp_upgrade_https';
/**
* The maximum number of URLs that show initially, before clicking 'Show more'.
*
* @var int
*/
const NUMBER_INITIAL_URLS = 4;
/**
* The number of URLs in each <ul>, which display on clicking 'Show more'.
*
* @var string
*/
const NUMBER_URLS_IN_EACH_UL = 10;
/**
* The max character length of the URL, after which it will be truncated with an ellipsis.
*
* @var int
*/
const MAX_URL_LENGTH = 75;
/**
* The instance of WP_HTTPS_Detection.
*
* @var WP_HTTPS_Detection
*/
public $wp_https_detection;
/**
* WP_HTTPS_UI constructor.
*
* @param WP_HTTPS_Detection $wp_https_detection An instance of WP_HTTPS_Detection.
*/
public function __construct( $wp_https_detection ) {
$this->wp_https_detection = $wp_https_detection;
}
/**
* Initializes the object.
*/
public function init() {
add_action( 'admin_init', array( $this, 'init_admin' ) );
add_action( 'init', array( $this, 'filter_site_url_and_home' ) );
add_action( 'init', array( $this, 'filter_header' ) );
add_action( 'template_redirect', array( $this, 'conditionally_redirect_to_https' ), 11 ); // At 11 to run after redirect_canonical().
}
/**
* Initializes the admin tasks.
*/
public function init_admin() {
$this->register_settings();
$this->add_settings_field();
}
/**
* Registers the HTTPS settings.
*/
public function register_settings() {
register_setting(
self::OPTION_GROUP,
self::UPGRADE_HTTPS_OPTION,
array(
'type' => 'boolean',
'sanitize_callback' => 'rest_sanitize_boolean',
)
);
}
/**
* Adds a settings field to the 'General Settings' page.
*
* Only add this if the site can support HTTPS,
* but the home and siteurl option values are not HTTPS (WordPress Address and Site Address).
* This UI would not apply if those URLs are already HTTPS.
*/
public function add_settings_field() {
add_settings_field(
self::HTTPS_SETTING_ID,
__( 'HTTPS', 'pwa' ),
array( $this, 'render_https_settings' ),
self::OPTION_GROUP
);
}
/**
* Renders the HTTPS settings in /wp-admin on the General Settings page.
*/
public function render_https_settings() {
$https_support = get_option( WP_HTTPS_Detection::HTTPS_SUPPORT_OPTION_NAME );
if ( empty( $https_support ) ) {
return;
}
$upgrade_https_value = (bool) get_option( self::UPGRADE_HTTPS_OPTION );
$https_more_details = sprintf(
'<a href="%s">%s</a>',
esc_url( __( 'https://make.wordpress.org/support/user-manual/web-publishing/https-for-wordpress/', 'pwa' ) ),
esc_html__( 'More details', 'pwa' )
);
?>
<p class="description">
<?php
echo wp_kses_post(
sprintf(
/* translators: %s: a link for more details */
__( 'HTTPS is essential to securing your WordPress site, we strongly suggest upgrading to it. %s', 'pwa' ),
$https_more_details
)
);
?>
</p>
<?php if ( is_wp_error( $https_support ) ) : ?>
<?php foreach ( $https_support->get_error_messages() as $error_message ) : ?>
<div class="notice notice-error inline">
<p>
<?php echo esc_html( $error_message ); ?>
</p>
</div>
<?php endforeach; ?>
<?php endif; ?>
<p>
<label>
<input name="<?php echo esc_attr( self::UPGRADE_HTTPS_OPTION ); ?>" type="checkbox" <?php checked( $upgrade_https_value ); ?> value="<?php echo esc_attr( self::OPTION_CHECKED_VALUE ); ?>">
<?php esc_html_e( 'Force secure connections', 'pwa' ); ?>
</label>
</p>
<script>
( function ( $ ) {
// Move this UI under the Site Address (URL) <tr> on the General Settings page.
$( 'input[name=<?php echo self::UPGRADE_HTTPS_OPTION; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>]' ).parents( 'tr' ).insertAfter( $( 'label[for=home]' ).parents( 'tr') );
} )( jQuery );
</script>
<?php
$all_insecure_urls = get_option( WP_HTTPS_Detection::INSECURE_CONTENT_OPTION_NAME );
$total_urls_count = is_array( $all_insecure_urls ) && ! empty( $all_insecure_urls ) ? count( $all_insecure_urls ) : 0;
// Exit if there is no insecure URL to display.
if ( ! $total_urls_count ) {
return;
}
$insecure_content_id = 'insecure-content';
$show_more_button_id = 'view-urls';
$insecure_urls_class = 'insecure-urls';
$description = sprintf(
/* translators: %s is a link for more details */
__( 'We found content on your site that wasn't loading correctly over HTTPS. While we will try to fix these links automatically, you might check to be sure your pages work as expected. %s', 'pwa' ),
sprintf(
'<a href="%s">%s</a>',
esc_url( __( 'https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content/How_to_fix_website_with_mixed_content', 'pwa' ) ),
esc_html__( 'More details', 'pwa' )
)
);
/*
* Add class="hidden" to this <div> if the 'HTTPS Upgrade' checkbox isn't checked.
* This insecure content UI does not apply if the user isn't upgrading to HTTPS,
* as there will be no need to upgrade insecure requests.
*/
?>
<div id="<?php echo esc_attr( $insecure_content_id ); ?>" <?php echo ! $upgrade_https_value ? 'class="hidden"' : ''; ?>>
<p class="description">
<?php echo wp_kses_post( $description ); ?>
</p>
<ul class="<?php echo esc_attr( $insecure_urls_class ); ?>">
<?php
for ( $i = 0; $i < self::NUMBER_INITIAL_URLS; $i++ ) :
if ( ! isset( $all_insecure_urls[ $i ] ) ) :
break;
endif;
$url = $all_insecure_urls[ $i ];
$truncated_url = $this->get_truncated_url( $url );
?>
<li><a href="<?php echo esc_attr( $url ); ?>"><?php echo esc_html( $truncated_url ); ?></a></li>
<?php endfor; ?>
</ul>
<?php
// Output the <ul> elements that display on clicking 'Show more'.
while ( isset( $all_insecure_urls[ $i ] ) ) :
?>
<ul class="<?php echo esc_attr( $insecure_urls_class ); ?> hidden">
<?php
for ( $j = 0; $j < self::NUMBER_URLS_IN_EACH_UL; $j++ ) :
if ( ! isset( $all_insecure_urls[ $i ] ) ) {
break;
}
$url = $all_insecure_urls[ $i++ ];
$truncated_url = $this->get_truncated_url( $url );
?>
<li><a href="<?php echo esc_attr( $url ); ?>"><?php echo esc_html( $truncated_url ); ?></a></li>
<?php endfor; ?>
</ul>
<?php endwhile; ?>
<?php if ( $total_urls_count > self::NUMBER_INITIAL_URLS ) : ?>
<button id="<?php echo esc_attr( $show_more_button_id ); ?>" class="button button-secondary"><?php esc_html_e( 'Show more', 'pwa' ); ?></button>
<?php endif; ?>
</div>
<script>
( function ( $ ) {
// On checking 'Upgrade to secure connection,' toggle the display of the insecure URLs, as they don't apply unless it's checked.
$( 'input[type=checkbox][name="<?php echo esc_attr( self::UPGRADE_HTTPS_OPTION ); ?>"]' ).on( 'change', function() {
$( <?php echo wp_json_encode( "#$insecure_content_id" ); ?> ).toggleClass( 'hidden' );
} );
$( '#<?php echo esc_attr( $show_more_button_id ); ?>' ).on( 'click', function( event ) {
event.preventDefault();
$( <?php echo wp_json_encode( ".$insecure_urls_class.hidden" ); ?> ).first().removeClass( 'hidden' );
// If there are no more insecure URLs that are hidden, hide the 'Show more' button.
if ( ! $( <?php echo wp_json_encode( ".$insecure_urls_class.hidden" ); ?> ).length ) {
$( this ).addClass( 'hidden' );
}
} );
} )( jQuery );
</script>
<style>
.<?php echo $insecure_urls_class; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?> {
margin: 0 0 0 5px;
}
.<?php echo $insecure_urls_class; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?> li {
padding: 4px 0;
margin-bottom: 0;
}
.<?php echo $insecure_urls_class; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?> li:nth-child(odd) {
background: rgba(255,255,255,0.6);
}
#<?php echo $show_more_button_id; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?> {
margin-top: 10px;
}
#<?php echo $insecure_content_id; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?> .description {
margin: 20px 0;
}
</style>
<?php
}
/**
* Gets the URL, which is truncated with an ellipsis if it goes over the maximum character length.
*
* @param string $url URL The URL to truncate.
* @return string $url The processed URL.
*/
public function get_truncated_url( $url ) {
if ( strlen( $url ) <= self::MAX_URL_LENGTH ) {
return $url;
}
return substr( $url, 0, self::MAX_URL_LENGTH ) . '…';
}
/**
* Conditionally filters the 'siteurl' and 'home' values from the wp-config and options.
*
* Note that these run at priority 11 so that they apply after _config_wp_home().
*/
public function filter_site_url_and_home() {
if ( get_option( self::UPGRADE_HTTPS_OPTION ) && ! $this->wp_https_detection->is_currently_https() ) {
add_filter( 'option_home', array( $this, 'convert_to_https' ), 11 );
add_filter( 'option_siteurl', array( $this, 'convert_to_https' ), 11 );
}
}
/**
* Converts a URL from HTTP to HTTPS.
*
* @param string $url The URL to convert.
* @return string $url The converted URL.
*/
public function convert_to_https( $url ) {
return preg_replace( '#^http(?=://)#', 'https', $url );
}
/**
* Conditionally filters the header, to add an Upgrade-Insecure-Requests value.
*
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests
*/
public function filter_header() {
if ( get_option( self::UPGRADE_HTTPS_OPTION ) ) {
add_filter( 'wp_headers', array( $this, 'upgrade_insecure_requests' ) );
}
}
/**
* Adds an Upgrade-Insecure-Requests header.
*
* Upgrades all insecure requests to HTTPS, like scripts and images.
* There's no fallback if the upgraded HTTPS request fails.
*
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests
* @param array $headers The response headers.
* @return array $headers The filtered response headers.
*/
public function upgrade_insecure_requests( $headers ) {
$headers['Content-Security-Policy'] = 'upgrade-insecure-requests';
return $headers;
}
/**
* Conditionally redirects HTTP requests to HTTPS.
*
* @see redirect_canonical() This runs when accessing a post permalink over HTTP.
*/
public function conditionally_redirect_to_https() {
$do_redirect = (
! is_ssl()
&&
get_option( self::UPGRADE_HTTPS_OPTION ) // The checkbox to upgrade to HTTPS is checked.
&&
get_option( WP_HTTPS_Detection::HTTPS_SUPPORT_OPTION_NAME ) // The last loopback request to check for HTTPS succeeded.
&&
isset( $_SERVER['REQUEST_URI'] )
&&
( 'cli' !== php_sapi_name() || class_exists( 'WP_UnitTestCase' ) )
);
if ( $do_redirect ) {
$parsed_url = wp_parse_url( home_url( '/', 'https' ) );
$url = $parsed_url['scheme'] . '://' . $parsed_url['host'];
if ( isset( $parsed_url['port'] ) ) {
$url .= ':' . $parsed_url['port'];
}
$url .= wp_unslash( $_SERVER['REQUEST_URI'] );
wp_safe_redirect( $url, 302 ); // Temporary redirect. @todo Make permanent.
exit;
}
}
}