Changeset 3428251

Timestamp:

12/27/2025 01:30:40 PM (3 months ago)

Author:

butterflymedia

Message:

Add UI toggle for Obfuscated Script Cleaner aggressive filtering (off by default). Also, the Obfuscated Script Cleaner is now less aggressive: only removes detected malicious scripts, not all HTML.

Location:

wp-guardian/trunk

Files:

• assets/templates/guardian-security-measures.php (modified) (3 diffs)
• modules/obfuscated-script-cleaner.php (modified) (3 diffs)
• readme.txt (modified) (2 diffs)
• wp-guardian.php (modified) (2 diffs)

wp-guardian/trunk/assets/templates/guardian-security-measures.php

@@ -9 +9 @@
         echo '<div class="error notice is-dismissible"><p>' . esc_html__( 'Security check failed. Settings not saved.', 'wp-guardian' ) . '</p></div>';
     } else {
+
         $measures = [
             'restrict_file_access',
@@ -31 +32 @@
         }
 
+        // Handle Obfuscated Script Cleaner aggressive filter toggle
+        $osc_aggressive = isset( $_POST['dtjwpg_osc_aggressive_filter'] ) ? 1 : 0;
+        update_option( 'dtjwpg_osc_aggressive_filter', $osc_aggressive );
+
         // Apply PHP execution hardening for wp-content and wp-includes
         if ( isset( $_POST['dtjwpg_security_measure_prevent_php_execution'] ) && (int) $_POST['dtjwpg_security_measure_prevent_php_execution'] === 1 ) {
@@ -54 +59 @@
             <tr>
                 <th scope="row">
+                    <label for="dtjwpg_osc_aggressive_filter"><?php esc_html_e( 'Obfuscated Script Cleaner: Aggressive Filtering', 'wp-guardian' ); ?></label>
+                </th>
+                <td>
+                    <input type="checkbox" value="1" id="dtjwpg_osc_aggressive_filter" name="dtjwpg_osc_aggressive_filter" <?php checked( 1, (int) get_option( 'dtjwpg_osc_aggressive_filter', 0 ) ); ?>>
+                    <p class="description">
+                        <?php esc_html_e( 'If enabled, all HTML will be stripped from post/page content when malicious patterns are detected. If disabled (recommended), only the detected malicious scripts will be removed and normal HTML will be preserved.', 'wp-guardian' ); ?>
+                    </p>
+                </td>
+            </tr>
+        </tbody>
+        <tbody>
+            <tr>
+                <th scope="row">
                     <label><?php esc_html_e( 'Restrict access to files and directories', 'wp-guardian' ); ?></label>
                 </th>

wp-guardian/trunk/modules/obfuscated-script-cleaner.php

@@ -84 +84 @@
     ];
 
+    // Build the SQL with the correct number of placeholders, and pass post types as variadic args (splat operator)
     $placeholders = implode( ',', array_fill( 0, count( $post_types ), '%s' ) );
+    $sql          = "SELECT ID, post_type, post_content, post_excerpt FROM {$wpdb->posts} WHERE post_type IN ($placeholders)";
+    // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+    $posts = $wpdb->get_results( $wpdb->prepare( $sql, ...$post_types ) );
 
-    $sql = $wpdb->prepare(
-        "
-        SELECT ID, post_type, post_content, post_excerpt
-        FROM {$wpdb->posts}
-        WHERE post_type IN ($placeholders)
-        ",
-        $post_types
-    );
-
-    $posts   = $wpdb->get_results( $sql );
     $cleaned = 0;
 
@@ -135 +129 @@
 
     echo '<div class="notice notice-success"><p>';
+    // translators: %d: Number of cleaned items.
     echo esc_html( sprintf( __( 'Cleaning complete. %d items cleaned.', 'wp-guardian' ), $cleaned ) );
     echo '</p></div>';
@@ -142 +137 @@
  * Filter to block malicious content on save
  */
+
+// Add a setting to toggle aggressive filtering (off by default)
+if ( false === get_option( 'dtjwpg_osc_aggressive_filter', false ) ) {
+    add_option( 'dtjwpg_osc_aggressive_filter', 0 );
+}
+
 add_filter(
     'content_save_pre',
     function ( $content ) {
+        $aggressive = (int) get_option( 'dtjwpg_osc_aggressive_filter', 0 );
         if ( preg_match( '/_0x[a-f0-9]{3,}|urshort\.live|atob|eval/i', $content ) ) {
             error_log( 'Blocked malicious content save' );
-            return wp_strip_all_tags( $content );
+            if ( $aggressive ) {
+                // Strip all HTML (aggressive)
+                return wp_strip_all_tags( $content );
+            } else {
+                // Only remove the detected malicious scripts, keep other HTML
+                $patterns = [
+                    '#<script[^>]*>.*?(_0x[a-f0-9]{3,}|urshort\.live|atob|eval).*?</script>#is',
+                ];
+                foreach ( $patterns as $pattern ) {
+                    $content = preg_replace( $pattern, '', $content );
+                }
+                return $content;
+            }
         }
         return $content;

wp-guardian/trunk/readme.txt

@@ -7 +7 @@
 Requires PHP: 7.0
 Requires CP: 2.0
-Stable tag: 1.7.3
+Stable tag: 1.8.0
 License: GPLv3 or later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
@@ -43 +43 @@
 
 == Changelog ==
+
+= 1.8.0 =
+* Add UI toggle for Obfuscated Script Cleaner aggressive filtering (off by default)
+* Obfuscated Script Cleaner is now less aggressive: only removes detected malicious scripts, not all HTML
+* Fix: HTML is no longer stripped from post/page content unless aggressive mode is enabled
 
 = 1.7.3 =

wp-guardian/trunk/wp-guardian.php

@@ -4 +4 @@
  * Plugin URI: https://getbutterfly.com/wordpress-plugins/wp-guardian/
  * Description: An easy way to harden your website's security effectively.
- * Version: 1.7.3
+ * Version: 1.8.0
  * Author: Ciprian Popescu
  * Author URI: https://getbutterfly.com/
@@ -33 +33 @@
 }
 
-define( 'DTJWPG_VERSION', '1.7.3' );
+define( 'DTJWPG_VERSION', '1.8.0' );
 define( 'DTJWPG_URL', __FILE__ );
 define( 'DTJWPG_BASENAME', plugin_basename( DTJWPG_URL ) );