├── changelog.md
├── css
    ├── settings.css
    └── tests.css
├── images
    └── ajax-loader.gif
├── includes
    ├── class.SSLInsecureContentFixer.php
    ├── class.SSLInsecureContentFixerAdmin.php
    └── nonces.php
├── js
    ├── admin-settings.js
    ├── admin-settings.min.js
    ├── admin-tests.js
    └── admin-tests.min.js
├── nowp
    ├── .htaccess
    └── ajax.php
├── readme.md
├── readme.txt
├── ssl-insecure-content-fixer.php
└── views
    ├── requires-extensions.php
    ├── requires-pcre.php
    ├── script-force-https.php
    ├── settings-fields-common.php
    ├── settings-form-network.php
    ├── settings-form.php
    └── ssl-tests.php


/changelog.md:
--------------------------------------------------------------------------------
  1 | # SSL Insecure Content Fixer
  2 | 
  3 | ## Changelog
  4 | 
  5 | ### 2.7.2, 2018-12-04
  6 | 
  7 | * fixed: was missing some hard-coded link elements (e.g. stylesheets) when href was the first attribute
  8 | 
  9 | ### 2.7.1, 2018-11-21
 10 | 
 11 | * tested: WordPress 5.0
 12 | 
 13 | ### 2.7.0, 2018-06-30
 14 | 
 15 | * added: fix for responsive images loaded by JavaScript from image data attributes
 16 | * fixed: call to undefined function `hash_equals()` on environments with obsolete PHP versions (i.e. < 5.6)
 17 | * fixed: don't run the fixer when a WooCommerce download request is detected
 18 | 
 19 | ### 2.6.0, 2018-05-08
 20 | 
 21 | * added: new filter `ssl_insecure_content_pcre_version_permissive` allowing sites that can't update PCRE beyond 7.2 to function
 22 | * added: fix for plugins / themes overriding avatars and breaking them with insecure content
 23 | * changed: no longer sets a cookie on test or settings pages
 24 | 
 25 | ### 2.5.0, 2017-11-23
 26 | 
 27 | * changed: .htaccess rules file for non-WP test script now supports Apache v2.4; thanks, [Andreas Schneider](https://github.com/cryptomilk)!
 28 | * added: option to only fix content resource links for the current website; thanks, [Luke Driscoll](https://github.com/ldriscoll)!
 29 | * added: support for KeyCDN https detection via the X-Forwarded-Scheme header
 30 | 
 31 | ### 2.4.0, 2017-05-14
 32 | 
 33 | * fixed: don't capture content on admin pages when mode is Capture or Capture All
 34 | * added: filter `ssl_insecure_content_disable_capture` for disabling Capture mode on selected pages / scripts
 35 | 
 36 | ### 2.3.0, 2017-05-01
 37 | 
 38 | * added: support for Windows Azure with ARR
 39 | * added: filter `ssl_insecure_content_domain_exclusions` for domains that can be excluded from content cleaning (ignored for enqueued scripts)
 40 | 
 41 | ### 2.2.3, 2017-02-01
 42 | 
 43 | * fixed: breaks Visual Composer back end editing due to a regular expression problem (now you have two!)
 44 | * changed: Capture no longer captures AJAX requests; new mode Capture All introduced to capture AJAX requests too
 45 | * added: prerequisites check, to ensure that plugin can run successfully
 46 | 
 47 | ### 2.2.2, 2017-01-21
 48 | 
 49 | * fixed: make protocol header tests case-insensitive (thanks, [waja](https://github.com/waja)!)
 50 | * added: support for Amazon CloudFront `CloudFront-Forwarded-Proto` header (thanks, [gmazovec](https://github.com/gmazovec)!)
 51 | * added: clean up responsive image srcset links to external images (WordPress already handles local images)
 52 | 
 53 | ### 2.2.1, 2016-11-19
 54 | 
 55 | * fixed: improve accessibility of admin pages
 56 | * removed: update message display forced on multisite; just leave that for WordPress to handle (it does it so well)
 57 | 
 58 | ### 2.2.0, 2016-09-09
 59 | 
 60 | * added: stop WooCommerce cached widgets from http showing on https
 61 | * added: fix Gravity Forms confirmation content
 62 | 
 63 | ### 2.1.6, 2016-02-02
 64 | 
 65 | * fixed: malware warning with GOTMLS vulnerability scanner
 66 | 
 67 | ### 2.1.5, 2015-12-12
 68 | 
 69 | * changed: remove some more clutter from server environment report in tests
 70 | * removed: translations no longer in zip file; now delivered automatically as language packs when required
 71 | 
 72 | ### 2.1.4, 2015-10-24
 73 | 
 74 | * added: French translation (thanks, Houzepha Taheraly!)
 75 | * added: can define `SSLFIX_PLUGIN_NO_HTTPS_DETECT` in wp-config.php to prevent the proxy fix, e.g. to overcome plugin conflicts
 76 | * added: fix inline CSS background image rules, e.g. in Capture level
 77 | * added: indicate whether WordPress HTTPS detection is successful with tick/cross
 78 | 
 79 | ### 2.1.3, 2015-10-05
 80 | 
 81 | * added: Chinese (simplified) translation (thanks, [漠伦](https://molun.net/)!)
 82 | 
 83 | ### 2.1.2, 2015-09-05
 84 | 
 85 | * fixed: HTTPS detection for host 123-reg
 86 | 
 87 | ### 2.1.1, 2015-08-11
 88 | 
 89 | * fixed: HTTPS detection doesn't work unless SSL Tests page was just visited
 90 | * added: show update notice on plugin admin page
 91 | 
 92 | ### 2.1.0, 2015-07-30
 93 | 
 94 | * **SECURITY FIX**: restrict access to AJAX test script; don't disclose server environment with system information
 95 | * changed: always show server environment on test results
 96 | * added: Bulgarian translation (thanks, [Ivan Arnaudov](https://www.bvionline.eu/)!)
 97 | * added: .htaccess file for AJAX SSL Tests, fixes conflict with some security plugins
 98 | 
 99 | ### 2.0.0, 2015-07-26
100 | 
101 | * changed: handle media loaded by calling `wp_get_attachment_image()`, `wp_get_attachment_image_src()`, etc. via AJAX
102 | * changed: in multisite, test tools (and settings) are only available to super admins
103 | * added: settings page for controlling behaviour
104 | * added: Simple, Content, Widgets, Capture, and Off modes for fixes
105 | * added: fix for [WooCommerce + Google Chrome HTTP_HTTPS bug](https://github.com/woothemes/woocommerce/issues/8479) (fixed in WooCommerce v2.3.13)
106 | * added: load translation (if anyone fancies [supplying some](https://translate.wordpress.org/projects/wp-plugins/ssl-insecure-content-fixer)!)
107 | 
108 | ### 1.8.0, 2014-02-02
109 | 
110 | * changed: use script/style source filters instead of iterating over script/style dependency objects
111 | * changed: only handle links for `wp_get_attachment_image()`, `wp_get_attachment_image_src()`, etc. on front end (i.e. not in admin)
112 | * changed: refactor for code simplification
113 | * added: fix data returned from `wp_upload_dir()` (fixes Contact Form 7 CAPTCHA images)
114 | * added: Tools menu link to `is_ssl()` test
115 | 
116 | ### 1.7.1, 2013-03-13
117 | 
118 | * fixed: is_ssl() test checks to ensure test page was actually loaded via HTTPS
119 | 
120 | ### 1.7.0, 2013-03-13
121 | 
122 | * added: simple test to see whether [is_ssl()](https://codex.wordpress.org/Function_Reference/is_ssl) is working, and try to diagnose when it isn't
123 | 
124 | ### 1.6.0, 2013-01-05
125 | 
126 | * added: handle images and other media loaded by calling `wp_get_attachment_image()`, `wp_get_attachment_image_src()`, etc.
127 | 
128 | ### 1.5.0, 2012-11-09
129 | 
130 | * added: handle properly enqueued admin stylesheets for admin over HTTPS
131 | 
132 | ### 1.4.1, 2012-09-21
133 | 
134 | * fixed: handle uppercase links properly (i.e. HTTP://)
135 | 
136 | ### 1.4.0, 2012-09-13
137 | 
138 | * added: fix for images loaded by [image-widget](https://wordpress.org/plugins/image-widget/)
139 | 
140 | ### 1.3.0, 2012-07-22
141 | 
142 | * removed: fix for links-shortcode (fixed in v1.3)
143 | 
144 | ### 1.2.0, 2012-07-21
145 | 
146 | * removed: fix for youtube-feeder (fixed in v2.0.0); NB: v2.0.0 of that plugin still loads Youtube videos over http, so you will still get insecure content errors on pages with embedded videos until plugin author applies a fix.
147 | 
148 | ### 1.1.0, 2012-05-17
149 | 
150 | * added: fix for youtube-feeder stylesheet
151 | 
152 | ### 1.0.0, 2012-04-19
153 | 
154 | * initial release
155 | 


--------------------------------------------------------------------------------
/css/settings.css:
--------------------------------------------------------------------------------
 1 | #sslfix-levels label {
 2 | 	font-weight: bold;
 3 | }
 4 | 
 5 | .sslfix-level-desc {
 6 | 	padding: 0.5em 2em 0 2em;
 7 | }
 8 | 
 9 | .sslfix-bullets {
10 | 	list-style: disc;
11 | 	padding: 0.5em 3em;
12 | }
13 | 
14 | .sslfix-recommended {
15 | 	font-weight: bold;
16 | }
17 | 
18 | .sslfix-recommended span {
19 | 	padding: 0 2em;
20 | 	color: red;
21 | }
22 | 
23 | #sslfix-https-detection.dashicons-yes {
24 | 	color: green;
25 | }
26 | 
27 | #sslfix-https-detection.dashicons-no {
28 | 	color: red;
29 | }
30 | 


--------------------------------------------------------------------------------
/css/tests.css:
--------------------------------------------------------------------------------
 1 | .sslfix-test-result,
 2 | #sslfix-test-result-head {
 3 | 	display: none;
 4 | }
 5 | 
 6 | #sslfix-https-detection.dashicons-yes {
 7 | 	color: green;
 8 | }
 9 | 
10 | #sslfix-https-detection.dashicons-no {
11 | 	color: red;
12 | }
13 | 


--------------------------------------------------------------------------------
/images/ajax-loader.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/webaware/ssl-insecure-content-fixer/b1ab808c38775836c9c5ba4f563cbed884d0aae1/images/ajax-loader.gif


--------------------------------------------------------------------------------
/includes/class.SSLInsecureContentFixer.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | if (!defined('ABSPATH')) {
  4 | 	exit;
  5 | }
  6 | 
  7 | /**
  8 | * class for managing the plugin
  9 | */
 10 | class SSLInsecureContentFixer {
 11 | 
 12 | 	public $options							= false;
 13 | 	public $network_options					= false;
 14 | 
 15 | 	protected $domain_exclusions			= false;
 16 | 	protected $process_only_site			= false;
 17 | 
 18 | 	/**
 19 | 	* static method for getting the instance of this singleton object
 20 | 	* @return self
 21 | 	*/
 22 | 	public static function getInstance() {
 23 | 		static $instance = null;
 24 | 
 25 | 		if (is_null($instance)) {
 26 | 			$instance = new self();
 27 | 		}
 28 | 
 29 | 		return $instance;
 30 | 	}
 31 | 
 32 | 	/**
 33 | 	* hook into WordPress
 34 | 	*/
 35 | 	private function __construct() {
 36 | 		$this->loadOptions();
 37 | 		$this->proxyFix();
 38 | 		$this->configureSiteOnly();
 39 | 
 40 | 		add_action('init', array($this, 'loadTranslations'));
 41 | 
 42 | 		if ($this->allowFixer()) {
 43 | 			add_action('init', array($this, 'runFilters'), 4);
 44 | 
 45 | 			// filter script and stylesheet links
 46 | 			add_filter('script_loader_src', 'ssl_insecure_content_fix_url');
 47 | 			add_filter('style_loader_src', 'ssl_insecure_content_fix_url');
 48 | 
 49 | 			// filter uploads dir so that plugins using it to determine upload URL also work
 50 | 			add_filter('upload_dir', array(__CLASS__, 'uploadDir'));
 51 | 
 52 | 			// catch plugins / themes overriding the user's avatar and breaking it
 53 | 			add_filter('get_avatar', array($this, 'fixContent'), 9999);
 54 | 
 55 | 			// filter image links on front end e.g. in calls to wp_get_attachment_image(), wp_get_attachment_image_src(), etc.
 56 | 			if (!is_admin() || $this->isAjax()) {
 57 | 				add_filter('wp_get_attachment_url', 'ssl_insecure_content_fix_url', 100);
 58 | 			}
 59 | 
 60 | 			switch ($this->options['fix_level']) {
 61 | 
 62 | 				// handle Content fix level
 63 | 				case 'content':
 64 | 					add_filter('the_content', array($this, 'fixContent'), 9999);		// also for fix_level 'widget'
 65 | 					add_filter('widget_text', array($this, 'fixContent'), 9999);		// not for fix_level 'widget' (no need to duplicate effort)
 66 | 					break;
 67 | 
 68 | 				// handle Widget fix level
 69 | 				case 'widgets':
 70 | 					add_filter('the_content', array($this, 'fixContent'), 9999);		// also for fix_level 'content'
 71 | 					add_action('dynamic_sidebar_before', array($this, 'fixWidgetsStart'), 9999, 2);
 72 | 					add_action('dynamic_sidebar_after', array($this, 'fixWidgetsEnd'), 9999, 2);
 73 | 					break;
 74 | 
 75 | 				// handle Capture fix level (excludes AJAX calls)
 76 | 				case 'capture':
 77 | 					if (!is_admin() && !$this->isAjax()) {
 78 | 						add_action('init', array($this, 'fixCaptureStart'), 5);
 79 | 					}
 80 | 					break;
 81 | 
 82 | 				// handle Capture All fix level (even AJAX calls)
 83 | 				case 'capture_all':
 84 | 					if (!is_admin() || $this->isAjaxNotExcluded()) {
 85 | 						add_action('init', array($this, 'fixCaptureStart'), 5);
 86 | 					}
 87 | 					break;
 88 | 
 89 | 			}
 90 | 
 91 | 			// handle some specific plugins
 92 | 			if (!empty($this->options['fix_specific'])) {
 93 | 				add_action('wp_print_styles', array($this, 'fixSpecific'), 100);
 94 | 			}
 95 | 
 96 | 			// filter WooCommerce cached widget ID if base site is not https
 97 | 			if (stripos(get_option('home'), 'http://') === 0) {
 98 | 				add_filter('woocommerce_cached_widget_id', array(__CLASS__, 'woocommerceWidgetID'));
 99 | 			}
100 | 
101 | 			// filter Gravity Forms confirmation content
102 | 			add_filter('gform_confirmation', array($this, 'fixContent'));
103 | 
104 | 			// filter plugin Image Widget old-style image links
105 | 			add_filter('image_widget_image_url', 'ssl_insecure_content_fix_url');
106 | 		}
107 | 
108 | 		if (is_admin()) {
109 | 			require SSLFIX_PLUGIN_ROOT . 'includes/class.SSLInsecureContentFixerAdmin.php';
110 | 			new SSLInsecureContentFixerAdmin();
111 | 		}
112 | 	}
113 | 
114 | 	/**
115 | 	* see whether the fixer should be run for this request
116 | 	* @return bool
117 | 	*/
118 | 	protected function allowFixer() {
119 | 		// do nothing if fixer is turned off
120 | 		if ($this->options['fix_level'] === 'off') {
121 | 			return false;
122 | 		}
123 | 
124 | 		// don't mess with WooCommerce downloads
125 | 		if (isset($_GET['download_file']) && isset($_GET['order']) && (isset($_GET['email']) || isset($_GET['uid']))) {
126 | 			// but ensure that WooCommerce is active and will handle this request
127 | 			if ($this->isPluginActive('woocommerce/woocommerce.php')) {
128 | 				return false;
129 | 			}
130 | 		}
131 | 
132 | 		return is_ssl();
133 | 	}
134 | 
135 | 	/**
136 | 	* test whether a plugin is active
137 | 	* @param string $plugin
138 | 	* @return bool
139 | 	*/
140 | 	protected function isPluginActive($plugin) {
141 | 		if (is_multisite()) {
142 | 			$plugins = (array) get_site_option('active_sitewide_plugins', array());
143 | 			if (isset($plugins[$plugin])) {
144 | 				return true;
145 | 			}
146 | 		}
147 | 
148 | 		return in_array($plugin, (array) get_option('active_plugins', array()));
149 | 	}
150 | 
151 | 	/**
152 | 	* detect AJAX call
153 | 	* @return bool
154 | 	*/
155 | 	protected function isAjax() {
156 | 		if (function_exists('wp_doing_ajax')) {
157 | 			$is_ajax = wp_doing_ajax();
158 | 		}
159 | 		else {
160 | 			$is_ajax = defined('DOING_AJAX') && DOING_AJAX;
161 | 		}
162 | 
163 | 		return $is_ajax;
164 | 	}
165 | 
166 | 	/**
167 | 	* exclude certain AJAX calls from capture_all
168 | 	* @return bool
169 | 	*/
170 | 	protected function isAjaxNotExcluded() {
171 | 		$is_ajax = $this->isAjax();
172 | 
173 | 		if ($is_ajax) {
174 | 			$exclude = false;
175 | 
176 | 			if (!empty($_REQUEST['action'])) {
177 | 				$exclude = in_array($_REQUEST['action'], array(
178 | 					// some standard WordPress actions
179 | 					'heartbeat',
180 | 
181 | 					// this plugin
182 | 					'sslfix-test-https',
183 | 				));
184 | 			}
185 | 
186 | 			$is_ajax = !apply_filters('ssl_insecure_content_ajax_exclude', $exclude);
187 | 		}
188 | 
189 | 		return $is_ajax;
190 | 	}
191 | 
192 | 	/**
193 | 	* run filters for plugins / themes that register domain exclusions
194 | 	*/
195 | 	public function runFilters() {
196 | 		$domains = apply_filters('ssl_insecure_content_domain_exclusions', array());
197 | 		if (!empty($domains) && is_array($domains)) {
198 | 			$this->domain_exclusions = $domains;
199 | 		}
200 | 	}
201 | 
202 | 	/**
203 | 	* load options for plugin
204 | 	*/
205 | 	protected function loadOptions() {
206 | 		$defaults = array(
207 | 			'fix_level'		=>	'simple',
208 | 			'proxy_fix'		=>	'normal',
209 | 			'fix_specific'	=>	array(
210 | 									'woo_https' => 1
211 | 								),
212 | 		);
213 | 
214 | 		if (is_multisite()) {
215 | 			$this->network_options = get_site_option(SSLFIX_PLUGIN_OPTIONS, $defaults);
216 | 
217 | 			// use network-wide settings as default for individual sites
218 | 			$defaults = $this->network_options;
219 | 		}
220 | 
221 | 		$this->options = get_option(SSLFIX_PLUGIN_OPTIONS, $defaults);
222 | 	}
223 | 
224 | 	/**
225 | 	* check options for required proxy fix
226 | 	*/
227 | 	protected function proxyFix() {
228 | 		// failsafe: allow website owners to force the proxy fix off, in case of conflicts
229 | 		if (defined('SSLFIX_PLUGIN_NO_HTTPS_DETECT') && SSLFIX_PLUGIN_NO_HTTPS_DETECT) {
230 | 			return;
231 | 		}
232 | 
233 | 		if (!empty($this->options['proxy_fix'])) {
234 | 			switch ($this->options['proxy_fix']) {
235 | 
236 | 				case 'HTTP_X_FORWARDED_PROTO':
237 | 					if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
238 | 						$_SERVER['HTTPS'] = 'on';
239 | 					}
240 | 					break;
241 | 
242 | 				case 'HTTP_X_FORWARDED_SSL':
243 | 					if (isset($_SERVER['HTTP_X_FORWARDED_SSL']) && (strtolower($_SERVER['HTTP_X_FORWARDED_SSL']) === 'on' || $_SERVER['HTTP_X_FORWARDED_SSL'] === '1')) {
244 | 						$_SERVER['HTTPS'] = 'on';
245 | 					}
246 | 					break;
247 | 
248 | 				case 'HTTP_CLOUDFRONT_FORWARDED_PROTO':
249 | 					if (isset($_SERVER['HTTP_CLOUDFRONT_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_CLOUDFRONT_FORWARDED_PROTO']) === 'https') {
250 | 						$_SERVER['HTTPS'] = 'on';
251 | 					}
252 | 					break;
253 | 
254 | 				case 'HTTP_CF_VISITOR':
255 | 					if (isset($_SERVER['HTTP_CF_VISITOR']) && strpos($_SERVER['HTTP_CF_VISITOR'], 'https') !== false) {
256 | 						$_SERVER['HTTPS'] = 'on';
257 | 					}
258 | 					break;
259 | 
260 | 				case 'HTTP_X_ARR_SSL':
261 | 					if (!empty($_SERVER['HTTP_X_ARR_SSL'])) {
262 | 						$_SERVER['HTTPS'] = 'on';
263 | 					}
264 | 					break;
265 | 
266 | 				case 'HTTP_X_FORWARDED_SCHEME':
267 | 					if (!empty($_SERVER['HTTP_X_FORWARDED_SCHEME']) && strtolower($_SERVER['HTTP_X_FORWARDED_SCHEME']) === 'https') {
268 | 						$_SERVER['HTTPS'] = 'on';
269 | 					}
270 | 					break;
271 | 
272 | 				case 'detect_fail':
273 | 					// only force-enable https if site is set to run fully on https
274 | 					if (stripos(get_option('siteurl'), 'https://') === 0) {
275 | 						$_SERVER['HTTPS'] = 'on';
276 | 
277 | 						// add JavaScript detection of page protocol, and pray!
278 | 						add_action('wp_print_scripts', array($this, 'scriptForceHTTPS'));
279 | 					}
280 | 					break;
281 | 
282 | 			}
283 | 		}
284 | 
285 | 		if (!empty($this->options['fix_specific']['woo_https'])) {
286 | 			// stop old WooCommerce versions from falsely detecting HTTPS from Google Chrome/Chromium
287 | 			// @link https://woocommerce.wordpress.com/2015/07/07/woocommerce-2-3-13-security-and-maintenance-release/
288 | 			// @link https://github.com/woothemes/woocommerce/issues/8479
289 | 			// @link https://superuser.com/a/943989/473190
290 | 			unset($_SERVER['HTTP_HTTPS']);
291 | 		}
292 | 	}
293 | 
294 | 	/**
295 | 	* if Ignore External Sites is selected, record the http site URL for this website
296 | 	*/
297 | 	protected function configureSiteOnly() {
298 | 		if (!empty($this->options['site_only'])) {
299 | 			$this->process_only_site = site_url('', 'http');
300 | 		}
301 | 	}
302 | 
303 | 	/**
304 | 	* load text translations
305 | 	*/
306 | 	public function loadTranslations() {
307 | 		load_plugin_textdomain('ssl-insecure-content-fixer');
308 | 	}
309 | 
310 | 	/**
311 | 	* fix images, embeds, iframes in content
312 | 	* @param string $content
313 | 	* @return string
314 | 	*/
315 | 	public function fixContent($content) {
316 | 		static $searches = array(
317 | 			'#<(?:img|iframe) .*?src=[\'"]\Khttp://[^\'"]+#i',		// fix image and iframe elements
318 | 			'#<link [^>]*href=[\'"]\Khttp://[^\'"]+#i',				// fix link elements
319 | 			'#<script [^>]*?src=[\'"]\Khttp://[^\'"]+#i',			// fix script elements
320 | 			'#url\([\'"]?\Khttp://[^)]+#i',							// inline CSS e.g. background images
321 | 		);
322 | 		$content = preg_replace_callback($searches, array($this, 'fixContent_src_callback'), $content);
323 | 
324 | 		// fix object embeds
325 | 		static $embed_searches = array(
326 | 			'#<object .*?</object>#is',								// fix object elements, including contained embed elements
327 | 			'#<embed .*?(?:/>|</embed>)#is',						// fix embed elements, not contained in object elements
328 | 			'#<img [^>]*srcset=["\']\K[^"\']+#is',					// responsive image srcset links (to external images; WordPress already handles local images)
329 | 		);
330 | 		$content = preg_replace_callback($embed_searches, array($this, 'fixContent_embed_callback'), $content);
331 | 
332 | 		// fix responsive images with data-* attributes
333 | 		$content = preg_replace_callback('#<img [^>]*data-[^\'"]+=["\'][^>]+#is', array($this, 'fixContent_data_attr_callback'), $content);
334 | 
335 | 		return $content;
336 | 	}
337 | 
338 | 	/**
339 | 	* callback for fixContent() regex replace for URLs
340 | 	* @param array $matches
341 | 	* @return string
342 | 	*/
343 | 	public function fixContent_src_callback($matches) {
344 | 		// support only fixing urls for this website
345 | 		if ($this->process_only_site && stripos($matches[0], $this->process_only_site) !== 0) {
346 | 			return $matches[0];
347 | 		}
348 | 		// allow content URL exclusions for selected domains
349 | 		if (!empty($this->domain_exclusions)) {
350 | 			foreach ($this->domain_exclusions as $domain) {
351 | 				// search for domain name starting after http://
352 | 				if (stripos($matches[0], $domain) === 7) {
353 | 					return $matches[0];
354 | 				}
355 | 			}
356 | 		}
357 | 
358 | 		return 'https' . substr($matches[0], 4);
359 | 	}
360 | 
361 | 	/**
362 | 	* callback for fixContent() regex replace for embeds
363 | 	* @param array $matches
364 | 	* @return string
365 | 	*/
366 | 	public function fixContent_embed_callback($matches) {
367 | 		// match from start of http: URL until either end quotes, space, or query parameter separator, thus allowing for URLs in parameters
368 | 		$content = preg_replace_callback('#http://[^\'"&\? ]+#i', array($this, 'fixContent_src_callback'), $matches[0]);
369 | 
370 | 		return $content;
371 | 	}
372 | 
373 | 	/**
374 | 	* callback for fixContent() regex replace for data attributes on images
375 | 	* @param array $matches
376 | 	* @return string
377 | 	*/
378 | 	public function fixContent_data_attr_callback($matches) {
379 | 		$content = preg_replace_callback('#data-[^\'"]+=[\'"]\Khttp://[^\'"]+#i', array($this, 'fixContent_src_callback'), $matches[0]);
380 | 
381 | 		return $content;
382 | 	}
383 | 
384 | 	/**
385 | 	* start capturing widget zone content to be fixed
386 | 	* @param int|string $index
387 | 	* @param bool $has_widgets
388 | 	*/
389 | 	public function fixWidgetsStart($index, $has_widgets) {
390 | 		if ($has_widgets) {
391 | 			ob_start();
392 | 		}
393 | 	}
394 | 
395 | 	/**
396 | 	* stop capturing widget zone content and fix it
397 | 	* @param int|string $index
398 | 	* @param bool $has_widgets
399 | 	*/
400 | 	public function fixWidgetsEnd($index, $has_widgets) {
401 | 		if ($has_widgets) {
402 | 			echo $this->fixContent(ob_get_clean());
403 | 		}
404 | 	}
405 | 
406 | 	/**
407 | 	* start capturing page for Capture fix level
408 | 	*/
409 | 	public function fixCaptureStart() {
410 | 		// allow hookers to prevent capture
411 | 		if (apply_filters('ssl_insecure_content_disable_capture', false)) {
412 | 			return;
413 | 		}
414 | 
415 | 		// start capturing page
416 | 		ob_start(array($this, 'fixCaptureEnd'));
417 | 	}
418 | 
419 | 	/**
420 | 	* stop capturing page and fix it
421 | 	* @param string $buffer
422 | 	* @return string
423 | 	*/
424 | 	public function fixCaptureEnd($buffer) {
425 | 		return $this->fixContent($buffer);
426 | 	}
427 | 
428 | 	/**
429 | 	* force specific plugins to load assets with HTTPS
430 | 	*/
431 | 	public function fixSpecific() {
432 | 		if (!empty($this->options['fix_specific']['lcpwp'])) {
433 | 			// force list-category-posts-with-pagination plugin to load its CSS with HTTPS (it doesn't use wp_enqueue_style)
434 | 			if (function_exists('admin_register_head') && is_dir(WP_PLUGIN_DIR . '/list-category-posts-with-pagination')) {
435 | 				remove_action('wp_head', 'admin_register_head');
436 | 				$url = plugins_url('pagination.css', 'list-category-posts-with-pagination/x');
437 | 				wp_enqueue_style('lcpwp', $url);
438 | 			}
439 | 		}
440 | 	}
441 | 
442 | 	/**
443 | 	* use JavaScript to force the browser back to HTTPS if the page is loaded via HTTP
444 | 	*/
445 | 	public function scriptForceHTTPS() {
446 | 		require SSLFIX_PLUGIN_ROOT . 'views/script-force-https.php';
447 | 	}
448 | 
449 | 	/**
450 | 	* filter uploads dir so that plugins using it to determine upload URL also work
451 | 	* @param array $uploads
452 | 	* @return array
453 | 	*/
454 | 	public static function uploadDir($uploads) {
455 | 		$uploads['url']		= ssl_insecure_content_fix_url($uploads['url']);
456 | 		$uploads['baseurl']	= ssl_insecure_content_fix_url($uploads['baseurl']);
457 | 
458 | 		return $uploads;
459 | 	}
460 | 
461 | 	/**
462 | 	* make sure that WooCommerce caches its widgets on HTTPS separately to on HTTP
463 | 	* @param string $widget_id
464 | 	* @return string
465 | 	*/
466 | 	public static function woocommerceWidgetID($widget_id) {
467 | 		$widget_id .= '_https';
468 | 
469 | 		return $widget_id;
470 | 	}
471 | 
472 | }
473 | 


--------------------------------------------------------------------------------
/includes/class.SSLInsecureContentFixerAdmin.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | if (!defined('ABSPATH')) {
  4 | 	exit;
  5 | }
  6 | 
  7 | /**
  8 | * manage admin
  9 | */
 10 | class SSLInsecureContentFixerAdmin {
 11 | 
 12 | 	protected $has_settings_errors			= false;
 13 | 
 14 | 	/**
 15 | 	* hook into WordPress
 16 | 	*/
 17 | 	public function __construct() {
 18 | 		add_action('admin_init', array($this, 'adminInit'));
 19 | 		add_action('admin_notices', array($this, 'checkPrerequisites'));
 20 | 		add_action('network_admin_notices', array($this, 'checkPrerequisites'));
 21 | 		add_action('admin_print_styles-settings_page_ssl-insecure-content-fixer', array($this, 'printStylesSettings'));
 22 | 		add_action('admin_print_styles-tools_page_ssl-insecure-content-fixer-tests', array($this, 'printStylesTests'));
 23 | 		add_action('admin_menu', array($this, 'adminMenu'));
 24 | 		add_action('network_admin_menu', array($this, 'adminMenuNetwork'));
 25 | 		add_filter('plugin_row_meta', array($this, 'pluginDetailsLinks'), 10, 2);
 26 | 		add_action('plugin_action_links_' . SSLFIX_PLUGIN_NAME, array($this, 'pluginActionLinks'));
 27 | 		add_action('wp_ajax_sslfix-test-https', array($this, 'ajaxTestHTTPS'));
 28 | 	}
 29 | 
 30 | 	/**
 31 | 	* admin_init action
 32 | 	*/
 33 | 	public function adminInit() {
 34 | 		add_settings_section(SSLFIX_PLUGIN_OPTIONS, false, false, SSLFIX_PLUGIN_OPTIONS);
 35 | 		register_setting(SSLFIX_PLUGIN_OPTIONS, SSLFIX_PLUGIN_OPTIONS, array($this, 'settingsValidate'));
 36 | 	}
 37 | 
 38 | 	/**
 39 | 	* load CSS for settings page
 40 | 	*/
 41 | 	public function printStylesSettings() {
 42 | 		echo "<style>\n";
 43 | 		readfile(SSLFIX_PLUGIN_ROOT . 'css/settings.css');
 44 | 		echo "</style>\n";
 45 | 	}
 46 | 
 47 | 	/**
 48 | 	* load CSS for tests page
 49 | 	*/
 50 | 	public function printStylesTests() {
 51 | 		echo "<style>\n";
 52 | 		readfile(SSLFIX_PLUGIN_ROOT . 'css/tests.css');
 53 | 		echo "</style>\n";
 54 | 	}
 55 | 
 56 | 	/**
 57 | 	* check for required PHP extensions, tell admin if any are missing
 58 | 	*/
 59 | 	public function checkPrerequisites() {
 60 | 		// only bother admins / plugin installers / option setters with this stuff
 61 | 		if (!current_user_can('activate_plugins') && !current_user_can('manage_options')) {
 62 | 			return;
 63 | 		}
 64 | 
 65 | 		// only on specific pages
 66 | 		if (!self::canShowNotices()) {
 67 | 			return;
 68 | 		}
 69 | 
 70 | 		// need these PHP extensions
 71 | 		$prereqs = array('json', 'pcre');
 72 | 		$missing = array();
 73 | 		foreach ($prereqs as $ext) {
 74 | 			if (!extension_loaded($ext)) {
 75 | 				$missing[] = $ext;
 76 | 			}
 77 | 		}
 78 | 		if (!empty($missing)) {
 79 | 			include SSLFIX_PLUGIN_ROOT . 'views/requires-extensions.php';
 80 | 		}
 81 | 
 82 | 		// and PCRE needs to be v8+ or we break! e.g. \K not present until v7.2 and some sites still use v6.6!
 83 | 		$pcre_min = '8';
 84 | 		if (apply_filters('ssl_insecure_content_pcre_version_permissive', false)) {
 85 | 			$pcre_min = '7.2';
 86 | 		}
 87 | 		if (defined('PCRE_VERSION') && version_compare(PCRE_VERSION, $pcre_min, '<')) {
 88 | 			include SSLFIX_PLUGIN_ROOT . 'views/requires-pcre.php';
 89 | 		}
 90 | 	}
 91 | 
 92 | 	/**
 93 | 	* check admin page to see if we should show notices or not
 94 | 	*/
 95 | 	protected static function canShowNotices() {
 96 | 		global $pagenow;
 97 | 
 98 | 		switch ($pagenow) {
 99 | 
100 | 			case 'plugins.php':
101 | 				return true;
102 | 
103 | 			case 'tools.php':
104 | 				if (!empty($_GET['page']) && wp_unslash($_GET['page']) === 'ssl-insecure-content-fixer-tests') {
105 | 					return true;
106 | 				}
107 | 				return false;
108 | 
109 | 			case 'options-general.php':
110 | 			case 'settings.php':
111 | 				if (!empty($_GET['page']) && wp_unslash($_GET['page']) === 'ssl-insecure-content-fixer') {
112 | 					return true;
113 | 				}
114 | 				return false;
115 | 
116 | 			default:
117 | 				return false;
118 | 
119 | 		}
120 | 	}
121 | 
122 | 	/**
123 | 	* add plugin details links on plugins page
124 | 	*/
125 | 	public function pluginDetailsLinks($links, $file) {
126 | 		if ($file == SSLFIX_PLUGIN_NAME) {
127 | 			if (is_network_admin()) {
128 | 				if (current_user_can('manage_network_options')) {
129 | 					$url = network_admin_url('settings.php?page=ssl-insecure-content-fixer');
130 | 					$links[] = sprintf('<a href="%s">%s</a>', esc_url($url), _x('Settings', 'plugin details links', 'ssl-insecure-content-fixer'));
131 | 				}
132 | 			}
133 | 			elseif (current_user_can($this->getMenuCapability())) {
134 | 				$url = admin_url('tools.php?page=ssl-insecure-content-fixer-tests');
135 | 				$links[] = sprintf('<a href="%s">%s</a>', esc_url($url), _x('SSL Tests', 'menu link', 'ssl-insecure-content-fixer'));
136 | 			}
137 | 
138 | 			$links[] = sprintf('<a href="https://ssl.webaware.net.au/" target="_blank" rel="noopener">%s</a>', _x('Instructions', 'plugin details links', 'ssl-insecure-content-fixer'));
139 | 			$links[] = sprintf('<a href="https://wordpress.org/support/plugin/ssl-insecure-content-fixer" target="_blank" rel="noopener">%s</a>', _x('Get help', 'plugin details links', 'ssl-insecure-content-fixer'));
140 | 			$links[] = sprintf('<a href="https://wordpress.org/plugins/ssl-insecure-content-fixer/" target="_blank" rel="noopener">%s</a>', _x('Rating', 'plugin details links', 'ssl-insecure-content-fixer'));
141 | 			$links[] = sprintf('<a href="https://translate.wordpress.org/projects/wp-plugins/ssl-insecure-content-fixer" target="_blank" rel="noopener">%s</a>', _x('Translate', 'plugin details links', 'ssl-insecure-content-fixer'));
142 | 			$links[] = sprintf('<a href="https://shop.webaware.com.au/donations/?donation_for=SSL+Insecure+Content+Fixer" target="_blank" rel="noopener">%s</a>', _x('Donate', 'plugin details links', 'ssl-insecure-content-fixer'));
143 | 		}
144 | 
145 | 		return $links;
146 | 	}
147 | 
148 | 	/**
149 | 	* add our admin menu items
150 | 	*/
151 | 	public function adminMenu() {
152 | 		$capability = $this->getMenuCapability();
153 | 
154 | 		$label = _x('SSL Insecure Content', 'menu link', 'ssl-insecure-content-fixer');
155 | 		add_options_page($label, $label, $capability, 'ssl-insecure-content-fixer', array($this, 'settingsPage'));
156 | 
157 | 		if (!is_network_admin()) {
158 | 			$label = _x('SSL Tests', 'menu link', 'ssl-insecure-content-fixer');
159 | 			add_management_page($label, $label, $capability, 'ssl-insecure-content-fixer-tests', array($this, 'testPage'));
160 | 		}
161 | 	}
162 | 
163 | 	/**
164 | 	* add multisite network admin menu items
165 | 	*/
166 | 	public function adminMenuNetwork() {
167 | 		$label = _x('SSL Insecure Content', 'menu link', 'ssl-insecure-content-fixer');
168 | 		add_submenu_page('settings.php', $label, $label, 'manage_network_options', 'ssl-insecure-content-fixer', array($this, 'settingsPage'));
169 | 	}
170 | 
171 | 	/**
172 | 	* add plugin action links
173 | 	*/
174 | 	public function pluginActionLinks($links) {
175 | 		if (current_user_can('manage_options')) {
176 | 			// add settings link
177 | 			$url = admin_url('options-general.php?page=ssl-insecure-content-fixer');
178 | 			$settings_link = sprintf('<a href="%s">%s</a>', esc_url($url), _x('Settings', 'plugin details links', 'ssl-insecure-content-fixer'));
179 | 			array_unshift($links, $settings_link);
180 | 		}
181 | 
182 | 		return $links;
183 | 	}
184 | 
185 | 	/**
186 | 	* settings admin
187 | 	*/
188 | 	public function settingsPage() {
189 | 		require SSLFIX_PLUGIN_ROOT . 'includes/nonces.php';
190 | 
191 | 		if (is_network_admin()) {
192 | 			// multisite network settings
193 | 			$options = SSLInsecureContentFixer::getInstance()->network_options;
194 | 
195 | 			if (!empty($_POST[SSLFIX_PLUGIN_OPTIONS])) {
196 | 				check_admin_referer('settings', 'sslfix_nonce');
197 | 
198 | 				$options = wp_unslash($_POST[SSLFIX_PLUGIN_OPTIONS]);
199 | 				$options = $this->settingsValidate($options);
200 | 
201 | 				if (!$this->has_settings_errors) {
202 | 					update_site_option(SSLFIX_PLUGIN_OPTIONS, $options);
203 | 					add_settings_error(SSLFIX_PLUGIN_OPTIONS, 'sslfix-network-updated', __('Multisite network settings updated.', 'ssl-insecure-content-fixer'), 'updated');
204 | 				}
205 | 			}
206 | 
207 | 			require SSLFIX_PLUGIN_ROOT . 'views/settings-form-network.php';
208 | 		}
209 | 		else {
210 | 			// individual site settings
211 | 			$options = SSLInsecureContentFixer::getInstance()->options;
212 | 			require SSLFIX_PLUGIN_ROOT . 'views/settings-form.php';
213 | 		}
214 | 
215 | 		$min = SCRIPT_DEBUG ? '' : '.min';
216 | 		$ver = SCRIPT_DEBUG ? time() : SSLFIX_PLUGIN_VERSION;
217 | 
218 | 		$ajax_url = $this->getNoWpAJAX();
219 | 
220 | 		wp_enqueue_script('sslfix-admin-settings', plugins_url("js/admin-settings$min.js", SSLFIX_PLUGIN_FILE), array('jquery'), $ver, true);
221 | 		wp_localize_script('sslfix-admin-settings', 'sslfix', array(
222 | 			'ajax_url_wp'	=> ssl_insecure_content_fix_url(admin_url('admin-ajax.php')),
223 | 			'ajax_url_ssl'	=> ssl_insecure_content_fix_url($ajax_url),
224 | 			'test_nonce'	=> ssl_insecure_content_fix_nonce_value(),
225 | 			'msg'			=> array(
226 | 									'recommended'		=> _x('* detected as recommended setting', 'proxy settings', 'ssl-insecure-content-fixer'),
227 | 								),
228 | 		));
229 | 	}
230 | 
231 | 	/**
232 | 	* validate settings on save
233 | 	* @param array $input
234 | 	* @return array
235 | 	*/
236 | 	public function settingsValidate($input) {
237 | 		$output = array();
238 | 
239 | 		$output['fix_level']		= empty($input['fix_level']) ? '' : $input['fix_level'];
240 | 		$output['proxy_fix']		= empty($input['proxy_fix']) ? '' : $input['proxy_fix'];
241 | 		$output['site_only']		= empty($input['site_only']) ? 0  : 1;
242 | 
243 | 		if (!in_array($output['fix_level'], array('off', 'simple', 'content', 'widgets', 'capture', 'capture_all'))) {
244 | 			add_settings_error(SSLFIX_PLUGIN_OPTIONS, 'sslfix-fix_level', _x('Fix level is invalid', 'settings error', 'ssl-insecure-content-fixer'));
245 | 			$this->has_settings_errors = true;
246 | 		}
247 | 
248 | 		if (!in_array($output['proxy_fix'], array('normal', 'HTTP_X_FORWARDED_PROTO', 'HTTP_CLOUDFRONT_FORWARDED_PROTO', 'HTTP_X_FORWARDED_SSL', 'HTTP_CF_VISITOR', 'HTTP_X_ARR_SSL', 'HTTP_X_FORWARDED_SCHEME', 'detect_fail'))) {
249 | 			add_settings_error(SSLFIX_PLUGIN_OPTIONS, 'sslfix-proxy_fix', _x('HTTPS detection setting is invalid', 'settings error', 'ssl-insecure-content-fixer'));
250 | 			$this->has_settings_errors = true;
251 | 		}
252 | 
253 | 		if (isset($input['fix_specific']) && is_array($input['fix_specific'])) {
254 | 			$output['fix_specific'] = array_map('intval', array_filter($input['fix_specific']));
255 | 		}
256 | 		else {
257 | 			$output['fix_specific'] = array();
258 | 		}
259 | 
260 | 		return $output;
261 | 	}
262 | 
263 | 	/**
264 | 	* show SSL tests page
265 | 	*/
266 | 	public function testPage() {
267 | 		require SSLFIX_PLUGIN_ROOT . 'includes/nonces.php';
268 | 		require SSLFIX_PLUGIN_ROOT . 'views/ssl-tests.php';
269 | 
270 | 		$min = SCRIPT_DEBUG ? '' : '.min';
271 | 		$ver = SCRIPT_DEBUG ? time() : SSLFIX_PLUGIN_VERSION;
272 | 
273 | 		$ajax_url = $this->getNoWpAJAX();
274 | 
275 | 		wp_enqueue_script('sslfix-admin-settings', plugins_url("js/admin-tests$min.js", SSLFIX_PLUGIN_FILE), array('jquery'), $ver, true);
276 | 		wp_localize_script('sslfix-admin-settings', 'sslfix', array(
277 | 			'ajax_url_wp'	=> ssl_insecure_content_fix_url(admin_url('admin-ajax.php')),
278 | 			'ajax_url_ssl'	=> ssl_insecure_content_fix_url($ajax_url),
279 | 			'test_nonce'	=> ssl_insecure_content_fix_nonce_value(),
280 | 		));
281 | 	}
282 | 
283 | 	/**
284 | 	* get path to non-WP AJAX script
285 | 	* @return string
286 | 	*/
287 | 	protected function getNoWpAJAX() {
288 | 		return plugins_url('nowp/ajax.php', SSLFIX_PLUGIN_FILE);
289 | 	}
290 | 
291 | 	/**
292 | 	* get capability required for menu access
293 | 	* @return string
294 | 	*/
295 | 	protected function getMenuCapability() {
296 | 		return $this->isNetworkActivated() ? 'manage_network_options' : 'manage_options';
297 | 	}
298 | 
299 | 	/**
300 | 	* test whether this plugin is network activated
301 | 	* @return bool
302 | 	*/
303 | 	protected function isNetworkActivated() {
304 | 		static $is_network_activated = null;
305 | 
306 | 		if (is_null($is_network_activated)) {
307 | 			if (is_multisite()) {
308 | 				if (!function_exists('is_plugin_active_for_network')) {
309 | 					require_once ABSPATH . '/wp-admin/includes/plugin.php';
310 | 				}
311 | 
312 | 				$is_network_activated = is_plugin_active_for_network(SSLFIX_PLUGIN_NAME);
313 | 			}
314 | 			else {
315 | 				$is_network_activated = false;
316 | 			}
317 | 		}
318 | 
319 | 		return $is_network_activated;
320 | 	}
321 | 
322 | 	/**
323 | 	* AJAX handler for testing HTTPS detection within WordPress
324 | 	*/
325 | 	public function ajaxTestHTTPS() {
326 | 		$response = array('https' => (is_ssl() ? 'yes' : 'no'));
327 | 		wp_send_json($response);
328 | 	}
329 | 
330 | }
331 | 


--------------------------------------------------------------------------------
/includes/nonces.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 | * generate nonce value
 5 | * @return string
 6 | */
 7 | function ssl_insecure_content_fix_nonce_value() {
 8 | 	// some system data, difficult to guess unless server environment is already known
 9 | 	$tick = ceil(time() / (60 * 60 * 6));
10 | 	$data = sprintf("%s\n%s\n%s\n%s\n%s", php_uname(), php_ini_loaded_file(), php_ini_scanned_files(), implode("\n", get_loaded_extensions()), $tick);
11 | 
12 | 	return hash_hmac('md5', $data, 'ssl_insecure_content_fix');
13 | }
14 | 


--------------------------------------------------------------------------------
/js/admin-settings.js:
--------------------------------------------------------------------------------
 1 | "use strict";
 2 | 
 3 | /*!
 4 | SSL Insecure Content Fixer admin settings script
 5 | https://ssl.webaware.net.au/
 6 | */
 7 | (function ($) {
 8 |   $.ajax({
 9 |     url: sslfix.ajax_url_ssl,
10 |     data: {
11 |       action: "sslfix-get-recommended",
12 |       sslfix_nonce: sslfix.test_nonce
13 |     },
14 |     dataType: "json",
15 |     method: "GET",
16 |     success: showRecommended
17 |   });
18 |   /**
19 |   * show recommended settings
20 |   * @param {Object} response
21 |   */
22 | 
23 |   function showRecommended(response) {
24 |     if (response.recommended) {
25 |       var label = $("label[for=" + response.recommended_element + "]");
26 |       label.addClass("sslfix-recommended");
27 |       label.html(label.html() + "<br/><span>" + sslfix.msg.recommended + "</span>");
28 |     }
29 |   }
30 | 
31 |   $.ajax({
32 |     url: sslfix.ajax_url_wp,
33 |     data: {
34 |       action: "sslfix-test-https"
35 |     },
36 |     dataType: "json",
37 |     method: "GET",
38 |     xhrFields: {
39 |       withCredentials: true
40 |     },
41 |     success: showHttpsDetected
42 |   });
43 |   /**
44 |   * show whether HTTPS was detected correctly within WordPress
45 |   * @param {Object} response
46 |   */
47 | 
48 |   function showHttpsDetected(response) {
49 |     if (response.https) {
50 |       $("#sslfix-https-detection").addClass("dashicons dashicons-" + response.https);
51 |     }
52 |   }
53 | })(jQuery);
54 | 


--------------------------------------------------------------------------------
/js/admin-settings.min.js:
--------------------------------------------------------------------------------
1 | // SSL Insecure Content Fixer
2 | // https://ssl.webaware.net.au/
3 | 
4 | "use strict";!function(s){s.ajax({url:sslfix.ajax_url_ssl,data:{action:"sslfix-get-recommended",sslfix_nonce:sslfix.test_nonce},dataType:"json",method:"GET",success:function(e){if(e.recommended){var t=s("label[for="+e.recommended_element+"]");t.addClass("sslfix-recommended"),t.html(t.html()+"<br/><span>"+sslfix.msg.recommended+"</span>")}}}),s.ajax({url:sslfix.ajax_url_wp,data:{action:"sslfix-test-https"},dataType:"json",method:"GET",xhrFields:{withCredentials:!0},success:function(e){e.https&&s("#sslfix-https-detection").addClass("dashicons dashicons-"+e.https)}})}(jQuery);


--------------------------------------------------------------------------------
/js/admin-tests.js:
--------------------------------------------------------------------------------
  1 | "use strict";
  2 | 
  3 | /*!
  4 | SSL Insecure Content Fixer admin tests script
  5 | https://ssl.webaware.net.au/
  6 | */
  7 | (function ($) {
  8 |   $.ajax({
  9 |     url: sslfix.ajax_url_ssl,
 10 |     data: {
 11 |       action: "sslfix-environment",
 12 |       sslfix_nonce: sslfix.test_nonce
 13 |     },
 14 |     dataType: "json",
 15 |     method: "GET",
 16 |     error: showError,
 17 |     success: showResults
 18 |   });
 19 |   /**
 20 |   * show test results
 21 |   * @param {Object} response
 22 |   */
 23 | 
 24 |   function showResults(response) {
 25 |     if (response.ssl) {
 26 |       switch (response.detect) {
 27 |         case "HTTPS":
 28 |         case "port":
 29 |           showHidden("#sslfix-normal");
 30 |           break;
 31 | 
 32 |         case "HTTP_X_FORWARDED_PROTO":
 33 |           showHidden("#sslfix-HTTP_X_FORWARDED_PROTO");
 34 |           break;
 35 | 
 36 |         case "HTTP_X_FORWARDED_SSL":
 37 |           showHidden("#sslfix-HTTP_X_FORWARDED_SSL");
 38 |           break;
 39 | 
 40 |         case "HTTP_CLOUDFRONT_FORWARDED_PROTO":
 41 |           showHidden("#sslfix-HTTP_CLOUDFRONT_FORWARDED_PROTO");
 42 |           break;
 43 | 
 44 |         case "HTTP_X_ARR_SSL":
 45 |           showHidden("#sslfix-HTTP_X_ARR_SSL");
 46 |           break;
 47 | 
 48 |         case "HTTP_X_FORWARDED_SCHEME":
 49 |           showHidden("#sslfix-HTTP_X_FORWARDED_SCHEME");
 50 |           break;
 51 | 
 52 |         case "HTTP_CF_VISITOR":
 53 |           showHidden("#sslfix-HTTP_CF_VISITOR");
 54 |           break;
 55 |       }
 56 |     } else {
 57 |       showHidden("#sslfix-detect_fail");
 58 |     }
 59 | 
 60 |     hideVisible("#sslfix-loading");
 61 |     showHidden("#sslfix-test-result-head");
 62 |     showHidden("#sslfix-environment");
 63 |     $("#sslfix-environment pre").text(response.env);
 64 |   }
 65 |   /**
 66 |   * show test error
 67 |   * @param {Object} xhr
 68 |   * @param {String} status
 69 |   */
 70 | 
 71 | 
 72 |   function showError(xhr, status) {
 73 |     hideVisible("#sslfix-loading");
 74 |     showHidden("#sslfix-test-result-head");
 75 |     showHidden("#sslfix-environment");
 76 |     $("#sslfix-environment pre").text(status + "\n" + xhr.responseText);
 77 |   }
 78 | 
 79 |   $.ajax({
 80 |     url: sslfix.ajax_url_wp,
 81 |     data: {
 82 |       action: "sslfix-test-https"
 83 |     },
 84 |     dataType: "json",
 85 |     method: "GET",
 86 |     xhrFields: {
 87 |       withCredentials: true
 88 |     },
 89 |     success: showHttpsDetected
 90 |   });
 91 |   /**
 92 |   * show whether HTTPS was detected correctly within WordPress
 93 |   * @param {Object} response
 94 |   */
 95 | 
 96 |   function showHttpsDetected(response) {
 97 |     if (response.https) {
 98 |       $("#sslfix-https-detection").addClass("dashicons dashicons-" + response.https);
 99 |     }
100 |   }
101 |   /**
102 |   * show hidden element, with accessibility cues
103 |   * @param {String} selector
104 |   */
105 | 
106 | 
107 |   function showHidden(selector) {
108 |     $(selector).attr("aria-hidden", "false").show();
109 |   }
110 |   /**
111 |   * hide visible element, with accessibility cues
112 |   * @param {String} selector
113 |   */
114 | 
115 | 
116 |   function hideVisible(selector) {
117 |     $(selector).attr("aria-hidden", "true").hide();
118 |   }
119 | })(jQuery);
120 | 


--------------------------------------------------------------------------------
/js/admin-tests.min.js:
--------------------------------------------------------------------------------
1 | // SSL Insecure Content Fixer
2 | // https://ssl.webaware.net.au/
3 | 
4 | "use strict";!function(s){function e(e){s(e).attr("aria-hidden","false").show()}function t(e){s(e).attr("aria-hidden","true").hide()}s.ajax({url:sslfix.ajax_url_ssl,data:{action:"sslfix-environment",sslfix_nonce:sslfix.test_nonce},dataType:"json",method:"GET",error:function(i,a){t("#sslfix-loading"),e("#sslfix-test-result-head"),e("#sslfix-environment"),s("#sslfix-environment pre").text(a+"\n"+i.responseText)},success:function(i){if(i.ssl)switch(i.detect){case"HTTPS":case"port":e("#sslfix-normal");break;case"HTTP_X_FORWARDED_PROTO":e("#sslfix-HTTP_X_FORWARDED_PROTO");break;case"HTTP_X_FORWARDED_SSL":e("#sslfix-HTTP_X_FORWARDED_SSL");break;case"HTTP_CLOUDFRONT_FORWARDED_PROTO":e("#sslfix-HTTP_CLOUDFRONT_FORWARDED_PROTO");break;case"HTTP_X_ARR_SSL":e("#sslfix-HTTP_X_ARR_SSL");break;case"HTTP_X_FORWARDED_SCHEME":e("#sslfix-HTTP_X_FORWARDED_SCHEME");break;case"HTTP_CF_VISITOR":e("#sslfix-HTTP_CF_VISITOR")}else e("#sslfix-detect_fail");t("#sslfix-loading"),e("#sslfix-test-result-head"),e("#sslfix-environment"),s("#sslfix-environment pre").text(i.env)}}),s.ajax({url:sslfix.ajax_url_wp,data:{action:"sslfix-test-https"},dataType:"json",method:"GET",xhrFields:{withCredentials:!0},success:function(e){e.https&&s("#sslfix-https-detection").addClass("dashicons dashicons-"+e.https)}})}(jQuery);


--------------------------------------------------------------------------------
/nowp/.htaccess:
--------------------------------------------------------------------------------
 1 | Options -Indexes
 2 | 
 3 | # Apache 2.4
 4 | <IfModule mod_authz_core.c>
 5 | 	Require all granted
 6 | 
 7 | 	<Files *.php>
 8 | 		Require all granted
 9 | 	</Files>
10 | </IfModule>
11 | 
12 | # Apache 2.2
13 | <IfModule !mod_authz_core.c>
14 | 	Allow from all
15 | 
16 | 	<Files *.php>
17 | 		Allow from all
18 | 	</Files>
19 | </IfModule>
20 | 


--------------------------------------------------------------------------------
/nowp/ajax.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | // phpcs:disable Generic.PHP.NoSilencedErrors.Discouraged
  3 | 
  4 | // compute the path to the plugin's root folder
  5 | $sslfix_plugin_root = dirname(dirname(__FILE__)) . '/';
  6 | 
  7 | require $sslfix_plugin_root . 'includes/nonces.php';
  8 | 
  9 | /**
 10 | * test for nonce, must have expected value
 11 | */
 12 | 
 13 | $sslfix_nonce = ssl_insecure_content_fix_nonce_value();
 14 | 
 15 | if (empty($_GET['sslfix_nonce'])) {
 16 | 	sslfix_send_error('missing nonce.');
 17 | }
 18 | 
 19 | if (!ssl_fix_hash_equals($sslfix_nonce, $_GET['sslfix_nonce'])) {
 20 | 	sslfix_send_error('bad nonce value.');
 21 | }
 22 | 
 23 | /**
 24 | * run some AJAX functions outside of WordPress, so that we can see the raw environment
 25 | */
 26 | 
 27 | if (isset($_GET['action'])) {
 28 | 	switch ($_GET['action']) {
 29 | 
 30 | 		case 'sslfix-get-recommended':
 31 | 			sslfix_get_recommended();
 32 | 			break;
 33 | 
 34 | 		case 'sslfix-environment':
 35 | 			sslfix_environment();
 36 | 			break;
 37 | 
 38 | 		default:
 39 | 			sslfix_send_error('invalid action');
 40 | 			break;
 41 | 
 42 | 	}
 43 | }
 44 | else {
 45 | 	sslfix_send_error('no action given');
 46 | }
 47 | 
 48 | /**
 49 | * test environment and recommend settings
 50 | */
 51 | function sslfix_get_recommended() {
 52 | 	$env = sslfix_get_environment();
 53 | 
 54 | 	$response = array();
 55 | 
 56 | 	switch ($env['detect']) {
 57 | 
 58 | 		case 'HTTPS':
 59 | 		case 'port':
 60 | 			$response['recommended'] = 'normal';
 61 | 			break;
 62 | 
 63 | 		case 'HTTP_X_FORWARDED_PROTO':
 64 | 			$response['recommended'] = 'HTTP_X_FORWARDED_PROTO';
 65 | 			break;
 66 | 
 67 | 		case 'HTTP_X_FORWARDED_SSL':
 68 | 			$response['recommended'] = 'HTTP_X_FORWARDED_SSL';
 69 | 			break;
 70 | 
 71 | 		case 'HTTP_CLOUDFRONT_FORWARDED_PROTO':
 72 | 			$response['recommended'] = 'HTTP_CLOUDFRONT_FORWARDED_PROTO';
 73 | 			break;
 74 | 
 75 | 		case 'HTTP_CF_VISITOR':
 76 | 			$response['recommended'] = 'HTTP_CF_VISITOR';
 77 | 			break;
 78 | 
 79 | 		case 'HTTP_X_ARR_SSL':
 80 | 			$response['recommended'] = 'HTTP_X_ARR_SSL';
 81 | 			break;
 82 | 
 83 | 		case 'HTTP_X_FORWARDED_SCHEME':
 84 | 			$response['recommended'] = 'HTTP_X_FORWARDED_SCHEME';
 85 | 			break;
 86 | 
 87 | 		default:
 88 | 			$response['recommended'] = 'detect_fail';
 89 | 			break;
 90 | 
 91 | 	}
 92 | 
 93 | 	$response['recommended_element'] = 'proxy_fix_' . $response['recommended'];
 94 | 
 95 | 	sslfix_send_json($response);
 96 | }
 97 | 
 98 | /**
 99 | * test environment to see what can be detected
100 | */
101 | function sslfix_environment() {
102 | 	$response = sslfix_get_environment();
103 | 
104 | 	// build a list of environment variables to omit, as keys
105 | 	// some are just unnecessary, some might expose sensitive information like script paths
106 | 	$env_blacklist = array_flip(array(
107 | 		'argc',
108 | 		'argv',
109 | 		'AUTH_TYPE',
110 | 		'CONTENT_LENGTH',
111 | 		'CONTENT_TYPE',
112 | 		'CONTEXT_DOCUMENT_ROOT',
113 | 		'CONTEXT_PREFIX',
114 | 		'DOCUMENT_ROOT',
115 | 		'DOCUMENT_ROOT_REAL',
116 | 		'DOCUMENT_URI',
117 | 		'FCGI_ROLE',
118 | 		'GATEWAY_INTERFACE',
119 | 		'HOME',
120 | 		'HTTP_ACCEPT',
121 | 		'HTTP_ACCEPT_CHARSET',
122 | 		'HTTP_ACCEPT_ENCODING',
123 | 		'HTTP_ACCEPT_LANGUAGE',
124 | 		'HTTP_CONNECTION',
125 | 		'HTTP_COOKIE',
126 | 		'HTTP_HOST',
127 | 		'HTTP_ORIGIN',
128 | 		'HTTP_REFERER',
129 | 		'HTTP_X_REQUESTED_WITH',
130 | 		'HTTP_USER_AGENT',
131 | 		'ORIG_PATH_INFO',
132 | 		'PATH',
133 | 		'PATH_INFO',
134 | 		'PATH_TRANSLATED',
135 | 		'PHP_AUTH_DIGEST',
136 | 		'PHP_AUTH_PW',
137 | 		'PHP_AUTH_USER',
138 | 		'PHP_SELF',
139 | 		'PP_CUSTOM_PHP_INI',
140 | 		'PP_CUSTOM_PHP_CGI_INDEX',
141 | 		'PWD',
142 | 		'QUERY_STRING',
143 | 		'REDIRECT_REMOTE_USER',
144 | 		'REDIRECT_STATUS',
145 | 		'REMOTE_ADDR',
146 | 		'REMOTE_PORT',
147 | 		'REMOTE_USER',
148 | 		'REQUEST_METHOD',
149 | 		'REQUEST_TIME',
150 | 		'REQUEST_TIME_FLOAT',
151 | 		'REQUEST_URI',
152 | 		'SCRIPT_FILENAME',
153 | 		'SCRIPT_NAME',
154 | 		'SCRIPT_URI',
155 | 		'SCRIPT_URL',
156 | 		'SERVER_ADDR',
157 | 		'SERVER_ADMIN',
158 | 		'SERVER_NAME',
159 | 		'SERVER_PORT',
160 | 		'SERVER_PROTOCOL',
161 | 		'SERVER_SIGNATURE',
162 | 		'SERVER_SOFTWARE',
163 | 		'UNIQUE_ID',
164 | 		'USER',
165 | 	));
166 | 
167 | 	// build server environment to return, without blacklisted keys
168 | 	$env = array_diff_key($_SERVER, $env_blacklist);
169 | 
170 | 	$response['env'] = print_r($env, 1);
171 | 
172 | 	sslfix_send_json($response);
173 | }
174 | 
175 | /**
176 | * test environment to see what can be detected
177 | */
178 | function sslfix_get_environment() {
179 | 	$env = array(
180 | 		'ssl' => false,
181 | 	);
182 | 
183 | 	if (isset($_SERVER['HTTPS']) && (strcasecmp($_SERVER['HTTPS'], 'on') === 0 || $_SERVER['HTTPS'] === '1')) {
184 | 		$env['detect'] = 'HTTPS';
185 | 		$env['ssl'] = true;
186 | 	}
187 | 	elseif (isset($_SERVER['SERVER_PORT']) && ($_SERVER['SERVER_PORT'] === '443')) {
188 | 		$env['detect'] = 'port';
189 | 		$env['ssl'] = true;
190 | 	}
191 | 	elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
192 | 		$env['detect'] = 'HTTP_X_FORWARDED_PROTO';
193 | 		$env['ssl'] = true;
194 | 	}
195 | 	elseif (isset($_SERVER['HTTP_X_FORWARDED_SSL']) && (strtolower($_SERVER['HTTP_X_FORWARDED_SSL']) === 'on' || $_SERVER['HTTP_X_FORWARDED_SSL'] === '1')) {
196 | 		$env['detect'] = 'HTTP_X_FORWARDED_SSL';
197 | 		$env['ssl'] = true;
198 | 	}
199 | 	elseif (isset($_SERVER['HTTP_CLOUDFRONT_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_CLOUDFRONT_FORWARDED_PROTO']) === 'https') {
200 | 		$env['detect'] = 'HTTP_CLOUDFRONT_FORWARDED_PROTO';
201 | 		$env['ssl'] = true;
202 | 	}
203 | 	elseif (!empty($_SERVER['HTTP_X_ARR_SSL'])) {
204 | 		$env['detect'] = 'HTTP_X_ARR_SSL';
205 | 		$env['ssl'] = true;
206 | 	}
207 | 	elseif (isset($_SERVER['HTTP_X_FORWARDED_SCHEME']) && strtolower($_SERVER['HTTP_X_FORWARDED_SCHEME']) === 'https') {
208 | 		$env['detect'] = 'HTTP_X_FORWARDED_SCHEME';
209 | 		$env['ssl'] = true;
210 | 	}
211 | 	elseif (isset($_SERVER['HTTP_CF_VISITOR']) && strpos($_SERVER['HTTP_CF_VISITOR'], 'https') !== false) {
212 | 		$env['detect'] = 'HTTP_CF_VISITOR';
213 | 		$env['ssl'] = true;
214 | 	}
215 | 	else {
216 | 		$env['detect'] = 'fail';
217 | 		$env['ssl'] = false;
218 | 	}
219 | 
220 | 	return $env;
221 | }
222 | 
223 | /**
224 | * send JSON response and terminate
225 | * @param array $response
226 | */
227 | function sslfix_send_json($response) {
228 | 	@header('Content-Type: application/json; charset=UTF-8');
229 | 	@header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
230 | 	@header('Cache-Control: no-cache, must-revalidate, max-age=0');
231 | 	@header('Pragma: no-cache');
232 | 
233 | 	// add CORS headers so that browsers permit response
234 | 	@header('Access-Control-Allow-Credentials: true');
235 | 	if (isset($_SERVER['HTTP_ORIGIN'])) {
236 | 		@header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
237 | 	}
238 | 
239 | 	echo json_encode($response);
240 | 	exit;
241 | }
242 | 
243 | /**
244 | * terminate with error
245 | * @param string $msg
246 | */
247 | function sslfix_send_error($msg) {
248 | 	@header('HTTP/1.0 403 Forbidden');
249 | 
250 | 	// add CORS headers so that browsers permit response
251 | 	@header('Access-Control-Allow-Credentials: true');
252 | 	if (isset($_SERVER['HTTP_ORIGIN'])) {
253 | 		@header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
254 | 	}
255 | 
256 | 	echo $msg;
257 | 	exit;
258 | }
259 | 
260 | /**
261 | * timing-attack safe string comparison for comparing security tokens
262 | * PHP 5.6+ has `hash_equals()` so call that if it exists
263 | * @param string $a
264 | * @param string $b
265 | * @return bool
266 | */
267 | function ssl_fix_hash_equals($a, $b) {
268 | 	// check for native function and use it preferentially
269 | 	if (function_exists('hash_equals')) {
270 | 		// phpcs:ignore PHPCompatibility.FunctionUse.NewFunctions.hash_equalsFound
271 | 		return hash_equals($a, $b);
272 | 	}
273 | 
274 | 	// need to do the comparison ourselves
275 | 	// @link https://php.net/manual/en/function.hash-hmac.php#111435
276 | 
277 | 	$len = strlen($a);
278 | 	if ($len !== strlen($b)) {
279 | 		return false;
280 | 	}
281 | 
282 | 	$status = 0;
283 | 	for ($i = 0; $i < $len; $i++) {
284 | 		$status |= ord($a[$i]) ^ ord($b[$i]);
285 | 	}
286 | 	return $status === 0;
287 | }
288 | 


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | # SSL Insecure Content Fixer #
 2 | 
 3 | Fix some common problems with insecure content on pages using SSL
 4 | 
 5 | * [Home](https://ssl.webaware.net.au/)
 6 | * [GitHub](https://github.com/webaware/ssl-insecure-content-fixer/)
 7 | * [Readme](https://github.com/webaware/ssl-insecure-content-fixer/blob/master/readme.txt)
 8 | * [Changelog](https://github.com/webaware/ssl-insecure-content-fixer/blob/master/changelog.md)
 9 | * [Download](https://wordpress.org/plugins/ssl-insecure-content-fixer/)
10 | * [Documentation](https://ssl.webaware.net.au/)
11 | * [Support](https://wordpress.org/support/plugin/ssl-insecure-content-fixer)
12 | * [Translate](https://translate.wordpress.org/projects/wp-plugins/ssl-insecure-content-fixer)
13 | * [Donate](https://shop.webaware.com.au/donations/?donation_for=SSL+Insecure+Content+Fixer)
14 | 


--------------------------------------------------------------------------------
/readme.txt:
--------------------------------------------------------------------------------
  1 | # SSL Insecure Content Fixer
  2 | Contributors: webaware
  3 | Plugin Name: SSL Insecure Content Fixer
  4 | Plugin URI: https://ssl.webaware.net.au/
  5 | Author URI: https://shop.webaware.com.au/
  6 | Donate link: https://shop.webaware.com.au/donations/?donation_for=SSL+Insecure+Content+Fixer
  7 | Tags: ssl, https, insecure content, partially encrypted, mixed content
  8 | Requires at least: 4.0
  9 | Tested up to: 5.3
 10 | Requires PHP: 5.3
 11 | Stable tag: 2.7.2
 12 | License: GPLv2 or later
 13 | License URI: https://www.gnu.org/licenses/gpl-2.0.html
 14 | 
 15 | Clean up WordPress website HTTPS insecure content
 16 | 
 17 | ## Description
 18 | 
 19 | Clean up your WordPress website's HTTPS insecure content and mixed content warnings. Installing the SSL Insecure Content Fixer plugin will solve most insecure content warnings with little or no effort. The remainder can be diagnosed with a few simple tools.
 20 | 
 21 | When you install SSL Insecure Content Fixer, its default settings are activated and it will automatically perform some basic fixes on your website using the Simple fix level. You can select more comprehensive fix levels as needed by your website.
 22 | 
 23 | WordPress Multisite gets a network settings page. This can be used to set default settings for all sites within a network, so that network administrators only need to specify settings on sites that have requirements differing from the network defaults.
 24 | 
 25 | See the [SSL Insecure Content Fixer website](https://ssl.webaware.net.au/) for more details.
 26 | 
 27 | ### Translations
 28 | 
 29 | Many thanks to the generous efforts of our translators:
 30 | 
 31 | * Bulgarian (bg_BG) -- [the Bulgarian translation team](https://translate.wordpress.org/locale/bg/default/wp-plugins/ssl-insecure-content-fixer)
 32 | * Chinese simplified (zh_CN) -- [the Chinese translation team](https://translate.wordpress.org/locale/zh-cn/default/wp-plugins/ssl-insecure-content-fixer)
 33 | * English (en_CA) -- [the English (Canadian) translation team](https://translate.wordpress.org/locale/en-ca/default/wp-plugins/ssl-insecure-content-fixer)
 34 | * English (en_GB) -- [the English (British) translation team](https://translate.wordpress.org/locale/en-gb/default/wp-plugins/ssl-insecure-content-fixer)
 35 | * English (en_ZA) -- [the English (South African) translation team](https://translate.wordpress.org/locale/en-za/default/wp-plugins/ssl-insecure-content-fixer)
 36 | * Dutch (nl_NL) -- [the Dutch translation team](https://translate.wordpress.org/locale/nl/default/wp-plugins/ssl-insecure-content-fixer)
 37 | * German (de_DE) -- [the German translation team](https://translate.wordpress.org/locale/de/default/wp-plugins/ssl-insecure-content-fixer)
 38 | * French (fr_FR) -- [the French translation team](https://translate.wordpress.org/locale/fr/default/wp-plugins/ssl-insecure-content-fixer)
 39 | * Italian (it_IT) -- [the Italian translation team](https://translate.wordpress.org/locale/it/default/wp-plugins/ssl-insecure-content-fixer)
 40 | * Japanese (ja) -- [the Japanese translation team](https://translate.wordpress.org/locale/ja/default/wp-plugins/ssl-insecure-content-fixer)
 41 | * Russian (ru_RU) -- [the Russian translation team](https://translate.wordpress.org/locale/ru/default/wp-plugins/ssl-insecure-content-fixer)
 42 | * Spanish (es_ES) -- [the Spanish translation team](https://translate.wordpress.org/locale/es/default/wp-plugins/ssl-insecure-content-fixer)
 43 | 
 44 | If you'd like to help out by translating this plugin, please [sign up for an account and dig in](https://translate.wordpress.org/projects/wp-plugins/ssl-insecure-content-fixer).
 45 | 
 46 | ### Privacy
 47 | 
 48 | SSL Insecure Content Fixer does not collect any personally identifying information, and does not set any cookies.
 49 | 
 50 | ## Installation
 51 | 
 52 | 1. Either install automatically through the WordPress admin, or download the .zip file, unzip to a folder, and upload the folder to your /wp-content/plugins/ directory. Read [Installing Plugins](https://codex.wordpress.org/Managing_Plugins#Installing_Plugins) in the WordPress Codex for details.
 53 | 2. Activate the plugin through the 'Plugins' menu in WordPress.
 54 | 
 55 | If your browser still reports insecure/mixed content, have a read of the [Cleaning Up page](https://ssl.webaware.net.au/cleaning-up-content/).
 56 | 
 57 | ## Frequently Asked Questions
 58 | 
 59 | ### How do I tell what is causing the insecure content / mixed content warnings?
 60 | 
 61 | Look in your web browser's error console.
 62 | 
 63 | * Google Chrome has a [JavaScript Console](https://developers.google.com/chrome-developer-tools/docs/console) in its developer tools
 64 | * FireFox has the [Web Console](https://developer.mozilla.org/en-US/docs/Tools/Web_Console) or [Firebug](http://getfirebug.com/)
 65 | * Internet Explorer has the [F12 Tools Console](https://msdn.microsoft.com/library/bg182326%28v=vs.85%29)
 66 | * Safari has the [Error Console](https://developer.apple.com/library/safari/documentation/AppleApplications/Conceptual/Safari_Developer_Guide/Introduction/Introduction.html)
 67 | 
 68 | NB: after you open your browser's console, refresh your page so that it tries to load the insecure content again and logs warnings to the error console.
 69 | 
 70 | [Why No Padlock?](https://www.whynopadlock.com/) has a really good online test tool for diagnosing HTTPS problems.
 71 | 
 72 | ### I get "insecure content" warnings from some of my content
 73 | 
 74 | You are probably loading content (such as images) with a URL that starts with "http:". Take that bit away, but leave the slashes, e.g. `//www.example.com/image.png`; your browser will load the content, using HTTPS when your page uses it. Better still, replace "http:" with "https:" so that it always uses https to load images, e.g. `https://www.example.com/image.png`.
 75 | 
 76 | If your page can be used outside a web browser, e.g. in emails or other non-web documents, then you should always use a protocol and it should probably be "https:" (since you have an SSL certificate). See [Cleaning up content](https://ssl.webaware.net.au/cleaning-up-content/) for more details.
 77 | 
 78 | ### My website is behind a load balancer or reverse proxy
 79 | 
 80 | If your website is behind a load balancer or other reverse proxy, and WordPress doesn't know when HTTPS is being used, you will need to select the appropriate [HTTPS detection settings](https://ssl.webaware.net.au/https-detection/). See my blog post, [WordPress is_ssl() doesn’t work behind some load balancers](https://snippets.webaware.com.au/snippets/wordpress-is_ssl-doesnt-work-behind-some-load-balancers/), for some details.
 81 | 
 82 | ### I get warnings about basic WordPress scripts like jquery.js
 83 | 
 84 | You are probably behind a reverse proxy -- see the FAQ above about load balancers / reverse proxies, and run the SSL Tests from the WordPress admin Tools menu.
 85 | 
 86 | ### I changed the HTTPS Detection settings and now I can't login
 87 | 
 88 | You probably have a conflict with another plugin that is also trying to fix HTTPS detection. Add this line to your wp-config.php file, above the lines about `ABSPATH`. You can then change this plugin back to default settings before proceeding.
 89 | 
 90 | `define('SSLFIX_PLUGIN_NO_HTTPS_DETECT', true);`
 91 | 
 92 | ### I still get "insecure content" warnings on my secure page
 93 | 
 94 | Post about it to [the support forum](https://wordpress.org/support/plugin/ssl-insecure-content-fixer), and be sure to include a link to the page. Posts without working links will probably be ignored.
 95 | 
 96 | ### You listed my plugin, but I've fixed it
 97 | 
 98 | Great! Tell me which plugin is yours and how to check for your new version, and I'll drop the "fix" from my next release.
 99 | 
100 | ## Upgrade Notice
101 | 
102 | ### 2.7.2
103 | 
104 | fixes some hard-coded link elements (e.g. stylesheets) when href is the first attribute
105 | 
106 | ## Changelog
107 | 
108 | The full changelog can be found [on GitHub](https://github.com/webaware/ssl-insecure-content-fixer/blob/master/changelog.md). Recent entries:
109 | 
110 | ### 2.7.2
111 | 
112 | Released 2018-12-04
113 | 
114 | * fixed: some hard-coded link elements (e.g. stylesheets) when href is the first attribute
115 | 


--------------------------------------------------------------------------------
/ssl-insecure-content-fixer.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /*
 3 | Plugin Name: SSL Insecure Content Fixer
 4 | Plugin URI: https://ssl.webaware.net.au/
 5 | Description: Clean up WordPress website HTTPS insecure content
 6 | Version: 2.7.2
 7 | Author: WebAware
 8 | Author URI: https://shop.webaware.com.au/
 9 | Text Domain: ssl-insecure-content-fixer
10 | */
11 | 
12 | /*
13 | copyright (c) 2012-2018 WebAware Pty Ltd (email : support@webaware.com.au)
14 | 
15 | This program is free software; you can redistribute it and/or
16 | modify it under the terms of the GNU General Public License
17 | as published by the Free Software Foundation; either version 2
18 | of the License, or (at your option) any later version.
19 | 
20 | This program is distributed in the hope that it will be useful,
21 | but WITHOUT ANY WARRANTY; without even the implied warranty of
22 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
23 | GNU General Public License for more details.
24 | 
25 | You should have received a copy of the GNU General Public License
26 | along with this program; if not, write to the Free Software
27 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
28 | */
29 | 
30 | 
31 | if (!defined('ABSPATH')) {
32 | 	exit;
33 | }
34 | 
35 | define('SSLFIX_PLUGIN_FILE', __FILE__);
36 | define('SSLFIX_PLUGIN_ROOT', dirname(__FILE__) . '/');
37 | define('SSLFIX_PLUGIN_NAME', basename(dirname(__FILE__)) . '/' . basename(__FILE__));
38 | define('SSLFIX_PLUGIN_VERSION', '2.7.2');
39 | define('SSLFIX_PLUGIN_OPTIONS', 'ssl_insecure_content_fixer');
40 | 
41 | require SSLFIX_PLUGIN_ROOT . 'includes/class.SSLInsecureContentFixer.php';
42 | SSLInsecureContentFixer::getInstance();
43 | 
44 | 
45 | /**
46 | * replace http: URL with https: URL
47 | * @param string $url
48 | * @return string
49 | */
50 | function ssl_insecure_content_fix_url($url) {
51 | 	// only fix if source URL starts with http://
52 | 	if (stripos($url, 'http://') === 0) {
53 | 		$url = 'https' . substr($url, 4);
54 | 	}
55 | 
56 | 	return $url;
57 | }
58 | 


--------------------------------------------------------------------------------
/views/requires-extensions.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if (!defined('ABSPATH')) {
 3 | 	exit;
 4 | }
 5 | ?>
 6 | 
 7 | <div class="notice notice-error">
 8 | 	<p><?php _e('SSL Insecure Content Fixer requires these missing PHP extensions. Please contact your website host to have these extensions installed.', 'ssl-insecure-content-fixer'); ?></p>
 9 | 	<ul style="padding-left: 2em">
10 | 		<?php foreach ($missing as $ext): ?>
11 | 		<li style="list-style-type:disc"><?php echo esc_html($ext); ?></li>
12 | 		<?php endforeach; ?>
13 | 	</ul>
14 | </div>
15 | 


--------------------------------------------------------------------------------
/views/requires-pcre.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if (!defined('ABSPATH')) {
 3 | 	exit;
 4 | }
 5 | ?>
 6 | 
 7 | <div class="notice notice-error">
 8 | 	<p><?php printf(__('SSL Insecure Content Fixer requires <a target="_blank" rel="noopener" href="%1$s">PCRE</a> version %2$s or higher; your website has PCRE version %3$s', 'ssl-insecure-content-fixer'),
 9 | 		'https://secure.php.net/manual/en/book.pcre.php', esc_html($pcre_min), esc_html(PCRE_VERSION)); ?></p>
10 | </div>
11 | 


--------------------------------------------------------------------------------
/views/script-force-https.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if (!defined('ABSPATH')) {
 3 | 	exit;
 4 | }
 5 | ?>
 6 | 
 7 | <script>
 8 | if (document.location.protocol != "https:") {
 9 |     document.location = document.URL.replace(/^http:/i, "https:");
10 | }
11 | </script>
12 | 


--------------------------------------------------------------------------------
/views/settings-fields-common.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | if (!defined('ABSPATH')) {
  3 | 	exit;
  4 | }
  5 | ?>
  6 | 
  7 | <tr valign="top">
  8 | 	<th scope="row"><?php esc_html_e('Fix insecure content', 'ssl-insecure-content-fixer'); ?></th>
  9 | 	<td id="sslfix-levels">
 10 | 		<p><em><?php esc_html_e('Select the level of fixing. Try the Simple level first, it has the least impact on your website performance.', 'ssl-insecure-content-fixer'); ?></em></p>
 11 | 		<ul>
 12 | 
 13 | 			<li>
 14 | 				<input type="radio" name="ssl_insecure_content_fixer[fix_level]" id="fix_level_off" value="off" <?php checked($options['fix_level'], 'off'); ?> />
 15 | 				<label for="fix_level_off"><?php echo esc_html_x('Off', 'fix level settings', 'ssl-insecure-content-fixer'); ?></label>
 16 | 				<p class="sslfix-level-desc"><?php echo esc_html_x('No insecure content will be fixed', 'fix level settings', 'ssl-insecure-content-fixer'); ?></p>
 17 | 			</li>
 18 | 
 19 | 			<li>
 20 | 				<input type="radio" name="ssl_insecure_content_fixer[fix_level]" id="fix_level_simple" value="simple" <?php checked($options['fix_level'], 'simple'); ?> />
 21 | 				<label for="fix_level_simple"><?php echo esc_html_x('Simple', 'fix level settings', 'ssl-insecure-content-fixer'); ?></label>
 22 | 				<p class="sslfix-level-desc"><?php echo esc_html_x('The fastest method with the least impact on website performance', 'fix level settings', 'ssl-insecure-content-fixer'); ?></p>
 23 | 				<ul class="sslfix-bullets">
 24 | 					<li><?php echo _x('scripts registered using <code>wp_register_script()</code> or <code>wp_enqueue_script()</code>', 'fix level settings', 'ssl-insecure-content-fixer'); ?></li>
 25 | 					<li><?php echo _x('stylesheets registered using <code>wp_register_style()</code> or <code>wp_enqueue_style()</code>', 'fix level settings', 'ssl-insecure-content-fixer'); ?></li>
 26 | 					<li><?php echo _x('images and other media loaded by calling <code>wp_get_attachment_image()</code>, <code>wp_get_attachment_image_src()</code>, etc.', 'fix level settings', 'ssl-insecure-content-fixer'); ?></li>
 27 | 					<li><?php echo _x('data returned from <code>wp_upload_dir()</code> (e.g. for some CAPTCHA images)', 'fix level settings', 'ssl-insecure-content-fixer'); ?></li>
 28 | 					<li><?php echo esc_html_x('images loaded by the plugin Image Widget', 'fix level settings', 'ssl-insecure-content-fixer'); ?></li>
 29 | 				</ul>
 30 | 			</li>
 31 | 
 32 | 			<li>
 33 | 				<input type="radio" name="ssl_insecure_content_fixer[fix_level]" id="fix_level_content" value="content" <?php checked($options['fix_level'], 'content'); ?> />
 34 | 				<label for="fix_level_content"><?php echo esc_html_x('Content', 'fix level settings', 'ssl-insecure-content-fixer'); ?></label>
 35 | 				<p class="sslfix-level-desc"><?php echo esc_html_x('Everything that Simple does, plus:', 'fix level settings', 'ssl-insecure-content-fixer'); ?></p>
 36 | 				<ul class="sslfix-bullets">
 37 | 					<li><?php echo esc_html_x('resources in the page content', 'fix level settings', 'ssl-insecure-content-fixer'); ?></li>
 38 | 					<li><?php echo esc_html_x('resources in "Text" widgets', 'fix level settings', 'ssl-insecure-content-fixer'); ?></li>
 39 | 				</ul>
 40 | 			</li>
 41 | 
 42 | 			<li>
 43 | 				<input type="radio" name="ssl_insecure_content_fixer[fix_level]" id="fix_level_widgets" value="widgets" <?php checked($options['fix_level'], 'widgets'); ?> />
 44 | 				<label for="fix_level_widgets"><?php echo esc_html_x('Widgets', 'fix level settings', 'ssl-insecure-content-fixer'); ?></label>
 45 | 				<p class="sslfix-level-desc"><?php echo esc_html_x('Everything that Content does, plus:', 'fix level settings', 'ssl-insecure-content-fixer'); ?></p>
 46 | 				<ul class="sslfix-bullets">
 47 | 					<li><?php echo esc_html_x('resources in any widgets', 'fix level settings', 'ssl-insecure-content-fixer'); ?></li>
 48 | 				</ul>
 49 | 			</li>
 50 | 
 51 | 			<li>
 52 | 				<input type="radio" name="ssl_insecure_content_fixer[fix_level]" id="fix_level_capture" value="capture" <?php checked($options['fix_level'], 'capture'); ?> />
 53 | 				<label for="fix_level_capture"><?php echo esc_html_x('Capture', 'fix level settings', 'ssl-insecure-content-fixer'); ?></label>
 54 | 				<p class="sslfix-level-desc"><?php echo esc_html_x('Everything on the page, from the header to the footer:', 'fix level settings', 'ssl-insecure-content-fixer'); ?></p>
 55 | 				<ul class="sslfix-bullets">
 56 | 					<li><?php echo esc_html_x('capture the whole page and fix scripts, stylesheets, and other resources', 'fix level settings', 'ssl-insecure-content-fixer'); ?></li>
 57 | 					<li><?php echo esc_html_x('excludes AJAX calls, to prevent some compatibility and performance problems', 'fix level settings', 'ssl-insecure-content-fixer'); ?></li>
 58 | 				</ul>
 59 | 			</li>
 60 | 
 61 | 			<li>
 62 | 				<input type="radio" name="ssl_insecure_content_fixer[fix_level]" id="fix_level_capture_all" value="capture_all" <?php checked($options['fix_level'], 'capture_all'); ?> />
 63 | 				<label for="fix_level_capture_all"><?php echo esc_html_x('Capture All', 'fix level settings', 'ssl-insecure-content-fixer'); ?></label>
 64 | 				<p class="sslfix-level-desc"><?php echo esc_html_x('The biggest potential to break things, but sometimes necessary', 'fix level settings', 'ssl-insecure-content-fixer'); ?></p>
 65 | 				<ul class="sslfix-bullets">
 66 | 					<li><?php echo esc_html_x('capture the whole page and fix scripts, stylesheets, and other resources', 'fix level settings', 'ssl-insecure-content-fixer'); ?></li>
 67 | 					<li><?php echo esc_html_x('includes AJAX calls, which can cause compatibility and performance problems', 'fix level settings', 'ssl-insecure-content-fixer'); ?></li>
 68 | 				</ul>
 69 | 			</li>
 70 | 
 71 | 		</ul>
 72 | 	</td>
 73 | </tr>
 74 | 
 75 | <tr valign="top">
 76 | 	<th scope="row"><?php echo esc_html_x('Fixes for specific plugins and themes', 'plugin fix settings', 'ssl-insecure-content-fixer'); ?></th>
 77 | 	<td>
 78 | 		<p><em><?php echo esc_html_x('Select only the fixes your website needs.', 'plugin fix settings', 'ssl-insecure-content-fixer'); ?></em></p>
 79 | 		<ul>
 80 | 			<li>
 81 | 				<input type="checkbox" name="ssl_insecure_content_fixer[fix_specific][lcpwp]" id="fix_specific_lcpwp" value="1" <?php checked(!empty($options['fix_specific']['lcpwp'])); ?> />
 82 | 				<label for="fix_specific_lcpwp">List category posts with pagination</label>
 83 | 			</li>
 84 | 			<li>
 85 | 				<input type="checkbox" name="ssl_insecure_content_fixer[fix_specific][woo_https]" id="fix_specific_woo_https" value="1" <?php checked(!empty($options['fix_specific']['woo_https'])); ?> />
 86 | 				<label for="fix_specific_woo_https"><?php echo esc_html_x('WooCommerce  + Google Chrome HTTP_HTTPS bug (fixed in WooCommerce v2.3.13)', 'plugin fix settings', 'ssl-insecure-content-fixer'); ?></label>
 87 | 			</li>
 88 | 		</ul>
 89 | 	</td>
 90 | </tr>
 91 | 
 92 | <tr valign="top">
 93 | 	<th scope="row"><?php echo esc_html_x('Ignore external sites', 'ignore external settings', 'ssl-insecure-content-fixer'); ?></th>
 94 | 	<td>
 95 | 		<p><em><?php echo esc_html_x('Select only if you wish to leave content pointing to external sites as http', 'ignore external settings', 'ssl-insecure-content-fixer'); ?></em></p>
 96 | 		<ul>
 97 | 			<li>
 98 | 				<input type="checkbox" name="ssl_insecure_content_fixer[site_only]" id="site_only" value="1" <?php checked(!empty($options['site_only'])); ?> />
 99 | 				<label for="site_only"><?php echo esc_html_x('Only fix content pointing to this WordPress site', 'ignore external settings', 'ssl-insecure-content-fixer'); ?></label>
100 | 			</li>
101 | 		</ul>
102 | 	</td>
103 | </tr>
104 | 
105 | <tr valign="top">
106 | 	<th scope="row"><?php echo esc_html_x('HTTPS detection', 'proxy settings', 'ssl-insecure-content-fixer'); ?><i id="sslfix-https-detection" aria-hidden="true"></i></th>
107 | 	<td>
108 | 		<p><em><?php echo esc_html_x('Select how WordPress should detect that a page is loaded via HTTPS', 'proxy settings', 'ssl-insecure-content-fixer'); ?></em></p>
109 | 		<p><?php
110 | 		$proxies = array(
111 | 			/* translators: standard WordPress function means no reverse proxy, just plain website access */
112 | 			'normal'							=> _x('standard WordPress function', 'proxy settings', 'ssl-insecure-content-fixer'),
113 | 			'HTTP_X_FORWARDED_PROTO'			=> _x('HTTP_X_FORWARDED_PROTO (e.g. load balancer, reverse proxy, NginX)', 'proxy settings', 'ssl-insecure-content-fixer'),
114 | 			'HTTP_X_FORWARDED_SSL'				=> _x('HTTP_X_FORWARDED_SSL (e.g. reverse proxy)', 'proxy settings', 'ssl-insecure-content-fixer'),
115 | 			'HTTP_CLOUDFRONT_FORWARDED_PROTO'	=> _x('HTTP_CLOUDFRONT_FORWARDED_PROTO (Amazon CloudFront HTTPS cached content)', 'proxy settings', 'ssl-insecure-content-fixer'),
116 | 			'HTTP_X_FORWARDED_SCHEME'			=> _x('HTTP_X_FORWARDED_SCHEME (e.g. KeyCDN)', 'proxy settings', 'ssl-insecure-content-fixer'),
117 | 			'HTTP_X_ARR_SSL'					=> _x('HTTP_X_ARR_SSL (Windows Azure ARR)', 'proxy settings', 'ssl-insecure-content-fixer'),
118 | 			'HTTP_CF_VISITOR'					=> _x('HTTP_CF_VISITOR (Cloudflare Flexible SSL); deprecated, since Cloudflare sends HTTP_X_FORWARDED_PROTO now', 'proxy settings', 'ssl-insecure-content-fixer'),
119 | 			'detect_fail'						=> _x('unable to detect HTTPS', 'proxy settings', 'ssl-insecure-content-fixer'),
120 | 		);
121 | 
122 | 		foreach ($proxies as $value => $label) {
123 | 			$id = "proxy_fix_{$value}";
124 | 
125 | 			?><input type="radio" name="ssl_insecure_content_fixer[proxy_fix]" id="<?php echo esc_attr($id); ?>"
126 | 				value="<?php echo esc_attr($value); ?>" <?php checked($options['proxy_fix'], $value); ?> />
127 | 			<label for="<?php echo esc_attr($id); ?>"><?php echo esc_html($label); ?></label><br /><?php
128 | 
129 | 		}
130 | 		?></p>
131 | 	</td>
132 | </tr>
133 | 
134 | 


--------------------------------------------------------------------------------
/views/settings-form-network.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | // settings form for single site / blog
 3 | 
 4 | if (!defined('ABSPATH')) {
 5 | 	exit;
 6 | }
 7 | ?>
 8 | 
 9 | <div class="wrap">
10 | 
11 | 	<h1><?php
12 | 		/* translators: heading for multisite network admin settings */
13 | 		esc_html_e('SSL Insecure Content Fixer multisite network settings', 'ssl-insecure-content-fixer');
14 | 	?></h1>
15 | 
16 | 	<p><?php esc_html_e('These settings affect all sites on this network that have not been set individually.', 'ssl-insecure-content-fixer'); ?></p>
17 | 
18 | 	<?php settings_errors(SSLFIX_PLUGIN_OPTIONS); ?>
19 | 
20 | 	<form action="<?php echo esc_url(network_admin_url('settings.php?page=ssl-insecure-content-fixer')); ?>" method="POST">
21 | 		<?php wp_nonce_field('settings', 'sslfix_nonce'); ?>
22 | 
23 | 		<table class="form-table">
24 | 
25 | 			<?php require SSLFIX_PLUGIN_ROOT . 'views/settings-fields-common.php'; ?>
26 | 
27 | 		</table>
28 | 
29 | 		<?php submit_button(); ?>
30 | 	</form>
31 | 
32 | </div>
33 | 


--------------------------------------------------------------------------------
/views/settings-form.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | // settings form for single site / blog
 3 | 
 4 | if (!defined('ABSPATH')) {
 5 | 	exit;
 6 | }
 7 | ?>
 8 | 
 9 | <div class="wrap">
10 | 
11 | 	<h1><?php esc_html_e('SSL Insecure Content Fixer settings', 'ssl-insecure-content-fixer'); ?></h1>
12 | 
13 | 	<form action="<?php echo esc_url(admin_url('options.php')); ?>" method="POST">
14 | 		<?php settings_fields(SSLFIX_PLUGIN_OPTIONS); ?>
15 | 
16 | 		<table class="form-table">
17 | 
18 | 			<?php require SSLFIX_PLUGIN_ROOT . 'views/settings-fields-common.php'; ?>
19 | 
20 | 		</table>
21 | 
22 | 		<?php submit_button(); ?>
23 | 	</form>
24 | 
25 | </div>
26 | 


--------------------------------------------------------------------------------
/views/ssl-tests.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | // settings form
 3 | 
 4 | if (!defined('ABSPATH')) {
 5 | 	exit;
 6 | }
 7 | ?>
 8 | 
 9 | <div class="wrap">
10 | 
11 | 	<h1><?php esc_html_e('SSL Insecure Content Fixer tests', 'ssl-insecure-content-fixer'); ?></h1>
12 | 
13 | 	<p><?php esc_html_e('This page checks to see whether WordPress can detect HTTPS.', 'ssl-insecure-content-fixer'); ?></p>
14 | 
15 | 	<div id="sslfix-loading">
16 | 		<p><?php esc_html_e('Running tests...', 'ssl-insecure-content-fixer'); ?>
17 | 		<img src="<?php echo esc_url(plugins_url('images/ajax-loader.gif', SSLFIX_PLUGIN_FILE)); ?>" aria-hidden="true" />
18 | 		</p>
19 | 	</div>
20 | 
21 | 	<h2 id="sslfix-test-result-head" aria-hidden="true"><?php esc_html_e('Tests completed.', 'ssl-insecure-content-fixer'); ?><i id="sslfix-https-detection"></i></h2>
22 | 
23 | 	<div class="sslfix-test-result" id="sslfix-normal" aria-hidden="true">
24 | 		<p><?php printf(esc_html__('Your server can detect HTTPS normally. The recommended setting for HTTPS detection is %s.', 'ssl-insecure-content-fixer'), sprintf('<strong>%s</strong>', _x('standard WordPress function', 'proxy settings', 'ssl-insecure-content-fixer'))); ?></p>
25 | 	</div>
26 | 
27 | 	<div class="sslfix-test-result" id="sslfix-HTTP_X_FORWARDED_PROTO" aria-hidden="true">
28 | 		<p><?php printf(esc_html__('It looks like your server is behind a reverse proxy. The recommended setting for HTTPS detection is %s.', 'ssl-insecure-content-fixer'), '<strong>HTTP_X_FORWARDED_PROTO</strong>'); ?></p>
29 | 	</div>
30 | 
31 | 	<div class="sslfix-test-result" id="sslfix-HTTP_X_FORWARDED_SSL" aria-hidden="true">
32 | 		<p><?php printf(esc_html__('It looks like your server is behind a reverse proxy. The recommended setting for HTTPS detection is %s.', 'ssl-insecure-content-fixer'), '<strong>HTTP_X_FORWARDED_SSL</strong>'); ?></p>
33 | 	</div>
34 | 
35 | 	<div class="sslfix-test-result" id="sslfix-HTTP_X_FORWARDED_SCHEME" aria-hidden="true">
36 | 		<p><?php printf(esc_html__('It looks like your server is behind a reverse proxy. The recommended setting for HTTPS detection is %s.', 'ssl-insecure-content-fixer'), '<strong>HTTP_X_FORWARDED_SCHEME</strong>'); ?></p>
37 | 	</div>
38 | 
39 | 	<div class="sslfix-test-result" id="sslfix-HTTP_CLOUDFRONT_FORWARDED_PROTO" aria-hidden="true">
40 | 		<p><?php printf(esc_html__('It looks like your server is behind Amazon CloudFront, not configured to send HTTP_X_FORWARDED_PROTO. The recommended setting for HTTPS detection is %s.', 'ssl-insecure-content-fixer'), '<strong>HTTP_CLOUDFRONT_FORWARDED_PROTO</strong>'); ?></p>
41 | 	</div>
42 | 
43 | 	<div class="sslfix-test-result" id="sslfix-HTTP_X_ARR_SSL" aria-hidden="true">
44 | 		<p><?php printf(esc_html__('It looks like your server is behind Windows Azure ARR. The recommended setting for HTTPS detection is %s.', 'ssl-insecure-content-fixer'), '<strong>HTTP_X_ARR_SSL</strong>'); ?></p>
45 | 	</div>
46 | 
47 | 	<?php /* TODO: remove this when removing deprecated HTTP_CF_VISITOR setting */ ?>
48 | 	<div class="sslfix-test-result" id="sslfix-HTTP_CF_VISITOR" aria-hidden="true">
49 | 		<p><?php printf(esc_html__('It looks like your server uses Cloudflare Flexible SSL. The recommended setting for HTTPS detection is %s.', 'ssl-insecure-content-fixer'), '<strong>HTTP_CF_VISITOR</strong>'); ?></p>
50 | 	</div>
51 | 
52 | 	<div class="sslfix-test-result" id="sslfix-detect_fail" aria-hidden="true">
53 | 		<p><?php printf(esc_html__('Your server cannot detect HTTPS. The recommended setting for HTTPS detection is %s.', 'ssl-insecure-content-fixer'), sprintf('<strong>%s</strong>', _x('unable to detect HTTPS', 'proxy settings', 'ssl-insecure-content-fixer'))); ?></p>
54 | 		<p><?php printf(__('If you know of a way to detect HTTPS on your server, please <a href="%s" target="_blank" rel="noopener">tell me about it</a>.', 'ssl-insecure-content-fixer'), 'https://shop.webaware.com.au/support/'); ?></p>
55 | 	</div>
56 | 
57 | 	<div class="sslfix-test-result" id="sslfix-environment" aria-hidden="true">
58 | 		<p><?php esc_html_e('Your server environment shows this:', 'ssl-insecure-content-fixer'); ?></p>
59 | 		<pre></pre>
60 | 	</div>
61 | 
62 | </div>
63 | 


--------------------------------------------------------------------------------