@majick777
Created August 24, 2023 12:29
Clean All Script Tags from Posts
<?php
// ================================
// CLEAN ALL SCRIPT TAGS FROM POSTS
// ================================
//
// Usage: Drop this file in your /wp-content/mu-plugins/ folder.
//
// Any post or page that contains a script tag will have it removed automatically.
// This helps prevent re-infection while hardening your site security.
// You can also run a querystring URL to loop and remove from all posts/pages.
//
// It's bad practice to have script tags in your post content anyway, so this
// treats every script tag as malware (eg. one injected via MySQL injection) and removes it.
// If you do keep scripts in post content, DO NOT USE this until you have manually
// moved your own scripts out of any post content into a separately enqueued file.
// --- post types to clean ---
// Slugs of the post types whose content is scanned for script tags;
// append custom post type slugs to this list if and as needed.
$GLOBALS['clean_post_types'] = array( 'post', 'page' );
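// ----------------------
// Clean All Post Scripts
// ----------------------
// Usage: while logged in as an administrator, append /?clean-post-scripts=1 to your site's URL
// Caution: always backup your database before running bulk edits like this!
add_action( 'init', 'clean_all_post_scripts' );

/**
 * Bulk-remove script tags from every post of the configured post types.
 *
 * Hooked on 'init' and triggered by the 'clean-post-scripts=1' request
 * parameter. The run rewrites post rows in bulk, so it is limited to users
 * holding the 'manage_options' capability; without that check any visitor
 * could start a site-wide database rewrite just by requesting the URL.
 * The request carries no nonce, so a logged-in administrator following a
 * crafted link would also start a run; add a nonce check if that matters
 * for your site.
 *
 * Prints a plain-text report of the query and of each cleaned post ID, then
 * ends the request.
 *
 * @return void Returns early when not triggered or not permitted, otherwise exits.
 */
function clean_all_post_scripts() {
	global $wpdb, $clean_post_types;

	// Only act on the explicit trigger parameter.
	if ( ! isset( $_REQUEST['clean-post-scripts'] ) || '1' !== $_REQUEST['clean-post-scripts'] ) {
		return;
	}

	// Bulk edits are an administrator action: ignore the trigger for everyone else.
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}

	if ( ! is_array( $clean_post_types ) || count( $clean_post_types ) < 1 ) {
		return;
	}

	// Normalise the configured slugs and drop empty entries.
	$post_types = array();
	foreach ( $clean_post_types as $clean_post_type ) {
		$clean_post_type = sanitize_text_field( $clean_post_type );
		if ( '' !== $clean_post_type ) {
			$post_types[] = $clean_post_type;
		}
	}
	if ( count( $post_types ) < 1 ) {
		return;
	}

	// Bind the slugs through prepare() instead of concatenating them into the SQL string.
	$placeholders = implode( ',', array_fill( 0, count( $post_types ), '%s' ) );
	$query        = $wpdb->prepare(
		"SELECT ID, post_content FROM {$wpdb->posts} WHERE post_type IN ({$placeholders})",
		$post_types
	);
	echo esc_html( $query ) . '<br>';

	$results = $wpdb->get_results( $query, ARRAY_A );
	$found   = 0;

	if ( is_array( $results ) && count( $results ) > 0 ) {
		foreach ( $results as $result ) {
			$post_id = (int) $result['ID'];
			$content = clean_post_content_script( $result['post_content'] );

			// Strict comparison: loose != can treat two different numeric-looking strings as equal.
			if ( $content !== $result['post_content'] ) {
				$update = $wpdb->update(
					$wpdb->posts,
					array( 'post_content' => $content ),
					array( 'ID' => $post_id )
				);

				// The row was written directly, so drop any cached copy of the post.
				clean_post_cache( $post_id );

				echo 'Found and removed script in post ID ' . $post_id . ': ' . esc_html( (string) $update ) . '<br>';
				$found++;
			}
		}
		echo '<br>Checked ' . count( $results ) . ' posts. Found and removed script tag in ' . $found . ' posts.';
	}

	exit;
}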
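// -----------------------------------
// Clean Script Tags from Current Post
// -----------------------------------
add_action( 'wp', 'clean_post_content_scripts', 1 );

/**
 * Strip script tags from the post being viewed and persist the cleaned content.
 *
 * Runs on the 'wp' action for singular front-end views of the configured
 * post types. When clean_post_content_script() changes the content, the post
 * is saved with wp_update_post() and the global $post is reloaded so the rest
 * of the request works with the cleaned copy.
 *
 * NOTE(review): the save is triggered by whoever views the post, so it runs
 * with that visitor's capabilities; WordPress's own content-save filtering
 * may then alter other markup as well. Confirm this on a staging copy.
 *
 * @return void
 */
function clean_post_content_scripts() {
	global $post, $clean_post_types;

	if ( ! is_object( $post ) || ! is_singular() || is_admin() ) {
		return;
	}

	// Guard the config the same way the bulk cleaner does; in_array() on a non-array is an error.
	if ( ! is_array( $clean_post_types ) || ! in_array( $post->post_type, $clean_post_types, true ) ) {
		return;
	}

	$content = clean_post_content_script( $post->post_content );
	if ( $content === $post->post_content ) {
		return;
	}

	// wp_update_post() expects slashed data; without wp_slash() any backslashes
	// in the remaining content would be stripped by the save.
	$args = array(
		'ID'           => $post->ID,
		'post_content' => wp_slash( $content ),
	);
	wp_update_post( $args );

	$post = get_post( $post->ID );
}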
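// ------------------------------
// Clean Script Tags from Content
// ------------------------------
/**
 * Remove every script element from a content string.
 *
 * Each pass finds the first case-insensitive '<script', then removes from
 * there through the end of the matching close tag. The close tag is matched
 * as '</script' followed by the next '>', so variants such as '</script >'
 * are recognised. With no close tag, only the opening tag (through its '>')
 * is removed; with no '>' at all, just the leading '<' is dropped so the
 * remainder can no longer be parsed as a tag. The loop repeats until no
 * '<script' is left, which also covers a tag that is re-formed once an inner
 * one has been removed.
 *
 * Only script elements are handled. Other active content (inline
 * event-handler attributes, javascript: URLs, iframes and the like) is left
 * in place; use a whitelist filter such as wp_kses_post() if that matters.
 *
 * @param string $content Raw post content.
 * @return string Content with script elements removed.
 */
function clean_post_content_script( $content ) {
	$content  = (string) $content;
	$tag_open = '<script';

	while ( false !== ( $pos = stripos( $content, $tag_open ) ) ) {
		// substr() rather than str_split(): a tag at offset 0 would ask
		// str_split() for zero-length chunks, which is an error.
		$before    = substr( $content, 0, $pos );
		$remainder = substr( $content, $pos );

		// Prefer the end of the closing tag; fall back to the end of the opening tag.
		$close = stripos( $remainder, '</script' );
		$end   = ( false !== $close ) ? strpos( $remainder, '>', $close ) : false;
		if ( false === $end ) {
			$end = strpos( $remainder, '>' );
		}

		// No '>' anywhere: drop only the '<'. At least one byte is removed
		// on every pass, so the loop always terminates.
		$cut = ( false === $end ) ? 1 : $end + 1;

		$content = $before . substr( $remainder, $cut );
	}

	return $content;
}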