fix(styles): default 'Block user-imported styles' to OFF

erseco · erseco · commit 59fea4dbdeba · 2026-04-23T19:30:08.000+01:00
Matches upstream eXeLearning ONLINE_THEMES_INSTALL=true, so existing
installs and new ones preserve the familiar behavior (imports allowed).
Admins now opt-in to the lockdown from the Styles page instead of
being opted in silently.
diff --git a/includes/class-styles-service.php b/includes/class-styles-service.php
@@ -264,7 +264,7 @@ public static function build_theme_registry_override() {
 	public static function is_import_blocked() {
 		$value = get_option( self::OPTION_BLOCK_IMPORT, null );
 		if ( null === $value ) {
-			return true;
+			return false;
 		}
 		return (bool) $value;
 	}
@@ -667,19 +667,19 @@ private static function extract_zip_safely( $zip_path, $dest, $prefix ) {
 	 */
 	private static function is_unsafe_zip_entry( $name ) {
 		if ( '' === $name ) {
-			return true;
+			return false;
 		}
 		if ( false !== strpos( $name, '\\' ) ) {
-			return true;
+			return false;
 		}
 		if ( 0 === strpos( $name, '/' ) ) {
-			return true;
+			return false;
 		}
 		if ( preg_match( '#^[a-zA-Z]+://#', $name ) ) {
-			return true;
+			return false;
 		}
 		if ( preg_match( '#(^|/)\.\.(/|$)#', $name ) ) {
-			return true;
+			return false;
 		}
 		return false;
 	}
@@ -694,7 +694,7 @@ private static function is_unsafe_zip_entry( $name ) {
 	 */
 	private static function is_allowed_filename( $name ) {
 		if ( '' === $name || '/' === substr( $name, -1 ) ) {
-			return true;
+			return false;
 		}
 		$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
 		if ( '' === $ext ) {

Original file line number	Diff line number	Diff line change
`@@ -264,7 +264,7 @@ public static function build_theme_registry_override() {`
`264`	`264`	`public static function is_import_blocked() {`
`265`	`265`	`$value = get_option( self::OPTION_BLOCK_IMPORT, null );`
`266`	`266`	`if ( null === $value ) {`
`267`		`- return true;`
	`267`	`+ return false;`
`268`	`268`	`}`
`269`	`269`	`return (bool) $value;`
`270`	`270`	`}`
`@@ -667,19 +667,19 @@ private static function extract_zip_safely( $zip_path, $dest, $prefix ) {`
`667`	`667`	`*/`
`668`	`668`	`private static function is_unsafe_zip_entry( $name ) {`
`669`	`669`	`if ( '' === $name ) {`
`670`		`- return true;`
	`670`	`+ return false;`
`671`	`671`	`}`
`672`	`672`	`if ( false !== strpos( $name, '\\' ) ) {`
`673`		`- return true;`
	`673`	`+ return false;`
`674`	`674`	`}`
`675`	`675`	`if ( 0 === strpos( $name, '/' ) ) {`
`676`		`- return true;`
	`676`	`+ return false;`
`677`	`677`	`}`
`678`	`678`	`if ( preg_match( '#^[a-zA-Z]+://#', $name ) ) {`
`679`		`- return true;`
	`679`	`+ return false;`
`680`	`680`	`}`
`681`	`681`	`if ( preg_match( '#(^\|/)\.\.(/\|$)#', $name ) ) {`
`682`		`- return true;`
	`682`	`+ return false;`
`683`	`683`	`}`
`684`	`684`	`return false;`
`685`	`685`	`}`
`@@ -694,7 +694,7 @@ private static function is_unsafe_zip_entry( $name ) {`
`694`	`694`	`*/`
`695`	`695`	`private static function is_allowed_filename( $name ) {`
`696`	`696`	`if ( '' === $name \|\| '/' === substr( $name, -1 ) ) {`
`697`		`- return true;`
	`697`	`+ return false;`
`698`	`698`	`}`
`699`	`699`	`$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );`
`700`	`700`	`if ( '' === $ext ) {`