[MAILPOET-3408]

This commit is contained in:
Pavel Dohnal
2021-02-08 13:24:36 +01:00
committed by Veljko V
parent c81d23aafb
commit 5b5e01465c
4 changed files with 19 additions and 4 deletions


@ -33,6 +33,11 @@ class BlockRendererHelper {
$rules['error-message'] = __('Please specify a valid email address.', 'mailpoet');
}
if (($block['id'] === 'first_name') || ($block['id'] === 'last_name')) {
$rules['pattern'] = "^[^<>]*$";
$rules['error-message'] = __('Please specify a valid name', 'mailpoet');
}
if ($block['id'] === 'segments') {
$rules['required'] = true;
$rules['mincheck'] = 1;
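Review bot: The `^[^<>]*$` pattern assigned at the first new `$rules['pattern']` line is only emitted as a data-parsley-pattern attribute (the ManageSubscriptionFormRendererTest change in this commit asserts exactly that), so it constrains the browser-side validator and nothing in this hunk shows the same rule being applied where the submitted name is stored; the htmlspecialchars() added in Subscriber remains the effective control, and a server-side rejection of names containing `<` or `>` would make the two layers agree. The new error message also drops the trailing period the email message above it uses: `$rules['error-message'] = __('Please specify a valid name.', 'mailpoet');`. Nothing is interpolated in the pattern, so single quotes read more clearly: `$rules['pattern'] = '^[^<>]*$';`. The enclosing method starts and ends outside the hunk.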


@ -42,9 +42,9 @@ class Subscriber implements CategoryInterface {
'';
switch ($shortcodeDetails['action']) {
case 'firstname':
return (!empty($subscriber->getFirstName())) ? $subscriber->getFirstName() : $defaultValue;
return (!empty($subscriber->getFirstName())) ? htmlspecialchars($subscriber->getFirstName()) : $defaultValue;
case 'lastname':
return !empty($subscriber->getLastName()) ? $subscriber->getLastName() : $defaultValue;
return !empty($subscriber->getLastName()) ? htmlspecialchars($subscriber->getLastName()) : $defaultValue;
case 'email':
return $subscriber->getEmail();
case 'displayname':
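Review bot: The two new `htmlspecialchars(...)` calls rely on the default flags, which on PHP versions before 8.1 are ENT_COMPAT without ENT_SUBSTITUTE, so a single quote in a name is left unescaped and a name with an invalid UTF-8 sequence can come back as an empty string; pass the flags explicitly, e.g. `htmlspecialchars($subscriber->getFirstName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and the same for the last-name branch. Each branch also calls the getter twice; binding it to a local first avoids the repeated call and keeps the escaped and tested value the same. If these shortcodes are also rendered into the plain-text part of an email, the entities will appear literally there — worth confirming against the callers, which are not visible here. The switch begins before the hunk and continues past it.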


@ -188,6 +188,16 @@ class ShortcodesTest extends \MailPoetTest {
expect($result[0])->equals('test');
}
public function testSanitizeName() {
$subscriber = $this->subscriber;
$subscriber->setFirstName(' "><img src=x onError=prompt(1)>');
$subscriber->setLastName(' "><img src=x onError=prompt(2)>');
$result = $this->shortcodesObject->process(['[subscriber:firstname | default:test]']);
expect($result[0])->equals(' &quot;&gt;&lt;img src=x onError=prompt(1)&gt;');
$result = $this->shortcodesObject->process(['[subscriber:lastname | default:test]']);
expect($result[0])->equals(' &quot;&gt;&lt;img src=x onError=prompt(2)&gt;');
}
public function testItCanProcessSubscriberShortcodes() {
$shortcodesObject = $this->shortcodesObject;
$result =
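Review bot: testSanitizeName exercises double quotes and angle brackets only, so it cannot tell whether the escaping under test also covers single quotes (ENT_COMPAT versus ENT_QUOTES); add a dataset whose first name contains a `'` and assert the `&#039;` entity in `$result[0]`. It would also be worth asserting that a name that is empty after the change still falls through to the `default:test` value, since the escaping sits inside the non-empty branch. The test method is complete within the hunk; testItCanProcessSubscriberShortcodes continues outside it.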


@ -23,8 +23,8 @@ class ManageSubscriptionFormRendererTest extends \MailPoetTest {
$form = $this->formRenderer->renderForm(Subscriber::findOne($subscriber->getId()));
expect($form)->regExp('/<form class="mailpoet-manage-subscription" method="post" action="[a-z0-9:\/\._]+wp-admin\/admin-post.php" novalidate>/');
expect($form)->stringContainsString('<input type="hidden" name="data[email]" value="subscriber@test.com" />');
expect($form)->regExp('/<input type="text" class="mailpoet_text" name="data\[[a-zA-Z0-9=_]+\]" title="First name" value="Fname" data-automation-id="form_first_name" \/>/');
expect($form)->regExp('/<input type="text" class="mailpoet_text" name="data\[[a-zA-Z0-9=_]+\]" title="Last name" value="Lname" data-automation-id="form_last_name" \/>/');
expect($form)->regExp('/<input type="text" class="mailpoet_text" name="data\[[a-zA-Z0-9=_]+\]" title="First name" value="Fname" data-automation-id="form_first_name" data-parsley-pattern="\^\[\^<>\]\*\$" data-parsley-error-message="Please specify a valid name"\/>/');
expect($form)->regExp('/<input type="text" class="mailpoet_text" name="data\[[a-zA-Z0-9=_]+\]" title="Last name" value="Lname" data-automation-id="form_last_name" data-parsley-pattern="\^\[\^<>\]\*\$" data-parsley-error-message="Please specify a valid name"\/>/');
expect($form)->regExp('/<input type="checkbox" class="mailpoet_checkbox" name="data\[[a-zA-Z0-9=_]+\]\[\]" value="1" data-parsley-required="true" data-parsley-group="segments" data-parsley-errors-container="\.mailpoet_error_segments" data-parsley-required-message="Please select a list" \/> Test segment/');
expect($form)->stringContainsString('Need to change your email address? Unsubscribe here, then simply sign up again.');
}