Added more escaping and minor improvements
zonia3000 committed Nov 1, 2024
1 parent c523e10 commit 47f23d3
Showing 4 changed files with 46 additions and 28 deletions.
1 change: 1 addition & 0 deletions .github/workflows/end_to_end_tests.yaml
Expand Up @@ -9,6 +9,7 @@ on:
jobs:
end_to_end_tests:
runs-on: ubuntu-latest
timeout-minutes: 20

services:
mailpit:
69 changes: 42 additions & 27 deletions classes/mail-sender.php
Expand Up @@ -24,10 +24,10 @@ private static function get_headers(): array
public static function send_registration_confirmation(WPOE_Event $event, $to, string $registration_token, array $values)
{
/* translators: %s is replaced with the name of the event */
$subject = sprintf(__('Registration to the event "%s" is confirmed', 'wp-open-events'), $event->name);
$subject = sprintf(__('Registration to the event "%s" is confirmed', 'wp-open-events'), sanitize_text_field($event->name));
$body = '<p>' . __('Dear user,') . '<br/>'
/* translators: %s is replaced with the name of the event */
. sprintf(__('your registration to the event "%s" is confirmed.'), $event->name) . '</p>'
. sprintf(__('your registration to the event "%s" is confirmed.'), sanitize_text_field($event->name)) . '</p>'
. '<p>' . __('You inserted the following data:') . '</p>';

$body .= WPOE_Mail_Sender::get_registration_fields_content($event, $values);
Expand All @@ -44,10 +44,10 @@ public static function send_registration_confirmation(WPOE_Event $event, $to, st
public static function send_waiting_list_confirmation(WPOE_Event $event, $to, string $registration_token, array $values)
{
/* translators: %s is replaced with the name of the event */
$subject = sprintf(__('Registration to the waiting list of the event "%s" is confirmed', 'wp-open-events'), $event->name);
$subject = sprintf(__('Registration to the waiting list of the event "%s" is confirmed', 'wp-open-events'), sanitize_text_field($event->name));
$body = '<p>' . __('Dear user,') . '<br/>'
/* translators: %s is replaced with the name of the event */
. sprintf(__('your registration to the waiting list of the event "%s" is confirmed.'), $event->name) . '</p>'
. sprintf(__('your registration to the waiting list of the event "%s" is confirmed.'), sanitize_text_field($event->name)) . '</p>'
. '<p>' . __('If some seats will be available you will be automatically registered and notified by e-mail.') . '</p>'
. '<p>' . __('You inserted the following data:') . '</p>';

Expand All @@ -65,10 +65,10 @@ public static function send_waiting_list_confirmation(WPOE_Event $event, $to, st
public static function send_picked_from_waiting_list_confirmation(WPOE_Event $event, $to, array $values)
{
/* translators: %s is replaced with the name of the event */
$subject = sprintf(__('New seats available for the event "%s"', 'wp-open-events'), $event->name);
$subject = sprintf(__('New seats available for the event "%s"', 'wp-open-events'), sanitize_text_field($event->name));
$body = '<p>' . __('Dear user,') . '<br/>'
/* translators: %s is replaced with the name of the event */
. sprintf(__('new seats have become available for the event "%s", and you have been automatically selected from the waiting list. Your registration is confirmed.'), $event->name) . '</p>'
. sprintf(__('new seats have become available for the event "%s", and you have been automatically selected from the waiting list. Your registration is confirmed.'), sanitize_text_field($event->name)) . '</p>'
. '<p>' . __('You inserted the following data:') . '</p>';

$body .= WPOE_Mail_Sender::get_registration_fields_content($event, $values);
Expand All @@ -81,10 +81,10 @@ public static function send_picked_from_waiting_list_confirmation(WPOE_Event $ev
public static function send_new_registration_to_admin(WPOE_Event $event, array $values)
{
/* translators: %s is replaced with the name of the event */
$subject = sprintf(__('New registration for the event "%s"', 'wp-open-events'), $event->name);
$subject = sprintf(__('New registration for the event "%s"', 'wp-open-events'), sanitize_text_field($event->name));
$body = '<p>' . __('Dear admin,') . '<br/>'
/* translators: %s is replaced with the name of the event */
. sprintf(__('a new registration to the event "%s" has been added.'), $event->name) . '</p>'
. sprintf(__('a new registration to the event "%s" has been added.'), sanitize_text_field($event->name)) . '</p>'
. '<p>' . __('The user inserted the following data:') . '</p>';

$body .= WPOE_Mail_Sender::get_registration_fields_content($event, $values);
Expand All @@ -96,10 +96,10 @@ public static function send_new_registration_to_admin(WPOE_Event $event, array $
public static function send_new_waiting_list_registration_to_admin(WPOE_Event $event, array $values)
{
/* translators: %s is replaced with the name of the event */
$subject = sprintf(__('New registration for the waiting list of event "%s"', 'wp-open-events'), $event->name);
$subject = sprintf(__('New registration for the waiting list of event "%s"', 'wp-open-events'), sanitize_text_field($event->name));
$body = '<p>' . __('Dear admin,') . '<br/>'
/* translators: %s is replaced with the name of the event */
. sprintf(__('a new registration to the waiting list of event "%s" has been added.'), $event->name) . '</p>'
. sprintf(__('a new registration to the waiting list of event "%s" has been added.'), sanitize_text_field($event->name)) . '</p>'
. '<p>' . __('The user inserted the following data:') . '</p>';

$body .= WPOE_Mail_Sender::get_registration_fields_content($event, $values);
Expand All @@ -114,10 +114,10 @@ public static function send_new_waiting_list_registration_to_admin(WPOE_Event $e
public static function send_registration_updated_confirmation(WPOE_Event $event, $to, string $registration_token, array $values)
{
/* translators: %s is replaced with the name of the event */
$subject = sprintf(__('Registration to the event "%s" has been updated', 'wp-open-events'), $event->name);
$subject = sprintf(__('Registration to the event "%s" has been updated', 'wp-open-events'), sanitize_text_field($event->name));
$body = '<p>' . __('Dear user,') . '<br/>'
/* translators: %s is replaced with the name of the event */
. sprintf(__('your registration to the event "%s" has been updated.'), $event->name) . '</p>'
. sprintf(__('your registration to the event "%s" has been updated.'), sanitize_text_field($event->name)) . '</p>'
. '<p>' . __('You inserted the following data:') . '</p>';

$body .= WPOE_Mail_Sender::get_registration_fields_content($event, $values);
Expand All @@ -131,10 +131,10 @@ public static function send_registration_updated_confirmation(WPOE_Event $event,
public static function send_registration_updated_to_admin(WPOE_Event $event, array $values)
{
/* translators: %s is replaced with the name of the event */
$subject = sprintf(__('Registration updated for the event "%s"', 'wp-open-events'), $event->name);
$subject = sprintf(__('Registration updated for the event "%s"', 'wp-open-events'), sanitize_text_field($event->name));
$body = '<p>' . __('Dear admin,') . '<br/>'
/* translators: %s is replaced with the name of the event */
. sprintf(__('a registration to the event "%s" has been updated.'), $event->name) . '</p>'
. sprintf(__('a registration to the event "%s" has been updated.'), sanitize_text_field($event->name)) . '</p>'
. '<p>' . __('The user inserted the following data:') . '</p>';

$body .= WPOE_Mail_Sender::get_registration_fields_content($event, $values);
Expand All @@ -146,10 +146,10 @@ public static function send_registration_updated_to_admin(WPOE_Event $event, arr
public static function send_registration_updated_by_admin(WPOE_Event $event, $to, array $values)
{
/* translators: %s is replaced with the name of the event */
$subject = sprintf(__('Registration to the event "%s" has been updated', 'wp-open-events'), $event->name);
$subject = sprintf(__('Registration to the event "%s" has been updated', 'wp-open-events'), sanitize_text_field($event->name));
$body = '<p>' . __('Dear user,') . '<br/>'
/* translators: %s is replaced with the name of the event */
. sprintf(__('your registration to the event "%s" has been updated by an administrator.'), $event->name) . '</p>'
. sprintf(__('your registration to the event "%s" has been updated by an administrator.'), sanitize_text_field($event->name)) . '</p>'
. '<p>' . __('The updated data is:') . '</p>';

$body .= WPOE_Mail_Sender::get_registration_fields_content($event, $values);
Expand All @@ -165,10 +165,10 @@ public static function send_registration_updated_by_admin(WPOE_Event $event, $to
public static function send_registration_deleted_confirmation(WPOE_Event $event, $to)
{
/* translators: %s is replaced with the name of the event */
$subject = sprintf(__('Registration to the event "%s" has been deleted', 'wp-open-events'), $event->name);
$subject = sprintf(__('Registration to the event "%s" has been deleted', 'wp-open-events'), sanitize_text_field($event->name));
$body = '<p>' . __('Dear user,') . '<br/>'
/* translators: %s is replaced with the name of the event */
. sprintf(__('your registration to the event "%s" has been deleted.'), $event->name) . '</p>';
. sprintf(__('your registration to the event "%s" has been deleted.'), sanitize_text_field($event->name)) . '</p>';
$body .= WPOE_Mail_Sender::get_extra_content($event);

$headers = WPOE_Mail_Sender::get_headers();
Expand All @@ -181,10 +181,10 @@ public static function send_registration_deleted_confirmation(WPOE_Event $event,
public static function send_registration_deleted_by_admin(WPOE_Event $event, $to)
{
/* translators: %s is replaced with the name of the event */
$subject = sprintf(__('Registration to the event "%s" has been deleted', 'wp-open-events'), $event->name);
$subject = sprintf(__('Registration to the event "%s" has been deleted', 'wp-open-events'), sanitize_text_field($event->name));
$body = '<p>' . __('Dear user,') . '<br/>'
/* translators: %s is replaced with the name of the event */
. sprintf(__('your registration to the event "%s" has been deleted by an administrator.'), $event->name) . '</p>';
. sprintf(__('your registration to the event "%s" has been deleted by an administrator.'), sanitize_text_field($event->name)) . '</p>';
$body .= WPOE_Mail_Sender::get_extra_content($event);

$headers = WPOE_Mail_Sender::get_headers();
Expand All @@ -194,22 +194,28 @@ public static function send_registration_deleted_by_admin(WPOE_Event $event, $to
public static function send_registration_deleted_to_admin(WPOE_Event $event)
{
/* translators: %s is replaced with the name of the event */
$subject = sprintf(__('Registration deleted for the event "%s"', 'wp-open-events'), $event->name);
$subject = sprintf(__('Registration deleted for the event "%s"', 'wp-open-events'), sanitize_text_field($event->name));
$body = '<p>' . __('Dear admin,') . '<br/>'
/* translators: %s is replaced with the name of the event */
. sprintf(__('a user deleted their registration to the event "%s".'), $event->name) . '</p>';
. sprintf(__('a user deleted their registration to the event "%s".'), sanitize_text_field($event->name)) . '</p>';

$headers = WPOE_Mail_Sender::get_headers();
wp_mail($event->adminEmail, $subject, $body, $headers);
}

/**
* Notify the admin when new seats become available and a user is moved from the waiting list to confirmed list.
* @param WPOE_Event $event
* @param int[] $registrations
* @return void
*/
public static function send_registrations_picked_from_waiting_list_to_admin(WPOE_Event $event, array $registrations)
{
/* translators: %s is replaced with the name of the event */
$subject = sprintf(__('Registrations picked from the waiting list of event "%s"', 'wp-open-events'), $event->name);
$subject = sprintf(__('Registrations picked from the waiting list of event "%s"', 'wp-open-events'), sanitize_text_field($event->name));
$body = '<p>' . __('Dear admin,') . '<br/>'
/* translators: %s is replaced with the name of the event */
. sprintf(__('the following registration identifiers for the event "%s" were moved from waiting list to confirmed:'), $event->name)
. sprintf(__('the following registration identifiers for the event "%s" were moved from waiting list to confirmed:'), sanitize_text_field($event->name))
. ' ' . implode(', ', $registrations)
. '</p>';

Expand All @@ -234,13 +240,14 @@ private static function get_registration_fields_content(WPOE_Event $event, array
error_log('Label not found for field id ' . $field_id);
continue;
}
$content .= "<li><strong>$label</strong>: " . WPOE_Mail_Sender::get_registration_value($type, $value) . "</li>";
$content .= '<li><strong>' . sanitize_text_field($label) . '</strong>: '
. WPOE_Mail_Sender::get_registration_value($type, $value) . '</li>';
}
$content .= '</ul>';
return $content;
}

private static function get_registration_value($type, $value)
private static function get_registration_value(string $type, mixed $value)
{
if ($type === 'checkbox') {
if ((int) $value === 1) {
Expand All @@ -252,7 +259,15 @@ private static function get_registration_value($type, $value)
if ($type === 'privacy') {
return __('Accepted', 'wp-open-events');
}
return sanitize_text_field($value);
if (is_numeric($value)) {
return $value;
}
if (is_string($value)) {
return sanitize_text_field($value);
}
if (is_array($value)) {
return implode(', ', map_deep($value, 'sanitize_text_field'));
}
}

private static function get_registration_link_content(WPOE_Event $event, string $registration_token): string
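Review bot: `sanitize_text_field()` is WordPress's input sanitizer, not an output escaper — it strips tags and turns a bare `<` into `&lt;` but leaves `&` and `>` unencoded, and it also drops line breaks and `%xx` octet sequences — so on the HTML `$body` lines of every `send_*` method and on `$label` in `get_registration_fields_content` it is both lossy and not the context-correct escape; `esc_html($event->name)` and `esc_html($label)` are the calls for text placed inside `<p>`/`<strong>`. The `$subject` lines are plain text rather than HTML, so the same call turns a legitimate `<` in an event name into a literal `&lt;` in the mail subject; `wp_strip_all_tags($event->name)` fits better there, and as far as I can tell CR/LF in the subject is already neutralised by PHPMailer's header handling, so no HTML escaping is needed for that line. In `get_registration_value`, a `$value` that is none of numeric/string/array (for example `null` or a bool) now falls off the end and returns `null`, and a nested array would make `implode` print `Array`, whereas the old body always returned a string; a trailing `return '';` plus a `: string` return type restores that contract. The bodies of these methods continue outside the visible hunks.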
2 changes: 2 additions & 0 deletions docs/index.md
Expand Up @@ -29,6 +29,8 @@ WP Open Events is available in the following languages:

## User guide

**Important**: before starting, go to the WP Open Events Settings page and ensure that the e-mail address used to send confirmation messages to users is a valid e-mail address, otherwise confirmation e-mail may not be sent.

You can create an event from scratch or based on an event template. Creating a template is useful if you plan to organize several similar events and you need to use the same form and settings for each events.

The event template includes a form editor that enables you to define the fields of your registration forms. This same form will be available when creating a new event. When you create an event based on a template, you have the flexibility to overwrite any settings defined in the template.
2 changes: 1 addition & 1 deletion wp-open-events.php
Expand Up @@ -7,7 +7,7 @@
* Version: 0.1.0
* License: GPLv3 or later
* License URI: https://www.gnu.org/licenses/gpl-3.0.html
* Description: Open source plugin to manage event registration forms
* Description: Free and open source plugin to manage event registrations. Provides form builder, waiting lists, group registrations and email notifications. Works with Gutenberg blocks.
* Text Domain: wp-open-events
* Domain Path: /languages
*/
