Index: wp-includes/class-phpmailer.php
===================================================================
--- wp-includes/class-phpmailer.php	(revision 19650)
+++ wp-includes/class-phpmailer.php	(working copy)
@@ -491,6 +491,14 @@
       echo $this->Lang('invalid_address').': '.$address;
       return false;
     }
+    if (!self::ValidateDisplayName($name)) {
+      $this->SetError($this->Lang('invalid_display_name').': '. $name);
+      if ($this->exceptions) {
+        throw new phpmailerException($this->Lang('invalid_display_name').': '.$name);
+      }
+      echo $this->Lang('invalid_display_name').': '.$name;
+      return false;
+    }
     if ($kind != 'ReplyTo') {
       if (!isset($this->all_recipients[strtolower($address)])) {
         array_push($this->$kind, array($address, $name));
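Review bot: The fallback `echo` on the new failure path prints `$name` unescaped, and by construction that value contains characters the validator rejected, so if this output reaches a browser (inferred; the caller is not visible here) it is an HTML-injection sink. Either drop the echo or encode the value: `echo $this->Lang('invalid_display_name').': '.htmlspecialchars($name, ENT_QUOTES);`. The same raw value is also passed to `SetError()` and the exception message, so whatever later renders those needs to encode it as well. The `invalid_address` branch just above uses the same echo pattern, and the enclosing method starts and ends outside this hunk.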
@@ -559,6 +567,24 @@
     }
   }
 
+  /**
+   * Check that a string complies with the RFC5322 definition for display-name
+   * Static so it can be used without instantiation.
+   * Does utf8_decode() and then strips any characters disallowed by the spec, then compares to the original string to see if the transformations actually changed anything. If so, the name is invalid.
+   * Conforms approximately to RFC5322 (see section 3.4)
+   * @param string $name The display-name to check
+   * @return boolean
+   * @static
+   * @access public
+   */
+  public static function ValidateDisplayName($name) {
+    $allow = '\s\!\$&*\-=\^`\|\~#%\'+\/\?_\{\}a-zA-Z0-9\.\"';
+    $_name = $name;
+    $_name = utf8_decode( $_name );
+    $_name = preg_replace( '/[^' . $allow . ']/', '', $_name );
+    return $name == $_name;
+  }
+
   /////////////////////////////////////////////////
   // METHODS, MAIL SENDING
   /////////////////////////////////////////////////
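Review bot: The allow-list in `ValidateDisplayName()` begins with `\s`, which in PCRE also matches carriage return and line feed, so a display name containing a line break passes a check whose main security value is keeping line breaks out of the address headers. Replace the leading `\s` with a literal space and `\t`, and compare with `return $name === $_name;` so that two numeric-looking strings are never equated by loose comparison. Separately, `utf8_decode()` alters every multi-byte character, so every non-ASCII name (an accented one, for example) fails the comparison and the caller in the first hunk returns false for that recipient. If rejecting such names is intended, the docblock should state it; otherwise the function should accept them and leave encoding to the header-building code, which is not visible here.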
@@ -924,6 +950,7 @@
       'smtp_error' => 'SMTP server error: ',
       'empty_message' => 'Message body empty',
       'invalid_address' => 'Invalid address',
+      'invalid_display_name' => 'Invalid display name',
       'variable_set' => 'Cannot set or reset variable: '
     );
     //Overwrite language-specific strings. This way we'll never have missing translations - no more "language string failed to load"!
