
Changeset 43459


Timestamp:
07/16/2018 02:23:26 PM (6 years ago)
Author:
SergeyBiryukov
Message:

Privacy: Use consistent values for the site name and URL used in notification emails.

The functions send_confirmation_on_profile_email(), _wp_privacy_send_request_confirmation_notification(), _wp_privacy_send_erasure_fulfillment_notification(), and wp_send_user_request() all include a title and URL indicating the current site. However, so far they have dealt with those values inconsistently, sometimes using the site values, other times using the network values if in a multisite. This changeset ensures that only the current site is taken into account in all cases and that special characters in the site name are consistently decoded.

Props subrataemfluence, desrosj.
Merges [43388], [43390], and [43435] to the 4.9 branch.
Fixes #44396.

Location:
branches/4.9
Files:
4 edited

  • branches/4.9

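--- a/branches/4.9/src/wp-admin/includes/file.php
+++ b/branches/4.9/src/wp-admin/includes/file.php
@@ -2100,11 +2100,11 @@
     $email_address = $request->email;
     $export_file_url = get_post_meta( $request_id, '_export_file_url', true );
-    $site_name = is_multisite() ? get_site_option( 'site_name' ) : get_option( 'blogname' );
-    $site_url = network_home_url();
+    $site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
+    $site_url = home_url();
 
     $content = str_replace( '###EXPIRATION###', $expiration_date, $content );
     $content = str_replace( '###LINK###', esc_url_raw( $export_file_url ), $content );
     $content = str_replace( '###EMAIL###', $email_address, $content );
-    $content = str_replace( '###SITENAME###', wp_specialchars_decode( $site_name, ENT_QUOTES ), $content );
+    $content = str_replace( '###SITENAME###', $site_name, $content );
     $content = str_replace( '###SITEURL###', esc_url_raw( $site_url ), $content );
 
@@ -2113,5 +2113,5 @@
         sprintf(
             __( '[%s] Personal Data Export' ),
-            wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES )
+            $site_name
         ),
         $content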
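Review bot: The new `$site_name` assignment at line 2102 holds the entity-decoded name and feeds both the `###SITENAME###` replacement and the subject, but nothing at the assignment says the value is plain text. A one-line comment there, such as `// Entity-decoded for plain-text email; escape again before any HTML output.`, would stop a later edit from echoing it into markup unescaped. The enclosing function starts and ends outside the hunks shown, so whether `$content` can ever be sent as HTML is not visible here.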
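--- a/branches/4.9/src/wp-includes/user.php
+++ b/branches/4.9/src/wp-includes/user.php
@@ -2658,9 +2658,5 @@
         update_user_meta( $current_user->ID, '_new_email', $new_user_email );
 
-        if ( is_multisite() ) {
-            $sitename = get_site_option( 'site_name' );
-        } else {
-            $sitename = get_option( 'blogname' );
-        }
+        $sitename = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
 
         /* translators: Do not translate USERNAME, ADMIN_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */
@@ -2707,8 +2703,8 @@
         $content = str_replace( '###ADMIN_URL###', esc_url( admin_url( 'profile.php?newuseremail=' . $hash ) ), $content );
         $content = str_replace( '###EMAIL###', $_POST['email'], $content );
-        $content = str_replace( '###SITENAME###', wp_specialchars_decode( $sitename, ENT_QUOTES ), $content );
-        $content = str_replace( '###SITEURL###', network_home_url(), $content );
-
-        wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
+        $content = str_replace( '###SITENAME###', $sitename, $content );
+        $content = str_replace( '###SITEURL###', home_url(), $content );
+
+        wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), $sitename ), $content );
 
         $_POST['email'] = $current_user->user_email;
@@ -2920,5 +2916,5 @@
         'description' => $action_description,
         'manage_url'  => $manage_url,
-        'sitename'    => get_option( 'blogname' ),
+        'sitename'    => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ),
         'siteurl'     => home_url(),
         'admin_email' => $admin_email,
@@ -2972,5 +2968,5 @@
     $content = apply_filters( 'user_confirmed_action_email_content', $email_text, $email_data );
 
-    $content = str_replace( '###SITENAME###', wp_specialchars_decode( $email_data['sitename'], ENT_QUOTES ), $content );
+    $content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
     $content = str_replace( '###USER_EMAIL###', $email_data['user_email'], $content );
     $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
@@ -2978,10 +2974,8 @@
     $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
 
-    $blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
-
     $subject = sprintf(
         /* translators: 1: Site name. 2: Name of the confirmed action. */
         __( '[%1$s] Action Confirmed: %2$s' ),
-        $blogname,
+        $email_data['sitename'],
         $action_description
     );
@@ -2993,5 +2987,5 @@
      *
      * @param string $subject    The email subject.
-     * @param string $blogname   The name of the site.
+     * @param string $sitename   The name of the site.
      * @param array  $email_data {
      *     Data relating to the account action email.
@@ -3006,5 +3000,5 @@
      * }
      */
-    $subject = apply_filters( 'user_request_confirmed_email_subject', $subject, $blogname, $email_data );
+    $subject = apply_filters( 'user_request_confirmed_email_subject', $subject, $email_data['sitename'], $email_data );
 
     $email_sent = wp_mail( $email_data['admin_email'], $subject, $content );
@@ -3036,10 +3030,4 @@
         return;
     }
-
-    $subject = sprintf(
-        /* translators: %s Site name. */
-        __( '[%s] Erasure Request Fulfilled' ),
-        wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES )
-    );
 
     /**
@@ -3057,6 +3045,12 @@
         'message_recipient'  => $user_email,
         'privacy_policy_url' => get_privacy_policy_url(),
-        'sitename'           => get_option( 'blogname' ),
+        'sitename'           => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ),
         'siteurl'            => home_url(),
+    );
+
+    $subject  = sprintf(
+        /* translators: %s: Site name. */
+        __( '[%s] Erasure Request Fulfilled' ),
+        $email_data['sitename']
     );
 
@@ -3120,5 +3114,5 @@
     $content = apply_filters( 'user_confirmed_action_email_content', $email_text, $email_data );
 
-    $content = str_replace( '###SITENAME###', wp_specialchars_decode( $email_data['sitename'], ENT_QUOTES ), $content );
+    $content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
     $content = str_replace( '###PRIVACY_POLICY_URL###', $email_data['privacy_policy_url'], $content );
     $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
@@ -3283,6 +3277,6 @@
             'confirm_key' => wp_generate_user_request_key( $request_id ),
         ), wp_login_url() ),
-        'sitename'    => is_multisite() ? get_site_option( 'site_name' ) : get_option( 'blogname' ),
-        'siteurl'     => network_home_url(),
+        'sitename'    => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ),
+        'siteurl'     => home_url(),
     );
 
@@ -3335,11 +3329,9 @@
     $content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content );
     $content = str_replace( '###EMAIL###', $email_data['email'], $content );
-    $content = str_replace( '###SITENAME###', wp_specialchars_decode( $email_data['sitename'], ENT_QUOTES ), $content );
+    $content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
     $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
 
-    $blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
-
     /* translators: Privacy data request subject. 1: Site name, 2: Name of the action */
-    $subject = sprintf( __( '[%1$s] Confirm Action: %2$s' ), $blogname, $email_data['description'] );
+    $subject = sprintf( __( '[%1$s] Confirm Action: %2$s' ), $email_data['sitename'], $email_data['description'] );
 
     /**
@@ -3349,5 +3341,5 @@
      *
      * @param string $subject    The email subject.
-     * @param string $blogname   The name of the site.
+     * @param string $sitename   The name of the site.
      * @param array  $email_data {
      *     Data relating to the account action email.
@@ -3361,5 +3353,5 @@
      * }
      */
-    $subject = apply_filters( 'user_request_action_email_subject', $subject, $blogname, $email_data );
+    $subject = apply_filters( 'user_request_action_email_subject', $subject, $email_data['sitename'], $email_data );
 
     return wp_mail( $email_data['email'], $subject, $content );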
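Review bot: The docblocks at new lines 2989 and 3343 still describe `$sitename` only as "The name of the site." although `$email_data['sitename']` is now entity-decoded where the array is built (new lines 2918, 3047 and 3279) and is passed in that form to `user_confirmed_action_email_content` and both subject filters. Before this change the array carried the value as returned by `get_option( 'blogname' )` and decoding happened only at the `###SITENAME###` replacement. A callback that writes the array value into HTML would therefore now emit raw `<`, `>` and quotes unless it escapes them itself; this is inferred, since no callbacks are visible here. I would say so in the docs, e.g. `@param string $sitename   The name of the site, with HTML entities decoded (plain text).`, and describe the `sitename` key of `$email_data` the same way. The docblocks and their functions are only partly visible in these hunks.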
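--- a/branches/4.9/tests/phpunit/tests/user.php
+++ b/branches/4.9/tests/phpunit/tests/user.php
@@ -1425,6 +1425,5 @@
         reset_phpmailer_instance();
 
-        // Give the site and blog a name containing HTML entities
-        update_site_option( 'site_name', ''Test' site's "name" has <html entities> &' );
+        // Give the site a name containing HTML entities
         update_option( 'blogname', ''Test' blog's "name" has <html entities> &' );
 
@@ -1444,9 +1443,4 @@
 
         // Assert that HTML entites have been decoded in body and subject
-        if ( is_multisite() ) {
-            $this->assertContains( '\'Test\' site\'s "name" has <html entities> &', $email->body, 'Email body does not contain the decoded HTML entities' );
-            $this->assertNotContains( '&#039;Test&#039; site&#039;s &quot;name&quot; has &lt;html entities&gt; &amp;', $email->body, 'Email body does contains HTML entities' );
-        }
-
         $this->assertContains( '\'Test\' blog\'s "name" has <html entities> &', $email->subject, 'Email subject does not contain the decoded HTML entities' );
         $this->assertNotContains( '&#039;Test&#039; blog&#039;s &quot;name&quot; has &lt;html entities&gt; &amp;', $email->subject, 'Email subject does contains HTML entities' );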
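Review bot: The body assertions are removed along with the `is_multisite()` branch at old lines 1446-1449, so nothing now checks `$email->body`, although the comment above still says "body and subject". In wp-includes/user.php the `###SITENAME###` replacement lost its own `wp_specialchars_decode()` call and depends on the value being decoded earlier, so a regression there would go unnoticed. Assuming the template under test contains `###SITENAME###`, I would keep a body check that runs on every install type: `$this->assertContains( '\'Test\' blog\'s "name" has <html entities> &', $email->body, 'Email body does not contain the decoded HTML entities' );`, plus the matching `assertNotContains` for the encoded form. The test method starts and ends outside the hunks shown.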