Flamingo - Version 2.1.1

Version Description

  • Security enhancement, CSV: Prefixes a field when its value begins with =, +, -, or @. See https://contactform7.com/2020/01/15/heads-up-about-spreadsheet-vulnerabilities/ for details.
  • New filter hook: flamingo_csv_field_prefix
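The change described above neutralises spreadsheet formula injection by prefixing any CSV field whose value starts with one of the listed trigger characters. The following is an added example, not Flamingo's own code, showing the same idea as a small self-contained exporter in the plugin's language: the trigger check runs on the left-trimmed value so leading whitespace cannot hide the trigger, and the neutralised field is then quoted the usual CSV way. Function names, the `'` marker choice, and the sample rows are assumptions constructed for this example.

```php
<?php
// Added example (not Flamingo's own code): export untrusted form data to CSV
// while neutralising values a spreadsheet would evaluate as formulas.
// Trigger list taken from the release notes above: '=', '+', '-', '@'.

/** Characters that spreadsheet applications may treat as the start of a formula. */
const FORMULA_TRIGGERS = array( '=', '+', '-', '@' );

/**
 * True when the value would be evaluated as a formula once the CSV is opened.
 * The check is done on the left-trimmed value so that " =1+1" is caught too.
 */
function csv_is_formula_like( $value ) {
	$value = ltrim( (string) $value );
	return '' !== $value && in_array( $value[0], FORMULA_TRIGGERS, true );
}

/**
 * Neutralise a formula-like value by prefixing a marker. A leading single
 * quote is the conventional "treat this cell as text" marker (assumption:
 * replace it with whatever marker your export consumers expect).
 */
function csv_neutralise( $value, $marker = "'" ) {
	if ( csv_is_formula_like( $value ) ) {
		return $marker . $value;
	}
	return (string) $value;
}

/** Quote one field: wrap in double quotes and double any embedded quote. */
function csv_quote( $value ) {
	return sprintf( '"%s"', str_replace( '"', '""', (string) $value ) );
}

/** Build one CSV line (CRLF terminated) from an array of raw field values. */
function csv_row( array $fields ) {
	$quoted = array();
	foreach ( $fields as $field ) {
		$quoted[] = csv_quote( csv_neutralise( $field ) );
	}
	return implode( ',', $quoted ) . "\r\n";
}

// Constructed sample submissions, as a contact form might have stored them.
$rows = array(
	array( 'Alice', 'alice@example.com', 'Thanks for the quick reply, "great" service' ),
	array( 'Bob',   'bob@example.com',   '=1+1' ),          // formula trigger
	array( 'Carol', 'carol@example.com', ' -5' ),           // trigger hidden behind a space
	array( 'Dave',  'dave@example.com',  '@handle on chat' ), // '@' is also a trigger
);

foreach ( $rows as $row ) {
	echo csv_row( $row );
}
```

Only the three flagged values receive the marker; Alice's message is left untouched apart from normal CSV quoting. The whitespace case is the one to watch: if the check were made on the raw value and the whitespace trimmed afterwards, the bare trigger character would reach the file unprefixed.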

Release Info

Developer takayukister
Version 2.1.1

Code changes from version 2.1 to 2.1.1

Files changed (4)
  1. flamingo.php +2 -2
  2. includes/csv.php +30 -0
  3. license.txt +1 -1
  4. readme.txt +7 -2
flamingo.php CHANGED
@@ -5,10 +5,10 @@ Description: A trustworthy message storage plugin for Contact Form 7.
5
  Author: Takayuki Miyoshi
6
  Text Domain: flamingo
7
  Domain Path: /languages/
8
- Version: 2.1
9
  */
10
 
11
- define( 'FLAMINGO_VERSION', '2.1' );
12
 
13
  define( 'FLAMINGO_PLUGIN', __FILE__ );
14
 
5
  Author: Takayuki Miyoshi
6
  Text Domain: flamingo
7
  Domain Path: /languages/
8
+ Version: 2.1.1
9
  */
10
 
11
+ define( 'FLAMINGO_VERSION', '2.1.1' );
12
 
13
  define( 'FLAMINGO_PLUGIN', __FILE__ );
14
 
includes/csv.php CHANGED
@@ -15,5 +15,35 @@ function flamingo_csv_row( $inputs = array() ) {
15
  add_filter( 'flamingo_csv_quotation', 'flamingo_csv_quote' );
16
 
17
  function flamingo_csv_quote( $input ) {
 
 
 
18
  return sprintf( '"%s"', str_replace( '"', '""', $input ) );
19
  }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
15
  add_filter( 'flamingo_csv_quotation', 'flamingo_csv_quote' );
16
 
17
  function flamingo_csv_quote( $input ) {
18
+ $prefix = apply_filters( 'flamingo_csv_field_prefix', '', $input );
19
+ $input = trim( sprintf( '%1$s %2$s', $prefix, $input ) );
20
+
21
  return sprintf( '"%s"', str_replace( '"', '""', $input ) );
22
  }
23
+
24
+ /*
25
+ * https://contactform7.com/2020/01/15/heads-up-about-spreadsheet-vulnerabilities/
26
+ */
27
+ add_filter( 'flamingo_csv_field_prefix', 'flamingo_csv_field_prefix_text',
28
+ 10, 2
29
+ );
30
+
31
+ function flamingo_csv_field_prefix_text( $prefix, $input ) {
32
+ $formula_triggers = array( '=', '+', '-', '@' );
33
+
34
+ if ( in_array( substr( $input, 0, 1 ), $formula_triggers, true ) ) {
35
+ /* translators: %s: URL */
36
+ $prefix = __( "(Security Alert: Suspicious content is detected. See %s for details.)", 'flamingo' );
37
+
38
+ if ( in_array( substr( $prefix, 0, 1 ), $formula_triggers, true ) ) {
39
+ $prefix = '\'' . $prefix;
40
+ }
41
+
42
+ $prefix = sprintf(
43
+ $prefix,
44
+ esc_url( __( 'https://contactform7.com/heads-up-about-spreadsheet-vulnerabilities', 'flamingo' ) )
45
+ );
46
+ }
47
+
48
+ return $prefix;
49
+ }
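Review bot: the trigger check and the trim run in the wrong order in `flamingo_csv_quote` (lines 18-19): `apply_filters( 'flamingo_csv_field_prefix', '', $input )` inspects the untrimmed value, so a field such as ` =1+1` (leading space) gets no prefix, and the `trim()` on the following line then emits it as `"=1+1"`. The same `trim()` also strips leading and trailing whitespace from every field, prefixed or not, silently altering legitimate values. Suggest checking `ltrim( $input )` in `flamingo_csv_field_prefix_text` (line 34) and only concatenating when a prefix was actually produced, e.g. `if ( '' !== $prefix ) { $input = $prefix . ' ' . $input; }`, leaving unprefixed values untouched. Minor: on lines 42-45 the translated alert text is used as the `sprintf()` format string, so a translation containing a stray `%` would corrupt the output; consider `str_replace( '%s', ... )` or passing the URL through a second placeholder-free step instead.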
license.txt CHANGED
@@ -1,4 +1,4 @@
1
- Flamingo - WordPress Plugin, 2012-2019 Takayuki Miyoshi
2
  Flamingo is distributed under the terms of the GNU GPL
3
 
4
  This program is free software; you can redistribute it and/or modify
1
+ Flamingo - WordPress Plugin, 2012-2020 Takayuki Miyoshi
2
  Flamingo is distributed under the terms of the GNU GPL
3
 
4
  This program is free software; you can redistribute it and/or modify
readme.txt CHANGED
@@ -2,8 +2,8 @@
2
  Contributors: takayukister, megumithemes, itpixelz
3
  Tags: bird, contact, mail, crm
4
  Requires at least: 5.2
5
- Tested up to: 5.2
6
- Stable tag: 2.1
7
  License: GPLv2 or later
8
  License URI: https://www.gnu.org/licenses/gpl-2.0.html
9
 
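Review bot: `Tested up to` moves from 5.2 to 5.3 (line 5) alongside the `Stable tag` bump, but nothing in this release records that the plugin was re-tested against 5.3; if that check was part of this release, note it in the 2.1.1 changelog entry, otherwise keep the compatibility claim out of a security point release.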
@@ -32,6 +32,11 @@ This plugin stores submission data collected through contact forms, which may in
32
 
33
  == Changelog ==
34
 
 
 
 
 
 
35
  = 2.1 =
36
 
37
  * UI improvements in displaying JSON reCAPTCHA logs in the Inbound Message editor page.
2
  Contributors: takayukister, megumithemes, itpixelz
3
  Tags: bird, contact, mail, crm
4
  Requires at least: 5.2
5
+ Tested up to: 5.3
6
+ Stable tag: 2.1.1
7
  License: GPLv2 or later
8
  License URI: https://www.gnu.org/licenses/gpl-2.0.html
9
 
32
 
33
  == Changelog ==
34
 
35
+ = 2.1.1 =
36
+
37
+ * Security enhancement, CSV: Prefixes a field when its value begins with `=`, `+`, `-`, or `@`. See https://contactform7.com/2020/01/15/heads-up-about-spreadsheet-vulnerabilities/ for details.
38
+ * New filter hook: flamingo_csv_field_prefix
39
+
40
  = 2.1 =
41
 
42
  * UI improvements in displaying JSON reCAPTCHA logs in the Inbound Message editor page.
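Review bot: the 2.1.1 changelog entry (line 37) says a field is prefixed but not with what; since the prefix is visible text that lands in the exported data, the entry should state that a security alert message is inserted in front of the value and that the `flamingo_csv_field_prefix` hook listed on line 38 is the way for site owners to change or replace that text.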