SendinBlue Subscribe Form And WP SMTP - Version 3.1.34

Version Description

  • Sanitization of form HTML to fix vulnerability issues.
  • Fixed the issue of the user sync button still enabled even after all users are synched.

Release Info

Developer amarsib
Version 3.1.34

Code changes from version 3.1.33 to 3.1.34

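--- a/inc/SendinblueApiClient.php
+++ b/inc/SendinblueApiClient.php
@@ -14,7 +14,7 @@ class SendinblueApiClient
  const RESPONSE_CODE_CREATED = 201;
  const RESPONSE_CODE_ACCEPTED = 202;
  const RESPONSE_CODE_UNAUTHORIZED = 401;
- const PLUGIN_VERSION = '3.1.33';
+ const PLUGIN_VERSION = '3.1.34';
  const USER_AGENT = 'sendinblue_plugins/wordpress';
 
  private $apiKey;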
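--- a/inc/sib-form-preview.php
+++ b/inc/sib-form-preview.php
@@ -54,7 +54,7 @@ wp_head();
  $html = stripslashes_deep($formData['html']);
  $css = stripslashes_deep($formData['css']);
  // phpcs:ignore
- echo $html;
+ echo wp_kses($html, SIB_Manager::wordpress_allowed_attributes());
  ?>
  </div>
  <style>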
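Review bot: The `// phpcs:ignore` on line 56 existed to silence the unescaped-output sniff for the old raw `echo $html;`; now that line 57 routes the output through `wp_kses()`, which the WordPress coding standard recognizes as an escaping function, the suppression should be removed so the sniff keeps guarding this line if someone later drops the call. The protection this line gives is only as strict as the allowlist returned by `SIB_Manager::wordpress_allowed_attributes()` (defined in sendinblue.php in this release), which still permits `script`, `iframe`, `link` and `style` elements, so treat this as output encoding of stored markup rather than a complete fix on its own. This template code has no enclosing function visible in the hunk.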
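--- a/js/admin.js
+++ b/js/admin.js
@@ -936,6 +936,7 @@ $jQ(document).ready(function(){
  $jQ('#sync-failure').show().html(respond.message);
  } else {
  // success to sync wp users
+ location.reload();
  $jQ('.sib-sync-modal').modal('toggle');
  $jQ('#sib-message-body').html(respond.message);
  $jQ('#sib-message-box').show();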
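Review bot: `location.reload()` on line 939 is issued before the modal toggle and the success message on lines 940-942, so the page is replaced shortly after those lines run and the user most likely never sees `respond.message`. If the reload is there so the sync button re-renders as disabled, show the message first and defer the reload, e.g. `$jQ('#sib-message-box').show(); setTimeout(function () { location.reload(); }, 1500);`, or skip the reload and disable the button in place. The enclosing success callback starts and ends outside the hunk.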
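--- a/page/page-form.php
+++ b/page/page-form.php
@@ -879,7 +879,8 @@ For your information, you cannot select a template with the tag [DOUBLEOPTIN].',
  $formID = isset( $_POST['sib_form_id'] ) ? sanitize_text_field( $_POST['sib_form_id'] ) : '';
  $form_name = isset( $_POST['sib_form_name'] ) ? sanitize_text_field( $_POST['sib_form_name'] ) : '';
  // phpcs:disable
- $form_html = isset( $_POST['sib_form_html'] ) ? $_POST['sib_form_html'] : '';
+ $form_html = isset( $_POST['sib_form_html'] ) ? wp_kses($_POST['sib_form_html'], SIB_Manager::wordpress_allowed_attributes()) : '';
+
  $list_ids = isset( $_POST['list_id'] ) ? maybe_serialize( $_POST['list_id'] ) : '';
  // phpcs:enable
  $dependTheme = isset( $_POST['sib_css_type'] ) ? sanitize_text_field( $_POST['sib_css_type'] ) : '';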
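Review bot: `wp_kses()` on line 882 is run on the raw `$_POST['sib_form_html']`, which WordPress normally slash-escapes before the request reaches plugin code, so the sanitizer parses backslash-escaped quotes instead of the markup a browser would render; core's own kses filters unslash first and re-slash afterwards for exactly this reason. Sanitize the unslashed value and re-apply slashes only if the storage path relies on them (the preview template calls `stripslashes_deep()` on read, which suggests it currently does): `$form_html = isset( $_POST['sib_form_html'] ) ? wp_slash( wp_kses( wp_unslash( $_POST['sib_form_html'] ), SIB_Manager::wordpress_allowed_attributes() ) ) : '';`. The `// phpcs:disable` span on lines 881-885 still covers this line, so the sniff will not catch it if the sanitization is ever removed; narrowing the disable to the `$list_ids` line would keep that guard. The enclosing method starts and ends outside the hunk.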
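--- a/page/page-home.php
+++ b/page/page-home.php
@@ -188,7 +188,7 @@ if ( ! class_exists( 'SIB_Page_Home' ) ) {
  $currentUsers = count_users();
  $isSynced = get_option( 'sib_sync_users', '0' );
  $isEnableSync = '0';
- if ( $isSynced != $currentUsers ) {
+ if ( $isSynced != $currentUsers['total_users'] ) {
  $isEnableSync = '1';
  /* translators: %s: total users */
  $desc = sprintf( esc_attr__( 'You have %s existing users. Do you want to add them to Sendinblue?', 'mailin' ), $currentUsers['total_users'] );
@@ -237,7 +237,7 @@ if ( ! class_exists( 'SIB_Page_Home' ) ) {
  <?php echo esc_attr( $desc ); ?><br>
  </p>
  <div class="col-md-4">
- <a <?php echo '1' === $isEnableSync ? '' : 'disabled'; ?> id="sib-sync-btn" class="btn btn-primary" style="margin-top: 28px; " name="<?php echo esc_attr__( 'Users Synchronisation', 'mailin' ); ?>" href="#"><?php esc_attr_e( 'Sync my users', 'mailin' ); ?></a>
+ <a <?php echo '1' === $isEnableSync ? 'id="sib-sync-btn"' : 'disabled href="javascript:void(0)"'; ?> class="btn btn-primary" style="margin-top: 28px; " name="<?php echo esc_attr__( 'Users Synchronisation', 'mailin' ); ?>" href="#"><?php esc_attr_e( 'Sync my users', 'mailin' ); ?></a>
  </div>
 
  </div>
@@ -724,6 +724,7 @@ if ( ! class_exists( 'SIB_Page_Home' ) ) {
  // create body data like csv.
  // NAME;SURNAME;EMAIL\nName1;Surname1;example1@example.net\nName2;Surname2;example2@example.net.
  $contentData = '';
+ $usersCount = 0;
  foreach ( $roles as $role ) {
  $users = get_users(
  array(
@@ -733,6 +734,7 @@ if ( ! class_exists( 'SIB_Page_Home' ) ) {
  if ( empty( $users ) ) {
  continue;
  }
+ $usersCount += count($users);
  foreach ( $users as $user ) {
  $userId = $user->ID;
  $user_info = get_userdata( $userId );
@@ -760,6 +762,7 @@ if ( ! class_exists( 'SIB_Page_Home' ) ) {
 
  $usersData .= $contentData;
  $result = SIB_API_Manager::sync_users( $usersData, $listIDs );
+ update_option('sib_sync_users', $usersCount);
  wp_send_json( $result );
  }
 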
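Review bot: `update_option('sib_sync_users', $usersCount)` on line 765 runs unconditionally, before anything inspects the `$result` returned by `SIB_API_Manager::sync_users()` on 764, so a failed or partial sync still records the count and the button on line 240 renders disabled on the next load although nothing reached Sendinblue; persist the count only on a successful result (the shape of `$result` is not visible here, so the exact check belongs next to the API manager). `$usersCount` on 737 adds up `get_users()` results per role, so if a user holds several roles it is counted once per role, whereas `count_users()['total_users']` on 188 counts each account once; whenever the two differ the `!=` on 191 keeps the button enabled forever, so either count distinct user IDs or compare against the same source. On 240 the disabled branch emits `href="javascript:void(0)"` while the unchanged tail of the line still emits `href="#"`, giving the anchor two `href` attributes, and `disabled` is not a valid attribute on `<a>`; a single `href` plus a `disabled` class and `aria-disabled="true"` would be valid markup with the same effect. The enclosing methods start and end outside the hunks.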
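--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: Email Marketing, Newsletter, Sendinblue, Forms, smtp, marketing automation
  Requires at least: 4.4
  Tested up to: 5.9
  Requires PHP: 5.6
- Stable tag: 3.1.33
+ Stable tag: 3.1.34
  License: GPLv2 or later
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -116,6 +116,10 @@ In order to create a signup form, you need to:
 
  == Changelog ==
 
+ = 3.1.34 =
+ * Sanitization of form HTML to fix vulnerability issues.
+ * Fixed the issue of the user sync button still enabled even after all users are synched.
+
  = 3.1.33 =
  * Enhanced the plugin to be compatible upto Wordpress version 5.9
 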
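--- a/sendinblue.php
+++ b/sendinblue.php
@@ -3,7 +3,7 @@
  * Plugin Name: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
  * Plugin URI: https://www.sendinblue.com/?r=wporg
  * Description: Manage your contact lists, subscription forms and all email and marketing-related topics from your wp panel, within one single plugin
- * Version: 3.1.33
+ * Version: 3.1.34
  * Author: Sendinblue
  * Author URI: https://www.sendinblue.com/?r=wporg
  * License: GPLv2 or later
@@ -87,6 +87,89 @@ if ( ! class_exists( 'SIB_Manager' ) ) {
  /** Installation id option name */
  const INSTALLATION_ID = 'sib_installation_id';
 
+ const SIB_ATTRIBUTE = array(
+ 'input' => array(
+ 'type' => true,
+ 'name' => true,
+ 'value' => true,
+ 'class' => true,
+ 'id' => true,
+ 'size' => true,
+ 'min' => true,
+ 'max' => true,
+ 'pattern' => true,
+ 'title' => true,
+ 'placeholder' => true,
+ 'required' => true,
+ ),
+ 'p' => array(
+ 'align' => true,
+ 'id' => true,
+ 'class' => true,
+ 'dir' => true,
+ 'lang' => true,
+ 'style' => true,
+ 'xml:lang' => true,
+ ),
+ 'iframe' => array(
+ 'name' => true,
+ 'id' => true,
+ 'class' => true,
+ 'src' => true,
+ 'width' => true,
+ 'height' => true,
+ 'style' => true,
+ 'loading' => true,
+ 'allow' => true,
+ 'allowfullscreen' => true,
+ ),
+ 'div' => array(
+ 'id' => true,
+ 'class' => true,
+ 'dir' => true,
+ 'lang' => true,
+ 'style' => true,
+ 'xml:lang' => true,
+ 'data-require' => true,
+ ),
+ 'a' => array(
+ 'href' => true,
+ 'id' => true,
+ 'class' => true,
+ 'rel' => true,
+ 'rev' => true,
+ 'name' => true,
+ 'target' => true,
+ ),
+ 'style' => array(),
+ 'script' => array(
+ 'src' => true,
+ ),
+ 'link' => array(
+ 'rel' => true,
+ 'href' => true,
+ 'type' => true,
+ ),
+ 'select' => array(
+ 'name' => true,
+ 'class' => true,
+ 'id' => true,
+ 'style' => true,
+ 'required' => true,
+ ),
+ 'option' => array(
+ 'value' => true,
+ ),
+ 'ul' => array(
+ 'class' => true,
+ 'style' => true,
+ ),
+ 'center' => array(),
+ 'download' => array(
+ 'valueless' => 'y',
+ )
+ );
+
  /**
  * API key
  *
@@ -1351,6 +1434,20 @@ if ( ! class_exists( 'SIB_Manager' ) ) {
  $current_plugin_path_name = plugin_basename( __FILE__ );
  activate_plugin( $current_plugin_path_name );
  }
+
+ public static function wordpress_allowed_attributes()
+ {
+ global $allowedposttags, $allowedtags, $allowedentitynames;
+ $attributes = [$allowedposttags, $allowedtags, $allowedentitynames, self::SIB_ATTRIBUTE];
+ $attributes = call_user_func_array("array_merge", $attributes);
+
+ add_filter( 'safe_style_css', function($css_attr) {
+ array_push($css_attr, 'display');
+ return $css_attr;
+ });
+
+ return $attributes;
+ }
  }
 
  add_action( 'sendinblue_init', 'sendinblue_init' );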
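Review bot: `SIB_ATTRIBUTE` (lines 90-171) keeps `script` with `src`, `iframe` with `src`, `link` with `href` and a bare `style` element in the allowlist, so the `wp_kses()` calls built on it (at save time in page/page-form.php and at output in inc/sib-form-preview.php) still let stored form HTML pull in external scripts, stylesheets and frames; if the goal of this release is to stop markup injection, `script`, `iframe` and `link` should come out of the list (and `style` unless the preview needs it), with `a`/`iframe` URLs additionally constrained through the `$allowed_protocols` argument of `wp_kses()`. In `wordpress_allowed_attributes()` (1438-1450) the merge on 1441-1442 also folds in `$allowedentitynames`, which WordPress defines as a flat list of entity names rather than a tag-keyed array, so the result carries integer-keyed entries that are not tag definitions; kses reads entities from its own global, and the merge should be the plain `array_merge( $allowedposttags, $allowedtags, self::SIB_ATTRIBUTE )` without the `call_user_func_array()` indirection. The method registers a new anonymous `safe_style_css` closure on every call (1444-1447) and never removes it, so each sanitization call stacks another filter for the rest of the request; register it once from the plugin's init hook, or give it a named callback so it can be removed. Lastly, `'download' => array( 'valueless' => 'y' )` on 168-170 declares an element named `download`, while `valueless` is kses' attribute-level flag, so this looks like it was meant to sit inside the `'a'` array as `'download' => array( 'valueless' => 'y' )`.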