SendGrid - Version 1.11.5

Version Description

  • Fixed a potential stored XSS issue on the backend settings form
  • Fixed a potential CSRF issue on the backend settings form

Release Info

Developer team-rs
Version 1.11.5

Code changes from version 1.11.4 to 1.11.5

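--- a/lib/class-sendgrid-mc-optin.php
+++ b/lib/class-sendgrid-mc-optin.php
@@ -104,18 +104,18 @@ class Sendgrid_OptIn_API_Endpoint{
  }
  }
 
- /**
+ /**
  * Send OptIn email
- *
+ *
  * @param string $email Email of subscribed user
  * @param string $first_name First Name of subscribed user
  * @param string $last_name Last Name of subscribed user
  * @return bool
  */
  public static function send_confirmation_email( $email, $first_name = '', $last_name = '', $from_settings = false ) {
- $subject = Sendgrid_Tools::get_mc_signup_email_subject();
- $content = Sendgrid_Tools::get_mc_signup_email_content();
- $content_text = Sendgrid_Tools::get_mc_signup_email_content_text();
+ $subject = htmlspecialchars_decode( Sendgrid_Tools::get_mc_signup_email_subject() );
+ $content = htmlspecialchars_decode( Sendgrid_Tools::get_mc_signup_email_content() );
+ $content_text = htmlspecialchars_decode( Sendgrid_Tools::get_mc_signup_email_content_text() );
 
  if ( false == $subject or false == $content or false == $content_text ) {
  return false;
@@ -149,7 +149,7 @@ class Sendgrid_OptIn_API_Endpoint{
  ->addCategory( 'wp_sendgrid_subscription_widget' );
 
  add_filter( 'sendgrid_mail_text', function() use ( &$content_text ) { return $content_text; } );
-
+
  $result = wp_mail( $to, $subject, $content, $headers );
 
  return $result;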
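Review bot: The three `htmlspecialchars_decode()` calls at new lines 116–118 rely on the default flags, which before PHP 8.1 are ENT_COMPAT, so the `&#039;` that the settings handler now stores for a single quote (it encodes with ENT_QUOTES) is left undecoded in the outgoing subject and bodies; pass the matching flag, e.g. `$subject = htmlspecialchars_decode( Sendgrid_Tools::get_mc_signup_email_subject(), ENT_QUOTES );`, and likewise for `$content` and `$content_text`. The subject is decoded here as well, but the settings change in this commit only encodes the two content fields on save, so if the subject is still stored as entered, a literal `&amp;` typed into it would now become `&` at send time — worth confirming against the subject setter. `send_confirmation_email` continues past both hunks; its closing brace is outside this section.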
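--- a/lib/class-sendgrid-settings.php
+++ b/lib/class-sendgrid-settings.php
@@ -15,6 +15,8 @@ class Sendgrid_Settings {
  const DEFAULT_LAST_NAME_LABEL = 'Last Name';
  const DEFAULT_SUBSCRIBE_LABEL = 'SUBSCRIBE';
 
+ const NONCE_ERROR = '<br/><br/> Invalid nonce. Refresh the page and try again.';
+
  public static $plugin_directory;
 
  /**
@@ -389,6 +391,15 @@ class Sendgrid_Settings {
  * @return mixed response array from the save or send functions
  */
  private static function do_post( $params ) {
+
+ if ( ! isset( $params['sgnonce'] ) ) {
+ die( self::NONCE_ERROR );
+ }
+
+ if ( ! wp_verify_nonce( $params['sgnonce'], 'sgnonce' ) ) {
+ die( self::NONCE_ERROR );
+ }
+
  if ( isset( $params['mc_settings'] ) and $params['mc_settings'] ) {
  return self::save_mc_settings( $params );
  }
@@ -551,9 +562,8 @@ class Sendgrid_Settings {
  'status' => 'error'
  );
  } else {
- // Textarea values are automatically escaping HTML characters.
- // The user needs to be able to enter any content.
- Sendgrid_Tools::set_mc_signup_email_content( $params['sendgrid_mc_email_content'] );
+ $html_content = htmlspecialchars( $params['sendgrid_mc_email_content'], ENT_QUOTES, 'UTF-8' );
+ Sendgrid_Tools::set_mc_signup_email_content( $html_content );
  }
  }
 
@@ -564,9 +574,8 @@ class Sendgrid_Settings {
  'status' => 'error'
  );
  } else {
- // Textarea values are automatically escaping HTML characters.
- // The user needs to be able to enter any content.
- Sendgrid_Tools::set_mc_signup_email_content_text( $params['sendgrid_mc_email_content_text'] );
+ $plaintext_content = htmlspecialchars( $params['sendgrid_mc_email_content_text'], ENT_QUOTES, 'UTF-8' );
+ Sendgrid_Tools::set_mc_signup_email_content_text( $plaintext_content );
  }
  }
 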
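Review bot: The nonce failure path added to `do_post` (new lines 395–401) ends the request with a bare `die()` and a raw HTML fragment, which skips WordPress's error rendering and sends no error status; `check_admin_referer( 'sgnonce', 'sgnonce' );` replaces both `isset`/`wp_verify_nonce` checks and both `die()` calls with the standard "link expired" page, or at minimum use `wp_die( self::NONCE_ERROR, '', array( 'response' => 403 ) );`. In the two save hunks, `htmlspecialchars( ..., ENT_QUOTES, 'UTF-8' )` without ENT_SUBSTITUTE returns an empty string when the input is not valid UTF-8, so a malformed paste would silently wipe the stored template; `ENT_QUOTES | ENT_SUBSTITUTE` keeps the content and replaces the bad bytes. Storing the templates HTML-encoded also means every reader has to decode them (the opt-in sender in this commit does); the settings view that re-populates the textareas is not in this diff and, if it already escapes on output, will show double-encoded text — escaping there with `esc_textarea()` and storing the raw value is the conventional alternative. `do_post` and the enclosing save method of the last two hunks both extend beyond what the hunks show.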
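--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: http://sendgrid.com/
  Tags: email, email reliability, email templates, sendgrid, smtp, transactional email, wp_mail,email infrastructure, email marketing, marketing email, deliverability, email deliverability, email delivery, email server, mail server, email integration, cloud email
  Requires at least: 4.6
  Tested up to: 4.8
- Stable tag: 1.11.4
+ Stable tag: 1.11.5
  License: GPLv2 or later
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -284,6 +284,9 @@ You can find more examples here: https://github.com/sendgrid/sendgrid-php/blob/v
 
  == Changelog ==
 
+ = 1.11.5 =
+ * Fixed a potential stored XSS issue on the backend settings form
+ * Fixed a potential CSRF issue on the backend settings form
  = 1.11.4 =
  * Fixed an issue where TO field recipients could not see each other in the email header
  = 1.11.3 =
@@ -458,6 +461,9 @@ You can find more examples here: https://github.com/sendgrid/sendgrid-php/blob/v
 
  == Upgrade notice ==
 
+ = 1.11.5 =
+ * Fixed a potential stored XSS issue on the backend settings form
+ * Fixed a potential CSRF issue on the backend settings form
  = 1.11.4 =
  * Fixed an issue where TO field recipients could not see each other in the email header
  = 1.11.3 =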
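--- a/view/sendgrid_settings_general.php
+++ b/view/sendgrid_settings_general.php
@@ -159,6 +159,7 @@
  <input class="button button-primary" type="submit" name="Submit" value="<?php _e('Update Settings') ?>" />
  </p>
  <input type="hidden" name="general_settings" value="true"/>
+ <input type="hidden" name="sgnonce" value="<?php echo wp_create_nonce('sgnonce'); ?>"/>
  </form>
  <br />
  <?php endif; ?>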
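Review bot: The hidden field at new line 162 issues a token under the single action string `'sgnonce'`, and the same line is added to view/sendgrid_settings_multisite.php, view/sendgrid_settings_nlvx.php, view/sendgrid_settings_test_contact.php and view/sendgrid_settings_test_email.php, so a token minted for any one of the five forms is accepted for every branch behind `do_post`; a per-form action (for example `'sendgrid_general_settings'` here) narrows each token to the form that issued it, with the matching `wp_verify_nonce` argument updated in the handler. As a point of style, the hand-written `<input>` duplicates what `<?php wp_nonce_field( 'sgnonce', 'sgnonce' ); ?>` generates, which also adds the `_wp_http_referer` field and keeps the nonce field name and action in one place.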
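--- a/view/sendgrid_settings_multisite.php
+++ b/view/sendgrid_settings_multisite.php
@@ -78,5 +78,6 @@
  <input type="submit" id="doaction" class="button button-primary" value="<?php _e( 'Save Settings' ); ?>">
  </p>
  <input type="hidden" name="subsite_settings" value="true"/>
+ <input type="hidden" name="sgnonce" value="<?php echo wp_create_nonce('sgnonce'); ?>"/>
  </form>
  <?php endif; ?>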
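--- a/view/sendgrid_settings_nlvx.php
+++ b/view/sendgrid_settings_nlvx.php
@@ -203,6 +203,7 @@
  <input class="button button-primary" type="submit" name="Submit" value="<?php _e('Update Settings') ?>" />
  </p>
  <input type="hidden" name="mc_settings" value="true"/>
+ <input type="hidden" name="sgnonce" value="<?php echo wp_create_nonce('sgnonce'); ?>"/>
  <?php
  if ( $is_env_mc_api_key ) {
  echo '<input type="hidden" name="mc_api_key_defined_in_env" id="mc_api_key_defined_in_env" value="true"/>';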
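--- a/view/sendgrid_settings_test_contact.php
+++ b/view/sendgrid_settings_test_contact.php
@@ -22,6 +22,7 @@
  </td>
  </tr>
  <input type="hidden" name="contact_upload_test" value="true"/>
+ <input type="hidden" name="sgnonce" value="<?php echo wp_create_nonce('sgnonce'); ?>"/>
  <tr valign="top" class="mc_test_email">
  <th scope="row" colspan="2">
  <input class="button button-primary" type="submit" name="Submit" value="<?php _e('Test') ?>" />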
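--- a/view/sendgrid_settings_test_email.php
+++ b/view/sendgrid_settings_test_email.php
@@ -43,6 +43,7 @@
  </table>
  </tbody>
  <input type="hidden" name="email_test" value="true"/>
+ <input type="hidden" name="sgnonce" value="<?php echo wp_create_nonce('sgnonce'); ?>"/>
  <p class="submit">
  <input class="button button-primary" type="submit" name="Submit" value="<?php _e('Send') ?>" />
  </p>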
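--- a/wpsendgrid.php
+++ b/wpsendgrid.php
@@ -3,7 +3,7 @@
  Plugin Name: SendGrid
  Plugin URI: http://wordpress.org/plugins/sendgrid-email-delivery-simplified/
  Description: Email Delivery. Simplified. SendGrid's cloud-based email infrastructure relieves businesses of the cost and complexity of maintaining custom email systems. SendGrid provides reliable delivery, scalability and real-time analytics along with flexible APIs that make custom integration a breeze.
- Version: 1.11.4
+ Version: 1.11.5
  Author: SendGrid
  Author URI: http://sendgrid.com
  Text Domain: sendgrid-email-delivery-simplified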