/**
* @ticket 25046
*/
function test_case_sensitivity_of_is_email_address_unsafe() {
update_site_option( 'banned_email_domains', array( 'baR.com', 'Foo.co', 'barfoo.COM', 'BAZ.com' ) );
foreach ( array( '*****@*****.**', '*****@*****.**', '*****@*****.**', '*****@*****.**', '*****@*****.**' ) as $email_address ) {
$this->assertTrue( is_email_address_unsafe( $email_address ), "$email_address should be UNSAFE" );
}
foreach ( array( '*****@*****.**', '*****@*****.**', '*****@*****.**', '*****@*****.**', '*****@*****.**' ) as $email_address ) {
$this->assertFalse( is_email_address_unsafe( $email_address ), "$email_address should be SAFE" );
}
}
/**
* Process the contact form's POST submission
* Stores feedback. Sends email.
*/
function process_submission()
{
global $post;
$plugin = Grunion_Contact_Form_Plugin::init();
$id = $this->get_attribute('id');
$to = $this->get_attribute('to');
$widget = $this->get_attribute('widget');
$contact_form_subject = $this->get_attribute('subject');
$to = str_replace(' ', '', $to);
$emails = explode(',', $to);
$valid_emails = array();
foreach ((array) $emails as $email) {
if (!is_email($email)) {
continue;
}
if (function_exists('is_email_address_unsafe') && is_email_address_unsafe($email)) {
continue;
}
$valid_emails[] = $email;
}
// No one to send it to, which means none of the "to" attributes are valid emails.
// Use default email instead.
if (!$valid_emails) {
$valid_emails = $this->defaults['to'];
}
$to = $valid_emails;
// Last ditch effort to set a recipient if somehow none have been set.
if (empty($to)) {
$to = get_option('admin_email');
}
// Make sure we're processing the form we think we're processing... probably a redundant check.
if ($widget) {
if ('widget-' . $widget != $_POST['contact-form-id']) {
return false;
}
} else {
if ($post->ID != $_POST['contact-form-id']) {
return false;
}
}
$field_ids = $this->get_field_ids();
// Initialize all these "standard" fields to null
$comment_author_email = $comment_author_email_label = $comment_author = $comment_author_label = $comment_author_url = $comment_author_url_label = $comment_content = $comment_content_label = null;
// For each of the "standard" fields, grab their field label and value.
if (isset($field_ids['name'])) {
$field = $this->fields[$field_ids['name']];
$comment_author = Grunion_Contact_Form_Plugin::strip_tags(stripslashes(apply_filters('pre_comment_author_name', addslashes($field->value))));
$comment_author_label = Grunion_Contact_Form_Plugin::strip_tags($field->get_attribute('label'));
}
if (isset($field_ids['email'])) {
$field = $this->fields[$field_ids['email']];
$comment_author_email = Grunion_Contact_Form_Plugin::strip_tags(stripslashes(apply_filters('pre_comment_author_email', addslashes($field->value))));
$comment_author_email_label = Grunion_Contact_Form_Plugin::strip_tags($field->get_attribute('label'));
}
if (isset($field_ids['url'])) {
$field = $this->fields[$field_ids['url']];
$comment_author_url = Grunion_Contact_Form_Plugin::strip_tags(stripslashes(apply_filters('pre_comment_author_url', addslashes($field->value))));
if ('http://' == $comment_author_url) {
$comment_author_url = '';
}
$comment_author_url_label = Grunion_Contact_Form_Plugin::strip_tags($field->get_attribute('label'));
}
if (isset($field_ids['textarea'])) {
$field = $this->fields[$field_ids['textarea']];
$comment_content = trim(Grunion_Contact_Form_Plugin::strip_tags($field->value));
$comment_content_label = Grunion_Contact_Form_Plugin::strip_tags($field->get_attribute('label'));
}
if (isset($field_ids['subject'])) {
$field = $this->fields[$field_ids['subject']];
if ($field->value) {
$contact_form_subject = Grunion_Contact_Form_Plugin::strip_tags($field->value);
}
}
$all_values = $extra_values = array();
$i = 1;
// Prefix counter for stored metadata
// For all fields, grab label and value
foreach ($field_ids['all'] as $field_id) {
$field = $this->fields[$field_id];
$label = $i . '_' . $field->get_attribute('label');
$value = $field->value;
$all_values[$label] = $value;
$i++;
// Increment prefix counter for the next field
}
// For the "non-standard" fields, grab label and value
// Extra fields have their prefix starting from count( $all_values ) + 1
foreach ($field_ids['extra'] as $field_id) {
$field = $this->fields[$field_id];
$label = $i . '_' . $field->get_attribute('label');
$value = $field->value;
if (is_array($value)) {
$value = implode(', ', $value);
}
$extra_values[$label] = $value;
$i++;
// Increment prefix counter for the next extra field
}
$contact_form_subject = trim($contact_form_subject);
$comment_author_IP = Grunion_Contact_Form_Plugin::get_ip_address();
$vars = array('comment_author', 'comment_author_email', 'comment_author_url', 'contact_form_subject', 'comment_author_IP');
foreach ($vars as $var) {
${$var} = str_replace(array("\n", "\r"), '', ${$var});
}
// Ensure that Akismet gets all of the relevant information from the contact form,
// not just the textarea field and predetermined subject.
$akismet_vars = compact($vars);
$akismet_vars['comment_content'] = $comment_content;
foreach (array_merge($field_ids['all'], $field_ids['extra']) as $field_id) {
$field = $this->fields[$field_id];
// Skip any fields that are just a choice from a pre-defined list. They wouldn't have any value
// from a spam-filtering point of view.
if (in_array($field->get_attribute('type'), array('select', 'checkbox', 'checkbox-multiple', 'radio'))) {
continue;
}
// Normalize the label into a slug.
$field_slug = trim(preg_replace('/[^a-z0-9_]+/', '-', strtolower($field->get_attribute('label'))), '-');
$field_value = is_array($field->value) ? trim(implode(', ', $field->value)) : trim($field->value);
// Skip any values that are already in the array we're sending.
if ($field_value && in_array($field_value, $akismet_vars)) {
continue;
}
$akismet_vars['contact_form_field_' . $field_slug] = $field_value;
}
$spam = '';
$akismet_values = $plugin->prepare_for_akismet($akismet_vars);
// Is it spam?
/** This filter is already documented in modules/contact-form/admin.php */
$is_spam = apply_filters('jetpack_contact_form_is_spam', false, $akismet_values);
if (is_wp_error($is_spam)) {
// WP_Error to abort
return $is_spam;
} elseif ($is_spam === TRUE) {
// TRUE to flag a spam
$spam = '***SPAM*** ';
}
if (!$comment_author) {
$comment_author = $comment_author_email;
}
/**
* Filter the email where a submitted feedback is sent.
*
* @module contact-form
*
* @since 1.3.1
*
* @param string|array $to Array of valid email addresses, or single email address.
*/
$to = (array) apply_filters('contact_form_to', $to);
foreach ($to as $to_key => $to_value) {
$to[$to_key] = Grunion_Contact_Form_Plugin::strip_tags($to_value);
}
$blog_url = parse_url(site_url());
$from_email_addr = 'wordpress@' . $blog_url['host'];
$reply_to_addr = $to[0];
if (!empty($comment_author_email)) {
$reply_to_addr = $comment_author_email;
}
$headers = 'From: "' . $comment_author . '" <' . $from_email_addr . ">\r\n" . 'Reply-To: "' . $comment_author . '" <' . $reply_to_addr . ">\r\n" . "Content-Type: text/html; charset=\"" . get_option('blog_charset') . "\"";
// Build feedback reference
$feedback_time = current_time('mysql');
$feedback_title = "{$comment_author} - {$feedback_time}";
$feedback_id = md5($feedback_title);
$all_values = array_merge($all_values, array('entry_title' => the_title_attribute('echo=0'), 'entry_permalink' => esc_url(get_permalink(get_the_ID())), 'feedback_id' => $feedback_id));
/** This filter is already documented in modules/contact-form/admin.php */
$subject = apply_filters('contact_form_subject', $contact_form_subject, $all_values);
$url = $widget ? home_url('/') : get_permalink($post->ID);
$date_time_format = _x('%1$s \\a\\t %2$s', '{$date_format} \\a\\t {$time_format}', 'jetpack');
$date_time_format = sprintf($date_time_format, get_option('date_format'), get_option('time_format'));
$time = date_i18n($date_time_format, current_time('timestamp'));
// keep a copy of the feedback as a custom post type
$feedback_status = $is_spam === TRUE ? 'spam' : 'publish';
foreach ((array) $akismet_values as $av_key => $av_value) {
$akismet_values[$av_key] = Grunion_Contact_Form_Plugin::strip_tags($av_value);
}
foreach ((array) $all_values as $all_key => $all_value) {
$all_values[$all_key] = Grunion_Contact_Form_Plugin::strip_tags($all_value);
}
foreach ((array) $extra_values as $ev_key => $ev_value) {
$extra_values[$ev_key] = Grunion_Contact_Form_Plugin::strip_tags($ev_value);
}
/* We need to make sure that the post author is always zero for contact
* form submissions. This prevents export/import from trying to create
* new users based on form submissions from people who were logged in
* at the time.
*
* Unfortunately wp_insert_post() tries very hard to make sure the post
* author gets the currently logged in user id. That is how we ended up
* with this work around. */
add_filter('wp_insert_post_data', array($plugin, 'insert_feedback_filter'), 10, 2);
$post_id = wp_insert_post(array('post_date' => addslashes($feedback_time), 'post_type' => 'feedback', 'post_status' => addslashes($feedback_status), 'post_parent' => (int) $post->ID, 'post_title' => addslashes(wp_kses($feedback_title, array())), 'post_content' => addslashes(wp_kses($comment_content . "\n<!--more-->\n" . "AUTHOR: {$comment_author}\nAUTHOR EMAIL: {$comment_author_email}\nAUTHOR URL: {$comment_author_url}\nSUBJECT: {$subject}\nIP: {$comment_author_IP}\n" . print_r($all_values, TRUE), array())), 'post_name' => $feedback_id));
// once insert has finished we don't need this filter any more
remove_filter('wp_insert_post_data', array($plugin, 'insert_feedback_filter'), 10);
update_post_meta($post_id, '_feedback_extra_fields', $this->addslashes_deep($extra_values));
if ('publish' == $feedback_status) {
// Increase count of unread feedback.
$unread = get_option('feedback_unread_count', 0) + 1;
update_option('feedback_unread_count', $unread);
}
if (defined('AKISMET_VERSION')) {
update_post_meta($post_id, '_feedback_akismet_values', $this->addslashes_deep($akismet_values));
}
$message = self::get_compiled_form($post_id, $this);
array_push($message, "", '<hr />', __('Time:', 'jetpack') . ' ' . $time . '<br />', __('IP Address:', 'jetpack') . ' ' . $comment_author_IP . '<br />', __('Contact Form URL:', 'jetpack') . " " . $url . '<br />');
if (is_user_logged_in()) {
array_push($message, "", sprintf(__('Sent by a verified %s user.', 'jetpack'), isset($GLOBALS['current_site']->site_name) && $GLOBALS['current_site']->site_name ? $GLOBALS['current_site']->site_name : '"' . get_option('blogname') . '"'));
} else {
array_push($message, __('Sent by an unverified visitor to your site.', 'jetpack'));
}
$message = join($message, "\n");
/**
* Filters the message sent via email after a successfull form submission.
*
* @module contact-form
*
* @since 1.3.1
*
* @param string $message Feedback email message.
*/
$message = apply_filters('contact_form_message', $message);
update_post_meta($post_id, '_feedback_email', $this->addslashes_deep(compact('to', 'message')));
/**
* Fires right before the contact form message is sent via email to
* the recipient specified in the contact form.
*
* @module contact-form
*
* @since 1.3.1
*
* @param integer $post_id Post contact form lives on
* @param array $all_values Contact form fields
* @param array $extra_values Contact form fields not included in $all_values
*/
do_action('grunion_pre_message_sent', $post_id, $all_values, $extra_values);
// schedule deletes of old spam feedbacks
if (!wp_next_scheduled('grunion_scheduled_delete')) {
wp_schedule_event(time() + 250, 'daily', 'grunion_scheduled_delete');
}
if ($is_spam !== TRUE && true === apply_filters('grunion_should_send_email', true, $post_id)) {
wp_mail($to, "{$spam}{$subject}", $message, $headers);
} elseif (true === $is_spam && apply_filters('grunion_still_email_spam', FALSE) == TRUE) {
// don't send spam by default. Filterable.
wp_mail($to, "{$spam}{$subject}", $message, $headers);
}
if (defined('DOING_AJAX') && DOING_AJAX) {
return self::success_message($post_id, $this);
}
$redirect = wp_get_referer();
if (!$redirect) {
// wp_get_referer() returns false if the referer is the same as the current page
$redirect = $_SERVER['REQUEST_URI'];
}
$redirect = add_query_arg(urlencode_deep(array('contact-form-id' => $id, 'contact-form-sent' => $post_id, '_wpnonce' => wp_create_nonce("contact-form-sent-{$post_id}"))), $redirect);
/**
* Filter the URL where the reader is redirected after submitting a form.
*
* @module contact-form
*
* @since 1.9.0
*
* @param string $redirect Post submission URL.
* @param int $id Contact Form ID.
* @param int $post_id Post ID.
*/
$redirect = apply_filters('grunion_contact_form_redirect_url', $redirect, $id, $post_id);
wp_safe_redirect($redirect);
exit;
}
/**
* Processes new user registrations.
*
* Checks the data provided by the user during signup. Verifies
* the validity and uniqueness of user names and user email addresses,
* and checks email addresses against admin-provided domain
* whitelists and blacklists.
*
* The hook 'wpmu_validate_user_signup' provides an easy way
* to modify the signup process. The value $result, which is passed
* to the hook, contains both the user-provided info and the error
* messages created by the function. 'wpmu_validate_user_signup' allows
* you to process the data in any way you'd like, and unset the
* relevant errors if necessary.
*
* @since MU
* @uses is_email_address_unsafe()
* @uses username_exists()
* @uses email_exists()
*
* @param string $user_name The login name provided by the user.
* @param string $user_email The email provided by the user.
* @return array Contains username, email, and error messages.
*/
function wpmu_validate_user_signup($user_name, $user_email)
{
global $wpdb;
$errors = new WP_Error();
$orig_username = $user_name;
$user_name = preg_replace('/\\s+/', '', sanitize_user($user_name, true));
$maybe = array();
preg_match('/[a-z0-9]+/', $user_name, $maybe);
if ($user_name != $orig_username || $user_name != $maybe[0]) {
$errors->add('user_name', __('Only lowercase letters (a-z) and numbers are allowed.'));
$user_name = $orig_username;
}
$user_email = sanitize_email($user_email);
if (empty($user_name)) {
$errors->add('user_name', __('Please enter a username'));
}
$illegal_names = get_site_option('illegal_names');
if (is_array($illegal_names) == false) {
$illegal_names = array('www', 'web', 'root', 'admin', 'main', 'invite', 'administrator');
add_site_option('illegal_names', $illegal_names);
}
if (in_array($user_name, $illegal_names) == true) {
$errors->add('user_name', __('That username is not allowed'));
}
if (is_email_address_unsafe($user_email)) {
$errors->add('user_email', __('You cannot use that email address to signup. We are having problems with them blocking some of our email. Please use another email provider.'));
}
if (strlen($user_name) < 4) {
$errors->add('user_name', __('Username must be at least 4 characters'));
}
if (strpos(' ' . $user_name, '_') != false) {
$errors->add('user_name', __('Sorry, usernames may not contain the character “_”!'));
}
// all numeric?
$match = array();
preg_match('/[0-9]*/', $user_name, $match);
if ($match[0] == $user_name) {
$errors->add('user_name', __('Sorry, usernames must have letters too!'));
}
if (!is_email($user_email)) {
$errors->add('user_email', __('Please enter a correct email address'));
}
$limited_email_domains = get_site_option('limited_email_domains');
if (is_array($limited_email_domains) && empty($limited_email_domains) == false) {
$emaildomain = substr($user_email, 1 + strpos($user_email, '@'));
if (in_array($emaildomain, $limited_email_domains) == false) {
$errors->add('user_email', __('Sorry, that email address is not allowed!'));
}
}
// Check if the username has been used already.
if (username_exists($user_name)) {
$errors->add('user_name', __('Sorry, that username already exists!'));
}
// Check if the email address has been used already.
if (email_exists($user_email)) {
$errors->add('user_email', __('Sorry, that email address is already used!'));
}
// Has someone already signed up for this username?
$signup = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->signups} WHERE user_login = %s", $user_name));
if ($signup != null) {
$registered_at = mysql2date('U', $signup->registered);
$now = current_time('timestamp', true);
$diff = $now - $registered_at;
// If registered more than two days ago, cancel registration and let this signup go through.
if ($diff > 172800) {
$wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->signups} WHERE user_login = %s", $user_name));
} else {
$errors->add('user_name', __('That username is currently reserved but may be available in a couple of days.'));
}
if ($signup->active == 0 && $signup->user_email == $user_email) {
$errors->add('user_email_used', __('username and email used'));
}
}
$signup = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->signups} WHERE user_email = %s", $user_email));
if ($signup != null) {
$diff = current_time('timestamp', true) - mysql2date('U', $signup->registered);
// If registered more than two days ago, cancel registration and let this signup go through.
if ($diff > 172800) {
$wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->signups} WHERE user_email = %s", $user_email));
} else {
$errors->add('user_email', __('That email address has already been used. Please check your inbox for an activation email. It will become available in a couple of days if you do nothing.'));
}
}
$result = array('user_name' => $user_name, 'orig_username' => $orig_username, 'user_email' => $user_email, 'errors' => $errors);
return apply_filters('wpmu_validate_user_signup', $result);
}
/**
* Process the contact form's POST submission
* Stores feedback. Sends email.
*/
function process_submission()
{
global $post;
$plugin = Grunion_Contact_Form_Plugin::init();
$id = $this->get_attribute('id');
$to = $this->get_attribute('to');
$widget = $this->get_attribute('widget');
$contact_form_subject = $this->get_attribute('subject');
$to = str_replace(' ', '', $to);
$emails = explode(',', $to);
$valid_emails = array();
foreach ((array) $emails as $email) {
if (!is_email($email)) {
continue;
}
if (function_exists('is_email_address_unsafe') && is_email_address_unsafe($email)) {
continue;
}
$valid_emails[] = $email;
}
// No one to send it to :(
if (!$valid_emails) {
return false;
}
$to = $valid_emails;
// Make sure we're processing the form we think we're processing... probably a redundant check.
if ($widget) {
if ('widget-' . $widget != $_POST['contact-form-id']) {
return false;
}
} else {
if ($post->ID != $_POST['contact-form-id']) {
return false;
}
}
$field_ids = $this->get_field_ids();
// Initialize all these "standard" fields to null
$comment_author_email = $comment_author_email_label = $comment_author = $comment_author_label = $comment_author_url = $comment_author_url_label = $comment_content = $comment_content_label = null;
// For each of the "standard" fields, grab their field label and value.
if (isset($field_ids['name'])) {
$field = $this->fields[$field_ids['name']];
$comment_author = Grunion_Contact_Form_Plugin::strip_tags(stripslashes(apply_filters('pre_comment_author_name', addslashes($field->value))));
$comment_author_label = Grunion_Contact_Form_Plugin::strip_tags($field->get_attribute('label'));
}
if (isset($field_ids['email'])) {
$field = $this->fields[$field_ids['email']];
$comment_author_email = Grunion_Contact_Form_Plugin::strip_tags(stripslashes(apply_filters('pre_comment_author_email', addslashes($field->value))));
$comment_author_email_label = Grunion_Contact_Form_Plugin::strip_tags($field->get_attribute('label'));
}
if (isset($field_ids['url'])) {
$field = $this->fields[$field_ids['url']];
$comment_author_url = Grunion_Contact_Form_Plugin::strip_tags(stripslashes(apply_filters('pre_comment_author_url', addslashes($field->value))));
if ('http://' == $comment_author_url) {
$comment_author_url = '';
}
$comment_author_url_label = Grunion_Contact_Form_Plugin::strip_tags($field->get_attribute('label'));
}
if (isset($field_ids['textarea'])) {
$field = $this->fields[$field_ids['textarea']];
$comment_content = trim(Grunion_Contact_Form_Plugin::strip_tags($field->value));
$comment_content_label = Grunion_Contact_Form_Plugin::strip_tags($field->get_attribute('label'));
}
if (isset($field_ids['subject'])) {
$field = $this->fields[$field_ids['subject']];
if ($field->value) {
$contact_form_subject = Grunion_Contact_Form_Plugin::strip_tags($field->value);
}
}
$all_values = $extra_values = array();
// For all fields, grab label and value
foreach ($field_ids['all'] as $field_id) {
$field = $this->fields[$field_id];
$label = $field->get_attribute('label');
$value = $field->value;
$all_values[$label] = $value;
}
// For the "non-standard" fields, grab label and value
foreach ($field_ids['extra'] as $field_id) {
$field = $this->fields[$field_id];
$label = $field->get_attribute('label');
$value = $field->value;
$extra_values[$label] = $value;
}
$contact_form_subject = trim($contact_form_subject);
$comment_author_IP = Grunion_Contact_Form_Plugin::strip_tags($_SERVER['REMOTE_ADDR']);
$vars = array('comment_author', 'comment_author_email', 'comment_author_url', 'contact_form_subject', 'comment_author_IP');
foreach ($vars as $var) {
${$var} = str_replace(array("\n", "\r"), '', ${$var});
}
$vars[] = 'comment_content';
$spam = '';
$akismet_values = $plugin->prepare_for_akismet(compact($vars));
// Is it spam?
$is_spam = apply_filters('contact_form_is_spam', $akismet_values);
if (is_wp_error($is_spam)) {
// WP_Error to abort
return $is_spam;
} else {
if ($is_spam === TRUE) {
// TRUE to flag a spam
$spam = '***SPAM*** ';
}
}
if (!$comment_author) {
$comment_author = $comment_author_email;
}
$to = (array) apply_filters('contact_form_to', $to);
foreach ($to as $to_key => $to_value) {
$to[$to_key] = Grunion_Contact_Form_Plugin::strip_tags($to_value);
}
$blog_url = parse_url(site_url());
$from_email_addr = 'wordpress@' . $blog_url['host'];
$reply_to_addr = $to[0];
if (!empty($comment_author_email)) {
$reply_to_addr = $comment_author_email;
}
$headers = 'From: ' . $comment_author . ' <' . $from_email_addr . ">\r\n" . 'Reply-To: ' . $comment_author . ' <' . $reply_to_addr . ">\r\n" . "Content-Type: text/plain; charset=\"" . get_option('blog_charset') . "\"";
$subject = apply_filters('contact_form_subject', $contact_form_subject);
$time = date_i18n(__('l F j, Y \\a\\t g:i a', 'jetpack'), current_time('timestamp'));
$extra_content = '';
foreach ($extra_values as $label => $value) {
$extra_content .= $label . ': ' . trim($value) . "\n";
}
$message = "{$comment_author_label}: {$comment_author}\n";
if (!empty($comment_author_email)) {
$message .= "{$comment_author_email_label}: {$comment_author_email}\n";
}
if (!empty($comment_author_url)) {
$message .= "{$comment_author_url_label}: {$comment_author_url}\n";
}
if (!empty($comment_content_label)) {
$message .= "{$comment_content_label}: {$comment_content}\n";
}
$message .= $extra_content . "\n";
$message .= __('Time:', 'jetpack') . ' ' . $time . "\n";
$message .= __('IP Address:', 'jetpack') . ' ' . $comment_author_IP . "\n";
if ($widget) {
$url = home_url('/');
} else {
$url = get_permalink($post->ID);
}
$message .= __('Contact Form URL:', 'jetpack') . " {$url}\n";
if (is_user_logged_in()) {
$message .= "\n";
$message .= sprintf(__('Sent by a verified %s user.', 'jetpack'), isset($GLOBALS['current_site']->site_name) && $GLOBALS['current_site']->site_name ? $GLOBALS['current_site']->site_name : '"' . get_option('blogname') . '"');
} else {
$message .= __('Sent by an unverified visitor to your site.', 'jetpack');
}
$message = apply_filters('contact_form_message', $message);
$message = Grunion_Contact_Form_Plugin::strip_tags($message);
// keep a copy of the feedback as a custom post type
$feedback_mysql_time = current_time('mysql');
$feedback_title = "{$comment_author} - {$feedback_mysql_time}";
$feedback_status = 'publish';
if ($is_spam === TRUE) {
$feedback_status = 'spam';
}
foreach ((array) $akismet_values as $av_key => $av_value) {
$akismet_values[$av_key] = Grunion_Contact_Form_Plugin::strip_tags($av_value);
}
foreach ((array) $all_values as $all_key => $all_value) {
$all_values[$all_key] = Grunion_Contact_Form_Plugin::strip_tags($all_value);
}
foreach ((array) $extra_values as $ev_key => $ev_value) {
$extra_values[$ev_key] = Grunion_Contact_Form_Plugin::strip_tags($ev_value);
}
/* We need to make sure that the post author is always zero for contact
* form submissions. This prevents export/import from trying to create
* new users based on form submissions from people who were logged in
* at the time.
*
* Unfortunately wp_insert_post() tries very hard to make sure the post
* author gets the currently logged in user id. That is how we ended up
* with this work around. */
add_filter('wp_insert_post_data', array($plugin, 'insert_feedback_filter'), 10, 2);
$post_id = wp_insert_post(array('post_date' => addslashes($feedback_mysql_time), 'post_type' => 'feedback', 'post_status' => addslashes($feedback_status), 'post_parent' => (int) $post->ID, 'post_title' => addslashes(wp_kses($feedback_title, array())), 'post_content' => addslashes(wp_kses($comment_content . "\n<!--more-->\n" . "AUTHOR: {$comment_author}\nAUTHOR EMAIL: {$comment_author_email}\nAUTHOR URL: {$comment_author_url}\nSUBJECT: {$contact_form_subject}\nIP: {$comment_author_IP}\n" . print_r($all_values, TRUE), array())), 'post_name' => md5($feedback_title)));
// once insert has finished we don't need this filter any more
remove_filter('wp_insert_post_data', array($plugin, 'insert_feedback_filter'), 10, 2);
update_post_meta($post_id, '_feedback_author', addslashes($comment_author));
update_post_meta($post_id, '_feedback_author_email', addslashes($comment_author_email));
update_post_meta($post_id, '_feedback_author_url', addslashes($comment_author_url));
update_post_meta($post_id, '_feedback_subject', addslashes($contact_form_subject));
update_post_meta($post_id, '_feedback_ip', addslashes($comment_author_IP));
update_post_meta($post_id, '_feedback_contact_form_url', addslashes(get_permalink($post->ID)));
update_post_meta($post_id, '_feedback_all_fields', $this->addslashes_deep($all_values));
update_post_meta($post_id, '_feedback_extra_fields', $this->addslashes_deep($extra_values));
update_post_meta($post_id, '_feedback_akismet_values', $this->addslashes_deep($akismet_values));
update_post_meta($post_id, '_feedback_email', $this->addslashes_deep(array('to' => $to, 'subject' => $subject, 'message' => $message, 'headers' => $headers)));
do_action('grunion_pre_message_sent', $post_id, $all_values, $extra_values);
// schedule deletes of old spam feedbacks
if (!wp_next_scheduled('grunion_scheduled_delete')) {
wp_schedule_event(time() + 250, 'daily', 'grunion_scheduled_delete');
}
if ($is_spam !== TRUE) {
wp_mail($to, "{$spam}{$subject}", $message, $headers);
} elseif (apply_filters('grunion_still_email_spam', FALSE) == TRUE) {
// don't send spam by default. Filterable.
wp_mail($to, "{$spam}{$subject}", $message, $headers);
}
if (defined('DOING_AJAX') && DOING_AJAX) {
return self::success_message($post_id, $this);
}
$redirect = wp_get_referer();
if (!$redirect) {
// wp_get_referer() returns false if the referer is the same as the current page
$redirect = $_SERVER['REQUEST_URI'];
}
$redirect = add_query_arg(urlencode_deep(array('contact-form-id' => $id, 'contact-form-sent' => $post_id, '_wpnonce' => wp_create_nonce("contact-form-sent-{$post_id}"))), $redirect);
$redirect = apply_filters('grunion_contact_form_redirect_url', $redirect, $id, $post_id);
wp_safe_redirect($redirect);
exit;
}
/**
* Sanitize and validate data required for a user sign-up.
*
* Verifies the validity and uniqueness of user names and user email addresses,
* and checks email addresses against admin-provided domain whitelists and blacklists.
*
* The {@see 'wpmu_validate_user_signup'} hook provides an easy way to modify the sign-up
* process. The value $result, which is passed to the hook, contains both the user-provided
* info and the error messages created by the function. {@see 'wpmu_validate_user_signup'}
* allows you to process the data in any way you'd like, and unset the relevant errors if
* necessary.
*
* @since MU
*
* @global wpdb $wpdb
*
* @param string $user_name The login name provided by the user.
* @param string $user_email The email provided by the user.
* @return array Contains username, email, and error messages.
*/
function wpmu_validate_user_signup($user_name, $user_email)
{
global $wpdb;
$errors = new WP_Error();
$orig_username = $user_name;
$user_name = preg_replace('/\\s+/', '', sanitize_user($user_name, true));
if ($user_name != $orig_username || preg_match('/[^a-z0-9]/', $user_name)) {
$errors->add('user_name', __('Only lowercase letters (a-z) and numbers are allowed.'));
$user_name = $orig_username;
}
$user_email = sanitize_email($user_email);
if (empty($user_name)) {
$errors->add('user_name', __('Please enter a username.'));
}
$illegal_names = get_site_option('illegal_names');
if (!is_array($illegal_names)) {
$illegal_names = array('www', 'web', 'root', 'admin', 'main', 'invite', 'administrator');
add_site_option('illegal_names', $illegal_names);
}
if (in_array($user_name, $illegal_names)) {
$errors->add('user_name', __('That username is not allowed.'));
}
if (is_email_address_unsafe($user_email)) {
$errors->add('user_email', __('You cannot use that email address to signup. We are having problems with them blocking some of our email. Please use another email provider.'));
}
if (strlen($user_name) < 4) {
$errors->add('user_name', __('Username must be at least 4 characters.'));
}
if (strlen($user_name) > 60) {
$errors->add('user_name', __('Username may not be longer than 60 characters.'));
}
if (strpos($user_name, '_') !== false) {
$errors->add('user_name', __('Sorry, usernames may not contain the character “_”!'));
}
// all numeric?
if (preg_match('/^[0-9]*$/', $user_name)) {
$errors->add('user_name', __('Sorry, usernames must have letters too!'));
}
if (!is_email($user_email)) {
$errors->add('user_email', __('Please enter a valid email address.'));
}
$limited_email_domains = get_site_option('limited_email_domains');
if (is_array($limited_email_domains) && !empty($limited_email_domains)) {
$emaildomain = substr($user_email, 1 + strpos($user_email, '@'));
if (!in_array($emaildomain, $limited_email_domains)) {
$errors->add('user_email', __('Sorry, that email address is not allowed!'));
}
}
// Check if the username has been used already.
if (username_exists($user_name)) {
$errors->add('user_name', __('Sorry, that username already exists!'));
}
// Check if the email address has been used already.
if (email_exists($user_email)) {
$errors->add('user_email', __('Sorry, that email address is already used!'));
}
// Has someone already signed up for this username?
$signup = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->signups} WHERE user_login = %s", $user_name));
if ($signup != null) {
$registered_at = mysql2date('U', $signup->registered);
$now = current_time('timestamp', true);
$diff = $now - $registered_at;
// If registered more than two days ago, cancel registration and let this signup go through.
if ($diff > 2 * DAY_IN_SECONDS) {
$wpdb->delete($wpdb->signups, array('user_login' => $user_name));
} else {
$errors->add('user_name', __('That username is currently reserved but may be available in a couple of days.'));
}
}
$signup = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->signups} WHERE user_email = %s", $user_email));
if ($signup != null) {
$diff = current_time('timestamp', true) - mysql2date('U', $signup->registered);
// If registered more than two days ago, cancel registration and let this signup go through.
if ($diff > 2 * DAY_IN_SECONDS) {
$wpdb->delete($wpdb->signups, array('user_email' => $user_email));
} else {
$errors->add('user_email', __('That email address has already been used. Please check your inbox for an activation email. It will become available in a couple of days if you do nothing.'));
}
}
$result = array('user_name' => $user_name, 'orig_username' => $orig_username, 'user_email' => $user_email, 'errors' => $errors);
/**
* Filter the validated user registration details.
*
* This does not allow you to override the username or email of the user during
* registration. The values are solely used for validation and error handling.
*
* @since MU
*
* @param array $result {
* The array of user name, email and the error messages.
*
* @type string $user_name Sanitized and unique username.
* @type string $orig_username Original username.
* @type string $user_email User email address.
* @type WP_Error $errors WP_Error object containing any errors found.
* }
*/
return apply_filters('wpmu_validate_user_signup', $result);
}
/**
* Check that an email address is valid for use.
*
* Performs the following checks:
* - Is the email address well-formed?
* - Is the email address already used?
* - If there's an email domain blacklist, is the current domain on it?
* - If there's an email domain whitelest, is the current domain on it?
*
* @since 1.6.2
*
* @param string $user_email The email being checked.
* @return bool|array True if the address passes all checks; otherwise an array
* of error codes.
*/
function bp_core_validate_email_address($user_email)
{
$errors = array();
$user_email = sanitize_email($user_email);
// Is the email well-formed?
if (!is_email($user_email)) {
$errors['invalid'] = 1;
}
// Is the email on the Banned Email Domains list?
// Note: This check only works on Multisite.
if (function_exists('is_email_address_unsafe') && is_email_address_unsafe($user_email)) {
$errors['domain_banned'] = 1;
}
// Is the email on the Limited Email Domains list?
// Note: This check only works on Multisite.
$limited_email_domains = get_site_option('limited_email_domains');
if (is_array($limited_email_domains) && empty($limited_email_domains) == false) {
$emaildomain = substr($user_email, 1 + strpos($user_email, '@'));
if (!in_array($emaildomain, $limited_email_domains)) {
$errors['domain_not_allowed'] = 1;
}
}
// Is the email alreday in use?
if (email_exists($user_email)) {
$errors['in_use'] = 1;
}
$retval = !empty($errors) ? $errors : true;
return $retval;
}
function invite_anyone_validate_email($user_email)
{
$status = 'okay';
if (invite_anyone_check_is_opt_out($user_email)) {
$status = 'opt_out';
} else {
if ($user = get_user_by('email', $user_email)) {
$status = 'used';
} else {
if (function_exists('is_email_address_unsafe') && is_email_address_unsafe($user_email)) {
$status = 'unsafe';
} else {
if (function_exists('is_email') && !is_email($user_email)) {
$status = 'invalid';
}
}
}
}
if (function_exists('get_site_option')) {
if ($limited_email_domains = get_site_option('limited_email_domains')) {
if (is_array($limited_email_domains) && empty($limited_email_domains) == false) {
$emaildomain = substr($user_email, 1 + strpos($user_email, '@'));
if (in_array($emaildomain, $limited_email_domains) == false) {
$status = 'limited_domain';
}
}
}
}
return apply_filters('invite_anyone_validate_email', $status, $user_email);
}
function contact_form_shortcode($atts, $content)
{
global $post;
$default_to = get_option('admin_email');
$default_subject = "[" . get_option('blogname') . "]";
if (!empty($atts['widget']) && $atts['widget']) {
$default_subject .= " Sidebar";
} elseif ($post->ID) {
$default_subject .= " " . wp_kses($post->post_title, array());
$post_author = get_userdata($post->post_author);
$default_to = $post_author->user_email;
}
extract(shortcode_atts(array('to' => $default_to, 'subject' => $default_subject, 'show_subject' => 'no', 'widget' => 0), $atts));
$widget = esc_attr($widget);
if (function_exists('faux_faux') && faux_faux() || is_feed()) {
return '[contact-form]';
}
global $wp_query, $grunion_form, $contact_form_errors, $contact_form_values, $user_identity, $contact_form_last_id, $contact_form_message;
// used to store attributes, configuration etc for access by contact-field shortcodes
$grunion_form = new stdClass();
$grunion_form->to = $to;
$grunion_form->subject = $subject;
$grunion_form->show_subject = $show_subject;
if ($widget) {
$id = 'widget-' . $widget;
} elseif (is_singular()) {
$id = $wp_query->get_queried_object_id();
} else {
$id = $GLOBALS['post']->ID;
}
if (!$id) {
// something terrible has happened
return '[contact-form]';
}
if ($id == $contact_form_last_id) {
return;
} else {
$contact_form_last_id = $id;
}
ob_start();
wp_nonce_field('contact-form_' . $id);
$nonce = ob_get_contents();
ob_end_clean();
$body = contact_form_parse($content);
$r = "<div id='contact-form-{$id}'>\n";
$errors = array();
if (is_wp_error($contact_form_errors) && ($errors = (array) $contact_form_errors->get_error_codes())) {
$r .= "<div class='form-error'>\n<h3>" . __('Error!', "mm") . "</h3>\n<ul class='form-errors'>\n";
foreach ($contact_form_errors->get_error_messages() as $message) {
$r .= "\t<li class='form-error-message' style='color: red;'>{$message}</li>\n";
}
$r .= "</ul>\n</div>\n\n";
}
$r .= "<form action='#contact-form-{$id}' method='post' class='contact-form commentsblock'>\n";
$r .= $body;
$r .= "\t<p class='contact-submit'>\n";
$r .= "\t\t<input type='submit' value='" . __("Submit »", "mm") . "' class='pushbutton-wide'/>\n";
$r .= "\t\t{$nonce}\n";
$r .= "\t\t<input type='hidden' name='contact-form-id' value='{$id}' />\n";
$r .= "\t</p>\n";
$r .= "</form>\n</div>";
// form wasn't submitted, just a GET
if (empty($_POST)) {
return $r;
}
if (is_wp_error($contact_form_errors)) {
return $r;
}
$emails = str_replace(' ', '', $to);
$emails = explode(',', $emails);
foreach ((array) $emails as $email) {
if (is_email($email) && (!function_exists('is_email_address_unsafe') || !is_email_address_unsafe($email))) {
$valid_emails[] = $email;
}
}
$to = $valid_emails ? $valid_emails : $default_to;
$message_sent = contact_form_send_message($to, $subject, $widget);
if (is_array($contact_form_values)) {
extract($contact_form_values);
}
if (!isset($comment_content)) {
$comment_content = '';
} else {
$comment_content = wp_kses($comment_content, array());
}
$r = "<div id='contact-form-{$id}'>\n";
$errors = array();
if (is_wp_error($contact_form_errors) && ($errors = (array) $contact_form_errors->get_error_codes())) {
$r .= "<div class='form-error'>\n<h3>" . __('Error!', "mm") . "</h3>\n<p>\n";
foreach ($contact_form_errors->get_error_messages() as $message) {
$r .= "\t{$message}<br />\n";
}
$r .= "</p>\n</div>\n\n";
} else {
$r .= "<h3>" . __('Message Sent', "mm") . "</h3>\n\n";
$r .= wp_kses($contact_form_message, array('br' => array(), 'blockquote' => array())) . "</div>";
// Reset for multiple contact forms. Hacky
$contact_form_values['comment_content'] = '';
return $r;
}
return $r;
}
/**
* Validate a user name and email address when creating a new user.
*
* @global object $wpdb DB Layer
* @param string $user_name Username to validate
* @param string $user_email Email address to validate
* @return array Results of user validation including errors, if any
*/
function bp_core_validate_user_signup($user_name, $user_email)
{
global $wpdb;
$errors = new WP_Error();
$user_email = sanitize_email($user_email);
if (empty($user_name)) {
$errors->add('user_name', __('Please enter a username', 'buddypress'));
}
$maybe = array();
preg_match("/[a-z0-9]+/", $user_name, $maybe);
// Make sure illegal names include BuddyPress slugs and values
bp_core_flush_illegal_names();
$illegal_names = get_site_option('illegal_names');
if (!validate_username($user_name) || in_array($user_name, (array) $illegal_names) || !empty($maybe[0]) && $user_name != $maybe[0]) {
$errors->add('user_name', __('Only lowercase letters and numbers allowed', 'buddypress'));
}
if (strlen($user_name) < 4) {
$errors->add('user_name', __('Username must be at least 4 characters', 'buddypress'));
}
if (strpos(' ' . $user_name, '_') != false) {
$errors->add('user_name', __('Sorry, usernames may not contain the character "_"!', 'buddypress'));
}
// Is the user_name all numeric?
$match = array();
preg_match('/[0-9]*/', $user_name, $match);
if ($match[0] == $user_name) {
$errors->add('user_name', __('Sorry, usernames must have letters too!', 'buddypress'));
}
if (!is_email($user_email)) {
$errors->add('user_email', __('Please check your email address.', 'buddypress'));
}
if (function_exists('is_email_address_unsafe') && is_email_address_unsafe($user_email)) {
$errors->add('user_email', __('Sorry, that email address is not allowed!', 'buddypress'));
}
$limited_email_domains = get_site_option('limited_email_domains', 'buddypress');
if (is_array($limited_email_domains) && empty($limited_email_domains) == false) {
$emaildomain = substr($user_email, 1 + strpos($user_email, '@'));
if (in_array($emaildomain, (array) $limited_email_domains) == false) {
$errors->add('user_email', __('Sorry, that email address is not allowed!', 'buddypress'));
}
}
// Check if the username has been used already.
if (username_exists($user_name)) {
$errors->add('user_name', __('Sorry, that username already exists!', 'buddypress'));
}
// Check if the email address has been used already.
if (email_exists($user_email)) {
$errors->add('user_email', __('Sorry, that email address is already used!', 'buddypress'));
}
$result = array('user_name' => $user_name, 'user_email' => $user_email, 'errors' => $errors);
// Apply WPMU legacy filter
$result = apply_filters('wpmu_validate_user_signup', $result);
return apply_filters('bp_core_validate_user_signup', $result);
}
/**
* @ticket 21570
*/
function test_is_email_address_unsafe()
{
update_site_option('banned_email_domains', 'bar.com');
foreach (array('*****@*****.**', '*****@*****.**') as $email_address) {
$this->assertTrue(is_email_address_unsafe($email_address), "{$email_address} should be UNSAFE");
}
foreach (array('*****@*****.**', '*****@*****.**') as $email_address) {
$this->assertFalse(is_email_address_unsafe($email_address), "{$email_address} should be SAFE");
}
}
function invite_anyone_validate_email($user_email)
{
//if ( email_exists($user_email) )
// return 'used';
if (invite_anyone_check_is_opt_out($user_email)) {
return 'opt_out';
}
if ($user = get_user_by_email($user_email)) {
return 'used';
}
// Many of he following checks can only be run on WPMU
if (function_exists('is_email_address_unsafe')) {
if (is_email_address_unsafe($user_email)) {
return 'unsafe';
}
}
if (function_exists('validate_email')) {
if (!validate_email($user_email)) {
return 'invalid';
}
}
if (function_exists('get_site_option')) {
if ($limited_email_domains = get_site_option('limited_email_domains')) {
if (is_array($limited_email_domains) && empty($limited_email_domains) == false) {
$emaildomain = substr($user_email, 1 + strpos($user_email, '@'));
if (in_array($emaildomain, $limited_email_domains) == false) {
return 'limited_domain';
}
}
}
}
return 'safe';
}
/**
* @dataProvider data_safe
* @ticket 25046
* @ticket 21570
*/
public function test_safe_emails($banned, $email)
{
update_site_option('banned_email_domains', $banned);
$this->assertFalse(is_email_address_unsafe($email));
}
/**
* Is this a valid email address change?
*
* @param string $email A possible email address to validate.
* @param string $existing_email The user's existing email address (possibly the same).
*
* @return boolean|errors TRUE if `$email` is a valid (available) email address.
* Otherwise, this returns an errors object on failure.
*
* @note Emails may NEVER exceed 100 chars (the max DB column size).
*
* @throws exception If invalid types are passed through arguments list.
*/
public function validate_email_change_of_address($email, $existing_email)
{
$this->check_arg_types('string', 'string', func_get_args());
$form_field_code = 'email';
// For form errors.
$user = (string) strstr($email, '@', TRUE);
$domain = ltrim((string) strstr($email, '@'), '@');
if (!$email) {
return $this->©error($this->method(__FUNCTION__) . '#missing_email', get_defined_vars(), $this->_x('Missing email address (empty).'));
}
if (is_multisite()) {
if (!preg_match($this->regex_valid_email, $email) || !is_email($email) || $email !== sanitize_email($email) || strlen($email) > 100) {
return $this->©error($this->method(__FUNCTION__) . '#invalid_multisite_email', get_defined_vars(), sprintf($this->_x('Invalid email address: `%1$s`.'), $email));
}
if (strcasecmp($email, $existing_email) !== 0 && email_exists($email)) {
return $this->©error($this->method(__FUNCTION__) . '#multisite_email_exists', get_defined_vars(), sprintf($this->_x('Email address: `%1$s`, is already in use.'), $email));
}
if ($this->©array->¤is_not_empty($limited_email_domains = get_site_option('limited_email_domains')) && !in_array(strtolower($domain), $limited_email_domains, TRUE)) {
return $this->©error($this->method(__FUNCTION__) . '#unapproved_multisite_email', get_defined_vars(), sprintf($this->_x('Unapproved email domain: `%1$s`.'), $domain) . ' ' . $this->_x('You cannot use an email address with this domain.'));
}
if (is_email_address_unsafe($email)) {
return $this->©error($this->method(__FUNCTION__) . '#restricted_multisite_email', get_defined_vars(), sprintf($this->_x('Restricted email domain: `%1$s`.'), $domain) . ' ' . $this->_x('We are having problems with this domain blocking some of our email.') . ' ' . $this->_x('Please use another email service provider.'));
}
if (strcasecmp($email, $existing_email) !== 0) {
$query = "SELECT" . " `signups`.*" . " FROM" . " `" . $this->©string->esc_sql($this->©db_tables->get_wp('signups')) . "` AS `signups`" . " WHERE" . " `signups`.`user_email` = '" . $this->©string->esc_sql($email) . "'" . " LIMIT 1";
// Only need one row here.
if (is_object($signup = $this->©db->get_row($query, OBJECT))) {
if ($signup->active) {
return $this->©error($this->method(__FUNCTION__) . '#multisite_email_exists', get_defined_vars(), sprintf($this->_x('Email address: `%1$s`, is already in use.'), $email));
}
if (strtotime($signup->registered) < strtotime('-2 days')) {
$this->©db->delete($this->©db_tables->get_wp('signups'), array('user_email' => $email));
} else {
return $this->©error($this->method(__FUNCTION__) . '#reserved_multisite_email', get_defined_vars(), sprintf($this->_x('Reserved email address: `%1$s`.'), $email) . ' ' . $this->_x('This email address is already associated with another account holder.') . ' ' . $this->_x('However, there\'s a chance it will become available again in a couple of days;') . ' ' . $this->_x('should the other account holder fail to complete activation for some reason.'));
}
}
}
} else {
if (!preg_match($this->regex_valid_email, $email) || !is_email($email) || $email !== sanitize_email($email) || strlen($email) > 100) {
return $this->©error($this->method(__FUNCTION__) . '#invalid_email', get_defined_vars(), sprintf($this->_x('Invalid email address: `%1$s`.'), $email));
}
if (strcasecmp($email, $existing_email) !== 0 && email_exists($email)) {
return $this->©error($this->method(__FUNCTION__) . '#email_exists', get_defined_vars(), sprintf($this->_x('Email address: `%1$s`, is already in use.'), $email));
}
}
return TRUE;
// Default return value.
}
