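/**
 * Manage user requests made via GET vars: activation link, unsubscribe link,
 * tracked link and the external (e.g. cron) batch-sending trigger.
 *
 * The emunsub / emact / emtrck values are base64-encoded, "|"-separated
 * tokens that the plugin put into newsletter e-mails. They are still
 * attacker-controllable query strings, so every field is type-checked and
 * whitelisted here before it reaches a lookup or a redirect.
 *
 * Every matched branch ends with exit, so at most one request type is handled
 * per call. When no branch matches and the request is not AJAX, the
 * subscription-form inputs are removed from $_REQUEST.
 *
 * @return void
 */
function alo_em_check_get_vars() {
    // From unsubscribe link: token is "<subscriber id>|<unikey>".
    if (isset($_GET['emunsub'])) {
        $get = alo_em_check_get_vars_token_parts($_GET['emunsub']);
        $subscriber_id = isset($get[0]) && is_numeric($get[0]) ? (int) $get[0] : false;
        $unikey = isset($get[1]) ? preg_replace('/[^a-zA-Z0-9]/', '', $get[1]) : '';
        $subscriber = $subscriber_id ? alo_em_get_subscriber_by_id($subscriber_id) : false;
        $uns_link = "";
        if ($subscriber) {
            $uns_link = alo_em_check_get_vars_subsc_link('unsubscribe', $subscriber->email, $unikey, $subscriber->lang);
        }
        // Unknown subscriber -> empty location: wp_redirect() sends no header and the request just ends.
        wp_redirect($uns_link);
        exit;
    }

    // From activation link: token is "<subscriber>|<unikey>|<lang>".
    if (isset($_GET['emact'])) {
        $get = alo_em_check_get_vars_token_parts($_GET['emact']);
        $unikey = isset($get[1]) ? preg_replace('/[^a-zA-Z0-9]/', '', $get[1]) : '';
        // The language code only ever reaches alo_em_translate_url(); restrict it to locale-like characters.
        // A missing third field is passed through as null, as the previous code effectively did.
        $lang = isset($get[2]) ? preg_replace('/[^a-zA-Z0-9_-]/', '', $get[2]) : null;
        $subscriber = alo_em_get_subscriber($get[0]);
        $act_link = "";
        if ($subscriber) {
            $act_link = alo_em_check_get_vars_subsc_link('activate', $subscriber->email, $unikey, $lang);
        }
        wp_redirect($act_link);
        exit;
    }

    // Called from external request (eg. cron task).
    // NOTE(review): no capability, nonce or shared-secret check is visible here,
    // so any unauthenticated GET carrying this parameter starts a batch send.
    // Unless alo_em_batch_sending() throttles itself, consider requiring a
    // secret token in the cron URL — confirm against the plugin's cron setup.
    if (isset($_GET['alo_easymail_doing_cron'])) {
        alo_em_batch_sending();
        exit;
    }

    // Called from a tracked link: token is "<recipient id>|<unikey>|<target url>".
    if (isset($_GET['emtrck'])) {
        $get = alo_em_check_get_vars_token_parts($_GET['emtrck']);
        $recipient = isset($get[0]) && is_numeric($get[0]) ? (int) $get[0] : false;
        $unikey = isset($get[1]) ? preg_replace('/[^a-zA-Z0-9]/', '', $get[1]) : false;
        $request = isset($get[2]) ? esc_url_raw($get[2]) : false;
        if ($recipient && $unikey && $request) {
            $rec_info = alo_em_get_recipient_by_id($recipient);
            // The unikey check is what stops a third party from minting tracking
            // tokens: wp_redirect() below does not restrict the target host, because
            // the target is by design the (external) link from the newsletter.
            if ($rec_info && alo_em_check_subscriber_email_and_unikey($rec_info->email, $unikey)) {
                alo_em_tracking_recipient($recipient, $rec_info->newsletter, $request);
                switch (get_option('alo_em_campaign_vars')) {
                    case 'google':
                        $campaign_args = array(
                            'utm_source'   => 'AloEasyMail',
                            'utm_medium'   => 'email',
                            'utm_campaign' => $rec_info->newsletter . '-' . get_the_title($rec_info->newsletter),
                            'utm_content'  => $request,
                        );
                        $campaign_args = apply_filters('alo_easymail_prepare_campaign_vars', $campaign_args, $rec_info, $request); // Hook
                        wp_redirect(add_query_arg($campaign_args, $request));
                        exit;
                    case 'no':
                    default:
                        wp_redirect($request);
                        exit;
                }
            }
        }
        // Invalid or unverifiable token: no redirect at all, so the target URL is never followed.
        exit;
    }

    // Block XSS attempt: drop subscription form inputs when not in ajax (eg. if javascript disabled).
    // Only $_REQUEST is cleared; $_GET/$_POST keep the raw values, so template code must still escape them.
    if (!defined('DOING_AJAX') || !DOING_AJAX) {
        unset($_REQUEST['alo_em_opt_name'], $_REQUEST['alo_em_opt_email']);
        // 'submit' is a common field name other plugins may rely on, so it is left untouched.
        // (The former esc_sql() call here discarded its return value and had no effect.)
    }
}

/**
 * Split a base64-encoded, "|"-separated request token into its parts.
 *
 * Non-string input (e.g. "?emact[]=x") is treated as an empty token instead of
 * being handed to base64_decode(), which would raise a TypeError on PHP 8.
 * Decoding is intentionally non-strict: a '+' in the token may have arrived as
 * a space after URL decoding, and strict mode would reject such links.
 *
 * @param mixed $raw Raw $_GET value.
 * @return string[] At least one element; missing fields are simply absent.
 */
function alo_em_check_get_vars_token_parts($raw) {
    if (!is_string($raw)) {
        return array('');
    }
    return explode("|", (string) base64_decode($raw));
}

/**
 * Build the subscription-page URL for an activate/unsubscribe action.
 *
 * @param string      $action Value of the "ac" query var ('activate' or 'unsubscribe').
 * @param string      $email  Subscriber e-mail, split into em1/em2 around the "@".
 * @param string      $unikey Already-whitelisted subscriber key.
 * @param string|null $lang   Language passed to alo_em_translate_url().
 * @return string
 */
function alo_em_check_get_vars_subsc_link($action, $email, $unikey, $lang) {
    $div_email = explode("@", (string) $email);
    // add_query_arg() presumably does not URL-encode these values (the original
    // code encoded em1/em2 by hand), so the explicit urlencode() calls stay.
    $arr_params = array(
        'ac'  => $action,
        'em1' => urlencode($div_email[0]),
        'em2' => urlencode(isset($div_email[1]) ? $div_email[1] : ''),
        'uk'  => $unikey,
    );
    return add_query_arg($arr_params, alo_em_translate_url(get_option('alo_em_subsc_page'), $lang));
}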