From 84ac01a85e1e93e69c9db2e42ac5401f6a938e7d Mon Sep 17 00:00:00 2001
From: Jeremy Herve
Date: Wed, 8 Sep 2021 16:38:13 +0200
Subject: [PATCH] Contact Form: adjust wording for filter description. (#20979)
* Contact Form: adjust wording for filter description. One can use this filter to automatically set up cc or bcc for all contact forms on the site, based on data submitted by site visitors. See the description in #20912 for an example. Let's make it clear that by doing so, you're allowing visitors to send emails to any email address they want.
* Update projects/plugins/jetpack/modules/contact-form/grunion-contact-form.php
Co-authored-by: Brad Jorsch
Co-authored-by: Brad Jorsch
---
 .../jetpack/changelog/update-form-filter-note-caution | 5 +++++
 .../jetpack/modules/contact-form/grunion-contact-form.php | 6 ++++++
 2 files changed, 11 insertions(+)
 create mode 100644 projects/plugins/jetpack/changelog/update-form-filter-note-caution
diff --git a/projects/plugins/jetpack/changelog/update-form-filter-note-caution b/projects/plugins/jetpack/changelog/update-form-filter-note-caution
new file mode 100644
index 0000000000000..261ba9eed3c2c
--- /dev/null
+++ b/projects/plugins/jetpack/changelog/update-form-filter-note-caution
@@ -0,0 +1,5 @@
+Significance: patch
+Type: other
+Comment: Form: adjust wording for filter description.
+
+
diff --git a/projects/plugins/jetpack/modules/contact-form/grunion-contact-form.php b/projects/plugins/jetpack/modules/contact-form/grunion-contact-form.php
index e5b9dc70f042b..01e895c40c720 100644
--- a/projects/plugins/jetpack/modules/contact-form/grunion-contact-form.php
+++ b/projects/plugins/jetpack/modules/contact-form/grunion-contact-form.php
@@ -2889,6 +2889,12 @@ function process_submission() {
 /**
  * Allow customizing the email headers.
  *
+ * Warning: DO NOT add headers or header data from the form submission without proper
+ * escaping and validation, or you're liable to allow abusers to use your site to send spam.
+ *
+ * Especially DO NOT take email addresses from the form data to add as CC or BCC headers
+ * without strictly validating each address against a list of allowed addresses.
+ *
  * @module contact-form
  *
  * @since 10.2.0
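Review bot: The new warning leaves "proper escaping and validation" undefined, and the concrete failure mode it guards against is not named in the docblock: a carriage return or line feed inside any header value taken from the submission terminates that header and lets the submitter append headers of their own (email header injection), regardless of whether the address itself is on an allow-list. I'd add one sentence after the first added paragraph: ` * Reject any submitted value that contains a carriage return or line feed before placing it in a header;` ` * a newline inside a header value lets the sender inject additional headers.` It would also help to spell out what "strictly validating" means in the second paragraph, e.g. `is_email()` on each address plus `in_array( $address, $allowed, true )` against a list the site owner controls, so implementers do not settle for a format check alone. Nothing in this hunk enforces the warning — it is documentation only — and whether the code receiving the filtered headers sanitizes them is not visible here, since process_submission() begins before the hunk and continues after it.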