Merge pull request #22 from JWardee/v1.2.0

+Improved sanitisation
JWardee · Aug 20, 2018 · 0a2e4d5 · 0a2e4d5
2 parents d54ada0 + bd2f29e
commit 0a2e4d5
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/src/Loggers/Logger.php b/src/Loggers/Logger.php
@@ -77,7 +77,7 @@ protected function getMailArgs($args)
 			'time' => time(),
 			'email_to' => GeneralHelper::arrayToString($args['to']),
 			'subject' => $args['subject'],
-			'message' => strip_tags($args['message']),
+			'message' => $this->sanitiseInput($args['message']),
 			'backtrace_segment' => json_encode($this->getBacktrace()),
 			'status' => 1,
 			'attachments' => json_encode($this->getAttachmentLocations($args['attachments'])),
@@ -133,6 +133,13 @@ protected function getAttachmentLocations($attachments)
 		return $result;
 	}
 
+	protected function sanitiseInput($input)
+    {
+        return htmlspecialchars(
+            preg_replace('#<script(.*?)>(.*?)</script>#is', '', $input)
+        );
+    }
+
 	/**
 	 * Get the details of the method that originally triggered wp_mail
 	 *

diff --git a/src/Models/Logs.php b/src/Models/Logs.php
@@ -80,12 +80,13 @@ static private function dbResultTransform($results, $args = [])
 
             if (GeneralHelper::doesArrayContainSubString($result['additional_headers'], 'text/html')) {
 			    $result['is_html'] = true;
-                $result['message'] = str_replace('\\', '', $result['message']);
             } else {
                 $result['is_html'] = false;
-                $result['message'] = nl2br(htmlspecialchars($result['message']));
+                $result['message'] = htmlspecialchars_decode($result['message']);
             }
 
+            $result['message'] = stripslashes($result['message']);
+
 			if (!empty($result['attachments'])) {
 				foreach ($result['attachments'] as &$attachment) {
 					if ($attachment['id'] == -1) {