Merge remote-tracking branch 'origin/master'

.github/workflows/main.yml

@@ -1,6 +1,6 @@
 name: CI
 
-on: [push, pull_request]
+on: pull_request
 
 jobs:
   run:

WpMailCatcher.php

@@ -6,7 +6,7 @@
 Domain Path: /languages
 Description: Logging your mail will stop you from ever losing your emails again! This fast, lightweight plugin (under 140kb in size!) is also useful for debugging or backing up your messages.
 Author: James Ward
-Version: 2.1.4
+Version: 2.1.5
 Author URI: https://jamesward.io
 Donate link: https://paypal.me/jamesmward
 */

readme.txt

@@ -4,7 +4,7 @@ Tags: mail logging, email log, email logger, logging, email logging, mail, crm
 Requires at least: 4.7
 Tested up to: 6.4
 Requires PHP: 7.4
-Stable tag: 2.1.4
+Stable tag: 2.1.5
 License: GNU General Public License v3.0
 License URI: https://raw.githubusercontent.com/JWardee/wp-mail-catcher/master/LICENSE
 Donate link: https://paypal.me/jamesmward

src/GeneralHelper.php

@@ -141,6 +141,7 @@ private static function getAllowedTags()
 
     public static function filterHtml($value)
     {
+        $value = htmlspecialchars_decode($value);
         return wp_kses($value, self::getAllowedTags());
     }
 

src/Models/Settings.php

@@ -25,7 +25,7 @@ class Settings
     public static function get($key = null, $bypassCache = false)
     {
         if (self::$settings == null || $bypassCache) {
-            $options = unserialize(get_option(self::$optionsName, ""));
+            $options = maybe_unserialize(get_option(self::$optionsName, ""));
 
             if (!is_array($options)) {
                 self::installOptions();

testing/tests/TestEmails.php

@@ -157,4 +157,21 @@ public function testWpFiltersWithMailCatcherAreUnchanged()
         remove_filter('wp_mail_content_type', $wpMailContentFilter);
         remove_filter('wp_mail_content_type', $wpMailContentFilter, 9999991);
     }
+
+    public function testSpecialCharHtmlEmailCanStillBeViewed()
+    {
+        $htmlMessage = '<strong>Hello <a href="https://example.com" target="_blank">world</a></strong>';
+        wp_mail('[email protected]', 'html encoded', htmlspecialchars($htmlMessage));
+
+        $log = Logs::getFirst([
+            'subject' => 'html encoded'
+        ]);
+
+        ob_start();
+        require __DIR__ . '/../../src/Views/HtmlMessage.php';
+        $actualMessage = ob_get_contents();
+        ob_end_clean();
+
+        $this->assertEquals($htmlMessage, $actualMessage);
+    }
 }

testing/tests/TestSecurity.php

@@ -1,5 +1,6 @@
 <?php
 
+use WpMailCatcher\GeneralHelper;
 use WpMailCatcher\Models\Logs;
 use WpMailCatcher\MailAdminTable;
 
@@ -11,12 +12,20 @@ public function tearDown(): void
         parent::tearDown();
     }
 
+    public function testMaliciousHtmlIsEscaped()
+    {
+        $maliciousHtml = '<script>alert("Hello");</script>';
+        $escapedHtml = GeneralHelper::filterHtml($maliciousHtml);
+
+        $this->assertNotEquals($escapedHtml, $maliciousHtml);
+    }
+
     public function testSubjectLineHtmlIsEscaped()
     {
         $mailTable = MailAdminTable::getInstance();
-        $subjectBase = '<script>alert("Hello");</script>';
-        $escapedSubject = $mailTable->runHtmlSpecialChars($subjectBase);
-        $subject = $mailTable->column_subject(['subject' => $subjectBase]);
+        $exploitedSubject = '<script>alert("Hello");</script>';
+        $escapedSubject = $mailTable->runHtmlSpecialChars($exploitedSubject);
+        $subject = $mailTable->column_subject(['subject' => $exploitedSubject]);
 
         $this->assertEquals($subject, $escapedSubject);
     }