Merge pull request from GHSA-5cp2-r794-w37w
Don't use htmlentitiesdecode when sending email
PierreRambaud committed Sep 24, 2020
2 parents 3fa0dfa + f952200 commit 562a231
Showing 4 changed files with 14 additions and 42 deletions.
3 changes: 0 additions & 3 deletions classes/Mail.php
Expand Up @@ -481,9 +481,6 @@ function ($carry, $item) {
$message->setReplyTo($replyTo, ($replyToName !== '' ? $replyToName : null));
}

$templateVars = array_map(['Tools', 'htmlentitiesDecodeUTF8'], $templateVars);
$templateVars = array_map(['Tools', 'stripslashes'], $templateVars);

if (false !== Configuration::get('PS_LOGO_MAIL') &&
file_exists(_PS_IMG_DIR_ . Configuration::get('PS_LOGO_MAIL', null, null, $idShop))
) {
49 changes: 12 additions & 37 deletions controllers/admin/AdminCustomerThreadsController.php
Expand Up @@ -361,13 +361,13 @@ public function postProcess()
if (($error = $cm->validateField('message', $message, null, array(), true)) !== true) {
$this->errors[] = $error;
} elseif ($id_employee && $employee && Validate::isLoadedObject($employee)) {
$params = array(
'{messages}' => stripslashes($output),
$params = [
'{messages}' => Tools::stripslashes($output),
'{employee}' => $current_employee->firstname . ' ' . $current_employee->lastname,
'{comment}' => stripslashes(Tools::nl2br($_POST['message_forward'])),
'{comment}' => Tools::stripslashes(Tools::nl2br($_POST['message_forward'])),
'{firstname}' => $employee->firstname,
'{lastname}' => $employee->lastname,
);
];

if (Mail::Send(
$this->context->language->id,
Expand All @@ -393,13 +393,13 @@ public function postProcess()
$cm->add();
}
} elseif ($email && Validate::isEmail($email)) {
$params = array(
'{messages}' => Tools::nl2br(stripslashes($output)),
$params = [
'{messages}' => Tools::nl2br(Tools::stripslashes($output)),
'{employee}' => $current_employee->firstname . ' ' . $current_employee->lastname,
'{comment}' => stripslashes($_POST['message_forward']),
'{comment}' => Tools::stripslashes($_POST['message_forward']),
'{firstname}' => '',
'{lastname}' => '',
);
];

if (Mail::Send(
$this->context->language->id,
Expand Down Expand Up @@ -449,15 +449,16 @@ public function postProcess()
$file_attachment['mime'] = $_FILES['joinFile']['type'];
}
$customer = new Customer($ct->id_customer);
$params = array(
'{reply}' => Tools::nl2br(Tools::getValue('reply_message')),

$params = [
'{reply}' => Tools::nl2br(Tools::htmlentitiesUTF8(Tools::getValue('reply_message'))),
'{link}' => Tools::url(
$this->context->link->getPageLink('contact', true, null, null, false, $ct->id_shop),
'id_customer_thread=' . (int) $ct->id . '&token=' . $ct->token
),
'{firstname}' => $customer->firstname,
'{lastname}' => $customer->lastname,
);
];
//#ct == id_customer_thread #tc == token of thread <== used in the synchronization imap
$contact = new Contact((int) $ct->id_contact, (int) $ct->id_lang);

Expand Down Expand Up @@ -894,32 +895,6 @@ public function renderOptions()
return parent::renderOptions();
}

/**
* AdminController::getList() override.
*
* @see AdminController::getList()
*
* @param int $id_lang
* @param string|null $order_by
* @param string|null $order_way
* @param int $start
* @param int|null $limit
* @param int|bool $id_lang_shop
*
* @throws PrestaShopException
*/
public function getList($id_lang, $order_by = null, $order_way = null, $start = 0, $limit = null, $id_lang_shop = false)
{
parent::getList($id_lang, $order_by, $order_way, $start, $limit, $id_lang_shop);

$nb_items = count($this->_list);
for ($i = 0; $i < $nb_items; ++$i) {
if (isset($this->_list[$i]['messages'])) {
$this->_list[$i]['messages'] = Tools::htmlentitiesDecodeUTF8($this->_list[$i]['messages']);
}
}
}

public function updateOptionPsSavImapOpt($value)
{
if ($this->access('edit') != '1') {
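Review bot: The forward path is left inconsistent with the reply path: in the first two hunks `'{comment}'` is built from `$_POST['message_forward']` with only `Tools::stripslashes`/`Tools::nl2br`, while the reply hunk now wraps `reply_message` in `Tools::htmlentitiesUTF8` before `nl2br`. Because Mail::Send (patched in this same PR) no longer decodes entities, it also no longer has any say over what reaches the HTML template, so whatever markup an employee puts in the forward comment now lands verbatim in the mail sent to the other employee or to the arbitrary, merely `Validate::isEmail`-checked `$email`; escaping it the same way keeps the fix uniform: `'{comment}' => Tools::stripslashes(Tools::nl2br(Tools::htmlentitiesUTF8($_POST['message_forward']))),` in the employee branch and `'{comment}' => Tools::stripslashes(Tools::htmlentitiesUTF8($_POST['message_forward'])),` in the e-mail branch. The order matters: encode first, then `nl2br`, otherwise the inserted `<br />` tags are escaped as well, which is exactly what the reply hunk already does. `$output`, used for `'{messages}'` in both branches, is assembled outside these hunks, so I cannot see whether thread messages in it are already escaped; if not, it needs the same treatment. postProcess begins and ends outside the hunks shown here.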
2 changes: 1 addition & 1 deletion controllers/admin/AdminOrdersController.php
Expand Up @@ -638,7 +638,7 @@ public function postProcess()
} else {
$message = $customer_message->message;
if (Configuration::get('PS_MAIL_TYPE', null, null, $order->id_shop) != Mail::TYPE_TEXT) {
$message = Tools::nl2br($customer_message->message);
$message = Tools::nl2br(Tools::htmlentitiesUTF8($customer_message->message));
}

$orderLanguage = new Language((int) $order->id_lang);
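Review bot: The new escaping runs only when `PS_MAIL_TYPE` is not `Mail::TYPE_TEXT`, so under a text-only configuration `$message` remains the raw `$customer_message->message` from the line above; that is acceptable for a plain-text body, but the asymmetry deserves a comment so nobody later "fixes" it by moving the call outside the condition, e.g. `// Text mails need no escaping; for HTML mails encode entities before nl2br so stored markup cannot render.` Mail::Send, patched in this PR, no longer runs `htmlentitiesDecodeUTF8` over template vars, so if `$customer_message->message` is ever persisted already entity-encoded this now double-encodes and the mail shows `&amp;`-style artefacts — I cannot tell from the hunk how that field is stored, so please confirm against the CustomerMessage definition and a rendered mail. The enclosing `if`/`else` and postProcess continue outside the hunk.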
2 changes: 1 addition & 1 deletion controllers/front/OrderDetailController.php
Expand Up @@ -115,7 +115,7 @@ public function postProcess()
'{email}' => $customer->email,
'{id_order}' => (int) $order->id,
'{order_name}' => $order->getUniqReference(),
'{message}' => Tools::nl2br($msgText),
'{message}' => Tools::nl2br(Tools::htmlentitiesUTF8($msgText)),
'{product_name}' => $product_name,
),
$to,
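Review bot: Unlike the AdminOrdersController hunk in this same PR, the escaping here (and the pre-existing `nl2br`) is applied regardless of `PS_MAIL_TYPE`, so a text-only mail receives `&amp;`/`&#039;` and `<br />` literally inside the customer's message unless Mail::Send derives the text body from the HTML one, which I cannot see from here; if it does not, gating the line the same way as in AdminOrdersController would be consistent: `'{message}' => Configuration::get('PS_MAIL_TYPE', null, null, $order->id_shop) != Mail::TYPE_TEXT ? Tools::nl2br(Tools::htmlentitiesUTF8($msgText)) : $msgText,`. Separately, the other template vars on the context lines (`{product_name}`, `{order_name}`, `{email}`) are now delivered to the template exactly as stored, since Mail::Send no longer decodes entities; if any of them is persisted entity-encoded the rendered mail will show the entities verbatim, so a quick check of a sent mail after this change is worthwhile. `$msgText` and `$product_name` are assigned outside the hunk, and postProcess continues past it.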
