From d5ed2f811f6a1a96e6865c8f0ae8b6539e46ea46 Mon Sep 17 00:00:00 2001 From: Olivier Lafleur Date: Mon, 14 Mar 2022 14:10:46 -0400 Subject: [PATCH 1/9] remove phpcs:ignore --- includes/class-coblocks-form.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/includes/class-coblocks-form.php b/includes/class-coblocks-form.php index 3745d73c1ee..6157cfc6db6 100644 --- a/includes/class-coblocks-form.php +++ b/includes/class-coblocks-form.php @@ -225,14 +225,14 @@ public function render_form( $atts, $content ) { ?>
- + render_field_submit_button( $atts ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped + echo $this->render_field_submit_button( $atts ); endif; ?>
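Review bot: Dropping the `phpcs:ignore` on `echo $this->render_field_submit_button( $atts );` leaves the echo exactly as unescaped as before and only lets the EscapeOutput sniff report it; the `<?php` tags are stripped on this page, so the surrounding markup is not visible here. The same line is toggled again by PATCH 6/9 and PATCH 7/9, which ends with the ignore removed and, as far as the garbled phpcs.xml hunk shows, the finding demoted to a warning. If the returned markup is built entirely from plugin-controlled strings, keep one justified suppression, `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- markup is assembled and escaped inside render_field_submit_button()`; if any part of it derives from `$atts`, escape each interpolated value inside the renderer with `esc_attr()`/`esc_html()` rather than silencing the sniff. render_form's body continues outside the hunk.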
@@ -1028,7 +1028,6 @@ private function setup_email_subject( $atts, $email_field_id, $name_field_id ) { function( $match, $key ) use ( $matches, &$subject, &$email_field_id, &$name_field_id ) { $slug_match = strtolower( str_replace( ' ', '', $match ) ); - // phpcs:disable WordPress.Security.NonceVerification.Missing if ( __( 'name', 'coblocks' ) === $slug_match ) { if ( isset( $_POST[ $name_field_id ]['value'] ) ) { From 085ba661f954788a4c0c3328ac7e0a947081058d Mon Sep 17 00:00:00 2001 From: Olivier Lafleur Date: Mon, 14 Mar 2022 14:34:56 -0400 Subject: [PATCH 2/9] extract POST variables outside of function --- includes/class-coblocks-form.php | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/includes/class-coblocks-form.php b/includes/class-coblocks-form.php index 6157cfc6db6..d61b8041a85 100644 --- a/includes/class-coblocks-form.php +++ b/includes/class-coblocks-form.php @@ -944,13 +944,19 @@ public function process_form_submission( $atts ) { */ $to = (string) apply_filters( 'coblocks_form_email_to', $to, $_POST, $post_id ); + $raw_name_field_value = $_POST[ $name_field_id ]['value']; + $raw_email_field_value = $_POST[ $email_field_id ]['value']; /** * Filter the email subject * * @param string $subject Email subject. * @param array $_POST Submitted form data. */ - $subject = (string) apply_filters( 'coblocks_form_email_subject', $this->setup_email_subject( $atts, $email_field_id, $name_field_id ), $_POST ); + $subject = (string) apply_filters( + 'coblocks_form_email_subject', + $this->setup_email_subject( $atts, $email_field_id, $name_field_id, $raw_name_field_value, $raw_email_field_value ), + $_POST + ); /** * Filter the form email content. 
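Review bot: In the process_form_submission hunk, `$raw_name_field_value = $_POST[ $name_field_id ]['value'];` and the matching email line index `$_POST` unconditionally, whereas the code they replace was guarded by `isset()`; a submission that omits either field now raises an undefined-index notice on every such request, and it only still reaches the fallback branch because the failed read leaves the variable null. Assign them guarded instead, `$raw_name_field_value = isset( $_POST[ $name_field_id ]['value'] ) ? $_POST[ $name_field_id ]['value'] : null;` and the same shape for `$raw_email_field_value`, so the `isset()` checks inside setup_email_subject keep their meaning without a notice. Where `$name_field_id` and `$email_field_id` come from, and whether the nonce check covering this `$_POST` read has already run, lie before this hunk and cannot be confirmed here.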
@@ -1012,10 +1018,12 @@ public function process_form_submission( $atts ) { * * @param array $atts Block attributes array. * @param string $email_field_id Email field ID. - * @param string $name_field_id Nane field ID. + * @param string $name_field_id Name field ID. + * @param string $raw_name_field_value Raw name field value. + * @param string $raw_email_field_value Raw email field value. * @return string Email subject. */ - private function setup_email_subject( $atts, $email_field_id, $name_field_id ) { + private function setup_email_subject( $atts, $email_field_id, $name_field_id, $raw_name_field_value, $raw_email_field_value ) { $subject = isset( $atts['subject'] ) ? sanitize_text_field( $atts['subject'] ) : self::default_subject(); @@ -1030,9 +1038,9 @@ function( $match, $key ) use ( $matches, &$subject, &$email_field_id, &$name_fie if ( __( 'name', 'coblocks' ) === $slug_match ) { - if ( isset( $_POST[ $name_field_id ]['value'] ) ) { + if ( isset( $raw_name_field_value ) ) { - $name_field_value = is_array( $_POST[ $name_field_id ]['value'] ) ? sanitize_text_field( implode( ' ', $_POST[ $name_field_id ]['value'] ) ) : sanitize_text_field( $_POST[ $name_field_id ]['value'] ); + $name_field_value = is_array( $raw_name_field_value ) ? sanitize_text_field( implode( ' ', $raw_name_field_value ) ) : sanitize_text_field( $raw_name_field_value ); $value = empty( $name_field_value ) ? $matches[0][ $key ] : $name_field_value; } else { @@ -1042,7 +1050,7 @@ function( $match, $key ) use ( $matches, &$subject, &$email_field_id, &$name_fie } } elseif ( __( 'email', 'coblocks' ) === $slug_match ) { - $value = isset( $_POST[ $email_field_id ]['value'] ) ? sanitize_text_field( $_POST[ $email_field_id ]['value'] ) : $matches[0][ $key ]; + $value = isset( $raw_email_field_value ) ? sanitize_text_field( $raw_email_field_value ) : $matches[0][ $key ]; } From c5ac0a1a79b4d6a77c8ae8ede1cbf722a6fe2efd Mon Sep 17 00:00:00 2001 
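Review bot: The new docblock declares `@param string $raw_name_field_value`, but the closure body in the `@@ -1030` hunk branches on `is_array( $raw_name_field_value )` and implodes it, so the actual contract is `string|string[]`; document it as `@param string|string[] $raw_name_field_value Raw name field value; an array is joined with spaces.` (PATCH 5/9 carries the same `@param string` lines unchanged). At this commit the closure reads `$raw_name_field_value` and `$raw_email_field_value` without listing them in its `use ( … )` clause, visible in that hunk's header context, so inside it both are undefined and the visible email fallback `$matches[0][ $key ]` keeps the placeholder text unreplaced until PATCH 4/9 adds the captures; squashing the two commits would keep the series bisectable. setup_email_subject starts in this hunk and its body continues past it.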
From: Olivier Lafleur Date: Mon, 14 Mar 2022 16:24:50 -0400 Subject: [PATCH 3/9] Passage by reference --- includes/class-coblocks-form.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/class-coblocks-form.php b/includes/class-coblocks-form.php index d61b8041a85..41010f3cf2d 100644 --- a/includes/class-coblocks-form.php +++ b/includes/class-coblocks-form.php @@ -1023,7 +1023,7 @@ public function process_form_submission( $atts ) { * @param string $raw_email_field_value Raw email field value. * @return string Email subject. */ - private function setup_email_subject( $atts, $email_field_id, $name_field_id, $raw_name_field_value, $raw_email_field_value ) { + private function setup_email_subject( $atts, $email_field_id, $name_field_id, &$raw_name_field_value, &$raw_email_field_value ) { $subject = isset( $atts['subject'] ) ? sanitize_text_field( $atts['subject'] ) : self::default_subject(); From e8a86cb4bc95f2026e239f9cb6d20fc3eb23a8c4 Mon Sep 17 00:00:00 2001 From: Olivier Lafleur Date: Mon, 14 Mar 2022 17:09:53 -0400 Subject: [PATCH 4/9] variable in scope --- includes/class-coblocks-form.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/includes/class-coblocks-form.php b/includes/class-coblocks-form.php index 41010f3cf2d..23b3d805cc0 100644 --- a/includes/class-coblocks-form.php +++ b/includes/class-coblocks-form.php @@ -1023,7 +1023,7 @@ public function process_form_submission( $atts ) { * @param string $raw_email_field_value Raw email field value. * @return string Email subject. */ - private function setup_email_subject( $atts, $email_field_id, $name_field_id, &$raw_name_field_value, &$raw_email_field_value ) { + private function setup_email_subject( $atts, $email_field_id, $name_field_id, $raw_name_field_value, $raw_email_field_value ) { $subject = isset( $atts['subject'] ) ? sanitize_text_field( $atts['subject'] ) : self::default_subject(); 
@@ -1033,7 +1033,7 @@ private function setup_email_subject( $atts, $email_field_id, $name_field_id, &$ array_walk( $matches[1], - function( $match, $key ) use ( $matches, &$subject, &$email_field_id, &$name_field_id ) { + function( $match, $key ) use ( $matches, &$subject, &$email_field_id, &$name_field_id, &$raw_name_field_value, &$raw_email_field_value ) { $slug_match = strtolower( str_replace( ' ', '', $match ) ); if ( __( 'name', 'coblocks' ) === $slug_match ) { From b7207c45bc4330c1c4ca226d255a17f62c1338a4 Mon Sep 17 00:00:00 2001 From: Olivier Lafleur Date: Mon, 14 Mar 2022 17:12:10 -0400 Subject: [PATCH 5/9] remove unneeded variables --- includes/class-coblocks-form.php | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/includes/class-coblocks-form.php b/includes/class-coblocks-form.php index 23b3d805cc0..5c61dec07da 100644 --- a/includes/class-coblocks-form.php +++ b/includes/class-coblocks-form.php @@ -954,7 +954,7 @@ public function process_form_submission( $atts ) { */ $subject = (string) apply_filters( 'coblocks_form_email_subject', - $this->setup_email_subject( $atts, $email_field_id, $name_field_id, $raw_name_field_value, $raw_email_field_value ), + $this->setup_email_subject( $atts, $raw_name_field_value, $raw_email_field_value ), $_POST ); 
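Review bot: The closure's `use` clause now captures `&$raw_name_field_value` and `&$raw_email_field_value` by reference, but the body only reads them (`isset`, `is_array`, `sanitize_text_field`), so by-value capture is sufficient and avoids aliasing the caller's variables; only `$subject` is actually written to. PATCH 5/9's `@@ -1033` hunk rewrites the same clause and keeps the references. `function( $match, $key ) use ( $matches, &$subject, $raw_name_field_value, $raw_email_field_value ) {` would express the intent, and in the PATCH 5/9 form that line also already omits `&$email_field_id, &$name_field_id`. This is a style point; behavior is the same either way.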
@@ -1017,13 +1017,11 @@ public function process_form_submission( $atts ) { * [name] will be replaced with the value of field-name etc. * * @param array $atts Block attributes array. - * @param string $email_field_id Email field ID. - * @param string $name_field_id Name field ID. * @param string $raw_name_field_value Raw name field value. * @param string $raw_email_field_value Raw email field value. * @return string Email subject. */ - private function setup_email_subject( $atts, $email_field_id, $name_field_id, $raw_name_field_value, $raw_email_field_value ) { + private function setup_email_subject( $atts, $raw_name_field_value, $raw_email_field_value ) { $subject = isset( $atts['subject'] ) ? sanitize_text_field( $atts['subject'] ) : self::default_subject(); @@ -1033,7 +1031,7 @@ private function setup_email_subject( $atts, $email_field_id, $name_field_id, $r array_walk( $matches[1], - function( $match, $key ) use ( $matches, &$subject, &$email_field_id, &$name_field_id, &$raw_name_field_value, &$raw_email_field_value ) { + function( $match, $key ) use ( $matches, &$subject, &$raw_name_field_value, &$raw_email_field_value ) { $slug_match = strtolower( str_replace( ' ', '', $match ) ); if ( __( 'name', 'coblocks' ) === $slug_match ) { From 810fe9aff81f72a06e132e84ab283a98ee182528 Mon Sep 17 00:00:00 2001 From: Olivier Lafleur Date: Mon, 14 Mar 2022 17:41:22 -0400 Subject: [PATCH 6/9] Reintroduce ignore --- includes/class-coblocks-form.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/includes/class-coblocks-form.php b/includes/class-coblocks-form.php index 5c61dec07da..4518757b926 100644 --- a/includes/class-coblocks-form.php +++ b/includes/class-coblocks-form.php @@ -225,14 +225,14 @@ public function render_form( $atts, $content ) { ?>
- + render_field_submit_button( $atts ); + echo $this->render_field_submit_button( $atts ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped endif; ?>
From 5fff6e73438d4ec118a283f3857a91fd8218a659 Mon Sep 17 00:00:00 2001
From: Olivier Lafleur
Date: Mon, 14 Mar 2022 23:04:08 -0400
Subject: [PATCH 7/9] Add rules from the plugin review team

---
 composer.json | 2 +-
 includes/class-coblocks-block-assets.php | 12 ++++++------
 includes/class-coblocks-form.php | 4 ++--
 phpcs.xml | 13 +++++++++++++
 4 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/composer.json b/composer.json
index c9ae5791068..19f32267156 100644
--- a/composer.json
+++ b/composer.json
@@ -29,7 +29,7 @@
         "yoast/phpunit-polyfills": "^1.0.1"
     },
     "scripts": {
-        "lint": "@php ./vendor/bin/phpcs",
+        "lint": "@php ./vendor/bin/phpcs --runtime-set ignore_warnings_on_exit 1",
         "lint:fix": "@php ./vendor/bin/phpcbf",
         "test": "@php ./vendor/bin/phpunit"
     }
diff --git a/includes/class-coblocks-block-assets.php b/includes/class-coblocks-block-assets.php
index 99aa1c4a974..ad9685c6e91 100644
--- a/includes/class-coblocks-block-assets.php
+++ b/includes/class-coblocks-block-assets.php
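Review bot: `--runtime-set ignore_warnings_on_exit 1` makes the `lint` script exit 0 whenever only warnings remain, so every sniff that the accompanying phpcs.xml hunk lowers to `warning` severity (the XML is garbled on this page; only the severity values survive) stops gating CI, and the ignores removed elsewhere in this patch are all on `WordPress.Security.*` sniffs, so those are presumably the demoted ones. That is workable for triage, but it means a new unescaped echo or an unverified `$_POST`/`$_GET` read will merge without failing the build unless someone reads the log. Consider keeping the strict invocation as a separate script, e.g. `"lint:strict": "@php ./vendor/bin/phpcs",` run in CI, or leaving the security sniffs at error severity and demoting only the non-security rules.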
@@ -528,23 +528,23 @@ protected function is_page_gutenberg() { return false; } - if ( false !== strpos( $admin_page, 'post-new.php' ) && empty( $_GET['post_type'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended + if ( false !== strpos( $admin_page, 'post-new.php' ) && empty( $_GET['post_type'] ) ) { return true; } - if ( false !== strpos( $admin_page, 'post-new.php' ) && isset( $_GET['post_type'] ) && $this->is_post_type_gutenberg( filter_input( INPUT_GET, wp_unslash( $_GET['post_type'] ), FILTER_SANITIZE_STRING ) ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended + if ( false !== strpos( $admin_page, 'post-new.php' ) && isset( $_GET['post_type'] ) && $this->is_post_type_gutenberg( filter_input( INPUT_GET, wp_unslash( $_GET['post_type'] ), FILTER_SANITIZE_STRING ) ) ) { return true; } - if ( false !== strpos( $admin_page, 'post.php' ) && isset( $_GET['post'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended - $wp_post = get_post( filter_input( INPUT_GET, wp_unslash( $_GET['post'] ), FILTER_SANITIZE_STRING ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended + if ( false !== strpos( $admin_page, 'post.php' ) && isset( $_GET['post'] ) ) { + $wp_post = get_post( filter_input( INPUT_GET, wp_unslash( $_GET['post'] ), FILTER_SANITIZE_STRING ) ); if ( isset( $wp_post ) && isset( $wp_post->post_type ) && $this->is_post_type_gutenberg( $wp_post->post_type ) ) { return true; } } - if ( false !== strpos( $admin_page, 'revision.php' ) && isset( $_GET['revision'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended - $wp_post = get_post( filter_input( INPUT_GET, wp_unslash( $_GET['revision'] ), FILTER_SANITIZE_STRING ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended + if ( false !== strpos( $admin_page, 'revision.php' ) && isset( $_GET['revision'] ) ) { + $wp_post = get_post( filter_input( INPUT_GET, wp_unslash( $_GET['revision'] ), FILTER_SANITIZE_STRING ) ); 
$post_parent = get_post( $wp_post->post_parent ); if ( isset( $post_parent ) && isset( $post_parent->post_type ) && $this->is_post_type_gutenberg( $post_parent->post_type ) ) { return true; diff --git a/includes/class-coblocks-form.php b/includes/class-coblocks-form.php index 4518757b926..5c61dec07da 100644 --- a/includes/class-coblocks-form.php +++ b/includes/class-coblocks-form.php @@ -225,14 +225,14 @@ public function render_form( $atts, $content ) { ?>
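Review bot: The re-added `filter_input( INPUT_GET, wp_unslash( $_GET['post'] ), FILTER_SANITIZE_STRING )` calls pass a value where `filter_input()` expects the variable name, so they look up `$_GET[<submitted value>]`, which is normally absent and yields null; `get_post( null )` then falls back to the current global post, and the `post_type` variant hands null to `is_post_type_gutenberg()`. The `revision` line has the same shape. Since only the ignore comments changed, the NonceVerification sniff will now report these `$_GET` reads, which is a good moment to replace the lookups: `$wp_post = get_post( absint( wp_unslash( $_GET['post'] ) ) );`, `$wp_post = get_post( absint( wp_unslash( $_GET['revision'] ) ) );` and `$this->is_post_type_gutenberg( sanitize_key( wp_unslash( $_GET['post_type'] ) ) )`. `FILTER_SANITIZE_STRING` is also deprecated as of PHP 8.1, so the rewrite removes that warning too. is_page_gutenberg() starts before this hunk.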
- + render_field_submit_button( $atts ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped + echo $this->render_field_submit_button( $atts ); endif; ?>
diff --git a/phpcs.xml b/phpcs.xml index 32c92a77691..750c6cd4130 100644 --- a/phpcs.xml +++ b/phpcs.xml @@ -19,6 +19,19 @@ + + + warning + + + + + warning + + + + +