version 2.0.8, XSS fix thanks to MustLive, more fixes for addresses with + symbols

git-svn-id: https://plugins.svn.wordpress.org/subscribe-to-comments/trunk@6401 b8457f37-d9ea-0310-8a92-e5e31aec5664
markjaquith committed Sep 17, 2006
1 parent de59be7 commit 9683bdf
Showing 1 changed file with 17 additions and 9 deletions.
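--- a/subscribe-to-comments.php
+++ b/subscribe-to-comments.php
@@ -1,7 +1,7 @@
 <?php
 /*
 Plugin Name: Subscribe To Comments
-Version: 2.0.7
+Version: 2.0.8
 Plugin URI: http://txfx.net/code/wordpress/subscribe-to-comments/
 Description: Allows readers to recieve notifications of new comments that are posted to an entry. Based on version 1 from <a href="http://scriptygoddess.com/">Scriptygoddess</a>
 Author: Mark Jaquith
@@ -87,10 +87,10 @@ function show_manual_subscription_form () {
 <?php /* This is the text that is displayed for users who are NOT subscribed */ ?>
 <?php /* ------------------------------------------------------------------- */ ?>
 
-<form action="http://<?php echo $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ?>" method="post">
+<form action="http://<?php echo $_SERVER['HTTP_HOST'] . wp_specialchars($_SERVER['REQUEST_URI']); ?>" method="post">
 <input type="hidden" name="solo-comment-subscribe" value="solo-comment-subscribe" />
 <input type="hidden" name="postid" value="<?php echo $id; ?>" />
-<input type="hidden" name="ref" value="<?php echo 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; ?>" />
+<input type="hidden" name="ref" value="<?php echo urlencode('http://' . $_SERVER['HTTP_HOST'] . wp_specialchars($_SERVER['REQUEST_URI'])); ?>" />
 
 <p class="solo-subscribe-to-comments">
 <?php _e('Subscribe without commenting', 'subscribe-to-comments'); ?>
@@ -291,9 +291,14 @@ function manager_init() {
 $this->after_manager = stripslashes($this->settings['after_manager']);
 }
 
+// version 2.0.8 -- allow plugin file to be renamed or placed in a subdirectory
+if ( 'edit.php?page=subscribe-to-comments.php' == $this->form_action )
+$this->form_action = 'edit.php?page=' . STC_PLUGIN_BASENAME;
+
+
 foreach (array('email', 'key', 'ref', 'new_email') as $var) {
 if ( isset($_REQUEST[$var]) && !empty($_REQUEST[$var]) )
-$this->{$var} = trim($_REQUEST[$var]);
+$this->{$var} = wp_specialchars(trim($_REQUEST[$var]));
 }
 if ( !$this->key )
 $this->key = 'unset';
@@ -639,7 +644,7 @@ function change_email_request() {
 $subject = __('E-mail change confirmation', 'subscribe-to-comments');
 $message = sprintf(__("You are receiving this message to confirm a change of e-mail address for your subscriptions at \"%s\"\n\n", 'subscribe-to-comments'), get_bloginfo('blogname'));
 $message .= sprintf(__("To change your e-mail address to %s, click this link:\n\n", 'subscribe-to-comments'), $this->new_email);
-$message .= get_bloginfo('wpurl') . "/wp-subscription-manager.php?email=" . $this->email . "&new_email=" . $this->new_email . "&key=" . $this->generate_key($this->email . $this->new_email) . ".\n\n";
+$message .= get_bloginfo('wpurl') . "/wp-subscription-manager.php?email=" . urlencode($this->email) . "&new_email=" . urlencode($this->new_email) . "&key=" . $this->generate_key($this->email . $this->new_email) . ".\n\n";
 $message .= __('If you did not request this action, please disregard this message.', 'subscribe-to-comments');
 return $this->send_mail($this->email, $subject, $message);
 }
@@ -651,7 +656,7 @@ function block_email_request($email) {
 $subject = __('E-mail block confirmation', 'subscribe-to-comments');
 $message = sprintf(__("You are receiving this message to confirm that you no longer wish to receive e-mail comment notifications from \"%s\"\n\n", 'subscribe-to-comments'), get_bloginfo('name'));
 $message .= __("To cancel all future notifications for this address, click this link:\n\n", 'subscribe-to-comments');
-$message .= get_bloginfo('wpurl') . "/wp-subscription-manager.php?email=" . $email . "&key=" . $this->generate_key($email . 'blockrequest') . "&blockemailconfirm=true" . ".\n\n";
+$message .= get_bloginfo('wpurl') . "/wp-subscription-manager.php?email=" . urlencode($email) . "&key=" . $this->generate_key($email . 'blockrequest') . "&blockemailconfirm=true" . ".\n\n";
 $message .= __("If you did not request this action, please disregard this message.", 'subscribe-to-comments');
 return $this->send_mail($email, $subject, $message);
 }
@@ -752,7 +757,6 @@ function current_viewer_subscription_status(){
 if ( strtolower($post_author->user_email) == $email && $loggedin )
 return 'admin';
 
-
 if ( is_array($this->subscriptions_from_email($email)) )
 if ( in_array($post->ID, $this->email_subscriptions) ) return $email;
 return false;
@@ -762,10 +766,11 @@ function current_viewer_subscription_status(){
 function manage_link($email='', $html=true, $echo=true) {
 $link = get_bloginfo('wpurl') . '/wp-subscription-manager.php';
 if ( $email != 'admin' ) {
-$link = add_query_arg('email', urlencode($email), $link);
+$link = add_query_arg('email', urlencode(urlencode($email)), $link);
 $link = add_query_arg('key', $this->generate_key($email), $link);
 }
-$link = add_query_arg('ref', urlencode('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']), $link);
+$link = add_query_arg('ref', urlencode('http://' . $_SERVER['HTTP_HOST'] . wp_specialchars($_SERVER['REQUEST_URI'])), $link);
+$link = str_replace('+', '%2B', $link);
 if ( $html )
 $link = htmlentities($link);
 if ( !$echo )
@@ -829,4 +834,7 @@ function sg_subscribe_admin() {
 $sg_subscribe->solo_subscribe($_POST[\'email\'], $_POST[\'postid\']);
 }')
 );
+
+define('STC_PLUGIN_BASENAME', plugin_basename(__FILE__));
+
 ?>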
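Review bot: `$_SERVER['HTTP_HOST']` is still echoed unescaped into the form action in the show_manual_subscription_form hunk, while only REQUEST_URI was wrapped in wp_specialchars(); the Host header is request-controlled on many server configurations, so the same double-quote attribute breakout this commit fixes remains reachable through the other half of the expression. Escape the assembled string once instead: `<form action="<?php echo wp_specialchars('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); ?>" method="post">`. In the `ref` hidden field and in manage_link, wp_specialchars() is applied inside urlencode(); urlencode's output is already safe in an attribute, and HTML-escaping first turns every `&` in the query string into `&amp;` inside the stored ref, so those two inner wp_specialchars() calls should be dropped and the value escaped only where it is output. show_manual_subscription_form begins and ends outside the hunk.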
