Merge pull request #350 from weMail/feature/fix-notice-vulnerability

Fix notice vulnerability issue.
weMail · Mar 25, 2024 · 55441c0 · 55441c0
2 parents d03d868 + 627bfde
commit 55441c0
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/assets/js/admin-notice.js b/assets/js/admin-notice.js
@@ -3,7 +3,8 @@
         $(document).on("click", '.wemail-connect-notice-flex-container .notice-dismiss', function() {
             var url = new URL(location.href);
             url.searchParams.append("dismiss_connect_notice", 1);
+            url.searchParams.append("wemail_dismiss_notice_nonce", wemail_notice_nonce.nonce);
             location.href = url;
         });
     });
-})(jQuery);
+})(jQuery);
diff --git a/includes/Admin/Notice.php b/includes/Admin/Notice.php
@@ -30,6 +30,12 @@ public function enqueue_assets() {
 
         wp_enqueue_style( 'wemail-admin-notice-style' );
         wp_enqueue_script( 'wemail-admin-notice-script' );
+
+        wp_localize_script(
+            'wemail-admin-notice-script', 'wemail_notice_nonce', array(
+                'nonce' => wp_create_nonce( 'wemail_dismiss_notice_nonce' ),
+            )
+        );
     }
 
     /**
@@ -48,7 +54,7 @@ public function connect_notice_html() {
                     <p><?php echo __( 'You are one step closer to use weMail. Connect your site to get started with weMail. With weMail, you can send marketing and transactional emails to your audience.', 'wemail' ); ?></p>
                 </div>
                 <div class="wemail-connect-notice-connect-button">
-                    <a class="button" href="<?php echo wemail()->wemail_app . '/connect?email=' . urlencode( wp_get_current_user()->user_email ) . '&site_name=' . urlencode( get_bloginfo( 'name' ) ) . '&site_url=' . urlencode( site_url( '/' ) ) . '&redirect_url=' . urlencode( admin_url( 'admin.php?page=wemail' ) ); ?>">Connect</a>
+                    <a class="button" href="<?php echo wemail()->wemail_app . '/connect?email=' . rawurlencode( wp_get_current_user()->user_email ) . '&site_name=' . rawurlencode( get_bloginfo( 'name' ) ) . '&site_url=' . rawurlencode( site_url( '/' ) ) . '&redirect_url=' . rawurlencode( admin_url( 'admin.php?page=wemail' ) ); ?>">Connect</a>
                 </div>
             </div>
         <?php
@@ -61,11 +67,14 @@ public function connect_notice_html() {
      */
     public function connect_notice() {
         if ( isset( $_GET['dismiss_connect_notice'] ) && (int) $_GET['dismiss_connect_notice'] === 1 ) {
-            update_option( 'wemail_site_connection_notice', 1 );
+            if ( isset( $_GET['wemail_dismiss_notice_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['wemail_dismiss_notice_nonce'] ) ), 'wemail_dismiss_notice_nonce' ) ) {
+                update_option( 'wemail_site_connection_notice', 1 );
+            }
         }
         if ( ! get_user_meta( get_current_user_id(), 'wemail_api_key', true ) && (int) get_option( 'wemail_site_connection_notice' ) !== 1 && ! ( isset( $_GET['page'] ) && $_GET['page'] === 'wemail' ) ) {
             add_action( 'admin_notices', [ $this, 'connect_notice_html' ] );
         }
     }
 
 }
+