Merge pull request #1425 from rocklobster-in/dev/5.9

Block invalid action URL
rocklobster-in · May 18, 2024 · c29a675 · c29a675
2 parents 435b39d + 66678f8
commit c29a675
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 11 deletions.
diff --git a/includes/contact-form.php b/includes/contact-form.php
@@ -555,6 +555,28 @@ public function form_html( $args = '' ) {
 
 		$this->unit_tag = self::generate_unit_tag( $this->id );
 
+		$action_url = wpcf7_get_request_uri();
+
+		if ( $frag = strstr( $action_url, '#' ) ) {
+			$action_url = substr( $action_url, 0, -strlen( $frag ) );
+		}
+
+		$action_url .= '#' . $this->unit_tag();
+
+		$action_url = apply_filters( 'wpcf7_form_action_url', $action_url );
+
+		if (
+			str_starts_with( $action_url, '//' ) or
+			! str_starts_with( $action_url, '/' ) and
+			! str_starts_with( $action_url, home_url() )
+		) {
+			return sprintf(
+				'<p class="wpcf7-invalid-action-url"><strong>%1$s</strong> %2$s</p>',
+				esc_html( __( 'Error:', 'contact-form-7' ) ),
+				esc_html( __( "Invalid action URL is detected.", 'contact-form-7' ) )
+			);
+		}
+
 		$lang_tag = str_replace( '_', '-', $this->locale );
 
 		if ( preg_match( '/^([a-z]+-[a-z]+)-/i', $lang_tag, $matches ) ) {
@@ -573,16 +595,6 @@ public function form_html( $args = '' ) {
 
 		$html .= "\n" . $this->screen_reader_response() . "\n";
 
-		$url = wpcf7_get_request_uri();
-
-		if ( $frag = strstr( $url, '#' ) ) {
-			$url = substr( $url, 0, -strlen( $frag ) );
-		}
-
-		$url .= '#' . $this->unit_tag();
-
-		$url = apply_filters( 'wpcf7_form_action_url', $url );
-
 		$id_attr = apply_filters( 'wpcf7_form_id_attr',
 			preg_replace( '/[^A-Za-z0-9:._-]/', '', $args['html_id'] )
 		);
@@ -627,7 +639,7 @@ public function form_html( $args = '' ) {
 		$autocomplete = apply_filters( 'wpcf7_form_autocomplete', '' );
 
 		$atts = array(
-			'action' => esc_url( $url ),
+			'action' => esc_url( $action_url ),
 			'method' => 'post',
 			'class' => ( '' !== $class ) ? $class : null,
 			'id' => ( '' !== $id_attr ) ? $id_attr : null,

diff --git a/includes/functions.php b/includes/functions.php
@@ -271,6 +271,7 @@ function wpcf7_get_request_uri() {
 
 	if ( empty( $request_uri ) ) {
 		$request_uri = add_query_arg( array() );
+		$request_uri = '/' . ltrim( $request_uri, '/' );
 	}
 
 	return sanitize_url( $request_uri );