From 66678f82d2a3eebb42320b50e27001aec87f24fb Mon Sep 17 00:00:00 2001 From: Takayuki Miyoshi Date: Sat, 18 May 2024 17:20:38 +0900 Subject: [PATCH] Block invalid action URL Fixes #1424 --- includes/contact-form.php | 34 +++++++++++++++++++++++----------- includes/functions.php | 1 + 2 files changed, 24 insertions(+), 11 deletions(-) diff --git a/includes/contact-form.php b/includes/contact-form.php index ad18e681..2ebf91ba 100644 --- a/includes/contact-form.php +++ b/includes/contact-form.php @@ -555,6 +555,28 @@ public function form_html( $args = '' ) { $this->unit_tag = self::generate_unit_tag( $this->id ); + $action_url = wpcf7_get_request_uri(); + + if ( $frag = strstr( $action_url, '#' ) ) { + $action_url = substr( $action_url, 0, -strlen( $frag ) ); + } + + $action_url .= '#' . $this->unit_tag(); + + $action_url = apply_filters( 'wpcf7_form_action_url', $action_url ); + + if ( + str_starts_with( $action_url, '//' ) or + ! str_starts_with( $action_url, '/' ) and + ! str_starts_with( $action_url, home_url() ) + ) { + return sprintf( + '

%1$s %2$s

', + esc_html( __( 'Error:', 'contact-form-7' ) ), + esc_html( __( "Invalid action URL is detected.", 'contact-form-7' ) ) + ); + } + $lang_tag = str_replace( '_', '-', $this->locale ); if ( preg_match( '/^([a-z]+-[a-z]+)-/i', $lang_tag, $matches ) ) { @@ -573,16 +595,6 @@ public function form_html( $args = '' ) { $html .= "\n" . $this->screen_reader_response() . "\n"; - $url = wpcf7_get_request_uri(); - - if ( $frag = strstr( $url, '#' ) ) { - $url = substr( $url, 0, -strlen( $frag ) ); - } - - $url .= '#' . $this->unit_tag(); - - $url = apply_filters( 'wpcf7_form_action_url', $url ); - $id_attr = apply_filters( 'wpcf7_form_id_attr', preg_replace( '/[^A-Za-z0-9:._-]/', '', $args['html_id'] ) ); @@ -627,7 +639,7 @@ public function form_html( $args = '' ) { $autocomplete = apply_filters( 'wpcf7_form_autocomplete', '' ); $atts = array( - 'action' => esc_url( $url ), + 'action' => esc_url( $action_url ), 'method' => 'post', 'class' => ( '' !== $class ) ? $class : null, 'id' => ( '' !== $id_attr ) ? $id_attr : null, diff --git a/includes/functions.php b/includes/functions.php index 137643cb..569a85ee 100644 --- a/includes/functions.php +++ b/includes/functions.php @@ -271,6 +271,7 @@ function wpcf7_get_request_uri() { if ( empty( $request_uri ) ) { $request_uri = add_query_arg( array() ); + $request_uri = '/' . ltrim( $request_uri, '/' ); } return sanitize_url( $request_uri );
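Review bot: The allowlist branch `! str_starts_with( $action_url, home_url() )` is a bare prefix test, and `home_url()` normally carries no trailing slash, so an absolute URL such as `https://example.com.attacker.net/...` or `https://example.com@attacker.net/` passes the new guard while pointing the form at another origin. How often an absolute, attacker-shaped URL actually reaches this point is uncertain (the value comes from `wpcf7_get_request_uri()`, whose handling of absolute-form request targets is outside this hunk, or from the `wpcf7_form_action_url` filter, which is developer code), but since this check is the last gate before `esc_url()` it should not be prefix-only; I would change that line to `! str_starts_with( $action_url, trailingslashit( home_url() ) )`, or compare `wp_parse_url( $action_url, PHP_URL_HOST )` case-insensitively against the host of `home_url()` and reject any mismatch. The mixed `or` / `and` condition relies on `and` binding tighter than `or`; wrapping the second pair as `( ! str_starts_with( $action_url, '/' ) and ! str_starts_with( $action_url, home_url() ) )` makes the intended grouping explicit. Note that `form_html()` begins before this hunk and its remaining body continues after it.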
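Review bot: The added `$request_uri = '/' . ltrim( $request_uri, '/' );` collapses a protocol-relative `//host/...` only inside the `empty( $request_uri )` fallback; whatever populates `$request_uri` in the branch above the hunk (not visible here) is returned unchanged, and as far as I recall `sanitize_url()` on the return line keeps a leading `//` because it only prepends a scheme when the value does not start with `/`. If every caller expects a path here, the normalisation belongs after the `if` block so both sources are covered: keep the `if ( empty( ... ) ) { ... }` as is and place `$request_uri = '/' . ltrim( $request_uri, '/' );` on the line before `return sanitize_url( $request_uri );`; if the earlier branch may legitimately return an absolute URL, that should be stated in a comment on this line instead, since the caller's `home_url()` check suggests it can. `ltrim()` strips only `/`, so `/\host/...` survives it, but `sanitize_url()` drops the backslash so that form appears harmless. The opening of `wpcf7_get_request_uri()` lies outside this hunk.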