From 4e7b22fde64b94538114c3bfecf939e00521815b Mon Sep 17 00:00:00 2001 From: muli Date: Sun, 21 Aug 2022 14:14:32 +0200 Subject: [PATCH 1/2] fix: Fix sanitation to not break Umlauts and use specific email filter. --- assets/php/contact_form.php | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/assets/php/contact_form.php b/assets/php/contact_form.php index 483eea8..ec0287f 100644 --- a/assets/php/contact_form.php +++ b/assets/php/contact_form.php @@ -1,11 +1,14 @@ FILTER_SANITIZE_SPECIAL_CHARS, + 'email' => FILTER_SANITIZE_EMAIL, + ); $text = trim($text); + $text = filter_var($_POST[$name], $filters[$type]); $text = stripslashes($text); - $text = htmlspecialchars($text); return $text; } @@ -75,10 +78,10 @@ function prepare_response() { $response['errors'][] = 'Wir glauben Sie sind ein Bot.'; } if (!array_key_exists('errors', $response)) { - $subject = sanitize_text('subject'); - $message = sanitize_text('message'); - $name = sanitize_text('name'); - $email = sanitize_text('email'); + $subject = sanitize_text('subject', 'text'); + $message = sanitize_text('message', 'text'); + $name = sanitize_text('name', 'text'); + $email = sanitize_text('email', 'email'); if (!send_message_to_office($subject, $message, $name, $email)) { $response['errors'][] = 'Ihre Nachricht konnte nicht übermittelt werden.'; -- 2.30.2 From 54482d90f68ac05dbbbb3790d54acd7b24aac1e3 Mon Sep 17 00:00:00 2001 From: muli Date: Sun, 21 Aug 2022 14:16:46 +0200 Subject: [PATCH 2/2] fix: Ensure \r\n for line breaks and properly encode subject for umlauts. --- assets/php/contact_form.php | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/assets/php/contact_form.php b/assets/php/contact_form.php index ec0287f..d0c8e33 100644 --- a/assets/php/contact_form.php +++ b/assets/php/contact_form.php 
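Review bot: In sanitize_text the trim on the context line `$text = trim($text);` is wasted, because the added line right after it reassigns `$text` from the raw `$_POST[$name]`, so leading/trailing whitespace reaches the filter untrimmed and a missing field raises an undefined-index warning before being filtered to an empty string. Fold the two steps together: `$text = filter_var(trim($_POST[$name] ?? ''), $filters[$type]);`. The following `stripslashes` has no purpose now that magic quotes are gone and will eat legitimate backslashes typed into a message; consider dropping it. Note also that FILTER_SANITIZE_SPECIAL_CHARS emits HTML entities, which is the wrong escaping context for a text/plain mail body (the recipient sees `&quot;` and `&amp;`), whereas the mail-specific risk, CR/LF header injection, only matters for the fields that end up in headers. The opening lines of sanitize_text are not fully visible in this hunk.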
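Review bot: `$email = sanitize_text('email', 'email');` only strips the characters FILTER_SANITIZE_EMAIL disallows; it does not validate, so an address like `foo@@bar` or an empty string still flows into the Reply-To header in send_message_to_office. Unless a check earlier in prepare_response (outside this hunk) already does so, validate before sending: `if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $response['errors'][] = '...'; }`. Stripping CR/LF via the sanitize filter does close the header-injection vector for this field, which is the main security gain of the change. The enclosing function continues past the end of the hunk.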
@@ -13,8 +13,23 @@ function sanitize_text(string $name, string $type) {
 return $text;
 }
 
+function prepare_message_body($message) {
+ // Replace HTML-Entities with actual carriage returns and line feeds
+ $message = str_replace(" ", "\r", $message);
+ $message = str_replace(" ", "\r", $message);
+
+ // Ensure line breaks via carriage return + line feed
+ $message = str_replace("\r\n", "\n", $message);
+ $message = str_replace("\n", "\r\n", $message);
+
+ $message = "Nachricht von: $name\r\n\r\n" . $message;
+ $message = base64_encode($message);
+
+ return $message;
+}
+
 /**
- * Sending email (Platzhalter)
+ * Sending email
 *
 * mail(): Braucht auf dem Server einen korrekt konfigurierten Mailserver
 * phpmailer: Bibliothek, der per Composer installiert wird. Tut ganz gut mit SMTP.
@@ -22,12 +37,14 @@ function sanitize_text(string $name, string $type) {
 function send_message_to_office($subject, $message, $name, $email) {
 return mail(
 getenv('WTF_CONTACT_TO'),
- $subject,
- $name . "\r\n" . $message,
+ "=?UTF-8?B?" . base64_encode($subject) . "?=",
+ prepare_message_body($message),
 $additional_headers = array(
 "From" => getenv('WTF_CONTACT_FROM'),
 "Reply-To" => $email,
 "Return-Path" => getenv('WTF_RETURN_PATH'),
+ "Content-Type" => "text/plain; charset=utf-8",
+ "Content-Transfer-Encoding" => "base64",
 ),
 );
 }
-- 2.30.2
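Review bot: `$name` in `"Nachricht von: $name\r\n\r\n"` is undefined inside prepare_message_body — it is neither a parameter nor in scope — so the sender line will be empty (with an undefined-variable warning) and the name that the old body carried via `$name . "\r\n" . $message` is silently lost. Give the function the parameter, `function prepare_message_body($message, $name)`, and pass it from send_message_to_office. Because the headers now declare `Content-Transfer-Encoding: base64`, the encoded body should also be wrapped to 76-character lines as RFC 2045 requires: `$message = rtrim(chunk_split(base64_encode($message)));`. As shown here both str_replace calls map their entity to `"\r"`, so a line-feed entity would become a bare CR that the following `\n` to `\r\n` normalisation does not touch — the entity literals look garbled in this listing, so verify the second call actually targets `"\n"`.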
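Review bot: `"=?UTF-8?B?" . base64_encode($subject) . "?="` builds one unbroken encoded-word, which exceeds the 75-character encoded-word limit of RFC 2047 as soon as the subject is longer than roughly 40 bytes and can be mangled by receiving MTAs or clients. Use `mb_encode_mimeheader($subject, 'UTF-8', 'B')` instead, which splits and folds the subject correctly. The call `prepare_message_body($message)` also needs to hand over `$name` if the body is meant to carry the sender name, since the function has no other way to see it. Reply-To receives `$email` as filtered upstream; FILTER_SANITIZE_EMAIL strips CR/LF so header injection is closed, but nothing visible here rejects a malformed address.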