authoryehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664>2019-08-19 20:57:47 +0000
committeryehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664>2019-08-19 20:57:47 +0000
commitd1d82adca1dbb02382d7ccf49b8830816e8fa00f (patch)
treeba061c2b4c1f06cc67efcee7b85a3c8c25162905 /Postman/Postman-Email-Log/PostmanEmailLogController.php
parent7aa4390a6702059342aad220e53e3aa4efc9caad (diff)
downloadPost-SMTP-d1d82adca1dbb02382d7ccf49b8830816e8fa00f.zip
Security issues
Diffstat (limited to 'Postman/Postman-Email-Log/PostmanEmailLogController.php')
-rw-r--r--Postman/Postman-Email-Log/PostmanEmailLogController.php22
1 files changed, 17 insertions, 5 deletions
diff --git a/Postman/Postman-Email-Log/PostmanEmailLogController.php b/Postman/Postman-Email-Log/PostmanEmailLogController.php
index 79751f3..d22b265 100644
--- a/Postman/Postman-Email-Log/PostmanEmailLogController.php
+++ b/Postman/Postman-Email-Log/PostmanEmailLogController.php
@@ -1,4 +1,8 @@
<?php
+if ( ! defined( 'ABSPATH' ) ) {
+ exit; // Exit if accessed directly
+}
+
require_once dirname(__DIR__) . '/PostmanEmailLogs.php';
require_once 'PostmanEmailLogService.php';
require_once 'PostmanEmailLogView.php';
@@ -73,7 +77,7 @@ class PostmanEmailLogController {
/**
*/
public function resendMail() {
- check_ajax_referer( 'resend', 'security' );
+ check_admin_referer( 'resend', 'security' );
// get the email address of the recipient from the HTTP Request
$postid = $this->getRequestParameter( 'email' );
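Review bot: The new `check_admin_referer( 'resend', 'security' )` proves the request carries a valid nonce, not that the caller is allowed to resend mail — a nonce is an intent check, not an authorization check, and no capability check is visible in this hunk. The view-item handler later in this same diff gates on `PostmanUtils::isAdmin()`, so the consistent guard here would be `if ( ! PostmanUtils::isAdmin() ) { return; }` directly after the referer check. The post id on the next line, `$postid = $this->getRequestParameter( 'email' );`, is also still used raw, unlike the `absint()` applied in the view-item hunk; `$postid = absint( $this->getRequestParameter( 'email' ) );` would match. resendMail continues past the end of the hunk, so a capability check may already exist below — if so, only the `absint()` point stands.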
@@ -200,8 +204,13 @@ class PostmanEmailLogController {
// only do this for administrators
if ( PostmanUtils::isAdmin() ) {
$this->logger->trace( 'handling view item' );
- $postid = $_REQUEST ['email'];
+ $postid = absint( $_REQUEST ['email'] );
$post = get_post( $postid );
+
+ if ( $post->post_type !== 'postman_sent_mail' ) {
+ return;
+ }
+
$meta_values = PostmanEmailLogs::get_data( $postid );
// https://css-tricks.com/examples/hrs/
print '<html><head><style>body {font-family: monospace;} hr {
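Review bot: `$post->post_type` on the line after `get_post( $postid )` dereferences a null when the id does not resolve to a post: `absint()` turns a missing or non-numeric `email` parameter into 0, and `get_post( 0 )` returns null when there is no global post to fall back on, so the new guard raises a warning on PHP 7 or an Error on PHP 8 instead of returning quietly. Check the object before its property: `if ( ! $post instanceof WP_Post || $post->post_type !== 'postman_sent_mail' ) { return; }`. Reading `$_REQUEST ['email']` without `isset()` emits a notice on the same failure path; `$postid = isset( $_REQUEST['email'] ) ? absint( $_REQUEST['email'] ) : 0;` avoids it and keeps the type check meaningful. The enclosing method starts before this hunk.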
@@ -369,18 +378,21 @@ class PostmanEmailLogController {
?>
<form id="postman-email-log-filter" method="post">
+ <input type="hidden" action="post-smtp-filter" value="1">
+ <?php wp_nonce_field('post-smtp', 'post-smtp-log'); ?>
+
<div id="email-log-filter" class="postman-log-row">
<div class="form-control">
<label for="from_date"><?php _e( 'From Date', 'post-smtp' ); ?></label>
- <input id="from_date" class="email-log-date" value="<?php echo $from_date; ?>" type="text" name="from_date" placeholder="<?php _e( 'From Date', 'post-smtp' ); ?>">
+ <input id="from_date" class="email-log-date" value="<?php echo esc_attr($from_date); ?>" type="text" name="from_date" placeholder="<?php _e( 'From Date', 'post-smtp' ); ?>">
</div>
<div class="form-control">
<label for="to_date"><?php _e( 'To Date', 'post-smtp' ); ?></label>
- <input id="to_date" class="email-log-date" value="<?php echo $to_date; ?>" type="text" name="to_date" placeholder="<?php _e( 'To Date', 'post-smtp' ); ?>">
+ <input id="to_date" class="email-log-date" value="<?php echo esc_attr($to_date); ?>" type="text" name="to_date" placeholder="<?php _e( 'To Date', 'post-smtp' ); ?>">
</div>
<div class="form-control">
<label for="search"><?php _e( 'Search', 'post-smtp' ); ?></label>
- <input id="search" type="text" name="search" value="<?php echo $search; ?>" placeholder="<?php _e( 'Search', 'post-smtp' ); ?>">
+ <input id="search" type="text" name="search" value="<?php echo esc_attr($search); ?>" placeholder="<?php _e( 'Search', 'post-smtp' ); ?>">
</div>
<div class="form-control">
<label id="postman_page_records"><?php _e( 'Records per page', 'post-smtp' ); ?></label>
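Review bot: The hidden input added at the top of the form, `<input type="hidden" action="post-smtp-filter" value="1">`, has no `name` attribute, so browsers never submit it, and `action` is not an attribute `<input>` understands; if the handler is meant to recognise this form by that field it needs `<input type="hidden" name="action" value="post-smtp-filter">` (or whatever key the handler actually reads). The nonce field `wp_nonce_field('post-smtp', 'post-smtp-log')` only protects the filter POST if the receiving code calls `check_admin_referer( 'post-smtp', 'post-smtp-log' )`; that handler is not in this diff, so it is worth confirming it was added in the same change. The `esc_attr()` wrapping of `$from_date`, `$to_date` and `$search` is the right fix; the `_e()` calls inside `placeholder="..."` on the unchanged lines still echo translations without attribute escaping, and `esc_attr_e( 'From Date', 'post-smtp' )` is the attribute-safe form.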