Diffstat (limited to 'Postman/PostmanLogFields.php')
-rw-r--r--Postman/PostmanLogFields.php62
1 files changed, 51 insertions, 11 deletions
diff --git a/Postman/PostmanLogFields.php b/Postman/PostmanLogFields.php
index 6e04b8d..04d24a4 100644
--- a/Postman/PostmanLogFields.php
+++ b/Postman/PostmanLogFields.php
@@ -3,17 +3,17 @@ class PostmanLogFields {
private $fields = array(
'success' => 'sanitize_text_field',
- 'from_header' => '',
- 'to_header' => '',
- 'cc_header' => '',
- 'bcc_header' => '',
- 'reply_to_header' => '',
+ 'from_header' => [ 'PostmanLogFields', 'email_header_sanitize' ],
+ 'to_header' => [ 'PostmanLogFields', 'email_header_sanitize' ],
+ 'cc_header' => [ 'PostmanLogFields', 'email_header_sanitize' ],
+ 'bcc_header' => [ 'PostmanLogFields', 'email_header_sanitize' ],
+ 'reply_to_header' => [ 'PostmanLogFields', 'email_header_sanitize' ],
'transport_uri' => 'sanitize_text_field',
'original_to' => 'sanitize_text_field',
'original_subject' => 'sanitize_text_field',
- 'original_message' => null,
- 'original_headers' => 'sanitize_text_field',
- 'session_transcript' => 'sanitize_textarea_field',
+ 'original_message' => '', // only sent to viewed
+ 'original_headers' => '', // only sent to viewed
+ 'session_transcript' => '', // escaped when viewed
);
private static $instance = null;
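Review bot: The new callbacks `[ 'PostmanLogFields', 'email_header_sanitize' ]` on the five header keys name a non-static method as a static callable, and that method (added in the last hunk) uses `$this->get_string_between(...)` and `$this->sanitize_email(...)`; when `sanitize()` invokes it through `call_user_func`/`array_map`, PHP 8 throws `Error: Non-static method PostmanLogFields::email_header_sanitize() cannot be called statically`, and PHP 7 emits a deprecation and then fails on the undefined `$this`. The constructor in the second hunk is the natural place for the fix, following the pattern the commit removes there: `$this->fields['from_header'] = [ $this, 'email_header_sanitize' ];` repeated for `to_header`, `cc_header`, `bcc_header` and `reply_to_header`, with the array initializer keeping `''` for those keys; alternatively declare `email_header_sanitize`, `get_string_between` and `sanitize_email` as `static` and drop the `$this->` calls. The inline comments `// only sent to viewed` on `original_message` and `original_headers` do not say what the empty callback means; `// stored verbatim; must be escaped for the output context when viewed` states the contract the rest of the class now relies on. The class body continues beyond this hunk.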
@@ -28,7 +28,7 @@ class PostmanLogFields {
private function __construct()
{
- $this->fields['original_message'] = array( $this, 'sanitize_message' );
+
}
public function get( $post_id ) {
@@ -73,13 +73,14 @@ class PostmanLogFields {
}
private function sanitize( $key, $value ) {
+
$callback = is_array( $value ) ? 'array_map' : 'call_user_func';
if ( ! empty( $this->fields[$key] ) ) {
return $callback( $this->fields[$key], $value );
}
- return filter_var( $value, FILTER_SANITIZE_STRING | FILTER_SANITIZE_SPECIAL_CHARS );
+ return $value;
}
private function sanitize_message( $message ) {
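Review bot: The replaced fallback `return $value;` also applies to keys that are not in `$this->fields` at all, so an unlisted key is now stored exactly as received where it previously went through `filter_var()`; dropping `FILTER_SANITIZE_STRING` is reasonable since it is deprecated as of PHP 8.1, but the two cases should be told apart. Before the `! empty()` test, `if ( ! array_key_exists( $key, $this->fields ) ) { return $callback( 'sanitize_text_field', $value ); }` keeps a default for unknown keys while letting the deliberately blank entries pass through. A comment on the final return, `// keys registered with no callback are stored verbatim and must be escaped when rendered`, records that the display side, which is outside this diff, is now responsible for escaping. The blank `+` line added at the top of the method is stray whitespace.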
@@ -96,4 +97,43 @@ class PostmanLogFields {
return $value;
}
-} \ No newline at end of file
+
+ public function get_string_between($string, $start, $end){
+ $string = ' ' . $string;
+ $ini = strpos($string, $start);
+
+ if ($ini == 0) {
+ return '';
+ }
+
+ $ini += strlen($start);
+ $len = strpos($string, $end, $ini) - $ini;
+
+ return substr($string, $ini, $len);
+ }
+
+ public function email_header_sanitize($value) {
+
+ $parts = explode( ',', $value );
+
+ $sanitized = [];
+ foreach ( $parts as $part ) {
+
+ if ( strpos( $part, '<' ) !== false ) {
+ $email = $this->get_string_between( $part, '<', '>' );
+ $clean_email = $this->sanitize_email($email);
+ preg_match('/(.*)</', $part, $output_array);
+ $name = filter_var( trim( $output_array[1] ), FILTER_SANITIZE_STRING );
+
+ $sanitized[] = "{$name} <{$clean_email}>";
+ }
+ }
+
+ return ! empty( $sanitized ) ? implode( ',', $sanitized ) : implode( ',', array_map( [ $this, 'sanitize_email'], $parts ) );
+ }
+
+ public function sanitize_email( $email ) {
+ return filter_var( $email, FILTER_SANITIZE_EMAIL );
+ }
+}
+
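Review bot: In `email_header_sanitize`, a header that mixes display-name and bare forms, such as `Name <a@example.test>, b@example.test`, silently loses the bare address: the loop only appends parts containing `<`, and the `array_map` fallback in the return runs only when `$sanitized` is empty. Adding an else branch inside the loop, `} else { $sanitized[] = $this->sanitize_email( trim( $part ) ); }`, and reducing the return to `return implode( ',', $sanitized );` keeps every part. `get_string_between` relies on the loose `$ini == 0` to catch `strpos()` returning `false`, and does not handle a missing `$end` at all (`strpos(...)` returns `false`, giving a negative `$len` to `substr`); `if ( $ini === false ) { return ''; }` plus a matching `false` check on the second `strpos` would make both cases explicit. `FILTER_SANITIZE_STRING` used for `$name` is deprecated since PHP 8.1, so the name should be cleaned with something like `sanitize_text_field( $output_array[1] )`, which this class already uses elsewhere; whether names containing commas in quotes need to survive the `explode( ',' ... )` split is worth confirming with the callers.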