From 75237f5a900d51bc55c8da9fdb7a6a714a890af4 Mon Sep 17 00:00:00 2001 From: krokodok Date: Wed, 15 May 2024 12:36:26 +0200 Subject: [PATCH 1/2] Prevent sprintf errors by escaping % in form title --- connectors/class-connector-gravityforms.php | 22 ++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/connectors/class-connector-gravityforms.php b/connectors/class-connector-gravityforms.php index aa68ba5b7..fa1e14e46 100644 --- a/connectors/class-connector-gravityforms.php +++ b/connectors/class-connector-gravityforms.php @@ -221,7 +221,7 @@ public function register() { * @param bool $is_new Is this a new form?. */ public function callback_gform_after_save_form( $form, $is_new ) { - $title = $form['title']; + $title = str_replace( '%', '%%', $form['title'] ); $id = $form['id']; $this->log( @@ -260,7 +260,7 @@ public function callback_gform_pre_confirmation_save( $confirmation, $form, $is_ __( '"%1$s" confirmation %2$s for "%3$s"', 'stream' ), $confirmation['name'], $is_new ? esc_html__( 'created', 'stream' ) : esc_html__( 'updated', 'stream' ), - $form['title'] + str_replace( '%', '%%', $form['title'] ) ), array( 'is_new' => $is_new, @@ -293,7 +293,7 @@ public function callback_gform_pre_notification_save( $notification, $form, $is_ __( '"%1$s" notification %2$s for "%3$s"', 'stream' ), $notification['name'], $is_new ? esc_html__( 'created', 'stream' ) : esc_html__( 'updated', 'stream' ), - $form['title'] + str_replace( '%', '%%', $form['title'] ) ), array( 'is_update' => $is_new, @@ -319,7 +319,7 @@ public function callback_gform_pre_notification_deleted( $notification, $form ) /* translators: %1$s: a notification name, %2$s: a form title (e.g. "Email", "Contact Form") */ __( '"%1$s" notification deleted from "%2$s"', 'stream' ), $notification['name'], - $form['title'] + str_replace( '%', '%%', $form['title'] ) ), array( 'form_id' => $form['id'], 
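Review bot: In hunk -221 the escape is applied where `$title` is assigned rather than at the sprintf argument, so every later use of `$title` in callback_gform_after_save_form inherits the doubled `%%` — if it is also written into the args array handed to `$this->log()` (the body continues outside the hunk, so this cannot be confirmed here), the stored metadata would carry `%%` instead of the real title. The other hunks (-260 through -945) escape inline in the sprintf call, which avoids that; keeping `$title = $form['title'];` and passing `str_replace( '%', '%%', $title )` as the sprintf argument would be consistent with them. Since sprintf never interprets `%` in its arguments, the replacement only makes sense if the already-formatted summary goes through a second format pass inside the logger, which is presumably the error the subject refers to; that reason is not recorded anywhere, so a comment at the first call site would help, e.g. `// '%' must be doubled: the logger formats the summary again and a bare '%' breaks that second sprintf.`. With the same expression repeated at eleven call sites, a small private helper in the connector carrying that comment would keep reason and treatment in one place.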
@@ -343,7 +343,7 @@ public function callback_gform_pre_confirmation_deleted( $confirmation, $form )
 /* translators: %1$s: a confirmation name, %2$s: a form title (e.g. "Email", "Contact Form") */
 __( '"%1$s" confirmation deleted from "%2$s"', 'stream' ),
 $confirmation['name'],
- $form['title']
+ str_replace( '%', '%%', $form['title'] )
 ),
 array(
 'form_id' => $form['id'],
@@ -369,7 +369,7 @@ public function callback_gform_confirmation_status( $confirmation, $form, $is_ac
 __( '"%1$s" confirmation %2$s from "%3$s"', 'stream' ),
 $confirmation['name'],
 $is_active ? esc_html__( 'activated', 'stream' ) : esc_html__( 'deactivated', 'stream' ),
- $form['title']
+ str_replace( '%', '%%', $form['title'] )
 ),
 array(
 'form_id' => $form['id'],
@@ -396,7 +396,7 @@ public function callback_gform_notification_status( $notification, $form, $is_ac
 __( '"%1$s" notification %2$s from "%3$s"', 'stream' ),
 $notification['name'],
 $is_active ? esc_html__( 'activated', 'stream' ) : esc_html__( 'deactivated', 'stream' ),
- $form['title']
+ str_replace( '%', '%%', $form['title'] )
 ),
 array(
 'form_id' => $form['id'],
@@ -756,7 +756,7 @@ public function callback_gform_update_status( $lead_id, $status, $prev = '' ) {
 __( 'Lead #%1$d %2$s on "%3$s" form', 'stream' ),
 $lead_id,
 $actions[ $status ],
- $form['title']
+ str_replace( '%', '%%', $form['title'] )
 ),
 array(
 'lead_id' => $lead_id,
@@ -791,7 +791,7 @@ public function callback_gform_update_is_read( $lead_id, $status ) {
 $lead_id,
 $status,
 $form['id'],
- $form['title']
+ str_replace( '%', '%%', $form['title'] )
 ),
 array(
 'lead_id' => $lead_id,
@@ -826,7 +826,7 @@ public function callback_gform_update_is_starred( $lead_id, $status ) {
 $lead_id,
 $status,
 $form['id'],
- $form['title']
+ str_replace( '%', '%%', $form['title'] )
 ),
 array(
 'lead_id' => $lead_id,
@@ -945,7 +945,7 @@ public function log_form_action( $form_id, $action ) {
 /* translators: %1$d: an ID, %2$s: a form title, %3$s: a status (e.g. "42", "Contact Form", "Activated") */
 __( 'Form #%1$d ("%2$s") %3$s', 'stream' ),
 $form_id,
- $form['title'],
+ str_replace( '%', '%%', $form['title'] ),
 strtolower( $actions[ $action ] )
 ),
 array(
From 4648e99cfcf7c82429a9e39e16e4d780a9dbdf93 Mon Sep 17 00:00:00 2001
From: krokodok
Date: Mon, 24 Jun 2024 19:30:12 +0200
Subject: [PATCH 2/2] Escape all user input values
---
 connectors/class-connector-gravityforms.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/connectors/class-connector-gravityforms.php b/connectors/class-connector-gravityforms.php
index fa1e14e46..d4f61d0a5 100644
--- a/connectors/class-connector-gravityforms.php
+++ b/connectors/class-connector-gravityforms.php
@@ -258,7 +258,7 @@ public function callback_gform_pre_confirmation_save( $confirmation, $form, $is_
 sprintf(
 /* translators: %1$s: a confirmation name, %2$s: a status, %3$s: a form title (e.g. "Email", "created", "Contact Form") */
 __( '"%1$s" confirmation %2$s for "%3$s"', 'stream' ),
- $confirmation['name'],
+ str_replace( '%', '%%', $confirmation['name'] ),
 $is_new ? esc_html__( 'created', 'stream' ) : esc_html__( 'updated', 'stream' ),
 str_replace( '%', '%%', $form['title'] )
 ),
@@ -291,7 +291,7 @@ public function callback_gform_pre_notification_save( $notification, $form, $is_
 sprintf(
 /* translators: %1$s: a notification name, %2$s: a status, %3$s: a form title (e.g. "Email", "created", "Contact Form") */
 __( '"%1$s" notification %2$s for "%3$s"', 'stream' ),
- $notification['name'],
+ str_replace( '%', '%%', $notification['name'] ),
 $is_new ? esc_html__( 'created', 'stream' ) : esc_html__( 'updated', 'stream' ),
 str_replace( '%', '%%', $form['title'] )
 ),
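Review bot: In hunk -258, `str_replace( '%', '%%', $confirmation['name'] )` is a verbatim copy of the expression already used for `$form['title']`, and hunks -291, -318, -342, -367 and -394 add five more copies; nothing in the code says why sprintf arguments need `%` doubled, which a reader will reasonably find wrong since sprintf does not interpret its arguments. A private helper in the connector, such as `private function escape_percent( $value ) { return str_replace( '%', '%%', (string) $value ); }`, with a docblock explaining that the formatted summary is run through a second format pass downstream (assumed here, as `$this->log()` is outside the diff), would put reason and treatment in one place and make the next user-supplied value harder to miss. The `(string)` cast also keeps a null name from triggering the PHP 8.1 deprecation that str_replace raises for a null subject, should `$confirmation['name']` ever be null.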
@@ -318,7 +318,7 @@ public function callback_gform_pre_notification_deleted( $notification, $form )
 sprintf(
 /* translators: %1$s: a notification name, %2$s: a form title (e.g. "Email", "Contact Form") */
 __( '"%1$s" notification deleted from "%2$s"', 'stream' ),
- $notification['name'],
+ str_replace( '%', '%%', $notification['name'] ),
 str_replace( '%', '%%', $form['title'] )
 ),
 array(
@@ -342,7 +342,7 @@ public function callback_gform_pre_confirmation_deleted( $confirmation, $form )
 sprintf(
 /* translators: %1$s: a confirmation name, %2$s: a form title (e.g. "Email", "Contact Form") */
 __( '"%1$s" confirmation deleted from "%2$s"', 'stream' ),
- $confirmation['name'],
+ str_replace( '%', '%%', $confirmation['name'] ),
 str_replace( '%', '%%', $form['title'] )
 ),
 array(
@@ -367,7 +367,7 @@ public function callback_gform_confirmation_status( $confirmation, $form, $is_ac
 sprintf(
 /* translators: %1$s: a confirmation name, %2$s: a status, %3$s: a form title (e.g. "Email", "activated", "Contact Form") */
 __( '"%1$s" confirmation %2$s from "%3$s"', 'stream' ),
- $confirmation['name'],
+ str_replace( '%', '%%', $confirmation['name'] ),
 $is_active ? esc_html__( 'activated', 'stream' ) : esc_html__( 'deactivated', 'stream' ),
 str_replace( '%', '%%', $form['title'] )
 ),
@@ -394,7 +394,7 @@ public function callback_gform_notification_status( $notification, $form, $is_ac
 sprintf(
 /* translators: %1$s: a notification name, %2$s: a status, %3$s: a form title (e.g. "Email", "activated", "Contact Form") */
 __( '"%1$s" notification %2$s from "%3$s"', 'stream' ),
- $notification['name'],
+ str_replace( '%', '%%', $notification['name'] ),
 $is_active ? esc_html__( 'activated', 'stream' ) : esc_html__( 'deactivated', 'stream' ),
 str_replace( '%', '%%', $form['title'] )
 ),