
SiteOrigin Contact Form Widget Email Bugs

I’ve been experimenting a bit with the Contact widget from the SiteOrigin Widgets Bundle, and I found a couple of bugs, plus what I think is a missing feature. I was able to fix these by editing the plugin files, but it’s probably a good idea to fix them yourselves in the plugin:

* First, the contact form generates invalid HTML. In “so-contact-widget.php”, function send_mail constructs the first line like this:

$body = '<strong>From:</strong> ' . $email_fields['name'] . ' <' . sanitize_email( $email_fields['email'] ) . ">\n\n";

The trouble here is that the brackets around the email address are not HTML escaped. GMail at least interprets it as an invalid HTML tag and doesn’t show the address at all.

* Second, none of the fields received from the user are HTML-escaped. So if the user happens to type anything containing angle brackets (intentionally or by accident), things can get messed up.

(I got around both these by applying esc_html() around the user input, and around the email brackets.)

* Third (this is the missing feature, and arguably a bug), the form unconditionally sets the email’s “From:” header to the address provided by the user. This is a bad idea (it should at least be configurable), since, depending on the email server used by the WordPress site, emails sent in another’s name can be refused.

I replaced this with a “Reply-To:” header, which I think is the generally correct choice. It should at least be an option in the widget configuration.

* Fourth (I just noticed this bug), the “From:” header is constructed from the “name” and “email” input fields, but only the latter is sanitized. I’m not sure exactly how WP handles those arguments later, but I think the “name” field should at least be sanitized to avoid newlines and carriage returns. (You can’t add those with the form, but someone could manufacture a request and send it, and perhaps add evil headers to the generated messages.)
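The four fixes described in the post, written out as one hardened mail-building routine. This is an added example, not the plugin's code or the poster's patch; it assumes the WordPress functions esc_html(), sanitize_email(), sanitize_text_field() and get_bloginfo(), and the helper names build_contact_mail() and contact_header_safe() are hypothetical.

```php
<?php
// Added example (not the plugin's own code). WordPress helpers
// esc_html(), sanitize_email(), sanitize_text_field(), get_bloginfo()
// are assumed to be available; the two functions below are hypothetical.

// Fix 4: strip CR/LF and other control characters from any value that
// ends up in a mail header, so a hand-crafted request cannot append
// extra headers through the "name" field.
function contact_header_safe( $value ) {
    $value = sanitize_text_field( $value ); // strips tags, octets, line breaks
    return preg_replace( '/[\r\n\x00-\x1f\x7f]+/', ' ', $value );
}

function build_contact_mail( array $fields, $site_owner_email ) {
    $name  = contact_header_safe( $fields['name'] );
    $email = sanitize_email( $fields['email'] );

    // Fix 1 + 2: escape the user-supplied values AND the literal angle
    // brackets, so "<user@example.com>" is displayed rather than being
    // parsed by the mail client as an unknown HTML tag.
    $body  = '<strong>From:</strong> ' . esc_html( $name ) . ' '
           . esc_html( '<' . $email . '>' ) . "\n\n";
    $body .= esc_html( $fields['message'] );

    // Fix 3: send From an address the site's mail server may send as,
    // and put the visitor's address in Reply-To so replies still reach them.
    $headers = array(
        'Content-Type: text/html; charset=UTF-8',
        'From: ' . contact_header_safe( get_bloginfo( 'name' ) )
            . ' <' . sanitize_email( $site_owner_email ) . '>',
        'Reply-To: ' . $name . ' <' . $email . '>',
    );

    return array( 'body' => $body, 'headers' => $headers );
}

// Usage inside the widget's send handler (hypothetical call site):
// $mail = build_contact_mail( $email_fields, get_option( 'admin_email' ) );
// wp_mail( get_option( 'admin_email' ), $subject, $mail['body'], $mail['headers'] );
```

Making the From/Reply-To choice a widget option, as the post suggests, would be a matter of selecting between the two header arrangements based on a setting.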


  1. 8 years, 9 months ago Greg Priday
    Hi, I Work Here

    Hi Bogdan

    Thank you so much for your very thorough review of the contact form widget. Your feedback is hugely valuable. I’ve logged all these issues in our issue tracker. We’ll get to fixing them as soon as possible.

    Here are all the issues if you’d like to keep track.

    https://github.com/siteorigin/so-widgets-bundle/issues/65
    https://github.com/siteorigin/so-widgets-bundle/issues/66
    https://github.com/siteorigin/so-widgets-bundle/issues/67
    https://github.com/siteorigin/so-widgets-bundle/issues/68

    I really appreciate your feedback Bogdan. Thank you so much!

  2. 8 years, 9 months ago Greg Priday
    Hi, I Work Here

    Hi Bogdan. I see you’re on Github. If you’d like to submit those changes you’ve made via a pull request, I’d be more than happy to merge.
