Privacy: Use consistent values for the site name and URL used in notification emails.

The functions `send_confirmation_on_profile_email()`, `_wp_privacy_send_request_confirmation_notification()`, `_wp_privacy_send_erasure_fulfillment_notification()`, and `wp_send_user_request()` all include a title and URL indicating the current site. However, so far they have dealt with those values inconsistently, sometimes using the site values, other times using the network values if in a multisite. This changeset ensures that only the current site is taken into account in all cases and that special characters in the site name are consistently decoded. Props subrataemfluence, desrosj. Fixes #44396. Built from https://develop.svn.wordpress.org/trunk@43388 git-svn-id: http://core.svn.wordpress.org/trunk@43216 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-03 17:00:25 +00:00 · 2018-07-03 17:00:25 +00:00 · 057b221af7
parent dc036d5333
commit 057b221af7
2 changed files with 24 additions and 32 deletions
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@ -2733,11 +2733,7 @@ function send_confirmation_on_profile_email() {
 		);
 		update_user_meta( $current_user->ID, '_new_email', $new_user_email );

-		if ( is_multisite() ) {
-			$sitename = get_site_option( 'site_name' );
-		} else {
-			$sitename = get_option( 'blogname' );
-		}
+		$sitename = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );

 		/* translators: Do not translate USERNAME, ADMIN_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */
 		$email_text = __(
@ -2784,10 +2780,10 @@ All at ###SITENAME###
 		$content = str_replace( '###USERNAME###', $current_user->user_login, $content );
 		$content = str_replace( '###ADMIN_URL###', esc_url( admin_url( 'profile.php?newuseremail=' . $hash ) ), $content );
 		$content = str_replace( '###EMAIL###', $_POST['email'], $content );
-		$content = str_replace( '###SITENAME###', wp_specialchars_decode( $sitename, ENT_QUOTES ), $content );
-		$content = str_replace( '###SITEURL###', network_home_url(), $content );
+		$content = str_replace( '###SITENAME###', $sitename, $content );
+		$content = str_replace( '###SITEURL###', home_url(), $content );

-		wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
+		wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), $sitename ), $content );

 		$_POST['email'] = $current_user->user_email;
 	}
@ -2997,7 +2993,7 @@ function _wp_privacy_send_request_confirmation_notification( $request_id ) {
 		'user_email'  => $request_data->email,
 		'description' => $action_description,
 		'manage_url'  => $manage_url,
-		'sitename'    => get_option( 'blogname' ),
+		'sitename'    => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ),
 		'siteurl'     => home_url(),
 		'admin_email' => $admin_email,
 	);
@ -3049,18 +3045,16 @@ All at ###SITENAME###
 	 */
 	$content = apply_filters( 'user_confirmed_action_email_content', $email_text, $email_data );

-	$content = str_replace( '###SITENAME###', wp_specialchars_decode( $email_data['sitename'], ENT_QUOTES ), $content );
+	$content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
 	$content = str_replace( '###USER_EMAIL###', $email_data['user_email'], $content );
 	$content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
 	$content = str_replace( '###MANAGE_URL###', esc_url_raw( $email_data['manage_url'] ), $content );
 	$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );

-	$blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
-
 	$subject = sprintf(
 		/* translators: 1: Site name. 2: Name of the confirmed action. */
 		__( '[%1$s] Action Confirmed: %2$s' ),
-		$blogname,
+		$email_data['sitename'],
 		$action_description
 	);

@ -3070,7 +3064,7 @@ All at ###SITENAME###
 	 * @since 4.9.7
 	 *
 	 * @param string $subject    The email subject.
-	 * @param string $blogname   The name of the site.
+	 * @param string $sitename   The name of the site.
 	 * @param array  $email_data {
 	 *     Data relating to the account action email.
 	 *
@ -3083,7 +3077,7 @@ All at ###SITENAME###
 	 *     @type string          $admin_email The administrator email receiving the mail.
 	 * }
 	 */
-	$subject = apply_filters( 'user_request_confirmed_email_subject', $subject, $blogname, $email_data );
+	$subject = apply_filters( 'user_request_confirmed_email_subject', $subject, $email_data['sitename'], $email_data );

 	$email_sent = wp_mail( $email_data['admin_email'], $subject, $content );

@ -3114,12 +3108,6 @@ function _wp_privacy_send_erasure_fulfillment_notification( $request_id ) {
 		return;
 	}

-	$subject = sprintf(
-		/* translators: %s Site name. */
-		__( '[%s] Erasure Request Fulfilled' ),
-		wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES )
-	);
-
 	/**
 	 * Filters the recipient of the data erasure fulfillment notification.
 	 *
@ -3134,10 +3122,16 @@ function _wp_privacy_send_erasure_fulfillment_notification( $request_id ) {
 		'request'            => $request_data,
 		'message_recipient'  => $user_email,
 		'privacy_policy_url' => get_privacy_policy_url(),
-		'sitename'           => get_option( 'blogname' ),
+		'sitename'           => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ),
 		'siteurl'            => home_url(),
 	);

+	$subject  = sprintf(
+		/* translators: %s: Site name. */
+		__( '[%s] Erasure Request Fulfilled' ),
+		$email_data['sitename']
+	);
+
 	if ( empty( $email_data['privacy_policy_url'] ) ) {
 		/* translators: Do not translate SITENAME, SITEURL; those are placeholders. */
 		$email_text = __(
@ -3197,7 +3191,7 @@ All at ###SITENAME###
 	 */
 	$content = apply_filters( 'user_confirmed_action_email_content', $email_text, $email_data );

-	$content = str_replace( '###SITENAME###', wp_specialchars_decode( $email_data['sitename'], ENT_QUOTES ), $content );
+	$content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
 	$content = str_replace( '###PRIVACY_POLICY_URL###', $email_data['privacy_policy_url'], $content );
 	$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );

@ -3360,8 +3354,8 @@ function wp_send_user_request( $request_id ) {
 			'request_id'  => $request_id,
 			'confirm_key' => wp_generate_user_request_key( $request_id ),
 		), wp_login_url() ),
-		'sitename'    => is_multisite() ? get_site_option( 'site_name' ) : get_option( 'blogname' ),
-		'siteurl'     => network_home_url(),
+		'sitename'    => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ),
+		'siteurl'     => home_url(),
 	);

 	/* translators: Do not translate DESCRIPTION, CONFIRM_URL, SITENAME, SITEURL: those are placeholders. */
@ -3412,13 +3406,11 @@ All at ###SITENAME###
 	$content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
 	$content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content );
 	$content = str_replace( '###EMAIL###', $email_data['email'], $content );
-	$content = str_replace( '###SITENAME###', wp_specialchars_decode( $email_data['sitename'], ENT_QUOTES ), $content );
+	$content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
 	$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );

-	$blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
-
 	/* translators: Privacy data request subject. 1: Site name, 2: Name of the action */
-	$subject = sprintf( __( '[%1$s] Confirm Action: %2$s' ), $blogname, $email_data['description'] );
+	$subject = sprintf( __( '[%1$s] Confirm Action: %2$s' ), $email_data['sitename'], $email_data['description'] );

 	/**
 	 * Filters the subject of the email sent when an account action is attempted.
@ -3426,7 +3418,7 @@ All at ###SITENAME###
 	 * @since 4.9.6
 	 *
 	 * @param string $subject    The email subject.
-	 * @param string $blogname   The name of the site.
+	 * @param string $sitename   The name of the site.
 	 * @param array  $email_data {
 	 *     Data relating to the account action email.
 	 *
@ -3438,7 +3430,7 @@ All at ###SITENAME###
 	 *     @type string          $siteurl     The site URL sending the mail.
 	 * }
 	 */
-	$subject = apply_filters( 'user_request_action_email_subject', $subject, $blogname, $email_data );
+	$subject = apply_filters( 'user_request_action_email_subject', $subject, $email_data['sitename'], $email_data );

 	return wp_mail( $email_data['email'], $subject, $content );
 }
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.0-alpha-43387';
+$wp_version = '5.0-alpha-43388';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.