Privacy: Use consistent values for the site name and URL used in notification emails.

The functions `send_confirmation_on_profile_email()`, `_wp_privacy_send_request_confirmation_notification()`, `_wp_privacy_send_erasure_fulfillment_notification()`, and `wp_send_user_request()` all include a title and URL indicating the current site. However, so far they have dealt with those values inconsistently, sometimes using the site values, other times using the network values if in a multisite. This changeset ensures that only the current site is taken into account in all cases and that special characters in the site name are consistently decoded. Props subrataemfluence, desrosj. Merges [43388], [43390], and [43435] to the 4.9 branch. Fixes #44396. Built from https://develop.svn.wordpress.org/branches/4.9@43459 git-svn-id: http://core.svn.wordpress.org/branches/4.9@43286 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-25 06:14:58 +02:00 · 2018-07-16 14:24:26 +00:00 · 2018-07-16 14:24:26 +00:00 · cb2625e260
commit cb2625e260
parent d2342e75d0
3 changed files with 28 additions and 36 deletions
--- a/wp-admin/includes/file.php
+++ b/wp-admin/includes/file.php
@ -2099,20 +2099,20 @@ All at ###SITENAME###

 	$email_address = $request->email;
 	$export_file_url = get_post_meta( $request_id, '_export_file_url', true );
-	$site_name = is_multisite() ? get_site_option( 'site_name' ) : get_option( 'blogname' );
-	$site_url = network_home_url();
+	$site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
+	$site_url = home_url();

 	$content = str_replace( '###EXPIRATION###', $expiration_date, $content );
 	$content = str_replace( '###LINK###', esc_url_raw( $export_file_url ), $content );
 	$content = str_replace( '###EMAIL###', $email_address, $content );
-	$content = str_replace( '###SITENAME###', wp_specialchars_decode( $site_name, ENT_QUOTES ), $content );
+	$content = str_replace( '###SITENAME###', $site_name, $content );
 	$content = str_replace( '###SITEURL###', esc_url_raw( $site_url ), $content );

 	$mail_success = wp_mail(
 		$email_address,
 		sprintf(
 			__( '[%s] Personal Data Export' ),
-			wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES )
+			$site_name
 		),
 		$content
 	);
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@ -2657,11 +2657,7 @@ function send_confirmation_on_profile_email() {
 		);
 		update_user_meta( $current_user->ID, '_new_email', $new_user_email );

-		if ( is_multisite() ) {
-			$sitename = get_site_option( 'site_name' );
-		} else {
-			$sitename = get_option( 'blogname' );
-		}
+		$sitename = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );

 		/* translators: Do not translate USERNAME, ADMIN_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */
 		$email_text = __( 'Howdy ###USERNAME###,
@ -2706,10 +2702,10 @@ All at ###SITENAME###
 		$content = str_replace( '###USERNAME###', $current_user->user_login, $content );
 		$content = str_replace( '###ADMIN_URL###', esc_url( admin_url( 'profile.php?newuseremail=' . $hash ) ), $content );
 		$content = str_replace( '###EMAIL###', $_POST['email'], $content );
-		$content = str_replace( '###SITENAME###', wp_specialchars_decode( $sitename, ENT_QUOTES ), $content );
-		$content = str_replace( '###SITEURL###', network_home_url(), $content );
+		$content = str_replace( '###SITENAME###', $sitename, $content );
+		$content = str_replace( '###SITEURL###', home_url(), $content );

-		wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
+		wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), $sitename ), $content );

 		$_POST['email'] = $current_user->user_email;
 	}
@ -2919,7 +2915,7 @@ function _wp_privacy_send_request_confirmation_notification( $request_id ) {
 		'user_email'  => $request_data->email,
 		'description' => $action_description,
 		'manage_url'  => $manage_url,
-		'sitename'    => get_option( 'blogname' ),
+		'sitename'    => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ),
 		'siteurl'     => home_url(),
 		'admin_email' => $admin_email,
 	);
@ -2971,18 +2967,16 @@ All at ###SITENAME###
 	 */
 	$content = apply_filters( 'user_confirmed_action_email_content', $email_text, $email_data );

-	$content = str_replace( '###SITENAME###', wp_specialchars_decode( $email_data['sitename'], ENT_QUOTES ), $content );
+	$content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
 	$content = str_replace( '###USER_EMAIL###', $email_data['user_email'], $content );
 	$content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
 	$content = str_replace( '###MANAGE_URL###', esc_url_raw( $email_data['manage_url'] ), $content );
 	$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );

-	$blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
-
 	$subject = sprintf(
 		/* translators: 1: Site name. 2: Name of the confirmed action. */
 		__( '[%1$s] Action Confirmed: %2$s' ),
-		$blogname,
+		$email_data['sitename'],
 		$action_description
 	);

@ -2992,7 +2986,7 @@ All at ###SITENAME###
 	 * @since 4.9.8
 	 *
 	 * @param string $subject    The email subject.
-	 * @param string $blogname   The name of the site.
+	 * @param string $sitename   The name of the site.
 	 * @param array  $email_data {
 	 *     Data relating to the account action email.
 	 *
@ -3005,7 +2999,7 @@ All at ###SITENAME###
 	 *     @type string          $admin_email The administrator email receiving the mail.
 	 * }
 	 */
-	$subject = apply_filters( 'user_request_confirmed_email_subject', $subject, $blogname, $email_data );
+	$subject = apply_filters( 'user_request_confirmed_email_subject', $subject, $email_data['sitename'], $email_data );

 	$email_sent = wp_mail( $email_data['admin_email'], $subject, $content );

@ -3036,12 +3030,6 @@ function _wp_privacy_send_erasure_fulfillment_notification( $request_id ) {
 		return;
 	}

-	$subject = sprintf(
-		/* translators: %s Site name. */
-		__( '[%s] Erasure Request Fulfilled' ),
-		wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES )
-	);
-
 	/**
 	 * Filters the recipient of the data erasure fulfillment notification.
 	 *
@ -3056,10 +3044,16 @@ function _wp_privacy_send_erasure_fulfillment_notification( $request_id ) {
 		'request'            => $request_data,
 		'message_recipient'  => $user_email,
 		'privacy_policy_url' => get_privacy_policy_url(),
-		'sitename'           => get_option( 'blogname' ),
+		'sitename'           => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ),
 		'siteurl'            => home_url(),
 	);

+	$subject  = sprintf(
+		/* translators: %s: Site name. */
+		__( '[%s] Erasure Request Fulfilled' ),
+		$email_data['sitename']
+	);
+
 	if ( empty( $email_data['privacy_policy_url'] ) ) {
 		/* translators: Do not translate SITENAME, SITEURL; those are placeholders. */
 		$email_text = __(
@ -3119,7 +3113,7 @@ All at ###SITENAME###
 	 */
 	$content = apply_filters( 'user_confirmed_action_email_content', $email_text, $email_data );

-	$content = str_replace( '###SITENAME###', wp_specialchars_decode( $email_data['sitename'], ENT_QUOTES ), $content );
+	$content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
 	$content = str_replace( '###PRIVACY_POLICY_URL###', $email_data['privacy_policy_url'], $content );
 	$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );

@ -3282,8 +3276,8 @@ function wp_send_user_request( $request_id ) {
 			'request_id'  => $request_id,
 			'confirm_key' => wp_generate_user_request_key( $request_id ),
 		), wp_login_url() ),
-		'sitename'    => is_multisite() ? get_site_option( 'site_name' ) : get_option( 'blogname' ),
-		'siteurl'     => network_home_url(),
+		'sitename'    => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ),
+		'siteurl'     => home_url(),
 	);

 	/* translators: Do not translate DESCRIPTION, CONFIRM_URL, SITENAME, SITEURL: those are placeholders. */
@ -3334,13 +3328,11 @@ All at ###SITENAME###
 	$content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
 	$content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content );
 	$content = str_replace( '###EMAIL###', $email_data['email'], $content );
-	$content = str_replace( '###SITENAME###', wp_specialchars_decode( $email_data['sitename'], ENT_QUOTES ), $content );
+	$content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
 	$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );

-	$blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
-
 	/* translators: Privacy data request subject. 1: Site name, 2: Name of the action */
-	$subject = sprintf( __( '[%1$s] Confirm Action: %2$s' ), $blogname, $email_data['description'] );
+	$subject = sprintf( __( '[%1$s] Confirm Action: %2$s' ), $email_data['sitename'], $email_data['description'] );

 	/**
 	 * Filters the subject of the email sent when an account action is attempted.
@ -3348,7 +3340,7 @@ All at ###SITENAME###
 	 * @since 4.9.6
 	 *
 	 * @param string $subject    The email subject.
-	 * @param string $blogname   The name of the site.
+	 * @param string $sitename   The name of the site.
 	 * @param array  $email_data {
 	 *     Data relating to the account action email.
 	 *
@ -3360,7 +3352,7 @@ All at ###SITENAME###
 	 *     @type string          $siteurl     The site URL sending the mail.
 	 * }
 	 */
-	$subject = apply_filters( 'user_request_action_email_subject', $subject, $blogname, $email_data );
+	$subject = apply_filters( 'user_request_action_email_subject', $subject, $email_data['sitename'], $email_data );

 	return wp_mail( $email_data['email'], $subject, $content );
 }
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9.8-alpha-43458';
+$wp_version = '4.9.8-alpha-43459';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.