From 048aa1e3c115b1b2712f68abd16ac46b55d9e874 Mon Sep 17 00:00:00 2001
From: sumaisa-mou
Date: Wed, 20 Mar 2024 21:52:55 +0600
Subject: [PATCH 1/4] Fix notice vulnerability issue.

---
 assets/js/admin-notice.js | 3 ++-
 includes/Admin/Notice.php | 10 +++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/assets/js/admin-notice.js b/assets/js/admin-notice.js
index 6c88838..ba82c9c 100644
--- a/assets/js/admin-notice.js
+++ b/assets/js/admin-notice.js
@@ -3,7 +3,8 @@
         $(document).on("click", '.wemail-connect-notice-flex-container .notice-dismiss', function() {
             var url = new URL(location.href);
             url.searchParams.append("dismiss_connect_notice", 1);
+            url.searchParams.append("wemail_dismiss_notice_nonce", wemail_notice_nonce.nonce); // Add nonce
             location.href = url;
         });
     });
-})(jQuery);
\ No newline at end of file
+})(jQuery);
diff --git a/includes/Admin/Notice.php b/includes/Admin/Notice.php
index c2fe164..a242d57 100644
--- a/includes/Admin/Notice.php
+++ b/includes/Admin/Notice.php
@@ -30,6 +30,12 @@ public function enqueue_assets() {
 
     wp_enqueue_style( 'wemail-admin-notice-style' );
     wp_enqueue_script( 'wemail-admin-notice-script' );
+
+    wp_localize_script(
+        'wemail-admin-notice-script', 'wemail_notice_nonce', array(
+            'nonce' => wp_create_nonce( 'wemail_dismiss_notice_nonce' ),
+        )
+    );
 }
 
 /**
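Review bot: The new line uses `searchParams.append`, so clicking dismiss from a URL that already carries these parameters — which is exactly where the user lands when the server rejects the nonce and leaves the notice up — stacks duplicate `dismiss_connect_notice` and `wemail_dismiss_notice_nonce` entries. `url.searchParams.set("dismiss_connect_notice", 1);` and `url.searchParams.set("wemail_dismiss_notice_nonce", wemail_notice_nonce.nonce);` keep the navigation idempotent. Sending the nonce as a GET parameter also writes it into access logs and Referer headers; WordPress nonces are time-limited so the exposure is small, but a POST would avoid it. The same line comes back in the patch-4 hunk of this file.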
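Review bot: The added `wp_localize_script` call uses long `array(` syntax while the file otherwise uses short arrays (`[ $this, 'connect_notice_html' ]` in the connect_notice hunk of this patch); `wp_localize_script( 'wemail-admin-notice-script', 'wemail_notice_nonce', [ 'nonce' => wp_create_nonce( 'wemail_dismiss_notice_nonce' ) ] );` keeps the style consistent. The coupling with the script is also undocumented: admin-notice.js reads `wemail_notice_nonce.nonce` unconditionally, so this call has to stay next to the `wp_enqueue_script` above it — a comment like `// admin-notice.js reads wemail_notice_nonce.nonce; keep this paired with the enqueue above.` would say why. The same lines return unchanged in the patch-4 hunk of this file.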
@@ -61,7 +67,9 @@ public function connect_notice_html() {
      */
     public function connect_notice() {
         if ( isset( $_GET['dismiss_connect_notice'] ) && (int) $_GET['dismiss_connect_notice'] === 1 ) {
-            update_option( 'wemail_site_connection_notice', 1 );
+            if ( isset( $_GET['wemail_dismiss_notice_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['wemail_dismiss_notice_nonce'] ) ), 'wemail_dismiss_notice_nonce' ) ) {
+                update_option( 'wemail_site_connection_notice', 1 );
+            }
         }
         if ( ! get_user_meta( get_current_user_id(), 'wemail_api_key', true ) && (int) get_option( 'wemail_site_connection_notice' ) !== 1 && ! ( isset( $_GET['page'] ) && $_GET['page'] === 'wemail' ) ) {
             add_action( 'admin_notices', [ $this, 'connect_notice_html' ] );

From b096c7321edf9e4d85ae959e068f2ac7f7d62bf4 Mon Sep 17 00:00:00 2001
From: sumaisa-mou
Date: Thu, 21 Mar 2024 15:36:25 +0600
Subject: [PATCH 2/4] Refactor

---
 assets/js/admin-notice.js | 2 +-
 includes/Admin/Notice.php | 11 +++++------
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/assets/js/admin-notice.js b/assets/js/admin-notice.js
index ba82c9c..c57d4fb 100644
--- a/assets/js/admin-notice.js
+++ b/assets/js/admin-notice.js
@@ -3,7 +3,7 @@
         $(document).on("click", '.wemail-connect-notice-flex-container .notice-dismiss', function() {
             var url = new URL(location.href);
             url.searchParams.append("dismiss_connect_notice", 1);
-            url.searchParams.append("wemail_dismiss_notice_nonce", wemail_notice_nonce.nonce); // Add nonce
+            url.searchParams.append("wemail_dismiss_notice_nonce", weMail.nonce);
             location.href = url;
         });
     });
diff --git a/includes/Admin/Notice.php b/includes/Admin/Notice.php
index a242d57..74785e8 100644
--- a/includes/Admin/Notice.php
+++ b/includes/Admin/Notice.php
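Review bot: The nonce check added around `update_option( 'wemail_site_connection_notice', 1 )` is an anti-CSRF measure, not an authorization check, and the write is site-wide while the display rule two lines below is per-user (`get_user_meta( get_current_user_id(), 'wemail_api_key', true )`): unless a capability check sits where this hook is registered (not visible here), any logged-in user who is shown the notice can dismiss it for every other user. Either gate the write, `if ( current_user_can( 'manage_options' ) && isset( $_GET['wemail_dismiss_notice_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['wemail_dismiss_notice_nonce'] ) ), 'wemail_dismiss_notice_nonce' ) ) {`, or store the dismissal in user meta so it matches the per-user display rule — which of the two is intended is not clear from the hunk. A failed nonce is also silent (the user lands on the dismiss URL with the notice still visible), which is acceptable but deserves a one-line comment such as `// A missing or stale nonce is ignored; the notice simply stays visible.`. `connect_notice()` continues past the end of the hunk, and the same check reappears unchanged in the last hunk of patch 4.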
@@ -31,11 +31,9 @@ public function enqueue_assets() {
     wp_enqueue_style( 'wemail-admin-notice-style' );
     wp_enqueue_script( 'wemail-admin-notice-script' );
 
-    wp_localize_script(
-        'wemail-admin-notice-script', 'wemail_notice_nonce', array(
-            'nonce' => wp_create_nonce( 'wemail_dismiss_notice_nonce' ),
-        )
-    );
+    // Access the $wemail nonce value from the Scripts class
+    $scripts_instance = new Scripts();
+    $scripts_instance->enqueue_scripts();
 }
 
 /**
@@ -67,7 +65,7 @@ public function connect_notice_html() {
      */
     public function connect_notice() {
         if ( isset( $_GET['dismiss_connect_notice'] ) && (int) $_GET['dismiss_connect_notice'] === 1 ) {
-            if ( isset( $_GET['wemail_dismiss_notice_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['wemail_dismiss_notice_nonce'] ) ), 'wemail_dismiss_notice_nonce' ) ) {
+            if ( isset( $_GET['wemail_dismiss_notice_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['wemail_dismiss_notice_nonce'] ) ), 'wp_rest' ) ) {
                 update_option( 'wemail_site_connection_notice', 1 );
             }
         }
@@ -77,3 +75,4 @@ public function connect_notice() {
     }
 }
 
+

From 9e81d0f46b293593952a3ab18575503137992a97 Mon Sep 17 00:00:00 2001
From: sumaisa-mou
Date: Fri, 22 Mar 2024 15:39:19 +0600
Subject: [PATCH 3/4] Fix warining

---
 includes/Admin/Notice.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/Admin/Notice.php b/includes/Admin/Notice.php
index 74785e8..5e6681e 100644
--- a/includes/Admin/Notice.php
+++ b/includes/Admin/Notice.php
@@ -52,7 +52,7 @@ public function connect_notice_html() {

Date: Mon, 25 Mar 2024 10:31:35 +0600
Subject: [PATCH 4/4] Rollback to locally create nonce

---
 assets/js/admin-notice.js | 2 +-
 includes/Admin/Notice.php | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/assets/js/admin-notice.js b/assets/js/admin-notice.js
index c57d4fb..feb5e28 100644
--- a/assets/js/admin-notice.js
+++ b/assets/js/admin-notice.js
@@ -3,7 +3,7 @@
         $(document).on("click", '.wemail-connect-notice-flex-container .notice-dismiss', function() {
             var url = new URL(location.href);
             url.searchParams.append("dismiss_connect_notice", 1);
-            url.searchParams.append("wemail_dismiss_notice_nonce", weMail.nonce);
+            url.searchParams.append("wemail_dismiss_notice_nonce", wemail_notice_nonce.nonce);
             location.href = url;
         });
     });
diff --git a/includes/Admin/Notice.php b/includes/Admin/Notice.php
index 5e6681e..ea5cc9e 100644
--- a/includes/Admin/Notice.php
+++ b/includes/Admin/Notice.php
@@ -31,9 +31,11 @@ public function enqueue_assets() {
     wp_enqueue_style( 'wemail-admin-notice-style' );
     wp_enqueue_script( 'wemail-admin-notice-script' );
 
-    // Access the $wemail nonce value from the Scripts class
-    $scripts_instance = new Scripts();
-    $scripts_instance->enqueue_scripts();
+    wp_localize_script(
+        'wemail-admin-notice-script', 'wemail_notice_nonce', array(
+            'nonce' => wp_create_nonce( 'wemail_dismiss_notice_nonce' ),
+        )
+    );
 }
 
 /**
@@ -65,7 +67,7 @@ public function connect_notice_html() {
      */
     public function connect_notice() {
         if ( isset( $_GET['dismiss_connect_notice'] ) && (int) $_GET['dismiss_connect_notice'] === 1 ) {
-            if ( isset( $_GET['wemail_dismiss_notice_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['wemail_dismiss_notice_nonce'] ) ), 'wp_rest' ) ) {
+            if ( isset( $_GET['wemail_dismiss_notice_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['wemail_dismiss_notice_nonce'] ) ), 'wemail_dismiss_notice_nonce' ) ) {
                 update_option( 'wemail_site_connection_notice', 1 );
             }
         }
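Review bot: The nonce action `'wemail_dismiss_notice_nonce'` is spelled out here in `wp_create_nonce()` and again in `wp_verify_nonce()` in `connect_notice()`, and this series shows how the two halves have to move in step: patch 2 and patch 4 each touched both the create side and the verify side, and a mismatch between them would silently disable dismissal rather than fail loudly. A class constant, `const DISMISS_NONCE_ACTION = 'wemail_dismiss_notice_nonce';`, used as `wp_create_nonce( self::DISMISS_NONCE_ACTION )` here and as the second argument of `wp_verify_nonce()` below, removes the duplicated literal; the query-parameter name sent by the JS is a separate string that merely coincides with the action and can stay as is. The class header is outside the hunk, so where the constant would go is not visible here.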