Jetpack: Sharing via Email: improve name field validation

Created on 6 Oct 2016 · 5 Comments · Source: Automattic/jetpack

There are currently different issues with the values that are accepted in the name field:

  • Apostrophes (as described below)
  • URLs (as described in #14221)
  • field length (as described in #14667)

This should all be addressed by a better validation of this field, when submitting the form but also when trying to POST directly.

Steps to reproduce the issue

  1. Activate Jetpack and its sharing module.
  2. Go to Settings > Sharing, and enable the Email button.
  3. Open your site in an incognito window.
  4. On one of your posts, click the email button, enter your own email address, and a name including an apostrophe, e.g. Jeremy O'Testing.
  5. Check the email you receive:

Jeremy O\’Testing (_@_.com) thinks you may be interested in the following post:

We'd need to get rid of that extra slash.

Sharing [Pri] Normal [Type] Bug [Type] Happiness Request

All 5 comments

This issue has been marked as stale. This happened because:

  • It has been inactive in the past 6 months.
  • It hasn’t been labeled `[Pri] Blocker`, `[Pri] High`.

No further action is needed. But it's worth checking if this ticket has clear reproduction steps and it is still reproducible. Feel free to close this issue if you think it's not valid anymore — if you do, please add a brief explanation.

This also seems to happen with the email subject that's created. 2336158-zen

In accordance with information provided on the Jetpack site:
https://jetpack.com/support/sharing/

Email sharing is enabled by adding the following code snippet to a functionality plugin:

add_filter( 'sharing_services_email', '__return_true' );

The email sharing button works, no problem.

Email Subject bug
Clicking the email sharing button:

  • creates an email and populates the subject line with the product name
  • spaces and punctuation marks in the subject line are encoded with the + sign and other characters

Example:

Men’s+Zouk+T-shirt:+Love+Dance+Zouk+(v-neck)

A solution is needed to stop encoding spaces and punctuation marks, please!

8b585279ec9ad72abc3a55eb91de515de903f5f2 added some detection of unsafe characters, but the solution was to MIME-encode them. However, the plugin passes whatever the Name input is unsanitized into the body of the email:

https://github.com/Automattic/jetpack/blob/335ccaf7f2469ccafd313a879bcd48ab4ea9e6b0/modules/sharedaddy/sharedaddy.php#L103-L111

Although the name field is sent to Akismet, it doesn't look like Akismet is recognizing this pattern of abuse yet.

https://github.com/Automattic/jetpack/blob/335ccaf7f2469ccafd313a879bcd48ab4ea9e6b0/modules/sharedaddy/sharedaddy.php#L77-L85

The proper thing to do is probably to cap the length of the name field so it is far shorter and less useful for sending a spammy message.

A user also reported that spammers can use the From field:

-----Mensaje original----- From: PAYOUT: + 9041 dollars >>> http://tour-may.ru/ZWttYW5uZW44MkB5YWhvby5zZQ== Sent: Thursday, May 7, 2020 6:41 PM To: [email protected] Subject: [Entrada compartida] Published title

Reported in: https://wordpress.org/support/topic/sharing-email-abused-for-spam/
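
A server-side check along the lines discussed in this thread (undo the extra slash, reject URLs, cap the length), written as an added example that is not Jetpack's code. The function name, the 50-character cap and the URL pattern are assumptions, and it runs as plain PHP without WordPress.

```php
<?php
// Added example: hypothetical server-side validator for the sharing "name" field.
// MAX_NAME_LENGTH is an assumed cap; the issue does not specify a value.
const MAX_NAME_LENGTH = 50;

/**
 * Returns the cleaned name, or null when the value must be rejected.
 * Assumes $raw arrives with added slashes, as WordPress does for $_POST values.
 * Running this on the server also covers requests POSTed directly, bypassing the form.
 */
function example_validate_share_name( string $raw ): ?string {
    // Undo the added slashes so O\'Testing becomes O'Testing.
    $name = trim( stripslashes( $raw ) );

    // Reject empty names and invalid UTF-8.
    if ( '' === $name || ! mb_check_encoding( $name, 'UTF-8' ) ) {
        return null;
    }
    // Reject control characters (line breaks included): a personal name has none.
    if ( preg_match( '/[\x00-\x1F\x7F]/', $name ) ) {
        return null;
    }
    // Cap the length, counted in characters rather than bytes.
    if ( mb_strlen( $name, 'UTF-8' ) > MAX_NAME_LENGTH ) {
        return null;
    }
    // Reject URL-like content: a scheme, "www.", or a dotted host name.
    // Trade-off: an unspaced value such as "Dr.Smith" is rejected too.
    if ( preg_match( '~://|\bwww\.|\b[a-z0-9-]+\.[a-z]{2,}\b~i', $name ) ) {
        return null;
    }
    return $name;
}

// Constructed sample inputs, not taken from real traffic.
$samples = array(
    "Jeremy O\\'Testing",                               // slashed apostrophe
    'PAYOUT: + 9041 dollars >>> http://spam.example/x', // URL in the name
    str_repeat( 'A', 200 ),                             // over the length cap
    "First line\nsecond line",                          // embedded line break
);
foreach ( $samples as $sample ) {
    $result = example_validate_share_name( $sample );
    printf( "%s => %s\n", json_encode( $sample ), null === $result ? 'rejected' : $result );
}
```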
