fix: handle encoded URLs and block patterns in redirect check (#1635)

* fix: handle encoded URLs and block patterns in redirect check * fix: allow links to redirect from previews, but don’t track the click * fix: don’t track seen for admins, either * test: fix test_tracking_click test * fix: remove admin check bc WP isn't available at this point
Automattic · Sep 12, 2024 · 2fa5d16 · 2fa5d16
1 parent 1b4a6c6
commit 2fa5d16
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 4 deletions.
diff --git a/includes/tracking/class-click.php b/includes/tracking/class-click.php
@@ -155,8 +155,13 @@ public static function handle_click( $with_redirect = true ) {
 
 		// Double-check and make sure the URL is actually a URL within the email.
 		$url_without_query_args = untrailingslashit( strtok( $url, '?' ) );
-		$newsletter_content     = get_post_field( 'post_content', $newsletter_id, 'raw' );
-		if ( '' === $newsletter_content || false === stripos( $newsletter_content, $url_without_query_args ) ) {
+		$newsletter_content     = (string) get_post_meta( $newsletter_id, 'newspack_email_html', true );
+		$is_admin_user          = current_user_can( 'edit_others_posts' );
+		if (
+			false === stripos( $newsletter_content, $url_without_query_args ) &&
+			false === stripos( $newsletter_content, urlencode( $url_without_query_args ) ) && // URL might be encoded via a block pattern.
+			! $is_admin_user // Allow redirect for logged-in editor or admin users.
+		) {
 			\wp_die( 'Invalid URL', '', 400 );
 			exit;
 		}
@@ -177,7 +182,10 @@ public static function handle_click( $with_redirect = true ) {
 			exit;
 		}
 
-		self::track_click( $newsletter_id, $email_address, $url );
+		// Don't track if the user is a logged-in editor or admin user.
+		if ( ! $is_admin_user ) {
+			self::track_click( $newsletter_id, $email_address, $url );
+		}
 
 		if ( $with_redirect ) {
 			\wp_redirect( $url ); // phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

diff --git a/tests/test-tracking.php b/tests/test-tracking.php
@@ -54,13 +54,18 @@ public function test_tracking_pixel() {
 	 * Test tracking click.
 	 */
 	public function test_tracking_click() {
+		$content  = "<!-- wp:paragraph -->\n<p><a href=\"https://google.com\">Link</a><\/p>\n<!-- \/wp:paragraph -->";
 		$post_id  = $this->factory->post->create(
 			[
 				'post_type'    => \Newspack_Newsletters::NEWSPACK_NEWSLETTERS_CPT,
 				'post_title'   => 'A newsletter with link.',
-				'post_content' => "<!-- wp:paragraph -->\n<p><a href=\"https://google.com\">Link</a><\/p>\n<!-- \/wp:paragraph -->",
+				'post_content' => $content,
 			]
 		);
+
+		// Ensure the newspack_email_html meta is set.
+		update_post_meta( $post_id, 'newspack_email_html', $content );
+
 		$post     = \get_post( $post_id );
 		$rendered = Newspack_Newsletters_Renderer::post_to_mjml_components( $post );