diff --git a/send-wp-mail.php b/send-wp-mail.php index 086ccc6..37842c6 100644 --- a/send-wp-mail.php +++ b/send-wp-mail.php @@ -55,11 +55,12 @@ add_action('plugins_loaded', 'swpm_plugin_load_textdomain'); * Our main function to display and process our form * * @since 0.9 + * @since 1.1 No more email spoofing - use wp_mail_from hook/default */ function swpm_plugin_main() { - // get site info to construct 'FROM' for email - $from_name = wp_specialchars_decode( get_option('blogname'), ENT_QUOTES ); - $from_email = get_bloginfo('admin_email'); + // get email and name from WordPress hooks if available. + $from_name = apply_filters( 'wp_mail_from_name', '' ); + $from_email = apply_filters( 'wp_mail_from', '' ); // initialize $send_mail_message = false; @@ -115,7 +116,7 @@ function swpm_plugin_main() { // send the email if no errors were found if ( empty($errors) ) { $headers[] = "Content-Type: text/html; charset=\"" . get_option('blog_charset') . "\"\n"; - $headers[] = 'From: ' . $from_name . ' <' . $from_email . ">\r\n"; + // $headers[] = 'From: ' . $from_name . ' <' . $from_email . ">\r\n"; // We should let wp_mail handle the name and address. no spoofing. $attachments = $attachment_path; if ( $group_email === 'yes' ) { @@ -139,10 +140,28 @@ function swpm_plugin_main() { unlink($attachment_path); } } - } + } + + // reconstruct wp_mail defaults. + if ( empty( $from_email ) ) { + $from_email = 'wordpress@'; + $domain = wp_parse_url( network_home_url(), PHP_URL_HOST ); + if ( null !== $domain ) { + if ( str_starts_with( $domain, 'www.' ) ) { + $domain = substr( $domain, 4 ); + } + $from_email .= $domain; + } + } + + if ( empty( $from_name ) ) { + $from_name = 'WordPress'; + } + ?>
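Review bot: Both filters are run with an empty string as the value (`apply_filters( 'wp_mail_from', '' )`), so any callback that inspects or passes through its input sees `''` instead of the default address that wp_mail() passes to the same filter. The sender this form works with can therefore differ from the one actually used. The defaults rebuilt in the third hunk are applied only afterwards, and only when the filtered result is empty. Building the default first and filtering it, as in `$from_email = apply_filters( 'wp_mail_from', $default_from_email );` and `$from_name = apply_filters( 'wp_mail_from_name', 'WordPress' );`, keeps the two in step. swpm_plugin_main() continues outside this hunk.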
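Review bot: The old `From:` header is kept as commented-out code with its rationale beside it; I would delete the line and keep only a short why-comment, so nobody later re-enables a header built by concatenating `$from_name` and `$from_email`. Something like `// From is intentionally not set here: wp_mail() and the wp_mail_from / wp_mail_from_name filters decide the sender.` is enough. The enclosing `if ( empty($errors) )` block runs past the hunk.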

+
wp_mail() directly from this website.', 'swpm' ); ?>
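Review bot: When no host comes back for `network_home_url()`, `$from_email` is left as the bare `wordpress@`, and that incomplete address is what the rest of the function then treats as the sender. Guarding on a non-empty string host (`if ( is_string( $domain ) && '' !== $domain )`) and handling the other case explicitly would avoid presenting it. `str_starts_with()` also needs PHP 8 or a WordPress release that ships the polyfill, so the plugin's stated minimum versions should be checked. The markup after `?>` is not readable on this page; if it prints `$from_name` or `$from_email`, those filter-derived values should go through `esc_html()` at output.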