From 91ca4ceaf2412e4c4570b7c94c6b5c083ba3e80c Mon Sep 17 00:00:00 2001
From: a6_chris <chris@a6software.co.uk>
Date: Thu, 7 Feb 2019 14:03:48 +0000
Subject: [PATCH 1/5] Adds escaping of some uncommon but valid email characters

---
 public/class-gdpr-requests-public.php | 50 +++++++++++++++++++++++----
 1 file changed, 43 insertions(+), 7 deletions(-)

diff --git a/public/class-gdpr-requests-public.php b/public/class-gdpr-requests-public.php
index 90f1c1d8..5f7da29d 100644
--- a/public/class-gdpr-requests-public.php
+++ b/public/class-gdpr-requests-public.php
@@ -40,7 +40,7 @@ public function delete_user( $user, $index ) {
 
 		if ( parent::remove_from_requests( $index ) ) {
 			$token = GDPR::generate_pin();
-			GDPR_Email::send( $user->user_email, 'delete-resolved', array( 'token' => $token ) );
+			GDPR_Email::send( $this->get_escaped_user_email_address( $user ), 'delete-resolved', array( 'token' => $token ) );
 			GDPR_Audit_Log::log( $user->ID, esc_html__( 'User was removed from the site.', 'gdpr' ) );
 			GDPR_Audit_Log::export_log( $user->ID, $token );
 			wp_delete_user( $user->ID );
@@ -194,14 +194,15 @@ public function send_request_email() {
 				break;
 		}
 
-		$key = parent::add_to_requests( $user->user_email, $type, $data );
+		$escaped_user_email = $this->get_escaped_user_email_address( $user );
+		$key = parent::add_to_requests( $escaped_user_email, $type, $data );
 
 		if ( 'export-data' !== $type ) {
 			$email_args['confirm_url'] = add_query_arg(
 				array(
 					'type'  => $type,
 					'key'   => $key,
-					'email' => $user->user_email,
+					'email' => $escaped_user_email,
 				),
 				home_url()
 			);
@@ -210,7 +211,7 @@ public function send_request_email() {
 				array(
 					'type'   => $type,
 					'key'    => $key,
-					'email'  => $user->user_email,
+					'email'  => $escaped_user_email,
 					'format' => 'xml',
 				),
 				home_url()
@@ -219,7 +220,7 @@ public function send_request_email() {
 				array(
 					'type'   => $type,
 					'key'    => $key,
-					'email'  => $user->user_email,
+					'email'  => $escaped_user_email,
 					'format' => 'json',
 				),
 				home_url()
@@ -227,7 +228,7 @@ public function send_request_email() {
 		}
 
 		if ( GDPR_Email::send(
-			$user->user_email,
+			$escaped_user_email,
 			"{$type}-request",
 			$email_args
 		) ) {
@@ -376,7 +377,7 @@ public function request_confirmed() {
 					$format = isset( $_GET['format'] ) ? sanitize_text_field( wp_unslash( $_GET['format'] ) ) : 'xml'; // WPCS: Input var ok, CSRF ok.
 					/* translators: File format. Can be XML or JSON */
 					GDPR_Audit_Log::log( $user->ID, sprintf( esc_html__( 'User downloaded all their data in %s format.', 'gdpr' ), $format ) );
-					$this->file_export_data( $user->user_email, $format, $key );
+					$this->file_export_data( $this->get_escaped_user_email_address( $user ), $format, $key );
 					break;
 			}
 		}
@@ -404,4 +405,39 @@ private function file_export_data( $email, $format, $key ) {
 		}
 		die();
 	}
+
+	/**
+	 * Provides escaping for uncommon, yet valid email address characters.
+	 *
+	 * @param string $email_in The starting email address.
+	 *
+	 * @return mixed|string
+	 */
+	private function escape_email_address( $email_in = '' ) {
+		$email_out = '';
+		$email_string_length = \strlen( $email_in );
+
+		for ( $i = 0; $i < $email_string_length; $i++ ) {
+			$hex = dechex( ord( $email_in[ $i ] ) );
+			if ('' === $hex) {
+				$email_out .= rawurlencode( $email_in[ $i ] );
+			} else {
+				$email_out = $email_out . '%' . ( ( 1 === strlen( $hex ) ) ? ( '0' . strtoupper( $hex ) ) : strtoupper( $hex ) );
+			}
+		}
+		$email_out = str_replace( array( '+', '_', '.', '-' ), array( '%20', '%5F', '%2E', '%2D' ), $email_out );
+
+		return $email_out;
+	}
+
+	/**
+	 * Get the escpaed user email address.
+	 *
+	 * @param WP_User $user the User object.
+	 *
+	 * @return mixed|string
+	 */
+	private function get_escaped_user_email_address( WP_User $user ) {
+		return $this->escape_email_address( $user->user_email );
+	}
 }

From 5e0491fbfed25ed15473fe20b3ef42de0f5a666c Mon Sep 17 00:00:00 2001
From: a6_chris <chris@a6software.co.uk>
Date: Thu, 7 Feb 2019 15:02:01 +0000
Subject: [PATCH 2/5] Adds data attribute with function to call to close
 notification modal

---
 public/partials/confirmation-screens.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/partials/confirmation-screens.php b/public/partials/confirmation-screens.php
index 10e02252..48e715e1 100644
--- a/public/partials/confirmation-screens.php
+++ b/public/partials/confirmation-screens.php
@@ -55,7 +55,7 @@
 			<p><?php echo esc_html( $text ); ?></p>
 		</div>
 		<footer>
-			<button class="gdpr-ok"><?php esc_html_e( 'OK', 'gdpr' ); ?></button>
+			<button class="gdpr-ok" data-callback="closeNotification"><?php esc_html_e( 'OK', 'gdpr' ); ?></button>
 		</footer>
 	</div>
 </div>

From 994d1cd4f9e4ec4a8acfa7ae6a020206894612cf Mon Sep 17 00:00:00 2001
From: a6_chris <chris@a6software.co.uk>
Date: Thu, 7 Feb 2019 15:04:46 +0000
Subject: [PATCH 3/5] Fix for success handler for gdpr-privacy-preferences-frm
 submission

---
 src/js/public/gdpr-public.js | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/js/public/gdpr-public.js b/src/js/public/gdpr-public.js
index b40c44de..9e4ef65e 100644
--- a/src/js/public/gdpr-public.js
+++ b/src/js/public/gdpr-public.js
@@ -98,17 +98,16 @@
 
 		$(document).on('submit', '.gdpr-privacy-preferences-frm', function(e) {
 			e.preventDefault();
-			var that = $(this);
 			var formData = $(this).serialize();
 
 			$.post(
 				GDPR.ajaxurl,
 				formData,
-				function(response) {
-					if ( response.success ) {
+				function(response, textStatus, xhr) {
+					if ( 200 === xhr.status ) {
 						Cookies.set('gdpr[privacy_bar]', 1, { expires: 365 });
 						if ( GDPR.refresh ) {
-							window.location.reload();
+							window.location.reload( true );
 						} else {
               var scrollDistance = $('body').css('top');
 							$('.gdpr-overlay').fadeOut();

From 8e472137ae4d5c06ee790e7fbfea9b0d86121421 Mon Sep 17 00:00:00 2001
From: a6_chris <chris@a6software.co.uk>
Date: Thu, 7 Feb 2019 15:10:38 +0000
Subject: [PATCH 4/5] Dispatch custom event when user accepts the policy

---
 src/js/public/gdpr-public.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/js/public/gdpr-public.js b/src/js/public/gdpr-public.js
index 9e4ef65e..8426f3be 100644
--- a/src/js/public/gdpr-public.js
+++ b/src/js/public/gdpr-public.js
@@ -115,6 +115,7 @@
 							$(window).scrollTop(Math.abs( parseInt( scrollDistance, 10 ) ) );
 							$('.gdpr.gdpr-privacy-preferences .gdpr-wrapper').fadeOut();
 							$('.gdpr-privacy-bar').fadeOut();
+							$( document ).trigger( "updatedPrivacyPreferences" );
 						}
 					} else {
 						displayNotification( response.data.title, response.data.content );

From 704d16bcab931a367cb8bd9749cb088ed2f3d2e4 Mon Sep 17 00:00:00 2001
From: Christopher Moss <chris@a6software.co.uk>
Date: Thu, 7 Feb 2019 15:47:28 +0000
Subject: [PATCH 5/5] Fix: Use single quotes

---
 src/js/public/gdpr-public.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/js/public/gdpr-public.js b/src/js/public/gdpr-public.js
index 8426f3be..e1719bba 100644
--- a/src/js/public/gdpr-public.js
+++ b/src/js/public/gdpr-public.js
@@ -115,7 +115,7 @@
 							$(window).scrollTop(Math.abs( parseInt( scrollDistance, 10 ) ) );
 							$('.gdpr.gdpr-privacy-preferences .gdpr-wrapper').fadeOut();
 							$('.gdpr-privacy-bar').fadeOut();
-							$( document ).trigger( "updatedPrivacyPreferences" );
+							$( document ).trigger( 'updatedPrivacyPreferences' );
 						}
 					} else {
 						displayNotification( response.data.title, response.data.content );