From 4380a086db9ded878be51fb4da041928c9bb11a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dufraisse?=
 <jeremy.dufraisse-info@orange.fr>
Date: Wed, 20 Mar 2024 12:48:36 +0100
Subject: [PATCH] fix(contact-form-handler-php): capture wantedContact and
 sanitize it rigthly

---
 src/form/contact-form-handler.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/form/contact-form-handler.php b/src/form/contact-form-handler.php
index 3fbbd3e..c61b2b5 100644
--- a/src/form/contact-form-handler.php
+++ b/src/form/contact-form-handler.php
@@ -14,11 +14,12 @@ $domainFromMyEmail = (
 ) ? ''
 : $myEmailSplitted[1];
 
-$wantedContact = filter_input(INPUT_POST, 'contactTo', FILTER_VALIDATE_EMAIL);
+$wantedContact = filter_input(INPUT_POST, 'contactTo', FILTER_SANITIZE_SPECIAL_CHARS);
 $wantedContact = (
     empty($wantedContact)
+    || strpos($wantedContact, '@') !== false
+    || strpos($wantedContact, '&') !== false
     || empty($domainFromMyEmail)
-    || substr($wantedContact, -strlen($domainFromMyEmail)) != $domainFromMyEmail
 ) ? $myEmail : "$wantedContact@$domainFromMyEmail" ;
 
 if(empty($_POST['namezzz']) || empty($_POST['emailzzz']) || empty($_POST['message'])) {