2.5.0 - allowedMessageFields

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Release Notes for Contact Form
 
+## 2.5.0 - 2022-04-15
+
+### Added
+- Added the `allowedMessageFields` setting, which can be used to restrict which `message` fields are allowed to be submitted.
+
 ## 2.4.1 - 2022-04-12
 
 ### Fixed

README.md

@@ -169,6 +169,16 @@ An email sent with the above form might result in the following message:
 
     Cathy Chino
 
+By default, there’s no restriction on which keys can be included on `message`. You can limit which fields are allowed using the `allowedMessageFields` setting in `config/contact-form.php`:
+
+```php
+<?php
+
+return [
+    'allowedMessageFields' => ['Phone', 'Services'],
+];
+```
+
 ### Overriding plugin settings
 
 If you create a [config file](https://craftcms.com/docs/config-settings) in your `config/` folder called `contact-form.php`, you can override

composer.json

@@ -1,7 +1,7 @@
 {
   "name": "craftcms/contact-form",
   "description": "Add a simple contact form to your Craft CMS site",
-  "version": "2.4.1",
+  "version": "2.5.0",
   "type": "craft-plugin",
   "keywords": [
     "cms",

src/Mailer.php

@@ -195,16 +195,15 @@ public function compileTextBody(Submission $submission): string
         $fields[Craft::t('contact-form', 'Email')] = $submission->fromEmail;
 
         if (is_array($submission->message)) {
+            $settings = Plugin::getInstance()->getSettings();
             $messageFields = array_merge($submission->message);
             $body = ArrayHelper::remove($messageFields, 'body', '');
-            $messageKeys = array_map(function($key) {
-                if (is_string($key)) {
-                    return Craft::t('site', $key);
+            foreach ($messageFields as $key => $value) {
+                if ($settings->allowedMessageFields === null || in_array($key, $settings->allowedMessageFields)) {
+                    $label = Craft::t('site', $key);
+                    $fields[$label] = $value;
                 }
-                return $key;
-            }, array_keys($messageFields));
-            $otherBodyFields = array_combine($messageKeys, $messageFields);
-            $fields = array_merge($fields, $otherBodyFields);
+            }
         } else {
             $body = (string)$submission->message;
         }

src/models/Settings.php

@@ -36,6 +36,12 @@ class Settings extends Model
      */
     public $successFlashMessage;
 
+    /**
+     * @var string[]|null List of allowed `message` sub-keys that can be posted to `contact-form/send` (besides `body`).
+     * @since 2.5.0
+     */
+    public $allowedMessageFields;
+
     /**
      * @inheritdoc
      */