Fix security issue with non-escaped HTML in options page

It adds significant overhead to each pageload and is only needed when
the rules change (aka after install).

bootstrap.php

@@ -55,7 +55,7 @@ class visitors_edits{
 			]);
 			global $post;
 			$new_content = str_replace("#post_link#", get_site_url().'/'.$post->post_name.'/suggestions', stripcslashes($options["propose_edit_link"]));
-			$content .= $new_content;	
+			$content .= $new_content;
 		}
 		return $content;
 	}
@@ -83,6 +83,7 @@ class visitors_edits{
 
 		require_once( ABSPATH . 'wp-admin/includes/upgrade.php' );
 		dbDelta( $sql );
+		flush_rewrite_rules(true);
 	}
 	public function query_vars($query_vars){
 		$query_vars[] = 'visitors_edits_post_name';
@@ -94,7 +95,6 @@ class visitors_edits{
 	        'index.php?visitors_edits_post_name=$matches[1]',
 	        'top'
 	    );
-	    flush_rewrite_rules(true);
 	}
 	public function parse_request($request){
 		if( isset( $request->query_vars['visitors_edits_post_name'] ) ):
@@ -126,10 +126,10 @@ function visitors_editsDIFF($oldHtml,$newHtml){
 	require "vendor/autoload.php";
 	$htmlDiff = new HtmlDiff($oldHtml, $newHtml);
 	$htmlDiff->getConfig()->setGroupDiffs(false);
-	
+
 	return $htmlDiff->build();
 }
 function visitors_editsDOM(){
 	return new Dom;
 }
-?>
+?>

inc/mail.php

@@ -14,14 +14,8 @@ class visitors_edits_EMAIL{
 			"notify_admin"=>null
 		]);
 
-		$headers= "MIME-Version: 1.0\r\n";
-		$headers .= "Content-Type: text/html; charset=UTF-8\r\n";
-
-		wp_mail($destination, $this->subject, $this->body,$headers);
-		/*
-		subject : $this->subject
-		body : $this->body
-		*/
+		$headers = "Content-Type: text/html; charset=UTF-8\r\n";
+		wp_mail($destination, $this->subject, $this->body, $headers);
 	}
 	private function loadTemplate($template){
 		ob_start();

inc/settings.php

@@ -1,4 +1,4 @@
-<?php 
+<?php
 	$options=[];
 	if(isset($_POST["save_settings"])){
 		$options=[
@@ -8,7 +8,7 @@
 			"admin_notif_message"=>$_POST["admin_notif_message"],
 			"visitor_notif_message"=>$_POST["visitor_notif_message"],
 			"edit_notify_message"=>$_POST["edit_notify_message"],
-			"propose_edit_link"=>$_POST["propose_edit_link"]
+			"propose_edit_link"=>html_entity_decode($_POST["propose_edit_link"])
 		];
 		update_option( "visitors_edits_options", $options );
 		flashMessage("Settings saved.","");
@@ -29,7 +29,7 @@
 	<form action="" method="post">
 		<div class="control">
 			<label>Propose an edit link</label>
-			<input type="text" name="propose_edit_link" value="<?php echo stripcslashes($options['propose_edit_link']) ?>">
+			<input type="text" name="propose_edit_link" value="<?php echo htmlentities(stripcslashes($options['propose_edit_link'])) ?>">
 		</div>
 		<div class="control">
 			<label>Admin notification message</label>
@@ -68,4 +68,4 @@ function flashMessage($msg,$type){
     </div>
     <?php
 }
-?>
+?>