From 0ce8b95546f234bc2e1d2727d0816ccb9017e305 Mon Sep 17 00:00:00 2001 From: Scott Hutchinson Date: Wed, 21 Feb 2018 13:52:51 +1300 Subject: [PATCH] FIX Escape dollar signs in UserForm contents before inserting them with regex (#723) --- code/model/UserDefinedForm.php | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/code/model/UserDefinedForm.php b/code/model/UserDefinedForm.php index 0edee64..29af99b 100755 --- a/code/model/UserDefinedForm.php +++ b/code/model/UserDefinedForm.php @@ -5,7 +5,7 @@ */ class UserDefinedForm extends Page { - + /** * @var string */ @@ -370,7 +370,9 @@ class UserDefinedForm_Controller extends Page_Controller { if($this->Content && $form = $this->Form()) { $hasLocation = stristr($this->Content, '$UserDefinedForm'); if($hasLocation) { - $content = preg_replace('/(]*>)?\\$UserDefinedForm(<\\/p>)?/i', $form->forTemplate(), $this->Content); + /** @see Requirements_Backend::escapeReplacement */ + $formEscapedForRegex = addcslashes($form->forTemplate(), '\\$'); + $content = preg_replace('/(]*>)?\\$UserDefinedForm(<\\/p>)?/i', $formEscapedForRegex, $this->Content); return array( 'Content' => DBField::create_field('HTMLText', $content), 'Form' => "" @@ -688,7 +690,7 @@ JS foreach($recipients as $recipient) { $email = new UserFormRecipientEmail($submittedFields); $mergeFields = $this->getMergeFieldsMap($emailData['Fields']); - + if($attachments) { foreach($attachments as $file) { if($file->ID != 0) { @@ -700,7 +702,7 @@ JS } } } - + $parsedBody = SSViewer::execute_string($recipient->getEmailBodyContent(), $mergeFields); if (!$recipient->SendPlain && $recipient->emailTemplateExists()) {
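Review bot: The escaping on the `$formEscapedForRegex` line is correct for a `preg_replace()` replacement string (both `\` and `$` are covered, so `$1`, `${1}` or `\1` in the rendered form are no longer expanded as backreferences), but the one-line `@see` docblock does not say why it is needed, and the diffstat shows no test accompanying the fix. I would replace the docblock with a plain comment such as `// preg_replace() expands $n and \n in the replacement; escape them so form markup (e.g. a "$10" label) is inserted literally`, and add a regression test whose field title contains `$1`. A sturdier alternative is `preg_replace_callback()` with a closure that returns `$form->forTemplate()`, because a callback's return value is inserted verbatim and needs no escaping. The `preg_replace()` result is also used unchecked, so a PCRE error would pass null to `DBField::create_field('HTMLText', $content)`. The enclosing method starts and ends outside the hunk.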