authorChristian Grothoff <christian@grothoff.org>2020-10-19 18:25:02 +0200
committerChristian Grothoff <christian@grothoff.org>2020-10-19 18:25:02 +0200
commite00ad679a3943dd1b52a635055a7436dfd1f6328 (patch)
tree37f826ea168033b6c1b7c98cea684fcb9c3ef359
parent4d8089f2527f9ff10da62f4aba41a3a6274013d2 (diff)
fixing misc phpcs errors and warnings
-rw-r--r--plugin/GNU-Taler-Payment-Gateway/class-wc-gnutaler-gateway.php39
1 files changed, 25 insertions, 14 deletions
diff --git a/plugin/GNU-Taler-Payment-Gateway/class-wc-gnutaler-gateway.php b/plugin/GNU-Taler-Payment-Gateway/class-wc-gnutaler-gateway.php
index 348d614..5121992 100644
--- a/plugin/GNU-Taler-Payment-Gateway/class-wc-gnutaler-gateway.php
+++ b/plugin/GNU-Taler-Payment-Gateway/class-wc-gnutaler-gateway.php
@@ -101,7 +101,7 @@ function gnutaler_init_gateway_class() {
),
)
),
- get_admin_url( null, 'plugins.php' )
+ esc_url( get_admin_url( null, 'plugins.php' ) )
)
);
}
@@ -257,8 +257,8 @@ function gnutaler_init_gateway_class() {
$refund_url = $wc_order->get_meta( 'GNU_TALER_REFUND_URL' );
echo sprintf(
/* translators: placeholder will be replaced with the refund URL */
- __( 'Refund granted. Visit <a href="%1$s">%1$s</a> to obtain the refund.', 'gnutaler' ),
- $refund_url
+ esc_html( __( 'Refund granted. Visit <a href="%1$s">%1$s</a> to obtain the refund.', 'gnutaler' ) ),
+ esc_url( $refund_url )
);
}
}
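Review bot: The new `esc_html()` wrapper on the translated string also escapes the `<a href="%1$s">…</a>` markup inside it, so the refund link will be rendered as literal `&lt;a href=…&gt;` text instead of a clickable anchor; `esc_url( $refund_url )` alone was the right escaping for the untrusted part. Since the markup is fixed and only the URL is data, escape the data and whitelist the tag on the assembled output: `echo wp_kses( sprintf( __( 'Refund granted. Visit <a href="%1$s">%1$s</a> to obtain the refund.', 'gnutaler' ), esc_url( $refund_url ) ), array( 'a' => array( 'href' => array() ) ) );`. That keeps phpcs satisfied without breaking the link. The enclosing method begins before this hunk.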
@@ -298,18 +298,23 @@ function gnutaler_init_gateway_class() {
public function fulfillment_url_handler(): void {
global $woocommerce;
+ // We intentionally do NOT verify the nonce here, as this page
+ // should work even if the deep link is shared with other users
+ // or even non-users.
+ // phpcs:disable WordPress.Security.NonceVerification
if ( ! isset( $_GET['order_id'] ) ) {
$this->debug( __( "Lacking 'order_id', forwarding user to neutral page", 'gnutaler' ) );
if ( is_user_logged_in() ) {
- wp_redirect( get_home_url() . wc_get_page_permalink( 'myaccount' ) );
+ wp_safe_redirect( get_home_url() . wc_get_page_permalink( 'myaccount' ) );
} else {
- wp_redirect( get_home_url() . wc_get_page_permalink( 'shop' ) );
+ wp_safe_redirect( get_home_url() . wc_get_page_permalink( 'shop' ) );
}
exit;
}
// Gets the order id from the fulfillment url.
- $taler_order_id = $_GET['order_id'];
+ $taler_order_id = sanitize_text_field( wp_unslash( $_GET['order_id'] ) );
+ // phpcs:enable
$order_id_array = explode( '-', $taler_order_id );
$order_id_name = $order_id_array[0];
$order_id = $order_id_array[1];
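Review bot: `$order_id_array[1]` is read without checking that `explode( '-', $taler_order_id )` actually produced two parts, so a request such as `?order_id=foo` yields an undefined-index notice and a null `$order_id` that flows into the backend lookup below. Because the nonce check is deliberately disabled here (the deep link is meant to be shareable), this parameter must be treated as fully attacker-controlled, so validate its shape before using it: `if ( count( $order_id_array ) < 2 || '' === $order_id_array[1] ) { wp_safe_redirect( wc_get_page_permalink( 'shop' ) ); exit; }`. Separately, `get_home_url() . wc_get_page_permalink( … )` looks like it concatenates two absolute URLs if `wc_get_page_permalink()` returns a full permalink as it does in current WooCommerce — worth confirming. The rest of `fulfillment_url_handler()` continues past this hunk.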
@@ -337,7 +342,7 @@ function gnutaler_init_gateway_class() {
__( 'backend did not respond', 'gnutaler' )
);
$this->notice( __( 'Payment failed: no reply from Taler backend', 'gnutaler' ) );
- wp_redirect( $this->get_return_url( $order_id ) );
+ wp_safe_redirect( $this->get_return_url( $order_id ) );
exit;
}
if ( 'paid' === $merchant_order_status_response['order_status'] ) {
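Review bot: `$this->get_return_url( $order_id )` on the changed line passes the order id string, while the same call a few lines later (in the next hunk) passes `$wc_order`; if this is `WC_Payment_Gateway::get_return_url()`, it expects an order object and calls a method on it, so the string form would fatal on this error path. Use the order object consistently: `wp_safe_redirect( $this->get_return_url( $wc_order ) );`, or fall back to `$this->get_return_url()` with no argument if `$wc_order` may not be resolved yet at this point. The enclosing method starts and ends outside this hunk.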
@@ -353,7 +358,7 @@ function gnutaler_init_gateway_class() {
);
$this->notice( __( 'Backend did not confirm payment', 'gnutaler' ) );
}
- wp_redirect( $this->get_return_url( $wc_order ) );
+ wp_safe_redirect( $this->get_return_url( $wc_order ) );
exit;
default:
$this->error(
@@ -361,14 +366,14 @@ function gnutaler_init_gateway_class() {
. $payment_http_status . ' - ' . $payment_body
);
wc_add_notice( __( 'Payment error:', 'gnutaler' ) . $payment_http_status . ' - ' . $payment_body );
- wp_redirect( $this->get_return_url( $order_id ) );
+ wp_safe_redirect( $this->get_return_url( $order_id ) );
break;
}
$cart_url = $woocommerce->cart->wc_get_cart_url();
if ( is_set( $cart_url ) ) {
- wp_redirect( get_home_url() . $cart_url );
+ wp_safe_redirect( get_home_url() . $cart_url );
} else {
- wp_redirect( wc_get_page_permalink( 'shop' ) );
+ wp_safe_redirect( wc_get_page_permalink( 'shop' ) );
}
exit;
}
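Review bot: The `wp_safe_redirect( $this->get_return_url( $order_id ) );` in the `default:` branch is followed by `break;` with no `exit;`, so execution continues to the cart/shop redirect below, whose `Location` header replaces the one just set; the user never lands on the error return URL. Add `exit;` before the `break;` (matching the other branches), or drop the redirect there if falling through to the cart is intended. Also on the visible lines, `is_set( $cart_url )` is not a PHP function (`isset` is a language construct), so that line will raise an undefined-function error whenever it is reached unless a project helper defines it, and the `wc_add_notice()` call for the error case omits the `'error'` notice type. The enclosing method starts before this hunk.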
@@ -385,6 +390,7 @@ function gnutaler_init_gateway_class() {
* @return array The return array will either have the successful return value or a detailed error message.
*/
private function call_api( $method, $url, $body ): array {
+ // phpcs:disable WordPress.WP.AlternativeFunctions
$curl = curl_init();
switch ( $method ) {
case 'POST':
@@ -403,7 +409,7 @@ function gnutaler_init_gateway_class() {
break;
}
if ( $body ) {
- $jsonstr = json_encode( $body, JSON_UNESCAPED_SLASHES );
+ $jsonstr = wp_json_encode( $body, JSON_UNESCAPED_SLASHES, 0, 16 );
$this->debug( 'Using POST body ' . $jsonstr . ' for upload to ' . $url );
curl_setopt(
$curl,
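Review bot: `wp_json_encode( $body, JSON_UNESCAPED_SLASHES, 0, 16 )` does not match WordPress' `wp_json_encode( $data, $flags = 0, $depth = 512 )`: the fourth argument is ignored and the third sets the depth to 0, which `json_encode()` rejects (`false` plus a warning on PHP 7, a `ValueError` on PHP 8), so the request body would never be sent correctly. The arguments look like a mix-up of the old `json_encode()` positional form; use `$jsonstr = wp_json_encode( $body, JSON_UNESCAPED_SLASHES );` and, since it can still return `false`, guard with `if ( false === $jsonstr ) { … return error array … }` before the debug log and `curl_setopt`. Note the debug line logs the full body, so this path must never carry credentials. `call_api()` continues beyond this hunk.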
@@ -431,7 +437,7 @@ function gnutaler_init_gateway_class() {
$http_code = curl_getinfo( $curl, CURLINFO_HTTP_CODE );
if ( curl_error( $curl ) ) {
- $error_msg = curl_error( $curl );
+ $error_msg = curl_error( $curl );
$this->warning(
sprintf(
/* translators: first placeholder is the CURL error message, second the HTTP status code */
@@ -459,6 +465,7 @@ function gnutaler_init_gateway_class() {
'message' => $result,
);
curl_close( $curl );
+ // phpcs:enable
return $message_array;
}
@@ -1006,7 +1013,11 @@ function gnutaler_init_gateway_class() {
} else {
$user_id = 'Guest';
}
- $order_id = $_GET['order_id'];
+ // We intentionally do NOT verify the nonce here, as logging
+ // should always work.
+ // phpcs:disable WordPress.Security.NonceVerification
+ $order_id = sanitize_text_field( wp_unslash( $_GET['order_id'] ) );
+ // phpcs:enable
if ( empty( self::$logger ) ) {
self::$logger = wc_get_logger();
}
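Review bot: `$_GET['order_id']` is read here without an `isset()` check, which conflicts with the comment that logging should always work — any log call on a request without that parameter emits an undefined-index notice (and the `wp_unslash()` of null is questionable on newer PHP). Make the read tolerant: `$order_id = isset( $_GET['order_id'] ) ? sanitize_text_field( wp_unslash( $_GET['order_id'] ) ) : '';`. The enclosing function starts and ends outside this hunk, so I cannot see whether `$order_id` is later used in a context that needs further escaping.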