From e00ad679a3943dd1b52a635055a7436dfd1f6328 Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Mon, 19 Oct 2020 18:25:02 +0200
Subject: fixing misc phpcs errors and warnings

---
 .../class-wc-gnutaler-gateway.php | 39 ++++++++++++++--------
 1 file changed, 25 insertions(+), 14 deletions(-)

diff --git a/plugin/GNU-Taler-Payment-Gateway/class-wc-gnutaler-gateway.php b/plugin/GNU-Taler-Payment-Gateway/class-wc-gnutaler-gateway.php
index 348d614..5121992 100644
--- a/plugin/GNU-Taler-Payment-Gateway/class-wc-gnutaler-gateway.php
+++ b/plugin/GNU-Taler-Payment-Gateway/class-wc-gnutaler-gateway.php
@@ -101,7 +101,7 @@ function gnutaler_init_gateway_class() {
 						),
 					)
 				),
-				get_admin_url( null, 'plugins.php' )
+				esc_url( get_admin_url( null, 'plugins.php' ) )
 			)
 		);
 	}
@@ -257,8 +257,8 @@ function gnutaler_init_gateway_class() {
 				$refund_url = $wc_order->get_meta( 'GNU_TALER_REFUND_URL' );
 				echo sprintf(
 					/* translators: placeholder will be replaced with the refund URL */
-					__( 'Refund granted. Visit %1$s to obtain the refund.', 'gnutaler' ),
-					$refund_url
+					esc_html( __( 'Refund granted. Visit %1$s to obtain the refund.', 'gnutaler' ) ),
+					esc_url( $refund_url )
 				);
 			}
 		}
@@ -298,18 +298,23 @@ function gnutaler_init_gateway_class() {
 		public function fulfillment_url_handler(): void {
 			global $woocommerce;
+			// We intentionally do NOT verify the nonce here, as this page
+			// should work even if the deep link is shared with other users
+			// or even non-users.
+			// phpcs:disable WordPress.Security.NonceVerification
 			if ( ! isset( $_GET['order_id'] ) ) {
 				$this->debug( __( "Lacking 'order_id', forwarding user to neutral page", 'gnutaler' ) );
 				if ( is_user_logged_in() ) {
-					wp_redirect( get_home_url() . wc_get_page_permalink( 'myaccount' ) );
+					wp_safe_redirect( get_home_url() . wc_get_page_permalink( 'myaccount' ) );
 				} else {
-					wp_redirect( get_home_url() . wc_get_page_permalink( 'shop' ) );
+					wp_safe_redirect( get_home_url() . wc_get_page_permalink( 'shop' ) );
 				}
 				exit;
 			}
 			// Gets the order id from the fulfillment url.
-			$taler_order_id = $_GET['order_id'];
+			$taler_order_id = sanitize_text_field( wp_unslash( $_GET['order_id'] ) );
+			// phpcs:enable
 			$order_id_array = explode( '-', $taler_order_id );
 			$order_id_name = $order_id_array[0];
 			$order_id = $order_id_array[1];
@@ -337,7 +342,7 @@ function gnutaler_init_gateway_class() {
 					__( 'backend did not respond', 'gnutaler' )
 				);
 				$this->notice( __( 'Payment failed: no reply from Taler backend', 'gnutaler' ) );
-				wp_redirect( $this->get_return_url( $order_id ) );
+				wp_safe_redirect( $this->get_return_url( $order_id ) );
 				exit;
 			}
 			if ( 'paid' === $merchant_order_status_response['order_status'] ) {
@@ -353,7 +358,7 @@ function gnutaler_init_gateway_class() {
 						);
 						$this->notice( __( 'Backend did not confirm payment', 'gnutaler' ) );
 					}
-					wp_redirect( $this->get_return_url( $wc_order ) );
+					wp_safe_redirect( $this->get_return_url( $wc_order ) );
 					exit;
 				default:
 					$this->error(
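Review bot: The sanitized `$taler_order_id` is still split with `explode( '-', ... )` and `$order_id_array[1]` is read unconditionally, so a request whose `order_id` contains no `-` continues into the order lookup with an undefined-index notice and a null order id; `sanitize_text_field()` cleans the string but does not enforce its shape. I would add, directly after the explode, `if ( count( $order_id_array ) < 2 ) { wp_safe_redirect( wc_get_page_permalink( 'shop' ) ); exit; }` or reuse the neutral-page branch above. Separately, `wp_safe_redirect()` validates the target host, so if `wc_get_page_permalink()` already returns an absolute URL the concatenation `get_home_url() . wc_get_page_permalink( 'myaccount' )` will now fail that check and fall back to the default target instead of merely producing an odd URL — worth confirming with a test. The method body continues past the end of this hunk.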
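Review bot: `wp_safe_redirect( $this->get_return_url( $order_id ) );` in the no-reply branch passes the raw id string, whereas the `paid` branch in the next hunk calls `get_return_url( $wc_order )` with the order object; if `get_return_url()` expects an order object, as the sibling call suggests, this error path builds its redirect from the wrong argument and the switch to `wp_safe_redirect()` does not change that. I would pass the same value in both places, e.g. `wp_safe_redirect( $this->get_return_url( $wc_order ) );` once the order has been loaded, or redirect to `wc_get_page_permalink( 'shop' )` if it has not. The enclosing method starts and ends outside this hunk.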
@@ -361,14 +366,14 @@ function gnutaler_init_gateway_class() {
 						. $payment_http_status . ' - ' . $payment_body
 					);
 					wc_add_notice( __( 'Payment error:', 'gnutaler' ) . $payment_http_status . ' - ' . $payment_body );
-					wp_redirect( $this->get_return_url( $order_id ) );
+					wp_safe_redirect( $this->get_return_url( $order_id ) );
 					break;
 			}
 			$cart_url = $woocommerce->cart->wc_get_cart_url();
 			if ( is_set( $cart_url ) ) {
-				wp_redirect( get_home_url() . $cart_url );
+				wp_safe_redirect( get_home_url() . $cart_url );
 			} else {
-				wp_redirect( wc_get_page_permalink( 'shop' ) );
+				wp_safe_redirect( wc_get_page_permalink( 'shop' ) );
 			}
 			exit;
 		}
@@ -385,6 +390,7 @@ function gnutaler_init_gateway_class() {
 		 * @return array The return array will either have the successful return value or a detailed error message.
 		 */
 		private function call_api( $method, $url, $body ): array {
+			// phpcs:disable WordPress.WP.AlternativeFunctions
 			$curl = curl_init();
 			switch ( $method ) {
 				case 'POST':
@@ -403,7 +409,7 @@ function gnutaler_init_gateway_class() {
 					break;
 			}
 			if ( $body ) {
-				$jsonstr = json_encode( $body, JSON_UNESCAPED_SLASHES );
+				$jsonstr = wp_json_encode( $body, JSON_UNESCAPED_SLASHES, 0, 16 );
 				$this->debug( 'Using POST body ' . $jsonstr . ' for upload to ' . $url );
 				curl_setopt(
 					$curl,
@@ -431,7 +437,7 @@ function gnutaler_init_gateway_class() {
 			$http_code = curl_getinfo( $curl, CURLINFO_HTTP_CODE );
 			if ( curl_error( $curl ) ) {
-				$error_msg = curl_error( $curl );
+				$error_msg  = curl_error( $curl );
 				$this->warning(
 					sprintf(
 						/* translators: first placeholder is the CURL error message, second the HTTP status code */
@@ -459,6 +465,7 @@ function gnutaler_init_gateway_class() {
 				'message' => $result,
 			);
 			curl_close( $curl );
+			// phpcs:enable
 			return $message_array;
 		}
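Review bot: The default case's `wp_safe_redirect( $this->get_return_url( $order_id ) );` is followed by `break;` rather than `exit;`, so execution continues to the cart redirect below, whose own `wp_safe_redirect()` replaces the Location header and the error-page redirect is lost; every other redirect in this method (the no-reply and `paid` branches in the preceding hunks) is followed immediately by `exit;`. Either add `exit;` after that call or remove the redirect and make the fall-through explicit, but not both. The adjacent `if ( is_set( $cart_url ) )` also calls `is_set()`, which is not a PHP function (the construct is `isset()`), so that line fatals when reached — since `$cart_url` is a return value, `if ( ! empty( $cart_url ) ) {` is the intended check. The method's start lies outside this hunk.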
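Review bot: `wp_json_encode( $body, JSON_UNESCAPED_SLASHES, 0, 16 )` does not fit the core signature `wp_json_encode( $data, $options = 0, $depth = 512 )`: the `0` lands in `$depth`, which `json_encode()` rejects (false plus a warning on PHP 7, a ValueError on PHP 8), and the trailing `16` has no parameter at all, so the request body sent to the backend becomes empty or the call fatals instead of producing JSON. The drop-in replacement is `$jsonstr = wp_json_encode( $body, JSON_UNESCAPED_SLASHES );`, and the result should be checked for `false` before it is passed to `curl_setopt`. The `$this->debug( 'Using POST body ' . $jsonstr ... )` line below also writes the entire request body to the log; if that body can carry customer data, log its length or a redacted form instead. `call_api()` starts and ends outside this hunk.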
@@ -1006,7 +1013,11 @@ function gnutaler_init_gateway_class() {
 			} else {
 				$user_id = 'Guest';
 			}
-			$order_id = $_GET['order_id'];
+			// We intentionally do NOT verify the nonce here, as logging
+			// should always work.
+			// phpcs:disable WordPress.Security.NonceVerification
+			$order_id = sanitize_text_field( wp_unslash( $_GET['order_id'] ) );
+			// phpcs:enable
 			if ( empty( self::$logger ) ) {
 				self::$logger = wc_get_logger();
 			}
-- 
cgit v1.2.3
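Review bot: `sanitize_text_field( wp_unslash( $_GET['order_id'] ) )` reads the parameter without an `isset()` guard, and unlike `fulfillment_url_handler()` this logging path has no early return when it is absent, so every log call on a request without `order_id` raises an undefined-index notice and feeds `null` into `wp_unslash()`. Since the new comment says logging should always work, default it: `$order_id = isset( $_GET['order_id'] ) ? sanitize_text_field( wp_unslash( $_GET['order_id'] ) ) : '';`. It is worth recording in the comment that `sanitize_text_field()` also removes line breaks, because that is what stops an attacker-supplied id from forging additional log lines here — and it is the reason this call must not be replaced by a plain `wp_unslash()`. The enclosing logging method starts outside this hunk.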