fix: add donation form nonce field

Automattic · Dec 19, 2024 · 7348e15 · 7348e15
1 parent 4f3f653
commit 7348e15
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/includes/class-modal-checkout.php b/includes/class-modal-checkout.php
@@ -18,7 +18,7 @@ final class Modal_Checkout {
 	 *
 	 * @var string
 	 */
-	const CHECKOUT_NONCE = 'newspack_modal_checkout_nonce';
+	const CHECKOUT_NONCE = 'newspack_checkout_nonce';
 
 	/**
 	 * Checkout registration flag.

diff --git a/src/blocks/donate/frontend/class-newspack-blocks-donate-renderer-base.php b/src/blocks/donate/frontend/class-newspack-blocks-donate-renderer-base.php
@@ -7,6 +7,8 @@
 
 defined( 'ABSPATH' ) || exit;
 
+use Newspack_Blocks\Modal_Checkout;
+
 /**
  * Handles the Donate block rendering functionality.
  */
@@ -202,6 +204,8 @@ protected static function render_hidden_form_inputs( $attributes ) {
 			<input type='hidden' name='donation_currency' value='<?php echo esc_attr( $currency ); ?>' />
 			<input type='hidden' name='frequency_ids' value='<?php echo esc_attr( wp_json_encode( $donate_child_ids ) ); ?>' />
 		<?php
+		// Add nonce for the donation form.
+		wp_nonce_field( Modal_Checkout::CHECKOUT_NONCE );
 
 		foreach ( [ [ 'afterSuccessBehavior', 'after_success_behavior' ], [ 'afterSuccessButtonLabel', 'after_success_button_label' ], [ 'afterSuccessURL', 'after_success_url' ] ] as $attribute ) {
 			$attribute_name = $attribute[0];