Plugin review changes

ZeekInteractive · Mar 26, 2024 · 4551634 · 4551634
1 parent 9275b06
commit 4551634
Show file tree

Hide file tree

Showing 8 changed files with 36 additions and 13 deletions.
diff --git a/piwa.php b/piwa.php
@@ -1,4 +1,7 @@
 <?php
+
+if ( ! defined( 'ABSPATH' ) ) exit;
+
 /**
  * Plugin Name: Pay Invoices With Amazon
  * Description: Enables a smooth Amazon Pay integration using the WordPress block editor. Accept payments using Amazon Pay, providing a seamless experience for your customers.

diff --git a/readme.txt b/readme.txt
@@ -79,6 +79,17 @@ Long-form to display a payment button set to $100.50 for Business Consulting:
 
 [piwa amount="100.50" title="Business Consulting"]
 
+
+**Third-Party Services**
+
+**Pay Invoices with Amazon** integrates with Amazon Payments to process invoice payments made through the plugin.
+**Third-Party Service Links and Policies**
+
+- Amazon Payments Terms of Service: https://pay.amazon.com/help/201212430
+- Amazon Payments Privacy Policy: https://pay.amazon.com/help/201212490
+
+By using the plugin, you acknowledge and consent to the use of Amazon Payments for payment processing. We ensure that all data transmissions are secure and in compliance with legal standards.
+
 == Installation ==
 
 1. Upload the PIWA plugin to your WordPress plugins directory.
@@ -120,4 +131,4 @@ For support, please post an issue to the [GitHub repository](https://github.com/
 == Upgrade Notice ==
 
 = 1.0 =
-* Initial version of the plugin.
+* Initial version of the plugin.
diff --git a/src/class-admin-settings.php b/src/class-admin-settings.php
@@ -75,6 +75,8 @@ public function rest_get_keys( \WP_REST_Request $request ) {
 				$e->getMessage()
 			);
 
+            // Before calling update_option we are calling register_option_sanitization_callbacks() to ensure the sanitize callback is registered.
+            // The sanitize method on this class is used to sanitize the options by data type before saving them to the database
 			update_option(
 				$this->option_key,
 				array_merge(
@@ -529,9 +531,11 @@ public function admin_menu() {
 		if (
 			isset( $_POST['action'] )
 			&& 'update' === $_POST['action']
-			&& wp_verify_nonce( $_POST['_wpnonce'], sprintf( '%s-options', $this->option_key ) )
+			&& wp_verify_nonce( sanitize_text_field( wp_unslash ($_POST['_wpnonce'] ) ), sprintf( '%s-options', $this->option_key ) )
 			&& ! empty( $_POST['piwa'] )
 		) {
+            // Before calling update_option we are calling register_option_sanitization_callbacks() to ensure the sanitize callback is registered.
+            // The sanitize method on this class is used to sanitize the options by data type before saving them to the database
 			update_option( $this->option_key, $_POST['piwa'] );
 		}
 
@@ -975,14 +979,14 @@ public function account_tab_send_public_key( $args ) { // phpcs:ignore Generic.C
 		printf(
 			'<label for="send_public_key">%s</label><textarea id="send_public_key">%s</textarea></div>',
 			esc_html( $this->i18n( 'public_key' ) ),
-			sanitize_textarea_field( $sent['public'] ) // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+			esc_html( sanitize_textarea_field( $sent['public'] ) ) // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		);
 
 		printf(
 			'<p><label for="sent_public_key_id">%s</label><input id="sent_public_key_id" name="%s[keys][sent][public_key_id]" value="%s" /></p>',
 			esc_html( $this->i18n( 'public_key_id' ) ),
 			esc_attr( $this->option_key ),
-			esc_attr( $sent['public_key_id'] )
+			esc_attr( sanitize_text_field( $sent['public_key_id'] ) )
 		);
 
 		return ob_get_clean();
@@ -1062,14 +1066,14 @@ public function account_tab_receive_public_private_key( $args ) { // phpcs:ignor
 			esc_html( $this->i18n( 'private_key' ) ),
 			esc_attr( $this->option_key ),
 			esc_attr( $this->i18n( 'private_key_source' ) ),
-			sanitize_textarea_field( $receive['private'] ) // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+			esc_html( sanitize_textarea_field( $receive['private'] ) ) // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		);
 
 		printf(
 			'<p><label for="receive_public_key_id">%s</label><input id="receive_public_key_id" name="%s[keys][receive][public_key_id]" value="%s" /></p>',
 			esc_html( $this->i18n( 'public_key_id' ) ),
 			esc_attr( $this->option_key ),
-			esc_attr( $receive['public_key_id'] )
+			esc_attr( sanitize_text_field($receive['public_key_id'] ) )
 		);
 
 		return ob_get_clean();

diff --git a/src/class-client.php b/src/class-client.php
@@ -161,7 +161,7 @@ public function get_button_config( $atts ) {
 							// Payment processing will not work if the redirect is HTTP.
 							'http://',
 							'https://',
-							( defined( 'REST_REQUEST' ) && REST_REQUEST ) ? $_SERVER['HTTP_REFERER'] : get_permalink( (int) $atts['invoice_id'] )
+							( defined( 'REST_REQUEST' ) && REST_REQUEST ) ? filter_var($_SERVER['HTTP_REFERER'], FILTER_SANITIZE_FULL_SPECIAL_CHARS) : get_permalink( (int) $atts['invoice_id'] )
 						)
 					) . sprintf(
 						'#container-amazon-pay-%d%s',

diff --git a/src/class-payments.php b/src/class-payments.php
@@ -73,9 +73,12 @@ public function admin_init() {
 	}
 
 	public function get_current_screen() {
+
+        $php_self = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL);
+
 		if ( empty( $this->current_screen ) ) {
 			$this->current_screen = [
-				'basename'          => basename( $_SERVER['PHP_SELF'] ),
+				'basename'          => basename( $php_self ),
 				'is_this_post_type' => array_key_exists( 'post_type', $_GET ) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 					? ( self::POST_TYPE === filter_input( INPUT_GET, 'post_type', FILTER_SANITIZE_SPECIAL_CHARS ) )
 					: ( array_key_exists( 'post', $_GET ) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
@@ -292,7 +295,7 @@ private function process_checkout_session( $response, $checkout_session_id ) {
 				),
 				'post_content' => $post_content,
 				'post_status'  => 'publish',
-				'post_parent'  => array_key_exists( 'ap-payment-id', $_GET ) ? intval( explode( '-', (string) $_GET['ap-payment-id'] )[0] ) : 0, // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+				'post_parent'  => array_key_exists( 'ap-payment-id', $_GET ) ? intval( explode( '-', sanitize_text_field( $_GET['ap-payment-id']) )[0] ) : 0, // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			];
 			$payment_id   = wp_insert_post( $payment_args, true );
 
@@ -341,7 +344,7 @@ private function process_canceled_checkout_session( $response, $checkout_session
 			'post_title'   => 'Declined',
 			'post_content' => '',
 			'post_status'  => 'pending',
-			'post_parent'  => array_key_exists( 'ap-payment-id', $_GET ) ? intval( explode( '-', (string) $_GET['ap-payment-id'] )[0] ) : 0, // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+			'post_parent'  => array_key_exists( 'ap-payment-id', $_GET ) ? intval( explode( '-', sanitize_text_field($_GET['ap-payment-id']) )[0] ) : 0, // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 		];
 		$payment_id   = wp_insert_post( $payment_args, true );
 

diff --git a/src/class-piwa.php b/src/class-piwa.php
@@ -447,7 +447,7 @@ public function credentials_can_connect( $connection_type = null ) {
 	public function maybe_get_payment() {
 		if ( array_key_exists( 'amazonCheckoutSessionId', $_GET ) && array_key_exists( 'ap-payment-id', $_GET ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			$checkout_session_id                              = sanitize_key( $_GET['amazonCheckoutSessionId'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-			$payment_source_id                                = intval( explode( '-', (string) $_GET['ap-payment-id'] )[0] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+			$payment_source_id                                = intval( explode( '-', sanitize_text_field($_GET['ap-payment-id']) )[0] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			list($payment_source_id, $payment_source_counter) = explode( '-', sanitize_key( $_GET['ap-payment-id'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			$payments = get_posts(
 				[

diff --git a/src/class-render.php b/src/class-render.php
@@ -74,7 +74,7 @@ public function wp_footer() {
 		$config = [];
 		if ( array_key_exists( 'ap-payment-id', $_GET ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			foreach ( $this->buttons_config as $button_config ) {
-				if ( $_GET['ap-payment-id'] === $button_config['payment_id'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+				if ( sanitize_text_field($_GET['ap-payment-id']) === $button_config['payment_id'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 					$config = $button_config;
 				}
 			}
@@ -226,7 +226,7 @@ public function payment_processed( $invoice_id, $counter ) {
 		) {
 
 			$checkout_session_id                                = sanitize_key( $_GET['amazonCheckoutSessionId'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-			$payment_source_id                                  = intval( explode( '-', (string) $_GET['ap-payment-id'] )[0] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+			$payment_source_id                                  = intval( explode( '-', sanitize_text_field($_GET['ap-payment-id']) )[0] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			list( $payment_source_id, $payment_source_counter ) = explode( '-', sanitize_key( $_GET['ap-payment-id'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 
 			if (

diff --git a/src/i18n.php b/src/i18n.php
@@ -1,5 +1,7 @@
 <?php
 
+if ( ! defined( 'ABSPATH' ) ) exit;
+
 return [
 	'admin_page_title'                    => __( 'Pay Invoices With Amazon', 'piwa' ),
 	'admin_menu_title'                    => __( 'Pay Invoices With Amazon', 'piwa' ),