Fix errors and warnings

Author: malmo-monei

includes/abstracts/abstract-wc-monei-payment-gateway-component.php

@@ -188,14 +188,16 @@ public function create_payload( $order, $allowed_payment_method = null ) {
 		);
 
 		// If customer has selected a saved payment method, we get the token from $_POST and we add it to the payload.
-		if ( $token_id = $this->get_payment_token_id_if_selected() ) {
+		$token_id = $this->get_payment_token_id_if_selected();
+		if ( $token_id ) {
 			$wc_token                = WC_Payment_Tokens::get( $token_id );
 			$payload['paymentToken'] = $wc_token->get_token();
 		}
 
 		// If user has paid using Apple or Google pay, we add paymentToken.
 		// This will overwrite previous token, in case one preselected token was checked in checkout, but we should ignore it.
-		if ( $token_id = $this->get_frontend_generated_monei_apple_google_token() ) {
+		$token_id = $this->get_frontend_generated_monei_apple_google_token();
+		if ( $token_id ) {
 			$payload['paymentToken'] = $token_id;
 		}
 
@@ -205,7 +207,7 @@ public function create_payload( $order, $allowed_payment_method = null ) {
 		}
 		$componentGateways = array( MONEI_GATEWAY_ID, self::APPLE_GOOGLE_ID );
 		// If merchant is not using redirect flow (means component CC or apple/google pay), there is a generated frontend token paymentToken and we need to add session ID to the request.
-		if ( in_array( $this->id, $componentGateways ) && ! $this->redirect_flow && ( $this->get_frontend_generated_monei_token() || $this->get_frontend_generated_monei_apple_google_token() ) ) {
+		if ( in_array( $this->id, $componentGateways, true ) && ! $this->redirect_flow && ( $this->get_frontend_generated_monei_token() || $this->get_frontend_generated_monei_apple_google_token() ) ) {
 			$payload['sessionId'] = (string) WC()->session->get_customer_id();
 		}
 
@@ -219,7 +221,8 @@ public function create_payload( $order, $allowed_payment_method = null ) {
 	 * @return false|string
 	 */
 	public function get_frontend_generated_monei_token() {
-		return ( isset( $_POST['monei_payment_token'] ) ) ? htmlspecialchars( strip_tags( $_POST['monei_payment_token'] ), ENT_QUOTES, 'UTF-8' ) : false; // WPCS: CSRF ok.
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		return ( isset( $_POST['monei_payment_token'] ) ) ? wc_clean( wp_unslash( $_POST['monei_payment_token'] ) ) : false; // WPCS: CSRF ok.
 	}
 
 	/**
@@ -228,7 +231,8 @@ public function get_frontend_generated_monei_token() {
 	 * @return boolean
 	 */
 	public function isBlockCheckout() {
-		return ( isset( $_POST['monei_is_block_checkout'] ) ) ? htmlspecialchars( strip_tags( $_POST['monei_is_block_checkout'] ), ENT_QUOTES, 'UTF-8' ) === 'yes' : false; // WPCS: CSRF ok.
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		return ( isset( $_POST['monei_is_block_checkout'] ) ) ? wc_clean( wp_unslash( $_POST['monei_is_block_checkout'] ) ) === 'yes' : false; // WPCS: CSRF ok.
 	}
 
 	/**
@@ -238,7 +242,8 @@ public function isBlockCheckout() {
 	 */
 	public function get_frontend_generated_monei_cardholder( $order ) {
 		$defaultName = $order->get_formatted_billing_full_name();
-		return ( isset( $_POST['monei_cardholder_name'] ) ) ? htmlspecialchars( strip_tags( $_POST['monei_cardholder_name'] ), ENT_QUOTES, 'UTF-8' ) : $defaultName; // WPCS: CSRF ok.
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		return ( isset( $_POST['monei_cardholder_name'] ) ) ? wc_clean( wp_unslash( $_POST['monei_cardholder_name'] ) ) : $defaultName; // WPCS: CSRF ok.
 	}
 
 	/**
@@ -248,6 +253,7 @@ public function get_frontend_generated_monei_cardholder( $order ) {
 	 * @return false|string
 	 */
 	protected function get_frontend_generated_monei_apple_google_token() {
-		return ( isset( $_POST['monei_payment_request_token'] ) ) ? htmlspecialchars( strip_tags( $_POST['monei_payment_request_token'] ), ENT_QUOTES, 'UTF-8' ) : false; // WPCS: CSRF ok.
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		return ( isset( $_POST['monei_payment_request_token'] ) ) ? wc_clean( wp_unslash( $_POST['monei_payment_request_token'] ) ) : false; // WPCS: CSRF ok.
 	}
 }

includes/abstracts/abstract-wc-monei-payment-gateway-hosted.php

@@ -97,7 +97,8 @@ public function process_payment( $order_id, $allowed_payment_method = null ) {
 		);
 
 		// If customer has selected a saved payment method, we get the token from $_POST and we add it to the payload.
-		if ( $token_id = $this->get_payment_token_id_if_selected() ) {
+		$token_id = $this->get_payment_token_id_if_selected();
+		if ( $token_id ) {
 			$wc_token                = WC_Payment_Tokens::get( $token_id );
 			$payload['paymentToken'] = $wc_token->get_token();
 		}
@@ -106,8 +107,8 @@ public function process_payment( $order_id, $allowed_payment_method = null ) {
 		if ( $this->tokenization && $this->get_save_payment_card_checkbox() ) {
 			$payload['generatePaymentToken'] = true;
 		}
-
-		if ( $token_id = $this->get_frontend_generated_bizum_token() ) {
+		$token_id = $this->get_frontend_generated_bizum_token();
+		if ( $token_id ) {
 			if ( ! $this->isBlockCheckout() ) {
 				$payload['paymentToken'] = $token_id;
 			}
@@ -161,6 +162,7 @@ protected function get_frontend_generated_bizum_token() {
 		if ( $this->id !== 'monei_bizum' ) {
 			return false;
 		}
-		return ( isset( $_POST['monei_payment_request_token'] ) ) ? htmlspecialchars( strip_tags( $_POST['monei_payment_request_token'] ), ENT_QUOTES, 'UTF-8' ) : false; // WPCS: CSRF ok.
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		return ( isset( $_POST['monei_payment_request_token'] ) ) ? wc_clean( wp_unslash( $_POST['monei_payment_request_token'] ) ) : false; // WPCS: CSRF ok.
 	}
 }

includes/abstracts/abstract-wc-monei-payment-gateway.php

@@ -182,7 +182,7 @@ public function process_refund( $order_id, $amount = null, $reason = '' ) {
 
 				$this->log( $amount . ' Refund approved.', 'debug' );
 
-				$order->add_order_note( __( '<strong>MONEI Refund Approved:</strong> ', 'monei' ) . wc_price( $amount ) . '<br/>Status: ' . $result->getStatus() . ' ' . $result->getStatusMessage() );
+				$order->add_order_note( __( 'MONEI Refund Approved:', 'monei' ) . wc_price( $amount ) . '<br/>Status: ' . $result->getStatus() . ' ' . $result->getStatusMessage() );
 
 				return true;
 
@@ -214,7 +214,8 @@ public function save_payment_method_checkbox() {
 	 * @return int|false
 	 */
 	protected function get_payment_token_id_if_selected() {
-		return ( isset( $_POST[ 'wc-' . $this->id . '-payment-token' ] ) ) ? filter_var( $_POST[ 'wc-' . $this->id . '-payment-token' ], FILTER_SANITIZE_NUMBER_INT ) : false; // WPCS: CSRF ok.
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		return ( isset( $_POST[ 'wc-' . $this->id . '-payment-token' ] ) ) ? filter_var( wp_unslash( $_POST[ 'wc-' . $this->id . '-payment-token' ] ), FILTER_SANITIZE_NUMBER_INT ) : false; // WPCS: CSRF ok.
 	}
 
 	/**
@@ -223,6 +224,7 @@ protected function get_payment_token_id_if_selected() {
 	 * @return bool
 	 */
 	protected function get_save_payment_card_checkbox() {
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		return ( isset( $_POST[ 'wc-' . $this->id . '-new-payment-method' ] ) );
 	}
 
@@ -298,7 +300,8 @@ public function getTestmode() {
 	 * @return boolean
 	 */
 	public function isBlockCheckout() {
-		return ( isset( $_POST['monei_is_block_checkout'] ) ) ? htmlspecialchars( strip_tags( $_POST['monei_is_block_checkout'] ), ENT_QUOTES, 'UTF-8' ) === 'yes' : false; // WPCS: CSRF ok.
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		return ( isset( $_POST['monei_is_block_checkout'] ) ) ? wc_clean( wp_unslash( $_POST['monei_is_block_checkout'] ) ) === 'yes' : false; // WPCS: CSRF ok.
 	}
 
 	/**
@@ -307,17 +310,20 @@ public function isBlockCheckout() {
 	 * @return false|string
 	 */
 	public function get_frontend_generated_monei_token() {
-		return ( isset( $_POST['monei_payment_token'] ) ) ? htmlspecialchars( strip_tags( $_POST['monei_payment_token'] ), ENT_QUOTES, 'UTF-8' ) : false; // WPCS: CSRF ok.
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		return ( isset( $_POST['monei_payment_token'] ) ) ? wc_clean( wp_unslash( $_POST['monei_payment_token'] ) ) : false; // WPCS: CSRF ok.
 	}
 
 	/**
 	 * @return float|int|string|null
 	 */
 	public function determineTheTotalAmountToBePassed() {
 		$total = null;
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( is_wc_endpoint_url( 'order-pay' ) && isset( $_GET['key'] ) ) {
 			// If on the pay for order page, get the order total
-			$order_id = wc_get_order_id_by_order_key( sanitize_text_field( $_GET['key'] ) );
+            //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+			$order_id = wc_get_order_id_by_order_key( wc_clean( wp_unslash( $_GET['key'] ) ) );
 			if ( $order_id ) {
 				$order = wc_get_order( $order_id );
 				$total = $order ? $order->get_total() : 0;

includes/addons/class-wc-monei-addons-redirect-hooks.php

@@ -33,7 +33,7 @@ public function subscriptions_save_sequence_id_on_payment_method_change() {
 		if ( ! is_account_page() ) {
 			return;
 		}
-
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( ! isset( $_GET['id'] ) ) {
 			return;
 		}
@@ -78,7 +78,7 @@ public function subscriptions_save_sequence_id() {
 		if ( ! is_order_received_page() ) {
 			return;
 		}
-
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( ! isset( $_GET['id'] ) ) {
 			return;
 		}

includes/addons/class-wc-monei-apple-pay-verification.php

@@ -30,8 +30,8 @@ public function apple_domain_register() {
 		if ( ! isset( $_POST['woocommerce_monei_apple_google_pay'] ) ) {
 			return;
 		}
-
-		if ( ! sanitize_text_field( $_POST['woocommerce_monei_apple_google_pay'] ) ) {
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		if ( ! wc_clean( wp_unslash( $_POST['woocommerce_monei_apple_google_pay'] ) ) ) {
 			return;
 		}
 

includes/addons/trait-wc-monei-subscriptions.php

@@ -163,7 +163,6 @@ public function create_subscription_payload( WC_Order $order_id, $payment_method
 		$payload['sequence'] = array(
 			'type'      => 'recurring',
 			'recurring' => array(
-				// 'frequency' => $this->get_cart_subscription_interval_in_days() // The minimum number of days between the different recurring payments.
 				'frequency' => 1, // Testing with 1 to know if we can modify subscription dates.
 			),
 		);

includes/class-monei-cc-blocks.php

@@ -32,16 +32,16 @@ public function is_active() {
 	/**
 	 * Removes all saved payment methods when the setting to save cards is disabled.
 	 *
-	 * @param  array $list         List of payment methods passed from wc_get_customer_saved_methods_list().
+	 * @param  array $paymentMethods         List of payment methods passed from wc_get_customer_saved_methods_list().
 	 * @param  int   $customer_id  The customer to fetch payment methods for.
 	 * @return array               Filtered list of customers payment methods.
 	 */
-	public function filter_saved_payment_methods_list( $list, $customer_id ) {
+	public function filter_saved_payment_methods_list( $paymentMethods, $customer_id ) {
 
-		if ( 'no' == $this->get_setting( 'tokenization' ) ) {
+		if ( 'no' === $this->get_setting( 'tokenization' ) ) {
 			return array();
 		}
-		return $list;
+		return $paymentMethods;
 	}
 
 
@@ -77,7 +77,7 @@ public function get_payment_method_script_handles() {
 
 	public function get_payment_method_data() {
 
-		if ( 'no' == $this->get_setting( 'tokenization' ) ) {
+		if ( 'no' === $this->get_setting( 'tokenization' ) ) {
 			$supports = $this->get_supported_features();
 		} else {
 			$supports = array(

includes/class-wc-monei-ipn.php

@@ -29,17 +29,18 @@ public function __construct( bool $logging = false ) {
 	 * @return void
 	 */
 	public function check_ipn_request() {
-
-		if ( ( 'POST' !== sanitize_text_field( $_SERVER['REQUEST_METHOD'] ) ) ) {
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		if ( isset( $_SERVER['REQUEST_METHOD'] ) && ( 'POST' !== wc_clean( wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) ) ) {
 			return;
 		}
 
 		$headers  = $this->get_all_headers();
-		$raw_body = @file_get_contents( 'php://input' );
+		$raw_body = file_get_contents( 'php://input' );
 		$this->log_ipn_request( $headers, $raw_body );
 
 		try {
-			$payload = $this->verify_signature_get_payload( $raw_body, sanitize_text_field( $_SERVER['HTTP_MONEI_SIGNATURE'] ) );
+            //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+			$payload = isset( $_SERVER['HTTP_MONEI_SIGNATURE'] ) && $this->verify_signature_get_payload( $raw_body, wc_clean( wp_unslash( $_SERVER['HTTP_MONEI_SIGNATURE'] ) ) );
 			$this->logging && WC_Monei_Logger::log( $payload, 'debug' );
 			$this->handle_valid_ipn( $payload );
 			do_action( 'woocommerce_monei_handle_valid_ipn', $payload );
@@ -95,7 +96,8 @@ protected function handle_valid_ipn( $payload ) {
 		if ( 'CANCELED' === $status ) {
 			// Order cancelled.
 			$order->add_order_note( __( 'HTTP Notification received - <strong>Payment Cancelled</strong>', 'monei' ) . $status );
-			$order->add_order_note( sprintf( __( 'Cancelled by MONEI: %s', 'monei' ), $status_message ) );
+			$message = __( 'Cancelled by MONEI: ', 'monei' ) . $status_message;
+			$order->add_order_note( $message );
 			return;
 		}
 
@@ -119,7 +121,15 @@ protected function handle_valid_ipn( $payload ) {
 			 * 1 cent exception, for subscriptions when 0 sing ups are done.
 			 */
 			if ( ( (int) $amount !== monei_price_format( $order_total ) ) && ( 1 !== $amount ) ) {
-				$order->update_status( 'on-hold', sprintf( __( 'Validation error: Order vs. Notification amounts do not match (order: %1$s - received: %2&s).', 'monei' ), $amount, monei_price_format( $order_total ) ) );
+				$order->update_status(
+					'on-hold',
+					sprintf(
+					/* translators: 1: Order amount, 2: Notification amount */
+						__( 'Validation error: Order vs. Notification amounts do not match (order: %1$s - received: %2$s).', 'monei' ),
+						$amount,
+						monei_price_format( $order_total )
+					)
+				);
 				exit;
 			}
 
@@ -165,7 +175,7 @@ private function get_all_headers() {
 		if ( ! function_exists( 'getallheaders' ) ) {
 			$headers = array();
 			foreach ( $_SERVER as $name => $value ) {
-				if ( substr( $name, 0, 5 ) == 'HTTP_' ) {
+				if ( substr( $name, 0, 5 ) === 'HTTP_' ) {
 					$headers[ str_replace( ' ', '-', ucwords( strtolower( str_replace( '_', ' ', substr( $name, 5 ) ) ) ) ) ] = $value;
 				}
 			}

includes/class-wc-monei-pre-auth.php

@@ -29,9 +29,9 @@ public function __construct() {
 	 * @param $order_id
 	 */
 	public function capture_payment_when_pre_auth( $order_id ) {
-		$order = wc_get_order( $order_id );
-
-		if ( ! $payment_id = $this->is_pre_auth_order( $order ) ) {
+		$order      = wc_get_order( $order_id );
+		$payment_id = $this->is_pre_auth_order( $order );
+		if ( ! $payment_id ) {
 			return;
 		}
 
@@ -56,9 +56,9 @@ public function capture_payment_when_pre_auth( $order_id ) {
 	 * @param $order_id
 	 */
 	public function cancel_payment_when_pre_auth( $order_id ) {
-		$order = wc_get_order( $order_id );
-
-		if ( ! $payment_id = $this->is_pre_auth_order( $order ) ) {
+		$order      = wc_get_order( $order_id );
+		$payment_id = $this->is_pre_auth_order( $order );
+		if ( ! $payment_id ) {
 			return;
 		}
 

includes/class-wc-monei-redirect-hooks.php

@@ -31,10 +31,12 @@ public function __construct() {
 	 * @return void
 	 */
 	public function add_notice_monei_order_failed() {
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( ! isset( $_GET['status'] ) ) {
 			return;
 		}
-		$status = wc_clean( $_GET['status'] );
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		$status = wc_clean( wp_unslash( $_GET['status'] ) );
 		if ( $status === 'FAILED' ) {
 			wc_add_notice( __( 'The payment failed. Please try again', 'monei' ), 'error' );
 		}
@@ -49,19 +51,24 @@ public function add_notice_monei_order_failed() {
 	 * @return void
 	 */
 	public function add_notice_monei_order_cancelled( $order_id ) {
-		if ( isset( $_GET['status'] ) && isset( $_GET['message'] ) && 'FAILED' === sanitize_text_field( $_GET['status'] ) ) {
-			$order_id = absint( $_GET['order_id'] );
-			$order    = wc_get_order( $order_id );
+        // phpcs:disable WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		if ( isset( $_GET['status'] ) && isset( $_GET['message'] ) && 'FAILED' === wc_clean( wp_unslash( $_GET['status'] ) ) ) {
+			$order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : false;
+			$order    = $order_id ? wc_get_order( $order_id ) : false;
+			if ( ! $order ) {
+				return;
+			}
 
-			$order->add_order_note( __( 'MONEI Status: ', 'monei' ) . esc_html( sanitize_text_field( $_GET['status'] ) ) );
-			$order->add_order_note( __( 'MONEI message: ', 'monei' ) . esc_html( sanitize_text_field( $_GET['message'] ) ) );
+			$order->add_order_note( __( 'MONEI Status: ', 'monei' ) . esc_html( wc_clean( wp_unslash( $_GET['status'] ) ) ) );
+			$order->add_order_note( __( 'MONEI message: ', 'monei' ) . esc_html( wc_clean( wp_unslash( $_GET['message'] ) ) ) );
 
-			wc_add_notice( esc_html( sanitize_text_field( $_GET['message'] ) ), 'error' );
+			wc_add_notice( esc_html( wc_clean( wp_unslash( $_GET['message'] ) ) ), 'error' );
 
 			WC_Monei_Logger::log( __( 'Order Cancelled: ', 'monei' ) . $order_id );
-			WC_Monei_Logger::log( __( 'MONEI Status: ', 'monei' ) . esc_html( sanitize_text_field( $_GET['status'] ) ) );
-			WC_Monei_Logger::log( __( 'MONEI message: ', 'monei' ) . esc_html( sanitize_text_field( $_GET['message'] ) ) );
+			WC_Monei_Logger::log( __( 'MONEI Status: ', 'monei' ) . esc_html( wc_clean( wp_unslash( $_GET['status'] ) ) ) );
+			WC_Monei_Logger::log( __( 'MONEI message: ', 'monei' ) . esc_html( wc_clean( wp_unslash( $_GET['message'] ) ) ) );
 		}
+        // phpcs:enable
 	}
 
 	/**
@@ -80,7 +87,7 @@ public function save_payment_token() {
 		if ( ! is_add_payment_method_page() && ! is_order_received_page() ) {
 			return;
 		}
-
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( ! isset( $_GET['id'] ) ) {
 			return;
 		}
@@ -89,7 +96,8 @@ public function save_payment_token() {
 		 * In the redirect back (from add payment method), the payment could have been failed, the only way to check is the url $_GET['status']
 		 * We should remove the "Payment method successfully added." notice and add a 'Unable to add payment method to your account.' manually.
 		 */
-		if ( is_add_payment_method_page() && ( ! isset( $_GET['status'] ) || 'SUCCEEDED' !== sanitize_text_field( $_GET['status'] ) ) ) {
+        //phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		if ( is_add_payment_method_page() && ( ! isset( $_GET['status'] ) || 'SUCCEEDED' !== wc_clean( wp_unslash( $_GET['status'] ) ) ) ) {
 			wc_clear_notices();
 			wc_add_notice( __( 'Unable to add payment method to your account.', 'woocommerce' ), 'error' );
 			$error_message = filter_input( INPUT_GET, 'message', FILTER_CALLBACK, array( 'options' => 'sanitize_text_field' ) );
@@ -132,7 +140,7 @@ public function save_payment_token() {
 			WC_Monei_Logger::log( 'saving tokent into DB', 'debug' );
 			WC_Monei_Logger::log( $payment_method, 'debug' );
 
-			$expiration = new DateTime( date( 'm/d/Y', $payment_method->getCard()->getExpiration() ) );
+			$expiration = new DateTime( gmdate( 'm/d/Y', $payment_method->getCard()->getExpiration() ) );
 
 			$token = new WC_Payment_Token_CC();
 			$token->set_token( $payment_token );