
Security hardening

DevinWalker committed Apr 18, 2015
1 parent a707d1d commit b88fea00999534355e0a124d0b7c4d0cee164d39
@@ -76,10 +76,10 @@ function give_admin_messages() {
echo '<div class="error">';
echo '<p>' . __( 'Your site appears to be blocking the WordPress ajax interface. This may causes issues with Give.', 'give' ) . '</p>';
echo '<p><a href="' . add_query_arg( array(
echo '<p><a href="' . esc_url( add_query_arg( array(
'give_action' => 'dismiss_notices',
'give_notice' => 'admin_ajax_inaccessible'
) ) . '">' . __( 'Dismiss Notice', 'give' ) . '</a></p>';
) ) ) . '">' . __( 'Dismiss Notice', 'give' ) . '</a></p>';
echo '</div>';
}
@@ -205,30 +205,30 @@ public function get_views() {
'status',
'paged'
) ), $current === 'all' || $current == '' ? ' class="current"' : '', __( 'All', 'give' ) . $total_count ),
'publish' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array(
'publish' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array(
'status' => 'publish',
'paged' => false
) ), $current === 'publish' ? ' class="current"' : '', __( 'Completed', 'give' ) . $complete_count ),
'pending' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array(
) ) ), $current === 'publish' ? ' class="current"' : '', __( 'Completed', 'give' ) . $complete_count ),
'pending' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array(
'status' => 'pending',
'paged' => false
) ), $current === 'pending' ? ' class="current"' : '', __( 'Pending', 'give' ) . $pending_count ),
'refunded' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array(
) ) ), $current === 'pending' ? ' class="current"' : '', __( 'Pending', 'give' ) . $pending_count ),
'refunded' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array(
'status' => 'refunded',
'paged' => false
) ), $current === 'refunded' ? ' class="current"' : '', __( 'Refunded', 'give' ) . $refunded_count ),
'revoked' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array(
) ) ), $current === 'refunded' ? ' class="current"' : '', __( 'Refunded', 'give' ) . $refunded_count ),
'revoked' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array(
'status' => 'revoked',
'paged' => false
) ), $current === 'revoked' ? ' class="current"' : '', __( 'Revoked', 'give' ) . $revoked_count ),
'failed' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array(
) ) ), $current === 'revoked' ? ' class="current"' : '', __( 'Revoked', 'give' ) . $revoked_count ),
'failed' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array(
'status' => 'failed',
'paged' => false
) ), $current === 'failed' ? ' class="current"' : '', __( 'Failed', 'give' ) . $failed_count ),
'abandoned' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array(
) ) ), $current === 'failed' ? ' class="current"' : '', __( 'Failed', 'give' ) . $failed_count ),
'abandoned' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array(
'status' => 'abandoned',
'paged' => false
) ), $current === 'abandoned' ? ' class="current"' : '', __( 'Abandoned', 'give' ) . $abandoned_count )
) ) ), $current === 'abandoned' ? ' class="current"' : '', __( 'Abandoned', 'give' ) . $abandoned_count )
);
return apply_filters( 'give_payments_table_views', $views );
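Review bot: The `'all'` view whose closing `) ),` is the first line of this hunk still has two closing parentheses while every other entry was changed to `) ) ),`, which suggests its `add_query_arg()` call was not wrapped in `esc_url()` like the rest; the entry's opening line is outside the hunk, so confirm against the full method. If it was missed, it should get the same treatment, `esc_url( add_query_arg( array( 'status' => false, 'paged' => false ) ) )`, so all views in `$views` are escaped consistently. The same line also mixes `$current === 'all' || $current == ''`; `$current === ''` would keep the comparison strict throughout. `get_views()` begins before the hunk.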
@@ -299,7 +299,7 @@ public function column_default( $payment, $column_name ) {
$value = '<div class="give-donation-status status-' . sanitize_title( give_get_payment_status( $payment, true ) ) . '"><span class="give-donation-status-icon"></span> ' . give_get_payment_status( $payment, true ) . '</div>';
break;
case 'details' :
$value = '<a href="' . add_query_arg( 'id', $payment->ID, admin_url( 'edit.php?post_type=give_forms&page=give-payment-history&view=view-order-details' ) ) . '" class="give-payment-details-link">' . __( 'View Order Details', 'give' ) . '</a>';
$value = '<a href="' . esc_url( add_query_arg( 'id', $payment->ID, admin_url( 'edit.php?post_type=give_forms&page=give-payment-history&view=view-order-details' ) ) ) . '" class="give-payment-details-link">' . __( 'View Donation Details', 'give' ) . '</a>';
break;
default:
$value = isset( $payment->$column_name ) ? $payment->$column_name : '';
@@ -325,10 +325,10 @@ public function column_email( $payment ) {
$row_actions = array();
if ( give_is_payment_complete( $payment->ID ) ) {
$row_actions['email_links'] = '<a href="' . add_query_arg( array(
$row_actions['email_links'] = '<a href="' . esc_url( add_query_arg( array(
'give-action' => 'email_links',
'purchase_id' => $payment->ID
), $this->base_url ) . '">' . __( 'Resend Purchase Receipt', 'give' ) . '</a>';
), $this->base_url ) ) . '">' . __( 'Resend Purchase Receipt', 'give' ) . '</a>';
}
@@ -377,7 +377,7 @@ public function column_cb( $payment ) {
* @return string Displays a checkbox
*/
public function column_ID( $payment ) {
return '<span class="give-payment-id">'.give_get_payment_number( $payment->ID ).'</span>';
return '<span class="give-payment-id">' . give_get_payment_number( $payment->ID ) . '</span>';
}
/**
@@ -72,7 +72,7 @@ function give_view_order_details_title( $admin_title, $title ) {
switch( $_GET['give-action'] ) :
case 'view-order-details' :
$title = __( 'View Order Details', 'give' ) . ' - ' . $admin_title;
$title = __( 'View Donation Details', 'give' ) . ' - ' . $admin_title;
break;
case 'edit-payment' :
$title = __( 'Edit Payment', 'give' ) . ' - ' . $admin_title;
@@ -1,6 +1,6 @@
<?php
/**
* View Order Details
* View Donation Details
*
* @package Give
* @subpackage Admin/Payments
@@ -127,10 +127,10 @@ public function admin_page_display() {
<?php
foreach ( $this->give_get_settings_tabs() as $tab_id => $tab_name ) {
$tab_url = add_query_arg( array(
$tab_url = esc_url( add_query_arg( array(
'settings-updated' => false,
'tab' => $tab_id
) );
) ) );
$active = $active_tab == $tab_id ? ' nav-tab-active' : '';
@@ -67,7 +67,7 @@ public function __construct() {
public function column_default( $item, $column_name ) {
switch ( $column_name ) {
case 'form' :
return '<a href="' . add_query_arg( 'form', $item[ $column_name ] ) . '" >' . get_the_title( $item[ $column_name ] ) . '</a>';
return '<a href="' . esc_url( add_query_arg( 'form', $item[ $column_name ] ) ) . '" >' . get_the_title( $item[ $column_name ] ) . '</a>';
case 'user_id' :
return '<a href="' .
@@ -96,7 +96,7 @@ public function get_columns() {
$columns = array(
'ID' => __( 'Log ID', 'give' ),
'user_id' => __( 'User', 'give' ),
'form' => give_get_forms_label_singular(),
'form' => give_get_forms_label_singular(),
'amount' => __( 'Item Amount', 'give' ),
'payment_id' => __( 'Payment ID', 'give' ),
'date' => __( 'Date', 'give' )
@@ -177,7 +177,7 @@ function give_reports_graph() {
}
$data = array(
__( 'Income', 'give' ) => $earnings_data,
__( 'Income', 'give' ) => $earnings_data,
__( 'Donations', 'give' ) => $sales_data
);
@@ -415,7 +415,7 @@ function give_reports_graph_of_form( $form_id = 0 ) {
}
$data = array(
__( 'Income', 'give' ) => $earnings_data,
__( 'Income', 'give' ) => $earnings_data,
__( 'Donations', 'give' ) => $sales_data
);
@@ -749,7 +749,7 @@ function give_parse_report_dates( $data ) {
$view = give_get_reporting_view();
$id = isset( $_GET['form-id'] ) ? $_GET['form-id'] : null;
wp_redirect( add_query_arg( $dates, admin_url( 'edit.php?post_type=give_forms&page=give-reports&view=' . esc_attr( $view ) . '&form-id=' . absint( $id ) ) ) );
wp_redirect( esc_url( add_query_arg( $dates, admin_url( 'edit.php?post_type=give_forms&page=give-reports&view=' . esc_attr( $view ) . '&form-id=' . absint( $id ) ) ) ) );
give_die();
}
@@ -37,20 +37,20 @@ function give_reports_page() {
?>
<div class="wrap">
<h2 class="nav-tab-wrapper">
<a href="<?php echo add_query_arg( array(
<a href="<?php echo esc_url( add_query_arg( array(
'tab' => 'reports',
'settings-updated' => false
), $current_page ); ?>" class="nav-tab <?php echo $active_tab == 'reports' ? 'nav-tab-active' : ''; ?>"><?php _e( 'Reports', 'give' ); ?></a>
), $current_page ) ); ?>" class="nav-tab <?php echo $active_tab == 'reports' ? 'nav-tab-active' : ''; ?>"><?php _e( 'Reports', 'give' ); ?></a>
<?php if ( current_user_can( 'export_give_reports' ) ) { ?>
<a href="<?php echo add_query_arg( array(
<a href="<?php echo esc_url( add_query_arg( array(
'tab' => 'export',
'settings-updated' => false
), $current_page ); ?>" class="nav-tab <?php echo $active_tab == 'export' ? 'nav-tab-active' : ''; ?>"><?php _e( 'Export', 'give' ); ?></a>
), $current_page ) ); ?>" class="nav-tab <?php echo $active_tab == 'export' ? 'nav-tab-active' : ''; ?>"><?php _e( 'Export', 'give' ); ?></a>
<?php } ?>
<a href="<?php echo add_query_arg( array(
<a href="<?php echo esc_url( add_query_arg( array(
'tab' => 'logs',
'settings-updated' => false
), $current_page ); ?>" class="nav-tab <?php echo $active_tab == 'logs' ? 'nav-tab-active' : ''; ?>"><?php _e( 'Logs', 'give' ); ?></a>
), $current_page ) ); ?>" class="nav-tab <?php echo $active_tab == 'logs' ? 'nav-tab-active' : ''; ?>"><?php _e( 'Logs', 'give' ); ?></a>
<?php do_action( 'give_reports_tabs' ); ?>
</h2>
@@ -58,11 +58,11 @@ function give_resend_donation_receipt( $data ) {
give_email_donation_receipt( $purchase_id, false );
wp_redirect( add_query_arg( array(
wp_redirect( esc_url( add_query_arg( array(
'give-message' => 'email_sent',
'give-action' => false,
'purchase_id' => false
) ) );
) ) ) );
exit;
}
@@ -505,6 +505,7 @@ function give_email_tag_receipt_id( $payment_id ) {
function give_email_tag_donation( $payment_id ) {
$payment_data = give_get_payment_meta( $payment_id );
$form_title = ( ! empty( $payment_data['form_title'] ) ? $payment_data['form_title'] : __( 'There was an error retrieving this donation title', 'give' ) );
return $form_title;
}
@@ -541,8 +542,8 @@ function give_email_tag_sitename( $payment_id ) {
* @return string receipt_link
*/
function give_email_tag_receipt_link( $payment_id ) {
return sprintf( __( '%1$sView it in your browser.%2$s', 'give' ), '<a href="' . add_query_arg( array(
return sprintf( __( '%1$sView it in your browser.%2$s', 'give' ), '<a href="' . esc_url( add_query_arg( array(
'payment_key' => give_get_payment_key( $payment_id ),
'give_action' => 'view_receipt'
), home_url() ) . '">', '</a>' );
), home_url() ) ) . '">', '</a>' );
}
@@ -80,10 +80,10 @@ function give_email_preview_template_tags( $message ) {
$message = str_replace( '{sitename}', get_bloginfo( 'name' ), $message );
$message = str_replace( '{product_notes}', $notes, $message );
$message = str_replace( '{payment_id}', $payment_id, $message );
$message = str_replace( '{receipt_link}', sprintf( __( '%1$sView it in your browser.%2$s', 'give' ), '<a href="' . add_query_arg( array(
$message = str_replace( '{receipt_link}', sprintf( __( '%1$sView it in your browser.%2$s', 'give' ), '<a href="' . esc_url( add_query_arg( array(
'payment_key' => $receipt_id,
'give_action' => 'view_receipt'
), home_url() ) . '">', '</a>' ), $message );
), home_url() ) ) . '">', '</a>' ), $message );
return wpautop( apply_filters( 'give_email_preview_template_tags', $message ) );
}
@@ -263,8 +263,8 @@ function give_render_receipt_in_browser() {
<body class="<?php echo apply_filters( 'give_receipt_page_body_class', 'give_receipt_page' ); ?>">
<div id="give_receipt_wrapper">
<?php do_action( 'give_render_receipt_in_browser_before' ); ?>
<?php echo do_shortcode( '[give_receipt payment_key=' . $key . ']' ); ?>
<?php do_action( 'give_render_receipt_in_browser_after' ); ?>
<?php echo do_shortcode( '[give_receipt payment_key=' . $key . ']' ); ?>
<?php do_action( 'give_render_receipt_in_browser_after' ); ?>
</div>
<?php wp_footer(); ?>
</body>
