diff --git a/angelleye-includes/angelleye-utility.php b/angelleye-includes/angelleye-utility.php
index 075873358..994f07c6f 100644
--- a/angelleye-includes/angelleye-utility.php
+++ b/angelleye-includes/angelleye-utility.php
@@ -393,7 +393,7 @@ public function pfw_do_capture($order, $transaction_id = null, $capture_total =
$this->ec_add_log('DoCapture API call');
$order_id = version_compare(WC_VERSION, '3.0', '<') ? $order->id : $order->get_id();
if( !empty($_POST['_regular_price'])) {
- $AMT = self::number_format($_POST['_regular_price']);
+ $AMT = self::number_format(wc_clean( wp_unslash( $_POST['_regular_price'] ) ) );
} elseif ($capture_total == null) {
$AMT = $this->get_amount_by_transaction_id($transaction_id);
} else {
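Review bot: `wc_clean()` on the new line only trims and strips tags, so a non-numeric or locale-formatted `_regular_price` (e.g. `1,234.56` or `abc`) still reaches `self::number_format()`, which will silently turn it into a wrong capture amount. Since this value becomes the AMT sent to PayPal, use WooCommerce's decimal normaliser and reject anything that does not parse: `$AMT = self::number_format(wc_format_decimal(wp_unslash($_POST['_regular_price'])));` with a bail-out when the result is empty or not numeric. It is also not visible in the hunk whether the caller verifies a nonce and capability before this admin-driven capture; worth confirming. pfw_do_capture continues outside the hunk.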
@@ -494,7 +494,7 @@ public function call_do_void($order) {
$this->ec_add_log('DoVoid API call');
$order_id = version_compare(WC_VERSION, '3.0', '<') ? $order->id : $order->get_id();
if (isset($_POST['angelleye_paypal_dovoid_transaction_dropdown']) && !empty($_POST['angelleye_paypal_dovoid_transaction_dropdown'])) {
- $transaction_id = $_POST['angelleye_paypal_dovoid_transaction_dropdown'];
+ $transaction_id = wc_clean($_POST['angelleye_paypal_dovoid_transaction_dropdown']);
} else {
$old_wc = version_compare(WC_VERSION, '3.0', '<');
$transaction_id = $old_wc ? get_post_meta($order_id, '_first_transaction_id', true) : get_post_meta($order->get_id(), '_first_transaction_id', true);
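Review bot: Sanitising the dropdown value with `wc_clean()` does not establish that the chosen transaction ID belongs to this order, so a request can still submit an arbitrary PNREF/transaction ID and have DoVoid issued against it. The else-branch shows the order's own `_first_transaction_id` meta is the trusted source; the POSTed value should be checked against the order's recorded transaction IDs (or the options that populated the dropdown) before use, e.g. `if (!in_array($transaction_id, $known_ids, true)) { return; }`. Whether a later step already does this is not visible here. call_do_void continues outside the hunk.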
@@ -561,7 +561,7 @@ public function call_do_reauthorization($order) {
$this->ec_add_log('DoReauthorization API call');
$order_id = version_compare(WC_VERSION, '3.0', '<') ? $order->id : $order->get_id();
if (isset($_POST['angelleye_paypal_doreauthorization_transaction_dropdown']) && !empty($_POST['angelleye_paypal_doreauthorization_transaction_dropdown'])) {
- $transaction_id = $_POST['angelleye_paypal_doreauthorization_transaction_dropdown'];
+ $transaction_id = wc_clean($_POST['angelleye_paypal_doreauthorization_transaction_dropdown']);
} else {
$old_wc = version_compare(WC_VERSION, '3.0', '<');
$transaction_id = $old_wc ? get_post_meta($order_id, '_first_transaction_id', true) : get_post_meta($order->get_id(), '_first_transaction_id', true);
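Review bot: As with DoVoid, the reauthorization transaction ID is only text-sanitised, not validated as belonging to `$order`; `wc_clean()` does not prevent an arbitrary transaction ID from being submitted via the dropdown field. Compare the POSTed value with the transaction IDs stored on the order before building the request, e.g. `if (!in_array($transaction_id, $known_ids, true)) { return; }`. call_do_reauthorization continues outside the hunk.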
@@ -654,7 +654,7 @@ public function call_do_authorization($order) {
if (isset($transaction_id) && !empty($transaction_id)) {
$DRFields = array(
'TRANSACTIONID' => $transaction_id, // Required. The value of a previously authorized transaction ID returned by PayPal.
- 'AMT' => self::number_format($_POST['_regular_price']), // Required. Must have two decimal places. Decimal separator must be a period (.) and optional thousands separator must be a comma (,)
+ 'AMT' => self::number_format(wc_clean( wp_unslash( $_POST['_regular_price']))), // Required. Must have two decimal places. Decimal separator must be a period (.) and optional thousands separator must be a comma (,)
'CURRENCYCODE' => version_compare(WC_VERSION, '3.0', '<') ? $order->get_order_currency() : $order->get_currency()
);
$PayPalRequestData = array('DAFields' => $DRFields);
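Review bot: Unlike the capture paths at L8 and L43, this hunk reads `$_POST['_regular_price']` with no `isset`/`!empty` guard, so a request without that field raises an undefined-index notice and sends `AMT => 0.00` to DoAuthorization. Guard it before building `$DRFields`, e.g. `if (empty($_POST['_regular_price'])) { return; }`, and normalise with `wc_format_decimal()` rather than `wc_clean()` so a non-numeric string cannot become a silent zero amount. call_do_authorization starts and ends outside the hunk.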
@@ -1705,7 +1705,7 @@ public function call_paypal_pro_payflow_docapture($order, $transaction_id, $capt
$order_id = version_compare(WC_VERSION, '3.0', '<') ? $order->id : $order->get_id();
if( !empty($_POST['_regular_price'])) {
- $AMT = self::number_format($_POST['_regular_price']);
+ $AMT = self::number_format(wc_clean( wp_unslash( $_POST['_regular_price'])));
} elseif ($capture_total == null) {
$AMT = $this->get_amount_by_transaction_id($transaction_id);
} else {
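Review bot: Same concern as the Express capture path: `wc_clean()` is a text sanitiser, not a number check, so the Payflow capture amount should go through `wc_format_decimal(wp_unslash($_POST['_regular_price']))` and be rejected when not numeric before `self::number_format()` is applied. A thousands-separated or garbage value otherwise becomes a wrong AMT rather than an error. call_paypal_pro_payflow_docapture continues outside the hunk.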
@@ -1757,7 +1757,7 @@ public function call_paypal_pro_payflow_do_void($order) {
$this->ec_add_log('DoVoid API call');
$order_id = version_compare(WC_VERSION, '3.0', '<') ? $order->id : $order->get_id();
if (isset($_POST['angelleye_paypal_dovoid_transaction_dropdown']) && !empty($_POST['angelleye_paypal_dovoid_transaction_dropdown'])) {
- $transaction_id = $_POST['angelleye_paypal_dovoid_transaction_dropdown'];
+ $transaction_id = wc_clean($_POST['angelleye_paypal_dovoid_transaction_dropdown']);
} else {
$old_wc = version_compare(WC_VERSION, '3.0', '<');
$transaction_id = $old_wc ? get_post_meta($order_id, '_first_transaction_id', true) : get_post_meta($order->get_id(), '_first_transaction_id', true);
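Review bot: This Payflow DoVoid path has the same gap as the Express one: the dropdown transaction ID is sanitised but never confirmed to be one of this order's transactions. Validate against the order's stored IDs before use, e.g. `if (!in_array($transaction_id, $known_ids, true)) { return; }`. call_paypal_pro_payflow_do_void continues outside the hunk.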
diff --git a/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-helper-angelleye.php b/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-helper-angelleye.php
index de58651ec..883332888 100644
--- a/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-helper-angelleye.php
+++ b/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-helper-angelleye.php
@@ -230,7 +230,7 @@ public function angelleye_paypal_express_checkout_redirect_to_paypal($data, $err
}
if (empty($_POST['woocommerce_checkout_update_totals']) && 0 === $notice_count) {
try {
- WC()->session->set('post_data', $_POST);
+ WC()->session->set('post_data', wp_slash($_POST));
if (isset($_POST['payment_method']) && 'paypal_express' === $_POST['payment_method'] && $this->function_helper->ec_notice_count('error') == 0) {
$this->function_helper->ec_redirect_after_checkout();
}
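Review bot: `wp_slash($_POST)` on L67 double-escapes: WordPress already adds slashes to `$_POST` at bootstrap, and the same session key is written with `wp_unslash($_POST)` at L461, so readers of `post_data` (L76, L148-L160) see different slashing depending on which path populated it. Store the unslashed form consistently, `WC()->session->set('post_data', wp_unslash($_POST));`, so a later `wc_clean()` is sufficient and the `stripslashes()` at L152 becomes unnecessary. angelleye_paypal_express_checkout_redirect_to_paypal starts and ends outside the hunk.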
@@ -308,7 +308,7 @@ public function ec_set_checkout_post_data() {
}
}
$post_data = WC()->session->get('post_data');
- $_POST['order_comments'] = isset($post_data['order_comments']) ? $post_data['order_comments'] : '';
+ $_POST['order_comments'] = isset($post_data['order_comments']) ? wc_clean($post_data['order_comments']) : '';
if (!empty($post_data)) {
foreach ($post_data as $key => $value) {
if (!empty($value)) {
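Review bot: `wc_clean()` (sanitize_text_field) strips newlines, so the customer's multi-line order note is flattened when it is pushed back into `$_POST['order_comments']`; WooCommerce sanitises this field with `wc_sanitize_textarea()`. Use `wc_sanitize_textarea(wp_unslash($post_data['order_comments']))` instead, and note that the foreach starting on L78 copies every other session key into `$_POST` without any equivalent sanitisation. ec_set_checkout_post_data continues outside the hunk.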
@@ -319,11 +319,11 @@ public function ec_set_checkout_post_data() {
if ($this->angelleye_is_need_to_set_billing_address() == false) {
$shipping_details = $this->ec_get_session_data('shipping_details');
if (!empty($shipping_details)) {
- $_POST['billing_first_name'] = $shipping_details['first_name'];
- $_POST['billing_last_name'] = $shipping_details['last_name'];
+ $_POST['billing_first_name'] = !empty($shipping_details['first_name']) ? wc_clean($shipping_details['first_name']) : '';
+ $_POST['billing_last_name'] = !empty($shipping_details['last_name']) ? wc_clean($shipping_details['last_name']) : '';
$_POST['billing_company'] = !empty($shipping_details['company']) ? wc_clean(stripslashes($shipping_details['company'])) : '';
- $_POST['billing_email'] = $shipping_details['email'];
- $_POST['billing_phone'] = $shipping_details['phone'];
+ $_POST['billing_email'] = !empty($shipping_details['email']) ? wc_clean($shipping_details['email']) : '';
+ $_POST['billing_phone'] = !empty($shipping_details['phone']) ? wc_clean($shipping_details['phone']) : '';
}
}
}
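Review bot: The billing email on L91 is only text-sanitised; `wc_clean()` does not validate an address, so an invalid value from the session still lands in `$_POST['billing_email']` and the checkout field. Use `sanitize_email()` and drop it when `is_email()` fails, e.g. `$_POST['billing_email'] = !empty($shipping_details['email']) && is_email($shipping_details['email']) ? sanitize_email($shipping_details['email']) : '';`. Only `billing_company` (L88) applies `stripslashes()`; the other four fields do not, so the slashing treatment of `shipping_details` should be made uniform.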
@@ -836,7 +836,7 @@ public function angelleye_ajax_generate_cart() {
wp_die(__('Cheatin’ huh?', 'paypal-for-woocommerce'));
}
WC()->shipping->reset_shipping();
- $product_id = $_POST['product_id'];
+ $product_id = absint( wp_unslash( $_POST['product_id']));
$url = esc_url_raw(add_query_arg('pp_action', 'set_express_checkout', add_query_arg('wc-api', 'WC_Gateway_PayPal_Express_AngellEYE', home_url('/'))));
if (!empty($_POST['wc-paypal_express-new-payment-method']) && $_POST['wc-paypal_express-new-payment-method'] == 'true') {
$url = add_query_arg('ec_save_to_account', 'true', $url);
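Review bot: `absint(wp_unslash($_POST['product_id']))` is read without an `isset` guard, so a request missing the field raises a notice and yields `0`, which then flows into the product lookup. Guard and bail early: `$product_id = isset($_POST['product_id']) ? absint(wp_unslash($_POST['product_id'])) : 0; if (!$product_id) { wp_die(); }`. angelleye_ajax_generate_cart continues outside the hunk.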
@@ -854,7 +854,7 @@ public function angelleye_ajax_generate_cart() {
if ($product->is_type('variable')) {
$attributes = array_map('wc_clean', json_decode(stripslashes($_POST['attributes']), true));
if(!empty($_POST['variation_id'])) {
- $variation_id = $_POST['variation_id'];
+ $variation_id = absint( wp_unslash( $_POST['variation_id'] ) );
} else {
if (version_compare(WC_VERSION, '3.0', '<')) {
$variation_id = $product->get_matching_variation($attributes);
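Review bot: `absint()` makes `variation_id` numeric but does not tie it to `$product`; a POSTed variation ID from another product would still be accepted unless a later step checks the parent. After the lookup, verify the relation, e.g. `if ($variation_id && wp_get_post_parent_id($variation_id) !== $product_id) { $variation_id = 0; }`. Note also that `json_decode()` on L107 can return null, which `array_map()` rejects on PHP 8. angelleye_ajax_generate_cart continues outside the hunk.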
diff --git a/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-request-angelleye.php b/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-request-angelleye.php
index 5481f2715..c159bb33f 100644
--- a/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-request-angelleye.php
+++ b/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-request-angelleye.php
@@ -152,7 +152,7 @@ public function angelleye_redirect_action($url) {
$query_str = parse_url($url, PHP_URL_QUERY);
parse_str($query_str, $query_params);
wp_send_json(array(
- 'token' => $query_params['token']
+ 'token' => wc_clean($query_params['token'])
));
exit();
}
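Review bot: `$query_params['token']` is read without checking the key exists; `parse_str()` produces no such key when the URL has no token, so this emits a notice and sends `"token": null`. Use `'token' => isset($query_params['token']) ? wc_clean($query_params['token']) : ''`. `wp_send_json()` JSON-encodes the value, so `wc_clean()` here is a convenience rather than output escaping. angelleye_redirect_action starts outside the hunk.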
@@ -241,7 +241,7 @@ public function angelleye_get_express_checkout_details() {
if ($this->angelleye_ec_force_to_display_checkout_page()) {
if ($this->angelleye_ec_force_to_display_checkout_page()) {
if (!empty($_GET['pay_for_order']) && $_GET['pay_for_order'] == true && !empty($_GET['key'])) {
- WC()->session->set('order_awaiting_payment', $_GET['order_id']);
+ WC()->session->set('order_awaiting_payment', absint( wp_unslash( $_GET['order_id'] ) ) ) ;
} else {
$this->angelleye_wp_safe_redirect(wc_get_checkout_url(), 'get_express_checkout_details');
}
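Review bot: The order ID is coerced with `absint()` but nothing in this hunk checks that `$_GET['key']` is the order key for that order, so an arbitrary order can be placed into `order_awaiting_payment`; `!empty($_GET['key'])` only confirms presence. Validate before setting the session, e.g. `$order = wc_get_order($order_id); if (!$order || !$order->key_is_valid(wc_clean(wp_unslash($_GET['key'])))) { redirect; }`. The loose `$_GET['pay_for_order'] == true` on L130 is also true for any non-empty string. angelleye_get_express_checkout_details starts and ends outside the hunk.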
@@ -592,7 +592,7 @@ public function angelleye_set_express_checkout_request() {
'utm_nooverride' => 1
), WC()->api_request_url('WC_Gateway_PayPal_Express_AngellEYE')));
}
- WC()->session->set('order_awaiting_payment', $order_id);
+ WC()->session->set('order_awaiting_payment', absint( wp_unslash( $order_id) ) );
} else {
$this->cart_param = $this->gateway_calculation->cart_calculation();
$order_total = WC()->cart->total;
@@ -703,13 +703,13 @@ public function angelleye_set_express_checkout_request() {
$Payment['shiptoname'] = wc_clean(stripslashes($shiptoname));
}
- $Payment['shiptostreet'] = !empty($post_data['billing_address_1']) ? $post_data['billing_address_1'] : '';
- $Payment['shiptostreet2'] = !empty($post_data['billing_address_2']) ? $post_data['billing_address_2'] : '';
+ $Payment['shiptostreet'] = !empty($post_data['billing_address_1']) ? wc_clean($post_data['billing_address_1']) : '';
+ $Payment['shiptostreet2'] = !empty($post_data['billing_address_2']) ? wc_clean($post_data['billing_address_2']) : '';
$Payment['shiptocity'] = !empty($post_data['billing_city']) ? wc_clean(stripslashes($post_data['billing_city'])) : '';
- $Payment['shiptostate'] = !empty($post_data['billing_state']) ? $post_data['billing_state'] : '';
- $Payment['shiptozip'] = !empty($post_data['billing_postcode']) ? $post_data['billing_postcode'] : '';
- $Payment['shiptocountrycode'] = !empty($post_data['billing_country']) ? $post_data['billing_country'] : '';
- $Payment['shiptophonenum'] = !empty($post_data['billing_phone']) ? $post_data['billing_phone'] : '';
+ $Payment['shiptostate'] = !empty($post_data['billing_state']) ? wc_clean($post_data['billing_state']) : '';
+ $Payment['shiptozip'] = !empty($post_data['billing_postcode']) ? wc_clean($post_data['billing_postcode']) : '';
+ $Payment['shiptocountrycode'] = !empty($post_data['billing_country']) ? wc_clean($post_data['billing_country']) : '';
+ $Payment['shiptophonenum'] = !empty($post_data['billing_phone']) ? wc_clean($post_data['billing_phone']) : '';
}
} elseif (is_user_logged_in()) {
if (version_compare(WC_VERSION, '3.0', '<')) {
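Review bot: The slashing treatment of `$post_data` is inconsistent in this hunk: `shiptocity` (L152) applies `stripslashes()` while the new `shiptostreet`, `shiptostate` and `shiptozip` lines do not, so with `post_data` stored via `wp_slash()` at L67 a street like `O'Connor Rd` reaches PayPal as `O\'Connor Rd`. Either unslash once when `post_data` is read or apply the same `wc_clean(stripslashes(...))` form to every field. angelleye_set_express_checkout_request starts and ends outside the hunk.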
@@ -1272,7 +1272,7 @@ public function DoReferenceTransaction($order_id) {
$PayPalRequestData = array();
$referenceid = get_post_meta($order_id, '_payment_tokens_id', true);
if (!empty($_POST['wc-paypal_express-payment-token'])) {
- $token_id = $_POST['wc-paypal_express-payment-token'];
+ $token_id = wc_clean($_POST['wc-paypal_express-payment-token']);
$token = WC_Payment_Tokens::get($token_id);
$referenceid = $token->get_token();
}
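Review bot: `WC_Payment_Tokens::get($token_id)` can return null, and nothing here checks that the token belongs to the current customer, so L171 can fatal on a bad ID or use another user's saved token as the reference transaction. Add an ownership check before use: `if (!$token || (int) $token->get_user_id() !== get_current_user_id()) { return; }`. `wc_clean()` on L169 only sanitises the string; it does not provide that authorisation. DoReferenceTransaction continues outside the hunk.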
diff --git a/classes/lib/angelleye/paypal-php-library/includes/paypal.nvp.callback.php b/classes/lib/angelleye/paypal-php-library/includes/paypal.nvp.callback.php
deleted file mode 100644
index 95287cc26..000000000
--- a/classes/lib/angelleye/paypal-php-library/includes/paypal.nvp.callback.php
+++ /dev/null
@@ -1,125 +0,0 @@
-
- *
- * @package Angell_EYE_PayPal_Class_Library
- * @author Andrew K. Angell
- * @copyright Copyright © 2014 Angell EYE, LLC
- * @link https://github.com/angelleye/PayPal-PHP-Library
- * @website http://www.angelleye.com
- * @since Version 1.52
- * @updated 01.14.2014
- * @filesource
-*/
-
-/*
- * This is a bare-bones template for building a callback listener for PayPal Express Checkout.
- * If you include the CALLBACK parameters in your SetExpressCheckout request, this is what you
- * you would setup as your callback URL. PayPal will hit your callback URL with address and item details
- * from the Express Checkout review page in order to populate their screen with shipping and sales tax
- * information that you pass back from this service.
- *
- * This allows you to build real-time shipping and tax calculations into Express Checkout
- * so that you won't need to display another review page on your own site.
-*/
-error_reporting(E_ALL);
-ini_set('display_errors', '1');
-
-require_once('../includes/config.php');
-require_once('paypal.class.php');
-
-// Configure PayPal object
-$paypal_config = array('Sandbox' => $sandbox);
-$paypal = new Angelleye_PayPal($paypal_config);
-
-// Receive data from PayPal and load varaibles accordingly.
-$method = isset($_POST['METHOD']) ? $_POST['METHOD'] : '';
-$token = isset($_POST['TOKEN']) ? $_POST['TOKEN'] : '';
-$currency_code = isset($_POST['CURRENCYCODE']) ? $_POST['CURRENCYCODE'] : '';
-$local_code = isset($_POST['LOCALECODE']) ? $_POST['LOCALECODE'] : '';
-
-$order_items = $paypal->GetOrderItems($_POST);
-$shipping_street = isset($_POST['SHIPTOSTREET']) ? $_POST['SHIPTOSTREET'] : '';
-$shipping_street2 = isset($_POST['SHIPTOSTREET2']) ? $_POST['SHIPTOSTREET2'] : '';
-$shipping_city = isset($_POST['SHIPTOCITY']) ? $_POST['SHIPTOCITY'] : '';
-$shipping_state = isset($_POST['SHIPTOSTATE']) ? $_POST['SHIPTOSTATE'] : '';
-$shipping_zip = isset($_POST['SHIPTOZIP']) ? $_POST['SHIPTOZIP'] : '';
-$shipping_country_code = isset($_POST['SHIPTOCOUNTRY']) ? $_POST['SHIPTOCOUNTRY'] : '';
-
-// Here, we may setup static shipping and tax options, or we could hit a 3rd party
-// web service API (eg. UPS, FedEx, USPS) to gather rates in real-time.
-//
-//
-//
-
-// Now we can generate a response for PayPal based on our new shipping values we got back from our carrier API.
-$CBFields = array();
-
-// Gather shipping options. If you're pulling rates from a carrier API you would be looping through
-// their response in order to populate $ShippingOptions. Here, we're doing it manually for sample purposes.
-$ShippingOptions = array();
-$Option = array(
- 'l_shippingoptionisdefault' => 'true', // Shipping option. Required if specifying the Callback URL. true or false. Must be only 1 default!
- 'l_shippingoptionname' => 'UPS', // Shipping option name. Required if specifying the Callback URL. 50 character max.
- 'l_shipingpoptionlabel' => 'UPS', // Shipping option label. Required if specifying the Callback URL. 50 character max.
- 'l_shippingoptionamount' => '5.00', // Shipping option amount. Required if specifying the Callback URL.
- 'l_taxamt' => '0.00', // New tax amount based on this shipping option and address.
- 'l_insuranceamount' => '1.00' // New insurance amount based on this shipping option and address.
- );
-array_push($ShippingOptions, $Option);
-
-$Option = array(
- 'l_shippingoptionisdefault' => 'false', // Shipping option. Required if specifying the Callback URL. true or false. Must be only 1 default!
- 'l_shippingoptionname' => 'UPS', // Shipping option name. Required if specifying the Callback URL. 50 character max.
- 'l_shipingpoptionlabel' => 'UPS', // Shipping option label. Required if specifying the Callback URL. 50 character max.
- 'l_shippingoptionamount' => '20.00', // Shipping option amount. Required if specifying the Callback URL.
- 'l_taxamt' => '0.00', // New tax amount based on this shipping option and address.
- 'l_insuranceamount' => '1.00' // New insurance amount based on this shipping option and address.
- );
-array_push($ShippingOptions, $Option);
-
-$callback_data_request_array = array(
- 'CBFields' => $CBFields,
- 'ShippingOptions' => $ShippingOptions
- );
-
-// Now we pass the data into the class library which will return an NVP string
-$callback_data_response = $paypal->CallbackResponse($callback_data_request_array);
-
-// Gather the request data that PayPal sent us in case we need to log it somehow to see what's available.
-$request_content = '';
-foreach($_POST as $var => $val)
-{
- $request_content .= '&' . $var . '=' . urldecode($val);
-}
-
-// Pass the shipping/tax data into the library to obtain an NVP string that we'll
-// simply output as a web service response back to PayPal.
-$response_content_body = '';
-$response_content = $paypal->NVPToArray($callback_data_response);
-foreach($response_content as $var => $val)
-{
- $response_content_body .= $var . ': ' . urldecode($val) . '
';
-}
-
-echo $callback_data_response;
-?>
\ No newline at end of file
diff --git a/classes/wc-gateway-braintree-angelleye.php b/classes/wc-gateway-braintree-angelleye.php
index f6d88650a..6bbb4e907 100644
--- a/classes/wc-gateway-braintree-angelleye.php
+++ b/classes/wc-gateway-braintree-angelleye.php
@@ -1244,7 +1244,7 @@ public function payment_scripts() {
}
public static function get_posted_variable($variable, $default = '') {
- return ( isset($_POST[$variable]) ? $_POST[$variable] : $default );
+ return ( isset($_POST[$variable]) ? wc_clean($_POST[$variable]) : $default );
}
function get_transaction_url($order) {
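Review bot: `wc_clean()` is applied without `wp_unslash()`, so callers of `get_posted_variable()` still receive the backslashes WordPress adds to `$_POST`, which will end up in card-holder names and addresses sent to the gateway. Use `wc_clean(wp_unslash($_POST[$variable]))`; `wc_clean()` handles arrays recursively, so the helper remains usable for array fields.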
diff --git a/classes/wc-gateway-calculations-angelleye.php b/classes/wc-gateway-calculations-angelleye.php
index a6238dd76..8f215b971 100644
--- a/classes/wc-gateway-calculations-angelleye.php
+++ b/classes/wc-gateway-calculations-angelleye.php
@@ -436,14 +436,4 @@ public function angelleye_disable_line_item() {
}
}
-
-
-
-
-
-
-
-
-
-
endif;
\ No newline at end of file
diff --git a/classes/wc-gateway-paypal-advanced-angelleye.php b/classes/wc-gateway-paypal-advanced-angelleye.php
index 16616f4f7..3644618c8 100644
--- a/classes/wc-gateway-paypal-advanced-angelleye.php
+++ b/classes/wc-gateway-paypal-advanced-angelleye.php
@@ -6,7 +6,6 @@ class WC_Gateway_PayPal_Advanced_AngellEYE extends WC_Payment_Gateway {
public function __construct() {
$this->id = 'paypal_advanced';
-
$this->has_fields = true;
$this->home_url = is_ssl() ? home_url('/', 'https') : home_url('/'); //set the urls (cancel or return) based on SSL
$this->testurl = 'https://pilot-payflowpro.paypal.com';
@@ -165,7 +164,7 @@ public function inquiry_transaction($order, $order_id) {
'VENDOR' => $this->loginid,
'PARTNER' => $this->resellerid,
'PWD[' . strlen($this->password) . ']' => $this->password,
- 'ORIGID' => $_POST['PNREF'],
+ 'ORIGID' => wc_clean($_POST['PNREF']),
'TENDER' => 'C',
'TRXTYPE' => 'I',
'BUTTONSOURCE' => 'AngellEYE_SP_WooCommerce'
@@ -218,7 +217,7 @@ public function inquiry_transaction($order, $order_id) {
private function success_handler($order, $order_id, $silent_post) {
$old_wc = version_compare(WC_VERSION, '3.0', '<');
$_secure_token = $old_wc ? get_post_meta($order->id, '_secure_token', true) : get_post_meta($order->get_id(), '_secure_token', true);
- if ($_secure_token == $_REQUEST['SECURETOKEN']) {
+ if (!empty($_REQUEST['SECURETOKEN']) && $_secure_token == $_REQUEST['SECURETOKEN']) {
if ($this->debug == 'yes') {
$this->log->add('paypal_advanced', __('Relay Response Tokens Match', 'paypal-for-woocommerce'));
}
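Review bot: The relay-response token check on L340 still uses loose `==`, so a stored token and a submitted value that PHP treats as equal numeric strings (e.g. `1e3` vs `1000`) compare as equal, and the comparison is not constant-time. Use `hash_equals((string) $_secure_token, (string) wp_unslash($_REQUEST['SECURETOKEN']))` inside the `!empty` guard. success_handler continues outside the hunk.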
@@ -240,7 +239,7 @@ private function success_handler($order, $order_id, $silent_post) {
// Handle response
if ($inq_result == 'Approved') {//if approved
// Payment complete
- $this->save_payment_token($order, $_POST['PNREF']);
+ $this->save_payment_token($order, wc_clean($_POST['PNREF']));
do_action('before_save_payment_token', $order_id);
$old_wc = version_compare(WC_VERSION, '3.0', '<');
@@ -251,12 +250,12 @@ private function success_handler($order, $order_id, $silent_post) {
} else {
$customer_id = get_current_user_id();
}
- $TRANSACTIONID = $_POST['PNREF'];
+ $TRANSACTIONID = wc_clean($_POST['PNREF']);
$token = new WC_Payment_Token_CC();
$token->set_token($TRANSACTIONID);
$token->set_gateway_id($this->id);
$token->set_card_type('PayPal');
- $token->set_last4($_POST['ACCT']);
+ $token->set_last4(wc_clean($_POST['ACCT']));
$token->set_expiry_month(date('m'));
$token->set_expiry_year(date('Y', strtotime('+1 year')));
$token->set_user_id($customer_id);
@@ -270,7 +269,7 @@ private function success_handler($order, $order_id, $silent_post) {
}
}
- $order->payment_complete($_POST['PNREF']);
+ $order->payment_complete(wc_clean($_POST['PNREF']));
// Remove cart
WC()->cart->empty_cart();
@@ -302,7 +301,7 @@ private function error_handler($order, $order_id, $silent_post) {
// 12-0 messages
wc_clear_notices();
// Add error
- wc_add_notice(__('Error:', 'paypal-for-woocommerce') . ' "' . urldecode($_POST['RESPMSG']) . '"', 'error');
+ wc_add_notice(__('Error:', 'paypal-for-woocommerce') . ' "' . urldecode(wc_clean($_POST['RESPMSG'])) . '"', 'error');
//redirect to the checkout page, if not silent post
if ($silent_post === false) {
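Review bot: The sanitisation order on L379 is inverted: `wc_clean()` runs before `urldecode()`, so a percent-encoded `%3Cscript%3E` in RESPMSG survives the tag strip and is decoded afterward into the notice text. Decode first, then sanitise: `urldecode` inside, i.e. `wc_clean(urldecode(wp_unslash($_POST['RESPMSG'])))`, and guard the field with `isset` since it may be absent. error_handler continues outside the hunk.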
@@ -335,7 +334,7 @@ private function cancel_handler($order, $order_id) {
private function decline_handler($order, $order_id, $silent_post) {
- $order->update_status('failed', __('Payment failed via PayPal Advanced because of.', 'paypal-for-woocommerce') . ' ' . $_POST['RESPMSG']);
+ $order->update_status('failed', __('Payment failed via PayPal Advanced because of.', 'paypal-for-woocommerce') . ' ' . wc_clean($_POST['RESPMSG']));
if ($this->debug == 'yes') {
$this->log->add('paypal_advanced', sprintf(__('Status has been changed to failed for order %s', 'paypal-for-woocommerce'), $order->get_order_number()));
@@ -363,9 +362,9 @@ public function relay_response() {
//log the event
if ($silent_post === true) {
- $this->add_log(sprintf(__('Silent Relay Response Triggered: %s', 'paypal-for-woocommerce'), print_r($_REQUEST, true)));
+ $this->add_log(sprintf(__('Silent Relay Response Triggered: %s', 'paypal-for-woocommerce'), print_r(wp_unslash($_REQUEST, true))));
} else {
- $this->add_log(sprintf(__('Relay Response Triggered: %s', 'paypal-for-woocommerce'), print_r($_REQUEST, true)));
+ $this->add_log(sprintf(__('Relay Response Triggered: %s', 'paypal-for-woocommerce'), print_r(wp_unslash($_REQUEST, true))));
}
//if valid request
if (!isset($_REQUEST['INVOICE'])) { // Redirect to homepage, if any invalid request or hack
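Review bot: The `true` argument on L392 and L395 is now passed to `wp_unslash()` instead of `print_r()`, so `print_r()` echoes the whole request into the HTTP response and returns `true`, leaving the log line as "Relay Response Triggered: 1". Restore the return flag: `print_r(wp_unslash($_REQUEST), true)`. Separately, this dumps every relay field into the log; if ACCT carries account data as L362-L363 suggests, the sensitive keys should be masked before logging. relay_response continues outside the hunk.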
@@ -376,7 +375,7 @@ public function relay_response() {
}
}
// get Order ID
- $order_id = $_REQUEST['USER1'];
+ $order_id = absint( wp_unslash( $_REQUEST['USER1']));
// Create order object
$order = new WC_Order($order_id);
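Review bot: `absint()` turns a missing or non-numeric USER1 into `0`, and `new WC_Order(0)` on L406 throws rather than returning a usable object. Bail out when the ID is zero or the order does not load, e.g. `$order = wc_get_order($order_id); if (!$order) { wp_safe_redirect(home_url('/')); exit; }`. relay_response starts and ends outside the hunk.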
@@ -442,7 +441,7 @@ public function get_secure_token($order) {
static $length_error = 0;
$this->add_log(sprintf(__('Requesting for the Secured Token for the order %s', 'paypal-for-woocommerce'), $order->get_order_number()));
// Generate unique id
- $this->secure_token_id = uniqid(substr($_SERVER['HTTP_HOST'], 0, 9), true);
+ $this->secure_token_id = uniqid(substr(sanitize_text_field( wp_unslash($_SERVER['HTTP_HOST'])), 0, 9), true);
// Prepare paypal_ars array to pass to paypal to generate the secure token
$paypal_args = array();
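Review bot: `HTTP_HOST` is client-controlled and `uniqid()` is time-based, so the sanitised host prefix adds no unpredictability to `secure_token_id`; sanitising it only stops odd characters from reaching the request. If the identifier needs to be hard to guess rather than merely unique, derive it from a random source, e.g. `$this->secure_token_id = wp_generate_password(32, false);`; if PayPal's returned SECURETOKEN is the only secret, a comment stating that would prevent the next reader from assuming otherwise. get_secure_token continues outside the hunk.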
diff --git a/classes/wc-gateway-paypal-express-angelleye.php b/classes/wc-gateway-paypal-express-angelleye.php
index f8fbe5a8e..95c1d530a 100644
--- a/classes/wc-gateway-paypal-express-angelleye.php
+++ b/classes/wc-gateway-paypal-express-angelleye.php
@@ -1238,7 +1238,7 @@ public function process_subscription_payment($order_id) {
require_once( PAYPAL_FOR_WOOCOMMERCE_PLUGIN_DIR . '/angelleye-includes/express-checkout/class-wc-gateway-paypal-express-request-angelleye.php' );
$paypal_express_request = new WC_Gateway_PayPal_Express_Request_AngellEYE($this);
$result = $paypal_express_request->DoReferenceTransaction($order_id);
- if ($result['ACK'] == 'Success' || $result['ACK'] == 'SuccessWithWarning') {
+ if (!empty($result['ACK']) && $result['ACK'] == 'Success' || $result['ACK'] == 'SuccessWithWarning') {
$paypal_express_request->update_payment_status_by_paypal_responce($order_id, $result);
return array(
'result' => 'success',
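Review bot: Operator precedence defeats the new guard on L424: `&&` binds tighter than `||`, so when `ACK` is absent the right-hand `$result['ACK'] == 'SuccessWithWarning'` is still evaluated and still emits the undefined-index notice. Parenthesise or use a strict membership test: `if (!empty($result['ACK']) && in_array($result['ACK'], array('Success', 'SuccessWithWarning'), true)) {`. process_subscription_payment continues outside the hunk.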
@@ -1256,8 +1256,7 @@ public function process_payment($order_id) {
try {
if (!empty($_POST['wc-paypal_express-payment-token']) && $_POST['wc-paypal_express-payment-token'] != 'new') {
$result = $this->angelleye_ex_doreference_transaction($order_id);
- if ($result['ACK'] == 'Success' || $result['ACK'] == 'SuccessWithWarning') {
- $_POST = WC()->session->get( 'post_data' );
+ if (!empty($result['ACK']) && $result['ACK'] == 'Success' || $result['ACK'] == 'SuccessWithWarning') {
$order->payment_complete($result['TRANSACTIONID']);
$order->add_order_note(sprintf(__('%s payment approved! Transaction ID: %s', 'paypal-for-woocommerce'), $this->title, $result['TRANSACTIONID']));
WC()->cart->empty_cart();
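Review bot: The same precedence problem as in process_subscription_payment appears on L434: the `!empty($result['ACK'])` guard only protects the first comparison, so a result without ACK still reads the undefined index in the `||` branch. Write it as `if (!empty($result['ACK']) && in_array($result['ACK'], array('Success', 'SuccessWithWarning'), true)) {`. `$result['TRANSACTIONID']` on L435-L436 is also used without a presence check. process_payment continues outside the hunk.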
@@ -1276,7 +1275,7 @@ public function process_payment($order_id) {
} else {
if( empty($_POST['shipping_country'] ) ) {
$paypal_express_checkout = WC()->session->get( 'paypal_express_checkout' );
- $shipping_details = isset($paypal_express_checkout['shipping_details']) ? $paypal_express_checkout['shipping_details'] : array();
+ $shipping_details = isset($paypal_express_checkout['shipping_details']) ? wp_unslash($paypal_express_checkout['shipping_details']) : array();
AngellEYE_Utility::angelleye_set_address($order_id, $shipping_details, 'shipping');
}
}
@@ -1284,7 +1283,7 @@ public function process_payment($order_id) {
if ($this->billing_address && empty($post_data)) {
if( empty($_POST['billing_country'] ) ) {
$paypal_express_checkout = WC()->session->get( 'paypal_express_checkout' );
- $shipping_details = isset($paypal_express_checkout['shipping_details']) ? $paypal_express_checkout['shipping_details'] : array();
+ $shipping_details = isset($paypal_express_checkout['shipping_details']) ? wp_unslash($paypal_express_checkout['shipping_details']) : array();
AngellEYE_Utility::angelleye_set_address($order_id, $shipping_details, 'billing');
}
}
@@ -1314,7 +1313,7 @@ public function process_payment($order_id) {
if (isset($_POST['terms']) && wc_get_page_id('terms') > 0) {
WC()->session->set( 'paypal_express_terms', true );
}
- WC()->session->set( 'post_data', $_POST);
+ WC()->session->set( 'post_data', wp_unslash($_POST));
$_GET['pp_action'] = 'set_express_checkout';
$this->handle_wc_api();
}
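Review bot: `wp_unslash($_POST)` here stores the `post_data` session key in unslashed form, while the redirect path at L67 in the express helper stores `wp_slash($_POST)` under the same key, so downstream readers cannot know which form they get. Pick one representation for the session value (unslashed is the WooCommerce convention) and use it at both write sites. process_payment starts and ends outside the hunk.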
@@ -1516,7 +1515,7 @@ public function handle_wc_api() {
AngellEYE_Utility::angelleye_set_address($order_id, $billing_address, 'billing');
}
$paypal_express_checkout = WC()->session->get( 'paypal_express_checkout' );
- $shipping_details = isset($paypal_express_checkout['shipping_details']) ? $paypal_express_checkout['shipping_details'] : array();
+ $shipping_details = isset($paypal_express_checkout['shipping_details']) ? wp_unslash($paypal_express_checkout['shipping_details']) : array();
AngellEYE_Utility::angelleye_set_address($order_id, $shipping_details, 'shipping');
$order_id = version_compare(WC_VERSION, '3.0', '<') ? $order->id : $order->get_id();
if ($old_wc) {
@@ -1613,7 +1612,7 @@ public function add_payment_method() {
'Payments' => $Payments
);
$result = $this->paypal_express_checkout_token_request_handler($PayPalRequest, 'SetExpressCheckout');
- if ($result['ACK'] == 'Success') {
+ if (!empty($result['ACK']) && $result['ACK'] == 'Success') {
return array(
'result' => 'success',
'redirect' => $this->PAYPAL_URL . $result['TOKEN']
@@ -1651,13 +1650,9 @@ public function paypal_express_checkout_token_request_handler($PayPalRequest = a
}
if (!empty($_GET['method_name']) && $_GET['method_name'] == 'paypal_express') {
if ($_GET['action_name'] == 'SetExpressCheckout') {
- $PayPalResult = $PayPal->GetExpressCheckoutDetails($_GET['token']);
+ $PayPalResult = $PayPal->GetExpressCheckoutDetails(wc_clean($_GET['token']));
if ($PayPalResult['ACK'] == 'Success') {
- $data = array(
- 'METHOD' => 'CreateBillingAgreement',
- 'TOKEN' => $_GET['token']
- );
- $billing_result = $PayPal->CreateBillingAgreement($_GET['token']);
+ $billing_result = $PayPal->CreateBillingAgreement(wc_clean($_GET['token']));
if ($billing_result['ACK'] == 'Success') {
if (!empty($billing_result['BILLINGAGREEMENTID'])) {
$billing_agreement_id = $billing_result['BILLINGAGREEMENTID'];
diff --git a/classes/wc-gateway-paypal-pro-angelleye.php b/classes/wc-gateway-paypal-pro-angelleye.php
index ae98e37d2..a28c76d76 100644
--- a/classes/wc-gateway-paypal-pro-angelleye.php
+++ b/classes/wc-gateway-paypal-pro-angelleye.php
@@ -1187,7 +1187,7 @@ function do_payment($order, $card_number, $card_type, $card_exp_month, $card_exp
$order_id = version_compare( WC_VERSION, '3.0', '<' ) ? $order->id : $order->get_id();
$checkout_note = array(
'ID' => $order_id,
- 'post_excerpt' => $_POST['order_comments'],
+ 'post_excerpt' => wc_clean($_POST['order_comments']),
);
wp_update_post($checkout_note);
}
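Review bot: `wc_clean()` strips newlines, so multi-line customer notes saved to `post_excerpt` on L508 are collapsed to a single line; this is a textarea field and WooCommerce uses `wc_sanitize_textarea()` for it. Use `isset($_POST['order_comments']) ? wc_sanitize_textarea(wp_unslash($_POST['order_comments'])) : ''`, which also avoids the notice when the field is absent. do_payment starts and ends outside the hunk.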
diff --git a/classes/wc-gateway-paypal-pro-payflow-angelleye.php b/classes/wc-gateway-paypal-pro-payflow-angelleye.php
index dfce15015..0ff00a744 100644
--- a/classes/wc-gateway-paypal-pro-payflow-angelleye.php
+++ b/classes/wc-gateway-paypal-pro-payflow-angelleye.php
@@ -133,7 +133,7 @@ public function add_log($message, $level = 'info') {
$this->log->log($level,sprintf(__('PayPal for WooCommerce Version: %s', 'paypal-for-woocommerce'), VERSION_PFW),array('source' => 'paypal_pro_payflow'));
$this->log->log($level,sprintf(__('WooCommerce Version: %s', 'paypal-for-woocommerce'), WC_VERSION),array('source' => 'paypal_pro_payflow'));
$this->log->log($level,'Test Mode: ' . $this->testmode,array('source' => 'paypal_pro_payflow'));
- $this->log->log($level, $message, array('source' => 'paypal_pro_payflow'),array('source' => 'paypal_pro_payflow'));
+ $this->log->log($level, $message, array('source' => 'paypal_pro_payflow'));
}
}
}
@@ -722,7 +722,7 @@ function do_payment($order, $card_number, $card_exp, $card_csc) {
// Update post 37
$checkout_note = array(
'ID' => $order_id,
- 'post_excerpt' => $_POST['order_comments'],
+ 'post_excerpt' => wc_clean($_POST['order_comments']),
);
wp_update_post($checkout_note);
}
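Review bot: Same as the Pro gateway: `wc_clean()` on L530 flattens a multi-line order note and reads `$_POST['order_comments']` without a guard. Prefer `isset($_POST['order_comments']) ? wc_sanitize_textarea(wp_unslash($_POST['order_comments'])) : ''`. do_payment starts and ends outside the hunk.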
diff --git a/paypal-for-woocommerce.php b/paypal-for-woocommerce.php
index a5b0913f4..5b88c613e 100644
--- a/paypal-for-woocommerce.php
+++ b/paypal-for-woocommerce.php
@@ -848,13 +848,6 @@ public static function number_format( $price ) {
return number_format( $price, $decimals, '.', '' );
}
- public function angelleye_paypal_express_checkout_process_checkout_fields() {
- $this->set_session('checkout_form_post_data', serialize($_POST));
- }
-
- private function set_session($key, $value) {
- WC()->session->set( $key, $value );
- }
public function http_api_curl_ec_add_curl_parameter($handle, $r, $url ) {
$Force_tls_one_point_two = get_option('Force_tls_one_point_two', 'no');
if ( (strstr( $url, 'https://' ) && strstr( $url, '.paypal.com' )) && isset($Force_tls_one_point_two) && $Force_tls_one_point_two == 'yes' ) {
@@ -885,7 +878,7 @@ public function is_paypal_plus_plugin_active() {
}
public function wc_gateway_payment_token_api_parser() {
- if( !empty($_GET['do_action']) && $_GET['do_action'] = 'update_payment_method') {
+ if( !empty($_GET['do_action']) && $_GET['do_action'] == 'update_payment_method') {
if( !empty($_GET['method_name']) && $_GET['method_name'] == 'paypal_express') {
switch ($_GET['action_name']) {
case 'SetExpressCheckout':
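Review bot: The `=`→`==` fix on L555 means this branch now actually executes, which exposes that `$_GET['action_name']` on L557 is read without `isset` and that a GET request alone appears to drive a payment-method update; whether a nonce is verified inside the switch is not visible here. Guard the switch value, `switch (isset($_GET['action_name']) ? wc_clean(wp_unslash($_GET['action_name'])) : '')`, and confirm a nonce/user check precedes the state change. wc_gateway_payment_token_api_parser continues outside the hunk.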
@@ -903,8 +896,6 @@ public function wc_gateway_payment_token_api_parser() {
public function angelleye_express_checkout_decrypt_gateway_api($bool) {
$gateway_settings = AngellEYE_Utility::angelleye_get_pre_option($bool, 'woocommerce_paypal_express_settings');
- //$row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = %s LIMIT 1", 'woocommerce_paypal_express_settings' ) );
- //$gateway_settings = isset($row->option_value) ? maybe_unserialize($row->option_value) : array();
if( !empty($gateway_settings) && !empty($gateway_settings['is_encrypt'])) {
$gateway_settings_key_array = array('sandbox_api_username', 'sandbox_api_password', 'sandbox_api_signature', 'api_username', 'api_password', 'api_signature');
foreach ($gateway_settings_key_array as $gateway_setting_key => $gateway_settings_value) {
@@ -918,9 +909,6 @@ public function angelleye_express_checkout_decrypt_gateway_api($bool) {
}
}
public function angelleye_paypal_advanced_decrypt_gateway_api($bool) {
- //global $wpdb;
- //$row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = %s LIMIT 1", 'woocommerce_paypal_advanced_settings' ) );
- //$gateway_settings = isset($row->option_value) ? maybe_unserialize($row->option_value) : array();
$gateway_settings = AngellEYE_Utility::angelleye_get_pre_option($bool, 'woocommerce_paypal_advanced_settings');
if( !empty($gateway_settings) && !empty($gateway_settings['is_encrypt'])) {
$gateway_settings_key_array = array('loginid', 'resellerid', 'user', 'password');
@@ -935,9 +923,6 @@ public function angelleye_paypal_advanced_decrypt_gateway_api($bool) {
}
}
public function angelleye_paypal_credit_card_rest_decrypt_gateway_api($bool) {
- //global $wpdb;
- //$row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = %s LIMIT 1", 'woocommerce_paypal_credit_card_rest_settings' ) );
- //$gateway_settings = isset($row->option_value) ? maybe_unserialize($row->option_value) : array();
$gateway_settings = AngellEYE_Utility::angelleye_get_pre_option($bool, 'woocommerce_paypal_credit_card_rest_settings');
if( !empty($gateway_settings) && !empty($gateway_settings['is_encrypt'])) {
$gateway_settings_key_array = array('rest_client_id_sandbox', 'rest_secret_id_sandbox', 'rest_client_id', 'rest_secret_id');
@@ -952,9 +937,6 @@ public function angelleye_paypal_credit_card_rest_decrypt_gateway_api($bool) {
}
}
public function angelleye_paypal_pro_decrypt_gateway_api($bool) {
- //global $wpdb;
- //$row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = %s LIMIT 1", 'woocommerce_paypal_pro_settings' ) );
- //$gateway_settings = isset($row->option_value) ? maybe_unserialize($row->option_value) : array();
$gateway_settings = AngellEYE_Utility::angelleye_get_pre_option($bool, 'woocommerce_paypal_pro_settings');
if( !empty($gateway_settings) && !empty($gateway_settings['is_encrypt'])) {
$gateway_settings_key_array = array('sandbox_api_username', 'sandbox_api_password', 'sandbox_api_signature', 'api_username', 'api_password', 'api_signature');
@@ -969,9 +951,6 @@ public function angelleye_paypal_pro_decrypt_gateway_api($bool) {
}
}
public function angelleye_paypal_pro_payflow_decrypt_gateway_api($bool) {
- //global $wpdb;
- //$row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = %s LIMIT 1", 'woocommerce_paypal_pro_payflow_settings' ) );
- //$gateway_settings = isset($row->option_value) ? maybe_unserialize($row->option_value) : array();
$gateway_settings = AngellEYE_Utility::angelleye_get_pre_option($bool, 'woocommerce_paypal_pro_payflow_settings');
if( !empty($gateway_settings) && !empty($gateway_settings['is_encrypt'])) {
$gateway_settings_key_array = array('sandbox_paypal_vendor', 'sandbox_paypal_password', 'sandbox_paypal_user', 'sandbox_paypal_partner', 'paypal_vendor', 'paypal_password', 'paypal_user', 'paypal_partner');
@@ -1004,9 +983,6 @@ public function angelleye_express_checkout_woocommerce_enable_guest_checkout($bo
}
public function angelleye_braintree_decrypt_gateway_api($bool) {
- //global $wpdb;
- //$row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = %s LIMIT 1", 'woocommerce_braintree_settings' ) );
- //$gateway_settings = isset($row->option_value) ? maybe_unserialize($row->option_value) : array();
$gateway_settings = AngellEYE_Utility::angelleye_get_pre_option($bool, 'woocommerce_braintree_settings');
if( !empty($gateway_settings) && !empty($gateway_settings['is_encrypt'])) {
$gateway_settings_key_array = array('sandbox_public_key', 'sandbox_private_key', 'sandbox_merchant_id', 'public_key', 'private_key', 'merchant_id');
@@ -1044,7 +1020,7 @@ public function wp_paypal_paypal_marketing_solutions_express_checkout_save() {
if( !empty($_POST['action']) && $_POST['action'] == 'wp_paypal_paypal_marketing_solutions_express_checkout_save' ) {
if( !empty($_POST['cid_production']) ) {
$woocommerce_paypal_express_settings = get_option('woocommerce_paypal_express_settings');
- $woocommerce_paypal_express_settings['paypal_marketing_solutions_cid_production'] = $_POST['cid_production'];
+ $woocommerce_paypal_express_settings['paypal_marketing_solutions_cid_production'] = wc_clean($_POST['cid_production']);
update_option('woocommerce_paypal_express_settings', $woocommerce_paypal_express_settings);
}
}
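Review bot: The new line on the `+` side applies `wc_clean()` directly to `$_POST['cid_production']` without `wp_unslash()`, while the DoCapture hunk of this same commit uses `wc_clean( wp_unslash( ... ) )`; since WordPress slash-escapes `$_POST`, the stored value can gain backslashes, so `$woocommerce_paypal_express_settings['paypal_marketing_solutions_cid_production'] = wc_clean( wp_unslash( $_POST['cid_production'] ) );` is the consistent form. `wp_paypal_paypal_marketing_solutions_express_checkout_save()` starts before the hunk, so I cannot see whether a nonce (`check_admin_referer`) and capability check guard this write to the `woocommerce_paypal_express_settings` option; if not, they are needed before `update_option()`. `get_option()` returns `false` when the option is absent, and assigning an array key to `false` is deprecated in PHP 8.1, so `get_option('woocommerce_paypal_express_settings', array())` would avoid that case.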
diff --git a/template/admin.php b/template/admin.php
index d24c09dbc..75b7cf4e6 100644
--- a/template/admin.php
+++ b/template/admin.php
@@ -4,8 +4,8 @@
*/
?>