getdokan · shohag121 · Jul 8, 2024 · May 10, 2024 · May 10, 2024 · May 10, 2024
diff --git a/includes/Admin/Hooks.php b/includes/Admin/Hooks.php
@@ -96,7 +96,7 @@ class="dokan_product_author_override"
             data-minimum_input_length="0"
             data-data='<?php echo wp_json_encode( $user ); ?>'
         >
-        </select> <?php echo wc_help_tip( __( 'You can search vendors and assign them.', 'dokan-lite' ) ); ?>
+        </select> <?php echo wp_kses( wc_help_tip( esc_html__( 'You can search vendors and assign them.', 'dokan-lite' ) ), wp_kses_allowed_html( 'user_description' ) ); ?>
         <?php
     }
 
@@ -165,9 +165,9 @@ public function search_vendors() {
      *
      * @return void
      */
-    public function override_product_author_by_admin( $product_id, $post ) {
+    public function override_product_author_by_admin( $product_id ) {
         $product          = wc_get_product( $product_id );
-        $posted_vendor_id = ! empty( $_POST['dokan_product_author_override'] ) ? intval( wp_unslash( $_POST['dokan_product_author_override'] ) ) : 0; // phpcs:ignore
+        $posted_vendor_id = ! empty( $_POST['dokan_product_author_override'] ) ? (int) sanitize_key( wp_unslash( $_POST['dokan_product_author_override'] ) ) : 0; // phpcs:ignore WordPress.Security.NonceVerification.Missing
 
         if ( ! $posted_vendor_id ) {
             return;

diff --git a/includes/Admin/SetupWizard.php b/includes/Admin/SetupWizard.php
@@ -515,7 +515,7 @@ public function dokan_setup_withdraw() {
                                     <div class="wc-wizard-service-description">
                                         <?php
                                         // translators: %s: withdraw method name
-                                        printf( esc_html__( 'Enable %s for your vendor as a withdraw method', 'dokan-lite' ), dokan_withdraw_get_method_title( $key ) );
+                                        printf( esc_html__( 'Enable %s for your vendor as a withdraw method', 'dokan-lite' ), esc_html( dokan_withdraw_get_method_title( $key ) ) );
                                         ?>
                                     </div>
                                     <div class="dokan-wizard-service-enable">
@@ -732,9 +732,15 @@ public function dokan_setup_withdraw_save() {
 
         $options                          = get_option( 'dokan_withdraw', [] );
         $options['withdraw_methods']      = ! empty( $_POST['withdraw_methods'] ) ? wc_clean( wp_unslash( $_POST['withdraw_methods'] ) ) : [];
-        $options['withdraw_limit']        = ! empty( $_POST['withdraw_limit'] ) ? (float) wc_format_decimal( sanitize_text_field( wp_unslash( $_POST['withdraw_limit'] ) ) ) < 0 ? 0 : wc_format_decimal( sanitize_text_field( wp_unslash( $_POST['withdraw_limit'] ) ) ) : 0;
         $options['withdraw_order_status'] = ! empty( $_POST['withdraw_order_status'] ) ? wc_clean( wp_unslash( $_POST['withdraw_order_status'] ) ) : [];
 
+		if ( ! empty( $_POST['withdraw_limit'] ) ) {
+				$input_limit                = sanitize_text_field( wp_unslash( $_POST['withdraw_limit'] ) );
+				$options['withdraw_limit']  = is_numeric( $input_limit ) && $input_limit >= 0 ? wc_format_decimal( $input_limit ) : 0;
+		} else {
+			$options['withdraw_limit'] = 0;
+		}
+
         /**
          * Filter dokan_withdraw options before saving in setup wizard
          *

diff --git a/includes/Admin/SetupWizardNoWC.php b/includes/Admin/SetupWizardNoWC.php
@@ -129,7 +129,7 @@ public function install_woocommerce() {
         delete_transient( '_wc_activation_redirect' );
 
         if ( is_wp_error( $installed ) ) {
-            wp_die( $installed->get_error_message(), __( 'Error installing WooCommerce plugin', 'dokan-lite' ) );
+            wp_die( esc_html( $installed->get_error_message() ), esc_html__( 'Error installing WooCommerce plugin', 'dokan-lite' ) );
         }
 
         set_transient( 'dokan_setup_wizard_no_wc', true, 15 * MINUTE_IN_SECONDS );

diff --git a/includes/Ajax.php b/includes/Ajax.php
@@ -265,8 +265,8 @@
 
                         include dirname( __DIR__ ) . '/templates/orders/order-download-permission-html.php';
 
-                        $loop ++;
-                        $file_count ++;
+                        ++$loop;
+                        ++$file_count;
                     }
                 }
             }
@@ -414,7 +414,7 @@
                 echo 'customer-note';
             }
             echo '"><div class="note_content">';
-            echo wpautop( wptexturize( $note ) ); // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+            echo wp_kses_post( wpautop( wptexturize( $note ) ) );
             echo '</div><p class="meta"><a href="#" class="delete_note">' . esc_html__( 'Delete note', 'dokan-lite' ) . '</a></p>';
             echo '</li>';
         }
@@ -484,7 +484,7 @@
             echo '<li rel="' . esc_attr( $comment_id ) . '" class="note ';
             echo 'customer-note';
             echo '"><div class="note_content">';
-            echo wpautop( wptexturize( $ship_info ) ); // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+            echo wp_kses_post( wpautop( wptexturize( $ship_info ) ) );
             echo '</div><p class="meta"><a href="#" class="delete_note">' . esc_html__( 'Delete', 'dokan-lite' ) . '</a></p>';
             echo '</li>';
 
@@ -692,6 +692,7 @@
 
         $drop_down_tags = apply_filters(
             'dokan_search_product_tags_for_vendor_products', [
+                'taxonomy'   => 'product_tag',
                 'name__like' => $name,
                 'hide_empty' => 0,
                 'orderby'    => 'name',
@@ -701,7 +702,7 @@
             ]
         );
 
-        $product_tags = get_terms( 'product_tag', $drop_down_tags );
+        $product_tags = get_terms( $drop_down_tags );
 
         if ( $product_tags ) {
             foreach ( $product_tags as $pro_term ) {
@@ -873,7 +874,7 @@
     *
     * @return int attachment ID
     */
    final public function insert_attachment( $object, $cropped ) {
        $attachment_id = wp_insert_attachment( $object, $cropped );
        $metadata      = wp_generate_attachment_metadata( $attachment_id, $cropped );
        $metadata      = apply_filters( 'wp_header_image_attachment_metadata', $metadata );

diff --git a/includes/Customizer/HeadingControl.php b/includes/Customizer/HeadingControl.php
@@ -28,7 +28,9 @@ protected function render_content() {
         <?php } ?>
 
         <?php if ( ! empty( $this->description ) ) { ?>
-            <span class="description customize-control-description"><?php echo $this->description; ?></span>
+            <span class="description customize-control-description">
+                <?php echo wp_kses( $this->description, wp_kses_allowed_html( 'user_description' ) ); ?>
+            </span>
         <?php } ?>
         <?php
     }

diff --git a/includes/Customizer/RadioImageControl.php b/includes/Customizer/RadioImageControl.php
@@ -80,7 +80,7 @@ public function render_content() {
                     <label for="<?php echo esc_attr( $this->id ) . esc_attr( $value ); ?>">
                         <?php
                         if ( isset( $label['svg'] ) ) {
-                            echo $label['svg'];
+                            echo $label['svg']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
                         } else {
                             ?>
                             <img src="<?php echo esc_html( $label['src'] ); ?>" alt="<?php echo esc_attr( $label['label'] ); ?>" title="<?php echo esc_attr( $label['label'] ); ?>">

diff --git a/includes/Order/Admin/Hooks.php b/includes/Order/Admin/Hooks.php
@@ -158,7 +158,7 @@ public function shop_order_custom_columns( $col, $post_id ) {
         }
 
         if ( ! empty( $output ) ) {
-            echo apply_filters( "dokan_manage_shop_order_custom_columns_{$col}", $output, $order );
+            echo wp_kses_post( apply_filters( "dokan_manage_shop_order_custom_columns_{$col}", $output, $order ) );
         }
     }
 
@@ -168,15 +168,15 @@ public function shop_order_custom_columns( $col, $post_id ) {
      * @since 3.8.0 Moved from includes/Admin/Hooks.php file
      * @since 3.8.0 Rewritten for HPOS
      *
-     * @param string[] $classes An array of post class names.
-     * @param string[] $class   An array of additional class names added to the post.
+     * @param string[] $classes     An array of post class names.
+     * @param string[] $css_class   An array of additional class names added to the post.
      * @param int      $post_id The post ID.
      *
      * @global WP_Post $post
      *
      * @return array
      */
-    public function admin_shop_order_row_classes( $classes, $class, $post_id ) {
+    public function admin_shop_order_row_classes( $classes, $css_class, $post_id ) {
         if ( ! OrderUtil::is_order( $post_id ) ) {
             return $classes;
         }

diff --git a/includes/PageViews.php b/includes/PageViews.php
@@ -19,31 +19,13 @@ public function __construct() {
     }
 
     public function load_scripts() {
-        $nonce = wp_create_nonce( 'dokan_pageview' );
-
-        echo '<script type="text/javascript">
-            jQuery(document).ready( function($) {
-                if(localStorage){
-                    let new_date = new Date().toISOString().slice(0, 10);
-                    let dokan_pageview_count = JSON.parse(localStorage.getItem("dokan_pageview_count"));
-                    let post_id = ' . get_the_ID() . ';
-
-                    if ( dokan_pageview_count === null || ( dokan_pageview_count.today && dokan_pageview_count.today !== new_date ) ) {
-                        dokan_pageview_count = { "today": new_date, "post_ids": [] };
-                    }
-                    if ( ! dokan_pageview_count.post_ids.includes( post_id )  ) {
-                        var data = {
-                            action: "dokan_pageview",
-                            _ajax_nonce: "' . esc_html( $nonce ) . '",
-                            post_id: ' . get_the_ID() . ',
-                        }
-                        $.post( "' . esc_url( admin_url( 'admin-ajax.php' ) ) . '", data );
-                        dokan_pageview_count.post_ids.push( post_id );
-                        localStorage.setItem("dokan_pageview_count", JSON.stringify(dokan_pageview_count));
-                    }
-                }
-            } );
-            </script>';
+        dokan_get_template_part(
+            'page-views', false, array(
+                'nonce' => wp_create_nonce( 'dokan_pageview' ),
+                'post_id' => get_the_ID(),
+                'ajax_url' => admin_url( 'admin-ajax.php' ),
+            )
+        );
     }
 
     public function load_views() {
@@ -81,5 +63,4 @@ public function update_ajax() {
 
         wp_die();
     }
-
 }
diff --git a/includes/REST/ProductController.php b/includes/REST/ProductController.php
@@ -1197,24 +1197,24 @@ protected function prepare_object_for_database( $request, $creating = false ) {
     /**
      * Prepare links for the request.
      *
-     * @param WC_Data $object Object data.
-     * @param WP_REST_Request $request Request object.
+     * @param WC_Data           $data_object Object data.
+     * @param WP_REST_Request   $request Request object.
      *
-     * @return array                   Links for the given post.
+     * @return array Links for the given post.
      */
-    protected function prepare_links( $object, $request ) {
+    protected function prepare_links( $data_object, $request ) {
         $links = [
             'self'       => [
-                'href' => rest_url( sprintf( '/%s/%s/%d', $this->namespace, $this->base, $object->get_id() ) ),
+                'href' => rest_url( sprintf( '/%s/%s/%d', $this->namespace, $this->base, $data_object->get_id() ) ),
             ],
             'collection' => [
                 'href' => rest_url( sprintf( '/%s/%s', $this->namespace, $this->base ) ),
             ],
         ];
 
-        if ( $object->get_parent_id() ) {
+        if ( $data_object->get_parent_id() ) {
             $links['up'] = [
-                'href' => rest_url( sprintf( '/%s/products/%d', $this->namespace, $object->get_parent_id() ) ),
+                'href' => rest_url( sprintf( '/%s/products/%d', $this->namespace, $data_object->get_parent_id() ) ),
             ];
         }
 
@@ -1343,9 +1343,7 @@ protected function get_attribute_taxonomy_name( $slug, $product ) {
 
         // Taxonomy attribute name.
         if ( $attribute->is_taxonomy() ) {
-            $taxonomy = $attribute->get_taxonomy_object();
-
-            return $taxonomy->attribute_label;
+            return $attribute->get_taxonomy_object()->attribute_label;
         }
 
         // Custom product attribute name.
@@ -1398,7 +1396,9 @@ protected function get_attribute_options( $product_id, $attribute ) {
                     'fields' => 'names',
                 ]
             );
-        } elseif ( isset( $attribute['value'] ) ) {
+        }
+
+        if ( isset( $attribute['value'] ) ) {
             return array_map( 'trim', explode( '|', $attribute['value'] ) );
         }
 
@@ -1505,7 +1505,8 @@ protected function set_product_images( $product, $images ) {
 
                     if ( is_wp_error( $upload ) ) {
                         if ( ! apply_filters( 'woocommerce_rest_suppress_image_upload_error', false, $upload, $product->get_id(), $images ) ) {
-                            throw new WC_REST_Exception( 'woocommerce_product_image_upload_error', $upload->get_error_message(), 400 );
+                            dokan_log( 'Error uploading image: ' . $upload->get_error_message() );
+                            throw new WC_REST_Exception( 'woocommerce_product_image_upload_error', esc_html( $upload->get_error_message() ), 400 );
                         } else {
                             continue;
                         }
@@ -1514,9 +1515,9 @@ protected function set_product_images( $product, $images ) {
                     $attachment_id = wc_rest_set_uploaded_image_as_attachment( $upload, $product->get_id() );
                 }
 
-                if ( ! wp_attachment_is_image( $attachment_id ) ) {
+                if ( $attachment_id && ! wp_attachment_is_image( $attachment_id ) ) {
                     /* translators: %s: attachment id */
-                    throw new WC_REST_Exception( 'woocommerce_product_invalid_image_id', sprintf( __( '#%s is an invalid image ID.', 'dokan-lite' ), $attachment_id ), 400 );
+                    throw new WC_REST_Exception( 'woocommerce_product_invalid_image_id', sprintf( esc_html__( '#%s is an invalid image ID.', 'dokan-lite' ), esc_html( $attachment_id ) ), 400 );
                 }
 
                 if ( isset( $image['position'] ) && 0 === absint( $image['position'] ) ) {
@@ -2308,5 +2309,4 @@ public function get_item_schema() {
 
         return $this->add_additional_fields_schema( $schema );
     }
-
 }
diff --git a/includes/ReverseWithdrawal/ReverseWithdrawal.php b/includes/ReverseWithdrawal/ReverseWithdrawal.php
@@ -28,7 +28,7 @@ class ReverseWithdrawal {
      */
     public function __clone() {
         $message = ' Backtrace: ' . wp_debug_backtrace_summary();
-        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Cloning is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION );
+        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Cloning is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 
     /**
@@ -38,7 +38,7 @@ public function __clone() {
      */
     public function __wakeup() {
         $message = ' Backtrace: ' . wp_debug_backtrace_summary();
-        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Unserializing instances of this class is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION );
+        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Unserializing instances of this class is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 
     /**

diff --git a/includes/Traits/ChainableContainer.php b/includes/Traits/ChainableContainer.php
@@ -18,7 +18,7 @@ trait ChainableContainer {
      */
     public function __clone() {
         $message = ' Backtrace: ' . wp_debug_backtrace_summary();
-        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Cloning is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION );
+        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Cloning is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 
     /**
@@ -28,7 +28,7 @@ public function __clone() {
      */
     public function __wakeup() {
         $message = ' Backtrace: ' . wp_debug_backtrace_summary();
-        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Unserializing instances of this class is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION );
+        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Unserializing instances of this class is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 
     /**

diff --git a/includes/Widgets/BestSellingProducts.php b/includes/Widgets/BestSellingProducts.php
@@ -37,9 +37,10 @@ public function widget( $args, $instance ) {
 
         $r = dokan_get_best_selling_products( $no_of_product, $vendor_id, $paged, $hide_outofstock );
 
-        echo $args['before_widget']; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+        echo wp_kses_post( $args['before_widget'] );
+
         if ( ! empty( $title ) ) {
-            echo $args['before_title'] . $title . $args['after_title']; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+            echo wp_kses_post( $args['before_title'] . $title . $args['after_title'] );
         }
 
         dokan_get_template_part(
@@ -49,7 +50,7 @@ public function widget( $args, $instance ) {
             )
         );
 
-        echo $args['after_widget']; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+        echo wp_kses_post( $args['after_widget'] );
 
         wp_reset_postdata();
     }