Handle complex form fields when submitting checkout form

Our current way of handling the checkout form via ajax does not match the WC behavior, which submits them in a urlencoded request instead of JSON. When it is submitted as a JSON object, PHP does not parse it for $_POST etc., and we do not get its handling of arrays, breaking some plugin.
Now submitting the form as a urlencoded string inside JSON and parsing via `parse_str`, which seems to handle it the same as $_POST.
The parsing is handled in `RequestData` to avoid duplicating it in multiple places and to keep our weird sanitization here. Not sure if it's a good idea to sanitize so early, but for now keeping it like this to avoid major refactoring or introducing new vulnerabilities.
Alex P 2023-07-13 14:43:14 +03:00
parent 81f6340897
commit 639e8409c8
No known key found for this signature in database
GPG key ID: 54487A734A204D71
3 changed files with 12 additions and 5 deletions

@ -53,6 +53,11 @@ class RequestData {
}
$this->dequeue_nonce_fix();
if ( isset( $json['form_encoded'] ) ) {
$json['form'] = array();
parse_str( $json['form_encoded'], $json['form'] );
}
$sanitized = $this->sanitize( $json );
return $sanitized;
}
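Review bot: `isset( $json['form_encoded'] )` does not guarantee a string, and the value comes straight from the decoded request body. A client can send an array or object there, and `parse_str()` is then called with a non-string first argument, which raises a TypeError on PHP 8 instead of a clean request failure. Guard with `is_string( $json['form_encoded'] )` before calling `parse_str()`. Note also that any `form` key the client sent is silently discarded by `$json['form'] = array();` whenever `form_encoded` is present; if that precedence is intended, a short comment would help the next reader.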
@ -80,6 +85,10 @@ class RequestData {
private function sanitize( array $assoc_array ): array {
$data = array();
foreach ( (array) $assoc_array as $raw_key => $raw_value ) {
if ( $raw_key === 'form_encoded' ) {
$data[ $raw_key ] = $raw_value;
continue;
}
if ( ! is_array( $raw_value ) ) {
// Not sure if it is a good idea to sanitize everything at this level,
// but should be fine for now since we do not send any HTML or multi-line texts via ajax.
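Review bot: the `$raw_key === 'form_encoded'` branch copies the raw client string into the returned array, so the result of `sanitize()` now carries one unsanitized value next to the sanitized `form`. Since `form` has already been filled by `parse_str()` before `sanitize()` runs, consider `unset( $json['form_encoded'] )` after parsing instead of passing it through, or add a comment saying which consumer needs the raw string and that it must be treated as untrusted. If `sanitize()` calls itself for array values (not visible in this hunk), a submitted form field that is itself named `form_encoded` would also take this branch and skip sanitization, so the exemption should apply to the top level only.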