From 67eb9aa06beef2af53eceeeebe8a33a64ba6f6df Mon Sep 17 00:00:00 2001
From: David Remer
Date: Mon, 12 Oct 2020 11:52:42 +0300
Subject: [PATCH] sanitize checkout form data differently than usual input data as it is url encoded, do not use wp_parse_args as it has sideeffects.
---
 .../src/Endpoint/class-createorderendpoint.php | 18 ++++++++++++++----
 .../src/Endpoint/class-requestdata.php | 12 ++++++++++--
 2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/modules/ppcp-button/src/Endpoint/class-createorderendpoint.php b/modules/ppcp-button/src/Endpoint/class-createorderendpoint.php
index b18f351f4..dfc98f9eb 100644
--- a/modules/ppcp-button/src/Endpoint/class-createorderendpoint.php
+++ b/modules/ppcp-button/src/Endpoint/class-createorderendpoint.php
@@ -256,10 +256,20 @@ class CreateOrderEndpoint implements EndpointInterface {
 * @throws \Exception On Error.
 */
 private function validate_checkout_form( string $form_values, Order $order ) {
- $this->order = $order;
- $parsed_values = wp_parse_args( $form_values );
- $_POST = $parsed_values;
- $_REQUEST = $parsed_values;
+ $this->order = $order;
+ $form_values = explode( '&', $form_values );
+
+ $parsed_values = array();
+ foreach ( $form_values as $field ) {
+ $field = explode( '=', $field );
+
+ if ( count( $field ) !== 2 ) {
+ continue;
+ }
+ $parsed_values[ $field[0] ] = $field[1];
+ }
+ $_POST = $parsed_values;
+ $_REQUEST = $parsed_values;
 
 add_filter(
 'woocommerce_after_checkout_validation',
diff --git a/modules/ppcp-button/src/Endpoint/class-requestdata.php b/modules/ppcp-button/src/Endpoint/class-requestdata.php
index 58d520308..aba5e9fe4 100644
--- a/modules/ppcp-button/src/Endpoint/class-requestdata.php
+++ b/modules/ppcp-button/src/Endpoint/class-requestdata.php
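Review bot: The split at `$field = explode( '=', $field );` silently drops any field whose value itself contains `=` (the `count( $field ) !== 2` guard skips it) and, unlike the `wp_parse_args` it replaces, never URL-decodes the pieces before they are written into `$_POST`/`$_REQUEST`, so keys and values stay percent-encoded with `+` for space unless a caller decoded the whole string earlier; the companion RequestData change in this commit appears to do exactly that whole-string decode, which turns an encoded `&` or `=` inside a value into a delimiter before this loop splits on it. Limit the split and decode per component instead: `$pair = explode( '=', $field, 2 );` / `if ( count( $pair ) !== 2 ) { continue; }` / `$parsed_values[ urldecode( $pair[0] ) ] = urldecode( $pair[1] );`, with the raw, still-encoded form string handed in. Repeated keys and `name[]` array fields, which `parse_str` used to fold into arrays, now overwrite each other, which deserves a comment or a test if checkout fields can repeat. The body of validate_checkout_form continues past the hunk.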
@@ -81,10 +81,18 @@ class RequestData {
 $data = array();
 foreach ( (array) $assoc_array as $raw_key => $raw_value ) {
 if ( ! is_array( $raw_value ) ) {
- $data[ sanitize_text_field( urldecode( (string) $raw_key ) ) ] = sanitize_text_field( urldecode( (string) $raw_value ) );
+ /**
+ * The 'form' key is preserved for url encoded data and needs different
+ * sanitization.
+ */
+ if ( 'form' !== $raw_key ) {
+ $data[ sanitize_text_field( (string) $raw_key ) ] = sanitize_text_field( (string) $raw_value );
+ } else {
+ $data[ sanitize_text_field( (string) $raw_key ) ] = sanitize_text_field( urldecode( (string) $raw_value ) );
+ }
 continue;
 }
- $data[ sanitize_text_field( urldecode( (string) $raw_key ) ) ] = $this->sanitize( $raw_value );
+ $data[ sanitize_text_field( (string) $raw_key ) ] = $this->sanitize( $raw_value );
 }
 return $data;
 }
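Review bot: Decoding the whole `form` string at `sanitize_text_field( urldecode( (string) $raw_value ) )` before it is split into fields means an encoded `&` (`%26`), `=` (`%3D`) or `+` inside a single value (a company name, an address line) becomes a delimiter or a space for the downstream parser, shifting or dropping fields. `sanitize_text_field` also strips raw `%xx` sequences, which is presumably why the decode was put first, but the safer shape is to keep the encoded string intact here — `$data[ sanitize_text_field( (string) $raw_key ) ] = (string) $raw_value;` — and urldecode plus sanitize each key and value after splitting in the consumer; if the consumer must stay as is, parse the string into an array at this point and let the existing per-value branch sanitize the pieces. The doc comment should state why the key is exempt and what the consumer must do, e.g. `// 'form' carries a URL-encoded checkout payload; decode and sanitize it per field, not as a whole, so encoded delimiters survive.` Running `sanitize_text_field` over the full payload also collapses newlines and whitespace across every field at once, which the per-field approach avoids.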