woocommerce/woocommerce-paypal-payments
2
0
Fork 0
mirror of https://github.com/woocommerce/woocommerce-paypal-payments.git synced 2025-09-06 17:51:41 +08:00
Code Issues Projects Packages Wiki Activity Actions

sanitize checkout form data differently than usual input data as it is url encoded, do not use wp_parse_args as it has sideeffects.

Browse source
This commit is contained in:
David Remer 2020-10-12 11:52:42 +03:00
parent 644194859f
commit 67eb9aa06b
2 changed files with 24 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

18
modules/ppcp-button/src/Endpoint/class-createorderendpoint.php
View file

@ -256,10 +256,20 @@ class CreateOrderEndpoint implements EndpointInterface {
* @throws \Exception On Error. * @throws \Exception On Error.
*/ */
private function validate_checkout_form( string $form_values, Order $order ) { private function validate_checkout_form( string $form_values, Order $order ) {
$this->order = $order; $this->order = $order;
$parsed_values = wp_parse_args( $form_values ); $form_values = explode( '&', $form_values );
$_POST = $parsed_values;
$_REQUEST = $parsed_values; $parsed_values = array();
foreach ( $form_values as $field ) {
$field = explode( '=', $field );
if ( count( $field ) !== 2 ) {
continue;
}
$parsed_values[ $field[0] ] = $field[1];
}
$_POST = $parsed_values;
$_REQUEST = $parsed_values;
add_filter( add_filter(
'woocommerce_after_checkout_validation', 'woocommerce_after_checkout_validation',

12
modules/ppcp-button/src/Endpoint/class-requestdata.php
View file

@ -81,10 +81,18 @@ class RequestData {
$data = array(); $data = array();
foreach ( (array) $assoc_array as $raw_key => $raw_value ) { foreach ( (array) $assoc_array as $raw_key => $raw_value ) {
if ( ! is_array( $raw_value ) ) { if ( ! is_array( $raw_value ) ) {
$data[ sanitize_text_field( urldecode( (string) $raw_key ) ) ] = sanitize_text_field( urldecode( (string) $raw_value ) ); /**
* The 'form' key is preserved for url encoded data and needs different
* sanitization.
*/
if ( 'form' !== $raw_key ) {
$data[ sanitize_text_field( (string) $raw_key ) ] = sanitize_text_field( (string) $raw_value );
} else {
$data[ sanitize_text_field( (string) $raw_key ) ] = sanitize_text_field( urldecode( (string) $raw_value ) );
}
continue; continue;
} }
$data[ sanitize_text_field( urldecode( (string) $raw_key ) ) ] = $this->sanitize( $raw_value ); $data[ sanitize_text_field( (string) $raw_key ) ] = $this->sanitize( $raw_value );
} }
return $data; return $data;
} }