From 7475b0ce1fe4d3fb75ee5492ec03cfd22b1dbf15 Mon Sep 17 00:00:00 2001
From: Philipp Stracker
Date: Wed, 27 Nov 2024 15:14:57 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=A6=BA=20Add=20soft=20descriptor=20valida?=
=?UTF-8?q?tion=20for=20PayPal=20API?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../src/Factory/PurchaseUnitFactory.php | 27 ++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/modules/ppcp-api-client/src/Factory/PurchaseUnitFactory.php b/modules/ppcp-api-client/src/Factory/PurchaseUnitFactory.php
index 7642401b1..172409dc5 100644
--- a/modules/ppcp-api-client/src/Factory/PurchaseUnitFactory.php
+++ b/modules/ppcp-api-client/src/Factory/PurchaseUnitFactory.php
@@ -127,7 +127,7 @@ class PurchaseUnitFactory {
$description = '';
$custom_id = (string) $order->get_id();
$invoice_id = $this->prefix . $order->get_order_number();
- $soft_descriptor = $this->soft_descriptor;
+ $soft_descriptor = $this->sanitize_soft_descriptor( $this->soft_descriptor );
$purchase_unit = new PurchaseUnit(
$amount,
@@ -197,7 +197,7 @@ class PurchaseUnitFactory {
}
}
$invoice_id = '';
- $soft_descriptor = $this->soft_descriptor;
+ $soft_descriptor = $this->sanitize_soft_descriptor( $this->soft_descriptor );
$purchase_unit = new PurchaseUnit(
$amount,
$items,
@@ -233,7 +233,7 @@ class PurchaseUnitFactory {
$description = ( isset( $data->description ) ) ? $data->description : '';
$custom_id = ( isset( $data->custom_id ) ) ? $data->custom_id : '';
$invoice_id = ( isset( $data->invoice_id ) ) ? $data->invoice_id : '';
- $soft_descriptor = ( isset( $data->soft_descriptor ) ) ? $data->soft_descriptor : $this->soft_descriptor;
+ $soft_descriptor = $this->sanitize_soft_descriptor( $data->soft_descriptor ?? $this->soft_descriptor );
$items = array();
if ( isset( $data->items ) && is_array( $data->items ) ) {
$items = array_map(
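Review bot: `$data->soft_descriptor` is passed unchecked into `sanitize_soft_descriptor( string $soft_descriptor )`, so a non-string value now behaves differently from the old pass-through. An array or object raises a TypeError, and an int is either coerced or rejected depending on whether the file declares strict types, which this hunk does not show. `$data` looks like a decoded request or response object, so its field types are not guaranteed. A type guard keeps the existing fallback: `$raw = $data->soft_descriptor ?? null;` followed by `$soft_descriptor = $this->sanitize_soft_descriptor( is_string( $raw ) ? $raw : $this->soft_descriptor );`. The enclosing method starts and ends outside this hunk, so any earlier validation of `$data` is not visible here.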
@@ -316,4 +316,25 @@ class PurchaseUnitFactory {
$purchase_unit->set_sanitizer( $this->sanitizer );
}
}
+
+ /**
+ * Sanitizes a soft descriptor, ensuring it is limited to 22 chars.
+ *
+ * The soft descriptor in the DB is escaped using `wp_kses_post()` which
+ * escapes certain characters via `wp_kses_normalize_entities()`. This
+ * helper method reverts those normalized entities back to UTF characters.
+ *
+ * @param string $soft_descriptor Soft descriptor to sanitize.
+ *
+ * @return string The sanitized soft descriptor.
+ */
+ private function sanitize_soft_descriptor( string $soft_descriptor ) : string {
+ $decoded = html_entity_decode(
+ $soft_descriptor,
+ ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE,
+ 'UTF-8'
+ );
+
+ return substr( $decoded, 0, 22 ) ?: '';
+ }
}
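Review bot: `substr( $decoded, 0, 22 )` in `sanitize_soft_descriptor()` truncates by bytes, while the docblock promises 22 chars and `html_entity_decode()` has just produced UTF-8. A descriptor with multibyte characters can be cut mid-sequence, leaving invalid UTF-8 that may fail JSON encoding of the request or be rejected by the API. The trailing `?: ''` also turns a descriptor of `'0'` into an empty string. I would use `return mb_substr( $decoded, 0, 22, 'UTF-8' );`, since WordPress provides a fallback for `mb_substr` when mbstring is missing. The docblock should state whether the limit is in characters or bytes, and note that the returned value holds raw `<`, `&` and quote characters, so any HTML output of it must be escaped again.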