Fix: add additional escaping to stripe onboarding (#7391)

Co-authored-by: Jon Waldstein <[email protected]> Co-authored-by: Jon Waldstein <[email protected]>
impress-org · Aug 21, 2024 · 032fc8a · 032fc8a
1 parent be07248
commit 032fc8a
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/PaymentGateways/Gateways/Stripe/Traits/CheckoutRedirect.php b/src/PaymentGateways/Gateways/Stripe/Traits/CheckoutRedirect.php
@@ -27,6 +27,7 @@ public function getRedirectUrl( $sessionId, $formId )
     }
 
     /**
+     * @unreleased add esc_attr to $session_id
      * @since  2.5.5
      * @since 2.19.0 Migrated from the legacy Give_Stripe_Checkout::redirect_to_checkout implementation of the Stripe Checkout Gateway.
      * @return void
@@ -83,7 +84,7 @@ public static function maybeHandleRedirect()
                     // Make the id field from the Checkout Session creation API response
                     // available to this file, so you can provide it as parameter here
                     // instead of the {{CHECKOUT_SESSION_ID}} placeholder.
-                    sessionId: '<?php echo $session_id; ?>'
+                    sessionId: '<?php echo esc_attr($session_id); ?>'
                 }).then( ( result ) => {
                     console.log(result);
                     // If `redirectToCheckout` fails due to a browser or network