From 17c2bd36818b5d3a1f863ebd6606919809cb504f Mon Sep 17 00:00:00 2001
From: Jason Adams
Date: Wed, 8 Jun 2022 13:03:51 -0700
Subject: [PATCH 1/3] Hot Fix: Add additional escaping when adding query args
(#6438)
---
includes/admin/donors/donor-actions.php | 22 +++++----
includes/admin/emails/filters.php | 41 ++++++----------
includes/admin/give-metabox-functions.php | 48 ++++++++++---------
includes/admin/import-functions.php | 6 +--
.../admin/payments/class-payments-table.php | 44 +++++++++--------
.../admin/payments/view-payment-details.php | 24 +++++-----
.../reports/class-gateways-reports-table.php | 46 ++++++++++--------
includes/admin/reports/graphing.php | 2 +-
.../admin/tools/export/export-functions.php | 2 +-
includes/ajax-functions.php | 2 +-
includes/deprecated/deprecated-functions.php | 8 ++--
includes/emails/template.php | 44 +++++++++--------
includes/forms/functions.php | 2 +-
includes/gateways/paypal/paypal-standard.php | 2 +-
.../stripe/includes/give-stripe-helpers.php | 6 +--
includes/misc-functions.php | 2 +-
includes/shortcodes.php | 4 +-
src/Donations/DonationsAdminPage.php | 4 +-
src/DonorDashboards/App.php | 2 +-
src/Donors/DonorsAdminPage.php | 6 +--
.../Actions/GenerateGatewayRouteUrl.php | 4 +-
src/Helpers/Form/Utils.php | 8 ++--
src/Helpers/Utils.php | 2 +-
.../includes/give-subscription.php | 8 ++--
.../PayPalStandard/PayPalStandard.php | 4 +-
.../Stripe/Helpers/CheckoutHelper.php | 4 +-
.../Stripe/Traits/CheckoutRedirect.php | 4 +-
.../Admin/AccountManagerSettingField.php | 8 ++--
src/Route/Form.php | 4 +-
29 files changed, 186 insertions(+), 177 deletions(-)
diff --git a/includes/admin/donors/donor-actions.php b/includes/admin/donors/donor-actions.php
index 9d616d1664..61d41b115b 100644
--- a/includes/admin/donors/donor-actions.php
+++ b/includes/admin/donors/donor-actions.php
@@ -161,16 +161,18 @@ function give_edit_donor( $args ) {
if ( $output['success'] ) {
wp_safe_redirect(
- add_query_arg(
- array(
- 'post_type' => 'give_forms',
- 'page' => 'give-donors',
- 'view' => 'overview',
- 'id' => $donor_id,
- 'give-messages[]' => 'profile-updated',
- ),
- esc_url( admin_url( 'edit.php' ) )
- )
+ esc_url(
+ add_query_arg(
+ array(
+ 'post_type' => 'give_forms',
+ 'page' => 'give-donors',
+ 'view' => 'overview',
+ 'id' => $donor_id,
+ 'give-messages[]' => 'profile-updated',
+ ),
+ admin_url( 'edit.php' )
+ )
+ )
);
}
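Review bot: `esc_url()` is the wrong escaper for the argument of `wp_safe_redirect()` on the new lines: in its default display context it entity-encodes `&` as `&#038;`, and as far as I can see nothing on the redirect path decodes that back, so the Location header carries the literal text and the `#` in it is read by the browser as the start of a fragment, dropping the remaining query args. The variant for redirects, return values and other non-HTML contexts is `esc_url_raw()`, which the rest of this series already uses for the same pattern: `esc_url_raw( add_query_arg( array( ... ), admin_url( 'edit.php' ) ) )`. The same display-escaper-in-a-data-context appears in graphing.php (`wp_redirect`), DonationsAdminPage.php (`WP_REST_Request::from_url`, where the query string is parsed rather than rendered, so the entity breaks it outright — DonorsAdminPage.php does the same call correctly with `esc_url_raw`), DonorDashboards/App.php, give-subscription.php and Route/Form.php. `give_edit_donor()` begins above the hunk.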
diff --git a/includes/admin/emails/filters.php b/includes/admin/emails/filters.php
index 10ea804da3..14180eef1d 100755
--- a/includes/admin/emails/filters.php
+++ b/includes/admin/emails/filters.php
@@ -23,41 +23,28 @@ function give_email_notification_row_actions_callback( $row_actions, $email ) {
if ( Give_Email_Notification_Util::is_email_preview( $email ) ) {
$preview_link = sprintf(
'%2$s',
- wp_nonce_url(
- add_query_arg(
- array(
- 'give_action' => 'preview_email',
- 'email_type' => $email->config['id'],
- ),
- home_url()
- ),
- 'give-preview-email'
- ),
+ esc_url(
+ wp_nonce_url(
+ add_query_arg(
+ array(
+ 'give_action' => 'preview_email',
+ 'email_type' => $email->config['id'],
+ ),
+ home_url()
+ ),
+ 'give-preview-email'
+ )
+ ),
__( 'Preview', 'give' )
);
- $send_preview_email_link = sprintf(
- '%2$s',
- wp_nonce_url(
- add_query_arg(
- array(
- 'give_action' => 'send_preview_email',
- 'email_type' => $email->config['id'],
- 'give-messages[]' => 'sent-test-email',
- )
- ),
- 'give-send-preview-email'
- ),
- __( 'Send test email', 'give' )
- );
-
$send_preview_email_link = give()->tooltips->render_link( [
'tag_content' => esc_html__( 'Send test email', 'give' ),
'label' => sprintf(
esc_html__( 'Click this link to send a test email to yourself at %s', 'give' ),
wp_get_current_user()->user_email
),
- 'link' => wp_nonce_url(
+ 'link' => esc_url(wp_nonce_url(
add_query_arg(
array(
'give_action' => 'send_preview_email',
@@ -66,7 +53,7 @@ function give_email_notification_row_actions_callback( $row_actions, $email ) {
)
),
'give-send-preview-email'
- )
+ ))
] );
$row_actions['email_preview'] = $preview_link;
diff --git a/includes/admin/give-metabox-functions.php b/includes/admin/give-metabox-functions.php
index 1fd9bf8564..8782c91659 100644
--- a/includes/admin/give-metabox-functions.php
+++ b/includes/admin/give-metabox-functions.php
@@ -1158,33 +1158,37 @@ function give_email_preview_buttons( $field ) {
echo sprintf(
'%2$s',
- wp_nonce_url(
- add_query_arg(
- [
- 'give_action' => 'preview_email',
- 'email_type' => $field_id,
- 'form_id' => $post->ID,
- ],
- home_url()
- ),
- 'give-preview-email'
- ),
+ esc_url(
+ wp_nonce_url(
+ add_query_arg(
+ [
+ 'give_action' => 'preview_email',
+ 'email_type' => $field_id,
+ 'form_id' => $post->ID,
+ ],
+ home_url()
+ ),
+ 'give-preview-email'
+ )
+ ),
$field['name']
);
echo sprintf(
' %3$s',
- wp_nonce_url(
- add_query_arg(
- [
- 'give_action' => 'send_preview_email',
- 'email_type' => $field_id,
- 'give-messages[]' => 'sent-test-email',
- 'form_id' => $post->ID,
- ]
- ),
- 'give-send-preview-email'
- ),
+ esc_url(
+ wp_nonce_url(
+ add_query_arg(
+ [
+ 'give_action' => 'send_preview_email',
+ 'email_type' => $field_id,
+ 'give-messages[]' => 'sent-test-email',
+ 'form_id' => $post->ID,
+ ]
+ ),
+ 'give-send-preview-email'
+ )
+ ),
esc_attr__( 'Send Test Email.', 'give' ),
esc_html__( 'Send Test Email', 'give' )
);
diff --git a/includes/admin/import-functions.php b/includes/admin/import-functions.php
index 07f9411159..65fd56d8d2 100644
--- a/includes/admin/import-functions.php
+++ b/includes/admin/import-functions.php
@@ -702,7 +702,7 @@ function give_save_import_donation_to_db( $raw_key, $row_data, $main_key = [], $
// check for duplicate donor by donor id
if ( ! empty( $csv_data['donor_id'] ) && ! empty( $data['donor_id'] ) && $csv_data['donor_id'] === $data['donor_id'] ) {
- $donor = array_search( (int) $data['donor_id'], array_column( 'id', $donors_list ) );
+ $donor = array_search( (int) $data['donor_id'], array_column( $donors_list, 'id' ) );
if ( ! empty( $donor ) ) {
$dry_run_duplicate_donor = true;
}
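Review bot: With the `array_column()` arguments now in the correct order this lookup works for the first time, and the `! empty( $donor )` test on the following line treats a match at index 0 — the first entry in `$donors_list` — as "not found", because `array_search()` returns `0` there and `empty( 0 )` is true. Test the return explicitly: `if ( false !== $donor ) {`. The second hunk in this file (the `user_id` lookup) has the same check. Whether the `(int)` needle compares equal to the column values depends on how `$donors_list` is typed, which is not visible here; if those are strings, a `strict: true` search would stop matching, so keep the loose comparison unless the types are confirmed. `give_save_import_donation_to_db()` begins above the hunk.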
@@ -710,7 +710,7 @@ function give_save_import_donation_to_db( $raw_key, $row_data, $main_key = [], $
// check for duplicate donor by user id
if ( empty( $dry_run_duplicate_donor ) && ! empty( $csv_data['user_id'] ) && ! empty( $data['user_id'] ) && $csv_data['user_id'] === $data['user_id'] ) {
- $donor = array_search( (int) $data['user_id'], array_column( 'user_id', $donors_list ) );
+ $donor = array_search( (int) $data['user_id'], array_column( $donors_list, 'user_id' ) );
if ( ! empty( $donor ) ) {
$dry_run_duplicate_donor = true;
} else {
@@ -1120,5 +1120,5 @@ function give_import_page_url( $parameter = [] ) {
];
$import_query_arg = wp_parse_args( $parameter, $defalut_query_arg );
- return add_query_arg( $import_query_arg, admin_url( 'edit.php' ) );
+ return esc_url_raw( add_query_arg( $import_query_arg, admin_url( 'edit.php' ) ) );
}
diff --git a/includes/admin/payments/class-payments-table.php b/includes/admin/payments/class-payments-table.php
index f121b9a23f..853b3aa2ef 100644
--- a/includes/admin/payments/class-payments-table.php
+++ b/includes/admin/payments/class-payments-table.php
@@ -606,16 +606,18 @@ function get_row_actions( $payment ) {
$actions['email_links'] = sprintf(
'%3$s',
- wp_nonce_url(
- add_query_arg(
- [
- 'give-action' => 'email_links',
- 'purchase_id' => $payment->ID,
- ],
- $this->base_url
- ),
- 'give_payment_nonce'
- ),
+ esc_url(
+ wp_nonce_url(
+ add_query_arg(
+ [
+ 'give-action' => 'email_links',
+ 'purchase_id' => $payment->ID,
+ ],
+ $this->base_url
+ ),
+ 'give_payment_nonce'
+ )
+ ),
sprintf( __( 'Resend Donation %s Receipt', 'give' ), $payment->ID ),
__( 'Resend Receipt', 'give' )
);
@@ -625,16 +627,18 @@ function get_row_actions( $payment ) {
if ( current_user_can( 'view_give_payments' ) ) {
$actions['delete'] = sprintf(
'%3$s',
- wp_nonce_url(
- add_query_arg(
- [
- 'give-action' => 'delete_payment',
- 'purchase_id' => $payment->ID,
- ],
- $this->base_url
- ),
- 'give_donation_nonce'
- ),
+ esc_url(
+ wp_nonce_url(
+ add_query_arg(
+ [
+ 'give-action' => 'delete_payment',
+ 'purchase_id' => $payment->ID,
+ ],
+ $this->base_url
+ ),
+ 'give_donation_nonce'
+ )
+ ),
sprintf( __( 'Delete Donation %s', 'give' ), $payment->ID ),
__( 'Delete', 'give' )
);
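Review bot: The delete row action in this hunk is rendered for anyone passing `current_user_can( 'view_give_payments' )`, a view capability, while the link it builds triggers `give-action=delete_payment`; the new `esc_url()` wrap is right for an `href`, but the nonce from `wp_nonce_url()` only shows the request came from this page, not that the user is allowed to delete. Confirm that the handler behind `delete_payment` performs its own capability check suited to deletion, and if the plugin defines such a capability, gate this link on it as well so the UI and the handler agree. `get_row_actions()` begins above the hunk.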
diff --git a/includes/admin/payments/view-payment-details.php b/includes/admin/payments/view-payment-details.php
index 57efac53ac..499034c147 100644
--- a/includes/admin/payments/view-payment-details.php
+++ b/includes/admin/payments/view-payment-details.php
@@ -137,16 +137,18 @@
echo sprintf(
'',
$payment_id,
- wp_nonce_url(
- add_query_arg(
- array(
- 'give-action' => 'delete_payment',
- 'purchase_id' => $payment_id,
- ),
- $base_url
- ),
- 'give_donation_nonce'
- ),
+ esc_url(
+ wp_nonce_url(
+ add_query_arg(
+ array(
+ 'give-action' => 'delete_payment',
+ 'purchase_id' => $payment_id,
+ ),
+ $base_url
+ ),
+ 'give_donation_nonce'
+ )
+ ),
sprintf( __( 'Delete Donation %s', 'give' ), $payment_id )
);
}
@@ -357,7 +359,7 @@
-
+
diff --git a/includes/admin/reports/class-gateways-reports-table.php b/includes/admin/reports/class-gateways-reports-table.php
index bba2980a6b..03a453a3f3 100644
--- a/includes/admin/reports/class-gateways-reports-table.php
+++ b/includes/admin/reports/class-gateways-reports-table.php
@@ -74,13 +74,15 @@ public function column_default( $item, $column_name ) {
$value = $item[ $column_name ] ?
sprintf(
'%s',
- add_query_arg(
- array(
- 'status' => 'publish',
- 'gateway' => $item['ID'],
- ),
- $donation_list_page_url
- ),
+ esc_url(
+ add_query_arg(
+ array(
+ 'status' => 'publish',
+ 'gateway' => $item['ID'],
+ ),
+ $donation_list_page_url
+ )
+ ),
$item[ $column_name ]
) :
$item[ $column_name ];
@@ -90,13 +92,15 @@ public function column_default( $item, $column_name ) {
$value = $item[ $column_name ] ?
sprintf(
'%s',
- add_query_arg(
- array(
- 'status' => 'pending',
- 'gateway' => $item['ID'],
- ),
- $donation_list_page_url
- ),
+ esc_url(
+ add_query_arg(
+ array(
+ 'status' => 'pending',
+ 'gateway' => $item['ID'],
+ ),
+ $donation_list_page_url
+ )
+ ),
$item[ $column_name ]
) :
$item[ $column_name ];
@@ -106,12 +110,14 @@ public function column_default( $item, $column_name ) {
$value = $item[ $column_name ] ?
sprintf(
'%s',
- add_query_arg(
- array(
- 'gateway' => $item['ID'],
- ),
- $donation_list_page_url
- ),
+ esc_url(
+ add_query_arg(
+ array(
+ 'gateway' => $item['ID'],
+ ),
+ $donation_list_page_url
+ )
+ ),
$item[ $column_name ]
) :
$item[ $column_name ];
diff --git a/includes/admin/reports/graphing.php b/includes/admin/reports/graphing.php
index accb5fcb0a..c669f44114 100644
--- a/includes/admin/reports/graphing.php
+++ b/includes/admin/reports/graphing.php
@@ -809,7 +809,7 @@ function give_parse_report_dates( $data ) {
$tab = isset( $_GET['tab'] ) ? sanitize_text_field( $_GET['tab'] ) : 'earnings';
$id = isset( $_GET['form-id'] ) ? $_GET['form-id'] : null;
- wp_redirect( add_query_arg( $dates, admin_url( 'edit.php?post_type=give_forms&page=give-reports&legacy=true&tab=' . esc_attr( $tab ) . '&view=' . esc_attr( $view ) . '&form-id=' . absint( $id ) ) ) );
+ wp_redirect( esc_url(add_query_arg( $dates, admin_url( 'edit.php?post_type=give_forms&page=give-reports&legacy=true&tab=' . esc_attr( $tab ) . '&view=' . esc_attr( $view ) . '&form-id=' . absint( $id ) ) ) ) );
give_die();
}
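Review bot: `esc_attr( $tab )` and `esc_attr( $view )` on the rewritten line encode for an HTML attribute, but the values are being concatenated into a query string that is sent as a redirect, where URL encoding is what applies: `'&tab=' . rawurlencode( $tab ) . '&view=' . rawurlencode( $view )`. `$id` is read from `$_GET['form-id']` without sanitization on the previous line; `absint( $id )` at the point of use covers it, but sanitizing at the read would match how `$tab` is handled one line earlier. `$view` is assigned above the hunk, so its sanitization is not visible here. `give_parse_report_dates()` begins above the hunk.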
diff --git a/includes/admin/tools/export/export-functions.php b/includes/admin/tools/export/export-functions.php
index 8ab7bd70ce..043af5b2d4 100755
--- a/includes/admin/tools/export/export-functions.php
+++ b/includes/admin/tools/export/export-functions.php
@@ -116,7 +116,7 @@ function give_do_ajax_export() {
$json_data = [
'step' => 'done',
- 'url' => add_query_arg( $args, admin_url() ),
+ 'url' => esc_url_raw(add_query_arg( $args, admin_url() )),
];
}
diff --git a/includes/ajax-functions.php b/includes/ajax-functions.php
index 3f76210781..71f600081f 100644
--- a/includes/ajax-functions.php
+++ b/includes/ajax-functions.php
@@ -130,7 +130,7 @@ function give_get_ajax_url( $query = [] ) {
$ajax_url = add_query_arg( $query, $ajax_url );
}
- return apply_filters( 'give_ajax_url', $ajax_url );
+ return esc_url_raw( apply_filters( 'give_ajax_url', $ajax_url ) );
}
/**
diff --git a/includes/deprecated/deprecated-functions.php b/includes/deprecated/deprecated-functions.php
index 60ca4cbfc1..8802f60446 100755
--- a/includes/deprecated/deprecated-functions.php
+++ b/includes/deprecated/deprecated-functions.php
@@ -1194,7 +1194,7 @@ function give_stripe_connect_button() {
'website_url' => get_bloginfo( 'url' ),
'give_stripe_connected' => '0',
],
- esc_url_raw( 'https://connect.givewp.com/stripe/connect.php' )
+ 'https://connect.givewp.com/stripe/connect.php'
);
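Review bot: The `esc_url_raw()` removed from the literal base URL is not visibly re-applied in this hunk: the `add_query_arg(` these arguments belong to opens above the hunk, so whether the assembled URL is wrapped the way the `give_stripe_disconnect_url()` hunk below wraps it cannot be confirmed from here. For a hard-coded HTTPS literal the removal itself is harmless, but the value is then placed into markup by the `return sprintf(` on the last line, so it needs `esc_url()` at that point if it does not already get it. `give_stripe_connect_button()` is marked deprecated in the third patch of this series, which limits the exposure either way.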
return sprintf(
@@ -1234,8 +1234,8 @@ function give_stripe_disconnect_url( $account_id = '', $account_name = '' ) {
}
// Prepare Stripe Disconnect URL.
- return add_query_arg(
+ return esc_url_raw( add_query_arg(
$args,
- esc_url_raw( 'https://connect.givewp.com/stripe/connect.php' )
- );
+ 'https://connect.givewp.com/stripe/connect.php'
+ ) );
}
diff --git a/includes/emails/template.php b/includes/emails/template.php
index d4925f8032..bfa118c4cf 100644
--- a/includes/emails/template.php
+++ b/includes/emails/template.php
@@ -114,31 +114,35 @@ function give_email_preview_buttons_callback( $field ) {
echo sprintf(
'%2$s',
- wp_nonce_url(
- add_query_arg(
- array(
- 'give_action' => 'preview_email',
- 'email_type' => $field_id,
- ),
- home_url()
- ),
- 'give-preview-email'
- ),
+ esc_url(
+ wp_nonce_url(
+ add_query_arg(
+ array(
+ 'give_action' => 'preview_email',
+ 'email_type' => $field_id,
+ ),
+ home_url()
+ ),
+ 'give-preview-email'
+ )
+ ),
$field['name']
);
echo sprintf(
' %3$s',
- wp_nonce_url(
- add_query_arg(
- array(
- 'give_action' => 'send_preview_email',
- 'email_type' => $field_id,
- 'give-messages[]' => 'sent-test-email',
- )
- ),
- 'give-send-preview-email'
- ),
+ esc_url(
+ wp_nonce_url(
+ add_query_arg(
+ array(
+ 'give_action' => 'send_preview_email',
+ 'email_type' => $field_id,
+ 'give-messages[]' => 'sent-test-email',
+ )
+ ),
+ 'give-send-preview-email'
+ )
+ ),
esc_attr__( 'Send Test Email.', 'give' ),
esc_html__( 'Send Test Email', 'give' )
);
diff --git a/includes/forms/functions.php b/includes/forms/functions.php
index 8898691aaa..91276e668b 100644
--- a/includes/forms/functions.php
+++ b/includes/forms/functions.php
@@ -219,7 +219,7 @@ function give_send_back_to_checkout( $args = [] ) {
/**
* Filter the redirect url
*/
- wp_safe_redirect( apply_filters( 'give_send_back_to_checkout', $redirect, $args ) );
+ wp_safe_redirect( esc_url_raw( apply_filters( 'give_send_back_to_checkout', $redirect, $args ) ) );
give_die();
}
diff --git a/includes/gateways/paypal/paypal-standard.php b/includes/gateways/paypal/paypal-standard.php
index 524452ee29..a2fa44b0b5 100644
--- a/includes/gateways/paypal/paypal-standard.php
+++ b/includes/gateways/paypal/paypal-standard.php
@@ -305,7 +305,7 @@ function give_build_paypal_url($payment_id, $payment_data)
'charset' => get_bloginfo('charset'),
'custom' => $payment_id,
'rm' => '2',
- 'return' => $return_url,
+ 'return' => esc_url_raw( $return_url ),
'cancel_return' => give_get_failed_transaction_uri(),
'notify_url' => $listener_url,
'page_style' => give_get_paypal_page_style(),
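Review bot: `esc_url_raw()` is applied to `return` but not to `cancel_return` (`give_get_failed_transaction_uri()`) or `notify_url` (`$listener_url`) on the adjacent lines, which go into the same PayPal argument array. If `$return_url` is sanitized because it may carry request-derived pieces, the other two should be handled the same way for consistency; if the array is later passed through `add_query_arg()` or `http_build_query()` (not visible here), all three are URL-encoded at that point anyway. `give_build_paypal_url()` begins above the hunk.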
diff --git a/includes/gateways/stripe/includes/give-stripe-helpers.php b/includes/gateways/stripe/includes/give-stripe-helpers.php
index 370ffb972d..3009b57ca7 100644
--- a/includes/gateways/stripe/includes/give-stripe-helpers.php
+++ b/includes/gateways/stripe/includes/give-stripe-helpers.php
@@ -1348,10 +1348,10 @@ function give_stripe_get_admin_settings_page_url( $args = [] ) {
$args = wp_parse_args( $args, $default_args );
- return add_query_arg(
+ return esc_url_raw( add_query_arg(
$args,
- esc_url_raw( admin_url( 'edit.php' ) )
- );
+ admin_url( 'edit.php' )
+ ) );
}
/**
diff --git a/includes/misc-functions.php b/includes/misc-functions.php
index d5087aaa3a..d3460e69f3 100644
--- a/includes/misc-functions.php
+++ b/includes/misc-functions.php
@@ -61,7 +61,7 @@ function give_get_current_page_url() {
*
* @since 1.0
*/
- return apply_filters( 'give_get_current_page_url', $current_uri );
+ return esc_url_raw( apply_filters( 'give_get_current_page_url', $current_uri ) );
}
diff --git a/includes/shortcodes.php b/includes/shortcodes.php
index 0de9a23653..3712225afb 100644
--- a/includes/shortcodes.php
+++ b/includes/shortcodes.php
@@ -555,9 +555,9 @@ function give_process_profile_editor_updates( $data ) {
* If the password is changed, then logout and redirect to the same page.
*/
if ( '2' === $update_code || '3' === $update_code ) {
- wp_logout( wp_redirect( add_query_arg( $profile_edit_redirect_args, $data['give_redirect'] ) ) );
+ wp_logout();
} else {
- wp_redirect( add_query_arg( $profile_edit_redirect_args, $data['give_redirect'] ) );
+ wp_redirect( esc_url_raw( add_query_arg( $profile_edit_redirect_args, $data['give_redirect'] ) ) );
}
give_die();
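Review bot: The password-change branch no longer redirects: the removed line evaluated `wp_redirect()` as the argument to `wp_logout()`, so the Location header was still sent before the logout, whereas the new `wp_logout();` is followed only by `give_die()`, leaving the user on an empty response, and the comment above the branch ("logout and redirect to the same page") now describes behaviour the code does not have. Restore the redirect after logging out: `wp_logout();` then `wp_safe_redirect( esc_url_raw( add_query_arg( $profile_edit_redirect_args, $data['give_redirect'] ) ) );`. In both branches the target comes from `$data['give_redirect']`, which looks like submitted form data; `wp_safe_redirect()` restricts the host to the site and its allowed list while `wp_redirect()` follows any value, so the `else` branch should switch as well. `give_process_profile_editor_updates()` begins above the hunk.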
diff --git a/src/Donations/DonationsAdminPage.php b/src/Donations/DonationsAdminPage.php
index ff159f0dd9..c323d5e75f 100644
--- a/src/Donations/DonationsAdminPage.php
+++ b/src/Donations/DonationsAdminPage.php
@@ -117,10 +117,10 @@ private function preloadDonations()
$queryParameters['search'] = urldecode($_GET['search']);
}
- $request = WP_REST_Request::from_url(add_query_arg(
+ $request = WP_REST_Request::from_url(esc_url(add_query_arg(
$queryParameters,
$this->apiRoot
- ));
+ )));
return rest_do_request($request)->get_data();
}
diff --git a/src/DonorDashboards/App.php b/src/DonorDashboards/App.php
index c5519f1720..a7a5109700 100644
--- a/src/DonorDashboards/App.php
+++ b/src/DonorDashboards/App.php
@@ -53,7 +53,7 @@ public function getOutput($attributes)
$queryArgs['action'] = urlencode(give_clean($_GET['action']));
}
- $url = add_query_arg($queryArgs, $url);
+ $url = esc_url(add_query_arg($queryArgs, $url));
$loader = $this->getIframeLoader($attributes['accent_color']);
diff --git a/src/Donors/DonorsAdminPage.php b/src/Donors/DonorsAdminPage.php
index 6ae846d9c6..19b3f32d78 100644
--- a/src/Donors/DonorsAdminPage.php
+++ b/src/Donors/DonorsAdminPage.php
@@ -107,10 +107,10 @@ public function getForms(){
'status' => 'any'
];
- $url = add_query_arg(
+ $url = esc_url_raw(add_query_arg(
$queryParameters,
- esc_url_raw(rest_url('give-api/v2/admin/forms'))
- );
+ rest_url('give-api/v2/admin/forms')
+ ));
$request = \WP_REST_Request::from_url($url);
$response = rest_do_request($request);
diff --git a/src/Framework/PaymentGateways/Actions/GenerateGatewayRouteUrl.php b/src/Framework/PaymentGateways/Actions/GenerateGatewayRouteUrl.php
index c5e6fb2589..d498b66b1f 100644
--- a/src/Framework/PaymentGateways/Actions/GenerateGatewayRouteUrl.php
+++ b/src/Framework/PaymentGateways/Actions/GenerateGatewayRouteUrl.php
@@ -26,9 +26,9 @@ public function __invoke($gatewayId, $gatewayMethod, $args = null)
$queryArgs = array_merge($queryArgs, $args);
}
- return add_query_arg(
+ return esc_url_raw(add_query_arg(
$queryArgs,
home_url()
- );
+ ));
}
}
diff --git a/src/Helpers/Form/Utils.php b/src/Helpers/Form/Utils.php
index 47613dc0d3..145285e9a7 100644
--- a/src/Helpers/Form/Utils.php
+++ b/src/Helpers/Form/Utils.php
@@ -119,10 +119,10 @@ public static function createSuccessPageURL($url, $args = [])
{
$args = array_merge($args, ['giveDonationAction' => 'showReceipt']);
- return add_query_arg(
+ return esc_url_raw(add_query_arg(
$args,
$url
- );
+ ));
}
/**
@@ -198,10 +198,10 @@ public static function createFailedPageURL($url, $args = [])
{
$args = array_merge($args, ['giveDonationAction' => 'failedDonation']);
- return add_query_arg(
+ return esc_url_raw(add_query_arg(
$args,
$url
- );
+ ));
}
/**
diff --git a/src/Helpers/Utils.php b/src/Helpers/Utils.php
index 75cff35c7d..5e7f7d4cce 100644
--- a/src/Helpers/Utils.php
+++ b/src/Helpers/Utils.php
@@ -68,7 +68,7 @@ public static function switchRequestedURL($location, $url, $addArgs = [], $remov
}
}
- return $url;
+ return esc_url_raw($url);
}
/**
diff --git a/src/LegacySubscriptions/includes/give-subscription.php b/src/LegacySubscriptions/includes/give-subscription.php
index 9df3d38c63..a0c1bce1e0 100644
--- a/src/LegacySubscriptions/includes/give-subscription.php
+++ b/src/LegacySubscriptions/includes/give-subscription.php
@@ -835,10 +835,10 @@ public function can_update_subscription() {
*/
public function get_update_url() {
- $url = add_query_arg( array(
+ $url = esc_url(add_query_arg( array(
'action' => 'update',
'subscription_id' => $this->id,
- ) );
+ ) ) );
return apply_filters( 'give_subscription_update_url', $url, $this );
}
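Review bot: The escaping on the new `esc_url(add_query_arg(...))` line runs before `apply_filters( 'give_subscription_update_url', ... )`, so whatever a filter callback returns is what callers receive, unescaped; escaping the filter's result instead — `return esc_url_raw( apply_filters( 'give_subscription_update_url', $url, $this ) );` — is the order this same series uses for `give_ajax_url` and `give_get_current_page_url`. `esc_url_raw()` rather than `esc_url()` because the method returns a value for callers to place where they need it, not HTML output. `get_edit_subscription_url()` in the next hunk has the same shape.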
@@ -851,10 +851,10 @@ public function get_update_url() {
*/
public function get_edit_subscription_url() {
- $url = add_query_arg( array(
+ $url = esc_url(add_query_arg( array(
'action' => 'edit_subscription',
'subscription_id' => $this->id,
- ), give_get_subscriptions_page_uri() );
+ ), give_get_subscriptions_page_uri() ));
return apply_filters( 'give_subscription_edit_subscription_url', $url, $this );
}
diff --git a/src/PaymentGateways/Gateways/PayPalStandard/PayPalStandard.php b/src/PaymentGateways/Gateways/PayPalStandard/PayPalStandard.php
index a4009d77cc..228878c279 100644
--- a/src/PaymentGateways/Gateways/PayPalStandard/PayPalStandard.php
+++ b/src/PaymentGateways/Gateways/PayPalStandard/PayPalStandard.php
@@ -113,10 +113,10 @@ protected function handleSuccessPaymentReturn($queryParams)
{
$donationId = (int)$queryParams['donation-id'];
- return new RedirectResponse(add_query_arg(
+ return new RedirectResponse(esc_url_raw(add_query_arg(
[ 'payment-confirmation' => $this->getId() ],
Call::invoke(GenerateDonationReceiptPageUrl::class, $donationId)
- ));
+ )));
}
/**
diff --git a/src/PaymentGateways/Gateways/Stripe/Helpers/CheckoutHelper.php b/src/PaymentGateways/Gateways/Stripe/Helpers/CheckoutHelper.php
index 5e262376d8..f25a59a773 100644
--- a/src/PaymentGateways/Gateways/Stripe/Helpers/CheckoutHelper.php
+++ b/src/PaymentGateways/Gateways/Stripe/Helpers/CheckoutHelper.php
@@ -16,14 +16,14 @@ class CheckoutHelper
*/
public function getRedirectUrl( $sessionId, $formId )
{
- return add_query_arg(
+ return esc_url_raw(add_query_arg(
[
'action' => 'checkout_processing',
'session' => $sessionId,
'id' => $formId,
],
site_url()
- );
+ ));
}
/**
diff --git a/src/PaymentGateways/Gateways/Stripe/Traits/CheckoutRedirect.php b/src/PaymentGateways/Gateways/Stripe/Traits/CheckoutRedirect.php
index a2fb7148cc..aae82256ba 100644
--- a/src/PaymentGateways/Gateways/Stripe/Traits/CheckoutRedirect.php
+++ b/src/PaymentGateways/Gateways/Stripe/Traits/CheckoutRedirect.php
@@ -16,14 +16,14 @@ trait CheckoutRedirect
*/
public function getRedirectUrl( $sessionId, $formId )
{
- return add_query_arg(
+ return esc_url_raw(add_query_arg(
[
'action' => 'checkout_processing',
'session' => $sessionId,
'id' => $formId,
],
site_url()
- );
+ ));
}
/**
diff --git a/src/PaymentGateways/Stripe/Admin/AccountManagerSettingField.php b/src/PaymentGateways/Stripe/Admin/AccountManagerSettingField.php
index 310e67dbc7..36bc8bfd86 100644
--- a/src/PaymentGateways/Stripe/Admin/AccountManagerSettingField.php
+++ b/src/PaymentGateways/Stripe/Admin/AccountManagerSettingField.php
@@ -247,22 +247,22 @@ private function getStripeAccountMarkup($stripeAccount)
return;
}
- $disconnectUrl = add_query_arg(
+ $disconnectUrl = esc_url_raw(add_query_arg(
[
'account_type' => $stripeAccount['type'],
'action' => 'disconnect_stripe_account',
'account_slug' => $stripeAccountSlug,
],
wp_nonce_url(admin_url('admin-ajax.php'), 'give_disconnect_connected_stripe_account_' . $stripeAccountSlug)
- );
+ ));
- $editStatementDescriptorUrl = add_query_arg(
+ $editStatementDescriptorUrl = esc_url_raw(add_query_arg(
[
'action' => 'edit_stripe_account_statement_descriptor',
'account-slug' => $stripeAccountSlug,
],
admin_url('admin-ajax.php')
- );
+ ));
$classes = $stripeAccountSlug === $this->defaultStripeAccountSlug ? ' give-stripe-boxshadow-option-wrap__selected' : '';
?>
diff --git a/src/Route/Form.php b/src/Route/Form.php
index 36792cef17..515b3c970c 100644
--- a/src/Route/Form.php
+++ b/src/Route/Form.php
@@ -137,13 +137,13 @@ public function getURL($form_id)
return get_option('permalink_structure')
? home_url("/{$this->base}/{$form_id}", $scheme)
- : add_query_arg(
+ : esc_url(add_query_arg(
[
'give_form_id' => $form_id,
'url_prefix' => $this->base,
],
home_url('', $scheme)
- );
+ ));
}
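Review bot: Only the query-string branch of the ternary is escaped; the pretty-permalink branch still returns `home_url("/{$this->base}/{$form_id}", $scheme)` as is, so `getURL()` now escapes depending on a site setting rather than on its contract. Either wrap the whole ternary once, `return esc_url_raw( get_option('permalink_structure') ? home_url(...) : add_query_arg(...) );`, or leave both branches raw and escape at output; `esc_url_raw()` fits a method whose return value callers embed in varying contexts, since `esc_url()` entity-encodes `&` for HTML. `$form_id` is interpolated straight into the path in the permalink branch, so its type and origin matter for that branch — neither is visible here. `getURL()` begins above the hunk.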
/**
From ebea8dae1e89d3085a280601b3dd26eba7c3cbcb Mon Sep 17 00:00:00 2001
From: Jon Waldstein
Date: Wed, 8 Jun 2022 16:09:41 -0400
Subject: [PATCH 2/3] Hot Fix: Restore ability to change subscriptions via
legacy subscription shortcode (#6439)
Co-authored-by: Jon Waldstein
---
.../gateways/stripe/class-give-stripe.php | 23 ++++---
.../class-give-stripe-card.php | 61 +++++++++++++++++++
2 files changed, 74 insertions(+), 10 deletions(-)
create mode 100644 includes/gateways/stripe/includes/payment-methods/class-give-stripe-card.php
diff --git a/includes/gateways/stripe/class-give-stripe.php b/includes/gateways/stripe/class-give-stripe.php
index 5798242699..c64fc46c51 100644
--- a/includes/gateways/stripe/class-give-stripe.php
+++ b/includes/gateways/stripe/class-give-stripe.php
@@ -161,16 +161,19 @@ public function include_frontend_files() {
require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/filters.php';
require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/give-stripe-scripts.php';
- // Classes.
- require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-logger.php';
- require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-invoice.php';
- require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-customer.php';
- require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-payment-intent.php';
- require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-payment-method.php';
- require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-checkout-session.php';
- require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-gateway.php';
- require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-webhooks.php';
- }
+ // Classes.
+ require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-logger.php';
+ require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-invoice.php';
+ require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-customer.php';
+ require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-payment-intent.php';
+ require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-payment-method.php';
+ require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-checkout-session.php';
+ require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-gateway.php';
+ require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-webhooks.php';
+
+ // Payment Methods.
+ require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/payment-methods/class-give-stripe-card.php';
+ }
/**
* Register the payment methods supported by Stripe.
diff --git a/includes/gateways/stripe/includes/payment-methods/class-give-stripe-card.php b/includes/gateways/stripe/includes/payment-methods/class-give-stripe-card.php
new file mode 100644
index 0000000000..40abb71265
--- /dev/null
+++ b/includes/gateways/stripe/includes/payment-methods/class-give-stripe-card.php
@@ -0,0 +1,61 @@
+getCreditCardFormHTML($form_id, $args);
+
+ if ( false !== $echo ) {
+ echo $form;
+ }
+
+ return $form;
+ }
+ }
+}
+return new Give_Stripe_Card();
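Review bot: The file ends with `return new Give_Stripe_Card();` at file scope, but the `require_once` that loads it (added to `include_frontend_files()` in this patch) discards the return value, so any effect of that instantiation has to come from the constructor, which is not visible in this rendering — the hunk header announces 61 lines and only the tail of the method calling `getCreditCardFormHTML()` is shown. If the constructor registers hooks, consider instantiating the class explicitly where the other payment-method classes are set up so the side effect is visible at the call site; a file that both declares a class and instantiates it is also what PSR-1 asks to avoid. `echo $form;` prints markup produced by `getCreditCardFormHTML()`, which is expected for a form template provided the values interpolated inside it are escaped there.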
From 8450a70524d7fd66b4c2cd3ceb5baee3401dd5d8 Mon Sep 17 00:00:00 2001
From: Jason Adams
Date: Wed, 8 Jun 2022 13:39:35 -0700
Subject: [PATCH 3/3] chore: prepare for 2.20.2 release
---
give.php | 4 ++--
includes/deprecated/deprecated-functions.php | 2 +-
readme.txt | 9 +++++++--
src/DonorDashboards/Helpers.php | 2 +-
4 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/give.php b/give.php
index 55e838e262..7835c1e2be 100644
--- a/give.php
+++ b/give.php
@@ -6,7 +6,7 @@
* Description: The most robust, flexible, and intuitive way to accept donations on WordPress.
* Author: GiveWP
* Author URI: https://givewp.com/
- * Version: 2.20.1
+ * Version: 2.20.2
* Requires at least: 5.0
* Requires PHP: 7.0
* Text Domain: give
@@ -305,7 +305,7 @@ private function setup_constants()
{
// Plugin version.
if (!defined('GIVE_VERSION')) {
- define('GIVE_VERSION', '2.20.1');
+ define('GIVE_VERSION', '2.20.2');
}
// Plugin Root File.
diff --git a/includes/deprecated/deprecated-functions.php b/includes/deprecated/deprecated-functions.php
index 8802f60446..33d4228c66 100755
--- a/includes/deprecated/deprecated-functions.php
+++ b/includes/deprecated/deprecated-functions.php
@@ -1175,7 +1175,7 @@ static function ( $url ) {
* Displays Stripe Connect Button.
*
* @since 2.5.0
- * @deprecated @unrelesed
+ * @deprecated 2.20.2
*
* @return string
*/
diff --git a/readme.txt b/readme.txt
index b9165e93d8..95ce64fadc 100644
--- a/readme.txt
+++ b/readme.txt
@@ -3,9 +3,9 @@ Contributors: givewp, dlocc, webdevmattcrom, ravinderk, mehul0810, kevinwhoffman
Donate link: https://go.givewp.com/home
Tags: donation, donate, recurring donations, fundraising, crowdfunding
Requires at least: 5.0
-Tested up to: 5.9
+Tested up to: 6.0
Requires PHP: 7.0
-Stable tag: 2.20.1
+Stable tag: 2.20.2
License: GPLv3
License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -250,6 +250,11 @@ The 2% fee on Stripe donations only applies to donations taken via our free Stri
8. GiveWP has a dedicated support team to help answer any questions you may have and help you through stumbling blocks.
== Changelog ==
+= 2.20.2: June 8th, 2022 =
+* Security: Donors are no longer able to view the Donor Dashboard for the email they donated in without logging in
+* Security: Added additional URL escaping around the codebase to protect against XSS attacks
+* Fix: Subscriptions can now be changed again by donors using the legacy subscriptions shortcode
+
= 2.20.1: May 19th, 2022 =
* Fix: Corrected an issue where admin notices were displaying strangely
* Fix: Removed the "Switch to New View" button that would show up in strange admin places when switched to the legacy donor or donation lists
diff --git a/src/DonorDashboards/Helpers.php b/src/DonorDashboards/Helpers.php
index 1f776729c5..21ed0f2f58 100644
--- a/src/DonorDashboards/Helpers.php
+++ b/src/DonorDashboards/Helpers.php
@@ -38,7 +38,7 @@ public static function getCurrentDonorId()
/**
* Retrieve donor logged in status
*
- * @unreleased
+ * @since 2.20.2
*/
public static function isDonorLoggedIn(): bool
{