From 17c2bd36818b5d3a1f863ebd6606919809cb504f Mon Sep 17 00:00:00 2001 From: Jason Adams Date: Wed, 8 Jun 2022 13:03:51 -0700 Subject: [PATCH 1/3] Hot Fix: Add additional escaping when adding query args (#6438) --- includes/admin/donors/donor-actions.php | 22 +++++---- includes/admin/emails/filters.php | 41 ++++++---------- includes/admin/give-metabox-functions.php | 48 ++++++++++--------- includes/admin/import-functions.php | 6 +-- .../admin/payments/class-payments-table.php | 44 +++++++++-------- .../admin/payments/view-payment-details.php | 24 +++++----- .../reports/class-gateways-reports-table.php | 46 ++++++++++-------- includes/admin/reports/graphing.php | 2 +- .../admin/tools/export/export-functions.php | 2 +- includes/ajax-functions.php | 2 +- includes/deprecated/deprecated-functions.php | 8 ++-- includes/emails/template.php | 44 +++++++++-------- includes/forms/functions.php | 2 +- includes/gateways/paypal/paypal-standard.php | 2 +- .../stripe/includes/give-stripe-helpers.php | 6 +-- includes/misc-functions.php | 2 +- includes/shortcodes.php | 4 +- src/Donations/DonationsAdminPage.php | 4 +- src/DonorDashboards/App.php | 2 +- src/Donors/DonorsAdminPage.php | 6 +-- .../Actions/GenerateGatewayRouteUrl.php | 4 +- src/Helpers/Form/Utils.php | 8 ++-- src/Helpers/Utils.php | 2 +- .../includes/give-subscription.php | 8 ++-- .../PayPalStandard/PayPalStandard.php | 4 +- .../Stripe/Helpers/CheckoutHelper.php | 4 +- .../Stripe/Traits/CheckoutRedirect.php | 4 +- .../Admin/AccountManagerSettingField.php | 8 ++-- src/Route/Form.php | 4 +- 29 files changed, 186 insertions(+), 177 deletions(-) diff --git a/includes/admin/donors/donor-actions.php b/includes/admin/donors/donor-actions.php index 9d616d1664..61d41b115b 100644 --- a/includes/admin/donors/donor-actions.php +++ b/includes/admin/donors/donor-actions.php 
@@ -161,16 +161,18 @@ function give_edit_donor( $args ) { if ( $output['success'] ) { wp_safe_redirect( - add_query_arg( - array( - 'post_type' => 'give_forms', - 'page' => 'give-donors', - 'view' => 'overview', - 'id' => $donor_id, - 'give-messages[]' => 'profile-updated', - ), - esc_url( admin_url( 'edit.php' ) ) - ) + esc_url( + add_query_arg( + array( + 'post_type' => 'give_forms', + 'page' => 'give-donors', + 'view' => 'overview', + 'id' => $donor_id, + 'give-messages[]' => 'profile-updated', + ), + admin_url( 'edit.php' ) + ) + ) ); } diff --git a/includes/admin/emails/filters.php b/includes/admin/emails/filters.php index 10ea804da3..14180eef1d 100755 --- a/includes/admin/emails/filters.php +++ b/includes/admin/emails/filters.php @@ -23,41 +23,28 @@ function give_email_notification_row_actions_callback( $row_actions, $email ) { if ( Give_Email_Notification_Util::is_email_preview( $email ) ) { $preview_link = sprintf( '%2$s', - wp_nonce_url( - add_query_arg( - array( - 'give_action' => 'preview_email', - 'email_type' => $email->config['id'], - ), - home_url() - ), - 'give-preview-email' - ), + esc_url( + wp_nonce_url( + add_query_arg( + array( + 'give_action' => 'preview_email', + 'email_type' => $email->config['id'], + ), + home_url() + ), + 'give-preview-email' + ) + ), __( 'Preview', 'give' ) ); - $send_preview_email_link = sprintf( - '%2$s', - wp_nonce_url( - add_query_arg( - array( - 'give_action' => 'send_preview_email', - 'email_type' => $email->config['id'], - 'give-messages[]' => 'sent-test-email', - ) - ), - 'give-send-preview-email' - ), - __( 'Send test email', 'give' ) - ); - $send_preview_email_link = give()->tooltips->render_link( [ 'tag_content' => esc_html__( 'Send test email', 'give' ), 'label' => sprintf( esc_html__( 'Click this link to send a test email to yourself at %s', 'give' ), wp_get_current_user()->user_email ), - 'link' => wp_nonce_url( + 'link' => esc_url(wp_nonce_url( add_query_arg( array( 'give_action' => 'send_preview_email', 
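Review bot: `esc_url()` is the display-context escaper — it entity-encodes `&` as `&#038;` — so wrapping the `wp_safe_redirect()` argument in it, as the new lines here do, sends a Location header in which the `#` begins a fragment and everything after the first query argument (`page`, `view`, `id`, `give-messages[]`) is dropped by the browser; `esc_url_raw()` is the escaper intended for redirects, stored URLs and request URLs. The one-line change is `wp_safe_redirect( esc_url_raw( add_query_arg( array( … ), admin_url( 'edit.php' ) ) ) );`. The same mix-up recurs in `graphing.php` (`wp_redirect( esc_url( … ) )`) and in `DonationsAdminPage.php`, where the `esc_url()` result is fed to `WP_REST_Request::from_url()` and the encoded ampersands would likely corrupt the parsed query parameters — `DonorsAdminPage.php` in this same patch uses `esc_url_raw()` for the identical REST call, which is the right model. The `esc_url()` returns in `give-subscription.php`, `DonorDashboards/App.php` and `Route/Form.php` are only correct if every caller drops them straight into HTML; any caller that redirects with them hits the same problem. give_edit_donor's body continues outside the hunk.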
@@ -66,7 +53,7 @@ function give_email_notification_row_actions_callback( $row_actions, $email ) { ) ), 'give-send-preview-email' - ) + )) ] ); $row_actions['email_preview'] = $preview_link; diff --git a/includes/admin/give-metabox-functions.php b/includes/admin/give-metabox-functions.php index 1fd9bf8564..8782c91659 100644 --- a/includes/admin/give-metabox-functions.php +++ b/includes/admin/give-metabox-functions.php @@ -1158,33 +1158,37 @@ function give_email_preview_buttons( $field ) { echo sprintf( '%2$s', - wp_nonce_url( - add_query_arg( - [ - 'give_action' => 'preview_email', - 'email_type' => $field_id, - 'form_id' => $post->ID, - ], - home_url() - ), - 'give-preview-email' - ), + esc_url( + wp_nonce_url( + add_query_arg( + [ + 'give_action' => 'preview_email', + 'email_type' => $field_id, + 'form_id' => $post->ID, + ], + home_url() + ), + 'give-preview-email' + ) + ), $field['name'] ); echo sprintf( ' %3$s', - wp_nonce_url( - add_query_arg( - [ - 'give_action' => 'send_preview_email', - 'email_type' => $field_id, - 'give-messages[]' => 'sent-test-email', - 'form_id' => $post->ID, - ] - ), - 'give-send-preview-email' - ), + esc_url( + wp_nonce_url( + add_query_arg( + [ + 'give_action' => 'send_preview_email', + 'email_type' => $field_id, + 'give-messages[]' => 'sent-test-email', + 'form_id' => $post->ID, + ] + ), + 'give-send-preview-email' + ) + ), esc_attr__( 'Send Test Email.', 'give' ), esc_html__( 'Send Test Email', 'give' ) ); diff --git a/includes/admin/import-functions.php b/includes/admin/import-functions.php index 07f9411159..65fd56d8d2 100644 --- a/includes/admin/import-functions.php +++ b/includes/admin/import-functions.php 
@@ -702,7 +702,7 @@ function give_save_import_donation_to_db( $raw_key, $row_data, $main_key = [], $ // check for duplicate donor by donor id if ( ! empty( $csv_data['donor_id'] ) && ! empty( $data['donor_id'] ) && $csv_data['donor_id'] === $data['donor_id'] ) { - $donor = array_search( (int) $data['donor_id'], array_column( 'id', $donors_list ) ); + $donor = array_search( (int) $data['donor_id'], array_column( $donors_list, 'id' ) ); if ( ! empty( $donor ) ) { $dry_run_duplicate_donor = true; } @@ -710,7 +710,7 @@ function give_save_import_donation_to_db( $raw_key, $row_data, $main_key = [], $ // check for duplicate donor by user id if ( empty( $dry_run_duplicate_donor ) && ! empty( $csv_data['user_id'] ) && ! empty( $data['user_id'] ) && $csv_data['user_id'] === $data['user_id'] ) { - $donor = array_search( (int) $data['user_id'], array_column( 'user_id', $donors_list ) ); + $donor = array_search( (int) $data['user_id'], array_column( $donors_list, 'user_id' ) ); if ( ! empty( $donor ) ) { $dry_run_duplicate_donor = true; } else { @@ -1120,5 +1120,5 @@ function give_import_page_url( $parameter = [] ) { ]; $import_query_arg = wp_parse_args( $parameter, $defalut_query_arg ); - return add_query_arg( $import_query_arg, admin_url( 'edit.php' ) ); + return esc_url_raw( add_query_arg( $import_query_arg, admin_url( 'edit.php' ) ) ); } diff --git a/includes/admin/payments/class-payments-table.php b/includes/admin/payments/class-payments-table.php index f121b9a23f..853b3aa2ef 100644 --- a/includes/admin/payments/class-payments-table.php +++ b/includes/admin/payments/class-payments-table.php 
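Review bot: `if ( ! empty( $donor ) )` on the line after the corrected `array_search()` still treats a match at index 0 as "not found": `array_search()` returns the matching key, and because `array_column()` produces a reindexed list the first donor in `$donors_list` always sits at key 0, so a duplicate of that donor is never detected. Compare against `false` instead: `if ( false !== $donor ) {`. The `user_id` hunk just below has the same shape and needs the same change. give_save_import_donation_to_db's body extends beyond both hunks.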
@@ -606,16 +606,18 @@ function get_row_actions( $payment ) { $actions['email_links'] = sprintf( '%3$s', - wp_nonce_url( - add_query_arg( - [ - 'give-action' => 'email_links', - 'purchase_id' => $payment->ID, - ], - $this->base_url - ), - 'give_payment_nonce' - ), + esc_url( + wp_nonce_url( + add_query_arg( + [ + 'give-action' => 'email_links', + 'purchase_id' => $payment->ID, + ], + $this->base_url + ), + 'give_payment_nonce' + ) + ), sprintf( __( 'Resend Donation %s Receipt', 'give' ), $payment->ID ), __( 'Resend Receipt', 'give' ) ); @@ -625,16 +627,18 @@ function get_row_actions( $payment ) { if ( current_user_can( 'view_give_payments' ) ) { $actions['delete'] = sprintf( '%3$s', - wp_nonce_url( - add_query_arg( - [ - 'give-action' => 'delete_payment', - 'purchase_id' => $payment->ID, - ], - $this->base_url - ), - 'give_donation_nonce' - ), + esc_url( + wp_nonce_url( + add_query_arg( + [ + 'give-action' => 'delete_payment', + 'purchase_id' => $payment->ID, + ], + $this->base_url + ), + 'give_donation_nonce' + ) + ), sprintf( __( 'Delete Donation %s', 'give' ), $payment->ID ), __( 'Delete', 'give' ) ); diff --git a/includes/admin/payments/view-payment-details.php b/includes/admin/payments/view-payment-details.php index 57efac53ac..499034c147 100644 --- a/includes/admin/payments/view-payment-details.php +++ b/includes/admin/payments/view-payment-details.php @@ -137,16 +137,18 @@ echo sprintf( '', $payment_id, - wp_nonce_url( - add_query_arg( - array( - 'give-action' => 'delete_payment', - 'purchase_id' => $payment_id, - ), - $base_url - ), - 'give_donation_nonce' - ), + esc_url( + wp_nonce_url( + add_query_arg( + array( + 'give-action' => 'delete_payment', + 'purchase_id' => $payment_id, + ), + $base_url + ), + 'give_donation_nonce' + ) + ), sprintf( __( 'Delete Donation %s', 'give' ), $payment_id ) ); } @@ -357,7 +359,7 @@

- + diff --git a/includes/admin/reports/class-gateways-reports-table.php b/includes/admin/reports/class-gateways-reports-table.php index bba2980a6b..03a453a3f3 100644 --- a/includes/admin/reports/class-gateways-reports-table.php +++ b/includes/admin/reports/class-gateways-reports-table.php @@ -74,13 +74,15 @@ public function column_default( $item, $column_name ) { $value = $item[ $column_name ] ? sprintf( '%s', - add_query_arg( - array( - 'status' => 'publish', - 'gateway' => $item['ID'], - ), - $donation_list_page_url - ), + esc_url( + add_query_arg( + array( + 'status' => 'publish', + 'gateway' => $item['ID'], + ), + $donation_list_page_url + ) + ), $item[ $column_name ] ) : $item[ $column_name ]; @@ -90,13 +92,15 @@ public function column_default( $item, $column_name ) { $value = $item[ $column_name ] ? sprintf( '%s', - add_query_arg( - array( - 'status' => 'pending', - 'gateway' => $item['ID'], - ), - $donation_list_page_url - ), + esc_url( + add_query_arg( + array( + 'status' => 'pending', + 'gateway' => $item['ID'], + ), + $donation_list_page_url + ) + ), $item[ $column_name ] ) : $item[ $column_name ]; @@ -106,12 +110,14 @@ public function column_default( $item, $column_name ) { $value = $item[ $column_name ] ? sprintf( '%s', - add_query_arg( - array( - 'gateway' => $item['ID'], - ), - $donation_list_page_url - ), + esc_url( + add_query_arg( + array( + 'gateway' => $item['ID'], + ), + $donation_list_page_url + ) + ), $item[ $column_name ] ) : $item[ $column_name ]; diff --git a/includes/admin/reports/graphing.php b/includes/admin/reports/graphing.php index accb5fcb0a..c669f44114 100644 --- a/includes/admin/reports/graphing.php +++ b/includes/admin/reports/graphing.php 
@@ -809,7 +809,7 @@ function give_parse_report_dates( $data ) { $tab = isset( $_GET['tab'] ) ? sanitize_text_field( $_GET['tab'] ) : 'earnings'; $id = isset( $_GET['form-id'] ) ? $_GET['form-id'] : null; - wp_redirect( add_query_arg( $dates, admin_url( 'edit.php?post_type=give_forms&page=give-reports&legacy=true&tab=' . esc_attr( $tab ) . '&view=' . esc_attr( $view ) . '&form-id=' . absint( $id ) ) ) ); + wp_redirect( esc_url(add_query_arg( $dates, admin_url( 'edit.php?post_type=give_forms&page=give-reports&legacy=true&tab=' . esc_attr( $tab ) . '&view=' . esc_attr( $view ) . '&form-id=' . absint( $id ) ) ) ) ); give_die(); } diff --git a/includes/admin/tools/export/export-functions.php b/includes/admin/tools/export/export-functions.php index 8ab7bd70ce..043af5b2d4 100755 --- a/includes/admin/tools/export/export-functions.php +++ b/includes/admin/tools/export/export-functions.php @@ -116,7 +116,7 @@ function give_do_ajax_export() { $json_data = [ 'step' => 'done', - 'url' => add_query_arg( $args, admin_url() ), + 'url' => esc_url_raw(add_query_arg( $args, admin_url() )), ]; } diff --git a/includes/ajax-functions.php b/includes/ajax-functions.php index 3f76210781..71f600081f 100644 --- a/includes/ajax-functions.php +++ b/includes/ajax-functions.php @@ -130,7 +130,7 @@ function give_get_ajax_url( $query = [] ) { $ajax_url = add_query_arg( $query, $ajax_url ); } - return apply_filters( 'give_ajax_url', $ajax_url ); + return esc_url_raw( apply_filters( 'give_ajax_url', $ajax_url ) ); } /** diff --git a/includes/deprecated/deprecated-functions.php b/includes/deprecated/deprecated-functions.php index 60ca4cbfc1..8802f60446 100755 --- a/includes/deprecated/deprecated-functions.php +++ b/includes/deprecated/deprecated-functions.php 
@@ -1194,7 +1194,7 @@ function give_stripe_connect_button() { 'website_url' => get_bloginfo( 'url' ), 'give_stripe_connected' => '0', ], - esc_url_raw( 'https://connect.givewp.com/stripe/connect.php' ) + 'https://connect.givewp.com/stripe/connect.php' ); return sprintf( @@ -1234,8 +1234,8 @@ function give_stripe_disconnect_url( $account_id = '', $account_name = '' ) { } // Prepare Stripe Disconnect URL. - return add_query_arg( + return esc_url_raw( add_query_arg( $args, - esc_url_raw( 'https://connect.givewp.com/stripe/connect.php' ) - ); + 'https://connect.givewp.com/stripe/connect.php' + ) ); } diff --git a/includes/emails/template.php b/includes/emails/template.php index d4925f8032..bfa118c4cf 100644 --- a/includes/emails/template.php +++ b/includes/emails/template.php @@ -114,31 +114,35 @@ function give_email_preview_buttons_callback( $field ) { echo sprintf( '%2$s', - wp_nonce_url( - add_query_arg( - array( - 'give_action' => 'preview_email', - 'email_type' => $field_id, - ), - home_url() - ), - 'give-preview-email' - ), + esc_url( + wp_nonce_url( + add_query_arg( + array( + 'give_action' => 'preview_email', + 'email_type' => $field_id, + ), + home_url() + ), + 'give-preview-email' + ) + ), $field['name'] ); echo sprintf( ' %3$s', - wp_nonce_url( - add_query_arg( - array( - 'give_action' => 'send_preview_email', - 'email_type' => $field_id, - 'give-messages[]' => 'sent-test-email', - ) - ), - 'give-send-preview-email' - ), + esc_url( + wp_nonce_url( + add_query_arg( + array( + 'give_action' => 'send_preview_email', + 'email_type' => $field_id, + 'give-messages[]' => 'sent-test-email', + ) + ), + 'give-send-preview-email' + ) + ), esc_attr__( 'Send Test Email.', 'give' ), esc_html__( 'Send Test Email', 'give' ) ); diff --git a/includes/forms/functions.php b/includes/forms/functions.php index 8898691aaa..91276e668b 100644 --- a/includes/forms/functions.php +++ b/includes/forms/functions.php 
@@ -219,7 +219,7 @@ function give_send_back_to_checkout( $args = [] ) { /** * Filter the redirect url */ - wp_safe_redirect( apply_filters( 'give_send_back_to_checkout', $redirect, $args ) ); + wp_safe_redirect( esc_url_raw( apply_filters( 'give_send_back_to_checkout', $redirect, $args ) ) ); give_die(); } diff --git a/includes/gateways/paypal/paypal-standard.php b/includes/gateways/paypal/paypal-standard.php index 524452ee29..a2fa44b0b5 100644 --- a/includes/gateways/paypal/paypal-standard.php +++ b/includes/gateways/paypal/paypal-standard.php @@ -305,7 +305,7 @@ function give_build_paypal_url($payment_id, $payment_data) 'charset' => get_bloginfo('charset'), 'custom' => $payment_id, 'rm' => '2', - 'return' => $return_url, + 'return' => esc_url_raw( $return_url ), 'cancel_return' => give_get_failed_transaction_uri(), 'notify_url' => $listener_url, 'page_style' => give_get_paypal_page_style(), diff --git a/includes/gateways/stripe/includes/give-stripe-helpers.php b/includes/gateways/stripe/includes/give-stripe-helpers.php index 370ffb972d..3009b57ca7 100644 --- a/includes/gateways/stripe/includes/give-stripe-helpers.php +++ b/includes/gateways/stripe/includes/give-stripe-helpers.php @@ -1348,10 +1348,10 @@ function give_stripe_get_admin_settings_page_url( $args = [] ) { $args = wp_parse_args( $args, $default_args ); - return add_query_arg( + return esc_url_raw( add_query_arg( $args, - esc_url_raw( admin_url( 'edit.php' ) ) - ); + admin_url( 'edit.php' ) + ) ); } /** diff --git a/includes/misc-functions.php b/includes/misc-functions.php index d5087aaa3a..d3460e69f3 100644 --- a/includes/misc-functions.php +++ b/includes/misc-functions.php @@ -61,7 +61,7 @@ function give_get_current_page_url() { * * @since 1.0 */ - return apply_filters( 'give_get_current_page_url', $current_uri ); + return esc_url_raw( apply_filters( 'give_get_current_page_url', $current_uri ) ); } diff --git a/includes/shortcodes.php b/includes/shortcodes.php index 0de9a23653..3712225afb 100644 
--- a/includes/shortcodes.php +++ b/includes/shortcodes.php @@ -555,9 +555,9 @@ function give_process_profile_editor_updates( $data ) { * If the password is changed, then logout and redirect to the same page. */ if ( '2' === $update_code || '3' === $update_code ) { - wp_logout( wp_redirect( add_query_arg( $profile_edit_redirect_args, $data['give_redirect'] ) ) ); + wp_logout(); } else { - wp_redirect( add_query_arg( $profile_edit_redirect_args, $data['give_redirect'] ) ); + wp_redirect( esc_url_raw( add_query_arg( $profile_edit_redirect_args, $data['give_redirect'] ) ) ); } give_die(); diff --git a/src/Donations/DonationsAdminPage.php b/src/Donations/DonationsAdminPage.php index ff159f0dd9..c323d5e75f 100644 --- a/src/Donations/DonationsAdminPage.php +++ b/src/Donations/DonationsAdminPage.php @@ -117,10 +117,10 @@ private function preloadDonations() $queryParameters['search'] = urldecode($_GET['search']); } - $request = WP_REST_Request::from_url(add_query_arg( + $request = WP_REST_Request::from_url(esc_url(add_query_arg( $queryParameters, $this->apiRoot - )); + ))); return rest_do_request($request)->get_data(); } diff --git a/src/DonorDashboards/App.php b/src/DonorDashboards/App.php index c5519f1720..a7a5109700 100644 --- a/src/DonorDashboards/App.php +++ b/src/DonorDashboards/App.php @@ -53,7 +53,7 @@ public function getOutput($attributes) $queryArgs['action'] = urlencode(give_clean($_GET['action'])); } - $url = add_query_arg($queryArgs, $url); + $url = esc_url(add_query_arg($queryArgs, $url)); $loader = $this->getIframeLoader($attributes['accent_color']); diff --git a/src/Donors/DonorsAdminPage.php b/src/Donors/DonorsAdminPage.php index 6ae846d9c6..19b3f32d78 100644 --- a/src/Donors/DonorsAdminPage.php +++ b/src/Donors/DonorsAdminPage.php 
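Review bot: The password-changed branch no longer redirects: the removed `wp_logout( wp_redirect( … ) )` emitted the Location header before logging out, whereas the new line is a bare `wp_logout();` followed by `give_die()`, so the donor is logged out and the request simply ends, which contradicts the comment above the branch ("logout and redirect to the same page"). If that is intended, update the comment; otherwise add `wp_redirect( esc_url_raw( add_query_arg( $profile_edit_redirect_args, $data['give_redirect'] ) ) );` after `wp_logout();`. Separately, `$data['give_redirect']` appears to be submitted form data, so both branches are better served by `wp_safe_redirect()`, which restricts the destination to the site's allowed hosts, than by `wp_redirect()`. give_process_profile_editor_updates starts and ends outside the hunk.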
@@ -107,10 +107,10 @@ public function getForms(){ 'status' => 'any' ]; - $url = add_query_arg( + $url = esc_url_raw(add_query_arg( $queryParameters, - esc_url_raw(rest_url('give-api/v2/admin/forms')) - ); + rest_url('give-api/v2/admin/forms') + )); $request = \WP_REST_Request::from_url($url); $response = rest_do_request($request); diff --git a/src/Framework/PaymentGateways/Actions/GenerateGatewayRouteUrl.php b/src/Framework/PaymentGateways/Actions/GenerateGatewayRouteUrl.php index c5e6fb2589..d498b66b1f 100644 --- a/src/Framework/PaymentGateways/Actions/GenerateGatewayRouteUrl.php +++ b/src/Framework/PaymentGateways/Actions/GenerateGatewayRouteUrl.php @@ -26,9 +26,9 @@ public function __invoke($gatewayId, $gatewayMethod, $args = null) $queryArgs = array_merge($queryArgs, $args); } - return add_query_arg( + return esc_url_raw(add_query_arg( $queryArgs, home_url() - ); + )); } } diff --git a/src/Helpers/Form/Utils.php b/src/Helpers/Form/Utils.php index 47613dc0d3..145285e9a7 100644 --- a/src/Helpers/Form/Utils.php +++ b/src/Helpers/Form/Utils.php @@ -119,10 +119,10 @@ public static function createSuccessPageURL($url, $args = []) { $args = array_merge($args, ['giveDonationAction' => 'showReceipt']); - return add_query_arg( + return esc_url_raw(add_query_arg( $args, $url - ); + )); } /** @@ -198,10 +198,10 @@ public static function createFailedPageURL($url, $args = []) { $args = array_merge($args, ['giveDonationAction' => 'failedDonation']); - return add_query_arg( + return esc_url_raw(add_query_arg( $args, $url - ); + )); } /** diff --git a/src/Helpers/Utils.php b/src/Helpers/Utils.php index 75cff35c7d..5e7f7d4cce 100644 --- a/src/Helpers/Utils.php +++ b/src/Helpers/Utils.php @@ -68,7 +68,7 @@ public static function switchRequestedURL($location, $url, $addArgs = [], $remov } } - return $url; + return esc_url_raw($url); } /** 
diff --git a/src/LegacySubscriptions/includes/give-subscription.php b/src/LegacySubscriptions/includes/give-subscription.php index 9df3d38c63..a0c1bce1e0 100644 --- a/src/LegacySubscriptions/includes/give-subscription.php +++ b/src/LegacySubscriptions/includes/give-subscription.php @@ -835,10 +835,10 @@ public function can_update_subscription() { */ public function get_update_url() { - $url = add_query_arg( array( + $url = esc_url(add_query_arg( array( 'action' => 'update', 'subscription_id' => $this->id, - ) ); + ) ) ); return apply_filters( 'give_subscription_update_url', $url, $this ); } @@ -851,10 +851,10 @@ public function get_update_url() { */ public function get_edit_subscription_url() { - $url = add_query_arg( array( + $url = esc_url(add_query_arg( array( 'action' => 'edit_subscription', 'subscription_id' => $this->id, - ), give_get_subscriptions_page_uri() ); + ), give_get_subscriptions_page_uri() )); return apply_filters( 'give_subscription_edit_subscription_url', $url, $this ); } diff --git a/src/PaymentGateways/Gateways/PayPalStandard/PayPalStandard.php b/src/PaymentGateways/Gateways/PayPalStandard/PayPalStandard.php index a4009d77cc..228878c279 100644 --- a/src/PaymentGateways/Gateways/PayPalStandard/PayPalStandard.php +++ b/src/PaymentGateways/Gateways/PayPalStandard/PayPalStandard.php @@ -113,10 +113,10 @@ protected function handleSuccessPaymentReturn($queryParams) { $donationId = (int)$queryParams['donation-id']; - return new RedirectResponse(add_query_arg( + return new RedirectResponse(esc_url_raw(add_query_arg( [ 'payment-confirmation' => $this->getId() ], Call::invoke(GenerateDonationReceiptPageUrl::class, $donationId) - )); + ))); } /** diff --git a/src/PaymentGateways/Gateways/Stripe/Helpers/CheckoutHelper.php b/src/PaymentGateways/Gateways/Stripe/Helpers/CheckoutHelper.php index 5e262376d8..f25a59a773 100644 --- a/src/PaymentGateways/Gateways/Stripe/Helpers/CheckoutHelper.php +++ b/src/PaymentGateways/Gateways/Stripe/Helpers/CheckoutHelper.php 
@@ -16,14 +16,14 @@ class CheckoutHelper */ public function getRedirectUrl( $sessionId, $formId ) { - return add_query_arg( + return esc_url_raw(add_query_arg( [ 'action' => 'checkout_processing', 'session' => $sessionId, 'id' => $formId, ], site_url() - ); + )); } /** diff --git a/src/PaymentGateways/Gateways/Stripe/Traits/CheckoutRedirect.php b/src/PaymentGateways/Gateways/Stripe/Traits/CheckoutRedirect.php index a2fb7148cc..aae82256ba 100644 --- a/src/PaymentGateways/Gateways/Stripe/Traits/CheckoutRedirect.php +++ b/src/PaymentGateways/Gateways/Stripe/Traits/CheckoutRedirect.php @@ -16,14 +16,14 @@ trait CheckoutRedirect */ public function getRedirectUrl( $sessionId, $formId ) { - return add_query_arg( + return esc_url_raw(add_query_arg( [ 'action' => 'checkout_processing', 'session' => $sessionId, 'id' => $formId, ], site_url() - ); + )); } /** diff --git a/src/PaymentGateways/Stripe/Admin/AccountManagerSettingField.php b/src/PaymentGateways/Stripe/Admin/AccountManagerSettingField.php index 310e67dbc7..36bc8bfd86 100644 --- a/src/PaymentGateways/Stripe/Admin/AccountManagerSettingField.php +++ b/src/PaymentGateways/Stripe/Admin/AccountManagerSettingField.php @@ -247,22 +247,22 @@ private function getStripeAccountMarkup($stripeAccount) return; } - $disconnectUrl = add_query_arg( + $disconnectUrl = esc_url_raw(add_query_arg( [ 'account_type' => $stripeAccount['type'], 'action' => 'disconnect_stripe_account', 'account_slug' => $stripeAccountSlug, ], wp_nonce_url(admin_url('admin-ajax.php'), 'give_disconnect_connected_stripe_account_' . $stripeAccountSlug) - ); + )); - $editStatementDescriptorUrl = add_query_arg( + $editStatementDescriptorUrl = esc_url_raw(add_query_arg( [ 'action' => 'edit_stripe_account_statement_descriptor', 'account-slug' => $stripeAccountSlug, ], admin_url('admin-ajax.php') - ); + )); $classes = $stripeAccountSlug === $this->defaultStripeAccountSlug ? ' give-stripe-boxshadow-option-wrap__selected' : ''; ?> 
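Review bot: `esc_url_raw()` performs no HTML entity escaping, so if `$disconnectUrl` and `$editStatementDescriptorUrl` are echoed into the markup that follows `?>` they still need `esc_url()` at the point of output — the wrapper added here only sanitizes the stored value. A one-line comment above the first assignment, `// Raw URL: escape with esc_url() where it is printed.`, would keep the two escaping stages distinct for the next reader. getStripeAccountMarkup starts outside the hunk.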
diff --git a/src/Route/Form.php b/src/Route/Form.php index 36792cef17..515b3c970c 100644 --- a/src/Route/Form.php +++ b/src/Route/Form.php @@ -137,13 +137,13 @@ public function getURL($form_id) return get_option('permalink_structure') ? home_url("/{$this->base}/{$form_id}", $scheme) - : add_query_arg( + : esc_url(add_query_arg( [ 'give_form_id' => $form_id, 'url_prefix' => $this->base, ], home_url('', $scheme) - ); + )); } /** From ebea8dae1e89d3085a280601b3dd26eba7c3cbcb Mon Sep 17 00:00:00 2001 From: Jon Waldstein Date: Wed, 8 Jun 2022 16:09:41 -0400 Subject: [PATCH 2/3] Hot Fix: Restore ability to change subscriptions via legacy subscription shortcode (#6439) Co-authored-by: Jon Waldstein --- .../gateways/stripe/class-give-stripe.php | 23 ++++--- .../class-give-stripe-card.php | 61 +++++++++++++++++++ 2 files changed, 74 insertions(+), 10 deletions(-) create mode 100644 includes/gateways/stripe/includes/payment-methods/class-give-stripe-card.php diff --git a/includes/gateways/stripe/class-give-stripe.php b/includes/gateways/stripe/class-give-stripe.php index 5798242699..c64fc46c51 100644 --- a/includes/gateways/stripe/class-give-stripe.php +++ b/includes/gateways/stripe/class-give-stripe.php 
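Review bot: The two arms of the ternary now return differently escaped strings: the pretty-permalink branch returns `home_url("/{$this->base}/{$form_id}", $scheme)` unescaped while the fallback is wrapped in `esc_url()`, so callers receive display-encoded output only when permalinks are off. Pick one contract for `getURL()` — either escape both arms or leave both raw and escape where the value is printed or redirected — and if the display escaper is kept, check that no caller passes the result to `wp_redirect()`, where `esc_url()`'s `&#038;` breaks the query string. getURL's signature is outside the hunk.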
@@ -161,16 +161,19 @@ public function include_frontend_files() { require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/filters.php'; require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/give-stripe-scripts.php'; - // Classes. - require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-logger.php'; - require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-invoice.php'; - require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-customer.php'; - require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-payment-intent.php'; - require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-payment-method.php'; - require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-checkout-session.php'; - require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-gateway.php'; - require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-webhooks.php'; - } + // Classes. + require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-logger.php'; + require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-invoice.php'; + require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-customer.php'; + require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-payment-intent.php'; + require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-payment-method.php'; + require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-checkout-session.php'; + require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-gateway.php'; + require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/class-give-stripe-webhooks.php'; + + // Payment Methods. + require_once GIVE_PLUGIN_DIR . 
'includes/gateways/stripe/includes/payment-methods/class-give-stripe-card.php'; + } /** * Register the payment methods supported by Stripe. diff --git a/includes/gateways/stripe/includes/payment-methods/class-give-stripe-card.php b/includes/gateways/stripe/includes/payment-methods/class-give-stripe-card.php new file mode 100644 index 0000000000..40abb71265 --- /dev/null +++ b/includes/gateways/stripe/includes/payment-methods/class-give-stripe-card.php @@ -0,0 +1,61 @@ +getCreditCardFormHTML($form_id, $args); + + if ( false !== $echo ) { + echo $form; + } + + return $form; + } + } +} +return new Give_Stripe_Card(); From 8450a70524d7fd66b4c2cd3ceb5baee3401dd5d8 Mon Sep 17 00:00:00 2001 From: Jason Adams Date: Wed, 8 Jun 2022 13:39:35 -0700 Subject: [PATCH 3/3] chore: prepare for 2.20.2 release --- give.php | 4 ++-- includes/deprecated/deprecated-functions.php | 2 +- readme.txt | 9 +++++++-- src/DonorDashboards/Helpers.php | 2 +- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/give.php b/give.php index 55e838e262..7835c1e2be 100644 --- a/give.php +++ b/give.php @@ -6,7 +6,7 @@ * Description: The most robust, flexible, and intuitive way to accept donations on WordPress. * Author: GiveWP * Author URI: https://givewp.com/ - * Version: 2.20.1 + * Version: 2.20.2 * Requires at least: 5.0 * Requires PHP: 7.0 * Text Domain: give @@ -305,7 +305,7 @@ private function setup_constants() { // Plugin version. if (!defined('GIVE_VERSION')) { - define('GIVE_VERSION', '2.20.1'); + define('GIVE_VERSION', '2.20.2'); } // Plugin Root File. diff --git a/includes/deprecated/deprecated-functions.php b/includes/deprecated/deprecated-functions.php index 8802f60446..33d4228c66 100755 --- a/includes/deprecated/deprecated-functions.php +++ b/includes/deprecated/deprecated-functions.php @@ -1175,7 +1175,7 @@ static function ( $url ) { * Displays Stripe Connect Button. * * @since 2.5.0 - * @deprecated @unrelesed + * @deprecated 2.20.2 * * @return string */ 
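Review bot: The hunk re-indents eight unchanged `require_once` lines alongside the single functional addition, which makes the actual change — the new Payment Methods require — hard to pick out of a hot-fix diff; whitespace-only changes are better kept to their own commit. The added path is also wrapped onto a second line after `GIVE_PLUGIN_DIR .`, unlike every sibling require, so it reads as a different statement at a glance; keep it on one line: `require_once GIVE_PLUGIN_DIR . 'includes/gateways/stripe/includes/payment-methods/class-give-stripe-card.php';`. include_frontend_files begins outside the hunk.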
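Review bot: The new file ends with `return new Give_Stripe_Card();`, so it both declares a class and executes at include time, and the `require_once` added in `include_frontend_files()` discards that return value (a repeated `require_once` yields `true`, not an object, so nothing can rely on it). If the instantiation exists so the constructor registers hooks, say so in a comment above the `return`, e.g. `// Instantiated on include so the constructor registers its hooks; the return value is unused.`; otherwise create the instance where the other Stripe gateway objects are wired up. I have not reviewed the constructor body itself.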
diff --git a/readme.txt b/readme.txt index b9165e93d8..95ce64fadc 100644 --- a/readme.txt +++ b/readme.txt @@ -3,9 +3,9 @@ Contributors: givewp, dlocc, webdevmattcrom, ravinderk, mehul0810, kevinwhoffman Donate link: https://go.givewp.com/home Tags: donation, donate, recurring donations, fundraising, crowdfunding Requires at least: 5.0 -Tested up to: 5.9 +Tested up to: 6.0 Requires PHP: 7.0 -Stable tag: 2.20.1 +Stable tag: 2.20.2 License: GPLv3 License URI: http://www.gnu.org/licenses/gpl-3.0.html @@ -250,6 +250,11 @@ The 2% fee on Stripe donations only applies to donations taken via our free Stri 8. GiveWP has a dedicated support team to help answer any questions you may have and help you through stumbling blocks. == Changelog == += 2.20.2: June 8th, 2022 = +* Security: Donors are no longer able to view the Donor Dashboard for the email they donated in without logging in +* Security: Added additional URL escaping around the codebase to protect against XSS attacks +* Fix: Subscriptions can now be changed again by donors using the legacy subscriptions shortcode + = 2.20.1: May 19th, 2022 = * Fix: Corrected an issue where admin notices were displaying strangely * Fix: Removed the "Switch to New View" button that would show up in strange admin places when switched to the legacy donor or donation lists diff --git a/src/DonorDashboards/Helpers.php b/src/DonorDashboards/Helpers.php index 1f776729c5..21ed0f2f58 100644 --- a/src/DonorDashboards/Helpers.php +++ b/src/DonorDashboards/Helpers.php @@ -38,7 +38,7 @@ public static function getCurrentDonorId() /** * Retrieve donor logged in status * - * @unreleased + * @since 2.20.2 */ public static function isDonorLoggedIn(): bool {