Merge pull request #49 from veritrans/wip-2.21

version 2.21

abstract/index.php

@@ -0,0 +1,2 @@
+<?php
+// Silence is golden. Output nothing to avoid exposing directory listing

class/class.midtrans-gateway-paymentrequest.php

@@ -112,7 +112,7 @@ function receipt_page( $order_id ) {
         $order = new WC_Order( $order_id );
         $gross_amount = $order->get_total();
         $pluginName = 'cc_paymentrequest';
-        require_once(dirname(__FILE__) . '/payment-page-paymentrequest.php'); 
+        require_once(dirname(__FILE__) . '/payment-page.php'); 
       }
 
       /**

class/class.midtrans-utils.php

@@ -75,5 +75,60 @@ public static function array_insert( &$array, $position, $insert ) {
             );
   }
 
+  // `wp_get_script_tag` & `wp_get_inline_script_tag` is used to avoid future CSP issue
+  // because future WP version might implement CSP, which means JS script tags without proper
+  // nonce attribute (presumably auto-generated by those funcs) may not be executable.
+  // Introduced in WP 5.7: https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/
+
+  // Backward compatibility technique for 'polyfill'-ing not yet exist func, according to 
+  // https://developer.wordpress.org/plugins/plugin-basics/best-practices/#example
+
+  /**
+   * Declare global function `wp_get_script_tag`, if it not exist (WP version <5.7)
+   * To ensure backward compatibility with WP version <5.7
+   * based on https://wpseek.com/function/wp_get_script_tag/
+   * and https://wpseek.com/function/wp_sanitize_script_attributes/
+   * @return void function declared on global namespace
+   */
+  public static function polyfill_wp_get_script_tag(){
+    if( !function_exists('wp_get_script_tag')){
+      function wp_get_script_tag($attributes = array()){
+        if ( !isset($attributes['type'])) {
+          $attributes['type'] = 'text/javascript';
+        }
+        $attributes_string    = '';
+        foreach ( $attributes as $attribute_name => $attribute_value ) {
+          if ( is_bool( $attribute_value ) ) {
+            if ( $attribute_value ) {
+              $attributes_string .= ' ' . $attribute_name;
+            }
+          } else {
+            $attributes_string .= sprintf( 
+              ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_value ) );
+          }
+        }
+        $script_string = sprintf( "<script%s></script>\n", $attributes_string );
+        return $script_string;
+      }
+    }
+  }
+  /**
+   * Declare global function `wp_get_inline_script_tag`, if it not exist (WP version <5.7)
+   * To ensure backward compatibility with WP version <5.7
+   * based on https://wpseek.com/function/wp_get_inline_script_tag/
+   * @return void function declared on global namespace
+   */
+  public static function polyfill_wp_get_inline_script_tag(){
+    if( !function_exists('wp_get_inline_script_tag')){
+      function wp_get_inline_script_tag($javascript, $attributes = array()){
+        $script_string = wp_get_script_tag($attributes);
+        // add the inline javascript before closing script tag
+        $script_string = str_replace(
+          "</script>", sprintf("%s</script>",$javascript), $script_string);
+        return $script_string;
+      }
+    }
+  }
+
 }
 ?>

class/order-view-and-thankyou-page.php

@@ -20,6 +20,7 @@
               <td>Payment Completed</td>
           </tr>
           <?php else : ?>
+          <!-- TODO refactor this script tag to be CSP compliant -->
           <!-- Make customer focus to payment url, if order need payment -->
           <script type="text/javascript">
             setTimeout(function(){