Merge pull request #37 from razorpay/security-fix
PO-241: added esc_url() around the add_query_arg()/remove_query_arg() results
abdulwahidsharief authored Nov 12, 2024
2 parents 173d117 + 2e1d142 commit 2e5c68e
Showing 5 changed files with 26 additions and 23 deletions.
6 changes: 3 additions & 3 deletions includes/rzp-payment-buttons.php
Expand Up @@ -88,16 +88,16 @@ protected function get_views()

//All Buttons
$class = ($current === 'all' ? ' class="current"' :'');
$all_url = remove_query_arg('status');
$all_url = esc_url(remove_query_arg('status'));
$views['all'] = "<a href='{$all_url }' {$class} >All</a>";

//Recovered link
$foo_url = add_query_arg('status','active');
$foo_url = esc_url(add_query_arg('status','active'));
$class = ($current === 'active' ? ' class="current"' :'');
$views['status'] = "<a href='{$foo_url}' {$class} >Enabled</a>";

//Abandon
$bar_url = add_query_arg('status','inactive');
$bar_url = esc_url(add_query_arg('status','inactive'));
$class = ($current === 'inactive' ? ' class="current"' :'');
$views['disabled'] = "<a href='{$bar_url}' {$class} >Disabled</a>";

6 changes: 3 additions & 3 deletions includes/rzp-subscription-buttons.php
Expand Up @@ -88,16 +88,16 @@ protected function get_views()

//All Buttons
$class = ($current === 'all' ? ' class="current"' :'');
$all_url = remove_query_arg('status');
$all_url = esc_url(remove_query_arg('status'));
$views['all'] = "<a href='{$all_url }' {$class} >All</a>";

//Recovered link
$foo_url = add_query_arg('status','active');
$foo_url = esc_url(add_query_arg('status','active'));
$class = ($current === 'active' ? ' class="current"' :'');
$views['status'] = "<a href='{$foo_url}' {$class} >Enabled</a>";

//Abandon
$bar_url = add_query_arg('status','inactive');
$bar_url = esc_url(add_query_arg('status','inactive'));
$class = ($current === 'inactive' ? ' class="current"' :'');
$views['disabled'] = "<a href='{$bar_url}' {$class} >Disabled</a>";

2 changes: 1 addition & 1 deletion razorpay-payment-buttons.php
Expand Up @@ -4,7 +4,7 @@
* Plugin Name: Razorpay Payment Button
* Plugin URI: https://github.com/razorpay/payment-button-wordpress-plugin
* Description: Add a Razorpay Payment Button (Donate Now, Buy Now, Support Now and more) to your website and start accepting payments via Credit/Debit cards, Netbanking, UPI, Wallets, Pay later etc. instantly.
* Version: 2.4.6
* Version: 2.4.7
* Author: Razorpay
* Author URI: https://razorpay.com
*/
5 changes: 4 additions & 1 deletion readme.txt
Expand Up @@ -2,7 +2,7 @@
Contributors: razorpay
Tags: Payment gateway, Donate button, UPI/credit/debit card, Payment plugin, India, e-commerce, education.
Tested up to: 6.6
Stable tag: 2.4.6
Stable tag: 2.4.7
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Expand Down Expand Up @@ -98,6 +98,9 @@ Connect your WordPress website with your Razorpay account and you're all ready t

== Changelog ==

= 2.4.7 =
* Added security enhancements

= 2.4.6 =
* Fixed naming conflict in razorpay section

30 changes: 15 additions & 15 deletions templates/razorpay-button-view-templates.php
Expand Up @@ -26,8 +26,8 @@ function razorpay_view_button()
{
wp_die("This page consist some request parameters to view response");
}
$pagenum = $_REQUEST['paged'];
$type = $_REQUEST['type'];
$pagenum = sanitize_text_field($_REQUEST['paged']); // nosemgrep
$type = sanitize_text_field($_REQUEST['type']); // nosemgrep
if($type === 'payment')
{
$previous_page_url = admin_url('admin.php?page=razorpay_button&paged='.$pagenum);
Expand All @@ -46,39 +46,39 @@ function razorpay_view_button()
<a href="'.$previous_page_url.'">
<span class="dashicons rzp-dashicons dashicons-arrow-left-alt"></span> Button List
</a>
<span class="dashicons rzp-dashicons dashicons-arrow-right-alt2"></span>'.$button_detail['title'].'
<span class="dashicons rzp-dashicons dashicons-arrow-right-alt2"></span>' . esc_html($button_detail['title']) . '
</div>
<div class="container rzp-container">
<div class="row panel-heading">
<div class="text">'.$button_detail['title'].'</div>
<div class="text">' . esc_html($button_detail['title']) . '</div>
</div>
<div class="row panel-body">
<div class="col-md-5 panel-body-left">
<div class="row">
<div class="col-sm-4 panel-label">Button ID</div>
<div class="col-sm-8 panel-value">'.$button_detail["id"].'</div>
<div class="col-sm-8 panel-value">' . esc_html($button_detail["id"]) . '</div>
</div>
<div class="row">
<div class="col-sm-4 panel-label">Button Status</div>
<div class="col-sm-8 panel-value">
<span class="status-label">'.$button_detail['status'].'</span>
<button onclick="'.$show.'" class="status-button">'.$button_detail['btn_pointer_status'].'</button>
<span class="status-label">' . esc_html($button_detail['status']) . '</span>
<button onclick="'.$show.'" class="status-button">' . esc_html($button_detail['btn_pointer_status']) . '</button>
</div>
</div>
<div class="row">
<div class="col-sm-4 panel-label">Total Quantity Sold</div>
<div class="col-sm-8 panel-value">'.$button_detail['total_item_sold'].'</div>
<div class="col-sm-8 panel-value">' . htmlentities($button_detail['total_item_sold']) . '</div>
</div>';
if($type === 'payment')
{
echo '<div class="row">
<div class="col-sm-4 panel-label">Total revenue</div>
<div class="col-sm-8 panel-value"><span class="rzp-currency">₹ </span>' . $button_detail['total_revenue'] . '</div>
<div class="col-sm-8 panel-value"><span class="rzp-currency">₹ </span>' . esc_html($button_detail['total_revenue']) . '</div>
</div>';
}
echo '<div class="row">
<div class="col-sm-4 panel-label">Created on</div>
<div class="col-sm-8 panel-value">'.$button_detail['created_at'].'</div>
<div class="col-sm-8 panel-value">' . esc_html($button_detail['created_at']) . '</div>
</div>
</div>';
if($type === 'subscription')
Expand All @@ -97,17 +97,17 @@ function razorpay_view_button()
<form class="modal-content" action="'.esc_url( admin_url('admin-post.php') ).'" method="POST">
<div class="container">
<div class="modal-header">
<h3 class="modal-title">'.$button_detail["modal_title_content"].'</h3>
<h3 class="modal-title">' . esc_html($button_detail["modal_title_content"]) . '</h3>
</div>
<div class="modal-body">
<div class="text-semi-muted">
<p>'.$button_detail["modal_body_content"].'</p>
<p>' . esc_html($button_detail["modal_body_content"]) . '</p>
</div>
<div class="Modal__actions">
<button type="button" onclick="'.$hide.'" class="btn btn-default">No, don`t!</button>
<button type="submit" onclick="'.$hide.'" name="btn_action" value="'.$button_detail['btn_pointer_status'].'" class="btn btn-primary">Yes, '.$button_detail['btn_pointer_status'].'</button>
<button type="submit" onclick="'.$hide.'" name="btn_action" value="' . esc_html($button_detail['btn_pointer_status']) . '" class="btn btn-primary">Yes, ' . esc_html($button_detail['btn_pointer_status']) . '</button>
<input type="hidden" name="type" value="'.$type.'">
<input type="hidden" name="btn_id" value="'.$button_detail['id'].'">
<input type="hidden" name="btn_id" value="' . esc_html($button_detail['id']) . '">
<input type="hidden" name="paged" value="'.$pagenum.'">
<input type="hidden" name="action" value="rzp_btn_action">
</div>
Expand Down Expand Up @@ -202,7 +202,7 @@ public function fetch_button_detail($btn_id)
}
$html_content_item = $html_content_item.$content;
}

return array(
'id' => $button_detail['id'],
'title' => $button_detail['title'],
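Review bot: `$pagenum` and `$type` on the two `sanitize_text_field()` lines are still emitted unescaped further down the section, in `admin.php?page=razorpay_button&paged='.$pagenum` and the hidden inputs `value="'.$type.'"` / `value="'.$pagenum.'"`; sanitize_text_field() strips tags and line breaks but leaves quotes, so those attribute-context uses still need escaping. Since `paged` is a page number and `$type` is only compared against `'payment'` and `'subscription'` in the visible code, stricter validation at the read site is simpler than escaping every use: `$pagenum = absint($_REQUEST['paged']);` and `$type = sanitize_key($_REQUEST['type']);`, then `esc_attr()` on the two hidden-input lines. The `// nosemgrep` markers suppress the scanner rather than recording why the value is safe; a short comment stating what validation the value has had would serve better. Separately, the Total Quantity Sold line uses `htmlentities()` where every sibling line now uses `esc_html()`, and the `value="…"` attributes escaped with esc_html() would conventionally use esc_attr(). razorpay_view_button() starts before the first hunk, and the fetch_button_detail() hunk at the end is cut at both ends.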
