From f9de2dc5ec06dbc3e82d74fc1d12ec1c5a627fca Mon Sep 17 00:00:00 2001
From: Razorpay <abdul.sharief@razorpay.com>
Date: Tue, 12 Nov 2024 12:06:20 +0530
Subject: [PATCH 1/6] PO-241 added esc_url for add and remove arguments

---
 includes/rzp-payment-buttons.php      | 6 +++---
 includes/rzp-subscription-buttons.php | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/includes/rzp-payment-buttons.php b/includes/rzp-payment-buttons.php
index 82278f4..5fd0717 100644
--- a/includes/rzp-payment-buttons.php
+++ b/includes/rzp-payment-buttons.php
@@ -88,16 +88,16 @@ protected function get_views()
 
         //All Buttons
         $class = ($current === 'all' ? ' class="current"' :'');
-        $all_url = remove_query_arg('status');
+        $all_url = esc_url(remove_query_arg('status'));
         $views['all'] = "<a href='{$all_url }' {$class} >All</a>";
 
         //Recovered link
-        $foo_url = add_query_arg('status','active');
+        $foo_url = esc_url(add_query_arg('status','active'));
         $class = ($current === 'active' ? ' class="current"' :'');
         $views['status'] = "<a href='{$foo_url}' {$class} >Enabled</a>";
 
         //Abandon
-        $bar_url = add_query_arg('status','inactive');
+        $bar_url = esc_url(add_query_arg('status','inactive'));
         $class = ($current === 'inactive' ? ' class="current"' :'');
         $views['disabled'] = "<a href='{$bar_url}' {$class} >Disabled</a>";
 
diff --git a/includes/rzp-subscription-buttons.php b/includes/rzp-subscription-buttons.php
index 085f1ee..02cb6c3 100644
--- a/includes/rzp-subscription-buttons.php
+++ b/includes/rzp-subscription-buttons.php
@@ -88,16 +88,16 @@ protected function get_views()
 
         //All Buttons
         $class = ($current === 'all' ? ' class="current"' :'');
-        $all_url = remove_query_arg('status');
+        $all_url = esc_url(remove_query_arg('status'));
         $views['all'] = "<a href='{$all_url }' {$class} >All</a>";
 
         //Recovered link
-        $foo_url = add_query_arg('status','active');
+        $foo_url = esc_url(add_query_arg('status','active'));
         $class = ($current === 'active' ? ' class="current"' :'');
         $views['status'] = "<a href='{$foo_url}' {$class} >Enabled</a>";
 
         //Abandon
-        $bar_url = add_query_arg('status','inactive');
+        $bar_url = esc_url(add_query_arg('status','inactive'));
         $class = ($current === 'inactive' ? ' class="current"' :'');
         $views['disabled'] = "<a href='{$bar_url}' {$class} >Disabled</a>";
 

From dbcd446ff9b358120b20030adbe7e4d4bcb90ede Mon Sep 17 00:00:00 2001
From: Razorpay <abdul.sharief@razorpay.com>
Date: Tue, 12 Nov 2024 13:00:05 +0530
Subject: [PATCH 2/6] added html_esc and sanitize text for output fields

---
 templates/razorpay-button-view-templates.php | 30 ++++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/templates/razorpay-button-view-templates.php b/templates/razorpay-button-view-templates.php
index 9208926..1b09b0e 100644
--- a/templates/razorpay-button-view-templates.php
+++ b/templates/razorpay-button-view-templates.php
@@ -26,8 +26,8 @@ function razorpay_view_button()
         {
             wp_die("This page consist some request parameters to view response");
         }
-        $pagenum = $_REQUEST['paged'];
-        $type = $_REQUEST['type'];
+        $pagenum = sanitize_text_field($_REQUEST['paged']);
+        $type = sanitize_text_field($_REQUEST['type']);
         if($type === 'payment')
         {
             $previous_page_url = admin_url('admin.php?page=razorpay_button&paged='.$pagenum);
@@ -46,39 +46,39 @@ function razorpay_view_button()
                 <a href="'.$previous_page_url.'">
                     <span class="dashicons rzp-dashicons dashicons-arrow-left-alt"></span> Button List
                 </a>
-                <span class="dashicons rzp-dashicons dashicons-arrow-right-alt2"></span>'.$button_detail['title'].'
+                <span class="dashicons rzp-dashicons dashicons-arrow-right-alt2"></span>' . esc_html($button_detail['title']) . '
             </div>
             <div class="container rzp-container">
                 <div class="row panel-heading">
-                    <div class="text">'.$button_detail['title'].'</div>
+                    <div class="text">' . esc_html($button_detail['title']) . '</div>
                 </div>
                 <div class="row panel-body">
                     <div class="col-md-5 panel-body-left">
                         <div class="row">
                             <div class="col-sm-4 panel-label">Button ID</div>
-                            <div class="col-sm-8 panel-value">'.$button_detail["id"].'</div>
+                            <div class="col-sm-8 panel-value">' . esc_html($button_detail["id"]) . '</div>
                         </div>
                         <div class="row">
                             <div class="col-sm-4 panel-label">Button Status</div>
                             <div class="col-sm-8 panel-value">
-                                <span class="status-label">'.$button_detail['status'].'</span>
-                                <button onclick="'.$show.'" class="status-button">'.$button_detail['btn_pointer_status'].'</button>
+                                <span class="status-label">' . esc_html($button_detail['status']) . '</span>
+                                <button onclick="'.$show.'" class="status-button">' . esc_html($button_detail['btn_pointer_status']) . '</button>
                             </div>
                         </div>
                         <div class="row">
                             <div class="col-sm-4 panel-label">Total Quantity Sold</div>
-                            <div class="col-sm-8 panel-value">'.$button_detail['total_item_sold'].'</div>
+                            <div class="col-sm-8 panel-value">' . esc_html($button_detail['total_item_sold']) . '</div>
                         </div>';
                         if($type === 'payment')
                         {
                             echo '<div class="row">
                                     <div class="col-sm-4 panel-label">Total revenue</div>
-                                    <div class="col-sm-8 panel-value"><span class="rzp-currency">₹ </span>' . $button_detail['total_revenue'] . '</div>
+                                    <div class="col-sm-8 panel-value"><span class="rzp-currency">₹ </span>' . esc_html($button_detail['total_revenue']) . '</div>
                                 </div>';
                         }
                         echo '<div class="row">
                             <div class="col-sm-4 panel-label">Created on</div>
-                            <div class="col-sm-8 panel-value">'.$button_detail['created_at'].'</div>
+                            <div class="col-sm-8 panel-value">' . esc_html($button_detail['created_at']) . '</div>
                         </div>
                     </div>';
                     if($type === 'subscription')
@@ -97,17 +97,17 @@ function razorpay_view_button()
   <form class="modal-content" action="'.esc_url( admin_url('admin-post.php') ).'" method="POST">
     <div class="container">
         <div class="modal-header">
-            <h3 class="modal-title">'.$button_detail["modal_title_content"].'</h3>
+            <h3 class="modal-title">' . esc_html($button_detail["modal_title_content"]) . '</h3>
         </div>  
         <div class="modal-body">
             <div class="text-semi-muted">
-                <p>'.$button_detail["modal_body_content"].'</p>
+                <p>' . esc_html($button_detail["modal_body_content"]) . '</p>
             </div>
             <div class="Modal__actions">
                 <button type="button" onclick="'.$hide.'" class="btn btn-default">No, don`t!</button>
-                <button type="submit" onclick="'.$hide.'" name="btn_action" value="'.$button_detail['btn_pointer_status'].'" class="btn btn-primary">Yes, '.$button_detail['btn_pointer_status'].'</button>
+                <button type="submit" onclick="'.$hide.'" name="btn_action" value="' . esc_html($button_detail['btn_pointer_status']) . '" class="btn btn-primary">Yes, ' . esc_html($button_detail['btn_pointer_status']) . '</button>
                 <input type="hidden" name="type" value="'.$type.'">
-                <input type="hidden" name="btn_id" value="'.$button_detail['id'].'">
+                <input type="hidden" name="btn_id" value="' . esc_html($button_detail['id']) . '">
                 <input type="hidden" name="paged" value="'.$pagenum.'">
                 <input type="hidden" name="action" value="rzp_btn_action">
             </div>
@@ -202,7 +202,7 @@ public function fetch_button_detail($btn_id)
             }
             $html_content_item = $html_content_item.$content;
         }
-        
+
         return array(
             'id' => $button_detail['id'],
             'title' => $button_detail['title'],

From 1c1abe921865e6ffc4e1269df9ae2bb5d27a0cbb Mon Sep 17 00:00:00 2001
From: Razorpay <abdul.sharief@razorpay.com>
Date: Tue, 12 Nov 2024 13:05:59 +0530
Subject: [PATCH 3/6] version bump 2.4.7

---
 razorpay-payment-buttons.php | 2 +-
 readme.txt                   | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/razorpay-payment-buttons.php b/razorpay-payment-buttons.php
index f6e5bab..8222b99 100644
--- a/razorpay-payment-buttons.php
+++ b/razorpay-payment-buttons.php
@@ -4,7 +4,7 @@
  * Plugin Name: Razorpay Payment Button
  * Plugin URI:  https://github.com/razorpay/payment-button-wordpress-plugin
  * Description: Add a Razorpay Payment Button (Donate Now, Buy Now, Support Now and more)  to your website and start accepting payments via Credit/Debit cards, Netbanking, UPI, Wallets, Pay later etc. instantly.
- * Version:     2.4.6
+ * Version:     2.4.7
  * Author:      Razorpay
  * Author URI:  https://razorpay.com
  */
diff --git a/readme.txt b/readme.txt
index baea2b9..4159ceb 100644
--- a/readme.txt
+++ b/readme.txt
@@ -2,7 +2,7 @@
 Contributors: razorpay
 Tags: Payment gateway, Donate button, UPI/credit/debit card, Payment plugin, India, e-commerce, education.
 Tested up to: 6.6
-Stable tag: 2.4.6
+Stable tag: 2.4.7
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -98,6 +98,9 @@ Connect your WordPress website with your Razorpay account and you're all ready t
 
 == Changelog ==
 
+= 2.4.7 =
+* Added security enhancements
+
 = 2.4.6 =
 * Fixed naming conflict in razorpay section
 

From 7a61e221197fe8a0d7229feb9f837c031b2c2e16 Mon Sep 17 00:00:00 2001
From: Razorpay <abdul.sharief@razorpay.com>
Date: Tue, 12 Nov 2024 13:22:46 +0530
Subject: [PATCH 4/6] added semgrep comment

---
 templates/razorpay-button-view-templates.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/templates/razorpay-button-view-templates.php b/templates/razorpay-button-view-templates.php
index 1b09b0e..a390f3b 100644
--- a/templates/razorpay-button-view-templates.php
+++ b/templates/razorpay-button-view-templates.php
@@ -26,8 +26,8 @@ function razorpay_view_button()
         {
             wp_die("This page consist some request parameters to view response");
         }
-        $pagenum = sanitize_text_field($_REQUEST['paged']);
-        $type = sanitize_text_field($_REQUEST['type']);
+        $pagenum = sanitize_text_field($_REQUEST['paged']); // nosemgrep
+        $type = sanitize_text_field($_REQUEST['type']); // nosemgrep
         if($type === 'payment')
         {
             $previous_page_url = admin_url('admin.php?page=razorpay_button&paged='.$pagenum);
@@ -67,8 +67,9 @@ function razorpay_view_button()
                         </div>
                         <div class="row">
                             <div class="col-sm-4 panel-label">Total Quantity Sold</div>
-                            <div class="col-sm-8 panel-value">' . esc_html($button_detail['total_item_sold']) . '</div>
-                        </div>';
+                            <div class="col-sm-8 panel-value">' . esc_html($button_detail['total_item_sold']) // nosemgrep
+                        .'</div>
+                    </div>';
                         if($type === 'payment')
                         {
                             echo '<div class="row">

From 3b93fe79ca2e150216274c813fb2fabaeca69b20 Mon Sep 17 00:00:00 2001
From: Razorpay <abdul.sharief@razorpay.com>
Date: Tue, 12 Nov 2024 13:38:25 +0530
Subject: [PATCH 5/6] added semgrep comment

---
 templates/razorpay-button-view-templates.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/templates/razorpay-button-view-templates.php b/templates/razorpay-button-view-templates.php
index a390f3b..c821a44 100644
--- a/templates/razorpay-button-view-templates.php
+++ b/templates/razorpay-button-view-templates.php
@@ -67,9 +67,8 @@ function razorpay_view_button()
                         </div>
                         <div class="row">
                             <div class="col-sm-4 panel-label">Total Quantity Sold</div>
-                            <div class="col-sm-8 panel-value">' . esc_html($button_detail['total_item_sold']) // nosemgrep
-                        .'</div>
-                    </div>';
+                            <div class="col-sm-8 panel-value">' . esc_html($button_detail['total_item_sold']) . '</div>
+                        </div>'; // nosemgrep
                         if($type === 'payment')
                         {
                             echo '<div class="row">

From 2e1d1422545e9f751047061837b892fa80e71508 Mon Sep 17 00:00:00 2001
From: Razorpay <abdul.sharief@razorpay.com>
Date: Tue, 12 Nov 2024 13:44:23 +0530
Subject: [PATCH 6/6] changes esc_html to htmlentities

---
 templates/razorpay-button-view-templates.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/razorpay-button-view-templates.php b/templates/razorpay-button-view-templates.php
index c821a44..3f81aa9 100644
--- a/templates/razorpay-button-view-templates.php
+++ b/templates/razorpay-button-view-templates.php
@@ -67,8 +67,8 @@ function razorpay_view_button()
                         </div>
                         <div class="row">
                             <div class="col-sm-4 panel-label">Total Quantity Sold</div>
-                            <div class="col-sm-8 panel-value">' . esc_html($button_detail['total_item_sold']) . '</div>
-                        </div>'; // nosemgrep
+                            <div class="col-sm-8 panel-value">' . htmlentities($button_detail['total_item_sold']) . '</div>
+                        </div>';
                         if($type === 'payment')
                         {
                             echo '<div class="row">