WPCS Updates

Author: krugazul

includes/classes/class-confirm-payment.php

@@ -269,7 +269,8 @@ protected function update_payment_dates( $data ) {
 			} else {
 				if ( $this->oamount !== $amount_paid ) {
 					$return = [
-						'message' => sprintf( __( 'Invalid amount Paid. Amount required is %s<b>%s</b>', 'pff-paystack' ), $this->meta['currency'], number_format( $this->oamount ) ),
+						// translators: %1$s: currency, %2$s: formatted amount required
+						'message' => sprintf( __( 'Invalid amount Paid. Amount required is %1$s<b>%2$s</b>', 'pff-paystack' ), $this->meta['currency'], number_format( $this->oamount ) ),
 						'result' => 'failed',
 					];
 				} else {

includes/classes/class-email-invoice.php

@@ -125,7 +125,7 @@ public function get_html_body() {
 												<tbody>
 													<tr>
 														<td class="column_cell font_default" align="center" valign="top" style="padding:16px 16px 0;font-family:Helvetica,Arial,sans-serif;font-size:15px;text-align:left;vertical-align:top;color:#888">
-															<small class="text-muted" style="font-size:86%;font-weight:normal;color:#b3b3b5"><?php echo date('F j,Y'); ?></small>
+															<small class="text-muted" style="font-size:86%;font-weight:normal;color:#b3b3b5"><?php echo esc_html( gmdate('F j,Y') ); ?></small>
 															<h6 style="font-family:Helvetica,Arial,sans-serif;margin-left:0;margin-right:0;margin-top:0;margin-bottom:8px;padding:0;font-size:16px;line-height:24px;font-weight:bold;color:#666"><?php echo esc_html( $this->name ); ?></h6>
 															<p style="font-family:Helvetica,Arial,sans-serif;font-size:15px;line-height:23px;margin-top:8px;margin-bottom:8px"><?php echo esc_html( $this->email ); ?></p>
 														</td>
@@ -206,7 +206,7 @@ public function get_html_body() {
 												<tbody>
 													<tr>
 														<td class="column_cell font_default" align="center" valign="top" style="padding:16px;font-family:Helvetica,Arial,sans-serif;font-size:15px;text-align:left;vertical-align:top;color:#b3b3b5;padding-bottom:0;padding-top:16px">
-															<strong><?php echo get_option('blogname'); ?></strong><br>
+															<strong><?php echo esc_html( get_option('blogname') ); ?></strong><br>
 														</td>
 													</tr>
 												</tbody>

includes/classes/class-email-receipt-owner.php

@@ -163,8 +163,8 @@ public function get_html_body() {
 												<tbody>
 													<tr>
 														<td class="column_cell font_default" align="center" valign="top" style="padding:16px 16px 0;font-family:Helvetica,Arial,sans-serif;font-size:15px;text-align:center;vertical-align:top;color:#888">
-															<small style="font-size:86%;font-weight:normal"><strong>Notice</strong><br>
-																You're getting this email because someone made a payment of <?php $this->currency . ' ' . number_format($this->amount); ?> to <a href="<?php echo get_bloginfo('url') ?>" style="display:inline-block;text-decoration:none;font-family:Helvetica,Arial,sans-serif;color:#2f68b4"><?php echo get_option('blogname'); ?></a>.</small>
+															<small style="font-size:86%;font-weight:normal"><strong><?php echo esc_html__( 'Notice', 'pff-paystack' ); ?></strong><br>
+															<?php echo esc_html__( 'You\'re getting this email because someone made a payment of', 'pff-paystack' ); ?> <?php $this->currency . ' ' . number_format($this->amount); ?> <?php echo esc_html__( 'to', 'pff-paystack' ); ?> <a href="<?php echo get_bloginfo( 'url' ) ?>" style="display:inline-block;text-decoration:none;font-family:Helvetica,Arial,sans-serif;color:#2f68b4"><?php echo esc_html( get_option( 'blogname' ) ); ?></a>.</small>
 														</td>
 													</tr>
 												</tbody>
@@ -186,7 +186,7 @@ public function get_html_body() {
 												<tbody>
 													<tr>
 														<td class="column_cell font_default" align="center" valign="top" style="padding:16px;font-family:Helvetica,Arial,sans-serif;font-size:15px;text-align:left;vertical-align:top;color:#b3b3b5;padding-bottom:0;padding-top:16px">
-															<strong><?php echo get_option('blogname'); ?></strong><br>
+															<strong><?php echo esc_html( get_option( 'blogname' ) ); ?></strong><br>
 														</td>
 													</tr>
 												</tbody>

includes/classes/class-email-receipt.php

@@ -163,7 +163,7 @@ public function get_html_body() {
 																	// translators: %1$s is the currency code, %2$s is the formatted amount
 																	esc_html__( 'Amount : %1$s %2$s', 'pff-paystack' ),
 																	esc_html( $this->currency ),
-																	number_format_i18n( $this->amount )
+																	esc_html( number_format_i18n( $this->amount ) )
 																);
 																?><br>
 																<?php 

includes/classes/class-field-shortcodes.php

@@ -94,7 +94,10 @@ public function textarea_field( $atts ) {
 
 		$code .= '</label>';
 		$code .= '<div class="input">';
-		$code .= '<textarea id="' . esc_attr( $id ) . '" name="' . esc_attr( $name ) . '" rows="3" placeholder="' . sprintf( esc_attr__( 'Enter %s', 'pff-paystack' ), $name ) . '" ' . esc_attr( $required ) . '></textarea></div></div>';
+		$code .= '<textarea id="' . esc_attr( $id ) . '" name="' . esc_attr( $name ) . '" rows="3" placeholder="' . 
+		// translators: %s: textarea field to be entered by the user
+		sprintf( esc_attr__( 'Enter %s', 'pff-paystack' ), $name ) . 
+		'" ' . esc_attr( $required ) . '></textarea></div></div>';
 
 		return $code;
 	}
@@ -210,7 +213,10 @@ public function datepicker_field( $atts ) {
 
 		$code .= '</label>';
 		$code .= '<div class="input">';
-		$code .= '<input type="date" id="' . esc_attr( $id ) . '" class="date-picker" name="' . esc_attr( $name ) . '" placeholder="' . sprintf( esc_attr__( 'Enter %s', 'pff-paystack' ), $name ) . '" ' . esc_attr( $required ) . ' /></div></div>';
+		$code .= '<input type="date" id="' . esc_attr( $id ) . '" class="date-picker" name="' . esc_attr( $name ) . '" placeholder="' . 
+		// translators: %s: datepicker field to be selected by the user
+		sprintf( esc_attr__( 'Enter %s', 'pff-paystack' ), $name ) . 
+		'" ' . esc_attr( $required ) . ' /></div></div>';
 
 		return $code;
 	}

includes/classes/class-helpers.php

@@ -561,15 +561,19 @@ public function get_allowed_html() {
 	 * @return string User's IP address.
 	 */
 	public function get_the_user_ip() {
+		$ip = '';
+
 		if ( ! empty( $_SERVER['HTTP_CLIENT_IP'] ) ) {
-			$ip = $_SERVER['HTTP_CLIENT_IP'];
+			$ip = sanitize_text_field( wp_unslash( $_SERVER['HTTP_CLIENT_IP'] ) );
 		} elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
-			$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
-		} else {
-			$ip = $_SERVER['REMOTE_ADDR'];
+			$ip = sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
+		} elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) {
+			$ip = sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) );
 		}
+
 		return $ip;
 	}
+
 
 	/**
 	 * Get the DB records by the transaction code supplied.
@@ -770,7 +774,7 @@ public function generate_new_code( $length = 10 ) {
 		$random_string     = '';
 
 		for ( $i = 0; $i < $length; $i++ ) {
-			$random_string .= $characters[ rand( 0, $characters_length - 1 ) ];
+			$random_string .= $characters[ wp_rand( 0, $characters_length - 1 ) ];
 		}
 
 		return time() . '_' . $random_string;
@@ -786,17 +790,17 @@ public function generate_new_code( $length = 10 ) {
 	public function check_code( $code ) {
 		global $wpdb;
 		$table = $wpdb->prefix . PFF_PAYSTACK_TABLE;
-
 		$o_exist = $wpdb->get_results(
 			$wpdb->prepare(
-				"SELECT * FROM {$table} WHERE txn_code = %s",
+				"SELECT * FROM %i WHERE txn_code = %s",
+				$table,
 				$code
 			)
 		);
-
 		return ( count( $o_exist ) > 0 );
 	}
 
+
 	/**
 	 * Takes the amount and processes the "transactional" fees.
 	 *