Adding int he WPCS fixes

Author: krugazul

includes/classes/class-confirm-payment.php

@@ -102,7 +102,7 @@ protected function setup_data( $payment ) {
 	 * Confirm Payment Functionality.
 	 */
 	public function confirm_payment() {
-		if ( trim( $_POST['code'] ) === '' ) {
+		if ( ! isset( $_POST['code'] ) || '' === trim( wp_unslash( $_POST['code'] ) ) ) {
 			$response = array(
 				'error' => true,
 				'error_message' => __( 'Did you make a payment?', 'pff-paystack' ),
@@ -117,7 +117,7 @@ public function confirm_payment() {
 		}
 
 		$this->helpers = new Helpers();
-		$code          = sanitize_text_field( $_POST['code'] );
+		$code          = sanitize_text_field( wp_unslash( $_POST['code'] ) );
 		$record        = $this->helpers->get_db_record( $code, $this->txn_column );
 
 		if ( false !== $record ) {
@@ -198,10 +198,13 @@ public function confirm_payment() {
 	 */
 	protected function update_sold_inventory() {
 		$usequantity = $this->meta['usequantity'];
-		$sold        = $this->meta['sold'];
+		$sold        = (int) $this->meta['sold'];
 
 		if ( 'yes' === $usequantity ) {
-			$quantity = $_POST['quantity'];
+			$quantity = 1;
+			if ( isset( $_POST['quantity'] ) ) {
+				$quantity = (int) sanitize_text_field( wp_unslash( $_POST['quantity'] ) );
+			}
 			$sold     = $this->meta['sold'];
 
 			if ( '' === $sold ) {
@@ -298,7 +301,7 @@ protected function update_payment_dates( $data ) {
 	protected function maybe_create_subscription() {
 		// Create a "subscription" and attach it to the current plan code.
 		if ( 1 == $this->meta['startdate_enabled'] && ! empty( $this->meta['startdate_days'] ) && ! empty( $this->meta['startdate_plan_code'] ) ) {
-			$start_date = date( 'c', strtotime( '+' . $this->meta['startdate_days'] . ' days' ) );
+			$start_date = gmdate( 'c', strtotime( '+' . $this->meta['startdate_days'] . ' days' ) );
 			$body       = array(
 				'start_date' => $start_date,
 				'plan'       => $this->meta['startdate_plan_code'],

includes/classes/class-email-receipt-owner.php

@@ -164,7 +164,7 @@ public function get_html_body() {
 													<tr>
 														<td class="column_cell font_default" align="center" valign="top" style="padding:16px 16px 0;font-family:Helvetica,Arial,sans-serif;font-size:15px;text-align:center;vertical-align:top;color:#888">
 															<small style="font-size:86%;font-weight:normal"><strong><?php echo esc_html__( 'Notice', 'pff-paystack' ); ?></strong><br>
-															<?php echo esc_html__( 'You\'re getting this email because someone made a payment of', 'pff-paystack' ); ?> <?php $this->currency . ' ' . number_format($this->amount); ?> <?php echo esc_html__( 'to', 'pff-paystack' ); ?> <a href="<?php echo get_bloginfo( 'url' ) ?>" style="display:inline-block;text-decoration:none;font-family:Helvetica,Arial,sans-serif;color:#2f68b4"><?php echo esc_html( get_option( 'blogname' ) ); ?></a>.</small>
+															<?php echo esc_html__( 'You\'re getting this email because someone made a payment of', 'pff-paystack' ); ?> <?php echo esc_html( $this->currency . ' ' . number_format( $this->amount ) ); ?> <?php echo esc_html__( 'to', 'pff-paystack' ); ?> <a href="<?php echo esc_html( get_bloginfo( 'url' ) ); ?>" style="display:inline-block;text-decoration:none;font-family:Helvetica,Arial,sans-serif;color:#2f68b4"><?php echo esc_html( get_option( 'blogname' ) ); ?></a>.</small>
 														</td>
 													</tr>
 												</tbody>

includes/classes/class-form-shortcode.php

@@ -188,6 +188,8 @@ public function form_shortcode( $atts ) {
 	 * @return void
 	 */
 	public function get_code() {
+		// We ignore this as we are not performing any update action with the data 
+		// phpcs:ignore WordPress.Security.NonceVerification
 		$code = isset( $_GET['code'] ) ? sanitize_text_field( wp_unslash( $_GET['code'] ) ) : '';
 		return $code;
 	}
@@ -268,7 +270,9 @@ public function get_hidden_fields() {
 				<input type="hidden" name="pf-id" value="' . esc_attr( $this->form->ID ) . '" />
 				<input type="hidden" name="pf-user_id" value="' . esc_attr( $this->user['id'] ) . '" />
 				<input type="hidden" name="pf-recur" value="' . esc_attr( $this->meta['recur'] ) . '" />
-				<input type="hidden" name="pf-currency" id="pf-currency" value="' . $this->meta['currency'] . '" />';
+				<input type="hidden" name="pf-currency" id="pf-currency" value="' . $this->meta['currency'] . '" />' . 
+				wp_nonce_field( 'pff-paystack-invoice', 'pf-nonce', true, false );
+				;
 		return $html;
 	}
 

includes/classes/class-form-submit.php

@@ -98,15 +98,15 @@ protected function valid_submission() {
 		/**
 		 * TODO - Needs better security checks - NONCE
 		 */
-		if ( ! isset( $_POST['pf-id'] ) || '' == trim( sanitize_text_field( $_POST['pf-id'] ) ) ) {
+		if ( ! isset( $_POST['pf-id'] ) || '' == trim( sanitize_text_field( wp_unslash( $_POST['pf-id'] ) ) ) ) {
 			$this->response['result']  = 'failed';
 			$this->response['message'] = 'A form ID is required';
 			return false;
 		} else {
-			$this->form_id = sanitize_text_field( $_POST['pf-id'] );
+			$this->form_id = sanitize_text_field( wp_unslash( $_POST['pf-id'] ) );
 		}
 
-		if ( '' == trim( sanitize_text_field( $_POST['pf-pemail'] ) ) ) {
+		if ( ! isset( $_POST['pf-pemail'] ) || '' == trim( sanitize_text_field( wp_unslash( $_POST['pf-pemail'] ) ) ) ) {
 			$this->response['result']  = 'failed';
 			$this->response['message'] = 'Email is required';
 			return false;
@@ -143,7 +143,7 @@ protected function setup_data() {
 
 		if ( isset( $_SERVER['HTTP_REFERER'] ) ) {
 			// Get the referer URL
-			$this->referer_url = sanitize_url( $_SERVER['HTTP_REFERER'] );
+			$this->referer_url = sanitize_url( wp_unslash( $_SERVER['HTTP_REFERER'] ) );
 		}
 	}
 
@@ -314,7 +314,7 @@ public function submit_action() {
 		$exist = $wpdb->get_results(
 			$wpdb->prepare(
 				"SELECT * 
-					FROM {$table} 
+					FROM %i
 					WHERE post_id = %s 
 					AND email = %s 
 					AND user_id = %s 
@@ -323,6 +323,7 @@ public function submit_action() {
 					AND ip = %s 
 					AND paid = '0' 
 					AND metadata = %s",
+				$table,
 				$insert['post_id'], 
 				$insert['email'],
 				$insert['user_id'],

includes/classes/class-retry-submit.php

@@ -73,9 +73,7 @@ public function __construct() {
 	 */
 	protected function setup_data() {
 		$this->helpers   = new Helpers();
-		$this->code      = sanitize_text_field( $_POST['code'] );
 		$this->new_code  = $this->generate_code() . '_2';
-
 		$retry_record    = $this->helpers->get_db_record( $this->code );
 		if ( false !== $retry_record ) {
 			$this->retry_meta = $retry_record;
@@ -90,12 +88,13 @@ protected function setup_data() {
 	 * @return void
 	 */
 	public function retry_action() {
-		if ( '' === trim( $_POST['code'] ) ) {
+		if ( isset( $_POST['code'] ) && '' !== trim( wp_unslash( $_POST['code'] ) ) ) {
+			$this->code = sanitize_text_field( wp_unslash( $_POST['code'] ) );
+		} else {
 			$response = array(
 				'result'  => 'failed',
 				'message' => __( 'Code is required', 'pff-paystack' ),
 			);
-
 			// Exit here, for not processing further because of the error.
 			exit( wp_json_encode( $response ) );
 		}
@@ -178,14 +177,15 @@ protected function update_retry_code() {
 		global $wpdb;
 		$return = false;
 		$table  = $wpdb->prefix . PFF_PAYSTACK_TABLE;
-		$sql = $wpdb->prepare(
-			"UPDATE %i SET txn_code_2 = %s WHERE txn_code = %s",
-			$table,
-			$this->new_code,
-			$this->code
-		);
 		// phpcs:ignore WordPress.DB.DirectDatabaseQuery
-		$return = $wpdb->query( $sql );
+		$return = $wpdb->query(
+			$wpdb->prepare(
+				"UPDATE %i SET txn_code_2 = %s WHERE txn_code = %s",
+				$table,
+				$this->new_code,
+				$this->code
+			)
+		);
 		return $return;
 	}
 }

includes/classes/class-setup.php

@@ -137,7 +137,7 @@ public function enqueue_scripts() {
 
 		wp_enqueue_script( 'blockUI', PFF_PAYSTACK_PLUGIN_URL . '/assets/js/jquery.blockUI.min.js', array( 'jquery', 'jquery-ui-core' ), PFF_PAYSTACK_VERSION, true, true );
 
-		wp_register_script( 'Paystack', 'https://js.paystack.co/v1/inline.js', false, '1' );
+		wp_register_script( 'Paystack', 'https://js.paystack.co/v1/inline.js', false, true );
 		wp_enqueue_script( 'Paystack' );
 
 		wp_enqueue_script( PFF_PLUGIN_NAME . '-public', PFF_PAYSTACK_PLUGIN_URL . '/assets/js/paystack-public.js', array( 'jquery' ), PFF_PAYSTACK_VERSION, true, true);