improve field sanitization

Author: Andrew-Paystack

includes/classes/class-field-shortcodes.php

@@ -43,9 +43,10 @@ public function text_field( $atts ) {
 			$atts,
 			'text'
 		);
-		
-		$atts['name'] = sanitize_text_field( esc_attr( esc_html__($atts['name']) ) );
 
+		// sanitize name attribute before using it.
+		$atts['name'] = $this->sanitize_and_escape( $atts['name'] );
+		
 		// translators: %s: input field name to be entered by the user
 		$name     = sanitize_text_field( sprintf( esc_attr__( 'Enter %s', 'pff-paystack' ), $atts['name'] ) );
 		$required = $atts['required'] === 'required' ? 'required' : '';
@@ -71,6 +72,7 @@ public function text_field( $atts ) {
 	 * @return string
 	 */
 	public function textarea_field( $atts ) {
+		
 		$atts = shortcode_atts(
 			array(
 				'name'     => esc_html__( 'Title', 'pff-paystack' ),
@@ -79,8 +81,8 @@ public function textarea_field( $atts ) {
 			$atts,
 			'textarea'
 		);
-
-		$atts['name'] = sanitize_text_field( esc_attr( esc_html__($atts['name']) ) );
+		// sanitize name attribute before using it
+		$atts['name'] = $this->sanitize_and_escape( $atts['name'] );
 
 		// translators: %s: textarea field to be entered by the user
 		$name     = sanitize_text_field( sprintf( esc_attr__( 'Enter %s', 'pff-paystack' ), $atts['name'] ) );
@@ -160,10 +162,10 @@ public function input_field( $atts ) {
 			$atts,
 			'input'
 		);
-		
-		$atts['name'] = sanitize_text_field( esc_attr( esc_html__($atts['name']) ) );
-		
+
+		$atts['name'] = $this->sanitize_and_escape( $atts['name'] );
 		$name       = sanitize_text_field( $atts['name'] );
+		
 		$required   = $atts['required'] === 'required' ? 'required' : '';
 		$fileInputId = uniqid( 'file-input-' );
 		$textInputId = uniqid( 'text-input-' );
@@ -201,9 +203,10 @@ public function datepicker_field( $atts ) {
 			$atts,
 			'datepicker'
 		);
-		
-		$atts['name'] = sanitize_text_field( esc_attr( esc_html__($atts['name']) ) );
 
+		// sanitize name attribute before using it
+        $atts['name'] = $this->sanitize_and_escape( $atts['name'] );	
+		
 		// translators: %s: datepicker field to be selected by the user
 		$name     = sanitize_text_field( sprintf( esc_attr__( 'Enter %s', 'pff-paystack' ), $atts['name'] ) );
 		$required = $atts['required'] === 'required' ? 'required' : '';
@@ -238,7 +241,6 @@ public function select_field( $atts ) {
 			$atts,
 			'select'
 		);
-		$atts['name'] = sanitize_text_field( esc_attr( esc_html__($atts['name']) ) );
 
 		$name     = sanitize_text_field( $atts['name'] );
 		$options  = array_map( 'sanitize_text_field', explode( ',', $atts['options'] ) );
@@ -280,9 +282,7 @@ public function radio_field( $atts ) {
 			$atts,
 			'radio'
 		);
-		
-		$atts['name'] = sanitize_text_field( esc_attr( esc_html__($atts['name']) ) );
-
+	
 		$name     = sanitize_text_field( $atts['name'] );
 		$options  = array_map( 'sanitize_text_field', explode( ',', $atts['options'] ) );
 		$required = $atts['required'] === 'required' ? 'required' : '';
@@ -311,4 +311,24 @@ public function radio_field( $atts ) {
 
 		return $code;
 	}
-}
+
+	/**
+	 * Sanitize and escape a string for safe HTML output.
+	 *
+	 * @param string $value The input string to sanitize and escape.
+	 * @return string The sanitized and escaped string.
+	 */
+	private function sanitize_and_escape( $value ) {
+	    // Remove all HTML tags, including malformed ones
+		$value = wp_kses( $value, array() );
+
+	    // Replace backticks with single quotes
+	    $value = str_replace( '`', '`', $value );
+
+	    // Sanitize the string for safe database storage
+	    $value = sanitize_text_field( $value );
+
+	    // Escape the string for safe HTML output
+	    return esc_html( $value );
+	}
+}

includes/classes/class-settings.php

@@ -193,7 +193,7 @@ public function is_option_selected( $value, $compare ) {
 	}
 
 	/**
-	 * Checks to see if the curren value is selected.
+	 * Sanitises the field name
 	 *
 	 * @param string $value
 	 * /

package.json

@@ -1,6 +1,6 @@
 {
   "name": "pff-paystack",
-  "version": "4.0.2",
+  "version": "4.0.3",
   "description": "Paystack Payment forms for WordPress",
   "main": "gulpfile.js",
   "scripts": {

paystack-forms.php

@@ -3,7 +3,7 @@
   Plugin Name:  Payment Forms for Paystack
   Plugin URI:   https://github.com/PaystackHQ/Wordpress-Payment-forms-for-Paystack
   Description:  Payment Forms for Paystack allows you create forms that will be used to bill clients for goods and services via Paystack.
-  Version:      4.0.2
+  Version:      32
   Author:       Paystack
   Author URI:   http://paystack.com
   License:      GPL-2.0+
@@ -16,7 +16,7 @@
 define( 'PFF_PAYSTACK_PLUGIN_PATH', plugin_dir_path( __FILE__ ) );
 define( 'PFF_PAYSTACK_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
 define( 'PFF_PAYSTACK_MAIN_FILE', __FILE__ );
-define( 'PFF_PAYSTACK_VERSION', '4.0.2' );
+define( 'PFF_PAYSTACK_VERSION', '4.0.3' );
 define( 'PFF_PAYSTACK_TABLE', 'paystack_forms_payments' );
 define( 'PFF_PLUGIN_BASENAME', plugin_basename(__FILE__) );
 define( 'PFF_PLUGIN_NAME', 'pff-paystack' );

readme.txt

@@ -4,7 +4,7 @@ Donate link: https://paystack.com/demo
 Tags: paystack, recurrent payments, donation, forms, payments
 Requires at least: 5.0
 Tested up to: 6.7
-Stable tag: 4.0.2
+Stable tag: 4.0.3
 Requires PHP: 7.4
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -91,6 +91,12 @@ If you get stuck, you can ask for help in the [Payment Forms for Paystack Plugin
 Yes you can! Join in on our [GitHub repository](https://github.com/PaystackOSS/plugin-payment-forms-for-wordpress) :)
 
 == Changelog ==
+= 4.0.4 =
+* Add better sanitization to form fields
+
+= 4.0.3 =
+* Security update - Add extra sanitization to form fields
+
 = 4.0.2 =
 * Security Update - Adding in sanitization to the Payments List order variable.