Escape anti-fraud iframe src via add_query_arg() and esc_url()

[Copilot]

The fingerprint iframe src was built via raw PHP string interpolation with no URL encoding, leaving it open to XSS/attribute-injection if the org/session ID values ever contain unexpected characters.

Changes

• includes/payment-methods/class-wc-gateway-braspag-creditcard.php
  • Replace raw interpolation with add_query_arg() to encode query parameters
  • Wrap output in esc_url() before rendering into the src attribute

// Before
<iframe src="<?php echo "https://h.online-metrix.net/fp/tags.js?org_id={$this->antifraud_finger_print_org_id}&session_id={$this->antifraud_finger_print_session_id}" ?>">

// After
<iframe src="<?php echo esc_url( add_query_arg( array( 'org_id' => $this->antifraud_finger_print_org_id, 'session_id' => $this->antifraud_finger_print_session_id ), 'https://h.online-metrix.net/fp/tags.js' ) ); ?>">

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.