Merge pull request #22 from razorpay/security-fix

PO-242 : added esc_url for security fix
razorpay · Nov 12, 2024 · 02da5b6 · 02da5b6
2 parents 0d40f09 + 11c3f52
commit 02da5b6
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 19 deletions.
diff --git a/includes/rzp-payment-buttons.php b/includes/rzp-payment-buttons.php
@@ -88,16 +88,16 @@ protected function get_views()
 
         //All Buttons
         $class = ($current === 'all' ? ' class="current"' :'');
-        $all_url = remove_query_arg('status');
+        $all_url = esc_url(remove_query_arg('status'));
         $views['all'] = "<a href='{$all_url}' {$class} >All</a>";
 
         //Recovered link
-        $foo_url = add_query_arg('status','active');
+        $foo_url = esc_url(add_query_arg('status','active'));
         $class = ($current === 'active' ? ' class="current"' :'');
         $views['status'] = "<a href='{$foo_url}' {$class} >Enabled</a>";
 
         //Abandon
-        $bar_url = add_query_arg('status','inactive');
+        $bar_url = esc_url(add_query_arg('status','inactive'));
         $class = ($current === 'inactive' ? ' class="current"' :'');
         $views['disabled'] = "<a href='{$bar_url}' {$class} >Disabled</a>";
 

diff --git a/razorpay-payment-buttons.php b/razorpay-payment-buttons.php
@@ -3,7 +3,7 @@
  * Plugin Name: Razorpay Payment Button for Elementor
  * Plugin URI:  https://github.com/razorpay/payment-button-elementor-plugin
  * Description: Razorpay Payment Button for Elementor
- * Version:     1.2.5
+ * Version:     1.2.6
  * Author:      Razorpay
  * Author URI:  https://razorpay.com
  */

diff --git a/readme.txt b/readme.txt
@@ -1,8 +1,8 @@
 === Razorpay Payment Button Elementor Plugin ===
 Contributors: razorpay
 Tags: Payment gateway, Donate button, UPI/credit/debit card, Payment plugin, India
-Tested up to: 6.0
-Stable tag: 1.2.5
+Tested up to: 6.6
+Stable tag: 1.2.6
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -96,6 +96,9 @@ Connect your WordPress website with your Razorpay account and you're all ready t
 
 == Changelog ==
 
+= 1.2.6 =
+* Added security enhancements
+
 = 1.2.5 =
 * Fix fatal error: Cannot use isset() on the result of an expression
 * Fixed 'constant already defined' error in sdk

diff --git a/templates/razorpay-button-view-templates.php b/templates/razorpay-button-view-templates.php
@@ -25,7 +25,7 @@ function razorpay_view_button()
         {
             wp_die("This page consist some request parameters to view response");
         }
-        $pagenum = $_REQUEST['paged'];
+        $pagenum = sanitize_text_field($_REQUEST['paged']); // nosemgrep
         $previous_page_url = admin_url('admin.php?page=razorpay_button_elementor&paged='.$pagenum);
         $button_detail = $this->fetch_button_detail(sanitize_text_field($_REQUEST['btn']));
 
@@ -36,36 +36,36 @@ function razorpay_view_button()
                 <a href="'.$previous_page_url.'">
                     <span class="dashicons rzp-dashicons dashicons-arrow-left-alt"></span> Button List
                 </a>
-                <span class="dashicons rzp-dashicons dashicons-arrow-right-alt2"></span>'.$button_detail['title'].'
+                <span class="dashicons rzp-dashicons dashicons-arrow-right-alt2"></span>'. esc_html($button_detail['title']) . '
             </div>
             <div class="container rzp-container">
                 <div class="row panel-heading">
-                    <div class="text">'.$button_detail['title'].'</div>
+                    <div class="text">' . esc_html($button_detail['title']) . '</div>
                 </div>
                 <div class="row panel-body">
                     <div class="col-md-5 panel-body-left">
                         <div class="row">
                             <div class="col-sm-4 panel-label">Button ID</div>
-                            <div class="col-sm-8 panel-value">'.$button_detail["id"].'</div>
+                            <div class="col-sm-8 panel-value">' . esc_html($button_detail["id"]) . '</div>
                         </div>
                         <div class="row">
                             <div class="col-sm-4 panel-label">Button Status</div>
                             <div class="col-sm-8 panel-value">
-                                <span class="status-label">'.$button_detail['status'].'</span>
-                                <button onclick="'.$show.'" class="status-button">'.$button_detail['btn_pointer_status'].'</button>
+                                <span class="status-label">' . esc_html$button_detail['status']) . '</span>
+                                <button onclick="'.$show.'" class="status-button">' . esc_html($button_detail['btn_pointer_status']) . '</button>
                             </div>
                         </div>
                         <div class="row">
                             <div class="col-sm-4 panel-label">Total Quantity Sold</div>
-                            <div class="col-sm-8 panel-value">'.$button_detail['total_item_sold'].'</div>
+                            <div class="col-sm-8 panel-value">' . htmlentities($button_detail['total_item_sold']) . '</div>
                         </div>
                         <div class="row">
                             <div class="col-sm-4 panel-label">Total revenue</div>
-                            <div class="col-sm-8 panel-value"><span class="rzp-currency">₹ </span>'.$button_detail['total_revenue'].'</div>
+                            <div class="col-sm-8 panel-value"><span class="rzp-currency">₹ </span>' . esc_html($button_detail['total_revenue']) . '</div>
                         </div>
                         <div class="row">
                             <div class="col-sm-4 panel-label">Created on</div>
-                            <div class="col-sm-8 panel-value">'.$button_detail['created_at'].'</div>
+                            <div class="col-sm-8 panel-value">' . esc_html($button_detail['created_at']) . '</div>
                         </div>
                     </div>
                     <div class="col-md-7">'.$button_detail['html_content_item'].'</div>
@@ -78,16 +78,16 @@ function razorpay_view_button()
         <form class="modal-content" action="'.esc_url( admin_url('admin-post.php') ).'" method="POST">
             <div class="container">
                 <div class="modal-header">
-                    <h3 class="modal-title">'.$button_detail["modal_title_content"].'</h3>
+                    <h3 class="modal-title">' . esc_html($button_detail["modal_title_content"]) . '</h3>
                 </div>  
             <div class="modal-body">
                 <div class="text-semi-muted">
-                    <p>'.$button_detail["modal_body_content"].'</p>
+                    <p>' . esc_html($button_detail["modal_body_content"]) . '</p>
                 </div>
                 <div class="Modal__actions">
                     <button type="button" onclick="'.$hide.'" class="btn btn-default">No, don`t!</button>
-                    <button type="submit" onclick="'.$hide.'" name="btn_action" value="'.$button_detail['btn_pointer_status'].'" class="btn btn-primary">Yes, '.$button_detail['btn_pointer_status'].'</button>
-                    <input type="hidden" name="btn_id" value="'.$button_detail['id'].'">
+                    <button type="submit" onclick="'.$hide.'" name="btn_action" value="' . esc_html($button_detail['btn_pointer_status']) . '" class="btn btn-primary">Yes, ' . esc_html($button_detail['btn_pointer_status']) . '</button>
+                    <input type="hidden" name="btn_id" value="' . esc_html($button_detail['id']) . '">
                     <input type="hidden" name="paged" value="'.$pagenum.'">
                     <input type="hidden" name="action" value="rzp_btn_elementor_action">
                 </div>