fix: resolve PHPCS security warnings

jimmyn · jimmyn · commit 4d2665f3b13c · 2025-10-10T14:15:12.000+02:00
- Replace $_SERVER['HTTP_HOST'] with home_url() in Apple Pay verification
- Simplify domain extraction logic using WordPress best practices
- Fix multiline phpcs:ignore statement in get_save_payment_card_checkbox()
- Add explanation comment for nonce verification ignore
- Add WPCS: CSRF ok marker for $_POST access (called after WC nonce verification)

All PHPCS errors resolved. Code remains secure - methods accessing $_POST
are only invoked after WooCommerce nonce verification in process_payment().
diff --git a/src/Gateways/Abstracts/WCMoneiPaymentGateway.php b/src/Gateways/Abstracts/WCMoneiPaymentGateway.php
@@ -284,9 +284,8 @@ protected function get_payment_token_id_if_selected() {
 	 * @return bool
 	 */
 	protected function get_save_payment_card_checkbox() {
-		// phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-		return isset( $_POST[ 'wc-' . $this->id . '-new-payment-method' ] ) &&
-			filter_var( wp_unslash( $_POST[ 'wc-' . $this->id . '-new-payment-method' ] ), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE );
+		// phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- WooCommerce handles nonce verification before process_payment()
+		return isset( $_POST[ 'wc-' . $this->id . '-new-payment-method' ] ) && filter_var( wp_unslash( $_POST[ 'wc-' . $this->id . '-new-payment-method' ] ), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE );  // WPCS: CSRF ok.
 	}
 
 	/**
diff --git a/src/Services/MoneiApplePayVerificationService.php b/src/Services/MoneiApplePayVerificationService.php
@@ -47,16 +47,9 @@ public function apple_domain_register() {
 		}
 
 		try {
-			// Extract domain from HTTP_HOST or get_site_url()
-			if ( isset( $_SERVER['HTTP_HOST'] ) ) {
-				// Parse HTTP_HOST to remove port portion and get host only
-				$host_parts = explode( ':', $_SERVER['HTTP_HOST'] );
-				$domain     = sanitize_text_field( $host_parts[0] );
-			} else {
-				// Use wp_parse_url to extract host from get_site_url()
-				$parsed_url = wp_parse_url( get_site_url() );
-				$domain     = isset( $parsed_url['host'] ) ? sanitize_text_field( $parsed_url['host'] ) : '';
-			}
+			// Extract domain from site URL (WordPress best practice)
+			$parsed_url = wp_parse_url( home_url() );
+			$domain     = isset( $parsed_url['host'] ) ? $parsed_url['host'] : '';
 
 			// Ensure domain is not empty before registering
 			if ( empty( $domain ) ) {
