fix: prevent wp_sanitize_redirect from stripping domain in payment URLs

jimmyn · jimmyn · commit a9826998d3ca · 2025-11-20T11:49:12.000+01:00
- Remove wp_sanitize_redirect() from callback/complete/fail URLs - Use esc_url_raw() for URL sanitization (sufficient for API payloads) - Update token generation to use wc_get_account_endpoint_url() for absolute URLs wp_sanitize_redirect() strips domains not in WordPress allowed hosts list, causing completeUrl to become relative instead of absolute. MONEI API requires absolute URLs for callbacks. Since these URLs are internally generated (not user input) and already sanitized with esc_url_raw(), removing wp_sanitize_redirect() is safe and fixes payment failures. Affected files: - WCMoneiPaymentGatewayHosted.php - WCMoneiPaymentGatewayComponent.php - WCGatewayMoneiCC.php Fixes issue where completeUrl was sent as /order-received/123/ instead of https://example.com/order-received/123/
diff --git a/src/Gateways/Abstracts/WCMoneiPaymentGatewayComponent.php b/src/Gateways/Abstracts/WCMoneiPaymentGatewayComponent.php
@@ -201,19 +201,17 @@ public function create_payload( $order, $allowed_payment_method = null ) {
 		$description = $this->shop_name . ' - #' . $order_id;
 
 		/** The URL to which a payment result should be sent asynchronously. */
-		$callback_url = wp_sanitize_redirect( esc_url_raw( $this->notify_url ) );
+		$callback_url = esc_url_raw( $this->notify_url );
 		/** The URL the customer will be directed to if the payment failed. */
 		$fail_url = esc_url_raw( $order->get_checkout_payment_url( false ) );
 		/** The URL the customer will be directed to after transaction completed (successful or failed). */
-		$complete_url = wp_sanitize_redirect(
-			esc_url_raw(
-				add_query_arg(
-					array(
-						'utm_nooverride' => '1',
-						'orderId'        => $order_id,
-					),
-					$this->get_return_url( $order )
-				)
+		$complete_url = esc_url_raw(
+			add_query_arg(
+				array(
+					'utm_nooverride' => '1',
+					'orderId'        => $order_id,
+				),
+				$this->get_return_url( $order )
 			)
 		);
 
diff --git a/src/Gateways/Abstracts/WCMoneiPaymentGatewayHosted.php b/src/Gateways/Abstracts/WCMoneiPaymentGatewayHosted.php
@@ -37,11 +37,11 @@ public function process_payment( $order_id, $allowed_payment_method = null ) {
 		$description = $this->shop_name . ' - #' . $order_id;
 
 		/** The URL to which a payment result should be sent asynchronously. */
-		$callback_url = wp_sanitize_redirect( esc_url_raw( $this->notify_url ) );
+		$callback_url = esc_url_raw( $this->notify_url );
 		/** The URL the customer will be directed to if the payment failed. */
 		$fail_url = esc_url_raw( $order->get_checkout_payment_url( false ) );
 		/** The URL the customer will be directed to after transaction completed (successful or failed). */
-		$complete_url = wp_sanitize_redirect( esc_url_raw( add_query_arg( 'utm_nooverride', '1', $this->get_return_url( $order ) ) ) );
+		$complete_url = esc_url_raw( add_query_arg( 'utm_nooverride', '1', $this->get_return_url( $order ) ) );
 
 		/** Create Payment Payload */
 		$payload = array(
diff --git a/src/Gateways/PaymentMethods/WCGatewayMoneiCC.php b/src/Gateways/PaymentMethods/WCGatewayMoneiCC.php
@@ -294,10 +294,10 @@ protected function create_zero_eur_payload() {
 			'currency'              => get_woocommerce_currency(),
 			'orderId'               => $current_user_id . 'generatetoken' . wp_rand( 0, 1000000 ),
 			'description'           => "User $current_user_id creating empty transaction to generate token",
-			'callbackUrl'           => wp_sanitize_redirect( esc_url_raw( $this->notify_url ) ),
-			'completeUrl'           => wc_get_endpoint_url( 'payment-methods' ),
-			'cancelUrl'             => wc_get_endpoint_url( 'payment-methods' ),
-			'failUrl'               => wc_get_endpoint_url( 'payment-methods' ),
+			'callbackUrl'           => esc_url_raw( $this->notify_url ),
+			'completeUrl'           => esc_url_raw( wc_get_account_endpoint_url( 'payment-methods' ) ),
+			'cancelUrl'             => esc_url_raw( wc_get_account_endpoint_url( 'payment-methods' ) ),
+			'failUrl'               => esc_url_raw( wc_get_account_endpoint_url( 'payment-methods' ) ),
 			'transactionType'       => self::VERIFY_TRANSACTION_TYPE,
 			'sessionDetails'        => array(
 				'ip'        => WC_Geolocation::get_ip_address(),
