
Changeset 3299113

Timestamp:
05/23/2025 04:24:35 AM (10 months ago)
Author:
codemenschen
Message:

Version 4.5.4

Location:
gift-voucher
Files:
971 added
12 edited

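--- a/gift-voucher/trunk/assets/js/item-script.js
+++ b/gift-voucher/trunk/assets/js/item-script.js
@@ -1,3 +1,3 @@
-jQuery(document).ready(function($) {
+jQuery(document).ready(function ($) {
     var $itemform = $('#wpgv-giftitems'),
         $cataccording = $('.wpgv-according-category'),
@@ -36,5 +36,5 @@
     $('.wpgv-giftitem-wrapper .wpgv_preview-box:not(:nth-child(2))').addClass('mailhidden');
     $('.wpgv-according-category:not(:first-child) .wpgv-items').slideUp();
-    $('.wpgv-according-title').click(function() {
+    $('.wpgv-according-title').click(function () {
         var $catid = $(this).data('cat-id');
         $.ajax({
@@ -42,5 +42,5 @@
             type: "POST",
             data: "action=wpgv_doajax_get_itemcat_image&catid=" + $catid,
-            success: function(data) {
+            success: function (data) {
                 $(".wpgv-giftitemimage img").attr('src', data.image);
             }
@@ -51,5 +51,5 @@
         $('#itemcat' + $catid).find('.wpgv-items').slideDown();
     });
-    $('.wpgv-buy button').click(function() {
+    $('.wpgv-buy button').click(function () {
         var $itemid = $(this).data('item-id')
         $catid = $(this).data('cat-id'),
@@ -67,9 +67,9 @@
             type: "POST",
             data: "action=wpgv_doajax_get_item_data&itemid=" + $itemid,
-            success: function(data) {
+            success: function (data) {
                 $(".wpgv-gifttitle h3, .itemtitle").html(data.title);
                 $(".wpgv-gifttitle span, .itemdescription").html(data.description);
                 $('.voucherValueCard').val(data.price);
-                $.each(data.images, function(key, value) {
+                $.each(data.images, function (key, value) {
                     $(".wpgvstyle" + (parseInt(key) + 1) + " .cardDiv .cardImgTop img").attr('src', value);
                 });
@@ -77,5 +77,5 @@
         });
     });
-    $('.next-button').click(function(e) {
+    $('.next-button').click(function (e) {
         var $nextwrap = $(this).data('next'),
             $result = wpgv_validateitemform($nextwrap);
@@ -83,14 +83,14 @@
         $itemform.addClass('loading');
         $itemswrap.fadeOut();
-        setTimeout(function() {
+        setTimeout(function () {
             $itemform.removeClass('loading');
             $('#wpgv-giftitems-' + $nextwrap).fadeIn();
         }, 500);
     });
-    $('.back-button').click(function(e) {
+    $('.back-button').click(function (e) {
         var $prevwrap = $(this).data('prev');
         $itemform.addClass('loading');
         $itemswrap.fadeOut();
-        setTimeout(function() {
+        setTimeout(function () {
             $itemform.removeClass('loading');
             $('#wpgv-giftitems-' + $prevwrap).fadeIn();
@@ -98,17 +98,17 @@
     });
 
-    $your_name.on('input blur', function() {
+    $your_name.on('input blur', function () {
         var dInput = this.value;
         $(".forNameCard").val(dInput);
     });
-    $recipient_name.on('input blur', function() {
+    $recipient_name.on('input blur', function () {
         var dInput = this.value;
         $(".fromNameCard").val(dInput);
     });
-    $message.on('input blur', function() {
+    $message.on('input blur', function () {
         var dInput = this.value;
         $(".personalMessageCard").val(dInput);
     });
-    $('.buying-options div').click(function(e) {
+    $('.buying-options div').click(function (e) {
         $('.buying-options div').removeClass('selected');
         $(this).addClass('selected');
@@ -133,5 +133,5 @@
         $shipping_email.closest('.wpgv-form-fields').removeClass('mailhidden');
     }
-    $('.shipping-options div').click(function(e) {
+    $('.shipping-options div').click(function (e) {
         $('.shipping-options div').removeClass('selected');
         $(this).addClass('selected');
@@ -174,5 +174,5 @@
     });
 
-    $('input[name="shipping_method"]').change(function() {
+    $('input[name="shipping_method"]').change(function () {
         var $shippingprice = $(this).closest('label').data('value');
         var $totalprice = (parseFloat($itempricespan.html()) + parseFloat($shippingprice) + parseFloat($website_commission_price.data('price'))).toFixed(2);
@@ -184,8 +184,8 @@
     });
 
-    $chooseStyle.on('change', function() {
+    $chooseStyle.on('change', function () {
         $('.wpgv_preview-box').addClass('mailhidden');
         $itemform.addClass('loading');
-        setTimeout(function() {
+        setTimeout(function () {
             $itemform.removeClass('loading');
         }, 1000);
@@ -193,5 +193,5 @@
     });
 
-    $('#itempreview').click(function() {
+    $('#itempreview').click(function () {
         var $url = $(this).data('url'),
             $urlstring = wpgv_formdata();
@@ -199,5 +199,6 @@
     });
 
-    $('#paynowbtn').click(function() {
+    $('#paynowbtn').click(function () {
+        var nonce = $('input[name=wpgv_giftitems_form_verify]').val();
         var $error = 0,
             $datastring = '',
@@ -230,4 +231,8 @@
         }
 
+        if (nonce) {
+            $datastring += '&nonce=' + encodeURIComponent(nonce);
+        }
+
         if (!$('input[name=acceptVoucherTerms]').is(':checked')) {
             alert(frontend_ajax_object.accept_terms);
@@ -239,5 +244,5 @@
                 type: "POST",
                 data: $datastring,
-                success: function(response) {
+                success: function (response) {
                     if (response.success) {
                         if (response.data.approve_link) {
@@ -250,5 +255,5 @@
                     }
                 },
-                error: function() {
+                error: function () {
                     alert(frontend_ajax_object.error_occur);
                 }
@@ -259,6 +264,6 @@
     });
 
-    $(document).ajaxStart(function() { $itemform.addClass('loading'); })
-        .ajaxStop(function() { $itemform.removeClass('loading'); });
+    $(document).ajaxStart(function () { $itemform.addClass('loading'); })
+        .ajaxStop(function () { $itemform.removeClass('loading'); });
 
     function wpgv_validateitemform($step) {
@@ -304,5 +309,5 @@
                     type: "POST",
                     data: "action=wpgv_doajax_get_item_data&itemid=" + $itemid,
-                    success: function(data) {
+                    success: function (data) {
                         $(".wpgv-itemtitle").html(data.title);
                         var $price = (data.special_price) ? data.special_price : data.price;
@@ -333,5 +338,5 @@
 
     function wpgv_b64EncodeUnicode(str) {
-        return btoa(encodeURIComponent(str).replace(/%([0-9A-F]{2})/g, function(match, p1) {
+        return btoa(encodeURIComponent(str).replace(/%([0-9A-F]{2})/g, function (match, p1) {
             return String.fromCharCode(parseInt(p1, 16))
         }))
@@ -339,5 +344,5 @@
 
     function wpgv_b64DecodeUnicode(str) {
-        return decodeURIComponent(Array.prototype.map.call(atob(str), function(c) {
+        return decodeURIComponent(Array.prototype.map.call(atob(str), function (c) {
             return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2)
         }).join(''))
@@ -353,5 +358,5 @@
     }
 
-    $('#wpgv-message #message').on('keydown', function(e) {
+    $('#wpgv-message #message').on('keydown', function (e) {
         newLines = $(this).val().split("\n").length;
         $('.maxchar').html(frontend_ajax_object.total_character + ": " + (this.value.length));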
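Review bot: The nonce is only appended `if (nonce)` in the `#paynowbtn` handler (new lines 233–235), so a page that renders the form without the hidden field sends the request with no token at all and the only visible outcome is whatever the server answers for a missing nonce, which the `success` callback's handling of `response.success === false` (outside the hunk) may or may not surface to the user. Appending it unconditionally, `$datastring += '&nonce=' + encodeURIComponent(nonce || '');`, keeps the request shape stable and leaves the decision entirely to the server-side check. The remaining hunks in this file only change `function()` to `function ()` and need no review.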
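--- a/gift-voucher/trunk/assets/js/voucher-template-script.js
+++ b/gift-voucher/trunk/assets/js/voucher-template-script.js
@@ -518,9 +518,10 @@
         var data = voucherTemplate.find('#dataVoucher').val();
         var dataURL = voucherTemplate.find('#show-preview-gift-card').attr('href');
+        var nonce = jQuery('#wpgv_giftitems_form_verify').val();
         voucherTemplate.find('#setup-voucher-template').addClass('loading');
         $.ajax({
             url: frontend_ajax_object.ajaxurl,
             type: "POST",
-            data: 'action=wpgv_save_gift_card' + data + '&urlImage=' + wpgv_b64EncodeUnicode(dataURL),
+            data: 'action=wpgv_save_gift_card' + data + '&urlImage=' + wpgv_b64EncodeUnicode(dataURL) + '&nonce=' + nonce,
             success: function (response) {
                 if (response.success) {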
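Review bot: `'&nonce=' + nonce` on the new `data:` line appends the raw value, whereas item-script.js in the same changeset runs it through `encodeURIComponent`, and because `nonce` comes from `jQuery('#wpgv_giftitems_form_verify').val()`, a page without that hidden input sends the literal string `undefined` as the token. `'&nonce=' + encodeURIComponent(nonce || '')` keeps the two scripts consistent and sends an empty token instead of a bogus one. The enclosing function starts and ends outside the hunk, and the `wpgv_save_gift_card` handler that consumes this value is not on the page, so I cannot confirm which nonce action it verifies against.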
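--- a/gift-voucher/trunk/classes/class-nag.php
+++ b/gift-voucher/trunk/classes/class-nag.php
@@ -1,3 +1,5 @@
 <?php
+
+if (!defined('ABSPATH')) exit;
 
 class WPGIFT_Nag
@@ -37,6 +39,6 @@
 
             $redirect_url = "";
-            $host  = isset($_SERVER['HTTP_HOST']) ? wp_unslash($_SERVER['HTTP_HOST']) : '';
-            $path  = isset($_SERVER['PHP_SELF']) ? wp_unslash($_SERVER['PHP_SELF']) : '';
+            $host = isset($_SERVER['HTTP_HOST']) ? sanitize_text_field(wp_unslash($_SERVER['HTTP_HOST'])) : '';
+            $path = isset($_SERVER['PHP_SELF']) ? sanitize_text_field(wp_unslash($_SERVER['PHP_SELF'])) : '';
 
             if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') {
@@ -97,5 +99,5 @@
     {
 
-        $query_string = isset($_SERVER['QUERY_STRING']) ? wp_unslash($_SERVER['QUERY_STRING']) : '';
+        $query_string = isset($_SERVER['QUERY_STRING']) ? sanitize_text_field(wp_unslash($_SERVER['QUERY_STRING'])) : '';
 
         if (!empty($query_string)) {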
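Review bot: `sanitize_text_field()` on `$_SERVER['QUERY_STRING']` (new line 101) is not a neutral hardening: as far as I recall WordPress core, it strips percent-encoded octets and collapses whitespace, so any URL-encoded parameter in the query string is silently altered before the value is reused. On new lines 41–42 the same call does nothing to check that `HTTP_HOST` is one of this site's hosts, so if `$redirect_url` (built from `$host` and `$path`, used outside the hunk) ends up in a redirect it is still assembled from a client-controlled header. Building the URL from `home_url()`/`admin_url()` plus `add_query_arg()`, or at least passing the finished URL through `wp_validate_redirect()` or `esc_url_raw()`, addresses both concerns without mangling the query string. Both hunks sit inside methods whose bodies start and end outside the hunk.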
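--- a/gift-voucher/trunk/gift-voucher.php
+++ b/gift-voucher/trunk/gift-voucher.php
@@ -7,5 +7,5 @@
  * Author: Codemenschen GmbH
  * Author URI: https://www.codemenschen.at/
- * Version: 4.5.3
+ * Version: 4.5.4
  * Text Domain: gift-voucher
  * Domain Path: /languages
@@ -23,5 +23,5 @@
 if (!defined('ABSPATH')) exit;  // Exit if accessed directly
 
-define('WPGIFT_VERSION', '4.5.3');
+define('WPGIFT_VERSION', '4.5.4');
 define('WPGIFT__MINIMUM_WP_VERSION', '4.0');
 define('WPGIFT__PLUGIN_DIR', untrailingslashit(plugin_dir_path(__FILE__)));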
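--- a/gift-voucher/trunk/giftcard.php
+++ b/gift-voucher/trunk/giftcard.php
@@ -134,4 +134,5 @@
         $html .= '<div class="wrap-shipping-info-voucher">' . show_shipping_method_voucher() . '</div>';
     }
+    $nonce = wp_create_nonce('wpgv_giftitems_form_action');
     $html .= '<div class="choose-payment-method">' . show_payment_option_voucher() . '</div>
                                         <div class="order-voucher-details">' . show_order_detail_voucher() . '</div>
@@ -151,4 +152,5 @@
                     </div>
                     <div class="next-prev-button next-button">
+                        <input type="hidden" name="wpgv_giftitems_form_verify" id="wpgv_giftitems_form_verify" value="' . esc_attr($nonce) . '">
                         <input type="hidden" value="" id="dataVoucher"/>
                         <input type="hidden" value="' . $number_slider . '" id="number_giftcard_sl"/>';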
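Review bot: The nonce is created with action `'wpgv_giftitems_form_action'` (new line 136), but the guards added in this changeset verify against `'wpgv_giftitems_form_verify'` (include/wpgv_giftcard_pdf.php line 13 and include/wpgv_item_pdf.php line 12), so a token from this hidden field can never satisfy `wp_verify_nonce()` there. The action string has to be identical on both sides; either `$nonce = wp_create_nonce('wpgv_giftitems_form_verify');` here or the matching string in the verifiers. Which AJAX action the `#paynowbtn` request in item-script.js posts to is not visible on the page, so whether that path is affected is inferred rather than confirmed.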
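--- a/gift-voucher/trunk/include/voucher_list.php
+++ b/gift-voucher/trunk/include/voucher_list.php
@@ -46,5 +46,5 @@
                     <input type="hidden" name="search" value="<?php echo esc_html("1"); ?>">
                     <input type="text" name="voucher_code" autocomplete="off" placeholder="<?php echo esc_attr__('Search by Gift voucher code or email', 'gift-voucher'); ?>" value="<?php echo esc_html($voucher_code); ?>" style="width: 400px;">
-                    <input type="submit" class="button button-primary" value="<?php echo esc_attr__("Search"); ?>">
+                    <input type="submit" class="button button-primary" value="<?php echo esc_attr__("Search", 'gift-voucher'); ?>">
                 </form>
             </div>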
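--- a/gift-voucher/trunk/include/wpgv_giftcard_pdf.php
+++ b/gift-voucher/trunk/include/wpgv_giftcard_pdf.php
@@ -9,4 +9,11 @@
 function wpgv__doajax_gift_card_pdf_save_func()
 {
+
+    // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+    if (! isset($_POST['nonce']) || ! ! wp_verify_nonce(wp_unslash($_POST['nonce']), 'wpgv_giftitems_form_verify')) {
+        wp_send_json_error(array('message' => 'Invalid security token'));
+        wp_die();
+    }
+
     global $wpdb;
     $voucher_table  = $wpdb->prefix . 'giftvouchers_list';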
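Review bot: The new guard on line 13 reads `! ! wp_verify_nonce(...)`, a double negation: a request whose nonce verifies is rejected, and one whose nonce fails verification is let through to the rest of the handler, which is the opposite of the intent and of the otherwise identical guard in include/wpgv_item_pdf.php. The line should be `if (! isset($_POST['nonce']) || ! wp_verify_nonce(wp_unslash($_POST['nonce']), 'wpgv_giftitems_form_verify')) {`. In all three new guards (this file, include/wpgv_item_pdf.php, include/wpgv_voucher_pdf.php) the `wp_die();` after `wp_send_json_error()` is unreachable, since `wp_send_json_error()` already terminates the request; harmless, but it suggests the author was unsure the response ends there. The rest of the function continues outside the hunk.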
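--- a/gift-voucher/trunk/include/wpgv_item_pdf.php
+++ b/gift-voucher/trunk/include/wpgv_item_pdf.php
@@ -8,4 +8,11 @@
 function wpgv__doajax_item_pdf_save_func()
 {
+
+    // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+    if (! isset($_POST['nonce']) || ! wp_verify_nonce(wp_unslash($_POST['nonce']), 'wpgv_giftitems_form_verify')) {
+        wp_send_json_error(array('message' => 'Invalid security token'));
+        wp_die();
+    }
+
     $catid = sanitize_text_field(base64_decode($_POST['catid']));
     $itemid = sanitize_text_field(base64_decode($_POST['itemid']));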
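--- a/gift-voucher/trunk/include/wpgv_voucher_pdf.php
+++ b/gift-voucher/trunk/include/wpgv_voucher_pdf.php
@@ -9,4 +9,9 @@
 function wpgv__doajax_voucher_pdf_save_func()
 {
+    // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+    if (! isset($_POST['nonce']) || ! wp_verify_nonce(wp_unslash($_POST['nonce']), 'voucher_form_verify')) {
+        wp_send_json_error(array('message' => 'Invalid security token'));
+        wp_die();
+    }
 
     $template = wp_kses_post($_POST['template']);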
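Review bot: This guard checks the nonce action `'voucher_form_verify'` (new line 12), but nothing in this changeset creates a nonce with that action: giftcard.php creates `'wpgv_giftitems_form_action'` and the other two new guards check `'wpgv_giftitems_form_verify'`. Unless an existing form already emits `wp_create_nonce('voucher_form_verify')` and its client script posts it as `nonce` (neither is visible here), every request to this handler will now be answered with `Invalid security token`. Worth confirming against the caller before release, and documenting the expected action above the guard, e.g. `// Expects the token from the voucher form's 'voucher_form_verify' nonce field`. The rest of the function continues outside the hunk.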
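--- a/gift-voucher/trunk/readme.txt
+++ b/gift-voucher/trunk/readme.txt
@@ -4,5 +4,5 @@
 Requires at least: 4.0
 Tested up to: 6.8.1
-Stable tag: 4.5.3
+Stable tag: 4.5.4
 Requires PHP: 5.6
 License: GPLv2 or later
@@ -219,4 +219,9 @@
 == Changelog ==
 
+= Version 4.5.4 - Released: May 23 2025
+* Add nonce verification to form processing for security.
+* Escape translatable output properly.
+* Add __("Search", 'gift-voucher') for translation support
+
 = Version 4.5.3 - Released: May 05 2025
 * Fix incorrect usage of esc_html_ in submit button templates.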
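--- a/gift-voucher/trunk/templates/wpgv_item_pdf.php
+++ b/gift-voucher/trunk/templates/wpgv_item_pdf.php
@@ -15,14 +15,17 @@
     $watermark = __('This is a preview voucher.', 'gift-voucher');
 } else {
-    wp_die(__('Security check failed', 'gift-voucher'));
+    wp_die(esc_html__('Security check failed', 'gift-voucher'));
 }
 
-$catid = isset($_GET['catid']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['catid']))) : '';
-$itemid = isset($_GET['itemid']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['itemid']))) : '';
-$buyingfor = isset($_GET['buyingfor']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['buyingfor']))) : '';
-$for = isset($_GET['yourname']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['yourname']))) : '';
-$from = isset($_GET['recipientname']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['recipientname']))) : '';
-$value = isset($_GET['totalprice']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['totalprice']))) : '';
-$message = isset($_GET['recipientmessage']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['recipientmessage']))) : '';
+
+
+$get = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING) ?: [];
+$catid = !empty($get['catid']) ? sanitize_text_field(base64_decode(wp_unslash($get['catid']))) : '';
+$itemid    = !empty($get['itemid']) ? sanitize_text_field(base64_decode(wp_unslash($get['itemid']))) : '';
+$buyingfor = !empty($get['buyingfor']) ? sanitize_text_field(base64_decode(wp_unslash($get['buyingfor']))) : '';
+$for       = !empty($get['yourname']) ? sanitize_text_field(base64_decode(wp_unslash($get['yourname']))) : '';
+$from      = !empty($get['recipientname']) ? sanitize_text_field(base64_decode(wp_unslash($get['recipientname']))) : '';
+$value     = !empty($get['totalprice']) ? sanitize_text_field(base64_decode(wp_unslash($get['totalprice']))) : '';
+$message   = !empty($get['recipientmessage']) ? sanitize_text_field(base64_decode(wp_unslash($get['recipientmessage']))) : '';
 
 $code = '################';
@@ -50,5 +53,5 @@
 
 if ($setting_options->is_style_choose_enable) {
-    $voucher_style = sanitize_text_field(base64_decode($_GET['style']));
+    $voucher_style = !empty($get['style']) ? sanitize_text_field(base64_decode(wp_unslash($get['style']))) : '';
     $style_image = esc_html(get_post_meta($itemid, 'style' . ($voucher_style + 1) . '_image', true));
     $image_attributes = get_attached_file($style_image);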
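Review bot: `FILTER_SANITIZE_STRING` on the new line 22 is deprecated since PHP 8.1 and emits an `E_DEPRECATED` notice on every request that renders this template (the same call appears on new line 20 of templates/wpgv_voucher_pdf.php); it also adds nothing here, because every value is base64-decoded and then passed through `sanitize_text_field()` anyway, so the pre-decode filter only inspects base64 text. `$get = filter_input_array(INPUT_GET, FILTER_UNSAFE_RAW) ?: [];` keeps the structure of the change without the deprecation, with sanitisation happening once, after decoding, where it is meaningful. The switch from `isset()` to `!empty()` also treats a literal `'0'` as absent; base64-encoded input should never be exactly that, but it is a behaviour change worth a one-line comment above the block.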
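--- a/gift-voucher/trunk/templates/wpgv_voucher_pdf.php
+++ b/gift-voucher/trunk/templates/wpgv_voucher_pdf.php
@@ -15,22 +15,22 @@
     $watermark = __('This is a preview voucher.', 'gift-voucher');
 } else {
-    wp_die(__('Security check failed', 'gift-voucher'));
+    wp_die(esc_html__('Security check failed', 'gift-voucher'));
 }
 
-$template   = isset($_GET['template']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['template']))) : '';
-$buyingfor  = isset($_GET['buying_for']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['buying_for']))) : '';
-$for        = isset($_GET['for']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['for']))) : '';
-$from       = isset($_GET['from']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['from']))) : '';
-$value      = isset($_GET['value']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['value']))) : '';
-$message    = isset($_GET['message']) ? sanitize_textarea_field(base64_decode(wp_unslash($_GET['message']))) : '';
-$expiry     = isset($_GET['expiry']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['expiry']))) : '';
+$get = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING) ?: [];
+
+$template  = !empty($get['template'])   ? sanitize_text_field(base64_decode(wp_unslash($get['template']))) : '';
+$buyingfor = !empty($get['buying_for']) ? sanitize_text_field(base64_decode(wp_unslash($get['buying_for']))) : '';
+$for       = !empty($get['for'])        ? sanitize_text_field(base64_decode(wp_unslash($get['for']))) : '';
+$from      = !empty($get['from'])       ? sanitize_text_field(base64_decode(wp_unslash($get['from']))) : '';
+$value     = !empty($get['value'])      ? sanitize_text_field(base64_decode(wp_unslash($get['value']))) : '';
+$message   = !empty($get['message'])    ? sanitize_textarea_field(base64_decode(wp_unslash($get['message']))) : '';
+$expiry    = !empty($get['expiry'])     ? sanitize_text_field(base64_decode(wp_unslash($get['expiry']))) : '';
 $code = '################';
 
 global $wpdb;
-$setting_table = $wpdb->prefix . 'giftvouchers_setting';
-$template_table = $wpdb->prefix . 'giftvouchers_template';
 
-$setting_options = $wpdb->get_row($wpdb->prepare("SELECT * FROM $setting_table WHERE id = %d", 1));
-$template_options = $wpdb->get_row($wpdb->prepare("SELECT image_style FROM $template_table WHERE id = %d", $template));
+$setting_options = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->prefix}giftvouchers_setting WHERE id = %d", 1));
+$template_options = $wpdb->get_row($wpdb->prepare("SELECT image_style FROM {$wpdb->prefix}giftvouchers_template WHERE id = %d", $template));
 $images = $template_options->image_style ? json_decode($template_options->image_style) : ['', '', ''];
 
@@ -44,5 +44,5 @@
 
 if ($setting_options->is_style_choose_enable) {
-    $voucher_style = isset($_GET['style']) ? sanitize_text_field(base64_decode(wp_unslash($_GET['style']))) : '';
+    $voucher_style = !empty($get['style']) ? sanitize_text_field(base64_decode(wp_unslash($get['style']))) : '';
     $image_attributes = get_attached_file($images[$voucher_style]);
     $image = ($image_attributes) ? $image_attributes : get_option('wpgv_demoimageurl_voucher');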