Changeset 3450387
- Timestamp:
- 01/30/2026 11:49:52 AM (5 weeks ago)
- Location:
- smart-appointment-booking
- Files:
-
- 12 edited
- 1 copied
-
tags/1.0.8 (copied) (copied from smart-appointment-booking/trunk)
-
tags/1.0.8/inc/admin/class.saab.admin.action.php (modified) (19 diffs)
-
tags/1.0.8/inc/admin/class.saab.admin.fieldmeta.php (modified) (21 diffs)
-
tags/1.0.8/inc/class.saab.php (modified) (2 diffs)
-
tags/1.0.8/inc/front/class.saab.front.action.php (modified) (23 diffs)
-
tags/1.0.8/readme.txt (modified) (3 diffs)
-
tags/1.0.8/smart-appointment-booking.php (modified) (2 diffs)
-
trunk/inc/admin/class.saab.admin.action.php (modified) (19 diffs)
-
trunk/inc/admin/class.saab.admin.fieldmeta.php (modified) (21 diffs)
-
trunk/inc/class.saab.php (modified) (2 diffs)
-
trunk/inc/front/class.saab.front.action.php (modified) (23 diffs)
-
trunk/readme.txt (modified) (3 diffs)
-
trunk/smart-appointment-booking.php (modified) (2 diffs)
smart-appointment-booking/tags/1.0.8/inc/admin/class.saab.admin.action.php
r3154282 r3450387 200 200 ); 201 201 $get_notification_array = array(); 202 if (isset($_POST['notification_data'])) { 203 204 parse_str($_POST['notification_data'], $form_data); 202 if ( isset( $_POST['notification_data'] ) ) { 203 parse_str( sanitize_text_field( wp_unslash( $_POST['notification_data'] ) ), $form_data ); 205 204 $post_id = $form_data['form_id']; 206 205 $index = $form_data['editnotify']; … … 394 393 */ 395 394 function view_booking_entry( $post ){ 396 if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], '_wpnonce' ) ){395 if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ), '_wpnonce' ) ) { 397 396 //wp_die( 'Security check failed. Refresh the page and retry again!' ); 398 397 } 399 $post_id = ( isset( $_GET['post_id'] ) ) ? $_GET['post_id'] : '';398 $post_id = isset( $_GET['post_id'] ) ? absint( wp_unslash( $_GET['post_id'] ) ) : 0; 400 399 $form_data = get_post_meta( $post_id, 'saab_submission_data', true ); 401 400 $form_id = get_post_meta( $post_id, 'saab_form_id', true ); … … 529 528 } 530 529 function update_form_entry_data(){ 531 // if( ! isset( $_POST['zwt_saab_common_nonce'] ) || ! wp_verify_nonce( $_POST['zwt_saab_common_nonce'], 'zwt_saab_common_nonce' ) ){ 532 // wp_die( 'Security check failed. Refresh the page and retry again!' ); 533 // } 534 if (isset($_POST['entry_id']) && isset($_POST['updated_data']) ) { 535 $entry_id = ( isset( $_POST['entry_id'] ) ) ? $_POST['entry_id'] : ''; 536 $get_submitted_data = get_post_meta($entry_id, 'saab_submission_data', true); 537 $updated_data = ( isset( $_POST['updated_data'] ) ) ? $_POST['updated_data'] : ''; 530 if ( ! isset( $_POST['security'] ) || ! 
wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['security'] ) ), 'saab_ajax_nonce' ) ) { 531 wp_send_json_error( array( 'message' => __( 'Security check failed.', 'smart-appointment-booking' ) ) ); 532 wp_die(); 533 } 534 if ( isset( $_POST['entry_id'] ) && isset( $_POST['updated_data'] ) ) { 535 $entry_id = isset( $_POST['entry_id'] ) ? absint( wp_unslash( $_POST['entry_id'] ) ) : 0; 536 $get_submitted_data = get_post_meta( $entry_id, 'saab_submission_data', true ); 537 $updated_data = isset( $_POST['updated_data'] ) && is_array( $_POST['updated_data'] ) ? map_deep( wp_unslash( $_POST['updated_data'] ), 'sanitize_text_field' ) : array(); 538 538 foreach ($updated_data as $key => $value) { 539 539 if (isset($get_submitted_data['data'][$key])) { … … 575 575 echo "<div class='notification-page-main m-4 p-1 ' >"; 576 576 577 if (isset($_GET['post_type']) && isset($_GET['post_id']) && isset( $_GET['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash ($_POST['nonce'] ) ) , 'other_setting' )) { 578 579 $post_type = sanitize_text_field($_GET['post_type']); 580 581 $post_id = absint( $_GET['post_id']); 577 if ( isset( $_GET['post_type'] ) && isset( $_GET['post_id'] ) && isset( $_GET['nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['nonce'] ) ), 'other_setting' ) ) { 578 $post_type = sanitize_text_field( wp_unslash( $_GET['post_type'] ) ); 579 $post_id = absint( wp_unslash( $_GET['post_id'] ) ); 582 580 583 581 ?> … … 633 631 $fieldLabel = $option['fieldlabel']; 634 632 $selected = ($fieldKey == $first_name) ? 'selected' : ''; 635 echo '<option value="' . $fieldKey . '" ' . $selected . '>' . $fieldLabel. '</option>';633 echo '<option value="' . esc_attr( $fieldKey ) . '" ' . esc_attr( $selected ) . '>' . esc_html( $fieldLabel ) . '</option>'; 636 634 } 637 635 ?> … … 995 993 wp_send_json($response); 996 994 }else{ 997 if ( null !== ($_POST['post_id'] ?? null) && null !== absint($_POST['notification_id'] ?? 
null) && null !== sanitize_text_field($_POST['new_state'] ?? null)) {998 $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;999 $notification_id = isset($_POST['notification_id']) ? absint($_POST['notification_id']) : 0;1000 1001 $index = ltrim( $notification_id, "notify_");1002 $new_state = isset($_POST['new_state']) ? sanitize_text_field($_POST['new_state']) : '';995 if ( isset( $_POST['post_id'] ) && isset( $_POST['notification_id'] ) && isset( $_POST['new_state'] ) ) { 996 $post_id = absint( wp_unslash( $_POST['post_id'] ) ); 997 $notification_id = absint( wp_unslash( $_POST['notification_id'] ) ); 998 999 $index = ltrim( (string) $notification_id, 'notify_' ); 1000 $new_state = sanitize_text_field( wp_unslash( $_POST['new_state'] ) ); 1003 1001 1004 1002 // Get the existing notification metadata … … 1034 1032 wp_die(); 1035 1033 } 1036 if (isset($_POST['indexes'])) { 1037 $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0; 1038 $indexesToDelete = isset($_POST['indexes']) ? $_POST['indexes'] : ''; 1034 if ( isset( $_POST['indexes'] ) && is_array( $_POST['indexes'] ) ) { 1035 $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0; 1036 $indexes_raw = wp_unslash( $_POST['indexes'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- sanitized via map_deep below 1037 $indexesToDelete = map_deep( $indexes_raw, 'sanitize_text_field' ); 1039 1038 $notification_metadata = get_post_meta($post_id, 'saab_notification_data', true); 1040 1039 foreach ($indexesToDelete as $index) { … … 1130 1129 foreach ($available_types as $avail_type) { 1131 1130 $selected = ($avail_type === $type) ? 'selected' : ''; 1132 echo '<option value="' . esc_html($avail_type) . '" ' . esc_attr($selected) . '>' . ucfirst(esc_html($avail_type)) . '</option>';1131 echo '<option value="' . esc_html($avail_type) . '" ' . esc_attr($selected) . '>' . esc_html( ucfirst( $avail_type ) ) . 
'</option>'; 1133 1132 1134 1133 } … … 1205 1204 $post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0; 1206 1205 1207 $form_data = isset( $_POST['form_data'] ) ? sanitize_text_field( $_POST['form_data']) : array();1206 $form_data = isset( $_POST['form_data'] ) ? sanitize_text_field( wp_unslash( $_POST['form_data'] ) ) : ''; 1208 1207 1209 1208 update_post_meta($post_id, 'saab_formschema', $form_data ); … … 1229 1228 1230 1229 if (isset($form_title)) { 1231 echo sprintf( 1232 esc_html__('%s', 'smart-appointment-booking'), 1233 esc_html($form_title) 1234 ); 1230 echo esc_html( $form_title ); 1235 1231 1236 1232 }else{ … … 1242 1238 1243 1239 if (isset($booking_status) && !empty($booking_status)) { 1244 echo sprintf( 1245 esc_html__('%s', 'smart-appointment-booking'), 1246 esc_html(ucfirst($booking_status)) 1247 ); 1240 echo esc_html( ucfirst( $booking_status ) ); 1248 1241 }else{ 1249 1242 echo '-'; … … 1263 1256 $booked_date = gmdate('d F, Y', strtotime($booked_date)); 1264 1257 if (isset($booking_date) && !empty($booking_date)) { 1265 echo sprintf( 1266 esc_html__('%s', 'smart-appointment-booking'), 1267 esc_html($booked_date) 1268 ); 1269 1258 echo esc_html( $booked_date ); 1270 1259 } 1271 1260 }else{ … … 1277 1266 1278 1267 if (isset($timeslot) && !empty($timeslot)) { 1279 echo sprintf( 1280 esc_html__('%s', 'smart-appointment-booking'), 1281 esc_html($timeslot) 1282 ); 1268 echo esc_html( $timeslot ); 1283 1269 }else{ 1284 1270 echo '-'; … … 1342 1328 $error = 1; 1343 1329 $error_mess = "Something went wrong"; 1344 error_log( "post_id not found while preview");1330 error_log( "post_id not found while preview" ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1345 1331 } 1346 1332 … … 1451 1437 wp_die(); 1452 1438 } 1453 $user_mapping = isset( $_POST['saabuser_mapping']) ? sanitize_text_field($_POST['saabuser_mapping']) : '';1439 $user_mapping = isset( $_POST['saabuser_mapping'] ) ? 
sanitize_text_field( wp_unslash( $_POST['saabuser_mapping'] ) ) : ''; 1454 1440 1455 1441 parse_str($user_mapping, $user_mapping_array); … … 1483 1469 if (isset($_POST['confirmation_data'])) { 1484 1470 1485 parse_str( wp_unslash(sanitize_text_field($_POST['confirmation_data'])), $formdata);1471 parse_str( sanitize_text_field( wp_unslash( $_POST['confirmation_data'] ) ), $formdata ); 1486 1472 1487 1473 $post_id = $formdata['post_id']; … … 1583 1569 foreach ($options as $value => $label) { 1584 1570 $selected = selected($status, $value, false); 1585 echo '<option value="' . esc_attr($value) . '" ' . $selected. '>' . esc_html($label) . '</option>';1571 echo '<option value="' . esc_attr($value) . '" ' . esc_attr( $selected ) . '>' . esc_html($label) . '</option>'; 1586 1572 } 1587 1573 echo '</select>'; 1588 1574 1589 $selected_form_id = isset( $_GET['form_filter']) ? sanitize_text_field($_GET['form_filter']) : '';1575 $selected_form_id = isset( $_GET['form_filter'] ) ? sanitize_text_field( wp_unslash( $_GET['form_filter'] ) ) : ''; 1590 1576 1591 1577 $forms_query = new WP_Query($args); … … 1622 1608 } 1623 1609 1624 if ('edit.php' === $pagenow && 'manage_entries' === $typenow) { 1625 $booking_status = isset($_GET['booking_status']) ? sanitize_text_field($_GET['booking_status']) : ''; 1626 $form_filter = isset($_GET['form_filter']) ? intval($_GET['form_filter']) : 0; 1627 1628 if (!empty($booking_status) || !empty($form_filter)) { 1629 $meta_query = array('relation' => 'and'); 1630 1631 if (!empty($booking_status) && in_array($booking_status, array('booked', 'approved', 'cancelled', 'pending', 'waiting', 'submitted'))) { 1610 if ( 'edit.php' === $pagenow && 'manage_entries' === $typenow ) { 1611 $booking_status = isset( $_GET['booking_status'] ) ? sanitize_text_field( wp_unslash( $_GET['booking_status'] ) ) : ''; 1612 $form_filter = isset( $_GET['form_filter'] ) ? absint( wp_unslash( $_GET['form_filter'] ) ) : 0; 1613 1614 if ( ! empty( $booking_status ) || ! 
empty( $form_filter ) ) { 1615 // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query -- Filtering entries by status/form requires meta_query. 1616 $meta_query = array( 'relation' => 'and' ); 1617 1618 if ( ! empty( $booking_status ) && in_array( $booking_status, array( 'booked', 'approved', 'cancelled', 'pending', 'waiting', 'submitted' ), true ) ) { 1632 1619 $meta_query[] = array( 1633 'key' => 'entry_status',1634 'value' => $booking_status,1635 'compare' => '=' 1620 'key' => 'entry_status', 1621 'value' => $booking_status, 1622 'compare' => '=', 1636 1623 ); 1637 1624 } 1638 1625 1639 if ( !empty($form_filter)) {1626 if ( ! empty( $form_filter ) ) { 1640 1627 $meta_query[] = array( 1641 'key' => 'saab_form_id',1642 'value' => $form_filter,1643 'compare' => '=' 1628 'key' => 'saab_form_id', 1629 'value' => $form_filter, 1630 'compare' => '=', 1644 1631 ); 1645 1632 } 1646 1633 1647 $query->set( 'meta_query', $meta_query);1634 $query->set( 'meta_query', $meta_query ); 1648 1635 } 1649 1636 } … … 1700 1687 // Define the current page number 1701 1688 1702 $current_page = isset($_POST['page']) ? absint($_POST['page']) : 1; 1703 $timeslot = isset($_POST['timeslot']) ? sanitize_text_field($_POST['timeslot']) : ''; 1704 $booking_date = isset($_POST['booking_date']) ? sanitize_text_field($_POST['booking_date']) : ''; 1705 1689 $current_page = isset( $_POST['page'] ) ? absint( wp_unslash( $_POST['page'] ) ) : 1; 1690 $timeslot = isset( $_POST['timeslot'] ) ? sanitize_text_field( wp_unslash( $_POST['timeslot'] ) ) : ''; 1691 $booking_date = isset( $_POST['booking_date'] ) ? sanitize_text_field( wp_unslash( $_POST['booking_date'] ) ) : ''; 1692 1693 // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query -- Waiting list filtered by timeslot/booking_date. 
1706 1694 $args = array( 1707 'post_type' => 'manage_entries',1708 'posts_per_page' => 5, // Show 5 entries per page1709 'paged' => $current_page, // Use the current page number for pagination1710 'meta_query' => array(1695 'post_type' => 'manage_entries', 1696 'posts_per_page' => 5, 1697 'paged' => $current_page, 1698 'meta_query' => array( 1711 1699 'relation' => 'AND', 1712 1700 array( 1713 'key' => 'timeslot',1714 'value' => $timeslot,1715 'compare' => '=' 1701 'key' => 'timeslot', 1702 'value' => $timeslot, 1703 'compare' => '=', 1716 1704 ), 1717 1705 array( 1718 'key' => 'booking_date',1719 'value' => $booking_date,1720 'compare' => '=' 1721 ) 1722 ) 1723 ); 1724 1725 $query = new WP_Query( $args);1706 'key' => 'booking_date', 1707 'value' => $booking_date, 1708 'compare' => '=', 1709 ), 1710 ), 1711 ); 1712 1713 $query = new WP_Query( $args ); 1726 1714 ob_start(); 1727 1715 if ($query->have_posts()) { -
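Review bot: The nonce guard in `view_booking_entry()` (new lines 395–397) still has only the commented-out `//wp_die( ... )` inside it, so a missing or invalid `_wpnonce` falls straight through to reading `$_GET['post_id']` and the entry meta; sanitizing the nonce value does not change that. Either restore `wp_die( 'Security check failed. Refresh the page and retry again!' );` inside the block or, if the check is meant to be advisory in this render context, say so in a comment and drop the empty condition. A second point applies to new lines 203, 1439 and 1471: `sanitize_text_field()` strips percent-encoded octets and tags from the whole string before `parse_str()` sees it, so if the client posts a URL-encoded serialized form (values containing `%20`, `%40`, `%26` …) those characters are silently removed and the parsed values are corrupted; parse first and sanitize the result instead, e.g. `parse_str( wp_unslash( $_POST['notification_data'] ), $form_data ); $form_data = map_deep( $form_data, 'sanitize_text_field' );`. The enclosing functions begin and end outside the visible hunks.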
smart-appointment-booking/tags/1.0.8/inc/admin/class.saab.admin.fieldmeta.php
r3154282 r3450387 26 26 27 27 function saab_get_available_seats_per_timeslot($checktimeslot,$date){ 28 28 // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query -- Seats count filtered by timeslot/booking_date. 29 29 $args = array( 30 'post_type' => 'manage_entries',30 'post_type' => 'manage_entries', 31 31 'posts_per_page' => -1, 32 'meta_query' => array(32 'meta_query' => array( 33 33 'relation' => 'AND', 34 34 array( … … 234 234 <div id="waitinglist_main"> 235 235 <?php 236 237 $current_page = isset($_GET['page']) ? absint($_GET['page']) : 1; 236 // Pagination; nonce not used for GET page parameter in admin list. 237 // phpcs:ignore WordPress.Security.NonceVerification.Recommended 238 $current_page = isset( $_GET['page'] ) ? absint( wp_unslash( $_GET['page'] ) ) : 1; 239 // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query -- Waiting list filtered by timeslot/status/booking_date. 238 240 $args = array( 239 'post_type' => 'manage_entries',240 'posts_per_page' => 5, 241 'paged' => $current_page,242 'orderby' => 'date',243 'order' => 'ASC',244 'meta_query' => array(241 'post_type' => 'manage_entries', 242 'posts_per_page' => 5, 243 'paged' => $current_page, 244 'orderby' => 'date', 245 'order' => 'ASC', 246 'meta_query' => array( 245 247 'relation' => 'AND', 246 248 array( … … 311 313 if ($total_pages > 1) { 312 314 313 echo '<select id="saabpage-number" data-timeslot="' . esc_attr($timeslot) . '" data-booking_date="' . esc_attr($booking_date) . '" data-nonce="' .wp_create_nonce('get_paginated_items_nonce').'">';315 echo '<select id="saabpage-number" data-timeslot="' . esc_attr($timeslot) . '" data-booking_date="' . esc_attr($booking_date) . '" data-nonce="' . esc_attr( wp_create_nonce( 'get_paginated_items_nonce' ) ) . '">'; 314 316 for ($page = 1; $page <= $total_pages; $page++) { 315 317 echo '<option value="' . esc_attr($page) . 
'"'; … … 352 354 <script type='text/javascript'> 353 355 354 var myScriptData = <?php echo $myScriptData; ?>;356 var myScriptData = <?php echo $myScriptData; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- JSON schema from post meta, validated on save. ?>; 355 357 window.onload = function() { 356 358 … … 587 589 //echo wp_kses( $this->timezone_dropdown($post->ID), $allow_time_dropdown ); 588 590 ?> 589 <?php echo $this->timezone_dropdown($post->ID); ?>591 <?php echo wp_kses_post( $this->timezone_dropdown( $post->ID ) ); ?> 590 592 591 593 </div> … … 863 865 return $post_id; 864 866 } 865 if ( isset($_POST['cal_title'])) {866 $cal_title = sanitize_text_field( $_POST['cal_title']);867 update_post_meta( $post_id, 'saab_cal_title', $cal_title);868 } 869 870 if ( isset($_POST['cal_description'])) {871 $cal_description = sanitize_text_field( $_POST['cal_description']);872 update_post_meta( $post_id, 'saab_cal_description', $cal_description);867 if ( isset( $_POST['cal_title'] ) ) { 868 $cal_title = sanitize_text_field( wp_unslash( $_POST['cal_title'] ) ); 869 update_post_meta( $post_id, 'saab_cal_title', $cal_title ); 870 } 871 872 if ( isset( $_POST['cal_description'] ) ) { 873 $cal_description = sanitize_text_field( wp_unslash( $_POST['cal_description'] ) ); 874 update_post_meta( $post_id, 'saab_cal_description', $cal_description ); 873 875 } 874 876 // Section Tab 1 … … 881 883 } 882 884 //Weekdays 883 if ( isset($_POST['weekdays'])) {884 $selected_weekdays = array_map( 'sanitize_text_field', $_POST['weekdays']);885 update_post_meta( $post_id, 'saab_weekdays', $selected_weekdays);885 if ( isset( $_POST['weekdays'] ) ) { 886 $selected_weekdays = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['weekdays'] ) ); 887 update_post_meta( $post_id, 'saab_weekdays', $selected_weekdays ); 886 888 } else { 887 889 update_post_meta($post_id, 'saab_weekdays', array()); … … 889 891 890 892 // Save the radio button value for appointment Type 891 if ( 
isset($_POST['appointment_type'])) {892 $selected_option = sanitize_text_field( $_POST['appointment_type']);893 if ( isset( $_POST['appointment_type'] ) ) { 894 $selected_option = sanitize_text_field( wp_unslash( $_POST['appointment_type'] ) ); 893 895 update_post_meta($post_id, 'saab_appointment_type', $selected_option); 894 896 } 895 897 896 898 // Save the link value if Appointment Type "Virtual" is selected 897 if ( isset($_POST['virtual_link'])) {898 $link_value = sanitize_text_field( $_POST['virtual_link']);899 if ( isset( $_POST['virtual_link'] ) ) { 900 $link_value = sanitize_text_field( wp_unslash( $_POST['virtual_link'] ) ); 899 901 update_post_meta($post_id, 'saab_virtual_link', $link_value); 900 902 } … … 902 904 //Symbol 903 905 if ( isset( $_POST['label_symbol'] ) ) { 904 $label_symbol = sanitize_text_field( $_POST['label_symbol']);906 $label_symbol = sanitize_text_field( wp_unslash( $_POST['label_symbol'] ) ); 905 907 update_post_meta( $post_id, 'saab_label_symbol', $label_symbol ); 906 908 } … … 908 910 //Symbol 909 911 if ( isset( $_POST['cost'] ) ) { 910 $cost = sanitize_text_field( $_POST['cost']);912 $cost = sanitize_text_field( wp_unslash( $_POST['cost'] ) ); 911 913 update_post_meta( $post_id, 'saab_cost', $cost ); 912 914 } 913 915 914 916 if ( isset( $_POST['timezone'] ) ) { 915 $timezone = sanitize_text_field( $_POST['timezone']);917 $timezone = sanitize_text_field( wp_unslash( $_POST['timezone'] ) ); 916 918 update_post_meta( $post_id, 'saab_timezone', $timezone ); 917 919 } 918 920 919 921 if ( isset( $_POST['bookmap_email'] ) ) { 920 $map_email = sanitize_text_field( $_POST['bookmap_email']);922 $map_email = sanitize_text_field( wp_unslash( $_POST['bookmap_email'] ) ); 921 923 update_post_meta( $post_id, 'saab_map_email', $map_email ); 922 924 } 923 925 924 926 if ( isset( $_POST['cost'] ) ) { 925 $cost = sanitize_text_field( $_POST['cost']);927 $cost = sanitize_text_field( wp_unslash( $_POST['cost'] ) ); 926 928 update_post_meta( 
$post_id, 'saab_saab_cost', $cost ); 927 929 } 928 930 929 931 //selected_date 930 if ( isset($_POST['selected_date'])) {931 update_post_meta( $post_id, 'saab_selected_date', sanitize_text_field($_POST['selected_date']));932 } 933 934 if ( isset($_POST['start_time'])) {935 update_post_meta( $post_id, 'saab_start_time', sanitize_text_field($_POST['start_time']));936 } 937 938 if ( isset($_POST['end_time'])) {939 update_post_meta( $post_id, 'saab_end_time', sanitize_text_field($_POST['end_time']));940 } 941 932 if ( isset( $_POST['selected_date'] ) ) { 933 update_post_meta( $post_id, 'saab_selected_date', sanitize_text_field( wp_unslash( $_POST['selected_date'] ) ) ); 934 } 935 936 if ( isset( $_POST['start_time'] ) ) { 937 update_post_meta( $post_id, 'saab_start_time', sanitize_text_field( wp_unslash( $_POST['start_time'] ) ) ); 938 } 939 940 if ( isset( $_POST['end_time'] ) ) { 941 update_post_meta( $post_id, 'saab_end_time', sanitize_text_field( wp_unslash( $_POST['end_time'] ) ) ); 942 } 943 942 944 //Steps Duration 943 945 if ( isset( $_POST['steps_duration'] ) ) { 944 $steps_duration = sanitize_text_field($_POST['steps_duration']);946 $steps_duration = map_deep( wp_unslash( $_POST['steps_duration'] ), 'sanitize_text_field' ); 945 947 $sanitized_steps_duration = array( 946 948 'hours' => sanitize_text_field( $steps_duration['hours'] ), … … 952 954 } 953 955 //timeslot_duration 954 if ( isset( $_POST['booking_stops_after'] ) ) { 955 $booking_stops_after_duration = $_POST['booking_stops_after']; 956 $booking_stops_after_duration = ( isset( $_POST['booking_stops_after'] ) && is_array( $_POST['booking_stops_after'] ) ) 957 ? map_deep( wp_unslash( $_POST['booking_stops_after'] ), 'sanitize_text_field' ) 958 : array(); 959 if ( ! 
empty( $booking_stops_after_duration ) ) { 956 960 $sanitized_booking_stops_after_duration = array( 957 'hours' => sanitize_text_field( $booking_stops_after_duration['hours'] ),958 'minutes' => sanitize_text_field( $booking_stops_after_duration['minutes'] )961 'hours' => isset( $booking_stops_after_duration['hours'] ) ? $booking_stops_after_duration['hours'] : '', 962 'minutes' => isset( $booking_stops_after_duration['minutes'] ) ? $booking_stops_after_duration['minutes'] : '', 959 963 ); 960 964 … … 963 967 } 964 968 //timeslot_duration 965 if ( isset( $_POST['timeslot_duration'] ) ) {966 $timeslot_duration = sanitize_text_field($_POST['timeslot_duration']);969 if ( isset( $_POST['timeslot_duration'] ) && is_array( $_POST['timeslot_duration'] ) ) { 970 $timeslot_duration = map_deep( wp_unslash( $_POST['timeslot_duration'] ), 'sanitize_text_field' ); 967 971 $sanitized_timeslot_duration = array( 968 'hours' => sanitize_text_field( $timeslot_duration['hours'] ),969 'minutes' => sanitize_text_field( $timeslot_duration['minutes'] )972 'hours' => isset( $timeslot_duration['hours'] ) ? $timeslot_duration['hours'] : '', 973 'minutes' => isset( $timeslot_duration['minutes'] ) ? 
$timeslot_duration['minutes'] : '', 970 974 ); 971 975 … … 975 979 //no_of_booking 976 980 if ( isset( $_POST['no_of_booking'] ) ) { 977 $selected_date = absint( $_POST['no_of_booking']);981 $selected_date = absint( wp_unslash( $_POST['no_of_booking'] ) ); 978 982 update_post_meta( $post_id, 'saab_no_of_booking', $selected_date ); 979 983 } 980 984 //waiting List 981 if ( isset($_POST['waiting_list']) && filter_var($_POST['waiting_list'], FILTER_VALIDATE_BOOLEAN)) {982 update_post_meta( $post_id, 'saab_waiting_list', 1);985 if ( isset( $_POST['waiting_list'] ) && filter_var( wp_unslash( $_POST['waiting_list'] ), FILTER_VALIDATE_BOOLEAN ) ) { 986 update_post_meta( $post_id, 'saab_waiting_list', 1 ); 983 987 } else { 984 988 delete_post_meta($post_id, 'saab_waiting_list'); 985 989 } 986 990 //timeslotBookingAllowed 987 if ( isset($_POST['timeslot_BookAllow']) && filter_var($_POST['timeslot_BookAllow'], FILTER_VALIDATE_BOOLEAN)) {991 if ( isset( $_POST['timeslot_BookAllow'] ) && filter_var( wp_unslash( $_POST['timeslot_BookAllow'] ), FILTER_VALIDATE_BOOLEAN ) ) { 988 992 update_post_meta($post_id, 'saab_timeslot_BookAllow', 1); 989 993 } else { … … 991 995 } 992 996 //enable_auto_approve 993 if ( isset($_POST['enable_auto_approve']) && filter_var($_POST['enable_auto_approve'], FILTER_VALIDATE_BOOLEAN)) {997 if ( isset( $_POST['enable_auto_approve'] ) && filter_var( wp_unslash( $_POST['enable_auto_approve'] ), FILTER_VALIDATE_BOOLEAN ) ) { 994 998 update_post_meta($post_id, 'saab_enable_auto_approve', 1); 995 999 } else { … … 997 1001 } 998 1002 //multiple breaks 999 if (isset($_POST['breaktimeslots'])) { 1000 $breaktimeslots = sanitize_text_field($_POST['breaktimeslots']); 1001 1002 // Sanitize and save the values 1003 if ( isset( $_POST['breaktimeslots'] ) && is_array( $_POST['breaktimeslots'] ) ) { 1004 $breaktimeslots = map_deep( wp_unslash( $_POST['breaktimeslots'] ), 'sanitize_text_field' ); 1005 1003 1006 $sanitized_breaktimeslots = array(); 1004 foreach ( 
$breaktimeslots as $breaktimeslot) {1005 $breakstart_time = sanitize_text_field($breaktimeslot['start_time']);1006 $breakend_time = sanitize_text_field($breaktimeslot['end_time']);1007 foreach ( $breaktimeslots as $breaktimeslot ) { 1008 $breakstart_time = isset( $breaktimeslot['start_time'] ) ? $breaktimeslot['start_time'] : ''; 1009 $breakend_time = isset( $breaktimeslot['end_time'] ) ? $breaktimeslot['end_time'] : ''; 1007 1010 $sanitized_breaktimeslots[] = array( 1008 1011 'start_time' => $breakstart_time, … … 1024 1027 } 1025 1028 1026 if (isset($_POST['generatetimeslot'])) { 1027 $generatetimeslots = $_POST['generatetimeslot']; 1028 // Sanitize and save the values 1029 $generatetimeslots = ( isset( $_POST['generatetimeslot'] ) && is_array( $_POST['generatetimeslot'] ) ) 1030 ? map_deep( wp_unslash( $_POST['generatetimeslot'] ), 'sanitize_text_field' ) 1031 : array(); 1032 if ( ! empty( $generatetimeslots ) ) { 1029 1033 $sanitized_generatetimeslots = array(); 1030 foreach ($generatetimeslots as $generatetimeslot) { 1031 $generatestart_time = $generatetimeslot['start_time']; 1032 $generateend_time = $generatetimeslot['end_time']; 1034 foreach ( $generatetimeslots as $generatetimeslot ) { 1033 1035 $sanitized_generatetimeslots[] = array( 1034 'start_time' => $generatestart_time,1035 'end_time' => $generateend_time,1036 'start_time' => isset( $generatetimeslot['start_time'] ) ? $generatetimeslot['start_time'] : '', 1037 'end_time' => isset( $generatetimeslot['end_time'] ) ? 
$generatetimeslot['end_time'] : '', 1036 1038 ); 1037 1039 } … … 1051 1053 1052 1054 //Enable Recurring Events 1053 if ( isset($_POST['enable_recurring_apt']) && filter_var($_POST['enable_recurring_apt'], FILTER_VALIDATE_BOOLEAN)) {1055 if ( isset( $_POST['enable_recurring_apt'] ) && filter_var( wp_unslash( $_POST['enable_recurring_apt'] ), FILTER_VALIDATE_BOOLEAN ) ) { 1054 1056 update_post_meta($post_id, 'saab_enable_recurring_apt', 1); 1055 1057 } else { 1056 1058 delete_post_meta($post_id, 'saab_enable_recurring_apt'); 1057 1059 } 1058 if ( isset($_POST['enable_advance_setting']) && filter_var($_POST['enable_advance_setting'], FILTER_VALIDATE_BOOLEAN)) {1060 if ( isset( $_POST['enable_advance_setting'] ) && filter_var( wp_unslash( $_POST['enable_advance_setting'] ), FILTER_VALIDATE_BOOLEAN ) ) { 1059 1061 update_post_meta($post_id, 'saab_enable_advance_setting', 1); 1060 1062 } else { 1061 1063 delete_post_meta($post_id, 'saab_enable_advance_setting'); 1062 1064 } 1063 if (isset($_POST['recurring_type'])) { 1064 $recurring_type = sanitize_text_field($_POST['recurring_type']); 1065 update_post_meta($post_id, 'saab_recurring_type', $recurring_type); 1066 } 1067 if (isset($_POST['recur_weekdays'])) { 1068 $sanitized_recur_weekdays = array_map('sanitize_text_field', $_POST['recur_weekdays']); 1069 update_post_meta($post_id, 'saab_recur_weekdays', $sanitized_recur_weekdays); 1070 } 1071 if (isset($_POST['advancedata'])) { 1072 $advancedata = $_POST['advancedata']; 1073 update_post_meta($post_id, 'saab_advancedata', $advancedata); 1065 if ( isset( $_POST['recurring_type'] ) ) { 1066 $recurring_type = sanitize_text_field( wp_unslash( $_POST['recurring_type'] ) ); 1067 update_post_meta( $post_id, 'saab_recurring_type', $recurring_type ); 1068 } 1069 if ( isset( $_POST['recur_weekdays'] ) ) { 1070 $sanitized_recur_weekdays = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['recur_weekdays'] ) ); 1071 update_post_meta( $post_id, 'saab_recur_weekdays', 
$sanitized_recur_weekdays ); 1072 } 1073 if ( isset( $_POST['advancedata'] ) ) { 1074 $advancedata = is_array( $_POST['advancedata'] ) 1075 ? map_deep( wp_unslash( $_POST['advancedata'] ), 'sanitize_text_field' ) 1076 : sanitize_text_field( wp_unslash( $_POST['advancedata'] ) ); 1077 update_post_meta( $post_id, 'saab_advancedata', $advancedata ); 1074 1078 }else { 1075 1079 delete_post_meta($post_id, 'saab_advancedata'); 1076 1080 } 1077 if ( isset($_POST['holidays'])) {1078 $holidays = array_map( 'sanitize_text_field', $_POST['holidays']);1081 if ( isset( $_POST['holidays'] ) ) { 1082 $holidays = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['holidays'] ) ); 1079 1083 update_post_meta($post_id, 'saab_holiday_dates', $holidays); 1080 1084 } 1081 if ( isset($_POST['end_repeats'])) {1082 $end_repeats = sanitize_text_field( $_POST['end_repeats']);1085 if ( isset( $_POST['end_repeats'] ) ) { 1086 $end_repeats = sanitize_text_field( wp_unslash( $_POST['end_repeats'] ) ); 1083 1087 update_post_meta($post_id, 'saab_end_repeats', $end_repeats); 1084 1088 } 1085 if ( isset($_POST['end_repeats_on'])) {1086 $end_repeats_on = sanitize_text_field( $_POST['end_repeats_on']);1089 if ( isset( $_POST['end_repeats_on'] ) ) { 1090 $end_repeats_on = sanitize_text_field( wp_unslash( $_POST['end_repeats_on'] ) ); 1087 1091 update_post_meta($post_id, 'saab_end_repeats_on', $end_repeats_on); 1088 1092 } 1089 if ( isset($_POST['end_repeats_after'])) {1090 $end_repeats_after = sanitize_text_field( $_POST['end_repeats_after']);1093 if ( isset( $_POST['end_repeats_after'] ) ) { 1094 $end_repeats_after = sanitize_text_field( wp_unslash( $_POST['end_repeats_after'] ) ); 1091 1095 update_post_meta($post_id, 'saab_end_repeats_after', $end_repeats_after); 1092 1096 } … … 1111 1115 } 1112 1116 1113 if ( isset($_POST['notes'])) {1114 $notes = sanitize_textarea_field( $_POST['notes']);1117 if ( isset( $_POST['notes'] ) ) { 1118 $notes = sanitize_textarea_field( wp_unslash( 
$_POST['notes'] ) ); 1115 1119 update_post_meta($post_id, 'saab_notes', $notes); 1116 1120 } 1117 1121 1118 if ( isset($_POST['form_id'])) {1119 $form_id = sanitize_text_field( $_POST['form_id']);1120 } 1121 1122 if ( isset($_POST['no_of_bookings'])) {1123 $no_of_bookings = absint( $_POST['no_of_bookings']);1122 if ( isset( $_POST['form_id'] ) ) { 1123 $form_id = sanitize_text_field( wp_unslash( $_POST['form_id'] ) ); 1124 } 1125 1126 if ( isset( $_POST['no_of_bookings'] ) ) { 1127 $no_of_bookings = absint( wp_unslash( $_POST['no_of_bookings'] ) ); 1124 1128 update_post_meta($post_id, 'saab_slotcapacity', $no_of_bookings); 1125 1129 } 1126 1130 1127 if ( isset($_POST['booking_date'])) {1128 $booking_date = sanitize_text_field( $_POST['booking_date']);1131 if ( isset( $_POST['booking_date'] ) ) { 1132 $booking_date = sanitize_text_field( wp_unslash( $_POST['booking_date'] ) ); 1129 1133 $currentMonth = gmdate('n',strtotime($booking_date)); 1130 1134 $currentYear = gmdate('Y',strtotime($booking_date)); … … 1133 1137 update_post_meta($post_id, 'saab_booking_date', $booking_date); 1134 1138 } 1135 if ( isset($_POST['start_time']) && isset($_POST['end_time'])) {1136 $start_time = trim( gmdate("h:i A", strtotime( sanitize_text_field($_POST['start_time']) )));1137 $end_time = trim(gmdate("h:i A", strtotime( sanitize_text_field($_POST['end_time']) )));1139 if ( isset( $_POST['start_time'] ) && isset( $_POST['end_time'] ) ) { 1140 $start_time = trim( gmdate( 'h:i A', strtotime( sanitize_text_field( wp_unslash( $_POST['start_time'] ) ) ) ) ); 1141 $end_time = trim( gmdate( 'h:i A', strtotime( sanitize_text_field( wp_unslash( $_POST['end_time'] ) ) ) ) ); 1138 1142 $timeslot = $start_time.'-'.$end_time; 1139 1143 update_post_meta($post_id, 'saab_timeslot', $timeslot); 1140 1144 } 1141 1145 1142 if ( isset($_POST['manual_notification']) && sanitize_text_field($_POST['manual_notification'] !== 'any')) {1143 $selected_action = isset($_POST['manual_notification']) ? 
sanitize_text_field($_POST['manual_notification']) : '';1144 $booking_status = isset($_POST['booking_status']) ? sanitize_text_field($_POST['booking_status']) : '';1145 // update_post_meta($post_id, 'saab_entry_status', $booking_status); 1146 $bookingId = isset($_POST['post_id']) ? absint($_POST['post_id']) : '';1147 $status = isset($_POST['status']) ? sanitize_text_field($_POST['status']) : '';1146 if ( isset( $_POST['manual_notification'] ) && sanitize_text_field( wp_unslash( $_POST['manual_notification'] ) ) !== 'any' ) { 1147 $selected_action = isset( $_POST['manual_notification'] ) ? sanitize_text_field( wp_unslash( $_POST['manual_notification'] ) ) : ''; 1148 $booking_status = isset( $_POST['booking_status'] ) ? sanitize_text_field( wp_unslash( $_POST['booking_status'] ) ) : ''; 1149 // update_post_meta($post_id, 'saab_entry_status', $booking_status); 1150 $bookingId = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0; 1151 $status = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : ''; 1148 1152 $formdata = get_post_meta($bookingId,'saab_submission_data',true); 1149 1153 $listform_label_val =$this->saab_admin_getkey_value_formshortcodes($post_id,$formdata); … … 1153 1157 update_post_meta($post_id, 'saab_manual_notification', $selected_action); 1154 1158 1155 } else{1156 $booking_status = isset( $_POST['booking_status']) ? sanitize_text_field($_POST['booking_status']) : '';1157 update_post_meta( $post_id, 'saab_entry_status', $booking_status);1159 } else { 1160 $booking_status = isset( $_POST['booking_status'] ) ? 
sanitize_text_field( wp_unslash( $_POST['booking_status'] ) ) : ''; 1161 update_post_meta( $post_id, 'saab_entry_status', $booking_status ); 1158 1162 $formdata = get_post_meta($post_id,'saab_submission_data',true); 1159 1163 $listform_label_val =$this->saab_admin_getkey_value_formshortcodes($post_id,$formdata); … … 1302 1306 } else { 1303 1307 $message = esc_html__('Failed to send email','smart-appointment-booking'); 1304 error_log('Failed to send email'); 1308 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1309 error_log( 'Failed to send email' ); 1305 1310 } 1306 1311 } 1307 1312 1308 1313 } 1309 if ($notificationFound === false) { 1310 $message = esc_html__('Notification not found for the given status', 'smart-appointment-booking'); 1311 error_log('Notification not found for the given status'); 1314 if ( $notificationFound === false ) { 1315 $message = esc_html__( 'Notification not found for the given status', 'smart-appointment-booking' ); 1316 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1317 error_log( 'Notification not found for the given status' ); 1312 1318 } 1313 1319 return $message; -
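--- a/smart-appointment-booking/tags/1.0.8/inc/class.saab.php
+++ b/smart-appointment-booking/tags/1.0.8/inc/class.saab.php
@@ -53,8 +53,4 @@
 global $wp_version;
 
-# Set filter for plugin's languages directory
-$SAAB_lang_dir = dirname( SAAB_PLUGIN_BASENAME ) . '/languages/';
-$SAAB_lang_dir = apply_filters( 'SAAB_languages_directory', $SAAB_lang_dir );
-
 # Traditional WordPress plugin locale filter.
 $get_locale = get_locale();
@@ -74,8 +70,6 @@
 # Look in global /wp-content/languages/plugin-name folder
 load_textdomain( 'smart-appointment-booking', $mofile_global );
-} else {
-# Load the default language files
-load_plugin_textdomain( 'smart-appointment-booking', false, $SAAB_lang_dir );
 }
+# When hosted on WordPress.org, translations are loaded automatically; no load_plugin_textdomain() needed.
 }
 }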
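Review bot: Dropping the `$SAAB_lang_dir` block also removes the `SAAB_languages_directory` filter, a public hook that site code may still attach to with `add_filter()`, and neither the 1.0.8 changelog in readme.txt nor a comment in this function records that removal; a one-line deprecation note such as `# The 'SAAB_languages_directory' filter was removed in 1.0.8; translations are loaded by WordPress core.` would make the break visible to integrators. The surviving branch still calls `load_textdomain( 'smart-appointment-booking', $mofile_global )` by hand while the new comment states that translations are loaded automatically; if the automatic load covers the global `/wp-content/languages/plugins/` path as well, that branch is now redundant, otherwise the comment should say which case it does not cover. The enclosing function starts outside the visible hunks.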
smart-appointment-booking/tags/1.0.8/inc/front/class.saab.front.action.php
r3154282 r3450387 110 110 ob_start(); 111 111 $user_id = get_current_user_id(); 112 $post_ids = array(); 112 $post_ids = array(); 113 // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key, WordPress.DB.SlowDBQuery.slow_db_query_meta_value -- User's bookings filtered by user_mapped meta. 113 114 $args = array( 114 'post_type' => 'manage_entries',115 'meta_key' => 'user_mapped',116 'meta_value' => $user_id,117 'fields' => 'ids',115 'post_type' => 'manage_entries', 116 'meta_key' => 'user_mapped', 117 'meta_value' => $user_id, 118 'fields' => 'ids', 118 119 'posts_per_page' => 55, 119 120 ); 120 121 $query = new WP_Query( $args);121 122 $query = new WP_Query( $args ); 122 123 123 124 if ($query->have_posts()) { … … 269 270 } 270 271 271 function saab_save_form_submission() { 272 // ini_set('display_startup_errors', 1); 273 // ini_set('display_errors', 1); 274 // error_reporting(-1); 275 //if( ! wp_verify_nonce( 'saab_front_nonce' ) ){} // ignoring nonce validation error in the front form 276 $form_id = ( isset( $_POST['fid'] ) ) ? $_POST['fid'] : ''; 277 $form_data = ( isset( $_POST['form_data'] ) ) ? $_POST['form_data'] : ''; 272 function saab_save_form_submission() { 273 $nonce_key = isset( $_POST['nonce'] ) ? 'nonce' : ( isset( $_POST['security'] ) ? 'security' : '' ); 274 $nonce_val = ( $nonce_key && isset( $_POST[ $nonce_key ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ $nonce_key ] ) ) : ''; 275 if ( ! $nonce_val || ! wp_verify_nonce( $nonce_val, 'my_ajax_nonce' ) ) { 276 wp_send_json_error( array( 'message' => __( 'Security check failed.', 'smart-appointment-booking' ) ) ); 277 wp_die(); 278 } 279 $form_id = isset( $_POST['fid'] ) ? absint( wp_unslash( $_POST['fid'] ) ) : 0; 280 $form_data = isset( $_POST['form_data'] ) && is_array( $_POST['form_data'] ) ? 
map_deep( wp_unslash( $_POST['form_data'] ), 'sanitize_text_field' ) : array(); 278 281 // User 279 282 $is_user_logged_in = is_user_logged_in(); … … 345 348 $usererror = true; 346 349 wp_send_json_error(array( 347 'message' => __('Error creating user '. $user_id->get_error_message(),'smart-appointment-booking'), 350 'message' => sprintf( 351 /* translators: %s: error message from user creation */ 352 __( 'Error creating user %s', 'smart-appointment-booking' ), 353 $user_id->get_error_message() 354 ), 348 355 'error' => $usererror, 349 356 )); … … 586 593 // } 587 594 if(empty($saab_amount)){ 588 $error_message = "Amount configuration Error";589 595 wp_delete_post($created_post_id, true); 590 596 wp_send_json_error(array( 591 'message' => __( $error_message, 'smart-appointment-booking'),597 'message' => __( 'Amount configuration Error', 'smart-appointment-booking' ), 592 598 'error' => true, 593 599 )); 594 600 } 595 $stripetoken = ( isset( $_POST['token'] ) ) ? $_POST['token']: '';601 $stripetoken = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : ''; 596 602 // Set your Stripe Publishable key 597 603 SabStripe::setApiKey($secretKey); // Replace with your Stripe API key … … 637 643 638 644 }catch ( Exception $e ) { 639 $error_message = $e->getMessage();640 645 wp_delete_post($created_post_id, true); 641 646 wp_send_json_error(array( 642 'message' => __($error_message, 'smart-appointment-booking'), 647 'message' => sprintf( 648 /* translators: %s: payment exception error message */ 649 __( 'Payment error: %s', 'smart-appointment-booking' ), 650 $e->getMessage() 651 ), 643 652 'error' => true, 644 653 )); … … 745 754 746 755 function saab_booking_form_submission() { 747 // ini_set('display_startup_errors', 1);748 // ini_set('display_errors', 1);749 // error_reporting(-1); 750 $error =''; 751 // if( ! wp_verify_nonce( 'saab_front_nonce' ) ){} 752 $booking_date = ( isset( $_POST['booking_date'] ) ) ? 
$_POST['booking_date'] : '';753 $e xplode_booking_date = explode('_',$booking_date);754 $ form_id = $explode_booking_date[1];755 $ format_bookingdate = $explode_booking_date[4] . "-" . $explode_booking_date[2] . "-" . $explode_booking_date[3];756 $ converted_bookingdate = date('Y-m-d', strtotime($format_bookingdate));757 $ timeslot = ( isset( $_POST['timeslot'] ) ) ? $_POST['timeslot'] : '';758 //total availableseats759 $ slotcapacity = ( isset( $_POST['slotcapacity'] ) ) ? $_POST['slotcapacity']: '';760 //quantity761 $bookedseats = ( isset( $_POST['bookedseats'] ) )? $_POST['bookedseats'] : '';762 $form_id = isset( $_POST['fid']) ? absint($_POST['fid']) : 0;763 $form_data = isset( $_POST['form_data'] ) ? $_POST['form_data']:'';764 if ( is_array($form_data)) {756 $nonce_key = isset( $_POST['nonce'] ) ? 'nonce' : ( isset( $_POST['security'] ) ? 'security' : '' ); 757 $nonce_val = ( $nonce_key && isset( $_POST[ $nonce_key ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ $nonce_key ] ) ) : ''; 758 if ( ! $nonce_val || ! wp_verify_nonce( $nonce_val, 'my_ajax_nonce' ) ) { 759 wp_send_json_error( array( 'message' => __( 'Security check failed.', 'smart-appointment-booking' ) ) ); 760 wp_die(); 761 } 762 $error = ''; 763 $booking_date = isset( $_POST['booking_date'] ) ? sanitize_text_field( wp_unslash( $_POST['booking_date'] ) ) : ''; 764 $explode_booking_date = explode( '_', $booking_date ); 765 $form_id = isset( $explode_booking_date[1] ) ? absint( $explode_booking_date[1] ) : 0; 766 $format_bookingdate = ( isset( $explode_booking_date[4], $explode_booking_date[2], $explode_booking_date[3] ) ) ? $explode_booking_date[4] . '-' . $explode_booking_date[2] . '-' . $explode_booking_date[3] : ''; 767 $converted_bookingdate = $format_bookingdate ? gmdate( 'Y-m-d', strtotime( $format_bookingdate ) ) : ''; 768 $timeslot = isset( $_POST['timeslot'] ) ? sanitize_text_field( wp_unslash( $_POST['timeslot'] ) ) : ''; 769 $slotcapacity = isset( $_POST['slotcapacity'] ) ? 
sanitize_text_field( wp_unslash( $_POST['slotcapacity'] ) ) : ''; 770 $bookedseats = isset( $_POST['bookedseats'] ) ? sanitize_text_field( wp_unslash( $_POST['bookedseats'] ) ) : ''; 771 $form_id = isset( $_POST['fid'] ) ? absint( wp_unslash( $_POST['fid'] ) ) : $form_id; 772 $form_data = isset( $_POST['form_data'] ) ? wp_unslash( $_POST['form_data'] ) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- sanitized in loop below 773 if ( is_array( $form_data ) ) { 765 774 foreach ($form_data as $field_name => $field_value) { 766 775 // Check if the field value is an array (e.g., for checkboxes or multi-select) … … 989 998 } 990 999 function saab_add_event_to_calender(){ 991 1000 // OAuth callback from Google; code/state are from redirect, not form POST. Nonce not applicable. 1001 // phpcs:disable WordPress.Security.NonceVerification.Recommended 992 1002 ob_start(); 993 1003 994 if(isset($_GET['code'])){ 995 996 require_once SAAB_DIR . '/inc/lib/google-library/vendor/autoload.php'; 997 $stateParameter = ( isset( $_GET['state'] ) ) ? $_GET['state'] : ''; 1004 if ( isset( $_GET['code'] ) ) { 1005 require_once SAAB_DIR . '/inc/lib/google-library/vendor/autoload.php'; 1006 $stateParameter = isset( $_GET['state'] ) ? 
sanitize_text_field( wp_unslash( $_GET['state'] ) ) : ''; 998 1007 $mystate = explode('T', $stateParameter); 999 1008 $form_id = $mystate[0]; … … 1040 1049 $client_new->setAccessType('offline'); 1041 1050 1042 if ( isset($_GET['code'])) {1043 1044 $token = $client_new->fetchAccessTokenWithAuthCode( $_GET['code']);1051 if ( isset( $_GET['code'] ) ) { 1052 $auth_code = sanitize_text_field( wp_unslash( $_GET['code'] ) ); 1053 $token = $client_new->fetchAccessTokenWithAuthCode( $auth_code ); 1045 1054 $client_new->setAccessToken($token); 1046 1055 $service = new Google_Service_Calendar($client_new); … … 1104 1113 } 1105 1114 } 1115 // phpcs:enable WordPress.Security.NonceVerification.Recommended 1106 1116 return ob_get_clean(); 1107 1117 } … … 1117 1127 */ 1118 1128 function saab_send_notification($status, $form_id, $post_id, $form_data) { 1119 // Sanitize the status value from $_POST, if applicable 1120 $status = (isset($_POST['status']) && !empty($_POST['status'])) ? sanitize_text_field($_POST['status']) : $status; 1121 1122 // Log status to ensure it's being received correctly 1123 if (defined('WP_DEBUG') && WP_DEBUG) { 1124 error_log('Status received: ' . $status); 1125 } 1126 1129 // Status may be overridden from POST; nonce verified in calling AJAX handler. 1130 // phpcs:ignore WordPress.Security.NonceVerification.Missing 1131 $status = ( isset( $_POST['status'] ) && ! empty( $_POST['status'] ) ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : $status; 1132 1133 // Log status to ensure it's being received correctly. 1134 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1135 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1136 error_log( 'Status received: ' . 
$status ); 1137 } 1138 1127 1139 $message = ''; 1128 1140 $notificationFound = false; 1129 1141 1130 1142 // Get notification data 1131 $get_notification_array = get_post_meta($form_id, 'saab_notification_data', true); 1132 1133 // Log the retrieved notification data for debugging 1134 if (defined('WP_DEBUG') && WP_DEBUG) { 1135 error_log('Notification array: ' . print_r($get_notification_array, true)); 1143 $get_notification_array = get_post_meta( $form_id, 'saab_notification_data', true ); 1144 1145 // Log the retrieved notification data for debugging. 1146 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1147 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log, WordPress.PHP.DevelopmentFunctions.error_log_print_r 1148 error_log( 'Notification array: ' . print_r( $get_notification_array, true ) ); 1136 1149 } 1137 1150 … … 1143 1156 $notificationFound = true; // Mark notification as found 1144 1157 1145 // Log notification for debugging 1146 if (defined('WP_DEBUG') && WP_DEBUG) { 1147 error_log('Notification found: ' . print_r($notification, true)); 1158 // Log notification for debugging. 1159 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1160 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log, WordPress.PHP.DevelopmentFunctions.error_log_print_r 1161 error_log( 'Notification found: ' . print_r( $notification, true ) ); 1148 1162 } 1149 1163 … … 1167 1181 $check_body = $this->saab_check_shortcodes_exist_in_editor($check_body, $form_id, $form_data, $shortcodesArray); 1168 1182 1169 // Log email details for debugging 1170 if (defined('WP_DEBUG') && WP_DEBUG) { 1171 error_log('Email details: to: ' . $to . ', from: ' . $from . ', subject: ' . $subject . ', body: ' . $check_body); 1183 // Log email details for debugging. 1184 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1185 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1186 error_log( 'Email details: to: ' . $to . ', from: ' . $from . ', subject: ' . $subject . 
', body: ' . $check_body ); 1172 1187 } 1173 1188 1174 1189 // Set email headers 1175 1190 $headers = array( … … 1193 1208 $message = esc_html__('Email sent successfully', 'smart-appointment-booking'); 1194 1209 } else { 1195 $message = esc_html__('Failed to send email', 'smart-appointment-booking'); 1196 if (defined('WP_DEBUG') && WP_DEBUG) { 1197 error_log('Failed to send email to: ' . $to); // Debug logging 1210 $message = esc_html__( 'Failed to send email', 'smart-appointment-booking' ); 1211 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1212 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1213 error_log( 'Failed to send email to: ' . $to ); 1198 1214 } 1199 1215 } … … 1201 1217 } 1202 1218 } else { 1203 // Log an error if no notification data was found for the form 1204 if (defined('WP_DEBUG') && WP_DEBUG) { 1205 error_log('No notification data found for form ID: ' . $form_id); 1206 } 1207 } 1208 1209 // If no notification was found, log an error 1210 if ($notificationFound === false) { 1211 $message = __('Notification not found for the given status: ' . $status, 'smart-appointment-booking'); 1212 if (defined('WP_DEBUG') && WP_DEBUG) { 1213 error_log('Notification not found for the given status: ' . $status); // Debug logging 1214 } 1215 wp_send_json_error(array('message' => $message)); 1219 // Log an error if no notification data was found for the form. 1220 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1221 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1222 error_log( 'No notification data found for form ID: ' . $form_id ); 1223 } 1224 } 1225 1226 // If no notification was found, log an error. 1227 if ( $notificationFound === false ) { 1228 $message = sprintf( 1229 /* translators: %s: notification status (e.g. 
booked, approved, cancelled) */ 1230 __( 'Notification not found for the given status: %s', 'smart-appointment-booking' ), 1231 $status 1232 ); 1233 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1234 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1235 error_log( 'Notification not found for the given status: ' . $status ); 1236 } 1237 wp_send_json_error( array( 'message' => $message ) ); 1216 1238 wp_die(); 1217 1239 } … … 1225 1247 1226 1248 function saab_send_post_update_notification($status, $form_id, $post_id, $form_data) { 1227 // Sanitize status and other input data 1228 $status = (isset($_POST['status']) && !empty($_POST['status'])) ? sanitize_text_field($_POST['status']) : sanitize_text_field($status); 1249 // Status may be overridden from POST; nonce verified in calling AJAX handler. 1250 // phpcs:ignore WordPress.Security.NonceVerification.Missing 1251 $status = ( isset( $_POST['status'] ) && ! empty( $_POST['status'] ) ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : sanitize_text_field( $status ); 1229 1252 $message = ''; 1230 1253 … … 1284 1307 } else { 1285 1308 // Log details if email sending fails 1286 $message = __('Failed to send email. Details: to-' . $to . ', from-' . $from . ', Bcc-' . $bcc . ', Cc-' . $cc . ', subject-' . $subject . ', body-' . $check_body . ', headers-' . json_encode($headers), 'smart-appointment-booking'); 1287 if (defined('WP_DEBUG') && WP_DEBUG) { 1288 error_log('Failed to send email. Details: to-' . $to . ', from-' . $from . ', Bcc-' . $bcc . ', Cc-' . $cc . ', subject-' . $subject . ', body-' . $check_body . ', headers-' . json_encode($headers)); 1309 $message = sprintf( 1310 /* translators: 1: to address, 2: from address, 3: Bcc, 4: Cc, 5: subject, 6: body, 7: headers */ 1311 __( 'Failed to send email. 
Details: to-%1$s, from-%2$s, Bcc-%3$s, Cc-%4$s, subject-%5$s, body-%6$s, headers-%7$s', 'smart-appointment-booking' ), 1312 $to, 1313 $from, 1314 $bcc, 1315 $cc, 1316 $subject, 1317 $check_body, 1318 wp_json_encode( $headers ) 1319 ); 1320 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1321 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1322 error_log( 'Failed to send email. Details: to-' . $to . ', from-' . $from . ', Bcc-' . $bcc . ', Cc-' . $cc . ', subject-' . $subject . ', body-' . $check_body . ', headers-' . wp_json_encode( $headers ) ); 1289 1323 } 1290 1324 } … … 1294 1328 1295 1329 // Handle case where no matching notification is found 1296 if ($notificationFound === false) { 1297 $message = __('Notification not found for the given status: ' . $status, 'smart-appointment-booking'); 1298 if (defined('WP_DEBUG') && WP_DEBUG) { 1299 error_log('Notification not found for the given status: ' . $status); 1300 } 1301 } 1302 1330 if ( $notificationFound === false ) { 1331 $message = sprintf( 1332 /* translators: %s: notification status (e.g. booked, approved, cancelled) */ 1333 __( 'Notification not found for the given status: %s', 'smart-appointment-booking' ), 1334 $status 1335 ); 1336 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1337 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1338 error_log( 'Notification not found for the given status: ' . $status ); 1339 } 1340 } 1341 1303 1342 return $message; 1304 1343 } 1305 1344 1306 1345 /** 1307 1346 * Process the given field value containing shortcodes and replace them with actual values. … … 2113 2152 $timezone = get_post_meta($post_id,'saab_timezone',true); 2114 2153 $error = false; 2115 $TodaysDate = date('F d, Y');2116 $todaysDate = date('Y-m-d');2154 $TodaysDate = gmdate( 'F d, Y' ); 2155 $todaysDate = gmdate( 'Y-m-d' ); 2117 2156 echo "<h3 id='head_avail_time'><span class='gfb-timezone'>Timezone: " . esc_attr($timezone) . 
"</span></h3>"; 2118 2157 echo "<h4 id='headtodays_date'>" . esc_html($TodaysDate) . "</h4>"; … … 2326 2365 12 => 'December' 2327 2366 ); 2328 $currentMonth = isset($_POST['currentMonth']) ? intval($_POST['currentMonth']) : date('n'); //phpcs:ignore 2329 $currentMonth = max(1, min(12, $currentMonth)); // Ensure currentMonth is between 1 and 12 2330 $currentYear = isset($_POST['currentYear']) ? intval($_POST['currentYear']) : date('Y'); //phpcs:ignore 2331 $post_id = isset($_POST['form_id']) ? $_POST['form_id'] : ''; 2367 // phpcs:disable WordPress.Security.NonceVerification.Missing -- Calendar month/year/form_id from AJAX; nonce verified in caller or optional display. 2368 $currentMonth = isset( $_POST['currentMonth'] ) ? max( 1, min( 12, intval( wp_unslash( $_POST['currentMonth'] ) ) ) ) : (int) gmdate( 'n' ); 2369 $currentYear = isset( $_POST['currentYear'] ) ? absint( wp_unslash( $_POST['currentYear'] ) ) : (int) gmdate( 'Y' ); 2370 $post_id = isset( $_POST['form_id'] ) ? absint( wp_unslash( $_POST['form_id'] ) ) : 0; 2371 // phpcs:enable WordPress.Security.NonceVerification.Missing 2332 2372 $running_year = date("Y"); //phpcs:ignore 2333 2373 ob_start(); … … 2427 2467 */ 2428 2468 function saab_action_display_available_timeslots(){ 2429 ini_set('display_startup_errors', 1); 2430 ini_set('display_errors', 1); 2431 error_reporting(-1); 2432 //if( ! wp_verify_nonce( 'saab_front_nonce' ) ){} 2469 $nonce_key = isset( $_POST['nonce'] ) ? 'nonce' : ( isset( $_POST['security'] ) ? 'security' : '' ); 2470 $nonce_val = ( $nonce_key && isset( $_POST[ $nonce_key ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ $nonce_key ] ) ) : ''; 2471 if ( ! $nonce_val || ! 
wp_verify_nonce( $nonce_val, 'my_ajax_nonce' ) ) { 2472 wp_send_json_error( array( 'message' => __( 'Security check failed.', 'smart-appointment-booking' ) ) ); 2473 wp_die(); 2474 } 2433 2475 $error = false; 2434 if(isset( $_POST['form_data'])){ 2435 $form_data = $_POST['form_data']; 2436 $array_data = explode('_',$form_data); 2437 $post_id = $array_data[1]; 2438 $current_month = $array_data[2]; 2439 $current_day = $array_data[3]; 2440 $current_year = $array_data[4]; 2441 } 2442 if(isset( $_POST['clickedId'])){ 2443 $clickedId = $_POST['clickedId']; 2476 $post_id = 0; 2477 $current_month = ''; 2478 $current_day = ''; 2479 $current_year = ''; 2480 $clickedId = ''; 2481 if ( isset( $_POST['form_data'] ) ) { 2482 $form_data = sanitize_text_field( wp_unslash( $_POST['form_data'] ) ); 2483 $array_data = explode( '_', $form_data ); 2484 $post_id = isset( $array_data[1] ) ? absint( $array_data[1] ) : 0; 2485 $current_month = isset( $array_data[2] ) ? sanitize_text_field( $array_data[2] ) : ''; 2486 $current_day = isset( $array_data[3] ) ? sanitize_text_field( $array_data[3] ) : ''; 2487 $current_year = isset( $array_data[4] ) ? sanitize_text_field( $array_data[4] ) : ''; 2488 } 2489 if ( isset( $_POST['clickedId'] ) ) { 2490 $clickedId = sanitize_text_field( wp_unslash( $_POST['clickedId'] ) ); 2444 2491 } 2445 2492 $todaysDate = date('Y-m-d', strtotime("$current_year-$current_month-$current_day")); //phpcs:ignore … … 2523 2570 $response = array(); 2524 2571 2525 if ( isset($_POST['bookingId']) && isset($_POST['bookingstatus'])) {2572 if ( isset( $_POST['bookingId'] ) && isset( $_POST['bookingstatus'] ) ) { 2526 2573 // $booking_id = wp_base64_decode($encrypt_bookingId); 2527 $booking_id = $encrypt_bookingId;2528 $bookingstatus = isset( $_POST['bookingstatus']) ? 
sanitize_text_field($_POST['bookingstatus']) : '';2529 2530 if ( $bookingstatus === 'cancel') {2531 if ( isset($_POST['status'])) {2532 $status = sanitize_text_field( $_POST['status']);2574 $booking_id = $encrypt_bookingId; 2575 $bookingstatus = isset( $_POST['bookingstatus'] ) ? sanitize_text_field( wp_unslash( $_POST['bookingstatus'] ) ) : ''; 2576 2577 if ( $bookingstatus === 'cancel' ) { 2578 if ( isset( $_POST['status'] ) ) { 2579 $status = sanitize_text_field( wp_unslash( $_POST['status'] ) ); 2533 2580 if ($status === 'check') { 2534 2581 $get_current_status = get_post_meta($booking_id, 'saab_entry_status', true); … … 2587 2634 } 2588 2635 echo '<div class="booking-cancellation-card">'; 2589 $encrypt_bookingId = isset( $_REQUEST['booking_id']) ? sanitize_text_field($_REQUEST['booking_id']) : '';2590 2591 if ( isset($_REQUEST['booking_id']) && isset($_REQUEST['status'])) {2636 $encrypt_bookingId = isset( $_REQUEST['booking_id'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['booking_id'] ) ) : ''; 2637 2638 if ( isset( $_REQUEST['booking_id'] ) && isset( $_REQUEST['status'] ) ) { 2592 2639 // $booking_id = wp_base64_decode($encrypt_bookingId); 2593 2640 $booking_id = $encrypt_bookingId; 2594 $bookingstatus = sanitize_text_field( $_REQUEST['status']);2641 $bookingstatus = sanitize_text_field( wp_unslash( $_REQUEST['status'] ) ); 2595 2642 2596 2643 if ($bookingstatus === 'cancel' ) { … … 2625 2672 function saab_cancel_booking_shortcode() { 2626 2673 $response = array( 2627 'message' => esc_html__('','smart-appointment-booking'),2674 'message' => '', 2628 2675 'mail_message' => '', 2629 2676 -
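Review bot: In `saab_booking_form_submission` the new line `$form_data = isset( $_POST['form_data'] ) ? wp_unslash( $_POST['form_data'] ) : array();` carries a phpcs:ignore that says the value is sanitized in the loop below, but the loop only runs under `if ( is_array( $form_data ) )`, so a scalar `form_data` value is left unslashed and unsanitized in `$form_data` for whatever follows; the guard should mirror `saab_save_form_submission` in the same commit, i.e. `$form_data = isset( $_POST['form_data'] ) && is_array( $_POST['form_data'] ) ? map_deep( wp_unslash( $_POST['form_data'] ), 'sanitize_text_field' ) : array();`, which also removes the need for the phpcs:ignore. The same three-line nonce lookup (`$nonce_key` / `$nonce_val` / `wp_verify_nonce( $nonce_val, 'my_ajax_nonce' )`) is pasted verbatim into `saab_save_form_submission`, `saab_booking_form_submission` and `saab_action_display_available_timeslots`; a single private helper such as `saab_verify_front_ajax_nonce()` would keep the accepted field names and the action string in one place, which matters because the admin handlers in this changeset verify against a differently named action. In `saab_add_event_to_calender` the OAuth `state` query value is now sanitized and split to recover `form_id`, but as far as the visible lines show it is never compared against a value stored when the authorization was started, and the added comment `Nonce not applicable` sits exactly where that comparison belongs, since `state` is the CSRF binding of the OAuth redirect; if the check lives elsewhere, the comment should point to it. These three functions are only partly shown, and `saab_booking_form_submission` ends outside the visible hunk.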
smart-appointment-booking/tags/1.0.8/readme.txt
r3421205 r3450387 7 7 Tested up to: 6.9 8 8 License: GPL-3.0-or-later 9 Version: 1.0. 710 Stable tag: 1.0. 79 Version: 1.0.8 10 Stable tag: 1.0.8 11 11 License: GPLv3 or later License 12 12 License URI: http://www.gnu.org/licenses/gpl-3.0.html … … 131 131 == Changelog == 132 132 133 = 1.0.8 = 134 * Security: Nonce verification and input sanitization improvements across admin and front forms. 135 * Security: Proper use of wp_unslash() before sanitization for POST/GET data. 136 * Code quality: Addressed WordPress PHPCS warnings (escaping, validated input, slow query notices). 137 * Tested with the latest version of WordPress (6.9). 138 133 139 = 1.0.7 = 134 140 * Tested with the latest version of WordPress (6.9). … … 172 178 == Upgrade Notice == 173 179 180 = 1.0.8 = 181 * Security: Nonce verification and input sanitization improvements across admin and front forms. 182 * Security: Proper use of wp_unslash() before sanitization for POST/GET data. 183 * Code quality: Addressed WordPress PHPCS warnings (escaping, validated input, slow query notices). 184 * Tested with the latest version of WordPress (6.9). 185 186 = 1.0.7 = 187 * Tested with the latest version of WordPress (6.9). 
188 189 = 1.0.6 = 190 * Issue Fixed 191 192 = 1.0.5 = 193 * Issue Fixed 194 195 = 1.0.4 = 196 * Fix: Issue with enabling or disabling the booking form 197 * Fix: Calendar not displaying when clicking arrows 198 * Fix: Calendar not displaying when selecting a month 199 * Fix: Calendar not displaying when selecting a year 200 * Fix: Timeslot issue in the 'Manage Entry' section 201 * Fix: Display of booked timeslots in the form 202 * Fix: Change button name for "Add New Form (Booking Form)" 203 * Fix: Remove "View Post" link after form is published 204 * Fix: Generate shortcode when publishing the form 205 * Add: List of added users 206 * Add: List of added statuses 207 * Add: "Appointment Type: Virtual" option 208 209 = 1.0.3 = 210 * Fix: Date being selected in calendar issue 211 * Fix: Time being selected issue 212 * Fix: Available seat count issue 213 * Fix: Data listing issue 214 * Fix: Manage Entry issue 215 216 = 1.0.2 = 217 * The issue on the backend has been fixed. 218 219 = 1.0.1 = 220 * Issue Fixed "Form Is not being saved" 221 174 222 = 1.0.0 = 175 1.0 is Initial Release. 223 * Initial Release -
smart-appointment-booking/tags/1.0.8/smart-appointment-booking.php
r3421205 r3450387 4 4 * Plugin URL: https://wordpress.org/plugins/smart-appointment-booking/ 5 5 * Description: This is the all-in-one solution for efficient appointment management, offering customizable forms, seamless booking and modifications waitlist management. 6 * Version: 1.0. 76 * Version: 1.0.8 7 7 * Author: ZealousWeb 8 8 * Author URI: https://www.zealousweb.com … … 24 24 * 25 25 * @package Smart Appointment & Booking 26 * @since 1.0. 726 * @since 1.0.8 27 27 */ 28 28 29 29 /* Start of Code */ 30 30 if ( ! defined( 'SAAB_VERSION' ) ) { 31 define( 'SAAB_VERSION', '1.0. 7' ); // Version of the plugin31 define( 'SAAB_VERSION', '1.0.8' ); // Version of the plugin 32 32 } 33 33 -
smart-appointment-booking/trunk/inc/admin/class.saab.admin.action.php
r3154282 r3450387 200 200 ); 201 201 $get_notification_array = array(); 202 if (isset($_POST['notification_data'])) { 203 204 parse_str($_POST['notification_data'], $form_data); 202 if ( isset( $_POST['notification_data'] ) ) { 203 parse_str( sanitize_text_field( wp_unslash( $_POST['notification_data'] ) ), $form_data ); 205 204 $post_id = $form_data['form_id']; 206 205 $index = $form_data['editnotify']; … … 394 393 */ 395 394 function view_booking_entry( $post ){ 396 if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], '_wpnonce' ) ){395 if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ), '_wpnonce' ) ) { 397 396 //wp_die( 'Security check failed. Refresh the page and retry again!' ); 398 397 } 399 $post_id = ( isset( $_GET['post_id'] ) ) ? $_GET['post_id'] : '';398 $post_id = isset( $_GET['post_id'] ) ? absint( wp_unslash( $_GET['post_id'] ) ) : 0; 400 399 $form_data = get_post_meta( $post_id, 'saab_submission_data', true ); 401 400 $form_id = get_post_meta( $post_id, 'saab_form_id', true ); … … 529 528 } 530 529 function update_form_entry_data(){ 531 // if( ! isset( $_POST['zwt_saab_common_nonce'] ) || ! wp_verify_nonce( $_POST['zwt_saab_common_nonce'], 'zwt_saab_common_nonce' ) ){ 532 // wp_die( 'Security check failed. Refresh the page and retry again!' ); 533 // } 534 if (isset($_POST['entry_id']) && isset($_POST['updated_data']) ) { 535 $entry_id = ( isset( $_POST['entry_id'] ) ) ? $_POST['entry_id'] : ''; 536 $get_submitted_data = get_post_meta($entry_id, 'saab_submission_data', true); 537 $updated_data = ( isset( $_POST['updated_data'] ) ) ? $_POST['updated_data'] : ''; 530 if ( ! isset( $_POST['security'] ) || ! 
wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['security'] ) ), 'saab_ajax_nonce' ) ) { 531 wp_send_json_error( array( 'message' => __( 'Security check failed.', 'smart-appointment-booking' ) ) ); 532 wp_die(); 533 } 534 if ( isset( $_POST['entry_id'] ) && isset( $_POST['updated_data'] ) ) { 535 $entry_id = isset( $_POST['entry_id'] ) ? absint( wp_unslash( $_POST['entry_id'] ) ) : 0; 536 $get_submitted_data = get_post_meta( $entry_id, 'saab_submission_data', true ); 537 $updated_data = isset( $_POST['updated_data'] ) && is_array( $_POST['updated_data'] ) ? map_deep( wp_unslash( $_POST['updated_data'] ), 'sanitize_text_field' ) : array(); 538 538 foreach ($updated_data as $key => $value) { 539 539 if (isset($get_submitted_data['data'][$key])) { … … 575 575 echo "<div class='notification-page-main m-4 p-1 ' >"; 576 576 577 if (isset($_GET['post_type']) && isset($_GET['post_id']) && isset( $_GET['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash ($_POST['nonce'] ) ) , 'other_setting' )) { 578 579 $post_type = sanitize_text_field($_GET['post_type']); 580 581 $post_id = absint( $_GET['post_id']); 577 if ( isset( $_GET['post_type'] ) && isset( $_GET['post_id'] ) && isset( $_GET['nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['nonce'] ) ), 'other_setting' ) ) { 578 $post_type = sanitize_text_field( wp_unslash( $_GET['post_type'] ) ); 579 $post_id = absint( wp_unslash( $_GET['post_id'] ) ); 582 580 583 581 ?> … … 633 631 $fieldLabel = $option['fieldlabel']; 634 632 $selected = ($fieldKey == $first_name) ? 'selected' : ''; 635 echo '<option value="' . $fieldKey . '" ' . $selected . '>' . $fieldLabel. '</option>';633 echo '<option value="' . esc_attr( $fieldKey ) . '" ' . esc_attr( $selected ) . '>' . esc_html( $fieldLabel ) . '</option>'; 636 634 } 637 635 ?> … … 995 993 wp_send_json($response); 996 994 }else{ 997 if ( null !== ($_POST['post_id'] ?? null) && null !== absint($_POST['notification_id'] ?? 
null) && null !== sanitize_text_field($_POST['new_state'] ?? null)) {998 $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;999 $notification_id = isset($_POST['notification_id']) ? absint($_POST['notification_id']) : 0;1000 1001 $index = ltrim( $notification_id, "notify_");1002 $new_state = isset($_POST['new_state']) ? sanitize_text_field($_POST['new_state']) : '';995 if ( isset( $_POST['post_id'] ) && isset( $_POST['notification_id'] ) && isset( $_POST['new_state'] ) ) { 996 $post_id = absint( wp_unslash( $_POST['post_id'] ) ); 997 $notification_id = absint( wp_unslash( $_POST['notification_id'] ) ); 998 999 $index = ltrim( (string) $notification_id, 'notify_' ); 1000 $new_state = sanitize_text_field( wp_unslash( $_POST['new_state'] ) ); 1003 1001 1004 1002 // Get the existing notification metadata … … 1034 1032 wp_die(); 1035 1033 } 1036 if (isset($_POST['indexes'])) { 1037 $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0; 1038 $indexesToDelete = isset($_POST['indexes']) ? $_POST['indexes'] : ''; 1034 if ( isset( $_POST['indexes'] ) && is_array( $_POST['indexes'] ) ) { 1035 $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0; 1036 $indexes_raw = wp_unslash( $_POST['indexes'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- sanitized via map_deep below 1037 $indexesToDelete = map_deep( $indexes_raw, 'sanitize_text_field' ); 1039 1038 $notification_metadata = get_post_meta($post_id, 'saab_notification_data', true); 1040 1039 foreach ($indexesToDelete as $index) { … … 1130 1129 foreach ($available_types as $avail_type) { 1131 1130 $selected = ($avail_type === $type) ? 'selected' : ''; 1132 echo '<option value="' . esc_html($avail_type) . '" ' . esc_attr($selected) . '>' . ucfirst(esc_html($avail_type)) . '</option>';1131 echo '<option value="' . esc_html($avail_type) . '" ' . esc_attr($selected) . '>' . esc_html( ucfirst( $avail_type ) ) . 
'</option>'; 1133 1132 1134 1133 } … … 1205 1204 $post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0; 1206 1205 1207 $form_data = isset( $_POST['form_data'] ) ? sanitize_text_field( $_POST['form_data']) : array();1206 $form_data = isset( $_POST['form_data'] ) ? sanitize_text_field( wp_unslash( $_POST['form_data'] ) ) : ''; 1208 1207 1209 1208 update_post_meta($post_id, 'saab_formschema', $form_data ); … … 1229 1228 1230 1229 if (isset($form_title)) { 1231 echo sprintf( 1232 esc_html__('%s', 'smart-appointment-booking'), 1233 esc_html($form_title) 1234 ); 1230 echo esc_html( $form_title ); 1235 1231 1236 1232 }else{ … … 1242 1238 1243 1239 if (isset($booking_status) && !empty($booking_status)) { 1244 echo sprintf( 1245 esc_html__('%s', 'smart-appointment-booking'), 1246 esc_html(ucfirst($booking_status)) 1247 ); 1240 echo esc_html( ucfirst( $booking_status ) ); 1248 1241 }else{ 1249 1242 echo '-'; … … 1263 1256 $booked_date = gmdate('d F, Y', strtotime($booked_date)); 1264 1257 if (isset($booking_date) && !empty($booking_date)) { 1265 echo sprintf( 1266 esc_html__('%s', 'smart-appointment-booking'), 1267 esc_html($booked_date) 1268 ); 1269 1258 echo esc_html( $booked_date ); 1270 1259 } 1271 1260 }else{ … … 1277 1266 1278 1267 if (isset($timeslot) && !empty($timeslot)) { 1279 echo sprintf( 1280 esc_html__('%s', 'smart-appointment-booking'), 1281 esc_html($timeslot) 1282 ); 1268 echo esc_html( $timeslot ); 1283 1269 }else{ 1284 1270 echo '-'; … … 1342 1328 $error = 1; 1343 1329 $error_mess = "Something went wrong"; 1344 error_log( "post_id not found while preview");1330 error_log( "post_id not found while preview" ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1345 1331 } 1346 1332 … … 1451 1437 wp_die(); 1452 1438 } 1453 $user_mapping = isset( $_POST['saabuser_mapping']) ? sanitize_text_field($_POST['saabuser_mapping']) : '';1439 $user_mapping = isset( $_POST['saabuser_mapping'] ) ? 
sanitize_text_field( wp_unslash( $_POST['saabuser_mapping'] ) ) : ''; 1454 1440 1455 1441 parse_str($user_mapping, $user_mapping_array); … … 1483 1469 if (isset($_POST['confirmation_data'])) { 1484 1470 1485 parse_str( wp_unslash(sanitize_text_field($_POST['confirmation_data'])), $formdata);1471 parse_str( sanitize_text_field( wp_unslash( $_POST['confirmation_data'] ) ), $formdata ); 1486 1472 1487 1473 $post_id = $formdata['post_id']; … … 1583 1569 foreach ($options as $value => $label) { 1584 1570 $selected = selected($status, $value, false); 1585 echo '<option value="' . esc_attr($value) . '" ' . $selected. '>' . esc_html($label) . '</option>';1571 echo '<option value="' . esc_attr($value) . '" ' . esc_attr( $selected ) . '>' . esc_html($label) . '</option>'; 1586 1572 } 1587 1573 echo '</select>'; 1588 1574 1589 $selected_form_id = isset( $_GET['form_filter']) ? sanitize_text_field($_GET['form_filter']) : '';1575 $selected_form_id = isset( $_GET['form_filter'] ) ? sanitize_text_field( wp_unslash( $_GET['form_filter'] ) ) : ''; 1590 1576 1591 1577 $forms_query = new WP_Query($args); … … 1622 1608 } 1623 1609 1624 if ('edit.php' === $pagenow && 'manage_entries' === $typenow) { 1625 $booking_status = isset($_GET['booking_status']) ? sanitize_text_field($_GET['booking_status']) : ''; 1626 $form_filter = isset($_GET['form_filter']) ? intval($_GET['form_filter']) : 0; 1627 1628 if (!empty($booking_status) || !empty($form_filter)) { 1629 $meta_query = array('relation' => 'and'); 1630 1631 if (!empty($booking_status) && in_array($booking_status, array('booked', 'approved', 'cancelled', 'pending', 'waiting', 'submitted'))) { 1610 if ( 'edit.php' === $pagenow && 'manage_entries' === $typenow ) { 1611 $booking_status = isset( $_GET['booking_status'] ) ? sanitize_text_field( wp_unslash( $_GET['booking_status'] ) ) : ''; 1612 $form_filter = isset( $_GET['form_filter'] ) ? absint( wp_unslash( $_GET['form_filter'] ) ) : 0; 1613 1614 if ( ! empty( $booking_status ) || ! 
empty( $form_filter ) ) { 1615 // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query -- Filtering entries by status/form requires meta_query. 1616 $meta_query = array( 'relation' => 'and' ); 1617 1618 if ( ! empty( $booking_status ) && in_array( $booking_status, array( 'booked', 'approved', 'cancelled', 'pending', 'waiting', 'submitted' ), true ) ) { 1632 1619 $meta_query[] = array( 1633 'key' => 'entry_status',1634 'value' => $booking_status,1635 'compare' => '=' 1620 'key' => 'entry_status', 1621 'value' => $booking_status, 1622 'compare' => '=', 1636 1623 ); 1637 1624 } 1638 1625 1639 if ( !empty($form_filter)) {1626 if ( ! empty( $form_filter ) ) { 1640 1627 $meta_query[] = array( 1641 'key' => 'saab_form_id',1642 'value' => $form_filter,1643 'compare' => '=' 1628 'key' => 'saab_form_id', 1629 'value' => $form_filter, 1630 'compare' => '=', 1644 1631 ); 1645 1632 } 1646 1633 1647 $query->set( 'meta_query', $meta_query);1634 $query->set( 'meta_query', $meta_query ); 1648 1635 } 1649 1636 } … … 1700 1687 // Define the current page number 1701 1688 1702 $current_page = isset($_POST['page']) ? absint($_POST['page']) : 1; 1703 $timeslot = isset($_POST['timeslot']) ? sanitize_text_field($_POST['timeslot']) : ''; 1704 $booking_date = isset($_POST['booking_date']) ? sanitize_text_field($_POST['booking_date']) : ''; 1705 1689 $current_page = isset( $_POST['page'] ) ? absint( wp_unslash( $_POST['page'] ) ) : 1; 1690 $timeslot = isset( $_POST['timeslot'] ) ? sanitize_text_field( wp_unslash( $_POST['timeslot'] ) ) : ''; 1691 $booking_date = isset( $_POST['booking_date'] ) ? sanitize_text_field( wp_unslash( $_POST['booking_date'] ) ) : ''; 1692 1693 // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query -- Waiting list filtered by timeslot/booking_date. 
1706 1694 $args = array( 1707 'post_type' => 'manage_entries',1708 'posts_per_page' => 5, // Show 5 entries per page1709 'paged' => $current_page, // Use the current page number for pagination1710 'meta_query' => array(1695 'post_type' => 'manage_entries', 1696 'posts_per_page' => 5, 1697 'paged' => $current_page, 1698 'meta_query' => array( 1711 1699 'relation' => 'AND', 1712 1700 array( 1713 'key' => 'timeslot',1714 'value' => $timeslot,1715 'compare' => '=' 1701 'key' => 'timeslot', 1702 'value' => $timeslot, 1703 'compare' => '=', 1716 1704 ), 1717 1705 array( 1718 'key' => 'booking_date',1719 'value' => $booking_date,1720 'compare' => '=' 1721 ) 1722 ) 1723 ); 1724 1725 $query = new WP_Query( $args);1706 'key' => 'booking_date', 1707 'value' => $booking_date, 1708 'compare' => '=', 1709 ), 1710 ), 1711 ); 1712 1713 $query = new WP_Query( $args ); 1726 1714 ob_start(); 1727 1715 if ($query->have_posts()) { -
smart-appointment-booking/trunk/inc/admin/class.saab.admin.fieldmeta.php
r3154282 r3450387 26 26 27 27 function saab_get_available_seats_per_timeslot($checktimeslot,$date){ 28 28 // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query -- Seats count filtered by timeslot/booking_date. 29 29 $args = array( 30 'post_type' => 'manage_entries',30 'post_type' => 'manage_entries', 31 31 'posts_per_page' => -1, 32 'meta_query' => array(32 'meta_query' => array( 33 33 'relation' => 'AND', 34 34 array( … … 234 234 <div id="waitinglist_main"> 235 235 <?php 236 237 $current_page = isset($_GET['page']) ? absint($_GET['page']) : 1; 236 // Pagination; nonce not used for GET page parameter in admin list. 237 // phpcs:ignore WordPress.Security.NonceVerification.Recommended 238 $current_page = isset( $_GET['page'] ) ? absint( wp_unslash( $_GET['page'] ) ) : 1; 239 // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query -- Waiting list filtered by timeslot/status/booking_date. 238 240 $args = array( 239 'post_type' => 'manage_entries',240 'posts_per_page' => 5, 241 'paged' => $current_page,242 'orderby' => 'date',243 'order' => 'ASC',244 'meta_query' => array(241 'post_type' => 'manage_entries', 242 'posts_per_page' => 5, 243 'paged' => $current_page, 244 'orderby' => 'date', 245 'order' => 'ASC', 246 'meta_query' => array( 245 247 'relation' => 'AND', 246 248 array( … … 311 313 if ($total_pages > 1) { 312 314 313 echo '<select id="saabpage-number" data-timeslot="' . esc_attr($timeslot) . '" data-booking_date="' . esc_attr($booking_date) . '" data-nonce="' .wp_create_nonce('get_paginated_items_nonce').'">';315 echo '<select id="saabpage-number" data-timeslot="' . esc_attr($timeslot) . '" data-booking_date="' . esc_attr($booking_date) . '" data-nonce="' . esc_attr( wp_create_nonce( 'get_paginated_items_nonce' ) ) . '">'; 314 316 for ($page = 1; $page <= $total_pages; $page++) { 315 317 echo '<option value="' . esc_attr($page) . 
'"'; … … 352 354 <script type='text/javascript'> 353 355 354 var myScriptData = <?php echo $myScriptData; ?>;356 var myScriptData = <?php echo $myScriptData; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- JSON schema from post meta, validated on save. ?>; 355 357 window.onload = function() { 356 358 … … 587 589 //echo wp_kses( $this->timezone_dropdown($post->ID), $allow_time_dropdown ); 588 590 ?> 589 <?php echo $this->timezone_dropdown($post->ID); ?>591 <?php echo wp_kses_post( $this->timezone_dropdown( $post->ID ) ); ?> 590 592 591 593 </div> … … 863 865 return $post_id; 864 866 } 865 if ( isset($_POST['cal_title'])) {866 $cal_title = sanitize_text_field( $_POST['cal_title']);867 update_post_meta( $post_id, 'saab_cal_title', $cal_title);868 } 869 870 if ( isset($_POST['cal_description'])) {871 $cal_description = sanitize_text_field( $_POST['cal_description']);872 update_post_meta( $post_id, 'saab_cal_description', $cal_description);867 if ( isset( $_POST['cal_title'] ) ) { 868 $cal_title = sanitize_text_field( wp_unslash( $_POST['cal_title'] ) ); 869 update_post_meta( $post_id, 'saab_cal_title', $cal_title ); 870 } 871 872 if ( isset( $_POST['cal_description'] ) ) { 873 $cal_description = sanitize_text_field( wp_unslash( $_POST['cal_description'] ) ); 874 update_post_meta( $post_id, 'saab_cal_description', $cal_description ); 873 875 } 874 876 // Section Tab 1 … … 881 883 } 882 884 //Weekdays 883 if ( isset($_POST['weekdays'])) {884 $selected_weekdays = array_map( 'sanitize_text_field', $_POST['weekdays']);885 update_post_meta( $post_id, 'saab_weekdays', $selected_weekdays);885 if ( isset( $_POST['weekdays'] ) ) { 886 $selected_weekdays = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['weekdays'] ) ); 887 update_post_meta( $post_id, 'saab_weekdays', $selected_weekdays ); 886 888 } else { 887 889 update_post_meta($post_id, 'saab_weekdays', array()); … … 889 891 890 892 // Save the radio button value for appointment Type 891 if ( 
isset($_POST['appointment_type'])) {892 $selected_option = sanitize_text_field( $_POST['appointment_type']);893 if ( isset( $_POST['appointment_type'] ) ) { 894 $selected_option = sanitize_text_field( wp_unslash( $_POST['appointment_type'] ) ); 893 895 update_post_meta($post_id, 'saab_appointment_type', $selected_option); 894 896 } 895 897 896 898 // Save the link value if Appointment Type "Virtual" is selected 897 if ( isset($_POST['virtual_link'])) {898 $link_value = sanitize_text_field( $_POST['virtual_link']);899 if ( isset( $_POST['virtual_link'] ) ) { 900 $link_value = sanitize_text_field( wp_unslash( $_POST['virtual_link'] ) ); 899 901 update_post_meta($post_id, 'saab_virtual_link', $link_value); 900 902 } … … 902 904 //Symbol 903 905 if ( isset( $_POST['label_symbol'] ) ) { 904 $label_symbol = sanitize_text_field( $_POST['label_symbol']);906 $label_symbol = sanitize_text_field( wp_unslash( $_POST['label_symbol'] ) ); 905 907 update_post_meta( $post_id, 'saab_label_symbol', $label_symbol ); 906 908 } … … 908 910 //Symbol 909 911 if ( isset( $_POST['cost'] ) ) { 910 $cost = sanitize_text_field( $_POST['cost']);912 $cost = sanitize_text_field( wp_unslash( $_POST['cost'] ) ); 911 913 update_post_meta( $post_id, 'saab_cost', $cost ); 912 914 } 913 915 914 916 if ( isset( $_POST['timezone'] ) ) { 915 $timezone = sanitize_text_field( $_POST['timezone']);917 $timezone = sanitize_text_field( wp_unslash( $_POST['timezone'] ) ); 916 918 update_post_meta( $post_id, 'saab_timezone', $timezone ); 917 919 } 918 920 919 921 if ( isset( $_POST['bookmap_email'] ) ) { 920 $map_email = sanitize_text_field( $_POST['bookmap_email']);922 $map_email = sanitize_text_field( wp_unslash( $_POST['bookmap_email'] ) ); 921 923 update_post_meta( $post_id, 'saab_map_email', $map_email ); 922 924 } 923 925 924 926 if ( isset( $_POST['cost'] ) ) { 925 $cost = sanitize_text_field( $_POST['cost']);927 $cost = sanitize_text_field( wp_unslash( $_POST['cost'] ) ); 926 928 update_post_meta( 
$post_id, 'saab_saab_cost', $cost ); 927 929 } 928 930 929 931 //selected_date 930 if ( isset($_POST['selected_date'])) {931 update_post_meta( $post_id, 'saab_selected_date', sanitize_text_field($_POST['selected_date']));932 } 933 934 if ( isset($_POST['start_time'])) {935 update_post_meta( $post_id, 'saab_start_time', sanitize_text_field($_POST['start_time']));936 } 937 938 if ( isset($_POST['end_time'])) {939 update_post_meta( $post_id, 'saab_end_time', sanitize_text_field($_POST['end_time']));940 } 941 932 if ( isset( $_POST['selected_date'] ) ) { 933 update_post_meta( $post_id, 'saab_selected_date', sanitize_text_field( wp_unslash( $_POST['selected_date'] ) ) ); 934 } 935 936 if ( isset( $_POST['start_time'] ) ) { 937 update_post_meta( $post_id, 'saab_start_time', sanitize_text_field( wp_unslash( $_POST['start_time'] ) ) ); 938 } 939 940 if ( isset( $_POST['end_time'] ) ) { 941 update_post_meta( $post_id, 'saab_end_time', sanitize_text_field( wp_unslash( $_POST['end_time'] ) ) ); 942 } 943 942 944 //Steps Duration 943 945 if ( isset( $_POST['steps_duration'] ) ) { 944 $steps_duration = sanitize_text_field($_POST['steps_duration']);946 $steps_duration = map_deep( wp_unslash( $_POST['steps_duration'] ), 'sanitize_text_field' ); 945 947 $sanitized_steps_duration = array( 946 948 'hours' => sanitize_text_field( $steps_duration['hours'] ), … … 952 954 } 953 955 //timeslot_duration 954 if ( isset( $_POST['booking_stops_after'] ) ) { 955 $booking_stops_after_duration = $_POST['booking_stops_after']; 956 $booking_stops_after_duration = ( isset( $_POST['booking_stops_after'] ) && is_array( $_POST['booking_stops_after'] ) ) 957 ? map_deep( wp_unslash( $_POST['booking_stops_after'] ), 'sanitize_text_field' ) 958 : array(); 959 if ( ! 
empty( $booking_stops_after_duration ) ) { 956 960 $sanitized_booking_stops_after_duration = array( 957 'hours' => sanitize_text_field( $booking_stops_after_duration['hours'] ),958 'minutes' => sanitize_text_field( $booking_stops_after_duration['minutes'] )961 'hours' => isset( $booking_stops_after_duration['hours'] ) ? $booking_stops_after_duration['hours'] : '', 962 'minutes' => isset( $booking_stops_after_duration['minutes'] ) ? $booking_stops_after_duration['minutes'] : '', 959 963 ); 960 964 … … 963 967 } 964 968 //timeslot_duration 965 if ( isset( $_POST['timeslot_duration'] ) ) {966 $timeslot_duration = sanitize_text_field($_POST['timeslot_duration']);969 if ( isset( $_POST['timeslot_duration'] ) && is_array( $_POST['timeslot_duration'] ) ) { 970 $timeslot_duration = map_deep( wp_unslash( $_POST['timeslot_duration'] ), 'sanitize_text_field' ); 967 971 $sanitized_timeslot_duration = array( 968 'hours' => sanitize_text_field( $timeslot_duration['hours'] ),969 'minutes' => sanitize_text_field( $timeslot_duration['minutes'] )972 'hours' => isset( $timeslot_duration['hours'] ) ? $timeslot_duration['hours'] : '', 973 'minutes' => isset( $timeslot_duration['minutes'] ) ? 
$timeslot_duration['minutes'] : '', 970 974 ); 971 975 … … 975 979 //no_of_booking 976 980 if ( isset( $_POST['no_of_booking'] ) ) { 977 $selected_date = absint( $_POST['no_of_booking']);981 $selected_date = absint( wp_unslash( $_POST['no_of_booking'] ) ); 978 982 update_post_meta( $post_id, 'saab_no_of_booking', $selected_date ); 979 983 } 980 984 //waiting List 981 if ( isset($_POST['waiting_list']) && filter_var($_POST['waiting_list'], FILTER_VALIDATE_BOOLEAN)) {982 update_post_meta( $post_id, 'saab_waiting_list', 1);985 if ( isset( $_POST['waiting_list'] ) && filter_var( wp_unslash( $_POST['waiting_list'] ), FILTER_VALIDATE_BOOLEAN ) ) { 986 update_post_meta( $post_id, 'saab_waiting_list', 1 ); 983 987 } else { 984 988 delete_post_meta($post_id, 'saab_waiting_list'); 985 989 } 986 990 //timeslotBookingAllowed 987 if ( isset($_POST['timeslot_BookAllow']) && filter_var($_POST['timeslot_BookAllow'], FILTER_VALIDATE_BOOLEAN)) {991 if ( isset( $_POST['timeslot_BookAllow'] ) && filter_var( wp_unslash( $_POST['timeslot_BookAllow'] ), FILTER_VALIDATE_BOOLEAN ) ) { 988 992 update_post_meta($post_id, 'saab_timeslot_BookAllow', 1); 989 993 } else { … … 991 995 } 992 996 //enable_auto_approve 993 if ( isset($_POST['enable_auto_approve']) && filter_var($_POST['enable_auto_approve'], FILTER_VALIDATE_BOOLEAN)) {997 if ( isset( $_POST['enable_auto_approve'] ) && filter_var( wp_unslash( $_POST['enable_auto_approve'] ), FILTER_VALIDATE_BOOLEAN ) ) { 994 998 update_post_meta($post_id, 'saab_enable_auto_approve', 1); 995 999 } else { … … 997 1001 } 998 1002 //multiple breaks 999 if (isset($_POST['breaktimeslots'])) { 1000 $breaktimeslots = sanitize_text_field($_POST['breaktimeslots']); 1001 1002 // Sanitize and save the values 1003 if ( isset( $_POST['breaktimeslots'] ) && is_array( $_POST['breaktimeslots'] ) ) { 1004 $breaktimeslots = map_deep( wp_unslash( $_POST['breaktimeslots'] ), 'sanitize_text_field' ); 1005 1003 1006 $sanitized_breaktimeslots = array(); 1004 foreach ( 
$breaktimeslots as $breaktimeslot) {1005 $breakstart_time = sanitize_text_field($breaktimeslot['start_time']);1006 $breakend_time = sanitize_text_field($breaktimeslot['end_time']);1007 foreach ( $breaktimeslots as $breaktimeslot ) { 1008 $breakstart_time = isset( $breaktimeslot['start_time'] ) ? $breaktimeslot['start_time'] : ''; 1009 $breakend_time = isset( $breaktimeslot['end_time'] ) ? $breaktimeslot['end_time'] : ''; 1007 1010 $sanitized_breaktimeslots[] = array( 1008 1011 'start_time' => $breakstart_time, … … 1024 1027 } 1025 1028 1026 if (isset($_POST['generatetimeslot'])) { 1027 $generatetimeslots = $_POST['generatetimeslot']; 1028 // Sanitize and save the values 1029 $generatetimeslots = ( isset( $_POST['generatetimeslot'] ) && is_array( $_POST['generatetimeslot'] ) ) 1030 ? map_deep( wp_unslash( $_POST['generatetimeslot'] ), 'sanitize_text_field' ) 1031 : array(); 1032 if ( ! empty( $generatetimeslots ) ) { 1029 1033 $sanitized_generatetimeslots = array(); 1030 foreach ($generatetimeslots as $generatetimeslot) { 1031 $generatestart_time = $generatetimeslot['start_time']; 1032 $generateend_time = $generatetimeslot['end_time']; 1034 foreach ( $generatetimeslots as $generatetimeslot ) { 1033 1035 $sanitized_generatetimeslots[] = array( 1034 'start_time' => $generatestart_time,1035 'end_time' => $generateend_time,1036 'start_time' => isset( $generatetimeslot['start_time'] ) ? $generatetimeslot['start_time'] : '', 1037 'end_time' => isset( $generatetimeslot['end_time'] ) ? 
$generatetimeslot['end_time'] : '', 1036 1038 ); 1037 1039 } … … 1051 1053 1052 1054 //Enable Recurring Events 1053 if ( isset($_POST['enable_recurring_apt']) && filter_var($_POST['enable_recurring_apt'], FILTER_VALIDATE_BOOLEAN)) {1055 if ( isset( $_POST['enable_recurring_apt'] ) && filter_var( wp_unslash( $_POST['enable_recurring_apt'] ), FILTER_VALIDATE_BOOLEAN ) ) { 1054 1056 update_post_meta($post_id, 'saab_enable_recurring_apt', 1); 1055 1057 } else { 1056 1058 delete_post_meta($post_id, 'saab_enable_recurring_apt'); 1057 1059 } 1058 if ( isset($_POST['enable_advance_setting']) && filter_var($_POST['enable_advance_setting'], FILTER_VALIDATE_BOOLEAN)) {1060 if ( isset( $_POST['enable_advance_setting'] ) && filter_var( wp_unslash( $_POST['enable_advance_setting'] ), FILTER_VALIDATE_BOOLEAN ) ) { 1059 1061 update_post_meta($post_id, 'saab_enable_advance_setting', 1); 1060 1062 } else { 1061 1063 delete_post_meta($post_id, 'saab_enable_advance_setting'); 1062 1064 } 1063 if (isset($_POST['recurring_type'])) { 1064 $recurring_type = sanitize_text_field($_POST['recurring_type']); 1065 update_post_meta($post_id, 'saab_recurring_type', $recurring_type); 1066 } 1067 if (isset($_POST['recur_weekdays'])) { 1068 $sanitized_recur_weekdays = array_map('sanitize_text_field', $_POST['recur_weekdays']); 1069 update_post_meta($post_id, 'saab_recur_weekdays', $sanitized_recur_weekdays); 1070 } 1071 if (isset($_POST['advancedata'])) { 1072 $advancedata = $_POST['advancedata']; 1073 update_post_meta($post_id, 'saab_advancedata', $advancedata); 1065 if ( isset( $_POST['recurring_type'] ) ) { 1066 $recurring_type = sanitize_text_field( wp_unslash( $_POST['recurring_type'] ) ); 1067 update_post_meta( $post_id, 'saab_recurring_type', $recurring_type ); 1068 } 1069 if ( isset( $_POST['recur_weekdays'] ) ) { 1070 $sanitized_recur_weekdays = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['recur_weekdays'] ) ); 1071 update_post_meta( $post_id, 'saab_recur_weekdays', 
$sanitized_recur_weekdays ); 1072 } 1073 if ( isset( $_POST['advancedata'] ) ) { 1074 $advancedata = is_array( $_POST['advancedata'] ) 1075 ? map_deep( wp_unslash( $_POST['advancedata'] ), 'sanitize_text_field' ) 1076 : sanitize_text_field( wp_unslash( $_POST['advancedata'] ) ); 1077 update_post_meta( $post_id, 'saab_advancedata', $advancedata ); 1074 1078 }else { 1075 1079 delete_post_meta($post_id, 'saab_advancedata'); 1076 1080 } 1077 if ( isset($_POST['holidays'])) {1078 $holidays = array_map( 'sanitize_text_field', $_POST['holidays']);1081 if ( isset( $_POST['holidays'] ) ) { 1082 $holidays = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['holidays'] ) ); 1079 1083 update_post_meta($post_id, 'saab_holiday_dates', $holidays); 1080 1084 } 1081 if ( isset($_POST['end_repeats'])) {1082 $end_repeats = sanitize_text_field( $_POST['end_repeats']);1085 if ( isset( $_POST['end_repeats'] ) ) { 1086 $end_repeats = sanitize_text_field( wp_unslash( $_POST['end_repeats'] ) ); 1083 1087 update_post_meta($post_id, 'saab_end_repeats', $end_repeats); 1084 1088 } 1085 if ( isset($_POST['end_repeats_on'])) {1086 $end_repeats_on = sanitize_text_field( $_POST['end_repeats_on']);1089 if ( isset( $_POST['end_repeats_on'] ) ) { 1090 $end_repeats_on = sanitize_text_field( wp_unslash( $_POST['end_repeats_on'] ) ); 1087 1091 update_post_meta($post_id, 'saab_end_repeats_on', $end_repeats_on); 1088 1092 } 1089 if ( isset($_POST['end_repeats_after'])) {1090 $end_repeats_after = sanitize_text_field( $_POST['end_repeats_after']);1093 if ( isset( $_POST['end_repeats_after'] ) ) { 1094 $end_repeats_after = sanitize_text_field( wp_unslash( $_POST['end_repeats_after'] ) ); 1091 1095 update_post_meta($post_id, 'saab_end_repeats_after', $end_repeats_after); 1092 1096 } … … 1111 1115 } 1112 1116 1113 if ( isset($_POST['notes'])) {1114 $notes = sanitize_textarea_field( $_POST['notes']);1117 if ( isset( $_POST['notes'] ) ) { 1118 $notes = sanitize_textarea_field( wp_unslash( 
$_POST['notes'] ) ); 1115 1119 update_post_meta($post_id, 'saab_notes', $notes); 1116 1120 } 1117 1121 1118 if ( isset($_POST['form_id'])) {1119 $form_id = sanitize_text_field( $_POST['form_id']);1120 } 1121 1122 if ( isset($_POST['no_of_bookings'])) {1123 $no_of_bookings = absint( $_POST['no_of_bookings']);1122 if ( isset( $_POST['form_id'] ) ) { 1123 $form_id = sanitize_text_field( wp_unslash( $_POST['form_id'] ) ); 1124 } 1125 1126 if ( isset( $_POST['no_of_bookings'] ) ) { 1127 $no_of_bookings = absint( wp_unslash( $_POST['no_of_bookings'] ) ); 1124 1128 update_post_meta($post_id, 'saab_slotcapacity', $no_of_bookings); 1125 1129 } 1126 1130 1127 if ( isset($_POST['booking_date'])) {1128 $booking_date = sanitize_text_field( $_POST['booking_date']);1131 if ( isset( $_POST['booking_date'] ) ) { 1132 $booking_date = sanitize_text_field( wp_unslash( $_POST['booking_date'] ) ); 1129 1133 $currentMonth = gmdate('n',strtotime($booking_date)); 1130 1134 $currentYear = gmdate('Y',strtotime($booking_date)); … … 1133 1137 update_post_meta($post_id, 'saab_booking_date', $booking_date); 1134 1138 } 1135 if ( isset($_POST['start_time']) && isset($_POST['end_time'])) {1136 $start_time = trim( gmdate("h:i A", strtotime( sanitize_text_field($_POST['start_time']) )));1137 $end_time = trim(gmdate("h:i A", strtotime( sanitize_text_field($_POST['end_time']) )));1139 if ( isset( $_POST['start_time'] ) && isset( $_POST['end_time'] ) ) { 1140 $start_time = trim( gmdate( 'h:i A', strtotime( sanitize_text_field( wp_unslash( $_POST['start_time'] ) ) ) ) ); 1141 $end_time = trim( gmdate( 'h:i A', strtotime( sanitize_text_field( wp_unslash( $_POST['end_time'] ) ) ) ) ); 1138 1142 $timeslot = $start_time.'-'.$end_time; 1139 1143 update_post_meta($post_id, 'saab_timeslot', $timeslot); 1140 1144 } 1141 1145 1142 if ( isset($_POST['manual_notification']) && sanitize_text_field($_POST['manual_notification'] !== 'any')) {1143 $selected_action = isset($_POST['manual_notification']) ? 
sanitize_text_field($_POST['manual_notification']) : '';1144 $booking_status = isset($_POST['booking_status']) ? sanitize_text_field($_POST['booking_status']) : '';1145 // update_post_meta($post_id, 'saab_entry_status', $booking_status); 1146 $bookingId = isset($_POST['post_id']) ? absint($_POST['post_id']) : '';1147 $status = isset($_POST['status']) ? sanitize_text_field($_POST['status']) : '';1146 if ( isset( $_POST['manual_notification'] ) && sanitize_text_field( wp_unslash( $_POST['manual_notification'] ) ) !== 'any' ) { 1147 $selected_action = isset( $_POST['manual_notification'] ) ? sanitize_text_field( wp_unslash( $_POST['manual_notification'] ) ) : ''; 1148 $booking_status = isset( $_POST['booking_status'] ) ? sanitize_text_field( wp_unslash( $_POST['booking_status'] ) ) : ''; 1149 // update_post_meta($post_id, 'saab_entry_status', $booking_status); 1150 $bookingId = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0; 1151 $status = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : ''; 1148 1152 $formdata = get_post_meta($bookingId,'saab_submission_data',true); 1149 1153 $listform_label_val =$this->saab_admin_getkey_value_formshortcodes($post_id,$formdata); … … 1153 1157 update_post_meta($post_id, 'saab_manual_notification', $selected_action); 1154 1158 1155 } else{1156 $booking_status = isset( $_POST['booking_status']) ? sanitize_text_field($_POST['booking_status']) : '';1157 update_post_meta( $post_id, 'saab_entry_status', $booking_status);1159 } else { 1160 $booking_status = isset( $_POST['booking_status'] ) ? 
sanitize_text_field( wp_unslash( $_POST['booking_status'] ) ) : ''; 1161 update_post_meta( $post_id, 'saab_entry_status', $booking_status ); 1158 1162 $formdata = get_post_meta($post_id,'saab_submission_data',true); 1159 1163 $listform_label_val =$this->saab_admin_getkey_value_formshortcodes($post_id,$formdata); … … 1302 1306 } else { 1303 1307 $message = esc_html__('Failed to send email','smart-appointment-booking'); 1304 error_log('Failed to send email'); 1308 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1309 error_log( 'Failed to send email' ); 1305 1310 } 1306 1311 } 1307 1312 1308 1313 } 1309 if ($notificationFound === false) { 1310 $message = esc_html__('Notification not found for the given status', 'smart-appointment-booking'); 1311 error_log('Notification not found for the given status'); 1314 if ( $notificationFound === false ) { 1315 $message = esc_html__( 'Notification not found for the given status', 'smart-appointment-booking' ); 1316 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1317 error_log( 'Notification not found for the given status' ); 1312 1318 } 1313 1319 return $message; -
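Review bot: Wrapping the timezone dropdown in `wp_kses_post()` (new line 591) is likely to strip the control itself: the `post` allow-list does not include `select`/`option`, so if `timezone_dropdown()` returns a `<select>` — which the commented-out `$allow_time_dropdown` call on line 589 suggests — the rendered markup loses its tags. The earlier approach is the right one: pass an explicit allow-list, e.g. `echo wp_kses( $this->timezone_dropdown( $post->ID ), $allow_time_dropdown );` with `$allow_time_dropdown` permitting `select`, `option` and their `name`/`id`/`class`/`value`/`selected` attributes. Separately, the `steps_duration` branch (new line 946) applies `map_deep()` without the `is_array()` guard that the `booking_stops_after` and `timeslot_duration` branches gained (956, 969); a scalar value there reaches `$steps_duration['hours']` as a string offset, which PHP 8 treats as a TypeError rather than a silent fallback — mirror the guard: `if ( isset( $_POST['steps_duration'] ) && is_array( $_POST['steps_duration'] ) ) {`. The `phpcs:ignore` on the raw `$myScriptData` echo (356) documents the assumption but does not enforce it; since the comment on that line says the value is JSON, re-encoding at the point of output with `wp_json_encode( json_decode( $myScriptData ) )` would keep the inline script context safe regardless of what the save path did. The save handler these hunks belong to starts and ends outside the section.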
smart-appointment-booking/trunk/inc/class.saab.php
r3014693 r3450387 53 53 global $wp_version; 54 54 55 # Set filter for plugin's languages directory56 $SAAB_lang_dir = dirname( SAAB_PLUGIN_BASENAME ) . '/languages/';57 $SAAB_lang_dir = apply_filters( 'SAAB_languages_directory', $SAAB_lang_dir );58 59 55 # Traditional WordPress plugin locale filter. 60 56 $get_locale = get_locale(); … … 74 70 # Look in global /wp-content/languages/plugin-name folder 75 71 load_textdomain( 'smart-appointment-booking', $mofile_global ); 76 } else {77 # Load the default language files78 load_plugin_textdomain( 'smart-appointment-booking', false, $SAAB_lang_dir );79 72 } 73 # When hosted on WordPress.org, translations are loaded automatically; no load_plugin_textdomain() needed. 80 74 } 81 75 } -
smart-appointment-booking/trunk/inc/front/class.saab.front.action.php
r3154282 r3450387 110 110 ob_start(); 111 111 $user_id = get_current_user_id(); 112 $post_ids = array(); 112 $post_ids = array(); 113 // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key, WordPress.DB.SlowDBQuery.slow_db_query_meta_value -- User's bookings filtered by user_mapped meta. 113 114 $args = array( 114 'post_type' => 'manage_entries',115 'meta_key' => 'user_mapped',116 'meta_value' => $user_id,117 'fields' => 'ids',115 'post_type' => 'manage_entries', 116 'meta_key' => 'user_mapped', 117 'meta_value' => $user_id, 118 'fields' => 'ids', 118 119 'posts_per_page' => 55, 119 120 ); 120 121 $query = new WP_Query( $args);121 122 $query = new WP_Query( $args ); 122 123 123 124 if ($query->have_posts()) { … … 269 270 } 270 271 271 function saab_save_form_submission() { 272 // ini_set('display_startup_errors', 1); 273 // ini_set('display_errors', 1); 274 // error_reporting(-1); 275 //if( ! wp_verify_nonce( 'saab_front_nonce' ) ){} // ignoring nonce validation error in the front form 276 $form_id = ( isset( $_POST['fid'] ) ) ? $_POST['fid'] : ''; 277 $form_data = ( isset( $_POST['form_data'] ) ) ? $_POST['form_data'] : ''; 272 function saab_save_form_submission() { 273 $nonce_key = isset( $_POST['nonce'] ) ? 'nonce' : ( isset( $_POST['security'] ) ? 'security' : '' ); 274 $nonce_val = ( $nonce_key && isset( $_POST[ $nonce_key ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ $nonce_key ] ) ) : ''; 275 if ( ! $nonce_val || ! wp_verify_nonce( $nonce_val, 'my_ajax_nonce' ) ) { 276 wp_send_json_error( array( 'message' => __( 'Security check failed.', 'smart-appointment-booking' ) ) ); 277 wp_die(); 278 } 279 $form_id = isset( $_POST['fid'] ) ? absint( wp_unslash( $_POST['fid'] ) ) : 0; 280 $form_data = isset( $_POST['form_data'] ) && is_array( $_POST['form_data'] ) ? 
map_deep( wp_unslash( $_POST['form_data'] ), 'sanitize_text_field' ) : array(); 278 281 // User 279 282 $is_user_logged_in = is_user_logged_in(); … … 345 348 $usererror = true; 346 349 wp_send_json_error(array( 347 'message' => __('Error creating user '. $user_id->get_error_message(),'smart-appointment-booking'), 350 'message' => sprintf( 351 /* translators: %s: error message from user creation */ 352 __( 'Error creating user %s', 'smart-appointment-booking' ), 353 $user_id->get_error_message() 354 ), 348 355 'error' => $usererror, 349 356 )); … … 586 593 // } 587 594 if(empty($saab_amount)){ 588 $error_message = "Amount configuration Error";589 595 wp_delete_post($created_post_id, true); 590 596 wp_send_json_error(array( 591 'message' => __( $error_message, 'smart-appointment-booking'),597 'message' => __( 'Amount configuration Error', 'smart-appointment-booking' ), 592 598 'error' => true, 593 599 )); 594 600 } 595 $stripetoken = ( isset( $_POST['token'] ) ) ? $_POST['token']: '';601 $stripetoken = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : ''; 596 602 // Set your Stripe Publishable key 597 603 SabStripe::setApiKey($secretKey); // Replace with your Stripe API key … … 637 643 638 644 }catch ( Exception $e ) { 639 $error_message = $e->getMessage();640 645 wp_delete_post($created_post_id, true); 641 646 wp_send_json_error(array( 642 'message' => __($error_message, 'smart-appointment-booking'), 647 'message' => sprintf( 648 /* translators: %s: payment exception error message */ 649 __( 'Payment error: %s', 'smart-appointment-booking' ), 650 $e->getMessage() 651 ), 643 652 'error' => true, 644 653 )); … … 745 754 746 755 function saab_booking_form_submission() { 747 // ini_set('display_startup_errors', 1);748 // ini_set('display_errors', 1);749 // error_reporting(-1); 750 $error =''; 751 // if( ! wp_verify_nonce( 'saab_front_nonce' ) ){} 752 $booking_date = ( isset( $_POST['booking_date'] ) ) ? 
$_POST['booking_date'] : '';753 $e xplode_booking_date = explode('_',$booking_date);754 $ form_id = $explode_booking_date[1];755 $ format_bookingdate = $explode_booking_date[4] . "-" . $explode_booking_date[2] . "-" . $explode_booking_date[3];756 $ converted_bookingdate = date('Y-m-d', strtotime($format_bookingdate));757 $ timeslot = ( isset( $_POST['timeslot'] ) ) ? $_POST['timeslot'] : '';758 //total availableseats759 $ slotcapacity = ( isset( $_POST['slotcapacity'] ) ) ? $_POST['slotcapacity']: '';760 //quantity761 $bookedseats = ( isset( $_POST['bookedseats'] ) )? $_POST['bookedseats'] : '';762 $form_id = isset( $_POST['fid']) ? absint($_POST['fid']) : 0;763 $form_data = isset( $_POST['form_data'] ) ? $_POST['form_data']:'';764 if ( is_array($form_data)) {756 $nonce_key = isset( $_POST['nonce'] ) ? 'nonce' : ( isset( $_POST['security'] ) ? 'security' : '' ); 757 $nonce_val = ( $nonce_key && isset( $_POST[ $nonce_key ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ $nonce_key ] ) ) : ''; 758 if ( ! $nonce_val || ! wp_verify_nonce( $nonce_val, 'my_ajax_nonce' ) ) { 759 wp_send_json_error( array( 'message' => __( 'Security check failed.', 'smart-appointment-booking' ) ) ); 760 wp_die(); 761 } 762 $error = ''; 763 $booking_date = isset( $_POST['booking_date'] ) ? sanitize_text_field( wp_unslash( $_POST['booking_date'] ) ) : ''; 764 $explode_booking_date = explode( '_', $booking_date ); 765 $form_id = isset( $explode_booking_date[1] ) ? absint( $explode_booking_date[1] ) : 0; 766 $format_bookingdate = ( isset( $explode_booking_date[4], $explode_booking_date[2], $explode_booking_date[3] ) ) ? $explode_booking_date[4] . '-' . $explode_booking_date[2] . '-' . $explode_booking_date[3] : ''; 767 $converted_bookingdate = $format_bookingdate ? gmdate( 'Y-m-d', strtotime( $format_bookingdate ) ) : ''; 768 $timeslot = isset( $_POST['timeslot'] ) ? sanitize_text_field( wp_unslash( $_POST['timeslot'] ) ) : ''; 769 $slotcapacity = isset( $_POST['slotcapacity'] ) ? 
sanitize_text_field( wp_unslash( $_POST['slotcapacity'] ) ) : ''; 770 $bookedseats = isset( $_POST['bookedseats'] ) ? sanitize_text_field( wp_unslash( $_POST['bookedseats'] ) ) : ''; 771 $form_id = isset( $_POST['fid'] ) ? absint( wp_unslash( $_POST['fid'] ) ) : $form_id; 772 $form_data = isset( $_POST['form_data'] ) ? wp_unslash( $_POST['form_data'] ) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- sanitized in loop below 773 if ( is_array( $form_data ) ) { 765 774 foreach ($form_data as $field_name => $field_value) { 766 775 // Check if the field value is an array (e.g., for checkboxes or multi-select) … … 989 998 } 990 999 function saab_add_event_to_calender(){ 991 1000 // OAuth callback from Google; code/state are from redirect, not form POST. Nonce not applicable. 1001 // phpcs:disable WordPress.Security.NonceVerification.Recommended 992 1002 ob_start(); 993 1003 994 if(isset($_GET['code'])){ 995 996 require_once SAAB_DIR . '/inc/lib/google-library/vendor/autoload.php'; 997 $stateParameter = ( isset( $_GET['state'] ) ) ? $_GET['state'] : ''; 1004 if ( isset( $_GET['code'] ) ) { 1005 require_once SAAB_DIR . '/inc/lib/google-library/vendor/autoload.php'; 1006 $stateParameter = isset( $_GET['state'] ) ? 
sanitize_text_field( wp_unslash( $_GET['state'] ) ) : ''; 998 1007 $mystate = explode('T', $stateParameter); 999 1008 $form_id = $mystate[0]; … … 1040 1049 $client_new->setAccessType('offline'); 1041 1050 1042 if ( isset($_GET['code'])) {1043 1044 $token = $client_new->fetchAccessTokenWithAuthCode( $_GET['code']);1051 if ( isset( $_GET['code'] ) ) { 1052 $auth_code = sanitize_text_field( wp_unslash( $_GET['code'] ) ); 1053 $token = $client_new->fetchAccessTokenWithAuthCode( $auth_code ); 1045 1054 $client_new->setAccessToken($token); 1046 1055 $service = new Google_Service_Calendar($client_new); … … 1104 1113 } 1105 1114 } 1115 // phpcs:enable WordPress.Security.NonceVerification.Recommended 1106 1116 return ob_get_clean(); 1107 1117 } … … 1117 1127 */ 1118 1128 function saab_send_notification($status, $form_id, $post_id, $form_data) { 1119 // Sanitize the status value from $_POST, if applicable 1120 $status = (isset($_POST['status']) && !empty($_POST['status'])) ? sanitize_text_field($_POST['status']) : $status; 1121 1122 // Log status to ensure it's being received correctly 1123 if (defined('WP_DEBUG') && WP_DEBUG) { 1124 error_log('Status received: ' . $status); 1125 } 1126 1129 // Status may be overridden from POST; nonce verified in calling AJAX handler. 1130 // phpcs:ignore WordPress.Security.NonceVerification.Missing 1131 $status = ( isset( $_POST['status'] ) && ! empty( $_POST['status'] ) ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : $status; 1132 1133 // Log status to ensure it's being received correctly. 1134 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1135 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1136 error_log( 'Status received: ' . 
$status ); 1137 } 1138 1127 1139 $message = ''; 1128 1140 $notificationFound = false; 1129 1141 1130 1142 // Get notification data 1131 $get_notification_array = get_post_meta($form_id, 'saab_notification_data', true); 1132 1133 // Log the retrieved notification data for debugging 1134 if (defined('WP_DEBUG') && WP_DEBUG) { 1135 error_log('Notification array: ' . print_r($get_notification_array, true)); 1143 $get_notification_array = get_post_meta( $form_id, 'saab_notification_data', true ); 1144 1145 // Log the retrieved notification data for debugging. 1146 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1147 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log, WordPress.PHP.DevelopmentFunctions.error_log_print_r 1148 error_log( 'Notification array: ' . print_r( $get_notification_array, true ) ); 1136 1149 } 1137 1150 … … 1143 1156 $notificationFound = true; // Mark notification as found 1144 1157 1145 // Log notification for debugging 1146 if (defined('WP_DEBUG') && WP_DEBUG) { 1147 error_log('Notification found: ' . print_r($notification, true)); 1158 // Log notification for debugging. 1159 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1160 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log, WordPress.PHP.DevelopmentFunctions.error_log_print_r 1161 error_log( 'Notification found: ' . print_r( $notification, true ) ); 1148 1162 } 1149 1163 … … 1167 1181 $check_body = $this->saab_check_shortcodes_exist_in_editor($check_body, $form_id, $form_data, $shortcodesArray); 1168 1182 1169 // Log email details for debugging 1170 if (defined('WP_DEBUG') && WP_DEBUG) { 1171 error_log('Email details: to: ' . $to . ', from: ' . $from . ', subject: ' . $subject . ', body: ' . $check_body); 1183 // Log email details for debugging. 1184 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1185 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1186 error_log( 'Email details: to: ' . $to . ', from: ' . $from . ', subject: ' . $subject . 
', body: ' . $check_body ); 1172 1187 } 1173 1188 1174 1189 // Set email headers 1175 1190 $headers = array( … … 1193 1208 $message = esc_html__('Email sent successfully', 'smart-appointment-booking'); 1194 1209 } else { 1195 $message = esc_html__('Failed to send email', 'smart-appointment-booking'); 1196 if (defined('WP_DEBUG') && WP_DEBUG) { 1197 error_log('Failed to send email to: ' . $to); // Debug logging 1210 $message = esc_html__( 'Failed to send email', 'smart-appointment-booking' ); 1211 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1212 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1213 error_log( 'Failed to send email to: ' . $to ); 1198 1214 } 1199 1215 } … … 1201 1217 } 1202 1218 } else { 1203 // Log an error if no notification data was found for the form 1204 if (defined('WP_DEBUG') && WP_DEBUG) { 1205 error_log('No notification data found for form ID: ' . $form_id); 1206 } 1207 } 1208 1209 // If no notification was found, log an error 1210 if ($notificationFound === false) { 1211 $message = __('Notification not found for the given status: ' . $status, 'smart-appointment-booking'); 1212 if (defined('WP_DEBUG') && WP_DEBUG) { 1213 error_log('Notification not found for the given status: ' . $status); // Debug logging 1214 } 1215 wp_send_json_error(array('message' => $message)); 1219 // Log an error if no notification data was found for the form. 1220 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1221 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1222 error_log( 'No notification data found for form ID: ' . $form_id ); 1223 } 1224 } 1225 1226 // If no notification was found, log an error. 1227 if ( $notificationFound === false ) { 1228 $message = sprintf( 1229 /* translators: %s: notification status (e.g. 
booked, approved, cancelled) */ 1230 __( 'Notification not found for the given status: %s', 'smart-appointment-booking' ), 1231 $status 1232 ); 1233 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1234 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1235 error_log( 'Notification not found for the given status: ' . $status ); 1236 } 1237 wp_send_json_error( array( 'message' => $message ) ); 1216 1238 wp_die(); 1217 1239 } … … 1225 1247 1226 1248 function saab_send_post_update_notification($status, $form_id, $post_id, $form_data) { 1227 // Sanitize status and other input data 1228 $status = (isset($_POST['status']) && !empty($_POST['status'])) ? sanitize_text_field($_POST['status']) : sanitize_text_field($status); 1249 // Status may be overridden from POST; nonce verified in calling AJAX handler. 1250 // phpcs:ignore WordPress.Security.NonceVerification.Missing 1251 $status = ( isset( $_POST['status'] ) && ! empty( $_POST['status'] ) ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : sanitize_text_field( $status ); 1229 1252 $message = ''; 1230 1253 … … 1284 1307 } else { 1285 1308 // Log details if email sending fails 1286 $message = __('Failed to send email. Details: to-' . $to . ', from-' . $from . ', Bcc-' . $bcc . ', Cc-' . $cc . ', subject-' . $subject . ', body-' . $check_body . ', headers-' . json_encode($headers), 'smart-appointment-booking'); 1287 if (defined('WP_DEBUG') && WP_DEBUG) { 1288 error_log('Failed to send email. Details: to-' . $to . ', from-' . $from . ', Bcc-' . $bcc . ', Cc-' . $cc . ', subject-' . $subject . ', body-' . $check_body . ', headers-' . json_encode($headers)); 1309 $message = sprintf( 1310 /* translators: 1: to address, 2: from address, 3: Bcc, 4: Cc, 5: subject, 6: body, 7: headers */ 1311 __( 'Failed to send email. 
Details: to-%1$s, from-%2$s, Bcc-%3$s, Cc-%4$s, subject-%5$s, body-%6$s, headers-%7$s', 'smart-appointment-booking' ), 1312 $to, 1313 $from, 1314 $bcc, 1315 $cc, 1316 $subject, 1317 $check_body, 1318 wp_json_encode( $headers ) 1319 ); 1320 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1321 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1322 error_log( 'Failed to send email. Details: to-' . $to . ', from-' . $from . ', Bcc-' . $bcc . ', Cc-' . $cc . ', subject-' . $subject . ', body-' . $check_body . ', headers-' . wp_json_encode( $headers ) ); 1289 1323 } 1290 1324 } … … 1294 1328 1295 1329 // Handle case where no matching notification is found 1296 if ($notificationFound === false) { 1297 $message = __('Notification not found for the given status: ' . $status, 'smart-appointment-booking'); 1298 if (defined('WP_DEBUG') && WP_DEBUG) { 1299 error_log('Notification not found for the given status: ' . $status); 1300 } 1301 } 1302 1330 if ( $notificationFound === false ) { 1331 $message = sprintf( 1332 /* translators: %s: notification status (e.g. booked, approved, cancelled) */ 1333 __( 'Notification not found for the given status: %s', 'smart-appointment-booking' ), 1334 $status 1335 ); 1336 if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { 1337 // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log 1338 error_log( 'Notification not found for the given status: ' . $status ); 1339 } 1340 } 1341 1303 1342 return $message; 1304 1343 } 1305 1344 1306 1345 /** 1307 1346 * Process the given field value containing shortcodes and replace them with actual values. … … 2113 2152 $timezone = get_post_meta($post_id,'saab_timezone',true); 2114 2153 $error = false; 2115 $TodaysDate = date('F d, Y');2116 $todaysDate = date('Y-m-d');2154 $TodaysDate = gmdate( 'F d, Y' ); 2155 $todaysDate = gmdate( 'Y-m-d' ); 2117 2156 echo "<h3 id='head_avail_time'><span class='gfb-timezone'>Timezone: " . esc_attr($timezone) . 
"</span></h3>"; 2118 2157 echo "<h4 id='headtodays_date'>" . esc_html($TodaysDate) . "</h4>"; … … 2326 2365 12 => 'December' 2327 2366 ); 2328 $currentMonth = isset($_POST['currentMonth']) ? intval($_POST['currentMonth']) : date('n'); //phpcs:ignore 2329 $currentMonth = max(1, min(12, $currentMonth)); // Ensure currentMonth is between 1 and 12 2330 $currentYear = isset($_POST['currentYear']) ? intval($_POST['currentYear']) : date('Y'); //phpcs:ignore 2331 $post_id = isset($_POST['form_id']) ? $_POST['form_id'] : ''; 2367 // phpcs:disable WordPress.Security.NonceVerification.Missing -- Calendar month/year/form_id from AJAX; nonce verified in caller or optional display. 2368 $currentMonth = isset( $_POST['currentMonth'] ) ? max( 1, min( 12, intval( wp_unslash( $_POST['currentMonth'] ) ) ) ) : (int) gmdate( 'n' ); 2369 $currentYear = isset( $_POST['currentYear'] ) ? absint( wp_unslash( $_POST['currentYear'] ) ) : (int) gmdate( 'Y' ); 2370 $post_id = isset( $_POST['form_id'] ) ? absint( wp_unslash( $_POST['form_id'] ) ) : 0; 2371 // phpcs:enable WordPress.Security.NonceVerification.Missing 2332 2372 $running_year = date("Y"); //phpcs:ignore 2333 2373 ob_start(); … … 2427 2467 */ 2428 2468 function saab_action_display_available_timeslots(){ 2429 ini_set('display_startup_errors', 1); 2430 ini_set('display_errors', 1); 2431 error_reporting(-1); 2432 //if( ! wp_verify_nonce( 'saab_front_nonce' ) ){} 2469 $nonce_key = isset( $_POST['nonce'] ) ? 'nonce' : ( isset( $_POST['security'] ) ? 'security' : '' ); 2470 $nonce_val = ( $nonce_key && isset( $_POST[ $nonce_key ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ $nonce_key ] ) ) : ''; 2471 if ( ! $nonce_val || ! 
wp_verify_nonce( $nonce_val, 'my_ajax_nonce' ) ) { 2472 wp_send_json_error( array( 'message' => __( 'Security check failed.', 'smart-appointment-booking' ) ) ); 2473 wp_die(); 2474 } 2433 2475 $error = false; 2434 if(isset( $_POST['form_data'])){ 2435 $form_data = $_POST['form_data']; 2436 $array_data = explode('_',$form_data); 2437 $post_id = $array_data[1]; 2438 $current_month = $array_data[2]; 2439 $current_day = $array_data[3]; 2440 $current_year = $array_data[4]; 2441 } 2442 if(isset( $_POST['clickedId'])){ 2443 $clickedId = $_POST['clickedId']; 2476 $post_id = 0; 2477 $current_month = ''; 2478 $current_day = ''; 2479 $current_year = ''; 2480 $clickedId = ''; 2481 if ( isset( $_POST['form_data'] ) ) { 2482 $form_data = sanitize_text_field( wp_unslash( $_POST['form_data'] ) ); 2483 $array_data = explode( '_', $form_data ); 2484 $post_id = isset( $array_data[1] ) ? absint( $array_data[1] ) : 0; 2485 $current_month = isset( $array_data[2] ) ? sanitize_text_field( $array_data[2] ) : ''; 2486 $current_day = isset( $array_data[3] ) ? sanitize_text_field( $array_data[3] ) : ''; 2487 $current_year = isset( $array_data[4] ) ? sanitize_text_field( $array_data[4] ) : ''; 2488 } 2489 if ( isset( $_POST['clickedId'] ) ) { 2490 $clickedId = sanitize_text_field( wp_unslash( $_POST['clickedId'] ) ); 2444 2491 } 2445 2492 $todaysDate = date('Y-m-d', strtotime("$current_year-$current_month-$current_day")); //phpcs:ignore … … 2523 2570 $response = array(); 2524 2571 2525 if ( isset($_POST['bookingId']) && isset($_POST['bookingstatus'])) {2572 if ( isset( $_POST['bookingId'] ) && isset( $_POST['bookingstatus'] ) ) { 2526 2573 // $booking_id = wp_base64_decode($encrypt_bookingId); 2527 $booking_id = $encrypt_bookingId;2528 $bookingstatus = isset( $_POST['bookingstatus']) ? 
sanitize_text_field($_POST['bookingstatus']) : '';2529 2530 if ( $bookingstatus === 'cancel') {2531 if ( isset($_POST['status'])) {2532 $status = sanitize_text_field( $_POST['status']);2574 $booking_id = $encrypt_bookingId; 2575 $bookingstatus = isset( $_POST['bookingstatus'] ) ? sanitize_text_field( wp_unslash( $_POST['bookingstatus'] ) ) : ''; 2576 2577 if ( $bookingstatus === 'cancel' ) { 2578 if ( isset( $_POST['status'] ) ) { 2579 $status = sanitize_text_field( wp_unslash( $_POST['status'] ) ); 2533 2580 if ($status === 'check') { 2534 2581 $get_current_status = get_post_meta($booking_id, 'saab_entry_status', true); … … 2587 2634 } 2588 2635 echo '<div class="booking-cancellation-card">'; 2589 $encrypt_bookingId = isset( $_REQUEST['booking_id']) ? sanitize_text_field($_REQUEST['booking_id']) : '';2590 2591 if ( isset($_REQUEST['booking_id']) && isset($_REQUEST['status'])) {2636 $encrypt_bookingId = isset( $_REQUEST['booking_id'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['booking_id'] ) ) : ''; 2637 2638 if ( isset( $_REQUEST['booking_id'] ) && isset( $_REQUEST['status'] ) ) { 2592 2639 // $booking_id = wp_base64_decode($encrypt_bookingId); 2593 2640 $booking_id = $encrypt_bookingId; 2594 $bookingstatus = sanitize_text_field( $_REQUEST['status']);2641 $bookingstatus = sanitize_text_field( wp_unslash( $_REQUEST['status'] ) ); 2595 2642 2596 2643 if ($bookingstatus === 'cancel' ) { … … 2625 2672 function saab_cancel_booking_shortcode() { 2626 2673 $response = array( 2627 'message' => esc_html__('','smart-appointment-booking'),2674 'message' => '', 2628 2675 'mail_message' => '', 2629 2676 -
smart-appointment-booking/trunk/readme.txt
r3421205 r3450387 7 7 Tested up to: 6.9 8 8 License: GPL-3.0-or-later 9 Version: 1.0. 710 Stable tag: 1.0. 79 Version: 1.0.8 10 Stable tag: 1.0.8 11 11 License: GPLv3 or later License 12 12 License URI: http://www.gnu.org/licenses/gpl-3.0.html … … 131 131 == Changelog == 132 132 133 = 1.0.8 = 134 * Security: Nonce verification and input sanitization improvements across admin and front forms. 135 * Security: Proper use of wp_unslash() before sanitization for POST/GET data. 136 * Code quality: Addressed WordPress PHPCS warnings (escaping, validated input, slow query notices). 137 * Tested with the latest version of WordPress (6.9). 138 133 139 = 1.0.7 = 134 140 * Tested with the latest version of WordPress (6.9). … … 172 178 == Upgrade Notice == 173 179 180 = 1.0.8 = 181 * Security: Nonce verification and input sanitization improvements across admin and front forms. 182 * Security: Proper use of wp_unslash() before sanitization for POST/GET data. 183 * Code quality: Addressed WordPress PHPCS warnings (escaping, validated input, slow query notices). 184 * Tested with the latest version of WordPress (6.9). 185 186 = 1.0.7 = 187 * Tested with the latest version of WordPress (6.9). 
188 189 = 1.0.6 = 190 * Issue Fixed 191 192 = 1.0.5 = 193 * Issue Fixed 194 195 = 1.0.4 = 196 * Fix: Issue with enabling or disabling the booking form 197 * Fix: Calendar not displaying when clicking arrows 198 * Fix: Calendar not displaying when selecting a month 199 * Fix: Calendar not displaying when selecting a year 200 * Fix: Timeslot issue in the 'Manage Entry' section 201 * Fix: Display of booked timeslots in the form 202 * Fix: Change button name for "Add New Form (Booking Form)" 203 * Fix: Remove "View Post" link after form is published 204 * Fix: Generate shortcode when publishing the form 205 * Add: List of added users 206 * Add: List of added statuses 207 * Add: "Appointment Type: Virtual" option 208 209 = 1.0.3 = 210 * Fix: Date being selected in calendar issue 211 * Fix: Time being selected issue 212 * Fix: Available seat count issue 213 * Fix: Data listing issue 214 * Fix: Manage Entry issue 215 216 = 1.0.2 = 217 * The issue on the backend has been fixed. 218 219 = 1.0.1 = 220 * Issue Fixed "Form Is not being saved" 221 174 222 = 1.0.0 = 175 1.0 is Initial Release. 223 * Initial Release -
smart-appointment-booking/trunk/smart-appointment-booking.php
r3421205 r3450387 4 4 * Plugin URL: https://wordpress.org/plugins/smart-appointment-booking/ 5 5 * Description: This is the all-in-one solution for efficient appointment management, offering customizable forms, seamless booking and modifications waitlist management. 6 * Version: 1.0. 76 * Version: 1.0.8 7 7 * Author: ZealousWeb 8 8 * Author URI: https://www.zealousweb.com … … 24 24 * 25 25 * @package Smart Appointment & Booking 26 * @since 1.0. 726 * @since 1.0.8 27 27 */ 28 28 29 29 /* Start of Code */ 30 30 if ( ! defined( 'SAAB_VERSION' ) ) { 31 define( 'SAAB_VERSION', '1.0. 7' ); // Version of the plugin31 define( 'SAAB_VERSION', '1.0.8' ); // Version of the plugin 32 32 } 33 33
Note: See TracChangeset
for help on using the changeset viewer.