Yet another round.
joedolson committed Oct 12, 2021
1 parent 7b5a300 commit b6c3be2
Showing 11 changed files with 57 additions and 62 deletions.
33 changes: 17 additions & 16 deletions src/gateways/paypal.php
Expand Up @@ -28,7 +28,8 @@ function mt_paypal_ipn() {

$req = 'cmd=_notify-validate';
foreach ( $_POST as $key => $value ) {
$value = urlencode( stripslashes( $value ) );
$value = sanitize_text_field( $value );
$key = sanitize_text_field( $key );
$req .= "&$key=$value";
}

Expand All @@ -44,19 +45,19 @@ function mt_paypal_ipn() {
$payment_status = sanitize_text_field( $_POST['payment_status'] );
if ( isset( $_POST['num_cart_items'] ) ) {
// My Tickets support for cart formatted requests. My Tickets only supports processing of a single order, however.
$item_number = $_POST['item_number1'];
$item_number = absint( $_POST['item_number1'] );
} else {
$item_number = absint( $_POST['item_number'] );
}
$price = sanitize_text_field( $_POST['mc_gross'] );
$payment_currency = sanitize_text_field( $_POST['mc_currency'] );
$receiver_email = sanitize_email( $_POST['receiver_email'] );
$payer_email = sanitize_email( $_POST['payer_email'] );
$payer_first_name = sanitize_text( $_POST['first_name'] );
$payer_last_name = sanitize_text( $_POST['last_name'] );
$mc_fee = sanitize_text( $_POST['mc_fee'] );
$txn_id = sanitize_text( $_POST['txn_id'] );
$parent = isset( $_POST['parent_txn_id'] ) ? sanitize_text( $_POST['parent_txn_id'] ) : '';
$payer_first_name = sanitize_text_field( $_POST['first_name'] );
$payer_last_name = sanitize_text_field( $_POST['last_name'] );
$mc_fee = sanitize_text_field( $_POST['mc_fee'] );
$txn_id = sanitize_text_field( $_POST['txn_id'] );
$parent = isset( $_POST['parent_txn_id'] ) ? sanitize_text_field( $_POST['parent_txn_id'] ) : '';
$ipn = wp_remote_post( $url, $params );

if ( is_wp_error( $ipn ) ) {
Expand All @@ -71,12 +72,12 @@ function mt_paypal_ipn() {
// map paypal IPN format of address to MT format
// All gateways must map shipping addresses to this format.
$address = array(
'street' => isset( $_POST['address_street'] ) ? sanitize_text( $_POST['address_street'] ) : '',
'street2' => isset( $_POST['address2'] ) ? sanitize_text( $_POST['address2'] ) : '',
'city' => isset( $_POST['address_city'] ) ? sanitize_text( $_POST['address_city'] ) : '',
'state' => isset( $_POST['address_state'] ) ? sanitize_text( $_POST['address_state'] ) : '',
'country' => isset( $_POST['address_country_code'] ) ? sanitize_text( $_POST['address_country_code'] ) : '',
'code' => isset( $_POST['address_zip'] ) ? sanitize_text( $_POST['address_zip'] ) : '',
'street' => isset( $_POST['address_street'] ) ? sanitize_text_field( $_POST['address_street'] ) : '',
'street2' => isset( $_POST['address2'] ) ? sanitize_text_field( $_POST['address2'] ) : '',
'city' => isset( $_POST['address_city'] ) ? sanitize_text_field( $_POST['address_city'] ) : '',
'state' => isset( $_POST['address_state'] ) ? sanitize_text_field( $_POST['address_state'] ) : '',
'country' => isset( $_POST['address_country_code'] ) ? sanitize_text_field( $_POST['address_country_code'] ) : '',
'code' => isset( $_POST['address_zip'] ) ? sanitize_text_field( $_POST['address_zip'] ) : '',
);

$data = array(
Expand Down Expand Up @@ -139,13 +140,13 @@ function mt_paypal_ipn() {
array(
'post_type' => 'mt-payments',
'meta_key' => '_transaction_id',
'meta_value' => sanitize_text( $_POST['txn_id'] ),
'meta_value' => sanitize_text_field( $_POST['txn_id'] ),
)
);
if ( ! empty( $posts ) ) {
$post = $posts[0];
update_post_meta( $post->ID, '_dispute_reason', sanitize_text( $_POST['reason_code'] ) );
update_post_meta( $post->ID, '_dispute_message', sanitize_text( $_POST['buyer_additional_information'] ) );
update_post_meta( $post->ID, '_dispute_reason', sanitize_text_field( $_POST['reason_code'] ) );
update_post_meta( $post->ID, '_dispute_message', sanitize_text_field( $_POST['buyer_additional_information'] ) );
}
}
status_header( 200 );
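Review bot: The IPN validation echo at `$req .= "&$key=$value";` now appears to send `sanitize_text_field()` output in place of `urlencode( stripslashes( $value ) )` (the urlencode line reads as the removed side of this hunk), so values containing `&`, `=`, `+`, or any tag or whitespace run that sanitizing alters no longer reproduce the body PayPal posted, and `_notify-validate` may answer INVALID or mis-parse the query string. Keep the byte-faithful encoding for the echo and sanitize only the copies used locally, e.g. `$req .= '&' . urlencode( $key ) . '=' . urlencode( stripslashes( $value ) );`. The sanitize-only treatment of `mc_gross`, `mc_fee`, the names and the address fields later in the hunk is fine, since those are stored or compared locally rather than echoed back. How `$req` reaches the `$params` passed to `wp_remote_post( $url, $params )` is outside the hunk, as is the rest of mt_paypal_ipn.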
2 changes: 1 addition & 1 deletion src/mt-cart-handler.php
Expand Up @@ -50,7 +50,7 @@ function mt_handle_cart() {
* @param string $data Type of data to delete.
*/
function mt_delete_data( $data = 'cart' ) {
$unique_id = ( isset( $_COOKIE['mt_unique_id'] ) ) ? $_COOKIE['mt_unique_id'] : false;
$unique_id = ( isset( $_COOKIE['mt_unique_id'] ) ) ? sanitize_text_field( $_COOKIE['mt_unique_id'] ) : false;
if ( is_user_logged_in() ) {
$current_user = wp_get_current_user();
delete_user_meta( $current_user->ID, "_mt_user_$data" );
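Review bot: `sanitize_text_field( $_COOKIE['mt_unique_id'] )` is applied to a slashed superglobal; WordPress adds magic-quote slashes to `$_COOKIE` (and `$_GET`/`$_POST`), so a value containing quotes keeps its backslashes after sanitizing. The WordPress convention is `sanitize_text_field( wp_unslash( $_COOKIE['mt_unique_id'] ) )`, and the same applies to the superglobal reads added in mt-cart.php, mt-cpt.php, mt-payment-settings.php, mt-processing.php, mt-reports.php, mt-templating.php and mt-tickets.php in this commit. For an opaque id this is mostly a coding-standards point, but the `stripslashes( $body )` added in mt-reports.php shows slashing is already a live concern in this codebase. mt_delete_data continues outside the hunk.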
6 changes: 3 additions & 3 deletions src/mt-cart.php
Expand Up @@ -998,13 +998,13 @@ function mt_generate_gateway( $cart ) {
$total = mt_total_cart( $cart, $payment );
$count = mt_count_cart( $cart );
if ( $count > 0 ) {
$ticket_method = ( isset( $_POST['ticketing_method'] ) ) ? $_POST['ticketing_method'] : 'willcall';
$ticket_method = ( isset( $_POST['ticketing_method'] ) ) ? sanitize_text_field( $_POST['ticketing_method'] ) : 'willcall';
$shipping_total = ( 'postal' === $ticket_method && is_numeric( $options['mt_shipping'] ) ) ? $options['mt_shipping'] : 0;
$handling_total = ( isset( $options['mt_handling'] ) && is_numeric( $options['mt_handling'] ) ) ? $options['mt_handling'] : 0;
$shipping = ( $shipping_total ) ? "<div class='mt_cart_shipping mt_cart_label'>" . __( 'Shipping:', 'my-tickets' ) . " <span class='mt_shipping_number mt_cart_value'>" . apply_filters( 'mt_money_format', $shipping_total ) . '</span></div>' : '';
$handling = ( $handling_total ) ? "<div class='mt_cart_handling mt_cart_label'>" . __( 'Handling:', 'my-tickets' ) . " <span class='mt_handling_number mt_cart_value'>" . apply_filters( 'mt_money_format', $handling_total ) . '</span></div>' : '';
$tick_handling = mt_handling_notice();
$mt_gateway = ( isset( $_POST['mt_gateway'] ) ) ? $_POST['mt_gateway'] : 'offline';
$mt_gateway = ( isset( $_POST['mt_gateway'] ) ) ? sanitize_text_field( $_POST['mt_gateway'] ) : 'offline';
$other_charges = apply_filters( 'mt_custom_charges', 0, $cart, $mt_gateway );
$other_notices = apply_filters( 'mt_custom_notices', '', $cart, $mt_gateway );
// If everything in cart is free, don't pass through payment gateway.
Expand Down Expand Up @@ -1112,7 +1112,7 @@ function mt_expired( $event, $react = false ) {
*/
function mt_get_cart( $user_ID = false, $cart_id = false ) {
$cart = array();
$unique_id = ( isset( $_COOKIE['mt_unique_id'] ) ) ? $_COOKIE['mt_unique_id'] : false;
$unique_id = ( isset( $_COOKIE['mt_unique_id'] ) ) ? sanitize_text_field( $_COOKIE['mt_unique_id'] ) : false;
if ( $user_ID ) {
$cart = get_user_meta( $user_ID, '_mt_user_cart', true );
} elseif ( ! $user_ID && $cart_id ) {
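Review bot: `$mt_gateway` is sanitized but not validated: `sanitize_text_field()` strips tags and collapses whitespace yet accepts any string, and the value is then handed to the `mt_custom_charges` and `mt_custom_notices` filters as the gateway key. Unless the gateway lookup outside this hunk already rejects unknown keys (not visible here), compare it against the configured gateways and fall back to `'offline'` when it is not one of them. `$ticket_method` gets the same treatment but is only compared with `'postal'` in the visible lines, so sanitizing is sufficient there. mt_generate_gateway and mt_get_cart both extend beyond their hunks.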
4 changes: 2 additions & 2 deletions src/mt-cpt.php
Expand Up @@ -247,7 +247,7 @@ function mt_add_inner_box() {
$cart_id = (int) $_GET['cart'];
}
if ( isset( $_GET['cart_id'] ) ) {
$cart_transient_id = esc_html( $_GET['cart_id'] );
$cart_transient_id = sanitize_text_field( $_GET['cart_id'] );
}
$cart = mt_get_cart( $cart_id, $cart_transient_id );
// Translators: link to public web site.
Expand Down Expand Up @@ -553,7 +553,7 @@ function mt_post_meta( $id ) {
}
// create new ticket purchase.
if ( isset( $_POST['mt_cart_order'] ) ) {
$purchased = $_POST['mt_cart_order'];
$purchased = map_deep( $_POST['mt_cart_order'], 'sanitize_text_field' );
mt_create_tickets( $id, $purchased );
// handle custom fields in custom orders.
do_action( 'mt_save_payment_fields', $id, $_POST, $purchased );
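Review bot: In mt_post_meta the sanitized `$purchased` goes to `mt_create_tickets()`, but the raw `$_POST` array is still passed as the second argument of `do_action( 'mt_save_payment_fields', $id, $_POST, $purchased )`, so every listener on that hook must unslash and sanitize the superglobal itself. If listeners only need the order fields, pass `$purchased` in its place; otherwise add a docblock line on the action stating that the second argument is the raw request and must be sanitized by the callback. In mt_add_inner_box, `$cart_transient_id` is assigned only when `cart_id` is present; whether it is initialised before that `if` is outside the hunk, so confirm `mt_get_cart( $cart_id, $cart_transient_id )` cannot receive an undefined variable. Both functions continue outside their hunks.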
6 changes: 3 additions & 3 deletions src/mt-payment-settings.php
Expand Up @@ -22,7 +22,7 @@
*/
function mt_update_payment_settings( $post ) {
if ( isset( $post['mt-payment-settings'] ) ) {
$nonce = $_POST['_wpnonce'];
$nonce = sanitize_text_field( $_POST['_wpnonce'] );
if ( ! wp_verify_nonce( $nonce, 'my-tickets' ) ) {
return '';
}
Expand Down Expand Up @@ -226,11 +226,11 @@ function mt_payment_settings() {
</ul>
<ul>
<li>
<input type="checkbox" id="mt_use_sandbox" name="mt_use_sandbox" <?php mt_is_checked( 'mt_use_sandbox', 'true', $options ); ?> />
<input type="checkbox" id="mt_use_sandbox" name="mt_use_sandbox" <?php checked( true, mt_is_checked( 'mt_use_sandbox', 'true', $options ) ); ?> />
<label for="mt_use_sandbox"><?php _e( 'Testing mode (no payments will be processed)', 'my-tickets' ); ?></label>
</li>
<li>
<input type="checkbox" id="mt_ssl" name="mt_ssl" value="true" aria-describedby="mt_ssl_note" <?php mt_is_checked( 'mt_ssl', 'true', $options ); ?> />
<input type="checkbox" id="mt_ssl" name="mt_ssl" value="true" aria-describedby="mt_ssl_note" <?php checked( true, mt_is_checked( 'mt_ssl', 'true', $options ) ); ?> />
<label for="mt_ssl"><?php _e( 'Use SSL for Payment pages.', 'my-tickets' ); ?></label><br/>
<span id="mt_ssl_note"><?php _e( 'You must have an SSL certificate to use this option', 'my-tickets' ); ?></span>
</li>
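Review bot: `$nonce = sanitize_text_field( $_POST['_wpnonce'] );` still reads `_wpnonce` without an `isset()` guard — the enclosing `if` only checks `$post['mt-payment-settings']` — so a request lacking the nonce raises an undefined-index notice before `wp_verify_nonce()` rejects it. Prefer `$nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';`, which `wp_verify_nonce()` then fails cleanly. The `checked( true, mt_is_checked( ... ) )` rewrites in the second hunk rely on mt_is_checked now returning a bool (changed in my-tickets.php in this commit); any template still using the old echo form `<?php mt_is_checked( ... ); ?>` will silently render an unchecked box, which is worth a line in the commit description. mt_update_payment_settings and mt_payment_settings continue outside their hunks.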
2 changes: 1 addition & 1 deletion src/mt-processing.php
Expand Up @@ -96,7 +96,7 @@ function mt_add_ticket_form() {
*/
function mt_ticket_meta( $post_id ) {
if ( isset( $_POST['mt-tickets-nonce'] ) && isset( $_POST['mt-trigger'] ) ) {
$nonce = $_POST['mt-tickets-nonce'];
$nonce = sanitize_text_field( $_POST['mt-tickets-nonce'] );
if ( ! wp_verify_nonce( $nonce, 'mt-tickets-nonce' ) ) {
wp_die( 'Invalid nonce' );
}
13 changes: 7 additions & 6 deletions src/mt-reports.php
Expand Up @@ -140,7 +140,7 @@ function mt_generate_report_by_event( $event_id = false, $return = false ) {
$title = get_the_title( $event_id );
$tabs = '';
$out = '';
$options = ( isset( $_GET['options'] ) ) ? $_GET['options'] : array(
$options = ( isset( $_GET['options'] ) ) ? map_deep( $_GET['options'], 'sanitize_text_field' ) : array(
'type' => 'html',
'output' => 'payments',
'include_failed' => true,
Expand Down Expand Up @@ -234,11 +234,11 @@ function mt_generate_report_by_event( $event_id = false, $return = false ) {
function mt_choose_report_by_event() {
$selector = mt_select_events();
$selected = ( isset( $_GET['format'] ) && 'csv' === $_GET['format'] ) ? " selected='selected'" : '';
$report = ( isset( $_GET['mt-event-report'] ) ) ? $_GET['mt-event-report'] : '';
$report = ( isset( $_GET['mt-event-report'] ) ) ? sanitize_text_field( $_GET['mt-event-report'] ) : '';
$form = "
<div class='report-by-event'>
<h3>" . __( 'Report by Event', 'my-tickets' ) . "</h3>
<form method='GET' action='" . admin_url( 'admin.php?page=mt-reports' ) . "'>
<form method='GET' action='" . esc_url( admin_url( 'admin.php?page=mt-reports' ) ) . "'>
<div>
<input type='hidden' name='page' value='mt-reports' />
</div>
Expand Down Expand Up @@ -275,8 +275,8 @@ function mt_choose_report_by_event() {
*/
function mt_choose_report_by_date() {
$selected = ( isset( $_GET['format'] ) && 'csv' === $_GET['format'] ) ? " selected='selected'" : '';
$start = ( isset( $_GET['mt_start'] ) ) ? $_GET['mt_start'] : mt_date( 'Y-m-d', strtotime( '-1 month' ) );
$end = ( isset( $_GET['mt_end'] ) ) ? $_GET['mt_end'] : mt_date( 'Y-m-d' );
$start = ( isset( $_GET['mt_start'] ) ) ? sanitize_text_field( $_GET['mt_start'] ) : mt_date( 'Y-m-d', strtotime( '-1 month' ) );
$end = ( isset( $_GET['mt_end'] ) ) ? sanitize_text_field( $_GET['mt_end'] ) : mt_date( 'Y-m-d' );
$form = "
<div class='report-by-date'>
<h3>" . __( 'Sales Report by Date', 'my-tickets' ) . "</h3>
Expand Down Expand Up @@ -342,7 +342,7 @@ function mt_email_purchasers() {
</p>
<p>
<label for='mt_body' id='body_label'>" . __( 'Email Body', 'my-tickets' ) . "</label><br />
<textarea name='mt_body' id='mt_body' cols='60' rows='12' aria-labelledby='body_label body_description'>" . esc_attr( $body ) . "</textarea><br />
<textarea name='mt_body' id='mt_body' cols='60' rows='12' aria-labelledby='body_label body_description'>" . esc_textarea( stripslashes( $body ) ) . "</textarea><br />
<span id='body_description'>" . __( 'Use <code>{name}</code> to insert the recipient\'s name', 'my-tickets' ) . "</span>
</p>
<p><input type='checkbox' name='mt-test-email' value='test' id='mt_test_email'> <label for='mt_test_email'>" . __( 'Send test email', 'my-tickets' ) . "</label></p>
Expand Down Expand Up @@ -457,6 +457,7 @@ function mt_purchases( $event_id, $options = array( 'include_failed' => false )
$ticket_count = 0;
$subtotal = 0;
// get total # tickets on purchase.
// get total # tickets on purchase.
// get count of tickets for *this* event on purchase.
// get total paid.
// get total price to get owed (on purchase).
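Review bot: `map_deep( $_GET['options'], 'sanitize_text_field' )` assumes `options` arrives as an array; sent as a scalar (`?options=x`), `map_deep()` returns a string and the later key reads implied by the defaults (`'type'`, `'output'`, `'include_failed'`) operate on a string. Cast before mapping, `map_deep( (array) $_GET['options'], 'sanitize_text_field' )`, and note that a sanitized `include_failed` arrives as a string rather than the boolean `true` used in the default, so strict comparisons downstream may differ. In mt_choose_report_by_date, `mt_start` and `mt_end` are sanitized but not validated as dates; an anchored `Y-m-d` check with a fallback to the `mt_date()` default would keep arbitrary strings out of wherever the range is consumed (outside the hunk). The mt_purchases hunk adds a second copy of the comment `// get total # tickets on purchase.`, which looks accidental. The enclosing functions extend beyond their hunks.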
2 changes: 1 addition & 1 deletion src/mt-settings.php
Expand Up @@ -106,7 +106,7 @@ function mt_settings() {
echo apply_filters( 'mt_settings_fields', '', $options );
?>
<p>
<input type="checkbox" id="mt_html_email" name="mt_html_email" <?php mt_is_checked( 'mt_html_email', 'true', $options ); ?> />
<input type="checkbox" id="mt_html_email" name="mt_html_email" <?php checked( true, mt_is_checked( 'mt_html_email', 'true', $options ) ); ?> />
<label for="mt_html_email"><?php _e( 'Send email as HTML.', 'my-tickets' ); ?></label>
</p>
<p>
26 changes: 13 additions & 13 deletions src/mt-templating.php
Expand Up @@ -138,7 +138,7 @@ function mt_get_payment_tickets() {
*/
function mt_get_receipt_id() {
if ( isset( $_GET['receipt_id'] ) ) {
$receipt_id = esc_attr( $_GET['receipt_id'] );
$receipt_id = sanitize_text_field( $_GET['receipt_id'] );

return $receipt_id;
}
Expand All @@ -150,7 +150,7 @@ function mt_get_receipt_id() {
* @return void
*/
function mt_receipt_id() {
echo sanitize_text_field( mt_get_receipt_id() );
echo esc_html( mt_get_receipt_id() );
}

/**
Expand All @@ -171,7 +171,7 @@ function mt_get_receipt_purchase_id() {
* @return void
*/
function mt_receipt_purchase_id() {
echo sanitize_text_field( mt_get_receipt_purchase_id() );
echo esc_html( mt_get_receipt_purchase_id() );
}

/**
Expand All @@ -196,7 +196,7 @@ function mt_get_cart_purchaser() {
* @return void
*/
function mt_cart_purchaser() {
echo sanitize_text_field( mt_get_cart_purchaser() );
echo esc_html( mt_get_cart_purchaser() );
}

/**
Expand Down Expand Up @@ -287,7 +287,7 @@ function mt_payment_details() {
* @return string
*/
function mt_get_ticket_id() {
$ticket_id = esc_attr( $_GET['ticket_id'] );
$ticket_id = sanitize_text_field( $_GET['ticket_id'] );

return $ticket_id;
}
Expand All @@ -298,7 +298,7 @@ function mt_get_ticket_id() {
* @return void
*/
function mt_ticket_id() {
echo sanitize_text_field( mt_get_ticket_id() );
echo esc_html( mt_get_ticket_id() );
}

/**
Expand All @@ -325,7 +325,7 @@ function mt_get_sequential_id( $ticket_id = false ) {
* @return void
*/
function mt_sequential_id() {
echo sanitize_text_field( mt_get_sequential_id() );
echo esc_html( mt_get_sequential_id() );
}

/**
Expand Down Expand Up @@ -355,7 +355,7 @@ function mt_get_ticket_method( $ticket_id = false ) {
* @return void
*/
function mt_ticket_method( $ticket_id = false ) {
echo sanitize_text_field( mt_get_ticket_method( $ticket_id ) );
echo esc_html( mt_get_ticket_method( $ticket_id ) );
}

/**
Expand Down Expand Up @@ -383,7 +383,7 @@ function mt_get_ticket_purchase_id( $ticket_id = false ) {
* @return void
*/
function mt_ticket_purchase_id( $ticket_id = false ) {
echo sanitize_text_field( mt_get_ticket_purchase_id( $ticket_id ) );
echo esc_html( mt_get_ticket_purchase_id( $ticket_id ) );
}

/**
Expand Down Expand Up @@ -412,7 +412,7 @@ function mt_get_ticket_purchaser( $ticket_id = false ) {
* @return void
*/
function mt_ticket_purchaser( $ticket_id = false ) {
echo sanitize_text_field( mt_get_ticket_purchaser( $ticket_id ) );
echo esc_html( mt_get_ticket_purchaser( $ticket_id ) );
}

/**
Expand Down Expand Up @@ -477,7 +477,7 @@ function mt_get_event_date( $ticket_id = false ) {
* @return void
*/
function mt_event_date( $ticket_id = false ) {
echo sanitize_text_field( mt_get_event_date( $ticket_id ) );
echo wp_kses_post( mt_get_event_date( $ticket_id ) );
}

/**
Expand Down Expand Up @@ -545,7 +545,7 @@ function mt_get_event_time( $ticket_id = false ) {
* @return void
*/
function mt_event_time( $ticket_id = false ) {
echo sanitize_text_field( mt_get_event_time( $ticket_id ) );
echo esc_html( mt_get_event_time( $ticket_id ) );
}

/**
Expand Down Expand Up @@ -581,7 +581,7 @@ function mt_get_ticket_type( $ticket_id = false ) {
* @return void
*/
function mt_ticket_type( $ticket_id = false ) {
echo sanitize_text_field( mt_get_ticket_type( $ticket_id ) );
echo esc_html( mt_get_ticket_type( $ticket_id ) );
}

/**
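Review bot: mt_get_ticket_id reads `$_GET['ticket_id']` without an `isset()` guard, unlike mt_get_receipt_id in the first hunk, so calling it on a page without that parameter raises an undefined-index notice; change it to `$ticket_id = isset( $_GET['ticket_id'] ) ? sanitize_text_field( wp_unslash( $_GET['ticket_id'] ) ) : '';` (the `@return string` docblock already permits an empty string). Switching the echo helpers from `sanitize_text_field()` to `esc_html()` is the right direction: sanitizing is for input, escaping for output. mt_event_date alone now uses `wp_kses_post()`, which permits markup where every sibling escapes it — presumably because `mt_get_event_date()` returns HTML, but that is not visible here; a one-line comment on that `echo` saying why would stop a later edit from "fixing" it to `esc_html()`.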
2 changes: 1 addition & 1 deletion src/mt-tickets.php
Expand Up @@ -18,7 +18,7 @@ function mt_ticket() {
$id = ( '' !== $options['mt_tickets_page'] ) ? $options['mt_tickets_page'] : false;
if ( $id && ( is_single( $id ) || is_page( $id ) ) ) {
if ( ! isset( $_GET['multiple'] ) ) {
if ( isset( $_GET['ticket_id'] ) && mt_verify_ticket( $_GET['ticket_id'] ) ) {
if ( isset( $_GET['ticket_id'] ) && mt_verify_ticket( sanitize_text_field( $_GET['ticket_id'] ) ) ) {
$template = locate_template( 'tickets.php' );
if ( $template ) {
load_template( $template );
23 changes: 8 additions & 15 deletions src/my-tickets.php
Expand Up @@ -750,21 +750,15 @@ function mt_money_format( $price ) {
* @param array $options Field options.
* @param bool $return Return or echo.
*
* @return string|void
* @return bool
*/
function mt_is_checked( $field, $value, $options, $return = false ) {
if ( isset( $options[ $field ] ) && $options[ $field ] === $value ) {
$checked = ' checked="checked"';
} else {
$checked = '';
}
if ( $return ) {
return $checked;
$checked = true;
} else {
echo $checked;
$checked = false;
}

return '';
return $checked;
}

add_action( 'show_user_profile', 'mt_user_profile' );
Expand All @@ -782,7 +776,7 @@ function mt_user_profile() {
$edit_user = $current_user->ID;
}
if ( current_user_can( 'manage_options' ) ) {
echo '<h3>' . __( 'Grant My Tickets Permissions', 'my-tickets' ) . '</h3>';
echo wp_kses_post( '<h3>' . __( 'Grant My Tickets Permissions', 'my-tickets' ) . '</h3>' );
$caps = array(
'mt-verify-ticket' => __( 'Can verify tickets', 'my-tickets' ),
'mt-order-expired' => __( 'Can place orders after expiration dates.', 'my-tickets' ),
Expand All @@ -796,14 +790,13 @@ function mt_user_profile() {
$options .= "<li><input type='checkbox' name='mt_capabilities[]' value='$cap' id='mt_$cap' $checked /> <label for='mt_$cap'>$label</label></li>";
}
$options = "<ul>$options</ul>";
echo $options;
echo wp_kses( $options, mc_kses_elements() );
}
if ( current_user_can( 'mt-copy-cart' ) || current_user_can( 'edit_user' ) ) {
echo '<h3>' . __( 'My Tickets Shopping Cart', 'my-tickets' ) . '</h3>';
echo wp_kses_post( '<h3>' . __( 'My Tickets Shopping Cart', 'my-tickets' ) . '</h3>' );
$cart = mt_get_cart( $edit_user );
$confirmation = mt_generate_cart_table( $cart, 'confirmation' );
echo $confirmation;
echo "<p><a href='" . admin_url( "post-new.php?post_type=mt-payments&amp;cart=$edit_user" ) . "'>" . __( 'Create new payment with this cart', 'my-tickets' ) . '</a></p>';
echo wp_kses( $confirmation . "<p><a href='" . admin_url( "post-new.php?post_type=mt-payments&amp;cart=$edit_user" ) . "'>" . __( 'Create new payment with this cart', 'my-tickets' ) . '</a></p>', mc_kses_elements() );
}
}

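Review bot: `mc_kses_elements()` is called twice in mt_user_profile but is not defined in this hunk, and its `mc_` prefix differs from the `mt_` naming used everywhere else in the commit; if that helper is not available in this plugin, both `echo wp_kses( ... )` lines fatal on the profile page — confirm it exists, or use `wp_kses_post()` as the two `<h3>` lines now do. In mt_is_checked the `$return` parameter is now ignored and the function never echoes, but the docblock still reads `@param bool $return Return or echo.`; update it to `@param bool $return Unused; kept for backward compatibility.` and mention that callers relying on the old echo form now render no attribute. The `wp_kses( $confirmation . "<p><a href='" . admin_url( ... )` line leaves `admin_url()` unescaped inside the attribute; `wp_kses()` checks the protocol, but wrapping it in `esc_url()` as the mt-reports.php hunk does keeps the two consistent. mt_user_profile continues outside the hunk.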
