Updated version and enhanced security

- Bumped up the version number in multiple files - Added nonce verification for form submission to enhance security - Escaped HTML output in various places to prevent potential XSS attacks - Fixed some minor issues with input fields and select options
SimPaypl · Aug 17, 2024 · c3e420d · c3e420d
1 parent cef0c82
commit c3e420d
Show file tree

Hide file tree

Showing 10 changed files with 28 additions and 19 deletions.
diff --git a/composer.json b/composer.json
@@ -1,6 +1,6 @@
 {
     "name": "simpay/simpay-wordpress",
-    "version": "2.2.3",
+    "version": "2.2.4",
     "type": "library",
     "require": {
         "simpaypl/simpay": "^2.2"

diff --git a/readme.txt b/readme.txt
@@ -4,7 +4,7 @@ Donate link: https://darkgl.pl/
 Tags: simpay, payments, directbiling, sms
 Requires at least: 6.0
 Tested up to: 6.6.1
-Stable tag: 2.2.3
+Stable tag: 2.2.4
 Requires PHP: 8.1
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html

diff --git a/simpay-wordpress.php b/simpay-wordpress.php
@@ -4,7 +4,7 @@
  * Plugin Name:       SimPay Wordpress
  * Plugin URI:        https://simpay.pl
  * Description:       Use SimPay SMS service to use during registration or access to the post.
- * Version:           2.2.3
+ * Version:           2.2.4
  * Author:            SimPay
  * Author URI:        https://simpay.pl
  * License:           GPL-2.0+

diff --git a/src/Modules/PaywallMode/Hooks/AddPaywallOnPost.php b/src/Modules/PaywallMode/Hooks/AddPaywallOnPost.php
@@ -85,6 +85,10 @@ private function showNotLoggedInAlert(): string
      */
     private function handlePaywallForm(mixed $wpQuery): ?string
     {
+        if (!isset($_POST['_simpay_nonce']) || !wp_verify_nonce($_POST['_simpay_nonce'], 'simpay_paywall_nonce')) {
+            return '';
+        }
+
         if (isset($_POST['sms_code'])) {
             if ($error = $this->validateSmsForm()) {
                 $this->renderSimPayPaymentForm(get_the_ID(), $error);
@@ -138,6 +142,7 @@ public function renderSimPayPaymentForm(int $postId, string $error = null): void
             'smsNumber' => $smsNumber->getNumber(),
             'smsPrice' => $smsNumber->getPriceGross(),
             'smsCode' => $this->simPayService->getSmsCode()->getCode(),
+            '_simpay_nonce' => wp_create_nonce('simpay_paywall_nonce'),
         ]);
     }
 

diff --git a/view/admin/settings/partials/field-checkbox.php b/view/admin/settings/partials/field-checkbox.php
@@ -5,5 +5,5 @@
 <input
     id="<?php echo esc_html($args['name']); ?>"
     type="checkbox"
-    name="<?php echo $args['name']; ?>"
+    name="<?php echo esc_html($args['name']); ?>"
     <?php echo $args['value'] ? 'checked' : ''; ?>>
diff --git a/view/admin/settings/partials/field-input.php b/view/admin/settings/partials/field-input.php
@@ -13,9 +13,10 @@
 $args = array_merge($defaultArgs, $args);
 ?>
 
-<input id="<?php echo $args['name']; ?>"
-    type="<?php echo $args['type']; ?>"
-    type="<?php echo $args['value']; ?>"
-    name="<?php echo $args['name']; ?>"
-    placeholder="<?php echo $args['placeholder']; ?>"
-    value="<?php echo $args['value']; ?>">
+<input
+    id="<?php echo esc_html($args['name']); ?>"
+    type="<?php echo esc_html($args['type']); ?>"
+    type="<?php echo esc_html($args['value']); ?>"
+    name="<?php echo esc_html($args['name']); ?>"
+    placeholder="<?php echo esc_html($args['placeholder']); ?>"
+    value="<?php echo esc_html($args['value']); ?>">
diff --git a/view/admin/settings/partials/field-select.php b/view/admin/settings/partials/field-select.php
@@ -21,9 +21,9 @@ class='post_form'
             $disabledReason = '';
         }
         ?>
-    <option value="<?php echo $optionValue; ?>" <?php echo $checked; ?><?php echo $disabled; ?>>
-        <?php echo $optionTitle; ?>
-        <?php echo $disabledReason; ?>
+    <option value="<?php echo esc_html($optionValue); ?>" <?php echo esc_html($checked); ?><?php echo esc_html($disabled); ?>>
+        <?php echo esc_html($optionTitle); ?>
+        <?php echo esc_html($disabledReason); ?>
     </option>
     <?php } ?>
 </select>
diff --git a/view/public/paywall/access-denied-alert.php b/view/public/paywall/access-denied-alert.php
@@ -7,7 +7,7 @@
     <p>Dostęp do treści na tej stronie jest zarezerwowany tylko dla płatnych użytkowników.</p>
     <?php if (isset($error) && null !== $error) { ?>
     <p>
-        <?php echo $error; ?>
+        <?php echo esc_html($error); ?>
     </p>
     <?php } ?>
     <?php if (isset($showNotLoggedInInfo) && true === $showNotLoggedInInfo) { ?>

diff --git a/view/public/paywall/payment-form.php b/view/public/paywall/payment-form.php
@@ -5,11 +5,14 @@
 <div class="simpay-paywall-payment-form">
     <p class="message">
         Aby uzyskać dostęp, wyślij SMS na numer
-        <strong><?php echo $smsNumber; ?></strong> o treści
-        <strong><?php echo $smsCode; ?></strong>. Koszt SMS to
-        <strong><?php echo $smsPrice; ?> zł (brutto)</strong>
+        <strong><?php echo esc_html($smsNumber); ?></strong> o treści
+        <strong><?php echo esc_html($smsCode); ?></strong>. Koszt SMS
+        to
+        <strong><?php echo esc_html($smsPrice); ?> zł
+            (brutto)</strong>
     </p>
     <form method="post">
+        <?php wp_nonce_field('simpay_paywall_nonce', '_simpay_nonce'); ?>
         <input type="text" name="sms_code" id="sms_code" class="input" size="25" placeholder="Kod SMS" required />
         <input type="hidden" name="post_id"
             value="<?php echo esc_html($postId); ?>">

diff --git a/view/public/register/register-form.php b/view/public/register/register-form.php
@@ -4,8 +4,8 @@
 
 <p class="message">
     Aby się zarejestrować, wyślij SMS <br>na numer
-    <strong><?php echo $smsNumber; ?></strong><br>
-    o treści <strong><?php echo $smsCode; ?></strong>.<br>
+    <strong><?php echo esc_html($smsNumber); ?></strong><br>
+    o treści <strong><?php echo esc_html($smsCode); ?></strong>.<br>
     Koszt SMS to <strong><?php echo esc_html($smsPrice); ?> zł
         (brutto)</strong>
 </p>