From c65d2f23b3abd3b79afa30df8a6e3386f3a71607 Mon Sep 17 00:00:00 2001
From: Ben Firth <bfirth@squareup.com>
Date: Thu, 18 Jan 2024 14:13:10 +1030
Subject: [PATCH] EIT-3646: Allow custom alphanumeric data to be sent to
 checkout. Also change `deviceId` to `device_id`.

---
 src/HTTP/Response/CreateCheckout.php | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/HTTP/Response/CreateCheckout.php b/src/HTTP/Response/CreateCheckout.php
index 7374909..596ed05 100644
--- a/src/HTTP/Response/CreateCheckout.php
+++ b/src/HTTP/Response/CreateCheckout.php
@@ -55,10 +55,23 @@ public function afterReceive()
 
                     if ($decodedCookie) {
                         $cookieObj = json_decode($decodedCookie, false);
+                        $urlChanged = false;
 
-                        if (isset($cookieObj->deviceId)) {
-                            $bodyObj->redirectCheckoutUrl .= "&deviceId={$cookieObj->deviceId}";
+                        if (isset($cookieObj->deviceId) && preg_match('/^[0-9a-z-]*$/i', $cookieObj->deviceId)) {
+                            $bodyObj->redirectCheckoutUrl .= "&device_id={$cookieObj->deviceId}";
+                            $urlChanged = true;
+                        }
+
+                        if (isset($cookieObj->checkout) && is_object($cookieObj->checkout)) {
+                            foreach ($cookieObj->checkout as $prop => $val) {
+                                if (preg_match('/^[0-9a-z]+$/i', $prop) && preg_match('/^[0-9a-z-]*$/i', $val)) {
+                                    $bodyObj->redirectCheckoutUrl .= "&{$prop}={$val}";
+                                    $urlChanged = true;
+                                }
+                            }
+                        }
 
+                        if ($urlChanged) {
                             $this->setRawBody(json_encode($bodyObj, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
                         }
                     }