Updated version and enhanced security

- Bumped up the version number in multiple files - Added nonce verification for form submission to enhance security - Escaped HTML output in various places to prevent potential XSS attacks - Fixed some minor issues with input fields and select options
SimPaypl · Aug 17, 2024 · c3e420d · c3e420d
1 parent cef0c82
commit c3e420d
Show file tree

Hide file tree

Showing 10 changed files with 28 additions and 19 deletions.
diff --git a/composer.json b/composer.json
@@ -1,6 +1,6 @@
 {
  "name": "simpay/simpay-wordpress",
- "version": "2.2.3",
+ "version": "2.2.4",
  "type": "library",
  "require": {
  "simpaypl/simpay": "^2.2"

diff --git a/readme.txt b/readme.txt
@@ -4,7 +4,7 @@ Donate link: https://darkgl.pl/
 Tags: simpay, payments, directbiling, sms
 Requires at least: 6.0
 Tested up to: 6.6.1
-Stable tag: 2.2.3
+Stable tag: 2.2.4
 Requires PHP: 8.1
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html

diff --git a/simpay-wordpress.php b/simpay-wordpress.php
@@ -4,7 +4,7 @@
  * Plugin Name: SimPay Wordpress
  * Plugin URI: https://simpay.pl
  * Description: Use SimPay SMS service to use during registration or access to the post.
- * Version: 2.2.3
+ * Version: 2.2.4
  * Author: SimPay
  * Author URI: https://simpay.pl
  * License: GPL-2.0+

diff --git a/src/Modules/PaywallMode/Hooks/AddPaywallOnPost.php b/src/Modules/PaywallMode/Hooks/AddPaywallOnPost.php
@@ -85,6 +85,10 @@ private function showNotLoggedInAlert(): string
  */
  private function handlePaywallForm(mixed $wpQuery): ?string
  {
+ if (!isset($_POST['_simpay_nonce']) || !wp_verify_nonce($_POST['_simpay_nonce'], 'simpay_paywall_nonce')) {
+ return '';
+ }
+
  if (isset($_POST['sms_code'])) {
  if ($error = $this->validateSmsForm()) {
  $this->renderSimPayPaymentForm(get_the_ID(), $error);
@@ -138,6 +142,7 @@ public function renderSimPayPaymentForm(int $postId, string $error = null): void
  'smsNumber' => $smsNumber->getNumber(),
  'smsPrice' => $smsNumber->getPriceGross(),
  'smsCode' => $this->simPayService->getSmsCode()->getCode(),
+ '_simpay_nonce' => wp_create_nonce('simpay_paywall_nonce'),
  ]);
  }
 

diff --git a/view/admin/settings/partials/field-checkbox.php b/view/admin/settings/partials/field-checkbox.php
@@ -5,5 +5,5 @@
 <input
  id="<?php echo esc_html($args['name']); ?>"
  type="checkbox"
- name="<?php echo $args['name']; ?>"
+ name="<?php echo esc_html($args['name']); ?>"
  <?php echo $args['value'] ? 'checked' : ''; ?>>
diff --git a/view/admin/settings/partials/field-input.php b/view/admin/settings/partials/field-input.php
@@ -13,9 +13,10 @@
 $args = array_merge($defaultArgs, $args);
 ?>
 
-<input id="<?php echo $args['name']; ?>"
- type="<?php echo $args['type']; ?>"
- type="<?php echo $args['value']; ?>"
- name="<?php echo $args['name']; ?>"
- placeholder="<?php echo $args['placeholder']; ?>"
- value="<?php echo $args['value']; ?>">
+<input
+ id="<?php echo esc_html($args['name']); ?>"
+ type="<?php echo esc_html($args['type']); ?>"
+ type="<?php echo esc_html($args['value']); ?>"
+ name="<?php echo esc_html($args['name']); ?>"
+ placeholder="<?php echo esc_html($args['placeholder']); ?>"
+ value="<?php echo esc_html($args['value']); ?>">
diff --git a/view/admin/settings/partials/field-select.php b/view/admin/settings/partials/field-select.php
@@ -21,9 +21,9 @@ class='post_form'
  $disabledReason = '';
  }
  ?>
- <option value="<?php echo $optionValue; ?>" <?php echo $checked; ?><?php echo $disabled; ?>>
- <?php echo $optionTitle; ?>
- <?php echo $disabledReason; ?>
+ <option value="<?php echo esc_html($optionValue); ?>" <?php echo esc_html($checked); ?><?php echo esc_html($disabled); ?>>
+ <?php echo esc_html($optionTitle); ?>
+ <?php echo esc_html($disabledReason); ?>
  </option>
  <?php } ?>
 </select>
diff --git a/view/public/paywall/access-denied-alert.php b/view/public/paywall/access-denied-alert.php
@@ -7,7 +7,7 @@
  <p>Dostęp do treści na tej stronie jest zarezerwowany tylko dla płatnych użytkowników.</p>
  <?php if (isset($error) && null !== $error) { ?>
  <p>
- <?php echo $error; ?>
+ <?php echo esc_html($error); ?>
  </p>
  <?php } ?>
  <?php if (isset($showNotLoggedInInfo) && true === $showNotLoggedInInfo) { ?>

diff --git a/view/public/paywall/payment-form.php b/view/public/paywall/payment-form.php
@@ -5,11 +5,14 @@
 <div class="simpay-paywall-payment-form">
  <p class="message">
  Aby uzyskać dostęp, wyślij SMS na numer
- <strong><?php echo $smsNumber; ?></strong> o treści
- <strong><?php echo $smsCode; ?></strong>. Koszt SMS to
- <strong><?php echo $smsPrice; ?> zł (brutto)</strong>
+ <strong><?php echo esc_html($smsNumber); ?></strong> o treści
+ <strong><?php echo esc_html($smsCode); ?></strong>. Koszt SMS
+ to
+ <strong><?php echo esc_html($smsPrice); ?> zł
+ (brutto)</strong>
  </p>
  <form method="post">
+ <?php wp_nonce_field('simpay_paywall_nonce', '_simpay_nonce'); ?>
  <input type="text" name="sms_code" id="sms_code" class="input" size="25" placeholder="Kod SMS" required />
  <input type="hidden" name="post_id"
  value="<?php echo esc_html($postId); ?>">

diff --git a/view/public/register/register-form.php b/view/public/register/register-form.php
@@ -4,8 +4,8 @@
 
 <p class="message">
  Aby się zarejestrować, wyślij SMS <br>na numer
- <strong><?php echo $smsNumber; ?></strong><br>
- o treści <strong><?php echo $smsCode; ?></strong>.<br>
+ <strong><?php echo esc_html($smsNumber); ?></strong><br>
+ o treści <strong><?php echo esc_html($smsCode); ?></strong>.<br>
  Koszt SMS to <strong><?php echo esc_html($smsPrice); ?> zł
  (brutto)</strong>
 </p>