monei / monei-woocommerce Goto Github PK
View Code? Open in Web Editor NEWWooCommerce module for MONEI
Home Page: https://docs.monei.com/docs/e-commerce/woocommerce/
License: Other
WooCommerce module for MONEI
Home Page: https://docs.monei.com/docs/e-commerce/woocommerce/
License: Other
Administrator messages fail when Woo isn't active.
Need to fix woocommerce_gateway_monei_get_template() usage.
we are stating:
== Installation ==
In order to use this plugin you need to be registered in MONEI
@joseconti is this the flow a normal user would follow?
Add Multibanco payment method, it has no insite option, just a simple redirect, the only difference with Card redirect method is allowedPaymentMethod: [mbway]
parameter
@joseconti can we avoid intermediate screen and redirect right away?
Payment Capture is required. Current implementation is missing Payment capture from admin dashboard
This plugin is incompatible with WooCommerce's active feature "High Performance Order Storage".
https://woocommerce.com/document/high-performance-order-storage/
this header is not being sent from Woo to MONEI API.
--header 'Authorization: <PARTNER_API_KEY>' \
Plugin isn't HPOS ready, WordPress displays :
This plugin is incompatible with the enabled WooCommerce feature 'High-Performance order storage', it shouldn't be activated
When you include POST/GET/REQUEST/FILE calls in your plugin, it's important to sanitize, validate, and escape them. The goal here is to prevent a user from accidentally sending trash data through the system, as well as protecting them from potential security issues.
SANITIZE: Data that is input (either by a user or automatically) must be sanitized as soon as possible. This lessens the possibility of XSS vulnerabilities and MITM attacks where posted data is subverted.
VALIDATE: All data should be validated, no matter what. Even when you sanitize, remember that you don’t want someone putting in ‘dog’ when the only valid values are numbers.
ESCAPE: Data that is output must be escaped properly when it is echo'd, so it can't hijack admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data.
To help you with this, WordPress comes with a number of sanitization and escaping functions. You can read about those here:
https://developer.wordpress.org/apis/security/sanitizing/
https://developer.wordpress.org/apis/security/escaping/
Remember: You must use the most appropriate functions for the context. If you’re sanitizing email, use sanitize_email(), if you’re outputting HTML, use wp_kses_post(), and so on.
An easy mantra here is this:
Sanitize early
Escape Late
Always Validate
Clean everything, check everything, escape everything, and never trust the users to always have input sane data. After all, users come from all walks of life.
Example(s) from your plugin:
monei/includes/addons/class-wc-monei-addons-redirect-hooks.php:41 $payment_id = filter_input( INPUT_GET, 'id' );
monei/includes/class-wc-monei-redirect-hooks.php:84 $order_id = filter_input( INPUT_GET, 'orderId' );
monei/class-woocommerce-gateway-monei.php:140 if ( wp_verify_nonce( $_GET['_monei_hide_new_version_nonce'], 'monei_hide_new_version_nonce' ) ) {
monei/includes/addons/class-wc-monei-addons-redirect-hooks.php:86 $payment_id = filter_input( INPUT_GET, 'id' );
monei/includes/class-wc-monei-ipn.php:39 $payload = $this->verify_signature_get_payload( $raw_body, $_SERVER['HTTP_MONEI_SIGNATURE'] );
monei/includes/class-wc-monei-redirect-hooks.php:37 $order->add_order_note( __( 'MONEI Status: ', 'monei' ) . esc_html( $_GET['status'] ) );
-----> esc_html($_GET['status'])
monei/includes/addons/class-wc-monei-apple-pay-verification.php:39 $domain = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : str_replace( array( 'https://', 'http://' ), '', get_site_url() ); // @codingStandardsIgnoreLine
monei/includes/class-wc-monei-ipn.php:35 $raw_body = @file_get_contents( 'php://input' );
... out of a total of 18 coincidences.
Note: escape functions cannot be used to sanitize. They serve different purposes. Even if they seem to be perfect for this purpose, most of the functions are filterable and people expect to use them to escape. Therefore, another plugin may change what they do and make yours at risk and exploitable.
If you are trying to echo the variable, you have to first sanitize it and then escape it, as for example:
echo esc_html(sanitize_text_field($_POST['example']));
Example(s) from your plugin:
monei/includes/class-wc-monei-redirect-hooks.php:40 wc_add_notice( esc_html( $_GET['message'] ), 'error' );
monei/includes/class-wc-monei-redirect-hooks.php:37 $order->add_order_note( __( 'MONEI Status: ', 'monei' ) . esc_html( $_GET['status'] ) );
-----> esc_html($_GET['status'])
monei/includes/class-wc-monei-redirect-hooks.php:43 WC_Monei_Logger::log( __( 'MONEI Status: ', 'monei' ) . esc_html( $_GET['status'] ) );
-----> esc_html($_GET['status'])
monei/includes/class-wc-monei-redirect-hooks.php:38 $order->add_order_note( __( 'MONEI message: ', 'monei' ) . esc_html( $_GET['message'] ) );
-----> esc_html($_GET['message'])
... out of a total of 5 coincidences.
Note: When checking a nonce using wp_verify_nonce you will need to sanitize the input using wp_unslash AND sanitize_text_field, this is because this function is pluggable, and extenders should not trust its input values.
Example:
if ( ! isset( $_POST['prefix_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash ( $_POST['prefix_nonce'] ) ) , 'prefix_nonce' ) )
Example(s) from your plugin:
monei/class-woocommerce-gateway-monei.php:140 if ( wp_verify_nonce( $_GET['_monei_hide_new_version_nonce'], 'monei_hide_new_version_nonce' ) ) {
monei/includes/payment-methods/class-wc-gateway-monei-cc.php:152 if ( ! wp_verify_nonce( $_POST['woocommerce-add-payment-method-nonce'], 'woocommerce-add-payment-method' ) ) {
Note: When using functions like filter_var, filter_var_array, filter_input and/or filter_input_array you will need to set the FILTER parameter to any kind of filter that sanitizes the input.
Leaving the filter parameter empty, PHP by default will apply the filter "FILTER_DEFAULT" which is not sanitizing at all.
Example:
$post_id = filter_input(INPUT_GET, 'post_id', FILTER_SANITIZE_NUMBER_INT);
Example(s) from your plugin:
monei/includes/class-wc-monei-redirect-hooks.php:76 $error_message = filter_input( INPUT_GET, 'message' );
monei/includes/class-wc-monei-redirect-hooks.php:84 $order_id = filter_input( INPUT_GET, 'orderId' );
monei/includes/addons/class-wc-monei-addons-redirect-hooks.php:42 $order_id = filter_input( INPUT_GET, 'orderId' );
monei/includes/class-wc-monei-redirect-hooks.php:83 $payment_id = filter_input( INPUT_GET, 'id' );
... out of a total of 7 coincidences.
Much related to sanitizing everything, all variables that are echoed need to be escaped when they're echoed, so it can't hijack users or (worse) admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data, as well as some that will allow you to echo HTML safely.
At this time, we ask you escape all $-variables, options, and any sort of generated data when it is being echoed. That means you should not be escaping when you build a variable, but when you output it at the end. We call this 'escaping late.'
Besides protecting yourself from a possible XSS vulnerability, escaping late makes sure that you're keeping the future you safe. While today your code may be only outputted hardcoded content, that may not be true in the future. By taking the time to properly escape when you echo, you prevent a mistake in the future from becoming a critical security issue.
This remains true of options you've saved to the database. Even if you've properly sanitized when you saved, the tools for sanitizing and escaping aren't interchangeable. Sanitizing makes sure it's safe for processing and storing in the database. Escaping makes it safe to output.
Also keep in mind that sometimes a function is echoing when it should really be returning content instead. This is a common mistake when it comes to returning JSON encoded content. Very rarely is that actually something you should be echoing at all. Echoing is because it needs to be on the screen, read by a human. Returning (which is what you would do with an API) can be json encoded, though remember to sanitize when you save to that json object!
There are a number of options to secure all types of content (html, email, etc). Yes, even HTML needs to be properly escaped.
https://developer.wordpress.org/apis/security/escaping/
Remember: You must use the most appropriate functions for the context. There is pretty much an option for everything you could echo. Even echoing HTML safely.
Example(s) from your plugin:
monei/includes/payment-methods/class-wc-gateway-monei-hosted-cofidis.php:119 echo $this->description;
monei/includes/payment-methods/class-wc-gateway-monei-cc.php:224 _e( 'Pay via MONEI: you can add your payment method for future payments.', 'monei' );
Note: The functions _e and _ex outputs the translation without escaping, please use an alternative function that escapes the output.
An alternative to _e would be esc_html_e, esc_attr_e or simply using __ wrapped by a escaping function and inside an echo.
An alternative to _ex would be using _x wrapped by a escaping function and inside an echo.
Examples:
<h2><?php esc_html_e('Settings page', 'plugin-slug'); ?></h2>
<h2><?php echo esc_html(__('Settings page', 'plugin-slug')); ?></h2>
<h2><?php echo esc_html(_x('Settings page', 'Settings page title', 'plugin-slug')); ?></h2>
Example(s) from your plugin:
monei/includes/payment-methods/class-wc-gateway-monei-cc.php:224 _e( 'Pay via MONEI: you can add your payment method for future payments.', 'monei' );
Direct file access is when someone directly queries your file. This can be done by simply entering the complete path to the file in the URL bar of the browser but can also be done by doing a POST request directly to the file. For files that only contain a PHP class the risk of something funky happening when directly accessed is pretty small. For files that contain procedural code, functions and function calls, the chance of security risks is a lot bigger.
You can avoid this by putting this code at the top of all PHP files that could potentially execute code if accessed directly :
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
Example(s) from your plugin:
monei/templates/notice-admin-new-install.php:3
monei/templates/notice-admin-gateway-not-available.php:1
monei/templates/notice-admin-dependency.php:2
Add Multibanco payment method, it has no insite option, just a simple redirect, the only difference with Card redirect method is allowedPaymentMethod: [multibanco]
parameter
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.