fix: sanitizing and escaping data (#717)
saimonh3 authored and sabbir1991 committed Dec 18, 2019
1 parent 092d6a8 commit c318d8e
Showing 31 changed files with 93 additions and 95 deletions.
2 changes: 1 addition & 1 deletion classes/admin-user-profile.php
Expand Up @@ -318,7 +318,7 @@ function add_meta_fields( $user ) {
<td>
<select id="dokan_admin_percentage_type" name="dokan_admin_percentage_type">
<?php foreach ( dokan_commission_types() as $key => $value ) : ?>
<option value="<?php echo wc_clean( $key ); ?>" <?php selected( $admin_commission_type, $key ); ?>><?php echo $value ?></option>
<option value="<?php echo esc_attr( $key ); ?>" <?php selected( $admin_commission_type, $key ); ?>><?php echo esc_attr( $value ); ?></option>
<?php endforeach; ?>
</select>
<p class="description"><?php esc_html_e( 'Set the commmission type admin gets from this seller', 'dokan-lite' ); ?></p>
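Review bot: On the new `<option>` line, `$value` is rendered as element text content, so `esc_html( $value )` is the context-appropriate escaper rather than `esc_attr( $value )`; `esc_attr( $key )` on the value attribute is correct. Both functions neutralise the same characters, so this is about matching the escaper to the output context, as the description line below already does with `esc_html_e`. Proposed: `<option value="<?php echo esc_attr( $key ); ?>" <?php selected( $admin_commission_type, $key ); ?>><?php echo esc_html( $value ); ?></option>`. add_meta_fields starts outside the hunk.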
50 changes: 23 additions & 27 deletions classes/ajax.php
Expand Up @@ -84,7 +84,7 @@ function create_product() {
wp_send_json_error( __( 'You have no permission to do this action', 'dokan-lite' ) );
}

$submited_data = isset( $_POST['postdata'] ) ? wp_unslash( $_POST['postdata'] ): '';
$submited_data = isset( $_POST['postdata'] ) ? wp_unslash( $_POST['postdata'] ): ''; // WPCS: input var ok, CSRF ok, sanitization ok.

parse_str( $submited_data, $postdata );

Expand Down Expand Up @@ -113,7 +113,7 @@ function create_product() {
function shop_url_check() {
global $user_ID;

$nonce = isset( $_POST['_nonce'] ) ? sanitize_text_field( $_POST['_nonce'] ) : '';
$nonce = isset( $_POST['_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_nonce'] ) ) : '';

if ( ! wp_verify_nonce( $nonce, 'dokan_reviews' ) ) {
wp_send_json_error( array(
Expand All @@ -122,7 +122,7 @@ function shop_url_check() {
) );
}

$url_slug = isset( $_POST['url_slug'] ) ? sanitize_text_field( $_POST['url_slug'] ) : '';
$url_slug = isset( $_POST['url_slug'] ) ? sanitize_text_field( wp_unslash( $_POST['url_slug'] ) ) : '';
$check = true;
$user = get_user_by( 'slug', $url_slug );

Expand Down Expand Up @@ -173,7 +173,7 @@ function complete_order() {
wp_die( esc_html__( 'You have taken too long. Please go back and retry.', 'dokan-lite' ) );
}

$order_id = isset( $_GET['order_id'] ) && $_GET['order_id'] ? (int) $_GET['order_id'] : 0;
$order_id = ! empty( $_GET['order_id'] ) ? intval( $_GET['order_id'] ) : 0;

if ( ! $order_id ) {
die();
Expand Down Expand Up @@ -208,7 +208,7 @@ function process_order() {
wp_die( esc_html__( 'You have taken too long. Please go back and retry.', 'dokan-lite' ) );
}

$order_id = isset( $_GET['order_id'] ) && $_GET['order_id'] ? (int) $_GET['order_id'] : 0;
$order_id = ! empty( $_GET['order_id'] ) ? intval( $_GET['order_id'] ) : 0;

if ( ! $order_id ) {
die();
Expand Down Expand Up @@ -294,7 +294,7 @@ function change_order_status() {
}

$order_id = isset( $_POST['order_id'] ) ? intval( $_POST['order_id'] ) : '';
$order_status = isset( $_POST['order_status'] ) ? sanitize_text_field( $_POST['order_status'] ) : '';
$order_status = isset( $_POST['order_status'] ) ? sanitize_text_field( wp_unslash( $_POST['order_status'] ) ) : '';

$order = wc_get_order( $order_id );
$order->update_status( $order_status );
Expand Down Expand Up @@ -383,8 +383,8 @@ public function add_order_note() {
}

$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : '';
$note = isset( $_POST['note'] ) ? sanitize_textarea_field( $_POST['note'] ) : '';
$note_type = isset( $_POST['note_type'] ) ? sanitize_text_field( $_POST['note_type'] ) : '';
$note = isset( $_POST['note'] ) ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) ) : '';
$note_type = isset( $_POST['note_type'] ) ? sanitize_text_field( wp_unslash( $_POST['note_type'] ) ) : '';

$is_customer_note = ( $note_type == 'customer' ) ? 1 : 0;

Expand All @@ -411,7 +411,7 @@ public function add_order_note() {
*/
public function add_shipping_tracking_info() {

if ( isset( $_POST['dokan_security_nonce'] ) && ! wp_verify_nonce( $_POST['dokan_security_nonce'], 'dokan_security_action' ) ) {
if ( isset( $_POST['dokan_security_nonce'] ) && ! wp_verify_nonce( sanitize_key( $_POST['dokan_security_nonce'] ), 'dokan_security_action' ) ) {
die( -1 );
}

Expand All @@ -424,8 +424,8 @@ public function add_shipping_tracking_info() {
}

$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
$shipping_provider = isset( $_POST['shipping_provider'] ) ? sanitize_text_field( $_POST['shipping_provider'] ) : '';
$shipping_number = isset( $_POST['shipping_number'] ) ? sanitize_text_field( $_POST['shipping_number'] ) : '';
$shipping_provider = isset( $_POST['shipping_provider'] ) ? sanitize_text_field( wp_unslash( $_POST['shipping_provider'] ) ) : '';
$shipping_number = isset( $_POST['shipping_number'] ) ? sanitize_text_field( wp_unslash( $_POST['shipping_number'] ) ) : '';
$shipping_number = trim( stripslashes( $shipping_number ) );
$shipped_date = isset( $_POST['shipped_date'] ) ? trim( sanitize_text_field( wp_unslash( $_POST['shipped_date'] ) ) ) : '';

Expand All @@ -450,8 +450,8 @@ public function add_shipping_tracking_info() {
'comment_type' => 'order_note',
'comment_parent' => 0,
'user_id' => dokan_get_current_user_id(),
'comment_author_IP' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
'comment_agent' => isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '',
'comment_author_IP' => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
'comment_agent' => isset( $_SERVER['HTTP_USER_AGENT'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ) : '',
'comment_date' => $time,
'comment_approved' => 1,
);
Expand Down Expand Up @@ -493,7 +493,7 @@ public function delete_order_note() {
die( -1 );
}

$note_id = isset( $_POST['note_id'] ) ? (int) sanitize_text_field( $_POST['note_id'] ) : '';
$note_id = isset( $_POST['note_id'] ) ? intval( $_POST['note_id'] ) : '';

if ( $note_id > 0 ) {
wp_delete_comment( $note_id );
Expand All @@ -510,7 +510,7 @@ public function delete_order_note() {
*/
public function seller_listing_search() {

$nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';
$nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_key( $_REQUEST['_wpnonce'] ) : '';

if ( ! $nonce || ! wp_verify_nonce( $nonce, 'dokan-seller-listing-search' ) ) {
wp_send_json_error( __( 'Error: Nonce verification failed', 'dokan-lite' ) );
Expand All @@ -525,25 +525,22 @@ public function seller_listing_search() {
'offset' => $offset,
);

$search_term = isset( $_REQUEST['search_term'] ) ? sanitize_text_field( $_REQUEST['search_term'] ) : '';
$pagination_base = isset( $_REQUEST['pagination_base'] ) ? sanitize_text_field( $_REQUEST['pagination_base'] ) : '';
$search_term = isset( $_REQUEST['search_term'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['search_term'] ) ) : '';
$pagination_base = isset( $_REQUEST['pagination_base'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['pagination_base'] ) ) : '';
$per_row = isset( $_REQUEST['per_row'] ) ? absint( $_REQUEST['per_row'] ) : '3';

if ( '' != $search_term ) {

$seller_args['meta_query'] = array(
array(
'key' => 'dokan_store_name',
'value' => $search_term,
'compare' => 'LIKE',
),

);
}

$seller_args = apply_filters( 'dokan_seller_listing_search_args', $seller_args, $_REQUEST );

$sellers = dokan_get_sellers( $seller_args );
$sellers = dokan_get_sellers( $seller_args );

$template_args = apply_filters( 'dokan_store_list_args', array(
'sellers' => $sellers,
Expand Down Expand Up @@ -633,10 +630,9 @@ public function crop_store_banner() {
public function json_search_product() {
check_ajax_referer( 'search-products', 'security' );

$_term = isset( $_GET['term'] ) ? sanitize_text_field( $_GET['term'] ) : '';
$term = wc_clean( empty( $term ) ? $_term : $term );
$term = ! empty( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
$include_variations = ! empty( $_GET['include_variations'] ) ? true : false;
$user_ids = ! empty( $_GET['user_ids'] ) ? sanitize_text_field( $_GET['user_ids'] ) : false;
$user_ids = ! empty( $_GET['user_ids'] ) ? sanitize_text_field( wp_unslash( $_GET['user_ids'] ) ) : false;

if ( empty( $term ) ) {
wp_die();
Expand All @@ -645,11 +641,11 @@ public function json_search_product() {
$ids = dokan_search_seller_products( $term, $user_ids, '', (bool) $include_variations );

if ( ! empty( $_GET['exclude'] ) ) {
$ids = array_diff( $ids, (array) sanitize_text_field( $_GET['exclude'] ) );
$ids = array_diff( $ids, (array) sanitize_text_field( wp_unslash( $_GET['exclude'] ) ) );
}

if ( ! empty( $_GET['include'] ) ) {
$ids = array_intersect( $ids, (array) sanitize_text_field( $_GET['include'] ) );
$ids = array_intersect( $ids, (array) sanitize_text_field( wp_unslash( $_GET['include'] ) ) );
}

if ( ! empty( $_GET['limit'] ) ) {
Expand Down Expand Up @@ -680,7 +676,7 @@ public function dokan_json_search_vendor_customers() {
wp_die( -1 );
}

$term = isset( $_GET['term'] ) ? sanitize_text_field( $_GET['term'] ) : '';
$term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
$exclude = array();
$limit = '';

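Review bot: In add_shipping_tracking_info the nonce check on the new line `if ( isset( $_POST['dokan_security_nonce'] ) && ! wp_verify_nonce( ... ) )` only runs when the field is present, so a request without `dokan_security_nonce` never reaches `wp_verify_nonce()`; the commit swaps in `sanitize_key()` but keeps that logic. It should fail closed: `if ( ! isset( $_POST['dokan_security_nonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['dokan_security_nonce'] ) ), 'dokan_security_action' ) ) {`. The method body continues outside the hunk, so a later capability check may limit the impact, but the nonce should still be mandatory. Two smaller points in the same file: `$shipping_number = trim( stripslashes( $shipping_number ) );` now strips slashes a second time after `wp_unslash()` and can drop legitimate backslashes, and in json_search_product `(array) sanitize_text_field( wp_unslash( $_GET['exclude'] ) )` (likewise `include`) hands a possibly-array value to a string sanitizer, where product ids are better handled as `array_map( 'absint', (array) wp_unslash( $_GET['exclude'] ) )`.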
4 changes: 2 additions & 2 deletions classes/seller-setup-wizard.php
Expand Up @@ -328,7 +328,7 @@ public function dokan_setup_store_save() {
return;
}

$nonce = sanitize_text_field( $_POST['_wpnonce'] );
$nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) );

if ( ! wp_verify_nonce( $nonce, 'dokan-seller-setup' ) ) {
return;
Expand All @@ -337,7 +337,7 @@ public function dokan_setup_store_save() {
$dokan_settings = $this->store_info;

$dokan_settings['store_ppp'] = isset( $_POST['store_ppp'] ) ? absint( $_POST['store_ppp'] ) : '';
$dokan_settings['address'] = isset( $_POST['address'] ) ? array_map( 'sanitize_text_field', $_POST['address'] ) : array();
$dokan_settings['address'] = isset( $_POST['address'] ) ? array_map( 'sanitize_text_field', wp_unslash( $_POST['address'] ) ) : array();
$dokan_settings['show_email'] = isset( $_POST['show_email'] ) ? 'yes' : 'no';

update_user_meta( $this->store_id, 'dokan_profile_settings', $dokan_settings );
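Review bot: The new `$dokan_settings['address'] = isset( $_POST['address'] ) ? array_map( 'sanitize_text_field', wp_unslash( $_POST['address'] ) ) : array();` assumes `address` is an array; a scalar value makes `array_map()` throw a TypeError on PHP 8 (a warning and null on older versions), and a nested array reaches `sanitize_text_field()` as an array element. Guard the shape: `$dokan_settings['address'] = ( isset( $_POST['address'] ) && is_array( $_POST['address'] ) ) ? array_map( 'sanitize_text_field', wp_unslash( $_POST['address'] ) ) : array();`. The nonce line `$nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) );` reads the key without an `isset()`; the `return;` just above suggests a guard exists, but it is outside the hunk. dokan_setup_store_save begins outside the hunk.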
4 changes: 2 additions & 2 deletions classes/template-withdraw.php
Expand Up @@ -371,8 +371,8 @@ function show_alert_messages() {
*/
function withdraw_form( $validate = '' ) {

$get_data = wp_unslash( $_GET );
$post_data = wp_unslash( $_POST );
$get_data = wp_unslash( $_GET ); // WPCS: CSRF ok
$post_data = wp_unslash( $_POST ); // WPCS: CSRF ok

global $current_user;

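Review bot: The `// WPCS: CSRF ok` annotation added to `$get_data = wp_unslash( $_GET );` and `$post_data = wp_unslash( $_POST );` silences the nonce sniff for every later read from these arrays, but nothing in the hunk shows where the nonce is verified; withdraw_form's body continues outside the hunk. If verification happens further down or in the caller, say so in the annotation so the next reader can check it, e.g. `// WPCS: CSRF ok — nonce verified in <name of verifying function>`; if it does not, the annotation hides a real gap rather than documenting a decision. The same bare annotation is added in includes/admin-functions.php (`$_post_data = wp_unslash( $_POST ); // WPCS: CSRF ok.` and the `dokan_product_author_override` read) and in includes/class-registration.php (both `$post_data = wp_unslash( $_POST );` lines).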
2 changes: 1 addition & 1 deletion dokan.php
Expand Up @@ -527,7 +527,7 @@ public function render_missing_woocommerce_notice() {
$plugin_url = self_admin_url( 'plugin-install.php?s=woocommerce&tab=search&type=term' );
$message = sprintf( esc_html__( 'Dokan requires WooCommerce to be installed and active. You can activate %s here.', 'dokan-lite' ), '<a href="' . $plugin_url . '">WooCommerce</a>' );

printf( '<div class="error"><p><strong>%1$s</strong></p></div>', $message );
echo wp_kses_post( sprintf( '<div class="error"><p><strong>%1$s</strong></p></div>', $message ) );
}

/**
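Review bot: Wrapping the notice in `wp_kses_post()` on the new line is reasonable, but `$plugin_url` is still concatenated into `href` unescaped on the context line above; `wp_kses_post()` may well neutralise it, yet `esc_url()` is the explicit, reviewable escaper for a URL attribute. Escape it at the point of use: `'<a href="' . esc_url( $plugin_url ) . '">WooCommerce</a>'`. render_missing_woocommerce_notice starts outside the hunk.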
4 changes: 2 additions & 2 deletions includes/admin-functions.php
Expand Up @@ -720,7 +720,7 @@ function dokan_add_seller_meta_box(){
**/
function dokan_override_product_author_by_admin( $product_id, $post ) {
$product = wc_get_product( $product_id );
$posted_vendor_id = ! empty( $_POST['dokan_product_author_override'] ) ? (int) $_POST['dokan_product_author_override'] : 0;
$posted_vendor_id = ! empty( $_POST['dokan_product_author_override'] ) ? intval( $_POST['dokan_product_author_override'] ) : 0; // WPCS: CSRF ok.

if ( ! $posted_vendor_id ) {
return;
Expand Down Expand Up @@ -775,7 +775,7 @@ function dokan_admin_report_by_seller( $chosen_seller_id) {
$group_by = 'day';
$year = '';
$group_by = apply_filters( 'dokan_report_group_by', $group_by );
$_post_data = wp_unslash( $_POST );
$_post_data = wp_unslash( $_POST ); // WPCS: CSRF ok.
$start_date = isset( $_post_data['start_date'] ) ? sanitize_text_field( $_post_data['start_date'] ) : ''; // WPCS: CSRF ok.
$end_date = isset( $_post_data['end_date'] ) ? sanitize_text_field( $_post_data['end_date'] ) : ''; // WPCS: CSRF ok.
$current_year = date( 'Y' );
2 changes: 1 addition & 1 deletion includes/admin/class-admin.php
Expand Up @@ -63,7 +63,7 @@ public function promotional_offer() {
?>
<div class="notice notice-success is-dismissible" id="dokan-christmas-notice">
<div class="logo">
<img src="<?php echo DOKAN_PLUGIN_ASSEST . '/images/promo-logo.png' ?>" alt="Dokan">
<img src="<?php echo esc_url( DOKAN_PLUGIN_ASSEST . '/images/promo-logo.png' ); ?>" alt="Dokan">
</div>
<div class="content">
<p class="highlight-magento">Biggest Sale of the year on this</p>
25 changes: 15 additions & 10 deletions includes/admin/setup-wizard-no-wc.php
Expand Up @@ -125,7 +125,10 @@ public function install_woocommerce() {
delete_transient( '_wc_activation_redirect' );

if ( is_wp_error( $installed ) ) {
wp_die( $installed->get_error_message(), __( 'Error installing WooCommerce plugin', 'dokan-lite' ) );
wp_die(
esc_html( $installed->get_error_message() ),
esc_html( __( 'Error installing WooCommerce plugin', 'dokan-lite' ) )
);
}

set_transient( 'dokan_setup_wizard_no_wc', true, 15 * MINUTE_IN_SECONDS );
Expand Down Expand Up @@ -224,15 +227,17 @@ public static function add_wc_html_step_start() {
* @return void
*/
public static function save_wc_store_setup_data() {
$address = isset( $_POST['store_address'] ) ? wc_clean( wp_unslash( $_POST['store_address'] ) ) : '';
$address_2 = isset( $_POST['store_address_2'] ) ? wc_clean( wp_unslash( $_POST['store_address_2'] ) ) : '';
$city = isset( $_POST['store_city'] ) ? wc_clean( wp_unslash( $_POST['store_city'] ) ) : '';
$country = isset( $_POST['store_country'] ) ? wc_clean( wp_unslash( $_POST['store_country'] ) ) : '';
$state = isset( $_POST['store_state'] ) ? wc_clean( wp_unslash( $_POST['store_state'] ) ) : '*';
$postcode = isset( $_POST['store_postcode'] ) ? wc_clean( wp_unslash( $_POST['store_postcode'] ) ) : '';
$currency_code = isset( $_POST['currency_code'] ) ? wc_clean( wp_unslash( $_POST['currency_code'] ) ) : '';
$product_type = isset( $_POST['product_type'] ) ? wc_clean( wp_unslash( $_POST['product_type'] ) ) : '';
$sell_in_person = isset( $_POST['sell_in_person'] ) && ( 'on' === wc_clean( wp_unslash( $_POST['sell_in_person'] ) ) );
check_admin_referer( 'dokan-setup' );

$address = isset( $_POST['store_address'] ) ? sanitize_text_field( wp_unslash( $_POST['store_address'] ) ) : '';
$address_2 = isset( $_POST['store_address_2'] ) ? sanitize_text_field( wp_unslash( $_POST['store_address_2'] ) ) : '';
$city = isset( $_POST['store_city'] ) ? sanitize_text_field( wp_unslash( $_POST['store_city'] ) ) : '';
$country = isset( $_POST['store_country'] ) ? sanitize_text_field( wp_unslash( $_POST['store_country'] ) ) : '';
$state = isset( $_POST['store_state'] ) ? sanitize_text_field( wp_unslash( $_POST['store_state'] ) ) : '*';
$postcode = isset( $_POST['store_postcode'] ) ? sanitize_text_field( wp_unslash( $_POST['store_postcode'] ) ) : '';
$currency_code = isset( $_POST['currency_code'] ) ? sanitize_text_field( wp_unslash( $_POST['currency_code'] ) ) : '';
$product_type = isset( $_POST['product_type'] ) ? sanitize_text_field( wp_unslash( $_POST['product_type'] ) ) : '';
$sell_in_person = isset( $_POST['sell_in_person'] ) && ( 'on' === sanitize_text_field( wp_unslash( $_POST['sell_in_person'] ) ) );

update_option( 'woocommerce_store_address', $address );
update_option( 'woocommerce_store_address_2', $address_2 );
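Review bot: The new `check_admin_referer( 'dokan-setup' );` proves the request was intended, but save_wc_store_setup_data goes on to write WooCommerce store options without a visible capability check, and a nonce is not authorization. Unless the wizard controller already gates this method (its caller is outside the hunk), add `if ( ! current_user_can( 'manage_options' ) ) { wp_die( -1 ); }` before the `$_POST` reads. `$country`, `$state` and `$currency_code` are stored as free text after `sanitize_text_field()`; if WooCommerce's country and currency lists are available at this point, validating against them would be stricter than text sanitisation.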
4 changes: 2 additions & 2 deletions includes/admin/setup-wizard-wc-admin.php
Expand Up @@ -285,7 +285,7 @@ class="switch-input"
type="checkbox"
name="wc-wizard-service-<?php echo esc_attr( $item_id ); ?>-enabled"
value="yes" <?php checked( $should_enable_toggle ); ?>
data-plugins="<?php echo wc_esc_json( wp_json_encode( $plugins ) ); ?>"
data-plugins="<?php echo wc_esc_json( wp_json_encode( $plugins ) ); // WPCS: XSS ok. ?>"
>
<label for="wc-wizard-service-<?php echo esc_attr( $item_id ); ?>-enabled" class="switch-label"></label>

Expand Down Expand Up @@ -329,7 +329,7 @@ class="<?php echo esc_attr( 'payment-' . $setting['type'] . '-input' ); ?>"
placeholder="<?php echo esc_attr( $setting['placeholder'] ); ?>"
<?php echo ( $setting['required'] ) ? 'required' : ''; ?>
<?php echo $is_checkbox ? checked( isset( $checked ) && $checked, true, false ) : ''; ?>
data-plugins="<?php echo wc_esc_json( wp_json_encode( isset( $setting['plugins'] ) ? $setting['plugins'] : null ) ); ?>"
data-plugins="<?php echo wc_esc_json( wp_json_encode( isset( $setting['plugins'] ) ? $setting['plugins'] : null ) ); // WPCS: XSS ok. ?>"
/>
<?php if ( ! empty( $setting['description'] ) ) : ?>
<span class="wc-wizard-service-settings-description"><?php echo esc_html( $setting['description'] ); ?></span>
4 changes: 2 additions & 2 deletions includes/class-registration.php
Expand Up @@ -110,7 +110,7 @@ function validate_registration( $error ) {
* @return array
*/
function set_new_vendor_names( $data ) {
$post_data = wp_unslash( $_POST );
$post_data = wp_unslash( $_POST ); // WPCS: CSRF ok.

$allowed_roles = array( 'customer', 'seller' );
$role = ( isset( $post_data['role'] ) && in_array( $post_data['role'], $allowed_roles ) ) ? $post_data['role'] : 'customer';
Expand All @@ -137,7 +137,7 @@ function set_new_vendor_names( $data ) {
* @return void
*/
function save_vendor_info( $user_id, $data ) {
$post_data = wp_unslash( $_POST );
$post_data = wp_unslash( $_POST ); // WPCS: CSRF ok.

if ( ! isset( $data['role'] ) || $data['role'] != 'seller' ) {
return;
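Review bot: The role whitelist on the context line `in_array( $post_data['role'], $allowed_roles )` in set_new_vendor_names uses loose comparison; since this decides which role a self-registering user receives, prefer `in_array( $post_data['role'], $allowed_roles, true )` so only an exact string matches. The commit does not touch that line, but it sits in the hunk being sanitised and is the one place where the sanitised input affects privilege. set_new_vendor_names and save_vendor_info both continue outside the hunk.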