Inspect and fix escape errors

mollie · Aug 22, 2024 · 66bfb86 · 66bfb86
1 parent d5e6e21
commit 66bfb86
Show file tree

Hide file tree

Showing 10 changed files with 37 additions and 24 deletions.
diff --git a/pluginEnvironmentChecker/Constraints/AbstractVersionConstraint.php b/pluginEnvironmentChecker/Constraints/AbstractVersionConstraint.php
@@ -36,7 +36,7 @@ abstract class AbstractVersionConstraint implements ConstraintInterface
 	public function __construct($requiredVersion, $requiredPluginName = null)
 	{
 		$this->requiredVersion = $requiredVersion;
-		$this->requiredPluginName = $requiredPluginName;
+		$this->requiredPluginName = esc_html($requiredPluginName);
 		$this->error = '';
 		$this->message = '';
 	}
@@ -60,11 +60,13 @@ protected function checkVersion($actualVersion)
 		if ($result) {
 			return $result;
 		}
-		throw new ConstraintFailedException(
+        // phpcs:disable WordPress.Security.EscapeOutput.ExceptionNotEscaped
+        throw new ConstraintFailedException(
 			$this,
 			$actualVersion,
 			[$this->error],
 			esc_html($this->message)
 		);
-	}
+        // phpcs:enable WordPress.Security.EscapeOutput.ExceptionNotEscaped
+    }
 }
diff --git a/pluginEnvironmentChecker/Constraints/ExtensionConstraint.php b/pluginEnvironmentChecker/Constraints/ExtensionConstraint.php
@@ -15,7 +15,7 @@ class ExtensionConstraint extends AbstractVersionConstraint
 	public function __construct($requiredVersion)
 	{
 		parent::__construct($requiredVersion);
-		$this->error = 'Required Extension not loaded';
+		$this->error = esc_html('Required Extension not loaded');
 	}
 
 	/**
@@ -25,18 +25,21 @@ public function check()
 	{
 		$this->message = $this->requiredVersion
 			. ' extension is required. Enable it in your server or ask your webhoster to enable it for you.';
+        $this->message = esc_html($this->message);
 		if (function_exists('extension_loaded')
 			&& !extension_loaded(
 				$this->requiredVersion
 			)
 		) {
-			throw new ConstraintFailedException(
+            // phpcs:disable WordPress.Security.EscapeOutput.ExceptionNotEscaped
+            throw new ConstraintFailedException(
 				$this,
 				$this->requiredVersion,
 				[$this->error],
 				$this->message
 			);
-		}
+            // phpcs:enable WordPress.Security.EscapeOutput.ExceptionNotEscaped
+        }
 		return true;
 	}
 }
diff --git a/pluginEnvironmentChecker/Constraints/PluginConstraint.php b/pluginEnvironmentChecker/Constraints/PluginConstraint.php
@@ -18,7 +18,7 @@ class PluginConstraint extends AbstractVersionConstraint
 	public function __construct($requiredVersion, $requiredPluginName, $pluginDisplayName)
 	{
 		parent::__construct($requiredVersion, $requiredPluginName);
-		$this->error = 'Plugin incompatibility';
+		$this->error = esc_html('Plugin incompatibility');
 		$this->requiredPluginName = $requiredPluginName;
 		$this->pluginDisplayName = $pluginDisplayName;
 	}
@@ -33,23 +33,26 @@ public function check()
 		if (!$isPluginActive) {
 			$this->message
 				= "The {$this->pluginDisplayName} plugin must be active. Please install & activate {$this->pluginDisplayName}";
-
+            // phpcs:disable WordPress.Security.EscapeOutput.ExceptionNotEscaped
 			throw new ConstraintFailedException(
 				$this,
-				$this->requiredPluginName,
+                esc_html($this->requiredPluginName),
 				[$this->error],
 				esc_html($this->message)
 			);
-		}
+            // phpcs:enable WordPress.Security.EscapeOutput.ExceptionNotEscaped
+        }
 
 		$pathToPluginFile = $this->absolutePathToPlugin();
 		if (!$pathToPluginFile) {
-			throw new ConstraintFailedException(
+            // phpcs:disable WordPress.Security.EscapeOutput.ExceptionNotEscaped
+            throw new ConstraintFailedException(
 				$this,
-				$this->requiredPluginName,
+                esc_html($this->requiredPluginName),
 				[$this->error],
 				esc_html("Cannot find absolute path to {$this->pluginDisplayName} plugin")
 			);
+            // phpcs:enable WordPress.Security.EscapeOutput.ExceptionNotEscaped
 		}
 		if (!function_exists('get_plugin_data')) {
 			require_once ABSPATH . 'wp-admin/includes/plugin.php';
@@ -59,7 +62,7 @@ public function check()
 		$this->message = "The {$this->pluginDisplayName} plugin has to be version "
 			. $this->requiredVersion
 			. " or higher. Please update your {$this->pluginDisplayName} version.";
-
+        $this->message = esc_html($this->message);
 		return $this->checkVersion(
 			$currentVersion
 		);

diff --git a/pluginEnvironmentChecker/Constraints/WordPressConstraint.php b/pluginEnvironmentChecker/Constraints/WordPressConstraint.php
@@ -12,7 +12,7 @@ class WordPressConstraint extends AbstractVersionConstraint
 	public function __construct($requiredVersion)
 	{
 		parent::__construct($requiredVersion);
-		$this->error = 'Wordpress version incompatibility';
+		$this->error = esc_html('Wordpress version incompatibility');
 	}
 
     /**
@@ -24,6 +24,7 @@ public function check()
 	    $this->message = 'WordPress version has to be '
 		    . $this->requiredVersion
 		    . ' or higher. Please update your WordPress version';
+        $this->message = esc_html($this->message);
 
 	    return $this->checkVersion(
 		    $WPCurrentVersion

diff --git a/pluginEnvironmentChecker/EnvironmentChecker.php b/pluginEnvironmentChecker/EnvironmentChecker.php
@@ -42,13 +42,15 @@ public function check()
 
 		$errCount = count($this->errors);
 		if ($errCount) {
-			throw new ConstraintFailedException(
+            // phpcs:disable WordPress.Security.EscapeOutput.ExceptionNotEscaped
+            throw new ConstraintFailedException(
 				$this,
 				'General Checker',
 				$this->errors,
-				$this->__('Validation failed with %1$d errors', [$errCount])
+				$this->esc_html__('Validation failed with %1$d errors', [$errCount])
 			);
-		}
+            // phpcs:enable WordPress.Security.EscapeOutput.ExceptionNotEscaped
+        }
 	}
 
 	/**

diff --git a/src/Payment/OrderItemsRefunder.php b/src/Payment/OrderItemsRefunder.php
@@ -167,7 +167,7 @@ private function normalizedRemoteItems(array $remoteItems)
                             'Impossible to retrieve the order item ID related to the remote item: %1$s. Try to do a refund by amount.',
                             'mollie-payments-for-woocommerce'
                         ),
-                        $remoteItem->id
+                        esc_html($remoteItem->id)
                     )
                 );
             }

diff --git a/src/Payment/RefundLineItemsBuilder.php b/src/Payment/RefundLineItemsBuilder.php
@@ -64,7 +64,7 @@ public function buildLineItems(
                             'Cannot refund %s item because it was not found in Mollie order. Aborting refund process. Try to do a refund by amount.',
                             'mollie-payments-for-woocommerce'
                         ),
-                        $toRefundItemId
+                        esc_html($toRefundItemId)
                     )
                 );
             }

diff --git a/src/SDK/WordPressHttpAdapter.php b/src/SDK/WordPressHttpAdapter.php
@@ -45,7 +45,9 @@ public function send($httpMethod, $url, $headers, $httpBody)
         if (is_wp_error($response)) {
             $message =  $response->get_error_message() ?? 'Unknown error';
             $code = is_int($response->get_error_code()) ? $response->get_error_code() : 0;
+            // phpcs:disable WordPress.Security.EscapeOutput.ExceptionNotEscaped
             throw new ApiException(esc_html($message), $code);
+            // phpcs:enable WordPress.Security.EscapeOutput.ExceptionNotEscaped
         }
 
         return $this->parseResponse($response);

diff --git a/src/Shared/Data.php b/src/Shared/Data.php
@@ -270,21 +270,21 @@ public function getFilters(
         $amountValue = $this->getAmountValue($orderTotal, $currency);
         if ($amountValue <= 0) {
             throw new InvalidArgumentException(
-                sprintf(esc_html__('Amount %s is not valid.', 'mollie-payments-for-woocommerce'), $amountValue)
+                sprintf(esc_html__('Amount %s is not valid.', 'mollie-payments-for-woocommerce'), esc_html($amountValue))
             );
         }
 
         // Check if currency is in ISO 4217 alpha-3 format (ex: EUR)
         if (!preg_match('/^[a-zA-Z]{3}$/', $currency)) {
             throw new InvalidArgumentException(
-                sprintf(esc_html__('Currency %s is not valid.', 'mollie-payments-for-woocommerce'), $currency)
+                sprintf(esc_html__('Currency %s is not valid.', 'mollie-payments-for-woocommerce'), esc_html($currency))
             );
         }
 
         // Check if billing country is in ISO 3166-1 alpha-2 format (ex: NL)
         if (!preg_match('/^[a-zA-Z]{2}$/', $billingCountry)) {
             throw new InvalidArgumentException(
-                sprintf(esc_html__('Billing Country %s is not valid.', 'mollie-payments-for-woocommerce'), $billingCountry)
+                sprintf(esc_html__('Billing Country %s is not valid.', 'mollie-payments-for-woocommerce'), esc_html($billingCountry))
             );
         }
 

diff --git a/src/Shared/Status.php b/src/Shared/Status.php
@@ -193,8 +193,8 @@ public function getMollieApiStatus($apiClient)
                     esc_html__('incorrect API key or other authentication issue. Please check your API keys!', 'mollie-payments-for-woocommerce')
                 );
             }
-            $message = esc_html($apiException->getMessage());
-            throw new \Mollie\Api\Exceptions\ApiException($message);
+            $message = $apiException->getMessage();
+            throw new \Mollie\Api\Exceptions\ApiException(esc_html($message));
         }
     }
 }