Merge pull request #24 from razorpay/output-esc-formatting

abdulwahidsharief · web-flow · commit 3ec336a8fd8c · 2024-11-14T18:29:15.000+05:30
PO-243 changing escaping for attributes
diff --git a/razorpay-payment-buttons.php b/razorpay-payment-buttons.php
@@ -3,7 +3,7 @@
  * Plugin Name: Razorpay Payment Button for Elementor
  * Plugin URI:  https://github.com/razorpay/payment-button-elementor-plugin
  * Description: Razorpay Payment Button for Elementor
- * Version:     1.2.6
+ * Version:     1.2.7
  * Author:      Razorpay
  * Author URI:  https://razorpay.com
  */
diff --git a/readme.txt b/readme.txt
@@ -2,7 +2,7 @@
 Contributors: razorpay
 Tags: Payment gateway, Donate button, UPI/credit/debit card, Payment plugin, India
 Tested up to: 6.6
-Stable tag: 1.2.6
+Stable tag: 1.2.7
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -96,6 +96,9 @@ Connect your WordPress website with your Razorpay account and you're all ready t
 
 == Changelog ==
 
+= 1.2.7 =
+* Added security enhancements
+
 = 1.2.6 =
 * Added security enhancements
 
diff --git a/templates/razorpay-button-view-templates.php b/templates/razorpay-button-view-templates.php
@@ -29,11 +29,9 @@ function razorpay_view_button()
         $previous_page_url = admin_url('admin.php?page=razorpay_button_elementor&paged='.$pagenum);
         $button_detail = $this->fetch_button_detail(sanitize_text_field($_REQUEST['btn']));
         
-        $show = "jQuery('.overlay').show()";
-        $hide = "jQuery('.overlay').hide()";
         echo '<div class="wrap">
             <div class="content-header">
-                <a href="'.$previous_page_url.'">
+                <a href="' . esc_url($previous_page_url) . '">
                     <span class="dashicons rzp-dashicons dashicons-arrow-left-alt"></span> Button List
                 </a>
                 <span class="dashicons rzp-dashicons dashicons-arrow-right-alt2"></span>'. esc_html($button_detail['title']) . '
@@ -52,12 +50,12 @@ function razorpay_view_button()
                             <div class="col-sm-4 panel-label">Button Status</div>
                             <div class="col-sm-8 panel-value">
                                 <span class="status-label">' . esc_html($button_detail['status']) . '</span>
-                                <button onclick="'.$show.'" class="status-button">' . esc_html($button_detail['btn_pointer_status']) . '</button>
+                                <button onclick="jQuery(\'.overlay\').show()" class="status-button">' . esc_html($button_detail['btn_pointer_status']) . '</button>
                             </div>
                         </div>
                         <div class="row">
                             <div class="col-sm-4 panel-label">Total Quantity Sold</div>
-                            <div class="col-sm-8 panel-value">' . htmlentities($button_detail['total_item_sold']) . '</div>
+                            <div class="col-sm-8 panel-value">' . esc_html($button_detail['total_item_sold']) . '</div>
                         </div>
                         <div class="row">
                             <div class="col-sm-4 panel-label">Total revenue</div>
@@ -85,10 +83,10 @@ function razorpay_view_button()
                     <p>' . esc_html($button_detail["modal_body_content"]) . '</p>
                 </div>
                 <div class="Modal__actions">
-                    <button type="button" onclick="'.$hide.'" class="btn btn-default">No, don`t!</button>
-                    <button type="submit" onclick="'.$hide.'" name="btn_action" value="' . esc_html($button_detail['btn_pointer_status']) . '" class="btn btn-primary">Yes, ' . esc_html($button_detail['btn_pointer_status']) . '</button>
-                    <input type="hidden" name="btn_id" value="' . esc_html($button_detail['id']) . '">
-                    <input type="hidden" name="paged" value="'.$pagenum.'">
+                    <button type="button" onclick="jQuery(\'.overlay\').hide()" class="btn btn-default">No, don`t!</button>
+                    <button type="submit" onclick="jQuery(\'.overlay\').hide()" name="btn_action" value="' . esc_attr($button_detail['btn_pointer_status']) . '" class="btn btn-primary">Yes, ' . esc_html($button_detail['btn_pointer_status']) . '</button>
+                    <input type="hidden" name="btn_id" value="' . esc_attr($button_detail['id']) . '">
+                    <input type="hidden" name="paged" value="' . esc_attr($pagenum) . '">
                     <input type="hidden" name="action" value="rzp_btn_elementor_action">
                 </div>
             </div>
diff --git a/widget/RazorpayElementsButton.php b/widget/RazorpayElementsButton.php
@@ -194,7 +194,7 @@ protected function content_template()
             <# if ( settings.select_button === 'select') { #>
                 <div class="elementor-counter-title">Please select payment button.</div>
             <# } else { #>
-                <img src=" <?php echo plugin_dir_url(__FILE__).'../public/image/elementorSVG.svg';?>" alt="Razorpay" >
+                <img src=" <?php echo esc_url(plugin_dir_url(__FILE__).'../public/image/elementorSVG.svg');?>" alt="Razorpay" >
             <# } #>
         <?php
     }

Original file line number	Diff line number	Diff line change
`@@ -194,7 +194,7 @@ protected function content_template()`
`194`	`194`	`<# if ( settings.select_button === 'select') { #>`
`195`	`195`	`<div class="elementor-counter-title">Please select payment button.</div>`
`196`	`196`	`<# } else { #>`
`197`		`- <img src=" <?php echo plugin_dir_url(__FILE__).'../public/image/elementorSVG.svg';?>" alt="Razorpay" >`
	`197`	`+ <img src=" <?php echo esc_url(plugin_dir_url(__FILE__).'../public/image/elementorSVG.svg');?>" alt="Razorpay" >`
`198`	`198`	`<# } #>`
`199`	`199`	`<?php`
`200`	`200`	`}`