1. Objective

To prevent any suspicious sources from trying to alter Omise options, this pull request is aiming to add a validation and sanitizing the input fields.

Related information:
Internal ticket: T10248
Related issue(s): -

2. Description of change

• Validating WP Nonce before allowing a particular post-request pass through the rest of the code.
• Sanitizing inputs before save a new value to the database.

3. Quality assurance

🔧 Environments:

• PHP version: 7.3.3.
• WordPress: v5.1.1.
• WooCommerce: v3.5.7.

✏️ Details:

At the Omise Setting page, you may try to edit a nonce value directly via browser's inspect element feature then, submit the form.

Omise will raise an error message warning that you cannot update the setting.

You may also try to update any of the setting's field with the following value:

<script type="text/javascript">alert("Hello! I am an alert box!!");</script>

or

%3Cscript+type=%22text/javascript%22%3Ealert(%22Hello!+I+am+an+alert+box!!%22);%3C/script%3E

The plugin will then sanitize it to

script+type=text/javascriptalert(Hello!+I+am+an+alert+box!!);/script

4. Impact of the change

No

5. Priority of change

High.

6. Additional Notes

Alternatively, I think there is a better way to handle & validate HTTP Request than adding a condition at class-omise-page-settings.php.

Maybe can have a class

$request = new Omise_Http_Request;

print_r( $request->is_post() ); // true

$request->input( 'omise_setting_page_nonce' )->sanitize();
$this->settings->update_settings( $request->to_array() );

Just idea.