Changeset 2838157

Timestamp:

12/22/2022 08:05:36 PM (2 years ago)

Author:

Goback2

Message:

update ver 2.9

Location:

pardakht-delkhah

Files:

• tags/2.9.4/class-fields-generator.php (modified) (19 diffs)
• tags/2.9.4/cupri.php (modified) (3 diffs)
• tags/2.9.4/extra.php (modified) (1 diff)
• tags/2.9.4/gateways/class-cupri-payir-gateway.php (modified) (1 diff)
• tags/2.9.4/gateways/class-cupri-zarinpal-gateway.php (modified) (1 diff)
• tags/2.9.4/help.php (modified) (1 diff)
• tags/2.9.4/shortcode.php (modified) (1 diff)
• trunk/class-fields-generator.php (modified) (19 diffs)
• trunk/cupri.php (modified) (3 diffs)
• trunk/extra.php (modified) (1 diff)
• trunk/gateways/class-cupri-payir-gateway.php (modified) (1 diff)
• trunk/gateways/class-cupri-zarinpal-gateway.php (modified) (1 diff)
• trunk/help.php (modified) (1 diff)
• trunk/shortcode.php (modified) (1 diff)

pardakht-delkhah/tags/2.9.4/class-fields-generator.php

@@ -193 +193 @@
          */
         if (isset($_POST['wpm_fields'])) {
-             $wpm_fields = cupri_array_map_recursive('sanitize_text_field', $_POST['wpm_fields']);
-            update_option($slug,  $wpm_fields);
+            $wpm_fields = cupri_array_map_recursive('sanitize_text_field', $_POST['wpm_fields']);
+            update_option($slug, $wpm_fields);
 
         }
@@ -212 +212 @@
         ?>
 
-        <form method="post" action="<?php echo admin_url('edit.php?post_type=cupri_pay&page=cupri-fields'); ?>">
+        <form method="post"
+              action="<?php echo esc_url(admin_url('edit.php?post_type=cupri_pay&page=cupri-fields')); ?>">
             <div class="wpm_custom_fields">
                 <button class="wpm_add_field button-secondary"><?php _e('+Add Field', 'cupri'); ?></button>
@@ -256 +257 @@
                                                        type="text">
                                             </label>
-                                            <label class="f_minimal_price"><strong><?php _e('Minimum price', 'cupri'); ?><?php echo '(' . cupri_get_currency() . ')'; ?> </strong>
+                                            <label class="f_minimal_price"><strong><?php _e('Minimum price', 'cupri'); ?><?php echo '(' . esc_html(cupri_get_currency()) . ')'; ?> </strong>
                                                 <input value="<?php if (isset($fields['name']['price'])) {
                                                     echo esc_html($fields['min']['price']);
@@ -350 +351 @@
 
                                 default:
-                                    echo $this->generate_field_html($i, $fields);
+                                    echo cupri_wp_kses($this->generate_field_html($i, $fields));
                                     break;
                             }
@@ -363 +364 @@
             </div>
             <button class="button-primary"><?php _e('Save', 'cupri'); ?></button>
-            <a href="<?php echo admin_url('edit.php?post_type=cupri_pay&page=cupri-fields&cupri_reset_form=true'); ?>"
+            <a href="<?php echo esc_url(admin_url('edit.php?post_type=cupri_pay&page=cupri-fields&cupri_reset_form=true')); ?>"
                class="button-secondary"
                onclick="if(!confirm('All Fields will be destructed , Are you sure?')){return false;}"><?php _e('Reset', 'cupri'); ?></a>
@@ -383 +384 @@
                     } else {
                         $i_new = 1;
-                    } echo str_replace(array("\n", "\r"), '', $this->generate_field_html($i_new, array(), true)); ?>');
+                    } echo str_replace(array("\n", "\r"), '', cupri_wp_kses($this->generate_field_html($i_new, array(), true))); ?>');
                     new_element.appendTo(".fields_placeholder");
                     new_element.closest('.m_fields').find('.field_settings').slideDown();
@@ -420 +421 @@
                     var elem_index = parseInt($(this).attr('data-current-id'));
                     var element_to_add = $(this).closest('.field_settings_wrapper.field_select .f_choices');
-                    var new_element = $('<?php $to_add = '<div class="cobmobox_choices_wrapper">                                <strong>&nbsp;</strong>                             <input value="" name="wpm_fields[combobox_choices][\'+elem_index+\'][]" type="text">                                <span data-current-id="\'+elem_index+\'" class="combo_add">+</span>                             <span class="combo_remove">-</span>                         </div>'; echo str_replace(array("\n", "\r"), '', $to_add); ?>');
+                    var new_element = $('<?php $to_add = '<div class="cobmobox_choices_wrapper">                                <strong>&nbsp;</strong>                             <input value="" name="wpm_fields[combobox_choices][\'+elem_index+\'][]" type="text">                                <span data-current-id="\'+elem_index+\'" class="combo_add">+</span>                             <span class="combo_remove">-</span>                         </div>'; echo str_replace(array("\n", "\r"), '', cupri_wp_kses($to_add)); ?>');
                     new_element.appendTo(element_to_add);
                 });
@@ -465 +466 @@
             <span title="حذف" class="wpm_del_field">-</span>
             <span class="wpm_field_main_name"><span
-                        class="id">#<?php echo $i; ?></span>  <?php if (isset($fields['name'][$i]) && !empty($fields['name'][$i])) {
+                        class="id">#<?php echo (int)$i; ?></span>  <?php if (isset($fields['name'][$i]) && !empty($fields['name'][$i])) {
                     echo esc_html($fields['name'][$i]);
                 } else {
@@ -473 +474 @@
                 <div class="f_type">
                     <label><strong><?php _e('Field Type', 'cupri'); ?></strong></label>
-                    <select class="f_type_select" name="wpm_fields[type][<?php echo $i; ?>]">
+                    <select class="f_type_select" name="wpm_fields[type][<?php echo (int)$i; ?>]">
                         <option value="none"><?php _e('Select Field Type', 'cupri'); ?></option>
                         <?php
                         foreach ($this->fields as $field_types) {
                             ?>
-                            <option value="<?php echo esc_attr($field_types['type']); ?>" <?php selected($fields['type'][$i], $field_types['type'], true); ?>> <?php echo esc_html($field_types['name']); ?> </option>
+                            <option value="<?php echo esc_attr($field_types['type']); ?>" <?php selected($fields['type'][$i], $field_types['type'], true); ?> > <?php echo esc_html($field_types['name']); ?> </option>
                             <?php
                         }
@@ -488 +489 @@
                                                                                                   value="<?php echo isset($fields['name'][$i]) ? esc_attr($fields['name'][$i]) : ''; ?>"
                                                                                                   class="wpm_change_title_name"
-                                                                                                  name="wpm_fields[name][<?php echo $i; ?>]">
+                                                                                                  name="wpm_fields[name][<?php echo (int)$i; ?>]">
                 </label>
                 <label class="f_required"><strong><?php _e('Required?', 'cupri'); ?></strong> <input
                             type="checkbox" <?php if (isset($fields['required'][$i])) {
                         echo 'checked=checked';
-                    } ?> name="wpm_fields[required][<?php echo $i; ?>]" value="1"> </label>
+                    } ?> name="wpm_fields[required][<?php echo (int)$i; ?>]" value="1"> </label>
                 <label class="f_desc"><strong><?php _e('Description', 'cupri'); ?></strong> <input type="text"
                                                                                                    value="<?php echo isset($fields['desc'][$i]) ? esc_attr($fields['desc'][$i]) : ''; ?>"
-                                                                                                   name="wpm_fields[desc][<?php echo $i; ?>]">
+                                                                                                   name="wpm_fields[desc][<?php echo (int)$i; ?>]">
                 </label>
 
@@ -509 +510 @@
                         <input type="text"
                                value="<?php echo isset($fields['text_default'][$i]) ? esc_attr($fields['text_default'][$i]) : ''; ?>"
-                               name="wpm_fields[text_default][<?php echo $i; ?>]">
+                               name="wpm_fields[text_default][<?php echo (int)$i; ?>]">
                     </label>
                     <br>
@@ -516 +517 @@
                         <input type="text"
                                value="<?php echo isset($fields['text_placeholder'][$i]) ? esc_attr($fields['text_placeholder'][$i]) : ''; ?>"
-                               name="wpm_fields[text_placeholder][<?php echo $i; ?>]">
+                               name="wpm_fields[text_placeholder][<?php echo (int)$i; ?>]">
                     </label>
                     <br>
@@ -523 +524 @@
                         <input <?php if (isset($fields['readonly'][$i]) && $fields['readonly'][$i] == 1) {
                             echo ' checked=checked ';
-                        } ?> name="wpm_fields[readonly][<?php echo $i; ?>]" value="1" type="checkbox">
+                        } ?> name="wpm_fields[readonly][<?php echo (int)$i; ?>]" value="1" type="checkbox">
                     </label>
                 </div>
@@ -534 +535 @@
                     <label class="f_value">
                         <strong><?php _e('Default Value', 'cupri'); ?></strong>
-                        <textarea name="wpm_fields[text_default][<?php echo $i; ?>]" cols="30"
+                        <textarea name="wpm_fields[text_default][<?php echo (int)$i; ?>]" cols="30"
                                   rows="10"><?php echo isset($fields['text_default'][$i]) ? esc_textarea($fields['text_default'][$i]) : ''; ?></textarea>
                     </label>
@@ -540 +541 @@
                     <label class="f_placeholder">
                         <strong><?php _e('Placeholder', 'cupri'); ?></strong>
-                        <textarea name="wpm_fields[text_placeholder][<?php echo $i; ?>]" cols="30"
+                        <textarea name="wpm_fields[text_placeholder][<?php echo (int)$i; ?>]" cols="30"
                                   rows="10"><?php echo isset($fields['text_placeholder'][$i]) ? esc_textarea($fields['text_placeholder'][$i]) : ''; ?></textarea>
 
@@ -549 +550 @@
                         <input <?php if (isset($fields['readonly'][$i]) && $fields['readonly'][$i] == 1) {
                             echo ' checked=checked ';
-                        } ?> name="wpm_fields[readonly][<?php echo $i; ?>]" value="1" type="checkbox">
+                        } ?> name="wpm_fields[readonly][<?php echo (int)$i; ?>]" value="1" type="checkbox">
                     </label>
                 </div>
@@ -562 +563 @@
                         <strong><?php _e('Content', 'cupri'); ?></strong>
                         <textarea
-                                name="wpm_fields[paragraph_content][<?php echo $i; ?>]"><?php echo isset($fields['paragraph_content'][$i]) ? esc_textarea($fields['paragraph_content'][$i]) : ''; ?></textarea>
+                                name="wpm_fields[paragraph_content][<?php echo (int)$i; ?>]"><?php echo isset($fields['paragraph_content'][$i]) ? esc_textarea($fields['paragraph_content'][$i]) : ''; ?></textarea>
                     </label>
                 </div>
@@ -589 +590 @@
                                     <strong>&nbsp;</strong>
                                     <input type="text" value="<?php echo esc_attr($c_choice); ?>"
-                                           name="wpm_fields[combobox_choices][<?php echo $i; ?>][]">
-                                    <span class="combo_add" data-current-id="<?php echo $i; ?>">+</span>
+                                           name="wpm_fields[combobox_choices][<?php echo (int)$i; ?>][]">
+                                    <span class="combo_add" data-current-id="<?php echo (int)$i; ?>">+</span>
                                     <span class="combo_remove">-</span>
                                 </div>
@@ -600 +601 @@
                             <div class="cobmobox_choices_wrapper">
                                 <strong>&nbsp;</strong>
-                                <input type="text" value="" name="wpm_fields[combobox_choices][<?php echo $i; ?>][]">
-                                <span class="combo_add" data-current-id="<?php echo $i; ?>">+</span>
+                                <input type="text" value=""
+                                       name="wpm_fields[combobox_choices][<?php echo (int)$i; ?>][]">
+                                <span class="combo_add" data-current-id="<?php echo (int)$i; ?>">+</span>
                                 <!-- <span class="combo_remove">-</span> -->
                             </div>

pardakht-delkhah/tags/2.9.4/cupri.php

@@ -241 +241 @@
                         if (!$flag) {
                             // display field/column names as first row
-                            echo implode("\t", array_keys($row)) . "\r\n";
+                            echo cupri_wp_kses(implode("\t", array_keys($row)) . "\r\n");
                             $flag = true;
                         }
@@ -249 +249 @@
                     fclose($file_handle);
                     $csv = ob_get_clean();
-                    echo $csv; // should send headers first!
+                    echo cupri_wp_kses($csv); // should send headers first!
                     die();
                 }
@@ -381 +381 @@
                 _e('Please set the default gateway from admin', 'cupri');
                 echo '  ';
-                echo '<a href="' . admin_url('edit.php?post_type=cupri_pay&page=cupri-gateways') . '">' . __('Settings', 'cupri') . '</a>';
+                echo '<a href="' . esc_url(admin_url('edit.php?post_type=cupri_pay&page=cupri-gateways')) . '">' . __('Settings', 'cupri') . '</a>';
             } else {
                 _e('No defualt gateway was set', 'cupri');

pardakht-delkhah/tags/2.9.4/extra.php

@@ -738 +738 @@
     return array_map($func, $array);
 }
+
+function cupri_wp_kses($html)
+{
+    return wp_kses($html, ['img' => ['class' => [], 'src' => [], 'width' => [], 'style' => []], 'button' => ['id' => [], 'class' => [], 'name' => []], 'option' => ['value' => [], 'selected' => []], 'select' => ['name' => [], 'class' => [], 'option' => []], 'span' => ['id' => [], 'class' => [], 'data-current-id' => [], 'title' => []], 'strong' => ['class' => []], 'ul' => [], 'div' => ['id' => [], 'class' => []], 'p' => ['class' => []], 'label' => ['class' => []], 'br' => [], 'input' => ['checked' => [], 'type' => [], 'value' => [], 'name' => []], 'hr' => [], 'h3' => [], 'h4' => [], 'li' => ['data-tab-id' => [], 'class' => []], 'a' => ['href' => []]]);
+}

pardakht-delkhah/tags/2.9.4/gateways/class-cupri-payir-gateway.php

@@ -26 +26 @@
             $go = "https://pay.ir/pg/$result->token";
             echo cupri_success_msg('در حال انتقال به بانک...');
-            echo '<script>window.location.href="' . $go . '";</script>';
+            echo '<script>window.location.href="' . esc_url($go) . '";</script>';
         } else {
             echo cupri_failed_msg($result->errorMessage);

pardakht-delkhah/tags/2.9.4/gateways/class-cupri-zarinpal-gateway.php

@@ -51 +51 @@
                 $to_redirect = 'https://www.zarinpal.com/pg/StartPay/' . $result->Authority . $gt_zarin_zaringate;
                 echo cupri_success_msg('در حال انتقال به بانک...');
-                echo '<script>window.location.href="' . $to_redirect . '";</script>';
+                echo '<script>window.location.href="' . esc_url($to_redirect) . '";</script>';
                 //برای استفاده از زرین گیت باید ادرس به صورت زیر تغییر کند:
                 //Header('Location: https://www.zarinpal.com/pg/StartPay/'.$result->Authority.'/ZarinGate');

pardakht-delkhah/tags/2.9.4/help.php

@@ -1 +1 @@
 <?php
-defined( 'ABSPATH' ) or die(  'No script kiddies please!' );
+defined('ABSPATH') or die('No script kiddies please!');
 $notes = array
 (
-'درگاه پرداخت اینترنتی چیست و کدام را انتخاب کنیم؟'=>'<a href="https://wp-master.ir/what-is-payment-gateway-and-which-one-should-we-choose/">برای مطالعه راهنمای انتخاب درگاه اینجا کلیک کنید</a>',
-__('Insert into posts or pages' , 'cupri')=>__("you can use [cupri] shortcode anywhere you want",'cupri'),
-__('send pre selected value to selectable fields' , 'cupri')=>__("add your value to link of your custom payment page with this sample: http://yoursite.com/custom-pay/?cupri_fX=Y while X is your field number and Y is it's value , so when user open this link that field selected value filled with sent value",'cupri'),
-__('send pre defined value to price field' , 'cupri')=>__("such as above just use <i>price</i> instead of X",'cupri'),
-__('Special role in transaction review' , 'cupri')=>__("You can define a user and give it a payment management role so that it can track transactions.This user will only have access to the payments menu.",'cupri'),
+    'درگاه پرداخت اینترنتی چیست و کدام را انتخاب کنیم؟' => '<a href="https://wp-master.ir/what-is-payment-gateway-and-which-one-should-we-choose/">برای مطالعه راهنمای انتخاب درگاه اینجا کلیک کنید</a>',
+    __('Insert into posts or pages', 'cupri') => __("you can use [cupri] shortcode anywhere you want", 'cupri'),
+    __('send pre selected value to selectable fields', 'cupri') => __("add your value to link of your custom payment page with this sample: http://yoursite.com/custom-pay/?cupri_fX=Y while X is your field number and Y is it's value , so when user open this link that field selected value filled with sent value", 'cupri'),
+    __('send pre defined value to price field', 'cupri') => __("such as above just use <i>price</i> instead of X", 'cupri'),
+    __('Special role in transaction review', 'cupri') => __("You can define a user and give it a payment management role so that it can track transactions.This user will only have access to the payments menu.", 'cupri'),
 );
 ?>
 <div class="wrap">
-    <?php foreach ($notes  as $title => $note): ?>
-        <h3><?php echo $title; ?></h3>
-        <p sytle=""><?php echo $note; ?></p>
-    <?php endforeach ?> 
+    <?php foreach ($notes as $title => $note): ?>
+        <h3><?php echo esc_html($title); ?></h3>
+        <p sytle=""><?php echo wp_kses($note, ['strong' => [], 'ul' => [], 'div' => ['id' => []], 'p' => ['class' => []], 'label' => [], 'br' => [], 'input' => ['checked' => [], 'type' => [], 'value' => [], 'name' => []], 'hr' => [], 'h3' => [], 'h4' => [], 'li' => ['data-tab-id' => [], 'class' => []], 'a' => ['href' => []]]);
+            ?></p>
+    <?php endforeach ?>
 </div>

pardakht-delkhah/tags/2.9.4/shortcode.php

@@ -298 +298 @@
 }
 echo '<p class="cupri_submit_label">';
-echo '<button class="cupri_full_centered" name="cupri_submit" id="cupri_submit">' . esc_html($submit_button_text) . '<img width="7px" style="display:none;" class="cupri_ajax_img" src="' . cupri_url . '/assets/ajax-loader.gif"></button>';
+echo '<button class="cupri_full_centered" name="cupri_submit" id="cupri_submit">' . cupri_wp_kses($submit_button_text) . '<img width="7px" style="display:none;" class="cupri_ajax_img" src="' . cupri_url . '/assets/ajax-loader.gif"></button>';
 echo '<p class="cupri_response_placeholder alert"></p>';
 echo '</p>';

pardakht-delkhah/trunk/class-fields-generator.php

@@ -193 +193 @@
          */
         if (isset($_POST['wpm_fields'])) {
-             $wpm_fields = cupri_array_map_recursive('sanitize_text_field', $_POST['wpm_fields']);
-            update_option($slug,  $wpm_fields);
+            $wpm_fields = cupri_array_map_recursive('sanitize_text_field', $_POST['wpm_fields']);
+            update_option($slug, $wpm_fields);
 
         }
@@ -212 +212 @@
         ?>
 
-        <form method="post" action="<?php echo admin_url('edit.php?post_type=cupri_pay&page=cupri-fields'); ?>">
+        <form method="post"
+              action="<?php echo esc_url(admin_url('edit.php?post_type=cupri_pay&page=cupri-fields')); ?>">
             <div class="wpm_custom_fields">
                 <button class="wpm_add_field button-secondary"><?php _e('+Add Field', 'cupri'); ?></button>
@@ -256 +257 @@
                                                        type="text">
                                             </label>
-                                            <label class="f_minimal_price"><strong><?php _e('Minimum price', 'cupri'); ?><?php echo '(' . cupri_get_currency() . ')'; ?> </strong>
+                                            <label class="f_minimal_price"><strong><?php _e('Minimum price', 'cupri'); ?><?php echo '(' . esc_html(cupri_get_currency()) . ')'; ?> </strong>
                                                 <input value="<?php if (isset($fields['name']['price'])) {
                                                     echo esc_html($fields['min']['price']);
@@ -350 +351 @@
 
                                 default:
-                                    echo $this->generate_field_html($i, $fields);
+                                    echo cupri_wp_kses($this->generate_field_html($i, $fields));
                                     break;
                             }
@@ -363 +364 @@
             </div>
             <button class="button-primary"><?php _e('Save', 'cupri'); ?></button>
-            <a href="<?php echo admin_url('edit.php?post_type=cupri_pay&page=cupri-fields&cupri_reset_form=true'); ?>"
+            <a href="<?php echo esc_url(admin_url('edit.php?post_type=cupri_pay&page=cupri-fields&cupri_reset_form=true')); ?>"
                class="button-secondary"
                onclick="if(!confirm('All Fields will be destructed , Are you sure?')){return false;}"><?php _e('Reset', 'cupri'); ?></a>
@@ -383 +384 @@
                     } else {
                         $i_new = 1;
-                    } echo str_replace(array("\n", "\r"), '', $this->generate_field_html($i_new, array(), true)); ?>');
+                    } echo str_replace(array("\n", "\r"), '', cupri_wp_kses($this->generate_field_html($i_new, array(), true))); ?>');
                     new_element.appendTo(".fields_placeholder");
                     new_element.closest('.m_fields').find('.field_settings').slideDown();
@@ -420 +421 @@
                     var elem_index = parseInt($(this).attr('data-current-id'));
                     var element_to_add = $(this).closest('.field_settings_wrapper.field_select .f_choices');
-                    var new_element = $('<?php $to_add = '<div class="cobmobox_choices_wrapper">                                <strong>&nbsp;</strong>                             <input value="" name="wpm_fields[combobox_choices][\'+elem_index+\'][]" type="text">                                <span data-current-id="\'+elem_index+\'" class="combo_add">+</span>                             <span class="combo_remove">-</span>                         </div>'; echo str_replace(array("\n", "\r"), '', $to_add); ?>');
+                    var new_element = $('<?php $to_add = '<div class="cobmobox_choices_wrapper">                                <strong>&nbsp;</strong>                             <input value="" name="wpm_fields[combobox_choices][\'+elem_index+\'][]" type="text">                                <span data-current-id="\'+elem_index+\'" class="combo_add">+</span>                             <span class="combo_remove">-</span>                         </div>'; echo str_replace(array("\n", "\r"), '', cupri_wp_kses($to_add)); ?>');
                     new_element.appendTo(element_to_add);
                 });
@@ -465 +466 @@
             <span title="حذف" class="wpm_del_field">-</span>
             <span class="wpm_field_main_name"><span
-                        class="id">#<?php echo $i; ?></span>  <?php if (isset($fields['name'][$i]) && !empty($fields['name'][$i])) {
+                        class="id">#<?php echo (int)$i; ?></span>  <?php if (isset($fields['name'][$i]) && !empty($fields['name'][$i])) {
                     echo esc_html($fields['name'][$i]);
                 } else {
@@ -473 +474 @@
                 <div class="f_type">
                     <label><strong><?php _e('Field Type', 'cupri'); ?></strong></label>
-                    <select class="f_type_select" name="wpm_fields[type][<?php echo $i; ?>]">
+                    <select class="f_type_select" name="wpm_fields[type][<?php echo (int)$i; ?>]">
                         <option value="none"><?php _e('Select Field Type', 'cupri'); ?></option>
                         <?php
                         foreach ($this->fields as $field_types) {
                             ?>
-                            <option value="<?php echo esc_attr($field_types['type']); ?>" <?php selected($fields['type'][$i], $field_types['type'], true); ?>> <?php echo esc_html($field_types['name']); ?> </option>
+                            <option value="<?php echo esc_attr($field_types['type']); ?>" <?php selected($fields['type'][$i], $field_types['type'], true); ?> > <?php echo esc_html($field_types['name']); ?> </option>
                             <?php
                         }
@@ -488 +489 @@
                                                                                                   value="<?php echo isset($fields['name'][$i]) ? esc_attr($fields['name'][$i]) : ''; ?>"
                                                                                                   class="wpm_change_title_name"
-                                                                                                  name="wpm_fields[name][<?php echo $i; ?>]">
+                                                                                                  name="wpm_fields[name][<?php echo (int)$i; ?>]">
                 </label>
                 <label class="f_required"><strong><?php _e('Required?', 'cupri'); ?></strong> <input
                             type="checkbox" <?php if (isset($fields['required'][$i])) {
                         echo 'checked=checked';
-                    } ?> name="wpm_fields[required][<?php echo $i; ?>]" value="1"> </label>
+                    } ?> name="wpm_fields[required][<?php echo (int)$i; ?>]" value="1"> </label>
                 <label class="f_desc"><strong><?php _e('Description', 'cupri'); ?></strong> <input type="text"
                                                                                                    value="<?php echo isset($fields['desc'][$i]) ? esc_attr($fields['desc'][$i]) : ''; ?>"
-                                                                                                   name="wpm_fields[desc][<?php echo $i; ?>]">
+                                                                                                   name="wpm_fields[desc][<?php echo (int)$i; ?>]">
                 </label>
 
@@ -509 +510 @@
                         <input type="text"
                                value="<?php echo isset($fields['text_default'][$i]) ? esc_attr($fields['text_default'][$i]) : ''; ?>"
-                               name="wpm_fields[text_default][<?php echo $i; ?>]">
+                               name="wpm_fields[text_default][<?php echo (int)$i; ?>]">
                     </label>
                     <br>
@@ -516 +517 @@
                         <input type="text"
                                value="<?php echo isset($fields['text_placeholder'][$i]) ? esc_attr($fields['text_placeholder'][$i]) : ''; ?>"
-                               name="wpm_fields[text_placeholder][<?php echo $i; ?>]">
+                               name="wpm_fields[text_placeholder][<?php echo (int)$i; ?>]">
                     </label>
                     <br>
@@ -523 +524 @@
                         <input <?php if (isset($fields['readonly'][$i]) && $fields['readonly'][$i] == 1) {
                             echo ' checked=checked ';
-                        } ?> name="wpm_fields[readonly][<?php echo $i; ?>]" value="1" type="checkbox">
+                        } ?> name="wpm_fields[readonly][<?php echo (int)$i; ?>]" value="1" type="checkbox">
                     </label>
                 </div>
@@ -534 +535 @@
                     <label class="f_value">
                         <strong><?php _e('Default Value', 'cupri'); ?></strong>
-                        <textarea name="wpm_fields[text_default][<?php echo $i; ?>]" cols="30"
+                        <textarea name="wpm_fields[text_default][<?php echo (int)$i; ?>]" cols="30"
                                   rows="10"><?php echo isset($fields['text_default'][$i]) ? esc_textarea($fields['text_default'][$i]) : ''; ?></textarea>
                     </label>
@@ -540 +541 @@
                     <label class="f_placeholder">
                         <strong><?php _e('Placeholder', 'cupri'); ?></strong>
-                        <textarea name="wpm_fields[text_placeholder][<?php echo $i; ?>]" cols="30"
+                        <textarea name="wpm_fields[text_placeholder][<?php echo (int)$i; ?>]" cols="30"
                                   rows="10"><?php echo isset($fields['text_placeholder'][$i]) ? esc_textarea($fields['text_placeholder'][$i]) : ''; ?></textarea>
 
@@ -549 +550 @@
                         <input <?php if (isset($fields['readonly'][$i]) && $fields['readonly'][$i] == 1) {
                             echo ' checked=checked ';
-                        } ?> name="wpm_fields[readonly][<?php echo $i; ?>]" value="1" type="checkbox">
+                        } ?> name="wpm_fields[readonly][<?php echo (int)$i; ?>]" value="1" type="checkbox">
                     </label>
                 </div>
@@ -562 +563 @@
                         <strong><?php _e('Content', 'cupri'); ?></strong>
                         <textarea
-                                name="wpm_fields[paragraph_content][<?php echo $i; ?>]"><?php echo isset($fields['paragraph_content'][$i]) ? esc_textarea($fields['paragraph_content'][$i]) : ''; ?></textarea>
+                                name="wpm_fields[paragraph_content][<?php echo (int)$i; ?>]"><?php echo isset($fields['paragraph_content'][$i]) ? esc_textarea($fields['paragraph_content'][$i]) : ''; ?></textarea>
                     </label>
                 </div>
@@ -589 +590 @@
                                     <strong>&nbsp;</strong>
                                     <input type="text" value="<?php echo esc_attr($c_choice); ?>"
-                                           name="wpm_fields[combobox_choices][<?php echo $i; ?>][]">
-                                    <span class="combo_add" data-current-id="<?php echo $i; ?>">+</span>
+                                           name="wpm_fields[combobox_choices][<?php echo (int)$i; ?>][]">
+                                    <span class="combo_add" data-current-id="<?php echo (int)$i; ?>">+</span>
                                     <span class="combo_remove">-</span>
                                 </div>
@@ -600 +601 @@
                             <div class="cobmobox_choices_wrapper">
                                 <strong>&nbsp;</strong>
-                                <input type="text" value="" name="wpm_fields[combobox_choices][<?php echo $i; ?>][]">
-                                <span class="combo_add" data-current-id="<?php echo $i; ?>">+</span>
+                                <input type="text" value=""
+                                       name="wpm_fields[combobox_choices][<?php echo (int)$i; ?>][]">
+                                <span class="combo_add" data-current-id="<?php echo (int)$i; ?>">+</span>
                                 <!-- <span class="combo_remove">-</span> -->
                             </div>

pardakht-delkhah/trunk/cupri.php

@@ -241 +241 @@
                         if (!$flag) {
                             // display field/column names as first row
-                            echo implode("\t", array_keys($row)) . "\r\n";
+                            echo cupri_wp_kses(implode("\t", array_keys($row)) . "\r\n");
                             $flag = true;
                         }
@@ -249 +249 @@
                     fclose($file_handle);
                     $csv = ob_get_clean();
-                    echo $csv; // should send headers first!
+                    echo cupri_wp_kses($csv); // should send headers first!
                     die();
                 }
@@ -381 +381 @@
                 _e('Please set the default gateway from admin', 'cupri');
                 echo '  ';
-                echo '<a href="' . admin_url('edit.php?post_type=cupri_pay&page=cupri-gateways') . '">' . __('Settings', 'cupri') . '</a>';
+                echo '<a href="' . esc_url(admin_url('edit.php?post_type=cupri_pay&page=cupri-gateways')) . '">' . __('Settings', 'cupri') . '</a>';
             } else {
                 _e('No defualt gateway was set', 'cupri');

pardakht-delkhah/trunk/extra.php

@@ -738 +738 @@
     return array_map($func, $array);
 }
+
+function cupri_wp_kses($html)
+{
+    return wp_kses($html, ['img' => ['class' => [], 'src' => [], 'width' => [], 'style' => []], 'button' => ['id' => [], 'class' => [], 'name' => []], 'option' => ['value' => [], 'selected' => []], 'select' => ['name' => [], 'class' => [], 'option' => []], 'span' => ['id' => [], 'class' => [], 'data-current-id' => [], 'title' => []], 'strong' => ['class' => []], 'ul' => [], 'div' => ['id' => [], 'class' => []], 'p' => ['class' => []], 'label' => ['class' => []], 'br' => [], 'input' => ['checked' => [], 'type' => [], 'value' => [], 'name' => []], 'hr' => [], 'h3' => [], 'h4' => [], 'li' => ['data-tab-id' => [], 'class' => []], 'a' => ['href' => []]]);
+}

pardakht-delkhah/trunk/gateways/class-cupri-payir-gateway.php

@@ -26 +26 @@
             $go = "https://pay.ir/pg/$result->token";
             echo cupri_success_msg('در حال انتقال به بانک...');
-            echo '<script>window.location.href="' . $go . '";</script>';
+            echo '<script>window.location.href="' . esc_url($go) . '";</script>';
         } else {
             echo cupri_failed_msg($result->errorMessage);

pardakht-delkhah/trunk/gateways/class-cupri-zarinpal-gateway.php

@@ -51 +51 @@
                 $to_redirect = 'https://www.zarinpal.com/pg/StartPay/' . $result->Authority . $gt_zarin_zaringate;
                 echo cupri_success_msg('در حال انتقال به بانک...');
-                echo '<script>window.location.href="' . $to_redirect . '";</script>';
+                echo '<script>window.location.href="' . esc_url($to_redirect) . '";</script>';
                 //برای استفاده از زرین گیت باید ادرس به صورت زیر تغییر کند:
                 //Header('Location: https://www.zarinpal.com/pg/StartPay/'.$result->Authority.'/ZarinGate');

pardakht-delkhah/trunk/help.php

@@ -1 +1 @@
 <?php
-defined( 'ABSPATH' ) or die(  'No script kiddies please!' );
+defined('ABSPATH') or die('No script kiddies please!');
 $notes = array
 (
-'درگاه پرداخت اینترنتی چیست و کدام را انتخاب کنیم؟'=>'<a href="https://wp-master.ir/what-is-payment-gateway-and-which-one-should-we-choose/">برای مطالعه راهنمای انتخاب درگاه اینجا کلیک کنید</a>',
-__('Insert into posts or pages' , 'cupri')=>__("you can use [cupri] shortcode anywhere you want",'cupri'),
-__('send pre selected value to selectable fields' , 'cupri')=>__("add your value to link of your custom payment page with this sample: http://yoursite.com/custom-pay/?cupri_fX=Y while X is your field number and Y is it's value , so when user open this link that field selected value filled with sent value",'cupri'),
-__('send pre defined value to price field' , 'cupri')=>__("such as above just use <i>price</i> instead of X",'cupri'),
-__('Special role in transaction review' , 'cupri')=>__("You can define a user and give it a payment management role so that it can track transactions.This user will only have access to the payments menu.",'cupri'),
+    'درگاه پرداخت اینترنتی چیست و کدام را انتخاب کنیم؟' => '<a href="https://wp-master.ir/what-is-payment-gateway-and-which-one-should-we-choose/">برای مطالعه راهنمای انتخاب درگاه اینجا کلیک کنید</a>',
+    __('Insert into posts or pages', 'cupri') => __("you can use [cupri] shortcode anywhere you want", 'cupri'),
+    __('send pre selected value to selectable fields', 'cupri') => __("add your value to link of your custom payment page with this sample: http://yoursite.com/custom-pay/?cupri_fX=Y while X is your field number and Y is it's value , so when user open this link that field selected value filled with sent value", 'cupri'),
+    __('send pre defined value to price field', 'cupri') => __("such as above just use <i>price</i> instead of X", 'cupri'),
+    __('Special role in transaction review', 'cupri') => __("You can define a user and give it a payment management role so that it can track transactions.This user will only have access to the payments menu.", 'cupri'),
 );
 ?>
 <div class="wrap">
-    <?php foreach ($notes  as $title => $note): ?>
-        <h3><?php echo $title; ?></h3>
-        <p sytle=""><?php echo $note; ?></p>
-    <?php endforeach ?> 
+    <?php foreach ($notes as $title => $note): ?>
+        <h3><?php echo esc_html($title); ?></h3>
+        <p sytle=""><?php echo wp_kses($note, ['strong' => [], 'ul' => [], 'div' => ['id' => []], 'p' => ['class' => []], 'label' => [], 'br' => [], 'input' => ['checked' => [], 'type' => [], 'value' => [], 'name' => []], 'hr' => [], 'h3' => [], 'h4' => [], 'li' => ['data-tab-id' => [], 'class' => []], 'a' => ['href' => []]]);
+            ?></p>
+    <?php endforeach ?>
 </div>

pardakht-delkhah/trunk/shortcode.php

@@ -298 +298 @@
 }
 echo '<p class="cupri_submit_label">';
-echo '<button class="cupri_full_centered" name="cupri_submit" id="cupri_submit">' . esc_html($submit_button_text) . '<img width="7px" style="display:none;" class="cupri_ajax_img" src="' . cupri_url . '/assets/ajax-loader.gif"></button>';
+echo '<button class="cupri_full_centered" name="cupri_submit" id="cupri_submit">' . cupri_wp_kses($submit_button_text) . '<img width="7px" style="display:none;" class="cupri_ajax_img" src="' . cupri_url . '/assets/ajax-loader.gif"></button>';
 echo '<p class="cupri_response_placeholder alert"></p>';
 echo '</p>';