CVE-2021-4377: Changeset 2459548 – WordPress Plugin Repository
The Doneren met Mollie plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.8.5 via the dmm_export_donations() function which is called via the admin_post_dmm_export hook due to missing capability checks. This can allow authenticated attackers to extract a CSV file that contains sensitive information about the donors.
doneren-met-mollie/tags/2.8.5/includes/class-admin.php
r2459234
r2459548
298
298
299
299
$where = '';
300
if (isset($\_GET\['subscription'\]))
301
$where .= ' WHERE subscription\_id="' . esc\_sql($\_GET\['subscription'\]) . '"';
302
303
if (isset($\_GET\['search'\]))
304
$where .= ($where ? ' AND' : ' WHERE') . ' (dm\_name LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR dm\_email LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR dm\_company LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR donation\_id LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR payment\_id LIKE "%' . esc\_sql($\_GET\['search'\]) . '%")';
300
if (isset($\_GET\['subscription'\])) {
301
$subscription = sanitize\_title\_for\_query($\_GET\['subscription'\]);
302
$where .= ' WHERE subscription\_id="' . esc\_sql($subscription) . '"';
303
}
304
305
if (isset($\_GET\['search'\])) {
306
$search = sanitize\_title\_for\_query($\_GET\['search'\]);
307
$where .= ($where ? ' AND' : ' WHERE') . ' (dm\_name LIKE "%' . esc\_sql($search) . '%" OR dm\_email LIKE "%' . esc\_sql($search) . '%" OR dm\_company LIKE "%' . esc\_sql($search) . '%" OR donation\_id LIKE "%' . esc\_sql($search) . '%" OR payment\_id LIKE "%' . esc\_sql($search) . '%")';
308
}
305
309
306
310
$donations = $this->wpdb->get\_results("SELECT \* FROM " . DMM\_TABLE\_DONATIONS . $where . " ORDER BY time DESC");
307
foreach ($donations as $donation)
308
{
311
foreach ($donations as $donation) {
309
312
fputcsv($output, array(
310
313
$donation->time,
…
…
478
481
if (isset($\_GET\['action'\]) && $\_GET\['action'\] == 'cancel' && isset($\_GET\['subscription'\]) && check\_admin\_referer('cancel-subscription\_' . $\_GET\['subscription'\]))
479
482
{
480
$customer = $this->wpdb->get\_row("SELECT \* FROM " . DMM\_TABLE\_DONORS . " WHERE id = '" . esc\_sql($\_GET\['customer'\]) . "'");
483
$customer = $this->wpdb->get\_row("SELECT \* FROM " . DMM\_TABLE\_DONORS . " WHERE id = '" . esc\_sql(sanitize\_title\_for\_query($\_GET\['customer'\])) . "'");
481
484
482
485
try {
…
…
531
534
$tab = 'general';
532
535
else
533
$tab = $\_GET\['tab'\];
536
$tab = esc\_url($\_GET\['tab'\]);
534
537
?>
535
538
<div class="wrap">
536
539
<h2 class="nav-tab-wrapper">
537
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>" class="nav-tab<?php echo $tab == 'general' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('General', 'doneren-met-mollie');?></a>
538
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>&tab=form" class="nav-tab<?php echo $tab == 'form' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('Form', 'doneren-met-mollie');?></a>
539
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>&tab=mollie" class="nav-tab<?php echo $tab == 'mollie' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('Mollie settings', 'doneren-met-mollie');?></a>
540
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>&tab=recurring" class="nav-tab<?php echo $tab == 'recurring' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('Recurring payments', 'doneren-met-mollie');?></a>
540
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>" class="nav-tab<?php echo $tab ==\= 'general' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('General', 'doneren-met-mollie');?></a>
541
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>&tab=form" class="nav-tab<?php echo $tab ==\= 'form' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('Form', 'doneren-met-mollie');?></a>
542
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>&tab=mollie" class="nav-tab<?php echo $tab ==\= 'mollie' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('Mollie settings', 'doneren-met-mollie');?></a>
543
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>&tab=recurring" class="nav-tab<?php echo $tab ==\= 'recurring' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('Recurring payments', 'doneren-met-mollie');?></a>
541
544
<a href="https://features.wobbie.nl/b/doneren-met-mollie/" target="\_blank" class="nav-tab" style="float: right"><?php esc\_html\_e('Feature Requests', 'doneren-met-mollie');?></a>
542
545
<a href="https://support.wobbie.nl" target="\_blank" class="nav-tab" style="float: right"><?php esc\_html\_e('Support', 'doneren-met-mollie');?></a>
…
…
579
582
<select name="dmm\_currency">
580
583
<?php foreach (dmm\_get\_currencies() as $currency => $decimals): ?>
581
<option value="<?php echo esc\_attr($currency);?>" <?php echo (get\_option('dmm\_currency') == $currency ? 'selected' : '');?>><?php echo esc\_attr($currency);?></option>
584
<option value="<?php echo esc\_attr($currency);?>" <?php echo (get\_option('dmm\_currency') ==\= $currency ? 'selected' : '');?>><?php echo esc\_attr($currency);?></option>
582
585
<?php endforeach;?>
583
586
</select><br>
…
…
646
649
<select name="dmm\_methods\_display">
647
650
<option value="list"><?php esc\_html\_e('Icons & text', 'doneren-met-mollie');?></option>
648
<option value="list\_no\_icons" <?php echo (get\_option('dmm\_methods\_display') == 'list\_no\_icons' ? 'selected' : '');?>><?php esc\_html\_e('Only text', 'doneren-met-mollie');?></option>
649
<option value="list\_icons" <?php echo (get\_option('dmm\_methods\_display') == 'list\_icons' ? 'selected' : '');?>><?php esc\_html\_e('Only icons', 'doneren-met-mollie');?></option>
650
<option value="dropdown" <?php echo (get\_option('dmm\_methods\_display') == 'dropdown' ? 'selected' : '');?>><?php esc\_html\_e('Dropdown', 'doneren-met-mollie');?></option>
651
<option value="list\_no\_icons" <?php echo (get\_option('dmm\_methods\_display') ==\= 'list\_no\_icons' ? 'selected' : '');?>><?php esc\_html\_e('Only text', 'doneren-met-mollie');?></option>
652
<option value="list\_icons" <?php echo (get\_option('dmm\_methods\_display') ==\= 'list\_icons' ? 'selected' : '');?>><?php esc\_html\_e('Only icons', 'doneren-met-mollie');?></option>
653
<option value="dropdown" <?php echo (get\_option('dmm\_methods\_display') ==\= 'dropdown' ? 'selected' : '');?>><?php esc\_html\_e('Dropdown', 'doneren-met-mollie');?></option>
651
654
</select>
652
655
</td>
…
…
687
690
<select name="dmm\_rights\_donations">
688
691
<option value="edit\_dashboard"><?php esc\_html\_e('Administrator', 'doneren-met-mollie');?></option>
689
<option value="edit\_pages" <?php echo (get\_option('dmm\_rights\_donations') == 'edit\_pages' ? 'selected' : '');?>><?php esc\_html\_e('Editor', 'doneren-met-mollie');?></option>
690
<option value="edit\_posts" <?php echo (get\_option('dmm\_rights\_donations') == 'edit\_posts' ? 'selected' : '');?>><?php esc\_html\_e('Author', 'doneren-met-mollie');?></option>
692
<option value="edit\_pages" <?php echo (get\_option('dmm\_rights\_donations') ==\= 'edit\_pages' ? 'selected' : '');?>><?php esc\_html\_e('Editor', 'doneren-met-mollie');?></option>
693
<option value="edit\_posts" <?php echo (get\_option('dmm\_rights\_donations') ==\= 'edit\_posts' ? 'selected' : '');?>><?php esc\_html\_e('Author', 'doneren-met-mollie');?></option>
691
694
</select>
692
695
</td>
…
…
699
702
<select name="dmm\_rights\_subscriptions">
700
703
<option value="edit\_dashboard"><?php esc\_html\_e('Administrator', 'doneren-met-mollie');?></option>
701
<option value="edit\_pages" <?php echo (get\_option('dmm\_rights\_subscriptions') == 'edit\_pages' ? 'selected' : '');?>><?php esc\_html\_e('Editor', 'doneren-met-mollie');?></option>
702
<option value="edit\_posts" <?php echo (get\_option('dmm\_rights\_subscriptions') == 'edit\_posts' ? 'selected' : '');?>><?php esc\_html\_e('Author', 'doneren-met-mollie');?></option>
704
<option value="edit\_pages" <?php echo (get\_option('dmm\_rights\_subscriptions') ==\= 'edit\_pages' ? 'selected' : '');?>><?php esc\_html\_e('Editor', 'doneren-met-mollie');?></option>
705
<option value="edit\_posts" <?php echo (get\_option('dmm\_rights\_subscriptions') ==\= 'edit\_posts' ? 'selected' : '');?>><?php esc\_html\_e('Author', 'doneren-met-mollie');?></option>
703
706
</select>
704
707
</td>
…
…
917
920
<select name="dmm\_default\_interval">
918
921
<option value="one"><?php esc\_html\_e('One-time donation', 'doneren-met-mollie');?></option>
919
<option value="month" <?php echo get\_option('dmm\_default\_interval') == 'month' ? 'selected' : '';?>><?php esc\_html\_e('Monthly', 'doneren-met-mollie');?></option>
920
<option value="quarter" <?php echo get\_option('dmm\_default\_interval') == 'quarter' ? 'selected' : '';?>><?php esc\_html\_e('Each quarter', 'doneren-met-mollie');?></option>
921
<option value="year" <?php echo get\_option('dmm\_default\_interval') == 'year' ? 'selected' : '';?>><?php esc\_html\_e('Annually', 'doneren-met-mollie');?></option>
922
<option value="month" <?php echo get\_option('dmm\_default\_interval') ==\= 'month' ? 'selected' : '';?>><?php esc\_html\_e('Monthly', 'doneren-met-mollie');?></option>
923
<option value="quarter" <?php echo get\_option('dmm\_default\_interval') ==\= 'quarter' ? 'selected' : '';?>><?php esc\_html\_e('Each quarter', 'doneren-met-mollie');?></option>
924
<option value="year" <?php echo get\_option('dmm\_default\_interval') ==\= 'year' ? 'selected' : '';?>><?php esc\_html\_e('Annually', 'doneren-met-mollie');?></option>
922
925
</select>
923
926
</td>
…
…
960
963
public function get\_page\_id\_by\_slug($slug)
961
964
{
962
$id = $this->wpdb->get\_var("SELECT id FROM " . $this->wpdb->posts . " WHERE post\_name = '" . esc\_sql($slug) . "' AND post\_type = 'page'");
963
return $id;
965
return $this->wpdb->get\_var("SELECT id FROM " . $this->wpdb->posts . " WHERE post\_name = '" . esc\_sql(sanitize\_title\_for\_query($slug)) . "' AND post\_type = 'page'");
964
966
}
965
967
}
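Review bot: `$tab = esc_url($_GET['tab']);` at new line 536 breaks tab selection, because esc_url() prepends `http://` to a bare word such as `form`, so none of the `$tab === 'form'` / `'mollie'` / `'recurring'` comparisons at lines 541–543 can ever match and any later use of `$tab` receives a URL instead of a key. esc_url() is an output escaper for href contexts, not an input filter; the value should be reduced to a key and checked against the known tabs, e.g. `$tab = sanitize_key($_GET['tab']);` followed by `if (!in_array($tab, ['general', 'form', 'mollie', 'recurring'], true)) { $tab = 'general'; }`. The missing capability check the advisory describes for dmm_export_donations() is not visible in the export hunk at lines 299–313, and that function starts outside the hunk, so whether this changeset adds it elsewhere cannot be seen here. The `id = '...'` lookup at line 483 would be more robust as `$this->wpdb->prepare("... WHERE id = %d", $_GET['customer'])` if `id` is an integer column, rather than running the value through a slug sanitizer.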
doneren-met-mollie/tags/2.8.5/includes/class-donations-table.php
r2459234
r2459548
57
57
$actions\['view'\] = sprintf('<a href="%s">' . esc\_html\_\_('View', 'doneren-met-mollie') . '</a>', $url\_view);
58
58
59
if ($item\['dm\_status'\] == 'paid' && $item\['dm\_amount'\] > 0.30)
59
if ($item\['dm\_status'\] ==\= 'paid' && $item\['dm\_amount'\] > 0.30)
60
60
$actions\['refund'\] = sprintf('<a href="%s" style="color:#a00;" onclick="return confirm(\\'' . \_\_('Are you sure?', 'doneren-met-mollie') . '\\')">' . esc\_html\_\_('Refund', 'doneren-met-mollie') . '</a>', $url\_refund);
61
61
…
…
77
77
78
78
$where = '';
79
if (isset($\_GET\['subscription'\]))
80
$where .= ' WHERE subscription\_id="' . esc\_sql($\_GET\['subscription'\]) . '"';
79
if (isset($\_GET\['subscription'\])) {
80
$where .= ' WHERE subscription\_id="' . esc\_sql(sanitize\_title\_for\_query($\_GET\['subscription'\])) . '"';
81
}
81
82
82
if (isset($\_GET\['search'\]))
83
$where .= ($where ? ' AND' : ' WHERE') . ' (dm\_name LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR dm\_email LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR dm\_company LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR donation\_id LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR payment\_id LIKE "%' . esc\_sql($\_GET\['search'\]) . '%")';
83
if (isset($\_GET\['search'\])) {
84
$search = sanitize\_title\_for\_query($\_GET\['search'\]);
85
$where .= ($where ? ' AND' : ' WHERE') . ' (dm\_name LIKE "%' . esc\_sql($search) . '%" OR dm\_email LIKE "%' . esc\_sql($search) . '%" OR dm\_company LIKE "%' . esc\_sql($search) . '%" OR donation\_id LIKE "%' . esc\_sql($search) . '%" OR payment\_id LIKE "%' . esc\_sql($search) . '%")';
86
}
84
87
85
88
$donations = $wpdb->get\_results("SELECT \* FROM " . DMM\_TABLE\_DONATIONS . $where . " ORDER BY time DESC", ARRAY\_A);
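Review bot: Passing the search box value through `sanitize_title_for_query()` at new lines 84–85 silently breaks the search, since that function is a slug sanitizer (it lowercases and strips every character outside `a-z0-9 _-`), so a search for an e-mail address is mangled before it reaches the `LIKE` clause (`@` and `.` are removed). The same substitution is made in class-admin.php at new lines 300–307. For a free-text LIKE term the right tool is `$wpdb->esc_like()` inside `$wpdb->prepare()`, e.g. `$like = '%' . $wpdb->esc_like(sanitize_text_field(wp_unslash($_GET['search']))) . '%';` and `$where .= ($where ? ' AND' : ' WHERE') . $wpdb->prepare(' (dm_name LIKE %s OR dm_email LIKE %s OR dm_company LIKE %s OR donation_id LIKE %s OR payment_id LIKE %s)', $like, $like, $like, $like, $like);`, which also escapes the `%` and `_` wildcards that esc_sql() leaves in place. The `subscription_id` filter at line 80 can use a `%s` placeholder in the same way instead of string concatenation.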
doneren-met-mollie/tags/2.8.5/includes/class-start.php
r2459282
r2459548
310
310
{
311
311
$donation\_id = uniqid(rand(1,99));
312
$amount = number\_format(str\_replace(',', '.', $\_POST\['dmm\_amount'\]), 2, '.', '');
312
$amount = number\_format(str\_replace(',', '.', sanitize\_text\_field($\_POST\['dmm\_amount'\])), 2, '.', '');
313
313
314
314
// Hook to handle POST data for custom fields
…
…
347
347
array(
348
348
$donation\_id,
349
isset($\_POST\['dmm\_name'\]) ? $\_POST\['dmm\_name'\] : '',
350
isset($\_POST\['dmm\_project'\]) ? $\_POST\['dmm\_project'\] : '',
349
isset($\_POST\['dmm\_name'\]) ? sanitize\_text\_field($\_POST\['dmm\_name'\]) : '',
350
isset($\_POST\['dmm\_project'\]) ? sanitize\_text\_field($\_POST\['dmm\_project'\]) : '',
351
351
$amount,
352
isset($\_POST\['dmm\_company'\]) ? $\_POST\['dmm\_company'\] : '',
353
isset($\_POST\['dmm\_email'\]) ? $\_POST\['dmm\_email'\] : '',
352
isset($\_POST\['dmm\_company'\]) ? sanitize\_text\_field($\_POST\['dmm\_company'\]) : '',
353
isset($\_POST\['dmm\_email'\]) ? sanitize\_email($\_POST\['dmm\_email'\]) : '',
354
354
$interval,
355
355
),
356
get\_option('dmm\_payment\_description')
356
sanitize\_text\_field(get\_option('dmm\_payment\_description'))
357
357
);
358
358
…
…
366
366
if (get\_option('dmm\_metadata') != '0') {
367
367
$metadata = array(
368
"name" => isset($\_POST\['dmm\_name'\]) ? esc\_js($\_POST\['dmm\_name'\]) : '',
369
"email" => isset($\_POST\['dmm\_email'\]) ? esc\_js($\_POST\['dmm\_email'\]) : '',
370
"project" => isset($\_POST\['dmm\_project'\]) ? esc\_js($\_POST\['dmm\_project'\]) : '',
371
"company" => isset($\_POST\['dmm\_company'\]) ? esc\_js($\_POST\['dmm\_company'\]) : '',
372
"address" => isset($\_POST\['dmm\_address'\]) ? esc\_js($\_POST\['dmm\_address'\]) : '',
373
"zipcode" => isset($\_POST\['dmm\_zipcode'\]) ? esc\_js($\_POST\['dmm\_zipcode'\]) : '',
374
"city" => isset($\_POST\['dmm\_city'\]) ? esc\_js($\_POST\['dmm\_city'\]) : '',
375
"country" => isset($\_POST\['dmm\_country'\]) ? esc\_js($\_POST\['dmm\_country'\]) : '',
376
"message" => isset($\_POST\['dmm\_message'\]) ? esc\_js($\_POST\['dmm\_message'\]) : '',
377
"phone" => isset($\_POST\['dmm\_phone'\]) ? esc\_js($\_POST\['dmm\_phone'\]) : '',
368
"name" => isset($\_POST\['dmm\_name'\]) ? sanitize\_text\_field($\_POST\['dmm\_name'\]) : '',
369
"email" => isset($\_POST\['dmm\_email'\]) ? sanitize\_email($\_POST\['dmm\_email'\]) : '',
370
"project" => isset($\_POST\['dmm\_project'\]) ? sanitize\_text\_field($\_POST\['dmm\_project'\]) : '',
371
"company" => isset($\_POST\['dmm\_company'\]) ? sanitize\_text\_field($\_POST\['dmm\_company'\]) : '',
372
"address" => isset($\_POST\['dmm\_address'\]) ? sanitize\_text\_field($\_POST\['dmm\_address'\]) : '',
373
"zipcode" => isset($\_POST\['dmm\_zipcode'\]) ? sanitize\_text\_field($\_POST\['dmm\_zipcode'\]) : '',
374
"city" => isset($\_POST\['dmm\_city'\]) ? sanitize\_text\_field($\_POST\['dmm\_city'\]) : '',
375
"country" => isset($\_POST\['dmm\_country'\]) ? sanitize\_text\_field($\_POST\['dmm\_country'\]) : '',
376
"message" => isset($\_POST\['dmm\_message'\]) ? sanitize\_textarea\_field($\_POST\['dmm\_message'\]) : '',
377
"phone" => isset($\_POST\['dmm\_phone'\]) ? sanitize\_text\_field($\_POST\['dmm\_phone'\]) : '',
378
378
"donation\_id" => $donation\_id,
379
379
);
…
…
384
384
$payment = $mollie->post('payments', array(
385
385
"amount" => array(
386
"currency" => $\_POST\['dmm\_currency'\],
386
"currency" => sanitize\_text\_field($\_POST\['dmm\_currency'\]),
387
387
"value" => (string)$amount
388
388
),
…
…
396
396
$secret = uniqid();
397
397
$customer = $mollie->post('customers', array(
398
"name" => isset($\_POST\['dmm\_name'\]) ? esc\_html($\_POST\['dmm\_name'\]) : '',
399
"email" => isset($\_POST\['dmm\_email'\]) ? esc\_html($\_POST\['dmm\_email'\]) : '',
398
"name" => isset($\_POST\['dmm\_name'\]) ? sanitize\_text\_field($\_POST\['dmm\_name'\]) : '',
399
"email" => isset($\_POST\['dmm\_email'\]) ? sanitize\_email($\_POST\['dmm\_email'\]) : '',
400
400
));
401
401
…
…
409
409
$customer->name,
410
410
$customer->email,
411
$\_POST\['dmm\_recurring\_interval'\],
412
$\_POST\['dmm\_currency'\],
411
sanitize\_text\_field($\_POST\['dmm\_recurring\_interval'\]),
412
sanitize\_text\_field($\_POST\['dmm\_currency'\]),
413
413
$amount,
414
414
$description,
…
…
419
419
$payment = $mollie->post('payments', array(
420
420
"amount" => array(
421
"currency" => esc\_html($\_POST\['dmm\_currency'\]),
421
"currency" => sanitize\_text\_field($\_POST\['dmm\_currency'\]),
422
422
"value" => (string)$amount
423
423
),
…
…
427
427
"redirectUrl" => $redirectBaseUrl . '?dmm\_id=' . $donation\_id,
428
428
"webhookUrl" => $dmm\_webhook . 'first/' . $this->wpdb->insert\_id . '/secret/' . $secret,
429
"method" => esc\_html($\_POST\['dmm\_method'\]),
429
"method" => sanitize\_text\_field($\_POST\['dmm\_method'\]),
430
430
"metadata" => $metadata
431
431
));
…
…
451
451
$payment->settlementAmount->currency ?: $payment->amount->currency,
452
452
$payment->settlementAmount->value ?: $payment->amount->value,
453
isset($\_POST\['dmm\_name'\]) ? $\_POST\['dmm\_name'\] : null,
454
isset($\_POST\['dmm\_email'\]) ? $\_POST\['dmm\_email'\] : null,
455
isset($\_POST\['dmm\_project'\]) ? $\_POST\['dmm\_project'\] : null,
456
isset($\_POST\['dmm\_company'\]) ? $\_POST\['dmm\_company'\] : null,
457
isset($\_POST\['dmm\_address'\]) ? $\_POST\['dmm\_address'\] : null,
458
isset($\_POST\['dmm\_zipcode'\]) ? $\_POST\['dmm\_zipcode'\] : null,
459
isset($\_POST\['dmm\_city'\]) ? $\_POST\['dmm\_city'\] : null,
460
isset($\_POST\['dmm\_country'\]) ? $\_POST\['dmm\_country'\] : null,
461
isset($\_POST\['dmm\_message'\]) ? $\_POST\['dmm\_message'\] : null,
462
isset($\_POST\['dmm\_phone'\]) ? $\_POST\['dmm\_phone'\] : null,
453
isset($\_POST\['dmm\_name'\]) ? sanitize\_text\_field($\_POST\['dmm\_name'\]) : null,
454
isset($\_POST\['dmm\_email'\]) ? sanitize\_email($\_POST\['dmm\_email'\]) : null,
455
isset($\_POST\['dmm\_project'\]) ? sanitize\_text\_field($\_POST\['dmm\_project'\]) : null,
456
isset($\_POST\['dmm\_company'\]) ? sanitize\_text\_field($\_POST\['dmm\_company'\]) : null,
457
isset($\_POST\['dmm\_address'\]) ? sanitize\_text\_field($\_POST\['dmm\_address'\]) : null,
458
isset($\_POST\['dmm\_zipcode'\]) ? sanitize\_text\_field($\_POST\['dmm\_zipcode'\]) : null,
459
isset($\_POST\['dmm\_city'\]) ? sanitize\_text\_field($\_POST\['dmm\_city'\]) : null,
460
isset($\_POST\['dmm\_country'\]) ? sanitize\_text\_field($\_POST\['dmm\_country'\]) : null,
461
isset($\_POST\['dmm\_message'\]) ? sanitize\_textarea\_field($\_POST\['dmm\_message'\]) : null,
462
isset($\_POST\['dmm\_phone'\]) ? sanitize\_text\_field($\_POST\['dmm\_phone'\]) : null,
463
463
$payment->method,
464
464
$payment->mode
…
…
482
482
}
483
483
484
echo '<p class="' . esc\_attr(get\_option('dmm\_success\_cls')) . '">' . esc\_html\_\_('Thank you for your donation!', 'doneren-met-mollie') . '</p>';
484
echo '<p class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_success\_cls'))) . '">' . esc\_html\_\_('Thank you for your donation!', 'doneren-met-mollie') . '</p>';
485
485
486
486
// Hook to add logic after the donation has been paid
…
…
492
492
}
493
493
494
echo '<p class="' . esc\_attr(get\_option('dmm\_failure\_cls')) . '">' . esc\_html\_\_('The payment was not successful, please try again.', 'doneren-met-mollie') . '</p>';
494
echo '<p class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_failure\_cls'))) . '">' . esc\_html\_\_('The payment was not successful, please try again.', 'doneren-met-mollie') . '</p>';
495
495
}
496
496
} else {
…
…
499
499
$intervals = get\_option('dmm\_recurring\_interval');
500
500
501
$selected\_interval = isset($\_POST\['dmm\_recurring\_interval'\]) ? $\_POST\['dmm\_recurring\_interval'\] : get\_option('dmm\_default\_interval');
501
$selected\_interval = isset($\_POST\['dmm\_recurring\_interval'\]) ? sanitize\_text\_field($\_POST\['dmm\_recurring\_interval'\]) : get\_option('dmm\_default\_interval');
502
502
?>
503
<form action="<?php echo esc\_attr($\_SERVER\['REQUEST\_URI'\]);?>" class="<?php echo esc\_attr(get\_option('dmm\_form\_cls'));?>" method="post">
503
<form action="<?php echo esc\_attr($\_SERVER\['REQUEST\_URI'\]);?>" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_form\_cls')));?>" method="post">
504
504
505
505
<?php
…
…
509
509
<?php if (get\_option('dmm\_recurring')) { ?>
510
510
<p>
511
<select id="dmm\_interval" name="dmm\_recurring\_interval" style="width: 100%" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" onchange="dmm\_recurring\_methods(this.value);">
511
<select id="dmm\_interval" name="dmm\_recurring\_interval" style="width: 100%" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" onchange="dmm\_recurring\_methods(this.value);">
512
512
<option value="one"><?php echo esc\_html\_e('One-time donation', 'doneren-met-mollie');?></option>
513
513
<?php if (isset($intervals\['month'\])) { ?>
…
…
529
529
<p <?php echo ($dmm\_fields\['Name'\]\['active'\] ? '' : 'style="display:none"');?>>
530
530
<?php echo esc\_html\_e('Name', 'doneren-met-mollie') . (isset($dmm\_fields\['Name'\]\['required'\]) && $dmm\_fields\['Name'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
531
<input type="text" name="dmm\_name" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_name"\]) ? esc\_attr($\_POST\["dmm\_name"\]) : '');?>" style="width: 100%">
531
<input type="text" name="dmm\_name" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_name"\]) ? esc\_attr($\_POST\["dmm\_name"\]) : '');?>" style="width: 100%">
532
532
</p>
533
533
<?php } ?>
…
…
536
536
<p>
537
537
<?php echo esc\_html\_e('Company name', 'doneren-met-mollie') . (isset($dmm\_fields\['Company name'\]\['required'\]) && $dmm\_fields\['Company name'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
538
<input type="text" name="dmm\_company" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_company"\]) ? esc\_attr($\_POST\["dmm\_company"\]) : '');?>" style="width: 100%">
538
<input type="text" name="dmm\_company" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_company"\]) ? esc\_attr($\_POST\["dmm\_company"\]) : '');?>" style="width: 100%">
539
539
</p>
540
540
<?php } ?>
…
…
543
543
<p <?php echo ($dmm\_fields\['Email address'\]\['active'\] ? '' : 'style="display:none"');?>>
544
544
<?php echo esc\_html\_e('Email address', 'doneren-met-mollie') . (isset($dmm\_fields\['Email address'\]\['required'\]) && $dmm\_fields\['Email address'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
545
<input type="email" name="dmm\_email" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_email"\]) ? esc\_attr($\_POST\["dmm\_email"\]) : '');?>" style="width: 100%">
545
<input type="email" name="dmm\_email" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_email"\]) ? esc\_attr($\_POST\["dmm\_email"\]) : '');?>" style="width: 100%">
546
546
</p>
547
547
<?php } ?>
…
…
550
550
<p>
551
551
<?php echo esc\_html\_e('Phone number', 'doneren-met-mollie') . (isset($dmm\_fields\['Phone number'\]\['required'\]) && $dmm\_fields\['Phone number'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
552
<input type="text" name="dmm\_phone" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_phone"\]) ? esc\_attr($\_POST\["dmm\_phone"\]) : '');?>" style="width: 100%">
552
<input type="text" name="dmm\_phone" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_phone"\]) ? esc\_attr($\_POST\["dmm\_phone"\]) : '');?>" style="width: 100%">
553
553
</p>
554
554
<?php } ?>
…
…
557
557
<p>
558
558
<?php echo esc\_html\_e('Street', 'doneren-met-mollie') . (isset($dmm\_fields\['Address'\]\['required'\]) && $dmm\_fields\['Address'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
559
<input type="text" name="dmm\_address" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_address"\]) ? esc\_attr($\_POST\["dmm\_address"\]) : '');?>" style="width: 100%">
559
<input type="text" name="dmm\_address" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_address"\]) ? esc\_attr($\_POST\["dmm\_address"\]) : '');?>" style="width: 100%">
560
560
</p>
561
561
<p>
562
562
<?php echo esc\_html\_e('Zipcode', 'doneren-met-mollie') . (isset($dmm\_fields\['Address'\]\['required'\]) && $dmm\_fields\['Address'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
563
<input type="text" name="dmm\_zipcode" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_zipcode"\]) ? esc\_attr($\_POST\["dmm\_zipcode"\]) : '');?>" style="width: 100%">
563
<input type="text" name="dmm\_zipcode" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_zipcode"\]) ? esc\_attr($\_POST\["dmm\_zipcode"\]) : '');?>" style="width: 100%">
564
564
</p>
565
565
<p>
566
566
<?php echo esc\_html\_e('City', 'doneren-met-mollie') . (isset($dmm\_fields\['Address'\]\['required'\]) && $dmm\_fields\['Address'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
567
<input type="text" name="dmm\_city" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_city"\]) ? esc\_attr($\_POST\["dmm\_city"\]) : '');?>" style="width: 100%">
567
<input type="text" name="dmm\_city" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_city"\]) ? esc\_attr($\_POST\["dmm\_city"\]) : '');?>" style="width: 100%">
568
568
</p>
569
569
<p>
570
570
<?php echo esc\_html\_e('Country', 'doneren-met-mollie') . (isset($dmm\_fields\['Address'\]\['required'\]) && $dmm\_fields\['Address'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
571
<input type="text" name="dmm\_country" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_country"\]) ? esc\_attr($\_POST\["dmm\_country"\]) : '');?>" style="width: 100%">
571
<input type="text" name="dmm\_country" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_country"\]) ? esc\_attr($\_POST\["dmm\_country"\]) : '');?>" style="width: 100%">
572
572
</p>
573
573
<?php } ?>
…
…
576
576
<p>
577
577
<?php echo esc\_html\_e('Project', 'doneren-met-mollie') . (isset($dmm\_fields\['Project'\]\['required'\]) && $dmm\_fields\['Project'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
578
<?php echo $this->dmm\_projects(isset($\_POST\["dmm\_project"\]) ? esc\_attr($\_POST\["dmm\_project"\]) : '');?>
578
<?php echo $this->dmm\_projects(isset($\_POST\["dmm\_project"\]) ? sanitize\_text\_field($\_POST\["dmm\_project"\]) : '');?>
579
579
</p>
580
580
<?php } ?>
…
…
583
583
<p>
584
584
<?php echo esc\_html\_e('Message', 'doneren-met-mollie') . (isset($dmm\_fields\['Message'\]\['required'\]) && $dmm\_fields\['Message'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
585
<textarea name="dmm\_message" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" rows="5" style="width: 100%"><?php echo (isset($\_POST\["dmm\_message"\]) ? esc\_attr($\_POST\["dmm\_message"\]) : '');?></textarea>
585
<textarea name="dmm\_message" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" rows="5" style="width: 100%"><?php echo (isset($\_POST\["dmm\_message"\]) ? esc\_attr($\_POST\["dmm\_message"\]) : '');?></textarea>
586
586
</p>
587
587
<?php } ?>
…
…
593
593
if (get\_option('dmm\_amount')) {
594
594
if (get\_option('dmm\_free\_input')) {
595
echo '<select id="dmm\_dd" style="width: 100%" class="' . esc\_attr(get\_option('dmm\_fields\_cls')) . '" onchange="if(this.value!=\\'--\\'){document.getElementById(\\'dmm\_amount\\').value=this.value;document.getElementById(\\'dmm\_amount\\').style.display = \\'none\\';}else{document.getElementById(\\'dmm\_amount\\').style.display = \\'block\\';}">';
595
echo '<select id="dmm\_dd" style="width: 100%" class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls'))) . '" onchange="if(this.value!=\\'--\\'){document.getElementById(\\'dmm\_amount\\').value=this.value;document.getElementById(\\'dmm\_amount\\').style.display = \\'none\\';}else{document.getElementById(\\'dmm\_amount\\').style.display = \\'block\\';}">';
596
596
echo '<option value="--">' . esc\_html\_\_('Enter your own amount', 'doneren-met-mollie') . '</option>';
597
597
} else {
598
echo '<select style="width: 100%" name="dmm\_amount" class="' . esc\_attr(get\_option('dmm\_fields\_cls')) . '" >';
598
echo '<select style="width: 100%" name="dmm\_amount" class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls'))) . '" >';
599
599
}
600
600
…
…
607
607
if (get\_option('dmm\_free\_input')) {
608
608
if (get\_option('dmm\_currency\_switch') == '1') {
609
echo '<select name="dmm\_currency" class="' . esc\_attr(get\_option('dmm\_fields\_cls')) . '" id="dmm\_currency" onchange="dmm\_multicurrency\_methods(this.value);" style="width: 20%;float:left;">';
609
echo '<select name="dmm\_currency" class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls'))) . '" id="dmm\_currency" onchange="dmm\_multicurrency\_methods(this.value);" style="width: 20%;float:left;">';
610
610
611
611
foreach (dmm\_get\_currencies() as $currency => $decimals)
…
…
617
617
}
618
618
619
echo '<span style="display:block;overflow:auto;"><input type="text" id="dmm\_amount" name="dmm\_amount" class="' . esc\_attr(get\_option('dmm\_fields\_cls')) . '" value="' . esc\_attr(isset($\_POST\["dmm\_amount"\]) ? $\_POST\["dmm\_amount"\] : get\_option('dmm\_default\_amount')) . '" style="width: 100%;float:left;"></span>';
619
echo '<span style="display:block;overflow:auto;"><input type="text" id="dmm\_amount" name="dmm\_amount" class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls'))) . '" value="' . esc\_attr(isset($\_POST\["dmm\_amount"\]) ? $\_POST\["dmm\_amount"\] : get\_option('dmm\_default\_amount')) . '" style="width: 100%;float:left;"></span>';
620
620
}
621
621
else {
…
…
664
664
do\_action('dmm\_donate\_form\_bottom');?>
665
665
666
<input type="submit" name="dmm\_submitted" class="<?php echo esc\_attr(get\_option('dmm\_button\_cls'));?>" value="<?php echo esc\_attr(\_\_('Donate', 'doneren-met-mollie'));?>">
666
<input type="submit" name="dmm\_submitted" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo esc\_attr(\_\_('Donate', 'doneren-met-mollie'));?>">
667
667
668
668
</form>
…
…
757
757
if ($option === 'list') {
758
758
foreach ($mollie->all('methods') as $method) {
759
$methods .= '<label class="' . esc\_attr($this->dmm\_pm\_class($method->id)) . '"><input type="radio" name="dmm\_method" value="' . esc\_attr($method->id) . '" ' . ($first ? 'checked' : '') . '> <img style="vertical-align:middle;display:inline-block" src="' . esc\_url($method->image->size1x) . '"> ' . esc\_html\_\_($method->description, 'doneren-met-mollie') . '<br></label>';
759
$methods .= '<label class="' . esc\_attr(sanitize\_html\_class($this->dmm\_pm\_class($method->id))) . '"><input type="radio" name="dmm\_method" value="' . esc\_attr($method->id) . '" ' . ($first ? 'checked' : '') . '> <img style="vertical-align:middle;display:inline-block" src="' . esc\_url($method->image->size1x) . '"> ' . esc\_html\_\_($method->description, 'doneren-met-mollie') . '<br></label>';
760
760
$first = false;
761
761
}
762
762
} elseif ($option === 'list\_no\_icons') {
763
763
foreach ($mollie->all('methods') as $method) {
764
$methods .= '<label class="' . esc\_attr($this->dmm\_pm\_class($method->id)) . '"><input type="radio" name="dmm\_method" value="' . esc\_attr($method->id) . '" ' . ($first ? 'checked' : '') . '> ' . esc\_html\_\_($method->description, 'doneren-met-mollie') . '<br></label>';
764
$methods .= '<label class="' . esc\_attr(sanitize\_html\_class($this->dmm\_pm\_class($method->id))) . '"><input type="radio" name="dmm\_method" value="' . esc\_attr($method->id) . '" ' . ($first ? 'checked' : '') . '> ' . esc\_html\_\_($method->description, 'doneren-met-mollie') . '<br></label>';
765
765
$first = false;
766
766
}
767
767
} elseif ($option === 'list\_icons') {
768
768
foreach ($mollie->all('methods') as $method) {
769
$methods .= '<label class="' . esc\_attr($this->dmm\_pm\_class($method->id)) . '"><input type="radio" name="dmm\_method" value="' . esc\_attr($method->id) . '" ' . ($first ? 'checked' : '') . '> <img style="vertical-align:middle;display:inline-block" src="' . esc\_url($method->image->size1x) . '"></label> ';
769
$methods .= '<label class="' . esc\_attr(sanitize\_html\_class($this->dmm\_pm\_class($method->id))) . '"><input type="radio" name="dmm\_method" value="' . esc\_attr($method->id) . '" ' . ($first ? 'checked' : '') . '> <img style="vertical-align:middle;display:inline-block" src="' . esc\_url($method->image->size1x) . '"></label> ';
770
770
$first = false;
771
771
}
772
772
} elseif ($option === 'dropdown') {
773
$methods .= '<select style="width: 100%" name="dmm\_method" class="' . esc\_attr(get\_option('dmm\_fields\_cls')) . '">';
773
$methods .= '<select style="width: 100%" name="dmm\_method" class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls'))) . '">';
774
774
$methods .= '<option value="">== ' . esc\_html\_\_('Choose a payment method', 'doneren-met-mollie') . ' ==</option>';
775
775
foreach ($mollie->all('methods') as $method) {
776
$methods .= '<option class="' . $this->dmm\_pm\_class($method->id) . '" value="' . $method->id . '">' . esc\_html\_\_($method->description, 'doneren-met-mollie') . '</option>';
776
$methods .= '<option class="' . esc\_attr(sanitize\_html\_class($this->dmm\_pm\_class($method->id))) . '" value="' . $method->id . '">' . esc\_html\_\_($method->description, 'doneren-met-mollie') . '</option>';
777
777
}
778
778
$methods .= '</select>';
…
…
831
831
\*/
832
832
private function dmm\_projects($selected = '') {
833
$projects = explode(PHP\_EOL, get\_option('dmm\_projects'));
834
835
$projectList = '<select style="width: 100%" name="dmm\_project" class="' . esc\_attr(get\_option('dmm\_fields\_cls')) . '">';
833
$projects = explode(PHP\_EOL, sanitize\_text\_field(get\_option('dmm\_projects')));
834
835
$projectList = '<select style="width: 100%" name="dmm\_project" class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls'))) . '">';
836
836
foreach ($projects as $project) {
837
837
$projectList .= '<option' . ($selected === $project ? ' selected' : '') . '>' . esc\_attr($project) . '</option>';
…
…
848
848
private function get\_page\_id\_by\_slug($slug)
849
849
{
850
return $this->wpdb->get\_var("SELECT id FROM " . $this->wpdb->posts . " WHERE post\_name = '" . esc\_sql($slug) . "' AND post\_type = 'page'");
850
return $this->wpdb->get\_var("SELECT id FROM " . $this->wpdb->posts . " WHERE post\_name = '" . esc\_sql(sanitize\_title\_for\_query($slug)) . "' AND post\_type = 'page'");
851
851
}
852
852
}
doneren-met-mollie/tags/2.8.5/includes/class-subscriptions-table.php
r2459234
r2459548
38
38
function column\_customer\_name($item){
39
39
global $wpdb;
40
$customer = $wpdb->get\_row("SELECT \* FROM " . DMM\_TABLE\_DONORS . " WHERE id = '" . esc\_sql($item\['customer\_id'\]) . "'");
40
$customer = $wpdb->get\_row("SELECT \* FROM " . DMM\_TABLE\_DONORS . " WHERE id = '" . esc\_sql(sanitize\_title\_for\_query($item\['customer\_id'\])) . "'");
41
41
return $customer->customer\_name;
42
42
}
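Review bot: The lookup at new line 40 still builds the SQL by string concatenation; `sanitize_title_for_query()` is a slug sanitizer and not a substitute for a prepared statement, so the idiomatic form is `$customer = $wpdb->get_row($wpdb->prepare('SELECT * FROM ' . DMM_TABLE_DONORS . ' WHERE id = %d', $item['customer_id']));`, assuming donor ids are integers. The return on line 41 dereferences `$customer` unconditionally, so a donor row that no longer exists turns into a warning on null; `return $customer ? $customer->customer_name : '';` guards it. This method also reaches for `global $wpdb` while the other classes touched by this changeset use `$this->wpdb`, which is worth aligning.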
doneren-met-mollie/tags/2.8.5/includes/class-webhook.php
r2459266
r2459548
71
71
{
72
72
$dmm\_webhook = get\_home\_url(null, DMM\_WEBHOOK);
73
74
do\_action('dmm\_webhook\_called', esc\_html($\_POST\['id'\]));
73
$payment\_id = sanitize\_text\_field($\_POST\['id'\]);
74
75
if (empty($payment\_id)) {
76
status\_header(404);
77
return 'No payment id';
78
}
79
80
do\_action('dmm\_webhook\_called', $payment\_id);
75
81
76
82
try {
…
…
86
92
{
87
93
// First payment of recurring donation or one-time donation
88
$payment\_id = $\_POST\['id'\];
89
if (!$payment\_id) {
90
status\_header(404);
91
return 'No payment id';
92
}
93
94
94
$donation = $this->wpdb->get\_row("SELECT \* FROM " . DMM\_TABLE\_DONATIONS . " WHERE payment\_id = '" . esc\_sql($payment\_id) . "'");
95
95
…
…
181
181
182
182
return 'OK, ' . esc\_html($payment\_id);
183
}
184
else
185
{
183
} else {
186
184
// Subscription
187
185
$sub = $this->wpdb->get\_row("SELECT \* FROM " . DMM\_TABLE\_SUBSCRIPTIONS . " WHERE id = '" . esc\_sql($query->query\_vars\['sub'\]) . "'");
…
…
196
194
status\_header(404);
197
195
return 'Donation not found';
198
}
199
200
$payment\_id = $\_POST\['id'\];
201
if (!$payment\_id) {
202
status\_header(404);
203
return 'No payment id';
204
196
}
205
197
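Review bot: The early exit on new lines 73–78 treats the id only as text, and the lookups at new lines 94 and 185 still interpolate it (and `$query->query_vars['sub']`) into SQL through `esc_sql()`; `$wpdb->prepare()` with a `%s`/`%d` placeholder is the form to use, e.g. `$donation = $this->wpdb->get_row($this->wpdb->prepare('SELECT * FROM ' . DMM_TABLE_DONATIONS . ' WHERE payment_id = %s', $payment_id));`. Firing `dmm_webhook_called` on line 80 before any lookup hands listeners an id that has not yet been matched to a stored donation, which deserves a comment such as `// $payment_id is caller-supplied and not yet matched to a stored donation`; whether the `try` block that follows validates it against the payment provider is not visible here. The enclosing method starts and ends outside these hunks.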
doneren-met-mollie/trunk/includes/class-admin.php
r2459234
r2459548
298
298
299
299
$where = '';
300
if (isset($\_GET\['subscription'\]))
301
$where .= ' WHERE subscription\_id="' . esc\_sql($\_GET\['subscription'\]) . '"';
302
303
if (isset($\_GET\['search'\]))
304
$where .= ($where ? ' AND' : ' WHERE') . ' (dm\_name LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR dm\_email LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR dm\_company LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR donation\_id LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR payment\_id LIKE "%' . esc\_sql($\_GET\['search'\]) . '%")';
300
if (isset($\_GET\['subscription'\])) {
301
$subscription = sanitize\_title\_for\_query($\_GET\['subscription'\]);
302
$where .= ' WHERE subscription\_id="' . esc\_sql($subscription) . '"';
303
}
304
305
if (isset($\_GET\['search'\])) {
306
$search = sanitize\_title\_for\_query($\_GET\['search'\]);
307
$where .= ($where ? ' AND' : ' WHERE') . ' (dm\_name LIKE "%' . esc\_sql($search) . '%" OR dm\_email LIKE "%' . esc\_sql($search) . '%" OR dm\_company LIKE "%' . esc\_sql($search) . '%" OR donation\_id LIKE "%' . esc\_sql($search) . '%" OR payment\_id LIKE "%' . esc\_sql($search) . '%")';
308
}
305
309
306
310
$donations = $this->wpdb->get\_results("SELECT \* FROM " . DMM\_TABLE\_DONATIONS . $where . " ORDER BY time DESC");
307
foreach ($donations as $donation)
308
{
311
foreach ($donations as $donation) {
309
312
fputcsv($output, array(
310
313
$donation->time,
…
…
478
481
if (isset($\_GET\['action'\]) && $\_GET\['action'\] == 'cancel' && isset($\_GET\['subscription'\]) && check\_admin\_referer('cancel-subscription\_' . $\_GET\['subscription'\]))
479
482
{
480
$customer = $this->wpdb->get\_row("SELECT \* FROM " . DMM\_TABLE\_DONORS . " WHERE id = '" . esc\_sql($\_GET\['customer'\]) . "'");
483
$customer = $this->wpdb->get\_row("SELECT \* FROM " . DMM\_TABLE\_DONORS . " WHERE id = '" . esc\_sql(sanitize\_title\_for\_query($\_GET\['customer'\])) . "'");
481
484
482
485
try {
…
…
531
534
$tab = 'general';
532
535
else
533
$tab = $\_GET\['tab'\];
536
$tab = esc\_url($\_GET\['tab'\]);
534
537
?>
535
538
<div class="wrap">
536
539
<h2 class="nav-tab-wrapper">
537
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>" class="nav-tab<?php echo $tab == 'general' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('General', 'doneren-met-mollie');?></a>
538
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>&tab=form" class="nav-tab<?php echo $tab == 'form' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('Form', 'doneren-met-mollie');?></a>
539
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>&tab=mollie" class="nav-tab<?php echo $tab == 'mollie' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('Mollie settings', 'doneren-met-mollie');?></a>
540
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>&tab=recurring" class="nav-tab<?php echo $tab == 'recurring' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('Recurring payments', 'doneren-met-mollie');?></a>
540
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>" class="nav-tab<?php echo $tab ==\= 'general' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('General', 'doneren-met-mollie');?></a>
541
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>&tab=form" class="nav-tab<?php echo $tab ==\= 'form' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('Form', 'doneren-met-mollie');?></a>
542
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>&tab=mollie" class="nav-tab<?php echo $tab ==\= 'mollie' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('Mollie settings', 'doneren-met-mollie');?></a>
543
<a href="?page=<?php echo DMM\_PAGE\_SETTINGS ?>&tab=recurring" class="nav-tab<?php echo $tab ==\= 'recurring' ? ' nav-tab-active' : '';?>"><?php esc\_html\_e('Recurring payments', 'doneren-met-mollie');?></a>
541
544
<a href="https://features.wobbie.nl/b/doneren-met-mollie/" target="\_blank" class="nav-tab" style="float: right"><?php esc\_html\_e('Feature Requests', 'doneren-met-mollie');?></a>
542
545
<a href="https://support.wobbie.nl" target="\_blank" class="nav-tab" style="float: right"><?php esc\_html\_e('Support', 'doneren-met-mollie');?></a>
…
…
579
582
<select name="dmm\_currency">
580
583
<?php foreach (dmm\_get\_currencies() as $currency => $decimals): ?>
581
<option value="<?php echo esc\_attr($currency);?>" <?php echo (get\_option('dmm\_currency') == $currency ? 'selected' : '');?>><?php echo esc\_attr($currency);?></option>
584
<option value="<?php echo esc\_attr($currency);?>" <?php echo (get\_option('dmm\_currency') ==\= $currency ? 'selected' : '');?>><?php echo esc\_attr($currency);?></option>
582
585
<?php endforeach;?>
583
586
</select><br>
…
…
646
649
<select name="dmm\_methods\_display">
647
650
<option value="list"><?php esc\_html\_e('Icons & text', 'doneren-met-mollie');?></option>
648
<option value="list\_no\_icons" <?php echo (get\_option('dmm\_methods\_display') == 'list\_no\_icons' ? 'selected' : '');?>><?php esc\_html\_e('Only text', 'doneren-met-mollie');?></option>
649
<option value="list\_icons" <?php echo (get\_option('dmm\_methods\_display') == 'list\_icons' ? 'selected' : '');?>><?php esc\_html\_e('Only icons', 'doneren-met-mollie');?></option>
650
<option value="dropdown" <?php echo (get\_option('dmm\_methods\_display') == 'dropdown' ? 'selected' : '');?>><?php esc\_html\_e('Dropdown', 'doneren-met-mollie');?></option>
651
<option value="list\_no\_icons" <?php echo (get\_option('dmm\_methods\_display') ==\= 'list\_no\_icons' ? 'selected' : '');?>><?php esc\_html\_e('Only text', 'doneren-met-mollie');?></option>
652
<option value="list\_icons" <?php echo (get\_option('dmm\_methods\_display') ==\= 'list\_icons' ? 'selected' : '');?>><?php esc\_html\_e('Only icons', 'doneren-met-mollie');?></option>
653
<option value="dropdown" <?php echo (get\_option('dmm\_methods\_display') ==\= 'dropdown' ? 'selected' : '');?>><?php esc\_html\_e('Dropdown', 'doneren-met-mollie');?></option>
651
654
</select>
652
655
</td>
…
…
687
690
<select name="dmm\_rights\_donations">
688
691
<option value="edit\_dashboard"><?php esc\_html\_e('Administrator', 'doneren-met-mollie');?></option>
689
<option value="edit\_pages" <?php echo (get\_option('dmm\_rights\_donations') == 'edit\_pages' ? 'selected' : '');?>><?php esc\_html\_e('Editor', 'doneren-met-mollie');?></option>
690
<option value="edit\_posts" <?php echo (get\_option('dmm\_rights\_donations') == 'edit\_posts' ? 'selected' : '');?>><?php esc\_html\_e('Author', 'doneren-met-mollie');?></option>
692
<option value="edit\_pages" <?php echo (get\_option('dmm\_rights\_donations') ==\= 'edit\_pages' ? 'selected' : '');?>><?php esc\_html\_e('Editor', 'doneren-met-mollie');?></option>
693
<option value="edit\_posts" <?php echo (get\_option('dmm\_rights\_donations') ==\= 'edit\_posts' ? 'selected' : '');?>><?php esc\_html\_e('Author', 'doneren-met-mollie');?></option>
691
694
</select>
692
695
</td>
…
…
699
702
<select name="dmm\_rights\_subscriptions">
700
703
<option value="edit\_dashboard"><?php esc\_html\_e('Administrator', 'doneren-met-mollie');?></option>
701
<option value="edit\_pages" <?php echo (get\_option('dmm\_rights\_subscriptions') == 'edit\_pages' ? 'selected' : '');?>><?php esc\_html\_e('Editor', 'doneren-met-mollie');?></option>
702
<option value="edit\_posts" <?php echo (get\_option('dmm\_rights\_subscriptions') == 'edit\_posts' ? 'selected' : '');?>><?php esc\_html\_e('Author', 'doneren-met-mollie');?></option>
704
<option value="edit\_pages" <?php echo (get\_option('dmm\_rights\_subscriptions') ==\= 'edit\_pages' ? 'selected' : '');?>><?php esc\_html\_e('Editor', 'doneren-met-mollie');?></option>
705
<option value="edit\_posts" <?php echo (get\_option('dmm\_rights\_subscriptions') ==\= 'edit\_posts' ? 'selected' : '');?>><?php esc\_html\_e('Author', 'doneren-met-mollie');?></option>
703
706
</select>
704
707
</td>
…
…
917
920
<select name="dmm\_default\_interval">
918
921
<option value="one"><?php esc\_html\_e('One-time donation', 'doneren-met-mollie');?></option>
919
<option value="month" <?php echo get\_option('dmm\_default\_interval') == 'month' ? 'selected' : '';?>><?php esc\_html\_e('Monthly', 'doneren-met-mollie');?></option>
920
<option value="quarter" <?php echo get\_option('dmm\_default\_interval') == 'quarter' ? 'selected' : '';?>><?php esc\_html\_e('Each quarter', 'doneren-met-mollie');?></option>
921
<option value="year" <?php echo get\_option('dmm\_default\_interval') == 'year' ? 'selected' : '';?>><?php esc\_html\_e('Annually', 'doneren-met-mollie');?></option>
922
<option value="month" <?php echo get\_option('dmm\_default\_interval') ==\= 'month' ? 'selected' : '';?>><?php esc\_html\_e('Monthly', 'doneren-met-mollie');?></option>
923
<option value="quarter" <?php echo get\_option('dmm\_default\_interval') ==\= 'quarter' ? 'selected' : '';?>><?php esc\_html\_e('Each quarter', 'doneren-met-mollie');?></option>
924
<option value="year" <?php echo get\_option('dmm\_default\_interval') ==\= 'year' ? 'selected' : '';?>><?php esc\_html\_e('Annually', 'doneren-met-mollie');?></option>
922
925
</select>
923
926
</td>
…
…
960
963
public function get\_page\_id\_by\_slug($slug)
961
964
{
962
$id = $this->wpdb->get\_var("SELECT id FROM " . $this->wpdb->posts . " WHERE post\_name = '" . esc\_sql($slug) . "' AND post\_type = 'page'");
963
return $id;
965
return $this->wpdb->get\_var("SELECT id FROM " . $this->wpdb->posts . " WHERE post\_name = '" . esc\_sql(sanitize\_title\_for\_query($slug)) . "' AND post\_type = 'page'");
964
966
}
965
967
}
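Review bot: `sanitize_title_for_query()` on new lines 301 and 306 is a slug sanitizer: it lowercases, turns whitespace and dots into dashes and drops characters such as `@`, so a search for `John Doe` or an e-mail address no longer matches the `LIKE` clauses on line 307, and `esc_sql()` does not escape the `%`/`_` wildcards either. The fitting combination is `sanitize_text_field()` with `$wpdb->prepare()` and `$wpdb->esc_like()`, e.g. `$like = '%' . $this->wpdb->esc_like(sanitize_text_field($_GET['search'])) . '%';` feeding a prepared statement with `%s` placeholders; the same applies to class-donations-table.php lines 80–85 in this changeset and to the `customer` lookup on line 483, where `%d` fits an id. Nothing in the 298–313 hunk adds a `current_user_can()` check in front of the export that the advisory for this changeset describes as the missing control; if it is not added outside the visible lines, the CSV export stays reachable by any logged-in user via `admin_post_dmm_export`. `esc_url($_GET['tab'])` on line 536 is the wrong function for a tab key — `sanitize_key()` states the intent and the `===` comparisons on 540–543 then behave as expected. Both enclosing functions start and end outside the hunks.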
doneren-met-mollie/trunk/includes/class-donations-table.php
r2459234
r2459548
57
57
$actions\['view'\] = sprintf('<a href="%s">' . esc\_html\_\_('View', 'doneren-met-mollie') . '</a>', $url\_view);
58
58
59
if ($item\['dm\_status'\] == 'paid' && $item\['dm\_amount'\] > 0.30)
59
if ($item\['dm\_status'\] ==\= 'paid' && $item\['dm\_amount'\] > 0.30)
60
60
$actions\['refund'\] = sprintf('<a href="%s" style="color:#a00;" onclick="return confirm(\\'' . \_\_('Are you sure?', 'doneren-met-mollie') . '\\')">' . esc\_html\_\_('Refund', 'doneren-met-mollie') . '</a>', $url\_refund);
61
61
…
…
77
77
78
78
$where = '';
79
if (isset($\_GET\['subscription'\]))
80
$where .= ' WHERE subscription\_id="' . esc\_sql($\_GET\['subscription'\]) . '"';
79
if (isset($\_GET\['subscription'\])) {
80
$where .= ' WHERE subscription\_id="' . esc\_sql(sanitize\_title\_for\_query($\_GET\['subscription'\])) . '"';
81
}
81
82
82
if (isset($\_GET\['search'\]))
83
$where .= ($where ? ' AND' : ' WHERE') . ' (dm\_name LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR dm\_email LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR dm\_company LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR donation\_id LIKE "%' . esc\_sql($\_GET\['search'\]) . '%" OR payment\_id LIKE "%' . esc\_sql($\_GET\['search'\]) . '%")';
83
if (isset($\_GET\['search'\])) {
84
$search = sanitize\_title\_for\_query($\_GET\['search'\]);
85
$where .= ($where ? ' AND' : ' WHERE') . ' (dm\_name LIKE "%' . esc\_sql($search) . '%" OR dm\_email LIKE "%' . esc\_sql($search) . '%" OR dm\_company LIKE "%' . esc\_sql($search) . '%" OR donation\_id LIKE "%' . esc\_sql($search) . '%" OR payment\_id LIKE "%' . esc\_sql($search) . '%")';
86
}
84
87
85
88
$donations = $wpdb->get\_results("SELECT \* FROM " . DMM\_TABLE\_DONATIONS . $where . " ORDER BY time DESC", ARRAY\_A);
doneren-met-mollie/trunk/includes/class-start.php
r2459282
r2459548
310
310
{
311
311
$donation\_id = uniqid(rand(1,99));
312
$amount = number\_format(str\_replace(',', '.', $\_POST\['dmm\_amount'\]), 2, '.', '');
312
$amount = number\_format(str\_replace(',', '.', sanitize\_text\_field($\_POST\['dmm\_amount'\])), 2, '.', '');
313
313
314
314
// Hook to handle POST data for custom fields
…
…
347
347
array(
348
348
$donation\_id,
349
isset($\_POST\['dmm\_name'\]) ? $\_POST\['dmm\_name'\] : '',
350
isset($\_POST\['dmm\_project'\]) ? $\_POST\['dmm\_project'\] : '',
349
isset($\_POST\['dmm\_name'\]) ? sanitize\_text\_field($\_POST\['dmm\_name'\]) : '',
350
isset($\_POST\['dmm\_project'\]) ? sanitize\_text\_field($\_POST\['dmm\_project'\]) : '',
351
351
$amount,
352
isset($\_POST\['dmm\_company'\]) ? $\_POST\['dmm\_company'\] : '',
353
isset($\_POST\['dmm\_email'\]) ? $\_POST\['dmm\_email'\] : '',
352
isset($\_POST\['dmm\_company'\]) ? sanitize\_text\_field($\_POST\['dmm\_company'\]) : '',
353
isset($\_POST\['dmm\_email'\]) ? sanitize\_email($\_POST\['dmm\_email'\]) : '',
354
354
$interval,
355
355
),
356
get\_option('dmm\_payment\_description')
356
sanitize\_text\_field(get\_option('dmm\_payment\_description'))
357
357
);
358
358
…
…
366
366
if (get\_option('dmm\_metadata') != '0') {
367
367
$metadata = array(
368
"name" => isset($\_POST\['dmm\_name'\]) ? esc\_js($\_POST\['dmm\_name'\]) : '',
369
"email" => isset($\_POST\['dmm\_email'\]) ? esc\_js($\_POST\['dmm\_email'\]) : '',
370
"project" => isset($\_POST\['dmm\_project'\]) ? esc\_js($\_POST\['dmm\_project'\]) : '',
371
"company" => isset($\_POST\['dmm\_company'\]) ? esc\_js($\_POST\['dmm\_company'\]) : '',
372
"address" => isset($\_POST\['dmm\_address'\]) ? esc\_js($\_POST\['dmm\_address'\]) : '',
373
"zipcode" => isset($\_POST\['dmm\_zipcode'\]) ? esc\_js($\_POST\['dmm\_zipcode'\]) : '',
374
"city" => isset($\_POST\['dmm\_city'\]) ? esc\_js($\_POST\['dmm\_city'\]) : '',
375
"country" => isset($\_POST\['dmm\_country'\]) ? esc\_js($\_POST\['dmm\_country'\]) : '',
376
"message" => isset($\_POST\['dmm\_message'\]) ? esc\_js($\_POST\['dmm\_message'\]) : '',
377
"phone" => isset($\_POST\['dmm\_phone'\]) ? esc\_js($\_POST\['dmm\_phone'\]) : '',
368
"name" => isset($\_POST\['dmm\_name'\]) ? sanitize\_text\_field($\_POST\['dmm\_name'\]) : '',
369
"email" => isset($\_POST\['dmm\_email'\]) ? sanitize\_email($\_POST\['dmm\_email'\]) : '',
370
"project" => isset($\_POST\['dmm\_project'\]) ? sanitize\_text\_field($\_POST\['dmm\_project'\]) : '',
371
"company" => isset($\_POST\['dmm\_company'\]) ? sanitize\_text\_field($\_POST\['dmm\_company'\]) : '',
372
"address" => isset($\_POST\['dmm\_address'\]) ? sanitize\_text\_field($\_POST\['dmm\_address'\]) : '',
373
"zipcode" => isset($\_POST\['dmm\_zipcode'\]) ? sanitize\_text\_field($\_POST\['dmm\_zipcode'\]) : '',
374
"city" => isset($\_POST\['dmm\_city'\]) ? sanitize\_text\_field($\_POST\['dmm\_city'\]) : '',
375
"country" => isset($\_POST\['dmm\_country'\]) ? sanitize\_text\_field($\_POST\['dmm\_country'\]) : '',
376
"message" => isset($\_POST\['dmm\_message'\]) ? sanitize\_textarea\_field($\_POST\['dmm\_message'\]) : '',
377
"phone" => isset($\_POST\['dmm\_phone'\]) ? sanitize\_text\_field($\_POST\['dmm\_phone'\]) : '',
378
378
"donation\_id" => $donation\_id,
379
379
);
…
…
384
384
$payment = $mollie->post('payments', array(
385
385
"amount" => array(
386
"currency" => $\_POST\['dmm\_currency'\],
386
"currency" => sanitize\_text\_field($\_POST\['dmm\_currency'\]),
387
387
"value" => (string)$amount
388
388
),
…
…
396
396
$secret = uniqid();
397
397
$customer = $mollie->post('customers', array(
398
"name" => isset($\_POST\['dmm\_name'\]) ? esc\_html($\_POST\['dmm\_name'\]) : '',
399
"email" => isset($\_POST\['dmm\_email'\]) ? esc\_html($\_POST\['dmm\_email'\]) : '',
398
"name" => isset($\_POST\['dmm\_name'\]) ? sanitize\_text\_field($\_POST\['dmm\_name'\]) : '',
399
"email" => isset($\_POST\['dmm\_email'\]) ? sanitize\_email($\_POST\['dmm\_email'\]) : '',
400
400
));
401
401
…
…
409
409
$customer->name,
410
410
$customer->email,
411
$\_POST\['dmm\_recurring\_interval'\],
412
$\_POST\['dmm\_currency'\],
411
sanitize\_text\_field($\_POST\['dmm\_recurring\_interval'\]),
412
sanitize\_text\_field($\_POST\['dmm\_currency'\]),
413
413
$amount,
414
414
$description,
…
…
419
419
$payment = $mollie->post('payments', array(
420
420
"amount" => array(
421
"currency" => esc\_html($\_POST\['dmm\_currency'\]),
421
"currency" => sanitize\_text\_field($\_POST\['dmm\_currency'\]),
422
422
"value" => (string)$amount
423
423
),
…
…
427
427
"redirectUrl" => $redirectBaseUrl . '?dmm\_id=' . $donation\_id,
428
428
"webhookUrl" => $dmm\_webhook . 'first/' . $this->wpdb->insert\_id . '/secret/' . $secret,
429
"method" => esc\_html($\_POST\['dmm\_method'\]),
429
"method" => sanitize\_text\_field($\_POST\['dmm\_method'\]),
430
430
"metadata" => $metadata
431
431
));
…
…
451
451
$payment->settlementAmount->currency ?: $payment->amount->currency,
452
452
$payment->settlementAmount->value ?: $payment->amount->value,
453
isset($\_POST\['dmm\_name'\]) ? $\_POST\['dmm\_name'\] : null,
454
isset($\_POST\['dmm\_email'\]) ? $\_POST\['dmm\_email'\] : null,
455
isset($\_POST\['dmm\_project'\]) ? $\_POST\['dmm\_project'\] : null,
456
isset($\_POST\['dmm\_company'\]) ? $\_POST\['dmm\_company'\] : null,
457
isset($\_POST\['dmm\_address'\]) ? $\_POST\['dmm\_address'\] : null,
458
isset($\_POST\['dmm\_zipcode'\]) ? $\_POST\['dmm\_zipcode'\] : null,
459
isset($\_POST\['dmm\_city'\]) ? $\_POST\['dmm\_city'\] : null,
460
isset($\_POST\['dmm\_country'\]) ? $\_POST\['dmm\_country'\] : null,
461
isset($\_POST\['dmm\_message'\]) ? $\_POST\['dmm\_message'\] : null,
462
isset($\_POST\['dmm\_phone'\]) ? $\_POST\['dmm\_phone'\] : null,
453
isset($\_POST\['dmm\_name'\]) ? sanitize\_text\_field($\_POST\['dmm\_name'\]) : null,
454
isset($\_POST\['dmm\_email'\]) ? sanitize\_email($\_POST\['dmm\_email'\]) : null,
455
isset($\_POST\['dmm\_project'\]) ? sanitize\_text\_field($\_POST\['dmm\_project'\]) : null,
456
isset($\_POST\['dmm\_company'\]) ? sanitize\_text\_field($\_POST\['dmm\_company'\]) : null,
457
isset($\_POST\['dmm\_address'\]) ? sanitize\_text\_field($\_POST\['dmm\_address'\]) : null,
458
isset($\_POST\['dmm\_zipcode'\]) ? sanitize\_text\_field($\_POST\['dmm\_zipcode'\]) : null,
459
isset($\_POST\['dmm\_city'\]) ? sanitize\_text\_field($\_POST\['dmm\_city'\]) : null,
460
isset($\_POST\['dmm\_country'\]) ? sanitize\_text\_field($\_POST\['dmm\_country'\]) : null,
461
isset($\_POST\['dmm\_message'\]) ? sanitize\_textarea\_field($\_POST\['dmm\_message'\]) : null,
462
isset($\_POST\['dmm\_phone'\]) ? sanitize\_text\_field($\_POST\['dmm\_phone'\]) : null,
463
463
$payment->method,
464
464
$payment->mode
…
…
482
482
}
483
483
484
echo '<p class="' . esc\_attr(get\_option('dmm\_success\_cls')) . '">' . esc\_html\_\_('Thank you for your donation!', 'doneren-met-mollie') . '</p>';
484
echo '<p class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_success\_cls'))) . '">' . esc\_html\_\_('Thank you for your donation!', 'doneren-met-mollie') . '</p>';
485
485
486
486
// Hook to add logic after the donation has been paid
…
…
492
492
}
493
493
494
echo '<p class="' . esc\_attr(get\_option('dmm\_failure\_cls')) . '">' . esc\_html\_\_('The payment was not successful, please try again.', 'doneren-met-mollie') . '</p>';
494
echo '<p class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_failure\_cls'))) . '">' . esc\_html\_\_('The payment was not successful, please try again.', 'doneren-met-mollie') . '</p>';
495
495
}
496
496
} else {
…
…
499
499
$intervals = get\_option('dmm\_recurring\_interval');
500
500
501
$selected\_interval = isset($\_POST\['dmm\_recurring\_interval'\]) ? $\_POST\['dmm\_recurring\_interval'\] : get\_option('dmm\_default\_interval');
501
$selected\_interval = isset($\_POST\['dmm\_recurring\_interval'\]) ? sanitize\_text\_field($\_POST\['dmm\_recurring\_interval'\]) : get\_option('dmm\_default\_interval');
502
502
?>
503
<form action="<?php echo esc\_attr($\_SERVER\['REQUEST\_URI'\]);?>" class="<?php echo esc\_attr(get\_option('dmm\_form\_cls'));?>" method="post">
503
<form action="<?php echo esc\_attr($\_SERVER\['REQUEST\_URI'\]);?>" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_form\_cls')));?>" method="post">
504
504
505
505
<?php
…
…
509
509
<?php if (get\_option('dmm\_recurring')) { ?>
510
510
<p>
511
<select id="dmm\_interval" name="dmm\_recurring\_interval" style="width: 100%" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" onchange="dmm\_recurring\_methods(this.value);">
511
<select id="dmm\_interval" name="dmm\_recurring\_interval" style="width: 100%" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" onchange="dmm\_recurring\_methods(this.value);">
512
512
<option value="one"><?php echo esc\_html\_e('One-time donation', 'doneren-met-mollie');?></option>
513
513
<?php if (isset($intervals\['month'\])) { ?>
…
…
529
529
<p <?php echo ($dmm\_fields\['Name'\]\['active'\] ? '' : 'style="display:none"');?>>
530
530
<?php echo esc\_html\_e('Name', 'doneren-met-mollie') . (isset($dmm\_fields\['Name'\]\['required'\]) && $dmm\_fields\['Name'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
531
<input type="text" name="dmm\_name" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_name"\]) ? esc\_attr($\_POST\["dmm\_name"\]) : '');?>" style="width: 100%">
531
<input type="text" name="dmm\_name" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_name"\]) ? esc\_attr($\_POST\["dmm\_name"\]) : '');?>" style="width: 100%">
532
532
</p>
533
533
<?php } ?>
…
…
536
536
<p>
537
537
<?php echo esc\_html\_e('Company name', 'doneren-met-mollie') . (isset($dmm\_fields\['Company name'\]\['required'\]) && $dmm\_fields\['Company name'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
538
<input type="text" name="dmm\_company" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_company"\]) ? esc\_attr($\_POST\["dmm\_company"\]) : '');?>" style="width: 100%">
538
<input type="text" name="dmm\_company" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_company"\]) ? esc\_attr($\_POST\["dmm\_company"\]) : '');?>" style="width: 100%">
539
539
</p>
540
540
<?php } ?>
…
…
543
543
<p <?php echo ($dmm\_fields\['Email address'\]\['active'\] ? '' : 'style="display:none"');?>>
544
544
<?php echo esc\_html\_e('Email address', 'doneren-met-mollie') . (isset($dmm\_fields\['Email address'\]\['required'\]) && $dmm\_fields\['Email address'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
545
<input type="email" name="dmm\_email" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_email"\]) ? esc\_attr($\_POST\["dmm\_email"\]) : '');?>" style="width: 100%">
545
<input type="email" name="dmm\_email" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_email"\]) ? esc\_attr($\_POST\["dmm\_email"\]) : '');?>" style="width: 100%">
546
546
</p>
547
547
<?php } ?>
…
…
550
550
<p>
551
551
<?php echo esc\_html\_e('Phone number', 'doneren-met-mollie') . (isset($dmm\_fields\['Phone number'\]\['required'\]) && $dmm\_fields\['Phone number'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
552
<input type="text" name="dmm\_phone" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_phone"\]) ? esc\_attr($\_POST\["dmm\_phone"\]) : '');?>" style="width: 100%">
552
<input type="text" name="dmm\_phone" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_phone"\]) ? esc\_attr($\_POST\["dmm\_phone"\]) : '');?>" style="width: 100%">
553
553
</p>
554
554
<?php } ?>
…
…
557
557
<p>
558
558
<?php echo esc\_html\_e('Street', 'doneren-met-mollie') . (isset($dmm\_fields\['Address'\]\['required'\]) && $dmm\_fields\['Address'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
559
<input type="text" name="dmm\_address" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_address"\]) ? esc\_attr($\_POST\["dmm\_address"\]) : '');?>" style="width: 100%">
559
<input type="text" name="dmm\_address" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_address"\]) ? esc\_attr($\_POST\["dmm\_address"\]) : '');?>" style="width: 100%">
560
560
</p>
561
561
<p>
562
562
<?php echo esc\_html\_e('Zipcode', 'doneren-met-mollie') . (isset($dmm\_fields\['Address'\]\['required'\]) && $dmm\_fields\['Address'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
563
<input type="text" name="dmm\_zipcode" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_zipcode"\]) ? esc\_attr($\_POST\["dmm\_zipcode"\]) : '');?>" style="width: 100%">
563
<input type="text" name="dmm\_zipcode" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_zipcode"\]) ? esc\_attr($\_POST\["dmm\_zipcode"\]) : '');?>" style="width: 100%">
564
564
</p>
565
565
<p>
566
566
<?php echo esc\_html\_e('City', 'doneren-met-mollie') . (isset($dmm\_fields\['Address'\]\['required'\]) && $dmm\_fields\['Address'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
567
<input type="text" name="dmm\_city" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_city"\]) ? esc\_attr($\_POST\["dmm\_city"\]) : '');?>" style="width: 100%">
567
<input type="text" name="dmm\_city" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_city"\]) ? esc\_attr($\_POST\["dmm\_city"\]) : '');?>" style="width: 100%">
568
568
</p>
569
569
<p>
570
570
<?php echo esc\_html\_e('Country', 'doneren-met-mollie') . (isset($dmm\_fields\['Address'\]\['required'\]) && $dmm\_fields\['Address'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
571
<input type="text" name="dmm\_country" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" value="<?php echo (isset($\_POST\["dmm\_country"\]) ? esc\_attr($\_POST\["dmm\_country"\]) : '');?>" style="width: 100%">
571
<input type="text" name="dmm\_country" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo (isset($\_POST\["dmm\_country"\]) ? esc\_attr($\_POST\["dmm\_country"\]) : '');?>" style="width: 100%">
572
572
</p>
573
573
<?php } ?>
…
…
576
576
<p>
577
577
<?php echo esc\_html\_e('Project', 'doneren-met-mollie') . (isset($dmm\_fields\['Project'\]\['required'\]) && $dmm\_fields\['Project'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
578
<?php echo $this->dmm\_projects(isset($\_POST\["dmm\_project"\]) ? esc\_attr($\_POST\["dmm\_project"\]) : '');?>
578
<?php echo $this->dmm\_projects(isset($\_POST\["dmm\_project"\]) ? sanitize\_text\_field($\_POST\["dmm\_project"\]) : '');?>
579
579
</p>
580
580
<?php } ?>
…
…
583
583
<p>
584
584
<?php echo esc\_html\_e('Message', 'doneren-met-mollie') . (isset($dmm\_fields\['Message'\]\['required'\]) && $dmm\_fields\['Message'\]\['required'\] ? '<span style="color:red;">\*</span>' : '') . '<br>';?>
585
<textarea name="dmm\_message" class="<?php echo esc\_attr(get\_option('dmm\_fields\_cls'));?>" rows="5" style="width: 100%"><?php echo (isset($\_POST\["dmm\_message"\]) ? esc\_attr($\_POST\["dmm\_message"\]) : '');?></textarea>
585
<textarea name="dmm\_message" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" rows="5" style="width: 100%"><?php echo (isset($\_POST\["dmm\_message"\]) ? esc\_attr($\_POST\["dmm\_message"\]) : '');?></textarea>
586
586
</p>
587
587
<?php } ?>
…
…
593
593
if (get\_option('dmm\_amount')) {
594
594
if (get\_option('dmm\_free\_input')) {
595
echo '<select id="dmm\_dd" style="width: 100%" class="' . esc\_attr(get\_option('dmm\_fields\_cls')) . '" onchange="if(this.value!=\\'--\\'){document.getElementById(\\'dmm\_amount\\').value=this.value;document.getElementById(\\'dmm\_amount\\').style.display = \\'none\\';}else{document.getElementById(\\'dmm\_amount\\').style.display = \\'block\\';}">';
595
echo '<select id="dmm\_dd" style="width: 100%" class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls'))) . '" onchange="if(this.value!=\\'--\\'){document.getElementById(\\'dmm\_amount\\').value=this.value;document.getElementById(\\'dmm\_amount\\').style.display = \\'none\\';}else{document.getElementById(\\'dmm\_amount\\').style.display = \\'block\\';}">';
596
596
echo '<option value="--">' . esc\_html\_\_('Enter your own amount', 'doneren-met-mollie') . '</option>';
597
597
} else {
598
echo '<select style="width: 100%" name="dmm\_amount" class="' . esc\_attr(get\_option('dmm\_fields\_cls')) . '" >';
598
echo '<select style="width: 100%" name="dmm\_amount" class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls'))) . '" >';
599
599
}
600
600
…
…
607
607
if (get\_option('dmm\_free\_input')) {
608
608
if (get\_option('dmm\_currency\_switch') == '1') {
609
echo '<select name="dmm\_currency" class="' . esc\_attr(get\_option('dmm\_fields\_cls')) . '" id="dmm\_currency" onchange="dmm\_multicurrency\_methods(this.value);" style="width: 20%;float:left;">';
609
echo '<select name="dmm\_currency" class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls'))) . '" id="dmm\_currency" onchange="dmm\_multicurrency\_methods(this.value);" style="width: 20%;float:left;">';
610
610
611
611
foreach (dmm\_get\_currencies() as $currency => $decimals)
…
…
617
617
}
618
618
619
echo '<span style="display:block;overflow:auto;"><input type="text" id="dmm\_amount" name="dmm\_amount" class="' . esc\_attr(get\_option('dmm\_fields\_cls')) . '" value="' . esc\_attr(isset($\_POST\["dmm\_amount"\]) ? $\_POST\["dmm\_amount"\] : get\_option('dmm\_default\_amount')) . '" style="width: 100%;float:left;"></span>';
619
echo '<span style="display:block;overflow:auto;"><input type="text" id="dmm\_amount" name="dmm\_amount" class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls'))) . '" value="' . esc\_attr(isset($\_POST\["dmm\_amount"\]) ? $\_POST\["dmm\_amount"\] : get\_option('dmm\_default\_amount')) . '" style="width: 100%;float:left;"></span>';
620
620
}
621
621
else {
…
…
664
664
do\_action('dmm\_donate\_form\_bottom');?>
665
665
666
<input type="submit" name="dmm\_submitted" class="<?php echo esc\_attr(get\_option('dmm\_button\_cls'));?>" value="<?php echo esc\_attr(\_\_('Donate', 'doneren-met-mollie'));?>">
666
<input type="submit" name="dmm\_submitted" class="<?php echo esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls')));?>" value="<?php echo esc\_attr(\_\_('Donate', 'doneren-met-mollie'));?>">
667
667
668
668
</form>
…
…
757
757
if ($option === 'list') {
758
758
foreach ($mollie->all('methods') as $method) {
759
$methods .= '<label class="' . esc\_attr($this->dmm\_pm\_class($method->id)) . '"><input type="radio" name="dmm\_method" value="' . esc\_attr($method->id) . '" ' . ($first ? 'checked' : '') . '> <img style="vertical-align:middle;display:inline-block" src="' . esc\_url($method->image->size1x) . '"> ' . esc\_html\_\_($method->description, 'doneren-met-mollie') . '<br></label>';
759
$methods .= '<label class="' . esc\_attr(sanitize\_html\_class($this->dmm\_pm\_class($method->id))) . '"><input type="radio" name="dmm\_method" value="' . esc\_attr($method->id) . '" ' . ($first ? 'checked' : '') . '> <img style="vertical-align:middle;display:inline-block" src="' . esc\_url($method->image->size1x) . '"> ' . esc\_html\_\_($method->description, 'doneren-met-mollie') . '<br></label>';
760
760
$first = false;
761
761
}
762
762
} elseif ($option === 'list\_no\_icons') {
763
763
foreach ($mollie->all('methods') as $method) {
764
$methods .= '<label class="' . esc\_attr($this->dmm\_pm\_class($method->id)) . '"><input type="radio" name="dmm\_method" value="' . esc\_attr($method->id) . '" ' . ($first ? 'checked' : '') . '> ' . esc\_html\_\_($method->description, 'doneren-met-mollie') . '<br></label>';
764
$methods .= '<label class="' . esc\_attr(sanitize\_html\_class($this->dmm\_pm\_class($method->id))) . '"><input type="radio" name="dmm\_method" value="' . esc\_attr($method->id) . '" ' . ($first ? 'checked' : '') . '> ' . esc\_html\_\_($method->description, 'doneren-met-mollie') . '<br></label>';
765
765
$first = false;
766
766
}
767
767
} elseif ($option === 'list\_icons') {
768
768
foreach ($mollie->all('methods') as $method) {
769
$methods .= '<label class="' . esc\_attr($this->dmm\_pm\_class($method->id)) . '"><input type="radio" name="dmm\_method" value="' . esc\_attr($method->id) . '" ' . ($first ? 'checked' : '') . '> <img style="vertical-align:middle;display:inline-block" src="' . esc\_url($method->image->size1x) . '"></label> ';
769
$methods .= '<label class="' . esc\_attr(sanitize\_html\_class($this->dmm\_pm\_class($method->id))) . '"><input type="radio" name="dmm\_method" value="' . esc\_attr($method->id) . '" ' . ($first ? 'checked' : '') . '> <img style="vertical-align:middle;display:inline-block" src="' . esc\_url($method->image->size1x) . '"></label> ';
770
770
$first = false;
771
771
}
772
772
} elseif ($option === 'dropdown') {
773
$methods .= '<select style="width: 100%" name="dmm\_method" class="' . esc\_attr(get\_option('dmm\_fields\_cls')) . '">';
773
$methods .= '<select style="width: 100%" name="dmm\_method" class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls'))) . '">';
774
774
$methods .= '<option value="">== ' . esc\_html\_\_('Choose a payment method', 'doneren-met-mollie') . ' ==</option>';
775
775
foreach ($mollie->all('methods') as $method) {
776
$methods .= '<option class="' . $this->dmm\_pm\_class($method->id) . '" value="' . $method->id . '">' . esc\_html\_\_($method->description, 'doneren-met-mollie') . '</option>';
776
$methods .= '<option class="' . esc\_attr(sanitize\_html\_class($this->dmm\_pm\_class($method->id))) . '" value="' . $method->id . '">' . esc\_html\_\_($method->description, 'doneren-met-mollie') . '</option>';
777
777
}
778
778
$methods .= '</select>';
…
…
831
831
\*/
832
832
private function dmm\_projects($selected = '') {
833
$projects = explode(PHP\_EOL, get\_option('dmm\_projects'));
834
835
$projectList = '<select style="width: 100%" name="dmm\_project" class="' . esc\_attr(get\_option('dmm\_fields\_cls')) . '">';
833
$projects = explode(PHP\_EOL, sanitize\_text\_field(get\_option('dmm\_projects')));
834
835
$projectList = '<select style="width: 100%" name="dmm\_project" class="' . esc\_attr(sanitize\_html\_class(get\_option('dmm\_fields\_cls'))) . '">';
836
836
foreach ($projects as $project) {
837
837
$projectList .= '<option' . ($selected === $project ? ' selected' : '') . '>' . esc\_attr($project) . '</option>';
…
…
848
848
private function get\_page\_id\_by\_slug($slug)
849
849
{
850
return $this->wpdb->get\_var("SELECT id FROM " . $this->wpdb->posts . " WHERE post\_name = '" . esc\_sql($slug) . "' AND post\_type = 'page'");
850
return $this->wpdb->get\_var("SELECT id FROM " . $this->wpdb->posts . " WHERE post\_name = '" . esc\_sql(sanitize\_title\_for\_query($slug)) . "' AND post\_type = 'page'");
851
851
}
852
852
}
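--- a/doneren-met-mollie/trunk/includes/class-subscriptions-table.php
+++ b/doneren-met-mollie/trunk/includes/class-subscriptions-table.php
@@ -38,5 +38,5 @@
 function column_customer_name($item){
 global $wpdb;
-$customer = $wpdb->get_row("SELECT * FROM " . DMM_TABLE_DONORS . " WHERE id = '" . esc_sql($item['customer_id']) . "'");
+$customer = $wpdb->get_row("SELECT * FROM " . DMM_TABLE_DONORS . " WHERE id = '" . esc_sql(sanitize_title_for_query($item['customer_id'])) . "'");
 return $customer->customer_name;
 }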
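Review bot: column_customer_name still dereferences `$customer->customer_name` on line 41 without checking that `get_row()` returned a row, so a subscription whose donor record is missing triggers a null-property warning/notice in the list table. The new `esc_sql(sanitize_title_for_query(...))` wrapping on line 40 also keeps the id inlined into the SQL string; binding it through `$wpdb->prepare()` with a `%d` placeholder is the WordPress-native form and makes the manual escaping layer unnecessary, assuming `id` is an integer column as the name suggests. I would change the two lines to `$customer = $wpdb->get_row($wpdb->prepare("SELECT * FROM " . DMM_TABLE_DONORS . " WHERE id = %d", $item['customer_id']));` and `return $customer->customer_name ?? '';`. Whether the returned name is HTML-escaped when the column is rendered happens in the caller, outside this section, and is worth confirming.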
doneren-met-mollie/trunk/includes/class-webhook.php
r2459267
r2459548
71
71
{
72
72
$dmm\_webhook = get\_home\_url(null, DMM\_WEBHOOK);
73
74
do\_action('dmm\_webhook\_called', esc\_html($\_POST\['id'\]));
73
$payment\_id = sanitize\_text\_field($\_POST\['id'\]);
74
75
if (empty($payment\_id)) {
76
status\_header(404);
77
return 'No payment id';
78
}
79
80
do\_action('dmm\_webhook\_called', $payment\_id);
75
81
76
82
try {
…
…
86
92
{
87
93
// First payment of recurring donation or one-time donation
88
$payment\_id = $\_POST\['id'\];
89
if (!$payment\_id) {
90
status\_header(404);
91
return 'No payment id';
92
}
93
94
94
$donation = $this->wpdb->get\_row("SELECT \* FROM " . DMM\_TABLE\_DONATIONS . " WHERE payment\_id = '" . esc\_sql($payment\_id) . "'");
95
95
…
…
181
181
182
182
return 'OK, ' . esc\_html($payment\_id);
183
}
184
else
185
{
183
} else {
186
184
// Subscription
187
185
$sub = $this->wpdb->get\_row("SELECT \* FROM " . DMM\_TABLE\_SUBSCRIPTIONS . " WHERE id = '" . esc\_sql($query->query\_vars\['sub'\]) . "'");
…
…
196
194
status\_header(404);
197
195
return 'Donation not found';
198
}
199
200
$payment\_id = $\_POST\['id'\];
201
if (!$payment\_id) {
202
status\_header(404);
203
return 'No payment id';
204
196
}
205
197