vulnerability improvements; code cleanup; plugin version change

form-handler.php

@@ -9,25 +9,21 @@
 require_once TMM_PAYPAL_PLUGIN_PATH . '/classes/paypalApi.php';
 
 if (isset($_POST['func']) && $_POST['func'] === 'start') {
-
 	paypalApi::startExpressCheckout();
-
 } else if (isset($_GET['func']) && $_GET['func'] == 'confirm' && isset($_GET['token']) && isset($_GET['PayerID'])) {
 
 	$message_num = 0;
 	$paypal_data = paypalApi::confirmExpressCheckout();
 	$config = paypalConfig::getInstance();
 
-	if ( isset($paypal_data['ACK']) && ($paypal_data['ACK'] == 'Success' || $paypal_data['ACK'] == 'SuccessWithWarning') ) {
+	if (isset($paypal_data['ACK']) && ($paypal_data['ACK'] == 'Success' || $paypal_data['ACK'] == 'SuccessWithWarning')) {
 		$message_num = TMM_Cardealer_User::user_paid_money($paypal_data);
 		header('Location: ' . $config->getItem('success_page'));
 	} else {
 		$message_num = $paypal_data['L_ERRORCODE0'];
 		header('Location: ' . $config->getItem('cancel_page') . '?errorcode=' . $message_num);
 	}
-
 } else {
 
 	header('Location: ' . $config->getItem('cancel_page'));
-
 }

index.php

@@ -5,7 +5,7 @@
  * Plugin URI: http://webtemplatemasters.com
  * Description: Integration of PayPal Express Checkout
  * Author: ThemeMakers
- * Version: 1.1.9
+ * Version: 1.2.0
  * Author URI: http://themeforest.net/user/ThemeMakers
  * Text Domain: tmm_paypal_checkout
  */
@@ -17,7 +17,8 @@
 require_once TMM_PAYPAL_PLUGIN_PATH . '/classes/paypalShortcode.php';
 require_once TMM_PAYPAL_PLUGIN_PATH . '/classes/paypalAdmin.php';
 
-function tmm_paypal_init () {
+function tmm_paypal_init()
+{
 
 	/* Set base configuration */
 	$config = paypalConfig::getInstance();
@@ -43,12 +44,13 @@ function tmm_paypal_init () {
 	$config->addItem('checkout_button_src', 'https://www.paypalobjects.com/en_US/i/btn/btn_xpressCheckout.gif');
 	// default currency
 	if (defined('TMM_APP_CARDEALER_PREFIX')) {
-		$config->addItem('default_currency', TMM::get_option('default_currency', TMM_APP_CARDEALER_PREFIX) );
-	}else {
+		$config->addItem('default_currency', TMM::get_option('default_currency', TMM_APP_CARDEALER_PREFIX));
+	} else {
 		$config->addItem('default_currency', false);
 	}
 	// supported currencies
-	$config->addItem('supported_currencies',
+	$config->addItem(
+		'supported_currencies',
 		array(
 			'AUD',
 			'BRL',
@@ -93,45 +95,47 @@ function tmm_paypal_init () {
 
 	/* create shortcode */
 	add_shortcode('paypal', array('paypalShortcode', 'frontendIndex'));
-
 }
 
 add_action('init', 'tmm_paypal_init', 2);
 
 /**
  * Load plugin textdomain.
  */
-function tmm_paypal_load_textdomain() {
-	load_plugin_textdomain( 'tmm_paypal_checkout', false, plugin_basename( dirname( __FILE__ ) ) . '/languages' );
+function tmm_paypal_load_textdomain()
+{
+	load_plugin_textdomain('tmm_paypal_checkout', false, plugin_basename(dirname(__FILE__)) . '/languages');
 }
 
-add_action( 'plugins_loaded', 'tmm_paypal_load_textdomain' );
+add_action('plugins_loaded', 'tmm_paypal_load_textdomain');
 
 /**
  * Create admin menus
  */
-function adminMenu() {
-    $config = paypalConfig::getInstance();
+function adminMenu()
+{
+	$config = paypalConfig::getInstance();
 
-    add_menu_page($config->getItem('plugin_name'), $config->getItem('plugin_name'), 'level_10', $config->getItem('plugin_id'), array('paypalAdmin', 'adminConfiguration'), TMM_PAYPAL_PLUGIN_URL . '/images/icon.png');
-    add_submenu_page($config->getItem('plugin_id'), __('Payments history', $config->getItem('plugin_id')), __('Payments history', $config->getItem('plugin_id')), 'level_10', $config->getItem('plugin_history_id'), array('paypalAdmin', 'adminHistory'));
+	add_menu_page($config->getItem('plugin_name'), $config->getItem('plugin_name'), 'level_10', $config->getItem('plugin_id'), array('paypalAdmin', 'adminConfiguration'), TMM_PAYPAL_PLUGIN_URL . '/images/icon.png');
+	add_submenu_page($config->getItem('plugin_id'), __('Payments history', $config->getItem('plugin_id')), __('Payments history', $config->getItem('plugin_id')), 'level_10', $config->getItem('plugin_history_id'), array('paypalAdmin', 'adminHistory'));
 }
 
 add_action('admin_menu', 'adminMenu');
 
 /**
  * Display amount in currency that supported by Paypal
  */
-function tmm_paypal_default_currency($amount) {
+function tmm_paypal_default_currency($amount)
+{
 	if ($amount <= 0) {
 		return;
 	}
 
-    $currency = TMM_Ext_Car_Dealer::$default_currency['name'];
+	$currency = TMM_Ext_Car_Dealer::$default_currency['name'];
 	$checked = apply_filters('tmm_paypal_currency', $currency, (float)$amount);
 
 	if ($currency !== $checked['currency']) {
-		if (TMM::get_option( 'car_price_symbol_pos', TMM_APP_CARDEALER_PREFIX ) === 'right') {
+		if (TMM::get_option('car_price_symbol_pos', TMM_APP_CARDEALER_PREFIX) === 'right') {
 			$price = $checked['amount'] . ' ' . $checked['currency'];
 		} else {
 			$price = $checked['currency'] . ' ' . $checked['amount'];
@@ -146,10 +150,11 @@ function tmm_paypal_default_currency($amount) {
  * Check currency.
  * If currency is not supported by Paypal convert it to default
  */
-function tmm_paypal_currency($currency, $amount) {
+function tmm_paypal_currency($currency, $amount)
+{
 	$config = paypalConfig::getInstance();
 
-	if ( !in_array($currency, $config->getItem('supported_currencies')) ){
+	if (!in_array($currency, $config->getItem('supported_currencies'))) {
 
 		$def_currency = get_option('paypal_currency');
 
@@ -161,12 +166,10 @@ function tmm_paypal_currency($currency, $amount) {
 				$amount = $new_amount;
 				$currency = $def_currency;
 			}
-
 		}
-
 	}
 
-	return array('currency'=>$currency, 'amount'=>$amount);
+	return array('currency' => $currency, 'amount' => $amount);
 }
 
 add_filter('tmm_paypal_currency', 'tmm_paypal_currency', 10, 2);

views/adminconfiguration.php

@@ -1,58 +1,57 @@
-<?php if ( !defined('ABSPATH') ) exit; ?>
+<?php if (!defined('ABSPATH')) exit; ?>
 
 <div class="wrap">
-	<h2><?php _e('PayPal Express Checkout - Configuration', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></h2>
+	<h2><?php esc_html_e('PayPal Express Checkout - Configuration', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></h2>
 
 	<?php if (isset($config_saved) && $config_saved === TRUE) { ?>
-	    <div class="updated" id="message">
-			<p><strong><?php _e('Configuration updated.', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></strong></p>
+		<div class="updated" id="message">
+			<p><strong><?php esc_html_e('Configuration updated.', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></strong></p>
 		</div>
 	<?php } ?>
 
 	<form method="post" action="<?php echo $config->getItem('plugin_url'); ?>">
 		<table class="form-table">
 			<tbody>
 				<tr class="form-field">
-					<th scope="row"><label for="environment"><strong><?php _e('PayPal environment', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>:</strong></label></th>
+					<th scope="row"><label for="environment"><strong><?php esc_html_e('PayPal environment', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>:</strong></label></th>
 					<td>
 						<select id="environment" name="environment">
-							<!--<option value=""><?php //_e('Please select', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></option>-->
-							<option value="sandbox" <?php echo get_option('paypal_environment') == 'sandbox' ? 'selected="selected"' : ''; ?>><?php _e('Sandbox - Testing', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></option>
-							<option value="live" <?php echo get_option('paypal_environment') == 'live' ? 'selected="selected"' : ''; ?>><?php _e('Live - Production', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></option>
+							<option value="sandbox" <?php echo get_option('paypal_environment') == 'sandbox' ? 'selected="selected"' : ''; ?>><?php esc_html_e('Sandbox - Testing', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></option>
+							<option value="live" <?php echo get_option('paypal_environment') == 'live' ? 'selected="selected"' : ''; ?>><?php esc_html_e('Live - Production', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></option>
 						</select>
 					</td>
 				</tr>
 			</tbody>
 		</table>
-        <hr>
-        <h3 class="title"><?php _e('PayPal API credentials', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>:</h3>
+		<hr>
+		<h3 class="title"><?php esc_html_e('PayPal API credentials', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>:</h3>
 		<table class="form-table">
 			<tbody>
 				<tr class="form-field form-required">
-					<th scope="row"><label for="api_username"><?php _e('API Username', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?> <span class="description">(<?php _e('required', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>)</span></label></th>
-					<td><input type="text"  value="<?php echo get_option('paypal_api_username'); ?>" id="api_username" name="api_username" autocomplete="off"></td>
+					<th scope="row"><label for="api_username"><?php esc_html_e('API Username', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?> <span class="description">(<?php esc_html_e('required', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>)</span></label></th>
+					<td><input type="text" value="<?php echo get_option('paypal_api_username'); ?>" id="api_username" name="api_username" autocomplete="off"></td>
 				</tr>
 				<tr class="form-field form-required">
-					<th scope="row"><label for="api_password"><?php _e('API Password', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?><span class="description">(<?php _e('required', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>)</span></label></th>
-					<td><input type="password"  value="<?php echo get_option('paypal_api_password'); ?>" id="api_password" name="api_password" autocomplete="off"></td>
+					<th scope="row"><label for="api_password"><?php esc_html_e('API Password', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?><span class="description">(<?php esc_html_e('required', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>)</span></label></th>
+					<td><input type="password" value="<?php echo get_option('paypal_api_password'); ?>" id="api_password" name="api_password" autocomplete="off"></td>
 				</tr>
 				<tr class="form-field form-required">
-					<th scope="row"><label for="api_signature"><?php _e('API Signature', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?><span class="description">(<?php _e('required', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>)</span></label></th>
+					<th scope="row"><label for="api_signature"><?php esc_html_e('API Signature', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?><span class="description">(<?php esc_html_e('required', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>)</span></label></th>
 					<td><input type="text" aria-required="true" value="<?php echo get_option('paypal_api_signature'); ?>" id="api_signature" name="api_signature" autocomplete="off"></td>
 				</tr>
 			</tbody>
 		</table>
-        <hr>
+		<hr>
 		<table class="form-table">
 			<tbody>
 				<tr class="form-field">
-					<th scope="row"><label for="success_page"><strong><?php _e('Thank you page', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?> - <br /><?php _e('successful payment', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>:</strong></label></th>
+					<th scope="row"><label for="success_page"><strong><?php esc_html_e('Thank you page', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?> - <br /><?php esc_html_e('successful payment', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>:</strong></label></th>
 					<td>
 						<?php wp_dropdown_pages(array('name' => 'success_page', 'selected' => get_option('paypal_success_page'), 'show_option_none' => 'Please select')); ?>
 					</td>
 				</tr>
 				<tr class="form-field">
-					<th scope="row"><label for="cancel_page"><strong><?php _e('Error page', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?> - <br /><?php _e('failed payment', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>:</strong></label></th>
+					<th scope="row"><label for="cancel_page"><strong><?php esc_html_e('Error page', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?> - <br /><?php esc_html_e('failed payment', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>:</strong></label></th>
 					<td>
 						<?php wp_dropdown_pages(array('name' => 'cancel_page', 'selected' => get_option('paypal_cancel_page'), 'show_option_none' => __('Please select', TMM_PAYPAL_PLUGIN_TEXTDOMAIN))); ?>
 					</td>
@@ -63,50 +62,50 @@
 		<hr>
 		<table class="form-table">
 			<tbody>
-			<tr class="form-field form-required">
-				<th scope="row"><label for="paypal_solutiontype"><strong><?php _e('Type of checkout flow', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></strong></label></th>
-				<td>
-					<select id="paypal_solutiontype" name="paypal_solutiontype">
-						<?php
+				<tr class="form-field form-required">
+					<th scope="row"><label for="paypal_solutiontype"><strong><?php esc_html_e('Type of checkout flow', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></strong></label></th>
+					<td>
+						<select id="paypal_solutiontype" name="paypal_solutiontype">
+							<?php
 							$selected = get_option('paypal_solutiontype');
 							if (!$selected) {
 								$selected = 'Sole';
 							}
 							?>
-							<option value="Sole" <?php selected($selected, 'Sole');?>><?php _e('Buyer does not need to create a PayPal account to check out.', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></option>
-							<option value="Mark" <?php selected($selected, 'Mark');?>><?php _e('Buyer must have a PayPal account to check out.', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></option>
-					</select>
-				</td>
-			</tr>
+							<option value="Sole" <?php selected($selected, 'Sole'); ?>><?php esc_html_e('Buyer does not need to create a PayPal account to check out.', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></option>
+							<option value="Mark" <?php selected($selected, 'Mark'); ?>><?php esc_html_e('Buyer must have a PayPal account to check out.', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></option>
+						</select>
+					</td>
+				</tr>
 			</tbody>
 		</table>
 
 		<?php if (!in_array($config->getItem('default_currency'), $config->getItem('supported_currencies'))) { ?>
-		<hr>
-		<h3 class="title"><?php _e('PayPal currency', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>:</h3>
-		<table class="form-table">
-			<tbody>
-			<tr class="form-field form-required">
-				<th scope="row"><label for="paypal_currency"><strong><?php _e('Currency', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></strong></label></th>
-				<td>
-					<select id="paypal_currency" name="paypal_currency">
-					<?php foreach ( $config->getItem('supported_currencies') as $val ) {
-						$selected = get_option('paypal_currency');
-						if (!$selected) {
-							$selected = 'USD';
-						}
-						?>
-						<option value="<?php echo $val; ?>" <?php selected($selected, $val);?>><?php echo $val; ?></option>
-					<?php } ?>
-					</select>
-				</td>
-			</tr>
-			</tbody>
-		</table>
+			<hr>
+			<h3 class="title"><?php esc_html_e('PayPal currency', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>:</h3>
+			<table class="form-table">
+				<tbody>
+					<tr class="form-field form-required">
+						<th scope="row"><label for="paypal_currency"><strong><?php esc_html_e('Currency', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?></strong></label></th>
+						<td>
+							<select id="paypal_currency" name="paypal_currency">
+								<?php foreach ($config->getItem('supported_currencies') as $val) {
+									$selected = get_option('paypal_currency');
+									if (!$selected) {
+										$selected = 'USD';
+									}
+								?>
+									<option value="<?php echo $val; ?>" <?php selected($selected, $val); ?>><?php echo $val; ?></option>
+								<?php } ?>
+							</select>
+						</td>
+					</tr>
+				</tbody>
+			</table>
 		<?php } ?>
 
 		<p class="submit">
-			<input type="submit" value="<?php _e('Save', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>" class="button-primary" />
+			<input type="submit" value="<?php esc_html_e('Save', TMM_PAYPAL_PLUGIN_TEXTDOMAIN) ?>" class="button-primary" />
 		</p>
 	</form>
-</div><!-- .wrap -->
+</div><!-- .wrap -->