Set version to 1.3.22 and release

Makefile

@@ -101,7 +101,7 @@ pre-deployment:
 	@cd $(BUILD_DIR) && composer install --no-dev --optimize-autoloader --prefer-dist --no-interaction || { echo "$(RED)Composer install failed!$(NC)"; exit 1; }
 	@cd $(BUILD_DIR) && composer clear-cache
 	@echo "$(BLUE)Removing unnecessary files from build directory...$(NC)"
-	@cd $(BUILD_DIR) && rm -rf README.md .git Makefile tools .env.sample .gitignore Dockerfile .env.sample .gitignore docker-compose.yml codeception.yml Dockerfile loadenv.sh Makefile .php-cs-fixer.cache .phpunit.result.cache .travis.yml phpunit.xml psalm.xml .DS_STORE .svnignore
+	@cd $(BUILD_DIR) && rm -rf README.md .git Makefile tools .env.sample .gitignore Dockerfile .env.sample .gitignore docker-compose.yml codeception.yml Dockerfile loadenv.sh Makefile .php-cs-fixer.cache .phpunit.result.cache .travis.yml phpunit.xml psalm.xml .DS_STORE .svnignore loadenv.sh
 	@rm -rf $(BUILD_DIR)/vendor/bluem-development/bluem-php/examples $(BUILD_DIR)/vendor/bluem-development/bluem-php/tests $(BUILD_DIR)/vendor/bluem-development/bluem-php/.github
 	@rm $(BUILD_DIR)/vendor/bluem-development/bluem-php/.env.example
 	@rm $(BUILD_DIR)/vendor/bluem-development/bluem-php/.gitignore

bluem-idin.php

@@ -866,7 +866,7 @@ function bluem_idin_form(): string
         return $html;
     }
 
-    if (isset($_GET['result']) && sanitize_text_field($_GET['result']) === 'false') {
+    if (isset($_GET['result']) && sanitize_text_field(wp_unslash($_GET['result'])) === 'false') {
         $html .= '<div class="">';
 
         if (isset($bluem_config->IDINErrorMessage)) {
@@ -905,14 +905,14 @@ function bluem_idin_shortcode_idin_execute(): void
 {
     $shortcode_execution_url = 'bluem-woocommerce/idin_execute';
 
-    if (!str_contains(sanitize_url(wp_unslash($_SERVER['REQUEST_URI'])), $shortcode_execution_url)) {
+    if (!isset($_SERVER['REQUEST_URI']) || !str_contains(sanitize_url(wp_unslash($_SERVER['REQUEST_URI'])), $shortcode_execution_url)) {
         // any other request
         return;
     }
 
     $goto = false;
     if (!empty($_GET['redirect_to_checkout'])
-        && sanitize_text_field($_GET['redirect_to_checkout']) === 'true'
+        && sanitize_text_field(wp_unslash($_GET['redirect_to_checkout'])) === 'true'
     ) {
         // v1.2.6: added cart url instead of static cart as this is front-end language dependent
         // $goto = wc_get_cart_url();
@@ -948,7 +948,7 @@ function bluem_idin_shortcode_callback(): void
     $request_by_debtor_ref = false;
 
     if (isset($_GET['debtorReference']) && $_GET['debtorReference'] !== '') {
-        $debtorReference = sanitize_text_field($_GET['debtorReference']);
+        $debtorReference = sanitize_text_field(wp_unslash($_GET['debtorReference']));
         $request_by_debtor_ref = bluem_db_get_request_by_debtor_reference($debtorReference);
     }
 
@@ -1488,45 +1488,59 @@ function bluem_woocommerce_idin_save_extra_profile_fields($user_id): bool
         return false;
     }
 
-    update_user_meta(
-        $user_id,
-        'bluem_idin_entrance_code',
-        sanitize_text_field(wp_unslash($_POST['bluem_idin_entrance_code']))
-    );
-    update_user_meta(
-        $user_id,
-        'bluem_idin_transaction_id',
-        sanitize_text_field(wp_unslash($_POST['bluem_idin_transaction_id']))
-    );
-    update_user_meta(
-        $user_id,
-        'bluem_idin_transaction_url',
-        sanitize_text_field(wp_unslash($_POST['bluem_idin_transaction_url']))
-    );
+    if (!empty($_POST['bluem_idin_entrance_code'])) {
+        update_user_meta(
+            $user_id,
+            'bluem_idin_entrance_code',
+            sanitize_text_field(wp_unslash($_POST['bluem_idin_entrance_code']))
+        );
+    }
+    if (!empty($_POST['bluem_idin_transaction_id'])) {
+        update_user_meta(
+            $user_id,
+            'bluem_idin_transaction_id',
+            sanitize_text_field(wp_unslash($_POST['bluem_idin_transaction_id']))
+        );
+    }
+    if (!empty($_POST['bluem_idin_transaction_url'])) {
+        update_user_meta(
+            $user_id,
+            'bluem_idin_transaction_url',
+            sanitize_text_field(wp_unslash($_POST['bluem_idin_transaction_url']))
+        );
+    }
 
-    update_user_meta(
-        $user_id,
-        'bluem_idin_validated',
-        sanitize_text_field(wp_unslash($_POST['bluem_idin_validated']))
-    );
+    if (!empty($_POST['bluem_idin_validated'])) {
+        update_user_meta(
+            $user_id,
+            'bluem_idin_validated',
+            sanitize_text_field(wp_unslash($_POST['bluem_idin_validated']))
+        );
+    }
 
-    update_user_meta(
-        $user_id,
-        'bluem_idin_report_last_verification_timestamp',
-        sanitize_text_field(wp_unslash($_POST['bluem_idin_report_last_verification_timestamp']))
-    );
+    if (!empty($_POST['bluem_idin_report_last_verification_timestamp'])) {
+        update_user_meta(
+            $user_id,
+            'bluem_idin_report_last_verification_timestamp',
+            sanitize_text_field(wp_unslash($_POST['bluem_idin_report_last_verification_timestamp']))
+        );
+    }
 
-    update_user_meta(
-        $user_id,
-        'bluem_idin_report_customeridresponse',
-        sanitize_text_field(wp_unslash($_POST['bluem_idin_report_customeridresponse']))
-    );
+    if (!empty($_POST['bluem_idin_report_customeridresponse'])) {
+        update_user_meta(
+            $user_id,
+            'bluem_idin_report_customeridresponse',
+            sanitize_text_field(wp_unslash($_POST['bluem_idin_report_customeridresponse']))
+        );
+    }
 
-    update_user_meta(
-        $user_id,
-        'bluem_idin_report_agecheckresponse',
-        sanitize_text_field(wp_unslash($_POST['bluem_idin_report_agecheckresponse']))
-    );
+    if (!empty($_POST['bluem_idin_report_agecheckresponse'])) {
+        update_user_meta(
+            $user_id,
+            'bluem_idin_report_agecheckresponse',
+            sanitize_text_field(wp_unslash($_POST['bluem_idin_report_agecheckresponse']))
+        );
+    }
 
     return true;
 }

bluem-integrations.php

@@ -189,7 +189,7 @@ function bluem_woocommerce_integration_wpcf7_ajax()
 {
     $bluem_config = bluem_woocommerce_get_config();
 
-    if (strpos(sanitize_url(wp_unslash($_SERVER['REQUEST_URI'])), 'bluem-woocommerce/bluem-integrations/wpcf7_mandate') === false) {
+    if (!isset($_SERVER['REQUEST_URI']) || strpos(sanitize_url(wp_unslash($_SERVER['REQUEST_URI'])), 'bluem-woocommerce/bluem-integrations/wpcf7_mandate') === false) {
         return;
     }
 
@@ -199,7 +199,7 @@ function bluem_woocommerce_integration_wpcf7_ajax()
         return;
     }
 
-    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
         $bluem_config = bluem_woocommerce_get_config();
 
         $debtorReference = bin2hex(random_bytes(15));
@@ -549,7 +549,7 @@ function bluem_woocommerce_integration_wpcf7_callback()
 
     $storage = bluem_db_get_storage();
 
-    if (strpos(sanitize_url(wp_unslash($_SERVER['REQUEST_URI'])), 'bluem-woocommerce/bluem-integrations/wpcf7_callback') === false) {
+    if (empty($_SERVER['REQUEST_URI']) || strpos(sanitize_url(wp_unslash($_SERVER['REQUEST_URI'])), 'bluem-woocommerce/bluem-integrations/wpcf7_callback') === false) {
         return;
     }
 
@@ -752,11 +752,14 @@ function bluem_woocommerce_integration_wpcf7_results_shortcode()
         return 'Er is een fout opgetreden. Ga terug en probeer het opnieuw.';
     }
 
-    $contact_form = WPCF7_ContactForm::get_instance(sanitize_text_field($_GET['form']));
+    if (!empty($_GET['form'])) {
 
-    if (!empty($contact_form)) {
-        if (!empty($_GET['result']) && $_GET['result'] === 'true') {
-            return '<p>' . $contact_form->pref('bluem_mandate_success') . '</p>';
+        $contact_form = WPCF7_ContactForm::get_instance(sanitize_text_field(wp_unslash($_GET['form'])));
+
+        if (!empty($contact_form)) {
+            if (!empty($_GET['result']) && wp_unslash($_GET['result']) === 'true') {
+                return '<p>' . $contact_form->pref('bluem_mandate_success') . '</p>';
+            }
         }
     }
     return '<p>' . $contact_form->pref('bluem_mandate_failure') . '</p>';
@@ -1315,8 +1318,8 @@ function bluem_woocommerce_integration_gform_results_shortcode()
     }
 
     $request_from_db = bluem_db_get_request_by_transaction_id_and_entrance_code(
-        sanitize_text_field($_GET['mid']),
-        sanitize_text_field($_GET['ec']),
+        sanitize_text_field(wp_unslash($_GET['mid'])),
+        sanitize_text_field(wp_unslash($_GET['ec'])),
     );
 
     if ($request_from_db !== false) {

bluem-mandates.php

@@ -344,26 +344,35 @@ function bluem_woocommerce_mandates_save_extra_profile_fields($user_id)
         return false;
     }
 
-    update_user_meta(
-        $user_id,
-        'bluem_latest_mandate_id',
-        esc_attr(sanitize_text_field($_POST['bluem_latest_mandate_id']))
-    );
-    update_user_meta(
-        $user_id,
-        'bluem_latest_mandate_entrance_code',
-        esc_attr(sanitize_text_field($_POST['bluem_latest_mandate_entrance_code']))
-    );
-    update_user_meta(
-        $user_id,
-        'bluem_latest_mandate_amount',
-        esc_attr(sanitize_text_field($_POST['bluem_latest_mandate_amount']))
-    );
-    update_user_meta(
-        $user_id,
-        'bluem_mandates_validated',
-        esc_attr(sanitize_text_field($_POST['bluem_mandates_validated']))
-    );
+    if (isset($_POST['bluem_latest_mandate_id'])) {
+        update_user_meta(
+            $user_id,
+            'bluem_latest_mandate_id',
+            esc_attr(sanitize_text_field(wp_unslash($_POST['bluem_latest_mandate_id'])))
+        );
+    }
+
+    if (isset($_POST['bluem_latest_mandate_entrance_code'])) {
+        update_user_meta(
+            $user_id,
+            'bluem_latest_mandate_entrance_code',
+            esc_attr(sanitize_text_field(wp_unslash($_POST['bluem_latest_mandate_entrance_code'])))
+        );
+    }
+    if (isset($_POST['bluem_latest_mandate_amount'])) {
+        update_user_meta(
+            $user_id,
+            'bluem_latest_mandate_amount',
+            esc_attr(sanitize_text_field(wp_unslash($_POST['bluem_latest_mandate_amount'])))
+        );
+    }
+    if (isset($_POST['bluem_mandates_validated'])) {
+        update_user_meta(
+            $user_id,
+            'bluem_mandates_validated',
+            esc_attr(sanitize_text_field(wp_unslash($_POST['bluem_mandates_validated'])))
+        );
+    }
 }
 
 function bluem_woocommerce_mandates_settings_section()

bluem.php

@@ -2,7 +2,7 @@
 
 /**
  * Plugin Name: Bluem ePayments, iDIN, eMandates services and integration for WooCommerce
- * Version: 1.3.21
+ * Version: 1.3.22
  * Plugin URI: https://bluem.nl/en/
  * Description: Bluem integration for WordPress and WooCommerce for Payments, eMandates, iDIN identity verification and more
  * Author: Bluem Payment Services
@@ -337,9 +337,7 @@ function bluem_plugin_activation()
         $is_valid = true;
 
         foreach ($required_fields as $required_field) {
-            $value = sanitize_text_field(wp_unslash($_POST[$required_field]));
-
-            if (empty ($value)) {
+            if (empty($_POST[$required_field]) || empty(sanitize_text_field(wp_unslash($_POST[$required_field])))) {
                 $is_valid = false;
             }
         }
@@ -757,6 +755,10 @@ function bluem_requests_view_request()
 {
     global $wpdb;
 
+    if (!isset($_GET['request_id'])) {
+        return;
+    }
+
     $id = sanitize_text_field(wp_unslash($_GET['request_id']));
 
     if (!is_numeric($id)) {

gateways/Bluem_Bank_Based_Payment_Gateway.php

@@ -250,7 +250,6 @@ public function process_payment($order_id)
 
         return array(
             'result' => 'failure',
-            'message' => print_r($response, true)
         );
     }
 
@@ -371,7 +370,7 @@ public function bluem_bank_payments_callback(): void
             exit;
         }
 
-        $entranceCode = sanitize_text_field($_GET['entranceCode']);
+        $entranceCode = sanitize_text_field(wp_unslash($_GET['entranceCode']));
 
         $order = $this->getOrderByEntranceCode($entranceCode);
 

gateways/Bluem_Mandates_Payment_Gateway.php

@@ -634,7 +634,7 @@ public function bluem_mandates_callback()
         // $this->bluem = new Bluem( $this->bluem_config );
         // dont recreate it here, it should already exist in the gateway!
 
-        if (!isset($_GET['mandateID'])) {
+        if (!empty(sanitize_text_field(wp_unslash($_GET['mandateID'])))) {
             $errormessage = esc_html__("Fout: geen juist mandaat id teruggekregen bij mandates_callback. Neem contact op met de webshop en vermeld je contactgegevens.", 'bluem');
             bluem_error_report_email(
                 [
@@ -659,7 +659,7 @@ public function bluem_mandates_callback()
             bluem_dialogs_render_prompt($errormessage);
             exit;
         }
-        $mandateID = sanitize_text_field($_GET['mandateID']);
+        $mandateID = sanitize_text_field(wp_unslash($_GET['mandateID']));
 
         $order = $this->getOrder($mandateID);
         if (is_null($order)) {

readme.txt

@@ -4,7 +4,7 @@ Tags: Bluem,Payments,iDIN,iDEAL,eMandates
 Requires at least: 5.0
 Tested up to: 6.6
 Requires PHP: 8.0
-Stable tag: 1.3.21
+Stable tag: 1.3.22
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -77,6 +77,7 @@ Shortcode: `[bluem_identificatieformulier]`
 It is possible to programmatically block display and functionality on your site based on the verification status. Please contact us if you are interested in developing this in your site.
 
 == Changelog ==
+- 1.3.22: Further optimizations and security improvements
 - 1.3.21: Further optimizations
 - 1.3.20: General stability and code improvements to adhere to the standards
 - 1.3.19: General stability and code improvements to adhere to the standards