dwindown/formipay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: resolve all Week 2 performance & security issues (F1.10–F1.19)

Browse Source 
Security:
- Replace maybe_serialize() in cookies with json_encode() (PHP object injection fix)
- Add PayPal webhook signature verification
- Add current_user_can('manage_options') to all 18 admin-ajax handlers

Performance:
- Remove flush_rewrite_rules() from init hooks (Thankyou + Payment)
- Add activation/deactivation hooks for flush_rewrite_rules
- Cache currency, country, flags JSON reads in static variables
- Add server-side pagination to Customer::formipay_tabledata_customers()
- Optimize Order::formipay_tabledata_orders() with COUNT(*) GROUP BY

Cleanup:
- Delete Paypal.phpbak backup file
- Fix timezone hardcode Asia/Jakarta → wp_timezone_string()
- Create uninstall.php for proper cleanup on uninstall

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
dwindown
2026-04-17 19:52:01 +07:00
parent be9a1a0a86
commit 66e7b37f92
15 changed files with 341 additions and 868 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
includes/Thankyou.php
View File

@@ -41,7 +41,6 @@ class Thankyou {
'top'
);
flush_rewrite_rules();
}
@@ -425,7 +424,7 @@ class Thankyou {
$cookie = $this->get_cookie();
$cookie[$order_id] = $order_meta_data['session_id'];
setcookie( 'fp_access', maybe_serialize($cookie), time() + 86400, '/' );
setcookie( 'fp_access', wp_json_encode($cookie), time() + 86400, '/', '', is_ssl(), true );
if($method == 'magic_link'){
do_action('formipay/notification/access/email', $order);
@@ -678,15 +677,11 @@ class Thankyou {
if (!empty($_COOKIE['fp_access'])) {
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
$raw_value = wp_unslash($_COOKIE['fp_access']);
// Validate before unserializing
if (is_serialized($raw_value)) { // Use WordPress core function
$maybe = maybe_unserialize($raw_value);
// Type-check and sanitize array contents
if (is_array($maybe)) {
$cookie = array_map('sanitize_text_field', $maybe);
}
$decoded = json_decode($raw_value, true);
if (is_array($decoded)) {
$cookie = array_map('sanitize_text_field', $decoded);
}
}
return $cookie;