WP eCommerce - Version 3.9.4

Version Description

  • Security Fix: Harden several instances of $_POST input that were not sanitized properly. Specifically, PayPal settings and Quick Edit fields for products.
  • Security Fix: Do not return visitor meta if WP eCommerce presumes a user to be a bot.
  • Enhancement: Provide a notice for users to repair their WP eCommerce tables if visitor and visitor meta tables are in need of repair. See #1901.
  • Fix: Notices on stats saving for products.

Release Info

Developer JustinSainton
Version 3.9.4

Code changes from version 3.9.3 to 3.9.4

Files changed (31)
  1. license.txt +0 -281
  2. readme.txt +9 -2
  3. wp-shopping-cart.php +29 -1
  4. wpsc-admin/admin.php +3 -2
  5. wpsc-admin/db-upgrades/upgrade.php +1 -1
  6. wpsc-admin/includes/display-items-functions.php +6 -2
  7. wpsc-admin/includes/product-functions.php +2 -2
  8. wpsc-admin/includes/product-variations-page.class.php +1 -1
  9. wpsc-admin/includes/purchase-log-list-table-class.php +1 -1
  10. wpsc-admin/includes/save-data.functions.php +2 -2
  11. wpsc-admin/includes/settings-tabs/gateway.php +1 -1
  12. wpsc-admin/includes/settings-tabs/shipping.php +3 -5
  13. wpsc-admin/init.php +8 -8
  14. wpsc-admin/settings-page.php +1 -1
  15. wpsc-components/marketplace-core-v1/library/Sputnik/API.php +5 -5
  16. wpsc-components/marketplace-core-v1/library/Sputnik/Admin.php +4 -4
  17. wpsc-components/marketplace-core-v1/library/Sputnik/List/Install.php +4 -4
  18. wpsc-components/merchant-core-v2/helpers/admin.php +6 -4
  19. wpsc-components/merchant-core-v3/gateways/paypal-express-checkout.php +2 -2
  20. wpsc-components/theme-engine-v1/helpers/ajax.php +4 -4
  21. wpsc-components/theme-engine-v1/helpers/page.php +1 -0
  22. wpsc-components/theme-engine-v2/classes/cart-item-table-form.php +3 -3
  23. wpsc-components/theme-engine-v2/classes/cart-item-table-widget-form.php +1 -1
  24. wpsc-core/wpsc-constants.php +5 -3
  25. wpsc-core/wpsc-functions.php +81 -0
  26. wpsc-includes/form-display.functions.php +1 -1
  27. wpsc-includes/purchase-log.class.php +6 -2
  28. wpsc-includes/stats.functions.php +2 -2
  29. wpsc-includes/wpsc-meta-visitor.php +16 -0
  30. wpsc-merchants/chronopay.php +7 -7
  31. wpsc-merchants/paypal-express.merchant.php +1 -3
license.txt DELETED
@@ -1,281 +0,0 @@
1
- GNU GENERAL PUBLIC LICENSE
2
- Version 2, June 1991
3
-
4
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
5
- 51 Franklin St, Fifth Floor, Boston, MA 02110, USA
6
-
7
- Everyone is permitted to copy and distribute verbatim copies
8
- of this license document, but changing it is not allowed.
9
-
10
- Preamble
11
-
12
- The licenses for most software are designed to take away your
13
- freedom to share and change it. By contrast, the GNU General Public
14
- License is intended to guarantee your freedom to share and change free
15
- software--to make sure the software is free for all its users. This
16
- General Public License applies to most of the Free Software
17
- Foundation's software and to any other program whose authors commit to
18
- using it. (Some other Free Software Foundation software is covered by
19
- the GNU Library General Public License instead.) You can apply it to
20
- your programs, too.
21
-
22
- When we speak of free software, we are referring to freedom, not
23
- price. Our General Public Licenses are designed to make sure that you
24
- have the freedom to distribute copies of free software (and charge for
25
- this service if you wish), that you receive source code or can get it
26
- if you want it, that you can change the software or use pieces of it
27
- in new free programs; and that you know you can do these things.
28
-
29
- To protect your rights, we need to make restrictions that forbid
30
- anyone to deny you these rights or to ask you to surrender the rights.
31
- These restrictions translate to certain responsibilities for you if you
32
- distribute copies of the software, or if you modify it.
33
-
34
- For example, if you distribute copies of such a program, whether
35
- gratis or for a fee, you must give the recipients all the rights that
36
- you have. You must make sure that they, too, receive or can get the
37
- source code. And you must show them these terms so they know their
38
- rights.
39
-
40
- We protect your rights with two steps: (1) copyright the software, and
41
- (2) offer you this license which gives you legal permission to copy,
42
- distribute and/or modify the software.
43
-
44
- Also, for each author's protection and ours, we want to make certain
45
- that everyone understands that there is no warranty for this free
46
- software. If the software is modified by someone else and passed on, we
47
- want its recipients to know that what they have is not the original, so
48
- that any problems introduced by others will not reflect on the original
49
- authors' reputations.
50
-
51
- Finally, any free program is threatened constantly by software
52
- patents. We wish to avoid the danger that redistributors of a free
53
- program will individually obtain patent licenses, in effect making the
54
- program proprietary. To prevent this, we have made it clear that any
55
- patent must be licensed for everyone's free use or not licensed at all.
56
-
57
- The precise terms and conditions for copying, distribution and
58
- modification follow.
59
-
60
- GNU GENERAL PUBLIC LICENSE
61
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
62
-
63
- 0. This License applies to any program or other work which contains
64
- a notice placed by the copyright holder saying it may be distributed
65
- under the terms of this General Public License. The "Program", below,
66
- refers to any such program or work, and a "work based on the Program"
67
- means either the Program or any derivative work under copyright law:
68
- that is to say, a work containing the Program or a portion of it,
69
- either verbatim or with modifications and/or translated into another
70
- language. (Hereinafter, translation is included without limitation in
71
- the term "modification".) Each licensee is addressed as "you".
72
-
73
- Activities other than copying, distribution and modification are not
74
- covered by this License; they are outside its scope. The act of
75
- running the Program is not restricted, and the output from the Program
76
- is covered only if its contents constitute a work based on the
77
- Program (independent of having been made by running the Program).
78
- Whether that is true depends on what the Program does.
79
-
80
- 1. You may copy and distribute verbatim copies of the Program's
81
- source code as you receive it, in any medium, provided that you
82
- conspicuously and appropriately publish on each copy an appropriate
83
- copyright notice and disclaimer of warranty; keep intact all the
84
- notices that refer to this License and to the absence of any warranty;
85
- and give any other recipients of the Program a copy of this License
86
- along with the Program.
87
-
88
- You may charge a fee for the physical act of transferring a copy, and
89
- you may at your option offer warranty protection in exchange for a fee.
90
-
91
- 2. You may modify your copy or copies of the Program or any portion
92
- of it, thus forming a work based on the Program, and copy and
93
- distribute such modifications or work under the terms of Section 1
94
- above, provided that you also meet all of these conditions:
95
-
96
- a) You must cause the modified files to carry prominent notices
97
- stating that you changed the files and the date of any change.
98
-
99
- b) You must cause any work that you distribute or publish, that in
100
- whole or in part contains or is derived from the Program or any
101
- part thereof, to be licensed as a whole at no charge to all third
102
- parties under the terms of this License.
103
-
104
- c) If the modified program normally reads commands interactively
105
- when run, you must cause it, when started running for such
106
- interactive use in the most ordinary way, to print or display an
107
- announcement including an appropriate copyright notice and a
108
- notice that there is no warranty (or else, saying that you provide
109
- a warranty) and that users may redistribute the program under
110
- these conditions, and telling the user how to view a copy of this
111
- License. (Exception: if the Program itself is interactive but
112
- does not normally print such an announcement, your work based on
113
- the Program is not required to print an announcement.)
114
-
115
- These requirements apply to the modified work as a whole. If
116
- identifiable sections of that work are not derived from the Program,
117
- and can be reasonably considered independent and separate works in
118
- themselves, then this License, and its terms, do not apply to those
119
- sections when you distribute them as separate works. But when you
120
- distribute the same sections as part of a whole which is a work based
121
- on the Program, the distribution of the whole must be on the terms of
122
- this License, whose permissions for other licensees extend to the
123
- entire whole, and thus to each and every part regardless of who wrote it.
124
- Thus, it is not the intent of this section to claim rights or contest
125
- your rights to work written entirely by you; rather, the intent is to
126
- exercise the right to control the distribution of derivative or
127
- collective works based on the Program.
128
-
129
- In addition, mere aggregation of another work not based on the Program
130
- with the Program (or with a work based on the Program) on a volume of
131
- a storage or distribution medium does not bring the other work under
132
- the scope of this License.
133
-
134
- 3. You may copy and distribute the Program (or a work based on it,
135
- under Section 2) in object code or executable form under the terms of
136
- Sections 1 and 2 above provided that you also do one of the following:
137
-
138
- a) Accompany it with the complete corresponding machine-readable
139
- source code, which must be distributed under the terms of Sections
140
- 1 and 2 above on a medium customarily used for software interchange; or,
141
-
142
- b) Accompany it with a written offer, valid for at least three
143
- years, to give any third party, for a charge no more than your
144
- cost of physically performing source distribution, a complete
145
- machine-readable copy of the corresponding source code, to be
146
- distributed under the terms of Sections 1 and 2 above on a medium
147
- customarily used for software interchange; or,
148
-
149
- c) Accompany it with the information you received as to the offer
150
- to distribute corresponding source code. (This alternative is
151
- allowed only for noncommercial distribution and only if you
152
- received the program in object code or executable form with such
153
- an offer, in accord with Subsection b above.)
154
-
155
- The source code for a work means the preferred form of the work for
156
- making modifications to it. For an executable work, complete source
157
- code means all the source code for all modules it contains, plus any
158
- associated interface definition files, plus the scripts used to
159
- control compilation and installation of the executable. However, as a
160
- special exception, the source code distributed need not include
161
- anything that is normally distributed (in either source or binary
162
- form) with the major components (compiler, kernel, and so on) of the
163
- operating system on which the executable runs, unless that component
164
- itself accompanies the executable.
165
-
166
- If distribution of executable or object code is made by offering
167
- access to copy from a designated place, then offering equivalent
168
- access to copy the source code from the same place counts as
169
- distribution of the source code, even though third parties are not
170
- compelled to copy the source along with the object code.
171
-
172
- 4. You may not copy, modify, sublicense, or distribute the Program
173
- except as expressly provided under this License. Any attempt
174
- otherwise to copy, modify, sublicense or distribute the Program is
175
- void, and will automatically terminate your rights under this License.
176
- However, parties who have received copies, or rights, from you under
177
- this License will not have their licenses terminated so long as such
178
- parties remain in full compliance.
179
-
180
- 5. You are not required to accept this License, since you have not
181
- signed it. However, nothing else grants you permission to modify or
182
- distribute the Program or its derivative works. These actions are
183
- prohibited by law if you do not accept this License. Therefore, by
184
- modifying or distributing the Program (or any work based on the
185
- Program), you indicate your acceptance of this License to do so, and
186
- all its terms and conditions for copying, distributing or modifying
187
- the Program or works based on it.
188
-
189
- 6. Each time you redistribute the Program (or any work based on the
190
- Program), the recipient automatically receives a license from the
191
- original licensor to copy, distribute or modify the Program subject to
192
- these terms and conditions. You may not impose any further
193
- restrictions on the recipients' exercise of the rights granted herein.
194
- You are not responsible for enforcing compliance by third parties to
195
- this License.
196
-
197
- 7. If, as a consequence of a court judgment or allegation of patent
198
- infringement or for any other reason (not limited to patent issues),
199
- conditions are imposed on you (whether by court order, agreement or
200
- otherwise) that contradict the conditions of this License, they do not
201
- excuse you from the conditions of this License. If you cannot
202
- distribute so as to satisfy simultaneously your obligations under this
203
- License and any other pertinent obligations, then as a consequence you
204
- may not distribute the Program at all. For example, if a patent
205
- license would not permit royalty-free redistribution of the Program by
206
- all those who receive copies directly or indirectly through you, then
207
- the only way you could satisfy both it and this License would be to
208
- refrain entirely from distribution of the Program.
209
-
210
- If any portion of this section is held invalid or unenforceable under
211
- any particular circumstance, the balance of the section is intended to
212
- apply and the section as a whole is intended to apply in other
213
- circumstances.
214
-
215
- It is not the purpose of this section to induce you to infringe any
216
- patents or other property right claims or to contest validity of any
217
- such claims; this section has the sole purpose of protecting the
218
- integrity of the free software distribution system, which is
219
- implemented by public license practices. Many people have made
220
- generous contributions to the wide range of software distributed
221
- through that system in reliance on consistent application of that
222
- system; it is up to the author/donor to decide if he or she is willing
223
- to distribute software through any other system and a licensee cannot
224
- impose that choice.
225
-
226
- This section is intended to make thoroughly clear what is believed to
227
- be a consequence of the rest of this License.
228
-
229
- 8. If the distribution and/or use of the Program is restricted in
230
- certain countries either by patents or by copyrighted interfaces, the
231
- original copyright holder who places the Program under this License
232
- may add an explicit geographical distribution limitation excluding
233
- those countries, so that distribution is permitted only in or among
234
- countries not thus excluded. In such case, this License incorporates
235
- the limitation as if written in the body of this License.
236
-
237
- 9. The Free Software Foundation may publish revised and/or new versions
238
- of the General Public License from time to time. Such new versions will
239
- be similar in spirit to the present version, but may differ in detail to
240
- address new problems or concerns.
241
-
242
- Each version is given a distinguishing version number. If the Program
243
- specifies a version number of this License which applies to it and "any
244
- later version", you have the option of following the terms and conditions
245
- either of that version or of any later version published by the Free
246
- Software Foundation. If the Program does not specify a version number of
247
- this License, you may choose any version ever published by the Free Software
248
- Foundation.
249
-
250
- 10. If you wish to incorporate parts of the Program into other free
251
- programs whose distribution conditions are different, write to the author
252
- to ask for permission. For software which is copyrighted by the Free
253
- Software Foundation, write to the Free Software Foundation; we sometimes
254
- make exceptions for this. Our decision will be guided by the two goals
255
- of preserving the free status of all derivatives of our free software and
256
- of promoting the sharing and reuse of software generally.
257
-
258
- NO WARRANTY
259
-
260
- 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
261
- FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
262
- OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
263
- PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
264
- OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
265
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
266
- TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
267
- PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
268
- REPAIR OR CORRECTION.
269
-
270
- 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
271
- WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
272
- REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
273
- INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
274
- OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
275
- TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
276
- YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
277
- PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
278
- POSSIBILITY OF SUCH DAMAGES.
279
-
280
- END OF TERMS AND CONDITIONS
281
-
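Review bot: deleting license.txt removes the full GPLv2 text from the plugin package, and the 3.9.4 changelog entry doesn't mention it; confirm the removal is intentional and that the license is still declared elsewhere in the distribution (the readme.txt lines shown in this diff don't include a License field).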
readme.txt CHANGED
@@ -2,9 +2,9 @@
2
  Contributors: JustinSainton, mufasa
3
  Donate link: https://wpecommerce.org
4
  Tags: e-commerce, wp-e-commerce, shop, cart, paypal, authorize, stock control, ecommerce, shipping, tax
5
- Requires at least: 3.9
6
  Tested up to: 4.2
7
- Stable tag: 3.9.3
8
 
9
  WP eCommerce is a free, powerful plugin that empowers you to sell anything online, quickly and easily.
10
 
@@ -36,6 +36,13 @@ After upgrading from earlier versions look for link "Update Store". This will up
36
 
37
  == Changelog ==
38
 
 
 
 
 
 
 
 
39
  = 3.9.3 =
40
 
41
  * Fix: Fix potential reflexive XSS issue with add_query_arg() and remove_query_arg() usage. Update is _highly_ recommended.
2
  Contributors: JustinSainton, mufasa
3
  Donate link: https://wpecommerce.org
4
  Tags: e-commerce, wp-e-commerce, shop, cart, paypal, authorize, stock control, ecommerce, shipping, tax
5
+ Requires at least: 4.0
6
  Tested up to: 4.2
7
+ Stable tag: 3.9.4
8
 
9
  WP eCommerce is a free, powerful plugin that empowers you to sell anything online, quickly and easily.
10
 
36
 
37
  == Changelog ==
38
 
39
+ = 3.9.4 =
40
+
41
+ * Security Fix: Harden several instances of $_POST input that were not sanitized properly. Specifically, PayPal settings and Quick Edit fields for products.
42
+ * Security Fix: Do not return visitor meta if WP eCommerce presumes a user to be a bot.
43
+ * Enhancement: Provide a notice for users to repair their WP eCommerce tables if visitor and visitor meta tables are in need of repair. See [#1901](https://github.com/wp-e-commerce/WP-e-Commerce/issues/1901).
44
+ * Fix: Notices on stats saving for products.
45
+
46
  = 3.9.3 =
47
 
48
  * Fix: Fix potential reflexive XSS issue with add_query_arg() and remove_query_arg() usage. Update is _highly_ recommended.
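Review bot: `Requires at least` jumps from 3.9 to 4.0 in a security point release, but the new `= 3.9.4 =` changelog entry doesn't mention the raised minimum; sites still on WordPress 3.9 will be told the security fix is incompatible, so either document the bump in the changelog or keep 3.9 for this release.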
wp-shopping-cart.php CHANGED
@@ -3,7 +3,7 @@
3
  * Plugin Name: WP eCommerce
4
  * Plugin URI: http://wpecommerce.org/
5
  * Description: A plugin that provides a WordPress Shopping Cart. See also: <a href="http://wpecommerce.org" target="_blank">WPeCommerce.org</a> | <a href="https://wordpress.org/support/plugin/wp-e-commerce/" target="_blank">Support Forum</a> | <a href="http://docs.wpecommerce.org/" target="_blank">Documentation</a>
6
- * Version: 3.9.3
7
  * Author: WP eCommerce
8
  * Author URI: http://wpecommerce.org/
9
  **/
@@ -119,8 +119,15 @@ class WP_eCommerce {
119
  do_action( 'wpsc_started' );
120
  }
121
 
 
 
 
 
 
 
122
  public function setup_table_names() {
123
  global $wpdb;
 
124
  $wpdb->wpsc_meta = WPSC_TABLE_META;
125
  $wpdb->wpsc_also_bought = WPSC_TABLE_ALSO_BOUGHT;
126
  $wpdb->wpsc_region_tax = WPSC_TABLE_REGION_TAX;
@@ -137,6 +144,27 @@ class WP_eCommerce {
137
  $wpdb->wpsc_purchasemeta = WPSC_TABLE_PURCHASE_META;
138
  $wpdb->wpsc_visitors = WPSC_TABLE_VISITORS;
139
  $wpdb->wpsc_visitormeta = WPSC_TABLE_VISITOR_META;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
140
  }
141
 
142
  /**
3
  * Plugin Name: WP eCommerce
4
  * Plugin URI: http://wpecommerce.org/
5
  * Description: A plugin that provides a WordPress Shopping Cart. See also: <a href="http://wpecommerce.org" target="_blank">WPeCommerce.org</a> | <a href="https://wordpress.org/support/plugin/wp-e-commerce/" target="_blank">Support Forum</a> | <a href="http://docs.wpecommerce.org/" target="_blank">Documentation</a>
6
+ * Version: 3.9.4
7
  * Author: WP eCommerce
8
  * Author URI: http://wpecommerce.org/
9
  **/
119
  do_action( 'wpsc_started' );
120
  }
121
 
122
+ /**
123
+ * Sets table names as WPDB properties.
124
+ *
125
+ * @since 4.0
126
+ * @return array Array of custom tables
127
+ */
128
  public function setup_table_names() {
129
  global $wpdb;
130
+
131
  $wpdb->wpsc_meta = WPSC_TABLE_META;
132
  $wpdb->wpsc_also_bought = WPSC_TABLE_ALSO_BOUGHT;
133
  $wpdb->wpsc_region_tax = WPSC_TABLE_REGION_TAX;
144
  $wpdb->wpsc_purchasemeta = WPSC_TABLE_PURCHASE_META;
145
  $wpdb->wpsc_visitors = WPSC_TABLE_VISITORS;
146
  $wpdb->wpsc_visitormeta = WPSC_TABLE_VISITOR_META;
147
+
148
+ return array(
149
+ $wpdb->wpsc_meta ,
150
+ $wpdb->wpsc_also_bought ,
151
+ $wpdb->wpsc_region_tax ,
152
+ $wpdb->wpsc_coupon_codes ,
153
+ $wpdb->wpsc_cart_contents ,
154
+ $wpdb->wpsc_claimed_stock ,
155
+ $wpdb->wpsc_currency_list ,
156
+ $wpdb->wpsc_purchase_logs ,
157
+ $wpdb->wpsc_checkout_forms ,
158
+ $wpdb->wpsc_product_rating ,
159
+ $wpdb->wpsc_download_status ,
160
+ $wpdb->wpsc_submitted_form_data,
161
+ $wpdb->wpsc_cart_itemmeta ,
162
+ $wpdb->wpsc_purchasemeta ,
163
+ $wpdb->wpsc_visitors ,
164
+ $wpdb->wpsc_visitormeta ,
165
+ );
166
+
167
+
168
  }
169
 
170
  /**
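Review bot: the new docblock says `@since 4.0` while this release is 3.9.4 (the `Version:` header changed in the same file), so the tag should match the plugin version that actually ships the return value. Minor: the two trailing `+` blank lines before the closing brace at 166-167 and the spaces before the commas in the returned array are stray whitespace.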
wpsc-admin/admin.php CHANGED
@@ -642,7 +642,7 @@ function wpsc_admin_include_css_and_js_refac( $pagehook ) {
642
 
643
  wp_enqueue_script( 'wp-e-commerce-product-variations', WPSC_URL . '/wpsc-admin/js/product-variations.js', array( 'jquery' ), $version_identifier );
644
  wp_localize_script( 'wp-e-commerce-product-variations', 'WPSC_Product_Variations', array(
645
- 'product_id' => $_REQUEST['product_id'],
646
  'add_variation_set_nonce' => _wpsc_create_ajax_nonce( 'add_variation_set' ),
647
  ) );
648
  }
@@ -1225,7 +1225,8 @@ function wpsc_ajax_ie_save() {
1225
  update_product_meta( $product['ID'], 'product_metadata', $product_meta );
1226
  update_product_meta( $product['ID'], 'price', (float)$_POST['price'] );
1227
  update_product_meta( $product['ID'], 'special_price', (float)$_POST['special_price'] );
1228
- update_product_meta( $product['ID'], 'sku', $_POST['sku'] );
 
1229
  if ( !is_numeric($_POST['stock']) )
1230
  update_product_meta( $product['ID'], 'stock', '' );
1231
  else
642
 
643
  wp_enqueue_script( 'wp-e-commerce-product-variations', WPSC_URL . '/wpsc-admin/js/product-variations.js', array( 'jquery' ), $version_identifier );
644
  wp_localize_script( 'wp-e-commerce-product-variations', 'WPSC_Product_Variations', array(
645
+ 'product_id' => absint( $_REQUEST['product_id'] ),
646
  'add_variation_set_nonce' => _wpsc_create_ajax_nonce( 'add_variation_set' ),
647
  ) );
648
  }
1225
  update_product_meta( $product['ID'], 'product_metadata', $product_meta );
1226
  update_product_meta( $product['ID'], 'price', (float)$_POST['price'] );
1227
  update_product_meta( $product['ID'], 'special_price', (float)$_POST['special_price'] );
1228
+ update_product_meta( $product['ID'], 'sku', sanitize_text_field( $_POST['sku'] ) );
1229
+
1230
  if ( !is_numeric($_POST['stock']) )
1231
  update_product_meta( $product['ID'], 'stock', '' );
1232
  else
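Review bot: `absint( $_REQUEST['product_id'] )` at line 645 is the right cast for an integer ID, but it still reads the key unconditionally, so a request without `product_id` raises a PHP notice; guard it, e.g. `isset( $_REQUEST['product_id'] ) ? absint( $_REQUEST['product_id'] ) : 0`. The `sanitize_text_field()` on `sku` at 1228 closes the unsanitized Quick Edit meta write named in the changelog.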
wpsc-admin/db-upgrades/upgrade.php CHANGED
@@ -145,7 +145,7 @@ function _wpsc_action_load_db_upgrade() {
145
 
146
  _wpsc_maybe_upgrade();
147
 
148
- wp_redirect( add_query_arg( 'wpsc_db_upgrade_successful', 1, admin_url() ) );
149
  exit;
150
  }
151
 
145
 
146
  _wpsc_maybe_upgrade();
147
 
148
+ wp_redirect( esc_url_raw( add_query_arg( 'wpsc_db_upgrade_successful', 1, admin_url() ) ) );
149
  exit;
150
  }
151
 
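Review bot: wrapping the redirect target in `esc_url_raw()` at line 148 is harmless, but the URL is built from `admin_url()` rather than request input, so this wasn't the reflected-XSS vector; the stronger change for an admin-side redirect is `wp_safe_redirect()`, which refuses off-host targets, followed by the existing `exit`.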
wpsc-admin/includes/display-items-functions.php CHANGED
@@ -1253,7 +1253,7 @@ function wpsc_save_quickedit_box( $post_id ) {
1253
  global $doaction;
1254
 
1255
  // Only save product if saving (not autosaving) via AJAX.
1256
- if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) || ! defined( 'DOING_AJAX' ) || ! DOING_AJAX || get_post_type( $post_id ) != 'wpsc-product' ) {
1257
  return;
1258
  }
1259
 
@@ -1330,8 +1330,12 @@ function wpsc_save_quickedit_box( $post_id ) {
1330
  case 'sku':
1331
  if ( $value == __( 'N/A', 'wpsc' ) ) {
1332
  $value = '';
 
 
1333
  }
1334
  break;
 
 
1335
 
1336
  }
1337
 
@@ -1545,7 +1549,7 @@ function save_term_prices( $term_id ) {
1545
 
1546
  $term_prices = get_option( 'term_prices' );
1547
 
1548
- $term_prices[$term_id]["price"] = $_POST["variation_price"];
1549
  $term_prices[$term_id]["checked"] = (isset( $_POST["apply_to_current"] )) ? "checked" : "unchecked";
1550
 
1551
  update_option( 'term_prices', $term_prices );
1253
  global $doaction;
1254
 
1255
  // Only save product if saving (not autosaving) via AJAX.
1256
+ if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) || ! defined( 'DOING_AJAX' ) || ! DOING_AJAX || get_post_type( $post_id ) != 'wpsc-product' ) {
1257
  return;
1258
  }
1259
 
1330
  case 'sku':
1331
  if ( $value == __( 'N/A', 'wpsc' ) ) {
1332
  $value = '';
1333
+ } else {
1334
+ $value = sanitize_text_field( $value );
1335
  }
1336
  break;
1337
+ default :
1338
+ $value = sanitize_text_field( $value );
1339
 
1340
  }
1341
 
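Review bot: the new `default :` arm at 1337-1338 runs `sanitize_text_field()` on every remaining Quick Edit field, which is good blanket hardening, but numeric fields would be tighter with a numeric cast rather than text sanitisation; also write `default:` and end the arm with `break;` for consistency with the `case 'sku':` arm above it.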
1549
 
1550
  $term_prices = get_option( 'term_prices' );
1551
 
1552
+ $term_prices[$term_id]["price"] = sanitize_text_field( $_POST["variation_price"] );
1553
  $term_prices[$term_id]["checked"] = (isset( $_POST["apply_to_current"] )) ? "checked" : "unchecked";
1554
 
1555
  update_option( 'term_prices', $term_prices );
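Review bot: `sanitize_text_field()` on `variation_price` at line 1552 strips markup but still stores any string as a price; since the value is numeric, `floatval()` (or rejecting non-numeric input) is the tighter check and avoids persisting arbitrary text in the `term_prices` option.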
wpsc-admin/includes/product-functions.php CHANGED
@@ -625,7 +625,7 @@ function wpsc_edit_product_variations($product_id, $post_data) {
625
 
626
  wp_set_object_terms($product_id, $variation_sets_and_values, 'wpsc-variation');
627
 
628
- $parent_id = $_REQUEST['product_id'];
629
 
630
  $child_product_template = array(
631
  'post_author' => $user_ID,
@@ -741,7 +741,7 @@ function wpsc_edit_product_variations($product_id, $post_data) {
741
  return;
742
  }
743
 
744
- if(!empty($term_ids_to_delete) && (isset($_REQUEST["product_id"]) || isset($post_id))) {
745
  $post_ids_to_delete = array();
746
 
747
  // Whatever remains, find child products of current product with that term, in the variation taxonomy, and delete
625
 
626
  wp_set_object_terms($product_id, $variation_sets_and_values, 'wpsc-variation');
627
 
628
+ $parent_id = absint( $_REQUEST['product_id'] );
629
 
630
  $child_product_template = array(
631
  'post_author' => $user_ID,
741
  return;
742
  }
743
 
744
+ if(!empty($term_ids_to_delete) && (isset($_REQUEST["product_id"]) || isset($post_id))) {
745
  $post_ids_to_delete = array();
746
 
747
  // Whatever remains, find child products of current product with that term, in the variation taxonomy, and delete
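Review bot: same `absint()`-without-`isset()` pattern at line 628: the later condition at 744 (`isset($_REQUEST["product_id"]) || isset($post_id)`) shows `product_id` may legitimately be absent, so guard the read or fall back to `$post_id` to avoid a notice and a silent `$parent_id = 0`.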
wpsc-admin/includes/product-variations-page.class.php CHANGED
@@ -86,7 +86,7 @@ class WPSC_Product_Variations_Page {
86
  }
87
 
88
  if ( isset( $data['sku'] ) ) {
89
- update_product_meta( $id, 'sku', $data['sku'] );
90
  }
91
 
92
  if ( isset( $data['stock'] ) ) {
86
  }
87
 
88
  if ( isset( $data['sku'] ) ) {
89
+ update_product_meta( $id, 'sku', sanitize_text_field( $data['sku'] ) );
90
  }
91
 
92
  if ( isset( $data['stock'] ) ) {
wpsc-admin/includes/purchase-log-list-table-class.php CHANGED
@@ -502,7 +502,7 @@ class WPSC_Purchase_Log_List_Table extends WP_List_Table {
502
  }
503
 
504
  public function column_amount( $item ) {
505
- echo '<a href="' . esc_url( $this->item_url( $item ) ) . '" title="' . esc_attr__( 'View order details', 'wpsc' ) . '">';
506
  echo wpsc_currency_display( $item->amount ) . "<br />";
507
  echo '<small>' . sprintf( _n( '1 item', '%s items', $item->item_count, 'wpsc' ), number_format_i18n( $item->item_count ) ) . '</small>';
508
  echo '</a>';
502
  }
503
 
504
  public function column_amount( $item ) {
505
+ echo '<a href="' . esc_attr( $this->item_url( $item ) ) . '" title="' . esc_attr__( 'View order details', 'wpsc' ) . '">';
506
  echo wpsc_currency_display( $item->amount ) . "<br />";
507
  echo '<small>' . sprintf( _n( '1 item', '%s items', $item->item_count, 'wpsc' ), number_format_i18n( $item->item_count ) ) . '</small>';
508
  echo '</a>';
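Review bot: switching the `href` escaper from `esc_url()` to `esc_attr()` at line 505 weakens the output escaping: `esc_attr()` only HTML-encodes, whereas `esc_url()` is the WordPress function meant for URL attributes and also rejects disallowed schemes. The value comes from `$this->item_url()`, so the practical risk is low, but `esc_url()` was the correct call and should be restored.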
wpsc-admin/includes/save-data.functions.php CHANGED
@@ -20,7 +20,7 @@ function wpsc_ajax_set_variation_order(){
20
 
21
  $value = preg_replace( '/[^0-9]/', '', $value );
22
 
23
- if ( ! wpsc_update_meta( $value, 'sort_order', $key, 'wpsc_variation' ) ) {
24
  $result = false;
25
  }
26
  }
@@ -539,7 +539,7 @@ function wpsc_save_category_set( $category_id, $tt_id ) {
539
  }
540
 
541
  if ( ! empty( $_POST['use_additional_form_set'] ) ) {
542
- wpsc_update_categorymeta( $category_id, 'use_additional_form_set', $_POST['use_additional_form_set'] );
543
  } else {
544
  wpsc_delete_categorymeta( $category_id, 'use_additional_form_set' );
545
  }
20
 
21
  $value = preg_replace( '/[^0-9]/', '', $value );
22
 
23
+ if ( ! wpsc_update_meta( $value, 'sort_order', absint( $key ), 'wpsc_variation' ) ) {
24
  $result = false;
25
  }
26
  }
539
  }
540
 
541
  if ( ! empty( $_POST['use_additional_form_set'] ) ) {
542
+ wpsc_update_categorymeta( $category_id, 'use_additional_form_set', absint( $_POST['use_additional_form_set'] ) );
543
  } else {
544
  wpsc_delete_categorymeta( $category_id, 'use_additional_form_set' );
545
  }
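Review bot: `absint( $_POST['use_additional_form_set'] )` at line 542 turns a non-numeric value into 0, which then gets stored because the outer `! empty()` test ran on the raw string; compute the integer first and take the `wpsc_delete_categorymeta()` branch when it is 0. The `absint( $key )` at line 23 is a good fix for the variation ID passed to `wpsc_update_meta()`.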
wpsc-admin/includes/settings-tabs/gateway.php CHANGED
@@ -6,7 +6,7 @@ class WPSC_Settings_Tab_Gateway extends WPSC_Settings_Tab {
6
 
7
  public function __construct() {
8
  if ( isset( $_REQUEST['payment_gateway_id'] ) ) {
9
- update_user_option( get_current_user_id(), 'wpsc_settings_selected_payment_gateway', $_REQUEST['payment_gateway_id'] );
10
  } else {
11
  update_user_option( get_current_user_id(), 'wpsc_settings_selected_payment_gateway', '' );
12
  }
6
 
7
  public function __construct() {
8
  if ( isset( $_REQUEST['payment_gateway_id'] ) ) {
9
+ update_user_option( get_current_user_id(), 'wpsc_settings_selected_payment_gateway', sanitize_text_field( $_REQUEST['payment_gateway_id'] ) );
10
  } else {
11
  update_user_option( get_current_user_id(), 'wpsc_settings_selected_payment_gateway', '' );
12
  }
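Review bot: sanitize_text_field() on line 9 strips tags and control characters but still accepts arbitrary text for what is an identifier. A gateway id should only ever match a registered gateway, so sanitize_key() or a check against the known gateway names would be the tighter choice for the value stored in the user option.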
wpsc-admin/includes/settings-tabs/shipping.php CHANGED
@@ -4,7 +4,7 @@ class WPSC_Settings_Tab_Shipping extends WPSC_Settings_Tab {
4
  parent::__construct();
5
 
6
  if ( isset( $_REQUEST['shipping_module_id'] ) )
7
- update_user_option( get_current_user_id(), 'wpsc_settings_selected_shipping_module', $_REQUEST['shipping_module_id'] );
8
 
9
  add_action( 'admin_notices', array( $this, 'no_shipping_notice' ) );
10
  }
@@ -40,9 +40,9 @@ class WPSC_Settings_Tab_Shipping extends WPSC_Settings_Tab {
40
  $_POST['update_gateways'] = '';
41
 
42
  if ( ! isset( $_POST['custom_shipping_options'] ) )
43
- $_POST['custom_shipping_options'] = null;
44
 
45
- update_option( 'custom_shipping_options', $_POST['custom_shipping_options'] );
46
 
47
  $shipadd = 0;
48
  foreach ( $wpsc_shipping_modules as $shipping ) {
@@ -106,9 +106,7 @@ class WPSC_Settings_Tab_Shipping extends WPSC_Settings_Tab {
106
  'page' => 'wpsc-settings',
107
  'shipping_module_id' => $shipping->getInternalName(),
108
  ), $location );
109
-
110
  $location .= '#wpsc-shipping-module-options';
111
-
112
  return esc_url( $location );
113
  }
114
 
4
  parent::__construct();
5
 
6
  if ( isset( $_REQUEST['shipping_module_id'] ) )
7
+ update_user_option( get_current_user_id(), 'wpsc_settings_selected_shipping_module', sanitize_text_field( $_REQUEST['shipping_module_id'] ) );
8
 
9
  add_action( 'admin_notices', array( $this, 'no_shipping_notice' ) );
10
  }
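Review bot: Line 7 sanitises shipping_module_id as free text, but the value is a module key; $wpsc_shipping_modules is available to this class (line 48 iterates it), so validating the id against that list would reject unknown modules outright instead of storing them. Style: the single-statement `if` on lines 6-7 has no braces, which the WordPress coding standards require.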
40
  $_POST['update_gateways'] = '';
41
 
42
  if ( ! isset( $_POST['custom_shipping_options'] ) )
43
+ $_POST['custom_shipping_options'] = array();
44
 
45
+ update_option( 'custom_shipping_options', array_map( 'sanitize_text_field', $_POST['custom_shipping_options'] ) );
46
 
47
  $shipadd = 0;
48
  foreach ( $wpsc_shipping_modules as $shipping ) {
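Review bot: array_map() on line 45 assumes $_POST['custom_shipping_options'] is an array, but line 43 only fills it in when the key is absent, so a scalar submission (a bare string) reaches array_map(), which emits a warning and returns null, and that null is what update_option() receives. Cast with `(array)` or check is_array() before mapping. Note also that sanitize_text_field() on the values does nothing to confirm they are real module names; a whitelist check against $wpsc_shipping_modules would.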
106
  'page' => 'wpsc-settings',
107
  'shipping_module_id' => $shipping->getInternalName(),
108
  ), $location );
 
109
  $location .= '#wpsc-shipping-module-options';
 
110
  return esc_url( $location );
111
  }
112
 
wpsc-admin/init.php CHANGED
@@ -335,8 +335,8 @@ function wpsc_purchase_log_action_downloads_lock( $log_id ) {
335
 
336
  // Redirect back to purchase logs list
337
  $sendback = wp_get_referer();
338
- $sendback = add_query_arg( 'cleared', 1, $sendback );
339
- wp_redirect( esc_url_raw( $sendback ) );
340
  exit();
341
 
342
  }
@@ -360,8 +360,8 @@ function wpsc_purchase_log_action_delete( $log_id ) {
360
  // Redirect back to purchase logs list
361
  $sendback = wp_get_referer();
362
  $sendback = remove_query_arg( array( 'c', 'id' ), $sendback );
363
- $sendback = add_query_arg( 'deleted', absint( $deleted ), $sendback );
364
- wp_redirect( esc_url_raw( $sendback ) );
365
  exit();
366
 
367
  }
@@ -383,8 +383,8 @@ function wpsc_purchase_log_action_email_receipt( $log_id ) {
383
 
384
  // Redirect back to purchase logs list
385
  $sendback = wp_get_referer();
386
- $sendback = add_query_arg( 'sent', absint( $sent ), $sendback );
387
- wp_redirect( esc_url_raw( $sendback ) );
388
  exit();
389
 
390
  }
@@ -409,8 +409,8 @@ function wpsc_purchlog_resend_email( $log_id = '' ) {
409
  _wpsc_doing_it_wrong( 'wpsc_purchlog_resend_email', __( '$log_id parameter requires a numeric purchase log ID.', 'wpsc' ), '3.9.0' );
410
 
411
  // Support redirect for legacy purposes for the moment
412
- $sendback = add_query_arg( 'sent', 0, wp_get_referer() );
413
- wp_redirect( esc_url_raw( $sendback ) );
414
  exit();
415
 
416
  }
335
 
336
  // Redirect back to purchase logs list
337
  $sendback = wp_get_referer();
338
+ $sendback = esc_url_raw( add_query_arg( 'cleared', 1, $sendback ) );
339
+ wp_redirect( $sendback );
340
  exit();
341
 
342
  }
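Review bot: Applying esc_url_raw() inside the assignment on line 338 rather than at the wp_redirect() call on line 339 is equivalent, so this hunk (and the three identical ones at lines 363-364, 386-387 and 412-413) does not change what is validated: esc_url_raw() sanitises URL syntax but does not restrict the destination host, and $sendback comes from wp_get_referer(). For a referer-derived target wp_safe_redirect() is the right call, since it falls back to the admin URL when the host is not on the allowed list.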
360
  // Redirect back to purchase logs list
361
  $sendback = wp_get_referer();
362
  $sendback = remove_query_arg( array( 'c', 'id' ), $sendback );
363
+ $sendback = esc_url_raw( add_query_arg( 'deleted', absint( $deleted ), $sendback ) );
364
+ wp_redirect( $sendback );
365
  exit();
366
 
367
  }
383
 
384
  // Redirect back to purchase logs list
385
  $sendback = wp_get_referer();
386
+ $sendback = esc_url_raw( add_query_arg( 'sent', absint( $sent ), $sendback ) );
387
+ wp_redirect( $sendback );
388
  exit();
389
 
390
  }
409
  _wpsc_doing_it_wrong( 'wpsc_purchlog_resend_email', __( '$log_id parameter requires a numeric purchase log ID.', 'wpsc' ), '3.9.0' );
410
 
411
  // Support redirect for legacy purposes for the moment
412
+ $sendback = esc_url_raw( add_query_arg( 'sent', 0, wp_get_referer() ) );
413
+ wp_redirect( $sendback );
414
  exit();
415
 
416
  }
wpsc-admin/settings-page.php CHANGED
@@ -703,7 +703,7 @@ final class WPSC_Settings_Page {
703
 
704
  if ( $_POST['update_gateways'] == 'true' ) {
705
 
706
- update_option( 'custom_shipping_options', $_POST['custom_shipping_options'] );
707
 
708
  $shipadd = 0;
709
  foreach ( $GLOBALS['wpsc_shipping_modules'] as $shipping ) {
703
 
704
  if ( $_POST['update_gateways'] == 'true' ) {
705
 
706
+ update_option( 'custom_shipping_options', array_map( 'sanitize_text_field', $_POST['custom_shipping_options'] ) );
707
 
708
  $shipadd = 0;
709
  foreach ( $GLOBALS['wpsc_shipping_modules'] as $shipping ) {
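Review bot: Line 706 passes $_POST['custom_shipping_options'] to array_map() without checking that it exists or is an array; if the field is missing, array_map() receives null and emits a warning (a TypeError on PHP 8), and a scalar submission fails the same way. Mirror the guard used in settings-tabs/shipping.php: default the value to `array()` when unset and cast with `(array)` before mapping.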
wpsc-components/marketplace-core-v1/library/Sputnik/API.php CHANGED
@@ -91,10 +91,10 @@ class Sputnik_API {
91
 
92
  //Modifying to add marketplace and user email to query string.
93
  if ( $redirect ) {
94
- wp_redirect( add_query_arg( array( 'domain' => self::domain(), 'user' => rawurlencode( wp_get_current_user()->user_email ) ), $auth_url ) );
95
  exit;
96
  } else {
97
- return $auth_url;
98
  }
99
  }
100
 
@@ -195,7 +195,7 @@ class Sputnik_API {
195
  public static function request($url, $params = null, $args = array()) {
196
 
197
  if ( ! empty( $params ) ) {
198
- $url = esc_url_raw( add_query_arg( $params, $url ) );
199
  }
200
 
201
  $defaults = array( 'method' => 'GET' );
@@ -203,14 +203,14 @@ class Sputnik_API {
203
  $args = wp_parse_args( $args, $defaults );
204
 
205
  if ( strpos( $url, 'http' ) !== 0 ) {
206
- $url = esc_url_raw( Sputnik::API_BASE . $url );
207
  }
208
 
209
  $args['timeout'] = 25;
210
  $args['headers']['user-agent'] = 'WP eCommerce Marketplace: ' . WPSC_VERSION;
211
  $args['headers']['X-WP-Domain'] = self::domain();
212
 
213
- $request = wp_remote_request( $url, $args );
214
 
215
  if ( is_wp_error( $request ) ) {
216
  throw new Exception( $request->get_error_message() );
91
 
92
  //Modifying to add marketplace and user email to query string.
93
  if ( $redirect ) {
94
+ wp_redirect( esc_url( add_query_arg( array( 'domain' => self::domain(), 'user' => rawurlencode( wp_get_current_user()->user_email ) ), $auth_url ) ) );
95
  exit;
96
  } else {
97
+ return esc_url( $auth_url );
98
  }
99
  }
100
 
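Review bot: esc_url() on lines 94 and 97 is the display-context escaper: it entity-encodes `&` as `&#038;`, so the two-parameter URL that add_query_arg() builds on line 94 reaches wp_redirect() with a literal `#` in it, which the browser treats as the start of a fragment, dropping everything after the first separator (here the `user` parameter). Use esc_url_raw() for the redirect, and for the returned value on line 97 unless every caller echoes it straight into HTML.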
195
  public static function request($url, $params = null, $args = array()) {
196
 
197
  if ( ! empty( $params ) ) {
198
+ $url = add_query_arg( $params, $url );
199
  }
200
 
201
  $defaults = array( 'method' => 'GET' );
203
  $args = wp_parse_args( $args, $defaults );
204
 
205
  if ( strpos( $url, 'http' ) !== 0 ) {
206
+ $url = Sputnik::API_BASE . $url;
207
  }
208
 
209
  $args['timeout'] = 25;
210
  $args['headers']['user-agent'] = 'WP eCommerce Marketplace: ' . WPSC_VERSION;
211
  $args['headers']['X-WP-Domain'] = self::domain();
212
 
213
+ $request = wp_remote_request( esc_url_raw( $url ), $args );
214
 
215
  if ( is_wp_error( $request ) ) {
216
  throw new Exception( $request->get_error_message() );
wpsc-components/marketplace-core-v1/library/Sputnik/Admin.php CHANGED
@@ -242,7 +242,7 @@ class Sputnik_Admin {
242
  if (!empty($args)) {
243
  $url = add_query_arg( $args, $url );
244
  }
245
- return esc_url_raw( $url );
246
  }
247
 
248
  public static function build_account_url($args = array()) {
@@ -250,7 +250,7 @@ class Sputnik_Admin {
250
  if (!empty($args)) {
251
  $url = add_query_arg( $args, $url );
252
  }
253
- return esc_url_raw( $url );
254
  }
255
 
256
  public static function page_styles() {
@@ -813,7 +813,7 @@ class Sputnik_Admin {
813
 
814
  $install_url = self::build_url(array('install' => $product_slug));
815
  $install_url = add_query_arg('_wpnonce', wp_create_nonce('sputnik_install-plugin_' . $product_slug), $install_url);
816
- $install_url = add_query_arg(array('TB_iframe' => true), $install_url);
817
 
818
  self::iframe_closer( self::build_url( array('run-installer' => urlencode( $install_url ) ) ), __( 'Installing ... ', 'wpsc' ) );
819
  }
@@ -987,7 +987,7 @@ class Sputnik_Admin {
987
  $url = self::build_url(array('upgrade' => $file));
988
  // wp_nonce_url also does a esc_html, so do it ourselves
989
  $url = add_query_arg('_wpnonce', wp_create_nonce('sputnik_upgrade-plugin_' . $file), $url);
990
- wp_redirect($url);
991
 
992
  die();
993
  }
242
  if (!empty($args)) {
243
  $url = add_query_arg( $args, $url );
244
  }
245
+ return esc_url( $url );
246
  }
247
 
248
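Review bot: build_url() (line 245) and build_account_url() (line 253) now return esc_url() output, i.e. a display-escaped string with `&` rewritten as `&#038;`, but callers in this same file treat the result as a raw URL: line 815 feeds it to add_query_arg(), line 818 to urlencode(), and line 990 to wp_redirect(). Keep esc_url_raw() in the builders and apply esc_url() only where the URL is printed into HTML.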
  public static function build_account_url($args = array()) {
250
  if (!empty($args)) {
251
  $url = add_query_arg( $args, $url );
252
  }
253
+ return esc_url( $url );
254
  }
255
 
256
  public static function page_styles() {
813
 
814
  $install_url = self::build_url(array('install' => $product_slug));
815
  $install_url = add_query_arg('_wpnonce', wp_create_nonce('sputnik_install-plugin_' . $product_slug), $install_url);
816
+ $install_url = esc_url( add_query_arg(array('TB_iframe' => true), $install_url) );
817
 
818
  self::iframe_closer( self::build_url( array('run-installer' => urlencode( $install_url ) ) ), __( 'Installing ... ', 'wpsc' ) );
819
  }
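Review bot: Line 816 wraps the install URL in esc_url() and line 818 then urlencode()s it into the run-installer parameter, so the receiving side gets a URL in which the separators before _wpnonce and TB_iframe arrive as `&#038;`. Whatever decodes run-installer must undo the entity encoding before the nonce can be read; esc_url_raw() here keeps the URL intact and the nonce check straightforward.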
987
  $url = self::build_url(array('upgrade' => $file));
988
  // wp_nonce_url also does a esc_html, so do it ourselves
989
  $url = add_query_arg('_wpnonce', wp_create_nonce('sputnik_upgrade-plugin_' . $file), $url);
990
+ wp_redirect( esc_url_raw( $url ) );
991
 
992
  die();
993
  }
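Review bot: Line 990 redirects to a URL that build_url() on line 987 now returns already passed through esc_url(); esc_url_raw() does not reverse that. If the built URL carries more than one parameter, its `&` is already `&#038;`, so add_query_arg() on line 989 treats everything from the `#` as a fragment and the parameters after it never reach the Location header. Since the target is a local admin page, wp_safe_redirect() on an esc_url_raw()-built URL is the safer combination.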
wpsc-components/marketplace-core-v1/library/Sputnik/List/Install.php CHANGED
@@ -298,7 +298,7 @@ class Sputnik_List_Install extends WP_List_Table {
298
  switch ( $status['status'] ) {
299
  case 'purchase':
300
  if ( $status['url'] ) {
301
- $purchase_link = '<a id="' . $plugin->slug . '" class="button-primary buy" href="' . $status['url'] . '" title="'
302
  . esc_attr(sprintf(__( 'Buy %s', 'wpsc' ), $name)) . '">' . sprintf(__('<span>%s</span> Buy Now</a>', 'wpsc' ), $plugin->price);
303
  }
304
  break;
@@ -378,14 +378,14 @@ class Sputnik_List_Install extends WP_List_Table {
378
  switch ( $status['status'] ) {
379
  case 'purchase':
380
  if ( $status['url'] ) {
381
- $purchase_link = '<a id="' . $plugin->slug . '" class="button-primary buy status" href="' . $status['url'] . '" title="'
382
  . esc_attr(sprintf(__( 'Buy %s', 'wpsc' ), $name)) . '">' . __('Buy Now', 'wpsc' ) . '</a>';
383
  }
384
  break;
385
  case 'install':
386
  if ( $status['url'] ) {
387
  $status['url'] = add_query_arg(array('TB_iframe' => true, 'width' => 800, 'height' => 600), $status['url']);
388
- $purchase_link = '<a class="button install status" href="' . $status['url'] . '" title="'
389
  . esc_attr(sprintf(__( 'Install %s', 'wpsc' ), $name)) . '">' . __('Install', 'wpsc' ) . '</a>';
390
  }
391
  else {
@@ -396,7 +396,7 @@ class Sputnik_List_Install extends WP_List_Table {
396
  case 'update_available':
397
  if ( $status['url'] ) {
398
  $status['url'] = add_query_arg(array('TB_iframe' => true, 'width' => 800, 'height' => 600), $status['url']);
399
- $purchase_link = '<a class="button install" href="' . $status['url'] . '" title="'
400
  . esc_attr(sprintf(__( 'Update to version %s', 'wpsc' ), $status['version'])) . '">' . __('Update', 'wpsc' ) . '</a>';
401
  }
402
  else {
298
  switch ( $status['status'] ) {
299
  case 'purchase':
300
  if ( $status['url'] ) {
301
+ $purchase_link = '<a id="' . $plugin->slug . '" class="button-primary buy" href="' . esc_url( $status['url'] ) . '" title="'
302
  . esc_attr(sprintf(__( 'Buy %s', 'wpsc' ), $name)) . '">' . sprintf(__('<span>%s</span> Buy Now</a>', 'wpsc' ), $plugin->price);
303
  }
304
  break;
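Review bot: esc_url() on the href is the right fix, but the same anchor on line 301 (and line 381 in the next hunk) still interpolates `$plugin->slug` into the id attribute and `$plugin->price` into the link text; neither is escaped anywhere on the visible lines. Wrap them in esc_attr() and esc_html() respectively while this line is being touched.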
378
  switch ( $status['status'] ) {
379
  case 'purchase':
380
  if ( $status['url'] ) {
381
+ $purchase_link = '<a id="' . $plugin->slug . '" class="button-primary buy status" href="' . esc_url( $status['url'] ) . '" title="'
382
  . esc_attr(sprintf(__( 'Buy %s', 'wpsc' ), $name)) . '">' . __('Buy Now', 'wpsc' ) . '</a>';
383
  }
384
  break;
385
  case 'install':
386
  if ( $status['url'] ) {
387
  $status['url'] = add_query_arg(array('TB_iframe' => true, 'width' => 800, 'height' => 600), $status['url']);
388
+ $purchase_link = '<a class="button install status" href="' . esc_url( $status['url'] ) . '" title="'
389
  . esc_attr(sprintf(__( 'Install %s', 'wpsc' ), $name)) . '">' . __('Install', 'wpsc' ) . '</a>';
390
  }
391
  else {
396
  case 'update_available':
397
  if ( $status['url'] ) {
398
  $status['url'] = add_query_arg(array('TB_iframe' => true, 'width' => 800, 'height' => 600), $status['url']);
399
+ $purchase_link = '<a class="button install" href="' . esc_url( $status['url'] ) . '" title="'
400
  . esc_attr(sprintf(__( 'Update to version %s', 'wpsc' ), $status['version'])) . '">' . __('Update', 'wpsc' ) . '</a>';
401
  }
402
  else {
wpsc-components/merchant-core-v2/helpers/admin.php CHANGED
@@ -123,6 +123,7 @@ add_action(
123
  );
124
 
125
  function _wpsc_action_merchant_v2_submit_gateway_options() {
 
126
  if ( isset( $_POST['user_defined_name'] ) && is_array( $_POST['user_defined_name'] ) ) {
127
  $payment_gateway_names = get_option( 'payment_gateway_names' );
128
 
@@ -130,20 +131,21 @@ function _wpsc_action_merchant_v2_submit_gateway_options() {
130
  $payment_gateway_names = array( );
131
  }
132
  $payment_gateway_names = array_merge( $payment_gateway_names, (array)$_POST['user_defined_name'] );
133
- update_option( 'payment_gateway_names', $payment_gateway_names );
134
  }
 
135
  $custom_gateways = get_option( 'custom_gateway_options' );
136
 
137
  global $nzshpcrt_gateways;
138
  foreach ( $nzshpcrt_gateways as $gateway ) {
139
  if ( in_array( $gateway['internalname'], $custom_gateways ) ) {
140
  if ( isset( $gateway['submit_function'] ) ) {
141
- call_user_func_array( $gateway['submit_function'], array( ) );
142
  $changes_made = true;
143
  }
144
  }
145
  }
146
  if ( (isset( $_POST['payment_gw'] ) && $_POST['payment_gw'] != null ) ) {
147
- update_option( 'payment_gateway', $_POST['payment_gw'] );
148
  }
149
- }
123
  );
124
 
125
  function _wpsc_action_merchant_v2_submit_gateway_options() {
126
+
127
  if ( isset( $_POST['user_defined_name'] ) && is_array( $_POST['user_defined_name'] ) ) {
128
  $payment_gateway_names = get_option( 'payment_gateway_names' );
129
 
131
  $payment_gateway_names = array( );
132
  }
133
  $payment_gateway_names = array_merge( $payment_gateway_names, (array)$_POST['user_defined_name'] );
134
+ update_option( 'payment_gateway_names', array_map( 'sanitize_text_field', $payment_gateway_names ) );
135
  }
136
+
137
  $custom_gateways = get_option( 'custom_gateway_options' );
138
 
139
  global $nzshpcrt_gateways;
140
  foreach ( $nzshpcrt_gateways as $gateway ) {
141
  if ( in_array( $gateway['internalname'], $custom_gateways ) ) {
142
  if ( isset( $gateway['submit_function'] ) ) {
143
+ call_user_func_array( $gateway['submit_function'], array() );
144
  $changes_made = true;
145
  }
146
  }
147
  }
148
  if ( (isset( $_POST['payment_gw'] ) && $_POST['payment_gw'] != null ) ) {
149
+ update_option( 'payment_gateway', sanitize_text_field( $_POST['payment_gw'] ) );
150
  }
151
+ }
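Review bot: Line 134 sanitises after the merge, so the names already stored in the option are re-sanitised on every save while the actual input, `(array) $_POST['user_defined_name']` on line 133, is the only part that needs it; sanitising there also avoids handing a nested array to sanitize_text_field(), which warns on non-strings. Line 149 stores the selected gateway as free text; $nzshpcrt_gateways is iterated on lines 140-141, so the submitted payment_gw can be checked against the registered internalname values instead of being accepted as any string.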
wpsc-components/merchant-core-v3/gateways/paypal-express-checkout.php CHANGED
@@ -69,7 +69,7 @@ class WPSC_Payment_Gateway_Paypal_Express_Checkout extends WPSC_Payment_Gateway
69
  public function filter_unselect_default( $fields ) {
70
  foreach ( $fields as $i=>$field ) {
71
  $fields[ $i ][ 'checked' ] = false;
72
- }
73
 
74
  return $fields;
75
  }
@@ -274,7 +274,7 @@ class WPSC_Payment_Gateway_Paypal_Express_Checkout extends WPSC_Payment_Gateway
274
  'token' => $token,
275
  'payer_id' => $PayerID,
276
  'message_id' => $this->purchase_log->get( 'sessionid' ),
277
- 'invoice' => $this->purchase_log->get( 'id' ),
278
  );
279
  $options += $this->checkout_data->get_gateway_data();
280
  $options += $this->purchase_log->get_gateway_data( parent::get_currency_code(), $this->get_currency_code() );
69
  public function filter_unselect_default( $fields ) {
70
  foreach ( $fields as $i=>$field ) {
71
  $fields[ $i ][ 'checked' ] = false;
72
+ }
73
 
74
  return $fields;
75
  }
274
  'token' => $token,
275
  'payer_id' => $PayerID,
276
  'message_id' => $this->purchase_log->get( 'sessionid' ),
277
+ 'invoice' => $this->purchase_log->get( 'id' ),
278
  );
279
  $options += $this->checkout_data->get_gateway_data();
280
  $options += $this->purchase_log->get_gateway_data( parent::get_currency_code(), $this->get_currency_code() );
wpsc-components/theme-engine-v1/helpers/ajax.php CHANGED
@@ -458,7 +458,7 @@ function wpsc_update_location() {
458
  * releases. Let's check for that.
459
  */
460
  if ( isset( $_POST['zipcode'] ) ) {
461
- wpsc_update_customer_meta( 'shippingpostcode', $_POST['zipcode'] );
462
  }
463
 
464
  /*
@@ -775,7 +775,7 @@ function wpsc_change_tax() {
775
  global $wpdb, $user_ID, $wpsc_customer_checkout_details;
776
 
777
  if ( isset( $_POST['billing_country'] ) ) {
778
- $wpsc_selected_country = $_POST['billing_country'];
779
  wpsc_update_customer_meta( 'billingcountry', $wpsc_selected_country );
780
  }
781
 
@@ -791,7 +791,7 @@ function wpsc_change_tax() {
791
  }
792
 
793
  if ( isset( $_POST['shipping_country'] ) ) {
794
- $wpsc_delivery_country = $_POST['shipping_country'];
795
  wpsc_update_customer_meta( 'shippingcountry', $wpsc_delivery_country );
796
  }
797
  if ( isset( $_POST['shipping_region'] ) ) {
@@ -916,7 +916,7 @@ function _wpsc_change_profile_country() {
916
  }
917
 
918
  function wpsc_shipping_same_as_billing(){
919
- wpsc_update_customer_meta( 'shippingSameBilling', $_POST['wpsc_shipping_same_as_billing'] );
920
  }
921
 
922
  function wpsc_update_shipping_quotes_on_shipping_same_as_billing() {
458
  * releases. Let's check for that.
459
  */
460
  if ( isset( $_POST['zipcode'] ) ) {
461
+ wpsc_update_customer_meta( 'shippingpostcode', sanitize_text_field( $_POST['zipcode'] ) );
462
  }
463
 
464
  /*
775
  global $wpdb, $user_ID, $wpsc_customer_checkout_details;
776
 
777
  if ( isset( $_POST['billing_country'] ) ) {
778
+ $wpsc_selected_country = sanitize_text_field( $_POST['billing_country'] );
779
  wpsc_update_customer_meta( 'billingcountry', $wpsc_selected_country );
780
  }
781
 
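Review bot: sanitize_text_field() on line 778 accepts any string for billing_country (line 794 in the next hunk does the same for shipping_country), yet the value is a country code. Validating it against the store's country list before wpsc_update_customer_meta() would reject junk values rather than persist them in customer meta.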
791
  }
792
 
793
  if ( isset( $_POST['shipping_country'] ) ) {
794
+ $wpsc_delivery_country = sanitize_text_field( $_POST['shipping_country'] );
795
  wpsc_update_customer_meta( 'shippingcountry', $wpsc_delivery_country );
796
  }
797
  if ( isset( $_POST['shipping_region'] ) ) {
916
  }
917
 
918
  function wpsc_shipping_same_as_billing(){
919
+ wpsc_update_customer_meta( 'shippingSameBilling', sanitize_text_field( $_POST['wpsc_shipping_same_as_billing'] ) );
920
  }
921
 
922
  function wpsc_update_shipping_quotes_on_shipping_same_as_billing() {
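Review bot: Line 919 reads $_POST['wpsc_shipping_same_as_billing'] without isset(), so the function emits an undefined-index notice when called without the field, and sanitize_text_field() stores whatever text was sent for what is a yes/no flag. Prefer `! empty( $_POST['wpsc_shipping_same_as_billing'] )` converted to the representation the meta expects.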
wpsc-components/theme-engine-v1/helpers/page.php CHANGED
@@ -1416,6 +1416,7 @@ function wpsc_this_page_url() {
1416
  } else {
1417
  $output = get_permalink( get_the_ID() );
1418
  }
 
1419
  return esc_url( $output );
1420
  }
1421
 
1416
  } else {
1417
  $output = get_permalink( get_the_ID() );
1418
  }
1419
+
1420
  return esc_url( $output );
1421
  }
1422
 
wpsc-components/theme-engine-v2/classes/cart-item-table-form.php CHANGED
@@ -45,17 +45,17 @@ class WPSC_Cart_Item_Table_Form extends WPSC_Cart_Item_Table {
45
 
46
  protected function tfoot_append() {
47
  $prev = isset( $_REQUEST['prev'] ) ? esc_attr( $_REQUEST['prev'] ) : '';
48
- $clear_cart_url = esc_url( add_query_arg( array(
49
  'prev' => $prev,
50
  '_wp_nonce' => wp_create_nonce( 'wpsc-clear-cart' ),
51
  ),
52
  wpsc_get_cart_url( 'clear' )
53
- ) );
54
  ?>
55
  <tr class="wpsc-cart-item-table-actions">
56
  <td></td>
57
  <td colspan="<?php echo count( $this->columns ) - 1; ?>">
58
- <a class="wpsc-button wpsc-button-small wpsc-clear-cart" href="<?php echo $clear_cart_url; ?>"><?php esc_html_e( 'Clear Cart', 'wpsc' ); ?></a>
59
  <input type="submit" class="wpsc-button wpsc-button-small wpsc-cart-update" name="update_quantity" value="<?php esc_html_e( 'Update Quantity', 'wpsc' ); ?>" />
60
  <input type="hidden" name="action" value="update_quantity" />
61
  <input type="hidden" name="prev" value="<?php echo $prev; ?> ">
45
 
46
  protected function tfoot_append() {
47
  $prev = isset( $_REQUEST['prev'] ) ? esc_attr( $_REQUEST['prev'] ) : '';
48
+ $clear_cart_url = add_query_arg( array(
49
  'prev' => $prev,
50
  '_wp_nonce' => wp_create_nonce( 'wpsc-clear-cart' ),
51
  ),
52
  wpsc_get_cart_url( 'clear' )
53
+ );
54
  ?>
55
  <tr class="wpsc-cart-item-table-actions">
56
  <td></td>
57
  <td colspan="<?php echo count( $this->columns ) - 1; ?>">
58
+ <a class="wpsc-button wpsc-button-small wpsc-clear-cart" href="<?php echo esc_url( $clear_cart_url ); ?>"><?php esc_html_e( 'Clear Cart', 'wpsc' ); ?></a>
59
  <input type="submit" class="wpsc-button wpsc-button-small wpsc-cart-update" name="update_quantity" value="<?php esc_html_e( 'Update Quantity', 'wpsc' ); ?>" />
60
  <input type="hidden" name="action" value="update_quantity" />
61
  <input type="hidden" name="prev" value="<?php echo $prev; ?> ">
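Review bot: Moving esc_url() to the output on line 58 is correct, but $prev on line 47 is still esc_attr()-escaped at capture time, so the value that add_query_arg() URL-encodes on line 49 is an HTML-entity-encoded string; capture the raw value with sanitize_text_field() and escape at each output instead. Separately, the hidden input on line 61 has a space after the closing PHP tag inside the value attribute, so the submitted prev always carries a trailing space (the same markup appears in cart-item-table-widget-form.php line 48).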
wpsc-components/theme-engine-v2/classes/cart-item-table-widget-form.php CHANGED
@@ -43,7 +43,7 @@ class WPSC_Cart_Item_Table_Widget_Form extends WPSC_Cart_Item_Table_Form {
43
  <tr class="wpsc-cart-item-table-actions">
44
  <td></td>
45
  <td colspan="<?php echo count( $this->columns ) - 1; ?>">
46
- <a class="wpsc-button wpsc-button-small wpsc-clear-cart" href="<?php echo $clear_cart_url; ?>"><?php esc_html_e( 'Clear Cart', 'wpsc' ); ?></a>
47
  <input type="hidden" name="action" value="update_quantity" />
48
  <input type="hidden" name="prev" value="<?php echo $prev; ?> ">
49
  </td>
43
  <tr class="wpsc-cart-item-table-actions">
44
  <td></td>
45
  <td colspan="<?php echo count( $this->columns ) - 1; ?>">
46
+ <a class="wpsc-button wpsc-button-small wpsc-clear-cart" href="<?php echo esc_url( $clear_cart_url ); ?>"><?php esc_html_e( 'Clear Cart', 'wpsc' ); ?></a>
47
  <input type="hidden" name="action" value="update_quantity" />
48
  <input type="hidden" name="prev" value="<?php echo $prev; ?> ">
49
  </td>
wpsc-core/wpsc-constants.php CHANGED
@@ -8,6 +8,7 @@ $wpsc_title_data = array();
8
  * _wpsc_is_session_started()
9
  *
10
  * Check if PHP session is started using method suggested on php.net
 
11
  * @since 3.8.14
12
  * @return boolean
13
  */
@@ -30,6 +31,7 @@ function _wpsc_is_session_started() {
30
  * wpsc_core_load_session()
31
  *
32
  * Load up the WPEC session
 
33
  * @return boolean
34
  */
35
  function wpsc_core_load_session() {
@@ -53,15 +55,15 @@ function wpsc_core_constants() {
53
 
54
  // Define Plugin version
55
  if ( ! defined( 'WPSC_VERSION' ) ) {
56
- define( 'WPSC_VERSION' , '3.9.3' );
57
  }
58
 
59
  if ( ! defined( 'WPSC_MINOR_VERSION' ) ) {
60
- define( 'WPSC_MINOR_VERSION' , '7fdd6de' );
61
  }
62
 
63
  if ( ! defined( 'WPSC_PRESENTABLE_VERSION' ) ) {
64
- define( 'WPSC_PRESENTABLE_VERSION', '3.9.3' );
65
  }
66
 
67
  // Define a salt to use when we hash, WPSC_SALT may be defined for us in our config file, so check first
8
  * _wpsc_is_session_started()
9
  *
10
  * Check if PHP session is started using method suggested on php.net
11
+ *
12
  * @since 3.8.14
13
  * @return boolean
14
  */
31
  * wpsc_core_load_session()
32
  *
33
  * Load up the WPEC session
34
+ *
35
  * @return boolean
36
  */
37
  function wpsc_core_load_session() {
55
 
56
  // Define Plugin version
57
  if ( ! defined( 'WPSC_VERSION' ) ) {
58
+ define( 'WPSC_VERSION' , '3.9.4' );
59
  }
60
 
61
  if ( ! defined( 'WPSC_MINOR_VERSION' ) ) {
62
+ define( 'WPSC_MINOR_VERSION' , '0b2bb1c' );
63
  }
64
 
65
  if ( ! defined( 'WPSC_PRESENTABLE_VERSION' ) ) {
66
+ define( 'WPSC_PRESENTABLE_VERSION', '3.9.4' );
67
  }
68
 
69
  // Define a salt to use when we hash, WPSC_SALT may be defined for us in our config file, so check first
wpsc-core/wpsc-functions.php CHANGED
@@ -918,3 +918,84 @@ function _wpsc_clear_wp_cache_on_version_change() {
918
  }
919
 
920
  add_action( 'admin_init', '_wpsc_clear_wp_cache_on_version_change', 1 );
918
  }
919
 
920
  add_action( 'admin_init', '_wpsc_clear_wp_cache_on_version_change', 1 );
921
+
922
+ /**
923
+ * Adds custom WP eCommerce tables to `tables_to_repair` array.
924
+ *
925
+ * WordPress provides a link, `admin_url( 'maint/repair.php' )`, that allows users to repair database tables.
926
+ * We find that this becomes necessary often times when visitor/visitor meta tables become corrupt.
927
+ * Symptoms of a corrupt visitor/meta table include disappearing carts, refreshing checkout pages, etc.
928
+ *
929
+ * In a future version, we will likely have a `System` page that would include a link to the repair.php page.
930
+ *
931
+ * @since 3.9.4
932
+ *
933
+ * @param array $tables Core tables
934
+ *
935
+ * @return array $tables Core + WP eCommerce tables
936
+ */
937
+ function wpsc_add_tables_to_repair( $tables ) {
938
+ global $wpec;
939
+
940
+ return array_merge( $wpec->setup_table_names(), $tables );
941
+ }
942
+
943
+ add_filter( 'tables_to_repair', 'wpsc_add_tables_to_repair' );
944
+
945
+ /**
946
+ * Checks visitor and visitor meta table for corruption.
947
+ *
948
+ * If tables are corrupted, site admins are alerted and given the ability to repair them.
949
+ *
950
+ * @since 3.9.4
951
+ * @return void
952
+ */
953
+ function wpsc_check_visitor_tables() {
954
+
955
+ // Don't check if current user is not a store admin or if we have checked in the last hour.
956
+ if ( wpsc_is_store_admin() && ! ( $check = get_transient( 'wpsc_tables_intact' ) ) ) {
957
+ global $wpdb;
958
+
959
+ $visitor_check = $wpdb->get_row( "CHECK TABLE {$wpdb->wpsc_visitors}" );
960
+ $visitor_meta_check = $wpdb->get_row( "CHECK TABLE {$wpdb->wpsc_visitormeta}" );
961
+
962
+ // If both tables are fine
963
+ if ( 'OK' == $visitor_check->Msg_text && 'OK' == $visitor_meta_check->Msg_text ) {
964
+ set_transient( 'wpsc_tables_intact', true, HOUR_IN_SECONDS );
965
+ return;
966
+ } else {
967
+ set_transient( 'wpsc_tables_intact', false, HOUR_IN_SECONDS );
968
+ }
969
+
970
+ add_action( 'all_admin_notices', 'wpsc_visitor_tables_need_repair' );
971
+ }
972
+ }
973
+
974
+ add_action( 'init', 'wpsc_check_visitor_tables' );
975
+
976
+ /**
977
+ * Adds admin notice to all screens, for store administators, when database tables are in need of repair.
978
+ *
979
+ * @since 3.9.4
980
+ * @return void
981
+ */
982
+ function wpsc_visitor_tables_need_repair() {
983
+ echo '<div class="error"><p>' . sprintf( __( 'It appears that your WP eCommerce database tables are in need of repair. This is very important for both security and performance. <a href="%s">Repair your tables now</a>. <br />Note: If you encounter errors upon repairing your tables, simply refresh the page.', 'wpsc' ), esc_url( admin_url( 'maint/repair.php' ) ) ) . '</p></div>';
984
+ }
985
+
986
+ /**
987
+ * Defines `WP_ALLOW_REPAIR` to true when WP eCommerce tables are in need of repair.
988
+ *
989
+ * @since 3.9.4
990
+ * @return void
991
+ */
992
+ function wpsc_repair_tables() {
993
+
994
+ $needs_repair = ! get_transient( 'wpsc_tables_intact' );
995
+
996
+ if ( ! defined( 'WP_ALLOW_REPAIR' ) && apply_filters( 'wpsc_tables_need_repair', $needs_repair ) && ( defined( 'WP_REPAIRING' ) && WP_REPAIRING ) ) {
997
+ define( 'WP_ALLOW_REPAIR', true );
998
+ }
999
+ }
1000
+
1001
+ add_action( 'wpsc_init', 'wpsc_repair_tables' );
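Review bot: get_transient() returns false both when the transient is missing and when `false` was stored, so the set_transient( 'wpsc_tables_intact', false, ... ) on line 967 never suppresses the re-check: while the tables are broken, lines 959-960 run CHECK TABLE on every store-admin request, and `$needs_repair` on line 994 is also true whenever the transient has simply expired. Store a string such as 'ok' / 'broken' and test it explicitly. More importantly, WP_ALLOW_REPAIR is a wp-config switch that WordPress documents as something to turn on briefly because maint/repair.php serves unauthenticated requests; line 997 defines it from plugin code whenever repair.php is the running script (WP_REPAIRING) and the transient is absent, which leaves REPAIR and OPTIMIZE of every table triggerable by any visitor until a store admin's request re-sets the transient. Gate this on an explicit, nonce-checked admin action from the notice on line 983, or at least on the transient holding the broken marker rather than on its absence. Minor: $wpdb->get_row() on lines 959-960 returns null when CHECK TABLE fails (for example, the table does not exist), and line 963 then reads Msg_text on null.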
wpsc-includes/form-display.functions.php CHANGED
@@ -117,7 +117,7 @@ function wpsc_select_product_file( $product_id = null ) {
117
  $output .= '<td style="padding-right: 30px;"><img src="'. $icon_url .'"><span>' . $file->post_title . '</span></td>';
118
  $output .= '<td>' . $file_size .'</td>';
119
  $output .= '<td>' . $file_type . '</td>';
120
- $output .= '<td><a href="' .$file_url .'">' . _x( 'Download', 'Digital download row UI', 'wpsc' ) . '</a><a data-file-name="' . esc_attr( $file->post_title ) . '" data-product-id="' . esc_attr( $product_id ) . '" data-nonce="' . esc_attr( $delete_nonce ) . '" class="file_delete_button" href="' .$deletion_url. '" >' . _x( "Delete", "Digital download row UI", "wpsc" ) . '</a></td>';
121
 
122
  $output .= '</tr>';
123
 
117
  $output .= '<td style="padding-right: 30px;"><img src="'. $icon_url .'"><span>' . $file->post_title . '</span></td>';
118
  $output .= '<td>' . $file_size .'</td>';
119
  $output .= '<td>' . $file_type . '</td>';
120
+ $output .= '<td><a href="' . esc_url( $file_url ) .'">' . _x( 'Download', 'Digital download row UI', 'wpsc' ) . '</a><a data-file-name="' . esc_attr( $file->post_title ) . '" data-product-id="' . esc_attr( $product_id ) . '" data-nonce="' . esc_attr( $delete_nonce ) . '" class="file_delete_button" href="' .$deletion_url. '" >' . _x( "Delete", "Digital download row UI", "wpsc" ) . '</a></td>';
121
 
122
  $output .= '</tr>';
123
 
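Review bot: Line 120 now escapes $file_url but leaves $deletion_url in the second href on the same line unescaped, and line 117 above still prints $icon_url and $file->post_title raw. Apply esc_url() to $deletion_url and $icon_url and esc_html() to the title so the whole row is escaped consistently.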
wpsc-includes/purchase-log.class.php CHANGED
@@ -160,11 +160,15 @@ class WPSC_Purchase_Log {
160
  if ( $product->post->_wpsc_stats === '' ) {
161
  $needs_fetching[] = $product->post->ID;
162
  } else {
 
163
  // tally up the sales and earnings if this one has cache already
164
- $prod_meta = get_post_meta( $product->post->ID, '_wpsc_stats', true );
165
  $stats['sales'] += $prod_meta['sales'];
166
  $stats['earnings'] += $prod_meta['earnings'];
167
- $needs_fetching[] = $product->post->ID;
 
168
  }
169
  }
170
  }
160
  if ( $product->post->_wpsc_stats === '' ) {
161
  $needs_fetching[] = $product->post->ID;
162
  } else {
163
+
164
  // tally up the sales and earnings if this one has cache already
165
+ $prod_meta = get_post_meta( $product->post->ID, '_wpsc_stats', true );
166
+
167
+ if ( isset( $prod_meta['sales'] ) && isset( $prod_meta['earnings'] ) ) {
168
  $stats['sales'] += $prod_meta['sales'];
169
  $stats['earnings'] += $prod_meta['earnings'];
170
+ }
171
+ $needs_fetching[] = $product->post->ID;
172
  }
173
  }
174
  }
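Review bot: The isset() guard on line 167 fixes the notice for a malformed _wpsc_stats entry, but line 171 still pushes the product into $needs_fetching in the branch where its cached figures were just added to the tally. If the fetch that follows re-adds those products, their sales and earnings are counted twice; if the re-fetch is intended (say, to refresh a stale cache), a comment saying so would help the next reader, and arguably only the malformed case (isset() false) should re-queue.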
wpsc-includes/stats.functions.php CHANGED
@@ -37,13 +37,13 @@ function _wpsc_action_update_product_stats( $log_id, $new_status, $old_status, $
37
  $diff_sales = $yay_or_boo * (int) $cart_item->quantity;
38
  $diff_earnings = $yay_or_boo * (int) $cart_item->price * (int) $cart_item->quantity;
39
 
40
- $product->sales += $diff_sales;
41
  $product->earnings += $diff_earnings;
42
 
43
  // if this product has parent, make the same changes to the parent
44
  if ( $product->post->post_parent ) {
45
  $parent = WPSC_Product::get_instance( $product->post->post_parent );
46
- $parent->sales += $diff_sales;
47
  $parent->earnings += $diff_earnings;
48
  }
49
  }
37
  $diff_sales = $yay_or_boo * (int) $cart_item->quantity;
38
  $diff_earnings = $yay_or_boo * (int) $cart_item->price * (int) $cart_item->quantity;
39
 
40
+ $product->sales += $diff_sales;
41
  $product->earnings += $diff_earnings;
42
 
43
  // if this product has parent, make the same changes to the parent
44
  if ( $product->post->post_parent ) {
45
  $parent = WPSC_Product::get_instance( $product->post->post_parent );
46
+ $parent->sales += $diff_sales;
47
  $parent->earnings += $diff_earnings;
48
  }
49
  }
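Review bot: The `-`/`+` pairs for `$product->sales += $diff_sales;` and `$parent->sales += $diff_sales;` are textually identical as rendered, so this hunk appears to be whitespace-only; if it is meant to be the "Notices on stats saving" fix from the changelog, the actual change is not visible here and deserves a mention in the commit message. Separately, on context line 38 `(int) $cart_item->price` truncates fractional prices before multiplying, so `$diff_earnings` undercounts any non-integer unit price; casting to `(float)` (or leaving the cast off and keeping only the quantity as an integer) would preserve the cents.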
wpsc-includes/wpsc-meta-visitor.php CHANGED
@@ -878,6 +878,10 @@ function wpsc_add_visitor_meta( $visitor_id, $meta_key, $meta_value, $unique = f
878
  return false;
879
  }
880
 
 
 
 
 
881
  // Allow central validation (and possibly transformation) of visitor meta prior to it being saved
882
  $meta_key = _wpsc_validate_visitor_meta_key( $meta_key );
883
 
@@ -906,6 +910,10 @@ function wpsc_delete_visitor_meta( $visitor_id, $meta_key, $meta_value = '' ) {
906
  return false;
907
  }
908
 
 
 
 
 
909
  // Allow central validation (and possibly transformation) of visitor meta prior to it being saved
910
  $meta_key = _wpsc_validate_visitor_meta_key( $meta_key );
911
 
@@ -941,6 +949,10 @@ function wpsc_get_visitor_meta( $visitor_id, $meta_key = '', $single = false ) {
941
  return false;
942
  }
943
 
 
 
 
 
944
  // Allow central validation (and possibly transformation) of visitor meta prior to it being saved
945
  $meta_key = _wpsc_validate_visitor_meta_key( $meta_key );
946
 
@@ -1005,6 +1017,10 @@ function wpsc_update_visitor_meta( $visitor_id, $meta_key, $meta_value, $prev_va
1005
  return false;
1006
  }
1007
 
 
 
 
 
1008
  // Allow central validation (and possibly transformation) of visitor meta prior to it being saved
1009
  $meta_key = _wpsc_validate_visitor_meta_key( $meta_key );
1010
 
878
  return false;
879
  }
880
 
881
+ if ( $visitor_id == WPSC_BOT_VISITOR_ID ) {
882
+ return false;
883
+ }
884
+
885
  // Allow central validation (and possibly transformation) of visitor meta prior to it being saved
886
  $meta_key = _wpsc_validate_visitor_meta_key( $meta_key );
887
 
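Review bot: The bot short-circuit uses a loose `==` against `WPSC_BOT_VISITOR_ID`, and the constant's definition is not part of this diff; if it is an integer and `$visitor_id` can arrive as a string, PHP's loose comparison will coerce, so prefer `(int) $visitor_id === WPSC_BOT_VISITOR_ID` (or a strict comparison against whatever type the constant actually has). The same four-line guard is repeated in all four functions in this file; a small helper such as `_wpsc_is_bot_visitor( $visitor_id )` would keep the comparison in one place.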
910
  return false;
911
  }
912
 
913
+ if ( $visitor_id == WPSC_BOT_VISITOR_ID ) {
914
+ return false;
915
+ }
916
+
917
  // Allow central validation (and possibly transformation) of visitor meta prior to it being saved
918
  $meta_key = _wpsc_validate_visitor_meta_key( $meta_key );
919
 
949
  return false;
950
  }
951
 
952
+ if ( $visitor_id == WPSC_BOT_VISITOR_ID ) {
953
+ return $single ? '' : array();
954
+ }
955
+
956
  // Allow central validation (and possibly transformation) of visitor meta prior to it being saved
957
  $meta_key = _wpsc_validate_visitor_meta_key( $meta_key );
958
 
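Review bot: Returning `$single ? '' : array()` for the bot visitor matches the shape a caller expects from a successful lookup with nothing stored, which is the right choice for a getter, but the three sibling functions in this file return `false` for the same condition; note in each docblock that `WPSC_BOT_VISITOR_ID` is treated as "no meta" rather than an error, since a caller checking `=== false` on the getter will not detect the bot case.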
1017
  return false;
1018
  }
1019
 
1020
+ if ( $visitor_id == WPSC_BOT_VISITOR_ID ) {
1021
+ return false;
1022
+ }
1023
+
1024
  // Allow central validation (and possibly transformation) of visitor meta prior to it being saved
1025
  $meta_key = _wpsc_validate_visitor_meta_key( $meta_key );
1026
 
wpsc-merchants/chronopay.php CHANGED
@@ -292,32 +292,32 @@ function submit_chronopay()
292
  {
293
  if(isset($_POST['chronopay_product_id']))
294
  {
295
- update_option('chronopay_product_id', $_POST['chronopay_product_id']);
296
  }
297
 
298
  if(isset($_POST['chronopay_product_name']))
299
  {
300
- update_option('chronopay_product_name', $_POST['chronopay_product_name']);
301
  }
302
 
303
  if(isset($_POST['chronopay_curcode']))
304
  {
305
- update_option('chronopay_curcode', $_POST['chronopay_curcode']);
306
  }
307
 
308
  if(isset($_POST['chronopay_language']))
309
  {
310
- update_option('chronopay_language', $_POST['chronopay_language']);
311
  }
312
 
313
  if(isset($_POST['chronopay_url']))
314
  {
315
- update_option('chronopay_url', $_POST['chronopay_url']);
316
  }
317
 
318
  if(isset($_POST['chronopay_salt']))
319
  {
320
- update_option('chronopay_salt', $_POST['chronopay_salt']);
321
  }
322
 
323
  if(isset($_POST['chronopay_debug']))
@@ -328,7 +328,7 @@ function submit_chronopay()
328
  if (!isset($_POST['chronopay_form'])) $_POST['chronopay_form'] = array();
329
  foreach((array)$_POST['chronopay_form'] as $form => $value)
330
  {
331
- update_option(('chronopay_form_'.$form), $value);
332
  }
333
  return true;
334
  }
292
  {
293
  if(isset($_POST['chronopay_product_id']))
294
  {
295
+ update_option('chronopay_product_id', sanitize_text_field( $_POST['chronopay_product_id'] ) );
296
  }
297
 
298
  if(isset($_POST['chronopay_product_name']))
299
  {
300
+ update_option('chronopay_product_name', sanitize_text_field( $_POST['chronopay_product_name'] ) );
301
  }
302
 
303
  if(isset($_POST['chronopay_curcode']))
304
  {
305
+ update_option('chronopay_curcode', sanitize_text_field( $_POST['chronopay_curcode'] ) );
306
  }
307
 
308
  if(isset($_POST['chronopay_language']))
309
  {
310
+ update_option('chronopay_language', sanitize_text_field( $_POST['chronopay_language'] ) );
311
  }
312
 
313
  if(isset($_POST['chronopay_url']))
314
  {
315
+ update_option('chronopay_url', esc_url_raw( $_POST['chronopay_url'] ) );
316
  }
317
 
318
  if(isset($_POST['chronopay_salt']))
319
  {
320
+ update_option('chronopay_salt', sanitize_text_field( $_POST['chronopay_salt'] ) );
321
  }
322
 
323
  if(isset($_POST['chronopay_debug']))
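Review bot: `sanitize_text_field()` is the right baseline for the free-text options, but `chronopay_curcode` and `chronopay_language` are fixed-vocabulary values and would be safer validated against an allowlist of accepted codes rather than only stripped of tags. No nonce or capability check is visible in this hunk's context; if `submit_chronopay()` can run without one performed by the caller, the sanitization alone does not stop an unauthorised settings change.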
328
  if (!isset($_POST['chronopay_form'])) $_POST['chronopay_form'] = array();
329
  foreach((array)$_POST['chronopay_form'] as $form => $value)
330
  {
331
+ update_option(('chronopay_form_'.sanitize_text_field( $form ) ), sanitize_text_field( $value ) );
332
  }
333
  return true;
334
  }
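Review bot: `$form` becomes part of the option name (`'chronopay_form_' . $form`), and `sanitize_text_field()` still permits spaces, slashes and most punctuation; `sanitize_key( $form )` is the WordPress helper intended for identifiers and would confine the stored option names to lowercase alphanumerics, dashes and underscores.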
wpsc-merchants/paypal-express.merchant.php CHANGED
@@ -889,7 +889,7 @@ function paypal_processingfunctions(){
889
  } else {
890
 
891
  wpsc_update_customer_meta( 'paypal_express_token' , $_REQUEST['token'] );
892
- wpsc_update_customer_meta( 'paypal_express_payer_id', $_REQUEST['PayerID'] );
893
 
894
  $resArray = wpsc_get_customer_meta( 'paypal_express_reshash' );
895
 
@@ -973,8 +973,6 @@ function paypal_processingfunctions(){
973
 
974
  }
975
 
976
-
977
-
978
  function paypal_hash_call( $methodName, $nvpStr ) {
979
  //declaring of variables
980
  $version = 71;
889
  } else {
890
 
891
  wpsc_update_customer_meta( 'paypal_express_token' , $_REQUEST['token'] );
892
+ wpsc_update_customer_meta( 'paypal_express_payer_id', sanitize_text_field( $_REQUEST['PayerID'] ) );
893
 
894
  $resArray = wpsc_get_customer_meta( 'paypal_express_reshash' );
895
 
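Review bot: The `+` line sanitizes `$_REQUEST['PayerID']`, but the unchanged line directly above it still writes `$_REQUEST['token']` through `wpsc_update_customer_meta()` with no sanitization; apply `sanitize_text_field()` to the token as well so both request values stored in customer meta are handled the same way.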
973
 
974
  }
975
 
 
 
976
  function paypal_hash_call( $methodName, $nvpStr ) {
977
  //declaring of variables
978
  $version = 71;