Remove XSS vulnerabilities

This commit is contained in:
Rene Vergara 2023-06-23 09:29:08 -05:00
parent 0dd89a0e7f
commit 08690a29a5
Signed by: pitmutt
GPG key ID: 65122AD495A7F5B2


@ -35,23 +35,23 @@ class zpmt_stats_page {
$wpdb->query($sql); $wpdb->query($sql);
if ( ! $this->pmtLstRdy() ) { if ( ! $this->pmtLstRdy() ) {
// //
// Calculate first time pagination paramters // Calculate first time pagination paramters
// //
$this->_limit = 10; $this->_limit = 10;
$this->_page = 1; $this->_page = 1;
$this->_offset = 0; $this->_offset = 0;
$this->_npages = intdiv($this->_nrows,$this->_limit); $this->_npages = intdiv($this->_nrows,$this->_limit);
if ( $this->_nrows > ($this->_npages*$this->_limit) ) { if ( $this->_nrows > ($this->_npages*$this->_limit) ) {
$this->_npages++; $this->_npages++;
} }
$sql = 'insert into zgo_pmtlst (pg_ix,pg_page,pg_npages,pg_offset,pg_limit) values (1,' . $sql = 'insert into zgo_pmtlst (pg_ix,pg_page,pg_npages,pg_offset,pg_limit) values (1,' .
$this->_page . ',' . $this->_page . ',' .
$this->_npages . ',' . $this->_npages . ',' .
$this->_offset . ',' . $this->_offset . ',' .
$this->_limit .')'; $this->_limit .')';
$wpdb->query($sql); $wpdb->query($sql);
} else { } else {
// Load last state // Load last state
$params = $this->pmtLstParams(); $params = $this->pmtLstParams();
@ -232,9 +232,9 @@ class zpmt_stats_page {
font-weight: 600;">'; font-weight: 600;">';
} }
$line++; $line++;
print '<td><a href="https://dev.zgo.cash/invoice/' . $row->pmt_orderid . '" target="_blank">' . $row->pmt_orderid . "</a></td>"; print '<td><a href="https://dev.zgo.cash/invoice/' . htmlentities($row->pmt_orderid, ENT_QUOTES) . '" target="_blank">' . htmlentities($row->pmt_orderid, ENT_QUOTES) . "</a></td>";
print "<td>" . $row->pmt_wc_order . "</td>"; print "<td>" . $row->pmt_wc_order . "</td>";
print "<td>" . $row->pmt_wc_custname . "</td>"; print "<td>" . htmlentities($row->pmt_wc_custname, ENT_QUOTES) . "</td>";
print '<td style="text-align:center;">'. $row->pmt_accepted . "</td>"; print '<td style="text-align:center;">'. $row->pmt_accepted . "</td>";
print '<td style="text-align:center;">'.$row->pmt_confirmed ."</td>"; print '<td style="text-align:center;">'.$row->pmt_confirmed ."</td>";
print '<td style="text-align:right;">'. number_format($row->pmt_amount,2) . "</td>"; print '<td style="text-align:right;">'. number_format($row->pmt_amount,2) . "</td>";
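Review bot: `$row->pmt_wc_order` on the second print line of this hunk is still emitted unescaped while the neighbouring `pmt_orderid` and `pmt_wc_custname` columns now go through htmlentities(); unless the schema guarantees that column is numeric, it should get the same treatment, `print "<td>" . htmlentities($row->pmt_wc_order, ENT_QUOTES) . "</td>";`, and the same question applies to `pmt_accepted` and `pmt_confirmed` on the two lines below it. For the `href` attribute, an attribute/URL-context escaper (this is WordPress code given `$wpdb`, which ships esc_url() and esc_attr()) is the conventional choice over htmlentities(), which is an HTML-body escaper. htmlentities() is also called without ENT_SUBSTITUTE, so a stored value containing an invalid UTF-8 sequence makes it return an empty string and the cell silently goes blank rather than failing visibly. The enclosing method starts and ends outside the hunk.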