__( 'Nonce validation failed', 'cartflows' ) ); wp_send_json_error( $response_data ); } if ( ! ( $post_id && is_array( $post_meta ) ) ) { return; } $allowed_html = array( 'a' => array( 'href' => array(), ), 'br' => array(), 'strong' => array(), 'p' => array(), 'span' => array(), ); foreach ( $post_meta as $key => $data ) { if ( ! isset( $_POST[ $key ] ) ) { continue; } $meta_value = false; // Sanitize values. $sanitize_filter = ( isset( $data['sanitize'] ) ) ? $data['sanitize'] : 'FILTER_DEFAULT'; switch ( $sanitize_filter ) { case 'FILTER_SANITIZE_STRING': $meta_value = isset( $_POST[ $key ] ) ? sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) : ''; break; case 'FILTER_SANITIZE_URL': $meta_value = filter_input( INPUT_POST, $key, FILTER_SANITIZE_URL ); break; case 'FILTER_SANITIZE_NUMBER_INT': $meta_value = filter_input( INPUT_POST, $key, FILTER_SANITIZE_NUMBER_INT ); break; case 'FILTER_CARTFLOWS_ARRAY': if ( isset( $_POST[ $key ] ) && is_array( $_POST[ $key ] ) ) { $meta_value = array_map( 'sanitize_text_field', wp_unslash( $_POST[ $key ] ) ); } break; case 'FILTER_SANITIZE_COLOR': // Sanitizes a hex color with #. $meta_value = sanitize_hex_color( $_POST[ $key ] ); break; case 'FILTER_SANITIZE_FONT_FAMILY': // FILTER_FLAG_NO_ENCODE_QUOTES - Do not encode the single and double quotes. $meta_value = isset( $_POST[ $key ] ) ? sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) : ''; break; case 'FILTER_WP_KSES': // It allow only tags that are defined in $allowed_html variable. $meta_value = wp_kses( $_POST[ $key ], $allowed_html ); break; case 'FILTER_SCRIPT': // Reason for ignoring phpcs rule: Here we are saving the custom JS script. Encoding it before sacing to db. No escaping function working here. $meta_value = htmlentities( wp_unslash( $_POST[ $key ] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized break; case 'FILTER_WP_KSES_POST': // wp_kses_post() allow only the same tags that are allowed in WP Posts. $meta_value = wp_kses_post( $_POST[ $key ] ); break; case 'FILTER_CARTFLOWS_CHECKOUT_PRODUCTS': if ( isset( $_POST[ $key ] ) && is_array( $_POST[ $key ] ) ) { $i = 0; $q = 0; $post_data = wc_clean( $_POST[ $key ] ); foreach ( $post_data as $p_index => $p_data ) { if ( ! array_key_exists( 'product', $p_data ) ) { continue; } foreach ( $p_data as $i_key => $i_value ) { if ( is_array( $i_value ) ) { foreach ( $i_value as $q_key => $q_value ) { $meta_value[ $i ][ $i_key ][ $q ] = array_map( 'sanitize_text_field', $q_value ); $q++; } } else { $meta_value[ $i ][ $i_key ] = sanitize_text_field( $i_value ); } } $i++; } } break; case 'FILTER_CARTFLOWS_CHECKOUT_FIELDS': $count = 10; $ordered_fields = array(); $billing_shipping_fields = array(); if ( isset( $_POST[ $key ] ) && is_array( $_POST[ $key ] ) ) { // Ignoring sanitization rule as we are here to sanitize user input. $post_data = $_POST[ $key ]; //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized if ( 'wcf_field_order_billing' == $key || 'wcf_field_order_shipping' == $key ) { $type_of_fields = ltrim( $key, 'wcf_field_order_' ); $billing_shipping_fields = \Cartflows_Helper::get_checkout_fields( $type_of_fields, $post_id ); foreach ( $post_data as $field_key_name => $value ) { if ( isset( $billing_shipping_fields[ $field_key_name ] ) ) { $is_custom_field = isset( $billing_shipping_fields[ $field_key_name ]['custom'] ) ? $billing_shipping_fields[ $field_key_name ]['custom'] : false; $ordered_fields[ $field_key_name ] = $billing_shipping_fields[ $field_key_name ]; $ordered_fields[ $field_key_name ]['priority'] = $count; $count += 10; $placeholder_text = ! empty( $value['placeholder'] ) ? wc_clean( stripslashes( $value['placeholder'] ) ) : ''; $ordered_fields[ $field_key_name ]['width'] = intval( $value['width'] ); $ordered_fields[ $field_key_name ]['label'] = wp_kses_post( trim( stripslashes( $value['label'] ) ) ); $ordered_fields[ $field_key_name ]['placeholder'] = $placeholder_text; $ordered_fields[ $field_key_name ]['default'] = wp_kses_post( trim( stripslashes( $value['default'] ) ) ); $ordered_fields[ $field_key_name ]['required'] = 'yes' === $value['required'] ? true : false; $ordered_fields[ $field_key_name ]['optimized'] = 'yes' === $value['optimized'] ? true : false; $ordered_fields[ $field_key_name ]['enabled'] = 'yes' === $value['enabled'] ? true : false; $ordered_fields[ $field_key_name ]['options'] = ''; if ( isset( $value['options'] ) && $value['options'] ) { $options = explode( '|', $value['options'] ); $options = AdminHelper::sanitize_array_values( $options ); $ordered_fields[ $field_key_name ]['options'] = array_combine( array_keys( $options ), $options ); } if ( ! empty( $value['custom_attributes'] ) ) { $ordered_fields[ $field_key_name ]['custom_attributes'] = wc_clean( $value['custom_attributes'] ); } if ( true === $is_custom_field ) { $ordered_fields[ $field_key_name ]['show_in_email'] = isset( $value['show_in_email'] ) && 'yes' === $value['show_in_email'] ? true : false; } } } $meta_value = $ordered_fields; } } break; case 'FILTER_CARTFLOWS_OPTIN_FIELDS': $count = 10; $ordered_fields = array(); $billing_shipping_fields = array(); if ( isset( $_POST[ $key ] ) && is_array( $_POST[ $key ] ) ) { // Ignoring sanitization rule as we are here to sanitize user input. $post_data = $_POST[ $key ]; //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized if ( 'wcf-optin-fields-billing' === $key ) { $type_of_fields = 'billing'; $billing_shipping_fields = \Cartflows_Helper::get_optin_fields( $type_of_fields, $post_id ); foreach ( $post_data as $field_key_name => $value ) { if ( isset( $billing_shipping_fields[ $field_key_name ] ) ) { $is_custom_field = isset( $billing_shipping_fields[ $field_key_name ]['custom'] ) ? $billing_shipping_fields[ $field_key_name ]['custom'] : false; $ordered_fields[ $field_key_name ] = $billing_shipping_fields[ $field_key_name ]; $placeholder_text = ! empty( $value['placeholder'] ) ? wc_clean( stripslashes( $value['placeholder'] ) ) : ''; $ordered_fields[ $field_key_name ]['priority'] = $count; $count += 10; $ordered_fields[ $field_key_name ]['width'] = intval( $value['width'] ); $ordered_fields[ $field_key_name ]['label'] = wp_kses_post( trim( stripslashes( $value['label'] ) ) ); $ordered_fields[ $field_key_name ]['placeholder'] = $placeholder_text; $ordered_fields[ $field_key_name ]['default'] = wp_kses_post( trim( stripslashes( $value['default'] ) ) ); $ordered_fields[ $field_key_name ]['required'] = 'yes' === $value['required'] ? true : false; $ordered_fields[ $field_key_name ]['enabled'] = 'yes' === $value['enabled'] ? true : false; $ordered_fields[ $field_key_name ]['options'] = ''; if ( isset( $value['options'] ) && $value['options'] ) { $options = explode( '|', $value['options'] ); $options = AdminHelper::sanitize_array_values( $options ); $ordered_fields[ $field_key_name ]['options'] = array_combine( array_keys( $options ), $options ); } if ( ! empty( $value['custom_attributes'] ) ) { $ordered_fields[ $field_key_name ]['custom_attributes'] = wc_clean( $value['custom_attributes'] ); } if ( true === $is_custom_field ) { $ordered_fields[ $field_key_name ]['show_in_email'] = isset( $value['show_in_email'] ) && 'yes' === $value['show_in_email'] ? true : false; } } } $meta_value = $ordered_fields; } } break; default: if ( 'FILTER_DEFAULT' === $sanitize_filter ) { $meta_value = isset( $_POST[ $key ] ) ? sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) : ''; } else { $meta_value = apply_filters( 'cartflows_admin_save_meta_field_values', $meta_value, $post_id, $key, $sanitize_filter, $action ); } break; } if ( is_null( $meta_value ) ) { continue; } if ( false !== $meta_value ) { update_post_meta( $post_id, $key, $meta_value ); } else { // To delete the wcf-checkout-products if empty. delete_post_meta( $post_id, $key ); } } } }