Ensure transaction URLs are urlencoded before passed to add_query_arg() to follow best practice

[brucealdridge]

URLs query string parameters used for links to the transaction details are not URL-encoded properly.

add_query_arg() does not encode the parameter value. It expects the parameter value already encoded which currently, it is not url-encoded.

// current
-/wp-admin/admin.php?page=wc-admin&path=/payments/transactions/details&id=ch_123

// preferred
+/wp-admin/admin.php?page=wc-admin&path=%2Fpayments%2Ftransactions%2Fdetails&id=ch_123

Note

Nothing breaks due to this issue. It's just that it's not a best practice that was picked up from #9788.

woocommerce-payments/includes/class-wc-payments-utils.php

Lines 962 to 982 in 320f0ed

	public static function compose_transaction_url( $primary_id, $fallback_id, $query_args = [] ) {
	if ( empty( $fallback_id ) && empty( $primary_id ) ) {
	return '';
	}
	if ( strpos( $primary_id, 'seti_' ) !== false ) {
	return '';
	}
	return add_query_arg( // nosemgrep: audit.php.wp.security.xss.query-arg -- server generated url is passed in.
	array_merge(
	[
	'page' => 'wc-admin',
	'path' => '/payments/transactions/details',
	'id' => self::get_transaction_url_id( $primary_id, $fallback_id ),
	],
	$query_args
	),
	admin_url( 'admin.php' )
	);
	}