All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Add stoken to EasyCreditDispatcher redirect to fix checkSessionChallenge() always failing in frontend
- Add error logging to loadAgreementTxt() instead of silently swallowing exceptions
- Add error message to checkEasyCreditExampleCalulation() when API call fails
- Display collected error messages to user via OXID error display when isEasyCreditPossible() returns false
- Add CSRF protection (checkSessionChallenge) to EasyCreditDispatcherController::initializeandredirect()
- Migrate serialize/unserialize to json_encode/json_decode for order confirmation response (EasyCreditOrder)
- Add `allowed_classes` restriction to unserialize() in EasyCreditOrderEasyCreditController (backward-compatible with existing serialized data)
- Add `allowed_classes` restriction to unserialize() in EasyCreditSession::getStorage()
- Escape easyCredit API data (paymentPlanTxt) with htmlspecialchars in EasyCreditOrderController
- Replace `getRawValue()` with `value` for payment description in Smarty template
- Replace MD5 with SHA-256 for payment integrity hash in EasyCreditInitializeRequestBuilder
- Add SECURITY.md documenting known security considerations and intentionally unfixed items
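The deserialization, JSON-migration and output-escaping changes above, shown as an added example (not the module's own code): the unrestricted unserialize() call beside the `allowed_classes` form, a constructed legacy payload confirming the restriction is backward-compatible for array data, and the JSON helpers assumed to replace serialize()/unserialize() for the confirmation response.

```php
<?php
// Added example, not code from the easyCredit module. Assumes stored
// session/order payloads are arrays of scalars, as the changelog implies.

/** Before: any class name embedded in the payload is instantiated. */
function loadStorageUnrestricted(string $raw): mixed
{
    return unserialize($raw);
}

/** After: objects are refused; arrays and scalars round-trip unchanged. */
function loadStorageRestricted(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

/** serialize() -> JSON migration for the order confirmation response. */
function encodeConfirmation(array $response): string
{
    return json_encode($response, JSON_THROW_ON_ERROR);
}

function decodeConfirmation(string $json): array
{
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed legacy payload, written the way the old code stored it.
$legacy = serialize(['paymentPlanTxt' => '12 x 41,67 EUR <b>', 'amount' => 500.0]);

// Backward compatibility: both calls yield the identical array.
if (loadStorageRestricted($legacy) !== loadStorageUnrestricted($legacy)) {
    throw new RuntimeException('allowed_classes changed array decoding');
}

// Constructed payload carrying an object: with allowed_classes => false it
// decodes to __PHP_Incomplete_Class rather than a live instance.
$objectPayload = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';
if (!(loadStorageRestricted($objectPayload) instanceof __PHP_Incomplete_Class)) {
    throw new RuntimeException('object was instantiated from stored data');
}

// JSON round-trip for the confirmation response (no class names possible).
$confirmation = decodeConfirmation(encodeConfirmation(['status' => 'ok']));

// Output side: escape API-supplied text before it reaches the Smarty template.
echo htmlspecialchars(loadStorageRestricted($legacy)['paymentPlanTxt'], ENT_QUOTES, 'UTF-8');
```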