Merge pull request #218 from moderntribe/release/3.22.0

Package version 3.22.0

Author: becomevocal

CHANGELOG.md

@@ -1,9 +1,20 @@
 # Changelog
 
+## [3.22.0]
+
+### Added
+- Segment support for cross-domain analytics with Google Analytics. It enables the
+  `autoLinker` plugin feature for GA.
+- Enforce BigCommerce password requirements when registering new customers
+- Display category description on product category pages
+
+### Changed
+- Data Sanitization/Escaping code refactor for WPVIP compliance
+
 ## [3.21.0]
 
 ### Added
-- Added manuall site URL sync option in the Diagnostics panel
+- Added manual site URL sync option in the Diagnostics panel
 
 ### Changed
 - Modified admin import timeout message
@@ -22,7 +33,7 @@
 
 ### Fixed
 
-- Fixed an issue with product grids where Ajax to cart is enabled but no simple products are on the page. This would 
+- Fixed an issue with product grids where Ajax to cart is enabled but no simple products are on the page. This would
   cause the Add to Cart button on Quick View to redirect to the cart page instead of an ajax submission.
 
 - Fixed Google SiteKit plugin breaking Settings page.
@@ -36,7 +47,7 @@
 
 ### Fixed
 
-- Featured and regular product sort order reflect order in BC store 
+- Featured and regular product sort order reflect order in BC store
 
 
 ## [3.18.1]
@@ -50,7 +61,7 @@
 
 ### Added
 
-- Added support for new larger image size and zoom features on the PDP in multiple 
+- Added support for new larger image size and zoom features on the PDP in multiple
   supported WordPress themes.
 - Added version numbers to templates. Diagnostics panel will now check major versions of overridden files.
 - Support for Flatsome theme added starting with version 3.10.1 of the theme.
@@ -1207,6 +1218,7 @@
   in fact, reset postdata, so far as Gutenberg 3.2.0 is concerned.
 
 
+[3.22.0]: https://github.com/bigcommerce/bigcommerce-for-wordpress/compare/3.21.0...3.22.0
 [3.21.0]: https://github.com/bigcommerce/bigcommerce-for-wordpress/compare/3.20.0...3.21.0
 [3.20.0]: https://github.com/bigcommerce/bigcommerce-for-wordpress/compare/3.19.0...3.20.0
 [3.19.0]: https://github.com/bigcommerce/bigcommerce-for-wordpress/compare/3.18.1...3.19.0

assets/js/dist/scripts.js

@@ -4,6 +4,7 @@
  */
 
 import delegate from 'delegate';
+import { STORE_DOMAIN } from 'publicConfig/wp-settings';
 import * as tools from '../../utils/tools';
 
 const el = {
@@ -44,6 +45,13 @@ const handleClickTracker = (e) => {
 	console.info(`Segment has sent the following tracking data to your analytics account(s): ${analyticsData}`);
 };
 
+const gaCrossDomainInit = async () => {
+	await analytics.ready(() => {
+		ga('require', 'linker');
+		ga('linker:autoLink', [STORE_DOMAIN]);
+	});
+};
+
 const bindEvents = () => {
 	tools.getNodes('bc-product-loop-card', true, document).forEach((product) => {
 		delegate(product, '[data-js="bc-product-quick-view-dialog-trigger"]', 'click', handleClickTracker);
@@ -60,6 +68,7 @@ const init = () => {
 		return;
 	}
 
+	gaCrossDomainInit();
 	bindEvents();
 	handleAddToCartTracker();
 };

assets/js/dist/scripts.min.js

@@ -10,3 +10,4 @@ export const PRODUCT_MESSAGES = CONFIG.product.messages || '';
 export const PRICING_API_URL = CONFIG.pricing.api_url || '';
 export const PRICING_API_NONCE = CONFIG.pricing.ajax_pricing_nonce || '';
 export const MINI_CART = CONFIG.cart.mini_cart.enabled || false;
+export const STORE_DOMAIN = CONFIG.store_domain || '';

assets/js/dist/vendor.js

@@ -3,7 +3,7 @@
 Plugin Name:  BigCommerce for WordPress
 Description:  Scale your ecommerce business with WordPress on the front-end and BigCommerce on the back end. Free up server resources from things like catalog management, processing payments, and managing fulfillment logistics.
 Author:       BigCommerce
-Version:      3.21.0
+Version:      3.22.0
 Author URI:   https://www.bigcommerce.com/wordpress
 Requires PHP: 5.6.24
 Text Domain:  bigcommerce

assets/js/dist/vendor.min.js

@@ -1,2 +1,2 @@
 <?php
-define('BIGCOMMERCE_ASSETS_BUILD_TIMESTAMP', '3.04.07.03.2020');
+define('BIGCOMMERCE_ASSETS_BUILD_TIMESTAMP', '5.44.07.17.2020');

assets/js/src/public/buttons/analytics.js

@@ -3,7 +3,7 @@ Contributors: bigcommerce, moderntribe, jbrinley, becomevocal, vincentlistrani,
 Tags: ecommerce, online store, sell online, storefront, retail, online shop, bigcommerce, big commerce, e-commerce, physical products, buy buttons, commerce, shopping cart, checkout, cart, shop, headless commerce, shipping, payments, fulfillment
 Requires at least: 4.6
 Tested up to: 5.3
-Stable tag: 3.21.0
+Stable tag: 3.22.0
 Requires PHP: 5.6.24
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html

assets/js/src/public/config/wp-settings.js

@@ -183,12 +183,13 @@ public function lostpassword_url( $login_url, $redirect ) {
 	public function lostpassword_error_handler( $error ) {
 
 		if ( ! $error->get_error_code() ) {
-			if ( strpos( $_POST[ 'user_login' ], '@' ) !== false ) {
+			$user_login = filter_input( INPUT_POST, 'user_login', FILTER_SANITIZE_STRING );
+			if ( strpos( $user_login, '@' ) !== false ) {
 				return; // WP has already checked it as an email address
 			}
-			if ( isset( $_POST[ 'user_login' ] ) ) { // WP doesn't add this as an error until after lostpassword_post
-				$user_data = get_user_by( 'login', $_POST[ 'user_login' ] );
-			}
+			// WP doesn't add this as an error until after lostpassword_post
+			$user_data = get_user_by( 'login', $user_login );
+			
 			if ( ! empty( $user_data ) ) {
 				return; // no errors
 			} else {

bigcommerce.php

@@ -42,7 +42,9 @@ public function sync_reset_password_with_bigcommerce( $user, $new_pass ) {
 	 * @action profile_update
 	 */
 	public function sync_password_change_with_bigcommerce( $user_id, $old_user_data ) {
-		if ( empty( $_POST['pass1'] ) ) { // $_POST is the only place we can find the plain text password
+		// $_POST is the only place we can find the plain text password
+		$pass1 = filter_input( INPUT_POST, 'pass1', FILTER_UNSAFE_RAW ); // phpcs:ignore
+		if ( empty( $pass1 ) ) {
 			return; // not a request to update a user's password
 		}
 		$sync = get_user_meta( $user_id, User_Profile_Settings::SYNC_PASSWORD, true );
@@ -55,7 +57,7 @@ public function sync_password_change_with_bigcommerce( $user_id, $old_user_data
 			return; // nothing changes
 		}
 
-		$this->set_password( $current_user, $_POST['pass1'] );
+		$this->set_password( $current_user, $pass1 );
 	}
 
 	/**

build-timestamp.php

@@ -22,21 +22,21 @@ public function render_profile_settings( $user ) {
 		}
 		$sync = get_user_meta( $user->ID, self::SYNC_PASSWORD, true );
 		?>
-		<h2><?php _e( 'BigCommerce', 'bigcommerce' ); ?></h2>
+		<h2><?php esc_html_e( 'BigCommerce', 'bigcommerce' ); ?></h2>
 		<table class="form-table">
 			<tr id="bigcommerce-sync-password" class="">
 				<th scope="row">
-					<?php _e( 'Authentication', 'bigcommerce' ); ?>
+					<?php esc_html_e( 'Authentication', 'bigcommerce' ); ?>
 					<?php wp_nonce_field( self::NONCE_ACTION, self::NONCE_NAME ); ?>
 				</th>
 				<td>
 					<label for="<?php echo esc_attr( self::SYNC_PASSWORD ); ?>">
 						<input id="<?php echo esc_attr( self::SYNC_PASSWORD ); ?>" type="checkbox"
 									 name="<?php echo esc_attr( self::SYNC_PASSWORD ); ?>" value="1" <?php checked( $sync ); ?> />
-						<?php _e( 'Synchronize Password', 'bigcommerce' ); ?>
+						<?php esc_html_e( 'Synchronize Password', 'bigcommerce' ); ?>
 					</label>
 					<p
-						class="description"><?php _e( "Validate the user's password with the BigCommerce API.", 'bigcommerce' ) ?></p>
+						class="description"><?php esc_html_e( "Validate the user's password with the BigCommerce API.", 'bigcommerce' ) ?></p>
 				</td>
 			</tr>
 		</table>
@@ -54,10 +54,9 @@ public function save_profile_settings( $user_id ) {
 		if ( ! current_user_can( 'edit_users' ) ) {
 			return;
 		}
-		if ( ! isset( $_POST[ self::NONCE_NAME ] ) ) {
-			return;
-		}
-		if ( ! wp_verify_nonce( $_POST[ self::NONCE_NAME ], self::NONCE_ACTION ) ) {
+
+		$nonce = filter_input( INPUT_POST, self::NONCE_NAME, FILTER_SANITIZE_STRING ); 
+		if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, self::NONCE_ACTION ) ) {
 			return;
 		}
 

readme.txt

@@ -31,7 +31,7 @@ public function set_tracking_attributes_on_success_message( $args, $data ) {
 			$args[ Message::ATTRIBUTES ] = array_merge( $args[ Message::ATTRIBUTES ], [
 				'data-tracking-trigger' => 'ready',
 				'data-tracking-event'   => 'add_to_cart',
-				'data-tracking-data'    => json_encode( [
+				'data-tracking-data'    => wp_json_encode( [
 					'cart_id'    => $data['cart_id'],
 					'post_id'    => $data['post_id'],
 					'product_id' => $data['product_id'],

src/BigCommerce/Accounts/Login.php

@@ -30,7 +30,7 @@ public function add_tracking_attributes_to_button( $options = [], $template = ''
 		$options[ View_Product_Button::ATTRIBUTES ] = array_merge( $options[ View_Product_Button::ATTRIBUTES ], [
 			'data-tracking-trigger' => 'click',
 			'data-tracking-event'   => 'view_product',
-			'data-tracking-data'    => json_encode( [
+			'data-tracking-data'    => wp_json_encode( [
 				'post_id'    => $product->post_id(),
 				'product_id' => $product->bc_id(),
 				'name'       => get_the_title( $product->post_id() ),
@@ -61,7 +61,7 @@ public function add_tracking_attributes_to_permalink( $options, $template ) {
 		$options[ Product_Title::LINK_ATTRIBUTES ] = array_merge( $options[ Product_Title::LINK_ATTRIBUTES ], [
 			'data-tracking-trigger' => 'click',
 			'data-tracking-event'   => 'view_product',
-			'data-tracking-data'    => json_encode( [
+			'data-tracking-data'    => wp_json_encode( [
 				'post_id'    => $product->post_id(),
 				'product_id' => $product->bc_id(),
 				'name'       => get_the_title( $product->post_id() ),

src/BigCommerce/Accounts/Password_Reset.php

@@ -18,7 +18,7 @@ public function render_tracking_code() {
 		<!-- Segment Analytics Code -->
 		<script type="text/javascript" data-js="bc-segment-tracker">
 			!function(){var analytics=window.analytics||[];if(!analytics.initialize)if(analytics.invoked)window.console&&console.error&&console.error("Segment snippet included twice.");else{analytics.invoked=!0;analytics.methods=["trackSubmit","trackClick","trackLink","trackForm","pageview","identify","reset","group","track","ready","alias","debug","page","once","off","on"];analytics.factory=function(t){return function(){var e=Array.prototype.slice.call(arguments);e.unshift(t);analytics.push(e);return analytics}};for(var t=0;t<analytics.methods.length;t++){var e=analytics.methods[t];analytics[e]=analytics.factory(e)}analytics.loadPlatform=function(t,e,a,o){window[o||"analytics"]=analytics;window._analytics_js_global_name=o;analytics.platformSettings=e;analytics.platformPlan=a;var n=("https:"===document.location.protocol?"https://":"http://")+"cdn.segment.com/analytics.js/v1";t&&(n+="/"+t);var r=document.createElement("script");r.type="text/javascript";r.async=!0;r.src=n+"/platform/analytics.min.js";var i=document.getElementsByTagName("script")[0];i.parentNode.insertBefore(r,i)};analytics.SNIPPET_VERSION="4.0.0_platform";
-				analytics.loadPlatform(<?php echo ( $key ? json_encode( $key ) : 'null' ); ?>, <?php echo json_encode( $settings ) ?>,{},"analytics");
+				analytics.loadPlatform(<?php echo ( $key ? wp_json_encode( $key ) : 'null' ); ?>, <?php echo wp_json_encode( $settings ) ?>,{},"analytics");
 				analytics.page()
 			}}();
 		</script>
@@ -43,7 +43,7 @@ private function get_settings() {
 		$facebook = get_option( Analytics::FACEBOOK_PIXEL );
 		if ( $facebook ) {
 			$settings[ 'Facebook Pixel' ] = [
-				'pixelId' => $facebook,
+				'pixelId'                => $facebook,
 				'initWithExistingTraits' => true,
 			];
 		}
@@ -55,4 +55,4 @@ private function get_settings() {
 		return (object) $settings;
 	}
 
-}
+}

src/BigCommerce/Accounts/User_Profile_Settings.php

@@ -140,7 +140,7 @@ private function build_cache_key( $resourcePath, $method, $queryParams, $postDat
 			'headerParams' => $headerParams,
 			'responseType' => $responseType,
 		];
-		$serialized = md5( json_encode( $args ) );
+		$serialized = md5( wp_json_encode( $args ) );
 
 		return $resourcePath . ':' . $serialized . ':' . $this->get_generation_key();
 	}

src/BigCommerce/Analytics/Events/Add_To_Cart.php

@@ -21,8 +21,9 @@ public function __construct( $asset_directory ) {
 	public function get_data() {
 		if ( ! isset( $this->data ) ) {
 			$this->data = [
-				'images_url' => $this->directory . 'img/admin/',
-				'product'    => [
+				'store_domain' => get_option( \BigCommerce\Import\Processors\Store_Settings::DOMAIN ),
+				'images_url'   => $this->directory . 'img/admin/',
+				'product'      => [
 					'messages' => [
 						'not_available' => __( 'The selected product combination is currently unavailable.', 'bigcommerce' ),
 					],
@@ -33,4 +34,4 @@ public function get_data() {
 
 		return $this->data;
 	}
-}
+}

src/BigCommerce/Analytics/Events/View_Product.php

@@ -39,7 +39,7 @@ public function run( $args, $assoc_args ) {
 			exit;
 		}
 		$data        = $this->get_data();
-		$json        = json_encode( $data, JSON_PRETTY_PRINT );
+		$json        = wp_json_encode( $data, JSON_PRETTY_PRINT );
 		$output_file = reset( $args );
 		$result      = file_put_contents( $output_file, $json );
 		WP_CLI::line();

src/BigCommerce/Analytics/Segment.php

@@ -79,7 +79,7 @@ public function run( $args, $assoc_args ) {
 			$flags |= JSON_PRETTY_PRINT;
 		}
 
-		echo json_encode( $output, $flags );
+		echo wp_json_encode( $output, $flags );
 
 	}
 }

src/BigCommerce/Api/Caching_Client.php

@@ -48,7 +48,7 @@ public function run( $args, $assoc_args ) {
 		if ( empty( $countries ) ) {
 			\WP_CLI::error( __( 'Unable to retrieve country data from the BigCommerce API', 'bigcommerce' ) );
 		}
-		$json = json_encode( $countries );
+		$json = wp_json_encode( $countries );
 		\WP_CLI::debug( sprintf( __( 'Writing country json to %s', 'bigcommerce' ), $output_file ) );
 		file_put_contents( $output_file, $json );
 		\WP_CLI::success( __( 'Update complete', 'bigcommerce' ) );

src/BigCommerce/Assets/Theme/JS_Config.php

@@ -44,9 +44,10 @@ public function handle_request( $post_id, CartApi $cart_api ) {
 
 		$options = [];
 
-		$submitted_options  = empty( $_POST[ 'option' ] ) ? [] : (array) $_POST[ 'option' ];
-		$option_config = $product->options();
-		$modifier_config = $product->modifiers();
+		// Options are sanitized bellow
+		$submitted_options = empty( $_POST[ 'option' ] ) ? [] : (array) $_POST[ 'option' ]; // phpcs:ignore
+		$option_config     = $product->options();
+		$modifier_config   = $product->modifiers();
 		foreach ( $option_config as $config ) {
 			if ( array_key_exists( $config[ 'id' ], $submitted_options ) ) {
 				$options[ $config[ 'id' ] ] = absint( $submitted_options[ $config[ 'id' ] ] );

src/BigCommerce/CLI/Documentation/Build_Docs.php

@@ -37,8 +37,9 @@ public function __construct( CartApi $api ) {
 	 */
 	public function get_cart_id() {
 		$cart_id = '';
-		if ( isset( $_COOKIE[ self::CART_COOKIE ] ) && get_option( Settings\Sections\Cart::OPTION_ENABLE_CART, true ) ) {
-			$cart_id = $_COOKIE[ self::CART_COOKIE ];
+		$cookie  = filter_input( INPUT_COOKIE, self::CART_COOKIE, FILTER_SANITIZE_STRING );
+		if ( $cookie && get_option( Settings\Sections\Cart::OPTION_ENABLE_CART, true ) ) {
+			$cart_id = $cookie;
 		}
 
 		/**

src/BigCommerce/CLI/Resources/Build_Resources.php

@@ -41,7 +41,7 @@ public function handle_request(  ) {
 		$token = filter_input( INPUT_GET, 't', FILTER_SANITIZE_STRING );
 
 		if ( empty( $token ) ) {
-			wp_die( __( 'Bad Request', 'bigcommerce' ), __( 'Bad Request', 'bigcommerce' ), 400 );
+			wp_die( esc_html( __( 'Bad Request', 'bigcommerce' ) ), esc_html( __( 'Bad Request', 'bigcommerce' ) ), 400 );
 			exit();
 		}
 

src/BigCommerce/CLI/Update_Country_Cache.php

@@ -90,7 +90,7 @@ public function check_requirements() {
 			printf(
 				'<div class="notice notice-error bigcommerce-notice"><p class="bigcommerce-notice__refresh"><a class="bigcommerce-notice__refresh-button" href="%s"><i class="bc-icon icon-bc-sync"></i> %s</a></p><h3 class="bigcommerce-notice__heading">%s</h3>%s</div>',
 				esc_url( $this->refresh_url() ),
-				__( 'Refresh', 'bigcommerce' ),
+				esc_html( __( 'Refresh', 'bigcommerce' ) ),
 				$notice_header,
 				$list
 			);
@@ -133,7 +133,7 @@ private function refresh_url( $redirect = '' ) {
 			'action' => self::REFRESH,
 		], $url );
 		if ( empty( $redirect ) ) {
-			$redirect = $_SERVER['REQUEST_URI'];
+			$redirect = filter_input( INPUT_SERVER, 'REQUEST_URI', FILTER_SANITIZE_URL );
 		}
 		$url = add_query_arg( [ 'redirect_to' => urlencode( $redirect ) ], $url );
 		$url = wp_nonce_url( $url, self::REFRESH );

src/BigCommerce/Cart/Add_To_Cart.php

@@ -17,7 +17,7 @@ class Cart {
 	public function __construct( CartApi $bc_cart_api )
 	{
 		$this->bc_cart_api         = $bc_cart_api;
-		$this->cart_contents_count = isset( $_COOKIE[ BC_Cart::COUNT_COOKIE ] ) ? $_COOKIE[ BC_Cart::COUNT_COOKIE ] : 0;
+		$this->cart_contents_count = filter_input( INPUT_COOKIE, BC_Cart::COUNT_COOKIE, FILTER_SANITIZE_NUMBER_INT ) ?: 0;
 	}
 
 	public function get_cart_subtotal() {

src/BigCommerce/Cart/Cart.php

@@ -51,7 +51,7 @@ function wc_locate_template( $template_name, $template_path = '', $default_path
 
 if ( ! function_exists( 'woocommerce_mini_cart' ) ) {
 	function woocommerce_mini_cart() {
-		printf( '<div data-js="bc-mini-cart"><span class="bc-loading">%s</span></div>', __( 'Loading', 'bigcommerce' ) );
+		printf( '<div data-js="bc-mini-cart"><span class="bc-loading">%s</span></div>', esc_html( __( 'Loading', 'bigcommerce' ) ) );
 	}
 }
 

src/BigCommerce/Cart/Cart_Recovery.php

@@ -47,7 +47,7 @@ public function register( Container $container ) {
 		} ), 10, 3 );
 
 		add_action( 'setup_theme', $this->create_callback( 'woo_compat_functions', function () use ( $container ) {
-			if ( filter_input( INPUT_GET, 'action' ) === 'activate' && filter_input( INPUT_GET, 'plugin' ) === 'woocommerce/woocommerce.php' ) {
+			if ( filter_input( INPUT_GET, 'action', FILTER_SANITIZE_STRING ) === 'activate' && filter_input( INPUT_GET, 'plugin', FILTER_SANITIZE_STRING ) === 'woocommerce/woocommerce.php' ) {
 				return;
 			}
 			include_once( dirname( $container[ 'plugin_file' ] ) . '/src/BigCommerce/Compatibility/woocommerce-functions.php' );

src/BigCommerce/Checkout/Requirements_Notice.php

@@ -43,8 +43,9 @@ private function actions( Container $container ) {
 		 * Handle all form submissions with a bc-action argument
 		 */
 		add_action( 'parse_request', $this->create_callback( 'handle_form_action', function () use ( $container ) {
-			if ( isset( $_REQUEST[ 'bc-action' ] ) ) {
-				do_action( 'bigcommerce/form/action=' . $_REQUEST[ 'bc-action' ], stripslashes_deep( $_REQUEST ) );
+			$action = filter_var_array( $_REQUEST, [ 'bc-action' => FILTER_SANITIZE_STRING ] );
+			if ( $action['bc-action'] ) {
+				do_action( 'bigcommerce/form/action=' . $action['bc-action'], stripslashes_deep( $_REQUEST ) );
 			}
 		} ), 10, 0 );