ravinderk / Give

includes/admin/payments/view-payment-details.php

<?php
/**
 * View Donation Details
 *
 * @package     Give
 * @subpackage  Admin/Payments
 * @copyright   Copyright (c) 2016, WordImpress
 * @license     https://opensource.org/licenses/gpl-license GNU Public License
 * @since       1.0
 */

// Exit if accessed directly.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * View Order Details Page
 *
 * @since 1.0
 * @return void
 */
if ( ! isset( $_GET['id'] ) || ! is_numeric( $_GET['id'] ) ) {

This code seems to be duplicated across your project.

Detected access of super global var $_GET, probably need manual inspection.

Detected usage of a non-sanitized input variable: $_GET

	wp_die( esc_html__( 'Donation ID not supplied. Please try again.', 'give' ), esc_html__( 'Error', 'give' ), array( 'response' => 400 ) );
}

// Setup the variables
$payment_id = absint( $_GET['id'] );

Detected access of super global var $_GET, probably need manual inspection.

$payment    = new Give_Payment( $payment_id );

// Sanity check... fail if donation ID is invalid
$payment_exists = $payment->ID;
if ( empty( $payment_exists ) ) {
	wp_die( esc_html__( 'The specified ID does not belong to a donation. Please try again.', 'give' ), esc_html__( 'Error', 'give' ), array( 'response' => 400 ) );
}

$number         = $payment->number;
$payment_meta   = $payment->get_meta();
$transaction_id = esc_attr( $payment->transaction_id );
$user_id        = $payment->user_id;
$donor_id       = $payment->customer_id;
$payment_date   = strtotime( $payment->date );
$user_info      = give_get_payment_meta_user_info( $payment_id );
$address        = $payment->address;
$currency_code  = $payment->currency;
$gateway        = $payment->gateway;
$currency_code  = $payment->currency;
$payment_mode   = $payment->mode;
?>
<div class="wrap give-wrap">

	<h1 id="transaction-details-heading"><?php
		printf(
			/* translators: %s: donation number */
			esc_html__( 'Donation %s', 'give' ),
			$number
		);
		if ( $payment_mode == 'test' ) {

Found "== '". Use Yoda Condition checks, you must

			echo '<span id="test-payment-label" class="give-item-label give-item-label-orange" data-tooltip="' . esc_attr__( 'This donation was made in test mode.', 'give' ) . '" data-tooltip-my-position="center left" data-tooltip-target-position="center right">' . esc_html__( 'Test Donation', 'give' ) . '</span>';
		}
		?></h1>

	<?php
	/**
	 * Fires in order details page, before the order form.
	 *
	 * @since 1.0
	 *
	 * @param int $payment_id Payment id.
	 */
	do_action( 'give_view_order_details_before', $payment_id );
	?>
	<form id="give-edit-order-form" method="post">
		<?php
		/**
		 * Fires in order details page, in the form before the order details.
		 *
		 * @since 1.0
		 *
		 * @param int $payment_id Payment id.
		 */
		do_action( 'give_view_order_details_form_top', $payment_id );
		?>
		<div id="poststuff">
			<div id="give-dashboard-widgets-wrap">
				<div id="post-body" class="metabox-holder columns-2">
					<div id="postbox-container-1" class="postbox-container">
						<div id="side-sortables" class="meta-box-sortables ui-sortable">

							<?php
							/**
							 * Fires in order details page, before the sidebar.
							 *
							 * @since 1.0
							 *
							 * @param int $payment_id Payment id.
							 */
							do_action( 'give_view_order_details_sidebar_before', $payment_id );
							?>

							<div id="give-order-update" class="postbox give-order-data">

								<h3 class="hndle"><?php esc_html_e( 'Update Donation', 'give' ); ?></h3>

								<div class="inside">
									<div class="give-admin-box">

										<?php
										/**
										 * Fires in order details page, before the sidebar update-payment metabox.
										 *
										 * @since 1.0
										 *
										 * @param int $payment_id Payment id.
										 */
										do_action( 'give_view_order_details_totals_before', $payment_id );
										?>

										<div class="give-admin-box-inside">
											<p>
												<label for="give-payment-status" class="strong"><?php esc_html_e( 'Status:', 'give' ); ?></label>&nbsp;
												<select id="give-payment-status" name="give-payment-status" class="medium-text">
													<?php foreach ( give_get_payment_statuses() as $key => $status ) : ?>
														<option value="<?php echo esc_attr( $key ); ?>"<?php selected( $payment->status, $key, true ); ?>><?php echo esc_html( $status ); ?></option>
													<?php endforeach; ?>
												</select>
												<span class="give-donation-status status-<?php echo sanitize_title( $payment->status ); ?>"><span class="give-donation-status-icon"></span></span>
											</p>
										</div>

										<div class="give-admin-box-inside">
											<p>
												<label for="give-payment-date" class="strong"><?php esc_html_e( 'Date:', 'give' ); ?></label>&nbsp;
												<input type="text" id="give-payment-date" name="give-payment-date" value="<?php echo esc_attr( date( 'm/d/Y', $payment_date ) ); ?>" class="medium-text give_datepicker"/>
											</p>
										</div>

										<div class="give-admin-box-inside">
											<p>
												<label for="give-payment-time-hour" class="strong"><?php esc_html_e( 'Time:', 'give' ); ?></label>&nbsp;
												<input type="number" step="1" max="24" id="give-payment-time-hour" name="give-payment-time-hour" value="<?php echo esc_attr( date_i18n( 'H', $payment_date ) ); ?>" class="small-text give-payment-time-hour"/>&nbsp;:&nbsp;
												<input type="number" step="1" max="59" id="give-payment-time-min" name="give-payment-time-min" value="<?php echo esc_attr( date( 'i', $payment_date ) ); ?>" class="small-text give-payment-time-min"/>
											</p>
										</div>

										<?php
										/**
										 * Fires in order details page, in the sidebar update-payment metabox.
										 *
										 * Allows you to add new inner items.
										 *
										 * @since 1.0
										 *
										 * @param int $payment_id Payment id.
										 */
										do_action( 'give_view_order_details_update_inner', $payment_id ); ?>

										<div class="give-order-payment give-admin-box-inside">
											<p>
												<label for="give-payment-total" class="strong"><?php esc_html_e( 'Total Donation:', 'give' ); ?></label>&nbsp;
												<?php echo give_currency_symbol( $payment->currency ); ?>

Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'give_currency_symbol'

												&nbsp;<input id="give-payment-total" name="give-payment-total" type="text" class="small-text give-price-field" value="<?php echo esc_attr( give_format_decimal( give_get_payment_amount( $payment_id ), false, false ) ); ?>"/>
											</p>
										</div>

										<?php
										/**
										 * Fires in order details page, after the sidebar update-donation metabox.
										 *
										 * @since 1.0
										 *
										 * @param int $payment_id Payment id.
										 */
										do_action( 'give_view_order_details_totals_after', $payment_id );
										?>

									</div>
									<!-- /.give-admin-box -->

								</div>
								<!-- /.inside -->

								<div class="give-order-update-box give-admin-box">
									<?php
									/**
									 * Fires in order details page, before the sidebar update-peyment metabox actions buttons.
									 *
									 * @since 1.0
									 *
									 * @param int $payment_id Payment id.
									 */
									do_action( 'give_view_order_details_update_before', $payment_id );
									?>

									<div id="major-publishing-actions">
										<div id="publishing-action">
											<input type="submit" class="button button-primary right" value="<?php esc_attr_e( 'Save Donation', 'give' ); ?>"/>
											<?php if ( give_is_payment_complete( $payment_id ) ) : ?>
												<a href="<?php echo esc_url( add_query_arg( array(
													'give-action' => 'email_links',
													'purchase_id' => $payment_id,
												) ) ); ?>" id="give-resend-receipt" class="button-secondary right"><?php esc_html_e( 'Resend Receipt', 'give' ); ?></a>
											<?php endif; ?>
										</div>
										<div class="clear"></div>
									</div>

									<?php
									/**
									 * Fires in order details page, after the sidebar update-peyment metabox actions buttons.
									 *
									 * @since 1.0
									 *
									 * @param int $payment_id Payment id.
									 */
									do_action( 'give_view_order_details_update_after', $payment_id );
									?>

								</div>
								<!-- /.give-order-update-box -->

							</div>
							<!-- /#give-order-data -->

							<div id="give-order-details" class="postbox give-order-data">

								<h3 class="hndle"><?php esc_html_e( 'Donation Meta', 'give' ); ?></h3>

								<div class="inside">
									<div class="give-admin-box">

										<?php
										/**
										 * Fires in order details page, before the donation-meta metabox.
										 *
										 * @since 1.0
										 *
										 * @param int $payment_id Payment id.
										 */
										do_action( 'give_view_order_details_payment_meta_before', $payment_id );

										$gateway = give_get_payment_gateway( $payment_id );
										if ( $gateway ) : ?>
											<div class="give-order-gateway give-admin-box-inside">
												<p>
													<strong><?php esc_html_e( 'Gateway:', 'give' ); ?></strong>&nbsp;
													<?php echo give_get_gateway_admin_label( $gateway ); ?>

Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'give_get_gateway_admin_label'

												</p>
											</div>
										<?php endif; ?>

										<div class="give-order-payment-key give-admin-box-inside">
											<p>
												<strong><?php esc_html_e( 'Key:', 'give' ); ?></strong>&nbsp;
												<?php echo give_get_payment_key( $payment_id ); ?>

Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'give_get_payment_key'

											</p>
										</div>

										<div class="give-order-ip give-admin-box-inside">
											<p>
												<strong><?php esc_html_e( 'IP:', 'give' ); ?></strong>&nbsp;
												<?php echo esc_html( give_get_payment_user_ip( $payment_id ) ); ?>
											</p>
										</div>

										<?php if ( $transaction_id ) : ?>
											<div class="give-order-tx-id give-admin-box-inside">
												<p>
													<strong><?php esc_html_e( 'Donation ID:', 'give' ); ?></strong>&nbsp;
													<?php echo apply_filters( "give_payment_details_transaction_id-{$gateway}", $transaction_id, $payment_id ); ?>

Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'apply_filters'

												</p>
											</div>
										<?php endif; ?>

										<div class="give-admin-box-inside">
											<p><?php $purchase_url = admin_url( 'edit.php?post_type=give_forms&page=give-payment-history&user=' . urlencode( esc_attr( give_get_payment_user_email( $payment_id ) ) ) ); ?>
												<a href="<?php echo $purchase_url; ?>"><?php esc_html_e( 'View all donations for this donor &raquo;', 'give' ); ?></a>

Expected next thing to be a escaping function, not '$purchase_url'

											</p>
										</div>

										<?php
										/**
										 * Fires in order details page, after the donation-meta metabox.
										 *
										 * @since 1.0
										 *
										 * @param int $payment_id Payment id.
										 */
										do_action( 'give_view_order_details_payment_meta_after', $payment_id );
										?>

									</div>
									<!-- /.column-container -->

								</div>
								<!-- /.inside -->

							</div>
							<!-- /#give-order-data -->

							<?php
							/**
							 * Fires in order details page, after the sidebar.
							 *
							 * @since 1.0
							 *
							 * @param int $payment_id Payment id.
							 */
							do_action( 'give_view_order_details_sidebar_after', $payment_id );
							?>

						</div>
						<!-- /#side-sortables -->
					</div>
					<!-- /#postbox-container-1 -->

					<div id="postbox-container-2" class="postbox-container">

						<div id="normal-sortables" class="meta-box-sortables ui-sortable">

							<?php
							/**
							 * Fires in order details page, before the main area.
							 *
							 * @since 1.0
							 *
							 * @param int $payment_id Payment id.
							 */
							do_action( 'give_view_order_details_main_before', $payment_id );
							?>

							<?php $column_count = 'columns-3'; ?>
							<div id="give-donation-overview" class="postbox <?php echo $column_count; ?>">

Expected next thing to be a escaping function, not '$column_count'

								<h3 class="hndle"><?php esc_html_e( 'Donation Information', 'give' ); ?></h3>

								<div class="inside">

									<div class="column-container">
										<div class="column">
											<p>
												<strong><?php esc_html_e( 'Donation Form ID:', 'give' ); ?></strong><br>
												<?php
												if ( $payment_meta['form_id'] ) :
													printf(
														'<a href="%1$s" target="_blank">#%2$s</a>',
														admin_url( 'post.php?action=edit&post=' . $payment_meta['form_id'] ),
														$payment_meta['form_id']
													);
												endif;
												?>
											</p>
											<p>
												<strong><?php esc_html_e( 'Donation Form Title:', 'give' ); ?></strong><br>
												<?php echo Give()->html->forms_dropdown( array(

Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'Give'

													'selected' => $payment_meta['form_id'],
													'name'   => 'give-payment-form-select',
													'id'     => 'give-payment-form-select',
													'chosen' => true,
												) ); ?>
											</p>
										</div>
										<div class="column">
											<p>
												<strong><?php esc_html_e( 'Donation Date:', 'give' ); ?></strong><br>
												<?php echo date_i18n( give_date_format(), $payment_date ); ?>

Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'date_i18n'

											</p>
											<p>
												<strong><?php esc_html_e( 'Donation Level:', 'give' ); ?></strong><br>
												<span class="give-donation-level">
													<?php
													$var_prices = give_has_variable_prices( $payment_meta['form_id'] );
													if ( empty( $var_prices ) ) {
														esc_html_e( 'n/a', 'give' );
													} else {
														$prices_atts = '';
														if( $variable_prices = give_get_variable_prices( $payment_meta['form_id'] ) ) {

This code seems to be duplicated across your project.

Space after opening control structure is required

No space before opening parenthesis is prohibited

															foreach ( $variable_prices as $variable_price ) {
																$prices_atts[$variable_price['_give_id']['level_id']] = give_format_amount( $variable_price['_give_amount'], array( 'sanitize' => false ) );

Array keys should be surrounded by spaces unless they contain a string or an integer.

															}
														}
														// Variable price dropdown options.
														$variable_price_dropdown_option = array(
															'id'               => $payment_meta['form_id'],
															'name'             => 'give-variable-price',
															'chosen'           => true,
															'show_option_all'  => '',
															'show_option_none' => ( '' === get_post_meta( $payment_id, '_give_payment_price_id', true ) ? __( 'None', 'give' )  : '' ),
															'select_atts'      => 'data-prices=' . esc_attr( json_encode( $prices_atts ) ),
															'selected'         => $payment_meta['price_id'],
														);
														// Render variable prices select tag html.
														give_get_form_variable_price_dropdown( $variable_price_dropdown_option, true );
													}
													?>
												</span>
											</p>
										</div>
										<div class="column">
											<p>
												<strong><?php esc_html_e( 'Total Donation:', 'give' ); ?></strong><br>
												<?php echo give_currency_filter( give_format_amount( $payment->total, array( 'sanitize' => false ) ), give_get_payment_currency_code( $payment->ID ) ); ?>

Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'give_currency_filter'

											</p>
											<p>
												<?php
												/**
												 * Fires in order details page, in the donation-information metabox, before the head elements.
												 *
												 * Allows you to add new TH elements at the beginning.
												 *
												 * @since 1.0
												 *
												 * @param int $payment_id Payment id.
												 */
												do_action( 'give_donation_details_thead_before', $payment_id );


												/**
												 * Fires in order details page, in the donation-information metabox, after the head elements.
												 *
												 * Allows you to add new TH elements at the end.
												 *
												 * @since 1.0
												 *
												 * @param int $payment_id Payment id.
												 */
												do_action( 'give_donation_details_thead_after', $payment_id );

												/**
												 * Fires in order details page, in the donation-information metabox, before the body elements.
												 *
												 * Allows you to add new TD elements at the beginning.
												 *
												 * @since 1.0
												 *
												 * @param int $payment_id Payment id.
												 */
												do_action( 'give_donation_details_tbody_before', $payment_id );

												/**
												 * Fires in order details page, in the donation-information metabox, after the body elements.
												 *
												 * Allows you to add new TD elements at the end.
												 *
												 * @since 1.0
												 *
												 * @param int $payment_id Payment id.
												 */
												do_action( 'give_donation_details_tbody_after', $payment_id );
												?>
											</p>
										</div>
									</div>

								</div>
								<!-- /.inside -->

							</div>
							<!-- /#give-donation-overview -->

							<?php
							/**
							 * Fires in order details page, after the files metabox.
							 *
							 * @since 1.0
							 *
							 * @param int $payment_id Payment id.
							 */
							do_action( 'give_view_order_details_files_after', $payment_id );
							?>

							<div id="give-donor-details" class="postbox">
								<h3 class="hndle"><?php esc_html_e( 'Donor Details', 'give' ); ?></h3>

								<div class="inside">

									<?php $donor = new Give_Donor( $donor_id ); ?>

$donor_id is of type integer, but the function expects a boolean.

									<div class="column-container donor-info">
										<div class="column">
											<p>
												<strong><?php esc_html_e( 'Donor ID:', 'give' ); ?></strong><br>
												<?php
												if ( ! empty( $donor->id ) ) {
													printf(
														'<a href="%1$s" target="_blank">#%2$s</a>',
														admin_url( 'edit.php?post_type=give_forms&page=give-donors&view=overview&id=' . $donor->id ),
														$donor->id
													);
												}
												?>
											</p>
											<p>
												<strong><?php esc_html_e( 'Donor Since:', 'give' ); ?></strong><br>
												<?php echo date_i18n( give_date_format(), strtotime( $donor->date_created ) ) ?>

Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'date_i18n'

											</p>
										</div>
										<div class="column">
											<p>
												<strong><?php esc_html_e( 'Donor Name:', 'give' ); ?></strong><br>
												<?php
                                                $donor_billing_name = give_get_donor_name_by( $payment_id, 'donation' );
                                                $donor_name = give_get_donor_name_by( $donor_id, 'donor' );

                                                // Check whether the donor name and WP_User name is same or not.
                                                if( sanitize_title( $donor_billing_name ) != sanitize_title( $donor_name ) ){

Space after opening control structure is required

No space before opening parenthesis is prohibited

                                                    echo $donor_billing_name . ' (<a href="' . esc_url( admin_url( "edit.php?post_type=give_forms&page=give-donors&view=overview&id=$donor_id" ) ) . '">' . $donor_name . '</a>)';

Expected next thing to be a escaping function, not '$donor_billing_name'

Expected next thing to be a escaping function, not '$donor_name'

                                                }else{

Space after opening control structure is required

No space before opening parenthesis is prohibited

                                                    echo $donor_name;

Expected next thing to be a escaping function, not '$donor_name'

                                                }
                                                ?>
											</p>
											<p>
												<strong><?php esc_html_e( 'Donor Email:', 'give' ); ?></strong><br>
												<?php echo $donor->email; ?>

Expected next thing to be a escaping function, not '$donor'

											</p>
										</div>
										<div class="column">
											<p>
												<strong><?php esc_html_e( 'Change Donor:', 'give' ); ?></strong><br>
												<?php
												echo Give()->html->donor_dropdown( array(

Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'Give'

													'selected' => $donor->id,
													'name'     => 'donor-id',
												) );
												?>
											</p>
											<p>
												<a href="#new" class="give-payment-new-donor"><?php esc_html_e( 'Create New Donor', 'give' ); ?></a>
											</p>
										</div>
									</div>

									<div class="column-container new-donor" style="display: none">
										<div class="column">
											<p>
												<label for="give-new-donor-name"><?php esc_html_e( 'New Donor Name:', 'give' ); ?></label>
												<input id="give-new-donor-name" type="text" name="give-new-donor-name" value="" class="medium-text"/>
											</p>
										</div>
										<div class="column">
											<p>
												<label for="give-new-donor-email"><?php esc_html_e( 'New Donor Email:', 'give' ); ?></label>
												<input id="give-new-donor-email" type="email" name="give-new-donor-email" value="" class="medium-text"/>
											</p>
										</div>
										<div class="column">
											<p>
												<input type="hidden" name="give-current-donor" value="<?php echo $donor->id; ?>"/>

Expected next thing to be a escaping function, not '$donor'

												<input type="hidden" id="give-new-donor" name="give-new-donor" value="0"/>
												<a href="#cancel" class="give-payment-new-donor-cancel give-delete"><?php esc_html_e( 'Cancel', 'give' ); ?></a>
												<br>
												<em><?php esc_html_e( 'Click "Save Donation" to create new donor.', 'give' ); ?></em>
											</p>
										</div>
									</div>

									<?php
									/**
									 * Fires on the donation details page, in the donor-details metabox.
									 *
									 * The hook is left here for backwards compatibility.
									 *
									 * @since 1.7
									 *
									 * @param array $payment_meta Payment meta.
									 * @param array $user_info    User information.
									 */
									do_action( 'give_payment_personal_details_list', $payment_meta, $user_info );

									/**
									 * Fires on the donation details page, in the donor-details metabox.
									 *
									 * @since 1.7
									 *
									 * @param int $payment_id Payment id.
									 */
									do_action( 'give_payment_view_details', $payment_id );
									?>

								</div>
								<!-- /.inside -->
							</div>
							<!-- /#give-donor-details -->

							<?php
							/**
							 * Fires in order details page, before the billing metabox.
							 *
							 * @since 1.0
							 *
							 * @param int $payment_id Payment id.
							 */
							do_action( 'give_view_order_details_billing_before', $payment_id );
							?>

							<div id="give-billing-details" class="postbox">
								<h3 class="hndle"><?php esc_html_e( 'Billing Address', 'give' ); ?></h3>

								<div class="inside">

									<div id="give-order-address">

										<div class="order-data-address">
											<div class="data column-container">
												<div class="column">
													<div class="give-wrap-address-line1">
														<label for="give-payment-address-line1" class="order-data-address"><?php esc_html_e( 'Address 1:', 'give' ); ?></label>
														<input id="give-payment-address-line1" type="text" name="give-payment-address[0][line1]" value="<?php echo esc_attr( $address['line1'] ); ?>" class="medium-text"/>
													</div>
													<div class="give-wrap-address-line2">
														<label for="give-payment-address-line2" class="order-data-address-line"><?php esc_html_e( 'Address 2:', 'give' ); ?></label>
														<input id="give-payment-address-line2" type="text" name="give-payment-address[0][line2]" value="<?php echo esc_attr( $address['line2'] ); ?>" class="medium-text"/>
													</div>
												</div>
												<div class="column">
													<div class="give-wrap-address-city">
														<label for="give-payment-address-city" class="order-data-address-line"><?php esc_html_e( 'City:', 'give' ); ?></label>
														<input id="give-payment-address-city" type="text" name="give-payment-address[0][city]" value="<?php echo esc_attr( $address['city'] ); ?>" class="medium-text"/>
													</div>
													<div class="give-wrap-address-zip">
														<label for="give-payment-address-zip" class="order-data-address-line"><?php esc_html_e( 'Zip / Postal Code:', 'give' ); ?></label>
														<input id="give-payment-address-zip" type="text" name="give-payment-address[0][zip]" value="<?php echo esc_attr( $address['zip'] ); ?>" class="medium-text"/>

													</div>
												</div>
												<div class="column">
													<div id="give-order-address-country-wrap">
														<label class="order-data-address-line"><?php esc_html_e( 'Country:', 'give' ); ?></label>
														<?php
														echo Give()->html->select( array(

Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'Give'

															'options'          => give_get_country_list(),
															'name'             => 'give-payment-address[0][country]',
															'selected'         => $address['country'],
															'show_option_all'  => false,
															'show_option_none' => false,
															'chosen'           => true,
															'placeholder'      => esc_attr__( 'Select a country', 'give' ),
															'data'             => array( 'search-type' => 'no_ajax' ),
														) );
														?>
													</div>
													<div id="give-order-address-state-wrap">
														<label for="give-payment-address-state" class="order-data-address-line"><?php esc_html_e( 'State / Province / County:', 'give' ); ?></label>
														<?php
														$states = give_get_states( $address['country'] );
														if ( ! empty( $states ) ) {
															echo Give()->html->select( array(

Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'Give'

																'options'          => $states,
																'name'             => 'give-payment-address[0][state]',
																'selected'         => $address['state'],
																'show_option_all'  => false,
																'show_option_none' => false,
																'chosen'           => true,
																'placeholder'      => esc_attr__( 'Select a state', 'give' ),
																'data'             => array( 'search-type' => 'no_ajax' ),
															) );
														} else {
															?>
															<input id="give-payment-address-state" type="text" name="give-payment-address[0][state]" value="<?php echo esc_attr( $address['state'] ); ?>" class="medium-text"/>
															<?php
														} ?>
													</div>
												</div>
											</div>
										</div>
									</div>
									<!-- /#give-order-address -->

									<?php
									/**
									 * Fires in order details page, in the billing metabox, after all the fields.
									 *
									 * Allows you to insert new billing address fields.
									 *
									 * @since 1.7
									 *
									 * @param int $payment_id Payment id.
									 */
									do_action( 'give_payment_billing_details', $payment_id );
									?>

								</div>
								<!-- /.inside -->
							</div>
							<!-- /#give-billing-details -->

							<?php
							/**
							 * Fires in order details page, after the billing metabox.
							 *
							 * @since 1.0
							 *
							 * @param int $payment_id Payment id.
							 */
							do_action( 'give_view_order_details_billing_after', $payment_id );
							?>

							<div id="give-payment-notes" class="postbox">
								<h3 class="hndle"><?php esc_html_e( 'Donation Notes', 'give' ); ?></h3>

								<div class="inside">
									<div id="give-payment-notes-inner">
										<?php
										$notes = give_get_payment_notes( $payment_id );
										if ( ! empty( $notes ) ) {
											$no_notes_display = ' style="display:none;"';
											foreach ( $notes as $note ) :

												echo give_get_payment_note_html( $note, $payment_id );

Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'give_get_payment_note_html'

											endforeach;
										} else {
											$no_notes_display = '';
										}
										echo '<p class="give-no-payment-notes"' . $no_notes_display . '>' . esc_html__( 'No donation notes.', 'give' ) . '</p>'; ?>

Expected next thing to be a escaping function, not '$no_notes_display'

									</div>
									<textarea name="give-payment-note" id="give-payment-note" class="large-text"></textarea>

									<div class="give-clearfix">
										<button id="give-add-payment-note" class="button button-secondary button-small" data-payment-id="<?php echo absint( $payment_id ); ?>"><?php esc_html_e( 'Add Note', 'give' ); ?></button>
									</div>

								</div>
								<!-- /.inside -->
							</div>
							<!-- /#give-payment-notes -->

							<?php
							/**
							 * Fires in order details page, after the main area.
							 *
							 * @since 1.0
							 *
							 * @param int $payment_id Payment id.
							 */
							do_action( 'give_view_order_details_main_after', $payment_id );
							?>

						</div>
						<!-- /#normal-sortables -->
					</div>
					<!-- #postbox-container-2 -->
				</div>
				<!-- /#post-body -->
			</div>
			<!-- #give-dashboard-widgets-wrap -->
		</div>
		<!-- /#post-stuff -->

		<?php
		/**
		 * Fires in order details page, in the form after the order details.
		 *
		 * @since 1.0
		 *
		 * @param int $payment_id Payment id.
		 */
		do_action( 'give_view_order_details_form_bottom', $payment_id );

		wp_nonce_field( 'give_update_payment_details_nonce' );
		?>
		<input type="hidden" name="give_payment_id" value="<?php echo esc_attr( $payment_id ); ?>"/>
		<input type="hidden" name="give_action" value="update_payment_details"/>
	</form>
	<?php
	/**
	 * Fires in order details page, after the order form.
	 *
	 * @since 1.0
	 *
	 * @param int $payment_id Payment id.
	 */
	do_action( 'give_view_order_details_after', $payment_id );
	?>
</div><!-- /.wrap -->