Issues in ajax-functions.php (master) - Issues in master - ravinderk/Give - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4335)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/ajax-functions.php (1 issue)

Labels

Severity

Informational 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * AJAX Functions
 *
 * Process the front-end AJAX actions.
 *
 * @package     Give
 * @subpackage  Functions/AJAX
 * @copyright   Copyright (c) 2016, GiveWP
 * @license     https://opensource.org/licenses/gpl-license GNU Public License
 * @since       1.0
 */

// Exit if accessed directly.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * Check if AJAX works as expected
 * Note: Do not use this function before init hook.
 *
 * @since  1.0
 *
 * @param bool $force Flag to test ajax by discarding cache result
 *
 * @return bool True if AJAX works, false otherwise
 */
function give_test_ajax_works( $force = false ) {
	// Handle ajax.
	if ( doing_action( 'wp_ajax_nopriv_give_test_ajax' ) ) {
		wp_die( 0, 200 );
	}

	// Check if the Airplane Mode plugin is installed.
	if ( class_exists( 'Airplane_Mode_Core' ) ) {

		$airplane = Airplane_Mode_Core::getInstance();

		if ( method_exists( $airplane, 'enabled' ) ) {

			if ( $airplane->enabled() ) {
				return true;
			}
		} else {

			if ( 'on' === $airplane->check_status() ) {
				return true;
			}
		}
	}

	add_filter( 'block_local_requests', '__return_false' );

	$works = Give_Cache::get( '_give_ajax_works', true );

	if ( ! $works || $force ) {
		$params = array(
			'sslverify' => false,
			'timeout'   => 30,
			'body'      => array(
				'action' => 'give_test_ajax',
			),
		);

		$ajax = wp_remote_post( give_get_ajax_url(), $params );

		$works = true;

		if ( is_wp_error( $ajax ) ) {

			$works = false;

		} else {

			if ( empty( $ajax['response'] ) ) {
				$works = false;
			}

			if ( empty( $ajax['response']['code'] ) || 200 !== (int) $ajax['response']['code'] ) {
				$works = false;
			}

			if ( empty( $ajax['response']['message'] ) || 'OK' !== $ajax['response']['message'] ) {
				$works = false;
			}

			if ( ! isset( $ajax['body'] ) || 0 !== (int) $ajax['body'] ) {
				$works = false;
			}
		}

		if ( $works ) {
			Give_Cache::set( '_give_ajax_works', '1', DAY_IN_SECONDS, true );
		}
	}

	/**
	 * Filter the output
	 *
	 * @since 1.0
	 */
	return apply_filters( 'give_test_ajax_works', $works );
}

add_action( 'wp_ajax_nopriv_give_test_ajax', 'give_test_ajax_works' );

/**
 * Get AJAX URL
 *
 * @since  1.0
 *
 * @param array $query
 *
 * @return string
 */
function give_get_ajax_url( $query = array() ) {
	$scheme = defined( 'FORCE_SSL_ADMIN' ) && FORCE_SSL_ADMIN ? 'https' : 'admin';

	$current_url = give_get_current_page_url();
	$ajax_url    = admin_url( 'admin-ajax.php', $scheme );

	if ( preg_match( '/^https/', $current_url ) && ! preg_match( '/^https/', $ajax_url ) ) {
		$ajax_url = preg_replace( '/^http/', 'https', $ajax_url );
	}

	if ( ! empty( $query ) ) {
		$ajax_url = add_query_arg( $query, $ajax_url );
	}

	return apply_filters( 'give_ajax_url', $ajax_url );
}

/**
 * Loads Checkout Login Fields via AJAX
 *
 * @since  1.0
 *
 * @return void
 */
function give_load_checkout_login_fields() {
	/**
	 * Fire when render login fields via ajax.
	 *
	 * @since 1.7
	 */
	do_action( 'give_donation_form_login_fields' );

	give_die();
}

add_action( 'wp_ajax_nopriv_give_checkout_login', 'give_load_checkout_login_fields' );

/**
 * Load Checkout Fields
 *
 * @since  1.3.6
 *
 * @return void
 */
function give_load_checkout_fields() {
	$form_id = isset( $_POST['form_id'] ) ? $_POST['form_id'] : '';

	ob_start();

	/**
	 * Fire to render registration/login form.
	 *
	 * @since 1.7
	 */
	do_action( 'give_donation_form_register_login_fields', $form_id );

	$fields = ob_get_clean();

	wp_send_json( array(
		'fields' => wp_json_encode( $fields ),
		'submit' => wp_json_encode( give_get_donation_form_submit_button( $form_id ) ),
	) );
}

add_action( 'wp_ajax_nopriv_give_cancel_login', 'give_load_checkout_fields' );
add_action( 'wp_ajax_nopriv_give_checkout_register', 'give_load_checkout_fields' );

/**
 * Get Form Title via AJAX (used only in WordPress Admin)
 *
 * @since  1.0
 *
 * @return void
 */
function give_ajax_get_form_title() {
	if ( isset( $_POST['form_id'] ) ) {
		$title = get_the_title( $_POST['form_id'] );
		if ( $title ) {
			echo $title;
		} else {
			echo 'fail';
		}
	}
	give_die();
}

add_action( 'wp_ajax_give_get_form_title', 'give_ajax_get_form_title' );
add_action( 'wp_ajax_nopriv_give_get_form_title', 'give_ajax_get_form_title' );

/**
 * Retrieve a states drop down
 *
 * @since  1.0
 *
 * @return void
 */
function give_ajax_get_states_field() {
	$states_found   = false;
	$show_field     = true;
	$states_require = true;
	// Get the Country code from the $_POST.
	$country = sanitize_text_field( $_POST['country'] );

	// Get the field name from the $_POST.
	$field_name = sanitize_text_field( $_POST['field_name'] );

	$label        = __( 'State', 'give' );
	$states_label = give_get_states_label();

	$default_state = '';
	if ( give_get_country() === $country ) {
		$default_state = give_get_state();
	}

	// Check if $country code exists in the array key for states label.
	if ( array_key_exists( $country, $states_label ) ) {
		$label = $states_label[ $country ];
	}

	if ( empty( $country ) ) {
		$country = give_get_country();
	}

	$states = give_get_states( $country );
	if ( ! empty( $states ) ) {
		$args         = array(
			'name'             => $field_name,
			'id'               => $field_name,
			'class'            => $field_name . '  give-select',
			'options'          => $states,
			'show_option_all'  => false,
			'show_option_none' => false,
			'placeholder'      => $label,
			'selected'         => $default_state,
		);
		$data         = Give()->html->select( $args );
		$states_found = true;
	} else {
		$data = 'nostates';

		// Get the country list that does not have any states init.
		$no_states_country = give_no_states_country_list();

		// Check if $country code exists in the array key.
		if ( array_key_exists( $country, $no_states_country ) ) {
			$show_field = false;
		}

		// Get the country list that does not require states.
		$states_not_required_country_list = give_states_not_required_country_list();

		// Check if $country code exists in the array key.
		if ( array_key_exists( $country, $states_not_required_country_list ) ) {
			$states_require = false;
		}
	}

	$response = array(
		'success'        => true,
		'states_found'   => $states_found,
		'states_label'   => $label,
		'show_field'     => $show_field,
		'states_require' => $states_require,
		'data'           => $data,
		'default_state'  => $default_state,
		'city_require'   => ! array_key_exists( $country, give_city_not_required_country_list() ),
	);
	wp_send_json( $response );
}

add_action( 'wp_ajax_give_get_states', 'give_ajax_get_states_field' );
add_action( 'wp_ajax_nopriv_give_get_states', 'give_ajax_get_states_field' );

/**
 * Retrieve donation forms via AJAX for chosen dropdown search field.
 *
 * @since  1.0
 *
 * @return void
 */
function give_ajax_form_search() {
	$results = array();
	$search  = esc_sql( sanitize_text_field( $_POST['s'] ) );

	$args = array(
		'post_type'              => 'give_forms',
		's'                      => $search,
		'update_post_term_cache' => false,
		'update_post_meta_cache' => false,
		'cache_results'          => false,
		'no_found_rows'          => true,
		'post_status'            => 'publish',
		'orderby'                => 'title',
		'order'                  => 'ASC',
		'posts_per_page'         => empty( $search ) ? 30 : -1,
	);

	/**
	 * Filter to modify Ajax form search args
	 *
	 * @since 2.1
	 *
	 * @param array $args Query argument for WP_query
	 *
	 * @return array $args Query argument for WP_query
	 */
	$args = (array) apply_filters( 'give_ajax_form_search_args', $args );

	// get all the donation form.
	$query = new WP_Query( $args );
	if ( $query->have_posts() ) {
		while ( $query->have_posts() ) {
			$query->the_post();
			global $post;

			$results[] = array(
				'id'   => $post->ID,
				'name' => $post->post_title,
			);
		}
		wp_reset_postdata();
	}

	/**
	 * Filter to modify Ajax form search result
	 *
	 * @since 2.1
	 *
	 * @param array $results Contain the Donation Form id
	 *
	 * @return array $results Contain the Donation Form id
	 */
	$results = (array) apply_filters( 'give_ajax_form_search_responce', $results );

	wp_send_json( $results );
}

add_action( 'wp_ajax_give_form_search', 'give_ajax_form_search' );
add_action( 'wp_ajax_nopriv_give_form_search', 'give_ajax_form_search' );

/**
 * Search the donors database via Ajax
 *
 * @since  1.0
 *
 * @return void
 */
function give_ajax_donor_search() {
	global $wpdb;

	$search  = esc_sql( sanitize_text_field( $_POST['s'] ) );
	$results = array();
	if ( ! current_user_can( 'view_give_reports' ) ) {
		$donors = array();
	} else {
		$donors = $wpdb->get_results( "SELECT id,name,email FROM $wpdb->donors WHERE `name` LIKE '%$search%' OR `email` LIKE '%$search%' LIMIT 50" );
	}

	if ( $donors ) {
		foreach ( $donors as $donor ) {

			$results[] = array(
				'id'   => $donor->id,
				'name' => $donor->name . ' (' . $donor->email . ')',
			);
		}
	}

	wp_send_json( $results );
}

add_action( 'wp_ajax_give_donor_search', 'give_ajax_donor_search' );


/**
 * Searches for users via ajax and returns a list of results
 *
 * @since  1.0
 *
 * @return void
 */
function give_ajax_search_users() {
	$results = array();

	if ( current_user_can( 'manage_give_settings' ) ) {

		$search = esc_sql( sanitize_text_field( $_POST['s'] ) );

		$get_users_args = array(
			'number' => 9999,
			'search' => $search . '*',
		);

		$get_users_args = apply_filters( 'give_search_users_args', $get_users_args );

		$found_users = apply_filters( 'give_ajax_found_users', get_users( $get_users_args ), $search );
		$results     = array();

		if ( $found_users ) {

			foreach ( $found_users as $user ) {

				$results[] = array(
					'id'   => $user->ID,
					'name' => esc_html( $user->user_login . ' (' . $user->user_email . ')' ),
				);
			}
		}
	}// End if().

	wp_send_json( $results );

}

add_action( 'wp_ajax_give_user_search', 'give_ajax_search_users' );


/**
 * Queries page by title and returns page ID and title in JSON format.
 *
 * Note: this function in for internal use.
 *
 * @since 2.1
 *
 * @return string
 */
function give_ajax_pages_search() {
	$data = array();
	$args = array(
		'post_type' => 'page',
		's'         => give_clean( $_POST['s'] ),
	);

	$query = new WP_Query( $args );

	// Query posts by title.
	if ( $query->have_posts() ) {
		while ( $query->have_posts() ) {
			$query->the_post();

			$data[] = array(
				'id'   => get_the_ID(),
				'name' => get_the_title(),
			);
		}
	}

	wp_send_json( $data );
}

add_action( 'wp_ajax_give_pages_search', 'give_ajax_pages_search' );

/**
 * Retrieve Categories via AJAX for chosen dropdown search field.
 *
 * @since  2.1
 *
 * @return void
 */
function give_ajax_categories_search() {
	$results = array();

	/**
	 * Filter to modify Ajax tags search args
	 *
	 * @since 2.1
	 *
	 * @param array $args argument for get_terms
	 *
	 * @return array $args argument for get_terms
	 */
	$args = (array) apply_filters( 'give_forms_categories_dropdown_args', array(
		'number'     => 30,
		'name__like' => esc_sql( sanitize_text_field( $_POST['s'] ) )
	) );

	$categories = get_terms( 'give_forms_category', $args );

	foreach ( $categories as $category ) {
		$results[] = array(
			'id'   => $category->term_id,
			'name' => $category->name,
		);
	}

	/**
	 * Filter to modify Ajax tags search result
	 *
	 * @since 2.1
	 *
	 * @param array $results Contain the categories id and name
	 *
	 * @return array $results Contain the categories id and name
	 */
	$results = (array) apply_filters( 'give_forms_categories_dropdown_responce', $results );

	wp_send_json( $results );
}

add_action( 'wp_ajax_give_categories_search', 'give_ajax_categories_search' );

/**
 * Retrieve Tags via AJAX for chosen dropdown search field.
 *
 * @since  2.1
 *
 * @return void
 */
function give_ajax_tags_search() {
	$results = array();

	/**
	 * Filter to modify Ajax tags search args
	 *
	 * @since 2.1
	 *
	 * @param array $args argument for get_terms
	 *
	 * @return array $args argument for get_terms
	 */
	$args = (array) apply_filters( 'give_forms_tags_dropdown_args', array(
		'number'     => 30,
		'name__like' => esc_sql( sanitize_text_field( $_POST['s'] ) )
	) );

	$categories = get_terms( 'give_forms_tag', $args );

	foreach ( $categories as $category ) {
		$results[] = array(
			'id'   => $category->term_id,
			'name' => $category->name,
		);
	}

	/**
	 * Filter to modify Ajax tags search result
	 *
	 * @since 2.1
	 *
	 * @param array $results Contain the tags id and name
	 *
	 * @return array $results Contain the tags id and name
	 */
	$results = (array) apply_filters( 'give_forms_tags_dropdown_responce', $results );

	wp_send_json( $results );
}

add_action( 'wp_ajax_give_tags_search', 'give_ajax_tags_search' );

/**
 * Check for Price Variations (Multi-level donation forms)
 *
 * @since  1.5
 *
 * @return void
 */
function give_check_for_form_price_variations() {

	if ( ! current_user_can( 'edit_give_forms', get_current_user_id() ) ) {
		die( '-1' );
	}

	$form_id = intval( $_POST['form_id'] );
	$form    = get_post( $form_id );

	if ( 'give_forms' !== $form->post_type ) {
		die( '-2' );
	}

	if ( give_has_variable_prices( $form_id ) ) {
		$variable_prices = give_get_variable_prices( $form_id );

		if ( $variable_prices ) {
			$ajax_response = '<select class="give_price_options_select give-select give-select" name="give_price_option">';

			if ( isset( $_POST['all_prices'] ) ) {
				$ajax_response .= '<option value="all">' . esc_html__( 'All Levels', 'give' ) . '</option>';
			}

			foreach ( $variable_prices as $key => $price ) {

				$level_text = ! empty( $price['_give_text'] ) ? esc_html( $price['_give_text'] ) : give_currency_filter( give_format_amount( $price['_give_amount'], array( 'sanitize' => false ) ) );

				$ajax_response .= '<option value="' . esc_attr( $price['_give_id']['level_id'] ) . '">' . $level_text . '</option>';
			}
			$ajax_response .= '</select>';
			echo $ajax_response;
		}
	}

	give_die();
}

add_action( 'wp_ajax_give_check_for_form_price_variations', 'give_check_for_form_price_variations' );


/**
 * Check for Variation Prices HTML  (Multi-level donation forms)
 *
 * @since  1.6
 *
 * @return void
 */
function give_check_for_form_price_variations_html() {
	if ( ! current_user_can( 'edit_give_payments', get_current_user_id() ) ) {
		wp_die();
	}

	$form_id    = ! empty( $_POST['form_id'] ) ? intval( $_POST['form_id'] ) : false;
	$payment_id = ! empty( $_POST['payment_id'] ) ? intval( $_POST['payment_id'] ) : false;
	if ( empty( $form_id ) || empty( $payment_id ) ) {
		wp_die();
	}

	$form = get_post( $form_id );
	if ( ! empty( $form->post_type ) && 'give_forms' !== $form->post_type ) {
		wp_die();
	}

	if ( ! give_has_variable_prices( $form_id ) || ! $form_id ) {
		esc_html_e( 'n/a', 'give' );
	} else {
		$prices_atts = array();
		if ( $variable_prices = give_get_variable_prices( $form_id ) ) {
			foreach ( $variable_prices as $variable_price ) {
				$prices_atts[ $variable_price['_give_id']['level_id'] ] = give_format_amount( $variable_price['_give_amount'], array( 'sanitize' => false ) );
			}
		}

		// Variable price dropdown options.
		$variable_price_dropdown_option = array(
			'id'               => $form_id,
			'name'             => 'give-variable-price',
			'chosen'           => true,
			'show_option_all'  => '',
			'show_option_none' => '',
			'select_atts'      => 'data-prices=' . esc_attr( json_encode( $prices_atts ) ),
		);

		if ( $payment_id ) {
			// Payment object.
			$payment = new Give_Payment( $payment_id );

			// Payment meta.
			$payment_meta                               = $payment->get_meta();
			$variable_price_dropdown_option['selected'] = $payment_meta['price_id'];
		}

		// Render variable prices select tag html.
		give_get_form_variable_price_dropdown( $variable_price_dropdown_option, true );
	}

	give_die();
}

add_action( 'wp_ajax_give_check_for_form_price_variations_html', 'give_check_for_form_price_variations_html' );

/**
 * Send Confirmation Email For Complete Donation History Access.
 *
 * @since 1.8.17
 *
 * @return bool
 */
function give_confirm_email_for_donation_access() {

	// Verify Security using Nonce.
	if ( ! check_ajax_referer( 'give_ajax_nonce', 'nonce' ) ) {
		return false;
	}

	// Bail Out, if email is empty.
	if ( empty( $_POST['email'] ) ) {
		return false;
	}

	$donor = Give()->donors->get_donor_by( 'email', give_clean( $_POST['email'] ) );
	if ( Give()->email_access->can_send_email( $donor->id ) ) {
		$return     = array();
		$email_sent = Give()->email_access->send_email( $donor->id, $donor->email );

		if ( ! $email_sent ) {
			$return['status']  = 'error';
			$return['message'] = Give()->notices->print_frontend_notice(
				__( 'Unable to send email. Please try again.', 'give' ),
				false,
				'error'
			);
		}

		$return['status']  = 'success';

		/**
		 * Filter to modify access mail send notice
		 *
		 * @since 2.1.3
		 *
		 * @param string Send notice message for email access.
		 *
		 * @return  string $message Send notice message for email access.
		 */
		$message = (string) apply_filters( 'give_email_access_mail_send_notice', __( 'Please check your email and click on the link to access your complete donation history.', 'give' ) );

		$return['message'] = Give()->notices->print_frontend_notice(
			$message,
			false,
			'success'
		);



	} else {
		$value             = Give()->email_access->verify_throttle / 60;
		$return['status']  = 'error';

		/**
		 * Filter to modify email access exceed notices message.
		 *
		 * @since 2.1.3
		 *
		 * @param string $message email access exceed notices message
		 * @param int $value email access exceed times
		 *
		 * @return string $message email access exceed notices message
		 */
		$message = (string) apply_filters(
			'give_email_access_requests_exceed_notice',
			sprintf(
				__( 'Too many access email requests detected. Please wait %s before requesting a new donation history access link.', 'give' ),
				sprintf( _n( '%s minute', '%s minutes', $value, 'give' ), $value )
			),
			$value
		);

		$return['message'] = Give()->notices->print_frontend_notice(
			$message,
			false,
			'error'
		);
	}

	echo json_encode( $return );
	give_die();
}

add_action( 'wp_ajax_nopriv_give_confirm_email_for_donations_access', 'give_confirm_email_for_donation_access' );

/**
 * Render receipt by ajax
 * Note: only for internal use
 *
 * @since 2.2.0
 */
function __give_get_receipt(){
	
	$get_data = give_clean( filter_input_array( INPUT_GET ) );
	
	if( ! isset( $get_data['shortcode_atts'] ) ) {
		give_die();
	}

	$atts = (array) json_decode( $get_data['shortcode_atts'] );
	$data = give_receipt_shortcode( $atts );

	wp_send_json( $data );
}
add_action( 'wp_ajax_get_receipt', '__give_get_receipt' );
add_action( 'wp_ajax_nopriv_get_receipt', '__give_get_receipt' );


1		<?php
2		/**
3		* AJAX Functions
4		*
5		* Process the front-end AJAX actions.
6		*
7		* @package Give
8		* @subpackage Functions/AJAX
9		* @copyright Copyright (c) 2016, GiveWP
10		* @license https://opensource.org/licenses/gpl-license GNU Public License
11		* @since 1.0
12		*/
13
14		// Exit if accessed directly.
15		if ( ! defined( 'ABSPATH' ) ) {
16		exit;
17		}
18
19		/**
20		* Check if AJAX works as expected
21		* Note: Do not use this function before init hook.
22		*
23		* @since 1.0
24		*
25		* @param bool $force Flag to test ajax by discarding cache result
26		*
27		* @return bool True if AJAX works, false otherwise
28		*/
29		function give_test_ajax_works( $force = false ) {
30		// Handle ajax.
31		if ( doing_action( 'wp_ajax_nopriv_give_test_ajax' ) ) {
32		wp_die( 0, 200 );
33		}
34
35		// Check if the Airplane Mode plugin is installed.
36		if ( class_exists( 'Airplane_Mode_Core' ) ) {
37
38		$airplane = Airplane_Mode_Core::getInstance();
39
40		if ( method_exists( $airplane, 'enabled' ) ) {
41
42		if ( $airplane->enabled() ) {
43		return true;
44		}
45		} else {
46
47		if ( 'on' === $airplane->check_status() ) {
48		return true;
49		}
50		}
51		}
52
53		add_filter( 'block_local_requests', '__return_false' );
54
55		$works = Give_Cache::get( '_give_ajax_works', true );
56
57		if ( ! $works \|\| $force ) {
58		$params = array(
59		'sslverify' => false,
60		'timeout' => 30,
61		'body' => array(
62		'action' => 'give_test_ajax',
63		),
64		);
65
66		$ajax = wp_remote_post( give_get_ajax_url(), $params );
67
68		$works = true;
69
70		if ( is_wp_error( $ajax ) ) {
71
72		$works = false;
73
74		} else {
75
76		if ( empty( $ajax['response'] ) ) {
77		$works = false;
78		}
79
80		if ( empty( $ajax['response']['code'] ) \|\| 200 !== (int) $ajax['response']['code'] ) {
81		$works = false;
82		}
83
84		if ( empty( $ajax['response']['message'] ) \|\| 'OK' !== $ajax['response']['message'] ) {
85		$works = false;
86		}
87
88		if ( ! isset( $ajax['body'] ) \|\| 0 !== (int) $ajax['body'] ) {
89		$works = false;
90		}
91		}
92
93		if ( $works ) {
94		Give_Cache::set( '_give_ajax_works', '1', DAY_IN_SECONDS, true );
95		}
96		}
97
98		/**
99		* Filter the output
100		*
101		* @since 1.0
102		*/
103		return apply_filters( 'give_test_ajax_works', $works );
104		}
105
106		add_action( 'wp_ajax_nopriv_give_test_ajax', 'give_test_ajax_works' );
107
108		/**
109		* Get AJAX URL
110		*
111		* @since 1.0
112		*
113		* @param array $query
114		*
115		* @return string
116		*/
117		function give_get_ajax_url( $query = array() ) {
118		$scheme = defined( 'FORCE_SSL_ADMIN' ) && FORCE_SSL_ADMIN ? 'https' : 'admin';
119
120		$current_url = give_get_current_page_url();
121		$ajax_url = admin_url( 'admin-ajax.php', $scheme );
122
123		if ( preg_match( '/^https/', $current_url ) && ! preg_match( '/^https/', $ajax_url ) ) {
124		$ajax_url = preg_replace( '/^http/', 'https', $ajax_url );
125		}
126
127		if ( ! empty( $query ) ) {
128		$ajax_url = add_query_arg( $query, $ajax_url );
129		}
130
131		return apply_filters( 'give_ajax_url', $ajax_url );
132		}
133
134		/**
135		* Loads Checkout Login Fields via AJAX
136		*
137		* @since 1.0
138		*
139		* @return void
140		*/
141		function give_load_checkout_login_fields() {
142		/**
143		* Fire when render login fields via ajax.
144		*
145		* @since 1.7
146		*/
147		do_action( 'give_donation_form_login_fields' );
148
149		give_die();
150		}
151
152		add_action( 'wp_ajax_nopriv_give_checkout_login', 'give_load_checkout_login_fields' );
153
154		/**
155		* Load Checkout Fields
156		*
157		* @since 1.3.6
158		*
159		* @return void
160		*/
161		function give_load_checkout_fields() {
162		$form_id = isset( $_POST['form_id'] ) ? $_POST['form_id'] : '';
163
164		ob_start();
165
166		/**
167		* Fire to render registration/login form.
168		*
169		* @since 1.7
170		*/
171		do_action( 'give_donation_form_register_login_fields', $form_id );
172
173		$fields = ob_get_clean();
174
175		wp_send_json( array(
176		'fields' => wp_json_encode( $fields ),
177		'submit' => wp_json_encode( give_get_donation_form_submit_button( $form_id ) ),
178		) );
179		}
180
181		add_action( 'wp_ajax_nopriv_give_cancel_login', 'give_load_checkout_fields' );
182		add_action( 'wp_ajax_nopriv_give_checkout_register', 'give_load_checkout_fields' );
183
184		/**
185		* Get Form Title via AJAX (used only in WordPress Admin)
186		*
187		* @since 1.0
188		*
189		* @return void
190		*/
191		function give_ajax_get_form_title() {
192		if ( isset( $_POST['form_id'] ) ) {
193		$title = get_the_title( $_POST['form_id'] );
194		if ( $title ) {
195		echo $title;
196		} else {
197		echo 'fail';
198		}
199		}
200		give_die();
201		}
202
203		add_action( 'wp_ajax_give_get_form_title', 'give_ajax_get_form_title' );
204		add_action( 'wp_ajax_nopriv_give_get_form_title', 'give_ajax_get_form_title' );
205
206		/**
207		* Retrieve a states drop down
208		*
209		* @since 1.0
210		*
211		* @return void
212		*/
213		function give_ajax_get_states_field() {
214		$states_found = false;
215		$show_field = true;
216		$states_require = true;
217		// Get the Country code from the $_POST.
218		$country = sanitize_text_field( $_POST['country'] );
219
220		// Get the field name from the $_POST.
221		$field_name = sanitize_text_field( $_POST['field_name'] );
222
223		$label = __( 'State', 'give' );
224		$states_label = give_get_states_label();
225
226		$default_state = '';
227		if ( give_get_country() === $country ) {
228		$default_state = give_get_state();
229		}
230
231		// Check if $country code exists in the array key for states label.
232		if ( array_key_exists( $country, $states_label ) ) {
233		$label = $states_label[ $country ];
234		}
235
236		if ( empty( $country ) ) {
237		$country = give_get_country();
238		}
239
240		$states = give_get_states( $country );
241		if ( ! empty( $states ) ) {
242		$args = array(
243		'name' => $field_name,
244		'id' => $field_name,
245		'class' => $field_name . ' give-select',
246		'options' => $states,
247		'show_option_all' => false,
248		'show_option_none' => false,
249		'placeholder' => $label,
250		'selected' => $default_state,
251		);
252		$data = Give()->html->select( $args );
253		$states_found = true;
254		} else {
255		$data = 'nostates';
256
257		// Get the country list that does not have any states init.
258		$no_states_country = give_no_states_country_list();
259
260		// Check if $country code exists in the array key.
261		if ( array_key_exists( $country, $no_states_country ) ) {
262		$show_field = false;
263		}
264
265		// Get the country list that does not require states.
266		$states_not_required_country_list = give_states_not_required_country_list();
267
268		// Check if $country code exists in the array key.
269		if ( array_key_exists( $country, $states_not_required_country_list ) ) {
270		$states_require = false;
271		}
272		}
273
274		$response = array(
275		'success' => true,
276		'states_found' => $states_found,
277		'states_label' => $label,
278		'show_field' => $show_field,
279		'states_require' => $states_require,
280		'data' => $data,
281		'default_state' => $default_state,
282		'city_require' => ! array_key_exists( $country, give_city_not_required_country_list() ),
283		);
284		wp_send_json( $response );
285		}
286
287		add_action( 'wp_ajax_give_get_states', 'give_ajax_get_states_field' );
288		add_action( 'wp_ajax_nopriv_give_get_states', 'give_ajax_get_states_field' );
289
290		/**
291		* Retrieve donation forms via AJAX for chosen dropdown search field.
292		*
293		* @since 1.0
294		*
295		* @return void
296		*/
297		function give_ajax_form_search() {
298		$results = array();
299		$search = esc_sql( sanitize_text_field( $_POST['s'] ) );
300
301		$args = array(
302		'post_type' => 'give_forms',
303		's' => $search,
304		'update_post_term_cache' => false,
305		'update_post_meta_cache' => false,
306		'cache_results' => false,
307		'no_found_rows' => true,
308		'post_status' => 'publish',
309		'orderby' => 'title',
310		'order' => 'ASC',
311		'posts_per_page' => empty( $search ) ? 30 : -1,
312		);
313
314		/**
315		* Filter to modify Ajax form search args
316		*
317		* @since 2.1
318		*
319		* @param array $args Query argument for WP_query
320		*
321		* @return array $args Query argument for WP_query
322		*/
323		$args = (array) apply_filters( 'give_ajax_form_search_args', $args );
324
325		// get all the donation form.
326		$query = new WP_Query( $args );
327		if ( $query->have_posts() ) {
328		while ( $query->have_posts() ) {
329		$query->the_post();
330		global $post;
331
332		$results[] = array(
333		'id' => $post->ID,
334		'name' => $post->post_title,
335		);
336		}
337		wp_reset_postdata();
338		}
339
340		/**
341		* Filter to modify Ajax form search result
342		*
343		* @since 2.1
344		*
345		* @param array $results Contain the Donation Form id
346		*
347		* @return array $results Contain the Donation Form id
348		*/
349		$results = (array) apply_filters( 'give_ajax_form_search_responce', $results );
350
351		wp_send_json( $results );
352		}
353
354		add_action( 'wp_ajax_give_form_search', 'give_ajax_form_search' );
355		add_action( 'wp_ajax_nopriv_give_form_search', 'give_ajax_form_search' );
356
357		/**
358		* Search the donors database via Ajax
359		*
360		* @since 1.0
361		*
362		* @return void
363		*/
364		function give_ajax_donor_search() {
365		global $wpdb;
366
367		$search = esc_sql( sanitize_text_field( $_POST['s'] ) );
368		$results = array();
369		if ( ! current_user_can( 'view_give_reports' ) ) {
370		$donors = array();
371		} else {
372		$donors = $wpdb->get_results( "SELECT id,name,email FROM $wpdb->donors WHERE `name` LIKE '%$search%' OR `email` LIKE '%$search%' LIMIT 50" );
373		}
374
375		if ( $donors ) {
376		foreach ( $donors as $donor ) {
377
378		$results[] = array(
379		'id' => $donor->id,
380		'name' => $donor->name . ' (' . $donor->email . ')',
381		);
382		}
383		}
384
385		wp_send_json( $results );
386		}
387
388		add_action( 'wp_ajax_give_donor_search', 'give_ajax_donor_search' );
389
390
391		/**
392		* Searches for users via ajax and returns a list of results
393		*
394		* @since 1.0
395		*
396		* @return void
397		*/
398		function give_ajax_search_users() {
399		$results = array();
400
401		if ( current_user_can( 'manage_give_settings' ) ) {
402
403		$search = esc_sql( sanitize_text_field( $_POST['s'] ) );
404
405		$get_users_args = array(
406		'number' => 9999,
407		'search' => $search . '*',
408		);
409
410		$get_users_args = apply_filters( 'give_search_users_args', $get_users_args );
411
412		$found_users = apply_filters( 'give_ajax_found_users', get_users( $get_users_args ), $search );
413		$results = array();
414
415		if ( $found_users ) {
416
417		foreach ( $found_users as $user ) {
418
419		$results[] = array(
420		'id' => $user->ID,
421		'name' => esc_html( $user->user_login . ' (' . $user->user_email . ')' ),
422		);
423		}
424		}
425		}// End if().
426
427		wp_send_json( $results );
428
429		}
430
431		add_action( 'wp_ajax_give_user_search', 'give_ajax_search_users' );
432
433
434		/**
435		* Queries page by title and returns page ID and title in JSON format.
436		*
437		* Note: this function in for internal use.
438		*
439		* @since 2.1
440		*
441		* @return string
442		*/
443		function give_ajax_pages_search() {
444		$data = array();
445		$args = array(
446		'post_type' => 'page',
447		's' => give_clean( $_POST['s'] ),
448		);
449
450		$query = new WP_Query( $args );
451
452		// Query posts by title.
453		if ( $query->have_posts() ) {
454		while ( $query->have_posts() ) {
455		$query->the_post();
456
457		$data[] = array(
458		'id' => get_the_ID(),
459		'name' => get_the_title(),
460		);
461		}
462		}
463
464		wp_send_json( $data );
465		}
466
467		add_action( 'wp_ajax_give_pages_search', 'give_ajax_pages_search' );
468
469		/**
470		* Retrieve Categories via AJAX for chosen dropdown search field.
471		*
472		* @since 2.1
473		*
474		* @return void
475		*/
476	View Code Duplication	function give_ajax_categories_search() {
477		$results = array();
478
479		/**
480		* Filter to modify Ajax tags search args
481		*
482		* @since 2.1
483		*
484		* @param array $args argument for get_terms
485		*
486		* @return array $args argument for get_terms
487		*/
488		$args = (array) apply_filters( 'give_forms_categories_dropdown_args', array(
489		'number' => 30,
490		'name__like' => esc_sql( sanitize_text_field( $_POST['s'] ) )
491		) );
492
493		$categories = get_terms( 'give_forms_category', $args );
494
495		foreach ( $categories as $category ) {
496		$results[] = array(
497		'id' => $category->term_id,
498		'name' => $category->name,
499		);
500		}
501
502		/**
503		* Filter to modify Ajax tags search result
504		*
505		* @since 2.1
506		*
507		* @param array $results Contain the categories id and name
508		*
509		* @return array $results Contain the categories id and name
510		*/
511		$results = (array) apply_filters( 'give_forms_categories_dropdown_responce', $results );
512
513		wp_send_json( $results );
514		}
515
516		add_action( 'wp_ajax_give_categories_search', 'give_ajax_categories_search' );
517
518		/**
519		* Retrieve Tags via AJAX for chosen dropdown search field.
520		*
521		* @since 2.1
522		*
523		* @return void
524		*/
525	View Code Duplication	function give_ajax_tags_search() {
526		$results = array();
527
528		/**
529		* Filter to modify Ajax tags search args
530		*
531		* @since 2.1
532		*
533		* @param array $args argument for get_terms
534		*
535		* @return array $args argument for get_terms
536		*/
537		$args = (array) apply_filters( 'give_forms_tags_dropdown_args', array(
538		'number' => 30,
539		'name__like' => esc_sql( sanitize_text_field( $_POST['s'] ) )
540		) );
541
542		$categories = get_terms( 'give_forms_tag', $args );
543
544		foreach ( $categories as $category ) {
545		$results[] = array(
546		'id' => $category->term_id,
547		'name' => $category->name,
548		);
549		}
550
551		/**
552		* Filter to modify Ajax tags search result
553		*
554		* @since 2.1
555		*
556		* @param array $results Contain the tags id and name
557		*
558		* @return array $results Contain the tags id and name
559		*/
560		$results = (array) apply_filters( 'give_forms_tags_dropdown_responce', $results );
561
562		wp_send_json( $results );
563		}
564
565		add_action( 'wp_ajax_give_tags_search', 'give_ajax_tags_search' );
566
567		/**
568		* Check for Price Variations (Multi-level donation forms)
569		*
570		* @since 1.5
571		*
572		* @return void
573		*/
574		function give_check_for_form_price_variations() {
575
576		if ( ! current_user_can( 'edit_give_forms', get_current_user_id() ) ) {
577		die( '-1' );
578		}
579
580		$form_id = intval( $_POST['form_id'] );
581		$form = get_post( $form_id );
582
583		if ( 'give_forms' !== $form->post_type ) {
584		die( '-2' );
585		}
586
587		if ( give_has_variable_prices( $form_id ) ) {
588		$variable_prices = give_get_variable_prices( $form_id );
589
590		if ( $variable_prices ) {
591		$ajax_response = '<select class="give_price_options_select give-select give-select" name="give_price_option">';
592
593		if ( isset( $_POST['all_prices'] ) ) {
594		$ajax_response .= '<option value="all">' . esc_html__( 'All Levels', 'give' ) . '</option>';
595		}
596
597		foreach ( $variable_prices as $key => $price ) {
598
599		$level_text = ! empty( $price['_give_text'] ) ? esc_html( $price['_give_text'] ) : give_currency_filter( give_format_amount( $price['_give_amount'], array( 'sanitize' => false ) ) );
600
601		$ajax_response .= '<option value="' . esc_attr( $price['_give_id']['level_id'] ) . '">' . $level_text . '</option>';
602		}
603		$ajax_response .= '</select>';
604		echo $ajax_response;
605		}
606		}
607
608		give_die();
609		}
610
611		add_action( 'wp_ajax_give_check_for_form_price_variations', 'give_check_for_form_price_variations' );
612
613
614		/**
615		* Check for Variation Prices HTML (Multi-level donation forms)
616		*
617		* @since 1.6
618		*
619		* @return void
620		*/
621		function give_check_for_form_price_variations_html() {
622		if ( ! current_user_can( 'edit_give_payments', get_current_user_id() ) ) {
623		wp_die();
624		}
625
626		$form_id = ! empty( $_POST['form_id'] ) ? intval( $_POST['form_id'] ) : false;
627		$payment_id = ! empty( $_POST['payment_id'] ) ? intval( $_POST['payment_id'] ) : false;
628		if ( empty( $form_id ) \|\| empty( $payment_id ) ) {
629		wp_die();
630		}
631
632		$form = get_post( $form_id );
633		if ( ! empty( $form->post_type ) && 'give_forms' !== $form->post_type ) {
634		wp_die();
635		}
636
637		if ( ! give_has_variable_prices( $form_id ) \|\| ! $form_id ) {
638		esc_html_e( 'n/a', 'give' );
639		} else {
640		$prices_atts = array();
641	View Code Duplication	if ( $variable_prices = give_get_variable_prices( $form_id ) ) {
642		foreach ( $variable_prices as $variable_price ) {
643		$prices_atts[ $variable_price['_give_id']['level_id'] ] = give_format_amount( $variable_price['_give_amount'], array( 'sanitize' => false ) );
644		}
645		}
646
647		// Variable price dropdown options.
648		$variable_price_dropdown_option = array(
649		'id' => $form_id,
650		'name' => 'give-variable-price',
651		'chosen' => true,
652		'show_option_all' => '',
653		'show_option_none' => '',
654		'select_atts' => 'data-prices=' . esc_attr( json_encode( $prices_atts ) ),
655		);
656
657		if ( $payment_id ) {
658		// Payment object.
659		$payment = new Give_Payment( $payment_id );
660
661		// Payment meta.
662		$payment_meta = $payment->get_meta();
663		$variable_price_dropdown_option['selected'] = $payment_meta['price_id'];
664		}
665
666		// Render variable prices select tag html.
667		give_get_form_variable_price_dropdown( $variable_price_dropdown_option, true );
668		}
669
670		give_die();
671		}
672
673		add_action( 'wp_ajax_give_check_for_form_price_variations_html', 'give_check_for_form_price_variations_html' );
674
675		/**
676		* Send Confirmation Email For Complete Donation History Access.
677		*
678		* @since 1.8.17
679		*
680		* @return bool
681		*/
682		function give_confirm_email_for_donation_access() {
683
684		// Verify Security using Nonce.
685		if ( ! check_ajax_referer( 'give_ajax_nonce', 'nonce' ) ) {
686		return false;
687		}
688
689		// Bail Out, if email is empty.
690		if ( empty( $_POST['email'] ) ) {
691		return false;
692		}
693
694		$donor = Give()->donors->get_donor_by( 'email', give_clean( $_POST['email'] ) );
695		if ( Give()->email_access->can_send_email( $donor->id ) ) {
696		$return = array();
697		$email_sent = Give()->email_access->send_email( $donor->id, $donor->email );
698
699		if ( ! $email_sent ) {
700		$return['status'] = 'error';
701		$return['message'] = Give()->notices->print_frontend_notice(
702		__( 'Unable to send email. Please try again.', 'give' ),
703		false,
704		'error'
705		);
706		}
707
708		$return['status'] = 'success';
709
710		/**
711		* Filter to modify access mail send notice
712		*
713		* @since 2.1.3
714		*
715		* @param string Send notice message for email access.
716		*
717		* @return string $message Send notice message for email access.
718		*/
719		$message = (string) apply_filters( 'give_email_access_mail_send_notice', __( 'Please check your email and click on the link to access your complete donation history.', 'give' ) );
720
721		$return['message'] = Give()->notices->print_frontend_notice(
722		$message,
723		false,
724		'success'
725		);
726
		0 ignored issues – show Coding Style introduced 2017-12-08 06:50 UTC by Report Bug Copy Issue Report Show Similar Issues like this Functions must not contain multiple empty lines in a row; found 2 empty lines Loading history...
727
728		} else {
729		$value = Give()->email_access->verify_throttle / 60;
730		$return['status'] = 'error';
731
732		/**
733		* Filter to modify email access exceed notices message.
734		*
735		* @since 2.1.3
736		*
737		* @param string $message email access exceed notices message
738		* @param int $value email access exceed times
739		*
740		* @return string $message email access exceed notices message
741		*/
742		$message = (string) apply_filters(
743		'give_email_access_requests_exceed_notice',
744		sprintf(
745		__( 'Too many access email requests detected. Please wait %s before requesting a new donation history access link.', 'give' ),
746		sprintf( _n( '%s minute', '%s minutes', $value, 'give' ), $value )
747		),
748		$value
749		);
750
751		$return['message'] = Give()->notices->print_frontend_notice(
752		$message,
753		false,
754		'error'
755		);
756		}
757
758		echo json_encode( $return );
759		give_die();
760		}
761
762		add_action( 'wp_ajax_nopriv_give_confirm_email_for_donations_access', 'give_confirm_email_for_donation_access' );
763
764		/**
765		* Render receipt by ajax
766		* Note: only for internal use
767		*
768		* @since 2.2.0
769		*/
770		function __give_get_receipt(){
771
772		$get_data = give_clean( filter_input_array( INPUT_GET ) );
773
774		if( ! isset( $get_data['shortcode_atts'] ) ) {
775		give_die();
776		}
777
778		$atts = (array) json_decode( $get_data['shortcode_atts'] );
779		$data = give_receipt_shortcode( $atts );
780
781		wp_send_json( $data );
782		}
783		add_action( 'wp_ajax_get_receipt', '__give_get_receipt' );
784		add_action( 'wp_ajax_nopriv_get_receipt', '__give_get_receipt' );
785

ravinderk / Give

Issues (4335)

Security Analysis not enabled

includes/ajax-functions.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like