Merge branch 'release/3.2.1'

README.md

@@ -3,11 +3,11 @@
 **Donate Link:** http://tareq.co/donate/  
 **Tags:** WooCommerce multivendor marketplace, multi vendor marketplace, multi seller store, multi-vendor, multi seller, commissions, multivendor, marketplace, product vendors, woocommerce vendor, commission rate, e-commerce, woocommerce, ebay, ecommerce, yith, yithemes  
 **Requires at least:** 4.4  
-**Tested up to:** 5.6  
+**Tested up to:** 5.6.1  
 **WC requires at least:** 3.0  
-**WC tested up to:** 4.9.2  
+**WC tested up to:** 5.0.0  
 **Requires PHP:** 5.6  
-**Stable tag:** 3.2.0  
+**Stable tag:** 3.2.1  
 **License:** GPLv2 or later  
 **License URI:** http://www.gnu.org/licenses/gpl-2.0.html  
 
@@ -292,6 +292,12 @@ A. Just install and activate the PRO version without deleting the free plugin. A
 
 ## Changelog ##
 
+### v3.2.1 ( February 12, 2021 ) ###
+
+**fix:** Optimized code for better security
+**update:** performance improvements on vendor dashboard end
+**fix:** fixed conflict with user frontend menu position with Dokan
+
 ### v3.2.0 ( January 29, 2021 ) ###
 
 **new** Added blank product page new UI on vendor dashboard

dokan.php

@@ -3,12 +3,12 @@
  * Plugin Name: Dokan
  * Plugin URI: https://wordpress.org/plugins/dokan-lite/
  * Description: An e-commerce marketplace plugin for WordPress. Powered by WooCommerce and weDevs.
- * Version: 3.2.0
+ * Version: 3.2.1
  * Author: weDevs
  * Author URI: https://wedevs.com/
  * Text Domain: dokan-lite
  * WC requires at least: 3.0
- * WC tested up to: 4.9.2
+ * WC tested up to: 5.0.0
  * Domain Path: /languages/
  * License: GPL2
  */
@@ -56,7 +56,7 @@ final class WeDevs_Dokan {
      *
      * @var string
      */
-    public $version = '3.2.0';
+    public $version = '3.2.1';
 
     /**
      * Instance of self

includes/Abstracts/DokanPromotion.php

@@ -186,7 +186,7 @@ public function dismiss_upgrade_promo() {
             wp_send_json_error( __( 'You have no permission to do that', 'dokan-lite' ) );
         }
 
-        if ( ! wp_verify_nonce( $post_data['nonce'], 'dokan_admin' ) ) {
+        if ( ! isset( $post_data['nonce'] ) || ! wp_verify_nonce( sanitize_key( $post_data['nonce'] ), 'dokan_admin' ) ) {
             wp_send_json_error( __( 'Invalid nonce', 'dokan-lite' ) );
         }
 

includes/Admin/LimitedTimePromotion.php

@@ -200,7 +200,7 @@ public function dismiss_limited_time_promo() {
             wp_send_json_error( __( 'You have no permission to do that', 'dokan-lite' ) );
         }
 
-        if ( ! wp_verify_nonce( $post_data['nonce'], 'dokan_admin' ) ) {
+        if ( ! isset( $post_data['nonce'] ) || ! wp_verify_nonce( sanitize_key( $post_data['nonce'] ), 'dokan_admin' ) ) {
             wp_send_json_error( __( 'Invalid nonce', 'dokan-lite' ) );
         }
 

includes/Admin/Settings.php

@@ -68,7 +68,7 @@ public function get_settings_value() {
 
         $_post_data = wp_unslash( $_POST );
 
-        if ( ! wp_verify_nonce( sanitize_text_field( $_post_data['nonce'] ), 'dokan_admin' ) ) {
+        if ( ! isset( $_post_data['nonce'] ) || ! wp_verify_nonce( sanitize_key( $_post_data['nonce'] ), 'dokan_admin' ) ) {
             wp_send_json_error( __( 'Invalid nonce', 'dokan-lite' ) );
         }
 
@@ -96,7 +96,7 @@ public function save_settings_value() {
 
             $_post_data = wp_unslash( $_POST );
 
-            if ( ! wp_verify_nonce( sanitize_text_field( $_post_data['nonce'] ), 'dokan_admin' ) ) {
+            if ( ! isset( $_post_data['nonce'] ) || ! wp_verify_nonce( sanitize_key( $_post_data['nonce'] ), 'dokan_admin' ) ) {
                 throw new DokanException( 'dokan_settings_invalid_nonce', __( 'Invalid nonce', 'dokan-lite' ), 403 );
             }
 
@@ -360,6 +360,7 @@ public function get_settings_fields() {
                 'store_products_per_page' => [
                     'name'    => 'store_products_per_page',
                     'label'   => __( 'Store Products Per Page', 'dokan-lite' ),
+                    'desc'    => __( 'Set how many products to display per page on the vendor store page. It will affect only if the vendor isn\'t set this value on their vendor setting page.', 'dokan-lite' ),
                     'type'    => 'number',
                     'default' => '12',
                 ],
@@ -512,7 +513,6 @@ public function get_settings_fields() {
                 'reg_tc_page'   => [
                     'name'        => 'reg_tc_page',
                     'label'       => __( 'Terms and Conditions Page', 'dokan-lite' ),
-                    //'desc'        => __( 'Select a page to show Terms and Conditions', 'dokan-lite' ),
                     'type'        => 'select',
                     'placeholder' => __( 'Select page', 'dokan-lite' ),
                     'options'     => $pages_array,

includes/Admin/UserProfile.php

@@ -26,8 +26,8 @@ public function __construct() {
      *
      * @return void
      */
-    function enqueue_scripts( $page ) {
-        if ( in_array( $page, array( 'profile.php', 'user-edit.php' ) ) ) {
+    public function enqueue_scripts( $page ) {
+        if ( in_array( $page, array( 'profile.php', 'user-edit.php' ), true ) ) {
             wp_enqueue_media();
 
             $admin_admin_script = array(
@@ -52,7 +52,7 @@ function enqueue_scripts( $page ) {
      *
      * @return void|false
      */
-    function add_meta_fields( $user ) {
+    public function add_meta_fields( $user ) {
         if ( ! current_user_can( 'manage_woocommerce' ) ) {
             return;
         }
@@ -81,7 +81,7 @@ function add_meta_fields( $user ) {
 
         $banner_width    = dokan_get_option( 'store_banner_width', 'dokan_appearance', 625 );
         $banner_height   = dokan_get_option( 'store_banner_height', 'dokan_appearance', 300 );
-        $admin_commission = ( 'flat' == $admin_commission_type ) ? wc_format_localized_price( $admin_commission ) : wc_format_localized_decimal( $admin_commission );
+        $admin_commission = ( 'flat' === $admin_commission_type ) ? wc_format_localized_price( $admin_commission ) : wc_format_localized_decimal( $admin_commission );
 
         $country_state = array(
             'country' => array(
@@ -119,6 +119,7 @@ function add_meta_fields( $user ) {
                                 <p class="description">
                                     <?php
                                     echo sprintf(
+                                        /* translators: %1$s: banner width, %2$s: banner height in integers */
                                         esc_attr__( 'Upload a banner for your store. Banner size is (%1$sx%2$s) pixels.', 'dokan-lite' ),
                                         esc_attr( $banner_width ),
                                         esc_attr( $banner_height )
@@ -177,10 +178,10 @@ function add_meta_fields( $user ) {
                     <tr>
                         <th><label for="<?php echo esc_attr( $key ); ?>"><?php echo esc_html( $field['label'] ); ?></label></th>
                         <td>
-                            <?php if ( ! empty( $field['type'] ) && 'select' == $field['type'] ) : ?>
+                            <?php if ( ! empty( $field['type'] ) && 'select' === (string) $field['type'] ) : ?>
                             <select name="dokan_store_address[<?php echo esc_attr( $key ); ?>]" id="<?php echo esc_attr( $key ); ?>" class="<?php echo ( ! empty( $field['class'] ) ? esc_attr( $field['class'] ) : '' ); ?>" style="width: 25em;">
                                     <?php
-									if ( 'country' == $key ) {
+									if ( 'country' === (string) $key ) {
 										$selected = esc_attr( $address_country );
 									} else {
 										$selected = esc_attr( $address_state );
@@ -192,7 +193,7 @@ function add_meta_fields( $user ) {
                                 </select>
                             <?php else : ?>
                                 <?php
-                                if ( 'country' == $key ) {
+                                if ( 'country' === (string) $key ) {
                                     $value = esc_attr( $address_country );
                                 } else {
                                     $value = esc_attr( $address_state );
@@ -531,14 +532,14 @@ function add_meta_fields( $user ) {
      *
      * @return void
      */
-    function save_meta_fields( $user_id ) {
+    public function save_meta_fields( $user_id ) {
         if ( ! current_user_can( 'manage_woocommerce' ) ) {
             return;
         }
 
         $post_data = wp_unslash( $_POST );
 
-        if ( isset( $post_data['dokan_update_user_profile_info_nonce'] ) && ! wp_verify_nonce( $post_data['dokan_update_user_profile_info_nonce'], 'dokan_update_user_profile_info' ) ) {
+        if ( ! isset( $post_data['dokan_update_user_profile_info_nonce'] ) || ! wp_verify_nonce( sanitize_key( $post_data['dokan_update_user_profile_info_nonce'] ), 'dokan_update_user_profile_info' ) ) {
             return;
         }
 
@@ -548,7 +549,7 @@ function save_meta_fields( $user_id ) {
 
         $selling         = sanitize_text_field( $post_data['dokan_enable_selling'] );
         $publishing      = sanitize_text_field( $post_data['dokan_publish'] );
-        $percentage      = isset( $post_data['dokan_admin_percentage'] ) && $post_data['dokan_admin_percentage'] != '' ? $post_data['dokan_admin_percentage'] : '';
+        $percentage      = isset( $post_data['dokan_admin_percentage'] ) && $post_data['dokan_admin_percentage'] !== '' ? $post_data['dokan_admin_percentage'] : '';
         $percentage_type = empty( $post_data['dokan_admin_percentage_type'] ) ? 'percentage' : sanitize_text_field( $post_data['dokan_admin_percentage_type'] );
         $feature_seller  = sanitize_text_field( $post_data['dokan_feature'] );
         $store_settings  = dokan_get_store_info( $user_id );

includes/Ajax.php

@@ -101,11 +101,7 @@ public function create_product() {
      * @return void
      */
     public function shop_url_check() {
-        global $user_ID;
-
-        $nonce = isset( $_POST['_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_nonce'] ) ) : '';
-
-        if ( ! wp_verify_nonce( $nonce, 'dokan_reviews' ) ) {
+        if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['_nonce'] ), 'dokan_reviews' ) ) {
             wp_send_json_error(
                 [
 					'type'    => 'nonce',
@@ -114,6 +110,8 @@ public function shop_url_check() {
             );
         }
 
+        global $user_ID;
+
         $url_slug = isset( $_POST['url_slug'] ) ? sanitize_text_field( wp_unslash( $_POST['url_slug'] ) ) : '';
         $check    = true;
         $user     = get_user_by( 'slug', $url_slug );
@@ -418,7 +416,7 @@ public function add_order_note() {
      * Add shipping tracking info via ajax
      */
     public function add_shipping_tracking_info() {
-        if ( isset( $_POST['dokan_security_nonce'] ) && ! wp_verify_nonce( sanitize_key( $_POST['dokan_security_nonce'] ), 'dokan_security_action' ) ) {
+        if ( ! isset( $_POST['dokan_security_nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['dokan_security_nonce'] ), 'dokan_security_action' ) ) {
             die( -1 );
         }
 
@@ -518,9 +516,7 @@ public function delete_order_note() {
      * @return void
      */
     public function seller_listing_search() {
-        $nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_key( $_REQUEST['_wpnonce'] ) : '';
-
-        if ( ! $nonce || ! wp_verify_nonce( $nonce, 'dokan-seller-listing-search' ) ) {
+        if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( $_REQUEST['_wpnonce'] ), 'dokan-seller-listing-search' ) ) {
             wp_send_json_error( __( 'Error: Nonce verification failed', 'dokan-lite' ) );
         }
 
@@ -538,7 +534,7 @@ public function seller_listing_search() {
         $per_row         = isset( $_REQUEST['per_row'] ) ? absint( $_REQUEST['per_row'] ) : '3';
 
         if ( '' !== $search_term ) {
-            $seller_args['meta_query'] = [
+            $seller_args['meta_query'] = [ // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query
                 [
                     'key'     => 'dokan_store_name',
                     'value'   => $search_term,
@@ -947,7 +943,7 @@ public static function login_user() {
 
         foreach ( $headers as $header ) {
             if ( 0 === strpos( $header, 'Set-Cookie: ' . LOGGED_IN_COOKIE ) ) {
-                $value = str_replace( '&', urlencode( '&' ), substr( $header, 12 ) );
+                $value = str_replace( '&', rawurlencode( '&' ), substr( $header, 12 ) );
                 parse_str( current( explode( ';', $value, 1 ) ), $pair );
                 $_COOKIE[ LOGGED_IN_COOKIE ] = $pair[ LOGGED_IN_COOKIE ];
                 break;

includes/Dashboard/Templates/Orders.php

@@ -61,7 +61,7 @@ public function order_main_content() {
         $order_id = isset( $_GET['order_id'] ) ? intval( $_GET['order_id'] ) : 0;
 
         if ( $order_id ) {
-            $_nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
+            $_nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_key( $_REQUEST['_wpnonce'] ) : '';
 
             if ( wp_verify_nonce( $_nonce, 'dokan_view_order' ) && current_user_can( 'dokan_view_order' ) ) {
                 dokan_get_template_part( 'orders/details' );
@@ -95,11 +95,7 @@ function handle_order_export() {
 
         $post_data = wp_unslash( $_POST );
 
-        if ( ! isset( $post_data['dokan_vendor_order_export_nonce'] ) ) {
-            return;
-        }
-
-        if ( ! wp_verify_nonce( sanitize_text_field( $post_data['dokan_vendor_order_export_nonce'] ), 'dokan_vendor_order_export_action' ) ) {
+        if ( ! isset( $post_data['dokan_vendor_order_export_nonce'] ) || ! wp_verify_nonce( sanitize_key( $post_data['dokan_vendor_order_export_nonce'] ), 'dokan_vendor_order_export_action' ) ) {
             return;
         }
 

includes/Dashboard/Templates/Products.php

@@ -220,16 +220,12 @@ public function handle_product_add() {
             return;
         }
 
-        if ( ! isset( $_POST['dokan_add_new_product_nonce'] ) ) {
+        if ( ! isset( $_POST['dokan_add_new_product_nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['dokan_add_new_product_nonce'] ), 'dokan_add_new_product' )  ) {
             return;
         }
 
         $postdata = wp_unslash( $_POST );
 
-        if ( ! wp_verify_nonce( sanitize_key( $postdata['dokan_add_new_product_nonce'] ), 'dokan_add_new_product' ) ) {
-            return;
-        }
-
         $errors             = array();
         self::$product_cat  = -1;
         self::$post_content = __( 'Details of your product ...', 'dokan-lite' );
@@ -379,12 +375,12 @@ public function handle_product_update() {
             return;
         }
 
-        $postdata = wp_unslash( $_POST );
-
-        if ( ! wp_verify_nonce( sanitize_key( $postdata['dokan_edit_product_nonce'] ), 'dokan_edit_product' ) ) {
+        if ( ! isset( $_POST['dokan_edit_product_nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['dokan_edit_product_nonce'] ), 'dokan_edit_product' ) ) {
             return;
         }
 
+        $postdata = wp_unslash( $_POST );
+
         $errors     = array();
         $post_title = sanitize_text_field( $postdata['post_title'] );
 
@@ -500,35 +496,35 @@ public function handle_delete_product() {
             return;
         }
 
-        if ( isset( $_GET['action'] ) && $_GET['action'] == 'dokan-delete-product' ) {
-            $product_id = isset( $_GET['product_id'] ) ? (int) $_GET['product_id'] : 0;
+        if ( ! isset( $_GET['action'] ) || $_GET['action'] !== 'dokan-delete-product' ) {
+            return;
+        }
 
-            $getdata = wp_unslash( $_GET );
+        if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( $_GET['_wpnonce'] ), 'dokan-delete-product' ) ) {
+            wp_redirect( add_query_arg( array( 'message' => 'error' ), dokan_get_navigation_url( 'products' ) ) );
+            exit;
+        }
 
-            if ( ! $product_id ) {
-                wp_redirect( add_query_arg( array( 'message' => 'error' ), dokan_get_navigation_url( 'products' ) ) );
-                return;
-            }
+        $product_id = isset( $_GET['product_id'] ) ? (int) wp_unslash( $_GET['product_id'] ) : 0;
 
-            if ( ! wp_verify_nonce( $getdata['_wpnonce'], 'dokan-delete-product' ) ) {
-                wp_redirect( add_query_arg( array( 'message' => 'error' ), dokan_get_navigation_url( 'products' ) ) );
-                return;
-            }
+        if ( ! $product_id ) {
+            wp_redirect( add_query_arg( array( 'message' => 'error' ), dokan_get_navigation_url( 'products' ) ) );
+            exit;
+        }
 
-            if ( ! dokan_is_product_author( $product_id ) ) {
-                wp_redirect( add_query_arg( array( 'message' => 'error' ), dokan_get_navigation_url( 'products' ) ) );
-                return;
-            }
+        if ( ! dokan_is_product_author( $product_id ) ) {
+            wp_redirect( add_query_arg( array( 'message' => 'error' ), dokan_get_navigation_url( 'products' ) ) );
+            exit;
+        }
 
-            dokan()->product->delete( $product_id, true );
+        dokan()->product->delete( $product_id, true );
 
-            do_action( 'dokan_product_deleted', $product_id );
+        do_action( 'dokan_product_deleted', $product_id );
 
-            $redirect = apply_filters( 'dokan_add_new_product_redirect', dokan_get_navigation_url( 'products' ), '' );
+        $redirect = apply_filters( 'dokan_add_new_product_redirect', dokan_get_navigation_url( 'products' ), '' );
 
-            wp_redirect( add_query_arg( array( 'message' => 'product_deleted' ), $redirect ) );
-            exit;
-        }
+        wp_redirect( add_query_arg( array( 'message' => 'product_deleted' ), $redirect ) );
+        exit;
     }
 
 }