From 7dbc2b9735831984d465e02c94a8ab8b7642acdf Mon Sep 17 00:00:00 2001
From: vendidero
Date: Tue, 31 May 2022 13:15:57 +0200
Subject: [PATCH] Security: Harden URL escaping. Version bump.

---
 includes/class-vd-admin-license-table.php | 6 +++---
 includes/class-vd-admin.php | 10 +++++-----
 includes/class-vd-request.php | 4 ++--
 screens/screen-notice-expire.php | 4 ++--
 vendidero-helper.php | 4 ++--
 5 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/includes/class-vd-admin-license-table.php b/includes/class-vd-admin-license-table.php
index b54f531..a787789 100644
--- a/includes/class-vd-admin-license-table.php
+++ b/includes/class-vd-admin-license-table.php
@@ -88,13 +88,13 @@ public function column_product_expires( $item ) {
 if ( $item->get_expiration_date() ) {
 if ( $item->has_expired() && $item->supports_renewals() ) {
- $return = '' . __( 'renew now', 'vendidero-helper' ) . '';
+ $return = '' . __( 'renew now', 'vendidero-helper' ) . '';
 } else {
 $return = $item->get_expiration_date();
 }
 if ( $item->supports_renewals() ) {
- $return .= '' . __( 'Refresh', 'vendidero-helper' ) . '';
+ $return .= '' . __( 'Refresh', 'vendidero-helper' ) . '';
 }
 return $return;
@@ -121,7 +121,7 @@ public function column_product_version( $item ) {
 $new_version = __( 'Newest version:', 'vendidero-helper' ) . ' ' . $latest->version . '';
 if ( ! $item->has_expired() ) {
- $new_version .= '
' . '' . __( 'Check for updates', 'vendidero-helper' ) . '';
+ $new_version .= '
' . '' . __( 'Check for updates', 'vendidero-helper' ) . '';
 }
 }
 }
diff --git a/includes/class-vd-admin.php b/includes/class-vd-admin.php
index f5fc263..63e6ba5 100644
--- a/includes/class-vd-admin.php
+++ b/includes/class-vd-admin.php
@@ -35,7 +35,7 @@ public function refresh_license_status() {
 $product->refresh_expiration_date( true );
 }
- wp_safe_redirect( VD()->get_helper_url() );
+ wp_safe_redirect( esc_url_raw( VD()->get_helper_url() ) );
 exit();
 }
 }
@@ -96,7 +96,7 @@ public function set_upgrade_notice() {
 $product->refresh_expiration_date();
 if ( $product->has_expired() && $product->supports_renewals() ) {
- echo '';
+ echo '';
 }
 }
 }
@@ -110,7 +110,7 @@ public function set_upgrade_notice() {
 $product->refresh_expiration_date();
 if ( $product->has_expired() && $product->supports_renewals() ) {
- echo '';
+ echo '';
 }
 }
 }
@@ -252,7 +252,7 @@ public function process_register() {
 VD()->api->flush_cache();
- wp_safe_redirect( VD()->get_helper_url() );
+ wp_safe_redirect( esc_url_raw( VD()->get_helper_url() ) );
 exit();
 }
@@ -273,7 +273,7 @@ public function process_unregister() {
 VD()->api->flush_cache();
- wp_safe_redirect( VD()->get_helper_url() );
+ wp_safe_redirect( esc_url_raw( VD()->get_helper_url() ) );
 exit();
 }
diff --git a/includes/class-vd-request.php b/includes/class-vd-request.php
index 1f68aa1..2e772fb 100644
--- a/includes/class-vd-request.php
+++ b/includes/class-vd-request.php
@@ -49,7 +49,7 @@ public function do_request() {
 if ( 'GET' === $this->args['method'] ) {
 $url = add_query_arg( $this->args, $this->get_endpoint() );
- $this->raw = wp_remote_get( $url, array(
+ $this->raw = wp_remote_get( esc_url_raw( $url ), array(
 'redirection' => 5,
 'blocking' => true,
 'headers' => array( 'user-agent' => 'Vendidero/' . VD()->version ),
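Review bot: The `esc_url_raw()` wrapped around the `wp_safe_redirect()` argument in refresh_license_status(), and the identical lines in the `@@ -252` (process_register) and `@@ -273` (process_unregister) hunks, is largely redundant as a safety measure, because wp_safe_redirect() itself runs wp_sanitize_redirect() and wp_validate_redirect() on its target, and it is that allowed-host validation which protects the redirect. What matters more for these three handlers is what gates them: each one changes state (`$product->refresh_expiration_date( true )`, `VD()->api->flush_cache()`) before redirecting, and none of the visible lines shows a nonce or capability check, so if those checks are not already above the hunk, a `check_admin_referer( '<nonce-action placeholder>' )` plus `current_user_can( '<capability placeholder>' )` guard belongs at the top of each handler. All three functions start outside their hunks. The notice markup echoed in the two set_upgrade_notice() hunks is not recoverable in this rendering, so its escaping cannot be reviewed from here.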
@@ -57,7 +57,7 @@ public function do_request() {
 'sslverify' => false
 ) );
 } else {
- $this->raw = wp_remote_post( $this->get_endpoint(), array(
+ $this->raw = wp_remote_post( esc_url_raw( $this->get_endpoint() ), array(
 'method' => 'POST',
 'redirection' => 5,
 'blocking' => true,
diff --git a/screens/screen-notice-expire.php b/screens/screen-notice-expire.php
index 6fb14bf..decec6e 100644
--- a/screens/screen-notice-expire.php
+++ b/screens/screen-notice-expire.php
@@ -36,14 +36,14 @@
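Review bot: `'sslverify' => false` on the first context line of this hunk disables TLS certificate verification for the license request, which undercuts the escaping added on the `+` line below it: whatever the URL looks like, an on-path network position can answer the request with arbitrary license or update data, and the GET branch in the `@@ -49` hunk presumably carries the same option, although its argument list is cut off before it. Unless the endpoint has a documented certificate problem, the option should be dropped (or set to `'sslverify' => true`) so WordPress's default verification applies, with a comment explaining any exception that is genuinely needed. Note also that `esc_url_raw()` returns an empty string for a disallowed scheme, and wp_remote_post()/wp_remote_get() then return a WP_Error, so the `$this->raw` result should be checked with `is_wp_error()` before it is consumed; the rest of do_request() is outside the hunk.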

' . esc_attr( $product->Name ) . '', $product->get_expiration_date( get_option( 'date_format' ) ) ); ?>

- +

| - | + |

diff --git a/vendidero-helper.php b/vendidero-helper.php
index 8475010..d81fb5b 100644
--- a/vendidero-helper.php
+++ b/vendidero-helper.php
@@ -3,7 +3,7 @@
 * Plugin Name: Vendidero Helper
 * Plugin URI: http://vendidero.de
 * Description: Will help vendidero users to manage their licenses and receive automatic updates
- * Version: 2.1.4
+ * Version: 2.1.5
 * Author: Vendidero
 * Author URI: http://vendidero.de
 * License: GPL version 2 or later - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
@@ -25,7 +25,7 @@ final class Vendidero_Helper {
 */
 protected static $_instance = null;
- public $version = '2.1.4';
+ public $version = '2.1.5';
 /**
 * @var VD_API $api