Added escaping to things

c008cbe9 · David Weston · 3a2417cc · c008cbe9 · c008cbe9 · c008cbe9
Commit c008cbe9 authored May 19, 2014 by David Weston
9 changed files
--- a/objects/stppaddressableobject.php
+++ b/objects/stppaddressableobject.php
@@ -6,7 +6,7 @@
 *	quite a lot of functionality is shared between billing and customers, for
 *	example.
 *	
- *	@version: 1.0-beta
+ *	@version: 1.0
 *	@author: David Weston <stpp@typefish.co.uk>
 */
@@ -219,7 +219,8 @@ abstract class STPPAddressable extends STPPObject
 		if(empty($this->options["telephone"]))
 			return false;
-		$element->addChild("telephone", $this->options["telephone"]["number"])->addAttribute("type", $this->options["telephone"]["type"]);
+		$element->addChild("telephone", $this->escape($this->options["telephone"]["number"]))
+		        ->addAttribute("type", $this->escape($this->options["telephone"]["type"]));
 		return true;
 	}

--- a/objects/stppbilling.php
+++ b/objects/stppbilling.php
@@ -7,7 +7,7 @@
 *	this class matches the name registered on the card. Addresses
 *	are also key.
 *	
- *	@version: 1.0-beta
+ *	@version: 1.0
 *	@author: David Weston <stpp@typefish.co.uk>
 */
@@ -157,7 +157,8 @@ class STPPBilling extends STPPAddressable
 		if(empty($this->options["amount"]))
 			return false;
-		$element->addChild("amount", $this->options["amount"]["value"])->addAttribute("currencycode", $this->options["amount"]["currencycode"]);
+		$element->addChild("amount", $this->escape($this->options["amount"]["value"]))
+		        ->addAttribute("currencycode", $this->escape($this->options["amount"]["currencycode"]));
 		return true;
 	}
@@ -176,12 +177,12 @@ class STPPBilling extends STPPAddressable
 		$node = $element->addChild("payment");
 		if(isset($this->options["payment"]["type"]))
-			$node->addAttribute("type", $this->options["payment"]["type"]);
+			$node->addAttribute("type", $this->escape($this->options["payment"]["type"]));
 		unset($this->options["payment"]["type"]);
 		foreach($this->options["payment"] as $option => $value)
-			$node->addChild($option, $value);
+			$node->addChild($option, $this->escape($value));
 		return true;
 	}

--- a/objects/stppcustomer.php
+++ b/objects/stppcustomer.php
@@ -10,7 +10,7 @@
 *	no real need to fill in anything like addresses and such - however there
 *	/is/ a recommendation from ST to do so.
 *	
- *	@version: 1.0-beta
+ *	@version: 1.0
 *	@author: David Weston <stpp@typefish.co.uk>
 */

--- a/objects/stppmerchant.php
+++ b/objects/stppmerchant.php
@@ -10,7 +10,7 @@
 *	it is a required feature for 3D-Secure, which most if not all
 *	transactions should be performed using (if available).
 *	
- *	@version: 1.0-beta
+ *	@version: 1.0
 *	@author: David Weston <stpp@typefish.co.uk>
 */

--- a/objects/stppobject.php
+++ b/objects/stppobject.php
@@ -5,7 +5,7 @@
 *	This is the god object for all parts of the request, such as
 *	the merchant, operations and such.
 *	
- *	@version: 1.0-beta
+ *	@version: 1.0
 *	@author: David Weston <stpp@typefish.co.uk>
 */
@@ -39,7 +39,7 @@ abstract class STPPObject
 			if(method_exists($this, $method))
 				$this->$method($element);
 			else
-				$element->addChild(strtolower($option), $value);
+				$element->addChild(strtolower($option), $this->escape($value));
 		}
 		return true;
@@ -53,4 +53,14 @@ abstract class STPPObject
 	{
 		return $this->options;
 	}
+	/**
+	 *	We can use this as a way of escaping values, since SimpleXMLElement::addChild
+	 *	doesn't escape things for you.
+	 */
+	public function escape($string)
+	{
+		return htmlspecialchars($string);
+	}
 }
\ No newline at end of file
--- a/objects/stppoperation.php
+++ b/objects/stppoperation.php
@@ -5,7 +5,7 @@
 *	The operation object contains some other information that is needed
 *	to complete the request.
 *	
- *	@version: 1.0-beta
+ *	@version: 1.0
 *	@author: David Weston <stpp@typefish.co.uk>
 */

--- a/objects/stppresponse.php
+++ b/objects/stppresponse.php
@@ -9,7 +9,7 @@
 *	give the XML response as the argument to the constructor and all will be
 *	revealed.
 *	
- *	@version: 1.0-beta
+ *	@version: 1.0
 *	@author: David Weston <stpp@typefish.co.uk>
 */
@@ -19,7 +19,8 @@ class STPPResponse
 	/**
 	 *	Store the XML response somewhere...
 	 */
-	protected $feed = null;
+	private $feed = null;
+	private $request = null;
 	/**
@@ -28,10 +29,22 @@ class STPPResponse
 	public function __construct($response = null, $request = null)
 	{
 		$this->feed = simplexml_load_string($response);
+		$this->request = $request;
 		return true;
 	}
+	/**
+	 *	Retrieves a cleansed version of the request - where this means
+	 *	all credit card information is removed.
+	 */
+	public function getRequest()
+	{
+		return $this->request;
+	}
 	/**
 	 *	Retrieves the XML object that was sent back from SecureTrading.
 	 */

--- a/objects/stppsettlement.php
+++ b/objects/stppsettlement.php
@@ -4,7 +4,7 @@
 *	
 *	This is the object that represents updated settlement details.
 *	
- *	@version: 1.0-beta
+ *	@version: 1.0
 *	@author: David Weston <stpp@typefish.co.uk>
 */

--- a/stapi.php
+++ b/stapi.php
@@ -6,7 +6,7 @@
 *	to a setup, however, it'll allow you to with ease create
 *	and maintain a new contract with a SecureTrading node.
 *	
- *	@version: 1.0-beta
+ *	@version: 1.0
 *	@author: David Weston <stpp@typefish.co.uk>
 */
@@ -266,7 +266,7 @@ class STAPI
 	 */
 	public function resetSettlement()
 	{
-		$this->objects["settlement"] = new STPtSettlement();
+		$this->objects["settlement"] = new STPPSettlement();
 		return $this;
 	}
@@ -425,4 +425,6 @@ class STAPI
 		return $envelope;
 	}
+}
+	}
 }
\ No newline at end of file