feat: sanitizeCode

ajax/frontend/redeem.php

@@ -16,6 +16,7 @@
     'package_quiqqer_coupons_ajax_frontend_redeem',
     function ($code, $orderHash) {
         try {
+            $code       = Handler::sanitizeCode($code);
             $CouponCode = Handler::getCouponCodeByCode($code);
             $CouponCode->checkRedemption(QUI::getUserBySession());
         } catch (QUI\ERP\Coupons\CouponCodeException $Exception) {

src/QUI/ERP/Coupons/Handler.php

@@ -130,7 +130,7 @@ public static function createCouponCode($discountIds, $settings = [])
                 ]);
             }
 
-            $code = $settings['code'];
+            $code = self::sanitizeCode($settings['code']);
         } else {
             $code = CodeGenerator::generate();
         }
@@ -221,7 +221,7 @@ public static function editCouponCode($id, $discountIds, $settings = [])
                 ]);
             }
 
-            $code = $settings['code'];
+            $code = self::sanitizeCode($settings['code']);
         } else {
             $code = CodeGenerator::generate();
         }
@@ -492,6 +492,17 @@ public static function deleteRedeemedCouponCodes($days = null)
         );
     }
 
+    /**
+     * Sanitize coupon code and allow only certain characters
+     *
+     * @param string $code
+     * @return string
+     */
+    public static function sanitizeCode($code)
+    {
+        return preg_replace('#[^A-Za-z0-9\.\-_\*&$% ]#i', '', $code);
+    }
+
     /**
      * Get CouponCode table
      *