Plugin breaks Braintree for WooCommerce’s fraud protection tools
Hi,
I’m a developer who manages two WooCommerce stores for a client. Both stores use Braintree for WooCommerce as the payment gateway, and we have been experiencing an issue where the fraud tools for one of the two stores were not working correctly. Braintree informed us that this site was “not capturing the device data”.
In investigating the issue, it turns out that the only configuration difference between the sites was that the site that was not working correctly was running this plugin. In investigating the issue, I have found that the cause is line 265 of core\App.php:

$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
The problem is that Braintree captures the device data in a hidden checkout field like this:
<input type="hidden" name="device_data" id="device_data" value="{&quot;device_session_id&quot;:&quot;9a20b3f135bb44e1070c2b77feef92a0&quot;,&quot;fraud_merchant_id&quot;:&quot;600000&quot;,&quot;correlation_id&quot;:&quot;995fe71f0d9876c4effb58546bdade9e&quot;}">
As part of the payment gateway processing, the Braintree for WooCommerce plugin decodes this JSON with json_decode(). The problem is that the above line from this plugin modifies the value of the device_data field such that it cannot be properly decoded.

The issue here, as I see it, is that this plugin has no business sanitising the entire $_POST array from checkout. That is not the concern of this plugin, and it is causing checkout data to differ from what other plugins would expect it to be based on the default behaviour of WooCommerce. Ideally the offending line should be removed and this plugin should only apply the sanitisation it needs to its own fields, and even then not to $_POST directly.

To work around this issue I have commented out that line and will need to avoid installing any future updates to this plugin until this is resolved, or remove the plugin entirely. I hope that this can be fixed quickly.
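As an added illustration (not code from the forum post or from either plugin), this PHP snippet reproduces why sanitising the whole request as FILTER_SANITIZE_STRING breaks the Braintree JSON field and contrasts it with sanitising only the keys a plugin owns. The $post array, its ids and the billing_first_name key are constructed placeholders.

```php
<?php
// Constructed sample of a checkout POST body. The ids are made-up placeholders,
// not real Braintree values; only the device_data key name comes from the report.
$post = [
    'billing_first_name' => "O'Brien <b>Ada</b>",
    'device_data'        => '{"device_session_id":"PLACEHOLDER_SESSION",'
                          . '"fraud_merchant_id":"PLACEHOLDER_MERCHANT"}',
];

// Equivalent of the reported line: every field is run through FILTER_SANITIZE_STRING.
// That filter strips tags and, without FILTER_FLAG_NO_ENCODE_QUOTES, rewrites every
// " and ' as an HTML entity, so a JSON document stops being valid JSON.
// (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, which is another reason to avoid it.)
function sanitise_everything(array $post): array
{
    return array_map(
        static fn($value) => filter_var($value, FILTER_SANITIZE_STRING),
        $post
    );
}

// Narrower alternative: sanitise only the keys this plugin owns, and return a copy
// instead of overwriting $_POST, so other plugins still see the data WooCommerce gave them.
function sanitise_own_fields(array $post, array $own_keys): array
{
    $clean = $post;
    foreach ($own_keys as $key) {
        if (isset($clean[$key])) {
            $clean[$key] = strip_tags((string) $clean[$key]);
        }
    }
    return $clean;
}

// Returns true when device_data still decodes to an array after sanitisation.
function device_data_survives(array $sanitised): bool
{
    return is_array(json_decode($sanitised['device_data'], true));
}

$broken = sanitise_everything($post);
echo 'Whole-request filter: ', $broken['device_data'], PHP_EOL;
echo 'Decodable: ', var_export(device_data_survives($broken), true), PHP_EOL;

$ok = sanitise_own_fields($post, ['billing_first_name']);
echo 'Own fields only:      ', $ok['device_data'], PHP_EOL;
echo 'Decodable: ', var_export(device_data_survives($ok), true), PHP_EOL;
```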