From c6ba5318d493eb28df63a9905eeff3c8e5bfdae8 Mon Sep 17 00:00:00 2001
From: a6_chris <chris@a6software.co.uk>
Date: Wed, 6 Feb 2019 14:52:24 +0000
Subject: [PATCH] [PEAKE-701] Set cookies via JS

---
 admin/class-gdpr-admin.php              |  2 +-
 includes/class-gdpr.php                 |  6 +--
 public/class-gdpr-cookie-setting-js.php | 70 +++++++++++++++++++++++++
 public/class-gdpr-public.php            | 18 +++----
 4 files changed, 83 insertions(+), 13 deletions(-)
 create mode 100644 public/class-gdpr-cookie-setting-js.php

diff --git a/admin/class-gdpr-admin.php b/admin/class-gdpr-admin.php
index 931ab3d3..e3f09fd5 100755
--- a/admin/class-gdpr-admin.php
+++ b/admin/class-gdpr-admin.php
@@ -914,7 +914,7 @@ public function user_profile_update( $user_id ) {
 			GDPR_Audit_Log::log( $user_id, $consent );
 		}
 
-		setcookie( 'gdpr[consent_types]', json_encode( $consents ), time() + YEAR_IN_SECONDS, '/' );
+		Gdpr_Cookie_Setting_Js::js_setcookie( 'gdpr[consent_types]', json_encode( $consents ), time() + YEAR_IN_SECONDS, '/' );
 	}
 
 	/**
diff --git a/includes/class-gdpr.php b/includes/class-gdpr.php
index f13a5c6c..7443aa30 100755
--- a/includes/class-gdpr.php
+++ b/includes/class-gdpr.php
@@ -312,7 +312,7 @@ public static function save_user_consent_on_registration( $user_id ) {
 				GDPR_Audit_Log::log( $user_id, sprintf( esc_html__( 'User gave explicit consent to %s', 'gdpr' ), $consent ) );
 				add_user_meta( $user_id, 'gdpr_consents', $consent );
 			}
-			setcookie( 'gdpr[consent_types]', json_encode( $consents ), time() + YEAR_IN_SECONDS, '/' );
+			Gdpr_Cookie_Setting_Js::js_setcookie( 'gdpr[consent_types]', json_encode( $consents ), time() + YEAR_IN_SECONDS, '/' );
 		}
 	}
 
@@ -609,7 +609,7 @@ public static function save_consent( $user_id, $consent ) {
 			if ( in_array( $consent, $consent_ids, true ) && ! in_array( $consent, $user_consent, true ) ) {
 				add_user_meta( $user_id, 'gdpr_consents', $consent );
 				$user_consent[] = $consent;
-				setcookie( 'gdpr[consent_types]', json_encode( $user_consent ), time() + YEAR_IN_SECONDS, '/' );
+				Gdpr_Cookie_Setting_Js::js_setcookie( 'gdpr[consent_types]', json_encode( $user_consent ), time() + YEAR_IN_SECONDS, '/' );
 				return true;
 			}
 		}
@@ -636,7 +636,7 @@ public static function remove_consent( $user_id, $consent ) {
 			if ( false !== $key ) {
 				delete_user_meta( $user_id, 'gdpr_consents', $consent );
 				unset( $user_consent[ $key ] );
-				setcookie( 'gdpr[consent_types]', json_encode( $user_consent ), time() + YEAR_IN_SECONDS, '/' );
+				Gdpr_Cookie_Setting_Js::js_setcookie( 'gdpr[consent_types]', json_encode( $user_consent ), time() + YEAR_IN_SECONDS, '/' );
 				return true;
 			}
 		}
diff --git a/public/class-gdpr-cookie-setting-js.php b/public/class-gdpr-cookie-setting-js.php
new file mode 100644
index 00000000..de9c59d5
--- /dev/null
+++ b/public/class-gdpr-cookie-setting-js.php
@@ -0,0 +1,70 @@
+<?php
+/**
+ * GDPR Cookie Setting via JS
+ *
+ * @package Gdpr
+ */
+
+declare( strict_types=1 );
+
+/**
+ * Class Gdpr_Cookie_Setting_Js
+ *
+ * @package Gdpr
+ */
+class Gdpr_Cookie_Setting_Js {
+	private const GMT_DATE_FORMAT = 'D, d M Y H:i:s \G\M\T';
+
+	/**
+	 * A wrapper to ensure this code is added to the page footer.
+	 *
+	 * @param string $name the cookie name.
+	 * @param string $value the cookie value.
+	 * @param int    $expires a timestamp.
+	 * @param string $path the path.
+	 * @param string $domain the domain.
+	 */
+	public static function js_setcookie( string $name, string $value = '', int $expires = 0, string $path = '/', string $domain = '' ): void {
+		add_filter(
+			'wp_footer',
+			function() use ( $name, $value, $expires, $path, $domain ) : bool {
+				return Gdpr_Cookie_Setting_Js::set_cookie( $name, $value, $expires, $path, $domain );
+			}
+		);
+	}
+
+	/**
+	 * Taking the signature of `setcookie`, and abusing it to write a cookie with JS.
+	 *
+	 * @param string $name the cookie name.
+	 * @param string $value the cookie value.
+	 * @param int    $expires a timestamp.
+	 * @param string $path the path.
+	 * @param string $domain the domain.
+	 *
+	 * @return bool
+	 */
+	public static function set_cookie( string $name, string $value = '', int $expires = 0, string $path = '/', string $domain = '' ) : bool {
+		$cookie_val = sprintf( '%s=%s;', $name, $value );
+
+		if ( 0 === $expires ) {
+			$date = new \DateTime( '+1 year' );
+		} else {
+			$date = ( new \DateTime() )->setTimestamp( $expires );
+		}
+
+		$cookie_val .= sprintf( 'expires=%s;', $date->format( self::GMT_DATE_FORMAT ) );
+
+		$cookie_val .= sprintf( 'path=%s;', $path );
+
+		if ( '' !== $domain ) {
+			$cookie_val .= sprintf( 'domain=%s;', $domain );
+		}
+
+		echo '<script type="text/javascript">',
+			"document.cookie = '" . esc_js( $cookie_val ) . "'",
+		'</script>';
+
+		return true;
+	}
+}
diff --git a/public/class-gdpr-public.php b/public/class-gdpr-public.php
index 9909e5ea..c9cd347b 100755
--- a/public/class-gdpr-public.php
+++ b/public/class-gdpr-public.php
@@ -234,16 +234,16 @@ public function update_privacy_preferences() {
 		$cookies_as_json  = json_encode( $approved_cookies );
 		$consents_as_json = json_encode( $consents );
 
-		setcookie( 'gdpr[allowed_cookies]', $cookies_as_json, time() + YEAR_IN_SECONDS, '/' );
-		setcookie( 'gdpr[consent_types]', $consents_as_json, time() + YEAR_IN_SECONDS, '/' );
+		Gdpr_Cookie_Setting_Js::js_setcookie( 'gdpr[allowed_cookies]', $cookies_as_json, time() + YEAR_IN_SECONDS, '/' );
+		Gdpr_Cookie_Setting_Js::js_setcookie( 'gdpr[consent_types]', $consents_as_json, time() + YEAR_IN_SECONDS, '/' );
 
 		foreach ( $cookies_to_remove as $cookie ) {
 			if ( GDPR::similar_in_array( $cookie, array_keys( $_COOKIE ) ) ) { // WPCS: Input var ok.
 				$domain = get_site_url();
 				$domain = wp_parse_url( $domain, PHP_URL_HOST );
 				unset( $_COOKIE[ $cookie ] ); // WPCS: Input var ok.
-				setcookie( $cookie, null, -1, '/', $domain );
-				setcookie( $cookie, null, -1, '/', '.' . $domain );
+				Gdpr_Cookie_Setting_Js::js_setcookie( $cookie, null, -1, '/', $domain );
+				Gdpr_Cookie_Setting_Js::js_setcookie( $cookie, null, -1, '/', '.' . $domain );
 			}
 		}
 
@@ -326,10 +326,10 @@ public function set_plugin_cookies() {
 
 		if ( ! isset( $_COOKIE['gdpr']['consent_types'] ) ) { // WPCS: Input var ok.
 			if ( ! $user_id ) {
-				setcookie( 'gdpr[consent_types]', '[]', time() + YEAR_IN_SECONDS, '/' );
+				Gdpr_Cookie_Setting_Js::js_setcookie( 'gdpr[consent_types]', '[]', time() + YEAR_IN_SECONDS, '/' );
 			} else {
 				$user_consents = get_user_meta( $user_id, 'gdpr_consents' );
-				setcookie( 'gdpr[consent_types]', json_encode( $user_consents ), time() + YEAR_IN_SECONDS, '/' );
+				Gdpr_Cookie_Setting_Js::js_setcookie( 'gdpr[consent_types]', json_encode( $user_consents ), time() + YEAR_IN_SECONDS, '/' );
 			}
 		} else {
 			if ( $user_id ) {
@@ -340,7 +340,7 @@ public function set_plugin_cookies() {
 				$diff      = array_merge( array_diff( $user_consents, $intersect ), array_diff( $cookie_consents, $intersect ) );
 
 				if ( ! empty( $diff ) ) {
-					setcookie( 'gdpr[consent_types]', json_encode( $user_consents ), time() + YEAR_IN_SECONDS, '/' );
+					Gdpr_Cookie_Setting_Js::js_setcookie( 'gdpr[consent_types]', json_encode( $user_consents ), time() + YEAR_IN_SECONDS, '/' );
 				}
 			}
 		}
@@ -365,9 +365,9 @@ public function set_plugin_cookies() {
 			}
 
 			if ( ! empty( $cookies ) ) {
-				setcookie( 'gdpr[allowed_cookies]', json_encode( $cookies ), time() + YEAR_IN_SECONDS, '/' );
+				Gdpr_Cookie_Setting_Js::js_setcookie( 'gdpr[allowed_cookies]', json_encode( $cookies ), time() + YEAR_IN_SECONDS, '/' );
 			} else {
-				setcookie( 'gdpr[allowed_cookies]', '[]', time() + YEAR_IN_SECONDS, '/' );
+				Gdpr_Cookie_Setting_Js::js_setcookie( 'gdpr[allowed_cookies]', '[]', time() + YEAR_IN_SECONDS, '/' );
 			}
 		}
 	}