@cklosowski
Last active July 9, 2018 18:37
A list of changes in the Easy Digital Downloads 2.9.4 release that add nonce verification to some actions. Each entry lists the file, the function (where relevant), what was changed, and then the previous version of the code followed by the new version.
/**
*
* Templates Changed
*
* These files are part of the Easy Digital Downloads template structure. If you've added custom template files to your theme for any of the following files, you will need to make sure the changes
* are added to your custom templates in order to avoid any unexpected behavior.
*
*/
/**
* File: templates/checkout_cart.php
* What changed: A nonce was added to the "Remove" link from cart items, specific to the cart position of the item.
*/
Previously: <a class="edd_cart_remove_item_btn" href="<?php echo esc_url( edd_remove_item_url( $key ) ); ?>"><?php _e( 'Remove', 'easy-digital-downloads' ); ?></a>
Modified: <a class="edd_cart_remove_item_btn" href="<?php echo esc_url( wp_nonce_url( edd_remove_item_url( $key ), 'edd-remove-from-cart-' . $key, 'edd_remove_from_cart_nonce' ) ); ?>"><?php _e( 'Remove', 'easy-digital-downloads' ); ?></a>
/**
* File: templates/shortcode-profile-editor.php
* What changed: A nonce was added to the country field, in order to be able to validate a nonce when requesting a list of states for the selected country.
*/
Previously: <select name="edd_address_country" id="edd_address_country" class="select edd-select">
Modified: <select name="edd_address_country" id="edd_address_country" class="select edd-select" data-nonce="<?php echo wp_create_nonce( 'edd-country-field-nonce' ); ?>">
/**
* File: templates/widget-cart-item.php
* What changed: A nonce was added to the 'remove' link in the cart widget.
*/
Previously: <a href="{remove_url}" data-cart-item="{cart_item_id}" data-download-id="{item_id}" data-action="edd_remove_from_cart" class="edd-remove-from-cart"><?php _e( 'remove', 'easy-digital-downloads' ); ?></a>
Modified: <a href="{remove_url}" data-nonce="<?php echo wp_create_nonce( 'edd-remove-cart-widget-item' ); ?>" data-cart-item="{cart_item_id}" data-download-id="{item_id}" data-action="edd_remove_from_cart" class="edd-remove-from-cart"><?php _e( 'remove', 'easy-digital-downloads' ); ?></a>
/**
*
* Functions Changed
*
* These functions, while not part of our template structure, are easily modified by removing the default actions in Easy Digital Downloads, and adding your own.
*
* If you've modified any of the following functions, you will need to be sure the changes are made to your custom functions in order to avoid any unexpected behavior.
*
*/
/**
* File: includes/template-functions.php
* Function: edd_get_purchase_link()
* What changed: A data-nonce attribute was added to the purchase link anchor tag. The action is `edd-add-to-cart-<download_id>`
*/
Previously: echo '<a href="#" class="edd-add-to-cart ' . esc_attr( $class ) . '" data-action="edd_add_to_cart" data-download-id="' . esc_attr( $download->ID ) . '" ' . $data_variable . ' ' . $type . ' ' . $data_price . ' ' . $button_display . '><span class="edd-add-to-cart-label">' . $args['text'] . '</span> <span class="edd-loading" aria-label="' . esc_attr__( 'Loading', 'easy-digital-downloads' ) . '"></span></a>';
Modified: echo '<a href="#" class="edd-add-to-cart ' . esc_attr( $class ) . '" data-nonce="' . wp_create_nonce( 'edd-add-to-cart-' . $download->ID ) . '" data-action="edd_add_to_cart" data-download-id="' . esc_attr( $download->ID ) . '" ' . $data_variable . ' ' . $type . ' ' . $data_price . ' ' . $button_display . '><span class="edd-add-to-cart-label">' . $args['text'] . '</span> <span class="edd-loading" aria-label="' . esc_attr__( 'Loading', 'easy-digital-downloads' ) . '"></span></a>';
/**
* File: includes/checkout/template.php
* Function: edd_default_cc_address_fields()
* What changed: A `data-nonce` attribute was added. The action used to generate this nonce is `edd-country-field-nonce`
*/
Previously: <select name="billing_country" id="billing_country" class="billing_country edd-select<?php if( edd_field_is_required( 'billing_country' ) ) { echo ' required'; } ?>"<?php if( edd_field_is_required( 'billing_country' ) ) { echo ' required '; } ?>>
Modified: <select name="billing_country" id="billing_country" data-nonce="<?php echo wp_create_nonce( 'edd-country-field-nonce' ); ?>" class="billing_country edd-select<?php if( edd_field_is_required( 'billing_country' ) ) { echo ' required'; } ?>"<?php if( edd_field_is_required( 'billing_country' ) ) { echo ' required '; } ?>>
/**
* File: includes/checkout/template.php
* Function: edd_default_cc_address_fields()
* What changed: Added a wp_nonce_field after do_action( 'edd_cc_billing_bottom' )
*/
New Line: <?php wp_nonce_field( 'edd-checkout-address-fields', 'edd-checkout-address-fields-nonce', false, true ); ?>
/**
* File: includes/checkout/template.php
* Function: edd_get_register_fields()
* What changed: Added a nonce data attribute to the link that loads the login fields via AJAX
*/
Previously: <p id="edd-login-account-wrap"><?php _e( 'Already have an account?', 'easy-digital-downloads' ); ?> <a href="<?php echo esc_url( add_query_arg( 'login', 1 ) ); ?>" class="edd_checkout_register_login" data-action="checkout_login"><?php _e( 'Login', 'easy-digital-downloads' ); ?></a></p>
Modified:
<p id="edd-login-account-wrap">
<?php _e( 'Already have an account?', 'easy-digital-downloads' ); ?>
<a href="<?php echo esc_url( add_query_arg( 'login', 1 ) ); ?>" class="edd_checkout_register_login" data-action="checkout_login" data-nonce="<?php echo wp_create_nonce( 'edd_checkout_login' ); ?>">
<?php _e( 'Login', 'easy-digital-downloads' ); ?>
</a>
</p>
/**
* File: includes/checkout/template.php
* Function: edd_get_login_fields()
* What changed: Added a nonce data attribute to the link that loads the registration fields via AJAX
*/
Previously: <a href="<?php echo esc_url( remove_query_arg('login') ); ?>" class="edd_checkout_register_login" data-action="checkout_register">
Modified: <a href="<?php echo esc_url( remove_query_arg('login') ); ?>" class="edd_checkout_register_login" data-action="checkout_register" data-nonce="<?php echo wp_create_nonce( 'edd_checkout_register' ); ?>">
/**
* File: includes/checkout/template.php
* Function: edd_get_login_fields()
* What changed: Added a nonce field to the login form on checkout after the submit button.
*/
Previously:
<p id="edd-user-login-submit">
<input type="submit" class="edd-submit button <?php echo $color; ?>" name="edd_login_submit" value="<?php _e( 'Login', 'easy-digital-downloads' ); ?>"/>
</p>
Modified:
<p id="edd-user-login-submit">
<input type="submit" class="edd-submit button <?php echo $color; ?>" name="edd_login_submit" value="<?php _e( 'Login', 'easy-digital-downloads' ); ?>"/>
<?php wp_nonce_field( 'edd-login-form', 'edd_login_nonce', false, true ); ?>
</p>
/**
* File: includes/checkout/template.php
* Function: edd_payment_mode_select()
* What changed: Each gateway option has a gateway-specific nonce added to it via a data-<gateway>-nonce attribute. The nonce action is `edd-gateway-selected-<gateway>`
*
* Example: Stripe Gateway:
* Data Attribute: data-stripe-nonce
* Nonce Action: edd-gateway-selected-stripe
*/
Previously: echo '<input type="radio" name="payment-mode" class="edd-gateway" id="edd-gateway-' . esc_attr( $gateway_id ) . '" value="' . esc_attr( $gateway_id ) . '"' . $checked . '>' . esc_html( $label );
Modified:
$nonce = ' data-' . esc_attr( $gateway_id ) . '-nonce="' . wp_create_nonce( 'edd-gateway-selected-' . esc_attr( $gateway_id ) ) .'"';
echo '<input type="radio" name="payment-mode" class="edd-gateway" id="edd-gateway-' . esc_attr( $gateway_id ) . '" value="' . esc_attr( $gateway_id ) . '"' . $checked . $nonce . '>' . esc_html( $label );
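The gist lists only the side that mints each nonce. The hypothetical handlers below, added here and not taken from the gist or from Easy Digital Downloads, show the matching verification for the three mechanisms used above: the wp_nonce_url() link in the Templates Changed section, and the wp_nonce_field() inputs and data-nonce attributes in the Functions Changed section. The function names, hook names and the request field names cart_item, country, gateway and nonce are assumptions; the nonce actions and nonce field names are the ones listed in the changes.

```php
<?php
// Added example, not EDD's own code. Function, hook and request field names are assumed;
// nonce actions and nonce field names match the changes listed in the gist.

// 1. URL nonce (templates/checkout_cart.php "Remove" link). wp_nonce_url() appended
//    ?edd_remove_from_cart_nonce=<nonce>, bound to 'edd-remove-from-cart-<cart position>'.
function example_handle_remove_link() {
    if ( ! isset( $_GET['cart_item'], $_GET['edd_remove_from_cart_nonce'] ) ) {
        return;
    }
    $key   = absint( $_GET['cart_item'] ); // assumed query arg carrying the cart position
    $nonce = sanitize_text_field( wp_unslash( $_GET['edd_remove_from_cart_nonce'] ) );

    // Rebuild the action with the same key the template used: a nonce minted for
    // cart position 0 must not be accepted for position 3.
    if ( ! wp_verify_nonce( $nonce, 'edd-remove-from-cart-' . $key ) ) {
        wp_die( esc_html__( 'Invalid request.', 'example' ), '', array( 'response' => 403 ) );
    }
    // ... remove cart item $key ...
}

// 2. Form-field nonce (edd_get_login_fields). wp_nonce_field( 'edd-login-form',
//    'edd_login_nonce', false, true ) added a hidden input named edd_login_nonce.
function example_handle_login_post() {
    if ( ! isset( $_POST['edd_login_submit'] ) ) {
        return;
    }
    $nonce = isset( $_POST['edd_login_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['edd_login_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'edd-login-form' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'example' ), '', array( 'response' => 403 ) );
    }
    // ... authenticate the user ...
}

// 3. AJAX data-attribute nonces. The browser-side script is assumed to copy the element's
//    data-nonce (or data-<gateway>-nonce) value into a 'nonce' field of the request.
function example_ajax_country_states() {
    // check_ajax_referer() dies with HTTP 403 when the nonce for this action does not verify.
    check_ajax_referer( 'edd-country-field-nonce', 'nonce' );

    $country = isset( $_POST['country'] ) ? sanitize_text_field( wp_unslash( $_POST['country'] ) ) : '';
    // ... build the list of states for $country ...
    wp_send_json_success( array( 'country' => $country ) );
}
add_action( 'wp_ajax_example_country_states', 'example_ajax_country_states' );
add_action( 'wp_ajax_nopriv_example_country_states', 'example_ajax_country_states' );

function example_ajax_gateway_selected() {
    // The action is per gateway ('edd-gateway-selected-stripe' for Stripe), so the gateway id
    // is read from the request first and the action string rebuilt from it before verifying.
    $gateway = isset( $_POST['gateway'] ) ? sanitize_key( $_POST['gateway'] ) : '';
    check_ajax_referer( 'edd-gateway-selected-' . $gateway, 'nonce' );

    // ... render the payment fields for $gateway ...
    wp_send_json_success( array( 'gateway' => $gateway ) );
}
add_action( 'wp_ajax_example_gateway_selected', 'example_ajax_gateway_selected' );
add_action( 'wp_ajax_nopriv_example_gateway_selected', 'example_ajax_gateway_selected' );
```

Two points to keep in mind when verifying these nonces. The action string passed to wp_verify_nonce() or check_ajax_referer() has to match byte-for-byte what wp_create_nonce() was given in the template, including any per-item suffix such as the cart key or gateway id, which is what ties a nonce to one specific item rather than to the action in general. WordPress nonces also have a limited lifetime (24 hours by default), so a full-page cache that serves the cart or checkout HTML for longer than that will ship expired nonces and these checks will start rejecting legitimate requests; cart and checkout pages should be excluded from page caching.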