There are a number of hard-coded forms that do not appear to implement sesskey checking - some of these may not need sesskey handling, but as your plugin deals with shopping carts/payments it would be good to make sure you prevent any possible CSRF and also make it easy for other devs when reviewing your code to see that the forms are safe.
A good example in your code that could do with sesskey improvements is the bill_controller class - all the actions deleteitems/changestate/ignoretax etc. should probably be protected with a sesskey check.
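One way to apply the sesskey check described above, as an added sketch that is not the plugin's own code. The script path, the capability and the parameter names are assumptions; `require_sesskey()`, `sesskey()` and `data_submitted()` are Moodle core functions, and the action names come from the comment.

```php
<?php
// Hypothetical page script local/example/bill.php inside a Moodle install.
// Path, capability and parameter names are assumptions for illustration.
require_once(__DIR__ . '/../../config.php');

require_login();
$context = context_system::instance();
require_capability('moodle/site:config', $context); // Assumed capability.

$PAGE->set_context($context);
$PAGE->set_url(new moodle_url('/local/example/bill.php'));

$action = optional_param('action', '', PARAM_ALPHA);
$billid = optional_param('billid', 0, PARAM_INT);

// Actions that change data; names taken from the review comment.
$statechanging = ['deleteitems', 'changestate', 'ignoretax'];

if (in_array($action, $statechanging, true)) {
    // Only accept submitted form data, never a bare link.
    if (!data_submitted()) {
        throw new moodle_exception('invalidsesskey', 'error');
    }
    // Throws unless the 'sesskey' parameter matches the user's session key.
    require_sesskey();

    // ... perform $action on $billid here (plugin-specific, omitted) ...

    redirect($PAGE->url);
}

echo $OUTPUT->header();

// Hard-coded form: the hidden sesskey field is what require_sesskey() checks.
echo html_writer::start_tag('form', ['method' => 'post', 'action' => $PAGE->url->out(false)]);
echo html_writer::empty_tag('input', ['type' => 'hidden', 'name' => 'sesskey', 'value' => sesskey()]);
echo html_writer::empty_tag('input', ['type' => 'hidden', 'name' => 'action', 'value' => 'deleteitems']);
echo html_writer::empty_tag('input', ['type' => 'hidden', 'name' => 'billid', 'value' => $billid]);
echo html_writer::empty_tag('input', ['type' => 'submit', 'value' => get_string('delete')]);
echo html_writer::end_tag('form');

echo $OUTPUT->footer();
```

Calling `require_sesskey()` at the top of each state-changing branch also gives a reviewer one obvious line to look for per action.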