Remove nonce on cancel order URL

Nonces become invalid if the user ID changes during checkout, e.g. through
registration, so the cancel links become invalid.

cc @claudiosmweb

Fixes #10605
This commit is contained in:
Mike Jolley 2016-03-30 12:45:25 +01:00
parent 3a5feddbf5
commit 975f9d8c2d
2 changed files with 4 additions and 6 deletions


@ -2121,19 +2121,18 @@ abstract class WC_Abstract_Order {
// Get cancel endpoint
$cancel_endpoint = $this->get_cancel_endpoint();
return apply_filters( 'woocommerce_get_cancel_order_url', wp_nonce_url( add_query_arg( array(
return apply_filters( 'woocommerce_get_cancel_order_url', esc_url( add_query_arg( array(
'cancel_order' => 'true',
'order' => $this->order_key,
'order_id' => $this->id,
'redirect' => $redirect
), $cancel_endpoint ), 'woocommerce-cancel_order' ) );
'redirect' => $redirect,
), $cancel_endpoint ) ) );
}
/**
* Generates a raw (unescaped) cancel-order URL for use by payment gateways.
*
* @param string $redirect
*
* @return string The unescaped cancel-order URL.
*/
public function get_cancel_order_url_raw( $redirect = '' ) {
@ -2146,7 +2145,6 @@ abstract class WC_Abstract_Order {
'order' => $this->order_key,
'order_id' => $this->id,
'redirect' => $redirect,
'_wpnonce' => wp_create_nonce( 'woocommerce-cancel_order' )
), $cancel_endpoint ) );
}
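Review bot: The reason the nonce is dropped lives only in the commit message; nothing in the new `esc_url( add_query_arg(` line of get_cancel_order_url, nor in the second hunk where `'_wpnonce' => wp_create_nonce( ... )` is removed from get_cancel_order_url_raw, tells a later maintainer that the order key is now the only token protecting this state-changing GET link. Add next to `// Get cancel endpoint` a comment such as `// No nonce on purpose: it breaks if the user ID changes during checkout (e.g. registration); the order key authorises the request.` and repeat it in the raw variant so the two URLs stay in step. get_cancel_order_url's signature and docblock sit above the hunk.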


@ -566,7 +566,7 @@ class WC_Form_Handler {
if ( $order->has_status( 'cancelled' ) ) {
// Already cancelled - take no action
} elseif ( $user_can_cancel && $order_can_cancel && $order->id == $order_id && $order->order_key == $order_key && isset( $_GET['_wpnonce'] ) && wp_verify_nonce( $_GET['_wpnonce'], 'woocommerce-cancel_order' ) ) {
} elseif ( $user_can_cancel && $order_can_cancel && $order->id === $order_id && $order->order_key === $order_key ) {
// Cancel the order + restore stock
$order->cancel_order( __('Order cancelled by customer.', 'woocommerce' ) );
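Review bot: `$order->id === $order_id` on the new elseif line is a strict comparison against a value whose derivation is outside this hunk; if `$order_id` still arrives from the query string as a string, the branch never matches and the cancel link silently does nothing. Either confirm that `$order_id` is passed through `absint()` before this point or write `absint( $order->id ) === absint( $order_id )`. With the nonce check gone, the order key is the only secret guarding this state change, so `hash_equals( $order->order_key, $order_key )` (provided both are strings) avoids a timing-dependent comparison, and a one-line comment stating why no nonce is verified here would stop someone re-adding it later. The enclosing elseif chain and its function start above the hunk.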