From 0045df2cb022ebc52d6af165d4c7348689b03b76 Mon Sep 17 00:00:00 2001
From: Nestor Soriano
Date: Tue, 30 Mar 2021 11:04:44 +0200
Subject: [PATCH] Make product name escaping consistent in the front-end
---
includes/class-wc-structured-data.php | 4 ++--
templates/cart/mini-cart.php | 6 +++---
templates/checkout/form-pay.php | 4 ++--
templates/checkout/review-order.php | 4 ++--
templates/content-widget-reviews.php | 17 +++++++++++++++--
templates/emails/plain/email-order-items.php | 15 +++++++++------
templates/order/order-details-item.php | 4 ++--
7 files changed, 35 insertions(+), 19 deletions(-)
diff --git a/includes/class-wc-structured-data.php b/includes/class-wc-structured-data.php
index 070bea646b0..1d3778864e7 100644
--- a/includes/class-wc-structured-data.php
+++ b/includes/class-wc-structured-data.php
@@ -198,7 +198,7 @@ class WC_Structured_Data {
 $markup = array(
 '@type' => 'Product',
 '@id' => $permalink . '#product', // Append '#product' to differentiate between this @id and the @id generated for the Breadcrumblist.
- 'name' => $product->get_name(),
+ 'name' => wp_kses_post( $product->get_name() ),
 'url' => $permalink,
 'description' => wp_strip_all_tags( do_shortcode( $product->get_short_description() ? $product->get_short_description() : $product->get_description() ) ),
 );
@@ -477,7 +477,7 @@ class WC_Structured_Data {
 ),
 'itemOffered' => array(
 '@type' => 'Product',
- 'name' => apply_filters( 'woocommerce_order_item_name', $item->get_name(), $item, $is_visible ),
+ 'name' => wp_kses_post( apply_filters( 'woocommerce_order_item_name', $item->get_name(), $item, $is_visible ) ),
 'sku' => $product_exists ? $product->get_sku() : '',
 'image' => $product_exists ? wp_get_attachment_image_url( $product->get_image_id() ) : '',
 'url' => $is_visible ? get_permalink( $product->get_id() ) : get_home_url(),
diff --git a/templates/cart/mini-cart.php b/templates/cart/mini-cart.php
index 57c73ff56d9..a3c1ecf2e4e 100644
--- a/templates/cart/mini-cart.php
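Review bot: In the `@@ -198` hunk the product `name` is now passed through `wp_kses_post()`, which keeps the tags kses allows, while the `description` two lines below in the same array is built with `wp_strip_all_tags()`; the `itemOffered` name in the `@@ -477` hunk has the same asymmetry. This array feeds structured-data output (the serialisation happens outside the hunk), where a name is expected to be plain text, so any markup kses retains would presumably end up inside the emitted value rather than being dropped. For consistency with `description` I would use `'name' => wp_strip_all_tags( $product->get_name() ),` here and `wp_strip_all_tags( apply_filters( 'woocommerce_order_item_name', $item->get_name(), $item, $is_visible ) )` in the second hunk. If retaining HTML in the name is intentional, a one-line comment on the `name` entry saying why it differs from `description` would help the next reader.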
+++ b/templates/cart/mini-cart.php @@ -14,7 +14,7 @@ * * @see https://docs.woocommerce.com/document/template-structure/ * @package WooCommerce\Templates - * @version 3.7.0 + * @version 5.2.0 */ defined( 'ABSPATH' ) || exit; @@ -53,10 +53,10 @@ do_action( 'woocommerce_before_mini_cart' ); ?> ); ?> - + - + diff --git a/templates/checkout/form-pay.php b/templates/checkout/form-pay.php index b9244b6e210..e7bdd506ff3 100644 --- a/templates/checkout/form-pay.php +++ b/templates/checkout/form-pay.php @@ -12,7 +12,7 @@ * * @see https://docs.woocommerce.com/document/template-structure/ * @package WooCommerce\Templates - * @version 3.4.0 + * @version 5.2.0 */ defined( 'ABSPATH' ) || exit; @@ -40,7 +40,7 @@ $totals = $order->get_order_item_totals(); // phpcs:ignore WordPress.WP.GlobalVa get_name() ), $item, false ); // @codingStandardsIgnoreLine + echo wp_kses_post( apply_filters( 'woocommerce_order_item_name', $item->get_name(), $item, false ) ); do_action( 'woocommerce_order_item_meta_start', $item_id, $item, $order, false ); diff --git a/templates/checkout/review-order.php b/templates/checkout/review-order.php index e85d43dc39c..576a8648387 100644 --- a/templates/checkout/review-order.php +++ b/templates/checkout/review-order.php @@ -12,7 +12,7 @@ * * @see https://docs.woocommerce.com/document/template-structure/ * @package WooCommerce\Templates - * @version 3.8.0 + * @version 5.2.0 */ defined( 'ABSPATH' ) || exit; @@ -35,7 +35,7 @@ defined( 'ABSPATH' ) || exit; ?> - get_name(), $cart_item, $cart_item_key ) . ' '; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?> + get_name(), $cart_item, $cart_item_key ) ) . ' '; ?> ' . sprintf( '× %s', $cart_item['quantity'] ) . '', $cart_item, $cart_item_key ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?> diff --git a/templates/content-widget-reviews.php b/templates/content-widget-reviews.php index d46cbd5873f..d16368479ae 100644 --- a/templates/content-widget-reviews.php 
+++ b/templates/content-widget-reviews.php @@ -21,14 +21,27 @@ defined( 'ABSPATH' ) || exit;
  • + + get_image(); ?> - get_name(); ?> + get_name() ); ?> comment_ID, 'rating', true ) ) ); ?> - comment_ID ) ); ?> + + comment_ID ) ); + ?> + + +
  • diff --git a/templates/emails/plain/email-order-items.php b/templates/emails/plain/email-order-items.php index bcd446630e9..61cf3fdbd52 100644 --- a/templates/emails/plain/email-order-items.php +++ b/templates/emails/plain/email-order-items.php @@ -12,11 +12,11 @@ * * @see https://docs.woocommerce.com/document/template-structure/ * @package WooCommerce\Templates\Emails\Plain - * @version 3.7.0 + * @version 5.2.0 */ if ( ! defined( 'ABSPATH' ) ) { - exit; // Exit if accessed directly + exit; // Exit if accessed directly. } foreach ( $items as $item_id => $item ) : @@ -30,15 +30,18 @@ foreach ( $items as $item_id => $item ) : $purchase_note = $product->get_purchase_note(); } - echo apply_filters( 'woocommerce_order_item_name', $item->get_name(), $item, false ); + // phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped + echo wp_kses_post( apply_filters( 'woocommerce_order_item_name', $item->get_name(), $item, false ) ); if ( $show_sku && $sku ) { echo ' (#' . $sku . ')'; } echo ' X ' . apply_filters( 'woocommerce_email_order_item_quantity', $item->get_quantity(), $item ); echo ' = ' . $order->get_formatted_line_subtotal( $item ) . "\n"; + // phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped - // allow other plugins to add additional product information here + // allow other plugins to add additional product information here. do_action( 'woocommerce_order_item_meta_start', $item_id, $item, $order, $plain_text ); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo strip_tags( wc_display_item_meta( $item, @@ -52,10 +55,10 @@ foreach ( $items as $item_id => $item ) : ) ); - // allow other plugins to add additional product information here + // allow other plugins to add additional product information here. do_action( 'woocommerce_order_item_meta_end', $item_id, $item, $order, $plain_text ); } - // Note + // Note. if ( $show_purchase_note && $purchase_note ) { echo "\n" . do_shortcode( wp_kses_post( $purchase_note ) ); } 
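Review bot: `wp_kses_post()` on the item name in this plain-text email template keeps whatever HTML kses allows, whereas the item meta printed a few lines below in the same `@@ -30,15 +30,18 @@` hunk goes through `strip_tags( wc_display_item_meta( ... ) )`; for a text/plain body `echo wp_strip_all_tags( apply_filters( 'woocommerce_order_item_name', $item->get_name(), $item, false ) );` would match that treatment and avoid handing markup to mail clients that show it literally. Separately, the new `// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped` / `// phpcs:enable` pair also covers the `$sku`, quantity and subtotal echoes, so the sniff no longer reports those lines at all; a per-line `// phpcs:ignore` on just the statements that were reviewed keeps the exemption narrow. The enclosing `foreach` opens before this hunk and closes after it.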
diff --git a/templates/order/order-details-item.php b/templates/order/order-details-item.php index 7894d37b92f..271b94c8892 100644 --- a/templates/order/order-details-item.php +++ b/templates/order/order-details-item.php @@ -12,7 +12,7 @@ * * @see https://docs.woocommerce.com/document/template-structure/ * @package WooCommerce\Templates - * @version 3.7.0 + * @version 5.2.0 */ if ( ! defined( 'ABSPATH' ) ) { @@ -30,7 +30,7 @@ if ( ! apply_filters( 'woocommerce_order_item_visible', true, $item ) ) { $is_visible = $product && $product->is_visible(); $product_permalink = apply_filters( 'woocommerce_order_item_permalink', $is_visible ? $product->get_permalink( $item ) : '', $item, $order ); - echo apply_filters( 'woocommerce_order_item_name', $product_permalink ? sprintf( '%s', $product_permalink, $item->get_name() ) : $item->get_name(), $item, $is_visible ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped + echo wp_kses_post( apply_filters( 'woocommerce_order_item_name', $product_permalink ? sprintf( '%s', $product_permalink, $item->get_name() ) : $item->get_name(), $item, $is_visible ) ); $qty = $item->get_quantity(); $refunded_qty = $order->get_qty_refunded_for_item( $item_id );
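Review bot: `$product_permalink`, which is whatever the `woocommerce_order_item_permalink` filter returned, is interpolated raw via `sprintf` and only the assembled string reaches `wp_kses_post()` (the format string is truncated in this rendering, so I am inferring it builds a link). kses does filter attribute protocols, but escaping the URL at the point of interpolation with `esc_url( $product_permalink )` keeps that guarantee local to this line rather than relying on the outer call. A short comment such as `// Single sanitisation point for filter output; callbacks may return markup.` above the `echo` would record that `wp_kses_post()` is deliberately applied after the filter, which is the behaviour the commit title describes but the code does not explain.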