From 0f4e675fb55dca6ef78f64f2d8326fff35f9d521 Mon Sep 17 00:00:00 2001
From: Seghir Nadir
Date: Tue, 23 Apr 2024 15:34:31 +0200
Subject: [PATCH] Correctly serialize data in additional fields API (#46762)
* fix data sanitization on session
* add changelog
---
 ...t-shopper.block_theme.side_effects.spec.ts | 8 +++----
 .../changelog/fix-sanitize-data-fields | 4 ++++
 .../class-wc-customer-data-store-session.php | 24 +++++++++++++------
 3 files changed, 25 insertions(+), 11 deletions(-)
 create mode 100644 plugins/woocommerce/changelog/fix-sanitize-data-fields
diff --git a/plugins/woocommerce-blocks/tests/e2e/tests/checkout/additional-fields.guest-shopper.block_theme.side_effects.spec.ts b/plugins/woocommerce-blocks/tests/e2e/tests/checkout/additional-fields.guest-shopper.block_theme.side_effects.spec.ts
index 39af6a676c6..e26f15632b2 100644
--- a/plugins/woocommerce-blocks/tests/e2e/tests/checkout/additional-fields.guest-shopper.block_theme.side_effects.spec.ts
+++ b/plugins/woocommerce-blocks/tests/e2e/tests/checkout/additional-fields.guest-shopper.block_theme.side_effects.spec.ts
@@ -55,7 +55,7 @@ test.describe( 'Shopper → Additional Checkout Fields', () => {
 {
 contact: {
 'Enter a gift message to include in the package':
- 'This is for you!',
+ 'For my non-ascii named friend: niño',
 },
 address: {
 shipping: {
@@ -105,7 +105,7 @@ test.describe( 'Shopper → Additional Checkout Fields', () => {
 {
 contact: {
 'Enter a gift message to include in the package':
- 'This is for you!',
+ 'For my non-ascii named friend: niño',
 'Is this a personal purchase or a business purchase?':
 'business',
 },
@@ -188,7 +188,7 @@ test.describe( 'Shopper → Additional Checkout Fields', () => {
 [ 'What is your favourite colour?', 'Blue' ],
 [
 'Enter a gift message to include in the package',
- 'This is for you!',
+ 'For my non-ascii named friend: niño',
 ],
 [ 'Do you want to subscribe to our newsletter?', 'Yes' ],
 [ 'Would you like a free gift with your order?', 'Yes' ],
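Review bot: The replacement fixture `'For my non-ascii named friend: niño'` exercises only a non-ASCII letter, while the same commit also removes `wp_unslash()` from the session read path, so values containing a backslash or quotes are the other inputs whose round trip changed and nothing asserts them. Consider adding a second gift-message case with those characters (constructed example: `'Quote " and backslash \\ test'`). The literal is repeated in the hunks at -105, -188 and -220; a shared constant such as `const GIFT_MESSAGE = 'For my non-ascii named friend: niño';` would keep the four in sync.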
@@ -220,7 +220,7 @@ test.describe( 'Shopper → Additional Checkout Fields', () => {
 .getByLabel(
 'Enter a gift message to include in the package'
 )
- ).toHaveValue( 'This is for you!' );
+ ).toHaveValue( 'For my non-ascii named friend: niño' );
 await expect(
 checkoutPageObject.page
 .getByRole( 'group', {
diff --git a/plugins/woocommerce/changelog/fix-sanitize-data-fields b/plugins/woocommerce/changelog/fix-sanitize-data-fields
new file mode 100644
index 00000000000..a6f629d262a
--- /dev/null
+++ b/plugins/woocommerce/changelog/fix-sanitize-data-fields
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Fix sanitization of special letters in Additional fields API
diff --git a/plugins/woocommerce/includes/data-stores/class-wc-customer-data-store-session.php b/plugins/woocommerce/includes/data-stores/class-wc-customer-data-store-session.php
index c29ed861d77..c58d40fbe41 100644
--- a/plugins/woocommerce/includes/data-stores/class-wc-customer-data-store-session.php
+++ b/plugins/woocommerce/includes/data-stores/class-wc-customer-data-store-session.php
@@ -95,14 +95,24 @@ class WC_Customer_Data_Store_Session extends WC_Data_Store_WP implements WC_Cust
 * @param WC_Customer $customer The customer object.
 */
 $allowed_keys = apply_filters( 'woocommerce_customer_allowed_session_meta_keys', array(), $customer );
- $session_value = wp_json_encode(
- array_filter(
- $customer->get_meta_data(),
- function( $meta_data ) use ( $allowed_keys ) {
- return in_array( $meta_data->key, $allowed_keys, true );
- }
+ $session_value = maybe_serialize(
+ array_map(
+ function ( $meta_data ) {
+ // Data comes to us a WC_Meta_Data, we cast it to an array to ensure it is serializable.
+ return array(
+ 'key' => $meta_data->key,
+ 'value' => $meta_data->value,
+ );
+ },
+ array_filter(
+ $customer->get_meta_data(),
+ function ( $meta_data ) use ( $allowed_keys ) {
+ return in_array( $meta_data->key, $allowed_keys, true );
+ }
+ )
 )
 );
+
 } else {
 $session_value = $customer->{"get_$function_key"}( 'edit' );
 }
@@ -137,7 +147,7 @@ class WC_Customer_Data_Store_Session extends WC_Data_Store_WP implements WC_Cust
 }
 if ( ! empty( $data[ $session_key ] ) && is_callable( array( $customer, "set_{$function_key}" ) ) ) {
 if ( 'meta_data' === $session_key ) {
- $meta_data_values = json_decode( wp_unslash( $data[ $session_key ] ), true );
+ $meta_data_values = maybe_unserialize( $data[ $session_key ] );
 if ( $meta_data_values ) {
 foreach ( $meta_data_values as $meta_data_value ) {
 if ( ! isset( $meta_data_value['key'], $meta_data_value['value'] ) ) {
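Review bot: The `'value' => $meta_data->value` line hands the meta value to `maybe_serialize()` with no constraint on its type, so an allowed key whose value is an object would be stored as a serialized PHP object and rebuilt by `maybe_unserialize()` on the read side, which the JSON encoding being replaced could not do. If only strings and plain arrays are expected here, state that in the comment and enforce it before serializing. Two smaller points: the comment would read better as `// Each entry arrives as a WC_Meta_Data object; copy key and value into a plain array so it can be serialized.`, and the empty line added before `} else {` looks unintended. The enclosing method starts and ends outside the hunk.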
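Review bot: `if ( $meta_data_values )` no longer guarantees an array: `maybe_unserialize()` returns a string that is not in serialized form unchanged, so a session row written before this change (a JSON string) is truthy, reaches `foreach` as a string, and its fields are dropped with a PHP warning. Use `if ( is_array( $meta_data_values ) ) {` and, if sessions that exist at upgrade time should keep their fields, fall back to the previous JSON decoding when `is_serialized()` is false. `maybe_unserialize()` also calls `unserialize()` without a class restriction on data read back from the session store; `unserialize( $raw, array( 'allowed_classes' => false ) )`, with `$raw` standing for `$data[ $session_key ]`, would keep an unexpected or tampered row from instantiating objects. The surrounding loop and method continue outside the hunk.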