Correctly serialize data in additional fields API (#46762)

* fix data sanitization on session * add changelog
2024-04-23 15:34:31 +02:00 · 2024-04-23 15:34:31 +02:00 · 0f4e675fb5
parent 2ea10959a6
commit 0f4e675fb5
3 changed files with 25 additions and 11 deletions
--- a/plugins/woocommerce-blocks/tests/e2e/tests/checkout/additional-fields.guest-shopper.block_theme.side_effects.spec.ts
+++ b/plugins/woocommerce-blocks/tests/e2e/tests/checkout/additional-fields.guest-shopper.block_theme.side_effects.spec.ts
@ -55,7 +55,7 @@ test.describe( 'Shopper → Additional Checkout Fields', () => {
 				{
 					contact: {
 						'Enter a gift message to include in the package':
-							'This is for you!',
+							'For my non-ascii named friend: niño',
 					},
 					address: {
 						shipping: {
@ -105,7 +105,7 @@ test.describe( 'Shopper → Additional Checkout Fields', () => {
 				{
 					contact: {
 						'Enter a gift message to include in the package':
-							'This is for you!',
+							'For my non-ascii named friend: niño',
 						'Is this a personal purchase or a business purchase?':
 							'business',
 					},
@ -188,7 +188,7 @@ test.describe( 'Shopper → Additional Checkout Fields', () => {
 					[ 'What is your favourite colour?', 'Blue' ],
 					[
 						'Enter a gift message to include in the package',
-						'This is for you!',
+						'For my non-ascii named friend: niño',
 					],
 					[ 'Do you want to subscribe to our newsletter?', 'Yes' ],
 					[ 'Would you like a free gift with your order?', 'Yes' ],
@ -220,7 +220,7 @@ test.describe( 'Shopper → Additional Checkout Fields', () => {
 					.getByLabel(
 						'Enter a gift message to include in the package'
 					)
-			).toHaveValue( 'This is for you!' );
+			).toHaveValue( 'For my non-ascii named friend: niño' );
 			await expect(
 				checkoutPageObject.page
 					.getByRole( 'group', {
--- a/plugins/woocommerce/changelog/fix-sanitize-data-fields
+++ b/plugins/woocommerce/changelog/fix-sanitize-data-fields
@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Fix sanitization of special letters in Additional fields API
--- a/plugins/woocommerce/includes/data-stores/class-wc-customer-data-store-session.php
+++ b/plugins/woocommerce/includes/data-stores/class-wc-customer-data-store-session.php
@ -95,14 +95,24 @@ class WC_Customer_Data_Store_Session extends WC_Data_Store_WP implements WC_Cust
 				 * @param WC_Customer $customer The customer object.
 				 */
 				$allowed_keys  = apply_filters( 'woocommerce_customer_allowed_session_meta_keys', array(), $customer );
-				$session_value = wp_json_encode(
-					array_filter(
-						$customer->get_meta_data(),
-						function( $meta_data ) use ( $allowed_keys ) {
-							return in_array( $meta_data->key, $allowed_keys, true );
-						}
+				$session_value = maybe_serialize(
+					array_map(
+						function ( $meta_data ) {
+							// Data comes to us a WC_Meta_Data, we cast it to an array to ensure it is serializable.
+								return array(
+									'key'   => $meta_data->key,
+									'value' => $meta_data->value,
+								);
+						},
+						array_filter(
+							$customer->get_meta_data(),
+							function ( $meta_data ) use ( $allowed_keys ) {
+									return in_array( $meta_data->key, $allowed_keys, true );
+							}
+						)
 					)
 				);
+
 			} else {
 				$session_value = $customer->{"get_$function_key"}( 'edit' );
 			}
@ -137,7 +147,7 @@ class WC_Customer_Data_Store_Session extends WC_Data_Store_WP implements WC_Cust
 				}
 				if ( ! empty( $data[ $session_key ] ) && is_callable( array( $customer, "set_{$function_key}" ) ) ) {
 					if ( 'meta_data' === $session_key ) {
-						$meta_data_values = json_decode( wp_unslash( $data[ $session_key ] ), true );
+						$meta_data_values = maybe_unserialize( $data[ $session_key ] );
 						if ( $meta_data_values ) {
 							foreach ( $meta_data_values as $meta_data_value ) {
 								if ( ! isset( $meta_data_value['key'], $meta_data_value['value'] ) ) {