From 7c3774e65ff2aaeb1ab91b5e28a9093f47f9d027 Mon Sep 17 00:00:00 2001 From: Justin Shreve Date: Wed, 10 Jun 2015 15:34:36 +0000 Subject: [PATCH 1/2] For file URLs and images, run the URL through esc_url_raw rather than wc_clean (which removes/strips things like entities). --- includes/api/class-wc-api-products.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/includes/api/class-wc-api-products.php b/includes/api/class-wc-api-products.php index cbafdd4c473..803a21b6763 100644 --- a/includes/api/class-wc-api-products.php +++ b/includes/api/class-wc-api-products.php @@ -1603,7 +1603,7 @@ class WC_API_Products extends WC_API_Resource { } $file_name = isset( $file['name'] ) ? wc_clean( $file['name'] ) : ''; - $file_url = wc_clean( $file['file'] ); + $file_url = esc_url_raw( $file['file'] ); $files[ md5( $file_url ) ] = array( 'name' => $file_name, @@ -1734,7 +1734,7 @@ class WC_API_Products extends WC_API_Resource { $attachment_id = isset( $image['id'] ) ? absint( $image['id'] ) : 0; if ( 0 === $attachment_id && isset( $image['src'] ) ) { - $upload = $this->upload_product_image( wc_clean( $image['src'] ) ); + $upload = $this->upload_product_image( esc_url_raw( $image['src'] ) ); if ( is_wp_error( $upload ) ) { throw new WC_API_Exception( 'woocommerce_api_cannot_upload_product_image', $upload->get_error_message(), 400 ); @@ -1748,7 +1748,7 @@ class WC_API_Products extends WC_API_Resource { $attachment_id = isset( $image['id'] ) ? absint( $image['id'] ) : 0; if ( 0 === $attachment_id && isset( $image['src'] ) ) { - $upload = $this->upload_product_image( wc_clean( $image['src'] ) ); + $upload = $this->upload_product_image( esc_url_raw( $image['src'] ) ); if ( is_wp_error( $upload ) ) { throw new WC_API_Exception( 'woocommerce_api_cannot_upload_product_image', $upload->get_error_message(), 400 ); From 66ccc8a75caf1de3e4fa98feeb29a5f66209ffea Mon Sep 17 00:00:00 2001 
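Review bot: Switching `wc_clean` for `esc_url_raw` on `$image['src']` (both `upload_product_image` call sites in this patch) only restricts the scheme to WordPress's allowed-protocol list, which still includes ftp://, ftps:// and others, and does nothing about the host; since the sanitized value is handed straight to `upload_product_image`, which presumably fetches it server-side, an authenticated API client can still point the fetch at internal or loopback addresses unless that helper uses `wp_safe_remote_get`/`download_url` with host validation (it is not visible here). A cheap guard at both sites would be `if ( ! wp_http_validate_url( $image['src'] ) ) { throw new WC_API_Exception( 'woocommerce_api_invalid_product_image', __( 'Invalid product image URL.', 'woocommerce' ), 400 ); }`, which rejects non-http(s) schemes and private/reserved IPs before any request is made. The same caveat applies to the `$file_url` hunk: `esc_url_raw` returns an empty string for javascript:/data: but happily accepts any other whitelisted scheme, so a comment such as `// esc_url_raw enforces wp_allowed_protocols() only; it does not restrict the host.` would stop the next reader from treating it as a full validation step. The enclosing methods all begin and end outside these hunks.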
From: Justin Shreve Date: Wed, 10 Jun 2015 16:12:10 +0000 Subject: [PATCH 2/2] Only run the file URL through esc_url_raw if it looks like an absolute URL, otherwise if it is a shortcode or relative URL, continue to use wc_clean. --- includes/api/class-wc-api-products.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/includes/api/class-wc-api-products.php b/includes/api/class-wc-api-products.php index 803a21b6763..1e130050355 100644 --- a/includes/api/class-wc-api-products.php +++ b/includes/api/class-wc-api-products.php @@ -1603,7 +1603,12 @@ class WC_API_Products extends WC_API_Resource { } $file_name = isset( $file['name'] ) ? wc_clean( $file['name'] ) : ''; - $file_url = esc_url_raw( $file['file'] ); + + if ( 0 === strpos( $file['file'], 'http' ) ) { + $file_url = esc_url_raw( $file['file'] ); + } else { + $file_url = wc_clean( $file['file'] ); + } $files[ md5( $file_url ) ] = array( 'name' => $file_name,
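Review bot: The new gate `0 === strpos( $file['file'], 'http' )` is a case-sensitive literal prefix test, so `HTTP://…`, `Https://…`, `ftp://…`, `javascript:…`, `data:…` and protocol-relative `//host/…` all fall through to the `wc_clean` branch, which strips tags and whitespace but enforces no scheme whitelist, so the protection the previous commit added is bypassed by anything that is not lowercase `http`. Routing every value that carries a scheme (or a `//` prefix) through `esc_url_raw` keeps shortcodes and relative paths on `wc_clean` while closing that gap, e.g. `if ( preg_match( '#^(?:[a-z][a-z0-9+.-]*:|//)#i', $file['file'] ) ) {` in place of the `strpos` test. Note also that `$file['file']` is read without the `isset()` guard that `$file['name']` gets on the line above; unless the lines before this hunk already reject a missing or non-string value, `strpos()` on null or an array will emit a deprecation or TypeError on PHP 8, so an explicit `$file_url_in = isset( $file['file'] ) ? $file['file'] : '';` before the check would be safer. Finally, `esc_url_raw` returns an empty string for a disallowed scheme, and the code then stores that entry under `md5( '' )` instead of rejecting it; consider throwing a `WC_API_Exception` with status 400 when the sanitized URL comes back empty. The enclosing method begins and ends outside this hunk.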