Use consistent strategy for sanitizing the payment gateway title.

Elsewhere, in relation to payment gateway titles, we use the HtmlSanitizer utility to remove dangerous HTML but allow a safe subset. We should also apply that here, for consistency.
barryhughes 2023-03-28 12:50:58 -07:00
parent 30ea6cfc71
commit 17c4952e72
1 changed files with 3 additions and 1 deletions


@ -15,6 +15,8 @@
* @version 4.6.0
*/
use Automattic\WooCommerce\Internal\Utilities\HtmlSanitizer;
defined( 'ABSPATH' ) || exit;
$order = wc_get_order( $order_id ); // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
@ -83,7 +85,7 @@ if ( $show_downloads ) {
?>
<tr>
<th scope="row"><?php echo esc_html( $total['label'] ); ?></th>
<td><?php echo ( 'payment_method' === $key ) ? esc_html( $total['value'] ) : wp_kses_post( $total['value'] ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?></td>
<td><?php echo ( 'payment_method' === $key ) ? wc_get_container()->get( HtmlSanitizer::class )->sanitize( $total['value'] ) : wp_kses_post( $total['value'] ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?></td>
</tr>
<?php
}
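Review bot: The `payment_method` branch of the `<td>` in the second hunk now emits markup rather than fully escaped text, so its safety rests entirely on `HtmlSanitizer::sanitize()` and whatever default rule set it applies, yet the line still carries only the blanket `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`. I would extend that comment so the suppression is justified in place, e.g. `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- HtmlSanitizer (payment_method) and wp_kses_post() both return allowlisted HTML.` The gateway title is presumably a stored setting that admins or third-party gateways can supply, so it is worth confirming that the sanitizer's defaults drop links, event-handler attributes and `style` before this template relies on them. The header in the first hunk still reads `@version 4.6.0`; if the project bumps the template version on change, leaving it as is means theme overrides that still call `esc_html()` will not be flagged as outdated.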