From f7fa7b6a41f7844e34533d986c9518a5e794e3d9 Mon Sep 17 00:00:00 2001
From: James Kemp
Date: Thu, 24 May 2018 15:15:35 +0100
Subject: [PATCH 1/4] Escape attributes labels but allow HTML

Escape attribute labels with wp_kses_post so HTML is allowed if required.
---
 includes/wc-template-hooks.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/includes/wc-template-hooks.php b/includes/wc-template-hooks.php
index fea838ddc97..352fe1a252c 100644
--- a/includes/wc-template-hooks.php
+++ b/includes/wc-template-hooks.php
@@ -180,6 +180,11 @@ add_action( 'woocommerce_external_add_to_cart', 'woocommerce_external_add_to_car
 add_action( 'woocommerce_single_variation', 'woocommerce_single_variation', 10 );
 add_action( 'woocommerce_single_variation', 'woocommerce_single_variation_add_to_cart_button', 20 );
 
+/**
+ * Product attributes.
+ */
+add_filter( 'woocommerce_attribute_label', 'wp_kses_post', 100 );
+
 /**
  * Pagination after shop loops.
  *
From 16785b33ab864e32a4dc7fd10e9f2ab93e02c9b0 Mon Sep 17 00:00:00 2001
From: James Kemp
Date: Thu, 24 May 2018 15:29:53 +0100
Subject: [PATCH 2/4] Do not escape HTML for attribute label

---
 includes/admin/meta-boxes/views/html-product-attribute.php | 4 ++--
 templates/single-product/add-to-cart/variable.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/includes/admin/meta-boxes/views/html-product-attribute.php b/includes/admin/meta-boxes/views/html-product-attribute.php
index b3b846f8385..7de8f729df7 100644
--- a/includes/admin/meta-boxes/views/html-product-attribute.php
+++ b/includes/admin/meta-boxes/views/html-product-attribute.php
@@ -7,7 +7,7 @@ if ( ! defined( 'ABSPATH' ) ) {

- get_name() ) ); ?> + get_name() ); ?>

@@ -17,7 +17,7 @@ if ( ! defined( 'ABSPATH' ) ) { is_taxonomy() ) : ?> - get_name() ) ); ?> + get_name() ); ?> diff --git a/templates/single-product/add-to-cart/variable.php b/templates/single-product/add-to-cart/variable.php index 3bad96cdebe..aa7e3a48b03 100644 --- a/templates/single-product/add-to-cart/variable.php +++ b/templates/single-product/add-to-cart/variable.php @@ -33,7 +33,7 @@ do_action( 'woocommerce_before_add_to_cart_form' ); ?> $options ) : ?> - +
get_variation_default_attribute( $attribute_name ); // WPCS: input var ok, CSRF ok, sanitization ok.
From 71a4f1079fa00556617e54069a1a717e1ec22570 Mon Sep 17 00:00:00 2001
From: James Kemp
Date: Thu, 24 May 2018 19:30:48 +0100
Subject: [PATCH 3/4] Revert "Escape attributes labels but allow HTML"

This reverts commit f7fa7b6a41f7844e34533d986c9518a5e794e3d9.
---
 includes/wc-template-hooks.php | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/includes/wc-template-hooks.php b/includes/wc-template-hooks.php
index 352fe1a252c..fea838ddc97 100644
--- a/includes/wc-template-hooks.php
+++ b/includes/wc-template-hooks.php
@@ -180,11 +180,6 @@ add_action( 'woocommerce_external_add_to_cart', 'woocommerce_external_add_to_car
 add_action( 'woocommerce_single_variation', 'woocommerce_single_variation', 10 );
 add_action( 'woocommerce_single_variation', 'woocommerce_single_variation_add_to_cart_button', 20 );
 
-/**
- * Product attributes.
- */
-add_filter( 'woocommerce_attribute_label', 'wp_kses_post', 100 );
-
 /**
  * Pagination after shop loops.
  *
From 596e6e2271cddca854e551339cda7fcc7479452b Mon Sep 17 00:00:00 2001
From: James Kemp
Date: Thu, 24 May 2018 19:32:32 +0100
Subject: [PATCH 4/4] Add filter to sanitize woocommerce_attribute_label

---
 includes/wc-core-functions.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/includes/wc-core-functions.php b/includes/wc-core-functions.php
index 6f1bdc56fc4..e78e0ed621e 100644
--- a/includes/wc-core-functions.php
+++ b/includes/wc-core-functions.php
@@ -38,6 +38,7 @@ add_filter( 'woocommerce_coupon_code', 'sanitize_text_field' );
 add_filter( 'woocommerce_coupon_code', 'wc_strtolower' );
 add_filter( 'woocommerce_stock_amount', 'intval' ); // Stock amounts are integers by default.
 add_filter( 'woocommerce_shipping_rate_label', 'sanitize_text_field' ); // Shipping rate label.
+add_filter( 'woocommerce_attribute_label', 'wp_kses_post', 100 );
 
 /**
  * Short Description (excerpt).
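Review bot: The `-`/`+` pair after `$options ) : ?>` in the variable.php hunk drops the template's own output-time escaping of the attribute label, and the new line's text is not recoverable from this extract, so I am inferring it echoes the filtered label directly; the two html-product-attribute.php hunks of this patch (@@ -7 and @@ -17) make the same removal, where the old `) ) );` nesting suggests an `esc_html()` wrapper was taken off. After this patch the only sanitization is the `wp_kses_post` callback that PATCH 4/4 hooks onto `woocommerce_attribute_label` at priority 100, so any callback registered on that hook above 100, or a site that removes it, reaches the page unfiltered, and variable.php sits under templates/ where themes override it. Recording that dependency at the echo would make the contract visible to whoever edits either side, e.g. `<?php // Label is sanitized by the woocommerce_attribute_label filter (wp_kses_post, priority 100); do not echo raw names here. ?>`.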
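Review bot: The added `add_filter( 'woocommerce_attribute_label', 'wp_kses_post', 100 );` is the one line in this run without a trailing comment, although it is the least self-explanatory: its neighbours use `sanitize_text_field`, while this one deliberately keeps HTML and, per PATCH 2/4, now stands in for the `esc_html()` calls removed from the templates. `wp_kses_post` passes the post-content allowlist (links, images, inline formatting), so labels are no longer plain text, and priority 100 means any callback hooked after it runs post-sanitization and its output is echoed as-is. Suggested: `add_filter( 'woocommerce_attribute_label', 'wp_kses_post', 100 ); // Labels may contain HTML and are echoed unescaped by templates; keep this the last callback on the hook.`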