From af7f271de1656bd5d061ae24105a263115311bce Mon Sep 17 00:00:00 2001
From: Claudio Sanches
Date: Thu, 6 Apr 2017 17:58:24 -0300
Subject: [PATCH] Fixed sanitization of order items meta data

Closes #14067

---
 includes/admin/wc-admin-functions.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/includes/admin/wc-admin-functions.php b/includes/admin/wc-admin-functions.php
index 0e2aa839a9a..7d026da55ff 100644
--- a/includes/admin/wc-admin-functions.php
+++ b/includes/admin/wc-admin-functions.php
@@ -224,7 +224,7 @@ function wc_save_order_items( $order_id, $items ) {
  if ( isset( $items['meta_key'][ $item_id ], $items['meta_value'][ $item_id ] ) ) {
  foreach ( $items['meta_key'][ $item_id ] as $meta_id => $meta_key ) {
- $meta_value = isset( $items['meta_value'][ $item_id ][ $meta_id ] ) ? $items['meta_value'][ $item_id ][ $meta_id ] : '';
+ $meta_value = isset( $items['meta_value'][ $item_id ][ $meta_id ] ) ? wp_unslash( $items['meta_value'][ $item_id ][ $meta_id ] ) : '';
  if ( '' === $meta_key && '' === $meta_value ) {
  if ( ! strstr( $meta_id, 'new-' ) ) {
@@ -250,6 +250,7 @@ function wc_save_order_items( $order_id, $items ) {
  'shipping_cost' => 0,
  'shipping_taxes' => array(),
  );
+
  foreach ( $items['shipping_method_id'] as $item_id ) {
  if ( ! $item = $order->get_item( absint( $item_id ) ) ) {
  continue;
@@ -258,7 +259,7 @@ function wc_save_order_items( $order_id, $items ) {
  $item_data = array();
  foreach ( $data_keys as $key => $default ) {
- $item_data[ $key ] = isset( $items[ $key ][ $item_id ] ) ? $items[ $key ][ $item_id ] : $default;
+ $item_data[ $key ] = isset( $items[ $key ][ $item_id ] ) ? wc_clean( wp_unslash( $items[ $key ][ $item_id ] ) ) : $default;
  }
  $item->set_props( array(
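Review bot: Only `$meta_value` is unslashed on the new line; `$meta_key`, read from the same request array in the `foreach` two lines up, is still used in its slashed form, so a key containing a quote is stored with backslashes while its value is not (the `'' === $meta_key` check is unaffected either way). Unless it is unslashed further down, add `$meta_key = wp_unslash( $meta_key );` as the first statement of the loop body, or unslash `$items` once at the entry of wc_save_order_items so every hunk in this patch is covered. The value is also not passed through wc_clean() here, unlike the shipping fields in the third hunk; if that asymmetry is deliberate because meta values may legitimately hold markup or newlines, a comment such as `// Meta values are intentionally not run through wc_clean(); only slashes are stripped.` would keep the next reader from "fixing" it. wc_save_order_items starts before this hunk and the loop body continues past it.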
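Review bot: The item obtained from `$order->get_item( absint( $item_id ) )` in the preceding hunk is never checked to be a shipping line before the cleaned shipping props are applied with `set_props` here, so if get_item() returns items of any type (not visible in this patch), an attacker-controlled `shipping_method_id` entry could target a product or fee line; a guard such as `if ( ! $item->is_type( 'shipping' ) ) { continue; }` before the `$item_data` loop would close that, assuming the item class exposes such a method. Separately, `shipping_taxes` defaults to `array()` (visible in the preceding hunk), so `wc_clean( wp_unslash( ... ) )` on that key relies on both helpers mapping over arrays rather than casting them to a string; if that holds, a short comment `// wc_clean()/wp_unslash() recurse into arrays, so shipping_taxes keeps its shape.` documents the dependency. The enclosing foreach and wc_save_order_items both extend outside the hunk.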
@@ -272,7 +273,7 @@ function wc_save_order_items( $order_id, $items ) {
  if ( isset( $items['meta_key'][ $item_id ], $items['meta_value'][ $item_id ] ) ) {
  foreach ( $items['meta_key'][ $item_id ] as $meta_id => $meta_key ) {
- $meta_value = isset( $items['meta_value'][ $item_id ][ $meta_id ] ) ? $items['meta_value'][ $item_id ][ $meta_id ] : '';
+ $meta_value = isset( $items['meta_value'][ $item_id ][ $meta_id ] ) ? wp_unslash( $items['meta_value'][ $item_id ][ $meta_id ] ) : '';
  if ( '' === $meta_key && '' === $meta_value ) {
  if ( ! strstr( $meta_id, 'new-' ) ) {
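Review bot: `wp_unslash()` is applied to the meta value on the new line but not to `$meta_key`, which comes from the same request-derived `$items` array in the enclosing `foreach`, so keys and values from one form submission are stored with different escaping. Adding `$meta_key = wp_unslash( $meta_key );` at the top of the loop body, or unslashing `$items` once where wc_save_order_items receives it, removes the asymmetry for both meta loops in this file. `$meta_id` is also request-controlled and only inspected with `strstr( $meta_id, 'new-' )`; whatever consumes it after the `if` is outside this hunk, so I cannot tell from here whether it is cast to an integer before being used as a meta ID. The loop body and the function continue past the hunk.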