From bd625a05379c1920824fe5e9a08409f1af6a723a Mon Sep 17 00:00:00 2001
From: Mike Jolley
Date: Tue, 22 May 2018 10:52:51 +0100
Subject: [PATCH 1/3] Escape and decode amsersands correcrtly
---
 includes/class-wc-product-external.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/includes/class-wc-product-external.php b/includes/class-wc-product-external.php
index 6083f89584f..b99f10b90bc 100644
--- a/includes/class-wc-product-external.php
+++ b/includes/class-wc-product-external.php
@@ -49,7 +49,7 @@ class WC_Product_External extends WC_Product {
 * @return string
 */
 public function get_product_url( $context = 'view' ) {
- return esc_url( $this->get_prop( 'product_url', $context ) );
+ return esc_url_raw( $this->get_prop( 'product_url', $context ) );
 }
 /**
@@ -79,7 +79,7 @@ class WC_Product_External extends WC_Product {
 * @param string $product_url Product URL.
 */
 public function set_product_url( $product_url ) {
- $this->set_prop( 'product_url', $product_url );
+ $this->set_prop( 'product_url', htmlspecialchars_decode( $product_url ) );
 }
 /**
From 7609ed82da430bed614683dd6d54edaa843d6377 Mon Sep 17 00:00:00 2001
From: Mike Jolley
Date: Tue, 22 May 2018 10:53:08 +0100
Subject: [PATCH 2/3] Make wc_query_string_form_fields handle strings
---
 includes/wc-template-functions.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/includes/wc-template-functions.php b/includes/wc-template-functions.php
index 461413636ba..f6beb42b2d6 100644
--- a/includes/wc-template-functions.php
+++ b/includes/wc-template-functions.php
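Review bot: With `esc_url()` replaced by `esc_url_raw()`, the value `get_product_url()` returns is no longer entity-encoded (`&` stays `&`, quotes are not converted), so it is suitable for redirects, headers and storage but must be passed through `esc_url()` again by any template that prints it inside an HTML attribute; the `@return string` line in the docblock above should spell that out, e.g. `@return string Product URL without HTML escaping; wrap in esc_url() when printing into markup.` The scheme check is unaffected, because `esc_url_raw()` still routes the value through `esc_url()` with the database context and so still rejects protocols not in `wp_allowed_protocols()`. The template hunk in the third patch that presumably prints this URL is garbled in this chunk (`- +`), so whether that output path escapes cannot be confirmed from here.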
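Review bot: `htmlspecialchars_decode( $product_url )` relies on the default flags, which are `ENT_COMPAT` before PHP 8.1, so `&amp;` and `&quot;` are decoded but `&#039;` is not; if the goal is to reverse whatever HTML escaping a caller applied, pass the flag explicitly: `$this->set_prop( 'product_url', htmlspecialchars_decode( $product_url, ENT_QUOTES ) );`. The decode is also unconditional and runs on every call to the setter, which presumably includes hydration from the data store, so a stored URL that legitimately contains literal entity text would be decoded once more on each load; that trade-off deserves a comment on the line, e.g. `// Decode entities so a URL pasted from HTML markup is stored raw; escaping is applied on output.` The `@param string $product_url Product URL.` tag could likewise note that entity-encoded input is accepted.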
@@ -655,15 +655,22 @@ function wc_product_class( $class = '', $product_id = null ) { * Outputs hidden form inputs for each query string variable. * * @since 3.0.0 - * @param array $values Name value pairs. - * @param array $exclude Keys to exclude. - * @param string $current_key Current key we are outputting. - * @param bool $return Whether to return. + * @param string|array $values Name value pairs, or a URL to parse. + * @param array $exclude Keys to exclude. + * @param string $current_key Current key we are outputting. + * @param bool $return Whether to return. * @return string */ function wc_query_string_form_fields( $values = null, $exclude = array(), $current_key = '', $return = false ) { if ( is_null( $values ) ) { $values = $_GET; // WPCS: input var ok, CSRF ok. + } elseif ( is_string( $values ) ) { + $url_parts = wp_parse_url( $values ); + $values = array(); + + if ( ! empty( $url_parts['query'] ) ) { + parse_str( $url_parts['query'], $values ); + } } $html = ''; From 6e0d0fe6ed5d54aabe7771b5230e51cad6e0047c Mon Sep 17 00:00:00 2001 From: Mike Jolley Date: Tue, 22 May 2018 10:53:33 +0100 Subject: [PATCH 3/3] Simplify code in template --- templates/single-product/add-to-cart/external.php | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/templates/single-product/add-to-cart/external.php b/templates/single-product/add-to-cart/external.php index 744a44b9999..8a9e3e0d6ca 100644 --- a/templates/single-product/add-to-cart/external.php +++ b/templates/single-product/add-to-cart/external.php @@ -17,13 +17,6 @@ defined( 'ABSPATH' ) || exit; -$product_url_parts = wp_parse_url( $product_url ); -$query_string = array(); - -if ( ! empty( $product_url_parts['query'] ) ) { - parse_str( $product_url_parts['query'], $query_string ); -} - do_action( 'woocommerce_before_add_to_cart_form' ); ?>
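Review bot: The new `elseif ( is_string( $values ) )` branch produces fields only when `wp_parse_url()` returns a `query` component, so a bare query string such as `a=1&b=2` — no scheme and no `?` — is treated as a path and silently yields no hidden inputs; the `@param string|array $values` tag should say the string must be a full URL containing `?`, or callers get an empty form with no indication why. `wp_parse_url()` can also return `false` for a severely malformed string, which `! empty( $url_parts['query'] )` merely tolerates; `if ( is_array( $url_parts ) && ! empty( $url_parts['query'] ) ) {` states the intent and keeps static analysis quiet. `parse_str()` builds nested arrays for keys like `a[b]`, so the string branch now relies on the nested-key handling that `$current_key` presumably exists for; that code, along with the escaping applied before each value is emitted, is outside this hunk — `wc_query_string_form_fields()` continues past `$html = '';` — and cannot be checked here.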
@@ -31,7 +24,7 @@ do_action( 'woocommerce_before_add_to_cart_form' ); ?> - +