From 5d15f30cea52b089ee267c7eb4dbf05587d51055 Mon Sep 17 00:00:00 2001
From: Mike Jolley
Date: Mon, 15 Oct 2012 14:42:36 +0100
Subject: [PATCH] [3.2.3] XSS #1575

---
 .../writepanels/writepanel-product_data.php | 119 +++++++++---------
 .../writepanels/writepanels-init.php | 83 ++++++------
 2 files changed, 96 insertions(+), 106 deletions(-)

diff --git a/admin/post-types/writepanels/writepanel-product_data.php b/admin/post-types/writepanels/writepanel-product_data.php
index 4095aafce1a..ae5d1823711 100644
--- a/admin/post-types/writepanels/writepanel-product_data.php
+++ b/admin/post-types/writepanels/writepanel-product_data.php
@@ -7,13 +7,13 @@
  * @author WooThemes
  * @category Admin
  * @package WooCommerce/Admin/WritePanels
- * @version 1.6.4
+ * @version 1.7.0
  */
 
 if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
 
 /** Variable products */
-require_once('writepanel-product-type-variable.php');
+require_once( 'writepanel-product-type-variable.php' );
 
 /**
  * Display the product data meta box.
@@ -34,15 +34,15 @@ function woocommerce_product_data_box() {
 else $product_type = 'simple';
- $product_type_selector = apply_filters('product_type_selector', array(
- 'simple' => __('Simple product', 'woocommerce'),
- 'grouped' => __('Grouped product', 'woocommerce'),
- 'external' => __('External/Affiliate product', 'woocommerce')
- ), $product_type);
+ $product_type_selector = apply_filters( 'product_type_selector', array(
+ 'simple' => __( 'Simple product', 'woocommerce' ),
+ 'grouped' => __( 'Grouped product', 'woocommerce' ),
+ 'external' => __( 'External/Affiliate product', 'woocommerce' )
+ ), $product_type );
- $type_box = ''; $product_type_options = apply_filters('product_type_options', array(
@@ -62,7 +62,7 @@ function woocommerce_product_data_box() {
 foreach ( $product_type_options as $key => $option ) { $selected_value = get_post_meta( $post->ID, '_' . $key, true ); - $type_box .= ''; + $type_box .= ''; } ?> 
@@ -86,7 +86,7 @@ function woocommerce_product_data_box() {
  • - +
    '; // SKU - if( get_option('woocommerce_enable_sku', true) !== 'no' ) : + if( get_option('woocommerce_enable_sku', true) !== 'no' ) woocommerce_wp_text_input( array( 'id' => '_sku', 'label' => '' . __('SKU', 'woocommerce') . '', 'desc_tip' => 'true', 'description' => __('SKU refers to a Stock-keeping unit, a unique identifier for each distinct product and service that can be purchased.', 'woocommerce') ) ); - else: - echo ''; - endif; + else + echo ''; do_action('woocommerce_product_options_sku'); @@ -123,19 +122,17 @@ function woocommerce_product_data_box() { woocommerce_wp_text_input( array( 'id' => '_sale_price', 'class' => 'wc_input_price short', 'label' => __('Sale Price', 'woocommerce') . ' ('.get_woocommerce_currency_symbol().')', 'description' => '' . __('Schedule', 'woocommerce') . '' ) ); // Special Price date range - $field = array( 'id' => '_sale_price_dates', 'label' => __('Sale Price Dates', 'woocommerce') ); - - $sale_price_dates_from = get_post_meta( $thepostid, '_sale_price_dates_from', true ); - $sale_price_dates_to = get_post_meta( $thepostid, '_sale_price_dates_to', true ); + $sale_price_dates_from = ( $date = get_post_meta( $thepostid, '_sale_price_dates_from', true ) ) ? date_i18n( 'Y-m-d', $date ) : ''; + $sale_price_dates_to = ( $date = get_post_meta( $thepostid, '_sale_price_dates_to', true ) ) ? date_i18n( 'Y-m-d', $date ) : ''; echo '

    - - - + + + '. __( 'Cancel', 'woocommerce' ) .'

    '; - do_action('woocommerce_product_options_pricing'); + do_action( 'woocommerce_product_options_pricing' ); echo '
    '; @@ -143,49 +140,47 @@ function woocommerce_product_data_box() { // File URL $file_paths = get_post_meta( $post->ID, '_file_paths', true ); - if ( is_array( $file_paths ) ) $file_paths = implode( "\n", $file_paths ); - - $field = array( 'id' => '_file_paths', 'label' => __('File paths (one per line)', 'woocommerce' ) ); - echo '

    - - + if ( is_array( $file_paths ) ) + $file_paths = implode( "\n", $file_paths ); + + echo '

    + +

    '; // Download Limit - woocommerce_wp_text_input( array( 'id' => '_download_limit', 'label' => __('Download Limit', 'woocommerce'), 'placeholder' => __('Unlimited', 'woocommerce'), 'description' => __('Leave blank for unlimited re-downloads.', 'woocommerce') ) ); + woocommerce_wp_text_input( array( 'id' => '_download_limit', 'label' => __( 'Download Limit', 'woocommerce' ), 'placeholder' => __( 'Unlimited', 'woocommerce' ), 'description' => __( 'Leave blank for unlimited re-downloads.', 'woocommerce' ) ) ); // Expirey - woocommerce_wp_text_input( array( 'id' => '_download_expiry', 'label' => __('Download Expiry', 'woocommerce'), 'placeholder' => __('Never', 'woocommerce'), 'description' => __('Enter the number of days before a download link expires, or leave blank.', 'woocommerce') ) ); + woocommerce_wp_text_input( array( 'id' => '_download_expiry', 'label' => __( 'Download Expiry', 'woocommerce' ), 'placeholder' => __( 'Never', 'woocommerce' ), 'description' => __( 'Enter the number of days before a download link expires, or leave blank.', 'woocommerce' ) ) ); - do_action('woocommerce_product_options_downloads'); + do_action( 'woocommerce_product_options_downloads' ); echo ''; - do_action('woocommerce_product_options_general_product_data'); - + do_action( 'woocommerce_product_options_general_product_data' ); ?>
    - '_tax_status', 'label' => __('Tax Status', 'woocommerce'), 'options' => array( - 'taxable' => __('Taxable', 'woocommerce'), - 'shipping' => __('Shipping only', 'woocommerce'), - 'none' => __('None', 'woocommerce') + woocommerce_wp_select( array( 'id' => '_tax_status', 'label' => __( 'Tax Status', 'woocommerce' ), 'options' => array( + 'taxable' => __( 'Taxable', 'woocommerce' ), + 'shipping' => __( 'Shipping only', 'woocommerce' ), + 'none' => __( 'None', 'woocommerce' ) ) ) ); - $tax_classes = array_filter(array_map('trim', explode("\n", get_option('woocommerce_tax_classes')))); + $tax_classes = array_filter( array_map( 'trim', explode( "\n", get_option( 'woocommerce_tax_classes' ) ) ) ); $classes_options = array(); - $classes_options[''] = __('Standard', 'woocommerce'); - if ($tax_classes) foreach ($tax_classes as $class) : - $classes_options[sanitize_title($class)] = $class; - endforeach; + $classes_options[''] = __( 'Standard', 'woocommerce' ); + if ( $tax_classes ) + foreach ( $tax_classes as $class ) + $classes_options[ sanitize_title( $class ) ] = esc_html( $class ); - woocommerce_wp_select( array( 'id' => '_tax_class', 'label' => __('Tax Class', 'woocommerce'), 'options' => $classes_options ) ); + woocommerce_wp_select( array( 'id' => '_tax_class', 'label' => __( 'Tax Class', 'woocommerce' ), 'options' => $classes_options ) ); - do_action('woocommerce_product_options_tax'); + do_action( 'woocommerce_product_options_tax' ); ?>
    @@ -246,27 +241,27 @@ function woocommerce_product_data_box() { if( get_option('woocommerce_enable_weight', true) !== 'no' ) : woocommerce_wp_text_input( array( 'id' => '_weight', 'label' => __('Weight', 'woocommerce') . ' ('.get_option('woocommerce_weight_unit').')', 'placeholder' => '0.00', 'description' => __('Weight in decimal form', 'woocommerce') ) ); else: - echo ''; + echo ''; endif; // Size fields - if( get_option('woocommerce_enable_dimensions', true) !== 'no' ) : + if( get_option( 'woocommerce_enable_dimensions', true ) !== 'no' ) : ?>
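Review bot: `$classes_options[ sanitize_title( $class ) ] = esc_html( $class );` escapes the tax-class label while building the options array rather than at the point of output; if `woocommerce_wp_select`, which this same patch reworks in writepanels-init.php, already escapes option labels when it echoes them, a class name containing `&` or `<` is encoded twice and renders as a literal `&amp;`. The option markup in that function's hunk is stripped in this rendering, so confirm which side escapes; the usual fix is to keep the data raw here, `$classes_options[ sanitize_title( $class ) ] = $class;`, and escape once in the renderer. The same data-layer-versus-output question applies to any other caller that passes `'options'` into `woocommerce_wp_select`. The body of woocommerce_product_data_box() continues outside this hunk.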

    - + - - - + + + - +

    '; - echo ''; - echo ''; + echo ''; + echo ''; + echo ''; endif; - do_action('woocommerce_product_options_dimensions'); + do_action( 'woocommerce_product_options_dimensions' ); echo ''; @@ -285,9 +280,9 @@ function woocommerce_product_data_box() { 'selected' => $current_shipping_class, 'class' => 'select short' ); - ?>

    '; ?> @@ -297,14 +292,14 @@ function woocommerce_product_data_box() {

    - +

    get_attribute_taxonomies(); // Array of defined attribute taxonomies - $attributes = maybe_unserialize( get_post_meta($thepostid, '_product_attributes', true) ); // Product attributes - taxonomies and custom, ordered, with visibility and variation attributes set + $attributes = maybe_unserialize( get_post_meta( $thepostid, '_product_attributes', true ) ); // Product attributes - taxonomies and custom, ordered, with visibility and variation attributes set $i = -1; diff --git a/admin/post-types/writepanels/writepanels-init.php b/admin/post-types/writepanels/writepanels-init.php index 76a7e7feb0c..1cd3aaeda3f 100644 --- a/admin/post-types/writepanels/writepanels-init.php +++ b/admin/post-types/writepanels/writepanels-init.php @@ -7,7 +7,7 @@ * @author WooThemes * @category Admin * @package WooCommerce/Admin/WritePanels - * @version 1.6.4 + * @version 1.7.0 */ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly @@ -292,7 +292,7 @@ function woocommerce_meta_boxes_show_errors() { echo '
    '; foreach ( $woocommerce_errors as $error ) - echo '

    ' . $error . '

    '; + echo '

    ' . esc_html( $error ) . '

    '; echo '
    '; // Clear @@ -313,21 +313,21 @@ add_action( 'admin_notices', 'woocommerce_meta_boxes_show_errors' ); */ function woocommerce_wp_text_input( $field ) { global $thepostid, $post, $woocommerce; + + $thepostid = empty( $thepostid ) ? $post->ID : $thepostid; + $field['placeholder'] = isset( $field['placeholder'] ) ? $field['placeholder'] : ''; + $field['class'] = isset( $field['class'] ) ? $field['class'] : 'short'; + $field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true ); + $field['name'] = isset( $field['name'] ) ? $field['name'] : $field['id']; - if ( ! $thepostid ) $thepostid = $post->ID; - if ( ! isset( $field['placeholder'] ) ) $field['placeholder'] = ''; - if ( ! isset( $field['class'] ) ) $field['class'] = 'short'; - if ( ! isset( $field['value'] ) ) $field['value'] = get_post_meta( $thepostid, $field['id'], true ); - if ( ! isset( $field['name'] ) ) $field['name'] = $field['id']; + echo '

    '; - echo '

    '; - - if ( isset( $field['description'] ) && $field['description'] ) { + if ( ! empty( $field['description'] ) ) { if ( isset( $field['desc_tip'] ) ) { echo ''; } else { - echo '' . $field['description'] . ''; + echo '' . esc_html( $field['description'] ) . ''; } } @@ -344,9 +344,11 @@ function woocommerce_wp_text_input( $field ) { */ function woocommerce_wp_hidden_input( $field ) { global $thepostid, $post; - if (!$thepostid) $thepostid = $post->ID; - if (!isset($field['value'])) $field['value'] = get_post_meta($thepostid, $field['id'], true); - echo ' '; + + $thepostid = empty( $thepostid ) ? $post->ID : $thepostid; + $field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true ); + + echo ' '; } @@ -360,19 +362,19 @@ function woocommerce_wp_hidden_input( $field ) { function woocommerce_wp_textarea_input( $field ) { global $thepostid, $post, $woocommerce; - if (!$thepostid) $thepostid = $post->ID; - if (!isset($field['placeholder'])) $field['placeholder'] = ''; - if (!isset($field['class'])) $field['class'] = 'short'; - if (!isset($field['value'])) $field['value'] = get_post_meta($thepostid, $field['id'], true); + $thepostid = empty( $thepostid ) ? $post->ID : $thepostid; + $field['placeholder'] = isset( $field['placeholder'] ) ? $field['placeholder'] : ''; + $field['class'] = isset( $field['class'] ) ? $field['class'] : 'short'; + $field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true ); - echo '

    '; + echo '

    '; - if ( isset( $field['description'] ) && $field['description'] ) { + if ( ! empty( $field['description'] ) ) { if ( isset( $field['desc_tip'] ) ) { echo ''; } else { - echo '' . $field['description'] . ''; + echo '' . esc_html( $field['description'] ) . ''; } } @@ -390,19 +392,15 @@ function woocommerce_wp_textarea_input( $field ) { function woocommerce_wp_checkbox( $field ) { global $thepostid, $post; - if (!$thepostid) $thepostid = $post->ID; - if (!isset($field['class'])) $field['class'] = 'checkbox'; - if (!isset($field['wrapper_class'])) $field['wrapper_class'] = ''; - if (!isset($field['value'])) $field['value'] = get_post_meta($thepostid, $field['id'], true); - if (!isset($field['cbvalue'])) $field['cbvalue'] = 'yes'; + $thepostid = empty( $thepostid ) ? $post->ID : $thepostid; + $field['class'] = isset( $field['class'] ) ? $field['class'] : 'checkbox'; + $field['wrapper_class'] = isset( $field['wrapper_class'] ) ? $field['wrapper_class'] : ''; + $field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true ); + $field['cbvalue'] = isset( $field['cbvalue'] ) ? $field['cbvalue'] : 'yes'; - echo '

    '; - checked($field['value'], $field['cbvalue']); - - echo ' /> '; - - if (isset($field['description']) && $field['description']) echo '' .$field['description'] . ''; + if ( ! empty( $field['description'] ) ) echo '' . esc_html( $field['description'] ) . ''; echo '

    '; } @@ -418,31 +416,28 @@ function woocommerce_wp_checkbox( $field ) { function woocommerce_wp_select( $field ) { global $thepostid, $post, $woocommerce; - if (!$thepostid) $thepostid = $post->ID; - if (!isset($field['class'])) $field['class'] = 'select short'; - if (!isset($field['value'])) $field['value'] = get_post_meta($thepostid, $field['id'], true); + $thepostid = empty( $thepostid ) ? $post->ID : $thepostid; + $field['class'] = isset( $field['class'] ) ? $field['class'] : 'select short'; + $field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true ); - echo '

    '; - foreach ($field['options'] as $key => $value) : + foreach ( $field['options'] as $key => $value ) { - echo ''; + echo ''; - endforeach; + } echo ' '; - if ( isset( $field['description'] ) && $field['description'] ) { + if ( ! empty( $field['description'] ) ) { if ( isset( $field['desc_tip'] ) ) { echo ''; } else { - echo '' . $field['description'] . ''; + echo '' . esc_html( $field['description'] ) . ''; } } - echo '

    '; } \ No newline at end of file