More escaping

Mike Jolley 2017-01-06 14:09:36 +00:00
parent 76f8c3dddd
commit 66c3cff76d
5 changed files with 6 additions and 8 deletions


@ -16,7 +16,7 @@ if ( ! defined( 'ABSPATH' ) ) {
esc_html( $file_count ),
esc_html( wc_get_filename_from_url( $product->get_file_download_path( $download->get_download_id() ) ) )
);
printf( _n( 'Downloaded %s time', 'Downloaded %s times', $download->get_download_count(), 'woocommerce' ), $download->get_download_count() )
printf( _n( 'Downloaded %s time', 'Downloaded %s times', $download->get_download_count(), 'woocommerce' ), esc_html( $download->get_download_count() ) )
?></strong>
</h3>
<table cellpadding="0" cellspacing="0" class="wc-metabox-content">
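Review bot: The translated format string in the changed `printf` is still printed unescaped, because only the count argument was wrapped; the review-title template in this same commit already wraps the `_n()` result, and this call should match it: `printf( esc_html( _n( 'Downloaded %s time', 'Downloaded %s times', $download->get_download_count(), 'woocommerce' ) ), esc_html( $download->get_download_count() ) )`. The same applies to the two `printf( _n( ... ) )` calls in the rating template (`'based on %s customer rating'` and `'%s customer review'`), where the `<span>` markup is passed as an argument and so survives escaping of the format string. Translation files are loaded separately from the code, so their strings should be escaped at output like any other external text. The surrounding template starts and ends outside the hunk.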


@ -148,7 +148,7 @@ class WC_Shortcode_Checkout {
<li class="method">
<?php _e( 'Payment method:', 'woocommerce' ); ?>
<strong><?php
echo $order->get_payment_method_title();
echo wp_kses_post( $order->get_payment_method_title() );
?></strong>
</li>
<?php endif; ?>
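Review bot: `wp_kses_post()` on the payment method title keeps the whole post-content tag set (links, images, formatting) inside the `<strong>`, which is wider than a label normally needs. If gateway titles are meant to be plain text, `echo esc_html( $order->get_payment_method_title() );` is the tighter choice; if markup in titles is intentional, a comment such as `// Gateway titles may contain limited HTML, so filter instead of escaping.` would record why. Whether titles can carry markup is not visible from this hunk. The neighbouring `_e( 'Payment method:', 'woocommerce' )` could also become `esc_html_e( 'Payment method:', 'woocommerce' )`; the enclosing method starts and ends outside the hunk.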


@ -77,9 +77,7 @@ class WC_Widget_Recent_Reviews extends WC_Widget {
echo '<li><a href="' . esc_url( get_comment_link( $comment->comment_ID ) ) . '">';
echo $_product->get_image();
echo $_product->get_name() . '</a>';
echo $_product->get_image() . wp_kses_post( $_product->get_name() ) . '</a>';
echo $rating_html;
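Review bot: The product name is printed inside the `<a href="…">` opened on the line above, and `wp_kses_post()` leaves anchors and other post markup in place, so a name that contains a link would yield nested anchors in the widget. Unless product names are expected to carry HTML (not visible here), `echo $_product->get_image() . esc_html( $_product->get_name() ) . '</a>';` fits this context better. `$rating_html` on the following line is still echoed as-is; it is built outside the hunk, so it is worth confirming that it comes from a helper that escapes its own output. The enclosing loop and method start and end outside the hunk.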


@ -31,7 +31,7 @@ if ( ! comments_open() ) {
<h2 class="woocommerce-Reviews-title"><?php
if ( get_option( 'woocommerce_enable_review_rating' ) === 'yes' && ( $count = $product->get_review_count() ) ) {
/* translators: 1: reviews count 2: product name */
printf( esc_html( _n( '%1$s review for %2$s', '%1$s reviews for %2$s', $count, 'woocommerce' ) ), $count, '<span>' . get_the_title() . '</span>' );
printf( esc_html( _n( '%1$s review for %2$s', '%1$s reviews for %2$s', $count, 'woocommerce' ) ), esc_html( $count ), '<span>' . get_the_title() . '</span>' );
} else {
_e( 'Reviews', 'woocommerce' );
}
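Review bot: `get_the_title()` is still concatenated raw into the third `printf` argument, while the integer `$count` beside it is now escaped; of the two, the title is the value that comes from editable content. The argument could read `'<span>' . esc_html( get_the_title() ) . '</span>'`, or use `wp_kses_post()` if titles are meant to keep inline markup. In the `else` branch, `_e( 'Reviews', 'woocommerce' )` could become `esc_html_e( 'Reviews', 'woocommerce' )` so both branches treat the translation the same way. The template around this `if` starts and ends outside the hunk.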


@ -47,12 +47,12 @@ if ( $rating_count > 0 ) : ?>
/* translators: %s: rating count */
printf(
_n( 'based on %s customer rating', 'based on %s customer ratings', $rating_count, 'woocommerce' ),
'<span class="rating">' . $rating_count . '</span>'
'<span class="rating">' . esc_html( $rating_count ) . '</span>'
);
?>
</span>
</div>
<?php if ( comments_open() ) : ?><a href="#reviews" class="woocommerce-review-link" rel="nofollow">(<?php printf( _n( '%s customer review', '%s customer reviews', $review_count, 'woocommerce' ), '<span class="count">' . $review_count . '</span>' ); ?>)</a><?php endif ?>
<?php if ( comments_open() ) : ?><a href="#reviews" class="woocommerce-review-link" rel="nofollow">(<?php printf( _n( '%s customer review', '%s customer reviews', $review_count, 'woocommerce' ), '<span class="count">' . esc_html( $review_count ) . '</span>' ); ?>)</a><?php endif ?>
</div>
<?php endif; ?>