Escape values just before rendering (https://github.com/woocommerce/woocommerce-blocks/pull/7797)

* Escape all values in output of Product category list

* Escape all values in output of Product Sale Badge

* Escape values before rendering

Whenever you’re rendering data, make sure to properly escape it. Escaping output prevents XSS (Cross-site scripting) attacks.

* Remove unnecessary space

Co-authored-by: Albert Juhé Lluveras <contact@albertjuhe.com>

Co-authored-by: Albert Juhé Lluveras <contact@albertjuhe.com>

plugins/woocommerce-blocks/src/BlockTypes/FeaturedProduct.php

@@ -1,8 +1,6 @@
 <?php
 namespace Automattic\WooCommerce\Blocks\BlockTypes;
 
-use Automattic\WooCommerce\Blocks\Utils\StyleAttributesUtils;
-
 /**
  * FeaturedProduct class.
  */

plugins/woocommerce-blocks/src/BlockTypes/MiniCart.php

@@ -410,7 +410,7 @@ class MiniCart extends AbstractBlock {
 			);
 		}
 
-		return '<div class="' . $wrapper_classes . '" style="' . $wrapper_styles . '">
+		return '<div class="' . esc_attr( $wrapper_classes ) . '" style="' . esc_attr( $wrapper_styles ) . '">
 			<button class="wc-block-mini-cart__button" aria-label="' . esc_attr( $aria_label ) . '">' . $button_html . '</button>
 			<div class="wc-block-mini-cart__drawer is-loading is-mobile wc-block-components-drawer__screen-overlay wc-block-components-drawer__screen-overlay--is-hidden" aria-hidden="true">
 				<div class="components-modal__frame wc-block-components-drawer">

plugins/woocommerce-blocks/src/BlockTypes/ProductButton.php

@@ -102,8 +102,8 @@ class ProductButton extends AbstractBlock {
 					esc_attr( $product->get_sku() ),
 					$product->is_purchasable() ? 'ajax_add_to_cart add_to_cart_button' : '',
 					esc_attr( $product->get_type() ),
-					$styles_and_classes['classes'],
-					$styles_and_classes['styles'],
+					esc_attr( $styles_and_classes['classes'] ),
+					esc_attr( $styles_and_classes['styles'] ),
 					esc_html( $product->add_to_cart_text() ),
 					$html_element
 				),

plugins/woocommerce-blocks/src/BlockTypes/ProductCategoryList.php

@@ -89,18 +89,23 @@ class ProductCategoryList extends AbstractBlock {
 
 		$output  = '';
 		$output .= '
-			<div class="wc-block-components-product-category-list ' . $classes_and_styles['classes'] . ' ' . $classname . '" style="' . $classes_and_styles['styles'] . '"">
-				' . __( 'Categories:', 'woo-gutenberg-products-block' )
-				. '<ul>';
+			<div class="wc-block-components-product-category-list '
+				. esc_attr( $classes_and_styles['classes'] ) . ' '
+				. esc_attr( $classname ) . '" '
+				. 'style="' . esc_attr( $classes_and_styles['styles'] ) . '">'
+					. __( 'Categories:', 'woo-gutenberg-products-block' )
+					. '<ul>';
 
 		foreach ( $product_categories_terms as $product_category_term ) {
 			$output .= '
-				<li class="category-list-item-' . $product_category_term->slug . '">
-					<a href="' . get_term_link( $product_category_term->term_id ) . '">' . $product_category_term->name . '</a></li>
-			';
+				<li class="category-list-item-' . esc_attr( $product_category_term->slug ) . '">
+					<a href="' . esc_url( get_term_link( $product_category_term->term_id ) ) . '">'
+						. esc_html( $product_category_term->name )
+				. '</a>'
+			. '</li>';
 		}
 
-		$output .= '</ul> </div>';
+		$output .= '</ul></div>';
 
 		return $output;
 	}

plugins/woocommerce-blocks/src/BlockTypes/ProductImage.php

@@ -105,8 +105,8 @@ class ProductImage extends AbstractBlock {
 		</div>
 	',
 			$attributes['saleBadgeAlign'],
-			isset( $font_size['class'] ) ? $font_size['class'] : '',
-			isset( $font_size['style'] ) ? $font_size['style'] : '',
+			isset( $font_size['class'] ) ? esc_attr( $font_size['class'] ) : '',
+			isset( $font_size['style'] ) ? esc_attr( $font_size['style'] ) : '',
 			esc_html__( 'Sale', 'woo-gutenberg-products-block' )
 		);
 		return $on_sale_badge;
@@ -199,8 +199,8 @@ class ProductImage extends AbstractBlock {
 				'<div class="wc-block-components-product-image wc-block-grid__product-image" style="%1$s %2$s">
 					%3$s
 				</div>',
-				isset( $border_radius['style'] ) ? $border_radius['style'] : '',
-				isset( $margin['style'] ) ? $margin['style'] : '',
+				isset( $border_radius['style'] ) ? esc_attr( $border_radius['style'] ) : '',
+				isset( $margin['style'] ) ? esc_attr( $margin['style'] ) : '',
 				$this->render_anchor(
 					$product,
 					$this->render_on_sale_badge( $product, $parsed_attributes ),

plugins/woocommerce-blocks/src/BlockTypes/ProductSaleBadge.php

@@ -98,13 +98,15 @@ class ProductSaleBadge extends AbstractBlock {
 		$classes_and_styles = StyleAttributesUtils::get_classes_and_styles_by_attributes( $attributes );
 		$classname          = isset( $attributes['className'] ) ? $attributes['className'] : '';
 
-		$output  = '';
-		$output .= '<div class="wc-block-components-product-sale-badge ' . $classes_and_styles['classes'] . ' ' . $classname . '" style="' . $classes_and_styles['styles'] . '"">';
+		$output  = '<div class="wc-block-components-product-sale-badge '
+								. esc_attr( $classes_and_styles['classes'] ) . ' '
+								. esc_attr( $classname ) . '" '
+						. 'style="' . esc_attr( $classes_and_styles['styles'] ) . '"'
+					. '>';
 		$output .= '<span class="wc-block-components-product-sale-badge__text" aria-hidden="true">' . __( 'Sale', 'woo-gutenberg-products-block' ) . '</span>';
-		$output .= '<span class="screen-reader-text">' . __(
-			'Product on sale',
-			'woo-gutenberg-products-block'
-		) . '</span>';
+		$output .= '<span class="screen-reader-text">'
+						. __( 'Product on sale', 'woo-gutenberg-products-block' )
+					. '</span>';
 		$output .= '</div>';
 
 		return $output;

plugins/woocommerce-blocks/src/Utils/StyleAttributesUtils.php

@@ -341,7 +341,7 @@ class StyleAttributesUtils {
 	public static function get_spacing_value( $spacing_value ) {
 		// Used following code as reference: https://github.com/WordPress/gutenberg/blob/cff6d70d6ff5a26e212958623dc3130569f95685/lib/block-supports/layout.php/#L219-L225.
 		if ( is_string( $spacing_value ) && str_contains( $spacing_value, 'var:preset|spacing|' ) ) {
-			$spacing_value = str_replace( 'var:preset|spacing|', '', 'var:preset|spacing|50' );
+			$spacing_value = str_replace( 'var:preset|spacing|', '', $spacing_value );
 			return sprintf( 'var(--wp--preset--spacing--%s)', $spacing_value );
 		}