From 70619b5cdbd65cf23393c1b46abbbcc5c71a8b14 Mon Sep 17 00:00:00 2001
From: Manish Menaria <the.manish.menaria@gmail.com>
Date: Thu, 1 Dec 2022 17:51:01 +0530
Subject: [PATCH] Escape values just before rendering 
 (https://github.com/woocommerce/woocommerce-blocks/pull/7797)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Escape all values in output of Product category list

* Escape all values in output of Product Sale Badge

* Escape values before rendering

Whenever you’re rendering data, make sure to properly escape it. Escaping output prevents XSS (Cross-site scripting) attacks.

* Remove unnecessary space

Co-authored-by: Albert Juhé Lluveras <contact@albertjuhe.com>

Co-authored-by: Albert Juhé Lluveras <contact@albertjuhe.com>
---
 .../src/BlockTypes/FeaturedProduct.php        |  2 --
 .../src/BlockTypes/MiniCart.php               |  2 +-
 .../src/BlockTypes/ProductButton.php          |  4 ++--
 .../src/BlockTypes/ProductCategoryList.php    | 19 ++++++++++++-------
 .../src/BlockTypes/ProductImage.php           |  8 ++++----
 .../src/BlockTypes/ProductSaleBadge.php       | 14 ++++++++------
 .../src/Utils/StyleAttributesUtils.php        |  2 +-
 7 files changed, 28 insertions(+), 23 deletions(-)

diff --git a/plugins/woocommerce-blocks/src/BlockTypes/FeaturedProduct.php b/plugins/woocommerce-blocks/src/BlockTypes/FeaturedProduct.php
index 59240d84a16..9fcf1ca5950 100644
--- a/plugins/woocommerce-blocks/src/BlockTypes/FeaturedProduct.php
+++ b/plugins/woocommerce-blocks/src/BlockTypes/FeaturedProduct.php
@@ -1,8 +1,6 @@
 <?php
 namespace Automattic\WooCommerce\Blocks\BlockTypes;
 
-use Automattic\WooCommerce\Blocks\Utils\StyleAttributesUtils;
-
 /**
  * FeaturedProduct class.
  */
diff --git a/plugins/woocommerce-blocks/src/BlockTypes/MiniCart.php b/plugins/woocommerce-blocks/src/BlockTypes/MiniCart.php
index 7de272f5684..e62afcfe3a6 100644
--- a/plugins/woocommerce-blocks/src/BlockTypes/MiniCart.php
+++ b/plugins/woocommerce-blocks/src/BlockTypes/MiniCart.php
@@ -410,7 +410,7 @@ class MiniCart extends AbstractBlock {
 			);
 		}
 
-		return '<div class="' . $wrapper_classes . '" style="' . $wrapper_styles . '">
+		return '<div class="' . esc_attr( $wrapper_classes ) . '" style="' . esc_attr( $wrapper_styles ) . '">
 			<button class="wc-block-mini-cart__button" aria-label="' . esc_attr( $aria_label ) . '">' . $button_html . '</button>
 			<div class="wc-block-mini-cart__drawer is-loading is-mobile wc-block-components-drawer__screen-overlay wc-block-components-drawer__screen-overlay--is-hidden" aria-hidden="true">
 				<div class="components-modal__frame wc-block-components-drawer">
diff --git a/plugins/woocommerce-blocks/src/BlockTypes/ProductButton.php b/plugins/woocommerce-blocks/src/BlockTypes/ProductButton.php
index 370195e3d4e..ec7a5670a1c 100644
--- a/plugins/woocommerce-blocks/src/BlockTypes/ProductButton.php
+++ b/plugins/woocommerce-blocks/src/BlockTypes/ProductButton.php
@@ -102,8 +102,8 @@ class ProductButton extends AbstractBlock {
 					esc_attr( $product->get_sku() ),
 					$product->is_purchasable() ? 'ajax_add_to_cart add_to_cart_button' : '',
 					esc_attr( $product->get_type() ),
-					$styles_and_classes['classes'],
-					$styles_and_classes['styles'],
+					esc_attr( $styles_and_classes['classes'] ),
+					esc_attr( $styles_and_classes['styles'] ),
 					esc_html( $product->add_to_cart_text() ),
 					$html_element
 				),
diff --git a/plugins/woocommerce-blocks/src/BlockTypes/ProductCategoryList.php b/plugins/woocommerce-blocks/src/BlockTypes/ProductCategoryList.php
index 81e96aaaa13..bbf736c1013 100644
--- a/plugins/woocommerce-blocks/src/BlockTypes/ProductCategoryList.php
+++ b/plugins/woocommerce-blocks/src/BlockTypes/ProductCategoryList.php
@@ -89,18 +89,23 @@ class ProductCategoryList extends AbstractBlock {
 
 		$output  = '';
 		$output .= '
-			<div class="wc-block-components-product-category-list ' . $classes_and_styles['classes'] . ' ' . $classname . '" style="' . $classes_and_styles['styles'] . '"">
-				' . __( 'Categories:', 'woo-gutenberg-products-block' )
-				. '<ul>';
+			<div class="wc-block-components-product-category-list '
+				. esc_attr( $classes_and_styles['classes'] ) . ' '
+				. esc_attr( $classname ) . '" '
+				. 'style="' . esc_attr( $classes_and_styles['styles'] ) . '">'
+					. __( 'Categories:', 'woo-gutenberg-products-block' )
+					. '<ul>';
 
 		foreach ( $product_categories_terms as $product_category_term ) {
 			$output .= '
-				<li class="category-list-item-' . $product_category_term->slug . '">
-					<a href="' . get_term_link( $product_category_term->term_id ) . '">' . $product_category_term->name . '</a></li>
-			';
+				<li class="category-list-item-' . esc_attr( $product_category_term->slug ) . '">
+					<a href="' . esc_url( get_term_link( $product_category_term->term_id ) ) . '">'
+						. esc_html( $product_category_term->name )
+				. '</a>'
+			. '</li>';
 		}
 
-		$output .= '</ul> </div>';
+		$output .= '</ul></div>';
 
 		return $output;
 	}
diff --git a/plugins/woocommerce-blocks/src/BlockTypes/ProductImage.php b/plugins/woocommerce-blocks/src/BlockTypes/ProductImage.php
index 591b883e369..0dd806f2f77 100644
--- a/plugins/woocommerce-blocks/src/BlockTypes/ProductImage.php
+++ b/plugins/woocommerce-blocks/src/BlockTypes/ProductImage.php
@@ -105,8 +105,8 @@ class ProductImage extends AbstractBlock {
 		</div>
 	',
 			$attributes['saleBadgeAlign'],
-			isset( $font_size['class'] ) ? $font_size['class'] : '',
-			isset( $font_size['style'] ) ? $font_size['style'] : '',
+			isset( $font_size['class'] ) ? esc_attr( $font_size['class'] ) : '',
+			isset( $font_size['style'] ) ? esc_attr( $font_size['style'] ) : '',
 			esc_html__( 'Sale', 'woo-gutenberg-products-block' )
 		);
 		return $on_sale_badge;
@@ -199,8 +199,8 @@ class ProductImage extends AbstractBlock {
 				'<div class="wc-block-components-product-image wc-block-grid__product-image" style="%1$s %2$s">
 					%3$s
 				</div>',
-				isset( $border_radius['style'] ) ? $border_radius['style'] : '',
-				isset( $margin['style'] ) ? $margin['style'] : '',
+				isset( $border_radius['style'] ) ? esc_attr( $border_radius['style'] ) : '',
+				isset( $margin['style'] ) ? esc_attr( $margin['style'] ) : '',
 				$this->render_anchor(
 					$product,
 					$this->render_on_sale_badge( $product, $parsed_attributes ),
diff --git a/plugins/woocommerce-blocks/src/BlockTypes/ProductSaleBadge.php b/plugins/woocommerce-blocks/src/BlockTypes/ProductSaleBadge.php
index 68826e8f442..fd72aeed564 100644
--- a/plugins/woocommerce-blocks/src/BlockTypes/ProductSaleBadge.php
+++ b/plugins/woocommerce-blocks/src/BlockTypes/ProductSaleBadge.php
@@ -98,13 +98,15 @@ class ProductSaleBadge extends AbstractBlock {
 		$classes_and_styles = StyleAttributesUtils::get_classes_and_styles_by_attributes( $attributes );
 		$classname          = isset( $attributes['className'] ) ? $attributes['className'] : '';
 
-		$output  = '';
-		$output .= '<div class="wc-block-components-product-sale-badge ' . $classes_and_styles['classes'] . ' ' . $classname . '" style="' . $classes_and_styles['styles'] . '"">';
+		$output  = '<div class="wc-block-components-product-sale-badge '
+								. esc_attr( $classes_and_styles['classes'] ) . ' '
+								. esc_attr( $classname ) . '" '
+						. 'style="' . esc_attr( $classes_and_styles['styles'] ) . '"'
+					. '>';
 		$output .= '<span class="wc-block-components-product-sale-badge__text" aria-hidden="true">' . __( 'Sale', 'woo-gutenberg-products-block' ) . '</span>';
-		$output .= '<span class="screen-reader-text">' . __(
-			'Product on sale',
-			'woo-gutenberg-products-block'
-		) . '</span>';
+		$output .= '<span class="screen-reader-text">'
+						. __( 'Product on sale', 'woo-gutenberg-products-block' )
+					. '</span>';
 		$output .= '</div>';
 
 		return $output;
diff --git a/plugins/woocommerce-blocks/src/Utils/StyleAttributesUtils.php b/plugins/woocommerce-blocks/src/Utils/StyleAttributesUtils.php
index cb46c807fed..0a126bf1c6f 100644
--- a/plugins/woocommerce-blocks/src/Utils/StyleAttributesUtils.php
+++ b/plugins/woocommerce-blocks/src/Utils/StyleAttributesUtils.php
@@ -341,7 +341,7 @@ class StyleAttributesUtils {
 	public static function get_spacing_value( $spacing_value ) {
 		// Used following code as reference: https://github.com/WordPress/gutenberg/blob/cff6d70d6ff5a26e212958623dc3130569f95685/lib/block-supports/layout.php/#L219-L225.
 		if ( is_string( $spacing_value ) && str_contains( $spacing_value, 'var:preset|spacing|' ) ) {
-			$spacing_value = str_replace( 'var:preset|spacing|', '', 'var:preset|spacing|50' );
+			$spacing_value = str_replace( 'var:preset|spacing|', '', $spacing_value );
 			return sprintf( 'var(--wp--preset--spacing--%s)', $spacing_value );
 		}