* Escape all values in output of Product category list

* Escape all values in output of Product Sale Badge

* Escape values before rendering

Whenever you’re rendering data, make sure to properly escape it. Escaping output prevents XSS (Cross-site scripting) attacks.

* Remove unnecessary space

Co-authored-by: Albert Juhé Lluveras <contact@albertjuhe.com>

Co-authored-by: Albert Juhé Lluveras <contact@albertjuhe.com>
Manish Menaria 2022-12-01 17:51:01 +05:30 committed by GitHub
parent 3b131f6d35
commit 70619b5cdb
7 changed files with 28 additions and 23 deletions


@ -1,8 +1,6 @@
<?php <?php
namespace Automattic\WooCommerce\Blocks\BlockTypes; namespace Automattic\WooCommerce\Blocks\BlockTypes;
use Automattic\WooCommerce\Blocks\Utils\StyleAttributesUtils;
/** /**
* FeaturedProduct class. * FeaturedProduct class.
*/ */


@ -410,7 +410,7 @@ class MiniCart extends AbstractBlock {
); );
} }
return '<div class="' . $wrapper_classes . '" style="' . $wrapper_styles . '"> return '<div class="' . esc_attr( $wrapper_classes ) . '" style="' . esc_attr( $wrapper_styles ) . '">
<button class="wc-block-mini-cart__button" aria-label="' . esc_attr( $aria_label ) . '">' . $button_html . '</button> <button class="wc-block-mini-cart__button" aria-label="' . esc_attr( $aria_label ) . '">' . $button_html . '</button>
<div class="wc-block-mini-cart__drawer is-loading is-mobile wc-block-components-drawer__screen-overlay wc-block-components-drawer__screen-overlay--is-hidden" aria-hidden="true"> <div class="wc-block-mini-cart__drawer is-loading is-mobile wc-block-components-drawer__screen-overlay wc-block-components-drawer__screen-overlay--is-hidden" aria-hidden="true">
<div class="components-modal__frame wc-block-components-drawer"> <div class="components-modal__frame wc-block-components-drawer">
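Review bot: `$button_html` on the second line of the hunk is concatenated into the markup without any escaping, while the neighbouring wrapper classes and styles now get esc_attr(). If it is markup assembled from already-escaped pieces earlier in the method, a short comment at the return such as `// $button_html is pre-escaped markup built above; do not re-escape.` would make the exemption deliberate for the next reader; if it can carry raw attribute values it is the remaining unescaped output in this template. Note also that esc_attr() on the style attribute only prevents breaking out of the attribute and does not validate the CSS itself, so `$wrapper_styles` should keep coming from the style utilities rather than raw block attributes. The render method starts and ends outside the hunk.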


@ -102,8 +102,8 @@ class ProductButton extends AbstractBlock {
esc_attr( $product->get_sku() ), esc_attr( $product->get_sku() ),
$product->is_purchasable() ? 'ajax_add_to_cart add_to_cart_button' : '', $product->is_purchasable() ? 'ajax_add_to_cart add_to_cart_button' : '',
esc_attr( $product->get_type() ), esc_attr( $product->get_type() ),
$styles_and_classes['classes'], esc_attr( $styles_and_classes['classes'] ),
$styles_and_classes['styles'], esc_attr( $styles_and_classes['styles'] ),
esc_html( $product->add_to_cart_text() ), esc_html( $product->add_to_cart_text() ),
$html_element $html_element
), ),
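Review bot: `$html_element` in the last sprintf() argument is now the only value in this list that reaches the template without esc_attr() or esc_html(). If it is chosen from a fixed set of tag names inside the method that is fine, but a one-line comment such as `// $html_element is one of a fixed set of tag names chosen above, not user input.` would record why it is exempt; if it can be influenced by block attributes it should be checked against an allow-list before use. The enclosing render method starts and ends outside the hunk.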


@ -89,15 +89,20 @@ class ProductCategoryList extends AbstractBlock {
$output = ''; $output = '';
$output .= ' $output .= '
<div class="wc-block-components-product-category-list ' . $classes_and_styles['classes'] . ' ' . $classname . '" style="' . $classes_and_styles['styles'] . '""> <div class="wc-block-components-product-category-list '
' . __( 'Categories:', 'woo-gutenberg-products-block' ) . esc_attr( $classes_and_styles['classes'] ) . ' '
. esc_attr( $classname ) . '" '
. 'style="' . esc_attr( $classes_and_styles['styles'] ) . '">'
. __( 'Categories:', 'woo-gutenberg-products-block' )
. '<ul>'; . '<ul>';
foreach ( $product_categories_terms as $product_category_term ) { foreach ( $product_categories_terms as $product_category_term ) {
$output .= ' $output .= '
<li class="category-list-item-' . $product_category_term->slug . '"> <li class="category-list-item-' . esc_attr( $product_category_term->slug ) . '">
<a href="' . get_term_link( $product_category_term->term_id ) . '">' . $product_category_term->name . '</a></li> <a href="' . esc_url( get_term_link( $product_category_term->term_id ) ) . '">'
'; . esc_html( $product_category_term->name )
. '</a>'
. '</li>';
} }
$output .= '</ul></div>'; $output .= '</ul></div>';
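Review bot: `get_term_link()` in the `<a href>` line returns a WP_Error object when the term cannot be resolved, and esc_url() expects a string, so the new wrapper leaves the pre-existing object-to-string failure on that path untouched; resolve the link first and skip the item on error, e.g. `$term_link = get_term_link( $product_category_term->term_id );` followed by `if ( is_wp_error( $term_link ) ) { continue; }` before building the `<li>`. The label is still emitted through `__( 'Categories:', ... )`; `esc_html__( 'Categories:', 'woo-gutenberg-products-block' )` keeps it escaped at the point of output the way the rest of the hunk now is. The render method begins and ends outside the hunk.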


@ -105,8 +105,8 @@ class ProductImage extends AbstractBlock {
</div> </div>
', ',
$attributes['saleBadgeAlign'], $attributes['saleBadgeAlign'],
isset( $font_size['class'] ) ? $font_size['class'] : '', isset( $font_size['class'] ) ? esc_attr( $font_size['class'] ) : '',
isset( $font_size['style'] ) ? $font_size['style'] : '', isset( $font_size['style'] ) ? esc_attr( $font_size['style'] ) : '',
esc_html__( 'Sale', 'woo-gutenberg-products-block' ) esc_html__( 'Sale', 'woo-gutenberg-products-block' )
); );
return $on_sale_badge; return $on_sale_badge;
@ -199,8 +199,8 @@ class ProductImage extends AbstractBlock {
'<div class="wc-block-components-product-image wc-block-grid__product-image" style="%1$s %2$s"> '<div class="wc-block-components-product-image wc-block-grid__product-image" style="%1$s %2$s">
%3$s %3$s
</div>', </div>',
isset( $border_radius['style'] ) ? $border_radius['style'] : '', isset( $border_radius['style'] ) ? esc_attr( $border_radius['style'] ) : '',
isset( $margin['style'] ) ? $margin['style'] : '', isset( $margin['style'] ) ? esc_attr( $margin['style'] ) : '',
$this->render_anchor( $this->render_anchor(
$product, $product,
$this->render_on_sale_badge( $product, $parsed_attributes ), $this->render_on_sale_badge( $product, $parsed_attributes ),
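Review bot: `$attributes['saleBadgeAlign']` in the first hunk is passed to the sprintf() template unescaped while the font-size class and style right below it now get esc_attr(); block attributes originate in post content, so if that value fills a class or style placeholder it should be `esc_attr( $attributes['saleBadgeAlign'] )` as well. The template starts above the hunk, so I cannot confirm which placeholder it fills; the border-radius and margin values in the second hunk are already covered. Both enclosing methods begin outside their hunks.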


@ -98,13 +98,15 @@ class ProductSaleBadge extends AbstractBlock {
$classes_and_styles = StyleAttributesUtils::get_classes_and_styles_by_attributes( $attributes ); $classes_and_styles = StyleAttributesUtils::get_classes_and_styles_by_attributes( $attributes );
$classname = isset( $attributes['className'] ) ? $attributes['className'] : ''; $classname = isset( $attributes['className'] ) ? $attributes['className'] : '';
$output = ''; $output = '<div class="wc-block-components-product-sale-badge '
$output .= '<div class="wc-block-components-product-sale-badge ' . $classes_and_styles['classes'] . ' ' . $classname . '" style="' . $classes_and_styles['styles'] . '"">'; . esc_attr( $classes_and_styles['classes'] ) . ' '
. esc_attr( $classname ) . '" '
. 'style="' . esc_attr( $classes_and_styles['styles'] ) . '"'
. '>';
$output .= '<span class="wc-block-components-product-sale-badge__text" aria-hidden="true">' . __( 'Sale', 'woo-gutenberg-products-block' ) . '</span>'; $output .= '<span class="wc-block-components-product-sale-badge__text" aria-hidden="true">' . __( 'Sale', 'woo-gutenberg-products-block' ) . '</span>';
$output .= '<span class="screen-reader-text">' . __( $output .= '<span class="screen-reader-text">'
'Product on sale', . __( 'Product on sale', 'woo-gutenberg-products-block' )
'woo-gutenberg-products-block' . '</span>';
) . '</span>';
$output .= '</div>'; $output .= '</div>';
return $output; return $output;
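Review bot: Both translated strings in this block are still emitted through `__()` rather than `esc_html__()`, including the `'Product on sale'` call the commit reformats, so the method's output is not fully escaped despite the commit title; `esc_html__( 'Sale', 'woo-gutenberg-products-block' )` and `esc_html__( 'Product on sale', 'woo-gutenberg-products-block' )` close that gap. Translation catalogs are loaded data, so escaping at output is the convention the attribute values in this hunk now follow. The method starts outside the hunk.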


@ -341,7 +341,7 @@ class StyleAttributesUtils {
public static function get_spacing_value( $spacing_value ) { public static function get_spacing_value( $spacing_value ) {
// Used following code as reference: https://github.com/WordPress/gutenberg/blob/cff6d70d6ff5a26e212958623dc3130569f95685/lib/block-supports/layout.php/#L219-L225. // Used following code as reference: https://github.com/WordPress/gutenberg/blob/cff6d70d6ff5a26e212958623dc3130569f95685/lib/block-supports/layout.php/#L219-L225.
if ( is_string( $spacing_value ) && str_contains( $spacing_value, 'var:preset|spacing|' ) ) { if ( is_string( $spacing_value ) && str_contains( $spacing_value, 'var:preset|spacing|' ) ) {
$spacing_value = str_replace( 'var:preset|spacing|', '', 'var:preset|spacing|50' ); $spacing_value = str_replace( 'var:preset|spacing|', '', $spacing_value );
return sprintf( 'var(--wp--preset--spacing--%s)', $spacing_value ); return sprintf( 'var(--wp--preset--spacing--%s)', $spacing_value );
} }
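Review bot: The fixed line still strips the prefix with str_replace() after only a str_contains() check, so a value such as `'foo var:preset|spacing|50'` becomes `'foo 50'` and is interpolated into the CSS custom-property name unvalidated; since spacing values come from block attributes, checking `str_starts_with( $spacing_value, 'var:preset|spacing|' )` instead and then guarding the remaining slug with `preg_match( '/^[a-z0-9-]+$/i', $spacing_value )` (falling through to the existing non-preset handling otherwise) keeps the generated `var()` reference well-formed. The function's remaining branches are outside the hunk.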