From 812271fd85e51a6f936cc45f3089a430d2ebd886 Mon Sep 17 00:00:00 2001
From: paul sealock
Date: Fri, 8 Dec 2023 09:53:46 +1300
Subject: [PATCH] use wp_kses to sanitize but allow links
---
 .../views/html-admin-page-shipping-zone-methods.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/plugins/woocommerce/includes/admin/settings/views/html-admin-page-shipping-zone-methods.php b/plugins/woocommerce/includes/admin/settings/views/html-admin-page-shipping-zone-methods.php
index 769ac15ce1e..0e9f32b710f 100644
--- a/plugins/woocommerce/includes/admin/settings/views/html-admin-page-shipping-zone-methods.php
+++ b/plugins/woocommerce/includes/admin/settings/views/html-admin-page-shipping-zone-methods.php
@@ -201,8 +201,14 @@ if ( ! defined( 'ABSPATH' ) ) {
 if ( ! $method->supports( 'shipping-zones' ) ) {
 continue;
 }
- $description = wp_kses_post( $method->get_method_description() );
- echo '
' . esc_html( $description ) . '
';
+ $allowed_html = array(
+ 'a' => array(
+ 'href' => true,
+ 'title' => true
+ )
+ );
+ $description = wp_kses( $method->get_method_description(), $allowed_html );
+ echo '
' . $description . '
';
 }
 ?>
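Review bot: The added `echo` prints `$description` with no escaping call at the point of output, so the safety of that line depends on the `wp_kses()` assignment one line above staying exactly as it is; WordPress's escape-late convention (and the WPCS `WordPress.Security.EscapeOutput` sniff) expects the sanitiser inside the output expression. Since `get_method_description()` is supplied by each shipping-method class, which may be third-party code, I would drop the intermediate variable and write `echo '…' . wp_kses( $method->get_method_description(), $allowed_html ) . '…';`, keeping the existing markup where the `…` stands. The multi-line `$allowed_html` array also lacks the trailing commas after `'title' => true` and after the inner `)` that the WordPress coding standard asks for. The enclosing loop starts outside the hunk.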