From 8ba55cd021f05dd2d8a1c72ee25c0f052807eb45 Mon Sep 17 00:00:00 2001
From: Shohei Tanaka
Date: Thu, 19 Aug 2021 07:26:48 +0900
Subject: [PATCH] Escape processing missing It was escaped in other email templates, but not here.
---
 .../templates/emails/plain/customer-refunded-order.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/woocommerce/templates/emails/plain/customer-refunded-order.php b/plugins/woocommerce/templates/emails/plain/customer-refunded-order.php
index a6626d37165..69fbf7351a8 100644
--- a/plugins/woocommerce/templates/emails/plain/customer-refunded-order.php
+++ b/plugins/woocommerce/templates/emails/plain/customer-refunded-order.php
@@ -22,7 +22,7 @@ echo esc_html( wp_strip_all_tags( $email_heading ) );
 echo "\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n";
 /* translators: %s: Customer first name */
-echo sprintf( esc_html__( 'Hi %s,', 'woocommerce' ), $order->get_billing_first_name() ) . "\n\n"; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+echo sprintf( esc_html__( 'Hi %s,', 'woocommerce' ), esc_html( $order->get_billing_first_name() ) ) . "\n\n";
 if ( $partial_refund ) {
 /* translators: %s: Site title */
 echo sprintf( esc_html__( 'Your order on %s has been partially refunded. There are more details below for your reference:', 'woocommerce' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ) . "\n\n"; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
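Review bot: On the added `echo sprintf( ... esc_html( $order->get_billing_first_name() ) )` line, `esc_html()` entity-encodes the customer-supplied name, and this template sits under `emails/plain/`, so a name containing `'` or `&` may reach the recipient as `&#039;` or `&amp;` unless a later step decodes entities (not visible in this hunk). The `blogname` context line goes the other way and calls `wp_specialchars_decode( ..., ENT_QUOTES )`, presumably for text-mode output, so the two greetings now treat special characters differently. If the aim is to keep markup in the name out of the message, `esc_html( wp_strip_all_tags( $order->get_billing_first_name() ) )` would match the `$email_heading` line shown in the hunk header. A one-line comment above the statement, such as `// Entities are converted back to text when the plain body is assembled (confirm where).`, would record why HTML escaping is correct in a plain-text template. The `if ( $partial_refund ) {` block continues past the end of the hunk.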