[3.2.3] XSS #1575
parent
98530b3f6d
commit
97e67bfcea
@ -29,10 +29,10 @@ function woocommerce_order_downloads_meta_box() {
|
|||
<?php
|
||||
$i = -1;
|
||||
|
||||
$download_permissions = $wpdb->get_results("
|
||||
$download_permissions = $wpdb->get_results( $wpdb->prepare( "
|
||||
SELECT * FROM {$wpdb->prefix}woocommerce_downloadable_product_permissions
|
||||
WHERE order_id = $post->ID ORDER BY product_id
|
||||
");
|
||||
" ) );
|
||||
|
||||
$product = null;
|
||||
if ( $download_permissions && sizeof( $download_permissions ) > 0 ) foreach ( $download_permissions as $download ) :
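Review bot: The new `$wpdb->prepare( "` wrapper receives no placeholder arguments, so `$post->ID` is still interpolated straight into the SQL on the unchanged line `WHERE order_id = $post->ID ORDER BY product_id`; prepare() adds nothing here, and the query stays safe only as long as `$post->ID` is an integer set by WordPress rather than anything request-derived. Use a placeholder and pass the value as an argument instead: `WHERE order_id = %d ORDER BY product_id` and close the call with `", $post->ID ) );`. Later WordPress releases also flag a prepare() call that carries no arguments, so this form will start emitting notices. woocommerce_order_downloads_meta_box() continues beyond this hunk.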
|
||||
@ -624,24 +624,24 @@ function process_product_meta_variable( $post_id ) {
|
|||
}
|
||||
|
||||
// Update post meta
|
||||
update_post_meta( $variation_id, '_sku', esc_attr( $variable_sku[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_weight', esc_attr( $variable_weight[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_sku', woocommerce_clean( $variable_sku[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_weight', woocommerce_clean( $variable_weight[ $i ] ) );
|
||||
|
||||
update_post_meta( $variation_id, '_length', esc_attr( $variable_length[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_width', esc_attr( $variable_width[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_height', esc_attr( $variable_height[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_length', woocommerce_clean( $variable_length[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_width', woocommerce_clean( $variable_width[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_height', woocommerce_clean( $variable_height[ $i ] ) );
|
||||
|
||||
update_post_meta( $variation_id, '_stock', esc_attr( $variable_stock[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_stock', woocommerce_clean( $variable_stock[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_thumbnail_id', absint( $upload_image_id[ $i ] ) );
|
||||
|
||||
update_post_meta( $variation_id, '_virtual', esc_attr( $is_virtual ) );
|
||||
update_post_meta( $variation_id, '_downloadable', esc_attr( $is_downloadable ) );
|
||||
update_post_meta( $variation_id, '_virtual', woocommerce_clean( $is_virtual ) );
|
||||
update_post_meta( $variation_id, '_downloadable', woocommerce_clean( $is_downloadable ) );
|
||||
|
||||
// Price handling
|
||||
$regular_price = esc_attr( $variable_regular_price[ $i ] );
|
||||
$sale_price = esc_attr( $variable_sale_price[ $i ] );
|
||||
$date_from = esc_attr( $variable_sale_price_dates_from[ $i ] );
|
||||
$date_to = esc_attr( $variable_sale_price_dates_to[ $i ] );
|
||||
$regular_price = woocommerce_clean( $variable_regular_price[ $i ] );
|
||||
$sale_price = woocommerce_clean( $variable_sale_price[ $i ] );
|
||||
$date_from = woocommerce_clean( $variable_sale_price_dates_from[ $i ] );
|
||||
$date_to = woocommerce_clean( $variable_sale_price_dates_to[ $i ] );
|
||||
|
||||
update_post_meta( $variation_id, '_regular_price', $regular_price );
|
||||
update_post_meta( $variation_id, '_sale_price', $sale_price );
|
||||
|
@ -676,22 +676,22 @@ function process_product_meta_variable( $post_id ) {
|
|||
}
|
||||
|
||||
if ( $variable_tax_class[ $i ] !== 'parent' )
|
||||
update_post_meta( $variation_id, '_tax_class', esc_attr( $variable_tax_class[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_tax_class', woocommerce_clean( $variable_tax_class[ $i ] ) );
|
||||
else
|
||||
delete_post_meta( $variation_id, '_tax_class' );
|
||||
|
||||
if ( $is_downloadable == 'yes' ) {
|
||||
update_post_meta( $variation_id, '_download_limit', esc_attr( $variable_download_limit[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_download_expiry', esc_attr( $variable_download_expiry[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_download_limit', woocommerce_clean( $variable_download_limit[ $i ] ) );
|
||||
update_post_meta( $variation_id, '_download_expiry', woocommerce_clean( $variable_download_expiry[ $i ] ) );
|
||||
|
||||
$_file_paths = array();
|
||||
$file_paths = str_replace( "\r\n", "\n", esc_attr( $variable_file_paths[ $i ] ) );
|
||||
$file_paths = str_replace( "\r\n", "\n", $variable_file_paths[ $i ] );
|
||||
$file_paths = trim( preg_replace( "/\n+/", "\n", $file_paths ) );
|
||||
if ( $file_paths ) {
|
||||
$file_paths = explode( "\n", $file_paths );
|
||||
|
||||
foreach ( $file_paths as $file_path ) {
|
||||
$file_path = trim( $file_path );
|
||||
$file_path = woocommerce_clean( $file_path );
|
||||
$_file_paths[ md5( $file_path ) ] = $file_path;
|
||||
}
|
||||
}
|
||||
|
@ -719,7 +719,7 @@ function process_product_meta_variable( $post_id ) {
|
|||
|
||||
if ( $attribute['is_variation'] ) {
|
||||
|
||||
$value = esc_attr( trim( $_POST[ 'attribute_' . sanitize_title( $attribute['name'] ) ][ $i ] ) );
|
||||
$value = woocommerce_clean( $_POST[ 'attribute_' . sanitize_title( $attribute['name'] ) ][ $i ] );
|
||||
|
||||
update_post_meta( $variation_id, 'attribute_' . sanitize_title( $attribute['name'] ), $value );
|
||||
}
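Review bot: The new `$value = woocommerce_clean( $_POST[ 'attribute_' . sanitize_title( $attribute['name'] ) ][ $i ] );` drops the explicit `trim()` the replaced line applied; woocommerce_clean() is not visible on this page, and unless it trims itself, attribute values posted with surrounding whitespace are now stored verbatim, which is a silent behaviour change rather than part of the XSS fix. The same applies to the default-attribute line in the hunk at -784. Keeping the trim explicit costs nothing: `$value = woocommerce_clean( trim( $_POST[ 'attribute_' . sanitize_title( $attribute['name'] ) ][ $i ] ) );`. The `$_POST` index is also read without an `isset()` guard on both lines, so a submission that omits the attribute field raises a notice on the save path; wrapping the read in `isset( ... ) ? ... : ''` keeps the sanitizer from ever seeing an undefined index. process_product_meta_variable() starts before and ends after these hunks.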
|
||||
|
@ -784,7 +784,7 @@ function process_product_meta_variable( $post_id ) {
|
|||
|
||||
foreach ( $attributes as $attribute ) {
|
||||
if ( $attribute['is_variation'] ) {
|
||||
$value = esc_attr( trim( $_POST[ 'default_attribute_' . sanitize_title( $attribute['name'] ) ] ) );
|
||||
$value = woocommerce_clean( $_POST[ 'default_attribute_' . sanitize_title( $attribute['name'] ) ] );
|
||||
if ( $value )
|
||||
$default_attributes[ sanitize_title( $attribute['name'] ) ] = $value;
|
||||
}
|
||||
@ -320,14 +320,14 @@ function woocommerce_wp_text_input( $field ) {
|
|||
$field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true );
|
||||
$field['name'] = isset( $field['name'] ) ? $field['name'] : $field['id'];
|
||||
|
||||
echo '<p class="form-field ' . esc_attr( $field['id'] ) . '_field"><label for="' . esc_attr( $field['id'] ) . '">' . esc_html( $field['label'] ) . '</label><input type="text" class="' . esc_attr( $field['class'] ) . '" name="' . esc_attr( $field['name'] ) . '" id="' . esc_attr( $field['id'] ) . '" value="' . esc_attr( $field['value'] ) . '" placeholder="' . esc_attr( $field['placeholder'] ) . '" /> ';
|
||||
echo '<p class="form-field ' . esc_attr( $field['id'] ) . '_field"><label for="' . esc_attr( $field['id'] ) . '">' . wp_kses_post( $field['label'] ) . '</label><input type="text" class="' . esc_attr( $field['class'] ) . '" name="' . esc_attr( $field['name'] ) . '" id="' . esc_attr( $field['id'] ) . '" value="' . esc_attr( $field['value'] ) . '" placeholder="' . esc_attr( $field['placeholder'] ) . '" /> ';
|
||||
|
||||
if ( ! empty( $field['description'] ) ) {
|
||||
|
||||
if ( isset( $field['desc_tip'] ) ) {
|
||||
echo '<img class="help_tip" data-tip="' . esc_attr( $field['description'] ) . '" src="' . $woocommerce->plugin_url() . '/assets/images/help.png" />';
|
||||
} else {
|
||||
echo '<span class="description">' . esc_html( $field['description'] ) . '</span>';
|
||||
echo '<span class="description">' . wp_kses_post( $field['description'] ) . '</span>';
|
||||
}
|
||||
|
||||
}
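Review bot: Moving `$field['label']` and `$field['description']` from esc_html() to wp_kses_post() changes the contract of these helpers — both values are now rendered as HTML (limited to the post-allowed tag set) rather than as text — and nothing in the hunk records that, so a caller that builds a label or description from request or database data must now escape it before passing it in. Suggest a docblock note on woocommerce_wp_text_input() and its siblings at -367, -398, -420 and -435: `@param array $field  'label' and 'description' are output through wp_kses_post() and may contain allowed HTML; escape untrusted input before passing it.` The desc_tip branch on the unchanged `data-tip="' . esc_attr( $field['description'] )` line still treats the description as plain text, which is the right escaping for an attribute but means the two branches accept different content for the same key; that difference belongs in the same note. `$field['placeholder']` is read with esc_attr() but is not defaulted among the visible `isset(...) ? ... :` lines, so if no default is set above the hunk an unset key emits a notice. The function bodies begin before these hunks.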
|
||||
|
@ -367,14 +367,14 @@ function woocommerce_wp_textarea_input( $field ) {
|
|||
$field['class'] = isset( $field['class'] ) ? $field['class'] : 'short';
|
||||
$field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true );
|
||||
|
||||
echo '<p class="form-field ' . esc_attr( $field['id'] ) . '_field"><label for="' . esc_attr( $field['id'] ) . '">' . esc_html( $field['label'] ) . '</label><textarea class="' . esc_attr( $field['class'] ) . '" name="' . esc_attr( $field['id'] ) . '" id="' . esc_attr( $field['id'] ) . '" placeholder="' . esc_attr( $field['placeholder'] ) . '" rows="2" cols="20">' . esc_textarea( $field['value'] ) . '</textarea> ';
|
||||
echo '<p class="form-field ' . esc_attr( $field['id'] ) . '_field"><label for="' . esc_attr( $field['id'] ) . '">' . wp_kses_post( $field['label'] ) . '</label><textarea class="' . esc_attr( $field['class'] ) . '" name="' . esc_attr( $field['id'] ) . '" id="' . esc_attr( $field['id'] ) . '" placeholder="' . esc_attr( $field['placeholder'] ) . '" rows="2" cols="20">' . esc_textarea( $field['value'] ) . '</textarea> ';
|
||||
|
||||
if ( ! empty( $field['description'] ) ) {
|
||||
|
||||
if ( isset( $field['desc_tip'] ) ) {
|
||||
echo '<img class="help_tip" data-tip="' . esc_attr( $field['description'] ) . '" src="' . $woocommerce->plugin_url() . '/assets/images/help.png" />';
|
||||
} else {
|
||||
echo '<span class="description">' . esc_html( $field['description'] ) . '</span>';
|
||||
echo '<span class="description">' . wp_kses_post( $field['description'] ) . '</span>';
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -398,9 +398,9 @@ function woocommerce_wp_checkbox( $field ) {
|
|||
$field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true );
|
||||
$field['cbvalue'] = isset( $field['cbvalue'] ) ? $field['cbvalue'] : 'yes';
|
||||
|
||||
echo '<p class="form-field ' . esc_attr( $field['id'] ) . '_field ' . esc_attr( $field['wrapper_class'] ) . '"><label for="' . esc_attr( $field['id'] ) . '">' . esc_html( $field['label'] ) . '</label><input type="checkbox" class="' . esc_attr( $field['class'] ) . '" name="' . esc_attr( $field['id'] ) . '" id="' . esc_attr( $field['id'] ) . '" value="' . esc_attr( $field['cbvalue'] ) . '" ' . checked( $field['value'], $field['cbvalue'], false ) . ' /> ';
|
||||
echo '<p class="form-field ' . esc_attr( $field['id'] ) . '_field ' . esc_attr( $field['wrapper_class'] ) . '"><label for="' . esc_attr( $field['id'] ) . '">' . wp_kses_post( $field['label'] ) . '</label><input type="checkbox" class="' . esc_attr( $field['class'] ) . '" name="' . esc_attr( $field['id'] ) . '" id="' . esc_attr( $field['id'] ) . '" value="' . esc_attr( $field['cbvalue'] ) . '" ' . checked( $field['value'], $field['cbvalue'], false ) . ' /> ';
|
||||
|
||||
if ( ! empty( $field['description'] ) ) echo '<span class="description">' . esc_html( $field['description'] ) . '</span>';
|
||||
if ( ! empty( $field['description'] ) ) echo '<span class="description">' . wp_kses_post( $field['description'] ) . '</span>';
|
||||
|
||||
echo '</p>';
|
||||
}
|
||||
|
@ -420,7 +420,7 @@ function woocommerce_wp_select( $field ) {
|
|||
$field['class'] = isset( $field['class'] ) ? $field['class'] : 'select short';
|
||||
$field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true );
|
||||
|
||||
echo '<p class="form-field ' . esc_attr( $field['id'] ) . '_field"><label for="' . esc_attr( $field['id'] ) . '">' . esc_html( $field['label'] ) . '</label><select id="' . esc_attr( $field['id'] ) . '" name="' . esc_attr( $field['id'] ) . '" class="' . esc_attr( $field['class'] ) . '">';
|
||||
echo '<p class="form-field ' . esc_attr( $field['id'] ) . '_field"><label for="' . esc_attr( $field['id'] ) . '">' . wp_kses_post( $field['label'] ) . '</label><select id="' . esc_attr( $field['id'] ) . '" name="' . esc_attr( $field['id'] ) . '" class="' . esc_attr( $field['class'] ) . '">';
|
||||
|
||||
foreach ( $field['options'] as $key => $value ) {
|
||||
|
||||
|
@ -435,7 +435,7 @@ function woocommerce_wp_select( $field ) {
|
|||
if ( isset( $field['desc_tip'] ) ) {
|
||||
echo '<img class="help_tip" data-tip="' . esc_attr( $field['description'] ) . '" src="' . $woocommerce->plugin_url() . '/assets/images/help.png" />';
|
||||
} else {
|
||||
echo '<span class="description">' . esc_html( $field['description'] ) . '</span>';
|
||||
echo '<span class="description">' . wp_kses_post( $field['description'] ) . '</span>';
|
||||
}
|
||||
|
||||
}
|
||||