From 97e67bfcea17b22f56dee6a0a6f7aa55aec0ffff Mon Sep 17 00:00:00 2001
From: Mike Jolley
Date: Mon, 15 Oct 2012 20:39:37 +0100
Subject: [PATCH] [3.2.3] XSS #1575
---
 .../writepanel-order_downloads.php | 4 +-
 .../writepanel-product-type-variable.php | 38 +++++++++----------
 .../writepanels/writepanels-init.php | 16 ++++----
 3 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/admin/post-types/writepanels/writepanel-order_downloads.php b/admin/post-types/writepanels/writepanel-order_downloads.php
index 73490a5f343..c2635fbaee9 100644
--- a/admin/post-types/writepanels/writepanel-order_downloads.php
+++ b/admin/post-types/writepanels/writepanel-order_downloads.php
@@ -29,10 +29,10 @@ function woocommerce_order_downloads_meta_box() { get_results("
+ $download_permissions = $wpdb->get_results( $wpdb->prepare( "
 SELECT * FROM {$wpdb->prefix}woocommerce_downloadable_product_permissions
 WHERE order_id = $post->ID ORDER BY product_id
- ");
+ " ) );
 $product = null;
 if ( $download_permissions && sizeof( $download_permissions ) > 0 )
 foreach ( $download_permissions as $download ) :
diff --git a/admin/post-types/writepanels/writepanel-product-type-variable.php b/admin/post-types/writepanels/writepanel-product-type-variable.php
index 68a77a0ef1e..5b2e8ee1b04 100644
--- a/admin/post-types/writepanels/writepanel-product-type-variable.php
+++ b/admin/post-types/writepanels/writepanel-product-type-variable.php
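Review bot: The `$wpdb->prepare()` wrapped around the `get_results` call still interpolates `$post->ID` directly into the SQL string, so nothing is actually bound — `prepare()` only escapes values passed as arguments for `%d`/`%s` placeholders, and a call with no arguments is, as far as I recall, flagged as "doing it wrong" on later WordPress releases. Use a placeholder and pass the ID: `WHERE order_id = %d ORDER BY product_id` in the query and `", $post->ID ) );` on the closing line. Since `$post->ID` comes from the post object rather than the request this is hardening rather than an open injection, but a no-op prepare() gives a false sense of safety to the next reader. The leading context lines of this hunk are garbled in this rendering, and `woocommerce_order_downloads_meta_box` continues past the hunk.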
@@ -624,24 +624,24 @@ function process_product_meta_variable( $post_id ) {
 }
 // Update post meta
- update_post_meta( $variation_id, '_sku', esc_attr( $variable_sku[ $i ] ) );
- update_post_meta( $variation_id, '_weight', esc_attr( $variable_weight[ $i ] ) );
+ update_post_meta( $variation_id, '_sku', woocommerce_clean( $variable_sku[ $i ] ) );
+ update_post_meta( $variation_id, '_weight', woocommerce_clean( $variable_weight[ $i ] ) );
- update_post_meta( $variation_id, '_length', esc_attr( $variable_length[ $i ] ) );
- update_post_meta( $variation_id, '_width', esc_attr( $variable_width[ $i ] ) );
- update_post_meta( $variation_id, '_height', esc_attr( $variable_height[ $i ] ) );
+ update_post_meta( $variation_id, '_length', woocommerce_clean( $variable_length[ $i ] ) );
+ update_post_meta( $variation_id, '_width', woocommerce_clean( $variable_width[ $i ] ) );
+ update_post_meta( $variation_id, '_height', woocommerce_clean( $variable_height[ $i ] ) );
- update_post_meta( $variation_id, '_stock', esc_attr( $variable_stock[ $i ] ) );
+ update_post_meta( $variation_id, '_stock', woocommerce_clean( $variable_stock[ $i ] ) );
 update_post_meta( $variation_id, '_thumbnail_id', absint( $upload_image_id[ $i ] ) );
- update_post_meta( $variation_id, '_virtual', esc_attr( $is_virtual ) );
- update_post_meta( $variation_id, '_downloadable', esc_attr( $is_downloadable ) );
+ update_post_meta( $variation_id, '_virtual', woocommerce_clean( $is_virtual ) );
+ update_post_meta( $variation_id, '_downloadable', woocommerce_clean( $is_downloadable ) );
 // Price handling
- $regular_price = esc_attr( $variable_regular_price[ $i ] );
- $sale_price = esc_attr( $variable_sale_price[ $i ] );
- $date_from = esc_attr( $variable_sale_price_dates_from[ $i ] );
- $date_to = esc_attr( $variable_sale_price_dates_to[ $i ] );
+ $regular_price = woocommerce_clean( $variable_regular_price[ $i ] );
+ $sale_price = woocommerce_clean( $variable_sale_price[ $i ] );
+ $date_from = woocommerce_clean( 
$variable_sale_price_dates_from[ $i ] );
+ $date_to = woocommerce_clean( $variable_sale_price_dates_to[ $i ] );
 update_post_meta( $variation_id, '_regular_price', $regular_price );
 update_post_meta( $variation_id, '_sale_price', $sale_price );
@@ -676,22 +676,22 @@ function process_product_meta_variable( $post_id ) {
 }
 if ( $variable_tax_class[ $i ] !== 'parent' )
- update_post_meta( $variation_id, '_tax_class', esc_attr( $variable_tax_class[ $i ] ) );
+ update_post_meta( $variation_id, '_tax_class', woocommerce_clean( $variable_tax_class[ $i ] ) );
 else delete_post_meta( $variation_id, '_tax_class' );
 if ( $is_downloadable == 'yes' ) {
- update_post_meta( $variation_id, '_download_limit', esc_attr( $variable_download_limit[ $i ] ) );
- update_post_meta( $variation_id, '_download_expiry', esc_attr( $variable_download_expiry[ $i ] ) );
+ update_post_meta( $variation_id, '_download_limit', woocommerce_clean( $variable_download_limit[ $i ] ) );
+ update_post_meta( $variation_id, '_download_expiry', woocommerce_clean( $variable_download_expiry[ $i ] ) );
 $_file_paths = array();
- $file_paths = str_replace( "\r\n", "\n", esc_attr( $variable_file_paths[ $i ] ) );
+ $file_paths = str_replace( "\r\n", "\n", $variable_file_paths[ $i ] );
 $file_paths = trim( preg_replace( "/\n+/", "\n", $file_paths ) );
 if ( $file_paths ) {
 $file_paths = explode( "\n", $file_paths );
 foreach ( $file_paths as $file_path ) {
- $file_path = trim( $file_path );
+ $file_path = woocommerce_clean( $file_path );
 $_file_paths[ md5( $file_path ) ] = $file_path;
 }
 }
@@ -719,7 +719,7 @@ function process_product_meta_variable( $post_id ) {
 if ( $attribute['is_variation'] ) {
- $value = esc_attr( trim( $_POST[ 'attribute_' . sanitize_title( $attribute['name'] ) ][ $i ] ) );
+ $value = woocommerce_clean( $_POST[ 'attribute_' . sanitize_title( $attribute['name'] ) ][ $i ] );
 update_post_meta( $variation_id, 'attribute_' . sanitize_title( $attribute['name'] ), $value );
 }
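Review bot: Swapping `esc_attr()` for `woocommerce_clean()` on the `update_post_meta` calls for `_sku`, `_weight`, the dimensions, `_stock` and the price/date values is the right direction (sanitise on input, escape on output), but it also means these meta values are now stored close to raw, so every admin field and front-end template that prints them back must escape at output — the companion `woocommerce_wp_*` changes in this commit touch only the description text, and the stripped markup here does not let me confirm the `value` attributes are escaped. Nothing on the new side validates that the numeric fields are numbers; a guard such as `if ( '' !== $variable_stock[ $i ] && ! is_numeric( $variable_stock[ $i ] ) ) $variable_stock[ $i ] = '';` before the `_stock` write (and likewise for the prices) would keep junk out of meta that later feeds queries and arithmetic, assuming blank means "unset" as the existing code appears to allow. `process_product_meta_variable` begins and ends outside this hunk.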
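Review bot: The download entries written into `$_file_paths` on the `$file_path = woocommerce_clean( $file_path );` line are stored with no check on what they point at: after `explode( "\n", ... )` a whitespace-only line becomes an empty path keyed by `md5( '' )`, and nothing rejects `..` segments or unexpected URL schemes before the value is handed to whatever later serves the download. At minimum skip blanks with `if ( '' === $file_path ) continue;` after the clean call, and for entries that look like URLs run them through `esc_url_raw()`; if local absolute paths are deliberately allowed for capability-checked editors, a comment saying so would help the next reviewer. The `_download_limit` and `_download_expiry` values a few lines up are likewise stored as cleaned strings rather than integers. The `if ( $is_downloadable == 'yes' )` block closes outside the hunk.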
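Review bot: The new `$value = woocommerce_clean( $_POST[ 'attribute_' . sanitize_title( $attribute['name'] ) ][ $i ] );` indexes `$_POST` twice with no `isset()` guard, so a variation row posted without that attribute field raises an undefined-index notice and writes the cleaned `null` as an empty attribute; the removed line had the same gap, so this is carried over rather than introduced. Suggest `$key = 'attribute_' . sanitize_title( $attribute['name'] );` followed by `$value = isset( $_POST[ $key ][ $i ] ) ? woocommerce_clean( $_POST[ $key ][ $i ] ) : '';`, reusing `$key` in the `update_post_meta` call. The default-attribute hunk that follows has the same pattern. The enclosing loop begins and ends outside this hunk.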
@@ -784,7 +784,7 @@ function process_product_meta_variable( $post_id ) {
 foreach ( $attributes as $attribute ) {
 if ( $attribute['is_variation'] ) {
- $value = esc_attr( trim( $_POST[ 'default_attribute_' . sanitize_title( $attribute['name'] ) ] ) );
+ $value = woocommerce_clean( $_POST[ 'default_attribute_' . sanitize_title( $attribute['name'] ) ] );
 if ( $value ) $default_attributes[ sanitize_title( $attribute['name'] ) ] = $value;
 }
diff --git a/admin/post-types/writepanels/writepanels-init.php b/admin/post-types/writepanels/writepanels-init.php
index 1cd3aaeda3f..e7e21e635cb 100644
--- a/admin/post-types/writepanels/writepanels-init.php
+++ b/admin/post-types/writepanels/writepanels-init.php
@@ -320,14 +320,14 @@ function woocommerce_wp_text_input( $field ) {
 $field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true );
 $field['name'] = isset( $field['name'] ) ? $field['name'] : $field['id'];
- echo '

';
+ echo '

';
 if ( ! empty( $field['description'] ) ) {
 if ( isset( $field['desc_tip'] ) ) {
 echo '';
 } else {
- echo '' . esc_html( $field['description'] ) . '';
+ echo '' . wp_kses_post( $field['description'] ) . '';
 }
 }
@@ -367,14 +367,14 @@ function woocommerce_wp_textarea_input( $field ) {
 $field['class'] = isset( $field['class'] ) ? $field['class'] : 'short';
 $field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true );
- echo '
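Review bot: Replacing `esc_html()` with `wp_kses_post()` on the `$field['description']` echo widens what a description may contain from plain text to any post-safe markup; that is reasonable when `$field` is assembled by plugin code, but `woocommerce_wp_text_input` is a public helper that third-party code can call with strings it did not filter, and in the `desc_tip` branch the same description appears to go into an attribute (the stripped `echo '';` line, which I cannot inspect here) where kses output is not the right escaping. Worth a comment above the function stating the contract: `// $field['description'] may carry limited HTML; it is filtered with wp_kses_post() on output, so callers must not pass raw user input.` The markup of the `echo` lines has been stripped from this rendering, so the escaping of the `name`, `id` and `value` attributes could not be reviewed; the function's signature and opening lines are outside the hunk.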

';
+ echo '

';
 if ( ! empty( $field['description'] ) ) {
 if ( isset( $field['desc_tip'] ) ) {
 echo '';
 } else {
- echo '' . esc_html( $field['description'] ) . '';
+ echo '' . wp_kses_post( $field['description'] ) . '';
 }
 }
@@ -398,9 +398,9 @@ function woocommerce_wp_checkbox( $field ) {
 $field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true );
 $field['cbvalue'] = isset( $field['cbvalue'] ) ? $field['cbvalue'] : 'yes';
- echo '

';
+ echo '

';
- if ( ! empty( $field['description'] ) ) echo '' . esc_html( $field['description'] ) . '';
+ if ( ! empty( $field['description'] ) ) echo '' . wp_kses_post( $field['description'] ) . '';
 echo '

';
 }
@@ -420,7 +420,7 @@ function woocommerce_wp_select( $field ) {
 $field['class'] = isset( $field['class'] ) ? $field['class'] : 'select short';
 $field['value'] = isset( $field['value'] ) ? $field['value'] : get_post_meta( $thepostid, $field['id'], true );
- echo '

';
 foreach ( $field['options'] as $key => $value ) {
@@ -435,7 +435,7 @@ function woocommerce_wp_select( $field ) {
 if ( isset( $field['desc_tip'] ) ) {
 echo '';
 } else {
- echo '' . esc_html( $field['description'] ) . '';
+ echo '' . wp_kses_post( $field['description'] ) . '';
 }
 }