From 98530b3f6d5d03ebd4dcdc54c626a3860ea460eb Mon Sep 17 00:00:00 2001 From: Mike Jolley Date: Mon, 15 Oct 2012 20:25:48 +0100 Subject: [PATCH] [3.2.3] XSS #1575 --- .../writepanels/variation-admin-html.php | 54 +-- .../writepanel-order_downloads.php | 2 +- .../writepanel-product-type-variable.php | 261 +++++++------- .../writepanels/writepanel-product_data.php | 322 +++++++++--------- 4 files changed, 317 insertions(+), 322 deletions(-) diff --git a/admin/post-types/writepanels/variation-admin-html.php b/admin/post-types/writepanels/variation-admin-html.php index f0dfb46d3b3..470e0c4dd9e 100644 --- a/admin/post-types/writepanels/variation-admin-html.php +++ b/admin/post-types/writepanels/variation-admin-html.php @@ -3,9 +3,9 @@ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly ?>

- -
- # + +
+ # '; + echo ' + - + @@ -55,7 +55,7 @@ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly - +   @@ -64,31 +64,31 @@ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly - + - + - - + + - + - + - - + +   @@ -96,9 +96,9 @@ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly - - - + + +   @@ -113,7 +113,7 @@ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly 'show_option_all' => __( 'Same as parent', 'woocommerce' ), 'name' => 'variable_shipping_class[' . $loop . ']', 'id' => '', - 'selected' => isset( $shipping_class ) ? $shipping_class : '', + 'selected' => isset( $shipping_class ) ? esc_attr( $shipping_class ) : '', 'echo' => 0 ); @@ -123,7 +123,7 @@ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly @@ -131,14 +131,14 @@ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
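Review bot: The `esc_attr()` added to the `'selected'` argument in the `-113` hunk does not change what the dropdown does with the value — as far as wp_dropdown_categories() uses it, `selected` is compared against term IDs rather than printed — so the escape is a no-op for XSS and only suggests the input is covered. If `$shipping_class` is the term ID read back from the variation, the matching treatment is a numeric cast, `'selected' => isset( $shipping_class ) ? absint( $shipping_class ) : '',`, which also guarantees a non-numeric value can never reach the dropdown. Where the value does reach markup (the rendered option list) the escape belongs on that output, which is not part of this hunk.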
- +
- +
@@ -146,7 +146,7 @@ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
- +
@@ -156,10 +156,10 @@ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly - + - + diff --git a/admin/post-types/writepanels/writepanel-order_downloads.php b/admin/post-types/writepanels/writepanel-order_downloads.php index 4509cdd170c..73490a5f343 100644 --- a/admin/post-types/writepanels/writepanel-order_downloads.php +++ b/admin/post-types/writepanels/writepanel-order_downloads.php @@ -35,7 +35,7 @@ function woocommerce_order_downloads_meta_box() { "); $product = null; - if ($download_permissions && sizeof($download_permissions)>0) foreach ($download_permissions as $download) : + if ( $download_permissions && sizeof( $download_permissions ) > 0 ) foreach ( $download_permissions as $download ) : if ( ! $product || $product->id != $download->product_id ) : $product = new WC_Product( $download->product_id ); diff --git a/admin/post-types/writepanels/writepanel-product-type-variable.php b/admin/post-types/writepanels/writepanel-product-type-variable.php index 7fd38347b76..68a77a0ef1e 100644 --- a/admin/post-types/writepanels/writepanel-product-type-variable.php +++ b/admin/post-types/writepanels/writepanel-product-type-variable.php @@ -7,7 +7,7 @@ * @author WooThemes * @category Admin * @package WooCommerce/Admin/WritePanels - * @version 1.6.4 + * @version 1.7.0 */ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly @@ -20,11 +20,11 @@ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly */ function variable_product_type_options_tab() { ?> -
  • +
  • ID, '_product_attributes', true) ); + $attributes = maybe_unserialize( get_post_meta( $post->ID, '_product_attributes', true ) ); // See if any are set $variation_attribute_found = false; - if ($attributes) foreach($attributes as $attribute){ - if (isset($attribute['is_variation'])) : + if ( $attributes ) foreach( $attributes as $attribute ) { + if ( isset( $attribute['is_variation'] ) ) { $variation_attribute_found = true; break; - endif; + } } // Get tax classes - $tax_classes = array_filter(array_map('trim', explode("\n", get_option('woocommerce_tax_classes')))); + $tax_classes = array_filter( array_map('trim', explode( "\n", get_option( 'woocommerce_tax_classes' ) ) ) ); $tax_class_options = array(); - $tax_class_options['parent'] =__('Same as parent', 'woocommerce'); - $tax_class_options[''] = __('Standard', 'woocommerce'); - if ($tax_classes) foreach ( $tax_classes as $class ) - $tax_class_options[sanitize_title($class)] = $class; - + $tax_class_options['parent'] = __( 'Same as parent', 'woocommerce' ); + $tax_class_options[''] = __( 'Standard', 'woocommerce' ); + if ( $tax_classes ) + foreach ( $tax_classes as $class ) + $tax_class_options[ sanitize_title( $class ) ] = esc_attr( $class ); ?>
    - +

    Attributes tab.', 'woocommerce' ); ?>

    -

    +

    - - + + - - + +
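Review bot: `$tax_class_options[ sanitize_title( $class ) ] = esc_attr( $class );` escapes the label when the array is built rather than where it is printed, so every consumer of `$tax_class_options` receives an HTML-encoded string, and if the label ends up as `<option>` text the correct escape at that point is esc_html(), not esc_attr(). Keep the array raw (`$tax_class_options[ sanitize_title( $class ) ] = $class;`) and escape both the key and the label on the line that echoes the option; that rendering is not visible in this hunk. The `-129` hunk has the same shape with `$variation_post_status = esc_attr( $variation->post_status );`, which escapes a value fetched from the database that is presumably reused as data further down — the escape should sit on the output line instead.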

    @@ -119,7 +119,7 @@ function variable_product_type_options() { // Get variations $args = array( 'post_type' => 'product_variation', - 'post_status' => array('private', 'publish'), + 'post_status' => array( 'private', 'publish' ), 'numberposts' => -1, 'orderby' => 'menu_order', 'order' => 'asc', @@ -129,9 +129,9 @@ function variable_product_type_options() { $loop = 0; if ( $variations ) foreach ( $variations as $variation ) { - $variation_id = $variation->ID; - $variation_post_status = $variation->post_status; - $variation_data = get_post_custom( $variation_id ); + $variation_id = absint( $variation->ID ); + $variation_post_status = esc_attr( $variation->post_status ); + $variation_data = get_post_custom( $variation_id ); $variation_data['variation_post_id'] = $variation_id; // Grab shipping classes @@ -167,8 +167,8 @@ function variable_product_type_options() { $_regular_price = $_price; // Get image - $image_id = absint( $_thumbnail_id ); $image = ''; + $image_id = absint( $_thumbnail_id ); if ( $image_id ) $image = wp_get_attachment_url( $image_id ); @@ -186,40 +186,38 @@ function variable_product_type_options() {

    - + - + - + ID, '_default_attributes', true )); - foreach ($attributes as $attribute) : + $default_attributes = maybe_unserialize( get_post_meta( $post->ID, '_default_attributes', true ) ); + foreach ( $attributes as $attribute ) { // Only deal with attributes that are variations - if ( !$attribute['is_variation'] ) continue; + if ( ! $attribute['is_variation'] ) + continue; // Get current value for variation (if set) - $variation_selected_value = (isset($default_attributes[sanitize_title($attribute['name'])])) ? $default_attributes[sanitize_title($attribute['name'])] : ''; + $variation_selected_value = isset( $default_attributes[ sanitize_title( $attribute['name'] ) ] ) ? $default_attributes[ sanitize_title( $attribute['name'] ) ] : ''; // Name will be something like attribute_pa_color - echo ''; // Get terms for attribute taxonomy or value if its a custom attribute - if ($attribute['is_taxonomy']) : + if ( $attribute['is_taxonomy'] ) { $post_terms = wp_get_post_terms( $post->ID, $attribute['name'] ); - foreach ($post_terms as $term) : - echo ''; - endforeach; - else : - $options = explode('|', $attribute['value']); - foreach ($options as $option) : - echo ''; - endforeach; - endif; + foreach ( $post_terms as $term ) + echo ''; + } else { + $options = explode( '|', $attribute['value'] ); + foreach ( $options as $option ) + echo ''; + } echo ''; - - endforeach; + } ?>

    @@ -235,11 +233,11 @@ function variable_product_type_options() { ?> jQuery(function(){ - + jQuery('#variable_product_options').on('click', 'button.link_all_variations, button.add_variation', function(){ - alert(''); + alert(''); return false; @@ -283,7 +281,7 @@ function variable_product_type_options() { jQuery('#variable_product_options').on('click', 'button.link_all_variations', function(){ - var answer = confirm(''); + var answer = confirm(''); if (answer) { @@ -304,11 +302,11 @@ function variable_product_type_options() { } if (count==1) { - alert( count + ' '); + alert( count + ' '); } else if (count==0 || count>1) { - alert( count + ' '); + alert( count + ' '); } else { - alert(''); + alert(''); } jQuery('#variable_product_options').unblock(); @@ -320,7 +318,7 @@ function variable_product_type_options() { jQuery('#variable_product_options').on('click', 'button.remove_variation', function(e){ e.preventDefault(); - var answer = confirm(''); + var answer = confirm(''); if (answer){ var el = jQuery(this).parent().parent(); @@ -355,10 +353,10 @@ function variable_product_type_options() { }); jQuery('#variable_product_options').on('click', 'a.delete_variations', function(){ - var answer = confirm(''); + var answer = confirm(''); if (answer){ - var answer = confirm(''); + var answer = confirm(''); if (answer) { @@ -396,7 +394,7 @@ function variable_product_type_options() { var field_to_edit = jQuery('select#field_to_edit').val(); var input_tag = jQuery('select#field_to_edit :selected').attr('rel') ? jQuery('select#field_to_edit :selected').attr('rel') : 'input'; - var value = prompt(""); + var value = prompt(""); jQuery(input_tag + '[name^="' + field_to_edit + '"]').val( value ); return false; }); 
@@ -537,7 +535,7 @@ add_action('woocommerce_product_write_panels', 'variable_product_type_options'); * @return array */ function variable_product_type_selector( $types, $product_type ) { - $types['variable'] = __('Variable product', 'woocommerce'); + $types['variable'] = __( 'Variable product', 'woocommerce' ); return $types; } 
@@ -556,65 +554,66 @@ function process_product_meta_variable( $post_id ) { if ( isset( $_POST['variable_sku'] ) ) { - $variable_post_id = $_POST['variable_post_id']; - $variable_sku = $_POST['variable_sku']; - $variable_weight = $_POST['variable_weight']; - $variable_length = $_POST['variable_length']; - $variable_width = $_POST['variable_width']; - $variable_height = $_POST['variable_height']; - $variable_stock = $_POST['variable_stock']; - $variable_regular_price = $_POST['variable_regular_price']; - $variable_sale_price = $_POST['variable_sale_price']; - $upload_image_id = $_POST['upload_image_id']; - $variable_file_paths = $_POST['variable_file_paths']; - $variable_download_limit = $_POST['variable_download_limit']; - $variable_download_expiry = $_POST['variable_download_expiry']; - $variable_shipping_class = $_POST['variable_shipping_class']; - $variable_tax_class = $_POST['variable_tax_class']; - $variable_menu_order = $_POST['variation_menu_order']; + $variable_post_id = $_POST['variable_post_id']; + $variable_sku = $_POST['variable_sku']; + $variable_weight = $_POST['variable_weight']; + $variable_length = $_POST['variable_length']; + $variable_width = $_POST['variable_width']; + $variable_height = $_POST['variable_height']; + $variable_stock = $_POST['variable_stock']; + $variable_regular_price = $_POST['variable_regular_price']; + $variable_sale_price = $_POST['variable_sale_price']; + $upload_image_id = $_POST['upload_image_id']; + $variable_file_paths = $_POST['variable_file_paths']; + $variable_download_limit = $_POST['variable_download_limit']; + $variable_download_expiry = $_POST['variable_download_expiry']; + $variable_shipping_class = $_POST['variable_shipping_class']; + $variable_tax_class = $_POST['variable_tax_class']; + $variable_menu_order = $_POST['variation_menu_order']; $variable_sale_price_dates_from = $_POST['variable_sale_price_dates_from']; $variable_sale_price_dates_to = $_POST['variable_sale_price_dates_to']; - if 
(isset($_POST['variable_enabled'])) - $variable_enabled = $_POST['variable_enabled']; + if ( isset( $_POST['variable_enabled'] ) ) + $variable_enabled = $_POST['variable_enabled']; - if (isset($_POST['variable_is_virtual'])) - $variable_is_virtual = $_POST['variable_is_virtual']; + if ( isset( $_POST['variable_is_virtual'] ) ) + $variable_is_virtual = $_POST['variable_is_virtual']; - if (isset($_POST['variable_is_downloadable'])) - $variable_is_downloadable = $_POST['variable_is_downloadable']; + if ( isset( $_POST['variable_is_downloadable'] ) ) + $variable_is_downloadable = $_POST['variable_is_downloadable']; - $attributes = (array) maybe_unserialize( get_post_meta($post_id, '_product_attributes', true) ); + $attributes = (array) maybe_unserialize( get_post_meta( $post_id, '_product_attributes', true ) ); $max_loop = max( array_keys( $_POST['variable_post_id'] ) ); for ( $i = 0; $i <= $max_loop; $i ++ ) { - if ( ! isset( $variable_post_id[ $i ] ) ) continue; + if ( ! isset( $variable_post_id[ $i ] ) ) + continue; - $variation_id = (int) $variable_post_id[ $i ]; + $variation_id = absint( $variable_post_id[ $i ] ); // Virtal/Downloadable - if (isset($variable_is_virtual[ $i ])) $is_virtual = 'yes'; else $is_virtual = 'no'; - if (isset($variable_is_downloadable[ $i ])) $is_downloadable = 'yes'; else $is_downloadable = 'no'; + $is_virtual = isset( $variable_is_virtual[ $i ] ) ? 'yes' : 'no'; + $is_downloadable = isset( $variable_is_downloadable[ $i ] ) ? 'yes' : 'no'; // Enabled or disabled - if (isset($variable_enabled[ $i ])) $post_status = 'publish'; else $post_status = 'private'; + $post_status = isset( $variable_enabled[ $i ] ) ? 
'publish' : 'private'; // Generate a useful post title - $variation_post_title = sprintf(__('Variation #%s of %s', 'woocommerce'), $variation_id, get_the_title($post_id)); + $variation_post_title = sprintf( __( 'Variation #%s of %s', 'woocommerce' ), absint( $variation_id ), esc_html( get_the_title( $post_id ) ) ); // Update or Add post if ( ! $variation_id ) { $variation = array( - 'post_title' => $variation_post_title, - 'post_content' => '', - 'post_status' => $post_status, - 'post_author' => get_current_user_id(), - 'post_parent' => $post_id, - 'post_type' => 'product_variation', - 'menu_order' => $variable_menu_order[ $i ] + 'post_title' => $variation_post_title, + 'post_content' => '', + 'post_status' => $post_status, + 'post_author' => get_current_user_id(), + 'post_parent' => $post_id, + 'post_type' => 'product_variation', + 'menu_order' => $variable_menu_order[ $i ] ); $variation_id = wp_insert_post( $variation ); 
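Review bot: `$variation_id = absint( $variable_post_id[ $i ] );` takes the target post ID straight from the request, and nothing in this hunk checks that it names a `product_variation` whose parent is `$post_id` before the later `update_post_meta()` calls (the `-625` hunk) write to it, so a user allowed to edit this product can point the loop at any post ID; absint() only guarantees a non-negative integer. Before the `if ( ! $variation_id )` branch, reject foreign IDs: `if ( $variation_id && ( get_post_type( $variation_id ) !== 'product_variation' || absint( get_post_field( 'post_parent', $variation_id ) ) !== absint( $post_id ) ) ) continue;`. Separately, `$max_loop = max( array_keys( $_POST['variable_post_id'] ) );` lets one large submitted index drive the `for` loop through that many iterations, most of them skipped by the `continue`; `foreach ( array_keys( $variable_post_id ) as $i )` visits only the rows that were actually sent. process_product_meta_variable() starts before this hunk and continues past it.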
@@ -625,24 +624,24 @@ function process_product_meta_variable( $post_id ) { } // Update post meta - update_post_meta( $variation_id, '_sku', esc_html( $variable_sku[ $i ] ) ); - update_post_meta( $variation_id, '_weight', $variable_weight[ $i ] ); + update_post_meta( $variation_id, '_sku', esc_attr( $variable_sku[ $i ] ) ); + update_post_meta( $variation_id, '_weight', esc_attr( $variable_weight[ $i ] ) ); - update_post_meta( $variation_id, '_length', $variable_length[ $i ] ); - update_post_meta( $variation_id, '_width', $variable_width[ $i ] ); - update_post_meta( $variation_id, '_height', $variable_height[ $i ] ); + update_post_meta( $variation_id, '_length', esc_attr( $variable_length[ $i ] ) ); + update_post_meta( $variation_id, '_width', esc_attr( $variable_width[ $i ] ) ); + update_post_meta( $variation_id, '_height', esc_attr( $variable_height[ $i ] ) ); - update_post_meta( $variation_id, '_stock', $variable_stock[ $i ] ); - update_post_meta( $variation_id, '_thumbnail_id', $upload_image_id[ $i ] ); + update_post_meta( $variation_id, '_stock', esc_attr( $variable_stock[ $i ] ) ); + update_post_meta( $variation_id, '_thumbnail_id', absint( $upload_image_id[ $i ] ) ); - update_post_meta( $variation_id, '_virtual', $is_virtual ); - update_post_meta( $variation_id, '_downloadable', $is_downloadable ); + update_post_meta( $variation_id, '_virtual', esc_attr( $is_virtual ) ); + update_post_meta( $variation_id, '_downloadable', esc_attr( $is_downloadable ) ); // Price handling - $regular_price = $variable_regular_price[ $i ]; - $sale_price = $variable_sale_price[ $i ]; - $date_from = $variable_sale_price_dates_from[ $i ]; - $date_to = $variable_sale_price_dates_to[ $i ]; + $regular_price = esc_attr( $variable_regular_price[ $i ] ); + $sale_price = esc_attr( $variable_sale_price[ $i ] ); + $date_from = esc_attr( $variable_sale_price_dates_from[ $i ] ); + $date_to = esc_attr( $variable_sale_price_dates_to[ $i ] ); update_post_meta( $variation_id, '_regular_price', 
$regular_price ); update_post_meta( $variation_id, '_sale_price', $sale_price ); @@ -677,13 +676,13 @@ function process_product_meta_variable( $post_id ) { } if ( $variable_tax_class[ $i ] !== 'parent' ) - update_post_meta( $variation_id, '_tax_class', $variable_tax_class[ $i ] ); + update_post_meta( $variation_id, '_tax_class', esc_attr( $variable_tax_class[ $i ] ) ); else delete_post_meta( $variation_id, '_tax_class' ); if ( $is_downloadable == 'yes' ) { - update_post_meta( $variation_id, '_download_limit', $variable_download_limit[ $i ] ); - update_post_meta( $variation_id, '_download_expiry', $variable_download_expiry[ $i ] ); + update_post_meta( $variation_id, '_download_limit', esc_attr( $variable_download_limit[ $i ] ) ); + update_post_meta( $variation_id, '_download_expiry', esc_attr( $variable_download_expiry[ $i ] ) ); $_file_paths = array(); $file_paths = str_replace( "\r\n", "\n", esc_attr( $variable_file_paths[ $i ] ) ); @@ -711,8 +710,9 @@ function process_product_meta_variable( $post_id ) { $variable_shipping_class[ $i ] = ( $variable_shipping_class[ $i ] ) ? (int) $variable_shipping_class[ $i ] : ''; wp_set_object_terms( $variation_id, $variable_shipping_class[ $i ], 'product_shipping_class'); - // Remove old taxnomies attributes so data is kept up to date - if ($variation_id) $wpdb->query("DELETE FROM $wpdb->postmeta WHERE meta_key LIKE 'attribute_%' AND post_id = $variation_id;"); + // Remove old taxonomies attributes so data is kept up to date + if ( $variation_id ) + $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE meta_key LIKE %s AND post_id = %d;", 'attribute_%', $variation_id ) ); // Update taxonomies foreach ( $attributes as $attribute ) { @@ -722,7 +722,6 @@ function process_product_meta_variable( $post_id ) { $value = esc_attr( trim( $_POST[ 'attribute_' . sanitize_title( $attribute['name'] ) ][ $i ] ) ); update_post_meta( $variation_id, 'attribute_' . sanitize_title( $attribute['name'] ), $value ); - } } 
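Review bot: The `esc_attr()` wrappers added around `$variable_weight`, `$variable_length`, `$variable_width`, `$variable_height`, `$variable_stock`, the two prices and the sale dates HTML-encode data on the way into post meta; esc_attr() is an output escape, so a value containing `&` or a quote is stored in its entity form and shows up encoded anywhere the meta is read as a number rather than as markup, while an invalid value is still accepted unchanged. These are numeric fields and should be validated as numbers on save — a cast or an `is_numeric()` check, keeping the empty string where it is meaningful for the field — with esc_attr() applied on the lines that print the values back into the edit form, e.g. `update_post_meta( $variation_id, '_download_limit', $variable_download_limit[ $i ] === '' ? '' : absint( $variable_download_limit[ $i ] ) );`. The `-677` hunk does the same for `_tax_class`, `_download_limit` and `_download_expiry`, and its existing `esc_attr( $variable_file_paths[ $i ] )` line encodes `&` inside a stored download URL, which alters the path rather than validating it. The `-711` hunk's move to `$wpdb->prepare()` with `%s`/`%d` placeholders is the right fix for that query.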
@@ -744,8 +743,8 @@ function process_product_meta_variable( $post_id ) { $lowest_price = $lowest_regular_price = $lowest_sale_price = $highest_price = $highest_regular_price = $highest_sale_price = ''; - if ($children) { - foreach ($children as $child) { + if ( $children ) { + foreach ( $children as $child ) { $child_price = get_post_meta( $child, '_price', true ); $child_regular_price = get_post_meta( $child, '_regular_price', true ); @@ -783,17 +782,15 @@ function process_product_meta_variable( $post_id ) { // Update default attribute options setting $default_attributes = array(); - foreach ($attributes as $attribute) : - if ( $attribute['is_variation'] ) : - $value = esc_attr(trim($_POST[ 'default_attribute_' . sanitize_title($attribute['name']) ])); - if ($value) : - $default_attributes[sanitize_title($attribute['name'])] = $value; - endif; - endif; - endforeach; + foreach ( $attributes as $attribute ) { + if ( $attribute['is_variation'] ) { + $value = esc_attr( trim( $_POST[ 'default_attribute_' . sanitize_title( $attribute['name'] ) ] ) ); + if ( $value ) + $default_attributes[ sanitize_title( $attribute['name'] ) ] = $value; + } + } update_post_meta( $post_parent, '_default_attributes', $default_attributes ); - } -add_action('woocommerce_process_product_meta_variable', 'process_product_meta_variable'); \ No newline at end of file +add_action( 'woocommerce_process_product_meta_variable', 'process_product_meta_variable' ); \ No newline at end of file diff --git a/admin/post-types/writepanels/writepanel-product_data.php b/admin/post-types/writepanels/writepanel-product_data.php index ae5d1823711..6eda70c6eec 100644 --- a/admin/post-types/writepanels/writepanel-product_data.php +++ b/admin/post-types/writepanels/writepanel-product_data.php 
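Review bot: `$value = esc_attr( trim( $_POST[ 'default_attribute_' . sanitize_title( $attribute['name'] ) ] ) );` in the `-783` hunk indexes `$_POST` without an `isset()` guard, so a variation attribute whose default field is missing from the request raises a notice and hands `null` to trim(). Guard it: `$key = 'default_attribute_' . sanitize_title( $attribute['name'] );` then `$value = isset( $_POST[ $key ] ) ? esc_attr( trim( $_POST[ $key ] ) ) : '';`. The same loop reads `$attribute['is_variation']` directly, whereas the `-20` hunk of this file checks `isset( $attribute['is_variation'] )` before reading it; the two should agree. The `-722` hunk's `$_POST[ 'attribute_' . sanitize_title( $attribute['name'] ) ][ $i ]` line has the same missing guard.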
@@ -49,14 +49,14 @@ function woocommerce_product_data_box() { 'virtual' => array( 'id' => '_virtual', 'wrapper_class' => 'show_if_simple', - 'label' => __('Virtual', 'woocommerce'), - 'description' => __('Virtual products are intangible and aren\'t shipped.', 'woocommerce') + 'label' => __( 'Virtual', 'woocommerce' ), + 'description' => __( 'Virtual products are intangible and aren\'t shipped.', 'woocommerce' ) ), 'downloadable' => array( 'id' => '_downloadable', 'wrapper_class' => 'show_if_simple', - 'label' => __('Downloadable', 'woocommerce'), - 'description' => __('Downloadable products give access to a file upon purchase.', 'woocommerce') + 'label' => __( 'Downloadable', 'woocommerce' ), + 'description' => __( 'Downloadable products give access to a file upon purchase.', 'woocommerce' ) ) ) ); @@ -72,19 +72,19 @@ function woocommerce_product_data_box() {
    - +
    post_type != 'product' ) return; - $current_visibility = get_post_meta( $post->ID, '_visibility', true ); - $current_featured = get_post_meta( $post->ID, '_featured', true ); + $current_visibility = ( $current_visibility = get_post_meta( $post->ID, '_visibility', true ) ) ? $current_visibility : 'visible'; + $current_featured = ( $current_featured = get_post_meta( $post->ID, '_featured', true ) ) ? $current_featured : 'no'; - $visibility_options = apply_filters('woocommerce_product_visibility_options', array( - 'visible' => __('Catalog/search', 'woocommerce'), - 'catalog' => __('Catalog', 'woocommerce'), - 'search' => __('Search', 'woocommerce'), - 'hidden' => __('Hidden', 'woocommerce') + $visibility_options = apply_filters( 'woocommerce_product_visibility_options', array( + 'visible' => __( 'Catalog/search', 'woocommerce' ), + 'catalog' => __( 'Catalog', 'woocommerce' ), + 'search' => __( 'Search', 'woocommerce' ), + 'hidden' => __( 'Hidden', 'woocommerce' ) ) ); - - if ( ! $current_visibility ) - $current_visibility = 'visible'; - - if ( ! $current_featured ) - $current_featured = 'no'; ?>
    - - +
    - - + + ' . __('Define the loops this product should be visible in. The product will still be accessible directly.', 'woocommerce') . '

    '; + echo '

    ' . __( 'Define the loops this product should be visible in. The product will still be accessible directly.', 'woocommerce' ) . '

    '; foreach ( $visibility_options as $name => $label ) { - echo '
    '; + echo '
    '; } - echo '

    ' . __('Enable this option to feature this product.', 'woocommerce') . '

    '; + echo '

    ' . __( 'Enable this option to feature this product.', 'woocommerce' ) . '

    '; - echo '
    '; + echo '
    '; ?>

    - - + +