Add names to nonces in template files.

2018-03-13 14:15:41 +00:00 · 2018-03-13 14:15:41 +00:00 · 9d10d107e2
parent 64f85346c0
commit 9d10d107e2
11 changed files with 85 additions and 105 deletions
--- a/templates/auth/form-login.php
+++ b/templates/auth/form-login.php
@ -12,16 +12,12 @@
 *
 * @see     https://docs.woocommerce.com/document/template-structure/
 * @package WooCommerce/Templates/Auth
- * @version 3.3.0
+ * @version 3.4.0
 */

-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
+defined( 'ABSPATH' ) || exit;

-?>
-
-<?php do_action( 'woocommerce_auth_page_header' ); ?>
+do_action( 'woocommerce_auth_page_header' ); ?>

 <h1>
 	<?php
@ -49,7 +45,7 @@ if ( ! defined( 'ABSPATH' ) ) {
 		<input class="input-text" type="password" name="password" id="password" />
 	</p>
 	<p class="wc-auth-actions">
-		<?php wp_nonce_field( 'woocommerce-login' ); ?>
+		<?php wp_nonce_field( 'woocommerce-login', 'woocommerce-login-nonce' ); ?>
 		<button type="submit" class="button button-large button-primary wc-auth-login-button" name="login" value="<?php esc_attr_e( 'Login', 'woocommerce' ); ?>"><?php esc_html_e( 'Login', 'woocommerce' ); ?></button>
 		<input type="hidden" name="redirect" value="<?php echo esc_url( $redirect_url ); ?>" />
 	</p>
--- a/templates/cart/cart.php
+++ b/templates/cart/cart.php
@ -11,14 +11,11 @@
 * the readme will list any important changes.
 *
 * @see     https://docs.woocommerce.com/document/template-structure/
- * @author  WooThemes
 * @package WooCommerce/Templates
 * @version 3.4.0
 */

-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
+defined( 'ABSPATH' ) || exit;

 wc_print_notices();

@ -64,57 +61,63 @@ do_action( 'woocommerce_before_cart' ); ?>
 							?>
 						</td>

-						<td class="product-thumbnail"><?php
+						<td class="product-thumbnail">
+						<?php
 						$thumbnail = apply_filters( 'woocommerce_cart_item_thumbnail', $_product->get_image(), $cart_item, $cart_item_key );

 						if ( ! $product_permalink ) {
-							echo $thumbnail;
+							echo wp_kses_post( $thumbnail );
 						} else {
-							printf( '<a href="%s">%s</a>', esc_url( $product_permalink ), $thumbnail );
+							printf( '<a href="%s">%s</a>', esc_url( $product_permalink ), wp_kses_post( $thumbnail ) );
 						}
-						?></td>
+						?>
+						</td>

-						<td class="product-name" data-title="<?php esc_attr_e( 'Product', 'woocommerce' ); ?>"><?php
+						<td class="product-name" data-title="<?php esc_attr_e( 'Product', 'woocommerce' ); ?>">
+						<?php
 						if ( ! $product_permalink ) {
-							echo apply_filters( 'woocommerce_cart_item_name', $_product->get_name(), $cart_item, $cart_item_key ) . '&nbsp;';
+							echo wp_kses_post( apply_filters( 'woocommerce_cart_item_name', $_product->get_name(), $cart_item, $cart_item_key ) . '&nbsp;' );
 						} else {
-							echo apply_filters( 'woocommerce_cart_item_name', sprintf( '<a href="%s">%s</a>', esc_url( $product_permalink ), $_product->get_name() ), $cart_item, $cart_item_key );
+							echo wp_kses_post( apply_filters( 'woocommerce_cart_item_name', sprintf( '<a href="%s">%s</a>', esc_url( $product_permalink ), $_product->get_name() ), $cart_item, $cart_item_key ) );
 						}

 						// Meta data.
-						echo wc_get_formatted_cart_item_data( $cart_item );
+						echo wc_get_formatted_cart_item_data( $cart_item ); // PHPCS: XSS ok.

 						// Backorder notification.
 						if ( $_product->backorders_require_notification() && $_product->is_on_backorder( $cart_item['quantity'] ) ) {
 							echo '<p class="backorder_notification">' . esc_html__( 'Available on backorder', 'woocommerce' ) . '</p>';
 						}
-						?></td>
+						?>
+						</td>

 						<td class="product-price" data-title="<?php esc_attr_e( 'Price', 'woocommerce' ); ?>">
 							<?php
-								echo apply_filters( 'woocommerce_cart_item_price', WC()->cart->get_product_price( $_product ), $cart_item, $cart_item_key );
+								echo apply_filters( 'woocommerce_cart_item_price', WC()->cart->get_product_price( $_product ), $cart_item, $cart_item_key ); // PHPCS: XSS ok.
 							?>
 						</td>

-						<td class="product-quantity" data-title="<?php esc_attr_e( 'Quantity', 'woocommerce' ); ?>"><?php
+						<td class="product-quantity" data-title="<?php esc_attr_e( 'Quantity', 'woocommerce' ); ?>">
+						<?php
 						if ( $_product->is_sold_individually() ) {
 							$product_quantity = sprintf( '1 <input type="hidden" name="cart[%s][qty]" value="1" />', $cart_item_key );
 						} else {
 							$product_quantity = woocommerce_quantity_input( array(
-								'input_name'    => "cart[{$cart_item_key}][qty]",
-								'input_value'   => $cart_item['quantity'],
-								'max_value'     => $_product->get_max_purchase_quantity(),
-								'min_value'     => '0',
-								'product_name'  => $_product->get_name(),
+								'input_name'   => "cart[{$cart_item_key}][qty]",
+								'input_value'  => $cart_item['quantity'],
+								'max_value'    => $_product->get_max_purchase_quantity(),
+								'min_value'    => '0',
+								'product_name' => $_product->get_name(),
 							), $_product, false );
 						}

-						echo apply_filters( 'woocommerce_cart_item_quantity', $product_quantity, $cart_item_key, $cart_item );
-						?></td>
+						echo apply_filters( 'woocommerce_cart_item_quantity', $product_quantity, $cart_item_key, $cart_item ); // PHPCS: XSS ok.
+						?>
+						</td>

 						<td class="product-subtotal" data-title="<?php esc_attr_e( 'Total', 'woocommerce' ); ?>">
 							<?php
-								echo apply_filters( 'woocommerce_cart_item_subtotal', WC()->cart->get_product_subtotal( $_product, $cart_item['quantity'] ), $cart_item, $cart_item_key );
+								echo apply_filters( 'woocommerce_cart_item_subtotal', WC()->cart->get_product_subtotal( $_product, $cart_item['quantity'] ), $cart_item, $cart_item_key ); // PHPCS: XSS ok.
 							?>
 						</td>
 					</tr>
@ -139,7 +142,7 @@ do_action( 'woocommerce_before_cart' ); ?>

 					<?php do_action( 'woocommerce_cart_actions' ); ?>

-					<?php wp_nonce_field( 'woocommerce-cart' ); ?>
+					<?php wp_nonce_field( 'woocommerce-cart', 'woocommerce-cart-nonce' ); ?>
 				</td>
 			</tr>

--- a/templates/cart/shipping-calculator.php
+++ b/templates/cart/shipping-calculator.php
@ -10,15 +10,12 @@
 * happen. When this occurs the version of the template file will be bumped and
 * the readme will list any important changes.
 *
- * @see 	    https://docs.woocommerce.com/document/template-structure/
- * @author 		WooThemes
- * @package 	WooCommerce/Templates
- * @version     3.2.0
+ * @see     https://docs.woocommerce.com/document/template-structure/
+ * @package WooCommerce/Templates
+ * @version 3.2.0
 */

-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
+defined( 'ABSPATH' ) || exit;

 if ( 'no' === get_option( 'woocommerce_enable_shipping_calc' ) || ! WC()->cart->needs_shipping() ) {
 	return;
@ -54,9 +51,12 @@ do_action( 'woocommerce_before_shipping_calculator' ); ?>
 				$states     = WC()->countries->get_states( $current_cc );

 				if ( is_array( $states ) && empty( $states ) ) {
-					?><input type="hidden" name="calc_shipping_state" id="calc_shipping_state" placeholder="<?php esc_attr_e( 'State / County', 'woocommerce' ); ?>" /><?php
+					?>
+					<input type="hidden" name="calc_shipping_state" id="calc_shipping_state" placeholder="<?php esc_attr_e( 'State / County', 'woocommerce' ); ?>" />
+					<?php
 				} elseif ( is_array( $states ) ) {
-					?><span>
+					?>
+					<span>
 						<select name="calc_shipping_state" class="state_select" id="calc_shipping_state" placeholder="<?php esc_attr_e( 'State / County', 'woocommerce' ); ?>">
 							<option value=""><?php esc_html_e( 'Select a state&hellip;', 'woocommerce' ); ?></option>
 							<?php
@ -65,9 +65,12 @@ do_action( 'woocommerce_before_shipping_calculator' ); ?>
 							}
 							?>
 						</select>
-					</span><?php
+					</span>
+					<?php
 				} else {
-					?><input type="text" class="input-text" value="<?php echo esc_attr( $current_r ); ?>" placeholder="<?php esc_attr_e( 'State / County', 'woocommerce' ); ?>" name="calc_shipping_state" id="calc_shipping_state" /><?php
+					?>
+					<input type="text" class="input-text" value="<?php echo esc_attr( $current_r ); ?>" placeholder="<?php esc_attr_e( 'State / County', 'woocommerce' ); ?>" name="calc_shipping_state" id="calc_shipping_state" />
+					<?php
 				}
 				?>
 			</p>
@ -92,7 +95,7 @@ do_action( 'woocommerce_before_shipping_calculator' ); ?>

 		<p><button type="submit" name="calc_shipping" value="1" class="button"><?php esc_html_e( 'Update totals', 'woocommerce' ); ?></button></p>

-		<?php wp_nonce_field( 'woocommerce-cart' ); ?>
+		<?php wp_nonce_field( 'woocommerce-shipping-calculator', 'woocommerce-shipping-calculator-nonce' ); ?>
 	</section>
 </form>

--- a/templates/checkout/form-pay.php
+++ b/templates/checkout/form-pay.php
@ -10,16 +10,14 @@
 * happen. When this occurs the version of the template file will be bumped and
 * the readme will list any important changes.
 *
- * @see      https://docs.woocommerce.com/document/template-structure/
- * @author   WooThemes
- * @package  WooCommerce/Templates
- * @version  3.3.0
+ * @see https://docs.woocommerce.com/document/template-structure/
+ * @package WooCommerce/Templates
+ * @version 3.4.0
 */

-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
+defined( 'ABSPATH' ) || exit;

+$totals = $order->get_order_item_totals();
 ?>
 <form id="order_review" method="post">

@ -58,7 +56,7 @@ if ( ! defined( 'ABSPATH' ) ) {
 			<?php endif; ?>
 		</tbody>
 		<tfoot>
-			<?php if ( $totals = $order->get_order_item_totals() ) : ?>
+			<?php if ( $totals ) : ?>
 				<?php foreach ( $totals as $total ) : ?>
 					<tr>
 						<th scope="row" colspan="2"><?php echo $total['label']; ?></th><?php // @codingStandardsIgnoreLine ?>
@ -94,7 +92,7 @@ if ( ! defined( 'ABSPATH' ) ) {

 			<?php do_action( 'woocommerce_pay_order_after_submit' ); ?>

-			<?php wp_nonce_field( 'woocommerce-pay' ); ?>
+			<?php wp_nonce_field( 'woocommerce-pay', 'woocommerce-pay-nonce' ); ?>
 		</div>
 	</div>
 </form>
--- a/templates/checkout/payment.php
+++ b/templates/checkout/payment.php
@ -10,15 +10,12 @@
 * happen. When this occurs the version of the template file will be bumped and
 * the readme will list any important changes.
 *
- * @see 	    https://docs.woocommerce.com/document/template-structure/
- * @author 		WooThemes
- * @package 	WooCommerce/Templates
- * @version     3.3.0
+ * @see https://docs.woocommerce.com/document/template-structure/
+ * @package WooCommerce/Templates
+ * @version 3.4.0
 */

-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
+defined( 'ABSPATH' ) || exit;

 if ( ! is_ajax() ) {
 	do_action( 'woocommerce_review_order_before_payment' );
@ -52,7 +49,7 @@ if ( ! is_ajax() ) {

 		<?php do_action( 'woocommerce_review_order_after_submit' ); ?>

-		<?php wp_nonce_field( 'woocommerce-process_checkout' ); ?>
+		<?php wp_nonce_field( 'woocommerce-process_checkout', 'woocommerce-process-checkout-nonce' ); ?>
 	</div>
 </div>
 <?php
--- a/templates/myaccount/form-add-payment-method.php
+++ b/templates/myaccount/form-add-payment-method.php
@ -10,17 +10,16 @@
 * happen. When this occurs the version of the template file will be bumped and
 * the readme will list any important changes.
 *
- * @see     https://docs.woocommerce.com/document/template-structure/
- * @author  WooThemes
+ * @see https://docs.woocommerce.com/document/template-structure/
 * @package WooCommerce/Templates
- * @version 3.3.0
+ * @version 3.4.0
 */

-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
+defined( 'ABSPATH' ) || exit;

-if ( $available_gateways = WC()->payment_gateways->get_available_payment_gateways() ) : ?>
+$available_gateways = WC()->payment_gateways->get_available_payment_gateways();
+
+if ( $available_gateways ) : ?>
 	<form id="add_payment_method" method="post">
 		<div id="payment" class="woocommerce-Payment">
 			<ul class="woocommerce-PaymentMethods payment_methods methods">
@ -49,7 +48,7 @@ if ( $available_gateways = WC()->payment_gateways->get_available_payment_gateway
 			</ul>

 			<div class="form-row">
-				<?php wp_nonce_field( 'woocommerce-add-payment-method' ); ?>
+				<?php wp_nonce_field( 'woocommerce-add-payment-method', 'woocommerce-add-payment-method-nonce' ); ?>
 				<button type="submit" class="woocommerce-Button woocommerce-Button--alt button alt" id="place_order" value="<?php esc_attr_e( 'Add payment method', 'woocommerce' ); ?>"><?php esc_html_e( 'Add payment method', 'woocommerce' ); ?></button>
 				<input type="hidden" name="woocommerce_add_payment_method" id="woocommerce_add_payment_method" value="1" />
 			</div>
--- a/templates/myaccount/form-edit-account.php
+++ b/templates/myaccount/form-edit-account.php
@ -10,15 +10,12 @@
 * happen. When this occurs the version of the template file will be bumped and
 * the readme will list any important changes.
 *
- * @see     https://docs.woocommerce.com/document/template-structure/
- * @author  WooThemes
+ * @see https://docs.woocommerce.com/document/template-structure/
 * @package WooCommerce/Templates
- * @version 3.3.0
+ * @version 3.4.0
 */

-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
+defined( 'ABSPATH' ) || exit;

 do_action( 'woocommerce_before_edit_account_form' ); ?>

@ -68,7 +65,7 @@ do_action( 'woocommerce_before_edit_account_form' ); ?>
 	<?php do_action( 'woocommerce_edit_account_form' ); ?>

 	<p>
-		<?php wp_nonce_field( 'save_account_details' ); ?>
+		<?php wp_nonce_field( 'save_account_details', 'save-account-details-nonce' ); ?>
 		<button type="submit" class="woocommerce-Button button" name="save_account_details" value="<?php esc_attr_e( 'Save changes', 'woocommerce' ); ?>"><?php esc_html_e( 'Save changes', 'woocommerce' ); ?></button>
 		<input type="hidden" name="action" value="save_account_details" />
 	</p>
--- a/templates/myaccount/form-edit-address.php
+++ b/templates/myaccount/form-edit-address.php
@ -10,15 +10,12 @@
 * happen. When this occurs the version of the template file will be bumped and
 * the readme will list any important changes.
 *
- * @see     https://docs.woocommerce.com/document/template-structure/
- * @author  WooThemes
+ * @see https://docs.woocommerce.com/document/template-structure/
 * @package WooCommerce/Templates
- * @version 3.3.0
+ * @version 3.4.0
 */

-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
+defined( 'ABSPATH' ) || exit;

 $page_title = ( 'billing' === $load_address ) ? __( 'Billing address', 'woocommerce' ) : __( 'Shipping address', 'woocommerce' );

@ -50,7 +47,7 @@ do_action( 'woocommerce_before_edit_account_address_form' ); ?>

 			<p>
 				<button type="submit" class="button" name="save_address" value="<?php esc_attr_e( 'Save address', 'woocommerce' ); ?>"><?php esc_html_e( 'Save address', 'woocommerce' ); ?></button>
-				<?php wp_nonce_field( 'woocommerce-edit_address' ); ?>
+				<?php wp_nonce_field( 'woocommerce-edit_address', 'woocommerce-edit-address-nonce' ); ?>
 				<input type="hidden" name="action" value="edit_address" />
 			</p>
 		</div>
--- a/templates/myaccount/form-lost-password.php
+++ b/templates/myaccount/form-lost-password.php
@ -10,15 +10,12 @@
 * happen. When this occurs the version of the template file will be bumped and
 * the readme will list any important changes.
 *
- * @see     https://docs.woocommerce.com/document/template-structure/
- * @author  WooThemes
+ * @see https://docs.woocommerce.com/document/template-structure/
 * @package WooCommerce/Templates
- * @version 3.3.0
+ * @version 3.4.0
 */

-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
+defined( 'ABSPATH' ) || exit;

 wc_print_notices(); ?>

@ -40,6 +37,6 @@ wc_print_notices(); ?>
 		<button type="submit" class="woocommerce-Button button" value="<?php esc_attr_e( 'Reset password', 'woocommerce' ); ?>"><?php esc_html_e( 'Reset password', 'woocommerce' ); ?></button>
 	</p>

-	<?php wp_nonce_field( 'lost_password' ); ?>
+	<?php wp_nonce_field( 'lost_password', 'woocommerce-lost-password-nonce' ); ?>

 </form>
--- a/templates/myaccount/form-reset-password.php
+++ b/templates/myaccount/form-reset-password.php
@ -10,15 +10,12 @@
 * happen. When this occurs the version of the template file will be bumped and
 * the readme will list any important changes.
 *
- * @see     https://docs.woocommerce.com/document/template-structure/
- * @author  WooThemes
+ * @see https://docs.woocommerce.com/document/template-structure/
 * @package WooCommerce/Templates
- * @version 3.3.0
+ * @version 3.4.0
 */

-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
+defined( 'ABSPATH' ) || exit;

 wc_print_notices(); ?>

@ -47,6 +44,6 @@ wc_print_notices(); ?>
 		<button type="submit" class="woocommerce-Button button" value="<?php esc_attr_e( 'Save', 'woocommerce' ); ?>"><?php esc_html_e( 'Save', 'woocommerce' ); ?></button>
 	</p>

-	<?php wp_nonce_field( 'reset_password' ); ?>
+	<?php wp_nonce_field( 'reset_password', 'woocommerce-reset-password-nonce' ); ?>

 </form>
--- a/templates/order/form-tracking.php
+++ b/templates/order/form-tracking.php
@ -10,18 +10,14 @@
 * happen. When this occurs the version of the template file will be bumped and
 * the readme will list any important changes.
 *
- * @see 	https://docs.woocommerce.com/document/template-structure/
- * @author  WooThemes
+ * @see https://docs.woocommerce.com/document/template-structure/
 * @package WooCommerce/Templates
- * @version 3.3.0
+ * @version 3.4.0
 */

-if ( ! defined( 'ABSPATH' ) ) {
-	exit; // Exit if accessed directly.
-}
+defined( 'ABSPATH' ) || exit;

 global $post;
-
 ?>

 <form action="<?php echo esc_url( get_permalink( $post->ID ) ); ?>" method="post" class="track_order">
@ -33,6 +29,6 @@ global $post;
 	<div class="clear"></div>

 	<p class="form-row"><button type="submit" class="button" name="track" value="<?php esc_attr_e( 'Track', 'woocommerce' ); ?>"><?php esc_html_e( 'Track', 'woocommerce' ); ?></button></p>
-	<?php wp_nonce_field( 'woocommerce-order_tracking' ); ?>
+	<?php wp_nonce_field( 'woocommerce-order_tracking', 'woocommerce-order-tracking-nonce' ); ?>

 </form>