From 9f94b7d51d122e24b45a36981feef23d47a787ea Mon Sep 17 00:00:00 2001 From: Claudiu Lodromanean Date: Thu, 19 Jan 2017 15:48:15 -0800 Subject: [PATCH] 12518 Sanitizing and brackets --- .../single-product/product-attributes.php | 30 ++++++++++++------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/templates/single-product/product-attributes.php b/templates/single-product/product-attributes.php index 8b5c412278e..1b545e1ae86 100644 --- a/templates/single-product/product-attributes.php +++ b/templates/single-product/product-attributes.php @@ -43,22 +43,32 @@ if ( ! defined( 'ABSPATH' ) ) { is_taxonomy() ) : + if ( $attribute->is_taxonomy() ) { $attribute_taxonomy = $attribute->get_taxonomy_object(); $attribute_values = wc_get_product_terms( $product->get_id(), $attribute->get_name(), array( 'fields' => 'all' ) ); - foreach ( $attribute_values as $attribute_value ) : - if ( $attribute_taxonomy->attribute_public ) : - $values[] = ''; - else: - $values[] = $attribute_value->name; - endif; - endforeach; + foreach ( $attribute_values as $attribute_value ) { + + $value_name = esc_html( $attribute_value->name ); + + if ( $attribute_taxonomy->attribute_public ) { + $values[] = ''; + } else { + $values[] = $value_name; + } + + } + + } else { - else : $values = $attribute->get_options(); - endif; + + foreach ( $values as &$value ) { + $value = esc_html( $value ); + } + + } echo apply_filters( 'woocommerce_attribute', wpautop( wptexturize( implode( ', ', $values ) ) ), $attribute, $values ); ?>
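Review bot: The by-reference loop in the new `else` branch, `foreach ( $values as &$value )`, leaves `$value` bound to the last element of `$values` once the loop ends, so any later write to `$value` in this template (the enclosing attribute loop starts and ends outside the hunk) would silently change that element; add `unset( $value );` after the loop or replace it with `$values = array_map( 'esc_html', $attribute->get_options() );`. Escaping now happens before `apply_filters( 'woocommerce_attribute', ... )`, but the filter's return value is still echoed as-is, so a callback that rebuilds the string from raw data bypasses it; wrapping the echoed result in `wp_kses_post()` would keep the link markup while enforcing escaping at output. Callbacks also now receive already-escaped entries in the third argument `$values`, so one that escapes them again will double-encode, which deserves a note in the template's changelog. The string literal in the `attribute_public` branch appears to have lost its markup on this page, so the link construction could not be checked here.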