Cherry-pick #363 into release/9.2 (#50100)

* XSS vulnerability on various unescaped attributes

* escape more blocks

* Fix misplaced json encode flags

* Add escaping to the block names

* Update changelog message

---------

Co-authored-by: Luigi Teschio <gigitux@gmail.com>
Co-authored-by: roykho <roykho77@gmail.com>
nigeljamesstevenson 2024-07-29 20:15:03 +01:00 committed by GitHub
parent 542c675963
commit a66da660f7
4 changed files with 6 additions and 6 deletions


@ -1,4 +1,4 @@
Significance: patch
Type: fix
Hardening against XSS via the Product Button unescaped attribute
Enhance escaping for block attributes


@ -144,8 +144,8 @@ final class ProductFilterPrice extends AbstractBlock {
'data-wc-interactive' => wp_json_encode(
array(
'namespace' => $this->get_full_block_name(),
JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP,
)
),
JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP,
),
'data-wc-context' => wp_json_encode( $data, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP ),
'data-has-filter' => 'no',
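Review bot: The attribute-safe flag set `JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP` is now spelled out by hand in four places across this commit (twice in this hunk, once in ProductFilterRating and once in ProductGalleryPager), so a later edit that drops one flag in one file would silently reopen the attribute-injection path this change closes. Since all three blocks extend AbstractBlock, one shared constant keeps the set from drifting, e.g. `protected const JSON_ATTR_FLAGS = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;` and here `'data-wc-context' => wp_json_encode( $data, self::JSON_ATTR_FLAGS ),`. Note also that wp_json_encode() can return false on an encoding failure, which would then be handed to the attribute as-is; whether the surrounding renderer tolerates that cannot be seen from the hunk. The enclosing attribute array and method start before and end after this hunk.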


@ -84,8 +84,8 @@ final class ProductFilterRating extends AbstractBlock {
/* translators: %d is the rating value. */
'title' => sprintf( __( 'Rated %d out of 5', 'woocommerce' ), $rating ),
'attributes' => array(
'data-wc-on--click' => "{$this->get_full_block_name()}::actions.removeFilter",
'data-wc-context' => "{$this->get_full_block_name()}::" . wp_json_encode( array( 'value' => $rating ), JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP ),
'data-wc-on--click' => esc_attr( "{$this->get_full_block_name()}::actions.removeFilter" ),
'data-wc-context' => esc_attr( "{$this->get_full_block_name()}::" ) . wp_json_encode( array( 'value' => $rating ), JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP ),
),
);
},
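Review bot: The new `data-wc-context` value is assembled from two halves escaped by different mechanisms — `esc_attr()` on the block-name prefix, JSON_HEX_* flags on the JSON payload — which reads as though the JSON part were deliberately left unescaped and invites someone to "fix" it. Because the HEX flags should leave no `<>&'"` in the encoded JSON, running esc_attr() over the whole string is expected to be a no-op on that part, so escaping once at the end is both clearer and no less safe: `'data-wc-context' => esc_attr( "{$this->get_full_block_name()}::" . wp_json_encode( array( 'value' => $rating ), JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP ) ),`. If the two-step form is intentional (for instance because the consumer parses the prefix before the JSON), a one-line comment saying so would prevent that cleanup. The closure this array is returned from starts before the hunk.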


@ -129,8 +129,8 @@ class ProductGalleryPager extends AbstractBlock {
wp_json_encode(
array(
'imageId' => strval( $product_gallery_image_id ),
JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP,
),
JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP,
)
);
$p->set_attribute(
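Review bot: Nothing in the new code records why the JSON_HEX_* flags are passed here, and if `$p` is a WP_HTML_Tag_Processor its set_attribute() already runs the value through esc_attr() (worth confirming against the WordPress version in use), so a future reader could reasonably treat the flags as redundant and remove them. A short comment pins the intent, e.g. `// JSON_HEX_* keeps <>&'" out of the attribute value; defence in depth even where set_attribute() escapes.` above the wp_json_encode() call. The set_attribute() call that takes this encoded value begins before the hunk, and the following `$p->set_attribute(` is the start of a separate call that ends outside it.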