From bbe2a6f2d786dd8673353059bbb02c0b2cdf4a31 Mon Sep 17 00:00:00 2001
From: nigeljamesstevenson
 <105309450+nigeljamesstevenson@users.noreply.github.com>
Date: Mon, 18 Dec 2023 16:28:17 +0000
Subject: [PATCH] Cherry pick #290 into trunk - Address potential rXSS
 vulnerability (product-reviews-have-moved notice) (#42728)

* Revert "k6 perf tests: Fix parsing of COT/HPOS environment variable (#40930)"

This reverts commit 50c56d8427c4ef4447b3b0591b5f7252ba63e188, reversing
changes made to cbc3bac88c42f6a22f7d5ab8ab319f1f232a82cb.

* Address potential rXSS vulnerability in the product-reviews-have-moved notice.

* Changelog.

* Restore button-based approach for notice dismissal.

In the context of this edit comments screen, it looks better as a button (than as a link, which would require extra CSS to support).

* Tidy.

* Update tests: reviews-have-moved notice HTML has been updated.

* Modify form-based approach following code-review feedback.

---------

Co-authored-by: barryhughes <3594411+barryhughes@users.noreply.github.com>
---
 .../changelog/fix-xss-review-dismiss-notice   |  4 +++
 .../ReviewsCommentsOverrides.php              | 30 +++++++++++--------
 .../ReviewsCommentsOverridesTest.php          |  4 ++-
 3 files changed, 25 insertions(+), 13 deletions(-)
 create mode 100644 plugins/woocommerce/changelog/fix-xss-review-dismiss-notice

diff --git a/plugins/woocommerce/changelog/fix-xss-review-dismiss-notice b/plugins/woocommerce/changelog/fix-xss-review-dismiss-notice
new file mode 100644
index 00000000000..bd2040e7d3e
--- /dev/null
+++ b/plugins/woocommerce/changelog/fix-xss-review-dismiss-notice
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Remove the potential for a Reflected XSS attack in relation to a dismissable notice in the edit comments screen.
diff --git a/plugins/woocommerce/src/Internal/Admin/ProductReviews/ReviewsCommentsOverrides.php b/plugins/woocommerce/src/Internal/Admin/ProductReviews/ReviewsCommentsOverrides.php
index b54e9c10b3a..f1e46bb139f 100644
--- a/plugins/woocommerce/src/Internal/Admin/ProductReviews/ReviewsCommentsOverrides.php
+++ b/plugins/woocommerce/src/Internal/Admin/ProductReviews/ReviewsCommentsOverrides.php
@@ -73,26 +73,32 @@ class ReviewsCommentsOverrides {
 	 * @return void
 	 */
 	protected function display_reviews_moved_notice() : void {
-		$dismiss_url = wp_nonce_url(
-			add_query_arg(
-				[
-					'wc-hide-notice' => urlencode( static::REVIEWS_MOVED_NOTICE_ID ),
-				]
-			),
-			'woocommerce_hide_notices_nonce',
-			'_wc_notice_nonce'
-		);
 		?>
-
 		<div class="notice notice-info is-dismissible">
 			<p><strong><?php esc_html_e( 'Product reviews have moved!', 'woocommerce' ); ?></strong></p>
 			<p><?php esc_html_e( 'Product reviews can now be managed from Products > Reviews.', 'woocommerce' ); ?></p>
 			<p class="submit">
 				<a href="<?php echo esc_url( admin_url( 'edit.php?post_type=product&page=product-reviews' ) ); ?>" class="button-primary"><?php esc_html_e( 'Visit new location', 'woocommerce' ); ?></a>
 			</p>
-			<button type="button" class="notice-dismiss" onclick="window.location = '<?php echo esc_url( $dismiss_url ); ?>';"><span class="screen-reader-text"><?php esc_html_e( 'Dismiss this notice.', 'woocommerce' ); ?></span></button>
-		</div>
 
+			<form action="<?php echo esc_url( admin_url( 'edit-comments.php' ) ); ?>" method="get">
+				<input type="hidden" name="wc-hide-notice" value="<?php echo esc_attr( static::REVIEWS_MOVED_NOTICE_ID ); ?>" />
+
+				<?php if ( ! empty( $_GET['comment_status'] ) ): ?>
+					<input type="hidden" name="comment_status" value="<?php echo esc_attr( $_GET['comment_status'] ); ?>" />
+				<?php endif; ?>
+
+				<?php if ( ! empty( $_GET['paged'] ) ): ?>
+					<input type="hidden" name="paged" value="<?php echo esc_attr( $_GET['paged'] ); ?>" />
+				<?php endif; ?>
+
+				<?php wp_nonce_field( 'woocommerce_hide_notices_nonce', '_wc_notice_nonce' ); ?>
+
+				<button type="submit" class="notice-dismiss">
+					<span class="screen-reader-text"><?php esc_html_e( 'Dismiss this notice.', 'woocommerce' ); ?></span>
+				</button>
+			</form>
+		</div>
 		<?php
 	}
 
diff --git a/plugins/woocommerce/tests/php/src/Internal/Admin/ProductReviews/ReviewsCommentsOverridesTest.php b/plugins/woocommerce/tests/php/src/Internal/Admin/ProductReviews/ReviewsCommentsOverridesTest.php
index 295d78a5119..e0ef8fa4e53 100644
--- a/plugins/woocommerce/tests/php/src/Internal/Admin/ProductReviews/ReviewsCommentsOverridesTest.php
+++ b/plugins/woocommerce/tests/php/src/Internal/Admin/ProductReviews/ReviewsCommentsOverridesTest.php
@@ -205,7 +205,9 @@ class ReviewsCommentsOverridesTest extends WC_Unit_Test_Case {
 
 		$this->assertStringContainsString( '<div class="notice notice-info is-dismissible">', $output );
 		$this->assertStringContainsString( '<a href="http://' . WP_TESTS_DOMAIN . '/wp-admin/edit.php?post_type=product&#038;page=product-reviews" class="button-primary">', $output );
-		$this->assertStringContainsString( '<button type="button" class="notice-dismiss" onclick="window.location = \'?wc-hide-notice=product_reviews_moved&#038;_wc_notice_nonce=' . $nonce . '\';">', $output );
+		$this->assertStringContainsString( '<input type="hidden" name="wc-hide-notice" value="product_reviews_moved" />', $output );
+		$this->assertStringContainsString( '<input type="hidden" id="_wc_notice_nonce" name="_wc_notice_nonce" value="' . $nonce . '" />', $output );
+		$this->assertStringNotContainsString( 'onclick', $output );
 	}
 
 	/**