Cherry pick #290 into trunk - Address potential rXSS vulnerability (product-reviews-have-moved notice) (#42728)

* Revert "k6 perf tests: Fix parsing of COT/HPOS environment variable (#40930)"

This reverts commit 50c56d8427, reversing
changes made to cbc3bac88c.

* Address potential rXSS vulnerability in the product-reviews-have-moved notice.

* Changelog.

* Restore button-based approach for notice dismissal.

In the context of the edit-comments screen, a button looks better than a link (which would require extra CSS to support).

* Tidy.

* Update tests: reviews-have-moved notice HTML has been updated.

* Modify form-based approach following code-review feedback.

---------

Co-authored-by: barryhughes <3594411+barryhughes@users.noreply.github.com>
nigeljamesstevenson 2023-12-18 16:28:17 +00:00 committed by GitHub
parent bb63146947
commit bbe2a6f2d7
3 changed files with 25 additions and 13 deletions


@ -0,0 +1,4 @@
Significance: patch
Type: fix
Remove the potential for a Reflected XSS attack in relation to a dismissable notice in the edit comments screen.


@ -73,26 +73,32 @@ class ReviewsCommentsOverrides {
* @return void
*/
protected function display_reviews_moved_notice() : void {
$dismiss_url = wp_nonce_url(
add_query_arg(
[
'wc-hide-notice' => urlencode( static::REVIEWS_MOVED_NOTICE_ID ),
]
),
'woocommerce_hide_notices_nonce',
'_wc_notice_nonce'
);
?>
<div class="notice notice-info is-dismissible">
<p><strong><?php esc_html_e( 'Product reviews have moved!', 'woocommerce' ); ?></strong></p>
<p><?php esc_html_e( 'Product reviews can now be managed from Products > Reviews.', 'woocommerce' ); ?></p>
<p class="submit">
<a href="<?php echo esc_url( admin_url( 'edit.php?post_type=product&page=product-reviews' ) ); ?>" class="button-primary"><?php esc_html_e( 'Visit new location', 'woocommerce' ); ?></a>
</p>
<button type="button" class="notice-dismiss" onclick="window.location = '<?php echo esc_url( $dismiss_url ); ?>';"><span class="screen-reader-text"><?php esc_html_e( 'Dismiss this notice.', 'woocommerce' ); ?></span></button>
</div>
<form action="<?php echo esc_url( admin_url( 'edit-comments.php' ) ); ?>" method="get">
<input type="hidden" name="wc-hide-notice" value="<?php echo esc_attr( static::REVIEWS_MOVED_NOTICE_ID ); ?>" />
<?php if ( ! empty( $_GET['comment_status'] ) ): ?>
<input type="hidden" name="comment_status" value="<?php echo esc_attr( $_GET['comment_status'] ); ?>" />
<?php endif; ?>
<?php if ( ! empty( $_GET['paged'] ) ): ?>
<input type="hidden" name="paged" value="<?php echo esc_attr( $_GET['paged'] ); ?>" />
<?php endif; ?>
<?php wp_nonce_field( 'woocommerce_hide_notices_nonce', '_wc_notice_nonce' ); ?>
<button type="submit" class="notice-dismiss">
<span class="screen-reader-text"><?php esc_html_e( 'Dismiss this notice.', 'woocommerce' ); ?></span>
</button>
</form>
</div>
<?php
}
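Review bot: The two hidden-field lines read `$_GET['comment_status']` and `$_GET['paged']` raw; `esc_attr()` does close the reflected-XSS hole, but WordPress core slashes request superglobals, so a value containing a backslash is re-emitted with it doubled, and `paged` is passed through as free text where the screen expects a page number. Sanitising at the read is cheap and also satisfies the usual WordPress phpcs input sniffs: `value="<?php echo esc_attr( sanitize_text_field( wp_unslash( $_GET['comment_status'] ) ) ); ?>"` and `value="<?php echo absint( $_GET['paged'] ); ?>"`. The two alternative-syntax openers `<?php if ( ! empty( ... ) ): ?>` also lack the space before the colon that WordPress coding standards expect (`) :`). The nonce emitted by `wp_nonce_field()` here is presumably verified by the `wc-hide-notice` handler, which is outside this hunk and not reviewed.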


@ -205,7 +205,9 @@ class ReviewsCommentsOverridesTest extends WC_Unit_Test_Case {
$this->assertStringContainsString( '<div class="notice notice-info is-dismissible">', $output );
$this->assertStringContainsString( '<a href="http://' . WP_TESTS_DOMAIN . '/wp-admin/edit.php?post_type=product&#038;page=product-reviews" class="button-primary">', $output );
$this->assertStringContainsString( '<button type="button" class="notice-dismiss" onclick="window.location = \'?wc-hide-notice=product_reviews_moved&#038;_wc_notice_nonce=' . $nonce . '\';">', $output );
$this->assertStringContainsString( '<input type="hidden" name="wc-hide-notice" value="product_reviews_moved" />', $output );
$this->assertStringContainsString( '<input type="hidden" id="_wc_notice_nonce" name="_wc_notice_nonce" value="' . $nonce . '" />', $output );
$this->assertStringNotContainsString( 'onclick', $output );
}
/**
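Review bot: The new assertions pin the `wc-hide-notice` and `_wc_notice_nonce` inputs but never exercise the only request-derived values the rewritten notice still reflects, the `comment_status` and `paged` hidden fields, so an escaping regression there would pass this test. A second case that sets `$_GET['comment_status'] = '"><script>';` before rendering, asserts `assertStringContainsString( 'name="comment_status" value="&quot;&gt;&lt;script&gt;"', $output )`, and unsets `$_GET['comment_status']` afterwards would pin the fix; a run with `$_GET` empty should assert `name="comment_status"` is absent. The enclosing test method begins above this hunk, so how `$output` is captured is not visible here.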