wc_sanitize_tooltip
parent
3b0ffb6047
commit
c44100f9e7
@ -243,7 +243,6 @@ abstract class WC_Settings_API {
|
|||
* @return string
|
||||
*/
|
||||
public function get_tooltip_html( $data ) {
|
||||
|
||||
if ( $data['desc_tip'] === true ) {
|
||||
$tip = $data['description'];
|
||||
} elseif ( ! empty( $data['desc_tip'] ) ) {
|
||||
|
@ -252,7 +251,7 @@ abstract class WC_Settings_API {
|
|||
$tip = '';
|
||||
}
|
||||
|
||||
return $tip ? '<img class="help_tip" data-tip="' . esc_attr( $tip ) . '" src="' . WC()->plugin_url() . '/assets/images/help.png" height="16" width="16" />' : '';
|
||||
return $tip ? '<img class="help_tip" data-tip="' . esc_attr( wc_sanitize_tooltip( $tip ) ) . '" src="' . WC()->plugin_url() . '/assets/images/help.png" height="16" width="16" />' : '';
|
||||
}
|
||||
|
||||
/**
|
||||
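Review bot: The return at the end of the second hunk assembles the `<img>` tag by string concatenation and drops `WC()->plugin_url()` into the `src` attribute unescaped, while the tooltip text next to it goes through `esc_attr()`; a `sprintf()` keeps the markup readable and lets the URL be escaped for its own context: `return $tip ? sprintf( '<img class="help_tip" data-tip="%s" src="%s/assets/images/help.png" height="16" width="16" />', esc_attr( wc_sanitize_tooltip( $tip ) ), esc_url( WC()->plugin_url() ) ) : '';`. The first hunk's header counts one line removed that the rendered view does not show, so that deletion cannot be reviewed here. get_tooltip_html() opens in the first hunk and closes inside the second, so the method is visible end to end across the two.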
@ -478,7 +478,7 @@ class WC_Admin_Post_Types {
|
|||
break;
|
||||
case 'customer_message' :
|
||||
if ( $the_order->customer_message ) {
|
||||
echo '<span class="note-on tips" data-tip="' . esc_attr( strip_tags( html_entity_decode( $the_order->customer_message ) ) ) . '">' . __( 'Yes', 'woocommerce' ) . '</span>';
|
||||
echo '<span class="note-on tips" data-tip="' . esc_attr( wc_sanitize_tooltip( $the_order->customer_message ) ) . '">' . __( 'Yes', 'woocommerce' ) . '</span>';
|
||||
} else {
|
||||
echo '<span class="na">–</span>';
|
||||
}
|
||||
|
@ -535,7 +535,7 @@ class WC_Admin_Post_Types {
|
|||
if ( $post->comment_count ) {
|
||||
|
||||
// check the status of the post
|
||||
( $post->post_status !== 'trash' ) ? $status = '' : $status = 'post-trashed';
|
||||
$status = ( 'trash' !== $post->post_status ) ? '' : 'post-trashed';
|
||||
|
||||
$latest_notes = get_comments( array(
|
||||
'post_id' => $post->ID,
|
||||
|
@ -546,9 +546,9 @@ class WC_Admin_Post_Types {
|
|||
$latest_note = current( $latest_notes );
|
||||
|
||||
if ( $post->comment_count == 1 ) {
|
||||
echo '<span class="note-on tips" data-tip="' . esc_attr( $latest_note->comment_content ) . '">' . __( 'Yes', 'woocommerce' ) . '</span>';
|
||||
echo '<span class="note-on tips" data-tip="' . esc_attr( wc_sanitize_tooltip( $latest_note->comment_content ) ) . '">' . __( 'Yes', 'woocommerce' ) . '</span>';
|
||||
} else {
|
||||
$note_tip = isset( $latest_note->comment_content ) ? esc_attr( $latest_note->comment_content . '<small style="display:block">' . sprintf( _n( 'plus %d other note', 'plus %d other notes', ( $post->comment_count - 1 ), 'woocommerce' ), ( $post->comment_count - 1 ) ) . '</small>' ) : sprintf( _n( '%d note', '%d notes', $post->comment_count, 'woocommerce' ), $post->comment_count );
|
||||
$note_tip = isset( $latest_note->comment_content ) ? esc_attr( wc_sanitize_tooltip( $latest_note->comment_content ) . '<small style="display:block">' . sprintf( _n( 'plus %d other note', 'plus %d other notes', ( $post->comment_count - 1 ), 'woocommerce' ), ( $post->comment_count - 1 ) ) . '</small>' ) : sprintf( _n( '%d note', '%d notes', $post->comment_count, 'woocommerce' ), $post->comment_count );
|
||||
|
||||
echo '<span class="note-on tips" data-tip="' . $note_tip . '">' . __( 'Yes', 'woocommerce' ) . '</span>';
|
||||
}
|
||||
|
@ -581,7 +581,7 @@ class WC_Admin_Post_Types {
|
|||
$customer_tip .= __( 'Tel:', 'woocommerce' ) . ' ' . $the_order->billing_phone;
|
||||
}
|
||||
|
||||
echo '<div class="tips" data-tip="' . esc_attr( $customer_tip ) . '">';
|
||||
echo '<div class="tips" data-tip="' . esc_attr( wc_sanitize_tooltip( $customer_tip ) ) . '">';
|
||||
|
||||
if ( $the_order->user_id ) {
|
||||
$user_info = get_userdata( $the_order->user_id );
|
||||
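Review bot: In the customer_message hunk (@478), the old code ran `strip_tags()` over the decoded message so no markup typed into the checkout form survived, whereas `wc_sanitize_tooltip()` keeps an allowlist of tags (`p`, `ul`, `li`, `span`, …), which looks like an unintended widening for customer-supplied text even though no attributes are allowed. If customer messages are meant to stay plain text, `esc_attr( strip_tags( html_entity_decode( $the_order->customer_message ) ) )` preserves the previous behaviour while the new sanitizer remains in place for the order notes in the @546 hunk. Whether the comment_content branches at @546 need the same treatment depends on whether order notes can originate from customers, which these hunks do not show. The enclosing `switch` and method continue outside every hunk in this section.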
@ -253,6 +253,24 @@ function wc_clean( $var ) {
|
|||
return sanitize_text_field( $var );
|
||||
}
|
||||
|
||||
/**
|
||||
* Sanitize a string destined to be a tooltip. Prevents XSS.
|
||||
* @param string $var
|
||||
* @return string
|
||||
*/
|
||||
function wc_sanitize_tooltip( $var ) {
|
||||
return wp_kses( html_entity_decode( $var ), array(
|
||||
'br' => array(),
|
||||
'em' => array(),
|
||||
'strong' => array(),
|
||||
'span' => array(),
|
||||
'ul' => array(),
|
||||
'li' => array(),
|
||||
'ol' => array(),
|
||||
'p' => array(),
|
||||
) );
|
||||
}
|
||||
|
||||
/**
|
||||
* Merge two arrays
|
||||
*
|
||||
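Review bot: `html_entity_decode( $var )` in wc_sanitize_tooltip() relies on PHP's default flags and charset, so the decode step depends on the PHP version (the default charset was ISO-8859-1 before PHP 5.4) and leaves single-quote entities untouched under the default ENT_COMPAT; pass them explicitly: `return wp_kses( html_entity_decode( $var, ENT_QUOTES, 'UTF-8' ), array(`. The docblock should also state the contract the call sites depend on, for example `* Returns an HTML fragment restricted to the listed tags (no attributes allowed); callers must still escape it for their output context, e.g. esc_attr() for a data-tip attribute.`. Decoding before wp_kses() is the right order, since decoding afterwards would reintroduce the tags kses removed.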
@ -144,6 +144,7 @@ Yes you can! Join in on our [GitHub repository](http://github.com/woothemes/wooc
|
|||
* Fix - Settings API - allow multiselect fields to be emptied.
|
||||
* Fix - Saving an order needs to save the discount amount ex. tax like the cart.
|
||||
* Fix - Order again with custom attributes.
|
||||
* Fix - Prevent potential XSS within tooltips.
|
||||
* Tweak - Show discounts inc. tax when showing order totals inc. tax.
|
||||
* Tweak - Use 30 days instead of year for transients to avoid bugs in memcache plugins.
|
||||
* Tweak - Add reports menu item if user can access reports but not the main WC section.
|
||||