Fix coupon codes containing apostrophes (#40998)

* Use wp_kses_post to sanitize coupon codes

* Fix notice (php 8)

* Add changefile(s) from automation for the following project(s): woocommerce

* Add changefile(s) from automation for the following project(s): woocommerce

* Remove duplicate changelog entry

* Try alternative wp_kses function

* Account for unfiltered_html

---------

Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Thomas Roberts <thomas.roberts@automattic.com>
Mike Jolley 2024-02-13 17:01:49 +00:00 committed by GitHub
parent a48e2111b8
commit cea1c10122
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 20 additions and 4 deletions


@ -0,0 +1,4 @@
Significance: patch
Type: fix
Fixed coupon errors with coupon codes containing apostrophes.


@ -81,6 +81,15 @@ class WC_Coupon extends WC_Legacy_Coupon {
*/
protected $cache_group = 'coupons';
/**
* Sorting.
*
* Used by `get_coupons_from_cart` to sort coupons.
*
* @var int
*/
public $sort = 0;
/**
* Coupon constructor. Loads coupon data.
*
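Review bot: `public $sort = 0;` is an untyped, publicly writable property, so any caller can assign a non-integer value and the `@var int` in the docblock is not enforced; if the project's minimum PHP is 7.4 or later, `public int $sort = 0;` would make that contract real. The docblock names `get_coupons_from_cart` as the only user, so a one-line note on why the value is stored on the coupon object rather than kept local to that caller would help the next reader. `WC_Coupon` starts outside the hunk.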


@ -371,15 +371,17 @@ function wc_format_coupon_code( $value ) {
/**
* Sanitize a coupon code.
*
* Uses sanitize_post_field since coupon codes are stored as
* post_titles - the sanitization and escaping must match.
* Uses sanitize_post_field since coupon codes are stored as post_titles - the sanitization and escaping must match.
*
* Due to the unfiltered_html captability that some (admin) users have, we need to account for slashes.
*
* @since 3.6.0
* @param string $value Coupon code to format.
* @return string
*/
function wc_sanitize_coupon_code( $value ) {
return wp_filter_kses( sanitize_post_field( 'post_title', $value ?? '', 0, 'db' ) );
$value = wp_kses( sanitize_post_field( 'post_title', $value ?? '', 0, 'db' ), 'entities' );
return current_user_can( 'unfiltered_html' ) ? $value : stripslashes( $value );
}
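Review bot: The return value of `wc_sanitize_coupon_code` now depends on `current_user_can( 'unfiltered_html' )`, so the same raw code can canonicalise differently depending on who, if anyone, is logged in when it runs — saving as an administrator in wp-admin versus matching at checkout, or in cron/CLI contexts where no user is set, may not agree on backslashes. If the `stripslashes()` branch exists to undo the slashing that WordPress's `wp_filter_kses` applies through the title save filters only for users lacking that capability (the existing "sanitization and escaping must match" wording suggests so), say that next to the code, e.g. `// Users without unfiltered_html get wp_filter_kses on title_save_pre, which returns slashed data; strip it so stored and entered codes compare equal.` The new docblock line also has a typo: `captability` should read `capability`.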
/**


@ -16,6 +16,7 @@ class WC_Formatting_Functions_Test extends \WC_Unit_Test_Case {
public function test_wc_sanitize_coupon_code() {
$this->assertEquals( 'DUMMYCOUPON', wc_sanitize_coupon_code( 'DUMMYCOUPON' ) );
$this->assertEquals( 'a&amp;a', wc_sanitize_coupon_code( 'a&a' ) );
$this->assertEquals( "test's", wc_sanitize_coupon_code( "test's" ) );
}
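Review bot: The added assertion on `"test's"` only exercises the `stripslashes()` branch of `wc_sanitize_coupon_code`, since a test case with no privileged user set presumably fails `current_user_can( 'unfiltered_html' )` — the fixture is outside the hunk, so this is inferred. A second assertion run as a user who holds that capability, ideally with an input containing a backslash, would pin the other branch and show whether both contexts canonicalise the same code identically. `WC_Formatting_Functions_Test` starts outside the hunk.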
/**