From e0053afd6a382d1bbd6eef3915e9fc22ac834ca6 Mon Sep 17 00:00:00 2001
From: Darren Ethier
Date: Wed, 14 Jul 2021 16:55:12 -0400
Subject: [PATCH] Merge pull request from GHSA-6hq4-w6wv-8wrp
---
 .../src/StoreApi/Utilities/ProductQueryFilters.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/plugins/woocommerce-blocks/src/StoreApi/Utilities/ProductQueryFilters.php b/plugins/woocommerce-blocks/src/StoreApi/Utilities/ProductQueryFilters.php
index d8ebb7655be..bd3038ac8a0 100644
--- a/plugins/woocommerce-blocks/src/StoreApi/Utilities/ProductQueryFilters.php
+++ b/plugins/woocommerce-blocks/src/StoreApi/Utilities/ProductQueryFilters.php
@@ -83,7 +83,13 @@ class ProductQueryFilters {
 $attributes = array_map( 'wc_attribute_taxonomy_name_by_id', wp_parse_id_list( $attributes ) );
 }
- $attributes_to_count = array_map( 'wc_sanitize_taxonomy_name', $attributes );
+ $attributes_to_count = array_map(
+ function( $attribute ) {
+ $attribute = wc_sanitize_taxonomy_name( $attribute );
+ return esc_sql( $attribute );
+ },
+ $attributes );
 $attributes_to_count_sql = 'AND term_taxonomy.taxonomy IN ("' . implode( '","', $attributes_to_count ) . '")';
 $attribute_count_sql = "
 SELECT COUNT( DISTINCT posts.ID ) as term_count, terms.term_id as term_count_id
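Review bot: The escaped taxonomy names are still spliced into the query by string concatenation on the `$attributes_to_count_sql` line, so the fix only holds as long as every value is wrapped in double quotes at the point of use and nobody later reuses `$attributes_to_count` (now holding `esc_sql`-mangled strings) as plain taxonomy names; the enclosing method continues past the end of this hunk, so I cannot confirm that from here. Binding the values with `$wpdb->prepare()` and one `%s` placeholder per element ties the escaping to the query itself and keeps the sanitized array usable elsewhere; the empty-list case must be kept separate because `IN ()` is a MySQL syntax error whereas the current code yields `IN ("")`. This presumes `$wpdb` is in scope in this method (it is what `esc_sql` escapes with), which should be verified against the surrounding code. If the concatenation is kept instead, a comment such as `// Values are esc_sql()-escaped and must stay inside the double quotes below.` on the `$attributes_to_count_sql` line would at least record the coupling.

```php
$attributes_to_count = array_map( 'wc_sanitize_taxonomy_name', $attributes );
if ( empty( $attributes_to_count ) ) {
	// Preserve the existing behaviour of matching no taxonomy at all.
	$attributes_to_count_sql = 'AND term_taxonomy.taxonomy IN ("")';
} else {
	$placeholders            = implode( ',', array_fill( 0, count( $attributes_to_count ), '%s' ) );
	// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- only %s placeholders are interpolated.
	$attributes_to_count_sql = $wpdb->prepare( "AND term_taxonomy.taxonomy IN ({$placeholders})", $attributes_to_count );
}
// … unchanged: $attribute_count_sql …
```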