Correctly sanitize posted attributes when JS is off.
This commit is contained in:
parent
18f9bb408f
commit
e56b007af1
@ -877,17 +877,39 @@ class WC_Form_Handler {
|
|||
}
|
||||
}
|
||||
|
||||
// Gather posted attributes.
|
||||
$posted_attributes = array();
|
||||
|
||||
foreach ( $adding_to_cart->get_attributes() as $attribute ) {
|
||||
if ( ! $attribute['is_variation'] ) {
|
||||
continue;
|
||||
}
|
||||
$attribute_key = 'attribute_' . sanitize_title( $attribute['name'] );
|
||||
|
||||
if ( isset( $_REQUEST[ $attribute_key ] ) ) {
|
||||
if ( $attribute['is_taxonomy'] ) {
|
||||
// Don't use wc_clean as it destroys sanitized characters.
|
||||
$value = sanitize_title( wp_unslash( $_REQUEST[ $attribute_key ] ) );
|
||||
} else {
|
||||
$value = html_entity_decode( wc_clean( wp_unslash( $_REQUEST[ $attribute_key ] ) ), ENT_QUOTES, get_bloginfo( 'charset' ) ); // WPCS: sanitization ok.
|
||||
}
|
||||
|
||||
$posted_attributes[ $attribute_key ] = $value;
|
||||
}
|
||||
}
|
||||
|
||||
// If no variation ID is set, attempt to get a variation ID from posted attributes.
|
||||
if ( empty( $variation_id ) ) {
|
||||
$data_store = WC_Data_Store::load( 'product' );
|
||||
$variation_id = $data_store->find_matching_product_variation( $adding_to_cart, array_map( 'sanitize_title', wp_unslash( $_REQUEST ) ) );
|
||||
$variation_id = $data_store->find_matching_product_variation( $adding_to_cart, $posted_attributes );
|
||||
}
|
||||
|
||||
// Validate the attributes.
|
||||
// Do we have a variation ID?
|
||||
if ( empty( $variation_id ) ) {
|
||||
throw new Exception( __( 'Please choose product options…', 'woocommerce' ) );
|
||||
}
|
||||
|
||||
// Check the data we have is valid.
|
||||
$variation_data = wc_get_product_variation_attributes( $variation_id );
|
||||
|
||||
foreach ( $adding_to_cart->get_attributes() as $attribute ) {
|
||||
|
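Review bot: The new gathering loop checks only `isset( $_REQUEST[ $attribute_key ] )` before passing the value to `sanitize_title()` / `html_entity_decode()`, so a request that submits the attribute as an array (`attribute_x[]=...`) reaches those string functions with an array; on PHP 8 that is a TypeError rather than the "Please choose product options" / "Invalid value" exception the surrounding code expects, and `wc_clean()` would pass an array through recursively instead of rejecting it. Tightening the guard to `if ( isset( $_REQUEST[ $attribute_key ] ) && ! is_array( $_REQUEST[ $attribute_key ] ) ) {` keeps non-scalar input out of `$posted_attributes` so the existing validation path handles it. A one-line comment on `$posted_attributes = array();` such as `// Sanitized attribute_* values keyed by attribute key; only variation attributes are collected.` would also help readers of the later validation loop. The enclosing method starts before this hunk and continues past it.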
@ -896,28 +918,23 @@ class WC_Form_Handler {
|
|||
}
|
||||
|
||||
// Get valid value from variation data.
|
||||
$taxonomy = 'attribute_' . sanitize_title( $attribute['name'] );
|
||||
$valid_value = isset( $variation_data[ $taxonomy ] ) ? $variation_data[ $taxonomy ] : '';
|
||||
$attribute_key = 'attribute_' . sanitize_title( $attribute['name'] );
|
||||
$valid_value = isset( $variation_data[ $attribute_key ] ) ? $variation_data[ $attribute_key ]: '';
|
||||
|
||||
/**
|
||||
* If the attribute value was posted, check if it's valid.
|
||||
*
|
||||
* If no attribute was posted, only error if the variation has an 'any' attribute which requires a value.
|
||||
*/
|
||||
if ( isset( $_REQUEST[ $taxonomy ] ) ) {
|
||||
if ( $attribute['is_taxonomy'] ) {
|
||||
// Don't use wc_clean as it destroys sanitized characters.
|
||||
$value = sanitize_title( wp_unslash( $_REQUEST[ $taxonomy ] ) );
|
||||
} else {
|
||||
$value = html_entity_decode( wc_clean( wp_unslash( $_REQUEST[ $taxonomy ] ) ), ENT_QUOTES, get_bloginfo( 'charset' ) ); // WPCS: sanitization ok.
|
||||
}
|
||||
if ( isset( $posted_attributes[ $attribute_key ] ) ) {
|
||||
$value = $posted_attributes[ $attribute_key ];
|
||||
|
||||
// Allow if valid or show error.
|
||||
if ( $valid_value === $value ) {
|
||||
$variations[ $taxonomy ] = $value;
|
||||
$variations[ $attribute_key ] = $value;
|
||||
} elseif ( '' === $valid_value && in_array( $value, $attribute->get_slugs() ) ) {
|
||||
// If valid values are empty, this is an 'any' variation so get all possible values.
|
||||
$variations[ $taxonomy ] = $value;
|
||||
$variations[ $attribute_key ] = $value;
|
||||
} else {
|
||||
throw new Exception( sprintf( __( 'Invalid value posted for %s', 'woocommerce' ), wc_attribute_label( $attribute['name'] ) ) );
|
||||
}
|
||||
|
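Review bot: The new `$valid_value` line drops the space before the ternary colon (`$variation_data[ $attribute_key ]: ''`) that the replaced line had, which is inconsistent with the rest of the file's WPCS spacing; `$valid_value = isset( $variation_data[ $attribute_key ] ) ? $variation_data[ $attribute_key ] : '';` restores it. The `'any'` branch that `$value` now flows into still uses a loose `in_array( $value, $attribute->get_slugs() )`, so numeric-looking slugs compare with `==` semantics (for example `'1e3'` equals `'1000'`); since `$value` and the slugs are both strings here, `in_array( $value, $attribute->get_slugs(), true )` is the safer form and does not change accepted values for ordinary slugs. That line is unchanged context in this commit, and the `if ( isset( $posted_attributes[ $attribute_key ] ) )` block it belongs to closes outside the hunk.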
@ -933,7 +950,7 @@ class WC_Form_Handler {
|
|||
return false;
|
||||
}
|
||||
|
||||
$passed_validation = apply_filters( 'woocommerce_add_to_cart_validation', true, $product_id, $quantity, $variation_id, $variations );
|
||||
$passed_validation = apply_filters( 'woocommerce_add_to_cart_validation', true, $product_id, $quantity, $variation_id, $variations );
|
||||
|
||||
if ( $passed_validation && false !== WC()->cart->add_to_cart( $product_id, $quantity, $variation_id, $variations ) ) {
|
||||
wc_add_to_cart_message( array( $product_id => $quantity ), true );
|
||||
|
|