Commit Graph

12006 Commits

Author SHA1 Message Date
Claudio Sanches 95a4133bb7 Removed WooCommerce::fix_server_vars, closes #14 2015-06-01 13:37:33 +01:00
Mike Jolley 5b435024ea Use htmlspecialchars to ensure characters get encoded for select2
We cannot update to select2 4.0 until a major release. Closes #4
2015-06-01 13:37:26 +01:00
Mike Jolley c5bb4ad473 Fix tooltip implode 2015-06-01 13:37:21 +01:00
Mike Jolley cb2079deaa wc_send_frame_options_header
Prevent Clickjacking - prevent checkout and account pages from being
used in iFrames. Added via filter so this can be disabled.

Closes #8
2015-06-01 13:37:12 +01:00
Mike Jolley 3b45c0d46f Set nonce_user_logged_out to WC session ID, if set
Closes #9
2015-06-01 13:36:07 +01:00
Mike Jolley ed99be9aed Sanitize tooltips with htmlspecialchars and remove esc_attr usage
Part of #4
2015-06-01 13:36:03 +01:00
Claudio Sanches 51c8bbf87c wrong nonce verification 2015-06-01 13:33:51 +01:00
Mike Jolley ec5a693ad7 Use prepare for updating attributes
Closes #7
2015-06-01 13:29:02 +01:00
Claudio Sanches 9eb3b6ddf9 Changed all requests with wp_remote_* to wp_safe_remote_* 2015-06-01 13:28:55 +01:00
Alexander Concha c1db266e80 Explicitly cast as integer the rating comment meta.
On multisite this can contain arbitrary values.
2015-06-01 13:27:16 +01:00
Ben Bidner 27f1c15900 email templates can only be moved / deleted / edited if the user has `edit_themes` capabilities 2015-06-01 13:26:02 +01:00
Claudio Sanches 48094b9bf2 Added nonces and check capability when hide admin notices 2015-06-01 13:19:26 +01:00
Claudio Sanches 65608d3fd0 Added nonces and check capability to copy or delete email templates, closes #5 2015-06-01 13:12:25 +01:00
Claudio Sanches 5b00dee203 Implemented wp_safe_remote_* functions for webhooks requests #10 2015-06-01 13:09:21 +01:00
Claudio Sanches 166ec607c0 Escape columns 2015-06-01 13:08:33 +01:00
Alexander Concha f194330aeb Escape properly echoed values
The variables $base_slug/$structures may contain unsafe values due to
the use of urldecode. For example if the post slug is '%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E'
2015-06-01 12:59:03 +01:00
Alexander Concha f38bc86c5d Escape properly the metadata to be copied.
Fixes a SQL injection because the meta key can contain arbitrary values.
2015-06-01 12:58:56 +01:00
Alexander Concha 3c1b14d00d Escape properly the provided array of post codes
The callers only run wc_clean/esc_attr on the provided values which are
not functions meant to protect against SQL injections.
2015-06-01 12:58:51 +01:00
Ben Bidner 7d8db595f2 Fixes an (admin) SQLi when setting stock levels for product variations 2015-06-01 12:58:38 +01:00
Alexander Concha 7896b49684 fclose requires a resource, not a string. 2015-06-01 12:58:06 +01:00
Ben Bidner 2740db17c0 Merge conflict - esc customer data 2015-06-01 12:57:48 +01:00
Ben Bidner f46060a0dd Remove call to `wp_specialchars_decode()` in `wc_get_price_thousand_separator()` and `wc_get_price_decimal_separator()`.
Closes #6
2015-06-01 12:54:23 +01:00
Ben Bidner f3e3b5c209 add `$args` arguments to `WC_Product_Factory->get_product_class()` to allow `$product_type` to be overwritten by `$args['product_type']` 2015-06-01 12:54:18 +01:00
Ben Bidner 7b9a22208e readds the `$the_product` global variable 2015-06-01 12:54:14 +01:00
Ben Bidner c8dd2b6268 fixes usage of void return value from `wc_cart_totals_taxes_total_html()` 2015-06-01 12:54:07 +01:00
Ben Bidner f066a7bb21 pass correct number of arguments to `wc_lostpassword_url()`, `wc_nav_menu_items()`, `wc_nav_menu_item_classes()`, and `wc_change_term_counts()` 2015-06-01 12:53:51 +01:00
Ben Bidner 32e37b57d0 fixes too many arguments in function or method call: WC_Shortcode_My_Account::add_payment_method($wp->query_vars['add-payment-method']) 2015-06-01 12:52:10 +01:00
Ben Bidner 1aa020ca57 fixes undefined constant ('error_code' > '$error' typo) 2015-06-01 12:52:01 +01:00
Ben Bidner 5e22e13975 set default currency position format string (in case of missing or invalid `woocommerce_currency_pos` option value) 2015-06-01 12:51:56 +01:00
Mike Jolley 3d049ff379 [2.3] Clear expired transients on update 2015-06-01 11:39:03 +01:00
Mike Jolley 1ce272b385 [2.3] Tweak transient clear SQL 2015-06-01 11:38:43 +01:00
Mike Jolley b9708c4df9 Show refunded total shipping and taxes
Closes #8222
2015-06-01 11:06:11 +01:00
Mike Jolley 6760589381 Tweak code used to get country's statebox
Closes #8255
2015-06-01 10:50:16 +01:00
Mike Jolley bd7624e5b7 Check template code isset 2015-05-29 17:40:53 +01:00
Mike Jolley 1e3fcd0e6d [2.3] Avoid initialising classes when saving 2015-05-29 17:38:25 +01:00
Claudio Sanches b2a612dba2 [2.3] Revert some changes from a65616c 2015-05-29 12:27:38 -03:00
Mike Jolley 803f4a9e85 [2.3] Delete correct transient when linking variations
Closes #8241
2015-05-29 15:34:27 +01:00
Mike Jolley 3222d1473e Merge pull request #8242 from n-dawson/master
Add a filter to override needs_shipping_address order method.
2015-05-29 15:28:49 +01:00
Mike Jolley a7a290e12a Merge pull request #8250 from kilbot/patch-1
Add capability_type to product_variation
2015-05-29 15:27:41 +01:00
Mike Jolley 0a3defd798 Move tax enabled check 2015-05-29 14:55:57 +01:00
Claudio Sanches b2711f3d64 [API] Fixed products tags in write-mode 2015-05-29 10:05:15 -03:00
Claudio Sanches 88003436a6 [API] Add properly sanitization for categories and tags in products endpoint, closes #8251 2015-05-29 10:04:02 -03:00
Paul Kilmurray b16d443709 fix missing comma 2015-05-29 19:35:31 +08:00
Paul Kilmurray b158d517e9 Add capability_type to product_variation
By default the product_variation has `capability_type = 'post'` which means that users need `edit_post` capability to edit. This change will make variation capabilities consistent with products, ie: `edit_product`
2015-05-29 17:42:33 +08:00
Mike Jolley b91d3358ef Merge pull request #8247 from roykho/dynamic-variation-description
use esc_textarea function
2015-05-29 00:13:15 +01:00
roykho b9eefa58fa use esc_textarea function 2015-05-28 16:08:22 -07:00
Claudio Sanches 8b92bfa433 Merge pull request #8246 from roykho/dynamic-variation-description
Improved dynamic variation description and sanitized properly
2015-05-28 18:58:12 -03:00
roykho 54b0a0ca54 changed dynamic variation description to allow limited HTML and some sanitized tweaks 2015-05-28 14:31:45 -07:00
Mike Jolley e51eae80c6 Merge pull request #8167 from roykho/dynamic-variation-description
Dynamic variation description
2015-05-28 15:53:03 +01:00
Nathan Dawson e535e005b7 Add a filter to override needs_shipping_address order method.
If an order doesn't have any shipping methods it's not possible to set needs_shipping_address to true. When 'woocommerce_cart_needs_shipping_address' is set to true the address needs to be shown on the front end and in confirmation emails.
2015-05-28 15:48:37 +01:00