
Extra sanitizing around payment_method_title

claudiulodro committed Nov 27, 2018
1 parent c8954b0 commit 3ecc4bfda1fd42c9be3905d1ca6ab324b08efe30
@@ -105,6 +105,9 @@ protected function prepare_object_for_database( $request, $creating = false ) {
}
}
break;
case 'payment_method_title' :
$order->set_payment_method_title( sanitize_text_field( $value ) );
break;
case 'meta_data':
if ( is_array( $value ) ) {
foreach ( $value as $meta ) {
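Review bot: The new `case 'payment_method_title' :` branch sanitizes this one field only; the `default :` branch visible in the `prepare_item_for_database` hunk further down still forwards `$value` straight to whichever `set_{$key}` setter matches, so other free-text order fields appear to reach the model with no equivalent treatment unless the setters sanitize themselves. Stripping tags on input is a fair defense-in-depth step, but output escaping remains the primary control: the stored title is rendered by templates, and the template hunk in this commit escapes only the `payment_method` row. A one-line comment would record that intent for the next reader: `// Strip markup on the way in; the title must still be escaped wherever it is rendered.` The same three lines are added in the `prepare_item_for_database` hunk and the second `prepare_object_for_database` hunk, and this note applies to both. The enclosing `switch` and `prepare_object_for_database` begin and end outside the hunk.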
@@ -433,7 +433,7 @@ public function create_order( $data ) {
}
update_post_meta( $order->get_id(), '_payment_method', $data['payment_details']['method_id'] );
update_post_meta( $order->get_id(), '_payment_method_title', $data['payment_details']['method_title'] );
update_post_meta( $order->get_id(), '_payment_method_title', sanitize_text_field( $data['payment_details']['method_title'] ) );
// mark as paid if set
if ( isset( $data['payment_details']['paid'] ) && true === $data['payment_details']['paid'] ) {
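Review bot: Only `method_title` is wrapped in `sanitize_text_field()` here; the `_payment_method` write on the line above still stores `$data['payment_details']['method_id']` exactly as received. If that id is not validated against the registered gateways before this point (any such check is outside the hunk), it deserves the same treatment: `update_post_meta( $order->get_id(), '_payment_method', sanitize_text_field( $data['payment_details']['method_id'] ) );`. The same pattern is left in place in the second `create_order` hunk, and the two `edit_order` hunks likewise sanitize `method_title` only. `create_order`'s body continues on both sides of the hunk.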
@@ -585,7 +585,7 @@ public function edit_order( $id, $data ) {
// Method title.
if ( isset( $data['payment_details']['method_title'] ) ) {
update_post_meta( $order->get_id(), '_payment_method_title', $data['payment_details']['method_title'] );
update_post_meta( $order->get_id(), '_payment_method_title', sanitize_text_field( $data['payment_details']['method_title'] ) );
}
// Mark as paid if set.
@@ -473,7 +473,7 @@ public function create_order( $data ) {
}
update_post_meta( $order->get_id(), '_payment_method', $data['payment_details']['method_id'] );
update_post_meta( $order->get_id(), '_payment_method_title', $data['payment_details']['method_title'] );
update_post_meta( $order->get_id(), '_payment_method_title', sanitize_text_field( $data['payment_details']['method_title'] ) );
// mark as paid if set
if ( isset( $data['payment_details']['paid'] ) && true === $data['payment_details']['paid'] ) {
@@ -622,7 +622,7 @@ public function edit_order( $id, $data ) {
// Method title.
if ( isset( $data['payment_details']['method_title'] ) ) {
update_post_meta( $order->get_id(), '_payment_method_title', $data['payment_details']['method_title'] );
update_post_meta( $order->get_id(), '_payment_method_title', sanitize_text_field( $data['payment_details']['method_title'] ) );
}
// Mark as paid if set.
@@ -481,6 +481,9 @@ protected function prepare_item_for_database( $request ) {
}
}
break;
case 'payment_method_title' :
$order->set_payment_method_title( sanitize_text_field( $value ) );
break;
default :
if ( is_callable( array( $order, "set_{$key}" ) ) ) {
$order->{"set_{$key}"}( $value );
@@ -472,6 +472,9 @@ protected function prepare_object_for_database( $request, $creating = false ) {
}
}
break;
case 'payment_method_title' :
$order->set_payment_method_title( sanitize_text_field( $value ) );
break;
case 'meta_data':
if ( is_array( $value ) ) {
foreach ( $value as $meta ) {
@@ -13,7 +13,7 @@
* @see https://docs.woocommerce.com/document/template-structure/
* @author WooThemes
* @package WooCommerce/Templates
* @version 3.3.0
* @version 3.5.2
*/
if ( ! defined( 'ABSPATH' ) ) {
@@ -71,10 +71,18 @@
<tfoot>
<?php
foreach ( $order->get_order_item_totals() as $key => $total ) {
switch ( $key ) {
case 'payment_method':
$value = esc_html( $total['value'] );
break;
default:
$value = $total['value'];
break;
}
?>
<tr>
<th scope="row"><?php echo $total['label']; ?></th>
<td><?php echo $total['value']; ?></td>
<td><?php echo $value ?></td>
</tr>
<?php
}
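Review bot: The `default:` branch still echoes `$total['value']` unescaped, and `$total['label']` on the `<th scope="row">` line is echoed raw on both sides of the change. The other totals presumably carry price markup from `wc_price()`, which is why a blanket `esc_html()` would not fit, but `wp_kses_post()` keeps that markup while dropping script, so `$value = wp_kses_post( $total['value'] );` in the default branch and `esc_html( $total['label'] )` for the label would close the remaining gap. Separately, `<?php echo $value ?>` drops the semicolon that the neighbouring `<?php echo $total['label']; ?>` keeps. The `foreach` starts inside the hunk, but the table markup it sits in continues outside it.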
@@ -208,6 +208,82 @@ public function test_create_order() {
$this->assertEquals( 1, count( $data['shipping_lines'] ) );
}
/**
* Test the sanitization of the payment_method_title field through the API.
*
* @since 3.5.2
*/
public function test_create_update_order_payment_method_title_sanitize() {
wp_set_current_user( $this->user );
$product = WC_Helper_Product::create_simple_product();
// Test when creating order.
$request = new WP_REST_Request( 'POST', '/wc/v3/orders' );
$request->set_body_params(
array(
'payment_method' => 'bacs',
'payment_method_title' => '<h1>Sanitize this <script>alert(1);</script></h1>',
'set_paid' => true,
'billing' => array(
'first_name' => 'John',
'last_name' => 'Doe',
'address_1' => '969 Market',
'address_2' => '',
'city' => 'San Francisco',
'state' => 'CA',
'postcode' => '94103',
'country' => 'US',
'email' => 'john.doe@example.com',
'phone' => '(555) 555-5555',
),
'shipping' => array(
'first_name' => 'John',
'last_name' => 'Doe',
'address_1' => '969 Market',
'address_2' => '',
'city' => 'San Francisco',
'state' => 'CA',
'postcode' => '94103',
'country' => 'US',
),
'line_items' => array(
array(
'product_id' => $product->get_id(),
'quantity' => 2,
),
),
'shipping_lines' => array(
array(
'method_id' => 'flat_rate',
'method_title' => 'Flat rate',
'total' => '10',
),
),
)
);
$response = $this->server->dispatch( $request );
$data = $response->get_data();
$order = wc_get_order( $data['id'] );
$this->assertEquals( 201, $response->get_status() );
$this->assertEquals( $order->get_payment_method(), $data['payment_method'] );
$this->assertEquals( $order->get_payment_method_title(), 'Sanitize this' );
// Test when updating order.
$request = new WP_REST_Request( 'PUT', '/wc/v3/orders/' . $data['id'] );
$request->set_body_params(
array(
'payment_method' => 'bacs',
'payment_method_title' => '<h1>Sanitize this too <script>alert(1);</script></h1>'
)
);
$response = $this->server->dispatch( $request );
$data = $response->get_data();
$order = wc_get_order( $data['id'] );
$this->assertEquals( 200, $response->get_status() );
$this->assertEquals( $order->get_payment_method(), $data['payment_method'] );
$this->assertEquals( $order->get_payment_method_title(), 'Sanitize this too' );
}
/**
* Tests creating an order without required fields.
* @since 3.5.0
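Review bot: The new assertions put the actual value first (`$this->assertEquals( $order->get_payment_method_title(), 'Sanitize this' );`), so a failure prints expected and actual swapped; PHPUnit's convention is `$this->assertEquals( 'Sanitize this', $order->get_payment_method_title() );`. The test also checks only the persisted order object — asserting `$data['payment_method_title']` from the response as well would confirm the sanitized value is what the API returns, and nothing in this commit's visible tests exercises the legacy `create_order`/`edit_order` paths that were changed alongside. Minor: the update request array ending in `'payment_method_title' => '<h1>Sanitize this too ...</h1>'` is the only multi-line array in the test without a trailing comma. The same test is added verbatim in the second `test_create_update_order_payment_method_title_sanitize` hunk, and this note covers it too.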
@@ -208,6 +208,82 @@ public function test_create_order() {
$this->assertEquals( 1, count( $data['shipping_lines'] ) );
}
/**
* Test the sanitization of the payment_method_title field through the API.
*
* @since 3.5.2
*/
public function test_create_update_order_payment_method_title_sanitize() {
wp_set_current_user( $this->user );
$product = WC_Helper_Product::create_simple_product();
// Test when creating order.
$request = new WP_REST_Request( 'POST', '/wc/v3/orders' );
$request->set_body_params(
array(
'payment_method' => 'bacs',
'payment_method_title' => '<h1>Sanitize this <script>alert(1);</script></h1>',
'set_paid' => true,
'billing' => array(
'first_name' => 'John',
'last_name' => 'Doe',
'address_1' => '969 Market',
'address_2' => '',
'city' => 'San Francisco',
'state' => 'CA',
'postcode' => '94103',
'country' => 'US',
'email' => 'john.doe@example.com',
'phone' => '(555) 555-5555',
),
'shipping' => array(
'first_name' => 'John',
'last_name' => 'Doe',
'address_1' => '969 Market',
'address_2' => '',
'city' => 'San Francisco',
'state' => 'CA',
'postcode' => '94103',
'country' => 'US',
),
'line_items' => array(
array(
'product_id' => $product->get_id(),
'quantity' => 2,
),
),
'shipping_lines' => array(
array(
'method_id' => 'flat_rate',
'method_title' => 'Flat rate',
'total' => '10',
),
),
)
);
$response = $this->server->dispatch( $request );
$data = $response->get_data();
$order = wc_get_order( $data['id'] );
$this->assertEquals( 201, $response->get_status() );
$this->assertEquals( $order->get_payment_method(), $data['payment_method'] );
$this->assertEquals( $order->get_payment_method_title(), 'Sanitize this' );
// Test when updating order.
$request = new WP_REST_Request( 'PUT', '/wc/v3/orders/' . $data['id'] );
$request->set_body_params(
array(
'payment_method' => 'bacs',
'payment_method_title' => '<h1>Sanitize this too <script>alert(1);</script></h1>'
)
);
$response = $this->server->dispatch( $request );
$data = $response->get_data();
$order = wc_get_order( $data['id'] );
$this->assertEquals( 200, $response->get_status() );
$this->assertEquals( $order->get_payment_method(), $data['payment_method'] );
$this->assertEquals( $order->get_payment_method_title(), 'Sanitize this too' );
}
/**
* Tests creating an order without required fields.
* @since 3.0.0
