Sync # 321 with release 8.9 (#48352)

* Use DOM API to create Order Attribution inputs * Add changelog entry * Update changelog entry and release date
woocommerce · Jun 11, 2024 · 0e98883 · 0e98883
1 parent a10dc5c
commit 0e98883
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 6 deletions.
diff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
@@ -155,12 +155,16 @@
 		 * but it's not yet supported in Safari.
 		 */
 		connectedCallback() {
-			let inputs = '';
+			this.innerHTML = '';
+			const inputs = new DocumentFragment();
 			for( const fieldName of this._fieldNames ) {
-				const value = stringifyFalsyInputValue( this.values[ fieldName ] );
-				inputs += `<input type="hidden" name="${params.prefix}${fieldName}" value="${value}"/>`;
+				const input = document.createElement( 'input' );
+				input.type = 'hidden';
+				input.name = `${params.prefix}${fieldName}`;
+				input.value = stringifyFalsyInputValue( ( this.values && this.values[ fieldName ] ) || '' );
+				inputs.appendChild( input );
 			}
-			this.innerHTML = inputs;
+			this.appendChild( inputs );
 		}
 
 		/**

diff --git a/plugins/woocommerce/readme.txt b/plugins/woocommerce/readme.txt
@@ -165,10 +165,10 @@ WooCommerce comes with some sample data you can use to see how products look; im
 
 == Changelog ==
 
-= 8.9.3 2024-06-11 =
+= 8.9.3 2024-06-10 =
 
 **WooCommerce**
 
+* Security - Prevent HTML & JS injection attacks on registration and checkout forms when the Order Attribution is enabled. [#48348](https://github.com/woocommerce/woocommerce/pull/48348)
 
 [See changelog for all versions](https://raw.githubusercontent.com/woocommerce/woocommerce/trunk/changelog.txt).
-/trunk/changelog.txt).