Always sanitize coupon code to prevent inconsistent between admins and shop owners

[claudiosanches]

All Submissions:

• Have you followed the WooCommerce Contributing guideline?
• Does your code follow the WordPress' coding standards?
• Have you checked to ensure there aren't other open Pull Requests for the same update/change?

Changes proposed in this Pull Request:

By default WordPress will run kses_init_filters() if the current user can't use unfiltered HTML, applying the wp_filter_kses() function to the title_save_pre.
That's why admins can save a coupon code like a&a without getting converted into a&a.

To fix the inconsistent I'm changing to always apply the same sanitation for all users on WooCommerce, also should be safer to always sanitize.
And it also includes a upgrade routine to fix all codes at once.

Closes #23655.

How to test the changes in this Pull Request:

1. Create two coupons with the following codes using an admin:

• a&a
• b&b

2. Now create more two coupons using a shop manager:

• c&c
• d&d

3. Check that with the shop manager ampersand gets encoded.
4. With the shop manager edit the coupon with code a&a and note that the ampersand got encoded making impossible to restore.
5. Apply this patch, edit or create coupons with any user and see that ampersands always get encoded.
6. Added some products to the cart and try use your coupons created in the previous steps.
7. Also try apply coupons with both formats: a&a and a&a.

Other information:

• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes, as applicable?
• Have you successfully run tests with your changes locally?

Changelog entry

Fix - Coupon code inconsistent between admins and shop owners.

[vedanshujain]

Adding high impact label because this will existing coupon codes.

[claudiosanches]

@vedanshujain not sure if it's "high impact", since there's a migration script, and will also accept the old format too, since will got converted before searching in the database.

[vedanshujain]

Since the intention is to get to a state where code everywhere had run through wp_filter_kses I have a few questions/suggestions:

1. We have a method wc_format_coupon_code, perhaps it will be good to add wp_filter_kses there as well.
2. Should we batch the update function for shops that have large amount of coupons (incase running the request takes more than 30s).
3. Do we really need to run the update command for every coupon code, I think if we do it only where old_code !== new_code, it will be a good improvement.

wdyt?

[vedanshujain]

@claudiosanches agree with high impact assessment, removing the label.

[claudiosanches]

@vedanshujain

We have a method wc_format_coupon_code, perhaps it will be good to add wp_filter_kses there as well.

It already gets applied there by the woocommerce_coupon_code filter. See:

woocommerce/includes/wc-core-functions.php

Lines 38 to 40 in 8c2412e

	add_filter( 'woocommerce_coupon_code', 'html_entity_decode' );
	add_filter( 'woocommerce_coupon_code', 'wc_sanitize_coupon_code' );
	add_filter( 'woocommerce_coupon_code', 'wc_strtolower' );

I'm added this code to the wc_sanitize_coupon_code() function because this is the expected output of sanitize_post_field( 'post_title', $value, 0, 'db' ) if you are using an user that have unfiltered_html capabilities.

Do we really need to run the update command for every coupon code, I think if we do it only where old_code !== new_code, it will be a good improvement.

It will solve problems later, like for querying coupons where we should be search for a&a while in the database it's still a&a.

[claudiosanches]

Should we batch the update function for shops that have large amount of coupons (incase running the request takes more than 30s).

I just implemented it, now will update 10 coupons for each run.

If you like to test the migration script, you can install the "coupon-generator-for-woocommerce" plugin to generate how many coupons you like, you can install using wp plugin install --activate coupon-generator-for-woocommerce.
Then you need to update the $version to 4.5.0 in includes/class-woocommerce.php, it will trigger the banner to migrate the database to 4.5.0.

[vedanshujain]

Great work! I have a couple more suggestions, let me know what you think.

[claudiosanches]

@vedanshujain I just made the changes, if you like to test again in additional to change the $version to 4.5.0 you should also set the follow:

wp option update woocommerce_db_version "4.4.0"
wp option update woocommerce_version "4.4.0"

It will force to trigger the upgrade again.

[vedanshujain]

LGTM! I have left some comments but they are suggestions rather blockers, so approving the PR anyway.

[claudiosanches]

@vedanshujain thank you very much for reviewing and for all the tips 🤗