Always sanitize coupon code to prevent inconsistency between admins and shop owners #27140
Conversation
By default it only gets sanitized when editing the coupon with a user that doesn't have the unfiltered_html capability.
This matches WP sanitization for post_title. WP sanitizes post_title using kses_init_filters() when the current user can't use unfiltered HTML.
Adding high impact label because this will affect existing coupon codes.
@vedanshujain not sure if it's "high impact", since there's a migration script, and it will also accept the old format too, since it will get converted before searching in the database.
Since the intention is to get to a state where code everywhere has run through wp_filter_kses, I have a few questions/suggestions:
- We have a method wc_format_coupon_code; perhaps it would be good to add wp_filter_kses there as well.
- Should we batch the update function for shops that have a large amount of coupons (in case running the request takes more than 30s)?
- Do we really need to run the update command for every coupon code? I think if we do it only where old_code !== new_code, it will be a good improvement.
wdyt?
@claudiosanches agree with high impact assessment, removing the label.
It already gets applied there by woocommerce/includes/wc-core-functions.php, lines 38 to 40 in 8c2412e.
I've added this code to the
It will solve problems later, like for querying coupons where we should be searching for
I just implemented it; now it will update 10 coupons for each run. If you'd like to test the migration script, you can install the "coupon-generator-for-woocommerce" plugin to generate as many coupons as you like; you can install it using
Great work! I have a couple more suggestions, let me know what you think.
@vedanshujain I just made the changes. If you'd like to test again, in addition change the options with:
wp option update woocommerce_db_version "4.4.0"
wp option update woocommerce_version "4.4.0"
It will force the upgrade to trigger again.
LGTM! I have left some comments but they are suggestions rather than blockers, so approving the PR anyway.
@vedanshujain thank you very much for reviewing and for all the tips 🤗
All Submissions:
Changes proposed in this Pull Request:
By default WordPress will run kses_init_filters() if the current user can't use unfiltered HTML, applying the wp_filter_kses() function to the title_save_pre hook. That's why admins can save a coupon code like a&a without it getting converted into a&amp;a.
To fix the inconsistency I'm changing WooCommerce to always apply the same sanitization for all users; it should also be safer to always sanitize.
It also includes an upgrade routine to fix all codes at once.
Closes #23655.
How to test the changes in this Pull Request:
a&a
b&b
c&c
d&d
a&a and note that the ampersand got encoded, making it impossible to restore. a&a and a&amp;a.
Other information:
Changelog entry
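The description above explains the inconsistency (kses runs on title_save_pre only for users without unfiltered_html) and the two-part fix (always sanitize, plus a batched upgrade that rewrites stored codes), and the review comments ask for batching and for skipping rows whose code does not change. The following is an added, stand-alone model of that behaviour; it is not code from this PR or from WooCommerce. It is written in Python rather than PHP so it runs without WordPress: `wp_filter_kses_model` is a simplified stand-in for wp_kses_normalize_entities (it does not check named entities against WordPress's allow-list), `format_coupon_code` is a hypothetical stand-in for wc_format_coupon_code, and the coupon "store" is a constructed dict, not a database.

```python
"""Model of the coupon-code sanitization inconsistency and the always-sanitize fix.

Added example; names marked "model"/"hypothetical" are assumptions, not WooCommerce APIs.
"""
import re

# Simplified model of wp_kses_normalize_entities(): a bare "&" that does not start an
# entity becomes "&amp;"; numeric and named entities already present are left alone.
# The real function additionally validates named entities against an allow-list.
_BARE_AMP = re.compile(r'&(?!(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);)')


def wp_filter_kses_model(value: str) -> str:
    """Model of wp_filter_kses() as it affects a coupon title: encode bare ampersands."""
    return _BARE_AMP.sub('&amp;', value)


def old_save_title(title: str, user_can_unfiltered_html: bool) -> str:
    """Pre-fix behaviour: kses_init_filters() only hooks title_save_pre for users
    without the unfiltered_html capability, so admins bypass the encoding."""
    return title if user_can_unfiltered_html else wp_filter_kses_model(title)


def new_save_title(title: str, user_can_unfiltered_html: bool) -> str:
    """Post-fix behaviour: the same sanitization for every user, capability ignored."""
    return wp_filter_kses_model(title)


def format_coupon_code(code: str) -> str:
    """Hypothetical model of wc_format_coupon_code after the fix: normalize entities,
    then lowercase. Applying it to both sides of a comparison makes old-format
    ("a&a") and new-format ("a&amp;a") stored codes match the same user input."""
    return wp_filter_kses_model(code.strip()).lower()


def find_coupon(store: dict, user_code: str) -> list:
    """Return ids of coupons whose stored code matches the user's input once both
    are run through the same formatter (constructed in-memory store, not SQL)."""
    wanted = format_coupon_code(user_code)
    return [cid for cid, code in sorted(store.items()) if format_coupon_code(code) == wanted]


def migrate_coupon_codes(store: dict, batch_size: int = 10) -> tuple:
    """Batched upgrade routine: walk the store in fixed-size batches (one batch per
    scheduled run) and rewrite only rows where old_code != new_code.
    Returns (ids that were rewritten, number of batches run)."""
    ids = sorted(store)
    updated = []
    runs = 0
    for start in range(0, len(ids), batch_size):
        runs += 1
        for cid in ids[start:start + batch_size]:
            old_code = store[cid]
            new_code = wp_filter_kses_model(old_code)
            if old_code != new_code:      # reviewer suggestion: skip unchanged rows
                store[cid] = new_code
                updated.append(cid)
    return updated, runs


def build_sample_store(count: int = 25) -> dict:
    """Constructed sample data: odd ids carry a bare ampersand, even ids do not."""
    return {i: (f'code{i}&x' if i % 2 else f'code{i}') for i in range(count)}


if __name__ == '__main__':
    # Same raw code saved by an admin and by a shop manager before the fix.
    print(old_save_title('a&a', True), old_save_title('a&a', False))    # a&a a&amp;a
    # After the fix both users end up with the encoded form.
    print(new_save_title('a&a', True), new_save_title('a&a', False))    # a&amp;a a&amp;a
    store = {1: 'a&a', 2: 'a&amp;a', 3: 'b&b'}
    print(find_coupon(store, 'A&A'))                                     # [1, 2]
    sample = build_sample_store()
    print(migrate_coupon_codes(sample))                                  # 12 odd ids, 3 runs
    print(migrate_coupon_codes(sample))                                  # ([], 3): idempotent
```

The migration is idempotent because the encoder leaves existing entities alone, so re-triggering the upgrade (as suggested above with the version options) does no extra writes. In a real database the lookup side cannot format every stored row in PHP; the practical equivalent is to migrate stored codes and to query for both the raw and the encoded form of the user's input until that migration has completed.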