Fix encoding

Author: nfourtythree

src/controllers/GatewaysController.php

@@ -53,7 +53,7 @@ public function actionIndex(): Response
                     'handle' => Html::encode($gateway->handle),
                     'type' => [
                         'missing' => $missing,
-                        'name' => $missing ? $gateway->expectedType : $gateway->displayName(),
+                        'name' => Html::encode($missing ? $gateway->expectedType : $gateway->displayName()),
                     ],
                     'hasTransactions' => in_array($gateway->id, $gatewayIdsWithTransactions),
                 ];

src/elements/traits/OrderElementTrait.php

@@ -110,11 +110,11 @@ protected function tableAttributeHtml(string $attribute): string
             }
             case 'shippingMethodName':
             {
-                return $this->shippingMethodName ?? '';
+                return Html::encode($this->shippingMethodName ?? '');
             }
             case 'gatewayName':
             {
-                return $this->getGateway()->name ?? '';
+                return Html::encode($this->getGateway()->name ?? '');
             }
             case 'paidStatus':
             {
@@ -216,7 +216,7 @@ protected function tableAttributeHtml(string $attribute): string
             case 'orderSite':
             {
                 $site = Craft::$app->getSites()->getSiteById($this->orderSiteId);
-                return $site->name ?? '';
+                return Html::encode($site->name ?? '');
             }
             default:
             {

src/models/LineItemStatus.php

@@ -102,7 +102,7 @@ public function getCpEditUrl(): string
 
     public function getLabelHtml(): string
     {
-        return sprintf('<span class="commerceStatusLabel nowrap"><span class="status %s"></span>%s</span>', $this->color, Html::encode($this->name));
+        return sprintf('<span class="commerceStatusLabel nowrap"><span class="status %s"></span>%s</span>', Html::encode($this->color), Html::encode($this->name));
     }
 
     /**

src/models/OrderStatus.php

@@ -158,7 +158,7 @@ public function getEmails(): array
 
     public function getLabelHtml(): string
     {
-        return sprintf('<span class="commerceStatusLabel nowrap"><span class="status %s"></span>%s</span>', $this->color, Html::encode($this->getDisplayName()));
+        return sprintf('<span class="commerceStatusLabel nowrap"><span class="status %s"></span>%s</span>', Html::encode($this->color), Html::encode($this->getDisplayName()));
     }
 
     /**

src/templates/settings/emails/index.twig

@@ -28,7 +28,7 @@
         subject: email.subject|t('site')|e,
         to: email.recipientType == 'custom' ? email.to|e : 'Customer'|t('commmerce')|e,
         bcc: email.bcc|e,
-        template: email.templatePath,
+        template: email.templatePath|e,
         preview: email.id,
     }]) %}
 {% endfor %}

src/templates/settings/gateways/index.twig

@@ -48,7 +48,7 @@
         handle: gateway.handle|e,
         type: {
             missing: gateway is missing ? true : false,
-            name: gateway is missing? gateway.expectedType : gateway.displayName()
+            name: (gateway is missing ? gateway.expectedType : gateway.displayName())|e
         },
         customerEnabled: parseBooleanEnv(gateway.isFrontendEnabled),
     }]) %}

src/templates/settings/pdfs/index.twig

@@ -23,7 +23,7 @@
     {% set tableData = tableData|merge([{
         id: pdf.id,
         title: pdf.name|t('site'),
-        handle: pdf.handle|t('site'),
+        handle: pdf.handle|t('site')|e,
         status: pdf.enabled ? true : false,
         url: url('commerce/settings/pdfs/'~pdf.id),
         isDefault: pdf.isDefault ? true : false,