Merge branch '4.x' into 5.x

lukeholder · lukeholder · commit a4bc3a5ebf0e · 2026-01-14T20:23:08.000+08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 - Fixed a bug where the order’s table was showing the incorrect column heading on the Edit User page.
 - Fixed two high-severity SQL injection vulnerabilities in the control panel. (GHSA-j3x5-mghf-xvfw, GHSA-pmgj-gmm4-jh6j)
+- Fixed a moderate-severity XSS vulnerability in the control panel (GHSA-mqxf-2998-c6cp)
 
 ## 5.5.2 - 2025-12-31
 
diff --git a/example-templates/dist/shop/customer/order.twig b/example-templates/dist/shop/customer/order.twig
@@ -32,7 +32,7 @@
     </div>
     <div class="lg:w-1/2 lg:text-right">
       {# Display a link to download a PDF if the order has a PDF URL and a PDF has been configured #}
-      {% if order.pdfUrl and craft.commerce.pdfs.hasEnabledPdf %}
+      {% if craft.commerce.pdfs.hasEnabledPdf %}
         <a href="{{ order.getPdfUrl('receipt') }}" download target="_blank" class="text-blue-500 hover:text-blue-600">
           {{ 'Download PDF'|t }}
         </a>
diff --git a/example-templates/src/shop/customer/order.twig b/example-templates/src/shop/customer/order.twig
@@ -32,7 +32,7 @@
     </div>
     <div class="lg:w-1/2 lg:text-right">
       {# Display a link to download a PDF if the order has a PDF URL and a PDF has been configured #}
-      {% if order.pdfUrl and craft.commerce.pdfs.hasEnabledPdf %}
+      {% if craft.commerce.pdfs.hasEnabledPdf %}
         <a href="{{ order.getPdfUrl('receipt') }}" download target="_blank" class="[[classes.a]]">
           {{ 'Download PDF'|t }}
         </a>
