Various others

Author: lukeholder

src/controllers/CatalogPricingRulesController.php

@@ -103,7 +103,7 @@ public function actionIndex(?string $storeHandle = null): Response
 
             $tableData[] = [
                 'id' => $pcr->id,
-                'title' => Craft::t('site', $pcr->name),
+                'title' => Html::encode(Craft::t('site', $pcr->name)),
                 'url' => $pcr->getCpEditUrl(),
                 'status' => $pcr->enabled ? true : false,
                 'duration' => $dateRange,

src/controllers/DiscountsController.php

@@ -275,7 +275,7 @@ public function actionTableData(): Response
 
             $tableData[] = [
                 'id' => $item['id'],
-                'title' => Craft::t('site', $item['name']),
+                'title' => Html::encode(Craft::t('site', $item['name'])),
                 'url' => UrlHelper::cpUrl('commerce/store-management/' . $store->handle . '/discounts/' . $item['id']),
                 'status' => (bool)$item['enabled'],
                 'duration' => $dateRange,

src/controllers/GatewaysController.php

@@ -49,11 +49,11 @@ public function actionIndex(): Response
                 $missing = $gateway instanceof MissingGateway;
                 $gateway = [
                     'id' => $gateway->id,
-                    'title' => Craft::t('site', $gateway->name),
+                    'title' => Html::encode(Craft::t('site', $gateway->name)),
                     'handle' => Html::encode($gateway->handle),
                     'type' => [
                         'missing' => $missing,
-                        'name' => $missing ? $gateway->expectedType : $gateway->displayName(),
+                        'name' => Html::encode($missing ? $gateway->expectedType : $gateway->displayName()),
                     ],
                     'hasTransactions' => in_array($gateway->id, $gatewayIdsWithTransactions),
                 ];

src/templates/orders/_transactions.twig

@@ -28,12 +28,12 @@ var columns = [
         callback: function(value) {
             return '<span style="padding-left: '+value.level+'em;">'+
                 ((value.level) ? '<span class="extralight">&#8627;</span> ' : '') +
-                value.label+'</span>';
+                Craft.escapeHtml(value.label)+'</span>';
         }
     },
     { name: 'status', title: Craft.t('commerce', 'Status'),
         callback: function(value) {
-            return '<span class="transaction-status transaction-status-'+value.key+'">'+value.label+'</span>';
+            return '<span class="transaction-status transaction-status-'+Craft.escapeHtml(value.key)+'">'+Craft.escapeHtml(value.label)+'</span>';
         }
     },
     { name: 'amount', title: Craft.t('commerce', 'Amount'),

src/templates/promotions/sales/index.twig

@@ -48,7 +48,7 @@
   {% endif %}
   {% set tableData = tableData|merge([{
     id: sale.id,
-    title: sale.name|t('site'),
+    title: sale.name|t('site')|e,
     url: sale.getCpEditUrl(),
     status: sale.enabled ? true : false,
     duration: dateRange,

src/templates/settings/emails/index.twig

@@ -46,13 +46,13 @@
     {% for email in storeEmails %}
         {% set tableData = tableData|merge([{
             id: email.id,
-            title: email.name|t('site'),
+            title: email.name|t('site')|e,
             status: email.enabled ? true : false,
             url: email.getCpEditUrl(),
             subject: email.subject|t('site')|e,
             to: email.recipientType == 'custom' ? email.to|e : 'Customer'|t('commmerce')|e,
             bcc: email.bcc|e,
-            template: email.templatePath,
+            template: email.templatePath|e,
             preview: email.id ~ ':' ~ email.storeId,
         }]) %}
     {% endfor %}
@@ -66,7 +66,7 @@
             { name: 'template', title: Craft.t('commerce', 'Template Path'),
                 callback: function(value) {
                     if (value) {
-                        return '<span class="code">'+value+'</span>';
+                        return '<span class="code">'+Craft.escapeHtml(value)+'</span>';
                     }
 
                     return '';

src/templates/settings/gateways/index.twig

@@ -53,12 +53,12 @@
     {% for gateway in gateways %}
         {% set tableData = tableData|merge([{
             id: gateway.id,
-            title: gateway.name|t('site'),
+            title: gateway.name|t('site')|e,
             url: gateway.getCpEditUrl(),
             handle: gateway.handle|e,
             type: {
                 missing: gateway is missing ? true : false,
-                name: gateway is missing? gateway.expectedType : gateway.displayName()
+                name: (gateway is missing? gateway.expectedType : gateway.displayName())|e
             },
             customerEnabled: parseBooleanEnv(gateway.isFrontendEnabled),
         }]) %}
@@ -95,10 +95,10 @@
             title: Craft.t('commerce', 'Type'),
             callback: function(value) {
                 if (value.missing) {
-                    return '<span class="error">'+value.name+'</span>';
+                    return '<span class="error">'+Craft.escapeHtml(value.name)+'</span>';
                 }
 
-                return value.name;
+                return Craft.escapeHtml(value.name);
             }
         },
         {
@@ -138,10 +138,10 @@
             title: Craft.t('commerce', 'Type'),
             callback: function(value) {
                 if (value.missing) {
-                    return '<span class="error">'+value.name+'</span>';
+                    return '<span class="error">'+Craft.escapeHtml(value.name)+'</span>';
                 }
 
-                return value.name;
+                return Craft.escapeHtml(value.name);
             }
         },
         {

src/templates/settings/lineitemstatuses/index.twig

@@ -56,7 +56,7 @@
                 url: lineItemStatus.cpEditUrl,
                 html: lineItemStatus.labelHtml|raw
             },
-            title: lineItemStatus.name|t('site'),
+            title: lineItemStatus.name|t('site')|e,
             url: lineItemStatus.cpEditUrl,
             handle: lineItemStatus.handle|e,
             default: lineItemStatus.default ? true : false,

src/templates/settings/pdfs/index.twig

@@ -50,8 +50,8 @@
     {% for pdf in storePdfs %}
         {% set tableData = tableData|merge([{
             id: pdf.id,
-            title: pdf.name|t('site'),
-            handle: pdf.handle|t('site'),
+            title: pdf.name|t('site')|e,
+            handle: pdf.handle|e,
             status: pdf.enabled ? true : false,
             url:pdf.getCpEditUrl(),
             isDefault: pdf.isDefault ? true : false,

src/templates/settings/stores/index.twig

@@ -38,13 +38,13 @@
 {% for store in stores %}
     {% set tableData = tableData|merge([{
         id: store.id,
-        name: store.name|t('site'),
-        title: store.name|t('site'),
+        name: store.name|t('site')|e,
+        title: store.name|t('site')|e,
         url: url('commerce/settings/stores/'~store.id),
-        handle: store.handle,
+        handle: store.handle|e,
         currency: store.currency,
         primary: store.primary ? true : false,
-        sites: store.getSiteNames()|join(', '),
+        sites: store.getSiteNames()|join(', ')|e,
         menu: {
             showItems: true,
             showCount: false,