
Commit 043eedb

committed
Fixed issues caused by esc_html() and esc_attr() not double-escaping HTML entities
1 parent 4f0ac2d commit 043eedb


1 file changed

+3
-3
lines changed


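--- a/pdf-forms-for-woocommerce.php
+++ b/pdf-forms-for-woocommerce.php
@@ -291,7 +291,7 @@ public function admin_notices()
 $messages = self::get_admin_messages();
 if( count( $messages ) > 0 )
 {
-$messages = array_map( function( $message ) { return "<span class='".esc_attr($message['type'])."'>".esc_html($message['message'])."</span>"; }, $messages );
+$messages = array_map( function( $message ) { return "<span class='".esc_attr($message['type'])."'>".esc_textarea($message['message'])."</span>"; }, $messages );
 $messageHtml = self::render(
 'admin-messages',
 array(
@@ -2273,11 +2273,11 @@ public function print_product_data_tab_contents()
 woocommerce_wp_hidden_input( array(
 'id' => 'pdf-forms-for-woocommerce-data',
 'class' => 'pdf-forms-for-woocommerce-data',
-'value' => Pdf_Forms_For_WooCommerce_Wrapper::json_encode( $settings ),
+'value' => esc_textarea( Pdf_Forms_For_WooCommerce_Wrapper::json_encode( $settings ) ), // esc_attr() is used to output this value which does not double-escape by design, which causes issues with JSON already containing entities like &quot;, so we need to pre-emptively double-escape with esc_textarea()
 ) );
 return ob_get_clean(); // no escaping needed
 } ),
-'preload-data' => esc_html( Pdf_Forms_For_WooCommerce_Wrapper::json_encode( $preload_data ) ),
+'preload-data' => esc_textarea( Pdf_Forms_For_WooCommerce_Wrapper::json_encode( $preload_data ) ), // esc_textarea() is used to double-escape for correct JSON, esc_html() does not double-escape by design
 'instructions' => esc_html__( "You can use this section to attach a PDF file to your product and link WooCommerce placeholders to fields in the PDF file. You can also embed images from a URL into the PDF file. Changes here are applied when the product is saved.", 'pdf-forms-for-woocommerce' ),
 'attach-pdf' => esc_html__( "Attach a PDF File", 'pdf-forms-for-woocommerce' ),
 'delete' => esc_html__( 'Delete', 'pdf-forms-for-woocommerce' ),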
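Review bot: The `value` line in the second hunk makes correctness depend on `woocommerce_wp_hidden_input()` applying `esc_attr()` with its no-double-encode behaviour to an already-escaped string, which is a contract with WooCommerce's internals rather than with this file, and the same pre-escaping trick is repeated on the `preload-data` line whose output context (the template rendered by `self::render`) is outside the hunk, so whether that value lands in an attribute, an element body or a `<script>` cannot be confirmed here. A more self-contained fix would keep entities out of the JSON altogether by encoding with `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT`, so that `&`, `<`, `>` and both quote characters become `\uXXXX` escapes and a single `esc_attr()`/`esc_html()` at the output point is lossless — assuming `Pdf_Forms_For_WooCommerce_Wrapper::json_encode()` can be given flags, which this hunk does not show. Either way, the 230-character trailing comment on the `value` line would read better as a short block comment above the key, e.g. `// woocommerce_wp_hidden_input() wraps this in esc_attr(), which leaves existing entities alone;` / `// pre-escaping keeps entities inside the JSON intact after the browser decodes the attribute once.` In the first hunk, `esc_textarea()` on a message inside a `<span>` is functionally a full `htmlspecialchars()` with double encoding and so is safe in element-body context, but the name suggests a textarea; a one-line comment stating that it is chosen for double encoding would save the next reader a lookup. `print_product_data_tab_contents()` and `admin_notices()` both begin and end outside their hunks.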
