Strip tags from exceptions that are converted from notices (#4005)

* Strip tags that are added to notices

* Add test to ensure HTML is stripped by convert_notices_to_exceptions

* Test function directly, rather than through validate_cart_items

* Apply correct formatting to tests/php/StoreApi/Utilities/NoticeHandler.php

Co-authored-by: Albert Juhé Lluveras <[email protected]>

Co-authored-by: Albert Juhé Lluveras <[email protected]>

Author: opr

src/StoreApi/Utilities/NoticeHandler.php

@@ -34,7 +34,7 @@ public static function convert_notices_to_exceptions( $error_code = 'unknown_ser
 		wc_clear_notices();
 
 		foreach ( $error_notices as $error_notice ) {
-			throw new RouteException( $error_code, $error_notice['notice'], 400 );
+			throw new RouteException( $error_code, wp_strip_all_tags( $error_notice['notice'] ), 400 );
 		}
 	}
 }

tests/php/StoreApi/Utilities/NoticeHandler.php

@@ -0,0 +1,22 @@
+<?php
+/**
+ * NoticeHandler Tests.
+ */
+
+namespace Automattic\WooCommerce\Blocks\Tests\StoreApi\Utilities;
+
+use Automattic\WooCommerce\Blocks\StoreApi\Routes\RouteException;
+use Automattic\WooCommerce\Blocks\StoreApi\Utilities\CartController;
+use Automattic\WooCommerce\Blocks\StoreApi\Utilities\NoticeHandler;
+use PHPUnit\Framework\TestCase;
+use \WC_Helper_Product as ProductHelper;
+
+class NoticeHandlerTests extends TestCase {
+
+	public function test_convert_notices_to_exceptions() {
+		$this->expectException( RouteException::class );
+		$this->expectExceptionMessage( 'This is an error message with Some HTML in it.' );
+		wc_add_notice( '<strong>This is an error message with <a href="#">Some HTML in it</a>.', 'error' );
+		$errors = NoticeHandler::convert_notices_to_exceptions( 'test_error' );
+	}
+}