From 0584e2050a0e71c3449c7cb5fa4fffead1da7ec4 Mon Sep 17 00:00:00 2001
From: Miguel Peixe
Date: Wed, 26 Nov 2025 11:31:12 -0300
Subject: [PATCH] fix(my-account): safe content argument to skip sanitization
---
 includes/class-newspack-ui.php | 99 ++++++++++---------
 .../my-account/class-my-account-ui-v1.php | 83 ++++++++--------
 2 files changed, 96 insertions(+), 86 deletions(-)
diff --git a/includes/class-newspack-ui.php b/includes/class-newspack-ui.php
index dc8d0e7c76..2cd4d43deb 100644
--- a/includes/class-newspack-ui.php
+++ b/includes/class-newspack-ui.php
@@ -198,6 +198,7 @@ public static function colors_css_wrap() {
  * @type string $id The modal ID.
  * @type string $title The modal title.
  * @type string $content The modal content HTML.
+ * @type bool $content_is_safe Whether the content is already safe HTML.
  * @type string $footer The modal footer HTML.
  * @type string $form The form method to use. If given, modal content and action buttons will be wrapped in a form element.
  * @type array $actions {
@@ -247,53 +248,57 @@ public static function generate_modal( $args ) {
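Review bot: The new `@type bool $content_is_safe` line says the content is "already safe HTML" but not who guarantees that, and since the generate_modal hunk below makes the flag echo `$args['content']` with no `wp_kses` pass at all, this docblock is the only place the contract is stated. Suggest ` * @type bool $content_is_safe Set to true to skip wp_kses on $content. The caller then owns escaping: pass only markup produced by trusted rendering code (e.g. a WooCommerce template), never values taken from the request or from user-editable fields.` so the trust boundary is explicit at the API. The generate_modal hunk also gates the bypass on `! empty( $args['content_is_safe'] )`, so any truthy value (the string `'false'`, `1`, a non-empty array) disables sanitization; documenting the option as a strict bool and testing `=== true` there would make accidental misuse harder. The trailing lines of that generate_modal hunk are not in this excerpt.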
[ - 'type' => true, - 'name' => true, - 'id' => true, - 'class' => true, - 'tabindex' => true, - 'placeholder' => true, - 'required' => true, - 'aria-hidden' => true, - 'aria-required' => true, - 'value' => true, - 'disabled' => true, - 'checked' => true, - ], - 'select' => [ - 'name' => true, - 'id' => true, - 'class' => true, - 'tabindex' => true, - 'required' => true, - 'aria-hidden' => true, - 'aria-required' => true, - 'value' => true, - 'disabled' => true, - 'multiple' => true, - 'autocomplete' => true, - 'data-label' => true, - 'data-placeholder' => true, - ], - 'option' => [ - 'value' => true, - 'selected' => true, - 'disabled' => true, - ], - 'noscript' => [], - 'iframe' => [ - 'src' => true, - ], - ] - ) - ); + if ( ! empty( $args['content_is_safe'] ) ) { + echo $args['content']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped + } else { + echo wp_kses( + $args['content'], + array_merge( + \wp_kses_allowed_html( 'post' ), + Newspack_UI_Icons::sanitize_svgs(), + [ + 'input' => [ + 'type' => true, + 'name' => true, + 'id' => true, + 'class' => true, + 'tabindex' => true, + 'placeholder' => true, + 'required' => true, + 'aria-hidden' => true, + 'aria-required' => true, + 'value' => true, + 'disabled' => true, + 'checked' => true, + ], + 'select' => [ + 'name' => true, + 'id' => true, + 'class' => true, + 'tabindex' => true, + 'required' => true, + 'aria-hidden' => true, + 'aria-required' => true, + 'value' => true, + 'disabled' => true, + 'multiple' => true, + 'autocomplete' => true, + 'data-label' => true, + 'data-placeholder' => true, + ], + 'option' => [ + 'value' => true, + 'selected' => true, + 'disabled' => true, + ], + 'noscript' => [], + 'iframe' => [ + 'src' => true, + ], + ] + ) + ); + } ?> 'add-payment-method', - 'title' => __( 'Add Payment Method', 'newspack-plugin' ), - 'content' => $content, - 'size' => 'medium', - 'form' => 'POST', - 'form_class' => 'newspack-ui__accordion newspack-ui__accordion--open', - 'form_id' => 
'add_payment_method', - 'actions' => [ + 'id' => 'add-payment-method', + 'title' => __( 'Add Payment Method', 'newspack-plugin' ), + 'content' => $content, + 'content_is_safe' => true, // Allow the contents of `woocommerce_account_add_payment_method` to be rendered as is. + 'size' => 'medium', + 'form' => 'POST', + 'form_class' => 'newspack-ui__accordion newspack-ui__accordion--open', + 'form_id' => 'add_payment_method', + 'actions' => [ 'cancel' => [ 'label' => __( 'Cancel', 'newspack-plugin' ), 'type' => 'ghost', 
@@ -681,40 +682,44 @@ public static function add_address_modals() { $address_types = \apply_filters( 'woocommerce_my_account_get_addresses', $address_types ); foreach ( $address_types as $address_type => $address_name ) { $address = \wc_get_account_formatted_address( $address_type ); + ob_start(); \woocommerce_account_edit_address( $address_type ); - $content = ob_get_clean(); - $edit_address_url = \add_query_arg( - 'edit-address', - $address_type, - \wc_get_endpoint_url( 'edit-address', $address_type ) - ); - Newspack_UI::generate_modal( - [ - 'id' => 'edit-address-' . $address_type, - 'title' => ! empty( $address ) ? sprintf( - // Translators: %s is the address type. - __( 'Edit %s address', 'newspack-plugin' ), - $address_type - ) : sprintf( - // Translators: %s is the address type. - __( 'Add %s address', 'newspack-plugin' ), - $address_type - ), - 'content' => $content, - 'size' => 'medium', - 'form' => 'POST', - 'form_id' => 'edit_address_' . $address_type, - 'form_action' => $edit_address_url, - 'actions' => [ - 'cancel' => [ - 'label' => __( 'Cancel', 'newspack-plugin' ), - 'type' => 'ghost', - 'action' => 'close', - ], + $content = ob_get_clean(); + + $edit_address_url = \add_query_arg( + 'edit-address', + $address_type, + \wc_get_endpoint_url( 'edit-address', $address_type ) + ); + + Newspack_UI::generate_modal( + [ + 'id' => 'edit-address-' . $address_type, + 'title' => ! empty( $address ) ? sprintf( + // Translators: %s is the address type. + __( 'Edit %s address', 'newspack-plugin' ), + $address_type + ) : sprintf( + // Translators: %s is the address type. + __( 'Add %s address', 'newspack-plugin' ), + $address_type + ), + 'content' => $content, + 'content_is_safe' => true, // Allow the contents of `woocommerce_account_edit_address` to be rendered as is. + 'size' => 'medium', + 'form' => 'POST', + 'form_id' => 'edit_address_' . 
$address_type, + 'form_action' => $edit_address_url, + 'actions' => [ + 'cancel' => [ + 'label' => __( 'Cancel', 'newspack-plugin' ), + 'type' => 'ghost', + 'action' => 'close', ], - ] - ); + ], + ] + ); } }
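Review bot: The inline comment on `'content_is_safe' => true` says the output of `woocommerce_account_edit_address` is rendered as is, but not why it has to bypass `wp_kses` or why that output is trusted, which is exactly what the next maintainer needs before copying the flag to a call site whose content is not template output. Suggest `'content_is_safe' => true, // Output of the WooCommerce edit-address template (trusted, not request data); rendering it through wp_kses breaks the form it emits.` with the second clause adjusted to the actual reason, which this excerpt does not show. The same comment shape would help on the add-payment-method hunk earlier in this file, which sets the flag with the same wording. add_address_modals opens before this hunk.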