Automattic · miguelpeixe · Nov 26, 2025
@@ -198,6 +198,7 @@ public static function colors_css_wrap() {
 	 *     @type string $id The modal ID.
 	 *     @type string $title The modal title.
 	 *     @type string $content The modal content HTML.
+	 *     @type bool   $content_is_safe Whether the content is already safe HTML.
 	 *     @type string $footer The modal footer HTML.
 	 *     @type string $form The form method to use. If given, modal content and action buttons will be wrapped in a form element.
 	 *     @type array $actions {
@@ -247,53 +248,57 @@ public static function generate_modal( $args ) {
 				<section class="newspack-ui__modal__content">
 				<?php endif; ?>
 						<?php
-						echo wp_kses(
-							$args['content'],
-							array_merge(
-								\wp_kses_allowed_html( 'post' ),
-								Newspack_UI_Icons::sanitize_svgs(),
-								[
-									'input'    => [
-										'type'          => true,
-										'name'          => true,
-										'id'            => true,
-										'class'         => true,
-										'tabindex'      => true,
-										'placeholder'   => true,
-										'required'      => true,
-										'aria-hidden'   => true,
-										'aria-required' => true,
-										'value'         => true,
-										'disabled'      => true,
-										'checked'       => true,
-									],
-									'select'   => [
-										'name'             => true,
-										'id'               => true,
-										'class'            => true,
-										'tabindex'         => true,
-										'required'         => true,
-										'aria-hidden'      => true,
-										'aria-required'    => true,
-										'value'            => true,
-										'disabled'         => true,
-										'multiple'         => true,
-										'autocomplete'     => true,
-										'data-label'       => true,
-										'data-placeholder' => true,
-									],
-									'option'   => [
-										'value'    => true,
-										'selected' => true,
-										'disabled' => true,
-									],
-									'noscript' => [],
-									'iframe'   => [
-										'src' => true,
-									],
-								]
-							)
-						);
+						if ( ! empty( $args['content_is_safe'] ) ) {
+							echo $args['content']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+						} else {
+							echo wp_kses(
+								$args['content'],
+								array_merge(
+									\wp_kses_allowed_html( 'post' ),
+									Newspack_UI_Icons::sanitize_svgs(),
+									[
+										'input'    => [
+											'type'        => true,
+											'name'        => true,
+											'id'          => true,
+											'class'       => true,
+											'tabindex'    => true,
+											'placeholder' => true,
+											'required'    => true,
+											'aria-hidden' => true,
+											'aria-required' => true,
+											'value'       => true,
+											'disabled'    => true,
+											'checked'     => true,
+										],
+										'select'   => [
+											'name'         => true,
+											'id'           => true,
+											'class'        => true,
+											'tabindex'     => true,
+											'required'     => true,
+											'aria-hidden'  => true,
+											'aria-required' => true,
+											'value'        => true,
+											'disabled'     => true,
+											'multiple'     => true,
+											'autocomplete' => true,
+											'data-label'   => true,
+											'data-placeholder' => true,
+										],
+										'option'   => [
+											'value'    => true,
+											'selected' => true,
+											'disabled' => true,
+										],
+										'noscript' => [],
+										'iframe'   => [
+											'src' => true,
+										],
+									]
+								)
+							);
+						}
 						?>
 						<?php
 						if ( ! empty( $args['actions'] ) ) :

@@ -649,14 +649,15 @@ public static function add_payment_method_modal() {
 		$content = ob_get_clean();
 		Newspack_UI::generate_modal(
 			[
-				'id'         => 'add-payment-method',
-				'title'      => __( 'Add Payment Method', 'newspack-plugin' ),
-				'content'    => $content,
-				'size'       => 'medium',
-				'form'       => 'POST',
-				'form_class' => 'newspack-ui__accordion newspack-ui__accordion--open',
-				'form_id'    => 'add_payment_method',
-				'actions'    => [
+				'id'              => 'add-payment-method',
+				'title'           => __( 'Add Payment Method', 'newspack-plugin' ),
+				'content'         => $content,
+				'content_is_safe' => true, // Allow the contents of `woocommerce_account_add_payment_method` to be rendered as is.
+				'size'            => 'medium',
+				'form'            => 'POST',
+				'form_class'      => 'newspack-ui__accordion newspack-ui__accordion--open',
+				'form_id'         => 'add_payment_method',
+				'actions'         => [
 					'cancel' => [
 						'label'  => __( 'Cancel', 'newspack-plugin' ),
 						'type'   => 'ghost',
@@ -681,40 +682,44 @@ public static function add_address_modals() {
 		$address_types = \apply_filters( 'woocommerce_my_account_get_addresses', $address_types );
 		foreach ( $address_types as $address_type => $address_name ) {
 			$address = \wc_get_account_formatted_address( $address_type );
+
 			ob_start();
 			\woocommerce_account_edit_address( $address_type );
-				$content          = ob_get_clean();
-				$edit_address_url = \add_query_arg(
-					'edit-address',
-					$address_type,
-					\wc_get_endpoint_url( 'edit-address', $address_type )
-				);
-				Newspack_UI::generate_modal(
-					[
-						'id'          => 'edit-address-' . $address_type,
-						'title'       => ! empty( $address ) ? sprintf(
-							// Translators: %s is the address type.
-							__( 'Edit %s address', 'newspack-plugin' ),
-							$address_type
-						) : sprintf(
-							// Translators: %s is the address type.
-							__( 'Add %s address', 'newspack-plugin' ),
-							$address_type
-						),
-						'content'     => $content,
-						'size'        => 'medium',
-						'form'        => 'POST',
-						'form_id'     => 'edit_address_' . $address_type,
-						'form_action' => $edit_address_url,
-						'actions'     => [
-							'cancel' => [
-								'label'  => __( 'Cancel', 'newspack-plugin' ),
-								'type'   => 'ghost',
-								'action' => 'close',
-							],
+			$content = ob_get_clean();
+
+			$edit_address_url = \add_query_arg(
+				'edit-address',
+				$address_type,
+				\wc_get_endpoint_url( 'edit-address', $address_type )
+			);
+
+			Newspack_UI::generate_modal(
+				[
+					'id'              => 'edit-address-' . $address_type,
+					'title'           => ! empty( $address ) ? sprintf(
+						// Translators: %s is the address type.
+						__( 'Edit %s address', 'newspack-plugin' ),
+						$address_type
+					) : sprintf(
+						// Translators: %s is the address type.
+						__( 'Add %s address', 'newspack-plugin' ),
+						$address_type
+					),
+					'content'         => $content,
+					'content_is_safe' => true, // Allow the contents of `woocommerce_account_edit_address` to be rendered as is.
+					'size'            => 'medium',
+					'form'            => 'POST',
+					'form_id'         => 'edit_address_' . $address_type,
+					'form_action'     => $edit_address_url,
+					'actions'         => [
+						'cancel' => [
+							'label'  => __( 'Cancel', 'newspack-plugin' ),
+							'type'   => 'ghost',
+							'action' => 'close',
 						],
-					]
-				);
+					],
+				]
+			);
 		}
 	}