Removed filter + sanitizing POST string

Automattic · Jan 8, 2024 · e37202f · e37202f
1 parent 4ce48d4
commit e37202f
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 28 deletions.
diff --git a/client/checkout/woopay/express-button/use-express-checkout-product-handler.js b/client/checkout/woopay/express-button/use-express-checkout-product-handler.js
@@ -2,7 +2,6 @@
  * External dependencies
  */
 import validator from 'validator';
-import { applyFilters } from '@wordpress/hooks';
 
 const useExpressCheckoutProductHandler = ( api ) => {
 	const getAttributes = () => {
@@ -105,24 +104,12 @@ const useExpressCheckoutProductHandler = ( api ) => {
 		}
 
 		const addOnForm = document.querySelector( 'form.cart' );
-		let allowedFieldNames = applyFilters(
-			'wcpayPaymentRequestAllowedFieldNames',
-			[]
-		);
-		// Ensure allowedFieldNames is an array.
-		if ( ! Array.isArray( allowedFieldNames ) ) {
-			allowedFieldNames = [ allowedFieldNames ];
-		}
 
 		if ( addOnForm ) {
 			const formData = new FormData( addOnForm );
 
 			formData.forEach( ( value, name ) => {
-				if (
-					/^addon-/.test( name ) ||
-					/^wc_/.test( name ) ||
-					allowedFieldNames.includes( name )
-				) {
+				if ( /^(addon-|wc_)/.test( name ) ) {
 					if ( /\[\]$/.test( name ) ) {
 						const fieldName = name.substring( 0, name.length - 2 );
 

diff --git a/client/payment-request/index.js b/client/payment-request/index.js
@@ -3,7 +3,7 @@
  * External dependencies
  */
 import { __ } from '@wordpress/i18n';
-import { applyFilters, doAction } from '@wordpress/hooks';
+import { doAction } from '@wordpress/hooks';
 import { debounce } from 'lodash';
 /**
  * Internal dependencies
@@ -189,19 +189,8 @@ jQuery( ( $ ) => {
 
 			// Add addons data to the POST body
 			const formData = $( 'form.cart' ).serializeArray();
-			let allowedFieldNames = applyFilters(
-				'wcpayPaymentRequestAllowedFieldNames',
-				[]
-			);
-			// Ensure allowedFieldNames is an array.
-			if ( ! Array.isArray( allowedFieldNames ) ) {
-				allowedFieldNames = [ allowedFieldNames ];
-			}
 			$.each( formData, ( i, field ) => {
-				if (
-					allowedFieldNames.includes( field.name ) ||
-					/^(addon-|wc_)/.test( field.name )
-				) {
+				if ( /^(addon-|wc_)/.test( field.name ) ) {
 					if ( /\[\]$/.test( field.name ) ) {
 						const fieldName = field.name.substring(
 							0,

diff --git a/includes/class-wc-payments-payment-request-button-handler.php b/includes/class-wc-payments-payment-request-button-handler.php
@@ -1062,7 +1062,7 @@ public function ajax_get_selected_product_data() {
 			$product      = wc_get_product( $product_id );
 			$variation_id = null;
 			$currency     = get_woocommerce_currency();
-			$is_deposit   = isset( $_POST['wc_deposit_option'] ) ? 'yes' === $_POST['wc_deposit_option'] : null;
+			$is_deposit   = isset( $_POST['wc_deposit_option'] ) ? 'yes' === sanitize_text_field( wp_unslash( $_POST['wc_deposit_option'] ) ) : null;
 
 			if ( ! is_a( $product, 'WC_Product' ) ) {
 				/* translators: product ID */