Escape html chars for order items

emilleszczak2 · emilleszczak2 · commit f84f9295ca33 · 2021-08-26T19:47:29.000+02:00
diff --git a/src/includes/class-paynow-gateway.php b/src/includes/class-paynow-gateway.php
@@ -81,25 +81,25 @@ public function payment_request( WC_Order $order, $return_url, $payment_method_i
 			foreach ( $order->get_items() as $item ) {
 				$product       = $item->get_product();
 				$order_items[] = [
-					'name'     => $product->get_title(),
+					'name'     => esc_html( $product->get_title() ),
 					'category' => WC_Pay_By_Paynow_PL_Helper::get_product_categories( $product->get_id() ),
 					'quantity' => $item->get_quantity(),
 					'price'    => WC_Pay_By_Paynow_PL_Helper::get_amount( WC_Pay_By_Paynow_PL_Helper::is_old_wc_version() ? wc_price( wc_get_price_including_tax( $product ) ) : $product->get_price_including_tax() )
 				];
 			}
 
-            $order_items = array_filter( $order_items, function ( $item ) {
-                return ! empty( $item['category'] );
-            } );
+			$order_items = array_filter( $order_items, function ( $item ) {
+				return ! empty( $item['category'] );
+			} );
 
 			if ( ! empty( $order_items ) ) {
 				$payment_data['orderItems'] = $order_items;
 			}
 		}
 
-        if ( $this->settings['use_payment_validity_time_flag'] === 'yes' ) {
-            $payment_data['validityTime'] = $this->settings['payment_validity_time'];
-        }
+		if ( $this->settings['use_payment_validity_time_flag'] === 'yes' ) {
+			$payment_data['validityTime'] = $this->settings['payment_validity_time'];
+		}
 
 		$idempotency_key = substr( uniqid( $order_id, true ), 0, 36 );
 		$payment         = new Payment( $this->client );
diff --git a/src/includes/class-wc-pay-by-paynow-pl-helper.php b/src/includes/class-wc-pay-by-paynow-pl-helper.php
@@ -96,7 +96,7 @@ public static function get_product_categories( $product_id ) {
 
 		$categories = [];
 		foreach ( $terms as $term ) {
-			$categories[] = $term->name;
+			$categories[] = esc_html($term->name);
 		}
 
 		return implode( ', ', $categories );

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ public static function get_product_categories( $product_id ) {`
`96`	`96`
`97`	`97`	`$categories = [];`
`98`	`98`	`foreach ( $terms as $term ) {`
`99`		`- $categories[] = $term->name;`
	`99`	`+ $categories[] = esc_html($term->name);`
`100`	`100`	`}`
`101`	`101`
`102`	`102`	`return implode( ', ', $categories );`