Changed wc_clean sanitization to checking for valid utf8 and the inpu…

…t is later sanitized by WordPress db layer. It caused issues in 2 places: Order item name (product name) and user's password.
koikaam · Aug 6, 2018 · 925002b · 925002b
1 parent 97fcc50
commit 925002b
Show file tree

Hide file tree

Showing 5 changed files with 7 additions and 4 deletions.
diff --git a/includes/admin/wc-admin-functions.php b/includes/admin/wc-admin-functions.php
@@ -208,7 +208,7 @@ function wc_save_order_items( $order_id, $items ) {
 			$item_data = array();
 
 			foreach ( $data_keys as $key => $default ) {
-				$item_data[ $key ] = isset( $items[ $key ][ $item_id ] ) ? wc_clean( wp_unslash( $items[ $key ][ $item_id ] ) ) : $default;
+				$item_data[ $key ] = isset( $items[ $key ][ $item_id ] ) ? wp_check_invalid_utf8( wp_unslash( $items[ $key ][ $item_id ] ) ) : $default;
 			}
 
 			if ( '0' === $item_data['order_item_qty'] ) {

diff --git a/includes/api/v1/class-wc-rest-customers-controller.php b/includes/api/v1/class-wc-rest-customers-controller.php
@@ -419,7 +419,7 @@ public function update_item( $request ) {
 
 			// Customer password.
 			if ( isset( $request['password'] ) ) {
-				$customer->set_password( wc_clean( $request['password'] ) );
+				$customer->set_password( wp_check_invalid_utf8( $request['password'] ) );
 			}
 
 			$this->update_customer_meta_fields( $customer, $request );

diff --git a/includes/class-wc-checkout.php b/includes/class-wc-checkout.php
@@ -615,6 +615,9 @@ public function get_posted_data() {
 					case 'textarea':
 						$value = isset( $_POST[ $key ] ) ? wc_sanitize_textarea( wp_unslash( $_POST[ $key ] ) ) : ''; // WPCS: input var ok, CSRF ok.
 						break;
+					case 'password':
+						$value = isset( $_POST[ $key ] ) ? wp_check_invalid_utf8( wp_unslash( $_POST[ $key ] ) ) : ''; // WPCS: input var ok, CSRF ok.
+						break;
 					default:
 						$value = isset( $_POST[ $key ] ) ? wc_clean( wp_unslash( $_POST[ $key ] ) ) : ''; // WPCS: input var ok, CSRF ok.
 						break;

diff --git a/includes/class-wc-customer.php b/includes/class-wc-customer.php
@@ -294,7 +294,7 @@ public function set_calculated_shipping( $calculated = true ) {
 	 * @param string $password Password.
 	 */
 	public function set_password( $password ) {
-		$this->password = wc_clean( $password );
+		$this->password = wp_check_invalid_utf8( $password );
 	}
 
 	/**

diff --git a/includes/class-wc-order-item.php b/includes/class-wc-order-item.php
@@ -186,7 +186,7 @@ public function set_order_id( $value ) {
 	 * @param string $value Item name.
 	 */
 	public function set_name( $value ) {
-		$this->set_prop( 'name', wc_clean( $value ) );
+		$this->set_prop( 'name', wp_check_invalid_utf8( $value ) );
 	}
 
 	/*