Skip to content

Commit d3f595e

Browse files
dwainmdwainm
authored
Fix security notices (#8474)
1 parent a8068cf commit d3f595e

File tree

2 files changed

+9
-3
lines changed

2 files changed

+9
-3
lines changed

changelog/fix-multi-currency-phpcs-notices

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
Significance: patch
2+
Type: dev
3+
4+
Escaping error logs and ignoring noticese where there are no issues.

includes/multi-currency/MultiCurrency.php

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -561,7 +561,7 @@ public function update_single_currency_settings( string $currency_code, string $
561561
if ( ! is_numeric( $manual_rate ) || 0 >= $manual_rate ) {
562562
$message = 'Invalid manual currency rate passed to update_single_currency_settings: ' . $manual_rate;
563563
Logger::error( $message );
564-
throw new InvalidCurrencyRateException( $message, 'wcpay_multi_currency_invalid_currency_rate', 500 );
564+
throw new InvalidCurrencyRateException( esc_html( $message ), 'wcpay_multi_currency_invalid_currency_rate', 500 );
565565
}
566566
update_option( 'wcpay_multi_currency_manual_rate_' . $currency_code, $manual_rate );
567567
}
@@ -935,7 +935,7 @@ public function get_raw_conversion( float $amount, string $to_currency, string $
935935
if ( 0 >= $from_currency_rate ) {
936936
$message = 'Invalid rate for from_currency in get_raw_conversion: ' . $from_currency_rate;
937937
Logger::error( $message );
938-
throw new InvalidCurrencyRateException( $message, 'wcpay_multi_currency_invalid_currency_rate', 500 );
938+
throw new InvalidCurrencyRateException( esc_html( $message ), 'wcpay_multi_currency_invalid_currency_rate', 500 );
939939
}
940940

941941
$amount = $amount * ( $to_currency_rate / $from_currency_rate );
@@ -1019,6 +1019,8 @@ public function display_geolocation_currency_update_notice() {
10191019
$notice_id = md5( $message );
10201020

10211021
echo '<p class="woocommerce-store-notice demo_store" data-notice-id="' . esc_attr( $notice_id . 2 ) . '" style="display:none;">';
1022+
// No need to escape here as the function called handles it.
1023+
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
10221024
echo \WC_Payments_Utils::esc_interpolated_html(
10231025
$message,
10241026
[
@@ -1624,7 +1626,7 @@ public function is_initialized(): bool {
16241626
private function log_and_throw_invalid_currency_exception( $method, $currency_code, $code = 500 ) {
16251627
$message = 'Invalid currency passed to ' . $method . ': ' . $currency_code;
16261628
Logger::error( $message );
1627-
throw new InvalidCurrencyException( $message, 'wcpay_multi_currency_invalid_currency', $code );
1629+
throw new InvalidCurrencyException( esc_html( $message ), 'wcpay_multi_currency_invalid_currency', esc_html( $code ) );
16281630
}
16291631

16301632
/**

0 commit comments

Comments
 (0)