• G’day,

    I notice that the plugin does not properly escape attributes when building a product widget. This means that product names with apostrophes are truncated, and invalid attributes result. Here’s a fix for the function that creates the widget:

    function wc_yotpo_show_widget() {
        $product = get_product();
        // Only render the widget when reviews (comments) are open for this product.
        if ( $product->post->comment_status == 'open' ) {
            $product_data = wc_yotpo_get_product_data( $product );
            // Every value is passed through esc_attr() so that quotes and other
            // HTML-significant characters cannot terminate the attribute early.
            $yotpo_div = "<div class='yotpo yotpo-main-widget'"
                . " data-product-id='" . esc_attr( $product_data['id'] ) . "'"
                . " data-name='" . esc_attr( $product_data['title'] ) . "'"
                . " data-url='" . esc_attr( $product_data['url'] ) . "'"
                . " data-image-url='" . esc_attr( $product_data['image-url'] ) . "'"
                . " data-description='" . esc_attr( $product_data['description'] ) . "'"
                . " data-lang='" . esc_attr( $product_data['lang'] ) . "'></div>";
            echo $yotpo_div;
        }
    }

    NB: there are other instances in this plugin that would benefit from similar treatment. Please read about esc_attr() and other sanitisation functions.

    cheers,
    Ross

    https://www.ads-software.com/plugins/yotpo-social-reviews-for-woocommerce/
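The following stand-alone PHP script is an added illustration of the defect and fix described in the post above; it is not the plugin's or Ross's code. It assumes a stand-in esc_attr() (htmlspecialchars with ENT_QUOTES, which is what WordPress's esc_attr() does for quotes) so it runs outside WordPress, and uses a constructed product record with an apostrophe in its title; the DOMDocument check shows what a browser-style parser actually recovers from each version.

```php
<?php
// Added example, not plugin code. Outside WordPress esc_attr() is undefined,
// so a stand-in with the same ENT_QUOTES behaviour is declared here.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Unescaped builder: reproduces the truncation reported in the post.
function widget_unescaped( array $product_data ) {
    return "<div class='yotpo yotpo-main-widget'"
        . " data-product-id='" . $product_data['id'] . "'"
        . " data-name='" . $product_data['title'] . "'></div>";
}

// Escaped builder: each value goes through esc_attr() before insertion.
function widget_escaped( array $product_data ) {
    return "<div class='yotpo yotpo-main-widget'"
        . " data-product-id='" . esc_attr( $product_data['id'] ) . "'"
        . " data-name='" . esc_attr( $product_data['title'] ) . "'></div>";
}

// Parse the markup the way a browser would and return what data-name ended up as.
function parsed_data_name( $html ) {
    libxml_use_internal_errors( true );
    $doc = new DOMDocument();
    $doc->loadHTML( '<!DOCTYPE html><html><body>' . $html . '</body></html>' );
    libxml_clear_errors();
    $div = $doc->getElementsByTagName( 'div' )->item( 0 );
    return $div ? $div->getAttribute( 'data-name' ) : null;
}

// Constructed sample product (hypothetical values) whose title contains an apostrophe.
$product_data = array( 'id' => 42, 'title' => "Ross's Widget" );

foreach ( array( 'unescaped' => widget_unescaped( $product_data ),
                 'escaped'   => widget_escaped( $product_data ) ) as $label => $html ) {
    echo $label, ': ', $html, PHP_EOL;
    echo '  parsed data-name => ', var_export( parsed_data_name( $html ), true ), PHP_EOL;
}
// Unescaped: data-name='Ross's Widget' closes at the second quote, so the
// parser keeps only "Ross" and treats the rest as stray attributes.
// Escaped: data-name='Ross&#039;s Widget' round-trips to "Ross's Widget".
```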

  • The topic ‘widget attribute values not properly escaped’ is closed to new replies.