magdev/wc-bootstrap
1
Fork 0
Code Issues Pull Requests Actions Releases 8 Activity

Security audit fixes: fn() whitelist, escaping, and performance (v0.1.4)
All checks were successful
Create Release Package / PHP Lint (push) Successful in 1m41s
Details
Create Release Package / Build Release (push) Successful in 1m47s
Details

Browse Source 
- WooCommerceExtension: ALLOWED_FUNCTIONS whitelist for fn() Twig function
- Notice templates: data attributes use wp_kses_post instead of raw
- Search form: esc_attr on search query value attribute
- Per-request ContextBuilder caching via static variable
- Shared wc_bootstrap_render_in_page_shell() helper (DRY)
- Removed unused WC_BOOTSTRAP_VERSION and WC_BOOTSTRAP_URL constants

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Marco Grätsch
2026-03-01 01:02:43 +01:00
parent e72b4ba3c1
commit 98359d4cfb
9 changed files with 118 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
CLAUDE.md
View File

@@ -327,10 +327,29 @@ The child theme inherits from `wp-bootstrap` via WordPress `Template: wp-bootstr
## Version History
Current version: **v0.1.3**
Current version: **v0.1.4**
## Session History
### 2026-03-01 — v0.1.4 Security Audit & Performance Fixes
**Scope:** Cross-theme security audit (12 findings), all fixed. Covers fn() whitelist, notice data escaping, search query escaping, per-request context caching, shared render helper, and unused constant removal.
**Files changed (6):**
- `inc/Twig/WooCommerceExtension.php` — Added `ALLOWED_FUNCTIONS` whitelist to `callFunction()`. Only 6 functions (`WC`, `_n`, `get_pagenum_link`, `wc_review_ratings_enabled`, `wc_get_product_category_list`, `wc_get_product_tag_list`) are permitted.
- `templates/notices/success.html.twig``notice.data|raw``notice.data|wp_kses_post`
- `templates/notices/error.html.twig``notice.data|raw``notice.data|wp_kses_post`
- `templates/notices/notice.html.twig``notice.data|raw``notice.data|wp_kses_post`
- `templates/product-searchform.html.twig` — Added `|esc_attr` on `get_search_query()` value
- `functions.php` — Removed unused `WC_BOOTSTRAP_VERSION`/`WC_BOOTSTRAP_URL` constants. Added `wc_bootstrap_get_theme_context()` with static caching and `wc_bootstrap_render_in_page_shell()` helper. Refactored 3 render functions to use shared helpers.
**Key decisions:**
- **fn() whitelist defense-in-depth**: Template files are static PHP, not user-editable, so exploitation requires file write access. Whitelist added anyway as defense-in-depth to prevent `exec()`, `system()`, etc. if template context were ever compromised.
- **`|wp_kses_post` over `|raw` for data attributes**: WooCommerce sanitizes notice data, but belt-and-suspenders approach prevents XSS if upstream behavior changes.
- **Static variable caching over transients**: Per-request `static $cached_context` is sufficient since WooCommerce pages build context once. No transient overhead or invalidation needed.
### 2026-02-28 — My Account Bootstrap 5 Polish
**Scope:** Redesigned 8 my-account Twig templates + CSS overrides to feel like a polished Bootstrap 5 application.