Security audit fixes: fn() whitelist, escaping, and performance (v0.1.4)

- WooCommerceExtension: ALLOWED_FUNCTIONS whitelist for fn() Twig function - Notice templates: data attributes use wp_kses_post instead of raw - Search form: esc_attr on search query value attribute - Per-request ContextBuilder caching via static variable - Shared wc_bootstrap_render_in_page_shell() helper (DRY) - Removed unused WC_BOOTSTRAP_VERSION and WC_BOOTSTRAP_URL constants Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-01 01:02:43 +01:00
parent e72b4ba3c1
commit 98359d4cfb
9 changed files with 118 additions and 65 deletions
--- a/templates/notices/error.html.twig
+++ b/templates/notices/error.html.twig
@@ -23,7 +23,7 @@
        {% else %}
            <ul class="mb-0 ps-3">
                {% for notice in notices %}
-                    <li {{ notice.data|default('')|raw }}>
+                    <li {{ notice.data|default('')|wp_kses_post }}>
                        {{ notice.notice|raw }}
                    </li>
                {% endfor %}
--- a/templates/notices/notice.html.twig
+++ b/templates/notices/notice.html.twig
@@ -17,7 +17,7 @@
 {% if notices is defined and notices|length > 0 %}
    {% for notice in notices %}
        <div class="alert alert-info alert-dismissible fade show woocommerce-info"
-             {{ notice.data|default('')|raw }}
+             {{ notice.data|default('')|wp_kses_post }}
             role="status">
            <i class="bi bi-info-circle me-2" aria-hidden="true"></i>
            {{ notice.notice|raw }}
--- a/templates/notices/success.html.twig
+++ b/templates/notices/success.html.twig
@@ -17,7 +17,7 @@
 {% if notices is defined and notices|length > 0 %}
    {% for notice in notices %}
        <div class="alert alert-success alert-dismissible fade show woocommerce-message"
-             {{ notice.data|default('')|raw }}
+             {{ notice.data|default('')|wp_kses_post }}
             role="alert">
            <i class="bi bi-check-circle me-2" aria-hidden="true"></i>
            {{ notice.notice|raw }}
--- a/templates/product-searchform.html.twig
+++ b/templates/product-searchform.html.twig
@@ -21,7 +21,7 @@
               id="{{ field_id }}"
               class="form-control"
               placeholder="{{ __('Search products…') }}"
-               value="{{ get_search_query() }}"
+               value="{{ get_search_query()|esc_attr }}"
               name="s" />
        <button type="submit" class="btn btn-outline-primary" aria-label="{{ __('Search') }}">
            <i class="bi bi-search" aria-hidden="true"></i>