Security audit fixes: fn() whitelist, escaping, and performance (v0.1.4)
All checks were successful
Create Release Package / PHP Lint (push) Successful in 1m41s
Create Release Package / Build Release (push) Successful in 1m47s

- WooCommerceExtension: ALLOWED_FUNCTIONS whitelist for fn() Twig function
- Notice templates: data attributes use wp_kses_post instead of raw
- Search form: esc_attr on search query value attribute
- Per-request ContextBuilder caching via static variable
- Shared wc_bootstrap_render_in_page_shell() helper (DRY)
- Removed unused WC_BOOTSTRAP_VERSION and WC_BOOTSTRAP_URL constants

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
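The first bullet of the commit message describes an allow-list for a generic `fn()` Twig function. The code below is an added illustration of that pattern and is not the plugin's own implementation: the names `WooCommerceExtension`, `ALLOWED_FUNCTIONS` and the `fn` Twig function are taken from the commit message, while the method name `callAllowed`, the specific entries in the list and the `wc_price` stand-in are assumptions made for this example. It assumes Twig 3 is installed via Composer.

```php
<?php
// Added example, not the project's code. Demonstrates a Twig `fn()` helper
// that can only dispatch to an explicit allow-list of PHP functions.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFunction;

// Constructed stand-in for WooCommerce's wc_price() so the example runs offline.
if (!function_exists('wc_price')) {
    function wc_price(float $amount): string
    {
        return '<span class="amount">' . number_format($amount, 2) . '</span>';
    }
}

final class WooCommerceExtension extends AbstractExtension
{
    // The only callables a template may reach through fn(). Entries beyond
    // wc_price are assumed for the example. Anything not listed here, e.g.
    // exec, system, file_put_contents or an arbitrary static method, is
    // refused before any call is made.
    private const ALLOWED_FUNCTIONS = [
        'wc_price',
        'wc_get_cart_url',
        'wc_get_checkout_url',
    ];

    public function getFunctions(): array
    {
        // No 'is_safe' option: whatever the target returns is autoescaped by
        // Twig, so a template must opt into |raw per call if it needs HTML.
        return [
            new TwigFunction('fn', [$this, 'callAllowed'], ['is_variadic' => true]),
        ];
    }

    // Variadic: Twig passes the extra positional arguments as $args.
    public function callAllowed(string $name, array $args = []): mixed
    {
        // Strict, case-sensitive comparison. Deliberately no trimming,
        // lowercasing or namespace resolution: "\wc_price", "WC_PRICE" and
        // "wc_price " are all refused rather than normalised.
        if (!in_array($name, self::ALLOWED_FUNCTIONS, true)) {
            throw new RuntimeError(sprintf('fn(): "%s" is not an allowed function', $name));
        }
        if (!function_exists($name)) {
            throw new RuntimeError(sprintf('fn(): "%s" is allowed but not defined', $name));
        }
        return $name(...$args);
    }
}

$twig = new Environment(new ArrayLoader([
    'ok.twig'      => "{{ fn('wc_price', 9.5) }}|{{ fn('wc_price', 9.5)|raw }}",
    'blocked.twig' => "{{ fn('system', 'id') }}",
]));
$twig->addExtension(new WooCommerceExtension());

// Allowed call: first output is autoescaped, second is opted into HTML.
echo $twig->render('ok.twig'), PHP_EOL;

// Disallowed call: refused by the allow-list check, system() is never reached.
try {
    $twig->render('blocked.twig');
} catch (RuntimeError $e) {
    echo 'refused: ', $e->getMessage(), PHP_EOL;
}
```

The check runs against the constant with `in_array(..., true)` before `function_exists`, so the error for a forbidden name never reveals whether that function exists on the host. Keeping the `fn` function unmarked as safe means the whitelist controls which code runs and Twig's autoescaping controls what reaches the page, two independent decisions.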
2026-03-01 01:02:43 +01:00
parent e72b4ba3c1
commit 98359d4cfb
9 changed files with 118 additions and 65 deletions


@@ -17,7 +17,7 @@
{% if notices is defined and notices|length > 0 %}
{% for notice in notices %}
<div class="alert alert-info alert-dismissible fade show woocommerce-info"
{{ notice.data|default('')|raw }}
{{ notice.data|default('')|wp_kses_post }}
role="status">
<i class="bi bi-info-circle me-2" aria-hidden="true"></i>
{{ notice.notice|raw }}
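Review bot: `wp_kses_post` on the replacement line is the wrong tool for this position. The value lands between `class="..."` and `role="status"` inside the opening `<div>` tag, i.e. as bare attribute text, and kses only filters the elements and attributes it finds inside `<...>` tags within a string. A value like `data-id="1" onmouseover="alert(1)"` contains no tag, so it passes through kses unchanged; `|raw` and `|wp_kses_post` produce the same markup here, and the change does not add the protection the commit message claims. If `notice.data` is the attribute string WooCommerce's own notice helper builds, it was already escaped per key and value there and `|raw` was the right call; if it can hold anything else, render the pairs in the template so each part is escaped for attribute context, e.g. `{% for key, value in notice.data %} data-{{ key|e('html_attr') }}="{{ value|e('html_attr') }}"{% endfor %}`. Either way, please confirm the `wp_kses_post` Twig filter is registered with `'is_safe' => ['html']`; if it is not, autoescaping entity-encodes the quotes and the attributes break, which nothing in this hunk shows.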