Commit 5b8d60ae268 for woocommerce

commit 5b8d60ae26812c58eab4db1998672b5cafcdc919
Author: woocommercebot <30233865+woocommercebot@users.noreply.github.com>
Date:   Tue Mar 10 15:09:48 2026 +0000

    [Backport to trunk] Apply patch 440 (#63617)

    Apply patch 440 (#63616)

    Co-authored-by: Taha Paksu <3295+tpaksu@users.noreply.github.com>

diff --git a/plugins/woocommerce/changelog/opr-fix-receipt-note-xss b/plugins/woocommerce/changelog/opr-fix-receipt-note-xss
new file mode 100644
index 00000000000..f5b44b5c454
--- /dev/null
+++ b/plugins/woocommerce/changelog/opr-fix-receipt-note-xss
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Prevent stored XSS on order notes added via REST API
diff --git a/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-order-notes-v1-controller.php b/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-order-notes-v1-controller.php
index b057cfda816..33e2a43ec99 100644
--- a/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-order-notes-v1-controller.php
+++ b/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-order-notes-v1-controller.php
@@ -66,9 +66,10 @@ class WC_REST_Order_Notes_V1_Controller extends WC_REST_Controller {
 				'permission_callback' => array( $this, 'create_item_permissions_check' ),
 				'args'                => array_merge( $this->get_endpoint_args_for_item_schema( WP_REST_Server::CREATABLE ), array(
 					'note' => array(
-						'type'        => 'string',
-						'description' => __( 'Order note content.', 'woocommerce' ),
-						'required'    => true,
+						'type'              => 'string',
+						'description'       => __( 'Order note content.', 'woocommerce' ),
+						'required'          => true,
+						'sanitize_callback' => 'wp_kses_post',
 					),
 				) ),
 			),
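Review bot: The `sanitize_callback` on `note` only covers notes created through this REST route; notes already stored before the patch, and any other write path to order notes (admin UI, direct `add_order_note()` callers, which are not visible here), are not touched by it, so the output-side escaping in the templates is the load-bearing fix and this is defence in depth. Worth a one-line comment so a future maintainer does not remove it as redundant, e.g. `// Strip disallowed markup at the boundary; output is also escaped, but stored notes are reused by several templates.` Setting `sanitize_callback` also replaces the default `rest_sanitize_request_arg` schema sanitization for this argument, which is fine for a `string` but should be a conscious choice. If the V2/V3 controllers inherit this `register_routes()` they pick the change up too; if they redefine the `note` argument they need the same callback — I cannot tell from this hunk.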
diff --git a/plugins/woocommerce/src/Internal/ReceiptRendering/Templates/order-receipt.php b/plugins/woocommerce/src/Internal/ReceiptRendering/Templates/order-receipt.php
index 264c20108c0..366adcfa8d9 100644
--- a/plugins/woocommerce/src/Internal/ReceiptRendering/Templates/order-receipt.php
+++ b/plugins/woocommerce/src/Internal/ReceiptRendering/Templates/order-receipt.php
@@ -49,7 +49,7 @@
 <?php if ( ! empty( $data['notes'] ) ) { ?>
 	<h3 id="order_notes_section_title"><?php echo strtoupper( $data['texts']['order_notes_section_title'] ); ?></h3>
 	<?php foreach ( $data['notes'] as $note ) { ?>
-		<p><?php echo $note; ?></p>
+		<p><?php echo wp_kses_post( $note ); ?></p>
 		<?php
 	}
 }
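Review bot: `wp_kses_post( $note )` permits a fairly broad HTML allow-list (links, images, formatting), so if receipt notes are meant to be plain text the tighter escape is `esc_html( $note )`; if notes are expected to carry markup, keep `wp_kses_post` but say so, e.g. `<p><?php echo wp_kses_post( $note ); // notes may contain limited HTML; kses strips scripts/handlers ?></p>`. I cannot see where `$data['notes']` is built, so whether the values are already HTML (e.g. run through `wpautop`) or raw comment content is not visible from this hunk. The section title on the line above is still echoed unescaped; it appears to come from translated text rather than user input, but `esc_html()` there would cost nothing.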
diff --git a/plugins/woocommerce/templates/myaccount/view-order.php b/plugins/woocommerce/templates/myaccount/view-order.php
index d851b760284..2a3862a6a3f 100644
--- a/plugins/woocommerce/templates/myaccount/view-order.php
+++ b/plugins/woocommerce/templates/myaccount/view-order.php
@@ -14,7 +14,7 @@
  *
  * @see     https://woocommerce.com/document/template-structure/
  * @package WooCommerce\Templates
- * @version 10.1.0
+ * @version 10.6.0
  */

 defined( 'ABSPATH' ) || exit;
@@ -56,7 +56,7 @@ echo wp_kses_post(
 				<div class="woocommerce-OrderUpdate-text comment-text">
 					<p class="woocommerce-OrderUpdate-meta meta"><?php echo date_i18n( esc_html__( 'l jS \o\f F Y, h:ia', 'woocommerce' ), strtotime( $note->comment_date ) ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?></p>
 					<div class="woocommerce-OrderUpdate-description description">
-						<?php echo wpautop( wptexturize( $note->comment_content ) ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
+						<?php echo wp_kses_post( wpautop( wptexturize( $note->comment_content ) ) ); ?>
 					</div>
 					<div class="clear"></div>
 				</div>
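Review bot: Because `myaccount/view-order.php` is a theme-overridable template, stores that ship their own copy keep the old unescaped `echo wpautop( wptexturize( $note->comment_content ) )`; the `@version 10.6.0` bump only surfaces an "outdated template" notice and does not fix the override. That is worth stating in the release note or a short comment above the echo, e.g. `// Escape last: wp_kses_post keeps the <p>/<br> emitted by wpautop but strips scripts and event handlers.` Other places that echo `comment_content` for customer notes, such as email templates, are not in this diff and should be checked for the same pattern. The enclosing `foreach` over the notes starts before this hunk.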
diff --git a/plugins/woocommerce/templates/order/tracking.php b/plugins/woocommerce/templates/order/tracking.php
index 9862ed49487..fe3b2d792cd 100644
--- a/plugins/woocommerce/templates/order/tracking.php
+++ b/plugins/woocommerce/templates/order/tracking.php
@@ -12,7 +12,7 @@
  *
  * @see https://woocommerce.com/document/template-structure/
  * @package WooCommerce\Templates
- * @version 10.1.0
+ * @version 10.6.0
  */

 defined( 'ABSPATH' ) || exit;
@@ -54,7 +54,7 @@ $notes = $order->get_customer_order_notes();
 				<div class="comment-text">
 					<p class="meta"><?php echo date_i18n( esc_html__( 'l jS \o\f F Y, h:ia', 'woocommerce' ), strtotime( $note->comment_date ) ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?></p>
 					<div class="description">
-						<?php echo wpautop( wptexturize( $note->comment_content ) ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
+						<?php echo wp_kses_post( wpautop( wptexturize( $note->comment_content ) ) ); ?>
 					</div>
 					<div class="clear"></div>
 				</div>
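Review bot: The `wp_kses_post( wpautop( wptexturize( ... ) ) )` chain is now duplicated verbatim between `order/tracking.php` and `myaccount/view-order.php`, so a future tweak to one (or a stricter escape) can silently diverge from the other; a small shared helper returning the escaped note HTML, called from both templates, would keep them aligned. The ordering itself is correct — `wp_kses_post` must run last so the `<p>`/`<br>` added by `wpautop` survive while injected markup in `comment_content` does not — and deserves a one-line comment, e.g. `// Escape after wpautop/wptexturize so their markup is kept and stored HTML is filtered.` As with view-order.php, theme overrides of this template retain the old raw echo and are only flagged, not fixed, by the version bump. `$notes` comes from `get_customer_order_notes()` at the top of the hunk, so these are customer-visible notes; the `foreach` that iterates them begins outside the hunk.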