[dev] 9.8 → trunk sync (#55)

* Prep release/9.8 for 9.8 cycle (woocommerce#56031)

Prep release/9.8 for 9.8 cycle with version bump to 9.8.0-beta.1

Co-authored-by: WooCommerce Bot <[email protected]>

* Release: Prepare the changelog for 9.8 (woocommerce#56035)

* Delete changelog files from 9.8 release

* Update the readme files for the 9.8 release

* Update release date

---------

Co-authored-by: WooCommerce Bot <[email protected]>
Co-authored-by: Jorge Torres <[email protected]>

* Cherry pick 56047 into frozen release: release/9.8 (woocommerce#56057)

Fix combine 415 403 (woocommerce#56047)

* Secure “Generate coupon code” button

* Secure “Export products” button

* Secure “Import products” button

* Secure inline error messages

* Secure link inside inline error messages

* Remove “onChangeShippingMethodSelector”

* Add changelog message

* Secure “Read more” button

* Added changelog.

* Added element creation to avoid appending text to jQuery Object.

---------

Co-authored-by: Alba Rincón <[email protected]>
Co-authored-by: Niels Lange <[email protected]>
Co-authored-by: Paulo Arromba <[email protected]>

* Cherry pick 56048 into frozen release: release/9.8 (woocommerce#56060)

Remove decodeEntities from the product name used on cart & checkout (woocommerce#56048)

revert using RawHTML because it renders an extra div inside the <a> tag

Co-authored-by: Alba Rincón <[email protected]>
Co-authored-by: Alex Florisca <[email protected]>

* Prevent Fatal Error on malformed pagination query (woocommerce#56049)

* Avoid fatal by casting page number to integer

Cast page number to integer when generating aria-label to ensure proper number formatting

* Add changefile(s) from automation for the following project(s): woocommerce

---------

Co-authored-by: github-actions <[email protected]>

* Fix email accent color causing invisible text in emails (woocommerce#56061)

* Use theme button background color as accent color in emails

* Add changelog

* Update tests

* Fix textdomain loading warning in woocommerce 9 80 beta 1 (woocommerce#56133)

* Refactor Email Editor Integration Initialization from using FeaturesUtil to `get_option`

Using FeaturesUtil::feature_is_enabled here triggers a Translation loading early warning message on WordPress 6.8 Beta

* Add change log file

* Delete Transients: avoid running statements without options_to_clear. (woocommerce#56136)

* Delete Transients: avoid running statements without options_to_clear.

* Add changefile(s) from automation for the following project(s): woocommerce

* Delete Transients: adds test case.

* Fixes spelling.

* Fixes _wc_delete_transients call.

* Linting.

* Fix linter white space

* Returns early.

---------

Co-authored-by: cpap <[email protected]>
Co-authored-by: github-actions <[email protected]>
Co-authored-by: Tom Cafferkey <[email protected]>

* Cherry pick e2e test fixes 56083 and 56121 to 9.8 (woocommerce#56163)

* [e2e-utils] Update editor-canvas locator to support updates in Gutenberg nightly (woocommerce#56083)

* [e2e tests] Fixes to support WP core 6.8 (woocommerce#56121)

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: WooCommerce Bot <[email protected]>
Co-authored-by: Alba Rincón <[email protected]>
Co-authored-by: Niels Lange <[email protected]>
Co-authored-by: Paulo Arromba <[email protected]>
Co-authored-by: Alex Florisca <[email protected]>
Co-authored-by: Luigi Teschio <[email protected]>
Co-authored-by: github-actions <[email protected]>
Co-authored-by: Ján Mikláš <[email protected]>
Co-authored-by: Oluwaseun Olorunsola <[email protected]>
Co-authored-by: Harris Papazoglou <[email protected]>
Co-authored-by: cpap <[email protected]>
Co-authored-by: Tom Cafferkey <[email protected]>
Co-authored-by: Adrian Moldovan <[email protected]>

Author: 15 people

packages/js/e2e-utils-playwright/changelog/e2e-utils-playwright-fix-editor-canvas-locator-gb-20.6

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Updated the editor canvas frame locator to support changes in Gutenberg 20.6

plugins/woocommerce/changelog/414-appending-coupon-notices-as-elements

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Improved shortcode cart and checkout coupon notices by appending elements instead of text.

plugins/woocommerce/changelog/56049-56015-fatal-errors-caused-by-wc_add_aria_label_to_pagination_numbers

@@ -0,0 +1,4 @@
+Significance: minor
+Type: fix
+
+Avoid fatal by casting page number to integer

plugins/woocommerce/changelog/56059-email-accent-color

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Fix email accent color causing invisible text in emails

plugins/woocommerce/changelog/56136-fix-wc_delete_transients

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Fixes an error when `_wc_delete_transients` is called but there aren't any transients stored in DB to delete yet.

plugins/woocommerce/changelog/fix-394-secure-HTML-elements

@@ -0,0 +1,4 @@
+Significance: patch
+Type: update
+
+Replaced concatenated string-based HTML elements in JS with createElement().

plugins/woocommerce/changelog/fix-product-editor-xss

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Fix an xss vulnerability in the cart & checkout blocks

plugins/woocommerce/changelog/fix-textdomain-loading-warning-in-woocommerce-9-80-beta-1

@@ -0,0 +1,4 @@
+Significance: patch
+Type: tweak
+
+Switch from using FeaturesUtil to get_option for the Email Editor Integration package

plugins/woocommerce/client/blocks/assets/js/base/components/product-name/index.tsx

@@ -1,7 +1,6 @@
 /**
  * External dependencies
  */
-import { decodeEntities } from '@wordpress/html-entities';
 import clsx from 'clsx';
 import type { AnchorHTMLAttributes, HTMLAttributes } from 'react';
 
@@ -55,9 +54,6 @@ export const ProductName = ( {
 }: ProductNameProps ): JSX.Element => {
 	const classes = clsx( 'wc-block-components-product-name', className );
 	const DisabledTagName = disabledTagName as DisabledTagNameType;
-	// This HTML is safe because the store API runs titles through `wp_kses_post()` which removes dangerous HTML tags.
-	// Ref: https://github.com/woocommerce/woocommerce/blob/trunk/src/StoreApi/Schemas/V1/ProductSchema.php#L100
-	const decodedName = decodeEntities( name );
 
 	if ( disabled ) {
 		const disabledProps = props as HTMLAttributes<
@@ -69,7 +65,7 @@ export const ProductName = ( {
 				{ ...disabledProps }
 				// eslint-disable-next-line react/no-danger
 				dangerouslySetInnerHTML={ {
-					__html: decodedName,
+					__html: name,
 				} }
 			/>
 		);
@@ -82,7 +78,7 @@ export const ProductName = ( {
 			{ ...props }
 			// eslint-disable-next-line react/no-danger
 			dangerouslySetInnerHTML={ {
-				__html: decodedName,
+				__html: name,
 			} }
 			style={ style }
 		/>

plugins/woocommerce/client/blocks/assets/js/base/components/read-more/trim-html.js

@@ -105,12 +105,12 @@ export function trimHtml( html, options ) {
 				row = charArr.slice( 0, cut ).join( '' ) + suffix;
 
 				if ( moreLink ) {
-					row +=
-						'<a href="' +
-						moreLink +
-						'" style="display:inline">' +
-						moreText +
-						'</a>';
+					const link = document.createElement( 'a' );
+					link.href = moreLink;
+					link.style.display = 'inline';
+					link.textContent = moreText;
+
+					row += link.outerHTML;
 				}
 
 				sum = limit;

plugins/woocommerce/client/legacy/js/admin/meta-boxes-coupon.js

@@ -38,14 +38,19 @@ jQuery(function( $ ) {
 			}
         },
 
-        /**
-         * Insert generate coupon code button HTML.
-         */
-        insert_generate_coupon_code_button: function() {
-			$( '.post-type-shop_coupon' ).find( '#title' ).after(
-				'<a href="#" class="button generate-coupon-code">' + woocommerce_admin_meta_boxes_coupon.generate_button_text + '</a>'
-			);
-        },
+		/**
+		 * Insert generate coupon code button HTML.
+		 */
+		insert_generate_coupon_code_button: function () {
+			const $title = $('.post-type-shop_coupon').find('#title');
+			const button = document.createElement('a');
+			button.href = '#';
+			button.className = 'button generate-coupon-code';
+			button.textContent =
+				woocommerce_admin_meta_boxes_coupon.generate_button_text;
+
+			$title.after(button);
+		},
 
 		/**
 		 * Generate a random coupon code

plugins/woocommerce/client/legacy/js/admin/wc-shipping-zone-methods.js

@@ -104,7 +104,6 @@
 					$( document.body ).on( 'wc_backbone_modal_next_response', this.onAddShippingMethodSubmitted );
 					$( document.body ).on( 'wc_backbone_modal_before_remove', this.onCloseConfigureShippingMethod );
 					$( document.body ).on( 'wc_backbone_modal_back_response', this.onConfigureShippingMethodBack );
-					$( document.body ).on( 'change', '.wc-shipping-zone-method-selector select', this.onChangeShippingMethodSelector );
 					$( document.body ).on( 'click', '.wc-shipping-zone-postcodes-toggle', this.onTogglePostcodes );
 					$( document.body ).on( 'wc_backbone_modal_validation', { view: this }, this.validateFormArguments );
 					$( document.body ).on( 'wc_backbone_modal_loaded', { view: this }, this.onModalLoaded );
@@ -751,11 +750,6 @@
 						}
 					}
 				},
-				onChangeShippingMethodSelector: function() {
-					var description = $( this ).find( 'option:selected' ).data( 'description' );
-					$( this ).parent().find( '.wc-shipping-zone-method-description' ).remove();
-					$( this ).after( '<div class="wc-shipping-zone-method-description">' + description + '</div>' );
-				},
 				onTogglePostcodes: function( event ) {
 					event.preventDefault();
 					var $tr = $( this ).closest( 'tr');

plugins/woocommerce/client/legacy/js/admin/woocommerce_admin.js

@@ -17,22 +17,20 @@
 					.attr( 'href', woocommerce_admin.urls.add_product );
 			}
 			if ( woocommerce_admin.urls.export_products ) {
-				$title_action.after(
-					'<a href="' +
-						woocommerce_admin.urls.export_products +
-						'" class="page-title-action">' +
-						woocommerce_admin.strings.export_products +
-						'</a>'
-				);
+				const exportLink = document.createElement('a');
+				exportLink.href = woocommerce_admin.urls.export_products;
+				exportLink.className = 'page-title-action';
+				exportLink.textContent = woocommerce_admin.strings.export_products;
+
+				$title_action.after(exportLink);
 			}
 			if ( woocommerce_admin.urls.import_products ) {
-				$title_action.after(
-					'<a href="' +
-						woocommerce_admin.urls.import_products +
-						'" class="page-title-action">' +
-						woocommerce_admin.strings.import_products +
-						'</a>'
-				);
+				const importLink = document.createElement('a');
+				importLink.href = woocommerce_admin.urls.import_products;
+				importLink.className = 'page-title-action';
+				importLink.textContent = woocommerce_admin.strings.import_products;
+
+				$title_action.after(importLink);
 			}
 		} else {
 			$title_action.hide();

plugins/woocommerce/client/legacy/js/frontend/cart.js

@@ -135,8 +135,8 @@ jQuery( function ( $ ) {
 			if ( $( '.woocommerce-checkout' ).length ) {
 				$( document.body ).trigger( 'update_checkout' );
 			}
-			
-			// Store the old coupon error message and value before the 
+
+			// Store the old coupon error message and value before the
 			// .woocommerce-cart-form is replaced with the new form.
 			var $old_coupon_field_val = $( '#coupon_code' ).val();
 			var $old_coupon_error_msg = $( '#coupon_code' )
@@ -151,7 +151,7 @@ jQuery( function ( $ ) {
 			if ( preserve_notices && $old_coupon_error_msg.length > 0 ) {
 				var $new_coupon_field = $( '.woocommerce-cart-form' ).find( '#coupon_code' );
 				var $new_coupon_field_wrapper = $new_coupon_field.closest( '.coupon' );
-				
+
 				$new_coupon_field.val( $old_coupon_field_val );
 				// The coupon input with error needs to be focused before adding the live region
 				// with the error message, otherwise the screen reader won't read it.
@@ -206,30 +206,32 @@ jQuery( function ( $ ) {
 			return;
 		}
 
-		var $coupon_error_el = '';
+		var $coupon_error_el = html_element;
 
 		if ( typeof html_element === 'string' ) {
 			var msg = $( $.parseHTML( html_element ) ).text().trim();
-			
+
 			if ( msg === '' ) {
 				return;
 			}
-			
-			$coupon_error_el = $( '<p class="coupon-error-notice" id="coupon-error-notice">' + msg + '</p>' );
-		} else {
-			$coupon_error_el = html_element;
+
+			$coupon_error_el = $('<p>', {
+				class: 'coupon-error-notice',
+				id: 'coupon-error-notice',
+				text: msg
+			});
 		}
 
 		if ( is_live_region ) {
 			$coupon_error_el.attr( 'role', 'alert' );
 		}
-		
+
 		$target.find( '#coupon_code' )
 			.addClass( 'has-error' )
 			.attr( 'aria-invalid', 'true' )
 			.attr( 'aria-describedby', 'coupon-error-notice' );
 		$target.append( $coupon_error_el );
-	};	
+	};
 
 	/**
 	 * Object to handle AJAX calls for cart shipping changes.
@@ -280,7 +282,7 @@ jQuery( function ( $ ) {
 					$target.attr( 'aria-expanded', $form.is( ':visible' ) ? 'true' : 'false' );
 				}, 0 );
 			} );
-			
+
 			$( 'select.country_to_state, input.country_to_state' ).trigger(
 				'change'
 			);
@@ -315,7 +317,7 @@ jQuery( function ( $ ) {
 				dataType: 'html',
 				success: function ( response ) {
 					update_cart_totals_div( response );
-					
+
 					var newCurrentTarget = document.getElementById( event.currentTarget.id );
 
 					if ( newCurrentTarget ) {
@@ -600,17 +602,17 @@ jQuery( function ( $ ) {
 						'.woocommerce-error, .woocommerce-message, .woocommerce-info, ' +
 						'.is-error, .is-info, .is-success, .coupon-error-notice'
 					).remove();
-					
+
 					// We only want to show coupon notices if they are not errors.
 					// Coupon errors are shown under the input.
 					if ( response.indexOf( 'woocommerce-error' ) === -1 && response.indexOf( 'is-error' ) === -1 ) {
-						show_notice( response );						
+						show_notice( response );
 					} else {
 						var $coupon_wrapper = $text_field.closest( '.coupon' );
 
 						if ( $coupon_wrapper.length > 0 ) {
 							show_coupon_error( response, $coupon_wrapper, false );
-						}						
+						}
 					}
 
 					$( document.body ).trigger( 'applied_coupon', [

plugins/woocommerce/client/legacy/js/frontend/checkout.js

@@ -621,29 +621,39 @@ jQuery( function( $ ) {
 			$( document.body ).trigger( 'checkout_error' , [ error_message ] );
 		},
 		wrapMessagesInsideLink: function( $msgs ) {
-			$( 'li[data-id]', $msgs ).each( function() {
-				var $this = $( this );
-
-				$this.wrapInner( '<a href="#' + $this.attr( 'data-id' ) + '"></a>' );				
+			$msgs.find( 'li[data-id]' ).each( function() {
+				const $this = $( this );
+				const dataId = $this.attr( 'data-id' );
+				if ( dataId ) {
+					const $link = $('<a>', {
+						href: '#' + dataId,
+						html: $this.html()
+					} );
+					$this.empty().append( $link );
+				}
 			} );
 
 			return $msgs;
 		},
 		show_inline_errors: function( $messages ) {
 			$messages.find( 'li[data-id]' ).each( function() {
-				var $this = $( this );
-				var dataId = $this.attr( 'data-id' );
-				var $field = $( '#' + dataId );
+				const $this = $( this );
+				const dataId = $this.attr( 'data-id' );
+				const $field = $( '#' + dataId );
 
 				if ( $field.length === 1 ) {
-					var descriptionId = dataId + '_description';
-					var msg = $this.text().trim();
-					var $formRow = $field.closest( '.form-row' );
-					
-					$formRow.append( '<p id="' + descriptionId + '" class="checkout-inline-error-message">' + msg + '</p>' );
-					$field
-						.attr( 'aria-describedby', descriptionId )
-						.attr( 'aria-invalid', 'true' );
+					const descriptionId = dataId + '_description';
+					const msg = $this.text().trim();
+					const $formRow = $field.closest( '.form-row' );
+
+					const errorMessage = document.createElement( 'p' );
+					errorMessage.id = descriptionId;
+					errorMessage.className = 'checkout-inline-error-message';
+					errorMessage.textContent = msg;
+
+					$formRow.appendChild( errorMessage );
+					$field.setAttribute( 'aria-describedby', descriptionId );
+					$field.setAttribute( 'aria-invalid', 'true' );
 				}
 			} );
 		},
@@ -695,7 +705,13 @@ jQuery( function( $ ) {
 				.addClass( 'has-error' )
 				.attr( 'aria-invalid', 'true' )
 				.attr( 'aria-describedby', 'coupon-error-notice' );
-			$target.append( '<span class="coupon-error-notice" id="coupon-error-notice" role="alert">' + msg + '</span>' );
+
+			$('<span>', {
+				class: 'coupon-error-notice',
+				id: 'coupon-error-notice',
+				role: 'alert',
+				text: msg
+			}).appendTo($target);
 		},
 		remove_coupon_error: function( evt ) {
 			$( evt.currentTarget )

plugins/woocommerce/includes/wc-core-functions.php

@@ -2723,13 +2723,13 @@ function _wc_delete_transients( $transients ) {
 		}
 
 		// Limit the number of items in a single query to avoid exceeding database query parameter limits.
-		if ( count( $transients) > 199 ) {
+		if ( count( $transients ) > 199 ) {
 			// Process in smaller chunks to reduce memory usage.
 			$chunks  = array_chunk( $transients, 100 );
 			$success = true;
 
 			foreach ( $chunks as $chunk ) {
-				$result = wc_delete_transients( $chunk );
+				$result = _wc_delete_transients( $chunk );
 				if ( ! $result ) {
 					$success = false;
 				}
@@ -2754,6 +2754,11 @@ function _wc_delete_transients( $transients ) {
 				);
 			}
 
+			if ( empty( $options_to_clear ) ) {
+				// If there are no options to clear, return true immediately.
+				return true;
+			}
+
 			// Use a single query for better performance.
 			$wpdb->query(
 				$wpdb->prepare(
@@ -2764,7 +2769,7 @@ function _wc_delete_transients( $transients ) {
 
 			// Lets clear our options data from the cache.
 			// We can batch delete if available, introduced in WP 6.0.0.
-			if ( ! wp_installing() && ! empty( $options_to_clear ) ) {
+			if ( ! wp_installing() ) {
 				if ( function_exists( 'wp_cache_delete_multiple' ) ) {
 					wp_cache_delete_multiple( $options_to_clear, 'options' );
 				} else {

plugins/woocommerce/includes/wc-template-functions.php

@@ -4411,7 +4411,7 @@ function wc_add_aria_label_to_pagination_numbers( $html, $args ) {
 			continue;
 		}
 
-		$p->set_attribute( 'aria-label', $page_text . ' ' . number_format_i18n( $n ) );
+		$p->set_attribute( 'aria-label', $page_text . ' ' . number_format_i18n( (int) $n ) );
 		++$n;
 	}