From d3f595e7d42c7db31669ceb7962f676cb13ba52c Mon Sep 17 00:00:00 2001
From: Dwain Maralack <dwainm@users.noreply.github.com>
Date: Tue, 26 Mar 2024 12:39:37 +0200
Subject: [PATCH] Fix security notices (#8474)

---
 changelog/fix-multi-currency-phpcs-notices | 4 ++++
 includes/multi-currency/MultiCurrency.php  | 8 +++++---
 2 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 changelog/fix-multi-currency-phpcs-notices

diff --git a/changelog/fix-multi-currency-phpcs-notices b/changelog/fix-multi-currency-phpcs-notices
new file mode 100644
index 00000000000..0910cb5ae43
--- /dev/null
+++ b/changelog/fix-multi-currency-phpcs-notices
@@ -0,0 +1,4 @@
+Significance: patch
+Type: dev
+
+Escaping error logs and ignoring noticese where there are no issues.
diff --git a/includes/multi-currency/MultiCurrency.php b/includes/multi-currency/MultiCurrency.php
index 002b0633a13..6b95ea66778 100644
--- a/includes/multi-currency/MultiCurrency.php
+++ b/includes/multi-currency/MultiCurrency.php
@@ -561,7 +561,7 @@ public function update_single_currency_settings( string $currency_code, string $
 			if ( ! is_numeric( $manual_rate ) || 0 >= $manual_rate ) {
 				$message = 'Invalid manual currency rate passed to update_single_currency_settings: ' . $manual_rate;
 				Logger::error( $message );
-				throw new InvalidCurrencyRateException( $message, 'wcpay_multi_currency_invalid_currency_rate', 500 );
+				throw new InvalidCurrencyRateException( esc_html( $message ), 'wcpay_multi_currency_invalid_currency_rate', 500 );
 			}
 			update_option( 'wcpay_multi_currency_manual_rate_' . $currency_code, $manual_rate );
 		}
@@ -935,7 +935,7 @@ public function get_raw_conversion( float $amount, string $to_currency, string $
 		if ( 0 >= $from_currency_rate ) {
 			$message = 'Invalid rate for from_currency in get_raw_conversion: ' . $from_currency_rate;
 			Logger::error( $message );
-			throw new InvalidCurrencyRateException( $message, 'wcpay_multi_currency_invalid_currency_rate', 500 );
+			throw new InvalidCurrencyRateException( esc_html( $message ), 'wcpay_multi_currency_invalid_currency_rate', 500 );
 		}
 
 		$amount = $amount * ( $to_currency_rate / $from_currency_rate );
@@ -1019,6 +1019,8 @@ public function display_geolocation_currency_update_notice() {
 		$notice_id = md5( $message );
 
 		echo '<p class="woocommerce-store-notice demo_store" data-notice-id="' . esc_attr( $notice_id . 2 ) . '" style="display:none;">';
+		// No need to escape here as the function called handles it.
+		// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		echo \WC_Payments_Utils::esc_interpolated_html(
 			$message,
 			[
@@ -1624,7 +1626,7 @@ public function is_initialized(): bool {
 	private function log_and_throw_invalid_currency_exception( $method, $currency_code, $code = 500 ) {
 		$message = 'Invalid currency passed to ' . $method . ': ' . $currency_code;
 		Logger::error( $message );
-		throw new InvalidCurrencyException( $message, 'wcpay_multi_currency_invalid_currency', $code );
+		throw new InvalidCurrencyException( esc_html( $message ), 'wcpay_multi_currency_invalid_currency', esc_html( $code ) );
 	}
 
 	/**