Sanitize store notices html (woocommerce#7145)

Sanitizing the merchant store link in the error message added in WooPay when in some cases the customer could run into an issue where we need to tell them an error occurred and they have to go back to the merchant store and re-initialize WooPay to fix it. Because previously we were only expecting strings, the text was not sanitized.
senadir · Nov 20, 2022 · 8bee188 · 8bee188
1 parent 12f30fb
commit 8bee188
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/packages/checkout/components/store-notices-container/index.tsx b/packages/checkout/components/store-notices-container/index.tsx
@@ -1,6 +1,8 @@
 /**
  * External dependencies
  */
+import PropTypes from 'prop-types';
+import { useDispatch, useSelect } from '@wordpress/data';
 import classnames from 'classnames';
 import { Notice } from 'wordpress-components';
 import { sanitizeHTML } from '@woocommerce/utils';
@@ -13,6 +15,15 @@ import type { Notice as NoticeType } from '@wordpress/notices';
  */
 import './style.scss';
 
+const ALLOWED_TAGS = [ 'a', 'b', 'em', 'i', 'strong', 'p', 'br' ];
+const ALLOWED_ATTR = [ 'target', 'href', 'rel', 'name', 'download' ];
+
+const sanitizeHTML = ( html ) => {
+	return {
+		__html: sanitize( html, { ALLOWED_TAGS, ALLOWED_ATTR } ),
+	};
+};
+
 const getWooClassName = ( { status = 'default' } ) => {
 	switch ( status ) {
 		case 'error':