From 8bee188cf82fd59fd74a994b79f1120c05e0f879 Mon Sep 17 00:00:00 2001
From: Hsing-yu Flowers
Date: Fri, 23 Sep 2022 11:48:28 -0700
Subject: [PATCH] Sanitize store notices html (#7145)

Sanitizing the merchant store link in the error message added in WooPay when in some cases the customer could run into an issue where we need to tell them an error occurred and they have to go back to the merchant store and re-initialize WooPay to fix it. Because previously we were only expecting strings, the text was not sanitized.
---
 .../components/store-notices-container/index.tsx | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/packages/checkout/components/store-notices-container/index.tsx b/packages/checkout/components/store-notices-container/index.tsx
index 12faf4790cd..6d6378e334e 100644
--- a/packages/checkout/components/store-notices-container/index.tsx
+++ b/packages/checkout/components/store-notices-container/index.tsx
@@ -1,6 +1,8 @@
 /**
  * External dependencies
  */
+import PropTypes from 'prop-types';
+import { useDispatch, useSelect } from '@wordpress/data';
 import classnames from 'classnames';
 import { Notice } from 'wordpress-components';
 import { sanitizeHTML } from '@woocommerce/utils';
@@ -13,6 +15,15 @@ import type { Notice as NoticeType } from '@wordpress/notices';
  */
 import './style.scss';
 
+const ALLOWED_TAGS = [ 'a', 'b', 'em', 'i', 'strong', 'p', 'br' ];
+const ALLOWED_ATTR = [ 'target', 'href', 'rel', 'name', 'download' ];
+
+const sanitizeHTML = ( html ) => {
+	return {
+		__html: sanitize( html, { ALLOWED_TAGS, ALLOWED_ATTR } ),
+	};
+};
+
 const getWooClassName = ( { status = 'default' } ) => {
 	switch ( status ) {
 		case 'error':
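Review bot: The second hunk declares `const sanitizeHTML` at module scope while the first hunk keeps `import { sanitizeHTML } from '@woocommerce/utils';` as a context line, so the module binds the same name twice and TypeScript will reject it as a duplicate identifier; either the import or the local wrapper should go, and if the local wrapper stays, the `sanitize` it calls has no visible import in either hunk. The allowlist also permits `a` with `href` and `target` but only allows, rather than requires, `rel`, so whether `javascript:` hrefs are stripped and whether `target="_blank"` links carry `noopener` depends on the sanitizer's defaults, which this diff does not show; a comment above `ALLOWED_ATTR` such as `// relies on the sanitizer's default URI-scheme filtering; rel is permitted but not enforced` would make that dependency explicit for the next reader. `PropTypes`, `useDispatch` and `useSelect` are imported in the first hunk but not used in either visible hunk, presumably elsewhere in the file. The `getWooClassName` arrow at the end of the second hunk continues outside the hunk.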