
Fix stored XSS on order notes in REST API v4 #63661

Merged
opr merged 3 commits into trunk from opr/fix-xss-order-receipt-v4 on Mar 13, 2026

Conversation

@opr
Contributor

@opr opr commented Mar 12, 2026

Changes proposed in this Pull Request:

Extends the stored XSS fix from #63616 (which covers REST API v1/v2/v3) to the v4 REST API.

Adds wp_kses_post() sanitization to the note content in the v4 OrderNotes\Controller::create_item() method before passing it to add_order_note(). This strips dangerous tags like <script> while preserving safe HTML.

Note: Unlike the v1 fix which uses sanitize_callback in route args via array_merge, the v4 fix sanitizes directly in create_item(). This is because v4's schema-driven architecture doesn't use array_merge to override endpoint args, and WordPress core's rest_get_endpoint_args_for_schema() hardcodes sanitize_callback to rest_sanitize_request_arg — ignoring any sanitize_callback set in the schema. Sanitizing at the point of use is cleaner for v4 and provides defense in depth.

Also adds a unit test verifying the sanitization behavior.

Screenshots or screen recordings:

N/A

How to test the changes in this Pull Request:

  1. Create an order via the WooCommerce admin.
  2. Use the v4 REST API to add an order note containing a <script> tag:
    POST /wp-json/wc/v4/order-notes?order_id=<ORDER_ID>
    { "note": "<script>alert('xss')</script>Safe content<b>bold</b>" }
    
  3. Verify the response note field does not contain <script> tags.
  4. Verify safe HTML like <b>bold</b> is preserved.
  5. View the order in the admin and confirm no script injection occurs.

Testing that has already taken place:

  • Unit test test_create_item_sanitizes_note_content verifies XSS payloads are stripped and safe HTML is preserved.
  • Full v4 OrderNotes test suite passes (17 tests, 55 assertions).

Changelog entry

Message

Prevent stored XSS on order notes added via REST API v4

Changelog Entry Comment

Comment

Add wp_kses_post sanitize_callback to the note field in the v4
OrderNoteSchema, matching the fix applied to v1/v2/v3 in #63616.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
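The sanitize-at-point-of-use pattern the description contrasts with the v1 route-arg approach, written out as an added illustration rather than the PR's own code. wp_kses_post(), wp_strip_all_tags(), wc_get_order(), WC_Order::add_order_note(), WP_REST_Request, WP_Error and rest_ensure_response() are real WordPress/WooCommerce APIs; the class, method and error-code names are hypothetical.

```php
<?php
// Illustrative example, not the WooCommerce patch. Assumes a WordPress +
// WooCommerce runtime; Example_* names and error codes are hypothetical.

class Example_Order_Notes_Controller {

	/**
	 * Sanitize where the value is consumed. WP core's
	 * rest_get_endpoint_args_for_schema() assigns rest_sanitize_request_arg
	 * as the sanitize_callback for schema-derived args, so a sanitize_callback
	 * placed in the schema itself is not honoured; cleaning the value here is
	 * independent of how the endpoint args were assembled.
	 */
	public function create_item( WP_REST_Request $request ) {
		$order = wc_get_order( (int) $request->get_param( 'order_id' ) );
		if ( ! $order ) {
			return new WP_Error( 'example_invalid_order', 'Invalid order ID.', array( 'status' => 404 ) );
		}

		// wp_kses_post() keeps the tags allowed in post content (<b>, <a>, ...)
		// and removes <script>, on* event attributes and javascript: URLs.
		// Disallowed tags are dropped but their inner text survives as inert
		// text, e.g. "<script>alert('x')</script>Hi<b>!</b>" becomes
		// "alert('x')Hi<b>!</b>".
		$note = wp_kses_post( (string) $request->get_param( 'note' ) );

		// Edge case: a note made only of stripped markup collapses to nothing.
		if ( '' === trim( wp_strip_all_tags( $note ) ) ) {
			return new WP_Error( 'example_empty_note', 'Note is empty after sanitization.', array( 'status' => 400 ) );
		}

		$note_id = $order->add_order_note( $note, (bool) $request->get_param( 'customer_note' ) );
		if ( ! $note_id ) {
			return new WP_Error( 'example_note_failed', 'Could not add order note.', array( 'status' => 500 ) );
		}

		return rest_ensure_response( array( 'id' => $note_id, 'note' => $note ) );
	}
}

// The property the PR's unit test checks, as a plain WP_UnitTestCase.
class Example_Note_Sanitization_Test extends WP_UnitTestCase {
	public function test_script_is_stripped_and_safe_html_kept() {
		$clean = wp_kses_post( "<script>alert('xss')</script>Safe content<b>bold</b>" );
		$this->assertStringNotContainsString( '<script', $clean );
		$this->assertStringContainsString( 'Safe content<b>bold</b>', $clean );
	}
}
```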
@woocommercebot woocommercebot requested review from a team and mikejolley and removed request for a team March 12, 2026 16:04
@github-actions github-actions Bot added the plugin: woocommerce Issues related to the WooCommerce Core plugin. label Mar 12, 2026
@github-actions
Contributor

github-actions Bot commented Mar 12, 2026

Testing Guidelines

Hi @mikejolley @woocommerce/rubik,

Apart from reviewing the code changes, please make sure to review the testing instructions (Guide) and verify that relevant tests (E2E, Unit, Integration, etc.) have been added or updated as needed.

Reminder: PR reviewers are required to document testing performed. This includes:

  • 🖼️ Screenshots or screen recordings.
  • 📝 List of functionality tested / steps followed.
  • 🌐 Site details (environment attributes such as hosting type, plugins, theme, store size, store age, and relevant settings).
  • 🔍 Any analysis performed, such as assessing potential impacts on environment attributes and other plugins, conducting performance profiling, or using LLM/AI-based analysis.

⚠️ Within the testing details you provide, please ensure that no sensitive information (such as API keys, passwords, user data, etc.) is included in this public issue.

@coderabbitai
Contributor

coderabbitai Bot commented Mar 12, 2026

📝 Walkthrough

Walkthrough

These changes add XSS protection to order notes in WooCommerce's REST API v4 by sanitizing note content using wp_kses_post, including a test to verify unsafe content is removed while safe HTML is preserved, and documenting the fix in the changelog.

Changes

XSS Sanitization Implementation
  File: plugins/woocommerce/src/Internal/RestApi/Routes/V4/OrderNotes/Controller.php
  Summary: Applies wp_kses_post() sanitization to note input in the create_item method before passing it to add_order_note.

Testing & Documentation
  Files: plugins/woocommerce/tests/php/includes/rest-api/Controllers/Version4/OrderNotes/class-wc-rest-order-notes-v4-controller-tests.php, plugins/woocommerce/changelog/fix-xss-order-notes-v4
  Summary: Adds test method test_create_item_sanitizes_note_content() to verify script tags are removed while safe HTML is preserved; documents the XSS prevention patch in the changelog.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Pre-merge checks: 3 passed

  Title check: Passed. The title clearly and specifically describes the main change: fixing a stored XSS vulnerability in REST API v4 order notes, which accurately reflects the primary objective of this pull request.
  Docstring Coverage: Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.
  Description check: Passed. The pull request description is directly related to the changeset, clearly explaining the XSS fix for REST API v4 order notes, implementation approach, testing, and security reasoning.


@github-actions
Contributor

github-actions Bot commented Mar 12, 2026

Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.
WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Test this pull request with WordPress Playground.

Note that this URL is valid for 30 days from when this comment was last updated. You can update it by closing/reopening the PR or pushing a new commit.

opr and others added 2 commits March 12, 2026 16:15
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sanitize note content with wp_kses_post() in the v4 OrderNotes
controller's create_item method, matching the fix applied to
v1/v2/v3 in #63616.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@opr opr marked this pull request as draft March 12, 2026 16:54
@opr opr marked this pull request as ready for review March 12, 2026 17:22
@woocommercebot woocommercebot requested a review from a team March 12, 2026 17:22
@opr opr merged commit a24559f into trunk Mar 13, 2026
57 of 59 checks passed
@opr opr deleted the opr/fix-xss-order-receipt-v4 branch March 13, 2026 12:09
@github-actions github-actions Bot added this to the 10.7.0 milestone Mar 13, 2026

Labels

plugin: woocommerce Issues related to the WooCommerce Core plugin.
