Repeated soft-rejections due to Envato theme check and WooCommerce template files

Hello everyone,

In my theme updates and new submissions, I repeatedly get the comment related to Envato theme check over and over.

I carefully comply with all the requirements by the check, getting all REQUIRED points addressed and most of the WARNING points. But the problem comes from few WooCommerce template files the I override by my theme. As usual I copied them to “woocommerce” folder in the theme and made few modifications.

As you can see in the screenshot below, the Envato theme check plugin shows WARNING points related to the original code in WooCommerce template files. I usually get approval after explaining the situation, but it’s frustrating and time-consuming to have to explain the situation in every update/submission, and in my current case, several times for the same submission (I explain, then the reviewer pass over the point, then in another re-submission after a soft-reject, another reviewer include the point again, then I explain, he/she pass over the point, and then the previous reviewer include the point again …etc).

Screenshot:

I don’t know what should I do. The WARNINGs want me to validate already validated data by WooCommerce plugin, which may result in broken output.

This issue drives me nuts and seriously thinking about removing WooCommerce support from my themes completely.

I need advice from theme authors who faced this particular issue with WooCommerce template files, and from Envato staff if possible.

Regards,
Ahmed

esc_attr() is your friend. https://developer.wordpress.org/reference/functions/esc_attr/

@3FortyMedia Thanks for the reply.

I know how to use esc_attr(), esc_html, and all the WordPress Escaping functions, this is not the problem.

I’m talking about a specific case, the original code in WooCommerce template files. The problem is I believe that I shouldn’t try to escape dynamic data that is supposed to be already escaped by the plugin. The plugin variables/functions that show the warnings may contain HTML tags, I shouldn’t even use wp_kses() because the HTML output could be changed over time by the plugin and I can’t predict what attributes may be added or removed.

I’m just overriding a few WooCommerce template files in my theme, I wonder how the authors of WooCommerce-specific themes deal with this issue.

When I explain the situation in my submission message, usually the reviewer understands and passes over the issue, but do I really have to explain this over and over, even several times in one submission?

I hope that I clearly explained the situation.

OK, I understand the issue now.

I don’t have the answer, but I would be interested myself to know how authors of WooCommerce themes deal with this.

Just throwing an idea out there if no other options are available, could you add a custom kses() function that handles all/most possible HTML tags and pass the output to this function for escaping?

1 Like

When you echo, by reviewing standards you will have to sanitize the output. Simple as that, your opinion isn’t relevant and will not get you pass the review process. What will, is that you fix up all of those, so, wp_kses_post for any echoed html, esc_html for any echoed string and so on. Hope this helps.

Literally all yellows will have to go.

1 Like

Thank you so much @3FortyMedia & @XforWooCommerce for your input.

OK, I was thinking: I may sanitize the output for WooCommerce files overridden by the theme, but the other files that come directly from the plugin will not have this EXTRA sanitization, it just doesn’t make sense to me.

But it looks like this is the only way to get rid of this issue: try to validate the already validated output anyway!

Thank you guys & stay safe,
Ahmed

Hi, yes, from my perspective, I think that malware hooks up mostly there and this is what’s being addressed by these rules. Not really sure how and why, but let’s say that someone knows better.

One more note. You will have most troubles with the echo $hidden ? ’ style=“display:none;”’ : ‘’; as you do need to sanitize the whole if. In my opinion, but not entirely following this example you should do the following: style="<?php echo $hidden ? 'display:none; : '' ; ?>". Empty attribute is not an error, and if you see all that rubbish code being loaded on your clients websites, this will be the least of it.

1 Like

That’s exactly what I have already done! But I took the whole if() statement outside the code block and let it store the output in a variable then put this variable in the style attribute, like this …

if ( $hidden ) {
    $form_style = 'display:none;'
} else {
    $form_style = '';
}

Then

style="<?php echo esc_attr( $form_style );  ?>"

Thanks man, your guidance was more than helpful :love_you_gesture:

1 Like

Considering that $hidden is a boolean and this code is inside a template file, then this would be the cleanest way to do it IMHO:

<div class="myclass"<?php echo ! empty( $hidden ) && true === $hidden ? ' style="display: none;"' : ''; >>