Products module had NO sanitization - fixed to match Orders/Coupons/Customers

Issue:
❌ No sanitization in create_product
❌ No sanitization in update_product
❌ Direct assignment of raw user input
❌ Potential XSS and injection vulnerabilities
❌ Inconsistent with other modules

Changes Made:

1. Created Sanitization Helpers (Lines 23-65):
✅ sanitize_text() - Text fields (name, SKU)
✅ sanitize_textarea() - Descriptions (allows newlines)
✅ sanitize_number() - Prices, dimensions (removes non-numeric)
✅ sanitize_slug() - URL slugs (uses sanitize_title)

2. Fixed create_product() (Lines 278-317):
✅ Name → sanitize_text()
✅ Slug → sanitize_slug()
✅ Status → sanitize_key()
✅ Description → sanitize_textarea()
✅ Short description → sanitize_textarea()
✅ SKU → sanitize_text()
✅ Regular price → sanitize_number()
✅ Sale price → sanitize_number()
✅ Weight → sanitize_number()
✅ Length → sanitize_number()
✅ Width → sanitize_number()
✅ Height → sanitize_number()

3. Fixed update_product() (Lines 377-398):
✅ Same sanitization as create
✅ All text fields sanitized
✅ All numeric fields sanitized
✅ Status fields use sanitize_key()

Sanitization Logic:

Text Fields:
- sanitize_text_field() + trim()
- Prevents XSS attacks
- Example: '<script>alert(1)</script>' → ''

Textarea Fields:
- sanitize_textarea_field() + trim()
- Allows newlines for descriptions
- Prevents XSS but keeps formatting

Numbers:
- Remove non-numeric except . and -
- Example: 'abc123.45' → '123.45'
- Example: '10,000' → '10000'

Slugs:
- sanitize_title()
- Creates URL-safe slugs
- Example: 'Product Name!' → 'product-name'

Module Audit Results:
✅ Orders: FIXED (comprehensive sanitization)
✅ Coupons: GOOD (already has sanitization)
✅ Customers: GOOD (already has sanitization)
✅ Products: FIXED (added comprehensive sanitization)

All modules now have consistent, secure data handling!
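The four helpers described in the notes above, written out as an added example (this is not WooNooW's own code and the `woonoow_` function names, the field list and the sample request body are assumptions). Inside WordPress the real `sanitize_text_field()`, `sanitize_textarea_field()`, `sanitize_title()` and `sanitize_key()` are used; the `function_exists()` stand-ins are simplified approximations so the file also runs from the CLI. Two checks go beyond the notes and are marked as such: `sanitize_number` confirms the stripped string is still numeric (so `'1.2.3'` does not survive as a price), and the status field is compared against an allowlist after `sanitize_key()`.

```php
<?php
// Added example: sanitization helpers for product input, runnable without WordPress.
// The stand-ins below are simplified; WordPress's own functions take precedence when loaded.

if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Stand-in: drop <script>/<style> blocks with their contents, then all other
        // tags, then line breaks and repeated whitespace (mirrors wp_strip_all_tags()).
        $str = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', (string) $str );
        $str = strip_tags( $str );
        return trim( preg_replace( '/[\r\n\t ]+/', ' ', $str ) );
    }
}
if ( ! function_exists( 'sanitize_textarea_field' ) ) {
    function sanitize_textarea_field( $str ) {
        // Stand-in: same as above, but newlines are kept for descriptions.
        $str = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', (string) $str );
        $str = strip_tags( $str );
        return trim( preg_replace( '/[ \t]+/', ' ', $str ) );
    }
}
if ( ! function_exists( 'sanitize_title' ) ) {
    function sanitize_title( $str ) {
        // Stand-in: lowercase, runs of non-alphanumerics become one hyphen, edges trimmed.
        $str = strtolower( strip_tags( (string) $str ) );
        return trim( preg_replace( '/[^a-z0-9]+/', '-', $str ), '-' );
    }
}
if ( ! function_exists( 'sanitize_key' ) ) {
    function sanitize_key( $key ) {
        // Same rule as WordPress: lowercase and keep only [a-z0-9_-].
        return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
    }
}

// Hypothetical module helpers, one per field class named in the notes.
function woonoow_sanitize_text( $value ) {
    return trim( sanitize_text_field( (string) $value ) );
}
function woonoow_sanitize_textarea( $value ) {
    return trim( sanitize_textarea_field( (string) $value ) );
}
function woonoow_sanitize_number( $value ) {
    // Keep digits, '.' and '-' as the notes describe, then (added check) make sure
    // what is left is actually numeric so '1.2.3' or '--5' never reach the datastore.
    $clean = preg_replace( '/[^0-9.\-]/', '', (string) $value );
    return is_numeric( $clean ) ? $clean : '';
}
function woonoow_sanitize_slug( $value ) {
    return sanitize_title( (string) $value );
}
function woonoow_sanitize_status( $value, array $allowed ) {
    // Added check: sanitize_key() only normalises the string; the allowlist is what
    // rejects a status the product datastore does not expect.
    $key = sanitize_key( $value );
    return in_array( $key, $allowed, true ) ? $key : '';
}

// Applies the same mapping create_product() and update_product() are described as using.
function woonoow_sanitize_product_input( array $raw ) {
    $statuses = array( 'publish', 'draft', 'pending', 'private' ); // assumed allowlist
    $numeric  = array( 'regular_price', 'sale_price', 'weight', 'length', 'width', 'height' );
    $clean    = array(
        'name'              => woonoow_sanitize_text( $raw['name'] ?? '' ),
        'slug'              => woonoow_sanitize_slug( $raw['slug'] ?? '' ),
        'status'            => woonoow_sanitize_status( $raw['status'] ?? '', $statuses ),
        'description'       => woonoow_sanitize_textarea( $raw['description'] ?? '' ),
        'short_description' => woonoow_sanitize_textarea( $raw['short_description'] ?? '' ),
        'sku'               => woonoow_sanitize_text( $raw['sku'] ?? '' ),
    );
    foreach ( $numeric as $field ) {
        $clean[ $field ] = woonoow_sanitize_number( $raw[ $field ] ?? '' );
    }
    return $clean;
}

// Constructed sample request body (not real traffic) covering the examples from the notes.
$raw = array(
    'name'          => '<script>alert(1)</script>',
    'slug'          => 'Product Name!',
    'status'        => 'PUBLISH',
    'description'   => "Line one\n<b>Line two</b>",
    'sku'           => '  WN-001  ',
    'regular_price' => 'abc123.45',
    'sale_price'    => '10,000',
    'weight'        => '1.2.3',
);
$clean = woonoow_sanitize_product_input( $raw );

assert( $clean['name'] === '' );
assert( $clean['slug'] === 'product-name' );
assert( $clean['status'] === 'publish' );
assert( $clean['description'] === "Line one\nLine two" );
assert( $clean['sku'] === 'WN-001' );
assert( $clean['regular_price'] === '123.45' );
assert( $clean['sale_price'] === '10000' );
assert( $clean['weight'] === '' );
print_r( $clean );
```

Run it with `php sanitize-example.php` to see the cleaned array; the same helpers can be called from a REST callback with the decoded request body in place of `$raw`. The numeric gate deliberately returns an empty string rather than `0` for unparsable input so the caller can tell "not supplied" from "supplied and rejected" and skip the update for that field.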
WooNooW
WooNooW is a modern experience layer for WooCommerce — enhancing UX, speed, and reliability without data migration.
It keeps WooCommerce as the core engine while providing a modern React-powered interface for both the storefront (cart, checkout, my‑account) and the admin (orders, dashboard).
Three Admin Modes:
- Normal Mode: Traditional wp-admin integration (`/wp-admin/admin.php?page=woonoow`)
- Fullscreen Mode: Distraction-free interface (toggle in header)
- Standalone Mode: Complete standalone app at `yoursite.com/admin` with custom login ✨
🔍 Background
WooCommerce is the most used e‑commerce engine in the world, but its architecture has become heavy and fragmented.
With React‑based blocks (Checkout, Cart, Product Edit) and HPOS now rolling out, many existing addons are becoming obsolete or unstable.
WooNooW bridges the gap between Woo’s legacy PHP system and the new modern stack — so users get performance and simplicity without losing compatibility.
🚀 Key Principles
- No Migration Needed – Woo data stays intact.
- Safe Activate/Deactivate – revert to native Woo anytime, no data loss.
- Hybrid by Default – SSR + React islands for Cart/Checkout/My‑Account.
- Full SPA Toggle – optional React‑only mode for max performance.
- HPOS Mandatory – optimized datastore and async operations.
- Compat Layer – hook mirror + slot rendering for legacy addons.
- Async Mail & Tasks – powered by Action Scheduler.
🧱 Tech Stack
| Layer | Technology |
|---|---|
| Backend | PHP 8.2+, WordPress, WooCommerce (HPOS), Action Scheduler |
| Frontend | React 18 + TypeScript, Vite, React Query, Tailwind (optional) |
| Build & Package | Composer, NPM, ESM scripts, Zip automation |
| Architecture | Modular PSR‑4 classes, REST‑driven SPA islands |
🧩 Project Structure
```
woonoow/
├── admin-spa/
│   ├── src/
│   │   ├── components/
│   │   │   ├── filters/
│   │   │   │   ├── DateRange.tsx
│   │   │   │   └── OrderBy.tsx
│   │   │   └── CommandPalette.tsx
│   │   ├── hooks/
│   │   │   └── useShortcuts.tsx
│   │   ├── lib/
│   │   │   ├── api.ts
│   │   │   ├── currency.ts
│   │   │   ├── dates.ts
│   │   │   ├── query-params.ts
│   │   │   ├── useCommandStore.ts
│   │   │   └── utils.ts
│   │   ├── pages/
│   │   │   └── orders/
│   │   │       ├── partials/
│   │   │       │   └── OrderForm.tsx
│   │   │       ├── Orders.tsx
│   │   │       ├── OrdersNew.tsx
│   │   │       └── OrderShow.tsx
│   │   ├── routes/
│   │   │   └── Dashboard.tsx
│   │   ├── types/
│   │   │   └── qrcode.d.ts
│   │   ├── App.tsx
│   │   ├── index.css
│   │   └── main.tsx
│   └── vite.config.ts
├── includes/
│   ├── Admin/
│   │   ├── Assets.php
│   │   └── Menu.php
│   ├── Api/
│   │   ├── CheckoutController.php
│   │   ├── OrdersController.php
│   │   ├── Permissions.php
│   │   └── Routes.php
│   ├── Compat/
│   │   ├── HideWooMenus.php
│   │   └── HooksShim.php
│   └── Core/
│       ├── DataStores/
│       │   ├── OrderStore_HPOS.php
│       │   └── OrderStore.php
│       ├── Mail/
│       │   ├── MailQueue.php
│       │   └── WooEmailOverride.php
│       ├── Bootstrap.php
│       └── Features.php
├── woonoow.php
└── docs (project notes, SOP, etc.)
```
⚙️ Development Workflow
- LocalWP / Docker setup with WordPress + WooCommerce.
- Activate plugin: `WooNooW` should appear in the admin menu.
- Build SPAs: `npm run build`
- Package zip: `npm run pack`
- Upload `dist/woonoow.zip` into WordPress → Plugins → Add New → Upload.
🧭 Vision
“WooCommerce, reimagined for now.”
WooNooW delivers modern speed and UX while keeping WooCommerce’s ecosystem alive.
No migration. No lock‑in. Just Woo, evolved.