PR #7941: Entity escaping site-wide (v2 — clean approach)
Total conversions: 125 instances across 45 unique variable/field names
What this is: Every variable being converted from unescaped ({!! !!} or {{{ }}}) → escaped ({{ }}) in this PR, grouped by the field/accessor name.
✅ Safe to Escape (text data — no HTML expected)

| Field Name | Count | Examples |
|---|---|---|
| `name` | 43 | `$store->name`, `$company->name`, `$brand['name']`, `$color->name`, `$block->name`, `$item['name']`, `$product_for_layout->name`, etc. |
| `product_name` | 5 | `$item->product_name` |
| `city` | 4 | `$store->city` |
| `state` | 4 | `$store->state` |
| `zip` | 4 | `$store->zip` |
| `code` | 3 | `$zone->code` |
| `$code` | 4 | `$code` (delivery zone rates) |
| `id` | 3 | `$pos->id`, `$pos['id']` |
| `$id` | 1 | Station element group |
| `address` | 1 | `$store->address` |
| `email` | 1 | `$pending_user->email` |
| `$city` | 1 | Wizard configurator sidebar |
| `$landing_name` | 4 | Retailer header (enhanced + legacy) |
| `$last_type` | 2 | CRM status |
| `title` | 2 | `$item->title` (journal cluster) |
| `value` | 1 | Carrier option value |
| `split_name_pattern` | 1 | Report form |
| `$SITE_TAG` | 1 | Layout screen (site name text) |
| `Lang::get(...)` | 14 | Various translation keys — all return plain text |
| `$CURRENT_CITY_LABEL` ternary | 2 | Dealer masthead |
⚠️ Review Closely (potentially contains HTML, URLs, or special chars)

| Field Name | Count | Notes |
|---|---|---|
| `icon` | 3 | `$enhanced_category->icon`, `$category['icon']` — if these are SVG markup or `<img>` tags, escaping will break them. If they're URL paths to icon images, they're fine. |
| `link` | 4 | `$scope['link']` in cart/item-resolver — if this is a full URL with `&` chars used in an href, escaping `&` → `&amp;` could double-encode (only if the stored value is already entity-encoded). Check if these are used inside `href="..."` attributes. |
| `disclaimer` | 1 | `$marker['disclaimer']` — disclaimers could contain HTML formatting (bold, links, line breaks). |
| `dropship_disclaimer` | 1 | `$marker['dropship_disclaimer']` — same concern as `disclaimer`. |
| `$canonical` | 2 | `$canonical` in v2/v3 layouts — used in `<link rel="canonical">`. URLs are safe to escape in this context. ✅ Probably fine. |
| `$url` | 1 | `$url` in widgets/dealers — URL used in an `<a href>`. If it contains `&`, escaping would produce `&amp;`, which is actually correct in HTML attributes. ✅ Fine. |
| `$context` | 1 | `$context` in variant-chooser — used in a `data-context` attribute. If it's a simple string like `"pdp"` or `"modal"`, it's fine. If it could contain HTML, it's a problem. |
| `$SITE_TAG` | 1 | Layout screen — site branding. If this is ever HTML (e.g. an `<img>` logo), escaping breaks it. If it's always plain text, it's safe. |
| `upc_list` | 2 | `implode(',', $color['upc_list'])` — comma-separated UPCs. ✅ Fine (numeric data). |
| `Request::url()` concat | 2 | `Request::url().'?lang='.$locale` — URL in `<link hreflang>`. ✅ Fine (escaping `&` to `&amp;` in HTML attributes is correct). |
| `country` (via `PhoneRepository`) | 1 | `PhoneRepository::link(...)` — does this return an `<a href="tel:...">` tag? If it returns HTML, escaping breaks it. Check what `PhoneRepository::link()` returns. |
🔴 Highest Risk — Investigate These

- `icon` (3 instances) — If `$enhanced_category->icon` or `$category['icon']` contains inline SVG or `<img>` HTML, escaping will render the literal text `<img ...>` on the page. Check the DB values.
- `disclaimer` / `dropship_disclaimer` (2 instances) — These sound like they could contain rich text or HTML. If brands/stores enter disclaimers with links or formatting, escaping breaks them.
- `link` (4 instances in cart/item-resolver.blade.php) — The variable name `link` suggests a URL. In HTML attributes, escaped `&amp;` is actually correct. But if `$scope['link']` contains an `<a>` tag (a full HTML link), escaping breaks it.
- `PhoneRepository::link()` (1 instance in widgets/dealers.blade.php) — The method name `link()` suggests it returns an HTML `<a>` tag. If so, escaping will break the phone link rendering. This is likely a bug.
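As an added illustration (not code from this PR or the project), the script below applies the escaping that Blade's `{{ }}` performs to constructed sample values of the field kinds flagged above, and includes a small triage helper for scanning stored values for markup before flipping a field. It assumes `{{ }}` compiles to Laravel's `e()`, i.e. `htmlspecialchars` with `ENT_QUOTES`; the sample values and `looksLikeHtml` are assumptions of this example.

```php
<?php
// Added example: shows what escaping does to each value kind in the review
// tables. Sample values are constructed; bladeEscape() mirrors Laravel's e().

function bladeEscape(string $value, bool $doubleEncode = true): string
{
    // Blade {{ }} => e($value); $doubleEncode=false leaves existing entities alone
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', $doubleEncode);
}

// Triage heuristic for a DB column: does a stored value look like markup
// (tags or entities)? If yes, switching that field to {{ }} will render
// the markup as literal text, so it needs a closer look before conversion.
function looksLikeHtml(string $value): bool
{
    return strip_tags($value) !== $value
        || preg_match('/&(#\d+|#x[0-9a-f]+|[a-z]+);/i', $value) === 1;
}

$samples = [
    'name'       => "Bob's Outlet & Co.",                       // plain text: safe
    'link'       => 'https://example.test/cart?a=1&b=2',       // raw URL: &amp; in href is correct
    'link(enc)'  => 'https://example.test/cart?a=1&amp;b=2',   // pre-encoded: double-encodes
    'icon(path)' => '/icons/category.svg',                     // URL path: safe
    'icon(html)' => '<img src="/icons/category.svg">',         // markup: escaping breaks it
    'disclaimer' => 'Prices may vary.<br>See <a href="/terms">terms</a>.',
];

foreach ($samples as $field => $raw) {
    printf("%-11s review=%-3s raw: %s\n            {{ }}: %s\n",
        $field, looksLikeHtml($raw) ? 'YES' : 'no', $raw, bladeEscape($raw));
}

// The pre-encoded link is the double-encoding case from the table:
// 'a=1&amp;b=2' becomes 'a=1&amp;amp;b=2' by default; e($v, false) avoids it.
echo "double-encode off: ", bladeEscape($samples['link(enc)'], false), "\n";
```

Running this prints `review=YES` for the `icon(html)`, `disclaimer` and pre-encoded `link` samples and `no` for the plain-text ones, which is the split the two tables above make by hand.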