When a downloadable product is checked out and viewed on the order received page, my account page, order details emails, or any other place that pulls the downloads list, any HTML code inserted into a product title is visible.
This HTML code is displayed properly on the shop page and auto-removed in every list outside of the shop page except for the downloads list. Since the code is removed for other lists, I assume it's just an oversight for the downloads list.
I opened a ticket with support, and they referred me here. My description might be confusing, but I hope the screenshot makes everything obvious.
Prerequisites
- [x] I have searched for similar issues in both open and closed tickets and cannot find a duplicate
- [ ] The issue still exists against the latest master branch of WooCommerce on GitHub (this is not the same version as on WordPress.org!)
- [x] I have attempted to find the simplest possible steps to reproduce the issue
- [ ] I have included a failing test as a pull request (Optional)
Steps to reproduce the issue
1. Add any downloadable item to cart and checkout.
2. HTML code inserted in product title in backend/dashboard is now visible in the downloads list on the order received page as well as my account page and order emails.
Expected/actual behavior
When I follow those steps, I see... HTML code inserted on the back end in the product title now visible on the front end.
I was expecting to see... the HTML code removed/hidden like other "product lists" on the order received page, order emails, etc.
Isolating the problem
- [x] This bug happens with only WooCommerce plugin active
- [x] This bug happens with a default WordPress theme active, or Storefront
- [x] I can reproduce this bug consistently using the steps above
WordPress Environment
```
### WordPress Environment ###
Home URL: https://piptix.com
Site URL: https://piptix.com
WC Version: 3.3.3
Log Directory Writable: ✔
WP Version: 4.9.4
WP Multisite: –
WP Memory Limit: 256 MB
WP Debug Mode: –
WP Cron: ✔
Language: en_US
### Server Environment ###
Server Info: Apache
PHP Version: 5.6.27
PHP Post Max Size: 65 MB
PHP Time Limit: 30
PHP Max Input Vars: 1000
cURL Version: 7.45.0
OpenSSL/1.0.1e
SUHOSIN Installed: –
MySQL Version: 5.6.32
Max Upload Size: 64 MB
Default Timezone is UTC: ✔
fsockopen/cURL: ✔
SoapClient: ✔
DOMDocument: ✔
GZip: ✔
Multibyte String: ✔
Remote Post: ✔
Remote Get: ✔
### Database ###
WC Database Version: 3.3.3
WC Database Prefix: wp_pzz4kf69c0_
MaxMind GeoIP Database: ✔
Total Database Size: 11.34MB
Database Data Size: 9.97MB
Database Index Size: 1.37MB
### Post Type Counts ###
acf: 1
attachment: 84
customize_changeset: 2
fl-builder-template: 1
follow_up_email: 52
nav_menu_item: 21
nf_sub: 4
page: 16
post: 1
product: 31
product_variation: 52
revision: 244
scheduled-action: 178
shop_coupon: 10
shop_order: 77
shop_order_refund: 4
sidebar: 1
tribe_events: 2
vtmam-rule: 4
wc_membership_plan: 25
wc_user_membership: 210
wppb-rf-cpt: 2
### Security ###
Secure connection (HTTPS): ✔
Hide errors from visitors: ✔
### Active Plugins (37) ###
Storefront Pro (Premium): by pootlepress – 5.5.1
Beaver Builder Plugin (Standard Version): by The Beaver Builder Team – 2.0.5
Code Snippets: by Shea Bunge – 2.10.1.1
Contact Widgets: by GoDaddy – 1.4.1
Google Tag Manager for Wordpress: by Thomas Geiger – 1.7.2
Email Log: by Sudar – 2.2.5
Enhanced E-commerce for Woocommerce store: by Tatvic – 1.2.2 – Not tested with the active version of WooCommerce
Enhanced Text Widget: by Boston Dell-Vandenberg – 1.4.6
EWWW Image Optimizer: by Shane Bishop – 4.1.0
Export Users to CSV: by Matt Cromwell – 1.1
Google Analytics Dashboard for WP (GADWP): by Alin Marcu – 5.2.3.1
Google Language Translator: by Rob Myrick – 5.0.40
MailChimp for WooCommerce: by MailChimp – 2.1.4 – Not tested with the active version of WooCommerce
VarkTech Min and Max Purchase for WooCommerce: by Vark – 1.08.2.1
VarkTech Min and Max Purchase Pro for WooCommerce: by VarkTech – 1.08.2 – Not tested with the active version of WooCommerce
Mobile Menu: by Takanakui – 2.5.1
Ninja Forms: by The WP Ninjas – 3.2.15
Profile Builder - Custom Profile Menus Add-On: by Cozmoslabs
Cristophor Hurduban – 1.0.7
Profile Builder - Email Confirmation Field: by Cozmoslabs
Adrian Spiac – 1.0.4
Profile Builder - WooCommerce Sync Add-on: by Cozmoslabs
Adrian Spiac – 1.4.9
Profile Builder - Multiple Admin E-mails Add-On: by Cozmoslabs
Mihai Iova – 1.0.2
Post Expirator: by Aaron Axelsen – 2.3.1.1
Profile Builder Pro: by Cozmoslabs
Madalin Ungureanu
Antohe Cristian
Barina Gabriel
Mihai Iova – 2.7.6
Quick Toggle Text: by aerin – 1.0
Search Engine Visibility: by GoDaddy – 0.5
Storefront Pro Skins: by pootlepress – 0.5.0
Product Customer List for WooCommerce: by Kokomo – 2.6.3 – Not tested with the active version of WooCommerce
Woo Extra Product Options: by ThemeHiGH – 1.2.7
Advanced Order Export For WooCommerce: by AlgolPlus – 1.5.3
WooCommerce Account Funds: by WooCommerce – 2.1.10
Follow-Up Emails: by WooCommerce – 4.7.0
WooCommerce PayPal Powered by Braintree Gateway: by WooCommerce – 2.1.1
WooCommerce USA ePay Gateway: by SkyVerge – 1.9.0
WooCommerce Memberships: by SkyVerge – 1.9.8
WooCommerce Remove Product Sorting: by SkyVerge – 1.0.0 – Not tested with the active version of WooCommerce
WooCommerce: by Automattic – 3.3.3
WP Add Custom CSS: by Daniele De Santis – 1.1.1
### Settings ###
API Enabled: ✔
Force SSL: –
Currency: USD ($)
Currency Position: left
Thousand Separator: ,
Decimal Separator: .
Number of Decimals: 2
Taxonomies: Product Types: external (external)
grouped (grouped)
simple (simple)
variable (variable)
Taxonomies: Product Visibility: exclude-from-catalog (exclude-from-catalog)
exclude-from-search (exclude-from-search)
featured (featured)
outofstock (outofstock)
rated-1 (rated-1)
rated-2 (rated-2)
rated-3 (rated-3)
rated-4 (rated-4)
rated-5 (rated-5)
### WC Pages ###
Shop base: #5 - /upcoming-events/
Cart: #6 - /cart/
Checkout: #7 - /checkout/
My account: #8 - /my-account/
Terms and conditions: #928 - /terms-and-conditions/
### Theme ###
Name: Storefront Child
Version: 1.0
Author URL: http://woocommerce.com
Child Theme: ✔
Parent Theme Name: Storefront
Parent Theme Version: 2.2.8
Parent Theme Author URL: https://woocommerce.com/
WooCommerce Support: ✔
### Templates ###
Overrides: storefront-child/woocommerce/cart/cart.php version 3.1.0 is out of date. The core version is 3.3.0
storefront-child/woocommerce/emails/admin-new-order.php version - is out of date. The core version is 2.5.0
storefront-child/woocommerce/emails/customer-processing-order.php
storefront-child/woocommerce/emails/email-order-details.php version 3.2.0 is out of date. The core version is 3.3.1
storefront-child/woocommerce/emails/email-order-items.php
storefront-child/woocommerce/emails/email-styles.php version 2.3.0 is out of date. The core version is 3.3.0
storefront-child/woocommerce/loop/no-products-found.php
storefront-child/woocommerce/single-product/tabs/description.php
Outdated Templates: ❌Learn how to update
```
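A possible site-side workaround for the behaviour reported above, added here as an example and not taken from WooCommerce core or from the reporter: strip markup from the product name in each download row before the downloads templates escape and print it. The function name `example_strip_download_titles` is hypothetical, and the two filter names and the `product_name` key are assumed from WooCommerce 3.x and should be confirmed against the installed version.

```php
<?php
/**
 * Added example (not WooCommerce core code): remove HTML stored in a product
 * title from the downloads list rows, so the list shows plain text the way
 * the other order lists do. The templates still escape the value on output,
 * so this only changes what is displayed, not how safely it is displayed.
 */

/**
 * Strip tags from the 'product_name' of every download row.
 *
 * Assumption: $downloads is an array of rows, each an array that may carry
 * a 'product_name' key. Anything else is returned untouched.
 *
 * @param mixed $downloads Download rows passed through the filter.
 * @return mixed
 */
function example_strip_download_titles( $downloads ) {
	if ( ! is_array( $downloads ) ) {
		return $downloads;
	}

	foreach ( $downloads as $key => $download ) {
		if ( is_array( $download ) && isset( $download['product_name'] ) ) {
			// wp_strip_all_tags() removes tags plus <script>/<style> contents.
			$downloads[ $key ]['product_name'] = wp_strip_all_tags( $download['product_name'] );
		}
	}

	return $downloads;
}

// Assumed filter for the My Account downloads list.
add_filter( 'woocommerce_customer_get_downloadable_products', 'example_strip_download_titles' );

// Assumed filter for the per-order downloads list (order received page, emails).
add_filter( 'woocommerce_order_get_downloadable_items', 'example_strip_download_titles' );
```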