From 16d02f6661ca86607151cf7d738aa23128fefab0 Mon Sep 17 00:00:00 2001
From: Adam Judd
Date: Fri, 8 Aug 2025 19:43:40 +0200
Subject: [PATCH 1/2] Update orders to correctly sanitise post array

---
 orders.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/orders.php b/orders.php
index 3fb6aec..28d7c72 100755
--- a/orders.php
+++ b/orders.php
@@ -8,8 +8,11 @@ function foxyshop_multi_api_edit() {
 if ($_GET['action-top'] == -1) $act = sanitize_text_field($_GET['action-bottom']);
 if ($_GET['action-bottom'] == -1) $act = sanitize_text_field($_GET['action-top']);
 if ($act == -1) return;
- $posts = sanitize_text_field($_GET['post']);
- if (!is_array($posts)) $posts = array(sanitize_text_field($_POST['post']));
+ $posts = $_GET['post'];
+ if (!is_array($posts)) $posts = $_POST['post'];
+ foreach ( $posts as $key => &$value ) {
+ $value = sanitize_text_field( $value );
+ }
 
 if ($act == "archive" || $act == "unarchive") {
 $hide_transaction = $act == "archive" ? 1 : 0;
@@ -703,3 +706,4 @@ function foxyshop_inline_orders_js() {
 add_action( 'admin_print_footer_scripts', 'foxyshop_inline_orders_js' );
 }
 
+

From 0f880ef825d837077eeae41b2f42adb7638fbe55 Mon Sep 17 00:00:00 2001
From: Adam Judd
Date: Fri, 8 Aug 2025 19:51:18 +0200
Subject: [PATCH 2/2] Ensure post attribute is an array

---
 orders.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/orders.php b/orders.php
index 28d7c72..e23dbcc 100755
--- a/orders.php
+++ b/orders.php
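Review bot: The by-reference loop `foreach ( $posts as $key => &$value )` leaves `$value` bound to the last element after the loop ends, so any later assignment to a variable named `$value` in foxyshop_multi_api_edit would silently overwrite that entry of `$posts`; add `unset( $value );` after the closing brace, or build the sanitised list without references, `$posts = array_map( 'sanitize_text_field', $posts );`, which also drops the unused `$key`. The same loop is carried into the second patch of this series (its hunk at `@@ -8,10 +8,11 @@`). `sanitize_text_field` is a string sanitiser; if these values are post IDs, as the `post` parameter of a bulk action suggests, `array_map( 'absint', $posts )` would be the tighter fit — confirm against how `$posts` is consumed further down the function. The function's signature and the remainder of its body lie outside this hunk.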
@@ -8,10 +8,11 @@ function foxyshop_multi_api_edit() {
 if ($_GET['action-top'] == -1) $act = sanitize_text_field($_GET['action-bottom']);
 if ($_GET['action-bottom'] == -1) $act = sanitize_text_field($_GET['action-top']);
 if ($act == -1) return;
- $posts = $_GET['post'];
- if (!is_array($posts)) $posts = $_POST['post'];
+ $posts = (array) $_GET['post'];
+ if (!is_array($posts)) $posts = (array) $_POST['post'];
+ if (!is_array($posts)) return;
 foreach ( $posts as $key => &$value ) {
- $value = sanitize_text_field( $value );
+ $value = sanitize_text_field( $value );
 }
 
 if ($act == "archive" || $act == "unarchive") {
@@ -707,3 +708,4 @@ function foxyshop_inline_orders_js() {
 }
 
 
+
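Review bot: The `$_POST['post']` fallback on the second added line is unreachable: `(array) $_GET['post']` always produces an array (an absent key evaluates to null, with an undefined-index notice/warning, and casts to `[]`), so `!is_array($posts)` is never true, the `$_POST` source is never consulted, and the `return` guard on the third added line is dead code as well. Select the raw value before casting and bail out on absence: `$raw = isset( $_GET['post'] ) ? $_GET['post'] : ( isset( $_POST['post'] ) ? $_POST['post'] : null );` / `if ( $raw === null ) return;` / `$posts = array_map( 'sanitize_text_field', (array) $raw );`. The `array_map` form also replaces the by-reference loop and so avoids the `&$value` reference that otherwise lingers after the loop. `sanitize_text_field` expects a string, so a nested array element in the request would still reach it unfiltered unless each element is additionally coerced (e.g. with `absint` if these are post IDs — confirm against the code that consumes `$posts`). The enclosing function starts before this hunk.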