OwlCyberSecurity - MANAGER

Edit File: NumberUtil.php

<?php //phpcs:ignore Generic.PHP.RequireStrictTypes.MissingDeclaration
// many places seem to be calling round with a string, and that causes PHP > 8.1 to throw a TypeError.
// It's not respecting the 'mixed' type hint in the docblock, and type unions aren't supported until PHP > 8.0.
// so I'm not sure how to handle this since adding the type union will cause errors below PHP < 8.0.
/**
 * A class of utilities for dealing with numbers.
 */

namespace Automattic\WooCommerce\Utilities;

/**
 * A class of utilities for dealing with numbers.
 */
final class NumberUtil {
	/**
	 * Round a number using the built-in `round` function, but unless the value to round is numeric
	 * (a number or a string that can be parsed as a number), apply 'floatval' first to it
	 * (so it will convert it to 0 in most cases).
	 *
	 * This is needed because in PHP 7 applying `round` to a non-numeric value returns 0,
	 * but in PHP 8 it throws an error. Specifically, in WooCommerce we have a few places where
	 * round('') is often executed.
	 *
	 * @param mixed $val The value to round.
	 * @param int   $precision The optional number of decimal digits to round to.
	 * @param int   $mode A constant to specify the mode in which rounding occurs.
	 *
	 * @return float The value rounded to the given precision as a float, or the supplied default value.
	 */
	public static function round( $val, int $precision = 0, int $mode = PHP_ROUND_HALF_UP ): float {
		if ( ! is_numeric( $val ) ) {
			$val = floatval( $val );
		}
		return round( $val, $precision, $mode );
	}

/**
	 * Get the sum of an array of values using the built-in array_sum function, but sanitize the array values
	 * first to ensure they are all floats.
	 *
	 * This is needed because in PHP 8.3 non-numeric values that cannot be cast as an int or a float will
	 * cause an E_WARNING to be emitted. Prior to PHP 8.3 these values were just ignored.
	 *
	 * Note that, unlike the built-in array_sum, this one will always return a float, never an int.
	 *
	 * @param array $arr The array of values to sum.
	 *
	 * @return float
	 */
	public static function array_sum( array $arr ): float {
		$sanitized_array = array_map( 'floatval', $arr );

return array_sum( $sanitized_array );
	}

/**
	 * Sanitize a cost value based on the current locale decimal and thousand separators.
	 *
	 * @param string $value               The value to sanitize.
	 * @return string                     The sanitized value.
	 * @throws \InvalidArgumentException If the value is not a valid numeric value.
	 */
	public static function sanitize_cost_in_current_locale( $value ): string {
		$value                      = is_null( $value ) ? '' : $value;
		$value                      = wp_kses_post( trim( wp_unslash( $value ) ) );
		$currency_symbol_encoded    = get_woocommerce_currency_symbol();
		$currency_symbol_variations = array( $currency_symbol_encoded, wp_kses_normalize_entities( $currency_symbol_encoded ), html_entity_decode( $currency_symbol_encoded ) );

$value = str_replace( $currency_symbol_variations, '', $value );

// Count the number of decimal points.
		$decimal_point_count = substr_count( $value, '.' );

// If it's a standard decimal number (single decimal point and is_numeric), accept it directly. This could be in the case where the frontend has de-localised the value.
		// We check for the decimal point count in addition to using is_numeric.
		// This is because is_numeric is much looser and accepts non-base10 numbers as well as 'e' to demarcate exponents.
		if ( 1 === $decimal_point_count && is_numeric( $value ) ) {
			return $value;
		}

// Otherwise, attempt to delocalise according to localisation rules.
		$allowed_characters_regex = sprintf(
			'/^[0-9\%s\%s]*$/',
			wc_get_price_thousand_separator(),
			wc_get_price_decimal_separator()
		);

if ( 1 !== preg_match( $allowed_characters_regex, $value ) ) {
			throw new \InvalidArgumentException(
				esc_html(
					sprintf(
						/* translators: %1$s: Invalid value that was input by the user, %2$s: thousand separator, %3$s: decimal separator */
						__( '%1$s is not a valid numeric value. Allowed characters are numbers, the thousand (%2$s), and decimal (%3$s) separators.', 'woocommerce' ),
						$value,
						wc_get_price_thousand_separator(),
						wc_get_price_decimal_separator()
					)
				)
			);
		}

// Validate decimal and thousand separator positions.
		$decimal_separator  = wc_get_price_decimal_separator();
		$thousand_separator = wc_get_price_thousand_separator();

if (
			// Check that there is only 1 decimal separator.
			substr_count( $value, $decimal_separator ) > 1 ||
			(
				// Check that decimal separator appears after thousand separator if both exist.
				false !== strpos( $value, $thousand_separator ) &&
				false !== strpos( $value, $decimal_separator ) &&
				strpos( $value, $decimal_separator ) <= strpos( $value, $thousand_separator )
			)
		) {
			throw new \InvalidArgumentException(
				esc_html(
					sprintf(
						/* translators: %s: Invalid value that was input by the user */
						__( '%s is not a valid numeric value: there should be one decimal separator and it has to be after the thousands separator.', 'woocommerce' ),
						$value
					)
				)
			);
		}

/**
		 * For context, as of 2025.
		 * The full set of thousands separators is PERIOD, COMMA, SPACE, APOSTROPHE.
		 * And the full set of decimal separators is PERIOD, COMMA.
		 * There are no locales that use the same thousands and decimal separators.
		 */

$value = str_replace( wc_get_price_thousand_separator(), '', $value );
		$value = str_replace( wc_get_price_decimal_separator(), '.', $value );

if ( $value && ! is_numeric( $value ) ) {
			/* translators: %s: Invalid value that was input by the user */
			throw new \InvalidArgumentException(
				esc_html(
					sprintf(
						/* translators: %s: Invalid value that was input by the user */
						__( '%s is not a valid numeric value.', 'woocommerce' ),
						$value
					)
				)
			);
		}

return $value;
	}
}