Fixed column typo and XSS

Author: nfourtythree

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Release Notes for Craft Commerce
 
+## Unreleased
+
+- Fixed a bug where the order’s table was showing the incorrect column heading on the Edit User page.
+- Fixed XSS vulnerabilities.
+
 ## 4.10.1 - 2025-12-31
 
 - Fixed a bug where settings were being saved to the project config incorrectly. ([#4006](https://github.com/craftcms/commerce/issues/4006))

src/controllers/OrdersController.php

@@ -387,8 +387,26 @@ public function actionUserOrdersTable(): Response
             $orderQuery->search($search);
         }
 
+        $orderQuery->orderBy('dateOrdered DESC');
         if ($sort) {
-            [$field, $direction] = explode('|', $sort);
+            if (is_array($sort)) {
+                $field = $sort[0]['sortField'];
+                $direction = $sort[0]['direction'];
+            } else {
+                [$field, $direction] = explode('|', $sort);
+            }
+
+            // Validate sorting
+            if (!in_array($direction, ['asc', 'desc']) ||
+                !in_array($field, [
+                    'reference',
+                    'dateOrdered',
+                    'totalPrice',
+                ])
+            ) {
+                $field = null;
+                $direction = null;
+            }
 
             if ($field && $direction) {
                 $orderQuery->orderBy($field . ' ' . $direction);
@@ -399,7 +417,6 @@ public function actionUserOrdersTable(): Response
 
         $orderQuery->offset($offset);
         $orderQuery->limit($limit);
-        $orderQuery->orderBy('dateOrdered DESC');
         $orders = $orderQuery->all();
 
         $rows = [];
@@ -557,6 +574,15 @@ public function actionPurchasablesTable(): Response
         // Apply sorting if required
         if ($sort && strpos($sort, '|')) {
             [$column, $direction] = explode('|', $sort);
+
+            if (!in_array($column, [
+                'description',
+                'sku',
+                'price',
+            ])) {
+                $column = null;
+            }
+
             if ($column && in_array($direction, ['asc', 'desc'], true)) {
                 $sqlQuery->orderBy([$column => $direction == 'asc' ? SORT_ASC : SORT_DESC]);
             }

src/templates/_includes/users/_ordersTable.twig

@@ -12,7 +12,7 @@
 var orderColumns = [
     { name: '__slot:title', title: Craft.t('commerce', 'Order'), sortField: 'reference' },
     { name: 'date', title: Craft.t('commerce', 'Order Date'), sortField: 'dateOrdered' },
-    { name: 'total', title: Craft.t('commerce', 'Total Paid'), sortField: 'totalPaid' },
+    { name: 'total', title: Craft.t('commerce', 'Total'), sortField: 'totalPrice' },
     { name: 'orderStatus', title: Craft.t('commerce', 'Status'),
         callback: function(value) {
             return value;