MC-15311: [Sec] PageBuilder XSS Injection Possible Through Block on HTML Code Content Type For CSS Classes Attribute & in TinyMCE

Escape customVar directives on storefront

Author: danmooney2

app/code/Magento/PageBuilder/Plugin/Filter/TemplatePlugin.php

@@ -105,6 +105,32 @@ public function afterFilter(\Magento\Framework\Filter\Template $subject, string
         return $result;
     }
 
+    /**
+     * Determine if custom variable directive's return value needs to be escaped and do so if true
+     *
+     * @param \Magento\Framework\Filter\Template $subject
+     * @param \Closure $proceed
+     * @param $construction
+     * @return string
+     */
+    public function aroundCustomvarDirective(
+        \Magento\Framework\Filter\Template $subject,
+        \Closure $proceed,
+        $construction
+    ) {
+        // Determine the need to escape the return value of observed method.
+        // Admin context requires store ID of 0; in that context return value should be escaped
+        $shouldEscape = $subject->getStoreId() !== null && (int) $subject->getStoreId() === 0;
+
+        if (!$shouldEscape) {
+            return $proceed();
+        }
+
+        $result = $proceed($construction);
+
+        return htmlspecialchars($result);
+    }
+
     /**
      * Create a DOM document from a given string
      *