
Commit ddd415c

authored
Merge pull request #255 from magento-obsessive-owls/MAGETWO-99479
[Owls] MC-16599 Use Escaper methods
2 parents f998a44 + db532af commit ddd415c


4 files changed

+70
-31
lines changed

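--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,53 @@
+<?php
+/**
+* Copyright © Magento, Inc. All rights reserved.
+* See COPYING.txt for license details.
+*/
+declare(strict_types=1);
+
+namespace Magento\PageBuilder\Plugin\Filter;
+
+use Magento\Store\Model\Store;
+use Magento\Framework\Escaper;
+
+/**
+* Plugin to the template filter to escape custom variable directives
+*/
+class CustomVarTemplate
+{
+/**
+* @var Escaper
+*/
+private $escaper;
+
+/**
+* @param Escaper $escaper
+*/
+public function __construct(
+Escaper $escaper
+) {
+$this->escaper = $escaper;
+}
+
+/**
+* Determine if custom variable within a Page Builder CMS Block directive's return value needs to be escaped
+*
+* @param \Magento\Email\Model\Template\Filter $subject
+* @param string $result
+* @return string
+*/
+public function afterCustomvarDirective(
+\Magento\Email\Model\Template\Filter $subject,
+$result
+) {
+// Determine the need to escape the return value of observed method.
+// Admin context requires store ID of 0; in that context return value should be escaped
+$shouldEscape = $subject->getStoreId() !== null && (int) $subject->getStoreId() === Store::DEFAULT_STORE_ID;
+
+if ($shouldEscape) {
+return $this->escaper->escapeHtml($result);
+} else {
+return $result;
+}
+}
+}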
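Review bot: The `$shouldEscape` guard in afterCustomvarDirective treats a null store ID as "do not escape", so a filter run without store context emits the custom variable value verbatim; if that is deliberate it deserves a comment (e.g. `// null store ID means frontend rendering, where the value is trusted — confirm`), otherwise failing closed is the safer default: `$storeId = $subject->getStoreId();` / `$shouldEscape = $storeId === null || (int) $storeId === Store::DEFAULT_STORE_ID;`. Reading `getStoreId()` once also avoids the double call. With `strict_types` declared, `$result` and the return can carry native `string` types to match the docblock (`string $result` / `): string {`), and the `else` after `return` can be dropped.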

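--- a/app/code/Magento/PageBuilder/Plugin/Filter/TemplatePlugin.php
+++ b/app/code/Magento/PageBuilder/Plugin/Filter/TemplatePlugin.php
@@ -7,8 +7,6 @@
 
 namespace Magento\PageBuilder\Plugin\Filter;
 
-use Magento\Store\Model\Store;
-
 /**
 * Plugin to the template filter to process any background images added by Page Builder
 */
@@ -38,19 +36,27 @@ class TemplatePlugin
 */
 private $mathRandom;
 
+/**
+* @var \Magento\Framework\Serialize\Serializer\Json
+*/
+private $json;
+
 /**
 * @param \Psr\Log\LoggerInterface $logger
 * @param \Magento\Framework\View\ConfigInterface $viewConfig
 * @param \Magento\Framework\Math\Random $mathRandom
+* @param \Magento\Framework\Serialize\Serializer\Json $json
 */
 public function __construct(
 \Psr\Log\LoggerInterface $logger,
 \Magento\Framework\View\ConfigInterface $viewConfig,
-\Magento\Framework\Math\Random $mathRandom
+\Magento\Framework\Math\Random $mathRandom,
+\Magento\Framework\Serialize\Serializer\Json $json
 ) {
 $this->logger = $logger;
 $this->viewConfig = $viewConfig;
 $this->mathRandom = $mathRandom;
+$this->json = $json;
 }
 
 /**
@@ -107,32 +113,6 @@ public function afterFilter(\Magento\Framework\Filter\Template $subject, string
 return $result;
 }
 
-/**
-* Determine if custom variable directive's return value needs to be escaped and do so if true
-*
-* @param \Magento\Framework\Filter\Template $subject
-* @param \Closure $proceed
-* @param string[] $construction
-* @return string
-*/
-public function aroundCustomvarDirective(
-\Magento\Framework\Filter\Template $subject,
-\Closure $proceed,
-$construction
-) {
-// Determine the need to escape the return value of observed method.
-// Admin context requires store ID of 0; in that context return value should be escaped
-$shouldEscape = $subject->getStoreId() !== null && (int) $subject->getStoreId() === Store::DEFAULT_STORE_ID;
-
-if (!$shouldEscape) {
-return $proceed($construction);
-}
-
-$result = $proceed($construction);
-
-return htmlspecialchars($result);
-}
-
 /**
 * Create a DOM document from a given string
 *
@@ -161,7 +141,7 @@ private function createDomDocument(string $html) : \DOMDocument
 $domDocument = new \DOMDocument('1.0', 'UTF-8');
 set_error_handler(
 function ($errorNumber, $errorString) {
-throw new \Exception($errorString, $errorNumber);
+throw new \DOMException($errorString, $errorNumber);
 }
 );
 $string = mb_convert_encoding($html, 'HTML-ENTITIES', 'UTF-8');
@@ -225,6 +205,7 @@ private function generateDecodedHtmlPlaceholderMappingInDocument(\DOMDocument $d
 $preDecodedOuterHtml = $document->saveHTML($htmlContentTypeNode);
 
 // clear empty <div> wrapper around outerHTML to replace with $clonedHtmlContentTypeNode
+// phpcs:ignore Magento2.Functions.DiscouragedFunction
 $decodedInnerHtml = preg_replace('#^<[^>]*>|</[^>]*>$#', '', html_entity_decode($preDecodedOuterHtml));
 
 // Use $clonedHtmlContentTypeNode's placeholder to inject decoded inner html
@@ -258,7 +239,8 @@ private function generateBackgroundImageStyles(\DOMDocument $document) : void
 $backgroundImages = $node->attributes->getNamedItem('data-background-images');
 if ($backgroundImages->nodeValue !== '') {
 $elementClass = uniqid('background-image-');
-$images = json_decode(stripslashes($backgroundImages->nodeValue), true);
+// phpcs:ignore Magento2.Functions.DiscouragedFunction
+$images = $this->json->unserialize(stripslashes($backgroundImages->nodeValue));
 if (count($images) > 0) {
 $style = $xpath->document->createElement(
 'style',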
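Review bot: Switching `json_decode` to `$this->json->unserialize()` in generateBackgroundImageStyles changes the failure mode for a malformed `data-background-images` attribute: the serializer throws an `\InvalidArgumentException` where `json_decode` returned null, so one bad attribute in stored content now aborts the whole filter pass unless a caller outside this hunk catches it. The value is also passed straight to `count()` without checking it decoded to an array; a JSON scalar or object would pass the `!== ''` test and reach `count()`. A one-line guard, `if (is_array($images) && count($images) > 0) {`, covers the second case, and the first deserves either a `try`/`catch` that logs via `$this->logger` and skips the node, or a comment stating that propagation is intended. In createDomDocument the error-handler callback now throws `\DOMException`; the rest of that method is outside the hunk, so please confirm `restore_error_handler()` still runs on the throwing path.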

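--- a/app/code/Magento/PageBuilder/composer.json
+++ b/app/code/Magento/PageBuilder/composer.json
@@ -15,6 +15,7 @@
 "magento/module-catalog-widget": "*",
 "magento/module-rule": "*",
 "magento/module-directory": "*",
+"magento/module-email": "*",
 "php": "~7.1.3||~7.2.0"
 },
 "conflict": {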

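--- a/app/code/Magento/PageBuilder/etc/frontend/di.xml
+++ b/app/code/Magento/PageBuilder/etc/frontend/di.xml
@@ -12,4 +12,7 @@
 <type name="Magento\Framework\Filter\Template">
 <plugin name="convertBackgroundImages" type="Magento\PageBuilder\Plugin\Filter\TemplatePlugin"/>
 </type>
+<type name="Magento\Email\Model\Template\Filter">
+<plugin name="escapeCustomVarDirectives" type="Magento\PageBuilder\Plugin\Filter\CustomVarTemplate"/>
+</type>
 </config>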
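Review bot: The `escapeCustomVarDirectives` plugin is registered only in the frontend-area `etc/frontend/di.xml`, while the plugin it wires escapes only when the store ID is the default (admin) store; if that condition is expected to be met from the adminhtml area, this area-scoped file would not apply the plugin there, and the global `etc/di.xml` (or an adminhtml-area file) would be the matching scope. This is inferred from the path and the plugin's store-ID check, so please confirm against where the custom variable directive is actually filtered.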
