Merge pull request #255 from magento-obsessive-owls/MAGETWO-99479

[Owls] MC-16599 Use Escaper methods

Author: davemacaulay

app/code/Magento/PageBuilder/Plugin/Filter/CustomVarTemplate.php

@@ -0,0 +1,53 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\PageBuilder\Plugin\Filter;
+
+use Magento\Store\Model\Store;
+use Magento\Framework\Escaper;
+
+/**
+ * Plugin to the template filter to escape custom variable directives
+ */
+class CustomVarTemplate
+{
+    /**
+     * @var Escaper
+     */
+    private $escaper;
+
+    /**
+     * @param Escaper $escaper
+     */
+    public function __construct(
+        Escaper $escaper
+    ) {
+        $this->escaper = $escaper;
+    }
+
+    /**
+     * Determine if custom variable within a Page Builder CMS Block directive's return value needs to be escaped
+     *
+     * @param \Magento\Email\Model\Template\Filter $subject
+     * @param string $result
+     * @return string
+     */
+    public function afterCustomvarDirective(
+        \Magento\Email\Model\Template\Filter $subject,
+        $result
+    ) {
+        // Determine the need to escape the return value of observed method.
+        // Admin context requires store ID of 0; in that context return value should be escaped
+        $shouldEscape = $subject->getStoreId() !== null && (int) $subject->getStoreId() === Store::DEFAULT_STORE_ID;
+
+        if ($shouldEscape) {
+            return $this->escaper->escapeHtml($result);
+        } else {
+            return $result;
+        }
+    }
+}

app/code/Magento/PageBuilder/Plugin/Filter/TemplatePlugin.php

@@ -7,8 +7,6 @@
 
 namespace Magento\PageBuilder\Plugin\Filter;
 
-use Magento\Store\Model\Store;
-
 /**
  * Plugin to the template filter to process any background images added by Page Builder
  */
@@ -38,19 +36,27 @@ class TemplatePlugin
      */
     private $mathRandom;
 
+    /**
+     * @var \Magento\Framework\Serialize\Serializer\Json
+     */
+    private $json;
+
     /**
      * @param \Psr\Log\LoggerInterface $logger
      * @param \Magento\Framework\View\ConfigInterface $viewConfig
      * @param \Magento\Framework\Math\Random $mathRandom
+     * @param \Magento\Framework\Serialize\Serializer\Json $json
      */
     public function __construct(
         \Psr\Log\LoggerInterface $logger,
         \Magento\Framework\View\ConfigInterface $viewConfig,
-        \Magento\Framework\Math\Random $mathRandom
+        \Magento\Framework\Math\Random $mathRandom,
+        \Magento\Framework\Serialize\Serializer\Json $json
     ) {
         $this->logger = $logger;
         $this->viewConfig = $viewConfig;
         $this->mathRandom = $mathRandom;
+        $this->json = $json;
     }
 
     /**
@@ -107,32 +113,6 @@ public function afterFilter(\Magento\Framework\Filter\Template $subject, string
         return $result;
     }
 
-    /**
-     * Determine if custom variable directive's return value needs to be escaped and do so if true
-     *
-     * @param \Magento\Framework\Filter\Template $subject
-     * @param \Closure $proceed
-     * @param string[] $construction
-     * @return string
-     */
-    public function aroundCustomvarDirective(
-        \Magento\Framework\Filter\Template $subject,
-        \Closure $proceed,
-        $construction
-    ) {
-        // Determine the need to escape the return value of observed method.
-        // Admin context requires store ID of 0; in that context return value should be escaped
-        $shouldEscape = $subject->getStoreId() !== null && (int) $subject->getStoreId() === Store::DEFAULT_STORE_ID;
-
-        if (!$shouldEscape) {
-            return $proceed($construction);
-        }
-
-        $result = $proceed($construction);
-
-        return htmlspecialchars($result);
-    }
-
     /**
      * Create a DOM document from a given string
      *
@@ -161,7 +141,7 @@ private function createDomDocument(string $html) : \DOMDocument
         $domDocument = new \DOMDocument('1.0', 'UTF-8');
         set_error_handler(
             function ($errorNumber, $errorString) {
-                throw new \Exception($errorString, $errorNumber);
+                throw new \DOMException($errorString, $errorNumber);
             }
         );
         $string = mb_convert_encoding($html, 'HTML-ENTITIES', 'UTF-8');
@@ -225,6 +205,7 @@ private function generateDecodedHtmlPlaceholderMappingInDocument(\DOMDocument $d
             $preDecodedOuterHtml = $document->saveHTML($htmlContentTypeNode);
 
             // clear empty <div> wrapper around outerHTML to replace with $clonedHtmlContentTypeNode
+            // phpcs:ignore Magento2.Functions.DiscouragedFunction
             $decodedInnerHtml = preg_replace('#^<[^>]*>|</[^>]*>$#', '', html_entity_decode($preDecodedOuterHtml));
 
             // Use $clonedHtmlContentTypeNode's placeholder to inject decoded inner html
@@ -258,7 +239,8 @@ private function generateBackgroundImageStyles(\DOMDocument $document) : void
             $backgroundImages = $node->attributes->getNamedItem('data-background-images');
             if ($backgroundImages->nodeValue !== '') {
                 $elementClass = uniqid('background-image-');
-                $images = json_decode(stripslashes($backgroundImages->nodeValue), true);
+                // phpcs:ignore Magento2.Functions.DiscouragedFunction
+                $images = $this->json->unserialize(stripslashes($backgroundImages->nodeValue));
                 if (count($images) > 0) {
                     $style = $xpath->document->createElement(
                         'style',

app/code/Magento/PageBuilder/composer.json

@@ -15,6 +15,7 @@
         "magento/module-catalog-widget": "*",
         "magento/module-rule": "*",
         "magento/module-directory": "*",
+        "magento/module-email": "*",
         "php": "~7.1.3||~7.2.0"
     },
     "conflict": {

app/code/Magento/PageBuilder/etc/frontend/di.xml

@@ -12,4 +12,7 @@
     <type name="Magento\Framework\Filter\Template">
         <plugin name="convertBackgroundImages" type="Magento\PageBuilder\Plugin\Filter\TemplatePlugin"/>
     </type>
+    <type name="Magento\Email\Model\Template\Filter">
+        <plugin name="escapeCustomVarDirectives" type="Magento\PageBuilder\Plugin\Filter\CustomVarTemplate"/>
+    </type>
 </config>