Merge branch 'pr' of https://github.com/magento-jackalopes/magento2ce into pr

Joan He · Joan He · commit 057129ea6573 · 2016-09-03T07:14:35.000-05:00
diff --git a/app/code/Magento/Security/view/adminhtml/templates/session/activity.phtml b/app/code/Magento/Security/view/adminhtml/templates/session/activity.phtml
@@ -55,9 +55,11 @@ $sessionInfoCollection = $block->getSessionInfoCollection();
                 if ($block->areMultipleSessionsActive()): ?>
                     data-mage-init='{"confirmRedirect":{
                         "message": "<?php
-                    echo $block->escapeJs(__('Are you sure that you want to log out all other sessions?')) ?>",
+                            echo $block->escapeJs(__('Are you sure that you want to log out all other sessions?'))
+                        ?>",
                         "url":"<?php
-                    echo $block->escapeJs($block->escapeUrl($block->getUrl('security/session/logoutAll'))) ?>"
+                            echo $block->escapeJs($block->escapeUrl($block->getUrl('security/session/logoutAll')))
+                        ?>"
                     }}'
                 <?php
                 else: ?>disabled<?php
diff --git a/lib/internal/Magento/Framework/Escaper.php b/lib/internal/Magento/Framework/Escaper.php
@@ -23,20 +23,21 @@ class Escaper
     /**
      * @var string[]
      */
-    private $notAllowedTags = ['script', 'img'];
+    private $notAllowedTags = ['script', 'img', 'embed', 'iframe', 'video', 'source', 'object', 'audio'];
 
     /**
      * @var string[]
      */
-    private $allowedAttributes = ['id', 'class', 'href', 'target', 'title'];
+    private $allowedAttributes = ['id', 'class', 'href', 'target', 'title', 'style'];
 
     /**
      * @var string[]
      */
     private $escapeAsUrlAttributes = ['href'];
 
     /**
-     * Escape string for HTML context, allowedTags will not be escaped
+     * Escape string for HTML context. allowedTags will not be escaped, except the following: script, img, embed,
+     * iframe, video, source, object, audio
      *
      * @param string|array $data
      * @param array|null $allowedTags
@@ -59,7 +60,7 @@ public function escapeHtml($data, $allowedTags = null)
                     $this->getLogger()->critical(
                         'The following tag(s) are not allowed: ' . implode(', ', $notAllowedTags)
                     );
-                    return '';
+                    $allowedTags = array_diff($allowedTags, $this->notAllowedTags);
                 }
                 $wrapperElementId = uniqid();
                 $domDocument = new \DOMDocument('1.0', 'UTF-8');
@@ -76,7 +77,6 @@ function ($errorNumber, $errorString) {
                 } catch (\Exception $e) {
                     restore_error_handler();
                     $this->getLogger()->critical($e);
-                    return '';
                 }
                 restore_error_handler();
 
@@ -87,7 +87,7 @@ function ($errorNumber, $errorString) {
 
                 $result = mb_convert_encoding($domDocument->saveHTML(), 'UTF-8', 'HTML-ENTITIES');
                 preg_match('/<body id="' . $wrapperElementId . '">(.+)<\/body><\/html>$/si', $result, $matches);
-                return $matches[1];
+                return !empty($matches) ? $matches[1] : '';
             } else {
                 $result = htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
             }
diff --git a/lib/internal/Magento/Framework/Test/Unit/EscaperTest.php b/lib/internal/Magento/Framework/Test/Unit/EscaperTest.php
@@ -219,13 +219,18 @@ public function escapeHtmlDataProvider()
                 'allowedTags' => ['span', 'b'],
             ],
             'text with non ascii characters' => [
-                'data' => ['абвгд', 'مثال'],
-                'expected' => ['абвгд', 'مثال'],
+                'data' => ['абвгд', 'مثال', '幸福'],
+                'expected' => ['абвгд', 'مثال', '幸福'],
                 'allowedTags' => [],
             ],
             'html and body tags' => [
                 'data' => '<html><body><span>String</span></body></html>',
-                'expected' => '',
+                'expected' => '<span>String</span>',
+                'allowedTags' => ['span'],
+            ],
+            'invalid tag' => [
+                'data' => '<some tag> some text',
+                'expected' => ' some text',
                 'allowedTags' => ['span'],
             ],
         ];
@@ -239,12 +244,12 @@ public function escapeHtmlInvalidDataProvider()
         return [
             'text with allowed script tag' => [
                 'data' => '<span><script>some text in tags</script></span>',
-                'expected' => '',
+                'expected' => '<span>some text in tags</span>',
                 'allowedTags' => ['span', 'script'],
             ],
             'text with invalid html' => [
                 'data' => '<spa>n id="id1">Some string</span>',
-                'expected' => '',
+                'expected' => 'n id=&quot;id1&quot;&gt;Some string',
                 'allowedTags' => ['span'],
             ],
         ];
