Merge pull request #4087 from magento-borg/borg-qwerty-2.3

[borg] Bug fixes

Author: nathanjosiah

app/code/Magento/Captcha/Model/DefaultModel.php

@@ -3,13 +3,18 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Captcha\Model;
 
 use Magento\Captcha\Helper\Data;
+use Magento\Framework\Math\Random;
 
 /**
  * Implementation of \Zend\Captcha\Image
  *
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
+ *
  * @api
  * @since 100.0.2
  */
@@ -83,24 +88,32 @@ class DefaultModel extends \Zend\Captcha\Image implements \Magento\Captcha\Model
      */
     private $words;
 
+    /**
+     * @var Random
+     */
+    private $randomMath;
+
     /**
      * @param \Magento\Framework\Session\SessionManagerInterface $session
      * @param \Magento\Captcha\Helper\Data $captchaData
      * @param ResourceModel\LogFactory $resLogFactory
      * @param string $formId
+     * @param Random $randomMath
      * @throws \Zend\Captcha\Exception\ExtensionNotLoadedException
      */
     public function __construct(
         \Magento\Framework\Session\SessionManagerInterface $session,
         \Magento\Captcha\Helper\Data $captchaData,
         \Magento\Captcha\Model\ResourceModel\LogFactory $resLogFactory,
-        $formId
+        $formId,
+        Random $randomMath = null
     ) {
         parent::__construct();
         $this->session = $session;
         $this->captchaData = $captchaData;
         $this->resLogFactory = $resLogFactory;
         $this->formId = $formId;
+        $this->randomMath = $randomMath ?? \Magento\Framework\App\ObjectManager::getInstance()->get(Random::class);
     }
 
     /**
@@ -382,23 +395,9 @@ public function setShowCaptchaInSession($value = true)
      */
     protected function generateWord()
     {
-        $word = '';
-        $symbols = $this->getSymbols();
+        $symbols = (string)$this->captchaData->getConfig('symbols');
         $wordLen = $this->getWordLen();
-        for ($i = 0; $i < $wordLen; $i++) {
-            $word .= $symbols[array_rand($symbols)];
-        }
-        return $word;
-    }
-
-    /**
-     * Get symbols array to use for word generation
-     *
-     * @return array
-     */
-    private function getSymbols()
-    {
-        return str_split((string)$this->captchaData->getConfig('symbols'));
+        return $this->randomMath->getRandomString($wordLen, $symbols);
     }
 
     /**
@@ -562,7 +561,7 @@ protected function randomSize()
      */
     protected function gc()
     {
-        //do nothing
+        return; // required for static testing to pass
     }
 
     /**

app/code/Magento/Captcha/Test/Unit/Model/DefaultTest.php

@@ -3,8 +3,12 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Captcha\Test\Unit\Model;
 
+use Magento\Framework\Math\Random;
+
 /**
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
@@ -375,4 +379,38 @@ public function isShownToLoggedInUserDataProvider()
             [false, 'user_forgotpassword']
         ];
     }
+
+    /**
+     * @param string $string
+     * @dataProvider generateWordProvider
+     * @throws \ReflectionException
+     */
+    public function testGenerateWord($string)
+    {
+        $randomMock = $this->createMock(Random::class);
+        $randomMock->expects($this->once())
+            ->method('getRandomString')
+            ->will($this->returnValue($string));
+        $captcha = new \Magento\Captcha\Model\DefaultModel(
+            $this->session,
+            $this->_getHelperStub(),
+            $this->_resLogFactory,
+            'user_create',
+            $randomMock
+        );
+        $method = new \ReflectionMethod($captcha, 'generateWord');
+        $method->setAccessible(true);
+        $this->assertEquals($string, $method->invoke($captcha));
+    }
+    /**
+     * @return array
+     */
+    public function generateWordProvider()
+    {
+        return [
+            ['ABC123'],
+            ['1234567890'],
+            ['The quick brown fox jumps over the lazy dog.']
+        ];
+    }
 }

app/code/Magento/Customer/etc/adminhtml/system.xml

@@ -280,6 +280,7 @@
                 </field>
                 <field id="html" translate="label" type="textarea" sortOrder="3" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">
                     <label>HTML</label>
+                    <comment>Only 'b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul' tags are allowed</comment>
                 </field>
                 <field id="pdf" translate="label" type="textarea" sortOrder="4" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">
                     <label>PDF</label>

app/code/Magento/Customer/i18n/en_US.csv

@@ -500,6 +500,7 @@ Strong,Strong
 "Address Templates","Address Templates"
 "Online Customers Options","Online Customers Options"
 "Online Minutes Interval","Online Minutes Interval"
+"Only 'b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul' tags are allowed","Only 'b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul' tags are allowed"
 "Leave empty for default (15 minutes).","Leave empty for default (15 minutes)."
 "Customer Notification","Customer Notification"
 "Customer Grid","Customer Grid"

app/code/Magento/Customer/view/adminhtml/templates/tab/view/personal_info.phtml

@@ -13,6 +13,7 @@ $lastLoginDateStore = $block->getStoreLastLoginDate();
 
 $createDateAdmin = $block->getCreateDate();
 $createDateStore = $block->getStoreCreateDate();
+$allowedAddressHtmlTags = ['b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul'];
 ?>
 <div class="fieldset-wrapper customer-information">
     <div class="fieldset-wrapper-title">
@@ -61,7 +62,7 @@ $createDateStore = $block->getStoreCreateDate();
     </table>
     <address>
         <strong><?= $block->escapeHtml(__('Default Billing Address')) ?></strong><br/>
-        <?= $block->getBillingAddressHtml() ?>
+        <?= $block->escapeHtml($block->getBillingAddressHtml(), $allowedAddressHtmlTags) ?>
     </address>
 
 </div>

app/code/Magento/Sales/view/adminhtml/templates/order/create/data.phtml

@@ -10,7 +10,7 @@
 <div class="page-create-order">
     <script>
     require(["Magento_Sales/order/create/form"], function(){
-        order.setCurrencySymbol('<?= /* @escapeNotVerified */ $block->getCurrencySymbol($block->getCurrentCurrencyCode()) ?>')
+        order.setCurrencySymbol('<?= $block->escapeJs($block->getCurrencySymbol($block->getCurrentCurrencyCode())) ?>')
     });
 </script>
     <div class="order-details<?php if ($block->getCustomerId()): ?> order-details-existing-customer<?php endif; ?>">
@@ -35,7 +35,7 @@
 
         <section id="order-addresses" class="admin__page-section order-addresses">
             <div class="admin__page-section-title">
-                <span class="title"><?= /* @escapeNotVerified */ __('Address Information') ?></span>
+                <span class="title"><?= $block->escapeHtml(__('Address Information')) ?></span>
             </div>
             <div class="admin__page-section-content">
                 <div id="order-billing_address" class="admin__page-section-item order-billing-address">
@@ -69,11 +69,11 @@
 
         <section class="admin__page-section order-summary">
             <div class="admin__page-section-title">
-                <span class="title"><?= /* @escapeNotVerified */ __('Order Total') ?></span>
+                <span class="title"><?= $block->escapeHtml(__('Order Total')) ?></span>
             </div>
             <div class="admin__page-section-content">
                 <fieldset class="admin__fieldset order-history" id="order-comment">
-                    <legend class="admin__legend"><span><?= /* @escapeNotVerified */ __('Order History') ?></span></legend>
+                    <legend class="admin__legend"><span><?= $block->escapeHtml(__('Order History')) ?></span></legend>
                     <br>
                     <?= $block->getChildHtml('comment') ?>
                 </fieldset>
@@ -88,15 +88,15 @@
         <div class="order-sidebar">
             <div class="store-switcher order-currency">
                 <label class="admin__field-label" for="currency_switcher">
-                    <?= /* @escapeNotVerified */ __('Order Currency:') ?>
+                    <?= $block->escapeHtml(__('Order Currency:')) ?>
                 </label>
                 <select id="currency_switcher"
                         class="admin__control-select"
                         name="order[currency]"
                         onchange="order.setCurrencyId(this.value); order.setCurrencySymbol(this.options[this.selectedIndex].getAttribute('symbol'));">
                     <?php foreach ($block->getAvailableCurrencies() as $_code): ?>
-                        <option value="<?= /* @escapeNotVerified */ $_code ?>"<?php if ($_code == $block->getCurrentCurrencyCode()): ?> selected="selected"<?php endif; ?> symbol="<?= /* @escapeNotVerified */ $block->getCurrencySymbol($_code) ?>">
-                            <?= /* @escapeNotVerified */ $block->getCurrencyName($_code) ?>
+                        <option value="<?= $block->escapeHtmlAttr($_code) ?>"<?php if ($_code == $block->getCurrentCurrencyCode()): ?> selected="selected"<?php endif; ?> symbol="<?=$block->escapeHtmlAttr($block->getCurrencySymbol($_code)) ?>">
+                            <?= $block->escapeHtml($block->getCurrencyName($_code)) ?>
                         </option>
                     <?php endforeach; ?>
                 </select>

app/code/Magento/Sales/view/adminhtml/templates/order/view/info.phtml

@@ -26,6 +26,7 @@ $orderStoreDate = $block->formatDate(
 );
 
 $customerUrl = $block->getCustomerViewUrl();
+$allowedAddressHtmlTags = ['b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul'];
 ?>
 
 <section class="admin__page-section order-view-account-information">
@@ -171,7 +172,7 @@ $customerUrl = $block->getCustomerViewUrl();
                 <span class="title"><?= $block->escapeHtml(__('Billing Address')) ?></span>
                 <div class="actions"><?= /* @noEscape */ $block->getAddressEditLink($order->getBillingAddress()); ?></div>
             </div>
-            <address class="admin__page-section-item-content"><?= /* @noEscape */ $block->getFormattedAddress($order->getBillingAddress()); ?></address>
+            <address class="admin__page-section-item-content"><?= $block->escapeHtml($block->getFormattedAddress($order->getBillingAddress()), $allowedAddressHtmlTags); ?></address>
         </div>
         <?php if (!$block->getOrder()->getIsVirtual()): ?>
             <div class="admin__page-section-item order-shipping-address">
@@ -180,7 +181,7 @@ $customerUrl = $block->getCustomerViewUrl();
                     <span class="title"><?= $block->escapeHtml(__('Shipping Address')) ?></span>
                     <div class="actions"><?= /* @noEscape */ $block->getAddressEditLink($order->getShippingAddress()); ?></div>
                 </div>
-                <address class="admin__page-section-item-content"><?= /* @noEscape */ $block->getFormattedAddress($order->getShippingAddress()); ?></address>
+                <address class="admin__page-section-item-content"><?= $block->escapeHtml($block->getFormattedAddress($order->getShippingAddress()), $allowedAddressHtmlTags); ?></address>
             </div>
         <?php endif; ?>
     </div>