magento
diff --git a/‎app/code/Magento/Authorizenet/Model/Authorizenet.php
Lines changed: 12 additions & 0 deletions b/‎app/code/Magento/Authorizenet/Model/Authorizenet.php
Lines changed: 12 additions & 0 deletions
diff --git a/‎app/code/Magento/Authorizenet/Model/Directpost.php
Lines changed: 3 additions & 0 deletions b/‎app/code/Magento/Authorizenet/Model/Directpost.php
Lines changed: 3 additions & 0 deletions
diff --git a/‎app/code/Magento/Authorizenet/etc/adminhtml/system.xml
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Authorizenet/etc/adminhtml/system.xml
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Authorizenet/view/frontend/web/js/view/payment/method-renderer/authorizenet-directpost.js
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Authorizenet/view/frontend/web/js/view/payment/method-renderer/authorizenet-directpost.js
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Backend/view/adminhtml/templates/widget/form/renderer/fieldset/element.phtml
Lines changed: 2 additions & 1 deletion b/‎app/code/Magento/Backend/view/adminhtml/templates/widget/form/renderer/fieldset/element.phtml
Lines changed: 2 additions & 1 deletion
diff --git a/‎app/code/Magento/Braintree/Block/Creditcard/Management.php
Lines changed: 7 additions & 7 deletions b/‎app/code/Magento/Braintree/Block/Creditcard/Management.php
Lines changed: 7 additions & 7 deletions
diff --git a/‎app/code/Magento/Braintree/Block/PayPal/Shortcut.php
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Braintree/Block/PayPal/Shortcut.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Braintree/Controller/PayPal/SaveShippingMethod.php
Lines changed: 2 additions & 2 deletions b/‎app/code/Magento/Braintree/Controller/PayPal/SaveShippingMethod.php
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/code/Magento/Braintree/Model/ConfigProvider.php
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Braintree/Model/ConfigProvider.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Braintree/Model/PaymentMethod.php
Lines changed: 22 additions & 34 deletions b/‎app/code/Magento/Braintree/Model/PaymentMethod.php
Lines changed: 22 additions & 34 deletions
@@ -104,6 +104,11 @@ abstract class Authorizenet extends \Magento\Payment\Model\Method\Cc
      */
     protected $_debugReplacePrivateDataKeys = ['merchantAuthentication', 'x_login'];
 
+    /**
+     * @var \Magento\Framework\Xml\Security
+     */
+    protected $xmlSecurityHelper;
+
     /**
      * @param \Magento\Framework\Model\Context $context
      * @param \Magento\Framework\Registry $registry
@@ -117,6 +122,7 @@ abstract class Authorizenet extends \Magento\Payment\Model\Method\Cc
      * @param \Magento\Authorizenet\Helper\Data $dataHelper
      * @param \Magento\Authorizenet\Model\Request\Factory $requestFactory
      * @param \Magento\Authorizenet\Model\Response\Factory $responseFactory
+     * @param \Magento\Framework\Xml\Security $xmlSecurityHelper
      * @param \Magento\Framework\Model\Resource\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
@@ -135,13 +141,15 @@ public function __construct(
         \Magento\Authorizenet\Helper\Data $dataHelper,
         \Magento\Authorizenet\Model\Request\Factory $requestFactory,
         \Magento\Authorizenet\Model\Response\Factory $responseFactory,
+        \Magento\Framework\Xml\Security $xmlSecurityHelper,
         \Magento\Framework\Model\Resource\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
         array $data = []
     ) {
         $this->dataHelper = $dataHelper;
         $this->requestFactory = $requestFactory;
         $this->responseFactory = $responseFactory;
+        $this->xmlSecurityHelper = $xmlSecurityHelper;
 
         parent::__construct(
             $context,
@@ -489,6 +497,10 @@ protected function loadTransactionDetails($transactionId)
 
         try {
             $responseBody = $client->request()->getBody();
+            if (!$this->xmlSecurityHelper->scan($responseBody)) {
+                $this->_logger->critical('Attempt loading of external XML entities in response from Authorizenet.');
+                throw new \Exception();
+            }
             $debugData['response'] = $responseBody;
             libxml_use_internal_errors(true);
             $responseXmlDocument = new \Magento\Framework\Simplexml\Element($responseBody);
 
@@ -130,6 +130,7 @@ class Directpost extends \Magento\Authorizenet\Model\Authorizenet implements Tra
      * @param \Magento\Authorizenet\Helper\Data $dataHelper
      * @param \Magento\Authorizenet\Model\Directpost\Request\Factory $requestFactory
      * @param \Magento\Authorizenet\Model\Directpost\Response\Factory $responseFactory
+     * @param \Magento\Framework\Xml\Security $xmlSecurityHelper
      * @param \Magento\Sales\Model\OrderFactory $orderFactory
      * @param \Magento\Store\Model\StoreManagerInterface $storeManager
      * @param \Magento\Quote\Model\QuoteRepository $quoteRepository
@@ -153,6 +154,7 @@ public function __construct(
         \Magento\Authorizenet\Helper\Data $dataHelper,
         \Magento\Authorizenet\Model\Directpost\Request\Factory $requestFactory,
         \Magento\Authorizenet\Model\Directpost\Response\Factory $responseFactory,
+        \Magento\Framework\Xml\Security $xmlSecurityHelper,
         \Magento\Sales\Model\OrderFactory $orderFactory,
         \Magento\Store\Model\StoreManagerInterface $storeManager,
         \Magento\Quote\Model\QuoteRepository $quoteRepository,
@@ -183,6 +185,7 @@ public function __construct(
             $dataHelper,
             $requestFactory,
             $responseFactory,
+            $xmlSecurityHelper,
             $resource,
             $resourceCollection,
             $data
 
@@ -45,7 +45,7 @@
                     <label>Gateway URL</label>
                 </field>
                 <field id="cgi_url_td" translate="label" type="text" sortOrder="100" showInDefault="1" showInWebsite="1" showInStore="0">
-                    <label>Transaction Details Url</label>
+                    <label>Transaction Details URL</label>
                 </field>
                 <field id="currency" translate="label" type="select" sortOrder="110" showInDefault="1" showInWebsite="1" showInStore="0">
                     <label>Accepted Currency</label>
 
@@ -48,7 +48,7 @@ define(
                 var self = this;
                 if (this.validateHandler() && additionalValidators.validate()) {
                     this.isPlaceOrderActionAllowed(false);
-                    $.when(setPaymentInformationAction(this.messageContainer)).done(function() {
+                    $.when(setPaymentInformationAction(this.messageContainer, {'method': self.getCode()})).done(function() {
                         self.placeOrderHandler();
                     }).fail(function() {
                         self.isPlaceOrderActionAllowed(true);
 
@@ -22,7 +22,8 @@ $fieldClass .= ($note) ? ' with-note' : '';
 $fieldClass .= (!$element->getLabelHtml()) ? ' no-label' : '';
 
 $fieldAttributes = $fieldId . ' class="' . $fieldClass . '" '
-    . $block->getUiId('form-field', $element->getId());
+    . $block->getUiId('form-field', $element->getId())
+    . ($element->getFieldExtraAttributes() ? ' ' . $element->getFieldExtraAttributes() : '');
 ?>
 
 <?php if (!$element->getNoDisplay()): ?>
 
@@ -258,7 +258,7 @@ public function currentCustomerLastName()
      */
     public function getEditUrl($token)
     {
-        return $this->getUrl('braintree/creditcard/edit', ['token' => $token]);
+        return $this->getUrl('braintree/creditcard/edit', ['token' => $token, '_secure' => true]);
     }
 
     /**
@@ -269,7 +269,7 @@ public function getEditUrl($token)
      */
     public function getDeleteUrl($token)
     {
-        return $this->getUrl('braintree/creditcard/delete', ['token' => $token]);
+        return $this->getUrl('braintree/creditcard/delete', ['token' => $token, '_secure' => true]);
     }
 
     /**
@@ -279,7 +279,7 @@ public function getDeleteUrl($token)
      */
     public function getAddUrl()
     {
-        return $this->getUrl('braintree/creditcard/newcard');
+        return $this->getUrl('braintree/creditcard/newcard', ['_secure' => true]);
     }
 
     /**
@@ -289,7 +289,7 @@ public function getAddUrl()
      */
     public function getDeleteConfirmUrl()
     {
-        return $this->getUrl('braintree/creditcard/deleteconfirm');
+        return $this->getUrl('braintree/creditcard/deleteconfirm', ['_secure' => true]);
     }
 
     /**
@@ -299,7 +299,7 @@ public function getDeleteConfirmUrl()
      */
     public function getAjaxSaveUrl()
     {
-        return $this->getUrl('braintree/creditcard/ajaxsave');
+        return $this->getUrl('braintree/creditcard/ajaxsave', ['_secure' => true]);
     }
 
     /**
@@ -309,7 +309,7 @@ public function getAjaxSaveUrl()
      */
     public function getFormAction()
     {
-        return $this->getUrl('braintree/creditcard/save');
+        return $this->getUrl('braintree/creditcard/save', ['_secure' => true]);
     }
 
     /**
@@ -319,7 +319,7 @@ public function getFormAction()
      */
     public function getBackUrl()
     {
-        return $this->getUrl('braintree/creditcard/index');
+        return $this->getUrl('braintree/creditcard/index', ['_secure' => true]);
     }
 
     /**
 
@@ -125,7 +125,7 @@ public function getAmount()
      */
     public function getReviewPageUrl()
     {
-        return $this->_urlBuilder->getUrl('braintree/paypal/review');
+        return $this->_urlBuilder->getUrl('braintree/paypal/review', ['_secure' => true]);
     }
 
     /**
 
@@ -38,11 +38,11 @@ public function execute()
         if ($isAjax) {
             $this->getResponse()->setBody(
                 '<script>window.location.href = '
-                . $this->_url->getUrl('*/*/review')
+                . $this->_url->getUrl('*/*/review', ['_secure' => true])
                 . ';</script>'
             );
         } else {
-            $this->_redirect('*/*/review');
+            $this->_redirect('*/*/review', ['_secure' => true]);
         }
     }
 }
@@ -134,7 +134,7 @@ public function show3dSecure()
      */
     public function getAjaxGenerateNonceUrl()
     {
-        return $this->urlBuilder->getUrl('braintree/creditcard/generate');
+        return $this->urlBuilder->getUrl('braintree/creditcard/generate', ['_secure' => true]);
     }
 
     /**
 
@@ -95,7 +95,7 @@ class PaymentMethod extends \Magento\Payment\Model\Method\Cc
      * @var bool
      */
     protected $_canRefundInvoicePartial = true;
-  
+
     /**
      * @var string
      */
@@ -289,7 +289,7 @@ public function validate()
                 throw new LocalizedException($error);
             }
         }
-        
+
         return $this;
     }
 
@@ -474,7 +474,7 @@ protected function braintreeAuthorize(InfoInterface $payment, $amount, $capture,
             $this->_debug($transactionParams);
             try {
                 $result = $this->braintreeTransaction->sale($transactionParams);
-                $this->_debug($result);
+                $this->_debug($this->_convertObjToArray($result));
             } catch (\Exception $e) {
                 $this->_logger->critical($e);
                 throw new LocalizedException(__('Please try again later'));
@@ -589,8 +589,8 @@ public function capture(InfoInterface $payment, $amount)
                     $this->partialCapture($payment, $amount);
                 } else {
                     $result = $this->braintreeTransaction->submitForSettlement($payment->getCcTransId(), $amount);
-                    $this->_debug($payment->getCcTransId().' - '.$amount);
-                    $this->_debug($result);
+                    $this->_debug([$payment->getCcTransId().' - '.$amount]);
+                    $this->_debug($this->_convertObjToArray($result));
                     if ($result->success) {
                         $payment->setIsTransactionClosed(0)
                             ->setShouldCloseParentTransaction(false);
@@ -621,8 +621,8 @@ public function refund(InfoInterface $payment, $amount)
         $transactionId = $this->braintreeHelper->clearTransactionId($payment->getRefundTransactionId());
         try {
             $transaction = $this->braintreeTransaction->find($transactionId);
-            $this->_debug($payment->getCcTransId());
-            $this->_debug($transaction);
+            $this->_debug([$payment->getCcTransId()]);
+            $this->_debug($this->_convertObjToArray($transaction));
             if ($transaction->status === \Braintree_Transaction::SUBMITTED_FOR_SETTLEMENT) {
                 if ($transaction->amount != $amount) {
                     $message = __('This refund is for a partial amount but the Transaction has not settled.')
@@ -641,7 +641,7 @@ public function refund(InfoInterface $payment, $amount)
             $result = $canVoid
                 ? $this->braintreeTransaction->void($transactionId)
                 : $this->braintreeTransaction->refund($transactionId, $amount);
-            $this->_debug($result);
+            $this->_debug($this->_convertObjToArray($result));
             if ($result->success) {
                 $payment->setIsTransactionClosed(1);
             } else {
@@ -711,9 +711,9 @@ public function void(InfoInterface $payment)
         }
         $errors = '';
         foreach ($transactionIds as $transactionId) {
-            $this->_debug('void-' . $transactionId);
+            $this->_debug(['void-' . $transactionId]);
             $result = $this->braintreeTransaction->void($transactionId);
-            $this->_debug($result);
+            $this->_debug($this->_convertObjToArray($result));
             if (!$result->success) {
                 $errors .= ' ' . $this->errorHelper->parseBraintreeError($result)->getText();
             } elseif ($message) {
@@ -853,7 +853,7 @@ protected function getChannel()
      */
     protected function cloneTransaction($amount, $transactionId)
     {
-        $this->_debug('clone-' . $transactionId . ' amount=' . $amount);
+        $this->_debug(['clone-' . $transactionId . ' amount=' . $amount]);
         $result = $this->braintreeTransaction->cloneTransaction(
             $transactionId,
             [
@@ -863,7 +863,7 @@ protected function cloneTransaction($amount, $transactionId)
                 ]
             ]
         );
-        $this->_debug($result);
+        $this->_debug($this->_convertObjToArray($result));
         return $result;
     }
 
@@ -907,28 +907,6 @@ public function canVoid()
         return $this->_canVoid;
     }
 
-    /**
-     * Log debug data to file
-     *
-     * @param mixed $debugData
-     * @return $this
-     */
-    protected function _debug($debugData)
-    {
-        if (!$this->config->isDebugEnabled()) {
-            return $this;
-        }
-        if (!is_array($debugData)) {
-            if (is_object($debugData)) {
-                $debugData = var_export($debugData, true);
-            } else {
-                $debugData = [$debugData];
-            }
-        }
-        parent::_debug((array)$debugData);
-        return $this;
-    }
-
     /**
      * Return replace keys for debug data
      *
@@ -957,4 +935,14 @@ public function getConfigData($field, $storeId = null)
         }
         return $this->config->getConfigData($field, $storeId);
     }
+
+    /**
+     * Convert response from Braintree to array
+     * @param \Braintree_Result_Successful|\Braintree_Result_Error|\Braintree_Transaction $data
+     * @return array
+     */
+    protected function _convertObjToArray($data)
+    {
+        return json_decode(json_encode($data), true);
+    }
 }
Original file line number	Diff line number	Diff line change
`@@ -258,7 +258,7 @@ public function currentCustomerLastName()`
`258`	`258`	`*/`
`259`	`259`	`public function getEditUrl($token)`
`260`	`260`	`{`
`261`		`- return $this->getUrl('braintree/creditcard/edit', ['token' => $token]);`
	`261`	`+ return $this->getUrl('braintree/creditcard/edit', ['token' => $token, '_secure' => true]);`
`262`	`262`	`}`
`263`	`263`
`264`	`264`	`/**`
`@@ -269,7 +269,7 @@ public function getEditUrl($token)`
`269`	`269`	`*/`
`270`	`270`	`public function getDeleteUrl($token)`
`271`	`271`	`{`
`272`		`- return $this->getUrl('braintree/creditcard/delete', ['token' => $token]);`
	`272`	`+ return $this->getUrl('braintree/creditcard/delete', ['token' => $token, '_secure' => true]);`
`273`	`273`	`}`
`274`	`274`
`275`	`275`	`/**`
`@@ -279,7 +279,7 @@ public function getDeleteUrl($token)`
`279`	`279`	`*/`
`280`	`280`	`public function getAddUrl()`
`281`	`281`	`{`
`282`		`- return $this->getUrl('braintree/creditcard/newcard');`
	`282`	`+ return $this->getUrl('braintree/creditcard/newcard', ['_secure' => true]);`
`283`	`283`	`}`
`284`	`284`
`285`	`285`	`/**`
`@@ -289,7 +289,7 @@ public function getAddUrl()`
`289`	`289`	`*/`
`290`	`290`	`public function getDeleteConfirmUrl()`
`291`	`291`	`{`
`292`		`- return $this->getUrl('braintree/creditcard/deleteconfirm');`
	`292`	`+ return $this->getUrl('braintree/creditcard/deleteconfirm', ['_secure' => true]);`
`293`	`293`	`}`
`294`	`294`
`295`	`295`	`/**`
`@@ -299,7 +299,7 @@ public function getDeleteConfirmUrl()`
`299`	`299`	`*/`
`300`	`300`	`public function getAjaxSaveUrl()`
`301`	`301`	`{`
`302`		`- return $this->getUrl('braintree/creditcard/ajaxsave');`
	`302`	`+ return $this->getUrl('braintree/creditcard/ajaxsave', ['_secure' => true]);`
`303`	`303`	`}`
`304`	`304`
`305`	`305`	`/**`
`@@ -309,7 +309,7 @@ public function getAjaxSaveUrl()`
`309`	`309`	`*/`
`310`	`310`	`public function getFormAction()`
`311`	`311`	`{`
`312`		`- return $this->getUrl('braintree/creditcard/save');`
	`312`	`+ return $this->getUrl('braintree/creditcard/save', ['_secure' => true]);`
`313`	`313`	`}`
`314`	`314`
`315`	`315`	`/**`
`@@ -319,7 +319,7 @@ public function getFormAction()`
`319`	`319`	`*/`
`320`	`320`	`public function getBackUrl()`
`321`	`321`	`{`
`322`		`- return $this->getUrl('braintree/creditcard/index');`
	`322`	`+ return $this->getUrl('braintree/creditcard/index', ['_secure' => true]);`
`323`	`323`	`}`
`324`	`324`
`325`	`325`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -125,7 +125,7 @@ public function getAmount()`
`125`	`125`	`*/`
`126`	`126`	`public function getReviewPageUrl()`
`127`	`127`	`{`
`128`		`- return $this->_urlBuilder->getUrl('braintree/paypal/review');`
	`128`	`+ return $this->_urlBuilder->getUrl('braintree/paypal/review', ['_secure' => true]);`
`129`	`129`	`}`
`130`	`130`
`131`	`131`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -38,11 +38,11 @@ public function execute()`
`38`	`38`	`if ($isAjax) {`
`39`	`39`	`$this->getResponse()->setBody(`
`40`	`40`	`'<script>window.location.href = '`
`41`		`- . $this->_url->getUrl('//review')`
	`41`	`+ . $this->_url->getUrl('//review', ['_secure' => true])`
`42`	`42`	`. ';</script>'`
`43`	`43`	`);`
`44`	`44`	`} else {`
`45`		`- $this->_redirect('//review');`
	`45`	`+ $this->_redirect('//review', ['_secure' => true]);`
`46`	`46`	`}`
`47`	`47`	`}`
`48`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,7 @@ public function show3dSecure()`
`134`	`134`	`*/`
`135`	`135`	`public function getAjaxGenerateNonceUrl()`
`136`	`136`	`{`
`137`		`- return $this->urlBuilder->getUrl('braintree/creditcard/generate');`
	`137`	`+ return $this->urlBuilder->getUrl('braintree/creditcard/generate', ['_secure' => true]);`
`138`	`138`	`}`
`139`	`139`
`140`	`140`	`/**`