MAGETWO-45594: XSS code still can be saved into database

- Removed html tags
- Added check to returnUrl action

Author: Alexander Makeev

app/code/Magento/Paypal/Controller/Payflow.php

@@ -73,6 +73,8 @@ public function __construct(
      */
     protected function _cancelPayment($errorMsg = '')
     {
+        $errorMsg = trim(strip_tags($errorMsg));
+
         $gotoSection = false;
         $this->_checkoutHelper->cancelCurrentOrder($errorMsg);
         if ($this->_checkoutSession->restoreQuote()) {

app/code/Magento/Paypal/Controller/Payflow/ReturnUrl.php

@@ -7,6 +7,7 @@
 namespace Magento\Paypal\Controller\Payflow;
 
 use Magento\Paypal\Controller\Payflow;
+use Magento\Paypal\Model\Config;
 use Magento\Sales\Model\Order;
 
 class ReturnUrl extends Payflow
@@ -19,6 +20,15 @@ class ReturnUrl extends Payflow
         Order::STATE_COMPLETE,
     ];
 
+    /**
+     * Payment method code
+     * @var string
+     */
+    protected $allowedPaymentMethodCodes = [
+        Config::METHOD_PAYFLOWPRO,
+        Config::METHOD_PAYFLOWLINK
+    ];
+
     /**
      * When a customer return to website from payflow gateway.
      *
@@ -35,16 +45,44 @@ public function execute()
             $order = $this->_orderFactory->create()->loadByIncrementId($this->_checkoutSession->getLastRealOrderId());
 
             if ($order->getIncrementId()) {
-                if (in_array($order->getState(), $this->allowedOrderStates)) {
+                if ($this->checkOrderState($order)) {
                     $redirectBlock->setData('goto_success_page', true);
                 } else {
-                    $gotoSection = $this->_cancelPayment(strval($this->getRequest()->getParam('RESPMSG')));
-                    $redirectBlock->setData('goto_section', $gotoSection);
-                    $redirectBlock->setData('error_msg', __('Your payment has been declined. Please try again.'));
+                    if ($this->checkPaymentMethod($order)) {
+                        $gotoSection = $this->_cancelPayment(strval($this->getRequest()->getParam('RESPMSG')));
+                        $redirectBlock->setData('goto_section', $gotoSection);
+                        $redirectBlock->setData('error_msg', __('Your payment has been declined. Please try again.'));
+                    } else {
+                        $redirectBlock->setData('goto_section', false);
+                        $redirectBlock->setData('error_msg', __('Requested payment method does not match with order.'));
+                    }
                 }
             }
         }
 
         $this->_view->renderLayout();
     }
+
+    /**
+     * Check order state
+     *
+     * @param Order $order
+     * @return bool
+     */
+    protected function checkOrderState(Order $order)
+    {
+        return in_array($order->getState(), $this->allowedOrderStates);
+    }
+
+    /**
+     * Check requested payment method
+     *
+     * @param Order $order
+     * @return bool
+     */
+    protected function checkPaymentMethod(Order $order)
+    {
+        $payment = $order->getPayment();
+        return in_array($payment->getMethod(), $this->allowedPaymentMethodCodes);
+    }
 }

app/code/Magento/Paypal/Controller/Payflowadvanced/ReturnUrl.php

@@ -6,11 +6,21 @@
  */
 namespace Magento\Paypal\Controller\Payflowadvanced;
 
+use Magento\Paypal\Model\Config;
+
 class ReturnUrl extends \Magento\Paypal\Controller\Payflow\ReturnUrl
 {
     /**
      * Redirect block name
      * @var string
      */
     protected $_redirectBlockName = 'payflow.advanced.iframe';
+
+    /**
+     * Payment method code
+     * @var string
+     */
+    protected $allowedPaymentMethodCodes = [
+        Config::METHOD_PAYFLOWADVANCED
+    ];
 }

app/code/Magento/Paypal/i18n/en_US.csv

@@ -693,3 +693,4 @@ unverified,unverified
 Eligible,Eligible
 Ineligible,Inligible
 "PayPal Express Checkout","PayPal Express Checkout"
+"Requested payment method does not match with order.","Requested payment method does not match with order."