Merge remote-tracking branch 'remotes/mainline_ce/develop' into MAGETWO-37070-2

Author: Pechenushko

app/code/Magento/Catalog/Model/Observer.php

@@ -149,27 +149,10 @@ protected function _addCategoriesToMenu($categories, $parentCategoryNode, $block
             if (!$category->getIsActive()) {
                 continue;
             }
-
-            $nodeId = 'category-node-' . $category->getId();
-
             $block->addIdentity(\Magento\Catalog\Model\Category::CACHE_TAG . '_' . $category->getId());
 
             $tree = $parentCategoryNode->getTree();
-
-            $isActiveCategory = false;
-            /** @var \Magento\Catalog\Model\Category $currentCategory */
-            $currentCategory = $this->_registry->registry('current_category');
-            if ($currentCategory && $currentCategory->getId() == $category->getId()) {
-                $isActiveCategory = true;
-            }
-
-            $categoryData = [
-                'name' => $category->getName(),
-                'id' => $nodeId,
-                'url' => $this->_catalogCategory->getCategoryUrl($category),
-                'has_active' => $this->hasActive($category),
-                'is_active' => $isActiveCategory
-            ];
+            $categoryData = $this->getMenuCategoryData($category);
             $categoryNode = new \Magento\Framework\Data\Tree\Node($categoryData, 'id', $tree, $parentCategoryNode);
             $parentCategoryNode->addChild($categoryNode);
 
@@ -183,6 +166,34 @@ protected function _addCategoriesToMenu($categories, $parentCategoryNode, $block
         }
     }
 
+    /**
+     * Get category data to be added to the Menu
+     *
+     * @param \Magento\Framework\Data\Tree\Node $category
+     * @return array
+     */
+    public function getMenuCategoryData($category)
+    {
+        $nodeId = 'category-node-' . $category->getId();
+
+        $isActiveCategory = false;
+        /** @var \Magento\Catalog\Model\Category $currentCategory */
+        $currentCategory = $this->_registry->registry('current_category');
+        if ($currentCategory && $currentCategory->getId() == $category->getId()) {
+            $isActiveCategory = true;
+        }
+
+        $categoryData = [
+            'name' => $category->getName(),
+            'id' => $nodeId,
+            'url' => $this->_catalogCategory->getCategoryUrl($category),
+            'has_active' => $this->hasActive($category),
+            'is_active' => $isActiveCategory,
+        ];
+
+        return $categoryData;
+    }
+
     /**
      * Checks whether category belongs to active category's path
      *

app/code/Magento/Catalog/Test/Unit/Model/ObserverTest.php

@@ -18,27 +18,27 @@ class ObserverTest extends \PHPUnit_Framework_TestCase
     protected $_observer;
 
     /**
-     * @var \Magento\Catalog\Helper\Category
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Catalog\Helper\Category
      */
     protected $_catalogCategory;
 
     /**
-     * @var \Magento\Catalog\Model\Category
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Catalog\Model\Category
      */
     protected $_category;
 
     /**
-     * @var \Magento\Catalog\Model\Category
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Catalog\Model\Category
      */
     protected $_childrenCategory;
 
     /**
-     * @var \Magento\Catalog\Model\Indexer\Category\Flat\State
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Catalog\Model\Indexer\Category\Flat\State
      */
     protected $_categoryFlatState;
 
     /**
-     * @var \Magento\Store\Model\StoreManagerInterface
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Store\Model\StoreManagerInterface
      */
     protected $_storeManager;
 
@@ -64,11 +64,13 @@ public function setUp()
             ->disableOriginalConstructor()
             ->getMock();
 
+        $layerResolver = $this->_getCleanMock('Magento\Catalog\Model\Layer\Resolver');
+        $layerResolver->expects($this->once())->method('get')->willReturn(null);
         $this->_observer = (new ObjectManager($this))->getObject('Magento\Catalog\Model\Observer', [
             'categoryResource' => $this->_getCleanMock('\Magento\Catalog\Model\Resource\Category'),
             'catalogProduct' => $this->_getCleanMock('\Magento\Catalog\Model\Resource\Product'),
             'storeManager' => $this->_storeManager,
-            'catalogLayer' => $this->_getCleanMock('\Magento\Catalog\Model\Layer\Category'),
+            'layerResolver' => $layerResolver,
             'indexIndexer' => $this->_getCleanMock('\Magento\Index\Model\Indexer'),
             'catalogCategory' => $this->_catalogCategory,
             'catalogData' => $this->_getCleanMock('\Magento\Catalog\Helper\Data'),
@@ -176,4 +178,23 @@ public function testAddCatalogToTopMenuItemsWithFlat()
 
         $this->_observer->addCatalogToTopmenuItems($observer);
     }
+
+    public function testGetMenuCategoryData()
+    {
+        $category = $this->getMock('Magento\Catalog\Model\Category', ['getId', 'getName'], [], '', false);
+        $category->expects($this->once())->method('getId')->willReturn('id');
+        $category->expects($this->once())->method('getName')->willReturn('name');
+        $this->_catalogCategory->expects($this->once())->method('getCategoryUrl')->willReturn('url');
+
+        $this->assertEquals(
+            [
+                'name' => 'name',
+                'id' => 'category-node-id',
+                'url' => 'url',
+                'is_active' => false,
+                'has_active' => false,
+            ],
+            $this->_observer->getMenuCategoryData($category)
+        );
+    }
 }

app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/attribute/options.phtml

@@ -58,7 +58,7 @@
             <td id="delete_button_container_<%- data.id %>" class="col-delete">
                 <input type="hidden" class="delete-flag" name="option[delete][<%- data.id %>]" value="" />
                 <?php if (!$block->getReadOnly() && !$block->canManageOptionDefaultOnly()):?>
-                    <button title="<?php echo __('Delete') ?>" type="button"
+                    <button id="delete_button_<%- data.id %>" title="<?php echo __('Delete') ?>" type="button"
                         class="action- scalable delete delete-option"
                         >
                         <span><?php echo __('Delete') ?></span>
@@ -100,7 +100,6 @@ require([
             if (isNewOption && !this.isReadOnly) {
                 this.enableNewOptionDeleteButton(data.id);
             }
-            this.bindRemoveButtons();
             this.itemCount++;
             this.totalItems++;
             this.updateItemsCountField();
@@ -139,22 +138,16 @@ require([
                 button.removeClassName('disabled');
             });
         },
-        bindRemoveButtons: function() {
-            var buttons = $$('.delete-option');
-            for (var i = 0; i < buttons.length; i++) {
-                if (!$(buttons[i]).binded) {
-                    $(buttons[i]).binded = true;
-                    Event.observe(buttons[i], 'click', this.remove.bind(this));
-                }
-            }
-        }
     };
 
-    attributeOption.bindRemoveButtons();
-
     if ($('add_new_option_button')) {
         Event.observe('add_new_option_button', 'click', attributeOption.add.bind(attributeOption));
     }
+    
+    $('manage-options-panel').on('click', '.delete-option', function(event, element) {
+        attributeOption.remove(event);
+    });
+
     <?php foreach ($block->getOptionValues() as $_value): ?>
     attributeOption.add(<?php echo $_value->toJson() ?>);
     <?php endforeach; ?>

app/code/Magento/Catalog/view/adminhtml/web/catalog/category/form.js

@@ -57,7 +57,7 @@ define([
                 if (response.error) {
                     alert(response.message);
                 } else {
-                    if (this.element.find(this.options.categoryIdSelector).prop('value') === response.id) {
+                    if (this.element.find(this.options.categoryIdSelector).prop('value') == response.id) {
                         this.element.find(this.options.categoryPathSelector)
                             .prop('value', response.path);
                     }

app/code/Magento/OfflinePayments/etc/adminhtml/system.xml

@@ -166,7 +166,7 @@
                     <label>Automatically Invoice All Items</label>
                     <source_model>Magento\Payment\Model\Source\Invoice</source_model>
                     <depends>
-                        <field id="order_status" separator=",">processing,processed_ogone</field>
+                        <field id="order_status" separator=",">processing</field>
                     </depends>
                 </field>
                 <field id="sort_order" translate="label" type="text" sortOrder="100" showInDefault="1" showInWebsite="1" showInStore="0">

app/code/Magento/Payment/view/frontend/templates/transparent/iframe.phtml

@@ -13,9 +13,9 @@ $params = $block->getParams();
     <head>
         <script>
         <?php if (isset($params['redirect'])): ?>
-            window.location="<?php echo $block->escapeUrl($params['redirect']) ?>";
+            window.location="<?php echo $block->escapeXssInUrl($params['redirect']) ?>";
         <?php elseif (isset($params['redirect_parent'])): ?>
-            window.top.location="<?php echo $block->escapeUrl($params['redirect_parent']) ?>";
+            window.top.location="<?php echo $block->escapeXssInUrl($params['redirect_parent']) ?>";
         <?php elseif (isset($params['error_msg'])): ?>
             window.top.alert(<?php echo $this->helper('Magento\Framework\Json\Helper\Data')->jsonEncode($params['error_msg']) ?>);
         <?php elseif (isset($params['order_success'])): ?>

dev/tests/integration/testsuite/Magento/Payment/Block/Transparent/IframeTest.php

@@ -5,16 +5,19 @@
  */
 namespace Magento\Payment\Block\Transparent;
 
+/**
+ * Class IframeTest
+ * @package Magento\Payment\Block\Transparent
+ */
 class IframeTest extends \PHPUnit_Framework_TestCase
 {
     /**
      * @magentoAppIsolation enabled
      * @magentoAppArea frontend
+     * @dataProvider xssDataProvider
      */
-    public function testToHtml()
+    public function testToHtml($xssString)
     {
-        $xssString = '</script><script>alert("XSS")</script>';
-
         /** @var $block Iframe */
         $block = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->get(
             'Magento\Framework\View\LayoutInterface'
@@ -34,7 +37,20 @@ public function testToHtml()
 
         $content = $block->toHtml();
 
-        $this->assertNotContains($xssString, $content, 'Params mast be escaped');
-        $this->assertContains(htmlspecialchars($xssString), $content, 'Content must present');
+        $this->assertNotContains($xssString, $content, 'Params must be escaped');
+        $this->assertContains($block->escapeXssInUrl($xssString), $content, 'Content must be present');
+    }
+
+    /**
+     * @return array
+     */
+    public function xssDataProvider()
+    {
+        return [
+            ['</script><script>alert("XSS")</script>'],
+            ['javascript%3Aalert%28String.fromCharCode%280x78%29%2BString.fromCharCode%280x73%29%2BString.'
+                . 'fromCharCode%280x73%29%29'],
+            ['javascript:alert(String.fromCharCode(0x78)+String.fromCharCode(0x73)+String.fromCharCode(0x73))']
+        ];
     }
 }

dev/tools/Magento/Tools/Migration/factory_table_names/replace_ce.php

@@ -230,7 +230,6 @@
     'oauth/consumer' => 'oauth_consumer',
     'oauth/nonce' => 'oauth_nonce',
     'oauth/token' => 'oauth_token',
-    'ogone/api_debug' => 'ogone_api_debug',
     'oscommerce/catalog_category' => 'catalog_category_entity',
     'oscommerce/catalog_product_website' => 'catalog_product_website',
     'oscommerce/oscommerce' => 'oscommerce_import',

lib/internal/Magento/Framework/Escaper.php

@@ -70,6 +70,24 @@ public function escapeJsQuote($data, $quote = '\'')
         return $result;
     }
 
+    /**
+     * Escape xss in urls
+     *
+     * @param string $data
+     * @return string
+     */
+    public function escapeXssInUrl($data)
+    {
+        $result = $data;
+        $urlQuery = parse_url($data, PHP_URL_QUERY);
+        if ($urlQuery !== null && strpos($urlQuery, 'javascript') !== false) {
+            $result = str_replace($urlQuery, '', $data);
+        } elseif (parse_url($data, PHP_URL_HOST) === null) {
+            $result = str_replace('javascript', '', $data);
+        }
+        return htmlspecialchars($result, ENT_COMPAT, 'UTF-8', false);
+    }
+
     /**
      * Escape quotes inside html attributes
      * Use $addSlashes = false for escaping js that inside html attribute (onClick, onSubmit etc)

lib/internal/Magento/Framework/Test/Unit/EscaperTest.php

@@ -92,4 +92,16 @@ public function testEscapeQuote()
         $this->assertEquals($expected[0], $this->_escaper->escapeQuote($data));
         $this->assertEquals($expected[1], $this->_escaper->escapeQuote($data, true));
     }
+
+    /**
+     * @covers \Magento\Framework\Escaper::escapeXssInUrl
+     */
+    public function testEscapeXssInUrl()
+    {
+        $data = 'javascript%3Aalert%28String.fromCharCode%280x78%29%2BString.'
+            . 'fromCharCode%280x73%29%2BString.fromCharCode%280x73%29%29';
+        $expected = '%3Aalert%28String.fromCharCode%280x78%29%2BString.'
+            . 'fromCharCode%280x73%29%2BString.fromCharCode%280x73%29%29';
+        $this->assertEquals($expected, $this->_escaper->escapeXssInUrl($data));
+    }
 }