MAGETWO-45688: Reflected XSS in Cookie HTTP header

Alexander Paliarush · Alexander Paliarush · commit 2f78c408aa69 · 2016-01-15T14:22:56.000+02:00
- Eliminated direct dependency on Zend\Escaper\Escaper, which caused functional tests failures
diff --git a/lib/internal/Magento/Framework/Data/Form/FormKey.php b/lib/internal/Magento/Framework/Data/Form/FormKey.php
@@ -23,19 +23,19 @@ class FormKey
     protected $session;
 
     /**
-     * @var \Zend\Escaper\Escaper
+     * @var \Magento\Framework\Escaper
      */
     protected $escaper;
 
     /**
      * @param \Magento\Framework\Math\Random $mathRandom
      * @param \Magento\Framework\Session\SessionManagerInterface $session
-     * @param \Zend\Escaper\Escaper $escaper
+     * @param \Magento\Framework\Escaper $escaper
      */
     public function __construct(
         \Magento\Framework\Math\Random $mathRandom,
         \Magento\Framework\Session\SessionManagerInterface $session,
-        \Zend\Escaper\Escaper $escaper
+        \Magento\Framework\Escaper $escaper
     ) {
         $this->mathRandom = $mathRandom;
         $this->session = $session;
@@ -52,7 +52,7 @@ public function getFormKey()
         if (!$this->isPresent()) {
             $this->set($this->mathRandom->getRandomString(16));
         }
-        return $this->escaper->escapeHtmlAttr($this->session->getData(self::FORM_KEY));
+        return $this->escaper->escapeHtml($this->session->getData(self::FORM_KEY));
     }
 
     /**
diff --git a/lib/internal/Magento/Framework/Data/Test/Unit/Form/FormKeyTest.php b/lib/internal/Magento/Framework/Data/Test/Unit/Form/FormKeyTest.php
@@ -37,8 +37,8 @@ protected function setUp()
         $this->mathRandomMock = $this->getMock('Magento\Framework\Math\Random', [], [], '', false);
         $methods = ['setData', 'getData'];
         $this->sessionMock = $this->getMock('Magento\Framework\Session\SessionManager', $methods, [], '', false);
-        $this->escaperMock = $this->getMock('Zend\Escaper\Escaper', ['escapeHtmlAttr'], [], '', false);
-        $this->escaperMock->expects($this->any())->method('escapeHtmlAttr')->willReturnArgument(0);
+        $this->escaperMock = $this->getMock('Magento\Framework\Escaper', [], [], '', false);
+        $this->escaperMock->expects($this->any())->method('escapeHtml')->willReturnArgument(0);
         $this->formKey = new FormKey(
             $this->mathRandomMock,
             $this->sessionMock,
