magento
diff --git a/‎app/code/Magento/Backend/Block/Widget/Grid.php
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Backend/Block/Widget/Grid.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/AbstractFilter.php
Lines changed: 3 additions & 3 deletions b/‎app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/AbstractFilter.php
Lines changed: 3 additions & 3 deletions
diff --git a/‎app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/TextTest.php
Lines changed: 68 additions & 0 deletions b/‎app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/TextTest.php
Lines changed: 68 additions & 0 deletions
diff --git a/‎app/code/Magento/Backend/view/adminhtml/templates/widget/grid.phtml
Lines changed: 10 additions & 10 deletions b/‎app/code/Magento/Backend/view/adminhtml/templates/widget/grid.phtml
Lines changed: 10 additions & 10 deletions
diff --git a/‎app/code/Magento/Backend/view/adminhtml/templates/widget/grid/extended.phtml
Lines changed: 11 additions & 11 deletions b/‎app/code/Magento/Backend/view/adminhtml/templates/widget/grid/extended.phtml
Lines changed: 11 additions & 11 deletions
diff --git a/‎app/code/Magento/Bundle/Controller/Adminhtml/Bundle/Selection/Grid.php
Lines changed: 6 additions & 3 deletions b/‎app/code/Magento/Bundle/Controller/Adminhtml/Bundle/Selection/Grid.php
Lines changed: 6 additions & 3 deletions
diff --git a/‎app/code/Magento/Bundle/Test/Unit/Controller/Adminhtml/Bundle/Selection/GridTest.php
Lines changed: 11 additions & 0 deletions b/‎app/code/Magento/Bundle/Test/Unit/Controller/Adminhtml/Bundle/Selection/GridTest.php
Lines changed: 11 additions & 0 deletions
@@ -760,7 +760,7 @@ public function setSaveParametersInSession($flag)
      */
     public function getJsObjectName()
     {
-        return $this->getId() . 'JsObject';
+        return preg_replace("~[^a-z0-9_]*~i", '', $this->getId()) . 'JsObject';
     }
 
     /**
 
@@ -67,7 +67,7 @@ public function getColumn()
      */
     protected function _getHtmlName()
     {
-        return $this->getColumn()->getId();
+        return $this->escapeHtml($this->getColumn()->getId());
     }
 
     /**
@@ -77,7 +77,7 @@ protected function _getHtmlName()
      */
     protected function _getHtmlId()
     {
-        return $this->getColumn()->getHtmlId();
+        return $this->escapeHtml($this->getColumn()->getHtmlId());
     }
 
     /**
@@ -88,7 +88,7 @@ protected function _getHtmlId()
      */
     public function getEscapedValue($index = null)
     {
-        return htmlspecialchars((string)$this->getValue($index));
+        return $this->escapeHtml((string)$this->getValue($index));
     }
 
     /**
 
@@ -0,0 +1,68 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Backend\Test\Unit\Block\Widget\Grid\Column\Filter;
+
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+
+class TextTest extends \PHPUnit_Framework_TestCase
+{
+    /** @var \Magento\Backend\Block\Widget\Grid\Column\Filter\Text*/
+    protected $block;
+
+    /** @var ObjectManagerHelper */
+    protected $objectManagerHelper;
+
+    /** @var \Magento\Backend\Block\Context|\PHPUnit_Framework_MockObject_MockObject */
+    protected $context;
+
+    /** @var \Magento\Framework\DB\Helper|\PHPUnit_Framework_MockObject_MockObject */
+    protected $helper;
+
+    /** @var \Magento\Framework\Escaper|\PHPUnit_Framework_MockObject_MockObject */
+    protected $escaper;
+
+    protected function setUp()
+    {
+        $this->context = $this->getMockBuilder('Magento\Backend\Block\Context')
+            ->setMethods(['getEscaper'])
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->escaper = $this->getMock('Magento\Framework\Escaper', ['escapeHtml'], [], '', false);
+        $this->helper = $this->getMock('Magento\Framework\DB\Helper', [], [], '', false);
+
+        $this->context->expects($this->once())->method('getEscaper')->willReturn($this->escaper);
+
+        $this->objectManagerHelper = new ObjectManagerHelper($this);
+        $this->block = $this->objectManagerHelper->getObject(
+            'Magento\Backend\Block\Widget\Grid\Column\Filter\Text',
+            [
+                'context' => $this->context,
+                'resourceHelper' => $this->helper
+            ]
+        );
+    }
+
+    public function testGetHtml()
+    {
+        $resultHtml = '<input type="text" name="escapedHtml" ' .
+            'id="escapedHtml" value="escapedHtml" ' .
+            'class="input-text admin__control-text no-changes" data-ui-id="filter-escapedhtml"  />';
+
+        $column = $this->getMockBuilder('Magento\Backend\Block\Widget\Grid\Column')
+            ->setMethods(['getId', 'getHtmlId'])
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->block->setColumn($column);
+
+        $this->escaper->expects($this->any())->method('escapeHtml')->willReturn('escapedHtml');
+        $column->expects($this->any())->method('getId')->willReturn('id');
+        $column->expects($this->once())->method('getHtmlId')->willReturn('htmlId');
+
+        $this->assertEquals($resultHtml, $this->block->getHtml());
+    }
+}
@@ -24,7 +24,7 @@ $numColumns = sizeof($block->getColumns());
 <?php if ($block->getCollection()): ?>
 
 <?php if ($block->canDisplayContainer()): ?>
-<div id="<?php /* @escapeNotVerified */ echo $block->getId() ?>" data-grid-id="<?php /* @escapeNotVerified */ echo $block->getId() ?>">
+<div id="<?php echo $block->escapeHtml($block->getId()) ?>" data-grid-id="<?php echo $block->escapeHtml($block->getId()) ?>">
 <?php else: ?>
 <?php echo $block->getLayout()->getMessagesBlock()->getGroupedHtml() ?>
 <?php endif; ?>
@@ -50,17 +50,17 @@ $numColumns = sizeof($block->getColumns());
                 <?php endif; ?>
                     <?php $countRecords = $block->getCollection()->getSize(); ?>
                     <div class="admin__control-support-text">
-                        <span id="<?php echo $block->getHtmlId() ?>-total-count" <?php /* @escapeNotVerified */ echo $block->getUiId('total-count') ?>>
+                        <span id="<?php echo $block->escapeHtml($block->getHtmlId()) ?>-total-count" <?php /* @escapeNotVerified */ echo $block->getUiId('total-count') ?>>
                             <?php /* @escapeNotVerified */ echo $countRecords ?>
                         </span>
                         <?php /* @escapeNotVerified */ echo __('records found') ?>
-                        <span id="<?php echo $block->getHtmlId() ?>_massaction-count"
+                        <span id="<?php echo $block->escapeHtml($block->getHtmlId()) ?>_massaction-count"
                               class="mass-select-info _empty"><strong data-role="counter">0</strong> <span><?php /* @escapeNotVerified */ echo __('selected') ?></span></span>
                     </div>
                 <?php if ($block->getPagerVisibility()): ?>
                     <div class="admin__data-grid-pager-wrap">
                         <select name="<?php /* @escapeNotVerified */ echo $block->getVarNameLimit() ?>"
-                                id="<?php echo $block->getHtmlId()?>_page-limit"
+                                id="<?php echo $block->escapeHtml($block->getHtmlId())?>_page-limit"
                                 onchange="<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.loadByElement(this)" <?php /* @escapeNotVerified */ echo $block->getUiId('per-page') ?>
                                 class="admin__control-select">
                             <option value="20"<?php if ($block->getCollection()->getPageSize() == 20): ?>
@@ -79,7 +79,7 @@ $numColumns = sizeof($block->getColumns());
                                 selected="selected"<?php endif; ?>>200
                             </option>
                         </select>
-                        <label for="<?php echo $block->getHtmlId()?>_page-limit"
+                        <label for="<?php echo $block->escapeHtml($block->getHtmlId())?>_page-limit"
                             class="admin__control-support-text"><?php /* @escapeNotVerified */ echo __('per page') ?></label>
                         <div class="admin__data-grid-pager">
                             <?php $_curPage = $block->getCollection()->getCurPage() ?>
@@ -96,13 +96,13 @@ $numColumns = sizeof($block->getColumns());
                             <?php endif; ?>
 
                             <input type="text"
-                                   id="<?php echo $block->getHtmlId()?>_page-current"
+                                   id="<?php echo $block->escapeHtml($block->getHtmlId())?>_page-current"
                                    name="<?php /* @escapeNotVerified */ echo $block->getVarNamePage() ?>"
                                    value="<?php /* @escapeNotVerified */ echo $_curPage ?>"
                                    class="admin__control-text"
                                    onkeypress="<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.inputPage(event, '<?php /* @escapeNotVerified */ echo $_lastPage ?>')" <?php /* @escapeNotVerified */ echo $block->getUiId('current-page') ?> />
 
-                            <label class="admin__control-support-text" for="<?php echo $block->getHtmlId()
+                            <label class="admin__control-support-text" for="<?php echo $block->escapeHtml($block->getHtmlId())
                             ?>_page-current">
                                 <?php /* @escapeNotVerified */ echo __('of %1', '<span>' . $block->getCollection()->getLastPageNumber() . '</span>') ?>
                             </label>
@@ -122,13 +122,13 @@ $numColumns = sizeof($block->getColumns());
         </div>
         <div class="admin__data-grid-wrap admin__data-grid-wrap-static">
         <?php if ($block->getGridCssClass()): ?>
-            <table class="<?php /* @escapeNotVerified */ echo $block->getGridCssClass() ?> data-grid" id="<?php /* @escapeNotVerified */ echo $block->getId() ?>_table">
+            <table class="<?php /* @escapeNotVerified */ echo $block->getGridCssClass() ?> data-grid" id="<?php echo $block->escapeHtml($block->getId()) ?>_table">
                 <!-- Rendering column set -->
                 <?php echo $block->getChildHtml('grid.columnSet'); ?>
             </table>
         <?php else: ?>
 
-            <table class="data-grid" id="<?php /* @escapeNotVerified */ echo $block->getId() ?>_table">
+            <table class="data-grid" id="<?php echo $block->escapeHtml($block->getId()) ?>_table">
                 <!-- Rendering column set -->
                 <?php echo $block->getChildHtml('grid.columnSet'); ?>
             </table>
@@ -161,7 +161,7 @@ $numColumns = sizeof($block->getColumns());
             registry.get('<?php /* @escapeNotVerified */ echo $block->getDependencyJsObject() ?>', function (<?php /* @escapeNotVerified */ echo $block->getDependencyJsObject() ?>) {
         <?php endif; ?>
 
-        <?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?> = new varienGrid('<?php /* @escapeNotVerified */ echo $block->getId() ?>', '<?php /* @escapeNotVerified */ echo $block->getGridUrl() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNamePage() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameSort() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameDir() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameFilter() ?>');
+        <?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?> = new varienGrid('<?php echo $block->escapeHtml($block->getId()) ?>', '<?php /* @escapeNotVerified */ echo $block->getGridUrl() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNamePage() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameSort() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameDir() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameFilter() ?>');
         <?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.useAjax = <?php /* @escapeNotVerified */ echo $block->getUseAjax() ? 'true' : 'false' ?>;
         <?php if ($block->getRowClickCallback()): ?>
         <?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.rowClickCallback = <?php /* @escapeNotVerified */ echo $block->getRowClickCallback() ?>;
 
@@ -26,7 +26,7 @@ $numColumns = sizeof($block->getColumns());
 <?php if ($block->getCollection()): ?>
     <?php if ($block->canDisplayContainer()): ?>
 
-    <div id="<?php /* @escapeNotVerified */ echo $block->getId() ?>" data-grid-id="<?php /* @escapeNotVerified */ echo $block->getId() ?>">
+    <div id="<?php echo $block->escapeHtml($block->getId()) ?>" data-grid-id="<?php echo $block->escapeHtml($block->getId()) ?>">
     <?php else: ?>
         <?php echo $block->getLayout()->getMessagesBlock()->getGroupedHtml() ?>
     <?php endif; ?>
@@ -41,8 +41,8 @@ $numColumns = sizeof($block->getColumns());
                 <div class="admin__data-grid-export">
                     <label
                         class="admin__control-support-text"
-                        for="<?php /* @escapeNotVerified */ echo $block->getId() ?>_export"><?php /* @escapeNotVerified */ echo __('Export to:') ?></label>
-                    <select name="<?php /* @escapeNotVerified */ echo $block->getId() ?>_export" id="<?php /* @escapeNotVerified */ echo $block->getId() ?>_export"
+                        for="<?php echo $block->escapeHtml($block->getId()) ?>_export"><?php /* @escapeNotVerified */ echo __('Export to:') ?></label>
+                    <select name="<?php echo $block->escapeHtml($block->getId()) ?>_export" id="<?php echo $block->escapeHtml($block->getId()) ?>_export"
                             class="admin__control-select">
                         <?php foreach ($block->getExportTypes() as $_type): ?>
                             <option value="<?php /* @escapeNotVerified */ echo $_type->getUrl() ?>"><?php /* @escapeNotVerified */ echo $_type->getLabel() ?></option>
@@ -61,18 +61,18 @@ $numColumns = sizeof($block->getColumns());
                 <?php endif; ?>
                 <?php $countRecords = $block->getCollection()->getSize(); ?>
                 <div class="admin__control-support-text">
-                        <span id="<?php echo $block->getHtmlId() ?>-total-count" <?php /* @escapeNotVerified */ echo $block->getUiId('total-count') ?>>
+                        <span id="<?php echo $block->escapeHtml($block->getHtmlId()) ?>-total-count" <?php /* @escapeNotVerified */ echo $block->getUiId('total-count') ?>>
                             <?php /* @escapeNotVerified */ echo $countRecords ?>
                         </span>
                     <?php /* @escapeNotVerified */ echo __('records found') ?>
-                    <span id="<?php echo $block->getHtmlId() ?>_massaction-count"
+                    <span id="<?php echo $block->escapeHtml($block->getHtmlId()) ?>_massaction-count"
                           class="mass-select-info _empty"><strong data-role="counter">0</strong> <span><?php /* @escapeNotVerified */ echo __('selected') ?></span></span>
                 </div>
 
             <?php if ($block->getPagerVisibility()): ?>
                 <div class="admin__data-grid-pager-wrap">
                     <select name="<?php /* @escapeNotVerified */ echo $block->getVarNameLimit() ?>"
-                            id="<?php echo $block->getHtmlId()?>_page-limit"
+                            id="<?php echo $block->escapeHTML($block->getHtmlId())?>_page-limit"
                             onchange="<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.loadByElement(this)"
                             class="admin__control-select">
                         <option value="20"<?php if ($block->getCollection()->getPageSize() == 20): ?>
@@ -91,7 +91,7 @@ $numColumns = sizeof($block->getColumns());
                             selected="selected"<?php endif; ?>>200
                         </option>
                     </select>
-                    <label for="<?php echo $block->getHtmlId()?><?php echo $block->getHtmlId()?>_page-limit"
+                    <label for="<?php echo $block->escapeHTML($block->getHtmlId())?><?php echo $block->escapeHTML($block->getHtmlId())?>_page-limit"
                         class="admin__control-support-text"><?php /* @escapeNotVerified */ echo __('per page') ?></label>
 
                     <div class="admin__data-grid-pager">
@@ -107,12 +107,12 @@ $numColumns = sizeof($block->getColumns());
                             <button type="button" class="action-previous disabled"><span><?php /* @escapeNotVerified */ echo __('Previous page') ?></span></button>
                         <?php endif; ?>
                         <input type="text"
-                               id="<?php echo $block->getHtmlId()?>_page-current"
+                               id="<?php echo $block->escapeHTML($block->getHtmlId())?>_page-current"
                                name="<?php /* @escapeNotVerified */ echo $block->getVarNamePage() ?>"
                                value="<?php /* @escapeNotVerified */ echo $_curPage ?>"
                                class="admin__control-text"
                                onkeypress="<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.inputPage(event, '<?php /* @escapeNotVerified */ echo $_lastPage ?>')" <?php /* @escapeNotVerified */ echo $block->getUiId('current-page') ?> />
-                        <label class="admin__control-support-text" for="<?php echo $block->getHtmlId()?>_page-current">
+                        <label class="admin__control-support-text" for="<?php echo $block->escapeHTML($block->getHtmlId())?>_page-current">
                             <?php /* @escapeNotVerified */ echo __('of %1', '<span>' . $block->getCollection()->getLastPageNumber() . '</span>') ?>
                         </label>
                         <?php if ($_curPage < $_lastPage): ?>
@@ -133,7 +133,7 @@ $numColumns = sizeof($block->getColumns());
     <?php endif; ?>
 
     <div class="admin__data-grid-wrap admin__data-grid-wrap-static">
-        <table class="data-grid" id="<?php /* @escapeNotVerified */ echo $block->getId() ?>_table">
+        <table class="data-grid" id="<?php echo $block->escapeHtml($block->getId()) ?>_table">
             <?php
             /* This part is commented to remove all <col> tags from the code. */
             /* foreach ($block->getColumns() as $_column): ?>
@@ -263,7 +263,7 @@ $numColumns = sizeof($block->getColumns());
         registry.get('<?php /* @escapeNotVerified */ echo $block->getDependencyJsObject() ?>', function (<?php /* @escapeNotVerified */ echo $block->getDependencyJsObject() ?>) {
     <?php endif; ?>
 
-    <?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?> = new varienGrid('<?php /* @escapeNotVerified */ echo $block->getId() ?>', '<?php /* @escapeNotVerified */ echo $block->getGridUrl() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNamePage() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameSort() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameDir() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameFilter() ?>');
+    <?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?> = new varienGrid(<?php /* @noEscape */ echo $this->helper('Magento\Framework\Json\Helper\Data')->jsonEncode($block->getId()) ?>, '<?php /* @escapeNotVerified */ echo $block->getGridUrl() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNamePage() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameSort() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameDir() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameFilter() ?>');
     <?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.useAjax = '<?php /* @escapeNotVerified */ echo $block->getUseAjax() ?>';
     <?php if ($block->getRowClickCallback()): ?>
     <?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.rowClickCallback = <?php /* @escapeNotVerified */ echo $block->getRowClickCallback() ?>;
 
@@ -13,13 +13,16 @@ class Grid extends \Magento\Backend\App\Action
      */
     public function execute()
     {
+        $index = $this->getRequest()->getParam('index');
+        if (!preg_match('/^[a-z0-9_.]*$/i', $index)) {
+            throw new \InvalidArgumentException('Invalid parameter "index"');
+        }
+
         return $this->getResponse()->setBody(
             $this->_view->getLayout()->createBlock(
                 'Magento\Bundle\Block\Adminhtml\Catalog\Product\Edit\Tab\Bundle\Option\Search\Grid',
                 'adminhtml.catalog.product.edit.tab.bundle.option.search.grid'
-            )->setIndex(
-                $this->getRequest()->getParam('index')
-            )->toHtml()
+            )->setIndex($index)->toHtml()
         );
     }
 }
@@ -90,4 +90,15 @@ public function testExecute()
 
         $this->assertEquals($this->response, $this->controller->execute());
     }
+
+    /**
+     * @expectedException \InvalidArgumentException
+     * @expectedExceptionMessage Invalid parameter "index"
+     */
+    public function testExecuteWithException()
+    {
+        $this->request->expects($this->once())->method('getParam')->with('index')->willReturn('<index"');
+
+        $this->controller->execute();
+    }
 }
Original file line number	Diff line number	Diff line change
`@@ -760,7 +760,7 @@ public function setSaveParametersInSession($flag)`
`760`	`760`	`*/`
`761`	`761`	`public function getJsObjectName()`
`762`	`762`	`{`
`763`		`- return $this->getId() . 'JsObject';`
	`763`	`+ return preg_replace("~[^a-z0-9_]*~i", '', $this->getId()) . 'JsObject';`
`764`	`764`	`}`
`765`	`765`
`766`	`766`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ public function getColumn()`
`67`	`67`	`*/`
`68`	`68`	`protected function _getHtmlName()`
`69`	`69`	`{`
`70`		`- return $this->getColumn()->getId();`
	`70`	`+ return $this->escapeHtml($this->getColumn()->getId());`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`/**`
`@@ -77,7 +77,7 @@ protected function _getHtmlName()`
`77`	`77`	`*/`
`78`	`78`	`protected function _getHtmlId()`
`79`	`79`	`{`
`80`		`- return $this->getColumn()->getHtmlId();`
	`80`	`+ return $this->escapeHtml($this->getColumn()->getHtmlId());`
`81`	`81`	`}`
`82`	`82`
`83`	`83`	`/**`
`@@ -88,7 +88,7 @@ protected function _getHtmlId()`
`88`	`88`	`*/`
`89`	`89`	`public function getEscapedValue($index = null)`
`90`	`90`	`{`
`91`		`- return htmlspecialchars((string)$this->getValue($index));`
	`91`	`+ return $this->escapeHtml((string)$this->getValue($index));`
`92`	`92`	`}`
`93`	`93`
`94`	`94`	`/**`