Skip to content

Commit 4df90a4

Browse files
author
Kasian,Andrii(akasian)
committed
Merge pull request #615 from magento-dragons/S75
[DRAGONS] S75
2 parents cae6f5f + 0370613 commit 4df90a4

File tree

31 files changed

+388
-137
lines changed

31 files changed

+388
-137
lines changed

app/code/Magento/Backend/Block/Widget/Grid.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -760,7 +760,7 @@ public function setSaveParametersInSession($flag)
760760
*/
761761
public function getJsObjectName()
762762
{
763-
return $this->getId() . 'JsObject';
763+
return preg_replace("~[^a-z0-9_]*~i", '', $this->getId()) . 'JsObject';
764764
}
765765

766766
/**

app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/AbstractFilter.php

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -67,7 +67,7 @@ public function getColumn()
6767
*/
6868
protected function _getHtmlName()
6969
{
70-
return $this->getColumn()->getId();
70+
return $this->escapeHtml($this->getColumn()->getId());
7171
}
7272

7373
/**
@@ -77,7 +77,7 @@ protected function _getHtmlName()
7777
*/
7878
protected function _getHtmlId()
7979
{
80-
return $this->getColumn()->getHtmlId();
80+
return $this->escapeHtml($this->getColumn()->getHtmlId());
8181
}
8282

8383
/**
@@ -88,7 +88,7 @@ protected function _getHtmlId()
8888
*/
8989
public function getEscapedValue($index = null)
9090
{
91-
return htmlspecialchars((string)$this->getValue($index));
91+
return $this->escapeHtml((string)$this->getValue($index));
9292
}
9393

9494
/**

app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/TextTest.php

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
<?php
2+
/**
3+
* Copyright © 2015 Magento. All rights reserved.
4+
* See COPYING.txt for license details.
5+
*/
6+
7+
namespace Magento\Backend\Test\Unit\Block\Widget\Grid\Column\Filter;
8+
9+
use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
10+
11+
class TextTest extends \PHPUnit_Framework_TestCase
12+
{
13+
/** @var \Magento\Backend\Block\Widget\Grid\Column\Filter\Text*/
14+
protected $block;
15+
16+
/** @var ObjectManagerHelper */
17+
protected $objectManagerHelper;
18+
19+
/** @var \Magento\Backend\Block\Context|\PHPUnit_Framework_MockObject_MockObject */
20+
protected $context;
21+
22+
/** @var \Magento\Framework\DB\Helper|\PHPUnit_Framework_MockObject_MockObject */
23+
protected $helper;
24+
25+
/** @var \Magento\Framework\Escaper|\PHPUnit_Framework_MockObject_MockObject */
26+
protected $escaper;
27+
28+
protected function setUp()
29+
{
30+
$this->context = $this->getMockBuilder('Magento\Backend\Block\Context')
31+
->setMethods(['getEscaper'])
32+
->disableOriginalConstructor()
33+
->getMock();
34+
$this->escaper = $this->getMock('Magento\Framework\Escaper', ['escapeHtml'], [], '', false);
35+
$this->helper = $this->getMock('Magento\Framework\DB\Helper', [], [], '', false);
36+
37+
$this->context->expects($this->once())->method('getEscaper')->willReturn($this->escaper);
38+
39+
$this->objectManagerHelper = new ObjectManagerHelper($this);
40+
$this->block = $this->objectManagerHelper->getObject(
41+
'Magento\Backend\Block\Widget\Grid\Column\Filter\Text',
42+
[
43+
'context' => $this->context,
44+
'resourceHelper' => $this->helper
45+
]
46+
);
47+
}
48+
49+
public function testGetHtml()
50+
{
51+
$resultHtml = '<input type="text" name="escapedHtml" ' .
52+
'id="escapedHtml" value="escapedHtml" ' .
53+
'class="input-text admin__control-text no-changes" data-ui-id="filter-escapedhtml" />';
54+
55+
$column = $this->getMockBuilder('Magento\Backend\Block\Widget\Grid\Column')
56+
->setMethods(['getId', 'getHtmlId'])
57+
->disableOriginalConstructor()
58+
->getMock();
59+
60+
$this->block->setColumn($column);
61+
62+
$this->escaper->expects($this->any())->method('escapeHtml')->willReturn('escapedHtml');
63+
$column->expects($this->any())->method('getId')->willReturn('id');
64+
$column->expects($this->once())->method('getHtmlId')->willReturn('htmlId');
65+
66+
$this->assertEquals($resultHtml, $this->block->getHtml());
67+
}
68+
}

app/code/Magento/Backend/view/adminhtml/templates/widget/grid.phtml

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ $numColumns = sizeof($block->getColumns());
2424
<?php if ($block->getCollection()): ?>
2525

2626
<?php if ($block->canDisplayContainer()): ?>
27-
<div id="<?php /* @escapeNotVerified */ echo $block->getId() ?>" data-grid-id="<?php /* @escapeNotVerified */ echo $block->getId() ?>">
27+
<div id="<?php echo $block->escapeHtml($block->getId()) ?>" data-grid-id="<?php echo $block->escapeHtml($block->getId()) ?>">
2828
<?php else: ?>
2929
<?php echo $block->getLayout()->getMessagesBlock()->getGroupedHtml() ?>
3030
<?php endif; ?>
@@ -50,17 +50,17 @@ $numColumns = sizeof($block->getColumns());
5050
<?php endif; ?>
5151
<?php $countRecords = $block->getCollection()->getSize(); ?>
5252
<div class="admin__control-support-text">
53-
<span id="<?php echo $block->getHtmlId() ?>-total-count" <?php /* @escapeNotVerified */ echo $block->getUiId('total-count') ?>>
53+
<span id="<?php echo $block->escapeHtml($block->getHtmlId()) ?>-total-count" <?php /* @escapeNotVerified */ echo $block->getUiId('total-count') ?>>
5454
<?php /* @escapeNotVerified */ echo $countRecords ?>
5555
</span>
5656
<?php /* @escapeNotVerified */ echo __('records found') ?>
57-
<span id="<?php echo $block->getHtmlId() ?>_massaction-count"
57+
<span id="<?php echo $block->escapeHtml($block->getHtmlId()) ?>_massaction-count"
5858
class="mass-select-info _empty"><strong data-role="counter">0</strong> <span><?php /* @escapeNotVerified */ echo __('selected') ?></span></span>
5959
</div>
6060
<?php if ($block->getPagerVisibility()): ?>
6161
<div class="admin__data-grid-pager-wrap">
6262
<select name="<?php /* @escapeNotVerified */ echo $block->getVarNameLimit() ?>"
63-
id="<?php echo $block->getHtmlId()?>_page-limit"
63+
id="<?php echo $block->escapeHtml($block->getHtmlId())?>_page-limit"
6464
onchange="<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.loadByElement(this)" <?php /* @escapeNotVerified */ echo $block->getUiId('per-page') ?>
6565
class="admin__control-select">
6666
<option value="20"<?php if ($block->getCollection()->getPageSize() == 20): ?>
@@ -79,7 +79,7 @@ $numColumns = sizeof($block->getColumns());
7979
selected="selected"<?php endif; ?>>200
8080
</option>
8181
</select>
82-
<label for="<?php echo $block->getHtmlId()?>_page-limit"
82+
<label for="<?php echo $block->escapeHtml($block->getHtmlId())?>_page-limit"
8383
class="admin__control-support-text"><?php /* @escapeNotVerified */ echo __('per page') ?></label>
8484
<div class="admin__data-grid-pager">
8585
<?php $_curPage = $block->getCollection()->getCurPage() ?>
@@ -96,13 +96,13 @@ $numColumns = sizeof($block->getColumns());
9696
<?php endif; ?>
9797

9898
<input type="text"
99-
id="<?php echo $block->getHtmlId()?>_page-current"
99+
id="<?php echo $block->escapeHtml($block->getHtmlId())?>_page-current"
100100
name="<?php /* @escapeNotVerified */ echo $block->getVarNamePage() ?>"
101101
value="<?php /* @escapeNotVerified */ echo $_curPage ?>"
102102
class="admin__control-text"
103103
onkeypress="<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.inputPage(event, '<?php /* @escapeNotVerified */ echo $_lastPage ?>')" <?php /* @escapeNotVerified */ echo $block->getUiId('current-page') ?> />
104104

105-
<label class="admin__control-support-text" for="<?php echo $block->getHtmlId()
105+
<label class="admin__control-support-text" for="<?php echo $block->escapeHtml($block->getHtmlId())
106106
?>_page-current">
107107
<?php /* @escapeNotVerified */ echo __('of %1', '<span>' . $block->getCollection()->getLastPageNumber() . '</span>') ?>
108108
</label>
@@ -122,13 +122,13 @@ $numColumns = sizeof($block->getColumns());
122122
</div>
123123
<div class="admin__data-grid-wrap admin__data-grid-wrap-static">
124124
<?php if ($block->getGridCssClass()): ?>
125-
<table class="<?php /* @escapeNotVerified */ echo $block->getGridCssClass() ?> data-grid" id="<?php /* @escapeNotVerified */ echo $block->getId() ?>_table">
125+
<table class="<?php /* @escapeNotVerified */ echo $block->getGridCssClass() ?> data-grid" id="<?php echo $block->escapeHtml($block->getId()) ?>_table">
126126
<!-- Rendering column set -->
127127
<?php echo $block->getChildHtml('grid.columnSet'); ?>
128128
</table>
129129
<?php else: ?>
130130

131-
<table class="data-grid" id="<?php /* @escapeNotVerified */ echo $block->getId() ?>_table">
131+
<table class="data-grid" id="<?php echo $block->escapeHtml($block->getId()) ?>_table">
132132
<!-- Rendering column set -->
133133
<?php echo $block->getChildHtml('grid.columnSet'); ?>
134134
</table>
@@ -161,7 +161,7 @@ $numColumns = sizeof($block->getColumns());
161161
registry.get('<?php /* @escapeNotVerified */ echo $block->getDependencyJsObject() ?>', function (<?php /* @escapeNotVerified */ echo $block->getDependencyJsObject() ?>) {
162162
<?php endif; ?>
163163

164-
<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?> = new varienGrid('<?php /* @escapeNotVerified */ echo $block->getId() ?>', '<?php /* @escapeNotVerified */ echo $block->getGridUrl() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNamePage() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameSort() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameDir() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameFilter() ?>');
164+
<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?> = new varienGrid('<?php echo $block->escapeHtml($block->getId()) ?>', '<?php /* @escapeNotVerified */ echo $block->getGridUrl() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNamePage() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameSort() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameDir() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameFilter() ?>');
165165
<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.useAjax = <?php /* @escapeNotVerified */ echo $block->getUseAjax() ? 'true' : 'false' ?>;
166166
<?php if ($block->getRowClickCallback()): ?>
167167
<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.rowClickCallback = <?php /* @escapeNotVerified */ echo $block->getRowClickCallback() ?>;

app/code/Magento/Backend/view/adminhtml/templates/widget/grid/extended.phtml

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@ $numColumns = sizeof($block->getColumns());
2626
<?php if ($block->getCollection()): ?>
2727
<?php if ($block->canDisplayContainer()): ?>
2828

29-
<div id="<?php /* @escapeNotVerified */ echo $block->getId() ?>" data-grid-id="<?php /* @escapeNotVerified */ echo $block->getId() ?>">
29+
<div id="<?php echo $block->escapeHtml($block->getId()) ?>" data-grid-id="<?php echo $block->escapeHtml($block->getId()) ?>">
3030
<?php else: ?>
3131
<?php echo $block->getLayout()->getMessagesBlock()->getGroupedHtml() ?>
3232
<?php endif; ?>
@@ -41,8 +41,8 @@ $numColumns = sizeof($block->getColumns());
4141
<div class="admin__data-grid-export">
4242
<label
4343
class="admin__control-support-text"
44-
for="<?php /* @escapeNotVerified */ echo $block->getId() ?>_export"><?php /* @escapeNotVerified */ echo __('Export to:') ?></label>
45-
<select name="<?php /* @escapeNotVerified */ echo $block->getId() ?>_export" id="<?php /* @escapeNotVerified */ echo $block->getId() ?>_export"
44+
for="<?php echo $block->escapeHtml($block->getId()) ?>_export"><?php /* @escapeNotVerified */ echo __('Export to:') ?></label>
45+
<select name="<?php echo $block->escapeHtml($block->getId()) ?>_export" id="<?php echo $block->escapeHtml($block->getId()) ?>_export"
4646
class="admin__control-select">
4747
<?php foreach ($block->getExportTypes() as $_type): ?>
4848
<option value="<?php /* @escapeNotVerified */ echo $_type->getUrl() ?>"><?php /* @escapeNotVerified */ echo $_type->getLabel() ?></option>
@@ -61,18 +61,18 @@ $numColumns = sizeof($block->getColumns());
6161
<?php endif; ?>
6262
<?php $countRecords = $block->getCollection()->getSize(); ?>
6363
<div class="admin__control-support-text">
64-
<span id="<?php echo $block->getHtmlId() ?>-total-count" <?php /* @escapeNotVerified */ echo $block->getUiId('total-count') ?>>
64+
<span id="<?php echo $block->escapeHtml($block->getHtmlId()) ?>-total-count" <?php /* @escapeNotVerified */ echo $block->getUiId('total-count') ?>>
6565
<?php /* @escapeNotVerified */ echo $countRecords ?>
6666
</span>
6767
<?php /* @escapeNotVerified */ echo __('records found') ?>
68-
<span id="<?php echo $block->getHtmlId() ?>_massaction-count"
68+
<span id="<?php echo $block->escapeHtml($block->getHtmlId()) ?>_massaction-count"
6969
class="mass-select-info _empty"><strong data-role="counter">0</strong> <span><?php /* @escapeNotVerified */ echo __('selected') ?></span></span>
7070
</div>
7171

7272
<?php if ($block->getPagerVisibility()): ?>
7373
<div class="admin__data-grid-pager-wrap">
7474
<select name="<?php /* @escapeNotVerified */ echo $block->getVarNameLimit() ?>"
75-
id="<?php echo $block->getHtmlId()?>_page-limit"
75+
id="<?php echo $block->escapeHTML($block->getHtmlId())?>_page-limit"
7676
onchange="<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.loadByElement(this)"
7777
class="admin__control-select">
7878
<option value="20"<?php if ($block->getCollection()->getPageSize() == 20): ?>
@@ -91,7 +91,7 @@ $numColumns = sizeof($block->getColumns());
9191
selected="selected"<?php endif; ?>>200
9292
</option>
9393
</select>
94-
<label for="<?php echo $block->getHtmlId()?><?php echo $block->getHtmlId()?>_page-limit"
94+
<label for="<?php echo $block->escapeHTML($block->getHtmlId())?><?php echo $block->escapeHTML($block->getHtmlId())?>_page-limit"
9595
class="admin__control-support-text"><?php /* @escapeNotVerified */ echo __('per page') ?></label>
9696

9797
<div class="admin__data-grid-pager">
@@ -107,12 +107,12 @@ $numColumns = sizeof($block->getColumns());
107107
<button type="button" class="action-previous disabled"><span><?php /* @escapeNotVerified */ echo __('Previous page') ?></span></button>
108108
<?php endif; ?>
109109
<input type="text"
110-
id="<?php echo $block->getHtmlId()?>_page-current"
110+
id="<?php echo $block->escapeHTML($block->getHtmlId())?>_page-current"
111111
name="<?php /* @escapeNotVerified */ echo $block->getVarNamePage() ?>"
112112
value="<?php /* @escapeNotVerified */ echo $_curPage ?>"
113113
class="admin__control-text"
114114
onkeypress="<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.inputPage(event, '<?php /* @escapeNotVerified */ echo $_lastPage ?>')" <?php /* @escapeNotVerified */ echo $block->getUiId('current-page') ?> />
115-
<label class="admin__control-support-text" for="<?php echo $block->getHtmlId()?>_page-current">
115+
<label class="admin__control-support-text" for="<?php echo $block->escapeHTML($block->getHtmlId())?>_page-current">
116116
<?php /* @escapeNotVerified */ echo __('of %1', '<span>' . $block->getCollection()->getLastPageNumber() . '</span>') ?>
117117
</label>
118118
<?php if ($_curPage < $_lastPage): ?>
@@ -133,7 +133,7 @@ $numColumns = sizeof($block->getColumns());
133133
<?php endif; ?>
134134

135135
<div class="admin__data-grid-wrap admin__data-grid-wrap-static">
136-
<table class="data-grid" id="<?php /* @escapeNotVerified */ echo $block->getId() ?>_table">
136+
<table class="data-grid" id="<?php echo $block->escapeHtml($block->getId()) ?>_table">
137137
<?php
138138
/* This part is commented to remove all <col> tags from the code. */
139139
/* foreach ($block->getColumns() as $_column): ?>
@@ -263,7 +263,7 @@ $numColumns = sizeof($block->getColumns());
263263
registry.get('<?php /* @escapeNotVerified */ echo $block->getDependencyJsObject() ?>', function (<?php /* @escapeNotVerified */ echo $block->getDependencyJsObject() ?>) {
264264
<?php endif; ?>
265265

266-
<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?> = new varienGrid('<?php /* @escapeNotVerified */ echo $block->getId() ?>', '<?php /* @escapeNotVerified */ echo $block->getGridUrl() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNamePage() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameSort() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameDir() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameFilter() ?>');
266+
<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?> = new varienGrid(<?php /* @noEscape */ echo $this->helper('Magento\Framework\Json\Helper\Data')->jsonEncode($block->getId()) ?>, '<?php /* @escapeNotVerified */ echo $block->getGridUrl() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNamePage() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameSort() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameDir() ?>', '<?php /* @escapeNotVerified */ echo $block->getVarNameFilter() ?>');
267267
<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.useAjax = '<?php /* @escapeNotVerified */ echo $block->getUseAjax() ?>';
268268
<?php if ($block->getRowClickCallback()): ?>
269269
<?php /* @escapeNotVerified */ echo $block->getJsObjectName() ?>.rowClickCallback = <?php /* @escapeNotVerified */ echo $block->getRowClickCallback() ?>;

app/code/Magento/Bundle/Controller/Adminhtml/Bundle/Selection/Grid.php

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -13,13 +13,16 @@ class Grid extends \Magento\Backend\App\Action
1313
*/
1414
public function execute()
1515
{
16+
$index = $this->getRequest()->getParam('index');
17+
if (!preg_match('/^[a-z0-9_.]*$/i', $index)) {
18+
throw new \InvalidArgumentException('Invalid parameter "index"');
19+
}
20+
1621
return $this->getResponse()->setBody(
1722
$this->_view->getLayout()->createBlock(
1823
'Magento\Bundle\Block\Adminhtml\Catalog\Product\Edit\Tab\Bundle\Option\Search\Grid',
1924
'adminhtml.catalog.product.edit.tab.bundle.option.search.grid'
20-
)->setIndex(
21-
$this->getRequest()->getParam('index')
22-
)->toHtml()
25+
)->setIndex($index)->toHtml()
2326
);
2427
}
2528
}

app/code/Magento/Bundle/Test/Unit/Controller/Adminhtml/Bundle/Selection/GridTest.php

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -90,4 +90,15 @@ public function testExecute()
9090

9191
$this->assertEquals($this->response, $this->controller->execute());
9292
}
93+
94+
/**
95+
* @expectedException \InvalidArgumentException
96+
* @expectedExceptionMessage Invalid parameter "index"
97+
*/
98+
public function testExecuteWithException()
99+
{
100+
$this->request->expects($this->once())->method('getParam')->with('index')->willReturn('<index"');
101+
102+
$this->controller->execute();
103+
}
93104
}

0 commit comments

Comments
 (0)