Merge remote-tracking branch 'origin/2.3-develop' into 2.3-develop-pr3

Author: zakdma

app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/Date.php

@@ -127,7 +127,7 @@ public function getHtml()
 
     /**
      * @param string|null $index
-     * @return string
+     * @return array|string|int|float|null
      */
     public function getEscapedValue($index = null)
     {
@@ -138,6 +138,11 @@ public function getEscapedValue($index = null)
                 $this->_localeDate->getDateFormat(\IntlDateFormatter::SHORT)
             );
         }
+
+        if (is_string($value)) {
+            return $this->escapeHtml($value);
+        }
+
         return $value;
     }
 

app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/Datetime.php

@@ -140,8 +140,8 @@ public function getHtml()
     /**
      * Return escaped value for calendar
      *
-     * @param string $index
-     * @return string
+     * @param string|null $index
+     * @return array|string|int|float|null
      */
     public function getEscapedValue($index = null)
     {
@@ -150,6 +150,11 @@ public function getEscapedValue($index = null)
             if ($value instanceof \DateTimeInterface) {
                 return $this->_localeDate->formatDateTime($value);
             }
+
+            if (is_string($value)) {
+                return $this->escapeHtml($value);
+            }
+
             return $value;
         }
 

app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/DateTest.php

@@ -30,6 +30,12 @@ class DateTest extends \PHPUnit\Framework\TestCase
     /** @var \Magento\Framework\Stdlib\DateTime\TimezoneInterface|\PHPUnit_Framework_MockObject_MockObject */
     protected $localeDateMock;
 
+    /** @var \Magento\Framework\Escaper|\PHPUnit_Framework_MockObject_MockObject */
+    private $escaperMock;
+
+    /** @var \Magento\Backend\Block\Context|\PHPUnit_Framework_MockObject_MockObject */
+    private $contextMock;
+
     protected function setUp()
     {
         $this->mathRandomMock = $this->getMockBuilder(\Magento\Framework\Math\Random::class)
@@ -58,14 +64,26 @@ protected function setUp()
             ->setMethods([])
             ->getMock();
 
+        $this->escaperMock = $this->getMockBuilder(\Magento\Framework\Escaper::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->contextMock = $this->getMockBuilder(\Magento\Backend\Block\Context::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->contextMock->expects($this->once())->method('getEscaper')->willReturn($this->escaperMock);
+        $this->contextMock->expects($this->once())->method('getLocaleDate')->willReturn($this->localeDateMock);
+
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
         $this->model = $objectManagerHelper->getObject(
             \Magento\Backend\Block\Widget\Grid\Column\Filter\Date::class,
             [
                 'mathRandom' => $this->mathRandomMock,
                 'localeResolver' => $this->localeResolverMock,
                 'dateTimeFormatter' => $this->dateTimeFormatterMock,
-                'localeDate' => $this->localeDateMock
+                'localeDate' => $this->localeDateMock,
+                'context' => $this->contextMock,
             ]
         );
         $this->model->setColumn($this->columnMock);
@@ -98,4 +116,16 @@ public function testGetHtmlSuccessfulTimestamp()
         $this->assertContains('id="' . $uniqueHash . '_from" value="' . $yesterday->getTimestamp(), $output);
         $this->assertContains('id="' . $uniqueHash . '_to" value="' . $tomorrow->getTimestamp(), $output);
     }
+
+    public function testGetEscapedValueEscapeString()
+    {
+        $value = "\"><img src=x onerror=alert(2) />";
+        $array = [
+            'orig_from' => $value,
+            'from' => $value,
+        ];
+        $this->model->setValue($array);
+        $this->escaperMock->expects($this->once())->method('escapeHtml')->with($value);
+        $this->model->getEscapedValue('from');
+    }
 }

app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/DatetimeTest.php

@@ -30,6 +30,12 @@ class DatetimeTest extends \PHPUnit\Framework\TestCase
     /** @var \Magento\Framework\Stdlib\DateTime\TimezoneInterface|\PHPUnit_Framework_MockObject_MockObject */
     protected $localeDateMock;
 
+    /** @var \Magento\Framework\Escaper|\PHPUnit_Framework_MockObject_MockObject */
+    private $escaperMock;
+
+    /** @var \Magento\Backend\Block\Context|\PHPUnit_Framework_MockObject_MockObject */
+    private $contextMock;
+
     protected function setUp()
     {
         $this->mathRandomMock = $this->getMockBuilder(\Magento\Framework\Math\Random::class)
@@ -50,22 +56,34 @@ protected function setUp()
 
         $this->columnMock = $this->getMockBuilder(\Magento\Backend\Block\Widget\Grid\Column::class)
             ->disableOriginalConstructor()
-            ->setMethods(['getTimezone', 'getHtmlId', 'getId'])
+            ->setMethods(['getTimezone', 'getHtmlId', 'getId', 'getFilterTime'])
             ->getMock();
 
         $this->localeDateMock = $this->getMockBuilder(\Magento\Framework\Stdlib\DateTime\TimezoneInterface::class)
             ->disableOriginalConstructor()
             ->setMethods([])
             ->getMock();
 
+        $this->escaperMock = $this->getMockBuilder(\Magento\Framework\Escaper::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->contextMock = $this->getMockBuilder(\Magento\Backend\Block\Context::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->contextMock->expects($this->once())->method('getEscaper')->willReturn($this->escaperMock);
+        $this->contextMock->expects($this->once())->method('getLocaleDate')->willReturn($this->localeDateMock);
+
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
         $this->model = $objectManagerHelper->getObject(
             \Magento\Backend\Block\Widget\Grid\Column\Filter\Datetime::class,
             [
                 'mathRandom' => $this->mathRandomMock,
                 'localeResolver' => $this->localeResolverMock,
                 'dateTimeFormatter' => $this->dateTimeFormatterMock,
-                'localeDate' => $this->localeDateMock
+                'localeDate' => $this->localeDateMock,
+                'context' => $this->contextMock,
             ]
         );
         $this->model->setColumn($this->columnMock);
@@ -98,4 +116,17 @@ public function testGetHtmlSuccessfulTimestamp()
         $this->assertContains('id="' . $uniqueHash . '_from" value="' . $yesterday->getTimestamp(), $output);
         $this->assertContains('id="' . $uniqueHash . '_to" value="' . $tomorrow->getTimestamp(), $output);
     }
+
+    public function testGetEscapedValueEscapeString()
+    {
+        $value = "\"><img src=x onerror=alert(2) />";
+        $array = [
+            'orig_from' => $value,
+            'from' => $value,
+        ];
+        $this->model->setValue($array);
+        $this->escaperMock->expects($this->once())->method('escapeHtml')->with($value);
+        $this->columnMock->expects($this->once())->method('getFilterTime')->willReturn(true);
+        $this->model->getEscapedValue('from');
+    }
 }

app/code/Magento/Catalog/view/frontend/templates/product/list.phtml

@@ -77,7 +77,7 @@ $_helper = $this->helper('Magento\Catalog\Helper\Output');
                                 <div class="actions-primary"<?= strpos($pos, $viewMode . '-primary') ? $position : '' ?>>
                                     <?php if ($_product->isSaleable()): ?>
                                         <?php $postParams = $block->getAddToCartPostParams($_product); ?>
-                                        <form data-role="tocart-form" data-product-sku="<?=  /* @NoEscape */ $_product->getSku() ?>" action="<?= /* @NoEscape */ $postParams['action'] ?>" method="post">
+                                        <form data-role="tocart-form" data-product-sku="<?= $block->escapeHtml($_product->getSku()) ?>" action="<?= /* @NoEscape */ $postParams['action'] ?>" method="post">
                                             <input type="hidden" name="product" value="<?= /* @escapeNotVerified */ $postParams['data']['product'] ?>">
                                             <input type="hidden" name="<?= /* @escapeNotVerified */ Action::PARAM_NAME_URL_ENCODED ?>" value="<?= /* @escapeNotVerified */ $postParams['data'][Action::PARAM_NAME_URL_ENCODED] ?>">
                                             <?= $block->getBlockHtml('formkey') ?>

app/code/Magento/Catalog/view/frontend/templates/product/view/form.phtml

@@ -16,7 +16,7 @@
 <?php $_product = $block->getProduct(); ?>
 
 <div class="product-add-form">
-    <form data-product-sku="<?= /* @NoEscape */ $_product->getSku() ?>"
+    <form data-product-sku="<?= $block->escapeHtml($_product->getSku()) ?>"
           action="<?= /* @NoEscape */ $block->getSubmitUrl($_product) ?>" method="post"
           id="product_addtocart_form"<?php if ($_product->getOptions()): ?> enctype="multipart/form-data"<?php endif; ?>>
         <input type="hidden" name="product" value="<?= /* @escapeNotVerified */ $_product->getId() ?>" />

app/code/Magento/Checkout/Block/Cart/Shipping.php

@@ -74,7 +74,8 @@ public function getJsLayout()
         foreach ($this->layoutProcessors as $processor) {
             $this->jsLayout = $processor->process($this->jsLayout);
         }
-        return $this->serializer->serialize($this->jsLayout);
+
+        return json_encode($this->jsLayout, JSON_HEX_TAG);
     }
 
     /**
@@ -94,6 +95,6 @@ public function getBaseUrl()
      */
     public function getSerializedCheckoutConfig()
     {
-        return $this->serializer->serialize($this->getCheckoutConfig());
+        return json_encode($this->getCheckoutConfig(), JSON_HEX_TAG);
     }
 }

app/code/Magento/Checkout/Block/Cart/Totals.php

@@ -69,7 +69,8 @@ public function getJsLayout()
         foreach ($this->layoutProcessors as $processor) {
             $this->jsLayout = $processor->process($this->jsLayout);
         }
-        return parent::getJsLayout();
+
+        return json_encode($this->jsLayout, JSON_HEX_TAG);
     }
 
     /**

app/code/Magento/Checkout/Block/Onepage.php

@@ -77,7 +77,8 @@ public function getJsLayout()
         foreach ($this->layoutProcessors as $processor) {
             $this->jsLayout = $processor->process($this->jsLayout);
         }
-        return $this->serializer->serialize($this->jsLayout);
+
+        return json_encode($this->jsLayout, JSON_HEX_TAG);
     }
 
     /**
@@ -119,6 +120,6 @@ public function getBaseUrl()
      */
     public function getSerializedCheckoutConfig()
     {
-        return $this->serializer->serialize($this->getCheckoutConfig());
+        return json_encode($this->getCheckoutConfig(), JSON_HEX_TAG);
     }
 }

app/code/Magento/Checkout/Test/Unit/Block/Cart/ShippingTest.php

@@ -99,9 +99,6 @@ public function testGetJsLayout()
             ->with($this->layout)
             ->willReturn($layoutProcessed);
 
-        $this->serializer->expects($this->once())->method('serialize')->will(
-            $this->returnValue($jsonLayoutProcessed)
-        );
         $this->assertEquals(
             $jsonLayoutProcessed,
             $this->model->getJsLayout()
@@ -121,9 +118,6 @@ public function testGetSerializedCheckoutConfig()
     {
         $checkoutConfig = ['checkout', 'config'];
         $this->configProvider->expects($this->once())->method('getConfig')->willReturn($checkoutConfig);
-        $this->serializer->expects($this->once())->method('serialize')->will(
-            $this->returnValue(json_encode($checkoutConfig))
-        );
 
         $this->assertEquals(json_encode($checkoutConfig), $this->model->getSerializedCheckoutConfig());
     }