
Commit 5693121

committed
MAGETWO-95391: Widget Escaping
- Convert widget code to heredoc and escape output
1 parent b93bcf8 commit 5693121


1 file changed

+12
-8
lines changed


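--- a/app/code/Magento/Widget/Block/Adminhtml/Widget.php
+++ b/app/code/Magento/Widget/Block/Adminhtml/Widget.php
@@ -40,13 +40,17 @@ protected function _construct()
 $this->buttonList->update('reset', 'label', __('Cancel'));
 $this->buttonList->update('reset', 'onclick', 'wWidget.closeModal()');
 
-$this->_formScripts[] = 'require(["mage/adminhtml/wysiwyg/widget"],'
-. ' function(){wWidget = new WysiwygWidget.Widget('
-. '"widget_options_form", "select_widget_type", "widget_options", "'
-. $this->getUrl(
-'adminhtml/*/loadOptions'
-) . '", "' . $this->getRequest()->getParam(
-'widget_target_id'
-) . '");});';
+$this->_formScripts[] = <<<EOJS
+require(['mage/adminhtml/wysiwyg/widget'], function() {
+wWidget = new WysiwygWidget.Widget(
+'widget_options_form',
+'select_widget_type',
+'widget_options',
+'{$this->getUrl('adminhtml/*/loadOptions')}',
+'{$this->escapeJs($this->getRequest()->getParam('widget_target_id'))}'
+);
+});
+EOJS;
+
 }
 }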
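Review bot: The loadOptions URL on the `'{$this->getUrl('adminhtml/*/loadOptions')}'` line is interpolated into a single-quoted JS string without `escapeJs()`, while the `widget_target_id` parameter on the very next line is escaped. The URL is framework-generated rather than user-supplied, so the practical risk looks low, but it may carry query parameters, and any stray `'` or backslash in it would terminate the string; escaping it costs nothing and makes the heredoc uniformly safe: `'{$this->escapeJs($this->getUrl('adminhtml/*/loadOptions'))}',`. Separately, `getParam('widget_target_id')` returns null when the parameter is absent and can return an array if a client sends `widget_target_id[]=...`, so casting with `(string)` before `escapeJs()` (or validating the id format) would pin the type that reaches the escaper. `_construct()` begins before this hunk.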
