Merge remote-tracking branch 'origin/2.1.18-develop' into 2.1.18-develop-pr70

Author: zakdma

app/code/Magento/CatalogRule/Controller/Adminhtml/Promo/Catalog/Save.php

@@ -78,6 +78,9 @@ public function execute()
                     unset($data['rule']);
                 }
 
+                unset($data['conditions_serialized']);
+                unset($data['actions_serialized']);
+
                 $model->loadPost($data);
 
                 $this->_objectManager->get('Magento\Backend\Model\Session')->setPageData($data);

app/code/Magento/Config/Model/Config/Backend/Serialized.php

@@ -5,16 +5,55 @@
  */
 namespace Magento\Config\Model\Config\Backend;
 
+use Magento\Framework\Unserialize\SecureUnserializer;
+use Magento\Framework\App\ObjectManager;
+
 class Serialized extends \Magento\Framework\App\Config\Value
 {
+    /**
+     * @var SecureUnserializer
+     */
+    private $unserializer;
+
+    /**
+     * Serialized constructor
+     *
+     * @param \Magento\Framework\Model\Context $context
+     * @param \Magento\Framework\Registry $registry
+     * @param \Magento\Framework\App\Config\ScopeConfigInterface $config
+     * @param \Magento\Framework\App\Cache\TypeListInterface $cacheTypeList
+     * @param \Magento\Framework\Model\ResourceModel\AbstractResource|null $resource
+     * @param \Magento\Framework\Data\Collection\AbstractDb|null $resourceCollection
+     * @param array $data
+     * @param SecureUnserializer|null $unserializer
+     */
+    public function __construct(
+        \Magento\Framework\Model\Context $context,
+        \Magento\Framework\Registry $registry,
+        \Magento\Framework\App\Config\ScopeConfigInterface $config,
+        \Magento\Framework\App\Cache\TypeListInterface $cacheTypeList,
+        \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
+        \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
+        array $data = [],
+        SecureUnserializer $unserializer = null
+    ) {
+        parent::__construct($context, $registry, $config, $cacheTypeList, $resource, $resourceCollection, $data);
+        $this->unserializer = $unserializer ?: ObjectManager::getInstance()->get(SecureUnserializer::class);
+    }
+
     /**
      * @return void
      */
     protected function _afterLoad()
     {
-        if (!is_array($this->getValue())) {
-            $value = $this->getValue();
-            $this->setValue(empty($value) ? false : unserialize($value));
+        $value = $this->getValue();
+        if (!is_array($value)) {
+            try {
+                $this->setValue(empty($value) ? false : $this->unserializer->unserialize($value));
+            } catch (\Exception $e) {
+                $this->_logger->critical($e);
+                $this->setValue(false);
+            }
         }
     }
 
@@ -23,9 +62,11 @@ protected function _afterLoad()
      */
     public function beforeSave()
     {
-        if (is_array($this->getValue())) {
-            $this->setValue(serialize($this->getValue()));
+        $value = $this->getValue();
+        if (is_array($value)) {
+            $this->setValue(serialize($value));
         }
-        return parent::beforeSave();
+        parent::beforeSave();
+        return $this;
     }
 }

app/code/Magento/Rule/Block/Editable.php

@@ -8,6 +8,9 @@
 use Magento\Framework\Data\Form\Element\Renderer\RendererInterface;
 use Magento\Framework\View\Element\AbstractBlock;
 
+/**
+ * Renderer for Editable sales rules
+ */
 class Editable extends AbstractBlock implements RendererInterface
 {
     /**
@@ -48,15 +51,15 @@ public function render(\Magento\Framework\Data\Form\Element\AbstractElement $ele
 
         if ($element->getShowAsText()) {
             $html = ' <input type="hidden" class="hidden" id="' .
-                $element->getHtmlId() .
+                $this->escapeHtmlAttr($element->getHtmlId()) .
                 '" name="' .
-                $element->getName() .
+                $this->escapeHtmlAttr($element->getName()) .
                 '" value="' .
-                $element->getValue() .
+                $this->escapeHtmlAttr($element->getValue()) .
                 '" data-form-part="' .
-                $element->getData('data-form-part') .
+                $this->escapeHtmlAttr($element->getData('data-form-part')) .
                 '"/> ' .
-                htmlspecialchars(
+                $this->escapeHtml(
                     $valueName
                 ) . '&nbsp;';
         } else {
@@ -92,4 +95,15 @@ public function render(\Magento\Framework\Data\Form\Element\AbstractElement $ele
 
         return $html;
     }
+
+    /**
+     * Escape html attribute
+     *
+     * @param string\null $attribute
+     * @return string
+     */
+    private function escapeHtmlAttr($attribute)
+    {
+        return $attribute ? $this->_escaper->escapeHtmlAttr($attribute) : $attribute;
+    }
 }

dev/tests/static/testsuite/Magento/Test/Js/_files/eslint/.eslintrc-magento

@@ -62,7 +62,8 @@
             2,
             {
                 "args": "after-used",
-                "vars": "all"
+                "vars": "all",
+                "varsIgnorePattern": "config"
             }
         ],
         "no-use-before-define": 2,