MAGETWO-45594: XSS code still can be saved into database

Alexander Makeev · Yaroslav Voronoy · commit 8ea358548378 · 2016-01-17T16:48:39.000+02:00
- Added templates for redirect
diff --git a/app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/iframe.phtml b/app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/iframe.phtml
@@ -0,0 +1,15 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * @var \Magento\Paypal\Block\Payflow\Link\Iframe $block
+ */
+?>
+<div id="iframe-warning" class="message notice">
+    <div><?php echo $block->escapeHtml(__('Please do not refresh the page until you complete payment.')); ?></div>
+</div>
+<iframe id="hss-iframe" data-container="paypal-iframe" class="paypal iframe" scrolling="no" frameborder="0" border="0"
+        src="<?php echo $block->escapeUrl($block->getFrameActionUrl()); ?>" height="610" width="100%"></iframe>
diff --git a/app/code/Magento/Paypal/view/frontend/templates/payflowlink/iframe.phtml b/app/code/Magento/Paypal/view/frontend/templates/payflowlink/iframe.phtml
@@ -0,0 +1,15 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * @var \Magento\Paypal\Block\Payflow\Link\Iframe $block
+ */
+?>
+<div id="iframe-warning" class="message notice">
+    <div><?php echo $block->escapeHtml(__('Please do not refresh the page until you complete payment.')); ?></div>
+</div>
+<iframe id="hss-iframe" data-container="paypal-iframe" class="paypal iframe" scrolling="no" frameborder="0" border="0"
+        src="<?php echo $block->escapeUrl($block->getFrameActionUrl()); ?>" height="610" width="100%"></iframe>
