Merge remote-tracking branch 'arcticfoxes/MAGETWO-98906' into 2.1.18-develop-pr

Joan He · Joan He · commit 90bb2a2bc8bb · 2019-04-09T14:42:43.000-05:00
diff --git a/app/code/Magento/CatalogRule/Controller/Adminhtml/Promo/Catalog/Save.php b/app/code/Magento/CatalogRule/Controller/Adminhtml/Promo/Catalog/Save.php
@@ -78,6 +78,9 @@ public function execute()
                     unset($data['rule']);
                 }
 
+                unset($data['conditions_serialized']);
+                unset($data['actions_serialized']);
+
                 $model->loadPost($data);
 
                 $this->_objectManager->get('Magento\Backend\Model\Session')->setPageData($data);
diff --git a/app/code/Magento/Rule/Block/Editable.php b/app/code/Magento/Rule/Block/Editable.php
@@ -8,6 +8,9 @@
 use Magento\Framework\Data\Form\Element\Renderer\RendererInterface;
 use Magento\Framework\View\Element\AbstractBlock;
 
+/**
+ * Renderer for Editable sales rules
+ */
 class Editable extends AbstractBlock implements RendererInterface
 {
     /**
@@ -48,15 +51,15 @@ public function render(\Magento\Framework\Data\Form\Element\AbstractElement $ele
 
         if ($element->getShowAsText()) {
             $html = ' <input type="hidden" class="hidden" id="' .
-                $element->getHtmlId() .
+                $this->escapeHtmlAttr($element->getHtmlId()) .
                 '" name="' .
-                $element->getName() .
+                $this->escapeHtmlAttr($element->getName()) .
                 '" value="' .
-                $element->getValue() .
+                $this->escapeHtmlAttr($element->getValue()) .
                 '" data-form-part="' .
-                $element->getData('data-form-part') .
+                $this->escapeHtmlAttr($element->getData('data-form-part')) .
                 '"/> ' .
-                htmlspecialchars(
+                $this->escapeHtml(
                     $valueName
                 ) . '&nbsp;';
         } else {
@@ -92,4 +95,15 @@ public function render(\Magento\Framework\Data\Form\Element\AbstractElement $ele
 
         return $html;
     }
+
+    /**
+     * Escape html attribute
+     *
+     * @param string\null $attribute
+     * @return string
+     */
+    private function escapeHtmlAttr($attribute)
+    {
+        return $attribute ? $this->_escaper->escapeHtmlAttr($attribute) : $attribute;
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,9 @@ public function execute()`
`78`	`78`	`unset($data['rule']);`
`79`	`79`	`}`
`80`	`80`
	`81`	`+ unset($data['conditions_serialized']);`
	`82`	`+ unset($data['actions_serialized']);`
	`83`	`+`
`81`	`84`	`$model->loadPost($data);`
`82`	`85`
`83`	`86`	`$this->_objectManager->get('Magento\Backend\Model\Session')->setPageData($data);`