Merge remote-tracking branch 'origin/MC-17065' into borg-security-2.3

nathanjosiah · nathanjosiah · commit 93b0de1ce55f · 2019-06-14T08:47:47.000-05:00
diff --git a/app/code/Magento/Customer/Controller/Adminhtml/Index/InlineEdit.php b/app/code/Magento/Customer/Controller/Adminhtml/Index/InlineEdit.php
@@ -70,6 +70,11 @@ class InlineEdit extends \Magento\Backend\App\Action implements HttpPostActionIn
      */
     private $addressRegistry;
 
+    /**
+     * @var \Magento\Framework\Escaper
+     */
+    private $escaper;
+
     /**
      * @param Action\Context $context
      * @param CustomerRepositoryInterface $customerRepository
@@ -78,6 +83,7 @@ class InlineEdit extends \Magento\Backend\App\Action implements HttpPostActionIn
      * @param \Magento\Framework\Api\DataObjectHelper $dataObjectHelper
      * @param \Psr\Log\LoggerInterface $logger
      * @param AddressRegistry|null $addressRegistry
+     * @param \Magento\Framework\Escaper $escaper
      */
     public function __construct(
         Action\Context $context,
@@ -86,14 +92,16 @@ public function __construct(
         \Magento\Customer\Model\Customer\Mapper $customerMapper,
         \Magento\Framework\Api\DataObjectHelper $dataObjectHelper,
         \Psr\Log\LoggerInterface $logger,
-        AddressRegistry $addressRegistry = null
+        AddressRegistry $addressRegistry = null,
+        \Magento\Framework\Escaper $escaper = null
     ) {
         $this->customerRepository = $customerRepository;
         $this->resultJsonFactory = $resultJsonFactory;
         $this->customerMapper = $customerMapper;
         $this->dataObjectHelper = $dataObjectHelper;
         $this->logger = $logger;
         $this->addressRegistry = $addressRegistry ?: ObjectManager::getInstance()->get(AddressRegistry::class);
+        $this->escaper = $escaper ?: ObjectManager::getInstance()->get(\Magento\Framework\Escaper::class);
         parent::__construct($context);
     }
 
@@ -128,10 +136,14 @@ public function execute()
 
         $postItems = $this->getRequest()->getParam('items', []);
         if (!($this->getRequest()->getParam('isAjax') && count($postItems))) {
-            return $resultJson->setData([
-                'messages' => [__('Please correct the data sent.')],
-                'error' => true,
-            ]);
+            return $resultJson->setData(
+                [
+                    'messages' => [
+                        __('Please correct the data sent.')
+                    ],
+                    'error' => true,
+                ]
+            );
         }
 
         foreach (array_keys($postItems) as $customerId) {
@@ -147,10 +159,12 @@ public function execute()
             $this->getEmailNotification()->credentialsChanged($this->getCustomer(), $currentCustomer->getEmail());
         }
 
-        return $resultJson->setData([
-            'messages' => $this->getErrorMessages(),
-            'error' => $this->isErrorExists()
-        ]);
+        return $resultJson->setData(
+            [
+                'messages' => $this->getErrorMessages(),
+                'error' => $this->isErrorExists()
+            ]
+        );
     }
 
     /**
@@ -234,13 +248,16 @@ protected function saveCustomer(CustomerInterface $customer)
             $this->disableAddressValidation($customer);
             $this->customerRepository->save($customer);
         } catch (\Magento\Framework\Exception\InputException $e) {
-            $this->getMessageManager()->addError($this->getErrorWithCustomerId($e->getMessage()));
+            $this->getMessageManager()
+                ->addError($this->getErrorWithCustomerId($this->escaper->escapeHtml($e->getMessage())));
             $this->logger->critical($e);
         } catch (\Magento\Framework\Exception\LocalizedException $e) {
-            $this->getMessageManager()->addError($this->getErrorWithCustomerId($e->getMessage()));
+            $this->getMessageManager()
+                ->addError($this->getErrorWithCustomerId($this->escaper->escapeHtml($e->getMessage())));
             $this->logger->critical($e);
         } catch (\Exception $e) {
-            $this->getMessageManager()->addError($this->getErrorWithCustomerId('We can\'t save the customer.'));
+            $this->getMessageManager()
+                ->addError($this->getErrorWithCustomerId('We can\'t save the customer.'));
             $this->logger->critical($e);
         }
     }
diff --git a/app/code/Magento/Customer/Test/Unit/Controller/Adminhtml/Index/InlineEditTest.php b/app/code/Magento/Customer/Test/Unit/Controller/Adminhtml/Index/InlineEditTest.php
@@ -9,6 +9,7 @@
 use Magento\Customer\Model\EmailNotificationInterface;
 use Magento\Framework\DataObject;
 use Magento\Framework\Message\MessageInterface;
+use Magento\Framework\Escaper;
 
 /**
  * Unit tests for Inline customer edit
@@ -78,6 +79,9 @@ class InlineEditTest extends \PHPUnit\Framework\TestCase
     /** @var array */
     private $items;
 
+    /** @var \Magento\Framework\Escaper */
+    private $escaper;
+
     /**
      * Sets up mocks
      *
@@ -86,7 +90,7 @@ class InlineEditTest extends \PHPUnit\Framework\TestCase
     protected function setUp()
     {
         $objectManager = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
-
+        $this->escaper = new Escaper();
         $this->request = $this->getMockForAbstractClass(
             \Magento\Framework\App\RequestInterface::class,
             [],
@@ -172,7 +176,8 @@ protected function setUp()
                 'addressDataFactory' => $this->addressDataFactory,
                 'addressRepository' => $this->addressRepository,
                 'logger' => $this->logger,
-                'addressRegistry' => $this->addressRegistry
+                'addressRegistry' => $this->addressRegistry,
+                'escaper' => $this->escaper,
             ]
         );
         $reflection = new \ReflectionClass(get_class($this->controller));
@@ -291,10 +296,14 @@ protected function prepareMocksForErrorMessagesProcessing()
             ->willReturn('Error text');
         $this->resultJson->expects($this->once())
             ->method('setData')
-            ->with([
-                'messages' => ['Error text'],
-                'error' => true,
-            ])
+            ->with(
+                [
+                    'messages' => [
+                        'Error text',
+                    ],
+                    'error' => true,
+                ]
+            )
             ->willReturnSelf();
     }
 
@@ -340,10 +349,14 @@ public function testExecuteWithoutItems()
         $this->resultJson
             ->expects($this->once())
             ->method('setData')
-            ->with([
-                'messages' => [__('Please correct the data sent.')],
-                'error' => true,
-            ])
+            ->with(
+                [
+                    'messages' => [
+                        __('Please correct the data sent.'),
+                    ],
+                    'error' => true,
+                ]
+            )
             ->willReturnSelf();
         $this->assertSame($this->resultJson, $this->controller->execute());
     }
@@ -365,6 +378,7 @@ public function testExecuteLocalizedException()
             ->method('save')
             ->with($this->customerData)
             ->willThrowException($exception);
+
         $this->messageManager->expects($this->once())
             ->method('addError')
             ->with('[Customer ID: 12] Exception message');
