Merge remote-tracking branch 'origin/MAGETWO-83605' into 2.3-develop-pr4

svitja · svitja · commit 9877bc99a5a5 · 2018-03-13T17:02:56.000+02:00
diff --git a/app/code/Magento/Newsletter/Block/Adminhtml/Template/Grid/Renderer/Sender.php b/app/code/Magento/Newsletter/Block/Adminhtml/Template/Grid/Renderer/Sender.php
@@ -14,7 +14,7 @@
 class Sender extends \Magento\Backend\Block\Widget\Grid\Column\Renderer\AbstractRenderer
 {
     /**
-     * Renderer for "Action" column in Newsletter templates grid
+     * Renderer for "Action" column in Newsletter templates grid.
      *
      * @param \Magento\Framework\DataObject $row
      * @return string
@@ -26,11 +26,12 @@ public function render(\Magento\Framework\DataObject $row)
             $str .= htmlspecialchars($row->getTemplateSenderName()) . ' ';
         }
         if ($row->getTemplateSenderEmail()) {
-            $str .= '[' . $row->getTemplateSenderEmail() . ']';
+            $str .= '[' . htmlspecialchars($row->getTemplateSenderEmail()) . ']';
         }
         if ($str == '') {
             $str .= '---';
         }
+        
         return $str;
     }
 }
diff --git a/app/code/Magento/Newsletter/Test/Unit/Block/Adminhtml/Template/Grid/Renderer/SenderTest.php b/app/code/Magento/Newsletter/Test/Unit/Block/Adminhtml/Template/Grid/Renderer/SenderTest.php
@@ -0,0 +1,94 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Newsletter\Test\Unit\Block\Adminhtml\Template\Grid\Renderer;
+
+/**
+ * Test for \Magento\Newsletter\Block\Adminhtml\Template\Grid\Renderer\Sender.
+ */
+class SenderTest extends \PHPUnit\Framework\TestCase
+{
+    /**
+     * @var \Magento\Newsletter\Block\Adminhtml\Template\Grid\Renderer\Sender
+     */
+    private $sender;
+
+    /**
+     * @var \Magento\Framework\TestFramework\Unit\Helper\ObjectManager
+     */
+    private $objectManagerHelper;
+
+    /**
+     * @inheritdoc
+     */
+    protected function setUp()
+    {
+        $this->objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
+        $this->sender = $this->objectManagerHelper->getObject(
+            \Magento\Newsletter\Block\Adminhtml\Template\Grid\Renderer\Sender::class
+        );
+    }
+
+    /**
+     * @dataProvider rendererDataProvider
+     * @param array $expectedSender
+     * @param array $passedSender
+     *
+     * @return void
+     */
+    public function testRender(array $passedSender, array $expectedSender)
+    {
+        $row = $this->getMockBuilder(\Magento\Framework\DataObject::class)
+            ->setMethods(['getTemplateSenderName', 'getTemplateSenderEmail'])
+            ->getMock();
+        $row->expects($this->atLeastOnce())->method('getTemplateSenderName')
+            ->willReturn($passedSender['sender']);
+        $row->expects($this->atLeastOnce())->method('getTemplateSenderEmail')
+            ->willReturn($passedSender['sender_email']);
+        $this->assertEquals(
+            $expectedSender['sender'] . ' [' . $expectedSender['sender_email'] . ']',
+            $this->sender->render($row)
+        );
+    }
+
+    /**
+     * @return array
+     */
+    public function rendererDataProvider()
+    {
+        return [
+            [
+                [
+                    'sender' => 'Sender',
+                    'sender_email' => 'sender@example.com',
+                ],
+                [
+                    'sender' => 'Sender',
+                    'sender_email' => 'sender@example.com',
+                ],
+            ],
+            [
+                [
+                    'sender' => "<br>'Sender'</br>",
+                    'sender_email' => "<br>'email@example.com'</br>",
+                ],
+                [
+                    'sender' => "&lt;br&gt;'Sender'&lt;/br&gt;",
+                    'sender_email' => "&lt;br&gt;'email@example.com'&lt;/br&gt;",
+                ],
+            ],
+            [
+                [
+                    'sender' => '"<script>alert(document.domain)</script>"@example.com',
+                    'sender_email' => '"<script>alert(document.domain)</script>"@example.com',
+                ],
+                [
+                    'sender' => '&quot;&lt;script&gt;alert(document.domain)&lt;/script&gt;&quot;@example.com',
+                    'sender_email' => '&quot;&lt;script&gt;alert(document.domain)&lt;/script&gt;&quot;@example.com',
+                ],
+            ],
+        ];
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@`
`14`	`14`	`class Sender extends \Magento\Backend\Block\Widget\Grid\Column\Renderer\AbstractRenderer`
`15`	`15`	`{`
`16`	`16`	`/**`
`17`		`- * Renderer for "Action" column in Newsletter templates grid`
	`17`	`+ * Renderer for "Action" column in Newsletter templates grid.`
`18`	`18`	`*`
`19`	`19`	`* @param \Magento\Framework\DataObject $row`
`20`	`20`	`* @return string`
`@@ -26,11 +26,12 @@ public function render(\Magento\Framework\DataObject $row)`
`26`	`26`	`$str .= htmlspecialchars($row->getTemplateSenderName()) . ' ';`
`27`	`27`	`}`
`28`	`28`	`if ($row->getTemplateSenderEmail()) {`
`29`		`- $str .= '[' . $row->getTemplateSenderEmail() . ']';`
	`29`	`+ $str .= '[' . htmlspecialchars($row->getTemplateSenderEmail()) . ']';`
`30`	`30`	`}`
`31`	`31`	`if ($str == '') {`
`32`	`32`	`$str .= '---';`
`33`	`33`	`}`
	`34`	`+`
`34`	`35`	`return $str;`
`35`	`36`	`}`
`36`	`37`	`}`