Merge pull request #3981 from magento-tsg/2.3-qwerty-pr46

[TSG] Upporting for 2.3 (pr46) (2.3-qwerty)

Author: dvoskoboinikov

app/code/Magento/Cms/Test/Unit/Ui/Component/Listing/Column/BlockActionsTest.php

@@ -14,7 +14,7 @@
 use PHPUnit_Framework_MockObject_MockObject as MockObject;
 
 /**
- * BlockActionsTest contains unit tests for \Magento\Cms\Ui\Component\Listing\Column\BlockActions class
+ * BlockActionsTest contains unit tests for \Magento\Cms\Ui\Component\Listing\Column\BlockActions class.
  */
 class BlockActionsTest extends \PHPUnit\Framework\TestCase
 {
@@ -33,6 +33,9 @@ class BlockActionsTest extends \PHPUnit\Framework\TestCase
      */
     private $urlBuilder;
 
+    /**
+     * @inheritdoc
+     */
     protected function setUp()
     {
         $objectManager = new ObjectManager($this);
@@ -42,15 +45,15 @@ protected function setUp()
         $processor = $this->getMockBuilder(Processor::class)
             ->disableOriginalConstructor()
             ->getMock();
-        $context->expects(static::never())
+        $context->expects($this->never())
             ->method('getProcessor')
             ->willReturn($processor);
 
         $this->urlBuilder = $this->createMock(UrlInterface::class);
 
         $this->escaper = $this->getMockBuilder(Escaper::class)
             ->disableOriginalConstructor()
-            ->setMethods(['escapeHtml'])
+            ->setMethods(['escapeHtmlAttr'])
             ->getMock();
 
         $this->blockActions = $objectManager->getObject(BlockActions::class, [
@@ -62,7 +65,10 @@ protected function setUp()
     }
 
     /**
+     * Unit test for prepareDataSource method.
+     *
      * @covers \Magento\Cms\Ui\Component\Listing\Column\BlockActions::prepareDataSource
+     * @return void
      */
     public function testPrepareDataSource()
     {
@@ -73,10 +79,10 @@ public function testPrepareDataSource()
                 'items' => [
                     [
                         'block_id' => $blockId,
-                        'title' => $title
-                    ]
-                ]
-            ]
+                        'title' => $title,
+                    ],
+                ],
+            ],
         ];
         $name = 'item_name';
         $expectedItems = [
@@ -93,34 +99,34 @@ public function testPrepareDataSource()
                         'label' => __('Delete'),
                         'confirm' => [
                             'title' => __('Delete %1', $title),
-                            'message' => __('Are you sure you want to delete a %1 record?', $title)
+                            'message' => __('Are you sure you want to delete a %1 record?', $title),
                         ],
-                        'post' => true
-                    ]
+                        'post' => true,
+                    ],
                 ],
-            ]
+            ],
         ];
 
-        $this->escaper->expects(static::once())
-            ->method('escapeHtml')
+        $this->escaper->expects($this->once())
+            ->method('escapeHtmlAttr')
             ->with($title)
             ->willReturn($title);
 
-        $this->urlBuilder->expects(static::exactly(2))
+        $this->urlBuilder->expects($this->exactly(2))
             ->method('getUrl')
             ->willReturnMap(
                 [
                     [
                         BlockActions::URL_PATH_EDIT,
                         [
-                            'block_id' => $blockId
+                            'block_id' => $blockId,
                         ],
                         'test/url/edit',
                     ],
                     [
                         BlockActions::URL_PATH_DELETE,
                         [
-                            'block_id' => $blockId
+                            'block_id' => $blockId,
                         ],
                         'test/url/delete',
                     ],
@@ -130,6 +136,6 @@ public function testPrepareDataSource()
         $this->blockActions->setData('name', $name);
 
         $actual = $this->blockActions->prepareDataSource($items);
-        static::assertEquals($expectedItems, $actual['data']['items']);
+        $this->assertEquals($expectedItems, $actual['data']['items']);
     }
 }

app/code/Magento/Cms/Test/Unit/Ui/Component/Listing/Column/PageActionsTest.php

@@ -8,6 +8,9 @@
 use Magento\Cms\Ui\Component\Listing\Column\PageActions;
 use Magento\Framework\Escaper;
 
+/**
+ * Test for Magento\Cms\Ui\Component\Listing\Column\PageActions class.
+ */
 class PageActionsTest extends \PHPUnit\Framework\TestCase
 {
     public function testPrepareItemsByPageId()
@@ -68,12 +71,13 @@ public function testPrepareItemsByPageId()
                         'label' => __('Delete'),
                         'confirm' => [
                             'title' => __('Delete %1', $title),
-                            'message' => __('Are you sure you want to delete a %1 record?', $title)
+                            'message' => __('Are you sure you want to delete a %1 record?', $title),
+                            '__disableTmpl' => true,
                         ],
-                        'post' => true
-                    ]
+                        'post' => true,
+                    ],
                 ],
-            ]
+            ],
         ];
 
         $escaper->expects(static::once())

app/code/Magento/Cms/Ui/Component/Listing/Column/BlockActions.php

@@ -13,7 +13,7 @@
 use Magento\Framework\Escaper;
 
 /**
- * Class BlockActions
+ * Class to build edit and delete link for each item.
  */
 class BlockActions extends Column
 {
@@ -35,8 +35,6 @@ class BlockActions extends Column
     private $escaper;
 
     /**
-     * Constructor
-     *
      * @param ContextInterface $context
      * @param UiComponentFactory $uiComponentFactory
      * @param UrlInterface $urlBuilder
@@ -62,31 +60,31 @@ public function prepareDataSource(array $dataSource)
         if (isset($dataSource['data']['items'])) {
             foreach ($dataSource['data']['items'] as & $item) {
                 if (isset($item['block_id'])) {
-                    $title = $this->getEscaper()->escapeHtml($item['title']);
+                    $title = $this->getEscaper()->escapeHtmlAttr($item['title']);
                     $item[$this->getData('name')] = [
                         'edit' => [
                             'href' => $this->urlBuilder->getUrl(
                                 static::URL_PATH_EDIT,
                                 [
-                                    'block_id' => $item['block_id']
+                                    'block_id' => $item['block_id'],
                                 ]
                             ),
-                            'label' => __('Edit')
+                            'label' => __('Edit'),
                         ],
                         'delete' => [
                             'href' => $this->urlBuilder->getUrl(
                                 static::URL_PATH_DELETE,
                                 [
-                                    'block_id' => $item['block_id']
+                                    'block_id' => $item['block_id'],
                                 ]
                             ),
                             'label' => __('Delete'),
                             'confirm' => [
                                 'title' => __('Delete %1', $title),
-                                'message' => __('Are you sure you want to delete a %1 record?', $title)
+                                'message' => __('Are you sure you want to delete a %1 record?', $title),
                             ],
-                            'post' => true
-                        ]
+                            'post' => true,
+                        ],
                     ];
                 }
             }

app/code/Magento/Cms/Ui/Component/Listing/Column/PageActions.php

@@ -85,9 +85,10 @@ public function prepareDataSource(array $dataSource)
                         'label' => __('Delete'),
                         'confirm' => [
                             'title' => __('Delete %1', $title),
-                            'message' => __('Are you sure you want to delete a %1 record?', $title)
+                            'message' => __('Are you sure you want to delete a %1 record?', $title),
+                            '__disableTmpl' => true,
                         ],
-                        'post' => true
+                        'post' => true,
                     ];
                 }
                 if (isset($item['identifier'])) {

app/code/Magento/Sales/Controller/Guest/View.php

@@ -9,8 +9,12 @@
 use Magento\Sales\Helper\Guest as GuestHelper;
 use Magento\Framework\View\Result\PageFactory;
 use Magento\Framework\Controller\ResultInterface;
+use Magento\Framework\App\Action\HttpPostActionInterface as HttpPostActionInterface;
 
-class View extends Action\Action
+/**
+ * Guest order view action.
+ */
+class View extends Action\Action implements HttpPostActionInterface
 {
     /**
      * @var \Magento\Sales\Helper\Guest
@@ -38,7 +42,7 @@ public function __construct(
     }
 
     /**
-     * @return \Magento\Framework\Controller\ResultInterface
+     * @inheritdoc
      */
     public function execute()
     {

dev/tests/integration/testsuite/Magento/Sales/Controller/Guest/FormTest.php

@@ -40,6 +40,7 @@ public function testViewOrderAsGuest()
     public function testViewOrderAsLoggedIn()
     {
         $this->login(1);
+        $this->getRequest()->setMethod(Request::METHOD_POST);
         $this->dispatch('sales/guest/view/');
         $this->assertRedirect($this->stringContains('sales/order/history/'));
     }

dev/tests/integration/testsuite/Magento/Sales/Controller/Guest/ViewTest.php

@@ -0,0 +1,28 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Sales\Controller\Guest;
+
+use Magento\TestFramework\Request;
+use Magento\TestFramework\TestCase\AbstractController;
+
+/**
+ * Test for \Magento\Sales\Controller\Guest\View class.
+ */
+class ViewTest extends AbstractController
+{
+    /**
+     * Check that controller applied only POST requests.
+     */
+    public function testExecuteWithNonPostRequest()
+    {
+        $this->getRequest()->setMethod(Request::METHOD_GET);
+        $this->dispatch('sales/guest/view/');
+
+        $this->assert404NotFound();
+    }
+}

lib/internal/Magento/Framework/Escaper.php

@@ -67,7 +67,7 @@ public function escapeHtml($data, $allowedTags = null)
             foreach ($data as $item) {
                 $result[] = $this->escapeHtml($item, $allowedTags);
             }
-        } elseif (strlen($data)) {
+        } elseif (!empty($data)) {
             if (is_array($allowedTags) && !empty($allowedTags)) {
                 $allowedTags = $this->filterProhibitedTags($allowedTags);
                 $wrapperElementId = uniqid();
@@ -328,7 +328,8 @@ public function escapeXssInUrl($data)
      */
     private function escapeScriptIdentifiers(string $data): string
     {
-        $filteredData = preg_replace(self::$xssFiltrationPattern, ':', $data) ?: '';
+        $filteredData = preg_replace('/[\x00-\x1F\x7F\xA0]/u', '', $data) ?: '';
+        $filteredData = preg_replace(self::$xssFiltrationPattern, ':', $filteredData) ?: '';
         if (preg_match(self::$xssFiltrationPattern, $filteredData)) {
             $filteredData = $this->escapeScriptIdentifiers($filteredData);
         }

lib/internal/Magento/Framework/Test/Unit/EscaperTest.php

@@ -43,6 +43,7 @@ protected function setUp()
      *
      * @param int $codepoint Unicode codepoint in hex notation
      * @return string UTF-8 literal string
+     * @throws \Exception
      */
     protected function codepointToUtf8($codepoint)
     {
@@ -265,15 +266,36 @@ public function escapeHtmlInvalidDataProvider()
 
     /**
      * @covers \Magento\Framework\Escaper::escapeUrl
+     *
+     * @param string $data
+     * @param string $expected
+     * @return void
+     *
+     * @dataProvider escapeUrlDataProvider
      */
-    public function testEscapeUrl()
+    public function testEscapeUrl(string $data, string $expected): void
     {
-        $data = 'http://example.com/search?term=this+%26+that&view=list';
-        $expected = 'http://example.com/search?term=this+%26+that&view=list';
         $this->assertEquals($expected, $this->escaper->escapeUrl($data));
         $this->assertEquals($expected, $this->escaper->escapeUrl($expected));
     }
 
+    /**
+     * @return array
+     */
+    public function escapeUrlDataProvider(): array
+    {
+        return [
+            [
+                'data' => "http://example.com/search?term=this+%26+that&view=list",
+                'expected' => "http://example.com/search?term=this+%26+that&view=list",
+            ],
+            [
+                'data' => "http://exam\r\nple.com/search?term=this+%26+that&view=list",
+                'expected' => "http://example.com/search?term=this+%26+that&view=list",
+            ],
+        ];
+    }
+
     /**
      * @covers \Magento\Framework\Escaper::escapeJsQuote
      */