Merge branch 'develop' of github.corp.ebay.com:magento2/magento2ce into develop

Author: Volodymyr klymenko

app/code/Magento/OfflinePayments/etc/adminhtml/system.xml

@@ -166,7 +166,7 @@
                     <label>Automatically Invoice All Items</label>
                     <source_model>Magento\Payment\Model\Source\Invoice</source_model>
                     <depends>
-                        <field id="order_status" separator=",">processing,processed_ogone</field>
+                        <field id="order_status" separator=",">processing</field>
                     </depends>
                 </field>
                 <field id="sort_order" translate="label" type="text" sortOrder="100" showInDefault="1" showInWebsite="1" showInStore="0">

app/code/Magento/Payment/view/frontend/templates/transparent/iframe.phtml

@@ -13,9 +13,9 @@ $params = $block->getParams();
     <head>
         <script>
         <?php if (isset($params['redirect'])): ?>
-            window.location="<?php echo $block->escapeUrl($params['redirect']) ?>";
+            window.location="<?php echo $block->escapeXssInUrl($params['redirect']) ?>";
         <?php elseif (isset($params['redirect_parent'])): ?>
-            window.top.location="<?php echo $block->escapeUrl($params['redirect_parent']) ?>";
+            window.top.location="<?php echo $block->escapeXssInUrl($params['redirect_parent']) ?>";
         <?php elseif (isset($params['error_msg'])): ?>
             window.top.alert(<?php echo $this->helper('Magento\Framework\Json\Helper\Data')->jsonEncode($params['error_msg']) ?>);
         <?php elseif (isset($params['order_success'])): ?>

dev/tests/integration/testsuite/Magento/Payment/Block/Transparent/IframeTest.php

@@ -5,16 +5,19 @@
  */
 namespace Magento\Payment\Block\Transparent;
 
+/**
+ * Class IframeTest
+ * @package Magento\Payment\Block\Transparent
+ */
 class IframeTest extends \PHPUnit_Framework_TestCase
 {
     /**
      * @magentoAppIsolation enabled
      * @magentoAppArea frontend
+     * @dataProvider xssDataProvider
      */
-    public function testToHtml()
+    public function testToHtml($xssString)
     {
-        $xssString = '</script><script>alert("XSS")</script>';
-
         /** @var $block Iframe */
         $block = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->get(
             'Magento\Framework\View\LayoutInterface'
@@ -34,7 +37,20 @@ public function testToHtml()
 
         $content = $block->toHtml();
 
-        $this->assertNotContains($xssString, $content, 'Params mast be escaped');
-        $this->assertContains(htmlspecialchars($xssString), $content, 'Content must present');
+        $this->assertNotContains($xssString, $content, 'Params must be escaped');
+        $this->assertContains($block->escapeXssInUrl($xssString), $content, 'Content must be present');
+    }
+
+    /**
+     * @return array
+     */
+    public function xssDataProvider()
+    {
+        return [
+            ['</script><script>alert("XSS")</script>'],
+            ['javascript%3Aalert%28String.fromCharCode%280x78%29%2BString.fromCharCode%280x73%29%2BString.'
+                . 'fromCharCode%280x73%29%29'],
+            ['javascript:alert(String.fromCharCode(0x78)+String.fromCharCode(0x73)+String.fromCharCode(0x73))']
+        ];
     }
 }

dev/tools/Magento/Tools/Migration/factory_table_names/replace_ce.php

@@ -230,7 +230,6 @@
     'oauth/consumer' => 'oauth_consumer',
     'oauth/nonce' => 'oauth_nonce',
     'oauth/token' => 'oauth_token',
-    'ogone/api_debug' => 'ogone_api_debug',
     'oscommerce/catalog_category' => 'catalog_category_entity',
     'oscommerce/catalog_product_website' => 'catalog_product_website',
     'oscommerce/oscommerce' => 'oscommerce_import',

lib/internal/Magento/Framework/Escaper.php

@@ -70,6 +70,24 @@ public function escapeJsQuote($data, $quote = '\'')
         return $result;
     }
 
+    /**
+     * Escape xss in urls
+     *
+     * @param string $data
+     * @return string
+     */
+    public function escapeXssInUrl($data)
+    {
+        $result = $data;
+        $urlQuery = parse_url($data, PHP_URL_QUERY);
+        if ($urlQuery !== null && strpos($urlQuery, 'javascript') !== false) {
+            $result = str_replace($urlQuery, '', $data);
+        } elseif (parse_url($data, PHP_URL_HOST) === null) {
+            $result = str_replace('javascript', '', $data);
+        }
+        return htmlspecialchars($result, ENT_COMPAT, 'UTF-8', false);
+    }
+
     /**
      * Escape quotes inside html attributes
      * Use $addSlashes = false for escaping js that inside html attribute (onClick, onSubmit etc)

lib/internal/Magento/Framework/Test/Unit/EscaperTest.php

@@ -92,4 +92,16 @@ public function testEscapeQuote()
         $this->assertEquals($expected[0], $this->_escaper->escapeQuote($data));
         $this->assertEquals($expected[1], $this->_escaper->escapeQuote($data, true));
     }
+
+    /**
+     * @covers \Magento\Framework\Escaper::escapeXssInUrl
+     */
+    public function testEscapeXssInUrl()
+    {
+        $data = 'javascript%3Aalert%28String.fromCharCode%280x78%29%2BString.'
+            . 'fromCharCode%280x73%29%2BString.fromCharCode%280x73%29%29';
+        $expected = '%3Aalert%28String.fromCharCode%280x78%29%2BString.'
+            . 'fromCharCode%280x73%29%2BString.fromCharCode%280x73%29%29';
+        $this->assertEquals($expected, $this->_escaper->escapeXssInUrl($data));
+    }
 }

lib/internal/Magento/Framework/View/Element/AbstractBlock.php

@@ -874,6 +874,17 @@ public function escapeUrl($data)
         return $this->_escaper->escapeUrl($data);
     }
 
+    /**
+     * Escape xss in urls
+     *
+     * @param string $data
+     * @return string
+     */
+    public function escapeXssInUrl($data)
+    {
+        return $this->_escaper->escapeXssInUrl($data);
+    }
+
     /**
      * Escape quotes inside html attributes
      *