
Commit a5bab5a

authored
Merge pull request #4428 from magento-obsessive-owls/MC-16112
[Owls] Security Bug MC-16112
2 parents 23c0ef4 + 60c3c25 commit a5bab5a


19 files changed

+159
-54
lines changed


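--- a/app/code/Magento/Catalog/Test/Unit/Ui/Component/Product/MassActionTest.php
+++ b/app/code/Magento/Catalog/Test/Unit/Ui/Component/Product/MassActionTest.php
@@ -12,6 +12,9 @@
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
 use Magento\Framework\View\Element\UiComponent\ContextInterface;
 
+/**
+* MassAction test
+*/
 class MassActionTest extends \PHPUnit\Framework\TestCase
 {
 /**
@@ -103,7 +106,8 @@ public function getPrepareDataProvider() : array
 [
 'type' => 'first_action',
 'label' => 'First Action',
-'url' => '/module/controller/firstAction'
+'url' => '/module/controller/firstAction',
+'__disableTmpl' => true
 ],
 ],
 [
@@ -122,7 +126,8 @@ public function getPrepareDataProvider() : array
 'label' => 'Second Sub Action 2',
 'url' => '/module/controller/secondSubAction2'
 ],
-]
+],
+'__disableTmpl' => true
 ],
 ],
 [
@@ -141,7 +146,8 @@ public function getPrepareDataProvider() : array
 'label' => 'Second Sub Action 2',
 'url' => '/module/controller/disable'
 ],
-]
+],
+'__disableTmpl' => true
 ],
 ],
 [
@@ -160,7 +166,8 @@ public function getPrepareDataProvider() : array
 'label' => 'Second Sub Action 2',
 'url' => '/module/controller/disable'
 ],
-]
+],
+'__disableTmpl' => true
 ],
 false,
 false
@@ -170,15 +177,17 @@ public function getPrepareDataProvider() : array
 [
 'type' => 'delete',
 'label' => 'First Action',
-'url' => '/module/controller/delete'
+'url' => '/module/controller/delete',
+'__disableTmpl' => true
 ],
 ],
 [
 'delete_component_not_allowed',
 [
 'type' => 'delete',
 'label' => 'First Action',
-'url' => '/module/controller/delete'
+'url' => '/module/controller/delete',
+'__disableTmpl' => true
 ],
 false,
 false
@@ -188,15 +197,17 @@ public function getPrepareDataProvider() : array
 [
 'type' => 'delete',
 'label' => 'First Action',
-'url' => '/module/controller/attributes'
+'url' => '/module/controller/attributes',
+'__disableTmpl' => true
 ],
 ],
 [
 'attributes_component_not_allowed',
 [
 'type' => 'delete',
 'label' => 'First Action',
-'url' => '/module/controller/attributes'
+'url' => '/module/controller/attributes',
+'__disableTmpl' => true
 ],
 false,
 false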

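--- a/app/code/Magento/Catalog/Ui/Component/Listing/Columns/ProductActions.php
+++ b/app/code/Magento/Catalog/Ui/Component/Listing/Columns/ProductActions.php
@@ -60,6 +60,7 @@ public function prepareDataSource(array $dataSource)
 ),
 'label' => __('Edit'),
 'hidden' => false,
+'__disableTmpl' => true
 ];
 }
 }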
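Review bot: The added `'__disableTmpl' => true` entry carries no trailing comma, while the Cms files in this same commit (BlockActions.php, PageActions.php) write the same key as `'__disableTmpl' => true,`; the Customer Actions.php and GroupActions.php hunks have the same inconsistency. The trailing-comma form is the project's multi-line array style and makes the next addition a one-line diff, so I would write `'__disableTmpl' => true,` here. Since the key is a security control rather than ordinary config, a one-line why-comment would help the next maintainer keep it when the array is touched: `// Opt this action's strings out of client-side template interpolation`. The enclosing prepareDataSource() starts outside the hunk.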

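--- a/app/code/Magento/Catalog/Ui/Component/Product/MassAction.php
+++ b/app/code/Magento/Catalog/Ui/Component/Product/MassAction.php
@@ -12,6 +12,9 @@
 use Magento\Framework\View\Element\UiComponent\ContextInterface;
 use Magento\Ui\Component\AbstractComponent;
 
+/**
+* Class MassAction
+*/
 class MassAction extends AbstractComponent
 {
 const NAME = 'massaction';
@@ -40,7 +43,7 @@ public function __construct(
 }
 
 /**
-* {@inheritdoc}
+* @inheritdoc
 */
 public function prepare() : void
 {
@@ -49,7 +52,7 @@ public function prepare() : void
 foreach ($this->getChildComponents() as $actionComponent) {
 $actionType = $actionComponent->getConfiguration()['type'];
 if ($this->isActionAllowed($actionType)) {
-$config['actions'][] = array_merge($actionComponent->getConfiguration(), ['__disableTmpl' => true]);
+$config['actions'][] = array_merge($actionComponent->getConfiguration(), ['__disableTmpl' => true]);
 }
 }
 $origConfig = $this->getConfiguration();
@@ -64,7 +67,7 @@ public function prepare() : void
 }
 
 /**
-* {@inheritdoc}
+* @inheritdoc
 */
 public function getComponentName() : string
 {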
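Review bot: The `array_merge(...)` in prepare() sets `__disableTmpl` only on the top-level entry of each allowed action; the data provider in MassActionTest.php in this same commit shows actions that carry a nested `actions` sub-array, and those sub-entries receive no flag. If the client-side template utility honours `__disableTmpl` only on the object it is set on rather than cascading to nested objects, the sub-action labels and urls would still be interpolated — worth confirming against the JS side before relying on this one merge. Argument order is load-bearing here: because the flag array is the second argument it overrides any `__disableTmpl` a child component declared, which is the safe direction, and a comment would keep a future refactor from swapping it: `// Flag array goes last so a child config cannot re-enable template interpolation`. The rest of prepare() continues outside the hunk.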

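--- a/app/code/Magento/Cms/Test/Unit/Ui/Component/Listing/Column/BlockActionsTest.php
+++ b/app/code/Magento/Cms/Test/Unit/Ui/Component/Listing/Column/BlockActionsTest.php
@@ -56,10 +56,13 @@ protected function setUp()
 ->setMethods(['escapeHtmlAttr'])
 ->getMock();
 
-$this->blockActions = $objectManager->getObject(BlockActions::class, [
-'context' => $context,
-'urlBuilder' => $this->urlBuilder
-]);
+$this->blockActions = $objectManager->getObject(
+BlockActions::class,
+[
+'context' => $context,
+'urlBuilder' => $this->urlBuilder
+]
+);
 
 $objectManager->setBackwardCompatibleProperty($this->blockActions, 'escaper', $this->escaper);
 }
@@ -93,6 +96,7 @@ public function testPrepareDataSource()
 'edit' => [
 'href' => 'test/url/edit',
 'label' => __('Edit'),
+'__disableTmpl' => true,
 ],
 'delete' => [
 'href' => 'test/url/delete',
@@ -102,6 +106,7 @@ public function testPrepareDataSource()
 'message' => __('Are you sure you want to delete a %1 record?', $title),
 ],
 'post' => true,
+'__disableTmpl' => true,
 ],
 ],
 ],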

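--- a/app/code/Magento/Cms/Test/Unit/Ui/Component/Listing/Column/PageActionsTest.php
+++ b/app/code/Magento/Cms/Test/Unit/Ui/Component/Listing/Column/PageActionsTest.php
@@ -65,6 +65,7 @@ public function testPrepareItemsByPageId()
 'edit' => [
 'href' => 'test/url/edit',
 'label' => __('Edit'),
+'__disableTmpl' => true,
 ],
 'delete' => [
 'href' => 'test/url/delete',
@@ -75,6 +76,7 @@ public function testPrepareItemsByPageId()
 '__disableTmpl' => true,
 ],
 'post' => true,
+'__disableTmpl' => true,
 ],
 ],
 ],
@@ -84,7 +86,6 @@ public function testPrepareItemsByPageId()
 ->method('escapeHtml')
 ->with($title)
 ->willReturn($title);
-
 // Configure mocks and object data
 $urlBuilderMock->expects($this->any())
 ->method('getUrl')
@@ -106,7 +107,6 @@ public function testPrepareItemsByPageId()
 ],
 ]
 );
-
 $model->setName($name);
 $items = $model->prepareDataSource($items);
 // Run test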

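--- a/app/code/Magento/Cms/Ui/Component/Listing/Column/BlockActions.php
+++ b/app/code/Magento/Cms/Ui/Component/Listing/Column/BlockActions.php
@@ -70,6 +70,7 @@ public function prepareDataSource(array $dataSource)
 ]
 ),
 'label' => __('Edit'),
+'__disableTmpl' => true,
 ],
 'delete' => [
 'href' => $this->urlBuilder->getUrl(
@@ -84,6 +85,7 @@ public function prepareDataSource(array $dataSource)
 'message' => __('Are you sure you want to delete a %1 record?', $title),
 ],
 'post' => true,
+'__disableTmpl' => true,
 ],
 ];
 }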
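Review bot: In the delete action's second hunk the `confirm` sub-array closes (the `],` after the `'message'` line) without a `__disableTmpl` of its own, whereas PageActions.php in this same commit keeps the flag both inside `confirm` and at the action level. The `'message'` entry interpolates `$title`, which is row data, so it is the string most worth protecting; if the client-side check does not cascade from the action object into nested objects, this sub-array stays interpolated. The start of the `confirm` array is above the hunk, so the flag may already be declared there — if it is not, add `'__disableTmpl' => true,` after the `'message'` line to match PageActions. The enclosing prepareDataSource() starts outside the hunk.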

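--- a/app/code/Magento/Cms/Ui/Component/Listing/Column/PageActions.php
+++ b/app/code/Magento/Cms/Ui/Component/Listing/Column/PageActions.php
@@ -77,7 +77,8 @@ public function prepareDataSource(array $dataSource)
 if (isset($item['page_id'])) {
 $item[$name]['edit'] = [
 'href' => $this->urlBuilder->getUrl($this->editUrl, ['page_id' => $item['page_id']]),
-'label' => __('Edit')
+'label' => __('Edit'),
+'__disableTmpl' => true,
 ];
 $title = $this->getEscaper()->escapeHtml($item['title']);
 $item[$name]['delete'] = [
@@ -89,6 +90,7 @@ public function prepareDataSource(array $dataSource)
 '__disableTmpl' => true,
 ],
 'post' => true,
+'__disableTmpl' => true,
 ];
 }
 if (isset($item['identifier'])) {
@@ -98,7 +100,8 @@ public function prepareDataSource(array $dataSource)
 isset($item['_first_store_id']) ? $item['_first_store_id'] : null,
 isset($item['store_code']) ? $item['store_code'] : null
 ),
-'label' => __('View')
+'label' => __('View'),
+'__disableTmpl' => true,
 ];
 }
 }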

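--- a/app/code/Magento/Customer/Test/Unit/Ui/Component/Listing/Column/ActionsTest.php
+++ b/app/code/Magento/Customer/Test/Unit/Ui/Component/Listing/Column/ActionsTest.php
@@ -7,6 +7,9 @@
 
 use Magento\Customer\Ui\Component\Listing\Column\Actions;
 
+/**
+* Class ActionsTest
+*/
 class ActionsTest extends \PHPUnit\Framework\TestCase
 {
 /** @var Actions */
@@ -64,7 +67,8 @@ public function testPrepareDataSource()
 'edit' => [
 'href' => 'http://magento.com/customer/index/edit',
 'label' => new \Magento\Framework\Phrase('Edit'),
-'hidden' => false
+'hidden' => false,
+'__disableTmpl' => true,
 ]
 ]
 ],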

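--- a/app/code/Magento/Customer/Ui/Component/Listing/Column/Actions.php
+++ b/app/code/Magento/Customer/Ui/Component/Listing/Column/Actions.php
@@ -60,6 +60,7 @@ public function prepareDataSource(array $dataSource)
 ),
 'label' => __('Edit'),
 'hidden' => false,
+'__disableTmpl' => true
 ];
 }
 }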

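--- a/app/code/Magento/Customer/Ui/Component/Listing/Column/GroupActions.php
+++ b/app/code/Magento/Customer/Ui/Component/Listing/Column/GroupActions.php
@@ -79,6 +79,7 @@ public function prepareDataSource(array $dataSource)
 ]
 ),
 'label' => __('Edit'),
+'__disableTmpl' => true
 ],
 ];
 
@@ -102,7 +103,8 @@ public function prepareDataSource(array $dataSource)
 $this->escaper->escapeJs($title)
 )
 ],
-'post' => true
+'post' => true,
+'__disableTmpl' => true
 ];
 }
 }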
