Merge branch '2.2.7-develop' into MAGETWO-61322

Author: mduuude

app/code/Magento/AdminNotification/Block/Grid/Renderer/Actions.php

@@ -8,6 +8,9 @@
 
 namespace Magento\AdminNotification\Block\Grid\Renderer;
 
+/**
+ * Renderer class for action in the admin notifications grid
+ */
 class Actions extends \Magento\Backend\Block\Widget\Grid\Column\Renderer\AbstractRenderer
 {
     /**
@@ -37,7 +40,8 @@ public function __construct(
      */
     public function render(\Magento\Framework\DataObject $row)
     {
-        $readDetailsHtml = $row->getUrl() ? '<a class="action-details" target="_blank" href="' . $row->getUrl() . '">' .
+        $readDetailsHtml = $row->getUrl() ? '<a class="action-details" target="_blank" href="' .
+            $this->escapeUrl($row->getUrl()) . '">' .
             __('Read Details') . '</a>' : '';
 
         $markAsReadHtml = !$row->getIsRead() ? '<a class="action-mark" href="' . $this->getUrl(

app/code/Magento/Widget/Block/Adminhtml/Widget.php

@@ -12,11 +12,12 @@
  *
  * @api
  * @since 100.0.2
+ * @SuppressWarnings(PHPMD.RequestAwareBlockMethod)
  */
 class Widget extends \Magento\Backend\Block\Widget\Form\Container
 {
     /**
-     * @return void
+     * @inheritdoc
      */
     protected function _construct()
     {
@@ -36,12 +37,16 @@ protected function _construct()
         $this->buttonList->update('save', 'region', 'footer');
         $this->buttonList->update('save', 'data_attribute', []);
 
-        $this->_formScripts[] = 'require(["mage/adminhtml/wysiwyg/widget"], function(){wWidget = new WysiwygWidget.Widget(' .
-            '"widget_options_form", "select_widget_type", "widget_options", "' .
-            $this->getUrl(
-                'adminhtml/*/loadOptions'
-            ) . '", "' . $this->getRequest()->getParam(
-                'widget_target_id'
-            ) . '");});';
+        $this->_formScripts[] = <<<EOJS
+ 		require(['mage/adminhtml/wysiwyg/widget'], function() {
+ 		    wWidget = new WysiwygWidget.Widget(
+ 		        'widget_options_form',
+ 		        'select_widget_type',
+ 		        'widget_options',
+ 		        '{$this->getUrl('adminhtml/*/loadOptions')}',
+ 		        '{$this->escapeJs($this->getRequest()->getParam('widget_target_id'))}'
+ 		    );
+ 		});
+EOJS;
     }
 }

dev/tests/static/framework/Magento/CodeMessDetector/Rule/Design/RequestAwareBlockMethod.php

@@ -0,0 +1,53 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\CodeMessDetector\Rule\Design;
+
+use PHPMD\AbstractNode;
+use PHPMD\AbstractRule;
+use PHPMD\Node\ClassNode;
+use PHPMD\Node\MethodNode;
+use PDepend\Source\AST\ASTMethod;
+use PHPMD\Rule\MethodAware;
+
+/**
+ * Detect direct request usages.
+ */
+class RequestAwareBlockMethod extends AbstractRule implements MethodAware
+{
+    /**
+     * @inheritDoc
+     *
+     * @param ASTMethod|MethodNode $method
+     */
+    public function apply(AbstractNode $method)
+    {
+        $definedIn = $method->getParentType();
+        try {
+            $isBlock = ($definedIn instanceof ClassNode)
+                && is_subclass_of(
+                    $definedIn->getFullQualifiedName(),
+                    \Magento\Framework\View\Element\AbstractBlock::class
+                );
+        } catch (\Throwable $exception) {
+            //Failed to load classes.
+            return;
+        }
+
+        if ($isBlock) {
+            $nodes = $method->findChildrenOfType('PropertyPostfix') + $method->findChildrenOfType('MethodPostfix');
+            foreach ($nodes as $node) {
+                $name = mb_strtolower($node->getFirstChildOfType('Identifier')->getImage());
+                if ($name === '_request' || $name === 'getrequest') {
+                    $this->addViolation($method, [$method->getFullQualifiedName()]);
+                    break;
+                }
+            }
+        }
+    }
+}

dev/tests/static/framework/Magento/CodeMessDetector/resources/rulesets/design.xml

@@ -29,6 +29,37 @@ final class Foo
 }
 class Baz {
     final public function bad() {}
+}
+            ]]>
+        </example>
+    </rule>
+    <rule name="RequestAwareBlockMethod"
+          class="Magento\CodeMessDetector\Rule\Design\RequestAwareBlockMethod"
+          message="{0} uses request object directly. Add user input validation and suppress this warning.">
+        <description>
+            <![CDATA[
+Blocks must not depend on being used with certain controllers.
+If you use request object in a block directly you must validate all user input inside the block.
+            ]]>
+        </description>
+        <priority>2</priority>
+        <properties />
+        <example>
+            <![CDATA[
+class MyOrder extends AbstractBlock
+{
+
+    .......
+
+    public function getOrder()
+    {
+        $orderId = $this->getRequest()->getParam('order_id');
+        //Validate customer having such order.
+        if (!$this->hasOrder($this->getCustomerId(), $orderId)) {
+            ...deny access...
+        }
+        .....
+    }
 }
             ]]>
         </example>

dev/tests/static/testsuite/Magento/Test/Php/_files/phpmd/ruleset.xml

@@ -47,5 +47,5 @@
 
     <!-- Magento Specific Rules -->
     <rule ref="Magento/CodeMessDetector/resources/rulesets/design.xml/FinalImplementation" />
-
+    <rule ref="Magento/CodeMessDetector/resources/rulesets/design.xml/RequestAwareBlockMethod" />
 </ruleset>