MAGETWO-57271: Modify escapeHtml function to filter not allowed attributes and tags

Igor Melnikov · Igor Melnikov · commit cb30704c8e53 · 2016-09-02T12:46:17.000-05:00
Modifying function to filter not allowed tags and attributes
diff --git a/lib/internal/Magento/Framework/Escaper.php b/lib/internal/Magento/Framework/Escaper.php
@@ -36,7 +36,8 @@ class Escaper
     private $escapeAsUrlAttributes = ['href'];
 
     /**
-     * Escape string for HTML context, allowedTags will not be escaped
+     * Escape string for HTML context. allowedTags will not be escaped, except the following: script, img, embed,
+     * iframe, video, source, object, audio
      *
      * @param string|array $data
      * @param array|null $allowedTags

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,8 @@ class Escaper`
`36`	`36`	`private $escapeAsUrlAttributes = ['href'];`
`37`	`37`
`38`	`38`	`/**`
`39`		`- * Escape string for HTML context, allowedTags will not be escaped`
	`39`	`+ * Escape string for HTML context. allowedTags will not be escaped, except the following: script, img, embed,`
	`40`	`+ * iframe, video, source, object, audio`
`40`	`41`	`*`
`41`	`42`	`* @param string\|array $data`
`42`	`43`	`* @param array\|null $allowedTags`