MAGETWO-32743: Direct web link on Magento order transactions to backend records

Author: rliukshyn

app/code/Magento/Sales/Block/Adminhtml/Order/Comments/View.php

@@ -19,18 +19,26 @@ class View extends \Magento\Backend\Block\Template
      */
     protected $_salesData = null;
 
+    /**
+     * @var \Magento\Sales\Helper\Admin
+     */
+    private $adminHelper;
+
     /**
      * @param \Magento\Backend\Block\Template\Context $context
      * @param \Magento\Sales\Helper\Data $salesData
+     * @param \Magento\Sales\Helper\Admin $adminHelper
      * @param array $data
      */
     public function __construct(
         \Magento\Backend\Block\Template\Context $context,
         \Magento\Sales\Helper\Data $salesData,
+        \Magento\Sales\Helper\Admin $adminHelper,
         array $data = []
     ) {
         $this->_salesData = $salesData;
         parent::__construct($context, $data);
+        $this->adminHelper = $adminHelper;
     }
 
     /**
@@ -96,4 +104,16 @@ public function canSendCommentEmail()
         }
         return true;
     }
+
+    /**
+     * Replace links in string
+     *
+     * @param array|string $data
+     * @param null|array $allowedTags
+     * @return string
+     */
+    public function escapeHtml($data, $allowedTags = null)
+    {
+        return $this->adminHelper->escapeHtmlWithLinks($data, $allowedTags);
+    }
 }

app/code/Magento/Sales/Block/Adminhtml/Order/View/History.php

@@ -26,21 +26,29 @@ class History extends \Magento\Backend\Block\Template
      */
     protected $_salesData = null;
 
+    /**
+     * @var \Magento\Sales\Helper\Admin
+     */
+    private $adminHelper;
+
     /**
      * @param \Magento\Backend\Block\Template\Context $context
      * @param \Magento\Sales\Helper\Data $salesData
      * @param \Magento\Framework\Registry $registry
+     * @param \Magento\Sales\Helper\Admin $adminHelper
      * @param array $data
      */
     public function __construct(
         \Magento\Backend\Block\Template\Context $context,
         \Magento\Sales\Helper\Data $salesData,
         \Magento\Framework\Registry $registry,
+        \Magento\Sales\Helper\Admin $adminHelper,
         array $data = []
     ) {
         $this->_coreRegistry = $registry;
         $this->_salesData = $salesData;
         parent::__construct($context, $data);
+        $this->adminHelper = $adminHelper;
     }
 
     /**
@@ -122,4 +130,16 @@ public function isCustomerNotificationNotApplicable(\Magento\Sales\Model\Order\S
     {
         return $history->isCustomerNotificationNotApplicable();
     }
+
+    /**
+     * Replace links in string
+     *
+     * @param array|string $data
+     * @param null|array $allowedTags
+     * @return string
+     */
+    public function escapeHtml($data, $allowedTags = null)
+    {
+        return $this->adminHelper->escapeHtmlWithLinks($data, $allowedTags);
+    }
 }

app/code/Magento/Sales/Block/Adminhtml/Order/View/Tab/History.php

@@ -26,18 +26,26 @@ class History extends \Magento\Backend\Block\Template implements \Magento\Backen
      */
     protected $_coreRegistry = null;
 
+    /**
+     * @var \Magento\Sales\Helper\Admin
+     */
+    private $adminHelper;
+
     /**
      * @param \Magento\Backend\Block\Template\Context $context
      * @param \Magento\Framework\Registry $registry
+     * @param \Magento\Sales\Helper\Admin $adminHelper
      * @param array $data
      */
     public function __construct(
         \Magento\Backend\Block\Template\Context $context,
         \Magento\Framework\Registry $registry,
+        \Magento\Sales\Helper\Admin $adminHelper,
         array $data = []
     ) {
         $this->_coreRegistry = $registry;
         parent::__construct($context, $data);
+        $this->adminHelper = $adminHelper;
     }
 
     /**
@@ -192,8 +200,9 @@ public function isItemNotified(array $item, $isSimpleCheck = true)
      */
     public function getItemComment(array $item)
     {
-        $allowedTags = ['b', 'br', 'strong', 'i', 'u'];
-        return isset($item['comment']) ? $this->escapeHtml($item['comment'], $allowedTags) : '';
+        $allowedTags = ['b', 'br', 'strong', 'i', 'u', 'a'];
+        return isset($item['comment'])
+            ? $this->adminHelper->escapeHtmlWithLinks($item['comment'], $allowedTags) : '';
     }
 
     /**

app/code/Magento/Sales/Block/Adminhtml/Transactions/Detail.php

@@ -26,17 +26,25 @@ class Detail extends \Magento\Backend\Block\Widget\Container
      */
     protected $_coreRegistry = null;
 
+    /**
+     * @var \Magento\Sales\Helper\Admin
+     */
+    private $adminHelper;
+
     /**
      * @param \Magento\Backend\Block\Widget\Context $context
      * @param \Magento\Framework\Registry $registry
+     * @param \Magento\Sales\Helper\Admin $adminHelper
      * @param array $data
      */
     public function __construct(
         \Magento\Backend\Block\Widget\Context $context,
         \Magento\Framework\Registry $registry,
+        \Magento\Sales\Helper\Admin $adminHelper,
         array $data = []
     ) {
         $this->_coreRegistry = $registry;
+        $this->adminHelper = $adminHelper;
         parent::__construct($context, $data);
     }
 
@@ -97,7 +105,10 @@ public function getHeaderText()
      */
     protected function _toHtml()
     {
-        $this->setTxnIdHtml($this->escapeHtml($this->_txn->getTxnId()));
+        $this->setTxnIdHtml($this->adminHelper->escapeHtmlWithLinks(
+            $this->_txn->getHtmlTxnId(),
+            ['a']
+        ));
 
         $this->setParentTxnIdUrlHtml(
             $this->escapeHtml($this->getUrl('sales/transactions/view', ['txn_id' => $this->_txn->getParentId()]))

app/code/Magento/Sales/Helper/Admin.php

@@ -22,21 +22,29 @@ class Admin extends \Magento\Framework\App\Helper\AbstractHelper
      */
     protected $priceCurrency;
 
+    /**
+     * @var \Magento\Framework\Escaper
+     */
+    protected $escaper;
+
     /**
      * @param \Magento\Framework\App\Helper\Context $context
      * @param \Magento\Store\Model\StoreManagerInterface $storeManager
      * @param \Magento\Sales\Model\Config $salesConfig
      * @param \Magento\Framework\Pricing\PriceCurrencyInterface $priceCurrency
+     * @param \Magento\Framework\Escaper $escaper
      */
     public function __construct(
         \Magento\Framework\App\Helper\Context $context,
         \Magento\Store\Model\StoreManagerInterface $storeManager,
         \Magento\Sales\Model\Config $salesConfig,
-        \Magento\Framework\Pricing\PriceCurrencyInterface $priceCurrency
+        \Magento\Framework\Pricing\PriceCurrencyInterface $priceCurrency,
+        \Magento\Framework\Escaper $escaper
     ) {
         $this->priceCurrency = $priceCurrency;
         $this->_storeManager = $storeManager;
         $this->_salesConfig = $salesConfig;
+        $this->escaper = $escaper;
         parent::__construct($context);
     }
 
@@ -127,4 +135,29 @@ public function applySalableProductTypesFilter($collection)
         }
         return $collection;
     }
+
+    /**
+     * Escape string preserving links
+     *
+     * @param string $data
+     * @param null|array $allowedTags
+     * @return string
+     */
+    public function escapeHtmlWithLinks($data, $allowedTags = null)
+    {
+        if (!empty($data) && is_array($allowedTags) && in_array('a', $allowedTags)) {
+            $links = [];
+            $i = 1;
+            $data = str_replace('%', '%%', $data);
+            $regexp = '@(<a[^>]*>(?:[^<]|<[^/]|</[^a]|</a[^>])*</a>)@';
+            while (preg_match($regexp, $data, $matches)) {
+                $links[] = $matches[1];
+                $data = str_replace($matches[1], '%' . $i . '$s', $data);
+                ++$i;
+            }
+            $data = $this->escaper->escapeHtml($data, $allowedTags);
+            return vsprintf($data, $links);
+        }
+        return $this->escaper->escapeHtml($data, $allowedTags);
+    }
 }

app/code/Magento/Sales/Model/Order/Payment.php

@@ -1421,7 +1421,7 @@ protected function _isTransactionExists($txnId = null)
     protected function _appendTransactionToMessage($transaction, $message)
     {
         if ($transaction) {
-            $txnId = is_object($transaction) ? $transaction->getTxnId() : $transaction;
+            $txnId = is_object($transaction) ? $transaction->getHtmlTxnId() : $transaction;
             $message .= ' ' . __('Transaction ID: "%1"', $txnId);
         }
         return $message;

app/code/Magento/Sales/Model/Order/Payment/Transaction.php

@@ -979,6 +979,17 @@ public function getTxnId()
         return $this->getData(TransactionInterface::TXN_ID);
     }
 
+    /**
+     * Get HTML format for transaction id
+     *
+     * @return string
+     */
+    public function getHtmlTxnId()
+    {
+        $this->_eventManager->dispatch($this->_eventPrefix . '_html_txn_id', $this->_getEventData());
+        return isset($this->_data['html_txn_id']) ? $this->_data['html_txn_id'] : $this->getTxnId();
+    }
+
     /**
      * Returns parent_txn_id
      *

app/code/Magento/Sales/Test/Unit/Block/Adminhtml/Order/Comments/ViewTest.php

@@ -0,0 +1,73 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Sales\Test\Unit\Block\Adminhtml\Order\Comments;
+
+class ViewTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var \Magento\Sales\Helper\Admin|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $adminHelperMock;
+
+    /**
+     * @var \Magento\Sales\Block\Adminhtml\Order\Comments\View
+     */
+    protected $commentsView;
+
+    protected function setUp()
+    {
+        $this->adminHelperMock = $this->getMockBuilder('Magento\Sales\Helper\Admin')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->commentsView = (new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this))->getObject(
+            'Magento\Sales\Block\Adminhtml\Order\Comments\View',
+            [
+                'adminHelper' => $this->adminHelperMock
+            ]
+        );
+    }
+
+    /**
+     * @param string $data
+     * @param string $expected
+     * @param null|array $allowedTags
+     * @dataProvider escapeHtmlDataProvider
+     */
+    public function testEscapeHtml($data, $expected, $allowedTags = null)
+    {
+        $this->adminHelperMock
+            ->expects($this->any())
+            ->method('escapeHtmlWithLinks')
+            ->will($this->returnValue($expected));
+        $actual = $this->commentsView->escapeHtml($data, $allowedTags);
+        $this->assertEquals($expected, $actual);
+    }
+
+    /**
+     * @return array
+     */
+    public function escapeHtmlDataProvider()
+    {
+        return [
+            [
+                '<a>some text in tags</a>',
+                '&lt;a&gt;some text in tags&lt;/a&gt;',
+                'allowedTags' => null
+            ],
+            [
+                'Transaction ID: "<a target="_blank" href="https://www.paypal.com/?id=XX123XX">XX123XX</a>"',
+                'Transaction ID: &quot;<a target="_blank" href="https://www.paypal.com/?id=XX123XX">XX123XX</a>&quot;',
+                'allowedTags' => ['b', 'br', 'strong', 'i', 'u', 'a']
+            ],
+            [
+                '<a>some text in tags</a>',
+                '<a>some text in tags</a>',
+                'allowedTags' => ['a']
+            ]
+        ];
+    }
+}