Merge remote-tracking branch 'public/2.3-develop' into translation-fix

Author: Oleksii Korshenko

.htaccess

@@ -36,7 +36,7 @@
 ############################################
 ## adjust memory limit
 
-    php_value memory_limit 768M
+    php_value memory_limit 756M
     php_value max_execution_time 18000
 
 ############################################
@@ -59,7 +59,7 @@
 ############################################
 ## adjust memory limit
 
-    php_value memory_limit 768M
+    php_value memory_limit 756M
     php_value max_execution_time 18000
 
 ############################################

.htaccess.sample

@@ -35,7 +35,7 @@
 ############################################
 ## adjust memory limit
 
-    php_value memory_limit 768M
+    php_value memory_limit 756M
     php_value max_execution_time 18000
 
 ############################################

.travis.yml

@@ -52,7 +52,6 @@ install: composer install --no-interaction
 before_script: ./dev/travis/before_script.sh
 script:
   # Set arguments for variants of phpunit based tests; '|| true' prevents failing script when leading test fails
-  - test $TEST_SUITE = "static" && TEST_FILTER='--filter "Magento\\Test\\Php\\LiveCodeTest"' || true
   - test $TEST_SUITE = "functional" && TEST_FILTER='dev/tests/functional/testsuites/Magento/Mtf/TestSuite/InjectableTests.php' || true
 
   # The scripts for grunt/phpunit type tests

.user.ini

@@ -1,4 +1,4 @@
-memory_limit = 768M
+memory_limit = 756M
 max_execution_time = 18000
 session.auto_start = off
 suhosin.session.cryptua = off

app/code/Magento/AdminNotification/Controller/Adminhtml/System/Message/ListAction.php

@@ -8,6 +8,11 @@
 
 class ListAction extends \Magento\Backend\App\AbstractAction
 {
+    /**
+     * Authorization level of a basic admin session
+     */
+    const ADMIN_RESOURCE = 'Magento_AdminNotification::show_list';
+
     /**
      * @var \Magento\Framework\Json\Helper\Data
      */

app/code/Magento/AdminNotification/Model/Feed.php

@@ -148,9 +148,9 @@ public function checkUpdate()
                     $feedData[] = [
                         'severity' => (int)$item->severity,
                         'date_added' => date('Y-m-d H:i:s', $itemPublicationDate),
-                        'title' => (string)$item->title,
-                        'description' => (string)$item->description,
-                        'url' => (string)$item->link,
+                        'title' => $this->escapeString($item->title),
+                        'description' => $this->escapeString($item->description),
+                        'url' => $this->escapeString($item->link),
                     ];
                 }
             }
@@ -246,4 +246,15 @@ public function getFeedXml()
 
         return $xml;
     }
+
+    /**
+     * Converts incoming data to string format and escapes special characters.
+     *
+     * @param \SimpleXMLElement $data
+     * @return string
+     */
+    private function escapeString(\SimpleXMLElement $data)
+    {
+        return htmlspecialchars((string)$data);
+    }
 }

app/code/Magento/AdminNotification/Test/Unit/Model/FeedTest.php

@@ -145,8 +145,27 @@ public function testCheckUpdate($callInbox, $curlRequest)
             ->will($this->returnValue('Sat, 6 Sep 2014 16:46:11 UTC'));
         if ($callInbox) {
             $this->inboxFactory->expects($this->once())->method('create')
-                ->will(($this->returnValue($this->inboxModel)));
-            $this->inboxModel->expects($this->once())->method('parse')->will($this->returnSelf());
+                ->will($this->returnValue($this->inboxModel));
+            $this->inboxModel->expects($this->once())
+                ->method('parse')
+                ->with(
+                    $this->callback(
+                        function ($data) {
+                            $fieldsToCheck = ['title', 'description', 'url'];
+                            return array_reduce(
+                                $fieldsToCheck,
+                                function ($initialValue, $item) use ($data) {
+                                    $haystack = $data[0][$item] ?? false;
+                                    return $haystack
+                                        ? $initialValue && !strpos($haystack, '<') && !strpos($haystack, '>')
+                                        : true;
+                                },
+                                true
+                            );
+                        }
+                    )
+                )
+                ->will($this->returnSelf());
         } else {
             $this->inboxFactory->expects($this->never())->method('create');
             $this->inboxModel->expects($this->never())->method('parse');
@@ -196,7 +215,27 @@ public function checkUpdateDataProvider()
                                 </item>
                             </channel>
                         </rss>'
-            ]
+            ],
+            [
+                true,
+                // @codingStandardsIgnoreStart
+                'HEADER
+
+                <?xml version="1.0" encoding="utf-8" ?>
+                        <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+                            <channel>
+                                <title>MagentoCommerce</title>
+                                <item>
+                                    <title><![CDATA[<script>alert("Hello!");</script>Test Title]]></title>
+                                    <link><![CDATA[http://magento.com/feed_url<script>alert("Hello!");</script>]]></link>
+                                    <severity>4</severity>
+                                    <description><![CDATA[Test <script>alert("Hello!");</script>Description]]></description>
+                                    <pubDate>Tue, 20 Jun 2017 13:14:47 UTC</pubDate>
+                                </item>
+                            </channel>
+                        </rss>'
+                // @codingStandardsIgnoreEnd
+            ],
         ];
     }
 }

app/code/Magento/AdminNotification/composer.json

@@ -1,14 +1,17 @@
 {
     "name": "magento/module-admin-notification",
     "description": "N/A",
+    "config": {
+        "sort-packages": true
+    },
     "require": {
         "php": "7.0.2|7.0.4|~7.0.6|~7.1.0",
-        "magento/module-store": "100.3.*",
+        "lib-libxml": "*",
+        "magento/framework": "100.3.*",
         "magento/module-backend": "100.3.*",
         "magento/module-media-storage": "100.3.*",
-        "magento/framework": "100.3.*",
-        "magento/module-ui": "100.3.*",
-        "lib-libxml": "*"
+        "magento/module-store": "100.3.*",
+        "magento/module-ui": "100.3.*"
     },
     "type": "magento2-module",
     "version": "100.3.0-dev",

app/code/Magento/AdminNotification/etc/config.xml

@@ -12,7 +12,7 @@
                 <feed_url>notifications.magentocommerce.com/magento2/community/notifications.rss</feed_url>
                 <popup_url>widgets.magentocommerce.com/notificationPopup</popup_url>
                 <severity_icons_url>widgets.magentocommerce.com/%s/%s.gif</severity_icons_url>
-                <use_https>0</use_https>
+                <use_https>1</use_https>
                 <frequency>1</frequency>
                 <last_update>0</last_update>
             </adminnotification>

app/code/Magento/AdminNotification/view/adminhtml/layout/adminhtml_notification_block.xml

@@ -20,14 +20,14 @@
                     <arguments>
                         <argument name="filter_visibility" xsi:type="string">0</argument>
                     </arguments>
-                    <block class="Magento\Backend\Block\Widget\Grid\Column" as="severity">
+                    <block class="Magento\Backend\Block\Widget\Grid\Column" name="adminhtml.notification.container.grid.columnSet.severity" as="severity">
                         <arguments>
                             <argument name="header" xsi:type="string" translate="true">Severity</argument>
                             <argument name="index" xsi:type="string">severity</argument>
                             <argument name="renderer" xsi:type="string">Magento\AdminNotification\Block\Grid\Renderer\Severity</argument>
                         </arguments>
                     </block>
-                    <block class="Magento\Backend\Block\Widget\Grid\Column" as="date_added">
+                    <block class="Magento\Backend\Block\Widget\Grid\Column" name="adminhtml.notification.container.grid.columnSet.date_added" as="date_added">
                         <arguments>
                             <argument name="header" xsi:type="string" translate="true">Date Added</argument>
                             <argument name="id" xsi:type="string">date_added</argument>
@@ -37,14 +37,14 @@
                             <argument name="header_css_class" xsi:type="string">col-date</argument>
                         </arguments>
                     </block>
-                    <block class="Magento\Backend\Block\Widget\Grid\Column" as="title">
+                    <block class="Magento\Backend\Block\Widget\Grid\Column" name="adminhtml.notification.container.grid.columnSet.title" as="title">
                         <arguments>
                             <argument name="header" xsi:type="string" translate="true">Message</argument>
                             <argument name="index" xsi:type="string">title</argument>
                             <argument name="renderer" xsi:type="string">Magento\AdminNotification\Block\Grid\Renderer\Notice</argument>
                         </arguments>
                     </block>
-                    <block class="Magento\Backend\Block\Widget\Grid\Column" as="actions">
+                    <block class="Magento\Backend\Block\Widget\Grid\Column" name="adminhtml.notification.container.grid.columnSet.actions" as="actions">
                         <arguments>
                             <argument name="header" xsi:type="string" translate="true">Actions</argument>
                             <argument name="sortable" xsi:type="string">0</argument>