Merge pull request #7 from magento-nord/develop

NORD P1

Author: kandy

lib/internal/Magento/Framework/Convert/Excel.php

@@ -134,6 +134,19 @@ protected function _getXmlRow($row, $useCallback)
             $value = htmlspecialchars($value);
             $dataType = is_numeric($value) && $value[0] !== '+' && $value[0] !== '0' ? 'Number' : 'String';
 
+            /**
+             * Security enhancement for CSV data processing by Excel-like applications.
+             * @see https://bugzilla.mozilla.org/show_bug.cgi?id=1054702
+             *
+             * @var $value string|\Magento\Framework\Phrase
+             */
+            if (!is_string($value)) {
+                $value = (string)$value;
+            }
+            if (isset($value[0]) && in_array($value[0], ['=', '+', '-'])) {
+                $value = ' ' . $value;
+            }
+
             $value = str_replace("\r\n", '
', $value);
             $value = str_replace("\r", '
', $value);
             $value = str_replace("\n", '
', $value);

lib/internal/Magento/Framework/Convert/Test/Unit/ExcelTest.php

@@ -17,21 +17,24 @@ class ExcelTest extends \PHPUnit_Framework_TestCase
      * @var array
      */
     private $_testData = [
-        ['ID', 'Name', 'Email', 'Group', 'Telephone', '+Telephone', 'ZIP', '0ZIP', 'Country', 'State/Province'],
+        [
+            'ID', 'Name', 'Email', 'Group', 'Telephone', '+Telephone', 'ZIP', '0ZIP', 'Country', 'State/Province',
+            'Symbol=', 'Symbol-', 'Symbol+'
+        ],
         [
             1, 'Jon Doe', 'jon.doe@magento.com', 'General', '310-111-1111', '+310-111-1111', 90232, '090232',
-            'United States', 'California'
+            'United States', 'California', '=', '-', '+'
         ],
     ];
 
     protected $_testHeader = [
-        'HeaderID', 'HeaderName', 'HeaderEmail', 'HeaderGroup', 'HeaderPhone', 'Header+Phone',
-        'HeaderZIP', 'Header0ZIP', 'HeaderCountry', 'HeaderRegion',
+        'HeaderID', 'HeaderName', 'HeaderEmail', 'HeaderGroup', 'HeaderPhone', 'Header+Phone', 'HeaderZIP',
+        'Header0ZIP', 'HeaderCountry', 'HeaderRegion', 'HeaderSymbol=', 'HeaderSymbol-', 'HeaderSymbol+'
     ];
 
     protected $_testFooter = [
-        'FooterID', 'FooterName', 'FooterEmail', 'FooterGroup', 'FooterPhone', 'Footer+Phone',
-        'FooterZIP', 'Footer0ZIP', 'FooterCountry', 'FooterRegion',
+        'FooterID', 'FooterName', 'FooterEmail', 'FooterGroup', 'FooterPhone', 'Footer+Phone', 'FooterZIP',
+        'Footer0ZIP', 'FooterCountry', 'FooterRegion', 'FooterSymbol=', 'FooterSymbol-', 'FooterSymbol+'
     ];
 
     /**

lib/internal/Magento/Framework/Convert/Test/Unit/_files/sample.xml

@@ -29,30 +29,39 @@
                 <Cell><Data ss:Type="String">Header0ZIP</Data></Cell>
                 <Cell><Data ss:Type="String">HeaderCountry</Data></Cell>
                 <Cell><Data ss:Type="String">HeaderRegion</Data></Cell>
+                <Cell><Data ss:Type="String">HeaderSymbol=</Data></Cell>
+                <Cell><Data ss:Type="String">HeaderSymbol-</Data></Cell>
+                <Cell><Data ss:Type="String">HeaderSymbol+</Data></Cell>
             </Row>
             <Row>
                 <Cell><Data ss:Type="String">ID</Data></Cell>
                 <Cell><Data ss:Type="String">Name</Data></Cell>
                 <Cell><Data ss:Type="String">Email</Data></Cell>
                 <Cell><Data ss:Type="String">Group</Data></Cell>
                 <Cell><Data ss:Type="String">Telephone</Data></Cell>
-                <Cell><Data ss:Type="String">+Telephone</Data></Cell>
+                <Cell><Data ss:Type="String"> +Telephone</Data></Cell>
                 <Cell><Data ss:Type="String">ZIP</Data></Cell>
                 <Cell><Data ss:Type="String">0ZIP</Data></Cell>
                 <Cell><Data ss:Type="String">Country</Data></Cell>
                 <Cell><Data ss:Type="String">State/Province</Data></Cell>
+                <Cell><Data ss:Type="String">Symbol=</Data></Cell>
+                <Cell><Data ss:Type="String">Symbol-</Data></Cell>
+                <Cell><Data ss:Type="String">Symbol+</Data></Cell>
             </Row>
             <Row>
                 <Cell><Data ss:Type="Number">1</Data></Cell>
                 <Cell><Data ss:Type="String">Jon Doe</Data></Cell>
                 <Cell><Data ss:Type="String">jon.doe@magento.com</Data></Cell>
                 <Cell><Data ss:Type="String">General</Data></Cell>
                 <Cell><Data ss:Type="String">310-111-1111</Data></Cell>
-                <Cell><Data ss:Type="String">+310-111-1111</Data></Cell>
+                <Cell><Data ss:Type="String"> +310-111-1111</Data></Cell>
                 <Cell><Data ss:Type="Number">90232</Data></Cell>
                 <Cell><Data ss:Type="String">090232</Data></Cell>
                 <Cell><Data ss:Type="String">United States</Data></Cell>
                 <Cell><Data ss:Type="String">California</Data></Cell>
+                <Cell><Data ss:Type="String"> =</Data></Cell>
+                <Cell><Data ss:Type="String"> -</Data></Cell>
+                <Cell><Data ss:Type="String"> +</Data></Cell>
             </Row>
             <Row>
                 <Cell><Data ss:Type="String">FooterID</Data></Cell>
@@ -65,6 +74,9 @@
                 <Cell><Data ss:Type="String">Footer0ZIP</Data></Cell>
                 <Cell><Data ss:Type="String">FooterCountry</Data></Cell>
                 <Cell><Data ss:Type="String">FooterRegion</Data></Cell>
+                <Cell><Data ss:Type="String">FooterSymbol=</Data></Cell>
+                <Cell><Data ss:Type="String">FooterSymbol-</Data></Cell>
+                <Cell><Data ss:Type="String">FooterSymbol+</Data></Cell>
             </Row>
         </Table>
     </Worksheet>