Added method to make use of Mage_Core_Model_Security_HtmlEscapedString easier #4123

Merged
merged 22 commits into from
Sep 6, 2024
2 changes: 1 addition & 1 deletion app/Mage.php
Expand Up @@ -433,7 +433,7 @@ public static function getStoreConfigAsInt(string $path, $store = null): int
* Retrieve config flag for store by path
*
* @param string $path
* @param mixed $store
* @param null|string|bool|int|Mage_Core_Model_Store $store
* @return bool
*/
public static function getStoreConfigFlag($path, $store = null)
Expand Up @@ -77,9 +77,9 @@ public function canSendCommentEmail()
/**
* Replace links in string
*
* @param array|string $data
* @param null|array $allowedTags
* @return string
* @param string|string[] $data
* @param array|null $allowedTags
* @return null|string|string[]
*/
public function escapeHtml($data, $allowedTags = null)
{
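Review bot: The docblock summary `Replace links in string` (L53) does not describe an `escapeHtml` override — that wording belongs to link handling, and `Mage_Adminhtml_Helper_Sales::escapeHtmlWithLinks` (L84) is the method documented as `Escape string preserving links`. The override's body is outside the hunk, so if it delegates to that helper, change the summary to `* Escape html entities, preserving links` so a reader knows the returned value still contains markup; if it does not, the summary is simply wrong and should say `* Escape html entities`. The same summary appears on the second override at L68.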
Expand Up @@ -80,9 +80,9 @@ public function isCustomerNotificationNotApplicable(Mage_Sales_Model_Order_Statu
/**
* Replace links in string
*
* @param array|string $data
* @param null|array $allowedTags
* @return string
* @param string|string[] $data
* @param array|null $allowedTags
* @return null|string|string[]
*/
public function escapeHtml($data, $allowedTags = null)
{
6 changes: 3 additions & 3 deletions app/code/core/Mage/Adminhtml/Helper/Sales.php
Expand Up @@ -109,9 +109,9 @@ public function applySalableProductTypesFilter($collection)
/**
* Escape string preserving links
*
* @param array|string $data
* @param null|array $allowedTags
* @return string
* @param string|string[] $data
* @param array|null $allowedTags
* @return null|string|string[]
*/
public function escapeHtmlWithLinks($data, $allowedTags = null)
{
45 changes: 41 additions & 4 deletions app/code/core/Mage/Core/Block/Abstract.php
Expand Up @@ -165,6 +165,7 @@ abstract class Mage_Core_Block_Abstract extends Varien_Object
/**
* @var Varien_Object
*/
// phpcs:ignore Ecg.PHP.PrivateClassMember.PrivateClassMemberError
private static $_transportObject;

/**
Expand Down Expand Up @@ -524,6 +525,7 @@ public function unsetCallChild($alias, $callback, $result, $params)
}

Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($child, $callback, $params);
// phpcs:ignore Ecg.Security.ForbiddenFunction.Found
if ($result == call_user_func_array([&$child, $callback], $params)) {
$this->unsetChild($alias);
}
Expand Down Expand Up @@ -863,7 +865,7 @@ public function getChildGroup($groupName, $callback = null, $skipEmptyResults =
*
* @param string $alias
* @param string $key
* @return mixed
* @return mixed|void
*/
public function getChildData($alias, $key = '')
{
Expand Down Expand Up @@ -1167,6 +1169,7 @@ public function getModuleName()
public function __()
{
$args = func_get_args();
// phpcs:ignore Ecg.Classes.ObjectInstantiation.DirectInstantiation
$expr = new Mage_Core_Model_Translate_Expr(array_shift($args), $this->getModuleName());
array_unshift($args, $expr);
return $this->_getApp()->getTranslator()->translate($args);
Expand All @@ -1187,15 +1190,49 @@ public function htmlEscape($data, $allowedTags = null)
/**
* Escape html entities
*
* @param string|array $data
* @param array $allowedTags
* @return string
* @param string|string[] $data
* @param array|null $allowedTags
* @return null|string|string[]
*/
public function escapeHtml($data, $allowedTags = null)
{
return $this->helper('core')->escapeHtml($data, $allowedTags);
}

/**
* Wrapper for escapeHtml() function with keeping original value
*
* @param string $data
* @param string[]|null $allowedTags
* @return Mage_Core_Model_Security_HtmlEscapedString
*
* @see Mage_Core_Model_Security_HtmlEscapedString::getUnescapedValue()
*/
public function escapeHtmlAsObject(string $data, ?array $allowedTags = null): Mage_Core_Model_Security_HtmlEscapedString
{
// phpcs:ignore Ecg.Classes.ObjectInstantiation.DirectInstantiation
return new Mage_Core_Model_Security_HtmlEscapedString($data, $allowedTags);
}

/**
* Wrapper for escapeHtml() function with keeping original value
*
* @param string[] $data
* @param string[]|null $allowedTags
* @return Mage_Core_Model_Security_HtmlEscapedString[]
*
* @see Mage_Core_Model_Security_HtmlEscapedString::getUnescapedValue()
*/
public function escapeHtmlArrayAsObject(array $data, ?array $allowedTags = null): array
{
$result = [];
foreach ($data as $key => $string) {
$result[$key] = $this->escapeHtmlAsObject($string, $allowedTags);
}

return $result;
}

/**
* Wrapper for standard strip_tags() function with extra functionality for html entities
*
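Review bot: `escapeHtmlArrayAsObject` (L171-179) forwards every element to `escapeHtmlAsObject(string $data, ...)` without checking it is a string, so a `null` element throws a TypeError in any mode and an int or float is coerced or rejected depending on whether this file declares `strict_types`; the `@param string[] $data` docblock is the only guard. The callers added in Header.php cast their config values with `(string)` before calling the scalar variant, so the array variant should either document the contract with `@throws TypeError if an element of $data is not a string` or normalise elements the same way. As a style point, the loop can be expressed as `return array_map(fn (string $string) => $this->escapeHtmlAsObject($string, $allowedTags), $data);`, which preserves keys (single-array `array_map` keeps them) and makes the element type explicit at the call site.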
19 changes: 10 additions & 9 deletions app/code/core/Mage/Core/Helper/Abstract.php
Expand Up @@ -178,9 +178,10 @@ public function __()
}

/**
* @param array $data
* @param array $allowedTags
* @return mixed
* @param string|string[] $data
* @param array|null $allowedTags
* @return null|string|string[]
*
* @see self::escapeHtml()
* @deprecated after 1.4.0.0-rc1
*/
Expand All @@ -192,9 +193,9 @@ public function htmlEscape($data, $allowedTags = null)
/**
* Escape html entities
*
* @param string|array $data
* @param array $allowedTags
* @return mixed
* @param string|string[] $data
* @param array|null $allowedTags
* @return null|string|string[]
*/
public function escapeHtml($data, $allowedTags = null)
{
Expand Down Expand Up @@ -244,7 +245,7 @@ function ($matches) {
* Wrapper for standard strip_tags() function with extra functionality for html entities
*
* @param string $data
* @param string $allowableTags
* @param null|string|string[] $allowableTags
* @param bool $escape
* @return string
*/
Expand Down Expand Up @@ -320,9 +321,9 @@ public function escapeScriptIdentifiers($data)
/**
* Escape quotes in java script
*
* @param mixed $data
* @param string|string[] $data
* @param string $quote
* @return mixed
* @return string|string[]
*/
public function jsQuoteEscape($data, $quote = '\'')
{
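Review bot: The new `@return null|string|string[]` on `escapeHtml` (L210) documents a null return without saying when it occurs; the method body is outside the hunk, but `Mage_Core_Model_Security_HtmlEscapedString::__toString` in this same PR already has to cast the helper's result with `(string)` to satisfy its own return type, which suggests callers are expected to cope with it. A one-line note such as `* Returns null only when $data is null; arrays are escaped element-wise.` would spell out the contract, if that is indeed the behaviour. The same return type is introduced on `Mage_Core_Block_Abstract::escapeHtml` and on the two Adminhtml overrides, so the wording should be kept identical across them.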
2 changes: 1 addition & 1 deletion app/code/core/Mage/Core/Model/Layout.php
Expand Up @@ -419,7 +419,7 @@ protected function _translateLayoutNode($node, &$args)
* Save block in blocks registry
*
* @param string $name
* @param Mage_Core_Model_Layout $block
* @param Mage_Core_Block_Abstract $block
* @return $this
*/
public function setBlock($name, $block)
37 changes: 35 additions & 2 deletions app/code/core/Mage/Core/Model/Security/HtmlEscapedString.php
Expand Up @@ -3,12 +3,35 @@
declare(strict_types=1);

/**
* OpenMage
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.txt.
* It is also available at https://opensource.org/license/osl-3-0-php
*
* @category Mage
* @package Mage_Core
* @copyright Copyright (c) 2024 The OpenMage Contributors (https://www.openmage.org)
* @license https://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
*/

/**
* Wrapper to escape a string value with a method to get the original string value
*
* @category Mage
* @package Mage_Core
*/
class Mage_Core_Model_Security_HtmlEscapedString implements Stringable
{
protected $originalValue;
protected $allowedTags;
/**
* @var string
*/
protected string $originalValue;

/**
* @var string[]|null
*/
protected ?array $allowedTags;

/**
* @param string $originalValue
Expand All @@ -20,6 +43,11 @@ public function __construct(string $originalValue, ?array $allowedTags = null)
$this->allowedTags = $allowedTags;
}

/**
* Get escaped html entities
*
* @return string
*/
public function __toString(): string
{
return (string) Mage::helper('core')->escapeHtml(
Expand All @@ -28,6 +56,11 @@ public function __toString(): string
);
}

/**
* Get un-escaped html entities
*
* @return string
*/
public function getUnescapedValue(): string
{
return $this->originalValue;
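Review bot: The `__toString` docblock added at L292-296 says only `Get escaped html entities`, but the method escapes through `Mage::helper('core')->escapeHtml` at conversion time (L297-299), not at construction, and only for an HTML content context; the docblock should state that so the object is not dropped into a JS, URL or attribute-only context on the strength of its name, e.g. `* Escape the original value for an HTML context on each string conversion; other output contexts need their own escaping.` The `@var string` on the now-typed `protected string $originalValue` (L276-279) restates the native type and can be dropped, whereas `@var string[]|null` on `$allowedTags` adds element-type information and should stay. With `declare(strict_types=1)` at L251 the constructor rejects non-string originals outright, which is the right boundary for a value that is later emitted into markup.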
16 changes: 4 additions & 12 deletions app/code/core/Mage/Page/Block/Html/Header.php
Expand Up @@ -57,9 +57,7 @@ public function setLogo($logo_src, $logo_alt)
public function getLogoSrc()
{
if (empty($this->_data['logo_src'])) {
$this->_data['logo_src'] = new Mage_Core_Model_Security_HtmlEscapedString(
(string) Mage::getStoreConfig('design/header/logo_src')
);
$this->_data['logo_src'] = $this->escapeHtmlAsObject((string) Mage::getStoreConfig('design/header/logo_src'));
}
return $this->getSkinUrl($this->_data['logo_src']);
}
Expand All @@ -70,9 +68,7 @@ public function getLogoSrc()
public function getLogoSrcSmall()
{
if (empty($this->_data['logo_src_small'])) {
$this->_data['logo_src_small'] = new Mage_Core_Model_Security_HtmlEscapedString(
(string) Mage::getStoreConfig('design/header/logo_src_small')
);
$this->_data['logo_src_small'] = $this->escapeHtmlAsObject((string) Mage::getStoreConfig('design/header/logo_src_small'));
}
return $this->getSkinUrl($this->_data['logo_src_small']);
}
Expand All @@ -83,9 +79,7 @@ public function getLogoSrcSmall()
public function getLogoAlt()
{
if (empty($this->_data['logo_alt'])) {
$this->_data['logo_alt'] = new Mage_Core_Model_Security_HtmlEscapedString(
(string) Mage::getStoreConfig('design/header/logo_alt')
);
$this->_data['logo_alt'] = $this->escapeHtmlAsObject((string) Mage::getStoreConfig('design/header/logo_alt'));
}
return $this->_data['logo_alt'];
}
Expand All @@ -103,9 +97,7 @@ public function getWelcome()
if (Mage::isInstalled() && Mage::getSingleton('customer/session')->isLoggedIn()) {
$this->_data['welcome'] = $this->__('Welcome, %s!', $this->escapeHtml(Mage::getSingleton('customer/session')->getCustomer()->getName()));
} else {
$this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString(
(string) Mage::getStoreConfig('design/header/welcome')
);
$this->_data['welcome'] = $this->escapeHtmlAsObject((string) Mage::getStoreConfig('design/header/welcome'));
}
}

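Review bot: The rewritten assignments at L322, L333, L344 and L355 (and L369 in Welcome.php) run past the 120-column soft limit that the original three-line form respected. Wrapping the argument keeps the refactor readable without changing behaviour: `$this->_data['logo_src'] = $this->escapeHtmlAsObject(` / `    (string) Mage::getStoreConfig('design/header/logo_src')` / `);`. The `(string)` casts are worth keeping, since `escapeHtmlAsObject` takes a non-nullable `string` and would throw a TypeError on a missing config value.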
4 changes: 1 addition & 3 deletions app/code/core/Mage/Page/Block/Html/Welcome.php
Expand Up @@ -44,9 +44,7 @@ protected function _toHtml()
if (Mage::isInstalled() && $this->_getSession()->isLoggedIn()) {
$this->_data['welcome'] = $this->__('Welcome, %s!', $this->escapeHtml($this->_getSession()->getCustomer()->getName()));
} else {
$this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString(
(string) Mage::getStoreConfig('design/header/welcome')
);
$this->_data['welcome'] = $this->escapeHtmlAsObject((string) Mage::getStoreConfig('design/header/welcome'));
}
}
