Merge pull request #5252 from magento-borg/borg-2.4.0

[CIA] Bug fixes

Author: nathanjosiah

app/code/Magento/Sales/Test/Mftf/Test/AdminUnassignCustomOrderStatusTest.xml

@@ -55,7 +55,7 @@
 
         <!--Click unassign and verify AssertOrderStatusSuccessUnassignMessage-->
         <click selector="{{AdminOrderStatusGridSection.unassign}}" stepKey="clickUnassign"/>
-        <see selector="{{AdminMessagesSection.success}}" userInput="You have unassigned the order status." stepKey="seeAssertOrderStatusSuccessUnassignMessage"/>
+        <waitForText selector="{{AdminMessagesSection.success}}" userInput="You have unassigned the order status." stepKey="seeAssertOrderStatusSuccessUnassignMessage"/>
 
         <!--Verify the order status grid page shows the updated order status and verify AssertOrderStatusInGrid-->
         <actionGroup ref="AssertOrderStatusExistsInGrid" stepKey="seeAssertOrderStatusInGrid">

app/code/Magento/Security/view/base/requirejs-config.js

@@ -0,0 +1,12 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+var config = {
+    map: {
+        '*': {
+            escaper: 'Magento_Security/js/escaper'
+        }
+    }
+};

app/code/Magento/Security/view/base/web/js/escaper.js

@@ -0,0 +1,174 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * A loose JavaScript version of Magento\Framework\Escaper
+ *
+ * Due to differences in how XML/HTML is processed in PHP vs JS there are a couple of minor differences in behavior
+ * from the PHP counterpart.
+ *
+ * The first difference is that the default invocation of escapeHtml without allowedTags will double-escape existing
+ * entities as the intention of such an invocation is that the input isn't supposed to contain any HTML.
+ *
+ * The second difference is that escapeHtml will not escape quotes. Since the input is actually being processed by the
+ * DOM there is no chance of quotes being mixed with HTML syntax. And, since escapeHtml is not
+ * intended to be used with raw injection into a HTML attribute, this is acceptable.
+ *
+ * @api
+ */
+define([], function () {
+    'use strict';
+
+    return {
+        neverAllowedElements: ['script', 'img', 'embed', 'iframe', 'video', 'source', 'object', 'audio'],
+        generallyAllowedAttributes: ['id', 'class', 'href', 'title', 'style'],
+        forbiddenAttributesByElement: {
+            a: ['style']
+        },
+
+        /**
+         * Escape a string for safe injection into HTML
+         *
+         * @param {String} data
+         * @param {Array|null} allowedTags
+         * @returns {String}
+         */
+        escapeHtml: function (data, allowedTags) {
+            var domParser = new DOMParser(),
+                fragment = domParser.parseFromString('<div></div>', 'text/html');
+
+            fragment = fragment.body.childNodes[0];
+            allowedTags = typeof allowedTags === 'object' && allowedTags.length ? allowedTags : null;
+
+            if (allowedTags) {
+                fragment.innerHTML = data || '';
+                allowedTags = this._filterProhibitedTags(allowedTags);
+
+                this._removeComments(fragment);
+                this._removeNotAllowedElements(fragment, allowedTags);
+                this._removeNotAllowedAttributes(fragment);
+
+                return fragment.innerHTML;
+            }
+
+            fragment.textContent = data || '';
+
+            return fragment.innerHTML;
+        },
+
+        /**
+         * Remove the always forbidden tags from a list of provided tags
+         *
+         * @param {Array} tags
+         * @returns {Array}
+         * @private
+         */
+        _filterProhibitedTags: function (tags) {
+            return tags.filter(function (n) {
+                return this.neverAllowedElements.indexOf(n) === -1;
+            }.bind(this));
+        },
+
+        /**
+         * Remove comment nodes from the given node
+         *
+         * @param {Node} node
+         * @private
+         */
+        _removeComments: function (node) {
+            var treeWalker = node.ownerDocument.createTreeWalker(
+                    node,
+                    NodeFilter.SHOW_COMMENT,
+                    function () {
+                        return NodeFilter.FILTER_ACCEPT;
+                    },
+                    false
+                ),
+                nodesToRemove = [];
+
+            while (treeWalker.nextNode()) {
+                nodesToRemove.push(treeWalker.currentNode);
+            }
+
+            nodesToRemove.forEach(function (nodeToRemove) {
+                nodeToRemove.parentNode.removeChild(nodeToRemove);
+            });
+        },
+
+        /**
+         * Strip the given node of all disallowed tags while permitting any nested text nodes
+         *
+         * @param {Node} node
+         * @param {Array|null} allowedTags
+         * @private
+         */
+        _removeNotAllowedElements: function (node, allowedTags) {
+            var treeWalker = node.ownerDocument.createTreeWalker(
+                    node,
+                    NodeFilter.SHOW_ELEMENT,
+                    function (currentNode) {
+                        return allowedTags.indexOf(currentNode.nodeName.toLowerCase()) === -1 ?
+                            NodeFilter.FILTER_ACCEPT
+                            // SKIP instead of REJECT because REJECT also rejects child nodes
+                            : NodeFilter.FILTER_SKIP;
+                    },
+                false
+                ),
+                nodesToRemove = [];
+
+            while (treeWalker.nextNode()) {
+                if (allowedTags.indexOf(treeWalker.currentNode.nodeName.toLowerCase()) === -1) {
+                    nodesToRemove.push(treeWalker.currentNode);
+                }
+            }
+
+            nodesToRemove.forEach(function (nodeToRemove) {
+                nodeToRemove.parentNode.replaceChild(
+                    node.ownerDocument.createTextNode(nodeToRemove.textContent),
+                    nodeToRemove
+                );
+            });
+        },
+
+        /**
+         * Remove any invalid attributes from the given node
+         *
+         * @param {Node} node
+         * @private
+         */
+        _removeNotAllowedAttributes: function (node) {
+            var treeWalker = node.ownerDocument.createTreeWalker(
+                    node,
+                    NodeFilter.SHOW_ELEMENT,
+                    function () {
+                        return NodeFilter.FILTER_ACCEPT;
+                    },
+                false
+                ),
+                i,
+                attribute,
+                nodeName,
+                attributesToRemove = [];
+
+            while (treeWalker.nextNode()) {
+                for (i = 0; i < treeWalker.currentNode.attributes.length; i++) {
+                    attribute = treeWalker.currentNode.attributes[i];
+                    nodeName = treeWalker.currentNode.nodeName.toLowerCase();
+
+                    if (this.generallyAllowedAttributes.indexOf(attribute.name) === -1 || // eslint-disable-line max-depth,max-len
+                        this.forbiddenAttributesByElement[nodeName] &&
+                        this.forbiddenAttributesByElement[nodeName].indexOf(attribute.name) !== -1
+                    ) {
+                        attributesToRemove.push(attribute);
+                    }
+                }
+            }
+
+            attributesToRemove.forEach(function (attributeToRemove) {
+                attributeToRemove.ownerElement.removeAttribute(attributeToRemove.name);
+            });
+        }
+    };
+});

app/code/Magento/Theme/Controller/Result/MessagePlugin.php

@@ -14,6 +14,8 @@
 
 /**
  * Plugin for putting messages to cookies
+ *
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
  */
 class MessagePlugin
 {
@@ -116,7 +118,6 @@ public function afterRenderResult(
      *   ],
      * ]
      *
-     *
      * @param array $messages List of Magento messages that must be set as 'mage-messages' cookie.
      * @return void
      */

app/code/Magento/Theme/view/frontend/templates/messages.phtml

@@ -11,17 +11,18 @@
             class: 'message-' + message.type + ' ' + message.type + ' message',
             'data-ui-id': 'message-' + message.type
         }">
-            <div data-bind="html: message.text"></div>
+            <div data-bind="html: $parent.prepareMessageForHtml(message.text)"></div>
         </div>
     </div>
     <!-- /ko -->
+
     <!-- ko if: messages().messages && messages().messages.length > 0 -->
     <div role="alert" data-bind="foreach: { data: messages().messages, as: 'message' }" class="messages">
         <div data-bind="attr: {
             class: 'message-' + message.type + ' ' + message.type + ' message',
             'data-ui-id': 'message-' + message.type
         }">
-            <div data-bind="html: message.text"></div>
+            <div data-bind="html: $parent.prepareMessageForHtml(message.text)"></div>
         </div>
     </div>
     <!-- /ko -->

app/code/Magento/Theme/view/frontend/web/js/view/messages.js

@@ -11,14 +11,16 @@ define([
     'uiComponent',
     'Magento_Customer/js/customer-data',
     'underscore',
+    'escaper',
     'jquery/jquery-storageapi'
-], function ($, Component, customerData, _) {
+], function ($, Component, customerData, _, escaper) {
     'use strict';
 
     return Component.extend({
         defaults: {
             cookieMessages: [],
-            messages: []
+            messages: [],
+            allowedTags: ['div', 'span', 'b', 'strong', 'i', 'em', 'u', 'a']
         },
 
         /**
@@ -38,6 +40,16 @@ define([
             }
 
             $.cookieStorage.set('mage-messages', '');
+        },
+
+        /**
+         * Prepare the given message to be rendered as HTML
+         *
+         * @param {String} message
+         * @return {String}
+         */
+        prepareMessageForHtml: function (message) {
+            return escaper.escapeHtml(message, this.allowedTags);
         }
     });
 });