MAGETWO-62915: [Backport] - [Github] Directive values are not quote-escaped #3860 - for 2.0

Author: OlgaVasyltsun

app/code/Magento/CatalogWidget/Block/Product/Widget/Conditions.php

@@ -82,12 +82,19 @@ public function __construct(
     protected function _construct()
     {
         $widget = $this->registry->registry('current_widget_instance');
+
         if ($widget) {
             $widgetParameters = $widget->getWidgetParameters();
-            if (isset($widgetParameters['conditions'])) {
-                $this->rule->loadPost($widgetParameters);
+        } else {
+            $widgetOptions = $this->getLayout()->getBlock('wysiwyg_widget.options');
+            if ($widgetOptions) {
+                $widgetParameters = $widgetOptions->getWidgetValues();
             }
         }
+
+        if (isset($widgetParameters['conditions'])) {
+            $this->rule->loadPost($widgetParameters);
+        }
     }
 
     /**

app/code/Magento/CatalogWidget/Test/Unit/Block/Product/Widget/ConditionsTest.php

@@ -0,0 +1,161 @@
+<?php
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\CatalogWidget\Test\Unit\Block\Product\Widget;
+
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+use Magento\CatalogWidget\Block\Product\Widget\Conditions;
+use Magento\Framework\Registry;
+use Magento\Backend\Block\Template\Context;
+use Magento\CatalogWidget\Model\Rule;
+use Magento\Framework\View\LayoutInterface;
+use Magento\Framework\View\Element\BlockInterface;
+
+/**
+ * Test class for \Magento\CatalogWidget\Block\Product\Widget\Conditions
+ */
+class ConditionsTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var ObjectManagerHelper
+     */
+    private $objectManagerHelper;
+
+    /**
+     * @var Registry|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $registryMock;
+
+    /**
+     * @var Context|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $contextMock;
+
+    /**
+     * @var Rule|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $ruleMock;
+
+    /**
+     * @var LayoutInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $layoutMock;
+
+    /**
+     * @var BlockInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $blockMock;
+
+    protected function setUp()
+    {
+        $this->objectManagerHelper = new ObjectManagerHelper($this);
+        $this->ruleMock = $this->getMockBuilder(Rule::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->registryMock = $this->getMockBuilder(Registry::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->layoutMock = $this->getMockForAbstractClass(LayoutInterface::class);
+        $this->blockMock = $this->getMockBuilder(BlockInterface::class)
+            ->setMethods(['getWidgetValues'])
+            ->getMockForAbstractClass();
+        $this->contextMock = $this->getMockBuilder(Context::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->contextMock->expects($this->once())
+            ->method('getLayout')
+            ->willReturn($this->layoutMock);
+    }
+
+    public function testConstructWithEmptyData()
+    {
+        $this->registryMock->expects($this->once())
+            ->method('registry')
+            ->with('current_widget_instance')
+            ->willReturn(null);
+        $this->layoutMock->expects($this->once())
+            ->method('getBlock')
+            ->with('wysiwyg_widget.options')
+            ->willReturn(null);
+        $this->blockMock->expects($this->never())
+            ->method('getWidgetValues');
+        $this->ruleMock->expects($this->never())
+            ->method('loadPost');
+
+        $this->objectManagerHelper->getObject(
+            Conditions::class,
+            [
+                'context' => $this->contextMock,
+                'registry' => $this->registryMock,
+                'rule' => $this->ruleMock,
+            ]
+        );
+    }
+
+    public function testConstructWithWidgetInstance()
+    {
+        $widgetParams = ['conditions' => 'some conditions'];
+
+        /** @var \Magento\Widget\Model\Widget\Instance|\PHPUnit_Framework_MockObject_MockObject $widgetMock */
+        $widgetMock = $this->getMockBuilder(\Magento\Widget\Model\Widget\Instance::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $widgetMock->expects($this->once())
+            ->method('getWidgetParameters')
+            ->willReturn($widgetParams);
+
+        $this->layoutMock->expects($this->never())
+            ->method('getBlock');
+        $this->blockMock->expects($this->never())
+            ->method('getWidgetValues');
+        $this->registryMock->expects($this->once())
+            ->method('registry')
+            ->with('current_widget_instance')
+            ->willReturn($widgetMock);
+        $this->ruleMock->expects($this->once())
+            ->method('loadPost')
+            ->with($widgetParams)
+            ->willReturnSelf();
+
+        $this->objectManagerHelper->getObject(
+            Conditions::class,
+            [
+                'context' => $this->contextMock,
+                'registry' => $this->registryMock,
+                'rule' => $this->ruleMock,
+            ]
+        );
+    }
+
+    public function testConstructWithParamsFromBlock()
+    {
+        $widgetParams = ['conditions' => 'some conditions'];
+
+        $this->registryMock->expects($this->once())
+            ->method('registry')
+            ->with('current_widget_instance')
+            ->willReturn(null);
+        $this->layoutMock->expects($this->once())
+            ->method('getBlock')
+            ->with('wysiwyg_widget.options')
+            ->willReturn($this->blockMock);
+        $this->blockMock->expects($this->once())
+            ->method('getWidgetValues')
+            ->willReturn($widgetParams);
+        $this->ruleMock->expects($this->once())
+            ->method('loadPost')
+            ->with($widgetParams)
+            ->willReturnSelf();
+
+        $this->objectManagerHelper->getObject(
+            Conditions::class,
+            [
+                'context' => $this->contextMock,
+                'registry' => $this->registryMock,
+                'rule' => $this->ruleMock,
+            ]
+        );
+    }
+}

app/code/Magento/Widget/Controller/Adminhtml/Widget/LoadOptions.php

@@ -4,10 +4,21 @@
  * Copyright © 2013-2017 Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
 namespace Magento\Widget\Controller\Adminhtml\Widget;
 
+use Magento\Framework\App\ObjectManager;
+
+/**
+ * Load widget options
+ */
 class LoadOptions extends \Magento\Backend\App\Action
 {
+    /**
+     * @var \Magento\Widget\Helper\Conditions
+     */
+    private $conditionsHelper;
+    
     /**
      * Ajax responder for loading plugin options form
      *
@@ -17,14 +28,22 @@ public function execute()
     {
         try {
             $this->_view->loadLayout();
-            if ($paramsJson = $this->getRequest()->getParam('widget')) {
-                $request = $this->_objectManager->get('Magento\Framework\Json\Helper\Data')->jsonDecode($paramsJson);
+            $paramsJson = $this->getRequest()->getParam('widget');
+
+            if ($paramsJson) {
+                $request = $this->_objectManager->get(\Magento\Framework\Json\Helper\Data::class)
+                    ->jsonDecode($paramsJson);
                 if (is_array($request)) {
                     $optionsBlock = $this->_view->getLayout()->getBlock('wysiwyg_widget.options');
                     if (isset($request['widget_type'])) {
                         $optionsBlock->setWidgetType($request['widget_type']);
                     }
                     if (isset($request['values'])) {
+                        $request['values'] = array_map('htmlspecialchars_decode', $request['values']);
+                        if (isset($request['values']['conditions_encoded'])) {
+                            $request['values']['conditions'] =
+                                $this->getConditionsHelper()->decode($request['values']['conditions_encoded']);
+                        }
                         $optionsBlock->setWidgetValues($request['values']);
                     }
                 }
@@ -33,8 +52,21 @@ public function execute()
         } catch (\Magento\Framework\Exception\LocalizedException $e) {
             $result = ['error' => true, 'message' => $e->getMessage()];
             $this->getResponse()->representJson(
-                $this->_objectManager->get('Magento\Framework\Json\Helper\Data')->jsonEncode($result)
+                $this->_objectManager->get(\Magento\Framework\Json\Helper\Data::class)->jsonEncode($result)
             );
         }
     }
+    
+    /**
+     * @return \Magento\Widget\Helper\Conditions
+     * @deprecated
+     */
+    private function getConditionsHelper()
+    {
+        if (!$this->conditionsHelper) {
+            $this->conditionsHelper = ObjectManager::getInstance()->get(\Magento\Widget\Helper\Conditions::class);
+        }
+
+        return $this->conditionsHelper;
+    }
 }

app/code/Magento/Widget/Model/Widget.php

@@ -7,6 +7,7 @@
 
 /**
  * Widget model for different purposes
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class Widget
 {
@@ -50,6 +51,11 @@ class Widget
      */
     protected $conditionsHelper;
 
+    /**
+     * @var \Magento\Framework\Math\Random
+     */
+    private $mathRandom;
+
     /**
      * @param \Magento\Framework\Escaper $escaper
      * @param \Magento\Widget\Model\Config\Data $dataStorage
@@ -74,6 +80,21 @@ public function __construct(
         $this->conditionsHelper = $conditionsHelper;
     }
 
+    /**
+     * @return \Magento\Framework\Math\Random
+     *
+     * @deprecated
+     */
+    private function getMathRandom()
+    {
+        if ($this->mathRandom === null) {
+            $this->mathRandom = \Magento\Framework\App\ObjectManager::getInstance()
+                ->get(\Magento\Framework\Math\Random::class);
+        }
+        
+        return $this->mathRandom;
+    }
+
     /**
      * Return widget config based on its class type
      *
@@ -294,9 +315,12 @@ public function getWidgetDeclaration($type, $params = [], $asIs = true)
                 }
             }
             if ($value) {
-                $directive .= sprintf(' %s="%s"', $name, $value);
+                $directive .= sprintf(' %s="%s"', $name, $this->escaper->escapeQuote($value));
             }
         }
+
+        $directive .= $this->getWidgetPageVarName($params);
+
         $directive .= '}}';
 
         if ($asIs) {
@@ -309,9 +333,29 @@ public function getWidgetDeclaration($type, $params = [], $asIs = true)
             $this->getPlaceholderImageUrl($type),
             $this->escaper->escapeUrl($directive)
         );
+        
         return $html;
     }
 
+    /**
+     * @param array $params
+     * @return string
+     * @throws \Magento\Framework\Exception\LocalizedException
+     */
+    private function getWidgetPageVarName($params = [])
+    {
+        $pageVarName = '';
+        if (array_key_exists('show_pager', $params) && (bool)$params['show_pager']) {
+            $pageVarName = sprintf(
+                ' %s="%s"',
+                'page_var_name',
+                'p' . $this->getMathRandom()->getRandomString(5, \Magento\Framework\Math\Random::CHARS_LOWERS)
+            );
+        }
+        
+        return $pageVarName;
+    }
+
     /**
      * Get image URL of WYSIWYG placeholder image
      *