MAGETWO-57271: Modify escapeHtml function to filter not allowed attributes and tags

Igor Melnikov · Igor Melnikov · commit df261e75bd8e · 2016-09-01T17:13:48.000-05:00
Modifying function to filter not allowed tags and attributes
diff --git a/lib/internal/Magento/Framework/Escaper.php b/lib/internal/Magento/Framework/Escaper.php
@@ -76,7 +76,7 @@ function ($errorNumber, $errorString) {
                 } catch (\Exception $e) {
                     restore_error_handler();
                     $this->getLogger()->critical($e);
-                    return '';
+                    return $this->escapeHtml($data);
                 }
                 restore_error_handler();
 
diff --git a/lib/internal/Magento/Framework/Test/Unit/EscaperTest.php b/lib/internal/Magento/Framework/Test/Unit/EscaperTest.php
@@ -225,7 +225,7 @@ public function escapeHtmlDataProvider()
             ],
             'html and body tags' => [
                 'data' => '<html><body><span>String</span></body></html>',
-                'expected' => '',
+                'expected' => '&lt;html&gt;&lt;body&gt;&lt;span&gt;String&lt;/span&gt;&lt;/body&gt;&lt;/html&gt;',
                 'allowedTags' => ['span'],
             ],
         ];
@@ -244,7 +244,7 @@ public function escapeHtmlInvalidDataProvider()
             ],
             'text with invalid html' => [
                 'data' => '<spa>n id="id1">Some string</span>',
-                'expected' => '',
+                'expected' => '&lt;spa&gt;n id=&quot;id1&quot;&gt;Some string&lt;/span&gt;',
                 'allowedTags' => ['span'],
             ],
         ];

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ function ($errorNumber, $errorString) {`
`76`	`76`	`} catch (\Exception $e) {`
`77`	`77`	`restore_error_handler();`
`78`	`78`	`$this->getLogger()->critical($e);`
`79`		`- return '';`
	`79`	`+ return $this->escapeHtml($data);`
`80`	`80`	`}`
`81`	`81`	`restore_error_handler();`
`82`	`82`