MAGE-1381 Add XSS protection with SecureHtmlRenderer for PHPCS

Author: cammonro

view/frontend/templates/internals/configuration.phtml

@@ -1,32 +1,53 @@
 <?php
 
 /** @var \Algolia\AlgoliaSearch\Block\Configuration $block */
+/** @var \Magento\Framework\Escaper $escaper */
 
 $configuration = $block->getConfiguration();
 
+// Escape untrusted input (escape inline for PHPCS where possible)
+$instantSearchHideCss = $escaper->escapeHtml($configuration['instant']['selector']) . ' {display:none}';
+
 if (class_exists('\Magento\Framework\View\Helper\SecureHtmlRenderer')): ?>
     <?php
-        /** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */
+    /** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */
     if ($block->canLoadInstantSearch()) {
-        $css = /* @noEscape */ $secureRenderer->renderTag('style', [], $configuration['instant']['selector'] . ' {display:none}', false);
-        /* @noEscape */ echo $secureRenderer->renderTag('script', [], 'document.write(\'' . $css . '\');', false);
+        $styleElement = $secureRenderer->renderTag('style', [], $instantSearchHideCss, false);
+        /** SecureHtmlRenderer::renderTag yields a false positive on PHPCS */
+        echo /** phpcs:ignore Magento2.Security.EscapeOutput.OutputNotEscaped */
+            $secureRenderer->renderTag(
+                'script',
+                [],
+                'document.write(\'' . $escaper->escapeJs($styleElement) . '\');',
+                false
+            );
     }
     ?>
 
-    <?= /* @noEscape */ $secureRenderer->renderTag('script', [], "window.algoliaConfig = " . json_encode($configuration) . ';', false); ?>
+    <?=
+    /**
+     * SecureHtmlRenderer::renderTag yields a false positive on PHPCS
+     * phpcs:ignore Magento2.Security.EscapeOutput.OutputNotEscaped
+     */
+    $secureRenderer->renderTag(
+        'script',
+        [],
+        "window.algoliaConfig = JSON.parse('" . $escaper->escapeJs(json_encode($configuration)) . "')",
+        false
+    )
+    ?>
 <?php else: ?>
     <script>
         <?php
         if ($block->canLoadInstantSearch()):
-            $css = '<style type="text/css">' . $configuration['instant']['selector'] . ' {display:none}</style>';
+            $styleElement = "<style>$instantSearchHideCss</style>";
             ?>
         // Hide the instant-search selector ASAP to remove flickering. Will be re-displayed later with JS.
-        document.write('<?= /* @noEscape */ $css; ?>');
+        document.write('<?= $escaper->escapeJs($styleElement) ?>');
             <?php
         endif;
         ?>
-
-        window.algoliaConfig = <?= /* @noEscape */ json_encode($configuration); ?>;
+        window.algoliaConfig = JSON.parse('<?= $escaper->escapeJs(json_encode($configuration)) ?>');
     </script>
 <?php endif; ?>
 
@@ -39,4 +60,4 @@ if (class_exists('\Magento\Framework\View\Helper\SecureHtmlRenderer')): ?>
             }
         }
     </script>
-<?php endif;?>
+<?php endif; ?>