MAGE-1377 Address Codacy escaping complaint

Author: cammonro

Model/Backend/QueueCron.php

@@ -7,7 +7,9 @@
 
 class QueueCron extends Value
 {
-    const CRON_REGEX = '/^(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)$/';
+    const CRON_FORMAT_REGEX = '/^(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)$/';
+    const CRON_DISALLOW_REGEX = '/[^@a-z0-9\*\-,\/ ]/';
+
 
     protected array $mappings = [
         '@yearly' => '0 0 1 1 *',
@@ -27,8 +29,15 @@ public function beforeSave()
             $this->setValue($value);
         }
 
-        if (!preg_match(self::CRON_REGEX, $value)) {
-            throw new InvalidCronException("Cron expression \"$value\" is not valid.");
+        if (!preg_match(self::CRON_FORMAT_REGEX, $value)) {
+            $safeValue = preg_replace(self::CRON_DISALLOW_REGEX, '', (string) $value);
+            $msg = ($safeValue !== $value)
+                ? 'Cron expression is invalid.'
+                : sprintf(
+                    'Cron expression "%s" is not valid.',
+                    $safeValue
+                );
+            throw new InvalidCronException($msg);
         }
 
         return parent::beforeSave();

Test/Unit/Model/Backend/QueueCronTest.php

@@ -31,7 +31,7 @@ protected function setUp(): void
     /**
      * @dataProvider valuesProvider
      */
-    public function testInput($value, $isValid): void
+    public function testInput($value, $isValid, $canReplay = true): void
     {
         $this->queueCronModel->setValue($value);
 
@@ -45,8 +45,11 @@ public function testInput($value, $isValid): void
                 "Cron expression \"$value\" is not valid but it should be."
             );
 
+            $msg = $canReplay
+                ? "Cron expression \"$value\" is not valid."
+                : "Cron expression is invalid.";
             $this->assertEquals(
-                "Cron expression \"$value\" is not valid.",
+                $msg,
                 $exception->getMessage()
             );
         }
@@ -94,6 +97,11 @@ public static function valuesProvider(): array
             [
                 'value' => '@foo', // Not working alias
                 'isValid' => false
+            ],
+            [
+                'value' => '"><script>alert(\'XSS\')</script>',
+                'isValid' => false,
+                'canReplay' => false
             ]
         ];
     }