Merge branch 'AC-10528' into cia-2.4.8-beta1-develop-bugfix-05202024

Author: pawan-adobe-security

app/code/Magento/Sales/Helper/Admin.php

@@ -160,84 +160,6 @@ public function applySalableProductTypesFilter($collection)
      */
     public function escapeHtmlWithLinks($data, $allowedTags = null)
     {
-        if (!empty($data) && is_array($allowedTags) && in_array('a', $allowedTags)) {
-            $wrapperElementId = uniqid();
-            $domDocument = $this->domDocumentFactory->create();
-
-            $internalErrors = libxml_use_internal_errors(true);
-
-            $convmap = [0x80, 0x10FFFF, 0, 0x1FFFFF];
-            $data = mb_encode_numericentity(
-                $data,
-                $convmap,
-                'UTF-8'
-            );
-
-            $domDocument->loadHTML(
-                '<html><body id="' . $wrapperElementId . '">' . $data . '</body></html>'
-            );
-
-            libxml_use_internal_errors($internalErrors);
-
-            $linkTags = $domDocument->getElementsByTagName('a');
-
-            foreach ($linkTags as $linkNode) {
-                $linkAttributes = [];
-                foreach ($linkNode->attributes as $attribute) {
-                    $linkAttributes[$attribute->name] = $attribute->value;
-                }
-
-                foreach ($linkAttributes as $attributeName => $attributeValue) {
-                    if ($attributeName === 'href') {
-                        $url = $this->filterUrl($attributeValue ?? '');
-                        $url = $this->escaper->escapeUrl($url);
-                        $linkNode->setAttribute('href', $url);
-                    } else {
-                        $linkNode->removeAttribute($attributeName);
-                    }
-                }
-            }
-
-            $result = mb_decode_numericentity(
-                // phpcs:ignore Magento2.Functions.DiscouragedFunction
-                html_entity_decode(
-                    $domDocument->saveHTML(),
-                    ENT_QUOTES|ENT_SUBSTITUTE,
-                    'UTF-8'
-                ),
-                $convmap,
-                'UTF-8'
-            );
-
-            preg_match('/<body id="' . $wrapperElementId . '">(.+)<\/body><\/html>$/si', $result, $matches);
-            $data = !empty($matches) ? $matches[1] : '';
-        }
-
         return $this->escaper->escapeHtml($data, $allowedTags);
     }
-
-    /**
-     * Filter the URL for allowed protocols.
-     *
-     * @param string $url
-     * @return string
-     */
-    private function filterUrl(string $url): string
-    {
-        if ($url) {
-            //Revert the sprintf escaping
-            // phpcs:ignore Magento2.Functions.DiscouragedFunction
-            $urlScheme = parse_url($url, PHP_URL_SCHEME);
-            $urlScheme = $urlScheme ? strtolower($urlScheme) : '';
-            if ($urlScheme !== 'http' && $urlScheme !== 'https') {
-                $url = null;
-            }
-        }
-
-        if (!$url) {
-            $url = '#';
-        }
-
-        return $url;
-    }
 }

app/code/Magento/Sales/view/adminhtml/templates/order/comments/view.phtml

@@ -5,13 +5,14 @@
  */
 
 /** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */
+/** @var \Magento\Framework\Escaper $escaper */
 ?>
 <?php if ($_entity = $block->getEntity()): ?>
 <div id="comments_block" class="edit-order-comments">
     <div class="order-history-block">
         <div class="admin__field field-row">
             <label class="admin__field-label"
-                   for="history_comment"><?= $block->escapeHtml(__('Comment Text')) ?></label>
+                   for="history_comment"><?= $escaper->escapeHtml(__('Comment Text')) ?></label>
             <div class="admin__field-control">
                 <textarea name="comment[comment]"
                           class="admin__control-textarea"
@@ -30,7 +31,7 @@
                                id="history_notify"
                                value="1" />
                         <label class="admin__field-label"
-                               for="history_notify"><?= $block->escapeHtml(__('Notify Customer by Email')) ?></label>
+                               for="history_notify"><?= $escaper->escapeHtml(__('Notify Customer by Email')) ?></label>
                     </div>
                 <?php endif; ?>
                 <div class="admin__field admin__field-option">
@@ -40,7 +41,7 @@
                            class="admin__control-checkbox"
                            value="1" />
                     <label class="admin__field-label"
-                           for="history_visible"> <?= $block->escapeHtml(__('Visible on Storefront')) ?></label>
+                           for="history_visible"> <?= $escaper->escapeHtml(__('Visible on Storefront')) ?></label>
                 </div>
             </div>
             <div class="order-history-comments-actions">
@@ -59,17 +60,20 @@
                     <?= /* @noEscape */ $block->formatTime($_comment->getCreatedAt(), \IntlDateFormatter::MEDIUM) ?>
                 </span>
                 <span class="note-list-customer">
-                    <?= $block->escapeHtml(__('Customer')) ?>
+                    <?= $escaper->escapeHtml(__('Customer')) ?>
                     <?php if ($_comment->getIsCustomerNotified()): ?>
-                        <span class="note-list-customer-notified"><?= $block->escapeHtml(__('Notified')) ?></span>
+                        <span class="note-list-customer-notified"><?= $escaper->escapeHtml(__('Notified')) ?></span>
                     <?php else: ?>
                         <span class="note-list-customer-not-notified">
-                            <?= $block->escapeHtml(__('Not Notified')) ?>
+                            <?= $escaper->escapeHtml(__('Not Notified')) ?>
                         </span>
                     <?php endif; ?>
                 </span>
                 <div class="note-list-comment">
-                    <?= $block->escapeHtml($_comment->getComment(), ['b', 'br', 'strong', 'i', 'u', 'a']) ?>
+                    <?= /* @noEscape */ nl2br($escaper->escapeHtml(
+                        $_comment->getComment(),
+                        ['b', 'br', 'strong', 'i', 'u', 'a']
+                    ))?>
                 </div>
             </li>
         <?php endforeach; ?>
@@ -78,7 +82,7 @@
     <?php $scriptString = <<<script
 require(['prototype'], function(){
     submitComment = function() {
-        submitAndReloadArea($('comments_block').parentNode, '{$block->escapeJs($block->getSubmitUrl())}')
+        submitAndReloadArea($('comments_block').parentNode, '{$escaper->escapeJs($block->getSubmitUrl())}')
     };
     if ($('submit_comment_button')) {
         $('submit_comment_button').observe('click', submitComment);

dev/tests/integration/testsuite/Magento/Sales/Helper/AdminTest.php

@@ -76,7 +76,7 @@ public function escapeHtmlWithLinksDataProvider(): array
             ],
             [
                 '<a href=\"#\">Foo</a>',
-                '<a href="#">Foo</a>',
+                '<a href="%5C&quot;#%5C&quot;">Foo</a>',
                 'allowedTags' => ['a'],
             ],
             [
@@ -86,7 +86,7 @@ public function escapeHtmlWithLinksDataProvider(): array
             ],
             [
                 "<a href=\"javascript&colon;alert(59)\">Foo</a>",
-                '<a href="#">Foo</a>',
+                '<a href="javascript&amp;colon;alert(59)">Foo</a>',
                 'allowedTags' => ['a'],
             ],
             [