Merge pull request #19 from mageplaza/2.4-develop

- Compatible with Magento v2.3.6
- Fixed XSS bugs

Author: Tuvpt

Helper/Data.php

@@ -57,7 +57,7 @@ public function getLayerConfiguration($filters)
             if ($key === 'amp;dimbaar') {
                 continue;
             }
-            $filterParams[$this->escapeJs(htmlentities($key))] = $this->escapeJs(htmlentities($param));
+            $filterParams[htmlentities($key)] = htmlentities($param);
         }
         $config = new DataObject([
             'active' => array_keys($filterParams),
@@ -67,32 +67,4 @@ public function getLayerConfiguration($filters)
 
         return self::jsonEncode($config->getData());
     }
-
-    /**
-     * from Magento Core
-     *
-     * @param string $string
-     *
-     * @return string|null
-     */
-    public function escapeJs($string)
-    {
-        if ($string === '' || ctype_digit($string)) {
-            return $string;
-        }
-
-        return preg_replace_callback(
-            '/[^a-z0-9,\._]/iSu',
-            function ($matches) {
-                $chr = $matches[0];
-                if (strlen($chr) != 1) {
-                    $chr = mb_convert_encoding($chr, 'UTF-16BE', 'UTF-8');
-                    $chr = ($chr === false) ? '' : $chr;
-                }
-
-                return sprintf('\\u%04s', strtoupper(bin2hex($chr)));
-            },
-            $string
-        );
-    }
 }

view/frontend/templates/layer/view.phtml

@@ -79,7 +79,7 @@
             <script type="text/x-magento-init">
                 {
                      ".block-content.filter-content":{
-                         "mpAjax": <?= /** @noEscape */ $layerConfig ?>
+                         "mpAjax": <?= /** @noEscape */ $block->escapeJs($layerConfig) ?>
                      }
                 }
             </script>