
Commit 4e73e60

sreichelkiatng
andauthored
Added method to make use of Mage_Core_Model_Security_HtmlEscapedString easier (OpenMage#4123)
* Rector: CQ - UnusedForeachValueToArrayKeysRector (#1) * Rector: CQ - UnusedForeachValueToArrayKeysRector See Rector\CodeQuality\Rector\Foreach_\UnusedForeachValueToArrayKeysRector * fixes + phpstan See fix at rector: rectorphp/rector-src#6164 * Revert "Rector: CQ - UnusedForeachValueToArrayKeysRector (#1)" This reverts commit 3d7eaf6. * Updates for 20.10.1 release * Re-add possibility to get original value * Changed default value * Moved method to Mage_Core_Block_Abstract * Ignore some phpcs-ecg errors [skip ci] * Added method to work with arrays * Added method to work with arrays (2) * Typo [skip ci] * Update app/code/core/Mage/Core/Model/Security/HtmlEscapedString.php Co-authored-by: Ng Kiat Siong <[email protected]> * Renamed methods * Reverted renaming, updated docblocks --------- Co-authored-by: Ng Kiat Siong <[email protected]>
1 parent 5fd5e04 commit 4e73e60


10 files changed

+102
-41
lines changed

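--- a/app/Mage.php
+++ b/app/Mage.php
@@ -433,7 +433,7 @@ public static function getStoreConfigAsInt(string $path, $store = null): int
 * Retrieve config flag for store by path
 *
 * @param string $path
-* @param mixed $store
+* @param null|string|bool|int|Mage_Core_Model_Store $store
 * @return bool
 */
 public static function getStoreConfigFlag($path, $store = null)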

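--- a/app/code/core/Mage/Adminhtml/Block/Sales/Order/Comments/View.php
+++ b/app/code/core/Mage/Adminhtml/Block/Sales/Order/Comments/View.php
@@ -77,9 +77,9 @@ public function canSendCommentEmail()
 /**
 * Replace links in string
 *
-* @param array|string $data
-* @param null|array $allowedTags
-* @return string
+* @param string|string[] $data
+* @param array|null $allowedTags
+* @return null|string|string[]
 */
 public function escapeHtml($data, $allowedTags = null)
 {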

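--- a/app/code/core/Mage/Adminhtml/Block/Sales/Order/View/History.php
+++ b/app/code/core/Mage/Adminhtml/Block/Sales/Order/View/History.php
@@ -80,9 +80,9 @@ public function isCustomerNotificationNotApplicable(Mage_Sales_Model_Order_Statu
 /**
 * Replace links in string
 *
-* @param array|string $data
-* @param null|array $allowedTags
-* @return string
+* @param string|string[] $data
+* @param array|null $allowedTags
+* @return null|string|string[]
 */
 public function escapeHtml($data, $allowedTags = null)
 {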

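--- a/app/code/core/Mage/Adminhtml/Helper/Sales.php
+++ b/app/code/core/Mage/Adminhtml/Helper/Sales.php
@@ -109,9 +109,9 @@ public function applySalableProductTypesFilter($collection)
 /**
 * Escape string preserving links
 *
-* @param array|string $data
-* @param null|array $allowedTags
-* @return string
+* @param string|string[] $data
+* @param array|null $allowedTags
+* @return null|string|string[]
 */
 public function escapeHtmlWithLinks($data, $allowedTags = null)
 {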

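--- a/app/code/core/Mage/Core/Block/Abstract.php
+++ b/app/code/core/Mage/Core/Block/Abstract.php
@@ -165,6 +165,7 @@ abstract class Mage_Core_Block_Abstract extends Varien_Object
 /**
 * @var Varien_Object
 */
+// phpcs:ignore Ecg.PHP.PrivateClassMember.PrivateClassMemberError
 private static $_transportObject;
 
 /**
@@ -524,6 +525,7 @@ public function unsetCallChild($alias, $callback, $result, $params)
 }
 
 Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($child, $callback, $params);
+// phpcs:ignore Ecg.Security.ForbiddenFunction.Found
 if ($result == call_user_func_array([&$child, $callback], $params)) {
 $this->unsetChild($alias);
 }
@@ -863,7 +865,7 @@ public function getChildGroup($groupName, $callback = null, $skipEmptyResults =
 *
 * @param string $alias
 * @param string $key
-* @return mixed
+* @return mixed|void
 */
 public function getChildData($alias, $key = '')
 {
@@ -1167,6 +1169,7 @@ public function getModuleName()
 public function __()
 {
 $args = func_get_args();
+// phpcs:ignore Ecg.Classes.ObjectInstantiation.DirectInstantiation
 $expr = new Mage_Core_Model_Translate_Expr(array_shift($args), $this->getModuleName());
 array_unshift($args, $expr);
 return $this->_getApp()->getTranslator()->translate($args);
@@ -1187,15 +1190,49 @@ public function htmlEscape($data, $allowedTags = null)
 /**
 * Escape html entities
 *
-* @param string|array $data
-* @param array $allowedTags
-* @return string
+* @param string|string[] $data
+* @param array|null $allowedTags
+* @return null|string|string[]
 */
 public function escapeHtml($data, $allowedTags = null)
 {
 return $this->helper('core')->escapeHtml($data, $allowedTags);
 }
 
+/**
+* Wrapper for escapeHtml() function with keeping original value
+*
+* @param string $data
+* @param string[]|null $allowedTags
+* @return Mage_Core_Model_Security_HtmlEscapedString
+*
+* @see Mage_Core_Model_Security_HtmlEscapedString::getUnescapedValue()
+*/
+public function escapeHtmlAsObject(string $data, ?array $allowedTags = null): Mage_Core_Model_Security_HtmlEscapedString
+{
+// phpcs:ignore Ecg.Classes.ObjectInstantiation.DirectInstantiation
+return new Mage_Core_Model_Security_HtmlEscapedString($data, $allowedTags);
+}
+
+/**
+* Wrapper for escapeHtml() function with keeping original value
+*
+* @param string[] $data
+* @param string[]|null $allowedTags
+* @return Mage_Core_Model_Security_HtmlEscapedString[]
+*
+* @see Mage_Core_Model_Security_HtmlEscapedString::getUnescapedValue()
+*/
+public function escapeHtmlArrayAsObject(array $data, ?array $allowedTags = null): array
+{
+$result = [];
+foreach ($data as $key => $string) {
+$result[$key] = $this->escapeHtmlAsObject($string, $allowedTags);
+}
+
+return $result;
+}
+
 /**
 * Wrapper for standard strip_tags() function with extra functionality for html entities
 *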
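Review bot: escapeHtmlArrayAsObject() hands every element of $data to the string-typed escapeHtmlAsObject(), so an element that is not a string (a nested array, or null) raises a TypeError instead of being escaped recursively the way escapeHtml() does for its string|string[] input; the docblock promises string[] but nothing in the loop enforces or documents that contract. Either state it, `* @throws TypeError if an element of $data is not a string (nested arrays are not flattened)`, or guard in the loop before the call. The summary "Wrapper for escapeHtml() function" on both new methods is also misleading: no escaping happens here, the raw value is stored and escaping is deferred to Mage_Core_Model_Security_HtmlEscapedString::__toString(), which is worth saying explicitly so callers know the returned object carries the unescaped value until it is cast to string.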

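--- a/app/code/core/Mage/Core/Helper/Abstract.php
+++ b/app/code/core/Mage/Core/Helper/Abstract.php
@@ -178,9 +178,10 @@ public function __()
 }
 
 /**
-* @param array $data
-* @param array $allowedTags
-* @return mixed
+* @param string|string[] $data
+* @param array|null $allowedTags
+* @return null|string|string[]
+*
 * @see self::escapeHtml()
 * @deprecated after 1.4.0.0-rc1
 */
@@ -192,9 +193,9 @@ public function htmlEscape($data, $allowedTags = null)
 /**
 * Escape html entities
 *
-* @param string|array $data
-* @param array $allowedTags
-* @return mixed
+* @param string|string[] $data
+* @param array|null $allowedTags
+* @return null|string|string[]
 */
 public function escapeHtml($data, $allowedTags = null)
 {
@@ -244,7 +245,7 @@ function ($matches) {
 * Wrapper for standard strip_tags() function with extra functionality for html entities
 *
 * @param string $data
-* @param string $allowableTags
+* @param null|string|string[] $allowableTags
 * @param bool $escape
 * @return string
 */
@@ -320,9 +321,9 @@ public function escapeScriptIdentifiers($data)
 /**
 * Escape quotes in java script
 *
-* @param mixed $data
+* @param string|string[] $data
 * @param string $quote
-* @return mixed
+* @return string|string[]
 */
 public function jsQuoteEscape($data, $quote = '\'')
 {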

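--- a/app/code/core/Mage/Core/Model/Layout.php
+++ b/app/code/core/Mage/Core/Model/Layout.php
@@ -419,7 +419,7 @@ protected function _translateLayoutNode($node, &$args)
 * Save block in blocks registry
 *
 * @param string $name
-* @param Mage_Core_Model_Layout $block
+* @param Mage_Core_Block_Abstract $block
 * @return $this
 */
 public function setBlock($name, $block)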

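--- a/app/code/core/Mage/Core/Model/Security/HtmlEscapedString.php
+++ b/app/code/core/Mage/Core/Model/Security/HtmlEscapedString.php
@@ -3,12 +3,35 @@
 declare(strict_types=1);
 
 /**
+* OpenMage
 *
+* This source file is subject to the Open Software License (OSL 3.0)
+* that is bundled with this package in the file LICENSE.txt.
+* It is also available at https://opensource.org/license/osl-3-0-php
+*
+* @category Mage
+* @package Mage_Core
+* @copyright Copyright (c) 2024 The OpenMage Contributors (https://www.openmage.org)
+* @license https://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
+*/
+
+/**
+* Wrapper to escape a string value with a method to get the original string value
+*
+* @category Mage
+* @package Mage_Core
 */
 class Mage_Core_Model_Security_HtmlEscapedString implements Stringable
 {
-protected $originalValue;
-protected $allowedTags;
+/**
+* @var string
+*/
+protected string $originalValue;
+
+/**
+* @var string[]|null
+*/
+protected ?array $allowedTags;
 
 /**
 * @param string $originalValue
@@ -20,6 +43,11 @@ public function __construct(string $originalValue, ?array $allowedTags = null)
 $this->allowedTags = $allowedTags;
 }
 
+/**
+* Get escaped html entities
+*
+* @return string
+*/
 public function __toString(): string
 {
 return (string) Mage::helper('core')->escapeHtml(
@@ -28,6 +56,11 @@ public function __toString(): string
 );
 }
 
+/**
+* Get un-escaped html entities
+*
+* @return string
+*/
 public function getUnescapedValue(): string
 {
 return $this->originalValue;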
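Review bot: The docblock added on getUnescapedValue() says "Get un-escaped html entities", but the method returns the constructor's original string untouched — it neither decodes entities nor escapes anything — so the summary misdescribes the return value, and the matching "Get escaped html entities" on __toString() has the same problem (that method returns the whole value escaped by the core helper's escapeHtml(), whose call continues outside the hunk). Suggest `* Get the original value exactly as passed to the constructor (not escaped; unsafe for direct HTML output)` on getUnescapedValue() and `* Get the value escaped for HTML via Mage_Core_Helper_Abstract::escapeHtml()` on __toString(), so a reader of the class knows which accessor yields the raw string.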

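--- a/app/code/core/Mage/Page/Block/Html/Header.php
+++ b/app/code/core/Mage/Page/Block/Html/Header.php
@@ -57,9 +57,7 @@ public function setLogo($logo_src, $logo_alt)
 public function getLogoSrc()
 {
 if (empty($this->_data['logo_src'])) {
-$this->_data['logo_src'] = new Mage_Core_Model_Security_HtmlEscapedString(
-(string) Mage::getStoreConfig('design/header/logo_src')
-);
+$this->_data['logo_src'] = $this->escapeHtmlAsObject((string) Mage::getStoreConfig('design/header/logo_src'));
 }
 return $this->getSkinUrl($this->_data['logo_src']);
 }
@@ -70,9 +68,7 @@ public function getLogoSrc()
 public function getLogoSrcSmall()
 {
 if (empty($this->_data['logo_src_small'])) {
-$this->_data['logo_src_small'] = new Mage_Core_Model_Security_HtmlEscapedString(
-(string) Mage::getStoreConfig('design/header/logo_src_small')
-);
+$this->_data['logo_src_small'] = $this->escapeHtmlAsObject((string) Mage::getStoreConfig('design/header/logo_src_small'));
 }
 return $this->getSkinUrl($this->_data['logo_src_small']);
 }
@@ -83,9 +79,7 @@ public function getLogoSrcSmall()
 public function getLogoAlt()
 {
 if (empty($this->_data['logo_alt'])) {
-$this->_data['logo_alt'] = new Mage_Core_Model_Security_HtmlEscapedString(
-(string) Mage::getStoreConfig('design/header/logo_alt')
-);
+$this->_data['logo_alt'] = $this->escapeHtmlAsObject((string) Mage::getStoreConfig('design/header/logo_alt'));
 }
 return $this->_data['logo_alt'];
 }
@@ -103,9 +97,7 @@ public function getWelcome()
 if (Mage::isInstalled() && Mage::getSingleton('customer/session')->isLoggedIn()) {
 $this->_data['welcome'] = $this->__('Welcome, %s!', $this->escapeHtml(Mage::getSingleton('customer/session')->getCustomer()->getName()));
 } else {
-$this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString(
-(string) Mage::getStoreConfig('design/header/welcome')
-);
+$this->_data['welcome'] = $this->escapeHtmlAsObject((string) Mage::getStoreConfig('design/header/welcome'));
 }
 }
 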
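--- a/app/code/core/Mage/Page/Block/Html/Welcome.php
+++ b/app/code/core/Mage/Page/Block/Html/Welcome.php
@@ -44,9 +44,7 @@ protected function _toHtml()
 if (Mage::isInstalled() && $this->_getSession()->isLoggedIn()) {
 $this->_data['welcome'] = $this->__('Welcome, %s!', $this->escapeHtml($this->_getSession()->getCustomer()->getName()));
 } else {
-$this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString(
-(string) Mage::getStoreConfig('design/header/welcome')
-);
+$this->_data['welcome'] = $this->escapeHtmlAsObject((string) Mage::getStoreConfig('design/header/welcome'));
 }
 }
 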