From 484cf8afc550e98bbf2c03fbb29a8450a32e7948 Mon Sep 17 00:00:00 2001
From: Daniel Fahlke
Date: Wed, 24 Jul 2024 15:20:18 +0200
Subject: [PATCH] Merge commit from fork
* introduce wrapper class to keep unescaped variants available for templates
* escape more settings before usage
---
 .../Core/Model/Security/HtmlEscapedString.php | 35 +++++++++++++++++++
 app/code/core/Mage/Page/Block/Html/Header.php | 16 ++++++---
 .../core/Mage/Page/Block/Html/Welcome.php | 4 ++-
 3 files changed, 50 insertions(+), 5 deletions(-)
 create mode 100644 app/code/core/Mage/Core/Model/Security/HtmlEscapedString.php
diff --git a/app/code/core/Mage/Core/Model/Security/HtmlEscapedString.php b/app/code/core/Mage/Core/Model/Security/HtmlEscapedString.php
new file mode 100644
index 00000000000..3f654ece1fd
--- /dev/null
+++ b/app/code/core/Mage/Core/Model/Security/HtmlEscapedString.php
@@ -0,0 +1,35 @@
+originalValue = $originalValue;
+ $this->allowedTags = $allowedTags;
+ }
+
+ public function __toString(): string
+ {
+ return (string) Mage::helper('core')->escapeHtml(
+ $this->originalValue,
+ $this->allowedTags
+ );
+ }
+
+ public function getUnescapedValue(): string
+ {
+ return $this->originalValue;
+ }
+}
diff --git a/app/code/core/Mage/Page/Block/Html/Header.php b/app/code/core/Mage/Page/Block/Html/Header.php
index 11362d55cc7..dab05f44c1f 100644
--- a/app/code/core/Mage/Page/Block/Html/Header.php
+++ b/app/code/core/Mage/Page/Block/Html/Header.php
@@ -57,7 +57,9 @@ public function setLogo($logo_src, $logo_alt)
 public function getLogoSrc()
 {
 if (empty($this->_data['logo_src'])) {
- $this->_data['logo_src'] = Mage::getStoreConfig('design/header/logo_src');
+ $this->_data['logo_src'] = new Mage_Core_Model_Security_HtmlEscapedString(
+ (string) Mage::getStoreConfig('design/header/logo_src')
+ );
 }
 return $this->getSkinUrl($this->_data['logo_src']);
 }
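Review bot: `getUnescapedValue()` hands back the raw configuration string with no docblock, so nothing tells a template author that the returned value is unescaped and must be escaped for whatever sink it ends up in; add `/** Raw, unescaped value. The caller must escape it for its output context (HTML text, attribute, URL, JS). */` above it. `__toString()` deserves a matching note, `/** HTML-escaped via Mage::helper('core')->escapeHtml(); tags listed in $allowedTags pass through unescaped. */`, because the `$allowedTags` pass-through is the one way this wrapper can still emit markup. As rendered here the hunk is missing the added lines before `originalValue = $originalValue;` (class header, property declarations, constructor signature), so `declare(strict_types=1)`, `final` and the parameter types could not be checked from this page.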
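Review bot: In `getLogoSrc()` the config value is HTML-escaped before it is handed to `getSkinUrl()`, so the escaping is applied in a path/URL-building step rather than at the HTML sink: `getSkinUrl()` now receives an object that stringifies to entity-encoded text, and any strict string check inside it (not visible here) would see an object instead of a string. The same applies to `getLogoSrcSmall()` in the next hunk. Since `empty()` is never true for an object, the config is also no longer re-read once it was stored as an empty string; that is a small behavioral change from the removed line, probably harmless. A shape that escapes at the sink while tolerating a plain string set via `setLogo()` would be `$src = $this->_data['logo_src'];` / `$raw = $src instanceof Mage_Core_Model_Security_HtmlEscapedString ? $src->getUnescapedValue() : (string) $src;` / `return $this->escapeHtml($this->getSkinUrl($raw));`, assuming templates echo the result directly.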
@@ -68,7 +70,9 @@ public function getLogoSrc()
 public function getLogoSrcSmall()
 {
 if (empty($this->_data['logo_src_small'])) {
- $this->_data['logo_src_small'] = Mage::getStoreConfig('design/header/logo_src_small');
+ $this->_data['logo_src_small'] = new Mage_Core_Model_Security_HtmlEscapedString(
+ (string) Mage::getStoreConfig('design/header/logo_src_small')
+ );
 }
 return $this->getSkinUrl($this->_data['logo_src_small']);
 }
@@ -79,7 +83,9 @@ public function getLogoSrcSmall()
 public function getLogoAlt()
 {
 if (empty($this->_data['logo_alt'])) {
- $this->_data['logo_alt'] = Mage::getStoreConfig('design/header/logo_alt');
+ $this->_data['logo_alt'] = new Mage_Core_Model_Security_HtmlEscapedString(
+ (string) Mage::getStoreConfig('design/header/logo_alt')
+ );
 }
 return $this->_data['logo_alt'];
 }
@@ -97,7 +103,9 @@ public function getWelcome()
 if (Mage::isInstalled() && Mage::getSingleton('customer/session')->isLoggedIn()) {
 $this->_data['welcome'] = $this->__('Welcome, %s!', $this->escapeHtml(Mage::getSingleton('customer/session')->getCustomer()->getName()));
 } else {
- $this->_data['welcome'] = Mage::getStoreConfig('design/header/welcome');
+ $this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString(
+ (string) Mage::getStoreConfig('design/header/welcome')
+ );
 }
 }
diff --git a/app/code/core/Mage/Page/Block/Html/Welcome.php b/app/code/core/Mage/Page/Block/Html/Welcome.php
index ec593c3e3ef..2f1e1f98238 100644
--- a/app/code/core/Mage/Page/Block/Html/Welcome.php
+++ b/app/code/core/Mage/Page/Block/Html/Welcome.php
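Review bot: `getLogoAlt()` now returns a `Mage_Core_Model_Security_HtmlEscapedString` when the value comes from config, but a value stored earlier through `setLogo($logo_src, $logo_alt)` (visible in the first hunk header; presumably it writes the same `_data` keys) stays whatever the caller passed and is never wrapped, so the method's return type is now a union and the unescaped path still exists. If a `@return string` docblock precedes the method (outside this hunk), change it to `@return string|Mage_Core_Model_Security_HtmlEscapedString` and add a one-line note that only the config-sourced value is escaped, so template authors do not assume the setter path is covered.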
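Review bot: In `getWelcome()` the two branches now store different types in `$this->_data['welcome']`: the logged-in branch keeps an already-escaped plain string built by `$this->__()` and `escapeHtml()`, while the fallback branch stores a `Mage_Core_Model_Security_HtmlEscapedString`. A template that calls `getUnescapedValue()` on the result, which is the stated reason for introducing the wrapper, would fatal for logged-in customers, and the method has no single return type to document. The same split exists in `_toHtml()` of Welcome.php in the last hunk. Either wrap the logged-in branch the same way, `$this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString($this->__('Welcome, %s!', Mage::getSingleton('customer/session')->getCustomer()->getName()));`, so the whole string is escaped once in `__toString()` (acceptable only if no translation of that string carries markup), or document the union as `@return string|Mage_Core_Model_Security_HtmlEscapedString`. The enclosing method starts and ends outside this hunk.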
@@ -44,7 +44,9 @@ protected function _toHtml()
 if (Mage::isInstalled() && $this->_getSession()->isLoggedIn()) {
 $this->_data['welcome'] = $this->__('Welcome, %s!', $this->escapeHtml($this->_getSession()->getCustomer()->getName()));
 } else {
- $this->_data['welcome'] = Mage::getStoreConfig('design/header/welcome');
+ $this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString(
+ (string) Mage::getStoreConfig('design/header/welcome')
+ );
 }
 }