diff --git a/app/code/Magento/Cms/Block/Adminhtml/Block/Widget/Chooser.php b/app/code/Magento/Cms/Block/Adminhtml/Block/Widget/Chooser.php
index fed2f67da6f177806559e463deb8fda56a2fbb3f..11a83c181d64f504d267524440423a30c90b2970 100644
--- a/app/code/Magento/Cms/Block/Adminhtml/Block/Widget/Chooser.php
+++ b/app/code/Magento/Cms/Block/Adminhtml/Block/Widget/Chooser.php
@@ -81,7 +81,7 @@ class Chooser extends \Magento\Backend\Block\Widget\Grid\Extended
 if ($element->getValue()) {
 $block = $this->_blockFactory->create()->load($element->getValue());
 if ($block->getId()) {
- $chooser->setLabel($block->getTitle());
+ $chooser->setLabel($this->escapeHtml($block->getTitle()));
 }
 }
diff --git a/app/code/Magento/Cms/Block/Adminhtml/Page/Widget/Chooser.php b/app/code/Magento/Cms/Block/Adminhtml/Page/Widget/Chooser.php
index addaf3f4926b8e05f48833b16e540eb73ad295ef..54c169c890a9b8f8901203bff0a9a3a6d4e69275 100644
--- a/app/code/Magento/Cms/Block/Adminhtml/Page/Widget/Chooser.php
+++ b/app/code/Magento/Cms/Block/Adminhtml/Page/Widget/Chooser.php
@@ -98,7 +98,7 @@ class Chooser extends \Magento\Backend\Block\Widget\Grid\Extended
 if ($element->getValue()) {
 $page = $this->_pageFactory->create()->load((int)$element->getValue());
 if ($page->getId()) {
- $chooser->setLabel($page->getTitle());
+ $chooser->setLabel($this->escapeHtml($page->getTitle()));
 }
 }
diff --git a/app/code/Magento/Cms/Test/Unit/Block/Adminhtml/Block/Widget/ChooserTest.php b/app/code/Magento/Cms/Test/Unit/Block/Adminhtml/Block/Widget/ChooserTest.php
index 0c075194e3330d099d7bb12b2427b971621f8a81..55761dae44ac94230eb126aa182e22394aaf1d32 100644
--- a/app/code/Magento/Cms/Test/Unit/Block/Adminhtml/Block/Widget/ChooserTest.php
+++ b/app/code/Magento/Cms/Test/Unit/Block/Adminhtml/Block/Widget/ChooserTest.php
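Review bot: The escaping is applied where the title is handed to `setLabel` inside `prepareElementHtml`, so the output is only safe if the widget chooser template that renders the label does not escape it again; that template is outside this change and should be checked, because a second `escapeHtml` there would double-encode titles containing `&`, `<` or `"`, while a label emitted into an attribute or script context would need a context-specific escaper rather than `escapeHtml`. The same one-line change appears in the Page chooser hunk (`$chooser->setLabel($this->escapeHtml($page->getTitle()));`) and the same caveat applies there. A why-comment on the added line would keep the escaping from being dropped in a later refactor, e.g. `// Title is stored admin input; escape it before it becomes the chooser label.` The enclosing method begins and ends outside both hunks.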
@@ -35,6 +35,11 @@ class ChooserTest extends \PHPUnit_Framework_TestCase
 */
 protected $urlBuilderMock;
+ /**
+ * @var \Magento\Framework\Escaper|\PHPUnit_Framework_MockObject_MockObject
+ */
+ protected $escaper;
+
 /**
 * @var \Magento\Cms\Model\BlockFactory|\PHPUnit_Framework_MockObject_MockObject
 */
@@ -66,6 +71,14 @@ class ChooserTest extends \PHPUnit_Framework_TestCase
 $this->urlBuilderMock = $this->getMockBuilder('Magento\Framework\UrlInterface')
 ->disableOriginalConstructor()
 ->getMock();
+ $this->escaper = $this->getMockBuilder('Magento\Framework\Escaper')
+ ->disableOriginalConstructor()
+ ->setMethods(
+ [
+ 'escapeHtml',
+ ]
+ )
+ ->getMock();
 $this->blockFactoryMock = $this->getMockBuilder('Magento\Cms\Model\BlockFactory')
 ->setMethods(
 [
@@ -90,6 +103,7 @@ class ChooserTest extends \PHPUnit_Framework_TestCase
 [
 'getTitle',
 'load',
+ 'getId',
 ]
 )
 ->getMock();
@@ -112,15 +126,16 @@ class ChooserTest extends \PHPUnit_Framework_TestCase
 $this->context = $objectManager->getObject(
 'Magento\Backend\Block\Template\Context',
 [
- 'layout' => $this->layoutMock,
+ 'layout' => $this->layoutMock,
 'mathRandom' => $this->mathRandomMock,
- 'urlBuilder' => $this->urlBuilderMock
+ 'urlBuilder' => $this->urlBuilderMock,
+ 'escaper' => $this->escaper,
 ]
 );
 $this->this = $objectManager->getObject(
 'Magento\Cms\Block\Adminhtml\Block\Widget\Chooser',
 [
- 'context' => $this->context,
+ 'context' => $this->context,
 'blockFactory' => $this->blockFactoryMock
 ]
 );
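Review bot: The `@@ -112,15 +126,16 @@` hunk rewrites `'layout' => $this->layoutMock,` and `'context' => $this->context,` only in whitespace alignment, which mixes cosmetic churn into a security fix and hides the real additions (`'escaper' => $this->escaper,` and the trailing comma on `'urlBuilder'`). If the re-alignment is kept, `'blockFactory' => $this->blockFactoryMock` should gain the trailing comma its neighbouring entries now have, so the two `getObject` argument arrays are formatted the same way. `setUp` starts and ends outside these hunks.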
@@ -135,13 +150,14 @@ class ChooserTest extends \PHPUnit_Framework_TestCase
 */
 public function testPrepareElementHtml($elementValue, $modelBlockId)
 {
- $elementId = 1;
- $uniqId = '126hj4h3j73hk7b347jhkl37gb34';
- $sourceUrl = 'cms/block_widget/chooser/126hj4h3j73hk7b347jhkl37gb34';
- $config = ['key1' => 'value1'];
- $fieldsetId = 2;
- $html = 'some html';
- $title = 'some title';
+ $elementId = 1;
+ $uniqId = '126hj4h3j73hk7b347jhkl37gb34';
+ $sourceUrl = 'cms/block_widget/chooser/126hj4h3j73hk7b347jhkl37gb34';
+ $config = ['key1' => 'value1'];
+ $fieldsetId = 2;
+ $html = 'some html';
+ $title = 'some "><img src=y onerror=prompt(document.domain)>; title';
+ $titleEscaped = 'some "><img src=y onerror=prompt(document.domain)>; title';
 $this->this->setConfig($config);
 $this->this->setFieldsetId($fieldsetId);
@@ -197,13 +213,18 @@ class ChooserTest extends \PHPUnit_Framework_TestCase
 $this->modelBlockMock->expects($this->any())
 ->method('getTitle')
 ->willReturn($title);
- $this->chooserMock->expects($this->any())
- ->method('setLabel')
- ->with($title)
- ->willReturnSelf();
 $this->chooserMock->expects($this->atLeastOnce())
 ->method('toHtml')
 ->willReturn($html);
+ if (!empty($elementValue) && !empty($modelBlockId)) {
+ $this->escaper->expects(($this->atLeastOnce()))
+ ->method('escapeHtml')
+ ->willReturn($titleEscaped);
+ $this->chooserMock->expects($this->atLeastOnce())
+ ->method('setLabel')
+ ->with($titleEscaped)
+ ->willReturnSelf();
+ }
 $this->elementMock->expects($this->atLeastOnce())
 ->method('setData')
 ->with('after_element_html', $html)
diff --git a/app/code/Magento/Cms/Test/Unit/Block/Adminhtml/Page/Widget/ChooserTest.php b/app/code/Magento/Cms/Test/Unit/Block/Adminhtml/Page/Widget/ChooserTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..75107bcb42de11db287607e49595aa6fecfd637b
--- /dev/null
+++ b/app/code/Magento/Cms/Test/Unit/Block/Adminhtml/Page/Widget/ChooserTest.php
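Review bot: In the `@@ -135,13 +150,14 @@` hunk `$titleEscaped` is byte-identical to `$title`, so the `setLabel` expectation `->with($titleEscaped)` in the `@@ -197,13 +213,18 @@` hunk passes even if the escaper returned its input unchanged; the test currently proves only that `setLabel` receives whatever the `Escaper` mock returns, not that anything was escaped. Give the fixture its real HTML-encoded form, `$titleEscaped = 'some &quot;&gt;&lt;img src=y onerror=prompt(document.domain)&gt;; title';`, and pin the call with `->method('escapeHtml')->with($title)->willReturn($titleEscaped);` so a regression that drops the `escapeHtml` call or escapes the wrong value fails. The removed unconditional `setLabel` expectation is now asserted only inside the `if`, so the two negative datasets no longer check that no label is set; an `else` branch with `$this->chooserMock->expects($this->never())->method('setLabel');` restores that. `expects(($this->atLeastOnce()))` carries a redundant pair of parentheses. `testPrepareElementHtml` continues outside both hunks.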
@@ -0,0 +1,271 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Cms\Test\Unit\Block\Adminhtml\Page\Widget;
+
+/**
+ * @covers \Magento\Cms\Block\Adminhtml\Page\Widget\Chooser
+ */
+class ChooserTest extends \PHPUnit_Framework_TestCase
+{
+ /**
+ * @var \Magento\Cms\Block\Adminhtml\Page\Widget\Chooser
+ */
+ protected $this;
+
+ /**
+ * @var \Magento\Backend\Block\Template\Context
+ */
+ protected $context;
+
+ /**
+ * @var \Magento\Framework\Math\Random|\PHPUnit_Framework_MockObject_MockObject
+ */
+ protected $mathRandomMock;
+
+ /**
+ * @var \Magento\Framework\UrlInterface|\PHPUnit_Framework_MockObject_MockObject
+ */
+ protected $urlBuilderMock;
+
+ /**
+ * @var \Magento\Framework\Escaper|\PHPUnit_Framework_MockObject_MockObject
+ */
+ protected $escaper;
+
+ /**
+ * @var \Magento\Cms\Model\Page|\PHPUnit_Framework_MockObject_MockObject
+ */
+ protected $cmsPageMock;
+
+ /**
+ * @var \Magento\Framework\View\LayoutInterface|\PHPUnit_Framework_MockObject_MockObject
+ */
+ protected $layoutMock;
+
+ /**
+ * @var \Magento\Cms\Model\PageFactory|\PHPUnit_Framework_MockObject_MockObject
+ */
+ protected $pageFactoryMock;
+
+ /**
+ * @var \Magento\Framework\Data\Form\Element\AbstractElement|\PHPUnit_Framework_MockObject_MockObject
+ */
+ protected $elementMock;
+
+ /**
+ * @var \Magento\Framework\View\Element\BlockInterface|\PHPUnit_Framework_MockObject_MockObject
+ */
+ protected $chooserMock;
+
+ protected function setUp()
+ {
+ $this->layoutMock = $this->getMockBuilder('Magento\Framework\View\LayoutInterface')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $this->mathRandomMock = $this->getMockBuilder('Magento\Framework\Math\Random')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $this->urlBuilderMock = $this->getMockBuilder('Magento\Framework\UrlInterface')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $this->escaper = $this->getMockBuilder('Magento\Framework\Escaper')
+ ->disableOriginalConstructor()
+ ->setMethods(
+ [
+ 'escapeHtml',
+ ]
+ )
+ ->getMock();
+ $this->pageFactoryMock = $this->getMockBuilder('Magento\Cms\Model\PageFactory')
+ ->setMethods(
+ [
+ 'create',
+ ]
+ )
+ ->disableOriginalConstructor()
+ ->getMock();
+ $this->elementMock = $this->getMockBuilder('Magento\Framework\Data\Form\Element\AbstractElement')
+ ->disableOriginalConstructor()
+ ->setMethods(
+ [
+ 'getId',
+ 'getValue',
+ 'setData',
+ ]
+ )
+ ->getMock();
+ $this->cmsPageMock = $this->getMockBuilder('Magento\Cms\Model\Page')
+ ->disableOriginalConstructor()
+ ->setMethods(
+ [
+ 'getTitle',
+ 'load',
+ 'getId',
+ ]
+ )
+ ->getMock();
+ $this->chooserMock = $this->getMockBuilder('Magento\Framework\View\Element\BlockInterface')
+ ->disableOriginalConstructor()
+ ->setMethods(
+ [
+ 'setElement',
+ 'setConfig',
+ 'setFieldsetId',
+ 'setSourceUrl',
+ 'setUniqId',
+ 'setLabel',
+ 'toHtml',
+ ]
+ )
+ ->getMock();
+
+ $objectManager = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
+ $this->context = $objectManager->getObject(
+ 'Magento\Backend\Block\Template\Context',
+ [
+ 'layout' => $this->layoutMock,
+ 'mathRandom' => $this->mathRandomMock,
+ 'urlBuilder' => $this->urlBuilderMock,
+ 'escaper' => $this->escaper,
+ ]
+ );
+ $this->this = $objectManager->getObject(
+ 'Magento\Cms\Block\Adminhtml\Page\Widget\Chooser',
+ [
+ 'context' => $this->context,
+ 'pageFactory' => $this->pageFactoryMock
+ ]
+ );
+ }
+
+ /**
+ * @covers \Magento\Cms\Block\Adminhtml\Block\Widget\Chooser::prepareElementHtml
+ *
+ * @param string $elementValue
+ * @param integer|null $cmsPageId
+ *
+ * @dataProvider prepareElementHtmlDataProvider
+ */
+ public function testPrepareElementHtml($elementValue, $cmsPageId)
+ {
+ //$elementValue = 12345;
+ //$cmsPageId = 1;
+ $elementId = 1;
+ $uniqId = '126hj4h3j73hk7b347jhkl37gb34';
+ $sourceUrl = 'cms/page_widget/chooser/126hj4h3j73hk7b347jhkl37gb34';
+ $config = ['key1' => 'value1'];
+ $fieldsetId = 2;
+ $html = 'some html';
+ $title = 'some "><img src=y onerror=prompt(document.domain)>; title';
+ $titleEscaped = 'some "><img src=y onerror=prompt(document.domain)>; title';
+
+ $this->this->setConfig($config);
+ $this->this->setFieldsetId($fieldsetId);
+
+ $this->elementMock->expects($this->atLeastOnce())
+ ->method('getId')
+ ->willReturn($elementId);
+ $this->mathRandomMock->expects($this->atLeastOnce())
+ ->method('getUniqueHash')
+ ->with($elementId)
+ ->willReturn($uniqId);
+ $this->urlBuilderMock->expects($this->atLeastOnce())
+ ->method('getUrl')
+ ->with('cms/page_widget/chooser', ['uniq_id' => $uniqId])
+ ->willReturn($sourceUrl);
+ $this->layoutMock->expects($this->atLeastOnce())
+ ->method('createBlock')
+ ->with('Magento\Widget\Block\Adminhtml\Widget\Chooser')
+ ->willReturn($this->chooserMock);
+ $this->chooserMock->expects($this->atLeastOnce())
+ ->method('setElement')
+ ->with($this->elementMock)
+ ->willReturnSelf();
+ $this->chooserMock->expects($this->atLeastOnce())
+ ->method('setConfig')
+ ->with($config)
+ ->willReturnSelf();
+ $this->chooserMock->expects($this->atLeastOnce())
+ ->method('setFieldsetId')
+ ->with($fieldsetId)
+ ->willReturnSelf();
+ $this->chooserMock->expects($this->atLeastOnce())
+ ->method('setSourceUrl')
+ ->with($sourceUrl)
+ ->willReturnSelf();
+ $this->chooserMock->expects($this->atLeastOnce())
+ ->method('setUniqId')
+ ->with($uniqId)
+ ->willReturnSelf();
+ $this->elementMock->expects($this->atLeastOnce())
+ ->method('getValue')
+ ->willReturn($elementValue);
+ $this->pageFactoryMock->expects($this->any())
+ ->method('create')
+ ->willReturn($this->cmsPageMock);
+ $this->cmsPageMock->expects($this->any())
+ ->method('load')
+ ->with((int)$elementValue)
+ ->willReturnSelf();
+ $this->cmsPageMock->expects($this->any())
+ ->method('getId')
+ ->willReturn($cmsPageId);
+ $this->cmsPageMock->expects($this->any())
+ ->method('getTitle')
+ ->willReturn($title);
+ $this->chooserMock->expects($this->atLeastOnce())
+ ->method('toHtml')
+ ->willReturn($html);
+ if (!empty($elementValue) && !empty($cmsPageId)) {
+ $this->escaper->expects(($this->atLeastOnce()))
+ ->method('escapeHtml')
+ ->willReturn($titleEscaped);
+ $this->chooserMock->expects($this->atLeastOnce())
+ ->method('setLabel')
+ ->with($titleEscaped)
+ ->willReturnSelf();
+ }
+ $this->elementMock->expects($this->atLeastOnce())
+ ->method('setData')
+ ->with('after_element_html', $html)
+ ->willReturnSelf();
+
+ $this->assertEquals($this->elementMock, $this->this->prepareElementHtml($this->elementMock));
+ }
+
+ public function prepareElementHtmlDataProvider()
+ {
+ return [
+ 'elementValue NOT EMPTY, modelBlockId NOT EMPTY' => [
+ 'elementValue' => 'some value',
+ 'cmsPageId' => 1,
+ ],
+ 'elementValue NOT EMPTY, modelBlockId IS EMPTY' => [
+ 'elementValue' => 'some value',
+ 'cmsPageId' => null,
+ ],
+ 'elementValue IS EMPTY, modelBlockId NEVER REACHED' => [
+ 'elementValue' => '',
+ 'cmsPageId' => 1,
+ ]
+ ];
+ }
+
+ /**
+ * @covers \Magento\Cms\Block\Adminhtml\Page\Widget\Chooser::getGridUrl
+ */
+ public function testGetGridUrl()
+ {
+ $url = 'some url';
+
+ $this->urlBuilderMock->expects($this->atLeastOnce())
+ ->method('getUrl')
+ ->with('cms/page_widget/chooser', ['_current' => true])
+ ->willReturn($url);
+
+ $this->assertEquals($url, $this->this->getGridUrl());
+ }
+}
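Review bot: The `@covers` annotation on `testPrepareElementHtml` names `\Magento\Cms\Block\Adminhtml\Block\Widget\Chooser::prepareElementHtml`, but the object under test is built from `'Magento\Cms\Block\Adminhtml\Page\Widget\Chooser'` in `setUp` and the class-level annotation says `Page\Widget\Chooser`, so coverage is attributed to the wrong class; it should read `@covers \Magento\Cms\Block\Adminhtml\Page\Widget\Chooser::prepareElementHtml`. The commented-out `//$elementValue = 12345;` and `//$cmsPageId = 1;` lines are leftovers that would shadow the data provider if uncommented and should be deleted, and the dataset names in `prepareElementHtmlDataProvider` still say `modelBlockId` although the parameter is `cmsPageId`. As in the Block test, `$titleEscaped` equals `$title` and the `escapeHtml` expectation has no `->with($title)`, so the test does not show that the title is actually escaped; use the HTML-encoded form for `$titleEscaped`, add the `with()` constraint, and add a `never()` expectation on `setLabel` for the two datasets that skip the `if` branch.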