

MC-18475: [Incorrect Escaping] Fix insufficient escaping capabilities…
… of an 'escapeUrl' method
StasKozar committed Jul 30, 2019
1 parent 6ddf099 commit c6ab7ac
Showing 2 changed files with 5 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/internal/Magento/Framework/Escaper.php
Expand Up @@ -320,7 +320,7 @@ public function escapeJsQuote($data, $quote = '\'')
public function escapeXssInUrl($data)
{
return htmlspecialchars(
$this->escapeScriptIdentifiers((string)$data),
$this->escapeScriptIdentifiers(html_entity_decode((string)$data)),
$this->htmlSpecialCharsFlag | ENT_HTML5 | ENT_HTML401,
'UTF-8',
false
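Review bot: The new `html_entity_decode` call uses the default flags and charset, while the `htmlspecialchars` call two lines below passes explicit flags and 'UTF-8'; on PHP before 8.1 the decode default is ENT_COMPAT | ENT_HTML401, so `&#039;`/`&apos;` and the HTML5-only named entities stay encoded and are not seen by `escapeScriptIdentifiers`, and the charset follows the ini default rather than the value the encode step uses. Align the two calls with `$this->escapeScriptIdentifiers(html_entity_decode((string)$data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')),`. A single decode pass unwraps one layer only; whether multiply-encoded input needs handling here cannot be judged from the hunk and is worth a comment on the line either way. escapeXssInUrl's body continues past the hunk.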
4 changes: 4 additions & 0 deletions lib/internal/Magento/Framework/Test/Unit/EscaperTest.php
Expand Up @@ -292,6 +292,10 @@ public function escapeUrlDataProvider(): array
'data' => "http://exam\r\nple.com/search?term=this+%26+that&view=list",
'expected' => "http://example.com/search?term=this+%26+that&view=list",
],
[
'data' => "http://example.com/",
'expected' => "http://example.com/",
],
];
}

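Review bot: The added dataset is a plain URL with no entity, CR/LF or script identifier, so it exercises neither the existing stripping nor the decode step this commit adds to Escaper.php (assuming escapeUrl routes through escapeXssInUrl, as the commit title suggests). A regression case whose input carries an HTML-entity-encoded character, such as `&amp;` or a numeric entity, with the expected value taken from the escaper's actual output, would pin the new behaviour. Naming the datasets, e.g. `'plain url' => [...]`, would also make provider failures readable. The provider's opening lines are outside the hunk.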
