MCLOUD-13752: Improve category view

Author: mrprabhu92

patches.json

@@ -301,6 +301,9 @@
     },
     "Patch - Improve-web-api-async-performance": {
       ">=2.4.4 <2.4.4-p13 || >=2.4.5 <2.4.5-p12 || >=2.4.6 <2.4.6-p10 || >=2.4.7 <2.4.7-p5 || 2.4.8": "MCLOUD-13619__Improve_web_api_async_performance__2.4.x.patch"
+    },
+    "Patch for CVE-2025-47109 - Improve-category-view": {
+      "2.4.8": "MCLOUD-13752__Patch_for_CVE-2025-47109_Improve_category_view__2.4.8.patch"
     }
   },
   "magento/module-paypal": {

patches/MCLOUD-13752__Patch_for_CVE-2025-47109_Improve_category_view__2.4.8.patch

@@ -0,0 +1,59 @@
+diff --git a/vendor/magento/module-catalog/Helper/Category.php b/vendor/magento/module-catalog/Helper/Category.php
+index fe511d40e9caa..761dc6f62adda 100644
+--- a/vendor/magento/module-catalog/Helper/Category.php
++++ b/vendor/magento/module-catalog/Helper/Category.php
+@@ -10,8 +10,10 @@
+ use Magento\Catalog\Model\CategoryFactory;
+ use Magento\Framework\App\Helper\AbstractHelper;
+ use Magento\Framework\App\Helper\Context;
++use Magento\Framework\App\ObjectManager;
+ use Magento\Framework\Data\CollectionFactory;
+ use Magento\Framework\Data\Tree\Node\Collection;
++use Magento\Framework\Escaper;
+ use Magento\Framework\Exception\NoSuchEntityException;
+ use Magento\Framework\ObjectManager\ResetAfterRequestInterface;
+ use Magento\Store\Model\ScopeInterface;
+@@ -63,24 +65,33 @@ class Category extends AbstractHelper implements ResetAfterRequestInterface
+      */
+     protected $categoryRepository;
+ 
++    /**
++     * @var Escaper|null
++     */
++    private ?Escaper $escaper;
++
+     /**
+      * @param Context $context
+      * @param CategoryFactory $categoryFactory
+      * @param StoreManagerInterface $storeManager
+      * @param CollectionFactory $dataCollectionFactory
+      * @param CategoryRepositoryInterface $categoryRepository
++     * @param Escaper|null $escaper
+      */
+     public function __construct(
+         Context $context,
+         CategoryFactory $categoryFactory,
+         StoreManagerInterface $storeManager,
+         CollectionFactory $dataCollectionFactory,
+-        CategoryRepositoryInterface $categoryRepository
++        CategoryRepositoryInterface $categoryRepository,
++        ?Escaper $escaper = null
+     ) {
+         $this->_categoryFactory = $categoryFactory;
+         $this->_storeManager = $storeManager;
+         $this->_dataCollectionFactory = $dataCollectionFactory;
+         $this->categoryRepository = $categoryRepository;
++        $this->escaper = $escaper ?: ObjectManager::getInstance()->get(Escaper::class);
++
+         parent::__construct($context);
+     }
+ 
+@@ -204,6 +215,7 @@ public function getCanonicalUrl(string $categoryUrl): string
+         if ($params && isset($params['p'])) {
+             $categoryUrl = $categoryUrl . '?p=' . $params['p'];
+         }
+-        return $categoryUrl;
++
++        return $this->escaper->escapeUrl($categoryUrl);
+     }
+ }