
Commit 484cf8a

authored
Merge commit from fork
* introduce wrapper class to keep unescaped variants available for templates * escape more settings before usage
1 parent eba4aa8 commit 484cf8a


3 files changed

+50
-5
lines changed

@@ -0,0 +1,35 @@
1+
<?php
2+
declare(strict_types=1);
3+
4+
/**
5+
*
6+
*/
7+
class Mage_Core_Model_Security_HtmlEscapedString implements Stringable
8+
{
9+
10+
protected $originalValue;
11+
protected $allowedTags;
12+
13+
/**
14+
* @param string $originalValue
15+
* @param string[]|null $allowedTags
16+
*/
17+
public function __construct(string $originalValue, ?array $allowedTags = null)
18+
{
19+
$this->originalValue = $originalValue;
20+
$this->allowedTags = $allowedTags;
21+
}
22+
23+
public function __toString(): string
24+
{
25+
return (string) Mage::helper('core')->escapeHtml(
26+
$this->originalValue,
27+
$this->allowedTags
28+
);
29+
}
30+
31+
public function getUnescapedValue(): string
32+
{
33+
return $this->originalValue;
34+
}
35+
}
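Review bot: The `/** */` block above the `class Mage_Core_Model_Security_HtmlEscapedString` declaration is empty, and `protected $originalValue;` / `protected $allowedTags;` carry no property types even though the file opens with `declare(strict_types=1)`. I would fill the docblock with: wraps a raw string and applies `Mage::helper('core')->escapeHtml()` each time it is converted to a string, so templates that echo the value receive the escaped form while `getUnescapedValue()` still returns the original for non-HTML contexts; `$allowedTags` is presumably the list of tags escapeHtml leaves intact, which is worth stating once its semantics are confirmed against the helper. If the project's PHP floor permits typed properties, `protected string $originalValue;` and `protected ?array $allowedTags;` would make the wrapper's contract explicit instead of relying on the constructor signature alone. Note also that `__toString()` re-escapes on every conversion rather than caching, which is fine for short config values but deserves a one-line comment so nobody later "optimises" it into mutable state.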

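--- a/app/code/core/Mage/Page/Block/Html/Header.php
+++ b/app/code/core/Mage/Page/Block/Html/Header.php
@@ -57,7 +57,9 @@ public function setLogo($logo_src, $logo_alt)
 public function getLogoSrc()
 {
 if (empty($this->_data['logo_src'])) {
-$this->_data['logo_src'] = Mage::getStoreConfig('design/header/logo_src');
+$this->_data['logo_src'] = new Mage_Core_Model_Security_HtmlEscapedString(
+(string) Mage::getStoreConfig('design/header/logo_src')
+);
 }
 return $this->getSkinUrl($this->_data['logo_src']);
 }
@@ -68,7 +70,9 @@ public function getLogoSrc()
 public function getLogoSrcSmall()
 {
 if (empty($this->_data['logo_src_small'])) {
-$this->_data['logo_src_small'] = Mage::getStoreConfig('design/header/logo_src_small');
+$this->_data['logo_src_small'] = new Mage_Core_Model_Security_HtmlEscapedString(
+(string) Mage::getStoreConfig('design/header/logo_src_small')
+);
 }
 return $this->getSkinUrl($this->_data['logo_src_small']);
 }
@@ -79,7 +83,9 @@ public function getLogoSrcSmall()
 public function getLogoAlt()
 {
 if (empty($this->_data['logo_alt'])) {
-$this->_data['logo_alt'] = Mage::getStoreConfig('design/header/logo_alt');
+$this->_data['logo_alt'] = new Mage_Core_Model_Security_HtmlEscapedString(
+(string) Mage::getStoreConfig('design/header/logo_alt')
+);
 }
 return $this->_data['logo_alt'];
 }
@@ -97,7 +103,9 @@ public function getWelcome()
 if (Mage::isInstalled() && Mage::getSingleton('customer/session')->isLoggedIn()) {
 $this->_data['welcome'] = $this->__('Welcome, %s!', $this->escapeHtml(Mage::getSingleton('customer/session')->getCustomer()->getName()));
 } else {
-$this->_data['welcome'] = Mage::getStoreConfig('design/header/welcome');
+$this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString(
+(string) Mage::getStoreConfig('design/header/welcome')
+);
 }
 }
 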
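Review bot: After the `getWelcome()` hunk the method yields a plain string on the logged-in branch (already escaped through `$this->escapeHtml()` inside `$this->__()`) but a `Mage_Core_Model_Security_HtmlEscapedString` object on the else branch, so its return type is now a union and code that calls `getUnescapedValue()` or `is_string()` on the result behaves differently per branch; the same split appears in the `_toHtml()` hunk of app/code/core/Mage/Page/Block/Html/Welcome.php. The signature of `getWelcome()` lies outside the hunk, but its docblock should at least read `@return string|Mage_Core_Model_Security_HtmlEscapedString` and state that both forms are already HTML-escaped when echoed. Separately, `getLogoSrc()` and `getLogoSrcSmall()` now hand the wrapper to `getSkinUrl()`, so — assuming getSkinUrl coerces its argument to string — the HTML-escaped form of the configured path is what enters URL building; harmless for ordinary file names, but a configured value containing `&` or quotes reaches the attribute with `&amp;` already inside the path, which is worth confirming against a template. Also, because an object is never `empty()`, an empty config value is now cached as a truthy wrapper after the first call, so templates that test these getters for emptiness before rendering will see them as set.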
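--- a/app/code/core/Mage/Page/Block/Html/Welcome.php
+++ b/app/code/core/Mage/Page/Block/Html/Welcome.php
@@ -44,7 +44,9 @@ protected function _toHtml()
 if (Mage::isInstalled() && $this->_getSession()->isLoggedIn()) {
 $this->_data['welcome'] = $this->__('Welcome, %s!', $this->escapeHtml($this->_getSession()->getCustomer()->getName()));
 } else {
-$this->_data['welcome'] = Mage::getStoreConfig('design/header/welcome');
+$this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString(
+(string) Mage::getStoreConfig('design/header/welcome')
+);
 }
 }
 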