Merge pull request #2897 from spryker/bugfix/core-2145-xss-injection

core-2145: fix XSS in zed customer view page
spryker · Oct 26, 2017 · 4ffedb8 · 4ffedb8
2 parents ca7ffc0 + dfee078
commit 4ffedb8
Show file tree

Hide file tree

Showing 6 changed files with 97 additions and 4 deletions.
diff --git a/composer.json b/composer.json
@@ -13,6 +13,7 @@
     "spryker/session": "^3.0.0",
     "spryker/symfony": "^3.0.0",
     "spryker/util-date-time": "^1.0.0",
+    "spryker/util-sanitize": "^2.0.0",
     "spryker/util-text": "^1.1.0",
     "spryker/zed-request": "^3.0.0"
   },

diff --git a/src/Spryker/Zed/Customer/Communication/CustomerCommunicationFactory.php b/src/Spryker/Zed/Customer/Communication/CustomerCommunicationFactory.php
@@ -42,7 +42,7 @@ public function createCustomerTable()
      */
     public function createCustomerAddressTable($idCustomer)
     {
-        return new AddressTable($this->getQueryContainer(), $idCustomer);
+        return new AddressTable($this->getQueryContainer(), $idCustomer, $this->getUtilSanitizeService());
     }
 
     /**
@@ -127,4 +127,12 @@ public function getCustomerTransferExpanderPlugins()
     {
         return $this->getProvidedDependency(CustomerDependencyProvider::PLUGINS_CUSTOMER_TRANSFER_EXPANDER);
     }
+
+    /**
+     * @return \Spryker\Zed\Customer\Dependency\Service\CustomerToUtilSanitizeInterface
+     */
+    protected function getUtilSanitizeService()
+    {
+        return $this->getProvidedDependency(CustomerDependencyProvider::SERVICE_UTIL_SANITIZE);
+    }
 }
diff --git a/src/Spryker/Zed/Customer/Communication/Table/AddressTable.php b/src/Spryker/Zed/Customer/Communication/Table/AddressTable.php
@@ -9,6 +9,7 @@
 
 use Orm\Zed\Customer\Persistence\Map\SpyCustomerAddressTableMap;
 use Spryker\Shared\Customer\CustomerConstants;
+use Spryker\Zed\Customer\Dependency\Service\CustomerToUtilSanitizeInterface;
 use Spryker\Zed\Customer\Persistence\CustomerQueryContainerInterface;
 use Spryker\Zed\Gui\Communication\Table\AbstractTable;
 use Spryker\Zed\Gui\Communication\Table\TableConfiguration;
@@ -32,14 +33,24 @@ class AddressTable extends AbstractTable
      */
     protected $idCustomer;
 
+    /**
+     * @var \Spryker\Zed\Customer\Dependency\Service\CustomerToUtilSanitizeInterface
+     */
+    protected $utilSanitize;
+
     /**
      * @param \Spryker\Zed\Customer\Persistence\CustomerQueryContainerInterface $customerQueryContainer
      * @param int $idCustomer
+     * @param \Spryker\Zed\Customer\Dependency\Service\CustomerToUtilSanitizeInterface $utilSanitize
      */
-    public function __construct(CustomerQueryContainerInterface $customerQueryContainer, $idCustomer)
-    {
+    public function __construct(
+        CustomerQueryContainerInterface $customerQueryContainer,
+        $idCustomer,
+        CustomerToUtilSanitizeInterface $utilSanitize
+    ) {
         $this->customerQueryContainer = $customerQueryContainer;
         $this->idCustomer = $idCustomer;
+        $this->utilSanitize = $utilSanitize;
     }
 
     /**
@@ -125,7 +136,8 @@ protected function prepareData(TableConfiguration $config)
                     $tags[] = '<span class="label label-danger" title="Default shipping address">SHIPPING</span>';
                 }
 
-                $lines[$key][SpyCustomerAddressTableMap::COL_ADDRESS1] = (!empty($tags) ? implode('&nbsp;', $tags) . '&nbsp;' : '') . $lines[$key][SpyCustomerAddressTableMap::COL_ADDRESS1];
+                $address = $this->utilSanitize->escapeHtml($lines[$key][SpyCustomerAddressTableMap::COL_ADDRESS1]);
+                $lines[$key][SpyCustomerAddressTableMap::COL_ADDRESS1] = (!empty($tags) ? implode('&nbsp;', $tags) . '&nbsp;' : '') . $address;
 
                 $lines[$key][self::ACTIONS] = $this->buildLinks($value);
             }

diff --git a/src/Spryker/Zed/Customer/CustomerDependencyProvider.php b/src/Spryker/Zed/Customer/CustomerDependencyProvider.php
@@ -12,6 +12,7 @@
 use Spryker\Zed\Customer\Dependency\Facade\CustomerToLocaleBridge;
 use Spryker\Zed\Customer\Dependency\Facade\CustomerToMailBridge;
 use Spryker\Zed\Customer\Dependency\Facade\CustomerToSequenceNumberBridge;
+use Spryker\Zed\Customer\Dependency\Service\CustomerToUtilSanitizeBridge;
 use Spryker\Zed\Kernel\AbstractBundleDependencyProvider;
 use Spryker\Zed\Kernel\Container;
 
@@ -28,6 +29,8 @@ class CustomerDependencyProvider extends AbstractBundleDependencyProvider
     const PLUGINS_CUSTOMER_ANONYMIZER = 'PLUGINS_CUSTOMER_ANONYMIZER';
     const PLUGINS_CUSTOMER_TRANSFER_EXPANDER = 'PLUGINS_CUSTOMER_TRANSFER_EXPANDER';
 
+    const SERVICE_UTIL_SANITIZE = 'SERVICE_UTIL_SANITIZE';
+
     /**
      * @param \Spryker\Zed\Kernel\Container $container
      *
@@ -77,6 +80,7 @@ public function provideCommunicationLayerDependencies(Container $container)
 
         $container = $this->addStore($container);
         $container = $this->addCustomerTransferExpanderPlugins($container);
+        $container = $this->addUtilSanitizeService($container);
 
         return $container;
     }
@@ -138,4 +142,18 @@ protected function getCustomerTransferExpanderPlugins()
     {
         return [];
     }
+
+    /**
+     * @param \Spryker\Zed\Kernel\Container $container
+     *
+     * @return \Spryker\Zed\Kernel\Container
+     */
+    protected function addUtilSanitizeService(Container $container)
+    {
+        $container[static::SERVICE_UTIL_SANITIZE] = function (Container $container) {
+            return new CustomerToUtilSanitizeBridge($container->getLocator()->utilSanitize()->service());
+        };
+
+        return $container;
+    }
 }
diff --git a/src/Spryker/Zed/Customer/Dependency/Service/CustomerToUtilSanitizeBridge.php b/src/Spryker/Zed/Customer/Dependency/Service/CustomerToUtilSanitizeBridge.php
@@ -0,0 +1,35 @@
+<?php
+/**
+ * Copyright © 2017-present Spryker Systems GmbH. All rights reserved.
+ * Use of this software requires acceptance of the Evaluation License Agreement. See LICENSE file.
+ */
+
+namespace Spryker\Zed\Customer\Dependency\Service;
+
+class CustomerToUtilSanitizeBridge implements CustomerToUtilSanitizeInterface
+{
+    /**
+     * @var \Spryker\Service\UtilSanitize\UtilSanitizeServiceInterface
+     */
+    protected $utilSanitizeService;
+
+    /**
+     * @param \Spryker\Service\UtilSanitize\UtilSanitizeServiceInterface $utilSanitizeService
+     */
+    public function __construct($utilSanitizeService)
+    {
+        $this->utilSanitizeService = $utilSanitizeService;
+    }
+
+    /**
+     * @param string $text
+     * @param bool $double
+     * @param string|null $charset
+     *
+     * @return string
+     */
+    public function escapeHtml($text, $double = true, $charset = null)
+    {
+        return $this->utilSanitizeService->escapeHtml($text, $double, $charset);
+    }
+}
diff --git a/src/Spryker/Zed/Customer/Dependency/Service/CustomerToUtilSanitizeInterface.php b/src/Spryker/Zed/Customer/Dependency/Service/CustomerToUtilSanitizeInterface.php
@@ -0,0 +1,19 @@
+<?php
+/**
+ * Copyright © 2017-present Spryker Systems GmbH. All rights reserved.
+ * Use of this software requires acceptance of the Evaluation License Agreement. See LICENSE file.
+ */
+
+namespace Spryker\Zed\Customer\Dependency\Service;
+
+interface CustomerToUtilSanitizeInterface
+{
+    /**
+     * @param string $text
+     * @param bool $double
+     * @param string|null $charset
+     *
+     * @return string
+     */
+    public function escapeHtml($text, $double = true, $charset = null);
+}