Script tags interpreted
Axel29 opened this issue · comments
Preconditions
- Multi-website instance of Magento 2
- Install Avs_ScopeHint2 module
Steps to reproduce
- Create a textarea configuration field
- Set a JavaScript script inside the configuration in a website or store view
- Save the configuration
- Inspect source code of the configuration page
Expected result
- The script tag is not interpreted in the page
Actual result
- The script tag is interpreted when the page is loaded because of the tooltip
Configuration field: [screenshot]
DOM: [screenshot]
As you can see, the script tag set in the textarea field is interpreted in the DOM.
Thank you for your help.
Mm valid point, this should not happen!
For now a quick way to solve this is by editing ConfigFieldPlugin.php and replacing line 124 with:
if ($scopeValue != $currentValue) {
    switch ($scopeType) {
        case self::SCOPE_TYPE_STORES:
            return __('Store <code>%1</code>: <textarea>%2</textarea>', $scope->getCode(), $scopeValue);
        case self::SCOPE_TYPE_WEBSITES:
            return __('Website <code>%1</code>: <textarea>%2</textarea>', $scope->getCode(), $scopeValue);
    }
}
Ok, I just put two seconds more time into it and solved it in a better way:
Add the following below "private $request;":
/**
 * Escaper
 *
 * @var \Magento\Framework\Escaper
 */
protected $_escaper;
Replace the __construct with:
public function __construct(
    ScopeConfigInterface $scopeConfig,
    WebsiteRepositoryInterface $websiteRepository,
    StoreRepositoryInterface $storeRepository,
    RequestInterface $request,
    \Magento\Framework\Escaper $_escaper
) {
    $this->scopeConfig = $scopeConfig;
    $this->websiteRepository = $websiteRepository;
    $this->storeRepository = $storeRepository;
    $this->request = $request;
    $this->_escaper = $_escaper;
}
Replace function getScopeHint with:
private function getScopeHint($path, $scopeType, $scope)
{
    $scopeLine = '';
    $currentValue = $this->scopeConfig->getValue($path);
    $scopeValue = $this->scopeConfig->getValue($path, $scopeType, $scope->getId());
    if ($scopeValue != $currentValue) {
        switch ($scopeType) {
            case self::SCOPE_TYPE_STORES:
                // Escape the stored value before it is placed into the hint markup
                return __('Store <code>%1</code>: <pre>%2</pre>', $scope->getCode(), $this->_escaper->escapeHtml($scopeValue));
            case self::SCOPE_TYPE_WEBSITES:
                return __('Website <code>%1</code>: <pre>%2</pre>', $scope->getCode(), $this->_escaper->escapeHtml($scopeValue));
        }
    }
    return $scopeLine;
}
@avstudnitz Can we add this to the next release as well?
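The following is an added, stand-alone example and is not code from the Avs_ScopeHint2 module or from either commenter. It models the corrected getScopeHint() above outside Magento so the fix can be checked without a store: `escapeHtml()` here is a plain `htmlspecialchars` wrapper standing in for `\Magento\Framework\Escaper::escapeHtml` (assumption: the real escaper applies equivalent HTML encoding), `FakeScope` and the `$scopeValues` array are constructed stand-ins for the store/website model and `ScopeConfigInterface`, and the `<script>` value is a constructed sample override. The check at the end fails if a stored tag would reach the DOM unescaped.

```php
<?php
declare(strict_types=1);

// Stand-in for \Magento\Framework\Escaper::escapeHtml (assumption: same encoding rules).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical minimal scope model exposing the two accessors the hint uses.
final class FakeScope
{
    public function __construct(private int $id, private string $code) {}
    public function getId(): int { return $this->id; }
    public function getCode(): string { return $this->code; }
}

/**
 * Mirrors the corrected getScopeHint(): the <code>/<pre> markup is template, the
 * configured value is data and is escaped before interpolation.
 *
 * @param string      $scopeType   'stores' or 'websites'
 * @param string      $currentValue value at the scope currently being displayed
 * @param array<string,string> $scopeValues constructed stand-in for ScopeConfigInterface,
 *                                keyed "$scopeType:$scopeId"
 */
function renderScopeHint(string $scopeType, FakeScope $scope, string $currentValue, array $scopeValues): string
{
    $scopeValue = $scopeValues[$scopeType . ':' . $scope->getId()] ?? null;
    if ($scopeValue === null || $scopeValue == $currentValue) {
        return '';
    }
    $label = $scopeType === 'stores' ? 'Store' : 'Website';
    return sprintf(
        '%s <code>%s</code>: <pre>%s</pre>',
        $label,
        escapeHtml($scope->getCode()),
        escapeHtml($scopeValue)
    );
}

// Constructed sample: a store-view override of a textarea field containing a script tag.
$store = new FakeScope(2, 'fr_store');
$hint = renderScopeHint('stores', $store, 'default text', [
    'stores:2' => '<script>alert(1)</script>',
]);

echo $hint, PHP_EOL;
// Expected: Store <code>fr_store</code>: <pre>&lt;script&gt;alert(1)&lt;/script&gt;</pre>

// Regression check: no live <script> element may survive in the rendered hint.
if (str_contains($hint, '<script>') || !str_contains($hint, '&lt;script&gt;')) {
    fwrite(STDERR, "scope hint rendered an unescaped value\n");
    exit(1);
}

// Unchanged values produce no hint at all, matching the original early return.
if (renderScopeHint('stores', $store, 'same', ['stores:2' => 'same']) !== '') {
    fwrite(STDERR, "hint rendered for an identical value\n");
    exit(1);
}
```

Run with `php scope_hint_check.php`; a non-zero exit means the escaping step was lost. The scope code is escaped as well, which the module's version does not do, since anything interpolated into markup is safest treated as data regardless of where it originates.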