avstudnitz / AvS_ScopeHint2

Magento 2 module for displaying additional information in configuration


Script tags interpreted

Axel29 opened this issue · comments

Preconditions

  1. Multi-website instance of Magento 2
  2. Install Avs_ScopeHint2 module

Steps to reproduce

  1. Create a textarea configuration field
  2. Set a JavaScript script inside the configuration in a website or store view
  3. Save the configuration
  4. Inspect source code of the configuration page

Expected result

  1. The script tag is not interpreted in the page

Actual result

  1. The script tag is interpreted when the page is loaded because of the tooltip

Configuration field: [screenshot]

DOM: [screenshot]

As you can see, the script tag set in the textarea field is interpreted in the DOM.

Thank you for your help.

Mm valid point, this should not happen!

For now a quick way to solve this is by editing ConfigFieldPlugin.php and changing line 124 to:

    if ($scopeValue != $currentValue) {
        switch($scopeType) {
            case self::SCOPE_TYPE_STORES:
                return __('Store <code>%1</code>: <textarea>%2</textarea>', $scope->getCode(), $scopeValue);
            case self::SCOPE_TYPE_WEBSITES:
                return __('Website <code>%1</code>: <textarea>%2</textarea>', $scope->getCode(), $scopeValue);
        }
    }

Ok just put two seconds more time in it and solved it in a better way:

Add the following below "private $request;":

    /**
     * Escaper
     *
     * @var \Magento\Framework\Escaper
     */
    protected $_escaper;

Replace the __construct with:

    public function __construct(
        ScopeConfigInterface $scopeConfig,
        WebsiteRepositoryInterface $websiteRepository,
        StoreRepositoryInterface $storeRepository,
        RequestInterface $request,
        \Magento\Framework\Escaper $_escaper
    ) {
        $this->scopeConfig = $scopeConfig;
        $this->websiteRepository = $websiteRepository;
        $this->storeRepository = $storeRepository;
        $this->request = $request;
        $this->_escaper = $_escaper;
    }

Replace function getScopeHint with:

    private function getScopeHint($path, $scopeType, $scope)
    {
        $scopeLine = '';
        $currentValue = $this->scopeConfig->getValue($path);
        $scopeValue = $this->scopeConfig->getValue($path, $scopeType, $scope->getId());
        if ($scopeValue != $currentValue) {
            switch ($scopeType) {
                case self::SCOPE_TYPE_STORES:
                    return __('Store <code>%1</code>: <pre>%2</pre>', $scope->getCode(), $this->_escaper->escapeHtml($scopeValue));
                case self::SCOPE_TYPE_WEBSITES:
                    return __('Website <code>%1</code>: <pre>%2</pre>', $scope->getCode(), $this->_escaper->escapeHtml($scopeValue));
            }
        }
        return $scopeLine;
    }

@avstudnitz Can we add this to the next release as well?