diff --git a/app/code/Magento/Catalog/ViewModel/Product/Breadcrumbs.php b/app/code/Magento/Catalog/ViewModel/Product/Breadcrumbs.php
index 871d21d8ee8d3..01c286cdc74ce 100644
--- a/app/code/Magento/Catalog/ViewModel/Product/Breadcrumbs.php
+++ b/app/code/Magento/Catalog/ViewModel/Product/Breadcrumbs.php
@@ -13,6 +13,7 @@
 use Magento\Framework\DataObject;
 use Magento\Framework\Serialize\Serializer\Json;
 use Magento\Framework\View\Element\Block\ArgumentInterface;
+use Magento\Framework\Escaper;
 
 /**
  * Product breadcrumbs view model.
@@ -36,21 +37,29 @@ class Breadcrumbs extends DataObject implements ArgumentInterface
      */
     private $json;
 
+    /**
+     * @var Escaper
+     */
+    private $escaper;
+
     /**
      * @param Data $catalogData
      * @param ScopeConfigInterface $scopeConfig
-     * @param Json $json
+     * @param Json|null $json
+     * @param Escaper|null $escaper
      */
     public function __construct(
         Data $catalogData,
         ScopeConfigInterface $scopeConfig,
-        Json $json = null
+        Json $json = null,
+        Escaper $escaper = null
     ) {
         parent::__construct();
         $this->catalogData = $catalogData;
         $this->scopeConfig = $scopeConfig;
         $this->json = $json ?: ObjectManager::getInstance()->get(Json::class);
+        $this->escaper = $escaper ?: ObjectManager::getInstance()->get(Escaper::class);
     }
 
     /**
@@ -98,12 +107,14 @@ public function getProductName(): string
      */
     public function getJsonConfiguration()
     {
-        return $this->json->serialize([
-            'breadcrumbs' => [
-                'categoryUrlSuffix' => $this->getCategoryUrlSuffix(),
-                'userCategoryPathInUrl' => (int)$this->isCategoryUsedInProductUrl(),
-                'product' => $this->getProductName()
+        return $this->json->serialize(
+            [
+                'breadcrumbs' => [
+                    'categoryUrlSuffix' => $this->escaper->escapeHtml($this->getCategoryUrlSuffix()),
+                    'userCategoryPathInUrl' => (int)$this->isCategoryUsedInProductUrl(),
+                    'product' => $this->escaper->escapeHtml($this->escaper->escapeJs($this->getProductName()))
+                ]
             ]
-        ]);
+        );
     }
 }
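Review bot: In getJsonConfiguration the product name is escaped for two output contexts (escapeJs, then escapeHtml) before it is handed to the JSON serializer, which encodes for the wrong boundary: if this is the framework Escaper I recall, escapeJs rewrites non-alphanumeric characters (spaces included) into `\uXXXX` text, serialize then escapes the backslashes, and the JS side decoding the JSON receives those sequences as literal characters, so the breadcrumb label would render mangled and any `&` in a name would surface as `&amp;`. The serializer already makes the value safe inside the JSON document; context escaping belongs where the payload leaves PHP — the template that embeds the JSON or the JS that puts the name into the DOM (as a text node, not HTML) — both of which are outside this diff, so I can only infer how it is consumed. At minimum drop the escapeJs layer, `'product' => $this->escaper->escapeHtml($this->getProductName())`, and document in a one-line comment above the array why the value is HTML-escaped here rather than at output; categoryUrlSuffix then gets the same single treatment, so the two values are escaped consistently. The new parameter `Escaper $escaper = null` relies on implicit nullability; `?Escaper $escaper = null` states the intent explicitly.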