Resolve Message at Frontend has No HTML format issue25162 #25163


edenduong
Contributor

Description (*)

  1. Resolve Message at Frontend has No HTML format #25162: Message at Frontend has No HTML format

Fixed Issues (if relevant)

  1. Message at Frontend has No HTML format #25162: Message at Frontend has No HTML format

Manual testing scenarios (*)

  1. Go to backend
  2. Store -> Configuration -> Customer -> Newsletter
  3. "Allow Guest Subscription" is "No"
  4. Go to frontend
  5. Enter the email "[email protected]", press "Subscribe" at the bottom.
  6. Look at the message:

Questions or comments

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • All automated tests passed successfully (all builds are green)

@m2-assistant

m2-assistant bot commented Oct 19, 2019

Hi @edenduong. Thank you for your contribution
Here are some useful tips on how you can test your changes using the Magento test environment.
Add the comment under your pull request to deploy test or vanilla Magento instance:

  • @magento give me test instance - deploy test instance based on PR changes
  • @magento give me 2.3-develop instance - deploy vanilla Magento instance

For more details, please, review the Magento Contributor Guide documentation.

@kalpmehta
Contributor

@magento give me test instance

@magento-engcom-team
Contributor

Hi @kalpmehta. Thank you for your request. I'm working on a Magento instance for you.

@magento-engcom-team
Contributor

Hi @kalpmehta, here is your new Magento instance.
Admin access: https://pr-25163.instances.magento-community.engineering/admin
Login: admin Password: 123123q

@edenduong edenduong requested a review from kokoc as a code owner October 20, 2019 04:44
this.cookieMessages.forEach(function (value) {
value.text = _.unescape(value.text);
value.text = value.text.replace(SCRIPT_REGEX, "");
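
Review bot: after `_.unescape(value.text)` turns the escaped cookie message back into markup, the only filtering applied to `value.text` is `replace(SCRIPT_REGEX, "")`, so every tag and attribute other than whatever that pattern matches passes through unchanged. The definition of SCRIPT_REGEX is not visible in these lines, but a deny-list of a single element is not a safe basis if this text is then rendered as HTML. Keep the message escaped and re-enable only the markup it actually needs (an anchor with a validated href), and add a test that feeds unexpected markup through `cookieMessages`.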

Contributor

@edenduong Instead of unescaping message and removing script tags, I think whitelisting only anchor tag with href attribute would be more painless and secure.

Contributor Author

@kalpmehta: I have solved it. Please check it again. Thanks!

Contributor

@edenduong Thanks! Do you think this can be supported with tests?

Contributor Author

@kalpmehta: I have just covered it with an MFTF test. Please check it. Thanks!

Contributor

This has no place in core Magento because it's a really dirty hack. I don't see the commit where a tag is whitelisted instead.

Contributor

@AlexMaxHorkun Thanks! Do you have suggestion to render only a tag and also ensure it's secure?
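
The allowlist approach raised in the review thread above, as an added example that is not code from this pull request or from Magento: everything in the message is HTML-escaped except a bare `<a href="...">` whose target is an http(s) URL or a site-relative path. The function names, the anchor pattern and the sample message are assumptions made for illustration, and the input is assumed to be the message text after entity decoding.

```javascript
// Added example: names and the sample message are hypothetical, not Magento's code.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
    return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// The only markup recognised: an anchor with a single double-quoted href,
// no other attributes, and plain text (no nested tags) as its label.
const ANCHOR = /<a href="([^"<>]*)">([^<>]*)<\/a>/g;

// Allow absolute http(s) URLs and site-relative paths such as "/customer/account/".
function isSafeHref(href) {
    if (/[\u0000-\u0020\\]/.test(href)) return false; // no whitespace, controls, backslashes
    if (/^\/(?!\/)/.test(href)) return true;          // "/path" but not "//host"
    try {
        const { protocol } = new URL(href);
        return protocol === 'http:' || protocol === 'https:';
    } catch (e) {
        return false;                                  // not an absolute URL
    }
}

// Takes the decoded message text and returns HTML that is safe to insert.
function renderMessage(text) {
    const source = String(text);
    let out = '';
    let last = 0;
    for (const match of source.matchAll(ANCHOR)) {
        const [whole, href, label] = match;
        out += escapeHtml(source.slice(last, match.index));
        out += isSafeHref(href)
            ? '<a href="' + escapeHtml(href) + '">' + escapeHtml(label) + '</a>'
            : escapeHtml(whole);                       // rejected anchors stay visible as text
        last = match.index + whole.length;
    }
    return out + escapeHtml(source.slice(last));
}

// Constructed sample message.
const SAMPLE = 'Please <a href="/customer/account/login/">log in</a> to subscribe.<script>x()</script>';
console.log(renderMessage(SAMPLE));
```

Because the default is to escape, markup the pattern does not recognise shows up as literal text rather than being silently dropped, which makes unexpected input easy to spot in an MFTF or unit test.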

@edenduong edenduong force-pushed the 2.3-bugfix/message_frontend_html_issue25162 branch from b885f3c to 9f41b3d Compare October 20, 2019 09:20
@edenduong
Contributor Author

@kalpmehta: I have just covered it with an MFTF test. Please check it. Thanks!

@sidolov sidolov changed the base branch from 2.3-develop to 2.4-develop December 5, 2019 17:17
@edenduong edenduong closed this Dec 21, 2019
@m2-assistant

m2-assistant bot commented Dec 21, 2019

Hi @edenduong, thank you for your contribution!
Please, complete Contribution Survey, it will take less than a minute.
Your feedback will help us to improve contribution process.
