MAGETWO-70580: Merged fixes

Author: heyitsroberthe

app/code/Magento/AdminNotification/Controller/Adminhtml/System/Message/ListAction.php

@@ -8,6 +8,11 @@
 
 class ListAction extends \Magento\Backend\App\AbstractAction
 {
+    /**
+     * Authorization level of a basic admin session
+     */
+    const ADMIN_RESOURCE = 'Magento_AdminNotification::show_list';
+
     /**
      * @var \Magento\Framework\Json\Helper\Data
      */

app/code/Magento/AdminNotification/Model/Feed.php

@@ -148,9 +148,9 @@ public function checkUpdate()
                     $feedData[] = [
                         'severity' => (int)$item->severity,
                         'date_added' => date('Y-m-d H:i:s', $itemPublicationDate),
-                        'title' => (string)$item->title,
-                        'description' => (string)$item->description,
-                        'url' => (string)$item->link,
+                        'title' => $this->escapeString($item->title),
+                        'description' => $this->escapeString($item->description),
+                        'url' => $this->escapeString($item->link),
                     ];
                 }
             }
@@ -246,4 +246,15 @@ public function getFeedXml()
 
         return $xml;
     }
+
+    /**
+     * Converts incoming data to string format and escapes special characters.
+     *
+     * @param \SimpleXMLElement $data
+     * @return string
+     */
+    private function escapeString(\SimpleXMLElement $data)
+    {
+        return htmlspecialchars((string)$data);
+    }
 }

app/code/Magento/AdminNotification/Test/Unit/Model/FeedTest.php

@@ -145,8 +145,27 @@ public function testCheckUpdate($callInbox, $curlRequest)
             ->will($this->returnValue('Sat, 6 Sep 2014 16:46:11 UTC'));
         if ($callInbox) {
             $this->inboxFactory->expects($this->once())->method('create')
-                ->will(($this->returnValue($this->inboxModel)));
-            $this->inboxModel->expects($this->once())->method('parse')->will($this->returnSelf());
+                ->will($this->returnValue($this->inboxModel));
+            $this->inboxModel->expects($this->once())
+                ->method('parse')
+                ->with(
+                    $this->callback(
+                        function ($data) {
+                            $fieldsToCheck = ['title', 'description', 'url'];
+                            return array_reduce(
+                                $fieldsToCheck,
+                                function ($initialValue, $item) use ($data) {
+                                    $haystack = $data[0][$item] ?? false;
+                                    return $haystack
+                                        ? $initialValue && !strpos($haystack, '<') && !strpos($haystack, '>')
+                                        : true;
+                                },
+                                true
+                            );
+                        }
+                    )
+                )
+                ->will($this->returnSelf());
         } else {
             $this->inboxFactory->expects($this->never())->method('create');
             $this->inboxModel->expects($this->never())->method('parse');
@@ -196,7 +215,27 @@ public function checkUpdateDataProvider()
                                 </item>
                             </channel>
                         </rss>'
-            ]
+            ],
+            [
+                true,
+                // @codingStandardsIgnoreStart
+                'HEADER
+
+                <?xml version="1.0" encoding="utf-8" ?>
+                        <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+                            <channel>
+                                <title>MagentoCommerce</title>
+                                <item>
+                                    <title><![CDATA[<script>alert("Hello!");</script>Test Title]]></title>
+                                    <link><![CDATA[http://magento.com/feed_url<script>alert("Hello!");</script>]]></link>
+                                    <severity>4</severity>
+                                    <description><![CDATA[Test <script>alert("Hello!");</script>Description]]></description>
+                                    <pubDate>Tue, 20 Jun 2017 13:14:47 UTC</pubDate>
+                                </item>
+                            </channel>
+                        </rss>'
+                // @codingStandardsIgnoreEnd
+            ],
         ];
     }
 }

app/code/Magento/AdminNotification/etc/config.xml

@@ -12,7 +12,7 @@
                 <feed_url>notifications.magentocommerce.com/magento2/community/notifications.rss</feed_url>
                 <popup_url>widgets.magentocommerce.com/notificationPopup</popup_url>
                 <severity_icons_url>widgets.magentocommerce.com/%s/%s.gif</severity_icons_url>
-                <use_https>0</use_https>
+                <use_https>1</use_https>
                 <frequency>1</frequency>
                 <last_update>0</last_update>
             </adminnotification>

app/code/Magento/AdminNotification/view/adminhtml/ui_component/notification_area.xml

@@ -24,6 +24,7 @@
             </storageConfig>
             <updateUrl path="mui/index/render"/>
         </settings>
+        <aclResource>Magento_AdminNotification::show_list</aclResource>
         <dataProvider class="Magento\AdminNotification\Ui\Component\DataProvider\DataProvider" name="notification_area_data_source">
             <settings>
                 <requestFieldName>identity</requestFieldName>

app/code/Magento/Authorizenet/Controller/Directpost/Payment/BackendResponse.php

@@ -6,8 +6,48 @@
  */
 namespace Magento\Authorizenet\Controller\Directpost\Payment;
 
+use Magento\Authorizenet\Helper\DataFactory;
+use Magento\Authorizenet\Model\Directpost;
+use Magento\Authorizenet\Model\DirectpostFactory;
+use Magento\Framework\App\Action\Context;
+use Magento\Framework\Controller\ResultFactory;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Registry;
+use Psr\Log\LoggerInterface;
+
 class BackendResponse extends \Magento\Authorizenet\Controller\Directpost\Payment
 {
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
+    /**
+     * @var DirectpostFactory
+     */
+    private $directpostFactory;
+
+    /**
+     * BackendResponse constructor.
+     *
+     * @param Context $context
+     * @param Registry $coreRegistry
+     * @param DataFactory $dataFactory
+     * @param DirectpostFactory $directpostFactory
+     * @param LoggerInterface|null $logger
+     */
+    public function __construct(
+        Context $context,
+        Registry $coreRegistry,
+        DataFactory $dataFactory,
+        DirectpostFactory $directpostFactory,
+        LoggerInterface $logger = null
+    ) {
+        parent::__construct($context, $coreRegistry, $dataFactory);
+        $this->directpostFactory = $directpostFactory ?: $this->_objectManager->create(DirectpostFactory::class);
+        $this->logger = $logger ?: $this->_objectManager->get(LoggerInterface::class);
+    }
+
     /**
      * Response action.
      * Action for Authorize.net SIM Relay Request.
@@ -16,7 +56,20 @@ class BackendResponse extends \Magento\Authorizenet\Controller\Directpost\Paymen
      */
     public function execute()
     {
+        $data = $this->getRequest()->getParams();
+        /** @var Directpost $paymentMethod */
+        $paymentMethod = $this->directpostFactory->create();
+        if (!empty($data['store_id'])) {
+            $paymentMethod->setStore($data['store_id']);
+        }
+        $paymentMethod->setResponseData($data);
+        try {
+            $paymentMethod->validateResponse();
+        } catch (LocalizedException $e) {
+            $this->logger->critical($e->getMessage());
+            return $this->_redirect('noroute');
+        }
         $this->_responseAction('adminhtml');
-        return $this->resultFactory->create(\Magento\Framework\Controller\ResultFactory::TYPE_PAGE);
+        return $this->resultFactory->create(ResultFactory::TYPE_PAGE);
     }
 }

app/code/Magento/Backend/Block/Widget/Grid/Column.php

@@ -5,6 +5,7 @@
  */
 namespace Magento\Backend\Block\Widget\Grid;
 
+use Magento\Backend\Block\Widget;
 use Magento\Backend\Block\Widget\Grid\Column\Filter\AbstractFilter;
 
 /**
@@ -14,7 +15,7 @@
  * @deprecated 100.2.0 in favour of UI component implementation
  * @since 100.0.2
  */
-class Column extends \Magento\Backend\Block\Widget
+class Column extends Widget
 {
     /**
      * Parent grid
@@ -289,12 +290,30 @@ public function getRowField(\Magento\Framework\DataObject $row)
          */
         $frameCallback = $this->getFrameCallback();
         if (is_array($frameCallback)) {
+            $this->validateFrameCallback($frameCallback);
             $renderedValue = call_user_func($frameCallback, $renderedValue, $row, $this, false);
         }
 
         return $renderedValue;
     }
 
+    /**
+     * Validate frame callback
+     *
+     * @throws \InvalidArgumentException
+     *
+     * @param array $callback
+     * @return void
+     */
+    private function validateFrameCallback(array $callback)
+    {
+        if (!is_object($callback[0]) || !$callback[0] instanceof Widget) {
+            throw new \InvalidArgumentException(
+                "Frame callback host must be instance of Magento\\Backend\\Block\\Widget"
+            );
+        }
+    }
+
     /**
      * Retrieve row column field value for export
      *
@@ -314,6 +333,7 @@ public function getRowFieldExport(\Magento\Framework\DataObject $row)
          */
         $frameCallback = $this->getFrameCallback();
         if (is_array($frameCallback)) {
+            $this->validateFrameCallback($frameCallback);
             $renderedValue = call_user_func($frameCallback, $renderedValue, $row, $this, true);
         }
 

app/code/Magento/Backend/Controller/Adminhtml/Ajax/Translate.php

@@ -20,6 +20,11 @@ class Translate extends \Magento\Backend\App\Action
      */
     protected $resultJsonFactory;
 
+    /**
+     * Authorization level of a basic admin session
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::content_translation';
+
     /**
      * @param Action\Context $context
      * @param \Magento\Framework\Translate\Inline\ParserInterface $inlineParser

app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/ColumnTest.php

@@ -3,12 +3,11 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-/**
- * Test class for \Magento\Backend\Block\Widget\Grid\Column
- */
 namespace Magento\Backend\Test\Unit\Block\Widget\Grid;
 
+use Magento\Backend\Block\Widget\Grid\Column\Renderer\AbstractRenderer;
+use Magento\Framework\DataObject;
+
 class ColumnTest extends \PHPUnit\Framework\TestCase
 {
     /**
@@ -379,4 +378,97 @@ public function columnGroupedDataProvider()
     {
         return [[[], false], [['grouped' => 0], false], [['grouped' => 1], true]];
     }
+
+    /**
+     * Testing row field export with valid frame callback
+     */
+    public function testGetRowFieldAndExportWithFrameCallback()
+    {
+        $row = new DataObject(['id' => '2', 'title' => 'some item']);
+        /** @var  $rendererMock */
+        $rendererMock = $this->getMockBuilder(AbstractRenderer::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['renderExport', 'render'])
+            ->getMock();
+
+        $rendererMock->expects($this->any())->method('renderExport')->willReturnCallback(
+            function (DataObject $row) {
+                return $row->getData('title');
+            }
+        );
+
+        $rendererMock->expects($this->any())->method('render')->willReturnCallback(
+            function (DataObject $row) {
+                return $row->getData('title');
+            }
+        );
+
+        $frameCallbackHostObject = $this->getMockBuilder(\Magento\Backend\Block\Widget::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['decorate'])
+            ->getMock();
+
+        $frameCallbackHostObject->expects($this->any())
+            ->method('decorate')
+            ->willReturnCallback(
+                function ($renderValue) {
+                    return '__callback_decorated_' . $renderValue;
+                }
+            );
+
+        $this->_block->setRenderer($rendererMock);
+        $this->_block->setFrameCallback([$frameCallbackHostObject, 'decorate']);
+        $renderResult = $this->_block->getRowField($row);
+        $exportResult = $this->_block->getRowFieldExport($row);
+        $this->assertEquals('__callback_decorated_some item', $exportResult);
+        $this->assertEquals('__callback_decorated_some item', $renderResult);
+    }
+
+    /**
+     * @expectedException \InvalidArgumentException
+     * @expectedExceptionMessage Frame callback host must be instance of Magento\Backend\Block\Widget
+     */
+    public function testGetRowFieldExportWithInvalidCallback()
+    {
+        $row = new DataObject(['id' => '2', 'title' => 'some item']);
+        /** @var  $rendererMock */
+        $rendererMock = $this->getMockBuilder(AbstractRenderer::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['renderExport', 'render'])
+            ->getMock();
+
+        $rendererMock->expects($this->any())->method('renderExport')->willReturnCallback(
+            function (DataObject $row) {
+                return $row->getData('title');
+            }
+        );
+
+        $this->_block->setRenderer($rendererMock);
+        $this->_block->setFrameCallback([$this, 'testGetRowFieldExportWithFrameCallback']);
+        $this->_block->getRowFieldExport($row);
+    }
+
+    /**
+     * @expectedException \InvalidArgumentException
+     * @expectedExceptionMessage Frame callback host must be instance of Magento\Backend\Block\Widget
+     */
+    public function testGetRowFieldWithInvalidCallback()
+    {
+        $row = new DataObject(['id' => '2', 'title' => 'some item']);
+        /** @var  $rendererMock */
+        $rendererMock = $this->getMockBuilder(AbstractRenderer::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['render'])
+            ->getMock();
+
+        $rendererMock->expects($this->any())->method('render')->willReturnCallback(
+            function (DataObject $row) {
+                return $row->getData('title');
+            }
+        );
+
+        $this->_block->setRenderer($rendererMock);
+        $this->_block->setFrameCallback([$this, 'testGetRowFieldExportWithFrameCallback']);
+        $this->_block->getRowField($row);
+    }
 }

app/code/Magento/Backend/etc/acl.xml

@@ -22,6 +22,7 @@
                     <resource id="Magento_Backend::design"  title="Design" translate="title" sortOrder="20">
                         <resource id="Magento_Backend::schedule" title="Schedule" translate="title" sortOrder="30" />
                     </resource>
+                    <resource id="Magento_Backend::content_translation" title="Content translation" translate="title" sortOrder="40" />
                 </resource>
                 <resource id="Magento_Backend::stores" title="Stores" translate="title" sortOrder="80">
                     <resource id="Magento_Backend::stores_settings" title="Settings" translate="title" sortOrder="10">

app/code/Magento/Braintree/view/adminhtml/ui_component/braintree_report.xml

@@ -26,6 +26,7 @@
         <settings>
             <updateUrl path="mui/index/render"/>
         </settings>
+        <aclResource>Magento_Braintree::settlement_report</aclResource>
         <dataProvider class="BraintreeTransactionsDataProvider" name="braintree_report_data_source">
             <settings>
                 <requestFieldName>id</requestFieldName>

app/code/Magento/Braintree/view/adminhtml/web/js/vault.js

@@ -109,7 +109,7 @@ define([
 
             $('body').trigger('processStart');
 
-            $.get(self.nonceUrl, {
+            $.getJSON(self.nonceUrl, {
                 'public_hash': self.publicHash
             }).done(function (response) {
                 self.setPaymentDetails(response.paymentMethodNonce);