Added tests for different kind of expressions possible in echo statement.

We are not trying to fix all the unsafe output. We try to escape output that we can be sure of. We leave complex expressions as it is. Developer can for now fix
them manually. As of now it should cover 70% of cases. Escaping xss in URL will be handled as a separate rule.

Author: Abhishek Jakhotiya

Magento2/Rector/Src/AddHtmlEscaperToOutput.php

@@ -16,6 +16,9 @@
 
 class AddHtmlEscaperToOutput extends AbstractRector
 {
+
+    private $_phpFunctionsToIgnore = ['\count','\strip_tags'];
+
     /**
      * @inheritDoc
      */
@@ -29,20 +32,37 @@ public function getNodeTypes(): array
      */
     public function refactor(Node $node): ?Node
     {
-        // if the echo already has escapeHtml called on $block or escaper, don't do anthing
 
         $echoContent  = $node->exprs[0];
 
-        if ($echoContent instanceof  Node\Expr\Variable || $echoContent instanceof Node\Expr\FuncCall) {
-            $node->exprs[0] = new Node\Expr\MethodCall(
-                new Node\Expr\Variable('escaper'),
-                'escapeHtml',
-                [new Node\Arg($echoContent)]
-            );
+        if ($echoContent instanceof Node\Expr\Ternary) {
+
+            if (!$this->hasNoEscapeAttribute($echoContent->if) && $this->canEscapeOutput($echoContent->if)) {
+                $node->exprs[0]->if = new Node\Expr\MethodCall(
+                    new Node\Expr\Variable('escaper'),
+                    'escapeHtml',
+                    [new Node\Arg($echoContent->if)]
+                );
+
+            }
+
+            if (!$this->hasNoEscapeAttribute($echoContent->else) && $this->canEscapeOutput($echoContent->else)) {
+                $node->exprs[0]->else = new Node\Expr\MethodCall(
+                    new Node\Expr\Variable('escaper'),
+                    'escapeHtml',
+                    [new Node\Arg($echoContent->else)]
+                );
+
+            }
             return $node;
+
         }
 
-        if ($echoContent instanceof Node\Expr\MethodCall && $echoContent->name != 'escapeHtml') {
+        if ($this->hasNoEscapeAttribute($echoContent)) {
+            return null;
+        }
+
+        if ($this->canEscapeOutput($echoContent)) {
 
             $node->exprs[0] = new Node\Expr\MethodCall(
                 new Node\Expr\Variable('escaper'),
@@ -55,6 +75,81 @@ public function refactor(Node $node): ?Node
         return null;
     }
 
+    private function canEscapeOutput(Node $echoContent):bool
+    {
+        if ($echoContent instanceof  Node\Expr\Variable) {
+            return true;
+        }
+
+        if ($echoContent instanceof Node\Expr\FuncCall
+            && !$this->willFunctionReturnSafeOutput($echoContent)) {
+
+            // if string passed to __() contains html don't do anthing
+            if ($echoContent->name == '__' && $this->stringContainsHtml($echoContent->args[0]->value->value)) {
+                return false;
+            }
+
+            return true;
+        }
+
+        // if the echo already has escapeHtml called on $block or escaper, don't do anthing
+        if ($echoContent instanceof Node\Expr\MethodCall &&
+            !$this->methodReturnsValidHtmlOrUrl($echoContent)
+        ) {
+
+            // if the method is part of secureRenderer don't do anything
+            if ($echoContent->var->name === 'secureRenderer') {
+                return false;
+            }
+
+            return true;
+
+        }
+
+        return false;
+    }
+
+    private function stringContainsHtml(string $str)
+    {
+        return strlen($str) !== strlen(strip_tags($str));
+    }
+
+    /**
+     * If the developer has marked the output as noEscape by using the @noEscape
+     * we want to leave that code as it is
+     */
+    private function hasNoEscapeAttribute(Node $echoContent):bool
+    {
+
+        $comments = $echoContent->getComments();
+        foreach ($comments as $comment) {
+            if (stripos($comment->getText(), '@noEscape') !== false) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * If method contains the keyword HTML we assume developer intends to output html
+     */
+    private function methodReturnsValidHtmlOrUrl(Node\Expr\MethodCall $echoContent):bool
+    {
+        return stripos($echoContent->name->name, 'Html') !== false
+            || stripos($echoContent->name->name, 'Url') !== false;
+    }
+
+    /**
+     * Some php function return safe output. They need not be escaped.
+     * count, strip_tags are example
+     */
+    private function willFunctionReturnSafeOutput(Node\Expr\FuncCall $funcNode):bool
+    {
+        //@TODO did not handle things like $callback();
+        $funcName = $funcNode->name->toCodeString();
+        return in_array($funcName, $this->_phpFunctionsToIgnore);
+    }
+
     /**
      * @inheritDoc
      */

Magento2/Rector/Tests/AddHtmlEscaperToOutput/Fixture/complex-phtml-code-mix.php.inc

@@ -0,0 +1,27 @@
+<?php
+$items = $block->getAllItems();
+?>
+<div class="test">
+    <?php if (count($items) > 0): ?>
+        <div class="counter"><?= __('Total <span>%1</span> items found', count($items)) ?></div>
+        <?php foreach ($items as $item): ?>
+            <a href="<?= $block->getActionUrl($item); ?>"><?= $item->getName(); ?></a>
+        <?php endforeach; ?>
+    <?php else: ?>
+        <?= __('No items found.'); ?>
+    <?php endif; ?>
+</div>
+-----
+<?php
+$items = $block->getAllItems();
+?>
+<div class="test">
+    <?php if (count($items) > 0): ?>
+        <div class="counter"><?= __('Total <span>%1</span> items found', count($items)) ?></div>
+        <?php foreach ($items as $item): ?>
+            <a href="<?= $block->getActionUrl($item); ?>"><?= $escaper->escapeHtml($item->getName()); ?></a>
+        <?php endforeach; ?>
+    <?php else: ?>
+        <?= $escaper->escapeHtml(__('No items found.')); ?>
+    <?php endif; ?>
+</div>

Magento2/Rector/Tests/AddHtmlEscaperToOutput/Fixture/message-string-contains-html.php.inc

@@ -0,0 +1 @@
+<div class="counter"><?= __('Total <span>%1</span> items found',count($items))?></div>

Magento2/Rector/Tests/AddHtmlEscaperToOutput/Fixture/method-that-return-html.php.inc

@@ -0,0 +1,3 @@
+<?=  $block->getChildHtml(); ?>
+<?= $block->getToolBarHtml();?>
+<?= $block->getChildBlock('toolbar')->setIsBottom(true)->toHtml() ?>

Magento2/Rector/Tests/AddHtmlEscaperToOutput/Fixture/skip-escaped-output-using-secure-renderer.php.inc

@@ -0,0 +1,4 @@
+<?=  $secureRenderer->renderStyleAsTag(
+    $position,
+    'product-item-info_' . $_product->getId() . ' div.actions-primary'
+) ?>

Magento2/Rector/Tests/AddHtmlEscaperToOutput/Fixture/skip-output-of-count-function.php.inc

@@ -0,0 +1,3 @@
+<?= count($items); ?>
+<?= (int)$items ?>
+<?= (bool)$items ?>

Magento2/Rector/Tests/AddHtmlEscaperToOutput/Fixture/skip-with-no-escape-annotation.php.inc

@@ -0,0 +1,3 @@
+<?= /* @noEscape */ $block->getProductPrice($_product) ?>
+<?= /* @noEscape */ $price ?>
+<?= /* @noEscape */ trim($price) ?>

Magento2/Rector/Tests/AddHtmlEscaperToOutput/Fixture/ternary-condition.php.inc

@@ -0,0 +1,11 @@
+<?php
+
+echo $block->canShowInfo() ?  $escaper->escapeHtml($block->getInfo()) : __('Nothing to show');
+
+?>
+-----
+<?php
+
+echo $block->canShowInfo() ?  $escaper->escapeHtml($block->getInfo()) : $escaper->escapeHtml(__('Nothing to show'));
+
+?>