From e3c7f9c15e23b3cabdbdc540fb5c8ab2ab5c1562 Mon Sep 17 00:00:00 2001
From: Michiel Gerritsen <michiel@controlaltdelete.nl>
Date: Mon, 22 Jul 2024 15:22:08 +0200
Subject: [PATCH] Bugfix: Render script in secure tag #797

---
 .../form/mollie_paymentlink_javascript.phtml  | 12 ++++++--
 .../create/payment_hold_warning.phtml         | 16 ++++++++--
 .../system/config/button/apikey.phtml         | 25 ++++++++++------
 .../system/config/button/compatibility.phtml  | 29 ++++++++++++-------
 4 files changed, 56 insertions(+), 26 deletions(-)

diff --git a/view/adminhtml/templates/form/mollie_paymentlink_javascript.phtml b/view/adminhtml/templates/form/mollie_paymentlink_javascript.phtml
index f99f16fa7ed..a2e2a307797 100644
--- a/view/adminhtml/templates/form/mollie_paymentlink_javascript.phtml
+++ b/view/adminhtml/templates/form/mollie_paymentlink_javascript.phtml
@@ -3,8 +3,12 @@
  * Copyright Magmodules.eu. All rights reserved.
  * See COPYING.txt for license details.
  */
-?>
-<script>
+
+use Magento\Framework\View\Helper\SecureHtmlRenderer;
+
+/** @var SecureHtmlRenderer $secureRenderer */
+
+$scriptString = <<<SCRIPT
     document.addEventListener('DOMContentLoaded', function () {
         const saveSelectedMethods = () => {
             // Save the selected payment methods to local storage
@@ -46,4 +50,6 @@
             setSelectedMethods();
         })
     });
-</script>
+SCRIPT;
+
+echo $secureRenderer->renderTag('script', [], $scriptString, false);
diff --git a/view/adminhtml/templates/order/shipment/create/payment_hold_warning.phtml b/view/adminhtml/templates/order/shipment/create/payment_hold_warning.phtml
index 273c7804f62..5018f42fa81 100644
--- a/view/adminhtml/templates/order/shipment/create/payment_hold_warning.phtml
+++ b/view/adminhtml/templates/order/shipment/create/payment_hold_warning.phtml
@@ -1,14 +1,22 @@
 <?php
+/*
+ * Copyright Magmodules.eu. All rights reserved.
+ * See COPYING.txt for license details.
+ */
 
 declare(strict_types=1);
-?>
 
+use Magento\Framework\View\Helper\SecureHtmlRenderer;
+
+/** @var SecureHtmlRenderer $secureRenderer */
+?>
 <div class="mollie-manual-capture-warning message message-warning">
     Please note: You are creating a partial shipment, but it's only possible to capture the payment once.
     Please double-check you are shipping the correct items.
 </div>
 
-<script>
+<?php
+$scriptString = <<<SCRIPT
     (() => {
         let warningElement = document.querySelector('.mollie-manual-capture-warning');
         let fields = Array.from(document.querySelectorAll('.qty-item'));
@@ -28,4 +36,6 @@ declare(strict_types=1);
 
         checkFields();
     })();
-</script>
+SCRIPT;
+
+echo $secureRenderer->renderTag('script', [], $scriptString, false);
diff --git a/view/adminhtml/templates/system/config/button/apikey.phtml b/view/adminhtml/templates/system/config/button/apikey.phtml
index 7a1667f6bba..79b69a60dae 100644
--- a/view/adminhtml/templates/system/config/button/apikey.phtml
+++ b/view/adminhtml/templates/system/config/button/apikey.phtml
@@ -1,15 +1,19 @@
 <?php
-/**
- * Copyright © 2018 Magmodules.eu. All rights reserved.
+/*
+ * Copyright Magmodules.eu. All rights reserved.
  * See COPYING.txt for license details.
  */
 
+use Magento\Framework\View\Helper\SecureHtmlRenderer;
+use Mollie\Payment\Block\Adminhtml\System\Config\Form\Apikey\Checker;
+
 /**
- * @see \Mollie\Payment\Block\Adminhtml\System\Config\Form\Apikey\Checker
- * @var \Mollie\Payment\Block\Adminhtml\System\Config\Form\Apikey\Checker $block
+ * @see Checker
+ * @var Checker $block
+ * @var SecureHtmlRenderer $secureRenderer
  */
-?>
-<script>
+
+$scriptString = <<<SCRIPT
     require([
         'jquery',
         'prototype'
@@ -20,7 +24,7 @@
                 "test_key": jQuery("#mollie_general_api_details_apikey_test").val(),
                 "live_key": jQuery("#mollie_general_api_details_apikey_live").val()
             	};
-            new Ajax.Request('<?= $block->getAjaxUrl() ?>', {
+            new Ajax.Request('{$block->getAjaxUrl()}', {
                 parameters: params,
                 loaderArea: false,
                 asynchronous: true,
@@ -45,5 +49,8 @@
             });
         });
     });
-</script>
-<?= $block->getButtonHtml() ?>
+SCRIPT;
+
+echo $secureRenderer->renderTag('script', [], $scriptString, false);
+
+echo $block->getButtonHtml();
diff --git a/view/adminhtml/templates/system/config/button/compatibility.phtml b/view/adminhtml/templates/system/config/button/compatibility.phtml
index 6d714a1b9dd..9afa0b54d1b 100644
--- a/view/adminhtml/templates/system/config/button/compatibility.phtml
+++ b/view/adminhtml/templates/system/config/button/compatibility.phtml
@@ -1,24 +1,28 @@
 <?php
-/**
- * Copyright © 2018 Magmodules.eu. All rights reserved.
+/*
+ * Copyright Magmodules.eu. All rights reserved.
  * See COPYING.txt for license details.
  */
 
+use Magento\Framework\View\Helper\SecureHtmlRenderer;
+use Mollie\Payment\Block\Adminhtml\System\Config\Form\Compatibility\Checker;
+
 /**
- * @see \Mollie\Payment\Block\Adminhtml\System\Config\Form\Compatibility\Checker
- * @var \Mollie\Payment\Block\Adminhtml\System\Config\Form\Compatibility\Checker $block
+ * @see Checker
+ * @var Checker $block
+ * @var SecureHtmlRenderer $secureRenderer
  */
-?>
-<script>
+
+$scriptString = <<<SCRIPT
     require([
         'jquery',
         'mage/translate',
         'prototype',
-    ], function (jQuery, $t) {
+    ], function (jQuery, \$t) {
         var resultSpan = jQuery('#result_compatibility');
         jQuery('#compatibility_button').click(function () {
             var params = {};
-            new Ajax.Request('<?= $block->getAjaxUrl() ?>', {
+            new Ajax.Request('{$block->getAjaxUrl()}', {
                 parameters: params,
                 loaderArea: false,
                 asynchronous: true,
@@ -36,7 +40,7 @@
                         if (typeof json.msg != 'undefined') {
                             resultText = json.msg;
                         } else {
-                            resultText = $t('Invalid response received. This indicates an unknown problem.');
+                            resultText = \$t('Invalid response received. This indicates an unknown problem.');
                         }
                     }
                     resultSpan.find('.result').show();
@@ -46,5 +50,8 @@
         });
 
     });
-</script>
-<?= $block->getButtonHtml() ?>
\ No newline at end of file
+SCRIPT;
+
+echo $secureRenderer->renderTag('script', [], $scriptString, false);
+
+echo $block->getButtonHtml();