Fix isTemplate to not return true for string containing ${{

[slackerzz]

Changed isTemplate in template.js
Now it returns false if value contains ${{

Description

Fixed Issues (if relevant)

1. Dollar sign before config path or custom variables in cms page content makes listing crash #10501 Dollar sign before config path or custom variables in cms page content makes listing crash

Manual testing scenarios

1. create a cms page o static block with ${{config path="web/unsecure/base_url"}} as content
2. ...

Contribution checklist

• Pull request has a meaningful description of its purpose
• All commits are accompanied by meaningful commit messages
• All new or changed code is covered with unit/integration tests (if applicable)
• All automated tests passed successfully (all builds on Travis CI are green)

[okorshenko]

Hi @slackerzz
Thank you for your contribution. We have several failed tests:
1.

Magento\Cms\Controller\Adminhtml\Page\SaveTest::testSaveActionWrongId
PHPUnit\Framework\Exception: Notice: Undefined index: content in /app/code/Magento/Cms/Controller/Adminhtml/Page/Save.php:87.

Magento\Cms\Test\Unit\Controller\Adminhtml\Block\SaveTest

Magento\Test\Php\LiveCodeTest::testCodeStyle
PHP Code Sniffer detected 2 violation(s): 

FILE: lib/internal/Magento/Framework/Escaper.php
----------------------------------------------------------------------
FOUND 1 ERROR AFFECTING 1 LINE
----------------------------------------------------------------------
 324 | ERROR | [x] Whitespace found at end of line
(9 more lines...)

Also, please review the Backward Compatibility Guide for adding new constructor argument.

[okorshenko]

You can run tests on local machine or wait for travis results

[orlangur]

We should come to conclusion in initial issue before processing this PR.

[slackerzz]

I think that escaping ${ is the simplest way of fix that behaviour. Following the advice in the issue i will change escapeDollarSign to replace ${ with $⁠{ https://www.compart.com/en/unicode/U+2060

[orlangur]

Please expand \Magento\Cms\Test\Unit\Model\PageTest with additional case and implement similar \Magento\Cms\Test\Unit\Model\BlockTest for fixed case.

After all changes are made and all builds are green, please squash all changes into a single commit.

[orlangur]

For now this is just some Magento_Cms-specific hack to overcome collision with JS templates syntax thus it should not be a part of Magento_Framework.

to replace ${ with $⁠{

No need in HTML entity, just use unicode character. As we can simply do str_replace('${', '$<proper code>{') I don't think there is a real need to do it as separate method.

If we would need something more than one-liner, the class could be something like \Magento\Cms\Model\PseudoEs6TemplateEscaper.

[slackerzz]

This collission happens with every text field in the Magento backend, not only in Magento_Cms #10501 (comment).
According to me it doesn't make sense to put it in Magento_Cms

[orlangur]

${ in product/category name would be pretty strange. Only those places needs to be fixed where we normally use some {{ ... }} now as a variable template.

My suggestion is: simply do str_replace in place, as soon as this logic this be identified frequently reusable (hope no) it can be refactored into separate class in whatever module or framework itself is suitable (now it should not go outside Magento_Cms, depending on use cases it may become a part of Magento_Backend or Magento_Ui).

[slackerzz]

If someone sign up with a ${ inside the name, all the customer section in the backend is broken. Obviously it is not common, but we cannot trust user inputs.
${ should NEVER be saved as is, so it makes sense to add the `Escaper' class to escape every user/admin inputs

[orlangur]

Escaper class is not needed currently at all as I already said.

If someone sign up with a ${ inside the name, all the customer section in the backend is broken.

This is a bit different story. In such case string replace does not make a lot of sense and also such situation never occurred before in reality. Please report it separately and we can discuss a fix for it then. I tend to forbidding such combination of symbols via validation.

[orlangur]

I suggest moving such logic to \Magento\Cms\Model\Block::beforeSave.

[orlangur]

I suggest moving such logic to \Magento\Cms\Model\Page::beforeSave.