Merge pull request #1 from landofcoder/fix-pci-issues

Fix pci issues

Author: landofcoder

Block/Search/Result.php

@@ -1,18 +1,18 @@
 <?php
 /**
  * Venustheme
- * 
+ *
  * NOTICE OF LICENSE
- * 
+ *
  * This source file is subject to the Venustheme.com license that is
  * available through the world-wide-web at this URL:
  * http://www.venustheme.com/license-agreement.html
- * 
+ *
  * DISCLAIMER
- * 
+ *
  * Do not edit or add to this file if you wish to upgrade this extension to newer
  * version in the future.
- * 
+ *
  * @category   Venustheme
  * @package    Ves_Blog
  * @copyright  Copyright (c) 2016 Venustheme (http://www.venustheme.com/)
@@ -119,13 +119,14 @@ public function getCollection(){
      * @return $this
      */
     protected function _prepareLayout()
-    {	
+    {
         $searchKey = $this->_request->getParam('s');
+        $searchKey = $this->_blogHelper->xss_clean($searchKey);
     	$page_title = __("Search result for: '%1'", $searchKey);
     	$this->pageConfig->addBodyClass('vesblog-page');
         $this->pageConfig->addBodyClass('blog-searchresult');
     	if($page_title){
-    		$this->pageConfig->getTitle()->set($page_title);   
+    		$this->pageConfig->getTitle()->set($page_title);
     	}
     	return parent::_prepareLayout();
     }
@@ -151,7 +152,7 @@ public function getPostsBlock()
         $html = $block->toHtml();
         if ($html) {
             return $html;
-        }   
+        }
     }
 
     /**
@@ -178,6 +179,7 @@ protected function _beforeToHtml()
 
         $store = $this->_storeManager->getStore();
         $searchKey = $this->_request->getParam('s');
+        $searchKey = $this->_blogHelper->xss_clean($searchKey);
         $itemsperpage = (int)$this->getConfig('blog_page/item_per_page');
         $orderby = $this->getConfig('blog_page/orderby');
         $orderby = $orderby?$orderby:"DESC";
@@ -210,4 +212,4 @@ protected function _beforeToHtml()
         }
         return parent::_beforeToHtml();
     }
-}
+}

Controller/Comment/Add.php

@@ -1,18 +1,18 @@
 <?php
 /**
  * Venustheme
- * 
+ *
  * NOTICE OF LICENSE
- * 
+ *
  * This source file is subject to the Venustheme.com license that is
  * available through the world-wide-web at this URL:
  * http://www.venustheme.com/license-agreement.html
- * 
+ *
  * DISCLAIMER
- * 
+ *
  * Do not edit or add to this file if you wish to upgrade this extension to newer
  * version in the future.
- * 
+ *
  * @category   Venustheme
  * @package    Ves_Blog
  * @copyright  Copyright (c) 2016 Venustheme (http://www.venustheme.com/)
@@ -83,14 +83,14 @@ class Add extends \Magento\Framework\App\Action\Action
 
     /**
      * [__construct description]
-     * @param Context                                             $context              
-     * @param \Magento\Framework\View\Result\PageFactory          $resultPageFactory    
-     * @param \Ves\Blog\Helper\Data                               $blogHelper           
-     * @param \Magento\Framework\Controller\Result\ForwardFactory $resultForwardFactory 
-     * @param \Magento\Framework\Translate\Inline\StateInterface  $inlineTranslation    
-     * @param \Magento\Framework\Mail\Template\TransportBuilder   $transportBuilder     
-     * @param \Magento\Framework\App\Config\ScopeConfigInterface  $scopeConfig          
-     * @param \Magento\Store\Model\StoreManagerInterface          $storeManager         
+     * @param Context                                             $context
+     * @param \Magento\Framework\View\Result\PageFactory          $resultPageFactory
+     * @param \Ves\Blog\Helper\Data                               $blogHelper
+     * @param \Magento\Framework\Controller\Result\ForwardFactory $resultForwardFactory
+     * @param \Magento\Framework\Translate\Inline\StateInterface  $inlineTranslation
+     * @param \Magento\Framework\Mail\Template\TransportBuilder   $transportBuilder
+     * @param \Magento\Framework\App\Config\ScopeConfigInterface  $scopeConfig
+     * @param \Magento\Store\Model\StoreManagerInterface          $storeManager
      */
     public function __construct(
         Context $context,
@@ -148,6 +148,7 @@ public function execute()
             if (isset($data['content']) && $allowableTags) {
                 $data['content'] = strip_tags($data['content'], $allowableTags);
             }
+            $data['content'] = $this->_blogHelper->xss_clean($data['content']);
 
             $model = $this->_objectManager->create('Ves\Blog\Model\Comment');
             $store = $this->_storeManager->getStore();
@@ -231,4 +232,4 @@ public function execute()
         }
         return $resultRedirect->setRefererOrBaseUrl();
     }
-}
+}