magespecialist/m2-MSP_DevTools

Script gets injected into raw controller results.

frekvent-szabolcs opened this issue · 0 comments

frekvent-szabolcs commented

I use a backend controller (implementing HttpGetActionInterface) to return a CSV file. I trigger the download with a button click. (button in system.xml, block type is a custom AbstractElement and I changed the button onClick to setLocaltion(...backendUrl->getUrl()...)).
The file I download this way when the MSP Devtools is enabled get the script tag appended:

image

If the devtools is disabled, I get the expected CSV file.

I think this issue is similar to #53

Preconditions

Magento: 2.4.6
PHP: 8.1

Steps to reproduce

Backend controller like:

<?php
declare(strict_types=1);

namespace YourNameSpace\YourModule\Controller\Adminhtml\System\Config;

use Magento\Framework\App\Action\HttpGetActionInterface;
use Magento\Framework\App\Config\ScopeConfigInterface;
use Magento\Framework\App\Filesystem\DirectoryList;
use Magento\Framework\App\Response\Http\FileFactory;
use Magento\Framework\App\ResponseInterface;
use Magento\Framework\Controller\Result\Forward;
use Magento\Framework\Controller\Result\RawFactory;
use Magento\Framework\Controller\ResultFactory;
use Magento\Framework\Controller\ResultInterface;
use Magento\Framework\Exception\FileSystemException;
use Magento\Framework\Filesystem;
use Magento\Framework\Filesystem\Driver\File;

class Download implements HttpGetActionInterface
{
    private RawFactory $resultRawFactory;
    private FileFactory $fileFactory;
    private Filesystem $filesystem;
    private File $fileDriver;
    private ResultFactory $resultFactory;
    private ScopeConfigInterface $scopeConfig;

    public function __construct(
        \Magento\Backend\App\Action\Context $context,
        RawFactory $resultRawFactory,
        FileFactory $fileFactory,
        Filesystem $filesystem,
        File $fileDriver,
        ResultFactory $resultFactory,
        ScopeConfigInterface $scopeConfig
    )
    {
        $this->resultRawFactory = $resultRawFactory;
        $this->fileFactory = $fileFactory;
        $this->filesystem = $filesystem;
        $this->fileDriver = $fileDriver;
        $this->resultFactory = $resultFactory;
        $this->scopeConfig = $scopeConfig;
    }

    /**
     *
     * @throws FileSystemException
     * @throws \Exception
     */
    public function execute(): ResponseInterface|ResultInterface
    {
        $mediaPath = $this->filesystem->getDirectoryRead(DirectoryList::MEDIA)->getAbsolutePath();
        $uploadDir = 'YourNameSpace_on_site_install/';

        $currentFile = $this->scopeConfig->getValue("YourNameSpace_catalog/on_site_install/on_site_install_file_upload", ScopeConfigInterface::SCOPE_TYPE_DEFAULT);

        $filePath = $mediaPath.$uploadDir.$currentFile;

        if (!$this->fileDriver->isExists($filePath)) {
            /** @var Forward $resultForward */
            $resultForward = $this->resultFactory->create(ResultFactory::TYPE_FORWARD);
            $resultForward->forward('noroute');
            return $resultForward;
        }

        $content = $this->fileDriver->fileGetContents($filePath);

        $this->fileFactory->create(
            'on-site-install.csv',
            $content,
            DirectoryList::MEDIA,
            'text/csv' // <--- IF I CHANGE THIS TO 'application/json' I DO NOT GET THE SCRIPT TAG INJECTED !!
        );

        return $this->resultRawFactory->create();
    }

}

Expected result

It should not inject script code into raw files. Maybe skip media types like text/* similar to application/json.