EC-CUBE · chihiro-adachi · Jul 6, 2021 · Jun 25, 2021 · Jun 25, 2021 · Jun 30, 2021
diff --git a/src/Eccube/Resource/template/default/Mail/contact_mail.twig b/src/Eccube/Resource/template/default/Mail/contact_mail.twig
@@ -8,7 +8,7 @@ http://www.ec-cube.co.jp/
 For the full copyright and license information, please view the LICENSE
 file that was distributed with this source code.
 #}
-{% autoescape false %}
+{% autoescape 'safe_textmail' %}
 ※本メールは自動配信メールです。
 
 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓

diff --git a/src/Eccube/Resource/template/default/Mail/customer_withdraw_mail.twig b/src/Eccube/Resource/template/default/Mail/customer_withdraw_mail.twig
@@ -8,7 +8,7 @@ http://www.ec-cube.co.jp/
 For the full copyright and license information, please view the LICENSE
 file that was distributed with this source code.
 #}
-{% autoescape false %}
+{% autoescape 'safe_textmail' %}
 ※本メールは自動配信メールです。
 
 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓

diff --git a/src/Eccube/Resource/template/default/Mail/entry_complete.twig b/src/Eccube/Resource/template/default/Mail/entry_complete.twig
@@ -8,7 +8,7 @@ http://www.ec-cube.co.jp/
 For the full copyright and license information, please view the LICENSE
 file that was distributed with this source code.
 #}
-{% autoescape false %}
+{% autoescape 'safe_textmail' %}
 ※本メールは自動配信メールです。
 
 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓

diff --git a/src/Eccube/Resource/template/default/Mail/entry_confirm.twig b/src/Eccube/Resource/template/default/Mail/entry_confirm.twig
@@ -8,7 +8,7 @@ http://www.ec-cube.co.jp/
 For the full copyright and license information, please view the LICENSE
 file that was distributed with this source code.
 #}
-{% autoescape false %}
+{% autoescape 'safe_textmail' %}
 ※本メールは自動配信メールです。
 
 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓

diff --git a/src/Eccube/Resource/template/default/Mail/forgot_mail.twig b/src/Eccube/Resource/template/default/Mail/forgot_mail.twig
@@ -8,7 +8,7 @@ http://www.ec-cube.co.jp/
 For the full copyright and license information, please view the LICENSE
 file that was distributed with this source code.
 #}
-{% autoescape false %}
+{% autoescape 'safe_textmail' %}
 ※本メールは自動配信メールです。
 
 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓

diff --git a/src/Eccube/Resource/template/default/Mail/order.twig b/src/Eccube/Resource/template/default/Mail/order.twig
@@ -8,7 +8,7 @@ http://www.ec-cube.co.jp/
 For the full copyright and license information, please view the LICENSE
 file that was distributed with this source code.
 #}
-{% autoescape false %}
+{% autoescape 'safe_textmail' %}
 {{ Order.name01 }} {{ Order.name02 }} 様
 
 この度はご注文いただき誠にありがとうございます。下記ご注文内容にお間違えがないかご確認下さい。

diff --git a/src/Eccube/Resource/template/default/Mail/reset_complete_mail.twig b/src/Eccube/Resource/template/default/Mail/reset_complete_mail.twig
@@ -8,7 +8,7 @@ http://www.ec-cube.co.jp/
 For the full copyright and license information, please view the LICENSE
 file that was distributed with this source code.
 #}
-{% autoescape false %}
+{% autoescape 'safe_textmail' %}
 ※本メールは自動配信メールです。
 
 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓

diff --git a/src/Eccube/Resource/template/default/Mail/shipping_notify.twig b/src/Eccube/Resource/template/default/Mail/shipping_notify.twig
@@ -8,7 +8,7 @@ http://www.ec-cube.co.jp/
 For the full copyright and license information, please view the LICENSE
 file that was distributed with this source code.
 #}
-{% autoescape false %}
+{% autoescape 'safe_textmail' %}
 {{ Order.name01 }} {{ Order.name02 }} 様
 
 お客さまがご注文された以下の商品を発送いたしました。商品の到着まで、今しばらくお待ちください。

diff --git a/src/Eccube/Twig/Extension/SafeTextmailEscaperExtension.php b/src/Eccube/Twig/Extension/SafeTextmailEscaperExtension.php
@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Twig\Extension;
+
+use Twig\Extension\AbstractExtension;
+use Twig\Extension\EscaperExtension;
+
+class SafeTextmailEscaperExtension extends AbstractExtension
+{
+    public function __construct(\Twig\Environment $twig)
+    {
+        $twig->getExtension(EscaperExtension::class)->setEscaper(
+            'safe_textmail', function ($twig, $string, $charset) {
+                return str_replace(['<', '>'], ['＜', '＞'], $string);
+            }
+        );
+    }
+}
diff --git a/tests/Eccube/Tests/Service/CsvImportServiceTest.php b/tests/Eccube/Tests/Service/CsvImportServiceTest.php
@@ -90,6 +90,7 @@ public function testReadCsvFileWithManualColumnHeaders()
     public function testReadCsvFileWithTrailingBlankLines()
     {
         $file = new \SplFileObject(__DIR__.'/../../../Fixtures/data_blank_lines.csv');
+
         $CsvImportService = new CsvImportService($file);
         $CsvImportService->setColumnHeaders(['id', 'number', 'description']);
 

diff --git a/tests/Eccube/Tests/Web/Admin/Order/ShippingControllerTest.php b/tests/Eccube/Tests/Web/Admin/Order/ShippingControllerTest.php
@@ -208,6 +208,47 @@ public function testSendNotifyMail()
         self::assertEquals([$Order->getEmail() => null], $Message->getTo());
     }
 
+    public function testSendNotifyMailWithSanitize()
+    {
+        $this->client->enableProfiler();
+        $Customer = $this->createCustomer();
+        $Customer->setName01('<Sanitize&>');
+
+        $Order = $this->createOrder($Customer);
+        /** @var Shipping $Shipping */
+        $Shipping = $Order->getShippings()->first();
+
+        $shippingDate = new \DateTime();
+        $Shipping->setShippingDate($shippingDate);
+        $this->entityManager->persist($Shipping);
+        $this->entityManager->flush();
+
+        $this->client->request(
+            'PUT',
+            $this->generateUrl('admin_shipping_notify_mail', ['id' => $Shipping->getId()])
+        );
+
+        $this->assertTrue($this->client->getResponse()->isSuccessful());
+
+        $Messages = $this->getMailCollector(false)->getMessages();
+        self::assertEquals(1, count($Messages));
+
+        /** @var \Swift_Message $Message */
+        $Message = $Messages[0];
+
+        self::assertRegExp('/\[.*?\] 商品出荷のお知らせ/', $Message->getSubject());
+        self::assertEquals([$Order->getEmail() => null], $Message->getTo());
+
+        $this->assertContains('＜Sanitize&＞', $Message->getBody(), 'テキストメールがサニタイズされている');
+
+        $MultiPart = $Message->getChildren();
+        foreach ($MultiPart as $Part) {
+            if ($Part->getContentType() == 'text/html') {
+                $this->assertContains('&lt;Sanitize&amp;&gt;', $Part->getBody(), 'HTMLメールがサニタイズされている');
+            }
+        }
+    }
+
     public function testNotSendNotifyMail()
     {
         $this->client->enableProfiler();

diff --git a/tests/Eccube/Tests/Web/Admin/Setting/Shop/MailControllerTest.php b/tests/Eccube/Tests/Web/Admin/Setting/Shop/MailControllerTest.php
@@ -27,6 +27,9 @@ public function tearDown()
         if (file_exists($themeDir.'/Mail/order.twig')) {
             unlink($themeDir.'/Mail/order.twig');
         }
+        if (file_exists($themeDir.'/Mail/order.html.twig')) {
+            unlink($themeDir.'/Mail/order.html.twig');
+        }
         parent::tearDown();
     }
 

diff --git a/tests/Eccube/Tests/Web/ContactControllerTest.php b/tests/Eccube/Tests/Web/ContactControllerTest.php
@@ -98,6 +98,43 @@ public function testComplete()
         $this->verify();
     }
 
+    public function testCompleteWithSanitize()
+    {
+        $this->client->enableProfiler();
+        $form = $this->createFormData();
+        $form['name']['name01'] .= '<Sanitize&>';
+        $crawler = $this->client->request(
+            'POST',
+            $this->generateUrl('contact'),
+            ['contact' => $form,
+                  'mode' => 'complete', ]
+        );
+
+        $this->assertTrue($this->client->getResponse()->isRedirect($this->generateUrl('contact_complete')));
+
+        $BaseInfo = $this->entityManager->find(BaseInfo::class, 1);
+
+        $mailCollector = $this->getMailCollector(false);
+        $this->assertEquals(1, $mailCollector->getMessageCount());
+
+        $collectedMessages = $mailCollector->getMessages();
+        /** @var \Swift_Message $Message */
+        $Message = $collectedMessages[0];
+
+        $this->expected = '['.$BaseInfo->getShopName().'] お問い合わせを受け付けました。';
+        $this->actual = $Message->getSubject();
+        $this->verify();
+
+        $this->assertContains('＜Sanitize&＞', $Message->getBody(), 'テキストメールがサニタイズされている');
+
+        $MultiPart = $Message->getChildren();
+        foreach ($MultiPart as $Part) {
+            if ($Part->getContentType() == 'text/html') {
+                $this->assertContains('&lt;Sanitize&amp;&gt;', $Part->getBody(), 'HTMLメールがサニタイズされている');
+            }
+        }
+    }
+
     /**
      * 必須項目のみのテストケース
      *

diff --git a/tests/Eccube/Tests/Web/EntryControllerTest.php b/tests/Eccube/Tests/Web/EntryControllerTest.php
@@ -163,6 +163,43 @@ public function testCompleteWithActivate()
         $this->verify();
     }
 
+    public function testCompleteWithActivateWithMultipartSanitize()
+    {
+        $BaseInfo = $this->entityManager->getRepository(\Eccube\Entity\BaseInfo::class)->get();
+        $BaseInfo->setOptionCustomerActivate(1);
+        $this->entityManager->flush();
+
+        $client = $this->client;
+        $form = $this->createFormData();
+        $form['name']['name01'] .= '<Sanitize&>'; // サニタイズ対象の文字列
+        $crawler = $client->request('POST',
+            $this->generateUrl('entry'),
+            [
+                'entry' => $form,
+                'mode' => 'complete',
+            ]
+        );
+
+        $this->assertTrue($client->getResponse()->isRedirect($this->generateUrl('entry_complete')));
+
+        $collectedMessages = $this->getMailCollector(false)->getMessages();
+        /** @var \Swift_Message $Message */
+        $Message = $collectedMessages[0];
+
+        $this->expected = '['.$BaseInfo->getShopName().'] 会員登録のご確認';
+        $this->actual = $Message->getSubject();
+        $this->verify();
+
+        $this->assertContains('＜Sanitize&＞', $Message->getBody(), 'テキストメールがサニタイズされている');
+
+        $MultiPart = $Message->getChildren();
+        foreach ($MultiPart as $Part) {
+            if ($Part->getContentType() == 'text/html') {
+                $this->assertContains('&lt;Sanitize&amp;&gt;', $Part->getBody(), 'HTMLメールがサニタイズされている');
+            }
+        }
+    }
+
     public function testRoutingComplete()
     {
         $client = $this->client;
@@ -192,6 +229,37 @@ public function testActivate()
         $this->verify();
     }
 
+    public function testActivateWithSanitize()
+    {
+        $BaseInfo = $this->entityManager->getRepository(\Eccube\Entity\BaseInfo::class)->get();
+        $Customer = $this->createCustomer();
+        $Customer->setName01('<Sanitize&>');
+        $secret_key = $Customer->getSecretKey();
+        $Status = $this->entityManager->getRepository('Eccube\Entity\Master\CustomerStatus')->find(CustomerStatus::NONACTIVE);
+        $Customer->setStatus($Status);
+        $this->entityManager->flush();
+
+        $client = $this->client;
+        $client->request('GET', $this->generateUrl('entry_activate', ['secret_key' => $secret_key]));
+
+        $this->assertTrue($client->getResponse()->isSuccessful());
+        $collectedMessages = $this->getMailCollector(false)->getMessages();
+        /** @var \Swift_Message $Message */
+        $Message = $collectedMessages[0];
+        $this->expected = '['.$BaseInfo->getShopName().'] 会員登録が完了しました。';
+        $this->actual = $Message->getSubject();
+        $this->verify();
+
+        $this->assertContains('＜Sanitize&＞', $Message->getBody(), 'テキストメールがサニタイズされている');
+
+        $MultiPart = $Message->getChildren();
+        foreach ($MultiPart as $Part) {
+            if ($Part->getContentType() == 'text/html') {
+                $this->assertContains('&lt;Sanitize&amp;&gt;', $Part->getBody(), 'HTMLメールがサニタイズされている');
+            }
+        }
+    }
+
     public function testActivateWithNotFound()
     {
         $this->client->request('GET', $this->generateUrl('entry_activate', ['secret_key' => 'aaaaa']));

diff --git a/tests/Eccube/Tests/Web/Mypage/WithdrawControllerTest.php b/tests/Eccube/Tests/Web/Mypage/WithdrawControllerTest.php
@@ -93,6 +93,46 @@ public function testIndexWithPostComplete()
         $this->verify();
     }
 
+    public function testIndexWithPostCompleteWithSanitize()
+    {
+        $this->Customer->setName01('<Sanitize&>');
+        $this->entityManager->flush();
+
+        $this->client->enableProfiler();
+        $this->logInTo($this->Customer);
+
+        $crawler = $this->client->request(
+            'POST',
+            $this->generateUrl('mypage_withdraw'),
+            [
+                'form' => ['_token' => 'dummy'],
+                'mode' => 'complete',
+            ]
+        );
+
+        $this->assertRegExp('/@dummy.dummy/', $this->Customer->getEmail());
+
+        $this->assertTrue($this->client->getResponse()->isRedirect($this->generateUrl('mypage_withdraw_complete')));
+
+        $Messages = $this->getMailCollector(false)->getMessages();
+        /** @var \Swift_Message $Message */
+        $Message = $Messages[0];
+
+        $BaseInfo = $this->entityManager->getRepository(\Eccube\Entity\BaseInfo::class)->get();
+        $this->expected = '['.$BaseInfo->getShopName().'] 退会手続きのご完了';
+        $this->actual = $Message->getSubject();
+        $this->verify();
+
+        $this->assertContains('＜Sanitize&＞', $Message->getBody(), 'テキストメールがサニタイズされている');
+
+        $MultiPart = $Message->getChildren();
+        foreach ($MultiPart as $Part) {
+            if ($Part->getContentType() == 'text/html') {
+                $this->assertContains('&lt;Sanitize&amp;&gt;', $Part->getBody(), 'HTMLメールがサニタイズされている');
+            }
+        }
+    }
+
     public function testComplete()
     {
         $this->client->request(