The Magento patch 7405 adds a function to app/code/core/Mage/Adminhtml/Helper/Sales.php that is as follows:
/**
* Escape string preserving links
*
* @param array|string $data
* @param null|array $allowedTags
* @return string
*/
public function escapeHtmlWithLinks($data, $allowedTags = null)
{
if (!empty($data) && is_array($allowedTags) && in_array('a', $allowedTags)) {
$links = [];
$i = 1;
$regexp = "/<a\s[^>]*href\s*?=\s*?([\"\']??)([^\" >]*?)\\1[^>]*>(.*)<\/a>/siU";
while (preg_match($regexp, $data, $matches)) {
//Revert the sprintf escaping
$url = str_replace('%%', '%', $matches[2]);
$text = str_replace('%%', '%', $matches[3]);
//Check for an valid url
if ($url) {
$urlScheme = strtolower(parse_url($url, PHP_URL_SCHEME));
if ($urlScheme !== 'http' && $urlScheme !== 'https') {
$url = null;
}
}
//Use hash tag as fallback
if (!$url) {
$url = '#';
}
//Recreate a minimalistic secure a tag
$links[] = sprintf(
'<a href="%s">%s</a>',
htmlspecialchars($url, ENT_QUOTES, 'UTF-8', false),
parent::escapeHtml($text)
);
$data = str_replace($matches[0], '%' . $i . '$s', $data);
++$i;
}
$data = parent::escapeHtml($data, $allowedTags);
return vsprintf($data, $links);
}
return parent::escapeHtml($data, $allowedTags);
}
However, when trying to view an order, I'm getting a fatal error because the parent class does not have an escapeHtml() function. Here's the error:
Call to undefined method Mage_Core_Helper_Abstract::escapeHtml()
It seems the htmlEscape() may be what we need, but I haven't tried it yet.
