Magento Framework Escaper - Critical log with special symbols

[ihor-sviziev]

Preconditions

1. Magento 2.3.3

Steps to reproduce

Case 1

1. Register a new customer from frontend;
2. Created one order from frontend;
3. Add & to store view name

• Go to Admin >> Stores >> All Stores
• Click on "Default Store View"
• Change Name field to "Default & Store View"
• Click "Save Store View" button

4. Remove all log files from magento2/var/log directory (in order to have only needed logs)
5. Go to Frontend >> [user name] >> My Account >> My Orders;
6. Click on "View Order" link for our order that was created in step 2;
7. See magento2/var/log directory;

Expected result

1. No exception logs should be there

Actual result

1. exception.log file appeared with one line:

[[2019-12-03 10:47:42] main.CRITICAL: DOMDocument::loadHTML(): Tag date invalid in Entity, line: 1 {"exception":"[object] (InvalidArgumentException(code: 2): DOMDocument::loadHTML(): Tag date invalid in Entity, line: 1 at /home/arthur/sites/magento/magento233/vendor/magento/framework/Escaper.php:89)"} []

Case 2

1. Register a new customer from frontend;
2. Created one order from frontend;
3. Go to Admin->Sales->Orders;
4. Click on the "View" link for our order that was created in step 2;
5. In "Order Total" block add comment "&";
6. Click on the "Submit Comment" button;
7. Remove all log files from magento2/var/log directory (in order to have only needed logs)
8. Go to Frontend >> [user name] >> My Account >> My Orders;
9. Click on "View Order" link for our order that was created in step 2;
10. See magento2/var/log directory;

Expected result

1. No exception logs should be there

Actual result

1. exception.log file appeared with one line:

[[2019-12-03 10:55:22] main.CRITICAL: DOMDocument::loadHTML(): Tag date invalid in Entity, line: 1 {"exception":"[object] (InvalidArgumentException(code: 2): DOMDocument::loadHTML(): Tag date invalid in Entity, line: 1 at /home/arthur/sites/magento/magento233/vendor/magento/framework/Escaper.php:89)"} []

Reason: On View order page in the admin we have "Purchased From" block.

This block uses \Magento\Framework\Escaper::escapeHtml with string that contains ampersand and allowed tags is "br". In this case it writes critical log. This issue appeared in Magento 2.2.0, it was introduced in 59c2c9e + df261e7 + 624ee86.

For someone who will fix this issue:
I prepared tests for this fix in my branch that are currently fails (not only this case):
2.2-develop...ihor-sviziev:escaper-critical-log-when-ampersand-is-present

[magento-engcom-team]

@ihor-sviziev, thank you for your report.
We've acknowledged the issue and added to our backlog.

[oleksandr-butenko]

hi
We have the same issue with comments in order.
The version of Magento is 2.2.5
Admin user can write an order comment with "&" for example.
Then, during load of the order page, we will have errors about using &.

Have you fixed this issue in one the next releases?
Maybe there is a patch to fix it?

Thanks.

[simonmaass]

have the same issue in 2.2.6

[TimQSO]

Any news on this one? As this error floods our logfile.

[joris-ati4]

I just did some testing and the problem seems to come from the \Magento\Framework\Escaper::escapeHtml.

The line 74 should convert the data to htmlentities

$string = mb_convert_encoding($data, 'HTML-ENTITIES', 'UTF-8');

Edit: I just found in the documentation of mb_convert_encoding that it won't escape the following characters: ''', '"', '<', '>', or '&'. I will look at how this function evolved since 2.1.x