From 50f9fee96d885bb5a43b245ab16f05f290c2426c Mon Sep 17 00:00:00 2001
From: kiy0taka
Date: Fri, 11 Jun 2021 21:36:07 +0900
Subject: [PATCH 1/2] prevent xss
---
 Event/OrderPdfLegacy.php | 50 +++++++++-------------------------------
 1 file changed, 11 insertions(+), 39 deletions(-)
diff --git a/Event/OrderPdfLegacy.php b/Event/OrderPdfLegacy.php
index 057ba61..dc959d0 100644
--- a/Event/OrderPdfLegacy.php
+++ b/Event/OrderPdfLegacy.php
@@ -57,48 +57,20 @@ public function onRenderAdminOrderPdfBefore(FilterResponseEvent $event)
 */
 private function getHtml(Response $response) {
- // 検索結果一覧の下部に帳票出力を追加する
- // 受注管理-受注マスターのHTMLを取得し、DOM化
- $crawler = new Crawler($response->getContent());
+ $document = \DOMDocument::loadHTML($response->getContent());
- // [Form id="dropdown-form"]の最終項目に追加(レイアウトに依存(時間無いのでベタ))
- $html = $this->getHtmlFromCrawler($crawler);
+ $xpath = new \DOMXPath($document);
+ $menu = $xpath->query('//li[@id="dropmenu"]//ul[@class="dropdown-menu"]', $document)->item(0);
- $parts = $this->app->renderView(
- 'OrderPdf/Resource/template/admin/order_pdf_menu.twig'
- );
-
- try {
- // ※商品編集画面 idなりclassなりがきちんとつかないとDOMをいじるのは難しい
- // また、[その他]メニューの中に入れ込もうとしたがJQUERYのイベントが動作するので不可
- // = = = = = = = = =
- // その他メニューに追加するバージョン
- $form = $crawler->filter('#dropmenu .dropdown-menu')->last()->html();
- $newForm = $form.$parts;
-
- $html = str_replace($form, $newForm, $html);
- } catch (\InvalidArgumentException $e) {
- log_error('Cannot found .dropdown-menu', array($e->getMessage()));
- }
-
- return html_entity_decode($html);
- }
-
- /**
- * 解析用HTMLを取得.
- *
- * @param Crawler $crawler
- *
- * @return string
- */
- private function getHtmlFromCrawler(Crawler $crawler)
- {
- $html = '';
- foreach ($crawler as $domElement) {
- $domElement->ownerDocument->formatOutput = true;
- $html .= $domElement->ownerDocument->saveHTML();
+ if ($menu) {
+ $parts = $this->app->renderView(
+ 'OrderPdf/Resource/template/admin/order_pdf_menu.twig'
+ );
+ $newNode = \DOMDocument::loadXML($parts)->getElementsByTagName('li')->item(0);
+ $menu->appendChild($document->importNode($newNode, true));
 }
- return html_entity_decode($html, ENT_NOQUOTES, 'UTF-8');
+ $crawler = new Crawler($document);
+ return $crawler->html();
 }
 }
From 41411a17ca5b3029174d89da22be34ba01434f3c Mon Sep 17 00:00:00 2001
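Review bot: `\DOMDocument::loadHTML(...)` and `\DOMDocument::loadXML($parts)` in the new body are non-static methods called statically; in that form they return `false` when libxml rejects the input (and the call itself is an Error on PHP 8), and both results are dereferenced unchecked, so an unparseable page or template now fatals where the old code fell back to the unmodified response. Dropping `html_entity_decode()` on the whole page is the right fix, since it turned entities the templates had escaped back into live markup, but the rewrite below also instantiates the documents explicitly, checks each load result, and parses under `libxml_use_internal_errors(true)` so malformed admin HTML does not emit warnings. `$crawler->html()` on a Crawler built from the whole `DOMDocument` appears to return only the inner HTML of `<html>`, dropping the doctype and `<html>` element from the response, which `$document->saveHTML()` preserves. Note also that `@class="dropdown-menu"` is an exact match, unlike the previous `.dropdown-menu` selector, so it silently matches nothing if that `ul` ever carries a second class, and the missing-menu case no longer logs anything as the removed `log_error` call did.
```php
private function getHtml(Response $response)
{
    $html = $response->getContent();

    // Collect libxml errors instead of emitting warnings on malformed admin HTML.
    $useErrors = libxml_use_internal_errors(true);
    $document = new \DOMDocument();

    if ($document->loadHTML($html)) {
        // … unchanged: XPath lookup of the dropdown menu into $menu …

        if ($menu) {
            // … unchanged: renderView of order_pdf_menu.twig into $parts …
            $fragment = new \DOMDocument();
            $newNode = $fragment->loadXML($parts)
                ? $fragment->getElementsByTagName('li')->item(0)
                : null;
            if ($newNode) {
                $menu->appendChild($document->importNode($newNode, true));
                // saveHTML() keeps the doctype and <html> element that Crawler::html() drops.
                $html = $document->saveHTML();
            }
        }
    }

    libxml_clear_errors();
    libxml_use_internal_errors($useErrors);

    return $html;
}
```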
From: kiy0taka
Date: Sat, 12 Jun 2021 16:40:41 +0900
Subject: [PATCH 2/2] bump version
---
 config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config.yml b/config.yml
index 583988b..665bb00 100644
--- a/config.yml
+++ b/config.yml
@@ -1,7 +1,7 @@
 name: OrderPdf
 event: OrderPdfEvent
 code: OrderPdf
-version: 1.0.0
+version: 1.0.1
 service:
 - OrderPdfServiceProvider
 orm.path: