From cb1b7749c0520cb45cd47ec1560c62a06dbb172c Mon Sep 17 00:00:00 2001
From: nathanm <nathanm@fisheyehq.com>
Date: Tue, 19 Nov 2019 15:13:17 +0000
Subject: [PATCH] Add escaping on meta properties for open graph

Fixes issue where double quotes can bleed though the html attribute
---
 .../frontend/templates/product/view/opengraph/general.phtml   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/code/Magento/Catalog/view/frontend/templates/product/view/opengraph/general.phtml b/app/code/Magento/Catalog/view/frontend/templates/product/view/opengraph/general.phtml
index eb2bde647f9b1..4d4a34c6239d4 100644
--- a/app/code/Magento/Catalog/view/frontend/templates/product/view/opengraph/general.phtml
+++ b/app/code/Magento/Catalog/view/frontend/templates/product/view/opengraph/general.phtml
@@ -9,11 +9,11 @@
 
 <meta property="og:type" content="product" />
 <meta property="og:title"
-      content="<?= /* @noEscape */ $block->stripTags($block->getProduct()->getName()) ?>" />
+      content="<?= $block->escapeHtmlAttr($block->stripTags($block->getProduct()->getName())) ?>" />
 <meta property="og:image"
       content="<?= $block->escapeUrl($block->getImage($block->getProduct(), 'product_base_image')->getImageUrl()) ?>" />
 <meta property="og:description"
-      content="<?= /* @noEscape */ $block->stripTags($block->getProduct()->getShortDescription()) ?>" />
+      content="<?= $block->escapeHtmlAttr($block->stripTags($block->getProduct()->getShortDescription())) ?>" />
 <meta property="og:url" content="<?= $block->escapeUrl($block->getProduct()->getProductUrl()) ?>" />
 <?php if ($priceAmount = $block->getProduct()->getPriceInfo()->getPrice(\Magento\Catalog\Pricing\Price\FinalPrice::PRICE_CODE)->getAmount()) :?>
     <meta property="product:price:amount" content="<?= $block->escapeHtmlAttr($priceAmount) ?>"/>